登录失败锁定：失败3次锁定900秒（注意：下面的配置写的是 deny=5，与此处的3次不一致，请按实际要求统一）
vi /etc/pam.d/sshd
auth required pam_tally2.so deny=5 unlock_time=900 even_deny_root root_unlock_time=900
vi /etc/pam.d/login
修改密码策略文件
vi /etc/login.defs
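将以下参数修改为（login.defs 中的有效期设置只对之后新建的账号生效，已有账号需用下面的 chage 逐个设置；系统使用 PAM 时 PASS_MIN_LEN 不起作用，最小长度以后面 pam_cracklib 的 minlen 为准）：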
PASS_MAX_DAYS 90
PASS_MIN_DAYS 2
PASS_MIN_LEN 8
PASS_WARN_AGE 7
chage -M 90 root
chage -m 2 root
chage -W 7 root
chage -M 90 app
chage -m 2 app
chage -W 7 app
chage -M 90 audit
chage -m 2 audit
chage -W 7 audit
passwd root
passwd app
chage -l app
日志权限不得大于640，设置日志权限为640（logrotate 轮转时会按其 create 配置重建日志文件，需同步修改该配置，否则权限会被还原）
chmod 640 /var/log/messages
chmod 640 /var/log/secure
chmod 640 /var/log/audit/audit.log
添加审计账号（需在前面对 audit 执行 chage 之前完成，否则账号尚不存在，chage 会失败）
useradd audit
usermod -G audit audit
passwd audit
（口令请在 passwd 提示时交互输入随机强口令，并保存到密码管理器；此处原先记录的 Au!123456 过于简单，且口令不应明文写入文档）
添加审计
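编辑 audit.rules，加入以下规则（注意：下面只有 arch=b64 规则，32位系统调用不会被记录，需要时应补充对应的 arch=b32 规则；新版工具多使用 fchmodat、fchownat、unlinkat 等调用，仅监控 chmod/chown/unlink 会漏记）：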
vi /etc/audit/rules.d/audit.rules
-a exit,always -F arch=b64 -S umask -S chown -S chmod
-a exit,always -F arch=b64 -S unlink -S rmdir
-a exit,always -F arch=b64 -S setrlimit
-a exit,always -F arch=b64 -S setuid -S setreuid
-a exit,always -F arch=b64 -S setgid -S setregid
-a exit,always -F arch=b64 -S sethostname -S setdomainname
-a exit,always -F arch=b64 -S adjtimex -S settimeofday
-a exit,always -F arch=b64 -S mount -S _sysctl
-w /etc/group -p wa
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/sudoers -p wa
-w /etc/ssh/sshd_config
-w /etc/bashrc -p wa
-w /etc/profile -p wa
-w /etc/profile.d/
-w /etc/aliases -p wa
-w /etc/sysctl.conf -p wa
-w /var/log/lastlog
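# Disable adding any additional rules - note that adding *new* rules will require a reboot
# (this comment refers to the `-e 2` line, which is missing from this listing; add `-e 2` as the last rule if the configuration should be locked)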
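将 /var/log/ 的属主改为 audit（注意：属主对权限为640的文件有写权限，审计账号因此可以修改或清空日志；若只需查看，建议保留 root 属主、仅把属组设为 audit。递归修改还可能导致以其他用户身份写日志的服务无法写入，且 logrotate 轮转后属主会被还原）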
chown audit:audit -R /var/log
chown root:root -R /var/log/audit
chown audit:audit -R /var/log/boot.log /var/log/cron /var/log/secure /var/log/messages /var/log/dmesg
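禁止root登录（下面两行 PermitRootLogin 只能保留一行：sshd 对同一关键字只采用最先出现的值；without-password 仍允许 root 使用密钥登录，要完全禁止请用 no。reload 之前先用 sshd -t 检查配置，并保留一个已登录的会话以防被锁在外面）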
vi /etc/ssh/sshd_config
PermitRootLogin no
PermitRootLogin without-password
service sshd reload
日志上传服务器（下面的转发规则中 @@ 表示 TCP，@ 表示 UDP，二选一即可，两行同时保留会重复发送；这种转发是明文传输，跨不可信网络时应启用 TLS）
vim /etc/rsyslog.conf
*.info;mail.none;news.none;authpriv.none;cron.none /var/log/messages
*.* @@172.16.x.xx:514
*.* @172.16.x.xx:514
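登录失败处理（注意：pam_tally2 在较新的 Linux-PAM 中已被移除，由 pam_faillock 取代，配置前先确认系统中存在该模块；被锁定的账号可用 pam_tally2 --user 用户名 --reset 解锁）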
vi /etc/pam.d/system-auth
在对应的 auth 段添加如下内容（通常放在 auth 段的首行，位于 pam_unix.so 之前）
auth required pam_tally2.so onerr=fail deny=5 unlock_time=900
在对应的password段添加如下内容
password requisite pam_cracklib.so minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
vi /etc/profile
export TMOUT=600
重启相关审计服务
service rsyslog restart
service auditd restart