CentOS7等保问题处理
密码复杂度策略
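#!/usr/bin/env bash
# Password complexity (pam_pwquality): at least 8 characters with at least one
# digit, one upper-case, one lower-case and one other character. Also disables
# core dumps via limits.conf and restricts su to members of wheel.
# Idempotent: key/value lines are replaced rather than appended twice, and the
# first-run backups (*.bak) are never overwritten by a later run, so the
# pristine copy survives re-runs.
set -euo pipefail

readonly PWQUALITY=/etc/security/pwquality.conf
readonly LIMITS=/etc/security/limits.conf
readonly PAM_SU=/etc/pam.d/su

die() { printf '%s\n' "$*" >&2; exit 1; }

# backup FILE — keep a pristine copy at FILE.bak; never clobber it on re-runs.
backup() {
  local f=$1
  [[ -e "${f}.bak" ]] || cp -p -- "$f" "${f}.bak"
}

# set_kv FILE KEY VALUE — replace any active "KEY = ..." line with the new value.
# Only active lines are removed; the stock "# key = value" documentation stays.
set_kv() {
  local file=$1 key=$2 value=$3
  sed -i "/^[[:space:]]*${key}[[:space:]]*=/d" -- "$file"
  printf '%s = %s\n' "$key" "$value" >> "$file"
}

# ensure_line FILE LINE — append LINE unless an identical line already exists.
ensure_line() {
  local file=$1 line=$2
  grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

# pam_has FILE TYPE CONTROL MODULE_RE — true if an active rule for the module
# exists (whitespace-insensitive, so tab-separated stock lines match too).
pam_has() {
  local file=$1 type=$2 control=$3 module=$4
  grep -Eq "^${type}[[:space:]]+${control}[[:space:]]+${module}" -- "$file"
}

(( EUID == 0 )) || die "must run as root"

backup "$PWQUALITY"
backup "$LIMITS"
backup "$PAM_SU"

# Negative credit = required minimum count of that character class.
set_kv "$PWQUALITY" minlen 8
set_kv "$PWQUALITY" dcredit -1
set_kv "$PWQUALITY" ucredit -1
set_kv "$PWQUALITY" lcredit -1
set_kv "$PWQUALITY" ocredit -1

# No core dumps for any user (core files can contain credentials and keys).
ensure_line "$LIMITS" '* soft core 0'
ensure_line "$LIMITS" '* hard core 0'

# su: root may su without a password; everyone else must be in wheel.
# A rule appended at the end of the stack runs after the system-auth substack,
# so a non-wheel user is still denied, but only after the password prompt. When
# the distribution ships the wheel rule commented out near the top (as CentOS 7
# typically does), uncomment it in place so it keeps its intended position.
pam_has "$PAM_SU" auth sufficient 'pam_rootok\.so' \
  || ensure_line "$PAM_SU" 'auth sufficient pam_rootok.so'
if grep -Eq '^#[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]]+use_uid' -- "$PAM_SU"; then
  sed -i -E 's/^#[[:space:]]*(auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]]+use_uid)/\1/' -- "$PAM_SU"
elif ! pam_has "$PAM_SU" auth required 'pam_wheel\.so'; then
  ensure_line "$PAM_SU" 'auth required pam_wheel.so use_uid'
fi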
口令定期更换策略
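#!/usr/bin/env bash
# Password ageing defaults in /etc/login.defs: maximum age 90 days, at least
# 10 days between changes, minimum length 8, warning 7 days before expiry.
# Notes: login.defs governs accounts created afterwards; existing accounts keep
# their current shadow(5) ageing fields and need chage(1) to pick these up.
# With PAM in use the effective minimum length is pam_pwquality's minlen;
# PASS_MIN_LEN is still set so baseline checkers that read login.defs pass.
# Idempotent: the active line for each key is replaced, commented
# documentation lines are left alone, and the first-run backup is preserved.
set -euo pipefail

readonly LOGIN_DEFS=/etc/login.defs

die() { printf '%s\n' "$*" >&2; exit 1; }

# set_def KEY VALUE — replace the active "KEY VALUE" line with the new value.
set_def() {
  local key=$1 value=$2
  sed -i "/^[[:space:]]*${key}[[:space:]]/d" -- "$LOGIN_DEFS"
  printf '%s\t%s\n' "$key" "$value" >> "$LOGIN_DEFS"
}

(( EUID == 0 )) || die "must run as root"
[[ -e "${LOGIN_DEFS}.bak" ]] || cp -p -- "$LOGIN_DEFS" "${LOGIN_DEFS}.bak"

set_def PASS_MAX_DAYS 90
set_def PASS_MIN_DAYS 10
set_def PASS_MIN_LEN 8
set_def PASS_WARN_AGE 7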
登录连接超时策略
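#!/usr/bin/env bash
# Idle-session timeout (180 s) and default umask 027 for login shells.
# TMOUT is exported and then made readonly: without readonly a user can simply
# unset it and the "forced logout" is advisory only.
# Nothing is sourced here — sourcing /etc/profile inside a non-interactive
# script has no effect on users' sessions and would change this script's own
# umask for anything it creates afterwards.
# Idempotent: the previous TMOUT lines are removed before re-adding, and the
# umask line is appended only once; the stock file's indented umask lines
# inside its if/else block are never touched (deleting them would break it).
set -euo pipefail

readonly PROFILE=/etc/profile

die() { printf '%s\n' "$*" >&2; exit 1; }

# ensure_line LINE — append LINE to /etc/profile unless present verbatim.
ensure_line() {
  local line=$1
  grep -qxF -- "$line" "$PROFILE" || printf '%s\n' "$line" >> "$PROFILE"
}

(( EUID == 0 )) || die "must run as root"
[[ -e "${PROFILE}.bak" ]] || cp -p -- "$PROFILE" "${PROFILE}.bak"

sed -i -E '/^[[:space:]]*(export[[:space:]]+)?TMOUT=/d; /^[[:space:]]*readonly[[:space:]]+TMOUT/d' -- "$PROFILE"
ensure_line 'export TMOUT=180'
ensure_line 'readonly TMOUT'
ensure_line 'umask 027'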
登录失败处理策略
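#!/usr/bin/env bash
# Login-failure lockout with pam_tally2: lock for 300 s after 5 failures,
# root included (even_deny_root also locks root at the console, so a remote
# attacker can keep root locked for UNLOCK seconds at a time).
# Writes /etc/pam.d/system-auth and /etc/pam.d/password-auth with matching
# stacks. Fixes against the page version:
#  - the page backed up /etc/pam.d/passwd but overwrote password-auth, which
#    was never backed up; both overwritten files are backed up here;
#  - system-auth lacked "account required pam_tally2.so", which resets the
#    counter on a successful login; without it the tally only ever grows;
#  - a second pam_tally2 line was inserted into /etc/pam.d/sshd with deny=3.
#    sshd already includes password-auth, so two instances in one stack bump
#    the shared tally twice per attempt; it is not added here. For a stricter
#    ssh threshold, lower DENY below rather than stacking a second module.
# Both target files are usually symlinks to *-ac files owned by authconfig,
# which regenerates them — rerun this after any authconfig invocation.
# Unlock an account with: pam_tally2 --user NAME --reset
set -euo pipefail

readonly SYSTEM_AUTH=/etc/pam.d/system-auth
readonly PASSWORD_AUTH=/etc/pam.d/password-auth
readonly DENY=5       # failed attempts before lockout
readonly UNLOCK=300   # seconds until automatic unlock

die() { printf '%s\n' "$*" >&2; exit 1; }

# backup FILE — pristine copy at FILE.bak (follows the symlink), kept on re-runs.
backup() {
  local f=$1
  [[ -e "${f}.bak" ]] || cp -p -- "$f" "${f}.bak"
}

# write_pam FILE — back FILE up, then replace it with the stack read from stdin.
# "cat >" follows the symlink and rewrites the *-ac target, as the page did.
write_pam() {
  local f=$1
  backup "$f"
  cat > "$f"
}

(( EUID == 0 )) || die "must run as root"

tally="pam_tally2.so deny=${DENY} unlock_time=${UNLOCK} even_deny_root root_unlock_time=${UNLOCK}"

# The pam_succeed_if "uid <= 1000" line is kept as the page had it (stock
# CentOS 7 uses "uid >= 1000"); with pam_deny.so directly after it, either
# form ends in a denial, the difference is only in logging.
write_pam "$SYSTEM_AUTH" <<EOF
#%PAM-1.0
auth        required      pam_env.so
auth        required      ${tally}
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid <= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_tally2.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
EOF

write_pam "$PASSWORD_AUTH" <<EOF
#%PAM-1.0
auth        required      pam_env.so
auth        required      ${tally}
auth        required      pam_faildelay.so delay=2000000
auth        sufficient    pam_unix.so nullok try_first_pass
auth        requisite     pam_succeed_if.so uid <= 1000 quiet_success
auth        required      pam_deny.so

account     required      pam_tally2.so
account     required      pam_unix.so
account     sufficient    pam_localuser.so
account     sufficient    pam_succeed_if.so uid < 1000 quiet
account     required      pam_permit.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so
EOF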
用户分配账户和权限
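#!/usr/bin/env bash
# Create the operations account "voscn", add it to wheel and grant it sudo.
# The password is taken from the VOSCN_PASSWORD environment variable. The page
# hard-coded "V0scn$#@" inside double quotes, where "$#" expands to the
# argument count, so the password actually set was not the intended one; a
# literal password in a script also ends up in history and backups.
# The sudo rule goes into a validated /etc/sudoers.d drop-in instead of being
# appended to /etc/sudoers unchecked: a syntax error there locks everyone out
# of sudo. Assumes the stock "#includedir /etc/sudoers.d" is present.
set -euo pipefail

readonly USER_NAME=voscn
readonly SUDOERS_D="/etc/sudoers.d/${USER_NAME}"

die() { printf '%s\n' "$*" >&2; exit 1; }

(( EUID == 0 )) || die "must run as root"
: "${VOSCN_PASSWORD:?set VOSCN_PASSWORD in the environment before running}"

id -u "$USER_NAME" >/dev/null 2>&1 || useradd "$USER_NAME"
# --stdin keeps the secret off argv; -aG appends wheel instead of replacing
# the user's supplementary groups.
printf '%s\n' "$VOSCN_PASSWORD" | passwd --stdin "$USER_NAME"
usermod -aG wheel "$USER_NAME"

# NOPASSWD:ALL is what the page specified; it removes the sudo password check
# for this account and weakens the wheel/sudo audit trail. Prefer
# "voscn ALL=(ALL:ALL) ALL" where the baseline allows it.
tmp=$(mktemp) || die "mktemp failed"
trap 'rm -f -- "$tmp"' EXIT
printf '%s ALL=(ALL:ALL) NOPASSWD:ALL\n' "$USER_NAME" > "$tmp"
visudo -cf "$tmp" || die "sudoers fragment failed validation"
install -m 0440 -o root -g root "$tmp" "$SUDOERS_D"

# To clear a pam_tally2 lockout for an account: pam_tally2 --user NAME --reset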
删除多余用户
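#!/usr/bin/env bash
# Report system accounts that still have a login shell, then remove the
# accounts this baseline treats as unnecessary. The report is informational
# only — review it before deleting anything beyond the fixed list below.
# userdel is skipped for accounts that no longer exist so re-runs stay clean.
set -euo pipefail

readonly CANDIDATES='adm|lp|sync|halt|news|nfsnobody|mail|uucp|operator|games|gopher|ftp|nobody|nobody4|noaccess|listen|webservd|rpm|dbus|avahi|mailnull|smmsp|nscd|vcsa|rpc|rpcuser|nfs|sshd|pcap|ntp|haldaemon|distcache|apache|webalizer|squid|xfs|gdm|sabayon|named'
readonly -a REMOVE=(sync halt)

die() { printf '%s\n' "$*" >&2; exit 1; }

(( EUID == 0 )) || die "must run as root"

# grep -E replaces the obsolescent egrep; print "user:shell" for candidates
# whose shell is neither /bin/false nor /sbin/nologin. "|| true" because
# under pipefail a no-match grep would otherwise abort the script.
grep -E "^(${CANDIDATES}):" /etc/passwd 2>/dev/null \
  | awk -F: '($7 != "/bin/false" && $7 != "/sbin/nologin") {print $1":"$7}' || true

for u in "${REMOVE[@]}"; do
  if getent passwd "$u" >/dev/null; then
    userdel "$u"
  fi
done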
设置banner
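#!/usr/bin/env bash
# Login banners: motd (post-login), issue/issue.net (pre-login on getty and
# network logins) and a pre-authentication banner for sshd.
# sshd_config is validated with "sshd -t" before the restart so a bad edit
# cannot take the daemon down and lock out remote administrators; the page
# restarted unconditionally and did not back up sshd_config.
set -euo pipefail

readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly SSH_BANNER=/etc/ssh_banner

die() { printf '%s\n' "$*" >&2; exit 1; }

# backup FILE — pristine copy at FILE.bak, kept across re-runs.
backup() {
  local f=$1
  [[ -e "${f}.bak" ]] || cp -p -- "$f" "${f}.bak"
}

(( EUID == 0 )) || die "must run as root"

backup /etc/motd
backup /etc/issue
backup /etc/issue.net
backup "$SSHD_CONFIG"

printf '%s\n' 'Login success. All activity will be monitored and reported' > /etc/motd
printf '%s\n' 'Authorized users only. All activity may be monitored and reported' > /etc/issue
printf '%s\n' 'Authorized users only. All activity may be monitored and reported' > /etc/issue.net
printf '%s\n' ' Authorized only. All activity will be monitored and reported ' > "$SSH_BANNER"
chown bin:bin "$SSH_BANNER"
chmod 644 "$SSH_BANNER"

# Exactly one active Banner directive: drop existing ones, then append ours.
sed -i '/^Banner.*/d' -- "$SSHD_CONFIG"
printf 'Banner %s\n' "$SSH_BANNER" >> "$SSHD_CONFIG"

sshd -t || die "sshd_config failed validation; sshd not restarted"
systemctl restart sshd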
启用安全审计功能
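#!/usr/bin/env bash
# Audit baseline: rsyslog/auditd health check, CIS-style audit rules for
# time, identity, network, login, permission, access, mount, delete, scope
# and kernel-module events, and a dedicated "audit" account.
# Fixes against the page version:
#  - "-k" keys are made consistent (time-change, mounts) so a search by key
#    finds both the 32- and 64-bit variants of a rule;
#  - the 32-bit init_module/delete_module rule is added to match the 64-bit one;
#  - the pam_tally2 counter file is watched alongside the faillock directory;
#  - the rules are actually loaded: the page never reloaded them, and on
#    CentOS 7 auditd refuses "systemctl restart", so augenrules --load is used.
set -euo pipefail

readonly RULES=/etc/audit/rules.d/audit.rules
readonly RSYSLOG_CONF=/etc/rsyslog.conf

die() { printf '%s\n' "$*" >&2; exit 1; }

# backup FILE — pristine copy at FILE.bak, kept across re-runs.
backup() {
  local f=$1
  [[ -e "${f}.bak" ]] || cp -p -- "$f" "${f}.bak"
}

(( EUID == 0 )) || die "must run as root"

# Health check, non-fatal like the page's status/ps output, without ps|grep.
for svc in rsyslog auditd; do
  systemctl is-active --quiet "$svc" || printf 'warning: %s is not active\n' "$svc" >&2
  pgrep -a -- "$svc" || true
done

backup "$RSYSLOG_CONF"
backup "$RULES"

cat > "$RULES" <<'EOF'
## Time changes
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
## User and group identity
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
## Network environment
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-w /etc/sysconfig/network-scripts/ -p wa -k system-locale
## Logins and sessions
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/tallylog -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k logins
-w /var/log/btmp -p wa -k logins
## Discretionary access control changes
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
## Unsuccessful file access attempts
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
## Mounts
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
## File deletion
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
## sudoers scope
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
## Kernel modules
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules
EOF

augenrules --load

# Dedicated log-review account (creation is idempotent).
id -u audit >/dev/null 2>&1 || useradd audit
usermod -aG audit audit

# NOTE(review): the page hands the whole /var/log tree to the "audit" user and
# then gives /var/log/audit back to root. Kept as specified, but a recursive
# owner change over /var/log also rewrites ownership under /var/log/journal
# and other daemons' log directories — confirm this is what the baseline
# requires before running it on a production host.
chown -R audit:audit /var/log
chown -R root:root /var/log/audit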
关闭多余服务
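#!/usr/bin/env bash
# Stop and disable sendmail. The page chained "stop && disable", which exits
# non-zero and aborts a strict-mode script when the unit is not installed;
# the presence check makes that case a no-op, and "disable --now" stops and
# disables in one call so neither step can be skipped.
set -euo pipefail

readonly UNIT=sendmail.service

if systemctl list-unit-files --type=service | grep -q "^${UNIT}"; then
  systemctl disable --now "$UNIT"
else
  printf '%s not installed; nothing to do\n' "$UNIT" >&2
fi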
限制远程登录范围
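#!/usr/bin/env bash
# Restrict sshd to two management networks with tcp_wrappers (hosts_access(5)).
# Allow rules are written before the deny rule, and each line is added only
# once so re-runs do not pile up duplicates. The deny rule "ALL:ALL" applies
# to every libwrap-aware service on the host, not only sshd — any other
# wrapped service needs its own allow entry or it will be cut off.
# Verify a fresh login from inside 192.168.1.0/24 or 10.10.1.0/24 before
# closing the current session: a wrong pattern here locks you out.
set -euo pipefail

readonly ALLOW=/etc/hosts.allow
readonly DENY=/etc/hosts.deny

die() { printf '%s\n' "$*" >&2; exit 1; }

# backup FILE — pristine copy at FILE.bak, kept across re-runs.
backup() {
  local f=$1
  [[ -e "${f}.bak" ]] || cp -p -- "$f" "${f}.bak"
}

# ensure_line FILE LINE — append LINE unless present verbatim.
ensure_line() {
  local file=$1 line=$2
  grep -qxF -- "$line" "$file" || printf '%s\n' "$line" >> "$file"
}

(( EUID == 0 )) || die "must run as root"
backup "$ALLOW"
backup "$DENY"

# "*" wildcards in address patterns and the ":allow"/":deny" suffix are the
# hosts_access(5)/hosts_options(5) extended syntax the distribution builds with.
ensure_line "$ALLOW" 'sshd:192.168.1.*:allow'
ensure_line "$ALLOW" 'sshd:10.10.1.*:allow'
# The page wrote "all:all"; the man page documents the wildcard as upper-case
# ALL, which is used here so the rule does not depend on case-insensitive matching.
ensure_line "$DENY" 'ALL:ALL'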
补丁更新
# Apply only updates flagged as security fixes. The filter depends on
# updateinfo metadata in the enabled repositories; stock CentOS mirrors
# typically do not ship it, so this can report nothing to do while updates
# exist — check with "yum updateinfo list" or fall back to a plain "yum update".
yum --security update