德勤审计重点关注的linux文件命令 - 剩禁止容器root deqin审计

第一,他们关心权限控制和网络控制。

第二,他们会查看以下 Linux 文件(既看文件内容,也看文件的属主和权限位)。

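#!/usr/bin/env bash
# Evidence-collection script for the Deloitte ("DEQIN") Linux audit.
#
# The auditors ask for the content or the owner/mode of a fixed list of
# files: account database, PAM/password policy, sudo policy, cron/at
# access control, r-service trust files, sshd configuration and the
# installed package list.  Each command is run once and its output is
# appended to <hostname>-DEQIN.log in the current directory, preceded by
# a "# <command>" header so the log reads like a terminal transcript.
#
# Run as root: /etc/shadow, /etc/sudoers and /var/spool/cron/* are not
# readable by anyone else.  The resulting log contains password hashes
# and the sudo policy.  It is therefore created with mode 0600; transfer
# it over an encrypted channel and delete it once the audit is over.
#
# Optional environment (the two host-specific items the auditors also
# ask for, which the original list left as "ls -la APP path / DB path"):
#   APP_DIR  application directory to list with "ls -la"
#   DB_DIR   database directory to list with "ls -la"
set -u
# The log holds /etc/shadow hashes: never let it be created world-readable.
umask 077

# $HOSTNAME is only set by interactive bash; fall back to hostname(1) so
# the log is not called "-DEQIN.log" when run from sh or cron.
: "${HOSTNAME:=$(hostname)}"
readonly LOG="${HOSTNAME}-DEQIN.log"

if [[ $EUID -ne 0 ]]; then
  printf 'warning: not running as root; /etc/shadow, sudoers and crontabs will be unreadable\n' >&2
fi

# capture <cmd> [arg…]
# Writes a "# cmd arg…" header and then the command's stdout AND stderr
# to $LOG.  stderr is kept on purpose: "No such file or directory" for
# /etc/hosts.equiv or at.allow is itself the evidence the auditor wants.
capture() {
  printf '# %s\n' "$*" >> "$LOG"
  "$@" >> "$LOG" 2>&1
}

# umask already gives 0600 on creation; chmod covers a pre-existing log.
touch -- "$LOG" && chmod 600 -- "$LOG"

# --- accounts and password policy ---------------------------------------
capture cat /etc/shadow
capture cat /etc/passwd
capture cat /etc/login.defs
capture cat /etc/pam.d/system-auth
capture cat /etc/pam.conf

# --- r-service trust files (should not exist) ---------------------------
capture cat /etc/hosts.equiv
# .rhosts is per user; the original "cat .rhosts" only looked in the
# current working directory.  Check every home listed in /etc/passwd.
printf '# cat ~/.rhosts (all accounts in /etc/passwd)\n' >> "$LOG"
while IFS=: read -r user _ _ _ _ home _; do
  if [[ -f "${home}/.rhosts" ]]; then
    printf '## %s: %s/.rhosts\n' "$user" "$home" >> "$LOG"
    cat -- "${home}/.rhosts" >> "$LOG" 2>&1
  fi
done < /etc/passwd

# --- password quality, groups, privilege --------------------------------
capture cat /etc/pam.d/common-password              # Debian/SUSE layout
capture cat /etc/pam.d/common-password-complexity
capture cat /etc/group
capture cat /var/adm/sulog                          # AIX/HP-UX path; absent on Linux
capture cat /etc/sudoers

# --- owner and mode of security-relevant files --------------------------
capture ls -la /etc/exports
capture ls -la /etc/inetd.conf
capture ls -la /etc/passwd
capture ls -la /etc/services
capture ls -la /etc/shadow
capture ls -la /etc/securetty
capture ls -la /etc/group
capture ls -la /etc/ftpusers

# --- terminal login restrictions and sshd -------------------------------
capture cat /etc/securetty
capture cat /etc/pam.d/login
capture cat /etc/ssh/sshd_config

# --- cron / at access control -------------------------------------------
# Both the AIX paths (/var/adm/cron) and the Linux paths (/etc) are in
# the auditors' list; whichever set is absent simply logs an error.
capture cat /var/adm/cron/cron.allow
capture cat /var/adm/cron/cron.deny
capture cat /var/adm/cron/at.allow
capture cat /var/adm/cron/at.deny
capture ls -la /etc/cron.allow
capture ls -la /etc/cron.deny
capture ls -la /etc/at.allow
capture ls -la /etc/at.deny
capture ls -la /var/log/cron
# Globs expand in this shell; an empty spool leaves the literal pattern,
# which ls/cat then report as "No such file" in the log.
capture ls -la /var/spool/cron/*
capture ls -la /var/spool/at/*
capture cat /var/spool/cron/*

# --- installed packages -------------------------------------------------
if command -v rpm > /dev/null 2>&1; then
  capture rpm -qai
elif command -v dpkg > /dev/null 2>&1; then
  capture dpkg -l
else
  printf '# rpm -qai\nneither rpm nor dpkg found on this host\n' >> "$LOG"
fi

# --- host-specific paths the auditors also ask for ----------------------
for dir in "${APP_DIR:-}" "${DB_DIR:-}"; do
  [[ -n "$dir" ]] && capture ls -la -- "$dir"
done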

cat /etc/login.defs | grep -v ^# | grep -v ^$


MAIL_DIR	/var/spool/mail
PASS_MAX_DAYS	90
PASS_MIN_DAYS	1
PASS_MIN_LEN    8
PASS_WARN_AGE	7
UID_MIN                  1000
UID_MAX                 60000
SYS_UID_MIN               201
SYS_UID_MAX               999
GID_MIN                  1000
GID_MAX                 60000
SYS_GID_MIN               201
SYS_GID_MAX               999
CREATE_HOME	yes
UMASK           077
USERGROUPS_ENAB yes
ENCRYPT_METHOD MD5
MD5_CRYPT_ENAB yes

cat /etc/securetty # 这里面的终端不能写太多
console
tty1

需要重点关注几个配置文件:/etc/ssh/sshd_config、/etc/pam.d/system-auth、/etc/sudoers。注意 sshd_config 对同一关键字以第一次出现的值为准,下面这几行要放在文件中已有的同名配置之前(或直接改原有那一行),否则不生效;另外行尾的 "# 注释" 只有较新版本的 OpenSSH 才接受,较旧版本可能报 "garbage at end of line" 而拒绝启动。改完务必用 sshd -t 检查语法,用 sshd -T 核对实际生效值。

PermitRootLogin no              # 禁止root用户登录
PermitEmptyPasswords no    # 禁止空密码用户登录
LoginGraceTime 2m             # 登录验证时间为2分钟
MaxAuthTries 6                   #  最大重试次数6次

再加上此文章里面提到的等保三级要求的:
https://www.jianshu.com/p/9cbbe4f6ffbc

pam详解: /etc/pam.d/system-auth 策略

# cat /etc/pam.d/system-auth
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
#
# NOTE(review): authconfig will overwrite hand edits on its next run;
# keep a copy of this file (or apply the changes via authconfig/authselect).
#
# --- auth stack ---------------------------------------------------------
auth        required      pam_env.so
# 2 s delay after every failed authentication (slows down brute force).
auth        required      pam_faildelay.so delay=2000000
# "sufficient": a correct password returns success HERE and nothing below
# in the auth stack runs.  "nullok" lets accounts with an empty password
# field log in; drop it if the audit asks for "no empty passwords".
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

# --- account stack ------------------------------------------------------
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

# --- password stack -----------------------------------------------------
# Quality rules: retry=5 attempts, difok=3 chars must differ from the old
# password, minlen=10, at least 1 upper (ucredit=-1), 3 lower (lcredit=-3)
# and 3 digits (dcredit=-3), checked against the cracklib dictionary.
# enforce_for_root: without it root is only warned, not refused.
password    requisite     pam_cracklib.so retry=5 difok=3 minlen=10 ucredit=-1 lcredit=-3 dcredit=-3 dictpath=/usr/share/cracklib/pw_dict enforce_for_root # add enforce_for_root so the rules also apply to root
# Lockout: 5 failures lock the account for 1800 s, root included.
# NOTE(review): this "auth" line is placed AFTER "auth sufficient pam_unix.so"
# above, so on a correct password the stack has already returned and
# pam_tally2 is never consulted -- a locked account with the right password
# still logs in.  Move it before pam_unix.so, and add
# "account required pam_tally2.so" so the counter is reset on success.
auth        required      pam_tally2.so onerr=fail deny=5 unlock_time=1800 even_deny_root root_unlock_time=1800
# NOTE(review): as listed here the password stack has no
# "password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok"
# line, i.e. no module that actually writes the new hash to /etc/shadow;
# pam_cracklib only checks quality and pam_deny only refuses.  Verify with
# "passwd" on a test account that password changes still work.
password    required      pam_deny.so

# --- session stack ------------------------------------------------------
session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
# Leading "-": silently skip if the module is not installed.
-session     optional      pam_systemd.so
# For crond, success=1 jumps over the next line (pam_unix session).
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so


pam详细介绍:
https://www.cnblogs.com/marility/articles/9235522.html

容器禁止root:https://blog.csdn.net/qq_34556414/article/details/119426755

以下是实际通过审计的采集结果(省略了 rpm -qai 的输出):

# cat /etc/shadow # 第 5 字段(密码最长有效期)由 99999 改成 90 后通过了审计。注意 root 的哈希以 $1$ 开头,说明仍是 MD5(对应前面 login.defs 里的 ENCRYPT_METHOD MD5);把 ENCRYPT_METHOD 改成 SHA512 只影响之后修改的密码,已有账号必须重新设一次密码才会变成 $6$ 开头的 SHA-512 哈希。
root:$1$vGgibHfk$CxxxxxxxXoh0/:18796:0:90:7:::

# cat /etc/login.defs
MAIL_DIR	/var/spool/mail
#MAIL_FILE	.mail
# Password aging controls:
#
#	PASS_MAX_DAYS	Maximum number of days a password may be used.
#	PASS_MIN_DAYS	Minimum number of days allowed between password changes.
#	PASS_MIN_LEN	Minimum acceptable password length.
#	PASS_WARN_AGE	Number of days warning given before a password expires.
#
# 密码最大有效期
PASS_MAX_DAYS   90
# 两次修改密码的最小间隔时间
PASS_MIN_DAYS   1
# 密码最小长度,对于root无效
PASS_MIN_LEN    8
# 密码过期前 7 天开始提示
PASS_WARN_AGE   7
UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               201
SYS_UID_MAX               999
GID_MIN                  1000
GID_MAX                 60000
# System accounts
SYS_GID_MIN               201
SYS_GID_MAX               999
CREATE_HOME	yes
UMASK           077
USERGROUPS_ENAB yes
ENCRYPT_METHOD SHA512 

# cat /etc/pam.d/system-auth
# 审阅注:(1) 下面的 "auth required pam_tally2.so" 排在 "auth sufficient pam_unix.so" 之后,密码正确时 pam_unix 已经以 sufficient 返回成功,pam_tally2 根本不会执行,被锁定的账号输入正确密码照样能登录;且没有 "account required pam_tally2.so",计数器在登录成功后也不会清零。pam_tally2 应放到 pam_unix 之前。(2) 按这里贴出的内容,password 栈里没有 "password sufficient pam_unix.so sha512 shadow ... use_authtok" 这一行,实际没有模块去写 /etc/shadow;文件末尾(session 之后)又重复出现一遍 pam_cracklib(无 enforce_for_root)和 pam_tally2,应清理重复行。请在测试账号上用 passwd 和故意输错密码验证,并用 pam_tally2 -u 用户名 查看计数。
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid >= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_cracklib.so retry=5 difok=3 minlen=10 ucredit=-1 lcredit=-3 dcredit=-3 dictpath=/usr/share/cracklib/pw_dict enforce_for_root
auth        required      pam_tally2.so onerr=fail deny=5 unlock_time=1800 even_deny_root root_unlock_time=1800
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session     optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

password    requisite     pam_cracklib.so retry=5 difok=3 minlen=10 ucredit=-1 lcredit=-3 dcredit=-3 dictpath=/usr/share/cracklib/pw_dict
auth        required      pam_tally2.so onerr=fail deny=5 unlock_time=1800 even_deny_root root_unlock_time=1800
# cat /etc/pam.conf
# cat /etc/hosts.equiv
# cat .rhosts
# cat /etc/pam.d/common-password
# cat /etc/pam.d/common-password-complexity
# cat /etc/group
# 审阅注:下面 docker 组里有 ubi、ccore、zccx、ccore-logs、zjpt、jlcx 六个账号。docker 组成员可以访问 docker.sock,等同于主机 root(例如 docker run -v /:/host 就能读写整个根文件系统),这与"容器禁止 root"的目标相矛盾,审计"权限控制"时很可能被问到;wheel 组里的 centos、xiandai 同理需要有说明。
root:x:0:
bin:x:1:
daemon:x:2:
sys:x:3:
adm:x:4:centos
tty:x:5:
disk:x:6:
lp:x:7:
mem:x:8:
kmem:x:9:
wheel:x:10:centos,xiandai
cdrom:x:11:
mail:x:12:postfix
man:x:15:
dialout:x:18:
floppy:x:19:
games:x:20:
tape:x:33:
video:x:39:
ftp:x:50:
lock:x:54:
audio:x:63:
nobody:x:99:
users:x:100:
utmp:x:22:
utempter:x:35:
input:x:999:
systemd-journal:x:190:centos
systemd-network:x:192:
dbus:x:81:
polkitd:x:998:
rpc:x:32:
ssh_keys:x:997:
cgred:x:996:
rpcuser:x:29:
nfsnobody:x:65534:
sshd:x:74:
postdrop:x:90:
postfix:x:89:
chrony:x:995:
centos:x:1000:
tcpdump:x:72:
screen:x:84:
docker:x:994:ubi,ccore,zccx,ccore-logs,zjpt,jlcx
zabbix:x:993:
xiandai:x:1001:
worker:x:1002:
nginx:x:992:
sslh:x:991:
named:x:25:
ubi:x:1003:
ccore:x:1004:
zccx:x:1005:
ccore-logs:x:1006:
zjpt:x:1007:
jlcx:x:1008:
# cat /var/adm/sulog
# cat /etc/sudoers
# 审阅注:下面同时出现了 "@includedir /etc/sudoers.d"(手工加的)和 cloud-init 追加的 "#includedir /etc/sudoers.d",两者等价,应只保留一个;改动后用 visudo -c 检查。被注释掉的 "!/bin/bash,!/bin/sh" 这类黑名单写法即使启用也很容易绕过,不要作为权限控制依据。
## sudoers file.
Defaults env_keep += "LANG LANGUAGE LINGUAS LC_* _XKB_CHARSET"
Defaults env_keep += "QTDIR KDEDIR"
root ALL=(ALL) ALL
@includedir /etc/sudoers.d
# Added by cloud-init v. 18.2 on Mon, 26 Apr 2021 11:37:05 +0000
#includedir /etc/sudoers.d
#ALL  ALL=(ALL)  ALL,!/bin/bash,!/bin/sh,!/bin/tcsh,!/usr/bin/chattr
#xiandai ALL=(ALL) NOPASSWD: ALL
# ls -la /etc/exports
-rw-r--r--. 1 root root 0 Jun  7  2013 /etc/exports
# ls -la /etc/inetd.conf
# ls -la /etc/passwd
-rw-r--r-- 1 root root 1680 Dec  2 17:30 /etc/passwd
# ls -la /etc/services
-rw-r--r--. 1 root root 670293 Jun  7  2013 /etc/services
# ls -la  /etc/shadow
---------- 1 root root 1821 Dec  2 17:30 /etc/shadow
# ls -la /etc/securetty
-rw-------. 1 root root 221 Oct 31  2018 /etc/securetty
# ls -la /etc/group
-rw-r--r-- 1 root root 788 Dec  2 17:30 /etc/group
# ls -la /etc/ftpusers
# cat /etc/securetty
console
tty1
# cat /etc/pam.d/login
#%PAM-1.0
auth [user_unknown=ignore success=ok ignore=ignore default=bad] pam_securetty.so
auth       substack     system-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      system-auth
password   include      system-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
session    optional     pam_console.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      system-auth
session    include      postlogin
-session   optional     pam_ck_connector.so
# cat /etc/ssh/sshd_config
# 审阅注:sshd 对同一关键字只取第一次出现的值,前面已经有 "GSSAPIAuthentication yes",后面追加的 "GSSAPIAuthentication no # diy" 不会生效,应直接改原来那一行;PasswordAuthentication yes 和 X11Forwarding yes 也是审计常问项。带行尾注释的几行在较旧版本 OpenSSH 上可能被当作语法错误,改完用 sshd -t 检查,并用 sshd -T | grep -i gssapi 核对实际生效值。
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
SyslogFacility AUTHPRIV
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp	/usr/libexec/openssh/sftp-server
GSSAPIAuthentication no # diy
UseDNS no # diy
listenAddress 0.0.0.0:22 # diy
PermitRootLogin no              # 禁止root用户登录
PermitEmptyPasswords no    # 禁止空密码用户登录
LoginGraceTime 2m             # 登录验证时间为2分钟
MaxAuthTries 6                   #  最大重试次数6次
# cat /var/adm/cron/cron.allow
# cat /var/adm/cron/cron.deny
# cat /var/adm/cron/at.allow
# cat /var/adm/cron/at.deny
# ls -la /etc/cron.allow
# ls -la /etc/cron.deny
-rw-------. 1 root root 0 Nov 20  2018 /etc/cron.deny
# ls -la /etc/at.allow
# ls -la /etc/at.deny
# ls -la /var/log/cron
-rw-r--r-- 1 root root 1542281 Dec  3 10:51 /var/log/cron
# ls -la /var/spool/cron/*
-rw------- 1 root root 422 Aug  9 08:49 /var/spool/cron/root
# ls -la /var/spool/at/*
# cat /var/spool/cron/* # 腾讯监控定时任务
*/5 * * * * flock -xn /tmp/stargate.lock -c '/usr/local/qcloud/stargate/admin/start.sh > /dev/null 2>&1 &'
