Linux基线加固
最后更新于:
2024.4.1-Linux基线加固
脚本位置:
https://onedayxyy.cn/scripts/Linux_jixianJiaGu/Linux_jixianJiaGu.sh
# One-liner install: downloads the hardening script and pipes it straight into
# the current (root) shell. Nothing is inspected before execution, so on a
# production host fetch the file first, read it, then run it explicitly.
wget -qO- https://onedayxyy.cn/scripts/Linux_jixianJiaGu/Linux_jixianJiaGu.sh|bash
Linux_jixianJiaGu.sh
1[root@docusaurus-wiki Linux_jixianJiaGu]#cat Linux_jixianJiaGu.sh
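#!/bin/bash
# Linux baseline hardening for a CentOS 7 style host. Must run as root.
# Every step mutates system configuration (accounts, sudoers, firewall,
# SELinux, yum repos, PAM, sshd, chrony); review the whole file before use.
#
# Optional environment overrides (defaults keep the original behaviour):
#   MONITOR_PASSWORD     password for the "monitor" account
#   GUANLIYUAN_PASSWORD  password for the "Guanliyuan" account
# The built-in default "123456" is the placeholder the original script used;
# set both variables to strong values before running on a real host.

if [ "$(id -u)" -ne 0 ]; then
  echo "this script must run as root" >&2
  exit 1
fi

MONITOR_PASSWORD=${MONITOR_PASSWORD:-123456}
GUANLIYUAN_PASSWORD=${GUANLIYUAN_PASSWORD:-123456}
if [ "$MONITOR_PASSWORD" = 123456 ] || [ "$GUANLIYUAN_PASSWORD" = 123456 ]; then
  echo "warning: placeholder password 123456 in use; set MONITOR_PASSWORD / GUANLIYUAN_PASSWORD" >&2
fi

# Scratch directory for sudoers validation; removed on every exit path.
workdir=$(mktemp -d) || exit 1
cleanup() { rm -rf -- "${workdir:?}"; }
trap cleanup EXIT

#######################################
# Append a sudoers fragment read from stdin to /etc/sudoers, but only after
# visudo accepts the merged result, so a syntax error in the fragment cannot
# break sudo for every account on the host.
# Globals:   workdir (read)
# Arguments: none; fragment comes from stdin
# Returns:   0 when appended, 1 when visudo rejected the merged file
#######################################
append_sudoers() {
  local -r fragment="$workdir/sudoers.fragment"
  local -r merged="$workdir/sudoers.merged"
  cat > "$fragment"
  cat /etc/sudoers "$fragment" > "$merged"
  if ! visudo -cf "$merged" >/dev/null; then
    echo "sudoers fragment rejected by visudo, not applied" >&2
    return 1
  fi
  cat "$fragment" >> /etc/sudoers
}

# Cloud-management in-band monitoring accounts (including the icnoc account).
# useradd/usermod errors (e.g. account already exists) are reported but do not
# stop the script, matching the original behaviour.
useradd monitor
useradd Guanliyuan
usermod -G wheel Guanliyuan
printf '%s\n' "$MONITOR_PASSWORD" | passwd --stdin monitor
printf '%s\n' "$GUANLIYUAN_PASSWORD" | passwd --stdin Guanliyuan
# 9999-day maximum age effectively exempts Guanliyuan from the 90-day
# PASS_MAX_DAYS policy applied further down; keep that exception deliberate.
chage -M 9999 Guanliyuan

# Sudo rights required by the monitoring platform. Note the risk profile:
# NOPASSWD /bin/cat and /usr/bin/tail let "monitor" read any file as root
# (including /etc/shadow), and "icnoc ALL=(ALL) NOPASSWD:ALL" is unrestricted
# root. Protect those two accounts accordingly and watch /var/log/sudo.log.
append_sudoers <<'EOF'
Defaults: monitor !requiretty
monitor ALL=(root) NOPASSWD:/usr/sbin/lvdisplay
monitor ALL=(root) NOPASSWD:/usr/sbin/vgdisplay
monitor ALL=(root) NOPASSWD:/usr/sbin/pvdisplay
monitor ALL=(root) NOPASSWD:/usr/sbin/lvscan
monitor ALL=(root) NOPASSWD:/usr/sbin/vgscan
monitor ALL=(root) NOPASSWD:/usr/sbin/pvscan
monitor ALL=(root) NOPASSWD:/usr/sbin/lvs
monitor ALL=(root) NOPASSWD:/usr/sbin/vgs
monitor ALL=(root) NOPASSWD:/usr/sbin/pvs
monitor ALL=(root) NOPASSWD:/usr/sbin/dmidecode
monitor ALL=(root) NOPASSWD:/usr/sbin/fdisk -l
monitor ALL=(root) NOPASSWD:/usr/sbin/smartctl
monitor ALL=(root) NOPASSWD:/sbin/lvdisplay
monitor ALL=(root) NOPASSWD:/sbin/vgdisplay
monitor ALL=(root) NOPASSWD:/sbin/pvdisplay
monitor ALL=(root) NOPASSWD:/sbin/lvscan
monitor ALL=(root) NOPASSWD:/sbin/vgscan
monitor ALL=(root) NOPASSWD:/sbin/pvscan
monitor ALL=(root) NOPASSWD:/sbin/dmidecode
monitor ALL=(root) NOPASSWD:/sbin/fdisk -l
monitor ALL=(root) NOPASSWD:/sbin/smartctl
monitor ALL=(root) NOPASSWD:/bin/cat
monitor ALL=(root) NOPASSWD:/bin/rm -f ./jtdc_rw_tmp_file
monitor ALL=(root) NOPASSWD:/usr/bin/tee ./jtdc_rw_tmp_file
monitor ALL=(root) NOPASSWD:/usr/bin/tail
icnoc ALL=(ALL) NOPASSWD:ALL
EOF

# Initial environment: stop and disable firewalld / NetworkManager / SELinux.
# This removes host-level network filtering and mandatory access control;
# only acceptable where the platform provides those controls elsewhere.
systemctl stop firewalld
systemctl disable firewalld

systemctl stop NetworkManager
systemctl disable NetworkManager

setenforce 0
sed -i s/SELINUX=enforcing/SELINUX=disabled/ /etc/selinux/config

# yum configuration: park the existing repo files in backup/ and point the
# host at the internal mirror. Abort if the directory is missing so the
# moves below cannot run against an unexpected working directory.
cd /etc/yum.repos.d/ || exit 1
mkdir -p backup
for repo in *; do
  [ "$repo" = backup ] && continue   # do not move the backup dir into itself
  [ -e "$repo" ] || continue         # unmatched glob leaves the literal '*'
  mv -- "$repo" backup/
done

# cat > /etc/yum.repos.d/base.repo << EOF
# [base]
# name=local_yum
# baseurl=file:///mnt
# enabled=1
# gpgcheck=0
# EOF

# mount /dev/cdrom /mnt/

# Plain-HTTP mirror with gpgcheck=0: packages are neither transport- nor
# signature-verified, so the mirror host must be trusted and access-controlled.
cat >> /etc/yum.repos.d/http.repo << 'EOF'
[centos-source]
name=centos source
baseurl=http://172.29.9.10:8023/centos761810/
enabled=1
gpgcheck=0
EOF

yum clean all
yum makecache
yum install -y net-tools
yum install -y vim
yum remove -y 'ntp*'

# Shell history logging: every interactive command is sent to syslog with the
# effective user, login user, and cwd. Lines are written verbatim into
# /etc/bashrc; the escaping is deliberate so expansion happens at login time.
echo "export HISTSIZE=1000" >> /etc/bashrc
echo "export PROMPT_COMMAND='{ msg=\$(history 1 | { read x y; echo \$y; });logger \"[euid=\$(whoami)]\":[\$(who am i)]:[\`pwd\`]:[\"\$msg\"]; }'" >> /etc/bashrc
echo "export HISTTIMEFORMAT=\"%Y%m%d_%T \`whoami\` \`who am i|awk '{print \$1,\$5}'|sed 's/ (/@/'|sed 's/)//'\` \"" >> /etc/bashrc

# Idle-session timeout (seconds).
echo "export TMOUT=300" >> /etc/profile
. /etc/profile

# sudo logging: validated through visudo like the rules above.
printf '%s\n' 'Defaults log_host,log_year,logfile=/var/log/sudo.log' | append_sudoers

# syslog forwarding. "@host" is plain UDP: unencrypted and unacknowledged,
# so treat the collector network as trusted.
systemctl start rsyslog
systemctl enable rsyslog
echo "*.* @172.29.9.100:514" >> /etc/rsyslog.conf;systemctl restart rsyslog

# umask hardening in /etc/profile
sed -i s'/umask 022/umask 027/g' /etc/profile
. /etc/profile

# su-to-root hardening: only members of wheel may su.
sed -i 's/auth\t\tsufficient\tpam_rootok.so/auth sufficient \/lib\/security\/pam_rootok.so/g' /etc/pam.d/su
sed -i '2aauth required pam_wheel.so group=wheel' /etc/pam.d/su

# Password complexity / ageing policy.
sed -i s"/^PASS_MIN_LEN/#PASS_MIN_LEN/g" /etc/login.defs
sed -i "/#PASS_MIN_LEN/a\PASS_MIN_LEN 8" /etc/login.defs

sed -i s"/^PASS_MAX_DAYS/#PASS_MAX_DAYS/g" /etc/login.defs
sed -i "/#PASS_MAX_DAYS/a\PASS_MAX_DAYS 90" /etc/login.defs

sed -i s"/^password required/#password required/g" /etc/pam.d/system-auth
sed -i "/#password required/a\password required pam_passwdqc.so min=disabled,disabled,disabled,8,8" /etc/pam.d/system-auth

sed -i s"/^password requisite/#password requisite/g" /etc/pam.d/system-auth
sed -i "/#password requisite/a\password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=" /etc/pam.d/system-auth

# SSH brute-force lockout: 10 failures lock for 600 s (root: 3600 s).
sed -i '/#%PAM-1.0/a\account required pam_tally2.so' /etc/pam.d/sshd
sed -i '/#%PAM-1.0/a\auth required pam_tally2.so deny=10 unlock_time=600 even_deny_root root_unlock_time=3600' /etc/pam.d/sshd

# NTP via chrony. The original used an en-dash ("–y"), which yum treated as a
# package name, so chrony was never installed non-interactively.
yum install -y chrony
systemctl start chronyd
systemctl enable chronyd

sed -i s'/^server/#server/g' /etc/chrony.conf
echo "server 172.29.9.5 iburst" >> /etc/chrony.conf
echo "server 172.29.9.6 iburst" >> /etc/chrony.conf
systemctl restart chronyd

# UseDNS option
sed -i "s/#UseDNS yes/UseDNS no/g" /etc/ssh/sshd_config

# Forbid direct root SSH login. A stock sshd_config commonly carries this
# directive commented out ("#PermitRootLogin yes"); the pattern therefore
# matches the commented form too, otherwise the edit is a no-op. Root is
# reached through the sudo-capable Guanliyuan account instead. An existing
# root SSH session is not cut off by this change.
sed -i 's/^#*PermitRootLogin .*/PermitRootLogin no/' /etc/ssh/sshd_config

# Restart once, and only if the edited config parses, so a bad edit cannot
# leave the host without a working sshd.
if sshd -t; then
  systemctl restart sshd
else
  echo "sshd_config failed validation, sshd not restarted" >&2
fi

# Drops the setuid bit from pkexec; unprivileged users lose pkexec elevation.
chmod 0755 /usr/bin/pkexec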