关于Linux系统安全加固的具体实现脚本及基线检查规范,以供主机维护人员参考学习。

其中以下脚本主要实现的功能包括:

*加固项包括:密码长度、session超时时间、删除不用的帐号和组、限制root用户直接telnet或rlogin、ssh

*检查是否存在除root之外UID为0的用户、确保root用户的系统路径中不包含父目录,在非必要的情况下,不应包含组权限为777的目录

*检查操作系统Linux用户umask设置、检查重要目录和文件的权限、禁止除root之外的用户su操作、查找系统中任何人都有写权限的目录

*查找系统中没有属主的文件、查找系统中的隐藏文件、判断日志与审计是否合规、登录超时设置、禁用不必要的服务

*linux 安全加固适用于redhat、centos5.8至6.2

具体内容如下,请结合自身业务需求进行系统级加固:

#1、---------------------------------------------------------------------

echo "删除不用的帐号和组"

echo "delete unused users and grups"

for i in lp sync shutdown halt news uucp operator games gopher

do

echo "will delete user $i"

userdel $i

echo "user $i have delete"

done

for i in lp sync shutdown halt news uucp operator games gopher

do

echo "will delete group $i"

groupdel $i

echo "group $i have delete"

done

date=`date +%F`

#2、-----------------------------------------------

#section1 密码要求密码长度大于8,口令90天过期/etc/login.defs

#-----------------------------------------------

#---------------------------------------------------------------------

echo "cp /etc/login.defs to /etc/login.defs.bak_%date"

echo "#-------------------------------------"

cp /etc/login.defs /etc/login.defs.bak_$date

#echo "检查密码的配置"

echo "Check the configure for user's password."

echo "#-------------------------------------"

for i in PASS_MAX_DAYS PASS_MIN_LEN PASS_MIN_DAYS PASS_WARN_AGE

do

cat /etc/login.defs |grep $i|grep -v \#

done

#set password min length 8

echo "#-------------------------------------"

echo "Set user's password min length is 8"

sed  -i '/PASS_MIN_LEN/s/5/8/g' /etc/login.defs

echo "#-------------------------------------"

#set password max day 90

#echo "set password expired 90 day"

#sed  -i '/PASS_MAX_DAYS/s/99999/90/g' /etc/login.defs

#3、---------------------------------------------------------------------

echo "#检查是否存在空口令"

echo "Check if there have user without password!"

echo "#-------------------------------------"

awk -F: '($2 == "") { print $1 }' /etc/shadow

#4、-----------------------------------------------

#section2 限制root用户直接telnet或rlogin,ssh无效

######建议在/etc/securetty文件中配置:CONSOLE = /dev/tty01

#---------------------------------------------------------------------

#帐号与口令-检查是否存在除root之外UID为0的用户

#echo "#检查系统中是否存在其它id为0的用户"

echo "Check if the system have other user's id is 0"

echo "#-------------------------------------"

mesg=`awk -F: '($3 == 0) { print $1 }' /etc/passwd|grep -v root`

if [ -z $mesg ]

then

echo "There don't have other user uid=0"

else

echo

echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

echo "$mesg uid=0"

echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

fi

#5、-----------------------------------------------------------

echo "#确保root用户的系统路径中不包含父目录,在非必要的情况下,不应包含组权限为777的目录"

echo "check the Path set for root,make sure the path for root dont have father directory and 777 rights"

echo "#-------------------------------------"

echo $PATH | egrep '(^|:)(\.|:|$)'

find `echo $PATH | tr ':' ' '` -type d \( -perm -002 -o -perm -020 \) -ls

#6、---------------------------------------------------------------------

echo "#检查操作系统Linux远程连接"

echo "Check if system have remote connection seting"

echo "#-------------------------------------"

find  / -name  .netrc

find  / -name  .rhosts

echo "检查操作系统Linux用户umask设置"

echo "Check the system users umask setting"

echo "#-------------------------------------"

for i in /etc/profile /etc/csh.login /etc/csh.cshrc /etc/bashrc

do

grep -H umask $i|grep -v "#"

done

###################设置umask为027

#7、---------------------------------------------------------------------

#echo "#检查重要目录和文件的权限"

##echo "Check the important files and directory rights"

echo "#-------------------------------------"

for i in /etc /etc/rc.d/init.d /tmp /etc/inetd.conf /etc/passwd /etc/shadow /etc/group /etc/security /etc/services /etc/rc*.d

do

ls  -ld $i

done

echo -n "Please check if the output is ok ? yes or no :"

read i

case $i in

y|yes)

break

;;

n|no)

echo "Please recheck the output!"

echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

continue

;;

*)

echo "please input yes or no"

;;

esac

#8、-----------------------------------------------------------

#echo "#配置rc.d下脚本的权限"

echo "Configure the scripts right(750) in rc.d directory"

echo "#-------------------------------------"

chmod -R 750 /etc/rc.d/init.d/*

chmod 755 /bin/su 改了之后只能root su,没有了s位别的用户无法成功su

chmod 664 /var/log/wtmp

#chattr +a /var/log/messages

#9、-----------------------------------------------------------

echo "#查找系统中存在的SUID和SGID程序"

echo "Find the files have suid or Sgid"

echo "#-------------------------------------"

for PART in `grep -v ^# /etc/fstab | awk '($6 != "0") {print $2 }'`; do

find $PART \( -perm -04000 -o -perm -02000 \) -type f -xdev -print |xargs ls  -ld

done

echo -n "Please check if the output is ok ? yes or no :"

read i

case $i in

y|yes)

break

;;

n|no)

echo "Please recheck the output!"

echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

continue

;;

*)

echo "please input yes or no"

;;

esac

#10、----------------------------------------------------------

echo "#查找系统中任何人都有写权限的目录"

echo "Find the directory everyone have the write right"

echo "#-------------------------------------"

for PART in `awk '($3 == "ext2" || $3 == "ext3") \

{ print $2 }' /etc/fstab`; do

find $PART -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print |xargs ls  -ld

done

echo -n "Please check if the output is ok ? yes or no :"

read i

case $i in

y|yes)

break

;;

n|no)

echo "Please recheck the output!"

echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

continue

;;

*)

echo "please input yes or no"

;;

esac

#11、----------------------------------------------------------

#echo "#查找系统中任何人都有写权限的文件"

echo "Find the files everyone have write right"

echo "#-------------------------------------"

for PART in `grep -v ^# /etc/fstab | awk '($6 != "0") {print $2 }'`; do

find $PART -xdev -type f \( -perm -0002 -a ! -perm -1000 \) -print |xargs ls -ld

done

echo -n "Please check if the output is ok ? yes or no :"

read i

case $i in

y|yes)

break

;;

n|no)

echo "Please recheck the output!"

echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

continue

;;

*)

echo "please input yes or no"

;;

esac

#12、----------------------------------------------------------

echo "#查找系统中没有属主的文件"

echo "Find no owner or no group files in system"

echo "#-------------------------------------"

for PART in `grep -v ^# /etc/fstab |grep -v swap| awk '($6 != "0") {print $2 }'`; do

find $PART -nouser -o -nogroup |grep  -v "vmware"|grep -v "dev"|xargs ls  -ld

done

echo -n "Please check if the output is ok ? yes or no :"

read i

case $i in

y|yes)

break

;;

n|no)

echo "Please recheck the output!"

echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

continue

;;

*)

echo "please input yes or no"

;;

esac

#13、----------------------------------------------------------

###echo "#查找系统中的隐藏文件"

##echo " Find the hiding file in system"

##echo "#-------------------------------------"

###linux执行报错\排除/dev”目录下的那些文件

####find  / -name \(".. *"  -o "…*"  -o ".xx" -o ".mail" \) -print -xdev

## #find  / -name "…*" -print -xdev | cat -v

##find  /  \( -name ".*"  -o -name  "…*"  -o -name ".xx" -o -name ".mail" \) -xdev

##echo -n "If you have check all the output files if correct yes or no ? :"

##read i

## case $i in

## y|yes)

## break

## ;;

## n|no)

## echo "Please recheck the output!"

## echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

## continue

## ;;

## *)

## echo "please input yes or no"

## ;;

## esac

##

#14、---------------------------------------------------------------------

echo "#判断日志与审计是否合规"

echo "Judge if the syslog audition if follow the rules"

echo "#-------------------------------------"

autmesg=`cat /etc/syslog.conf |egrep ^authpriv`

if [ ! -n "$autmesg" ]

then

echo "there don't have authpriv set in /etc/syslog.conf"

echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

echo -n "If you have know this y or n ?"

read i

case $i in

y|yes)

break

;;

n|no)

echo "there don't have authpriv set in /etc/syslog.conf"

echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

continue

;;

*)

echo "please input yes or no"

;;

esac

else

# echo "日志与审计合规"

echo "syslog audition follow the rules"

fi

#15、---------------------------------------------------------------------

echo "#关闭linux core dump"

echo "Turn off the system core dump"

echo "#-------------------------------------"

mesg1=`grep "* soft core 0" /etc/security/limits.conf`

mesg2=`grep "* hard core 0" /etc/security/limits.conf`

if [ ! -n "$mesg1" -o ! -n "$mesg2" ]

then

cp /etc/security/limits.conf /etc/security/limits.conf_$date

if [ ! -n "$mesg1" ]

then

echo "* soft core 0" >> /etc/security/limits.conf

fi

if [ ! -n "$mesg2" ]

then

echo "* hard core 0" >> /etc/security/limits.conf

fi

fi

#修改login文件使limits限制生效

cp /etc/pam.d/login /etc/pam.d/login_$date

echo "session required /lib/security/pam_limits.so" >> /etc/pam.d/login

#16、---------------------------------------------------------------------

#登录超时设置

#检查/etc/pam.d/system-auth文件是否存在account required /lib/security/pam_tally.so deny=的相关设置

#建议设置为auth required pam_tally.so onerr=fail deny=6 unlock_time=300

#17、---------------------------------------------------------------------

#su命令使用,对su命令使用进行限制设置

#检查/etc/pam.d/su文件设置

#文件中包含

#auth sufficient /lib/security/pam_rootok.so debug

#auth required /lib/security/pam_wheel.so group=isd

#20、---------------------------------------------------------------------

echo "#登录超时自动退出"

echo "set session time out terminal "

echo "#-------------------------------------"

tmout=`grep -i TMOUT /etc/profile`

if [ ! -n "$tmout" ]

then

echo

echo -n "do you want to set login timeout to 300s? [yes]:"

read i

case $i in

y|yes)

cp /etc/profile /etc/profile_$date

echo "export TMOUT=300" >> /etc/profile

. /etc/profile

;;

n|no)

break

;;

*)

echo "please input yes or no"

;;

esac

else

mesg=`echo $tmout |awk -F"=" '{print $2}'`

if [ "$mesg" -ne 300 ]

then

echo "The login session timeout is $mesg now will change to 300 seconds"

cp /etc/profile /etc/profile_$date

echo "export TMOUT=300" >> /etc/profile

. /etc/profile

fi

fi

sed  -i 's/HISTSIZE=1000/HISTSIZE=100/g' /etc/profile

#21、---------------------------------------------------------------------

echo "#禁用telnet启用ssh"

echo "Stop telnet and start up sshd"

echo "#-------------------------------------"

mesg1=`lsof -i:23`

mesg2=`lsof -i:22`

if [ ! -n "$mesg2" ]

then

service start sshd

chkconfig sshd on

mesg2=`lsof -i:22`

fi

if [ ! -n "$mesg1" -a ! -n "$mesg2" ]

then

echo

echo "Will Deactive telnet"

chkconfig krb5-telnet off

chkconfig ekrb5-telnet off

fi

#22、---------------------------------------------------------------------

#echo "#设置终端超时,使系统10分钟后自动退出不活动的Shell"

#echo "#-------------------------------------"

#mesg=`grep "export TMOUT=600" /etc/profile`

#if [ -z $mesg ]

#then

#echo "export TMOUT=600" >>/etc/profile

#. /etc/profile

#fi

#23、---------------------------------------------------------------------

echo "#禁用不必要的服务"

echo "Stop unuseing services"

echo "#-------------------------------------"

list="avahi-daemon bluetooth cups firstboot hplip ip6tables iptables iscsi iscsid isdn kudzu pcscd rhnsd rhsmcertd rpcgssd rpcidmapd sendmail smartd  yum-updatesd netfs portmap autofs nfslock nfs"

for i in $list

do

chkconfig $i off

service $i stop

done

echo "change kernel parameter for network secure"

cp  /etc/sysctl.conf /etc/sysctl.conf.$date

#echo "net.ipv4.icmp_echo_ignore_all = 1">>/etc/sysctl.conf

sysctl -a |grep arp_filter|sed -e 's/\=\ 0/\=\ 1/g' >>/etc/sysctl.conf

sysctl -a |grep accept_redirects|sed -e 's/\=\ 1/\=\ 0/g' >>/etc/sysctl.conf

sysctl -a |grep send_redirects|sed -e 's/\=\ 1/\=\ 0/g' >>/etc/sysctl.conf

sysctl -a |grep log_martians |sed -e 's/\=\ 0/\=\ 1/g'>>/etc/sysctl.conf

sysctl -p

#24、---------------------------------------------------------------------

echo "设置热键"

#ctrl+alt+del

if [ -d  /etc/init ]

then

sed  -i 's/^[^#]/#&/g' /etc/control-alt-delete.conf

else

sed -i 's/^ca::/#&/g' /etc/inittab

fi

#25、---------------------------------------------------------------------

echo "demo:禁止除了db2inst1的用户su到root"

usermod -G wheel db2inst1

sed -i '/pam_wheel.so use_uid/s/^#//g' /etc/pam.d/su

echo "SU_WHEEL_ONLY yes">>/etc/login.defs

作者:大福技术
链接:https://www.jianshu.com/p/850ac59fae41
來源:简书
简书著作权归作者所有,任何形式的转载都请联系作者获得授权并注明出处。

CentOS系统安全加固常见方法的更多相关文章

  1. CentOS系统版本的查看方法

    CentOS系统版本的查看方法 查看操作系统版本 1 [root@aliyun ~]# lsb_release -a LSB Version: :core-4.1-amd64:core-4.1-noa ...

  2. 六招轻松搞定你的CentOS系统安全加固

    Redhat是目前企业中用的最多的一类Linux,而目前针对Redhat攻击的黑客也越来越多了.我们要如何为这类服务器做好安全加固工作呢?  一.  账户安全 1.1 锁定系统中多余的自建帐号 检查方 ...

  3. Centos7.0操作系统加固常见方法

    1. 账号和口令 1.1 禁用或删除无用账号 减少系统无用账号,降低安全风险. 操作步骤 使用命令 userdel <用户名> 删除不必要的账号. 使用命令 passwd -l <用 ...

  4. CentOS系统找不到setup命令工具的解决方法

    如果你的CentOS系统中没有setup命令,很有可能是因为你安装CentOS系统时采用了最小化安装(minimal).这时,你执行setup命令时,就会报错: 错误信息: 1[root@localh ...

  5. CentOS系统时间与现在时间相差8小时解决方法

    很多网友在安装完CentOS系统后发现时间与现在时间相差8小时,这是由于我们在安装系统的时选择的时区是上海,而CentOS默认bios时间是utc时间,所以时间相差了8小时.这个时候的bios的时间和 ...

  6. 解决win下无法ping通VM虚拟机CentOS系统的方法

    事情描述:公司迁新址,电脑带过去之后,用xshell连接vm的centos系统老是连接失败,然后考虑到公司迁新址这个情况,我首先怀疑是ip的问题,然后在vm中执行ifconfig找到centos的ip ...

  7. CentOS系统实现SSH无密码登录的方法

    一.环境配置 1.服务端:CentOS release 5.3 IP:222.73.115.198 2.客服端:CentOS release 5.8 IP:192.168.4.244 二.配置SSH无 ...

  8. 使用ntp从时间同步服务器更新centos系统时间的方法

    CentOS系统时间同步的步骤如下: 复制代码 代码如下: cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtimentpdate us.pool.ntp ...

  9. CentOS防火墙iptables的配置方法详解

    CentOS系统也是基于linux中的它的防火墙其实就是iptables了,下面我来介绍在CentOS防火墙iptables的配置教程,希望此教程对各位朋友会有所帮助. iptables是与Linux ...

随机推荐

  1. pgsql 并行相关配置

  2. 2019The Preliminary Contest for ICPC China Nanchang National Invitational

    The Preliminary Contest for ICPC China Nanchang National Invitational 题目一览表 考察知识点 I. Max answer 单调栈+ ...

  3. sea.js简单使用教程

    sea.js简单使用教程 下载sea.js, 并引入 官网: http://seajs.org/ github : https://github.com/seajs/seajs 将sea.js导入项目 ...

  4. 金融量化分析【day112】:股票数据分析Tushare2

    目录 1.使用tushare包获取某股票的历史行情数据 2.使用pandas包计算该股票历史数据的5日局限和60日均线 3.matplotlib包可视化历史数据的收盘价和历史均线 4.分析输出所有金叉 ...

  5. 基于alpine制作php镜像

    alpine包搜索https://pkgs.alpinelinux.org/ 安装依赖库 apk add --no-cache xxx 可以基于php apline镜像自行增加或删除扩展. https ...

  6. LFYZ-OJ ID: 1008 求A/B高精度值

    思路 小数点前的部分可以通过m/n直接计算得出 小数点后的20位可通过循环进行快速计算,计算方法如下: m%=n m*=10 小数点后第i位为m/n,回到第1步 第3步后,如果m%n为0,说明已经除净 ...

  7. IISExpress使用64位

    C#有一些函数如GetHashCode和x86,X64版本有关系,为了和服务器保持一致,本地iis Express也需要设置64位. 方法如下,vs2010不支持. vs2012可以手动添加配置 re ...

  8. [译]Ocelot - Getting Started

    原文 Ocelot专为.NET Core而设计. .NET Core 2.1 安装 首先需要创建一个netstandard2.0项目,然后再通过nuget安装. Install-Package Oce ...

  9. 【hdu 5217】Brackets

    Description Miceren likes playing with brackets. There are N brackets on his desk forming a sequence ...

  10. 最大熵模型和EM算法

    一.极大似然已经发生的事件是独立重复事件,符合同一分布已经发生的时间是可能性(似然)的事件利用这两个假设,已经发生时间的联合密度值就最大,所以就可以求出总体分布f中参数θ 用极大似然进行机器学习有监督 ...