
Linux基线加固

2024.4.1-Linux基线加固

脚本位置:

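#!/bin/bash
#
# Linux baseline hardening (2024.4.1).
#
# Creates the in-band monitoring accounts used by the cloud-management
# platform (monitor, Guanliyuan, plus the icnoc sudo entry), turns off
# firewalld/NetworkManager/SELinux per site policy, points yum at the internal
# mirror, enables shell/sudo/syslog auditing, tightens password, su and sshd
# policy, syncs time via chrony and removes the setuid bit from pkexec.
#
# Must run as root on a yum/systemd host (`passwd --stdin` is RHEL-family).
#
# Required environment (the published script hard-coded both passwords as a
# literal; reading them from the environment keeps the secret out of the
# script text and out of `ps` output):
#   MONITOR_PASSWORD     initial password for the "monitor" account
#   GUANLIYUAN_PASSWORD  initial password for the "Guanliyuan" account
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Create a local account if it does not exist yet and set its password.
# Arguments: $1 - user name, $2 - password (passed via stdin, never argv)
#######################################
ensure_user() {
  local name=$1 password=$2
  # Idempotent: a second run must not abort on "user already exists".
  id -u "$name" >/dev/null 2>&1 || useradd "$name"
  printf '%s\n' "$password" | passwd --stdin "$name" >/dev/null
}

#######################################
# Append sudoers text read from stdin to /etc/sudoers, but only after the
# combined file passes `visudo -c`, so a typo cannot lock everyone out of sudo
# (the published script appended with `echo >>` and no validation).
#######################################
append_sudoers() {
  local staged
  staged=$(mktemp) || die "mktemp failed"
  cat /etc/sudoers - >"$staged"
  if ! visudo -cf "$staged" >/dev/null; then
    rm -f -- "$staged"
    die "new sudoers content fails visudo -c; /etc/sudoers left untouched"
  fi
  install -m 0440 -o root -g root -- "$staged" /etc/sudoers
  rm -f -- "$staged"
}

#######################################
# Stop and disable a systemd unit; tolerate hosts where it is not installed
# (otherwise `set -e` would abort the whole run on a missing unit).
# Arguments: $1 - unit name
#######################################
stop_and_disable() {
  local unit=$1
  systemctl stop "$unit" 2>/dev/null || true
  systemctl disable "$unit" 2>/dev/null || true
}

#######################################
# Set a sshd_config keyword: rewrite every existing definition, commented or
# not, or append one when the keyword is absent. The published script only
# substituted an uncommented "PermitRootLogin yes", so on a host where the
# directive exists only as the commented-out default nothing changed and root
# login stayed enabled. Only ever called with literal keywords from this
# script, since key/value are interpolated into the sed expression.
# NOTE(review): this also rewrites occurrences inside `Match` blocks, if any.
# Arguments: $1 - keyword, $2 - value
#######################################
set_sshd_option() {
  local key=$1 value=$2
  local -r cfg=/etc/ssh/sshd_config
  if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]" "$cfg"; then
    sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]].*|${key} ${value}|" "$cfg"
  else
    printf '%s %s\n' "$key" "$value" >>"$cfg"
  fi
}

main() {
  local entry

  (( EUID == 0 )) || die "must run as root"
  : "${MONITOR_PASSWORD:?must be set}"
  : "${GUANLIYUAN_PASSWORD:?must be set}"

  # --- in-band monitoring accounts for the cloud-management platform
  #     (including the icnoc account) ---
  ensure_user monitor "$MONITOR_PASSWORD"
  ensure_user Guanliyuan "$GUANLIYUAN_PASSWORD"
  usermod -aG wheel Guanliyuan   # wheel is the group pam_wheel keys on below
  # 9999-day maximum age: this account is exempt from the 90-day
  # PASS_MAX_DAYS policy set further down (login.defs only affects new
  # accounts anyway).
  chage -M 9999 Guanliyuan
  # monitor: passwordless sudo for storage/hardware inventory commands.
  # /bin/cat and /usr/bin/tail carry no argument restriction, so monitor can
  # read any file as root; icnoc gets unrestricted passwordless root. Both
  # are the platform's published policy and are kept as-is.
  append_sudoers <<'EOF'
Defaults:monitor !requiretty
monitor ALL=(root) NOPASSWD:/usr/sbin/lvdisplay
monitor ALL=(root) NOPASSWD:/usr/sbin/vgdisplay
monitor ALL=(root) NOPASSWD:/usr/sbin/pvdisplay
monitor ALL=(root) NOPASSWD:/usr/sbin/lvscan
monitor ALL=(root) NOPASSWD:/usr/sbin/vgscan
monitor ALL=(root) NOPASSWD:/usr/sbin/pvscan
monitor ALL=(root) NOPASSWD:/usr/sbin/lvs
monitor ALL=(root) NOPASSWD:/usr/sbin/vgs
monitor ALL=(root) NOPASSWD:/usr/sbin/pvs
monitor ALL=(root) NOPASSWD:/usr/sbin/dmidecode
monitor ALL=(root) NOPASSWD:/usr/sbin/fdisk -l
monitor ALL=(root) NOPASSWD:/usr/sbin/smartctl
monitor ALL=(root) NOPASSWD:/sbin/lvdisplay
monitor ALL=(root) NOPASSWD:/sbin/vgdisplay
monitor ALL=(root) NOPASSWD:/sbin/pvdisplay
monitor ALL=(root) NOPASSWD:/sbin/lvscan
monitor ALL=(root) NOPASSWD:/sbin/vgscan
monitor ALL=(root) NOPASSWD:/sbin/pvscan
monitor ALL=(root) NOPASSWD:/sbin/dmidecode
monitor ALL=(root) NOPASSWD:/sbin/fdisk -l
monitor ALL=(root) NOPASSWD:/sbin/smartctl
monitor ALL=(root) NOPASSWD:/bin/cat
monitor ALL=(root) NOPASSWD:/bin/rm -f ./jtdc_rw_tmp_file
monitor ALL=(root) NOPASSWD:/usr/bin/tee ./jtdc_rw_tmp_file
monitor ALL=(root) NOPASSWD:/usr/bin/tail
icnoc ALL=(ALL) NOPASSWD:ALL
EOF

  # --- initial environment: firewalld, NetworkManager and SELinux are
  #     stopped and disabled (site policy; host-level packet filtering and
  #     mandatory access control are gone afterwards) ---
  stop_and_disable firewalld
  stop_and_disable NetworkManager
  setenforce 0 || true   # non-fatal: fails when SELinux is already disabled
  sed -i 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config

  # --- yum: park every existing repo file, then add the internal mirror ---
  (
    cd /etc/yum.repos.d/ || die "cannot cd to /etc/yum.repos.d"
    mkdir -p backup
    shopt -s nullglob
    for entry in ./*; do
      # The published `mv * backup/` also tried to move backup into itself.
      [[ "$entry" == ./backup ]] && continue
      mv -- "$entry" backup/
    done
  )
  # A local-ISO alternative was left commented out in the original:
  #   mount /dev/cdrom /mnt/ and a base.repo with name=local_yum,
  #   baseurl=file:..., enabled=1, gpgcheck=0.
  # The mirror URL was truncated in the published listing;
  # YUM_MIRROR_PLACEHOLDER below must be replaced with the real host/path.
  # gpgcheck=0 disables package signature verification (supply-chain risk);
  # switch to gpgcheck=1 plus gpgkey= once the mirror's signing key is known.
  cat >>/etc/yum.repos.d/http.repo <<'EOF'
[centos-source]
name=centos source
baseurl=http://YUM_MIRROR_PLACEHOLDER/
enabled=1
gpgcheck=0
EOF
  yum clean all
  yum makecache
  yum install -y net-tools vim
  yum remove -y 'ntp*'   # quoted: the wildcard is for yum, not the shell

  # --- shell history auditing: HISTSIZE, each interactive command logged to
  #     syslog via PROMPT_COMMAND, timestamped history ---
  cat >>/etc/bashrc <<'EOF'
export HISTSIZE=1000
export PROMPT_COMMAND='{msg=$(history 1 |{read x y;echo $y;});logger "[euid=$(whoami)]":[$(who am i)]:[`pwd`]:["$msg"]; }'
export HISTTIMEFORMAT="%Y%m%d_%T `whoami` `who am i|awk '{print $1,$5}'|sed 's/ (/@/'|sed 's/)//'` "
EOF
  # 5-minute idle timeout. Not marked readonly, so a user can still unset it
  # in their own shell; kept as published.
  printf 'export TMOUT=300\n' >>/etc/profile
  # (The original re-sourced /etc/profile here; that only affects the running
  # script, so the step is omitted.)

  # --- sudo logging ---
  append_sudoers <<'EOF'
Defaults log_host,log_year,logfile=/var/log/sudo.log
EOF

  # --- syslog: local rsyslog plus forwarding to the central collector ---
  systemctl start rsyslog
  systemctl enable rsyslog
  # A single '@' is plain UDP: unencrypted and lossy. '@@' (TCP), ideally
  # with TLS, is preferable if the collector at 172.29.9.100 supports it.
  printf '*.* @172.29.9.100:514\n' >>/etc/rsyslog.conf
  systemctl restart rsyslog

  # --- /etc/profile: default umask 027 for login shells ---
  sed -i 's/umask 022/umask 027/g' /etc/profile

  # --- su to root only for wheel members ---
  # NOTE(review): the absolute module path below comes from the published
  # script; confirm /lib/security/pam_rootok.so exists on the target (64-bit
  # hosts commonly keep PAM modules under lib64) or root's su may break.
  sed -i 's/auth\t\tsufficient\tpam_rootok.so/auth sufficient \/lib\/security\/pam_rootok.so/g' /etc/pam.d/su
  sed -i '2aauth required pam_wheel.so group=wheel' /etc/pam.d/su

  # --- password complexity / age policy ---
  # login.defs: comment out the current value, then insert the new one after
  # it. Affects accounts created from now on.
  sed -i 's/^PASS_MIN_LEN/#PASS_MIN_LEN/g' /etc/login.defs
  sed -i '/#PASS_MIN_LEN/a\PASS_MIN_LEN 8' /etc/login.defs
  sed -i 's/^PASS_MAX_DAYS/#PASS_MAX_DAYS/g' /etc/login.defs
  sed -i '/#PASS_MAX_DAYS/a\PASS_MAX_DAYS 90' /etc/login.defs
  # NOTE(review): the four patterns below match exactly one space between
  # "password" and the control flag. On a system-auth written with aligned
  # columns they are no-ops, and if they do match, pam_passwdqc must be
  # installed or password changes fail. Verify the resulting file.
  sed -i 's/^password required/#password required/g' /etc/pam.d/system-auth
  sed -i '/#password required/a\password required pam_passwdqc.so min=disabled,disabled,disabled,8,8' /etc/pam.d/system-auth
  sed -i 's/^password requisite/#password requisite/g' /etc/pam.d/system-auth
  sed -i '/#password requisite/a\password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=' /etc/pam.d/system-auth

  # --- brute-force protection for SSH logins: 10 failures lock the account
  #     for 600 s; root too, for 3600 s. Both lines are inserted right after
  #     the "#%PAM-1.0" header (second insert lands first). ---
  # NOTE(review): pam_tally2 is absent on newer distributions (replaced by
  # pam_faillock); confirm it exists on the target.
  sed -i '/#%PAM-1.0/a\account required pam_tally2.so' /etc/pam.d/sshd
  sed -i '/#%PAM-1.0/a\auth required pam_tally2.so deny=10 unlock_time=600 even_deny_root root_unlock_time=3600' /etc/pam.d/sshd

  # --- time sync via chrony against the internal NTP servers ---
  # The published line read `chrony –y` with a Unicode dash, which yum would
  # treat as a package name rather than the -y flag.
  yum install -y chrony
  systemctl start chronyd
  systemctl enable chronyd
  sed -i 's/^server/#server/g' /etc/chrony.conf
  printf 'server %s iburst\n' 172.29.9.5 172.29.9.6 >>/etc/chrony.conf
  systemctl restart chronyd

  # --- sshd: no reverse DNS on connect; no direct root login (the stock
  #     default allows it) ---
  set_sshd_option UseDNS no
  set_sshd_option PermitRootLogin no
  # Validate before the single restart so a bad config cannot drop remote
  # access (the original restarted twice, unvalidated).
  sshd -t || die "sshd_config failed validation; sshd not restarted"
  systemctl restart sshd

  # --- pkexec: drop the setuid bit (0755 instead of 4755) so the polkit
  #     helper cannot serve as a local privilege-escalation vector ---
  if [[ -e /usr/bin/pkexec ]]; then
    chmod 0755 /usr/bin/pkexec
  fi
}

main "$@"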