关于Linux系统安全加固的具体实现脚本及基线检查规范,以供主机维护人员参考学习。

其中以下脚本主要实现的功能包括:

*加固项包括:密码长度、session超时时间、删除不用的帐号和组、限制root用户直接telnet或rlogin、ssh

*检查是否存在除root之外UID为0的用户、确保root用户的系统路径中不包含父目录,在非必要的情况下,不应包含组权限为777的目录

*检查操作系统Linux用户umask设置、检查重要目录和文件的权限、禁止除root之外的用户su操作、查找系统中任何人都有写权限的目录

*查找系统中没有属主的文件、查找系统中的隐藏文件、判断日志与审计是否合规、登录超时设置、禁用不必要的服务

*linux 安全加固适用于redhat、centos5.8至6.2

具体内容如下,请结合自身业务需求进行系统级加固:

#1、---------------------------------------------------------------------

echo "删除不用的帐号和组"

echo "delete unused users and grups"

for i in lp sync shutdown halt news uucp operator games gopher

do

echo "will delete user $i"

userdel $i

echo "user $i have delete"

done

for i in lp sync shutdown halt news uucp operator games gopher

do

echo "will delete group $i"

groupdel $i

echo "group $i have delete"

done

date=`date +%F`

#2、-----------------------------------------------

#section1 密码要求密码长度大于8,口令90天过期/etc/login.defs

#-----------------------------------------------

#---------------------------------------------------------------------

echo "cp /etc/login.defs to /etc/login.defs.bak_%date"

echo "#-------------------------------------"

cp /etc/login.defs /etc/login.defs.bak_$date

#echo "检查密码的配置"

echo "Check the configure for user's password."

echo "#-------------------------------------"

for i in PASS_MAX_DAYS PASS_MIN_LEN PASS_MIN_DAYS PASS_WARN_AGE

do

cat /etc/login.defs |grep $i|grep -v \#

done

#set password min length 8

echo "#-------------------------------------"

echo "Set user's password min length is 8"

sed  -i '/PASS_MIN_LEN/s/5/8/g' /etc/login.defs

echo "#-------------------------------------"

#set password max day 90

#echo "set password expired 90 day"

#sed  -i '/PASS_MAX_DAYS/s/99999/90/g' /etc/login.defs

#3、---------------------------------------------------------------------

echo "#检查是否存在空口令"

echo "Check if there have user without password!"

echo "#-------------------------------------"

awk -F: '($2 == "") { print $1 }' /etc/shadow

#4、-----------------------------------------------

#section2 限制root用户直接telnet或rlogin,ssh无效

######建议在/etc/securetty文件中配置:CONSOLE = /dev/tty01

#---------------------------------------------------------------------

#帐号与口令-检查是否存在除root之外UID为0的用户

#echo "#检查系统中是否存在其它id为0的用户"

echo "Check if the system have other user's id is 0"

echo "#-------------------------------------"

mesg=`awk -F: '($3 == 0) { print $1 }' /etc/passwd|grep -v root`

if [ -z $mesg ]

then

echo "There don't have other user uid=0"

else

echo

echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

echo "$mesg uid=0"

echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

fi

#5、-----------------------------------------------------------

echo "#确保root用户的系统路径中不包含父目录,在非必要的情况下,不应包含组权限为777的目录"

echo "check the Path set for root,make sure the path for root dont have father directory and 777 rights"

echo "#-------------------------------------"

echo $PATH | egrep '(^|:)(\.|:|$)'

find `echo $PATH | tr ':' ' '` -type d \( -perm -002 -o -perm -020 \) -ls

#6、---------------------------------------------------------------------

echo "#检查操作系统Linux远程连接"

echo "Check if system have remote connection seting"

echo "#-------------------------------------"

find  / -name  .netrc

find  / -name  .rhosts

echo "检查操作系统Linux用户umask设置"

echo "Check the system users umask setting"

echo "#-------------------------------------"

for i in /etc/profile /etc/csh.login /etc/csh.cshrc /etc/bashrc

do

grep -H umask $i|grep -v "#"

done

###################设置umask为027

#7、---------------------------------------------------------------------

#echo "#检查重要目录和文件的权限"

##echo "Check the important files and directory rights"

echo "#-------------------------------------"

for i in /etc /etc/rc.d/init.d /tmp /etc/inetd.conf /etc/passwd /etc/shadow /etc/group /etc/security /etc/services /etc/rc*.d

do

ls  -ld $i

done

echo -n "Please check if the output is ok ? yes or no :"

read i

case $i in

y|yes)

break

;;

n|no)

echo "Please recheck the output!"

echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

continue

;;

*)

echo "please input yes or no"

;;

esac

#8、-----------------------------------------------------------

#echo "#配置rc.d下脚本的权限"

echo "Configure the scripts right(750) in rc.d directory"

echo "#-------------------------------------"

chmod -R 750 /etc/rc.d/init.d/*

chmod 755 /bin/su 改了之后只能root su,没有了s位别的用户无法成功su

chmod 664 /var/log/wtmp

#chattr +a /var/log/messages

#9、-----------------------------------------------------------

echo "#查找系统中存在的SUID和SGID程序"

echo "Find the files have suid or Sgid"

echo "#-------------------------------------"

for PART in `grep -v ^# /etc/fstab | awk '($6 != "0") {print $2 }'`; do

find $PART \( -perm -04000 -o -perm -02000 \) -type f -xdev -print |xargs ls  -ld

done

echo -n "Please check if the output is ok ? yes or no :"

read i

case $i in

y|yes)

break

;;

n|no)

echo "Please recheck the output!"

echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

continue

;;

*)

echo "please input yes or no"

;;

esac

#10、----------------------------------------------------------

echo "#查找系统中任何人都有写权限的目录"

echo "Find the directory everyone have the write right"

echo "#-------------------------------------"

for PART in `awk '($3 == "ext2" || $3 == "ext3") \

{ print $2 }' /etc/fstab`; do

find $PART -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -print |xargs ls  -ld

done

echo -n "Please check if the output is ok ? yes or no :"

read i

case $i in

y|yes)

break

;;

n|no)

echo "Please recheck the output!"

echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

continue

;;

*)

echo "please input yes or no"

;;

esac

#11、----------------------------------------------------------

#echo "#查找系统中任何人都有写权限的文件"

echo "Find the files everyone have write right"

echo "#-------------------------------------"

for PART in `grep -v ^# /etc/fstab | awk '($6 != "0") {print $2 }'`; do

find $PART -xdev -type f \( -perm -0002 -a ! -perm -1000 \) -print |xargs ls -ld

done

echo -n "Please check if the output is ok ? yes or no :"

read i

case $i in

y|yes)

break

;;

n|no)

echo "Please recheck the output!"

echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

continue

;;

*)

echo "please input yes or no"

;;

esac

#12、----------------------------------------------------------

echo "#查找系统中没有属主的文件"

echo "Find no owner or no group files in system"

echo "#-------------------------------------"

for PART in `grep -v ^# /etc/fstab |grep -v swap| awk '($6 != "0") {print $2 }'`; do

find $PART -nouser -o -nogroup |grep  -v "vmware"|grep -v "dev"|xargs ls  -ld

done

echo -n "Please check if the output is ok ? yes or no :"

read i

case $i in

y|yes)

break

;;

n|no)

echo "Please recheck the output!"

echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

continue

;;

*)

echo "please input yes or no"

;;

esac

#13、----------------------------------------------------------

###echo "#查找系统中的隐藏文件"

##echo " Find the hiding file in system"

##echo "#-------------------------------------"

###linux执行报错\排除/dev”目录下的那些文件

####find  / -name \(".. *"  -o "…*"  -o ".xx" -o ".mail" \) -print -xdev

## #find  / -name "…*" -print -xdev | cat -v

##find  /  \( -name ".*"  -o -name  "…*"  -o -name ".xx" -o -name ".mail" \) -xdev

##echo -n "If you have check all the output files if correct yes or no ? :"

##read i

## case $i in

## y|yes)

## break

## ;;

## n|no)

## echo "Please recheck the output!"

## echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

## continue

## ;;

## *)

## echo "please input yes or no"

## ;;

## esac

##

#14、---------------------------------------------------------------------

echo "#判断日志与审计是否合规"

echo "Judge if the syslog audition if follow the rules"

echo "#-------------------------------------"

autmesg=`cat /etc/syslog.conf |egrep ^authpriv`

if [ ! -n "$autmesg" ]

then

echo "there don't have authpriv set in /etc/syslog.conf"

echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

echo -n "If you have know this y or n ?"

read i

case $i in

y|yes)

break

;;

n|no)

echo "there don't have authpriv set in /etc/syslog.conf"

echo "!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!!"

continue

;;

*)

echo "please input yes or no"

;;

esac

else

# echo "日志与审计合规"

echo "syslog audition follow the rules"

fi

#15、---------------------------------------------------------------------

echo "#关闭linux core dump"

echo "Turn off the system core dump"

echo "#-------------------------------------"

mesg1=`grep "* soft core 0" /etc/security/limits.conf`

mesg2=`grep "* hard core 0" /etc/security/limits.conf`

if [ ! -n "$mesg1" -o ! -n "$mesg2" ]

then

cp /etc/security/limits.conf /etc/security/limits.conf_$date

if [ ! -n "$mesg1" ]

then

echo "* soft core 0" >> /etc/security/limits.conf

fi

if [ ! -n "$mesg2" ]

then

echo "* hard core 0" >> /etc/security/limits.conf

fi

fi

#修改login文件使limits限制生效

cp /etc/pam.d/login /etc/pam.d/login_$date

echo "session required /lib/security/pam_limits.so" >> /etc/pam.d/login

#16、---------------------------------------------------------------------

#登录超时设置

#检查/etc/pam.d/system-auth文件是否存在account required /lib/security/pam_tally.so deny=的相关设置

#建议设置为auth required pam_tally.so onerr=fail deny=6 unlock_time=300

#17、---------------------------------------------------------------------

#su命令使用,对su命令使用进行限制设置

#检查/etc/pam.d/su文件设置

#文件中包含

#auth sufficient /lib/security/pam_rootok.so debug

#auth required /lib/security/pam_wheel.so group=isd

#20、---------------------------------------------------------------------

echo "#登录超时自动退出"

echo "set session time out terminal "

echo "#-------------------------------------"

tmout=`grep -i TMOUT /etc/profile`

if [ ! -n "$tmout" ]

then

echo

echo -n "do you want to set login timeout to 300s? [yes]:"

read i

case $i in

y|yes)

cp /etc/profile /etc/profile_$date

echo "export TMOUT=300" >> /etc/profile

. /etc/profile

;;

n|no)

break

;;

*)

echo "please input yes or no"

;;

esac

else

mesg=`echo $tmout |awk -F"=" '{print $2}'`

if [ "$mesg" -ne 300 ]

then

echo "The login session timeout is $mesg now will change to 300 seconds"

cp /etc/profile /etc/profile_$date

echo "export TMOUT=300" >> /etc/profile

. /etc/profile

fi

fi

sed  -i 's/HISTSIZE=1000/HISTSIZE=100/g' /etc/profile

#21、---------------------------------------------------------------------

echo "#禁用telnet启用ssh"

echo "Stop telnet and start up sshd"

echo "#-------------------------------------"

mesg1=`lsof -i:23`

mesg2=`lsof -i:22`

if [ ! -n "$mesg2" ]

then

service start sshd

chkconfig sshd on

mesg2=`lsof -i:22`

fi

if [ ! -n "$mesg1" -a ! -n "$mesg2" ]

then

echo

echo "Will Deactive telnet"

chkconfig krb5-telnet off

chkconfig ekrb5-telnet off

fi

#22、---------------------------------------------------------------------

#echo "#设置终端超时,使系统10分钟后自动退出不活动的Shell"

#echo "#-------------------------------------"

#mesg=`grep "export TMOUT=600" /etc/profile`

#if [ -z $mesg ]

#then

#echo "export TMOUT=600" >>/etc/profile

#. /etc/profile

#fi

#23、---------------------------------------------------------------------

echo "#禁用不必要的服务"

echo "Stop unuseing services"

echo "#-------------------------------------"

list="avahi-daemon bluetooth cups firstboot hplip ip6tables iptables iscsi iscsid isdn kudzu pcscd rhnsd rhsmcertd rpcgssd rpcidmapd sendmail smartd  yum-updatesd netfs portmap autofs nfslock nfs"

for i in $list

do

chkconfig $i off

service $i stop

done

echo "change kernel parameter for network secure"

cp  /etc/sysctl.conf /etc/sysctl.conf.$date

#echo "net.ipv4.icmp_echo_ignore_all = 1">>/etc/sysctl.conf

sysctl -a |grep arp_filter|sed -e 's/\=\ 0/\=\ 1/g' >>/etc/sysctl.conf

sysctl -a |grep accept_redirects|sed -e 's/\=\ 1/\=\ 0/g' >>/etc/sysctl.conf

sysctl -a |grep send_redirects|sed -e 's/\=\ 1/\=\ 0/g' >>/etc/sysctl.conf

sysctl -a |grep log_martians |sed -e 's/\=\ 0/\=\ 1/g'>>/etc/sysctl.conf

sysctl -p

#24、---------------------------------------------------------------------

echo "设置热键"

#ctrl+alt+del

if [ -d  /etc/init ]

then

sed  -i 's/^[^#]/#&/g' /etc/control-alt-delete.conf

else

sed -i 's/^ca::/#&/g' /etc/inittab

fi

#25、---------------------------------------------------------------------

echo "demo:禁止除了db2inst1的用户su到root"

usermod -G wheel db2inst1

sed -i '/pam_wheel.so use_uid/s/^#//g' /etc/pam.d/su

echo "SU_WHEEL_ONLY yes">>/etc/login.defs

作者:大福技术
链接:https://www.jianshu.com/p/850ac59fae41
來源:简书
简书著作权归作者所有,任何形式的转载都请联系作者获得授权并注明出处。

CentOS系统安全加固常见方法的更多相关文章

  1. CentOS系统版本的查看方法

    CentOS系统版本的查看方法 查看操作系统版本 1 [root@aliyun ~]# lsb_release -a LSB Version: :core-4.1-amd64:core-4.1-noa ...

  2. 六招轻松搞定你的CentOS系统安全加固

    Redhat是目前企业中用的最多的一类Linux,而目前针对Redhat攻击的黑客也越来越多了.我们要如何为这类服务器做好安全加固工作呢?  一.  账户安全 1.1 锁定系统中多余的自建帐号 检查方 ...

  3. Centos7.0操作系统加固常见方法

    1. 账号和口令 1.1 禁用或删除无用账号 减少系统无用账号,降低安全风险. 操作步骤 使用命令 userdel <用户名> 删除不必要的账号. 使用命令 passwd -l <用 ...

  4. CentOS系统找不到setup命令工具的解决方法

    如果你的CentOS系统中没有setup命令,很有可能是因为你安装CentOS系统时采用了最小化安装(minimal).这时,你执行setup命令时,就会报错: 错误信息: 1[root@localh ...

  5. CentOS系统时间与现在时间相差8小时解决方法

    很多网友在安装完CentOS系统后发现时间与现在时间相差8小时,这是由于我们在安装系统的时选择的时区是上海,而CentOS默认bios时间是utc时间,所以时间相差了8小时.这个时候的bios的时间和 ...

  6. 解决win下无法ping通VM虚拟机CentOS系统的方法

    事情描述:公司迁新址,电脑带过去之后,用xshell连接vm的centos系统老是连接失败,然后考虑到公司迁新址这个情况,我首先怀疑是ip的问题,然后在vm中执行ifconfig找到centos的ip ...

  7. CentOS系统实现SSH无密码登录的方法

    一.环境配置 1.服务端:CentOS release 5.3 IP:222.73.115.198 2.客服端:CentOS release 5.8 IP:192.168.4.244 二.配置SSH无 ...

  8. 使用ntp从时间同步服务器更新centos系统时间的方法

    CentOS系统时间同步的步骤如下: 复制代码 代码如下: cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtimentpdate us.pool.ntp ...

  9. CentOS防火墙iptables的配置方法详解

    CentOS系统也是基于linux中的它的防火墙其实就是iptables了,下面我来介绍在CentOS防火墙iptables的配置教程,希望此教程对各位朋友会有所帮助. iptables是与Linux ...

随机推荐

  1. xadmin后台 导入 excel 功能拓展

    新建 excel 文件 在 xadmin 的 plugins 下添加一个 excel.py # _*_ coding:utf-8 _*_ __author__ = "yangtuo" ...

  2. 20165223 《信息安全系统设计基础》 实现mypwd

    一.学习pwd命令 1. pwd命令简介 英文原名:Print Working Directory 指令功能:打印出当前工作目录 执行权限:All User 指令所在路径:/usr/bin/pwd 或 ...

  3. PR视频剪辑

    PR视频剪辑 新手问题1: 将素材导入到Adobe Premiere Pro CC后为什么无法拖入到时间轴上 解决办法:没有建立有序列所致,CC不会一开始就让你新建序列,图中间处写的好清楚“无序列”. ...

  4. crm 权限设计

    先在项目中创建  app rbac的models.py from django.db import models class Permission(models.Model): "" ...

  5. java Ajax跨域请求COOKIE无法带上的解决办法

    1.web.xml加入以下节点,,一定放在第一个filter <!--目录下所有文件可以跨域Begin--> <filter> <filter-name>CorsF ...

  6. 树状数组BIT

    模板1 #include<iostream> #include<cstdio> using namespace std; int n, m, c[500010]; inline ...

  7. Centos7安装vsftpd (FTP服务器)

    Centos7安装vsftpd (FTP服务器) 原文链接:https://www.jianshu.com/p/9abad055fff6 TyiMan 关注 2016.02.06 21:19* 字数 ...

  8. 点评cat系列-应用集成

    ========================消息的基本属性========================消息的几个属性:type: 定义消息的 category, 比如 SQL 或 RPC 或 ...

  9. scala使用slick查询的全过程(使用cass class)

    1. 首先导包 <dependency> <groupId>com.typesafe.slick</groupId> <artifactId>slick ...

  10. 基于STM32F1的语音合成芯片SYN6288驱动

    目录 说明 SYN6288.h SYN6288.c 说明 基于USART2制作,封装了各种通信协议 SYN6288.h #ifndef _SYN6288_H_ #define _SYN6288_H_ ...