安全基线 · 2022护网笔记

[TOC] ## 基本筛查 * 检查是否设置口令更改最小间隔天数 * 检查是否设置口令过期前警告天数 * 检查系统core dump设置 * 检查历史命令设置 * 检查密码重复使用次数限制 * 检查是否设置口令生存周期 * 检查口令最小长度 * 检查是否设置命令行界面超时退出 * 检查系统是否禁用ctrl+alt+del组合键 * 检查设备密码复杂度策略 * 检查是否配置用户所需最小权限 * 检查是否设置ssh成功登录后Banner * 检查用户umaski设置 * 检查重要目录或文件权限设置 * 检查是否设置ssh登录前警告Banner * 检查是否禁止root用户远程登录 * 检查系统openssh安全配置 * 检查是否已修改系统Banner信息 ## 加固脚本 ``` echo ---------------开始-------------------- echo ---------------aboutkey---------------- cd /etc if \[ -f login.defs \];then cp /etc/login.defs /home/test1 MINDAY=`cat -n /home/test1/login.defs | grep -v ".\*#.\*"| grep PASS\_MIN\_DAYS|awk '{print $1}'` sed -i ''$MINDAY's/.\*PASS\_MIN\_DAYS.\*/PASS\_MIN\_DAYS 6/' /home/test1/login.defs WARNAGE=`cat -n /home/test1/login.defs | grep -v ".\*#.\*"| grep PASS\_WARN\_AGE|awk '{print $1}'` sed -i ''$WARNAGE's/.\*PASS\_WARN.\*/PASS\_WARN\_AGE 30/' /home/test1/login.defs MAXDAY=`cat -n /home/test1/login.defs | grep -v ".\*#.\*"| grep PASS\_MAX\_DAYS|awk '{print $1}'` sed -i ''$MAXDAY's/.\*PASS\_MAX.\*/PASS\_MAX\_DAYS 90/' /home/test1/login.defs MINLEN=`cat -n /home/test1/login.defs | grep -v ".\*#.\*"| grep PASS\_MIN\_LEN|awk '{print $1}'` sed -i ''$MINDAY's/.\*PASS\_MIN\_LEN.\*/PASS\_MIN\_ LEN 6/' /home/test1/login.defs fi echo --------------------ok--------------------------- echo -------------------stop the del------------------------ cd /etc/init if \[ -f control-alt-delete.conf \];then cp /etc/init/control-alt-delete.conf /home/test1 #delete=`grep -n "/sbin/shutdown -r now" /home/test1/control-alt-delete.conf | cut -d ":" -f 1` #sed -i ''$delete' r s/^/#/' /home/test1/control-alt-delete.conf #cp /etc/init/control-alt-delete.conf /home/test1 #num1=`grep -n "/sbin/shutdown" /home/test1/control-alt-delete.conf | cut -d "" -f 1` #sed -i ''$num' r s/^/#/' /home/test1/control-alt-delete.conf #a=`cat -n /home/test1/control-alt-delete.conf|grep -v "#" | grep "/sbin/shutdown" | awk '{print $1}'` #text=`sed -n "$a"p /home/test1/control-alt-delete.conf` #sed -i ''$a'c # '$text'' /home/test1/control-alt-delete.conf a=`cat -n /home/test1/control-alt-delete.conf|grep -v "#" | grep /sbin/shutdown | awk '{print $1}'` if \[ -z $a \];then echo ok else sed -i ''$a' s/^/#/' /home/test1/control-alt-delete.conf fi fi echo ---------------------ok--------------------------------------- echo ------------------------grub and lilo key------------------------ grub="/home/test1/menu.lst" if \[ ! -x "$grub" \];then touch "$grub" echo password=123456 >> "$grub" else echo password=123456 >> "$grub" fi lilo="/home/test1/lilo.conf" if \[ ! -x "$lilo" \];then touch "$lilo" echo password=123456 >> "$lilo" else echo password=123456 >> "$lilo" fi echo ---------------------ok-------------------------------------- echo ----------------------the history of mouthpasswd------------------ cd /etc if \[ -f profile \];then cp /etc/profile /home/test1 #num=`sed -n /home/test1/profile | grep HISTFILESIZE | awk '{print $1}'` #/home/test1/profile | sed $num'c HISTFILESIZE=5' echo "HISTFILESIZE=5" >> /home/test1/profile echo "ulimit -S -c unlimited" >> /home/test1/profile fi echo -------------------------ok--------------------- echo ------------------------issue----------------- #issu="/etc/issue.net" cd /etc if \[ -f issue.net \];then cp issue.net /home/test1/issue.net.bak echo ok fi echo ok if \[ -f issue \];then cp issue /home/test1/issue.bak echo ok fi echo -----------------------allow/deny ip------------------- cd /etc if \[ -f hosts.allow \];then cp /etc/hosts.allow /home/test1 echo "all:172.18.12.:all" >> /home/test1/hosts.allow echo "sshd:172.18.12.:all" >> /home/test1/hosts.allow fi cd /etc if \[ -f hosts.deny \];then cp /etc/hosts.deny /home/test1 echo "all:all" >> /home/test1/hosts.deny fi echo -----------------ok------------------------ #/etc/init.d/xinetd restart echo -----------------------------core dump------------------- cd /etc/security if \[ -f limits.conf \];then cp /etc/security/limits.conf /home/test1 echo "\*soft core 0" >> /home/test1/limits.conf echo "\*hard core 0" >> /home/test1/limits.conf fi echo --------------ok------------------------- echo ----------------------------passwdrepeat--------------------- cd /etc/pam.d if \[ -f system-auth \];then cp /etc/pam.d/system-auth /home/test1 #num=`grep -n "md5" /home/test1/system-auth | cut -d ":" -f 1` #sed -i ''$num' r s/$/ remember=5' /home/test1/system-auth kk=`cat -n /home/test1/system-auth | grep -v ".\*#.\*"| grep md5|awk '{print $1}'` echo $kk version="password sufficient pam\_unix.so md5 shadow nullok try\_first\_pass use\_authtok remember=500" sed -i ""$kk"c $version" /home/test1/system-auth letter=`cat -n /home/test1/system-auth |grep password | grep requisite | awk '{print $1}'` sed -i ''$letter's/pam\_cracklib.so/& ucredit=-1 lcredit=-1 dcredit=-1 /' /etc/pam.d/system-auth fi echo -----------------ok-------------------- echo --------------------超出退出-------------- cd /etc if \[ -f profile \];then cp /etc/profile /home/test1 echo "export TMOUT=600" >> /home/test1/profile fi echo ------------------ok------------------- echo ------------------权限------------------- chmod 644 /etc/passwd chmod 644 /etc/group chmod 400 /etc/shadow #chmod 600 /etc/xinetd.conf chmod 644 /etc/services chmod 600 /etc/security chmod 600 /etc/grub.conf chmod 600 /boot/grub/grub.conf chmod 600 /etc/lilo.conf echo ------------------unmask-------------------- cp /etc/csh.cshrc /home/test1 cp /etc/csh.login /home/test1 cp /etc/bashrc /home/test1 cp /etc/profile /home/test1 sed -i '11 s/.\*umask.\*/umask 077/' /home/test1/csh.cshrc sed -i '58 s/.\*umask.\*/umask 077/' /home/test1/csh.login sed -i '66 s/.\*UMASK.\*/UMASK 077/' /home/test1/bashrc sed -i '62s/.\*umask.\*/umask 077/' /home/test1/profile echo --------------------before login banner------------------- cd /etc if \[ -f ssh\_banner \];then touch /etc/ssh\_banner chown bin:bin /etc/ssh\_banner chmod 644 /etc/ssh\_banner echo "Authorized only.All activity will be monitored and reported" > /etc/ssh\_banner fi echo -----------------------ok---------------------------- echo -------------------stop root ssh login------------------ cp /etc/pam.d/login /home/test1 echo "auth required pam\_securetty.so" >> /home/test1/login cp /etc/ssh/sshd\_config /home/test1 echo "Banner /etc/ssh\_banner" >> /home/test1/sshd\_config echo "PermitRootLogin no" >> /home/test1/sshd\_config service sshd restart echo -------------------------ok------------------- echo --------------------openssh---------------------------- openssh=`cat -n /home/test1/sshd\_config | grep -v ".\*#.\*"| grep Protocol |awk '{print $1}'` sed -i ''$openssh's/.\*Protocol.\*/Protocol 2/' /home/test1/sshd\_config echo -------------ok--------------------------- ```