CentOS release 6.6 (Final)操作系统安全加固
操作系统下载链接:https://vault.centos.org/
https://vault.centos.org/6.6/isos/x86_64/CentOS-6.6-x86_64-minimal.iso
安全基线策略
1.配置口令复杂度策略限制口令为8位以上数字、字母、特殊字符组合;
2.配置登录失败处理策略,连续登录失败5次后锁定用户10分钟;
3.配置不仅仅通过root用户进行日常运维操作;
4.限制root用户无法通过SSH直接远程登录,仅非root用户能够通过SSH远程登录;
5.配置操作行为、重要文件的写、执行行为、安全事件的审计策略、审计日志集中审计策略;
口令复杂度策略
安全基线说明
1.配置口令复杂度策略限制口令为8位以上数字、字母、特殊字符组合;
2.所有Linux操作系统用户均遵循口令复杂度策略;
相关涉及标准
《GB/T 22239-2019 信息安全技术 网络安全等级保护基本要求》应对登录的用户进行身份标识和鉴别,身份标识具有唯一性,身份鉴别信息具有复杂度要求并定期更换;
检测操作步骤
通过cat /etc/pam.d/system-auth核查口令复杂度配置:
cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
通过cat /etc/login.defs核查口令更新周期策略:
cat /etc/login.defs
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 5
PASS_WARN_AGE 7
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 500
UID_MAX 60000
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 500
GID_MAX 60000
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME yes
# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK 077
# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512
前置操作步骤
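# Back up the two files this step rewrites so the restore step can put them back.
# -p keeps mode/owner/timestamps for a faithful restore; -L copies the content of a
# symlinked source, whereas the original -r copied only the link itself (authconfig-managed
# PAM files are often symlinks — confirm on the target).
# NOTE(review): /tmp is world-writable and these names are fixed, so the restore step later
# copies back whatever sits at /tmp/<name>. The paths are kept because the restore step
# depends on them; when both steps can change together, use a root-only directory
# (e.g. mkdir -m 700 /root/baseline-bak) instead.
backup_file() {
  # $1 = file to save; its copy goes to /tmp/<basename>.
  # Refuse to overwrite an existing entry (file or symlink): this guards against a planted
  # path and against a second run clobbering the pristine copy after hardening was applied.
  local src=$1 dest="/tmp/${1##*/}"
  if [ -e "$dest" ] || [ -L "$dest" ]; then
    printf '%s already exists; move it away before taking a new backup\n' "$dest" >&2
    return 1
  fi
  /bin/cp -pL -- "$src" "$dest"
}
backup_file /etc/pam.d/system-auth && backup_file /etc/login.defs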
加固操作步骤
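# Password policy: complexity via pam_cracklib, aging via /etc/login.defs.
# pam_cracklib: rewrite the existing "password requisite pam_cracklib.so" line in place instead
# of inserting a second one at line 14. The fixed line number only holds for the stock file, and
# the original left two stacked cracklib entries behind, which is harder to audit.
# minlen=8 plus one required lower/upper/digit/other character each; enforce_for_root applies
# the rule to root as well. The file header says authconfig regenerates system-auth, so a later
# authconfig run can undo this edit.
# NOTE(review): if system-auth is a symlink (authconfig-managed files often are), GNU sed -i
# replaces the link with a plain file unless --follow-symlinks is given — confirm which layout
# the target has and whether that is wanted.
cracklib_opts='try_first_pass retry=3 type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root'
if grep -q '^password[[:space:]]\+requisite[[:space:]]\+pam_cracklib\.so' /etc/pam.d/system-auth; then
  sed -i "s/^password[[:space:]]\+requisite[[:space:]]\+pam_cracklib\.so.*/password    requisite     pam_cracklib.so ${cracklib_opts}/" /etc/pam.d/system-auth
else
  printf 'no pam_cracklib line found in /etc/pam.d/system-auth; add it by hand before the pam_unix password line\n' >&2
fi
# login.defs: its header says these values are read by shadow-utils only, not by PAM, so
# passwd(1) enforces the pam_cracklib minlen above; PASS_MIN_LEN is raised anyway to keep the two
# consistent. The original PASS_MAX_DAYS substitution replaced 99999 with 99999, i.e. it never
# set the rotation period the baseline cites (定期更换). 90 is a placeholder — set per local policy.
pass_max_days=90
sed -i "s/^PASS_MAX_DAYS[[:space:]]\+[0-9]\+/PASS_MAX_DAYS\t${pass_max_days}/" /etc/login.defs
sed -i 's/^PASS_MIN_LEN[[:space:]]\+[0-9]\+/PASS_MIN_LEN\t8/' /etc/login.defs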
加固确认步骤
cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 500 quiet
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 500 quiet
account required pam_permit.so
password requisite pam_cracklib.so try_first_pass retry=3 type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
password requisite pam_cracklib.so try_first_pass retry=3 type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
cat /etc/login.defs
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 99999
PASS_MIN_DAYS 0
PASS_MIN_LEN 8
PASS_WARN_AGE 7
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 500
UID_MAX 60000
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 500
GID_MAX 60000
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME yes
# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK 077
# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512
恢复操作步骤
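# Put the pre-hardening copies back.
# NOTE(review): the backups sit in world-writable /tmp, so each one is checked to be a regular,
# root-owned file before it is copied over an authentication config file.
restore_file() {
  # $1 = destination path; its backup is /tmp/<basename>.
  local dest=$1 src="/tmp/${1##*/}"
  if [ ! -f "$src" ] || [ -L "$src" ] || [ "$(stat -c %U -- "$src")" != root ]; then
    printf 'refusing to restore %s from %s: missing, not a regular file, or not owned by root\n' "$dest" "$src" >&2
    return 1
  fi
  /bin/cp -fp -- "$src" "$dest"
}
restore_file /etc/pam.d/system-auth && restore_file /etc/login.defs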
登录失败处理功能
安全基线说明
1.启用登录失败处理功能;
2.配置登录失败处理策略,连续登录失败5次后锁定用户10分钟;
相关涉及标准
《GB/T 22239-2019 信息安全技术 网络安全等级保护基本要求》应具有登录失败处理功能,应配置并启用结束会话、限制非法登录次数和当登录连接超时自动退出等相关措施;
检测操作步骤
通过cat /etc/pam.d/sshd核查用户账号登录失败处理策略:
cat /etc/pam.d/sshd
#%PAM-1.0
auth required pam_sepermit.so
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
前置操作步骤
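# Back up the PAM stack for sshd so the restore step can put it back.
# -p keeps mode/owner/timestamps; -L copies the content of a symlinked source, whereas the
# original -r copied only the link itself.
# NOTE(review): /tmp is world-writable and the name is fixed, so the restore step later copies
# back whatever sits at /tmp/sshd. The path is kept because the restore step depends on it;
# a root-only directory (e.g. mkdir -m 700 /root/baseline-bak) is the better home for both steps.
backup_file() {
  # $1 = file to save; refuses to overwrite an existing /tmp entry (file or symlink), which also
  # keeps a second run from clobbering the pristine copy after hardening was applied.
  local src=$1 dest="/tmp/${1##*/}"
  if [ -e "$dest" ] || [ -L "$dest" ]; then
    printf '%s already exists; move it away before taking a new backup\n' "$dest" >&2
    return 1
  fi
  /bin/cp -pL -- "$src" "$dest"
}
backup_file /etc/pam.d/sshd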
加固操作步骤
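# Lock an account after 5 consecutive failed SSH logins for 600 s (10 min); root included.
# Anchor on the existing "auth include password-auth" line rather than on line number 3, so the
# module lands before the password check whatever the file layout, and skip the edit when a
# pam_tally2 line is already present (re-running the original stacked duplicates).
# onerr=fail denies the login if the tally file cannot be opened — fail-closed by design.
# NOTE(review): this covers SSH only; console and su logins use other PAM stacks and are not
# counted unless the same line is added there.
if grep -q 'pam_tally2\.so' /etc/pam.d/sshd; then
  printf 'pam_tally2 already configured in /etc/pam.d/sshd; nothing to do\n' >&2
else
  sed -i '/^auth[[:space:]]\+include[[:space:]]\+password-auth/i auth       required     pam_tally2.so onerr=fail deny=5 unlock_time=600 even_deny_root root_unlock_time=600' /etc/pam.d/sshd
fi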
查看封禁用户情况
# Show the per-user failure counters kept by pam_tally2, i.e. which accounts are currently locked.
pam_tally2
解封用户
# Clear root's failure counter, unlocking the account before unlock_time expires on its own.
pam_tally2 --user root --reset
加固确认步骤
cat /etc/pam.d/sshd
#%PAM-1.0
#%PAM-1.0
auth required pam_sepermit.so
auth required pam_tally2.so onerr=fail deny=5 unlock_time=600 even_deny_root root_unlock_time=600
auth include password-auth
account required pam_nologin.so
account include password-auth
password include password-auth
# pam_selinux.so close should be the first session rule
session required pam_selinux.so close
session required pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session required pam_selinux.so open env_params
session optional pam_keyinit.so force revoke
session include password-auth
恢复操作步骤
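# Put the pre-hardening PAM stack for sshd back.
# NOTE(review): the backup sits in world-writable /tmp, so it is checked to be a regular,
# root-owned file before it is copied over an authentication config file.
restore_file() {
  # $1 = destination path; its backup is /tmp/<basename>.
  local dest=$1 src="/tmp/${1##*/}"
  if [ ! -f "$src" ] || [ -L "$src" ] || [ "$(stat -c %U -- "$src")" != root ]; then
    printf 'refusing to restore %s from %s: missing, not a regular file, or not owned by root\n' "$dest" "$src" >&2
    return 1
  fi
  /bin/cp -fp -- "$src" "$dest"
}
restore_file /etc/pam.d/sshd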
配置普通用户
安全基线说明
1.配置不仅仅通过root用户进行日常运维操作;
2.配置普通用户不具备root权限;
3.普通用户不属于root组;
相关涉及标准
《GB/T 22239-2019 信息安全技术 网络安全等级保护基本要求》应授予管理用户所需的最小权限,实现管理用户的权限分离;
检测操作步骤
通过cat /etc/passwd核查用户及用户所属组:
cat /etc/passwd
前置操作步骤
无
加固操作步骤
添加用户user
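# Create an unprivileged account for day-to-day operations: the baseline wants routine work done
# as a non-root user who is not in the root group. With the stock /etc/login.defs shown above
# (USERGROUPS_ENAB yes, CREATE_HOME yes) useradd gives the user a private group of the same name
# and creates a home directory. "user" is a placeholder name — pick a real one.
id user >/dev/null 2>&1 || useradd user   # skip creation if the account already exists (re-runnable)
# Show uid/gid/groups so the "not in the root group" requirement can be read off directly.
id user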
修改用户user的口令
# Interactive: set the new account's password. The value is checked by the pam_cracklib rule in
# /etc/pam.d/system-auth, so it must satisfy the complexity policy configured in that step.
passwd user
加固确认步骤
# Switch to the new account to confirm it is usable; the baseline check is then an SSH login as
# this user from another host, not as root.
su user
使用普通用户尝试远程登录
恢复操作步骤
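# Remove the test account. -r also removes the home directory and mail spool that useradd
# created (CREATE_HOME yes in /etc/login.defs); plain userdel leaves them behind as orphaned files.
userdel -r user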
限制root用户远程登录
安全基线说明
1.限制root用户无法通过SSH直接远程登录,仅非root用户能够通过SSH远程登录;
相关涉及标准
《GB/T 22239-2019 信息安全技术 网络安全等级保护基本要求》应重命名或删除默认账户,修改默认账户的默认口令;
检测操作步骤
cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
前置操作步骤
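# Back up sshd_config so the restore step can put it back.
# -p keeps mode/owner/timestamps (sshd_config is normally root-only); -L copies the content of a
# symlinked source, whereas the original -r copied only the link itself.
# NOTE(review): /tmp is world-writable and the name is fixed, so the restore step later copies
# back whatever sits at /tmp/sshd_config. The path is kept because the restore step depends on
# it; a root-only directory (e.g. mkdir -m 700 /root/baseline-bak) is the better home for both.
backup_file() {
  # $1 = file to save; refuses to overwrite an existing /tmp entry (file or symlink), which also
  # keeps a second run from clobbering the pristine copy after hardening was applied.
  local src=$1 dest="/tmp/${1##*/}"
  if [ -e "$dest" ] || [ -L "$dest" ]; then
    printf '%s already exists; move it away before taking a new backup\n' "$dest" >&2
    return 1
  fi
  /bin/cp -pL -- "$src" "$dest"
}
backup_file /etc/ssh/sshd_config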
加固操作步骤
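# Disable direct root login over SSH.
# The original appended "PermitRootLogin no" after the commented default: that works on the stock
# file but silently does nothing when the comment is absent and stacks duplicates on re-run. Set
# the directive explicitly instead: replace an active one, else place it after the commented
# default, else at the top of the file so it precedes any Match block (an append at the end would
# fall inside one).
# CentOS 6 has no systemd — systemctl is not available there — so restart through the SysV
# service script, as the restore step already does; validate the file first so a typo cannot
# leave sshd unable to start.
# NOTE(review): make sure a working non-root account exists (see 配置普通用户) and keep this
# session open until a fresh SSH login as that user succeeds, otherwise this step locks you out.
if grep -q '^[[:space:]]*PermitRootLogin' /etc/ssh/sshd_config; then
  sed -i 's/^[[:space:]]*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
elif grep -q '^#PermitRootLogin' /etc/ssh/sshd_config; then
  sed -i '/^#PermitRootLogin/a PermitRootLogin no' /etc/ssh/sshd_config
else
  sed -i '1i PermitRootLogin no' /etc/ssh/sshd_config
fi
/usr/sbin/sshd -t && service sshd restart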
加固确认步骤
cat /etc/ssh/sshd_config
# $OpenBSD: sshd_config,v 1.80 2008/07/02 02:24:18 djm Exp $
# This is the sshd server system-wide configuration file. See
# sshd_config(5) for more information.
# This sshd was compiled with PATH=/usr/local/bin:/bin:/usr/bin
# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented. Uncommented options change a
# default value.
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::
# Disable legacy (protocol version 1) support in the server for new
# installations. In future the default will change to require explicit
# activation of protocol 1
Protocol 2
# HostKey for protocol version 1
#HostKey /etc/ssh/ssh_host_key
# HostKeys for protocol version 2
#HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
# Lifetime and size of ephemeral version 1 server key
#KeyRegenerationInterval 1h
#ServerKeyBits 1024
# Logging
# obsoletes QuietMode and FascistLogging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO
# Authentication:
#LoginGraceTime 2m
#PermitRootLogin yes
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10
#RSAAuthentication yes
#PubkeyAuthentication yes
#AuthorizedKeysFile .ssh/authorized_keys
#AuthorizedKeysCommand none
#AuthorizedKeysCommandRunAs nobody
# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#RhostsRSAAuthentication no
# similar for protocol version 2
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# RhostsRSAAuthentication and HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes
# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes
# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes
# GSSAPI options
#GSSAPIAuthentication no
GSSAPIAuthentication yes
#GSSAPICleanupCredentials yes
GSSAPICleanupCredentials yes
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
#UsePAM no
UsePAM yes
# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
#X11Forwarding no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation yes
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS yes
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
# no default banner path
#Banner none
# override default of no subsystems
Subsystem sftp /usr/libexec/openssh/sftp-server
# Example of overriding settings on a per-user basis
#Match User anoncvs
# X11Forwarding no
# AllowTcpForwarding no
# ForceCommand cvs server
恢复操作步骤
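# Put the pre-hardening sshd_config back and restart sshd.
# NOTE(review): the backup sits in world-writable /tmp, so it is checked to be a regular,
# root-owned file before it overwrites the daemon's config; sshd -t validates the restored file
# before the restart so a bad copy cannot leave sshd down.
restore_file() {
  # $1 = destination path; its backup is /tmp/<basename>.
  local dest=$1 src="/tmp/${1##*/}"
  if [ ! -f "$src" ] || [ -L "$src" ] || [ "$(stat -c %U -- "$src")" != root ]; then
    printf 'refusing to restore %s from %s: missing, not a regular file, or not owned by root\n' "$dest" "$src" >&2
    return 1
  fi
  /bin/cp -fp -- "$src" "$dest"
}
restore_file /etc/ssh/sshd_config && /usr/sbin/sshd -t && service sshd restart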
安全审计
安全基线说明
1.配置操作行为、重要文件的写、执行行为、安全事件的审计策略;
2.配置操作行为、重要文件的写、执行行为、安全事件的审计日志集中审计策略;
相关涉及标准
《GB/T 22239-2019 信息安全技术 网络安全等级保护基本要求》应启用安全审计功能,审计覆盖到每个用户,对重要的用户行为和重要安全事件进行审计;
《GB/T 22239-2019 信息安全技术 网络安全等级保护基本要求》应对审计记录进行保护,定期备份,避免受到未预期的删除、修改或覆盖等;
检测操作步骤
核查是否启用audit规则:
auditctl -s
核查是否配置重要文件操作:
auditctl -l
核查是否配置安全日志、操作日志发送至日志服务器集中审计的策略:
cat /etc/rsyslog.conf
# rsyslog v5 configuration file
# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see http://www.rsyslog.com/doc/troubleshoot.html
#### MODULES ####
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
#$ModLoad immark # provides --MARK-- message capability
# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514
# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514
#### GLOBAL DIRECTIVES ####
# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on
# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf
#### RULES ####
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.* /dev/console
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none /var/log/messages
# The authpriv file has restricted access.
authpriv.* /var/log/secure
# Log all the mail messages in one place.
mail.* -/var/log/maillog
# Log cron stuff
cron.* /var/log/cron
# Everybody gets emergency messages
*.emerg *
# Save news errors of level crit and higher in a special file.
uucp,news.crit /var/log/spooler
# Save boot messages also to boot.log
local7.* /var/log/boot.log
# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$WorkDirectory /var/lib/rsyslog # where to place spool files
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList # run asynchronously
#$ActionResumeRetryCount -1 # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###
前置操作步骤
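# Back up the three files the audit step rewrites so the restore step can put them back.
# -p keeps mode/owner/timestamps; -L copies the content of a symlinked source, whereas the
# original -r copied only the link itself.
# NOTE(review): /tmp is world-writable and the names are fixed, so the restore step later copies
# back whatever sits at /tmp/<name>. The paths are kept because the restore step depends on them;
# a root-only directory (e.g. mkdir -m 700 /root/baseline-bak) is the better home for both steps.
backup_file() {
  # $1 = file to save; refuses to overwrite an existing /tmp entry (file or symlink), which also
  # keeps a second run from clobbering the pristine copy after hardening was applied.
  local src=$1 dest="/tmp/${1##*/}"
  if [ -e "$dest" ] || [ -L "$dest" ]; then
    printf '%s already exists; move it away before taking a new backup\n' "$dest" >&2
    return 1
  fi
  /bin/cp -pL -- "$src" "$dest"
}
for f in /etc/audit/audit.rules /etc/rsyslog.conf /etc/audisp/plugins.d/syslog.conf; do
  backup_file "$f" || break
done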
加固操作步骤
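# Audit writes, attribute changes and executions (-p wax; reads are deliberately not watched) of
# security-relevant files and directories under one key, so events can be pulled with
# "ausearch -k changefileaction". Rules are appended to /etc/audit/audit.rules and are loaded
# when auditd is restarted at the end of this step. A rule is skipped when an identical line is
# already present, so the step can be re-run without duplicating rules.
# NOTE(review): /etc/auditd.conf may not exist on this release (the daemon config usually lives
# at /etc/audit/auditd.conf); a watch on a missing path is accepted and only fires if the path is
# created — confirm which file is present on the target.
audit_key=changefileaction
watched_paths=(
  /etc/passwd /etc/shadow /etc/crontab /etc/hosts /etc/hosts.allow /etc/hosts.deny
  /etc/fstab /etc/group /etc/gshadow /etc/ntp.conf /etc/sysctl.conf
  /etc/security/limits.conf /boot/grub/grub.conf /etc/ssh/sshd_config /etc/ssh/ssh_config
  /etc/udev/rules.d /etc/profile /etc/kdump.conf /etc/lvm/lvm.conf /etc/login.defs
  /etc/rsyslog.conf /etc/auditd.conf /etc/sysconfig /etc/multipath.conf
)
for p in "${watched_paths[@]}"; do
  rule="-w $p -p wax -k $audit_key"
  grep -qxF -- "$rule" /etc/audit/audit.rules || printf '%s\n' "$rule" >> /etc/audit/audit.rules
done
# Hand audit records to syslog on facility local6 through the audisp syslog plugin, so the
# rsyslog rules added next can write them locally and ship them to the log server.
# The patterns are anchored to the start of the line; the stock plugin file carries
# "active = no" and "args = LOG_INFO", so a file already edited to another facility is left alone.
sed -i 's/^active = no/active = yes/' /etc/audisp/plugins.d/syslog.conf
sed -i 's/^args = LOG_INFO/args = LOG_LOCAL6/' /etc/audisp/plugins.d/syslog.conf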
该位置的@10.0.0.1:514需要与日志服务器实际使用的传输协议(TCP/UDP)、IP地址及监听端口保持一致
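# rsyslog: keep a local copy of the audit/command log (local6) and forward local6 and authpriv
# to the central log server. Adjust protocol, address and port to match the collector.
# A rule is appended only when the identical line is not already present, so re-runs do not
# stack duplicates.
# NOTE(review): a single "@" is plain UDP — unencrypted, unauthenticated and lossy — and authpriv
# plus the command log carry sensitive data. The commented forwarding template further up in
# /etc/rsyslog.conf shows the TCP form ("@@host:514") with an on-disk queue for reliable
# delivery; prefer that, or a TLS-protected transport, when the collector supports it.
log_server='10.0.0.1:514'
for rule in \
  "local6.* /var/log/local6.log" \
  "local6.* @${log_server}" \
  "authpriv.* @${log_server}"; do
  grep -qxF -- "$rule" /etc/rsyslog.conf || printf '%s\n' "$rule" >> /etc/rsyslog.conf
done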
# Interactive: opens the system-wide bashrc. Press Shift+G to jump to the last line and append
# the two lines shown below.
vi /etc/bashrc
按Shift+G快速跳到最后添加如下内容
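# Two lines appended to /etc/bashrc: announce each shell start and log every command to local6
# (routed by the rsyslog rules above to /var/log/local6.log and to the log server).
# Fixes: the command text is read with -r and printed quoted ("$y"), so it is no longer
# glob-expanded and word-split before it is logged — the original `echo $y` turned a literal "*"
# in the typed command into a directory listing. Expansions are double-quoted instead of
# relying on \" \| escapes.
# NOTE(review): this is a convenience trail, not a security boundary — a user can unset
# PROMPT_COMMAND, start another shell or turn off history; the auditd rules are the
# authoritative record. The full command line is logged, so secrets typed as arguments reach
# /var/log/local6.log and the collector in clear text.
logger -p local6.info "\"====================nowuser:$(whoami)|loginstatus:$(who am i)==================== is login \""
export PROMPT_COMMAND='{ msg=$(history 1 | { read -r x y; printf "%s" "$y"; }); logger -p local6.info "[nowuser:$(whoami)] [loginstatus:$(who am i)] #command# \"${msg}\""; }'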
# Load the new bashrc lines into this shell, then restart the daemons so the appended rsyslog
# rules and audit rules take effect.
. /etc/bashrc
for svc in rsyslog auditd; do
  service "$svc" restart
done
加固确认步骤
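# End-to-end check of the audit/log pipeline.
auditctl -l
# Trigger one watched event without changing any content. The watches use -p wax, so a plain
# read does not match — the original "cat /etc/passwd /etc/shadow" generated no event and printed
# password hashes to the terminal for nothing. GNU touch opens an existing file for writing
# before setting its times, which the "w" permission catches.
touch /etc/passwd
# Pull the matching records by key instead of grepping the tail of the raw log.
ausearch -k changefileaction | tail -20
tail -20 /var/log/messages | grep -E "passwd|content"
tail -20 /var/log/local6.log | grep -E "passwd|content|command"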
恢复操作步骤
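# Undo the audit step: drop the live rules, then put the saved config files back. No audit rules
# are loaded until auditd is restarted at the end of this step.
# NOTE(review): the backups sit in world-writable /tmp, so each one is checked to be a regular,
# root-owned file before it is copied over a system config file.
auditctl -D
restore_file() {
  # $1 = destination path; its backup is /tmp/<basename>.
  local dest=$1 src="/tmp/${1##*/}"
  if [ ! -f "$src" ] || [ -L "$src" ] || [ "$(stat -c %U -- "$src")" != root ]; then
    printf 'refusing to restore %s from %s: missing, not a regular file, or not owned by root\n' "$dest" "$src" >&2
    return 1
  fi
  /bin/cp -fp -- "$src" "$dest"
}
for f in /etc/audit/audit.rules /etc/rsyslog.conf /etc/audisp/plugins.d/syslog.conf; do
  restore_file "$f" || break
done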
# Interactive: opens the system-wide bashrc. Press Shift+G to jump to the end and delete the two
# lines the hardening step appended (reproduced below for reference).
vi /etc/bashrc
按Shift+G快速跳到最后删除最后两行
# Reference only: the two lines the hardening step appended to /etc/bashrc, reproduced verbatim
# so they can be located and deleted in the editor; they are not meant to be run as part of the
# restore.
logger -p local6.info \"====================nowuser:`whoami`\|loginstatus:`who am i`==================== is login \"
export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; }); logger -p local6.info \[nowuser\:$(whoami)\] \[loginstatus:$(who am i)\] \#command\# \""${msg}"\"; }'
# Re-read the (now trimmed) bashrc in this shell, then restart the daemons so the restored
# rsyslog and audit configs are loaded.
. /etc/bashrc
for svc in rsyslog auditd; do
  service "$svc" restart
done
批量操作
前置批量操作
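# Batch backup of every file the hardening steps rewrite, so the batch restore can put them back.
# -p keeps mode/owner/timestamps; -L copies the content of a symlinked source, whereas the
# original -r copied only the link itself (authconfig-managed PAM files are often symlinks —
# confirm on the target).
# NOTE(review): /tmp is world-writable and the names are fixed, so the restore step later copies
# back whatever sits at /tmp/<name>. The paths are kept because the restore step depends on them;
# a root-only directory (e.g. mkdir -m 700 /root/baseline-bak) is the better home for both steps.
backup_file() {
  # $1 = file to save; refuses to overwrite an existing /tmp entry (file or symlink), which also
  # keeps a second run from clobbering the pristine copy after hardening was applied.
  local src=$1 dest="/tmp/${1##*/}"
  if [ -e "$dest" ] || [ -L "$dest" ]; then
    printf '%s already exists; move it away before taking a new backup\n' "$dest" >&2
    return 1
  fi
  /bin/cp -pL -- "$src" "$dest"
}
for f in \
  /etc/pam.d/system-auth \
  /etc/login.defs \
  /etc/pam.d/sshd \
  /etc/ssh/sshd_config \
  /etc/audit/audit.rules \
  /etc/rsyslog.conf \
  /etc/audisp/plugins.d/syslog.conf; do
  backup_file "$f" || break
done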
加固批量操作
此处创建的具体用户名和口令须符合安全基线策略的要求
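# Batch hardening: the edits of all five baseline items in one go. Every edit is idempotent
# (skipped or replaced in place), so the block can be re-run after a partial failure. The
# service restarts follow in the next step.

# 1. Unprivileged operations account. "user" is a placeholder; passwd prompts interactively, so
#    this "batch" still needs an operator at the terminal.
id user >/dev/null 2>&1 || useradd user
passwd user

# 2. Password complexity (pam_cracklib) and aging (login.defs). The cracklib line is rewritten in
#    place instead of being inserted at a fixed line number (which left two stacked entries);
#    enforce_for_root covers root too. The file header warns that authconfig regenerates
#    system-auth. PASS_MIN_LEN in login.defs is read by shadow-utils only (its header says so);
#    the original PASS_MAX_DAYS edit replaced 99999 with 99999 and never set a rotation period —
#    90 below is a placeholder, set per local policy.
cracklib_opts='try_first_pass retry=3 type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root'
if grep -q '^password[[:space:]]\+requisite[[:space:]]\+pam_cracklib\.so' /etc/pam.d/system-auth; then
  sed -i "s/^password[[:space:]]\+requisite[[:space:]]\+pam_cracklib\.so.*/password    requisite     pam_cracklib.so ${cracklib_opts}/" /etc/pam.d/system-auth
else
  printf 'no pam_cracklib line found in /etc/pam.d/system-auth; add it by hand before the pam_unix password line\n' >&2
fi
pass_max_days=90
sed -i "s/^PASS_MAX_DAYS[[:space:]]\+[0-9]\+/PASS_MAX_DAYS\t${pass_max_days}/" /etc/login.defs
sed -i 's/^PASS_MIN_LEN[[:space:]]\+[0-9]\+/PASS_MIN_LEN\t8/' /etc/login.defs

# 3. Lock out after 5 failed SSH logins for 600 s, root included; anchored on the existing
#    "auth include password-auth" line rather than on line 3. onerr=fail is fail-closed.
#    Covers SSH only — console and su use other PAM stacks.
grep -q 'pam_tally2\.so' /etc/pam.d/sshd || \
  sed -i '/^auth[[:space:]]\+include[[:space:]]\+password-auth/i auth       required     pam_tally2.so onerr=fail deny=5 unlock_time=600 even_deny_root root_unlock_time=600' /etc/pam.d/sshd

# 4. No direct root login over SSH: replace an active directive, else place "PermitRootLogin no"
#    after the commented default, else at the top (ahead of any Match block, where an append at
#    the end would be scoped). sshd -t validates the file before the restart in the next step.
#    Confirm the account from step 1 can log in before that restart, or this locks you out.
if grep -q '^[[:space:]]*PermitRootLogin' /etc/ssh/sshd_config; then
  sed -i 's/^[[:space:]]*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
elif grep -q '^#PermitRootLogin' /etc/ssh/sshd_config; then
  sed -i '/^#PermitRootLogin/a PermitRootLogin no' /etc/ssh/sshd_config
else
  sed -i '1i PermitRootLogin no' /etc/ssh/sshd_config
fi
/usr/sbin/sshd -t

# 5. Audit writes/attribute changes/executions (-p wax; reads are not watched) of key files under
#    one key, and hand audit records to syslog facility local6 via the audisp syslog plugin.
#    NOTE(review): /etc/auditd.conf may not exist on this release (the daemon config usually
#    lives at /etc/audit/auditd.conf); a watch on a missing path is accepted and only fires if
#    the path is created — confirm which file is present on the target.
audit_key=changefileaction
watched_paths=(
  /etc/passwd /etc/shadow /etc/crontab /etc/hosts /etc/hosts.allow /etc/hosts.deny
  /etc/fstab /etc/group /etc/gshadow /etc/ntp.conf /etc/sysctl.conf
  /etc/security/limits.conf /boot/grub/grub.conf /etc/ssh/sshd_config /etc/ssh/ssh_config
  /etc/udev/rules.d /etc/profile /etc/kdump.conf /etc/lvm/lvm.conf /etc/login.defs
  /etc/rsyslog.conf /etc/auditd.conf /etc/sysconfig /etc/multipath.conf
)
for p in "${watched_paths[@]}"; do
  rule="-w $p -p wax -k $audit_key"
  grep -qxF -- "$rule" /etc/audit/audit.rules || printf '%s\n' "$rule" >> /etc/audit/audit.rules
done
sed -i 's/^active = no/active = yes/' /etc/audisp/plugins.d/syslog.conf
sed -i 's/^args = LOG_INFO/args = LOG_LOCAL6/' /etc/audisp/plugins.d/syslog.conf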
该位置的@10.0.0.1:514需要与日志服务器实际使用的传输协议(TCP/UDP)、IP地址及监听端口保持一致
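# rsyslog: keep a local copy of the audit/command log (local6) and forward local6 and authpriv
# to the central log server. Adjust protocol, address and port to match the collector.
# A rule is appended only when the identical line is not already present, so re-runs do not
# stack duplicates.
# NOTE(review): a single "@" is plain UDP — unencrypted, unauthenticated and lossy — and authpriv
# plus the command log carry sensitive data. The commented forwarding template in
# /etc/rsyslog.conf shows the TCP form ("@@host:514") with an on-disk queue for reliable
# delivery; prefer that, or a TLS-protected transport, when the collector supports it.
log_server='10.0.0.1:514'
for rule in \
  "local6.* /var/log/local6.log" \
  "local6.* @${log_server}" \
  "authpriv.* @${log_server}"; do
  grep -qxF -- "$rule" /etc/rsyslog.conf || printf '%s\n' "$rule" >> /etc/rsyslog.conf
done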
# Interactive: opens the system-wide bashrc. Press Shift+G to jump to the last line, then o to
# open a new line, and add the two lines shown below.
vi /etc/bashrc
按Shift+G快速跳到文件末尾,再按o另起一行添加如下内容
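# Two lines appended to /etc/bashrc: announce each shell start and log every command to local6
# (routed by the rsyslog rules above to /var/log/local6.log and to the log server).
# Fixes: the command text is read with -r and printed quoted ("$y"), so it is no longer
# glob-expanded and word-split before it is logged — the original `echo $y` turned a literal "*"
# in the typed command into a directory listing. Expansions are double-quoted instead of
# relying on \" \| escapes.
# NOTE(review): this is a convenience trail, not a security boundary — a user can unset
# PROMPT_COMMAND, start another shell or turn off history; the auditd rules are the
# authoritative record. The full command line is logged, so secrets typed as arguments reach
# /var/log/local6.log and the collector in clear text.
logger -p local6.info "\"====================nowuser:$(whoami)|loginstatus:$(who am i)==================== is login \""
export PROMPT_COMMAND='{ msg=$(history 1 | { read -r x y; printf "%s" "$y"; }); logger -p local6.info "[nowuser:$(whoami)] [loginstatus:$(who am i)] #command# \"${msg}\""; }'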
# Load the new bashrc lines into this shell, then restart every daemon whose config the batch
# step changed: rsyslog (new rules), auditd (new audit rules), sshd (PermitRootLogin).
. /etc/bashrc
for svc in rsyslog auditd sshd; do
  service "$svc" restart
done
恢复批量操作
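# Batch restore: remove the test account, put the saved configs back, reload sshd, drop the audit
# rules and restore the audit/syslog configs (auditd and rsyslog are restarted in the next step).
# NOTE(review): the backups sit in world-writable /tmp, so each one is checked to be a regular,
# root-owned file before it is copied over a system config file.
restore_file() {
  # $1 = destination path; its backup is /tmp/<basename>.
  local dest=$1 src="/tmp/${1##*/}"
  if [ ! -f "$src" ] || [ -L "$src" ] || [ "$(stat -c %U -- "$src")" != root ]; then
    printf 'refusing to restore %s from %s: missing, not a regular file, or not owned by root\n' "$dest" "$src" >&2
    return 1
  fi
  /bin/cp -fp -- "$src" "$dest"
}
# -r also removes the home directory useradd created (CREATE_HOME yes in /etc/login.defs).
userdel -r user
for f in /etc/pam.d/system-auth /etc/login.defs /etc/pam.d/sshd /etc/ssh/sshd_config; do
  restore_file "$f" || break
done
# Validate the restored sshd_config before restarting so a bad copy cannot leave sshd down.
/usr/sbin/sshd -t && service sshd restart
# Drop the live audit rules; nothing is audited until auditd is restarted in the next step.
auditctl -D
for f in /etc/audit/audit.rules /etc/rsyslog.conf /etc/audisp/plugins.d/syslog.conf; do
  restore_file "$f" || break
done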
# Interactive: opens the system-wide bashrc. Press Shift+G to jump to the end and delete the two
# lines the hardening step appended (reproduced below for reference).
vi /etc/bashrc
按Shift+G快速跳到最后删除最后两行
# Reference only: the two lines the hardening step appended to /etc/bashrc, reproduced verbatim
# so they can be located and deleted in the editor; they are not meant to be run as part of the
# restore.
logger -p local6.info \"====================nowuser:`whoami`\|loginstatus:`who am i`==================== is login \"
export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; }); logger -p local6.info \[nowuser\:$(whoami)\] \[loginstatus:$(who am i)\] \#command\# \""${msg}"\"; }'
# Re-read the (now trimmed) bashrc in this shell, then restart every daemon whose config was
# restored: rsyslog, auditd and sshd.
. /etc/bashrc
for svc in rsyslog auditd sshd; do
  service "$svc" restart
done
参考链接:
https://blog.csdn.net/weixin_53532638/article/details/119728305