CentOS Linux release 7.4.1708 (Core)操作系统安全加固
操作系统下载链接:https://vault.centos.org/
https://vault.centos.org/7.4.1708/isos/x86_64/CentOS-7-x86_64-Minimal-1708.iso
安全基线策略
1.配置口令复杂度策略限制口令为8位以上数字、字母、特殊字符组合;
2.配置登录失败处理策略,连续登录失败5次后锁定用户10分钟;
3.配置不仅仅通过root用户进行日常运维操作;
4.限制root用户无法通过SSH直接远程登录,仅非root用户能够通过SSH远程登录;
5.配置操作行为、重要文件的写、执行行为、安全事件的审计策略、审计日志集中审计策略;
口令复杂度策略
安全基线说明
1.配置口令复杂度策略限制口令为8位以上数字、字母、特殊字符组合;
2.所有Linux操作系统用户均遵循口令复杂度策略;
相关涉及标准
《GB/T 22239-2019 信息安全技术 网络安全等级保护基本要求》应对登录的用户进行身份标识和鉴别,身份标识具有唯一性,身份鉴别信息具有复杂度要求并定期更换;
检测操作步骤
通过cat /etc/pam.d/system-auth核查口令复杂度配置:
# Detection: show the PAM stack for local logins. The "password requisite
# pam_pwquality.so" line is the one the hardening step tightens.
cat -- /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so try_first_pass nullok
auth required pam_deny.so
account required pam_unix.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
通过cat /etc/login.defs核查口令更新周期策略:
# Detection: show the shadow-utils defaults; PASS_MAX_DAYS / PASS_MIN_LEN are
# the aging values checked against the baseline.
cat -- /etc/login.defs
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201
SYS_UID_MAX 999
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 1000
GID_MAX 60000
# System accounts
SYS_GID_MIN 201
SYS_GID_MAX 999
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME yes
# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK 077
# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512
前置操作步骤
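# Back up before editing. /bin/cp (not "cp") bypasses root's "cp -i" alias, so
# nothing prompts; -p keeps the originals' mode, owner and mtime on the copy.
# NOTE: /tmp is world-writable and systemd-tmpfiles removes entries older than
# 10 days on CentOS 7 — fine for a same-day rollback, not for a long-term copy.
# If you move the copies to a root-only directory, change the restore step too.
/bin/cp -pf -- /etc/pam.d/system-auth /tmp/system-auth
/bin/cp -pf -- /etc/login.defs /tmp/login.defs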
加固操作步骤
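# Password complexity: at least 8 characters with lower, upper, digit and
# other (credit -1 = at least one of each), also enforced for root. Same values
# as the original inserted line.
pam_opts='minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root'
pass_min_len=8
pass_max_days=90   # constructed example value — replace with the policy's rotation period

#######################################
# Append the pwquality options to the existing
# "password requisite pam_pwquality.so" line.
# The original inserted a new line at a fixed line number ("14 i\..."). On the
# file shown in the detection step line 14 is in the session area, after
# "password sufficient pam_unix.so" has already ended the password stack, so
# the options were never evaluated; the number also shifts whenever authconfig
# regenerates the file (see its header). Editing the line in place works
# regardless of layout, and the same keys could instead go into
# /etc/security/pwquality.conf, which survives authconfig runs.
# Skipped when minlen= is already present, so re-running does not stack options.
# Arguments: $1 - path to the system-auth file
#######################################
harden_system_auth() {
  local f=$1
  grep -Eq '^password[[:space:]]+requisite[[:space:]]+pam_pwquality\.so.*minlen=' "$f" \
    || sed -i -E "/^password[[:space:]]+requisite[[:space:]]+pam_pwquality\.so/ s/\$/ ${pam_opts}/" "$f"
}

#######################################
# Set the aging defaults in login.defs.
# Matches any whitespace after the key (the original pattern required a literal
# tab) and actually changes PASS_MAX_DAYS — the original replaced 99999 with
# 99999, a no-op, although the baseline asks for periodic rotation. These are
# defaults for accounts created afterwards; existing accounts need chage -M/-m.
# Arguments: $1 - path to login.defs
#######################################
harden_login_defs() {
  local f=$1
  sed -i -E "s/^(PASS_MAX_DAYS)[[:space:]]+[0-9]+/\1\t${pass_max_days}/" "$f"
  sed -i -E "s/^(PASS_MIN_LEN)[[:space:]]+[0-9]+/\1\t${pass_min_len}/" "$f"
}

harden_system_auth /etc/pam.d/system-auth
harden_login_defs /etc/login.defs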
加固确认步骤
# Confirmation: the pam_pwquality line should now carry minlen=8 and the credit
# options. NOTE(review): the sample output printed below appears to come from an
# authselect-managed host (see its header), not from the authconfig-generated
# CentOS 7.4 file shown in the detection step — confirm on a real 7.4 system.
cat -- /etc/pam.d/system-auth
# Generated by authselect on Wed Jan 19 20:22:28 2022
# Do not modify this file manually.
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
auth sufficient pam_unix.so nullok
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth required pam_deny.so
account required pam_unix.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so local_users_only
password sufficient pam_unix.so sha512 shadow nullok use_authtok
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
# Confirmation: PASS_MIN_LEN should read 8 (PASS_MAX_DAYS only changes if the
# hardening step set a value for it).
cat -- /etc/login.defs
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 8
PASS_WARN_AGE 7
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201
SYS_UID_MAX 999
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 1000
GID_MAX 60000
# System accounts
SYS_GID_MIN 201
SYS_GID_MAX 999
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME yes
# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK 077
# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512
恢复操作步骤
# Rollback: overwrite the edited files with the copies taken in the pre-step.
# /bin/cp avoids root's "cp -i" alias, so the overwrite does not prompt.
/bin/cp -f -r -- /tmp/system-auth /etc/pam.d/system-auth
/bin/cp -f -r -- /tmp/login.defs /etc/login.defs
登录失败处理功能
安全基线说明
1.启用登录失败处理功能;
2.配置登录失败处理策略,连续登录失败5次后锁定用户10分钟;
相关涉及标准
《GB/T 22239-2019 信息安全技术 网络安全等级保护基本要求》应具有登录失败处理功能,应配置并启用结束会话、限制非法登录次数和当登录连接超时自动退出等相关措施;
检测操作步骤
通过cat /etc/pam.d/sshd核查用户账号登录失败处理策略:
# Detection: the sshd PAM stack. With no pam_tally2 line there is no lockout
# after repeated failures.
cat -- /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
前置操作步骤
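# Back up before editing; -p keeps mode/owner/mtime on the copy. /tmp is
# world-writable and auto-cleaned after 10 days on CentOS 7 — short-term only
# (the restore step expects this path).
/bin/cp -pf -- /etc/pam.d/sshd /tmp/sshd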
加固操作步骤
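# Lock an account for 600 s after 5 consecutive failures, root included
# (even_deny_root). NOTE: with even_deny_root a burst of bad passwords locks
# root on the console as well — a deliberate baseline choice, but plan for it.
tally='pam_tally2.so onerr=fail deny=5 unlock_time=600 even_deny_root root_unlock_time=600'

#######################################
# Add the pam_tally2 rules to a PAM service file.
# The auth rule is anchored on the "auth substack password-auth" line instead
# of line 3, so it stays inside the auth stack if header lines are added or
# removed. The account rule is what resets the counter after a successful
# login; without it the tally only grows and every account ends up locked
# after its fifth failure ever. Both inserts are skipped when already present.
# Arguments: $1 - path to the PAM service file (/etc/pam.d/sshd)
#######################################
harden_sshd_pam() {
  local f=$1
  grep -q 'pam_tally2.so' "$f" \
    || sed -i "/^auth[[:space:]]\+substack[[:space:]]\+password-auth/i auth\trequired\t${tally}" "$f"
  grep -q '^account[[:space:]]*required[[:space:]]*pam_tally2.so' "$f" \
    || sed -i '/^account[[:space:]]\+required[[:space:]]\+pam_nologin.so/a account\trequired\tpam_tally2.so' "$f"
}

harden_sshd_pam /etc/pam.d/sshd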
查看封禁用户情况
# Show the failure counter of every account (no --user). A count that reached
# deny=5 means the account stays locked until unlock_time (600 s) has elapsed.
pam_tally2
解封用户
# Clear root's failure counter by hand (needed on the console too, since the
# rule uses even_deny_root).
pam_tally2 --reset --user root
加固确认步骤
# Confirmation: the pam_tally2 auth rule should sit before "auth substack
# password-auth".
cat -- /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth required pam_tally2.so onerr=fail deny=5 unlock_time=600 even_deny_root root_unlock_time=600
auth substack password-auth
auth include postlogin
# Used with polkit to reauthorize users in remote sessions
-auth optional pam_reauthorize.so prepare
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session required pam_namespace.so
session optional pam_keyinit.so force revoke
session include password-auth
session include postlogin
# Used with polkit to reauthorize users in remote sessions
-session optional pam_reauthorize.so prepare
恢复操作步骤
# Rollback: put the pre-step copy back (/bin/cp skips the "cp -i" alias).
/bin/cp -f -r -- /tmp/sshd /etc/pam.d/sshd
配置普通用户
安全基线说明
1.配置不仅仅通过root用户进行日常运维操作;
2.配置普通用户不具备root权限;
3.普通用户不属于root组;
相关涉及标准
《GB/T 22239-2019 信息安全技术 网络安全等级保护基本要求》应授予管理用户所需的最小权限,实现管理用户的权限分离;
检测操作步骤
通过cat /etc/passwd核查用户及用户所属组:
# Detection: accounts and their primary GID. Supplementary membership (e.g. in
# the root group the baseline forbids) is in /etc/group, not here.
cat -- /etc/passwd
前置操作步骤
无
加固操作步骤
添加用户user
# Create the day-to-day account. login.defs has CREATE_HOME yes (see above), so
# a home directory is created too. "user" is a generic, guessable name — pick
# one per local policy; the baseline only requires that it is not root and not
# in the root group.
useradd user
修改用户user的口令
# Interactive. Once the pam_pwquality step is applied the new password must
# meet the 8-character / four-class rule.
passwd user
加固确认步骤
# Switch to the account to prove it works (without "-" root's environment is
# kept). Then test an SSH login as this user before locking root out of SSH.
su user
使用普通用户尝试远程登录
恢复操作步骤
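# Rollback: remove the account together with the home directory and mail spool
# that useradd created (CREATE_HOME yes); plain "userdel" leaves them behind.
userdel -r user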
限制root用户远程登录
安全基线说明
1.限制root用户无法通过SSH直接远程登录,仅非root用户能够通过SSH远程登录;
相关涉及标准
《GB/T 22239-2019 信息安全技术 网络安全等级保护基本要求》应重命名或删除默认账户,修改默认账户的默认口令;
检测操作步骤
# Detection: "#PermitRootLogin yes" commented out means the compiled-in
# default (yes) is in effect.
cat -- /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
前置操作步骤
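# Back up before editing; -p keeps mode/owner/mtime. /tmp is world-writable and
# auto-cleaned after 10 days on CentOS 7 — short-term only (the restore step
# expects this path).
/bin/cp -pf -- /etc/ssh/sshd_config /tmp/sshd_config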
加固操作步骤
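#######################################
# Set "PermitRootLogin no" in an sshd_config.
# sshd uses the first value it reads for a keyword, so the directive is placed
# right after the commented default — above any Match block at the end of the
# file. An existing uncommented PermitRootLogin line is rewritten instead of
# adding a second one; the original "s/.../g" added a new line on every run.
# Arguments: $1 - path to sshd_config
#######################################
disable_root_ssh() {
  local f=$1
  if grep -Eq '^PermitRootLogin[[:space:]]' "$f"; then
    sed -i -E 's/^PermitRootLogin[[:space:]].*/PermitRootLogin no/' "$f"
  else
    sed -i 's/^#PermitRootLogin yes/#PermitRootLogin yes\nPermitRootLogin no/' "$f"
  fi
  grep -q '^PermitRootLogin no' "$f" \
    || printf 'WARNING: PermitRootLogin no was not set in %s; add it above any Match block\n' "$f" >&2
}

disable_root_ssh /etc/ssh/sshd_config
# Validate before restarting: with a broken config the restart fails and, if
# this is the only session, there is no way back in. Keep this session open
# and confirm the non-root account can log in over SSH before closing it.
sshd -t && systemctl restart sshd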
加固确认步骤
# Confirmation: an uncommented "PermitRootLogin no" should follow the commented
# default.
cat -- /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.100 2016/08/15 12:32:04 naddy Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options override the
# default value.
# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
# Ciphers and keying
#RekeyLimit default none
# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#PubkeyAuthentication yes
# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedPrincipalsFile none
#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none
# no default banner path
#Banner none
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# PermitTTY no
# ForceCommand cvs server
恢复操作步骤
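# Rollback: restore the pre-step copy, then validate before restarting so a
# damaged backup cannot take sshd down (keep the current session open).
/bin/cp -rf -- /tmp/sshd_config /etc/ssh/sshd_config
sshd -t && systemctl restart sshd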
安全审计
安全基线说明
1.配置操作行为、重要文件的写、执行行为、安全事件的审计策略;
2.配置操作行为、重要文件的写、执行行为、安全事件的审计日志集中审计策略;
相关涉及标准
《GB/T 22239-2019 信息安全技术 网络安全等级保护基本要求》应启用安全审计功能,审计覆盖到每个用户,对重要的用户行为和重要安全事件进行审计;
《GB/T 22239-2019 信息安全技术 网络安全等级保护基本要求》应对审计记录进行保护,定期备份,避免受到未预期的删除、修改或覆盖等;
检测操作步骤
核查是否启用audit规则:
# Kernel audit status: the enabled flag plus backlog and lost-event counters.
auditctl -s
核查是否配置重要文件操作:
# Rules currently loaded in the kernel; "No rules" means no file watches yet.
auditctl -l
核查是否配置安全日志、操作日志发送至日志服务器集中审计的策略:
# Detection: the forwarding rule ("*.* @@remote-host:514") is commented out in
# the stock file, i.e. nothing is sent to a collector.
cat -- /etc/rsyslog.conf
# rsyslog configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on
# File to store the position in the journal
$IMJournalStateFile imjournal.state
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg :omusrmsg:*
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
前置操作步骤
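# Back up before editing. -p keeps mode/owner/mtime: audit.rules and the audisp
# plugin config are not world-readable, and a plain cp into /tmp would give the
# copies whatever the umask allows. /tmp is world-writable and auto-cleaned
# after 10 days on CentOS 7 — short-term only (the restore step expects these
# paths).
/bin/cp -pf -- /etc/audit/rules.d/audit.rules /tmp/audit.rules
/bin/cp -pf -- /etc/rsyslog.conf /tmp/rsyslog.conf
/bin/cp -pf -- /etc/audisp/plugins.d/syslog.conf /tmp/syslog.conf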
加固操作步骤
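#######################################
# Append a file watch to the audit rules file unless the identical rule is
# already there; the original unconditional "echo >>" duplicated every rule
# on each re-run. grep's stderr is silenced so a missing file just gets created.
# Arguments: $1 - rules file, $2 - path to watch
#######################################
add_watch_rule() {
  local rules_file=$1 path=$2
  local rule="-w ${path} -p wax -k changefileaction"
  grep -qxF -- "$rule" "$rules_file" 2>/dev/null \
    || printf '%s\n' "$rule" >> "$rules_file"
}

rules_file=/etc/audit/rules.d/audit.rules
# -p wax records writes, attribute changes and execution — reads of a watched
# file are NOT recorded (relevant for the confirmation step). Two entries of
# the original list are not CentOS 7 paths: grub2 keeps its config at
# /boot/grub2/grub.cfg (BIOS installs) and auditd at /etc/audit/auditd.conf,
# so those watches never fire. The original entries are kept and the CentOS 7
# paths added.
for path in \
  /etc/passwd /etc/shadow /etc/crontab /etc/hosts /etc/hosts.allow \
  /etc/hosts.deny /etc/fstab /etc/group /etc/gshadow /etc/ntp.conf \
  /etc/sysctl.conf /etc/security/limits.conf /boot/grub/grub.conf \
  /boot/grub2/grub.cfg /etc/ssh/sshd_config /etc/ssh/ssh_config \
  /etc/udev/rules.d /etc/profile /etc/kdump.conf /etc/lvm/lvm.conf \
  /etc/login.defs /etc/rsyslog.conf /etc/auditd.conf /etc/audit/auditd.conf \
  /etc/sysconfig /etc/multipath.conf; do
  add_watch_rule "$rules_file" "$path"
done

# audisp syslog plugin: per the comment header of syslog.conf the first "args"
# word is the priority and an optional second word the facility, so the
# documented way to route to local6 is "args = LOG_INFO LOG_LOCAL6". The
# original swapped LOG_INFO for LOG_LOCAL6, leaving a facility name where a
# priority is parsed. Patterns are anchored; the second edit is skipped when
# already applied.
sed -i 's/^active = no$/active = yes/' /etc/audisp/plugins.d/syslog.conf
grep -q '^args = LOG_INFO LOG_LOCAL6' /etc/audisp/plugins.d/syslog.conf \
  || sed -i 's/^args = LOG_INFO$/args = LOG_INFO LOG_LOCAL6/' /etc/audisp/plugins.d/syslog.conf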
该位置的@10.0.0.1:514需要根据日志服务器的传输协议(rsyslog中单个@表示UDP,@@表示TCP)、IP地址和监听端口进行调整
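# rsyslog: keep a local copy of the local6 trail and forward local6 + authpriv
# to the collector. A single "@" is UDP (lossy, unordered); "@@" selects TCP.
# Either way the records leave the host in cleartext — keep the collector on a
# management network or move to rsyslog TLS. Appends are skipped when the line
# is already present, so this can be re-run.
collector='@10.0.0.1:514'   # adjust protocol (@/@@), address and port to the log server
for rule in 'local6.* /var/log/local6.log' "local6.* ${collector}" "authpriv.* ${collector}"; do
  grep -qxF -- "$rule" /etc/rsyslog.conf || printf '%s\n' "$rule" >> /etc/rsyslog.conf
done
# Interactive edit: Shift+G to the end of the file, then append the two lines
# shown in the next step as the last two lines.
vi /etc/bashrc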
按Shift+G快速跳到最后添加如下内容
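# The two lines to append to /etc/bashrc (vi step above). Keep them as the LAST
# two lines of the file: the restore step removes "the last two lines". The
# backslash-escaped quotes (\" \|) in the original look like escaping for a
# wrapper command rather than something the file needs — TODO confirm; in the
# file they only added literal quote characters to the log text.
logger -p local6.info "====================nowuser:$(whoami)|loginstatus:$(who am i)==================== is login"
# Log the most recent history entry at every prompt. "read -r" and printf
# replace the original "read x y; echo $y", which let the shell glob-expand the
# logged command text (a * or ? in the command became a file list). This trail
# is advisory only: a user can unset PROMPT_COMMAND or start another shell, and
# secrets typed on command lines end up in the log. Tamper-evident command
# logging belongs in auditd (execve syscall rules), which the audit.rules step
# does not add.
export PROMPT_COMMAND='{ msg=$(history 1 | { read -r x y; printf "%s" "$y"; }); logger -p local6.info "[nowuser:$(whoami)] [loginstatus:$(who am i)] #command# \"${msg}\""; }'
# Apply to the current shell and restart the collectors. auditd is restarted
# with "service" on purpose: systemctl refuses to restart auditd on CentOS 7.
source /etc/bashrc
service rsyslog restart
service auditd restart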
加固确认步骤
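# Loaded rules — the changefileaction watches should be listed.
auditctl -l
# The watches are -p wax (write/attribute/execute); reading a watched file is
# not audited, so these cats do not create an audit.log record by themselves.
# What they do create is a local6 line from PROMPT_COMMAND, which is why the
# greps below look at local6.log and messages. A real watch hit comes from a
# change to a watched file — e.g. the earlier "passwd user" writes /etc/shadow —
# and is best queried by key rather than by tailing the raw log.
cat /etc/passwd /etc/shadow
ausearch -k changefileaction -ts recent
tail -10 /var/log/audit/audit.log | grep -E "passwd|content"
tail -20 /var/log/messages | grep -E "passwd|content"
tail -20 /var/log/local6.log | grep -E "passwd|content|command"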
恢复操作步骤
# Rollback. -D flushes the in-kernel rules; the pre-step copies then go back so
# the later "service auditd restart" reloads the original rule set.
auditctl -D
/bin/cp -f -r -- /tmp/audit.rules /etc/audit/rules.d/audit.rules
/bin/cp -f -r -- /tmp/rsyslog.conf /etc/rsyslog.conf
/bin/cp -f -r -- /tmp/syslog.conf /etc/audisp/plugins.d/syslog.conf
# Interactive: remove the two lines appended to the end of the file.
vi /etc/bashrc
按Shift+G快速跳到最后删除最后两行
# Reference copy of the two lines appended to /etc/bashrc by the hardening
# step — these are what "delete the last two lines" refers to. Shown for
# comparison only; do not run them here.
logger -p local6.info \"====================nowuser:`whoami`\|loginstatus:`who am i`==================== is login \"
export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; }); logger -p local6.info \[nowuser\:$(whoami)\] \[loginstatus:$(who am i)\] \#command\# \""${msg}"\"; }'
# Re-read the cleaned file. NOTE: this does not unset PROMPT_COMMAND in the
# current shell — open a new shell or "unset PROMPT_COMMAND" by hand. auditd is
# restarted with "service" because systemctl refuses to restart it on CentOS 7.
source /etc/bashrc
service rsyslog restart
service auditd restart
批量操作
前置批量操作
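# Batch pre-step: back up every file the batch edits. /bin/cp bypasses root's
# "cp -i" alias; -p keeps mode/owner/mtime (audit.rules and the audisp plugin
# config are not world-readable). /tmp is world-writable and auto-cleaned after
# 10 days on CentOS 7 — short-term only; the batch restore expects these paths.
for src in \
  /etc/pam.d/system-auth /etc/login.defs /etc/pam.d/sshd /etc/ssh/sshd_config \
  /etc/audit/rules.d/audit.rules /etc/rsyslog.conf /etc/audisp/plugins.d/syslog.conf; do
  /bin/cp -pf -- "$src" "/tmp/${src##*/}"
done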
加固批量操作
该位置的具体用户和口令须注意安全基线策略情况
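# Batch hardening, part 1: account, password policy, lockout, root SSH, audit
# watches. Every edit is anchored on a pattern and skipped when already
# applied, so the batch can be re-run without stacking duplicate lines.

# Generic account name — choose per local policy. Its password is set before
# the pwquality rules below exist; set it again afterwards so it meets them.
useradd user
passwd user

# /etc/pam.d/system-auth: extend the existing pam_pwquality line instead of
# inserting at line 14, which on the CentOS 7.4 file shown earlier lands after
# "password sufficient pam_unix.so" has ended the password stack and is never
# evaluated (and shifts whenever authconfig regenerates the file).
pam_opts='minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root'
grep -Eq '^password[[:space:]]+requisite[[:space:]]+pam_pwquality\.so.*minlen=' /etc/pam.d/system-auth \
  || sed -i -E "/^password[[:space:]]+requisite[[:space:]]+pam_pwquality\.so/ s/\$/ ${pam_opts}/" /etc/pam.d/system-auth

# /etc/login.defs: match any whitespace (the original needed a literal tab) and
# actually change PASS_MAX_DAYS — the original replaced 99999 with 99999.
# Defaults for accounts created afterwards only; "user" above needs chage -M.
pass_max_days=90   # constructed example value — replace with the policy's rotation period
sed -i -E "s/^(PASS_MAX_DAYS)[[:space:]]+[0-9]+/\1\t${pass_max_days}/" /etc/login.defs
sed -i -E 's/^(PASS_MIN_LEN)[[:space:]]+[0-9]+/\1\t8/' /etc/login.defs

# /etc/pam.d/sshd: lockout rule anchored before the password-auth substack
# (not "line 3"), plus the account rule that resets the tally on a successful
# login — without it the counter only grows.
tally='pam_tally2.so onerr=fail deny=5 unlock_time=600 even_deny_root root_unlock_time=600'
grep -q 'pam_tally2.so' /etc/pam.d/sshd \
  || sed -i "/^auth[[:space:]]\+substack[[:space:]]\+password-auth/i auth\trequired\t${tally}" /etc/pam.d/sshd
grep -q '^account[[:space:]]*required[[:space:]]*pam_tally2.so' /etc/pam.d/sshd \
  || sed -i '/^account[[:space:]]\+required[[:space:]]\+pam_nologin.so/a account\trequired\tpam_tally2.so' /etc/pam.d/sshd

# sshd_config: the first value sshd reads wins, so the directive goes right
# after the commented default, above any Match block; an existing uncommented
# line is rewritten rather than duplicated. sshd is restarted in part 2.
if grep -Eq '^PermitRootLogin[[:space:]]' /etc/ssh/sshd_config; then
  sed -i -E 's/^PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config
else
  sed -i 's/^#PermitRootLogin yes/#PermitRootLogin yes\nPermitRootLogin no/' /etc/ssh/sshd_config
fi

# Audit watches. -p wax = write/attribute/execute, not read. /boot/grub/grub.conf
# and /etc/auditd.conf are not CentOS 7 paths (grub2: /boot/grub2/grub.cfg on
# BIOS installs; auditd: /etc/audit/auditd.conf); the original entries are kept
# and the CentOS 7 paths added.
rules_file=/etc/audit/rules.d/audit.rules
for path in \
  /etc/passwd /etc/shadow /etc/crontab /etc/hosts /etc/hosts.allow \
  /etc/hosts.deny /etc/fstab /etc/group /etc/gshadow /etc/ntp.conf \
  /etc/sysctl.conf /etc/security/limits.conf /boot/grub/grub.conf \
  /boot/grub2/grub.cfg /etc/ssh/sshd_config /etc/ssh/ssh_config \
  /etc/udev/rules.d /etc/profile /etc/kdump.conf /etc/lvm/lvm.conf \
  /etc/login.defs /etc/rsyslog.conf /etc/auditd.conf /etc/audit/auditd.conf \
  /etc/sysconfig /etc/multipath.conf; do
  rule="-w ${path} -p wax -k changefileaction"
  grep -qxF -- "$rule" "$rules_file" 2>/dev/null || printf '%s\n' "$rule" >> "$rules_file"
done

# audisp syslog plugin: first "args" word is the priority, optional second word
# the facility (see the comment header of syslog.conf), so local6 is selected
# with "LOG_INFO LOG_LOCAL6" rather than by replacing LOG_INFO.
sed -i 's/^active = no$/active = yes/' /etc/audisp/plugins.d/syslog.conf
grep -q '^args = LOG_INFO LOG_LOCAL6' /etc/audisp/plugins.d/syslog.conf \
  || sed -i 's/^args = LOG_INFO$/args = LOG_INFO LOG_LOCAL6/' /etc/audisp/plugins.d/syslog.conf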
该位置的@10.0.0.1:514需要根据日志服务器的传输协议(rsyslog中单个@表示UDP,@@表示TCP)、IP地址和监听端口进行调整
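# Batch hardening, part 2a: rsyslog. "@" is UDP, "@@" is TCP; both forward
# authpriv/local6 in cleartext, so keep the collector on a management network
# or use rsyslog TLS. Appends are skipped when already present.
collector='@10.0.0.1:514'   # adjust protocol (@/@@), address and port to the log server
for rule in 'local6.* /var/log/local6.log' "local6.* ${collector}" "authpriv.* ${collector}"; do
  grep -qxF -- "$rule" /etc/rsyslog.conf || printf '%s\n' "$rule" >> /etc/rsyslog.conf
done
# Interactive edit: Shift+G to the end, "o" for a new line, then append the two
# lines shown in the next step as the last two lines of the file.
vi /etc/bashrc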
按Shift+G快速跳到最后,再按o另起一行添加如下内容
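# Batch hardening, part 2b: the two lines to append to /etc/bashrc (vi step
# above). Keep them as the LAST two lines: the batch restore removes "the last
# two lines". The backslash-escaped quotes in the original look like escaping
# for a wrapper command, not something the file needs — TODO confirm.
logger -p local6.info "====================nowuser:$(whoami)|loginstatus:$(who am i)==================== is login"
# Log the most recent history entry at every prompt. "read -r" and printf
# replace "read x y; echo $y", which glob-expanded the logged command text.
# Advisory trail only: a user can unset PROMPT_COMMAND or use another shell,
# and command-line secrets end up in the log; tamper-evident command logging
# belongs in auditd execve rules, which the audit step does not add.
export PROMPT_COMMAND='{ msg=$(history 1 | { read -r x y; printf "%s" "$y"; }); logger -p local6.info "[nowuser:$(whoami)] [loginstatus:$(who am i)] #command# \"${msg}\""; }'
source /etc/bashrc
# auditd must be restarted via "service": systemctl refuses it on CentOS 7.
service rsyslog restart
service auditd restart
# Validate sshd_config before restarting; keep this session open and confirm
# the non-root account can log in over SSH before closing it.
sshd -t && systemctl restart sshd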
恢复批量操作
# Batch rollback, mirror of the batch pre-step: drop the test account, put the
# /tmp copies back, restart sshd, flush the in-kernel audit rules, restore the
# audit/log configs, then edit /etc/bashrc by hand (next step).
userdel user
for dst in /etc/pam.d/system-auth /etc/login.defs /etc/pam.d/sshd /etc/ssh/sshd_config; do
  /bin/cp -rf -- "/tmp/${dst##*/}" "$dst"
done
systemctl restart sshd
auditctl -D
for dst in /etc/audit/rules.d/audit.rules /etc/rsyslog.conf /etc/audisp/plugins.d/syslog.conf; do
  /bin/cp -rf -- "/tmp/${dst##*/}" "$dst"
done
vi /etc/bashrc
按Shift+G快速跳到最后删除最后两行
# Reference copy of the two lines the batch appended to /etc/bashrc — these are
# what "delete the last two lines" refers to. For comparison only; do not run.
logger -p local6.info \"====================nowuser:`whoami`\|loginstatus:`who am i`==================== is login \"
export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; }); logger -p local6.info \[nowuser\:$(whoami)\] \[loginstatus:$(who am i)\] \#command\# \""${msg}"\"; }'
# Re-read the cleaned file. NOTE: this does not unset PROMPT_COMMAND in the
# current shell — open a new shell or "unset PROMPT_COMMAND" by hand. auditd is
# restarted with "service" because systemctl refuses to restart it on CentOS 7;
# sshd picks up the restored sshd_config on restart.
source /etc/bashrc
service rsyslog restart
service auditd restart
systemctl restart sshd
参考链接:
https://blog.csdn.net/weixin_53532638/article/details/119728305