目前等级保护测评是一项非常有必要的安全活动,部分被测单位由于对等级保护的信息了解不足,无法有效进行加固,以下脚本是根据GB/T 22239《基本要求》和GB/T 28448《测评要求》的第三级系统要求设计的安全加固策略,仅供参考和学习
脚本代码
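#!/usr/bin/env bash
#***************************Linux.sh*****************************
# Level-3 host hardening for Red Hat / CentOS 7 style systems, following the
# GB/T 22239 (baseline) and GB/T 28448 (evaluation) requirements the post
# describes. Run once as root. Every step is idempotent, so re-running the
# script does not duplicate PAM, sudoers, audit-rule or cron entries (the
# original appended with ">>" on every run).
#
# Environment overrides (defaults are the values the original script used):
#   ADMUSER_PASS / AUDUSER_PASS / SECUSER_PASS  initial passwords of the three
#                                               role accounts; the defaults are
#                                               public, so override them
#   SSH_PORT                                    new sshd listen port (33022)
#
# Ordering is deliberate: the firewall and the SELinux port label are opened
# BEFORE sshd moves to the new port, and sshd is restarted once, after all of
# its edits, so an administrator working over ssh is not locked out.
set -euo pipefail

readonly SSH_PORT="${SSH_PORT:-33022}"
readonly BACKUP_DIR=/usr/local/backup
readonly BACKUP_SCRIPT=/usr/local/backup.sh
readonly AUDIT_RULES=/etc/audit/rules.d/audit.rules
# drop-in name chosen by this script (any name under /etc/sudoers.d works)
readonly SUDOERS_DROPIN=/etc/sudoers.d/90-role-accounts

die() { printf 'error: %s\n' "$*" >&2; exit 1; }
warn() { printf 'warning: %s\n' "$*" >&2; }
log() { printf '==> %s\n' "$*"; }

#######################################
# Append LINE to FILE unless an identical line is already present.
# Arguments: $1 - line, $2 - file (created if missing)
#######################################
append_once() {
  local line=$1 file=$2
  if ! grep -qxF -- "$line" "$file" 2>/dev/null; then
    printf '%s\n' "$line" >> "$file"
  fi
}

#######################################
# Set KEY to VALUE in a "KEY<whitespace>VALUE" file such as login.defs or
# sshd_config. Matches the active line or a commented-out "#KEY" line
# whatever its current value; the original "s/PASS_MAX_DAYS 99999/" patterns
# assumed a single space, but login.defs separates key and value with a tab,
# so those substitutions matched nothing. Appends the setting if no such
# line exists.
# Arguments: $1 - key, $2 - value, $3 - file
#######################################
set_kv() {
  local key=$1 value=$2 file=$3
  if grep -qE "^#?${key}[[:space:]]" "$file"; then
    sed -i -E "s|^#?${key}[[:space:]].*|${key} ${value}|" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

#######################################
# Make LINE the first entry of the TYPE (auth/password) stack in a PAM file,
# replacing an existing entry for MODULE so the script can be re-run.
# Appending at the end of the stack, as the original did, is ineffective on
# the stock CentOS/RHEL 7 stack: "sufficient pam_unix.so" ends the stack on
# success, so the lockout is never enforced and the appended quality rule is
# never consulted. --follow-symlinks keeps the system-auth -> system-auth-ac
# link intact (authconfig --update regenerates these files; re-run after it).
# Arguments: $1 - stack type, $2 - module file name, $3 - full line, $4 - file
#######################################
pam_set_first() {
  local type=$1 module=$2 line=$3 file=$4
  [[ -f "$file" ]] || { warn "$file not found, skipping"; return 0; }
  if grep -qE "^${type}[[:space:]].*${module}" "$file"; then
    sed -i --follow-symlinks -E "s|^${type}[[:space:]].*${module}.*|${line}|" "$file"
  else
    sed -i --follow-symlinks "0,/^${type}[[:space:]]/s|^${type}[[:space:]].*|${line}\n&|" "$file"
  fi
}

#######################################
# Create the three role accounts (system / audit / security administrator)
# and set their initial passwords.
# Globals: ADMUSER_PASS, AUDUSER_PASS, SECUSER_PASS (read)
#######################################
create_accounts() {
  local -A passwords=(
    [admuser]="${ADMUSER_PASS:-Mgrxt@123}"
    [auduser]="${AUDUSER_PASS:-Mgrsj@123}"
    [secuser]="${SECUSER_PASS:-Mgraq@123}"
  )
  local user
  for user in admuser auduser secuser; do
    id -u "$user" >/dev/null 2>&1 || useradd "$user"
    # chpasswd reads "user:password" on stdin, so the secret never sits on a
    # command line (portable replacement for passwd --stdin)
    printf '%s:%s\n' "$user" "${passwords[$user]}" | chpasswd
    # the defaults above ship with this script: require a change at first login
    chage -d 0 "$user"
  done
}

#######################################
# Identity and authentication: password quality, login-failure lockout,
# idle timeout and password ageing.
#######################################
harden_authentication() {
  local f
  # The original comment asks for "3 attempts", which is retry=3, not difok=3;
  # both are kept. minlen=8, at least one upper/lower/digit/special, root too.
  local pwq='password    requisite     pam_pwquality.so retry=3 difok=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 enforce_for_root'
  # 5 failures lock the account for 10 minutes, root included
  local tally='auth        required      pam_tally2.so deny=5 unlock_time=600 even_deny_root root_unlock_time=600'
  # sshd authenticates through password-auth on RHEL 7, so both stacks get the
  # rules; the original only touched system-auth.
  # NOTE(review): pam_tally2 no longer exists on RHEL 8+; use pam_faillock there.
  for f in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
    pam_set_first password pam_pwquality.so "$pwq" "$f"
    pam_set_first auth pam_tally2.so "$tally" "$f"
  done

  # 10 minutes idle -> the shell exits; readonly keeps users from unsetting it
  append_once 'export TMOUT=600' /etc/profile
  append_once 'readonly TMOUT' /etc/profile

  # password lifetime 7..90 days, minimum length 9 (pam_pwquality takes
  # precedence over PASS_MIN_LEN on PAM systems)
  set_kv PASS_MAX_DAYS 90 /etc/login.defs
  set_kv PASS_MIN_DAYS 7 /etc/login.defs
  set_kv PASS_MIN_LEN 9 /etc/login.defs
}

#######################################
# Move sshd to SSH_PORT and forbid direct root login. The firewall rule and
# the SELinux port label are applied first; sshd is restarted once, after
# its config has been validated. The original restarted sshd before editing
# PermitRootLogin, so that change did not take effect until the next restart.
# Globals: SSH_PORT (read)
#######################################
harden_remote_access() {
  local cfg=/etc/ssh/sshd_config

  if systemctl is-active --quiet firewalld; then
    firewall-cmd --zone=public --add-port="${SSH_PORT}/tcp" --permanent
    firewall-cmd --reload
  else
    warn "firewalld is not running; port ${SSH_PORT}/tcp was not opened"
  fi

  # SELinux only lets sshd bind to ports labelled ssh_port_t. Without the
  # label sshd fails to start once SELinux is enforcing (after the reboot that
  # harden_access_control prepares). -a fails if the port already has a
  # label; -m then updates it.
  if ! command -v semanage >/dev/null; then
    warn "semanage not found; label tcp/${SSH_PORT} as ssh_port_t before enforcing SELinux"
  elif ! semanage port -a -t ssh_port_t -p tcp "$SSH_PORT" 2>/dev/null \
      && ! semanage port -m -t ssh_port_t -p tcp "$SSH_PORT"; then
    warn "could not label tcp/${SSH_PORT} as ssh_port_t; do this before enforcing SELinux"
  fi

  set_kv Port "$SSH_PORT" "$cfg"
  set_kv PermitRootLogin no "$cfg"
  # a broken config would reject every new session: validate before restart
  sshd -t || die "$cfg failed validation; sshd not restarted"
  systemctl restart sshd
}

#######################################
# Access control: SELinux enforcing (effective after reboot) and the
# role-separated sudo rules.
#######################################
harden_access_control() {
  # matches whatever the current mode is, not only "disabled"
  sed -i -E 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
  write_sudoers
}

#######################################
# Install the role accounts' sudo rules as a drop-in, validated with visudo
# before activation. Appending unchecked lines to /etc/sudoers, as the
# original did, risks a syntax error that disables sudo for everyone.
# Assumes the stock "#includedir /etc/sudoers.d" line in /etc/sudoers.
# Differences from the original rules:
#   - files are edited through sudoedit: an interactive editor started by
#     sudo is not confined to the file named in the rule
#   - passwd may not be pointed at root (the example from sudoers(5))
#   - "/usr/sbin/iptable" corrected to /usr/sbin/iptables
# Globals: SUDOERS_DROPIN (read)
#######################################
write_sudoers() {
  local tmp
  tmp=$(mktemp) || die "mktemp failed"
  cat > "$tmp" <<'EOF'
# system administrator: account lifecycle and authentication policy
admuser ALL=(ALL) /usr/sbin/useradd, /usr/sbin/userdel, /usr/bin/passwd [A-Za-z]*, !/usr/bin/passwd root
admuser ALL=/bin/cat /etc/shadow
admuser ALL=sudoedit /etc/pam.d/system-auth, sudoedit /etc/login.defs
# security administrator: firewall, services, mandatory access control
secuser ALL=(ALL) /usr/bin/firewall-cmd, /usr/bin/systemctl, /usr/sbin/iptables
secuser ALL=sudoedit /etc/profile, sudoedit /etc/selinux/config
# audit administrator: read logs, maintain audit configuration
auduser ALL=/bin/cat /etc/rsyslog.conf, /bin/cat /var/log/messages, /bin/cat /var/log/audit/audit.log
auduser ALL=sudoedit /etc/audit/rules.d/audit.rules, sudoedit /etc/logrotate.conf, sudoedit /usr/lib/systemd/system/auditd.service
auduser ALL=(ALL) /usr/bin/systemctl, /usr/sbin/auditctl
EOF
  visudo -cf "$tmp" || { rm -f -- "$tmp"; die "generated sudoers rules are invalid"; }
  # sudoers.d files must be 0440 and owned by root
  install -m 440 -o root -g root "$tmp" "$SUDOERS_DROPIN"
  rm -f -- "$tmp"
}

#######################################
# Security audit: watch rules for the authentication and logging files,
# rule reload, and six months of log retention.
# Globals: AUDIT_RULES (read)
#######################################
harden_audit() {
  local rule
  # the original wrote these as unquoted "echo -w ...", relying on bash's echo
  # printing an option it does not know literally; quote them instead
  for rule in \
      '-w /etc/shadow -p rw' \
      '-w /etc/passwd -p rw' \
      '-w /etc/pam.d -p rwx' \
      '-w /etc/audit -p rw' \
      '-w /var/log/messages -p rwx' \
      '-w /var/log/audit -p rw' \
      '-w /etc/login.defs -p rw' \
      '-w /etc/profile -p rw' \
      '-w /etc/rsyslog.conf -p rw'; do
    append_once "$rule" "$AUDIT_RULES"
  done
  # Load the rules without toggling RefuseManualStop in the vendor unit file:
  # augenrules merges rules.d/ and loads the result; "service auditd restart"
  # is the supported restart path where it is unavailable.
  if command -v augenrules >/dev/null; then
    augenrules --load
  else
    service auditd restart
  fi

  # Keep 6 months: weekly "rotate 4" -> 24, monthly "rotate 1" -> 6. Anchored
  # on the whole value, because the original unanchored "s/rotate 1/rotate 6/g"
  # would also turn a "rotate 10" or "rotate 12" into 60 or 62. Only
  # /etc/logrotate.conf is adjusted, not /etc/logrotate.d/*.
  sed -i -E \
    -e 's/^([[:space:]]*)rotate[[:space:]]+4$/\1rotate 24/' \
    -e 's/^([[:space:]]*)rotate[[:space:]]+1$/\1rotate 6/' \
    /etc/logrotate.conf
}

#######################################
# Backup and recovery: daily copy of the authentication, logging and audit
# files into BACKUP_DIR, scheduled from root's crontab.
# Globals: BACKUP_DIR, BACKUP_SCRIPT (read)
#######################################
setup_backup() {
  # the directory holds a copy of /etc/shadow, so root-only
  mkdir -p -m 700 "$BACKUP_DIR"
  chmod 700 "$BACKUP_DIR"
  # written whole, not appended, so a re-run does not duplicate the commands
  cat > "$BACKUP_SCRIPT" <<EOF
#!/bin/bash
rsync -a /etc/shadow ${BACKUP_DIR}
rsync -a /etc/passwd ${BACKUP_DIR}
rsync -a /etc/rsyslog.conf ${BACKUP_DIR}
rsync -a /etc/login.defs ${BACKUP_DIR}
rsync -a /etc/profile ${BACKUP_DIR}
rsync -a /etc/pam.d ${BACKUP_DIR}
rsync -a /var/log/audit ${BACKUP_DIR}
rsync -a /var/log/messages ${BACKUP_DIR}
EOF
  chmod 700 "$BACKUP_SCRIPT"
  # Merge the entry into root's crontab. The original "crontab /usr/local/cronfile"
  # replaced the whole crontab, discarding any existing entries.
  local entry="0 0 * * * ${BACKUP_SCRIPT}"
  { crontab -l 2>/dev/null || true; printf '%s\n' "$entry"; } \
    | awk '!seen[$0]++' | crontab -
}

#######################################
# Residual information: disable shell history in /etc/profile.
# NOTE(review): HISTSIZE=0 also removes a trail incident responders rely on;
# the auditd watch rules above are the compensating record.
#######################################
clear_residual_info() {
  # the original matched only the literal "HISTSIZE=1000"
  sed -i -E 's/^HISTSIZE=.*/HISTSIZE=0/' /etc/profile
  # The original then ran "source /etc/profile"; that only affected the
  # script's own non-interactive shell, so it is dropped. New logins pick the
  # value up on their own.
}

main() {
  (( EUID == 0 )) || die "this script must run as root"
  log "creating role accounts";         create_accounts
  log "identity and authentication";    harden_authentication
  log "remote access (sshd, firewall)"; harden_remote_access
  log "access control (SELinux, sudo)"; harden_access_control
  log "security audit";                 harden_audit
  log "backup and recovery";            setup_backup
  log "residual information";           clear_residual_info
  log "done; reboot to bring SELinux into enforcing mode"
}

main "$@"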
以上均为Linux主机(Red Hat、CentOS类)的加固策略,博主已进行了验证,策略有效