Our company recently went through a Level 3 Classified Protection (等保三级, MLPS) assessment and a number of non-compliant items were found. The configuration changes made to fix them are recorded below for reuse next time.
Modify the password policy file:
vim /etc/login.defs
Change the following values:
PASS_MAX_DAYS 90
PASS_MIN_DAYS 2
PASS_MIN_LEN 8
PASS_WARN_AGE 7
Apply the password aging limits to the existing accounts (root and centuser):
chage -M 90 root
chage -m 2 root
chage -W 7 root
chage -M 90 centuser
chage -m 2 centuser
chage -W 7 centuser
Delete unneeded accounts (check first that no running service depends on an account; removing system accounts such as bin, mail or ftp breaks the services that use them):
userdel uucp
userdel nuucp
userdel lp
userdel adm
userdel sync
userdel shutdown
userdel halt
userdel news
userdel operator
userdel gopher
userdel bin
userdel mail
userdel games
userdel ftp
userdel vcsa
userdel abrt
userdel ntp
userdel saslauth
userdel tcpdump
Log file permissions must not be more permissive than 640; set them to 640:
chmod 640 /var/log/messages
chmod 640 /var/log/secure
chmod 640 /var/log/audit/audit.log
Add an audit account:
useradd audit
usermod -G audit audit
Add audit rules
Edit audit.rules:
vim /etc/audit/rules.d/audit.rules
-a exit,always -F arch=b64 -S umask -S chown -S chmod
-a exit,always -F arch=b64 -S unlink -S rmdir
-a exit,always -F arch=b64 -S setrlimit
-a exit,always -F arch=b64 -S setuid -S setreuid
-a exit,always -F arch=b64 -S setgid -S setregid
-a exit,always -F arch=b64 -S sethostname -S setdomainname
-a exit,always -F arch=b64 -S adjtimex -S settimeofday
-a exit,always -F arch=b64 -S mount -S _sysctl
-w /etc/group -p wa
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/sudoers -p wa
-w /etc/ssh/sshd_config
-w /etc/bashrc -p wa
-w /etc/profile -p wa
-w /etc/profile.d/
-w /etc/aliases -p wa
-w /etc/sysctl.conf -p wa
-w /var/log/lastlog
# Disable adding any additional rules - note that adding *new* rules will require a reboot
Give ownership of /var/log to the audit account, keeping /var/log/audit owned by root:
chown audit:audit -R /var/log
chown root:root -R /var/log/audit
Disable root login over SSH:
vim /etc/ssh/sshd_config
PermitRootLogin no
Forward logs to the log server (@@ forwards over TCP, @ over UDP):
vim /etc/rsyslog.conf
*.info;mail.none;news.none;authpriv.none;cron.none /var/log/messages
*.* @@172.16.x.xx:514
*.* @172.16.x.xx:514
Login failure handling (lock the account for 300 seconds after 5 failed attempts):
vim /etc/pam.d/system-auth
Add the following to the auth section:
auth required pam_tally2.so onerr=fail deny=5 unlock_time=300
Add the following to the password section:
password requisite pam_cracklib.so minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
Set a shell idle timeout of 600 seconds:
vim /etc/profile
export TMOUT=600
Restart the logging and audit services:
service rsyslog restart
service auditd restart
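A compliance check for several of the settings above, as an added example that is not part of the original notes: every check_* function takes the path of the file to inspect, so on a real host it can be pointed at /etc/login.defs, /etc/ssh/sshd_config and the files under /var/log, while the sample files it builds itself are constructed so the script runs offline.

```bash
#!/bin/bash
# Added example, not from the original notes: checks a host against the values above.
# Each check_* takes the path of the file to inspect, so it runs against the real
# files (/etc/login.defs, /etc/ssh/sshd_config, /var/log/*) or the samples built below.
# Last uncommented "KEY value" line wins, as it does for login.defs and sshd_config.
conf_value() {  # conf_value FILE KEY
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}
# Numeric directive vs. limit; OP is a test(1) operator such as -le or -ge.
check_num() {  # check_num FILE KEY OP LIMIT
    local v; v=$(conf_value "$1" "$2")
    if [ -n "$v" ] && [ "$v" "$3" "$4" ] 2>/dev/null; then echo "ok   $2=$v"; return 0; fi
    echo "FAIL $2=${v:-unset} (want $3 $4)"; return 1
}
# The four PASS_* values from login.defs above; each must be at least as strict.
check_login_defs() {
    local rc=0
    check_num "$1" PASS_MAX_DAYS -le 90 || rc=1
    check_num "$1" PASS_MIN_DAYS -ge 2  || rc=1
    check_num "$1" PASS_MIN_LEN  -ge 8  || rc=1
    check_num "$1" PASS_WARN_AGE -ge 7  || rc=1
    return $rc
}
# PermitRootLogin must be explicitly "no"; an unset or commented-out value is a failure.
check_sshd() {
    local v; v=$(conf_value "$1" PermitRootLogin)
    if [ "$v" = no ]; then echo "ok   PermitRootLogin=no"; return 0; fi
    echo "FAIL PermitRootLogin=${v:-unset} (want no)"; return 1
}
# Log file mode must be 640 or tighter: no group write/exec, no access for others.
check_log_mode() {
    local m; m=$(stat -c %a "$1") || return 1
    if [ $(( 8#$m & 8#037 )) -eq 0 ]; then echo "ok   $1 mode $m"; return 0; fi
    echo "FAIL $1 mode $m (want 640 or tighter)"; return 1
}
# Constructed sample files (not real system files) so the script can run anywhere.
make_samples() {
    TMP=$(mktemp -d); trap 'rm -rf "$TMP"' EXIT
    printf 'PASS_MAX_DAYS 99999\nPASS_MIN_DAYS 0\nPASS_MIN_LEN 5\nPASS_WARN_AGE 7\n' > "$TMP/login.defs.default"
    printf 'PASS_MAX_DAYS 90\nPASS_MIN_DAYS 2\nPASS_MIN_LEN 8\nPASS_WARN_AGE 7\n' > "$TMP/login.defs.hardened"
    printf '#PermitRootLogin yes\nPermitRootLogin no\n' > "$TMP/sshd_config"
    : > "$TMP/messages.644"; chmod 644 "$TMP/messages.644"
    : > "$TMP/messages.640"; chmod 640 "$TMP/messages.640"
}

make_samples
check_login_defs "$TMP/login.defs.default"    # three of the four values fail
check_login_defs "$TMP/login.defs.hardened"
check_sshd "$TMP/sshd_config"
check_log_mode "$TMP/messages.644"            # fails: readable by others
check_log_mode "$TMP/messages.640"
```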