
CentOS Linux release 7.4.1708 (Core) operating system security hardening

Date: 2022-09-13 13:32:45


OS download link (the host part is missing from the source; only the path survived): /7.4.1708/isos/x86_64/CentOS-7-x86_64-Minimal-1708.iso

Security baseline policies

1. Configure a password complexity policy: passwords of at least 8 characters mixing digits, letters and special characters;

2. Configure login-failure handling: lock the account for 10 minutes after 5 consecutive failed logins;

3. Do not perform day-to-day operations solely as root;

4. Prevent root from logging in directly over SSH; only non-root users may log in over SSH;

5. Configure audit policies for operator actions, writes to and execution of important files, and security events, plus centralized collection of the audit logs;

Password complexity policy

Baseline description

1. Configure a password complexity policy: passwords of at least 8 characters mixing digits, letters and special characters;

2. Every Linux account is subject to the complexity policy;

Related standard

GB/T 22239- "Information security technology - Baseline for classified protection of cybersecurity": users logging in shall be identified and authenticated; identifiers shall be unique, and authentication information shall meet complexity requirements and be changed periodically;

Detection steps

Check the password complexity configuration with cat /etc/pam.d/system-auth. In the stock file the pam_pwquality line carries only retry=3; the effective minimum length and character-class requirements then come from /etc/security/pwquality.conf:

cat /etc/pam.d/system-auth

#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        required      pam_deny.so

account     required      pam_unix.so

password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password    required      pam_deny.so

session     optional      pam_keyinit.so revoke
session     required      pam_limits.so
-session    optional      pam_systemd.so
session     [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session     required      pam_unix.so

Check the password ageing policy with cat /etc/login.defs. PASS_MAX_DAYS 99999 means passwords never expire; note the file's own header: these values are read by the shadow-utils tools (useradd, chage), not by PAM, so PASS_MIN_LEN does not enforce anything for passwd:

cat /etc/login.defs

#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#

# *REQUIRED*
#   Directory where mailboxes reside, _or_ name of file, relative to the
#   home directory.  If you _do_ define both, MAIL_DIR takes precedence.
#   QMAIL_DIR is for Qmail
#
#QMAIL_DIR      Maildir
MAIL_DIR        /var/spool/mail
#MAIL_FILE      .mail

# Password aging controls:
#
#       PASS_MAX_DAYS   Maximum number of days a password may be used.
#       PASS_MIN_DAYS   Minimum number of days allowed between password changes.
#       PASS_MIN_LEN    Minimum acceptable password length.
#       PASS_WARN_AGE   Number of days warning given before a password expires.
#
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
PASS_WARN_AGE   7

#
# Min/max values for automatic uid selection in useradd
#
UID_MIN                  1000
UID_MAX                 60000
# System accounts
SYS_UID_MIN               201
SYS_UID_MAX               999

#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN                  1000
GID_MAX                 60000
# System accounts
SYS_GID_MIN               201
SYS_GID_MAX               999

#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD    /usr/sbin/userdel_local

#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME     yes

# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK           077

# This enables userdel to remove user groups if no members exist.
USERGROUPS_ENAB yes

# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512

Preparation steps (back up the files that will be changed)

/bin/cp -rf /etc/pam.d/system-auth /tmp/system-auth
/bin/cp -rf /etc/login.defs /tmp/login.defs

/tmp is world-readable and is cleaned periodically and at reboot; for anything beyond a quick test, keep the backups in a root-only directory (for example under /root) instead.

Hardening steps

Two commands in the original post need correcting. The first inserted the pwquality line at a fixed line number (sed "14 i\..."); where that lands depends on the exact layout of the file, and in the verification capture below it ended up in the middle of the account block, leaving a second pam_pwquality line without options further down. The second replaced PASS_MAX_DAYS 99999 with PASS_MAX_DAYS 99999 and so changed nothing, although the standard requires periodic password change. Rewrite the existing pwquality line in place instead, and set an actual expiry (90 days is used here as an example value; the standard gives no number):

sed -i '/pam_pwquality\.so/c\password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root' /etc/pam.d/system-auth
sed -i 's/^PASS_MAX_DAYS\t99999/PASS_MAX_DAYS\t90/' /etc/login.defs
sed -i 's/^PASS_MIN_LEN\t5/PASS_MIN_LEN\t8/' /etc/login.defs

Notes:

- minlen=8 with lcredit, ucredit, dcredit and ocredit all set to -1 requires at least 8 characters and at least one lowercase letter, one uppercase letter, one digit and one other character. Without enforce_for_root, root only receives a warning when it sets a weak password.

- sed -i writes a regular file in place of the /etc/pam.d/system-auth symlink, which also stops authconfig from regenerating it. The alternative that survives authconfig runs is to set minlen = 8 and the four credit values in /etc/security/pwquality.conf.

- The login.defs ageing values apply only to accounts created afterwards; existing accounts need chage -M 90 <user>.
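The following is an added example, not code from the original post. It applies the same two changes to copies of system-auth and login.defs built in a temporary directory (the file contents are constructed samples of the stock CentOS 7 stanzas), matching the pwquality line by module name rather than by line number, and then evaluates candidate passwords against what minlen=8 plus the four credit=-1 values actually require. SYSAUTH and LOGINDEFS are assumed paths; point them at the real files only after the functions have been exercised on copies.

```shell
# Added example (not part of the original page): apply the password policy to
# COPIES of system-auth and login.defs built in a temp dir, then check the result.
# SYSAUTH / LOGINDEFS are assumed paths to those copies, not the live files.

PWQ_OPTS='try_first_pass local_users_only retry=3 authtok_type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root'

# Rewrite the existing pam_pwquality line in place. Matching on the module
# name instead of a line number works on any authconfig-generated file and is
# safe to run repeatedly (the line is replaced, never duplicated).
set_pwquality_line() {
    sed "s|^password[[:space:]]\{1,\}requisite[[:space:]]\{1,\}pam_pwquality\.so.*|password    requisite     pam_pwquality.so $PWQ_OPTS|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Set KEY to VALUE in a login.defs-style file, whether the existing line uses
# tabs or spaces; append the key if it is absent.
set_login_def() {
    file=$1 key=$2 val=$3
    if grep -q "^$key[[:space:]]" "$file"; then
        sed "s/^$key[[:space:]].*/$key $val/" "$file" > "$file.tmp" && mv "$file.tmp" "$file"
    else
        printf '%s %s\n' "$key" "$val" >> "$file"
    fi
}

# What the pam_pwquality line above demands of a new password: at least 8
# characters and at least one lower, upper, digit and other character (a
# credit of -1 is a minimum count, not a length bonus). pwquality also runs
# dictionary and similarity checks, so passing here is necessary, not
# sufficient. Returns 0 when the password would be accepted.
meets_policy() {
    pw=$1
    [ "${#pw}" -ge 8 ]                          || return 1
    printf '%s' "$pw" | grep -q '[[:lower:]]'   || return 1
    printf '%s' "$pw" | grep -q '[[:upper:]]'   || return 1
    printf '%s' "$pw" | grep -q '[[:digit:]]'   || return 1
    printf '%s' "$pw" | grep -q '[^[:alnum:]]'  || return 1
}

# --- constructed sample files (stock CentOS 7 stanzas, trimmed) ---
demo_dir=$(mktemp -d)
SYSAUTH=$demo_dir/system-auth
LOGINDEFS=$demo_dir/login.defs
cat > "$SYSAUTH" <<'EOF'
#%PAM-1.0
auth        required      pam_env.so
auth        sufficient    pam_unix.so try_first_pass nullok
auth        required      pam_deny.so
account     required      pam_unix.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password    sufficient    pam_unix.so try_first_pass use_authtok nullok sha512 shadow
password    required      pam_deny.so
session     required      pam_unix.so
EOF
printf 'PASS_MAX_DAYS\t99999\nPASS_MIN_DAYS\t0\nPASS_MIN_LEN\t5\nPASS_WARN_AGE\t7\n' > "$LOGINDEFS"

set_pwquality_line "$SYSAUTH"
set_pwquality_line "$SYSAUTH"                  # second run must not add a second line
set_login_def "$LOGINDEFS" PASS_MAX_DAYS 90    # 90 days is an example value
set_login_def "$LOGINDEFS" PASS_MIN_LEN 8

# Helpers for inspecting the result
pwquality_minlen_lines() { grep -c 'pam_pwquality\.so.*minlen=8' "$SYSAUTH"; }
login_def_value() { awk -v k="$2" '$1 == k { print $2 }' "$1"; }
```

Running the block leaves exactly one pam_pwquality line in the copy, carrying minlen=8, and login.defs with PASS_MAX_DAYS 90 and PASS_MIN_LEN 8; meets_policy accepts a password such as Tr0ub4dor&3 and rejects one that lacks any of the four character classes or is shorter than eight characters.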

Verification steps

cat /etc/pam.d/system-auth

The capture below is what the original post showed. It comes from an authselect-managed system (RHEL/CentOS 8 layout, with pam_usertype and pam_sss), not from CentOS 7.4, and it shows the effect of the fixed-line-number insert: the new pwquality line sits in the middle of the account block and the file still has a second, option-less pam_pwquality line in the password stack. On CentOS 7.4, with the corrected command, the expected result is a single pam_pwquality line in the password stack carrying minlen=8 and the four credit options.

# Generated by authselect on Wed Jan 19 20:22:28 
# Do not modify this file manually.

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss.so forward_pass
auth        required                                     pam_deny.so

account     required                                     pam_unix.so
password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so local_users_only
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so

cat /etc/login.defs

The file is unchanged from the earlier capture except for the ageing block, which after the corrected commands reads:

PASS_MAX_DAYS   90
PASS_MIN_DAYS   0
PASS_MIN_LEN    8
PASS_WARN_AGE   7

(The original capture still showed PASS_MAX_DAYS 99999, the result of the no-op sed command.) A functional check is to set a password that breaks one rule, for example one without an uppercase letter, with passwd as root: with enforce_for_root in place it must be refused, not merely warned about.

Rollback steps

/bin/cp -rf /tmp/system-auth /etc/pam.d/system-auth
/bin/cp -rf /tmp/login.defs /etc/login.defs

Login-failure handling

Baseline description

1. Enable login-failure handling;

2. Configure the policy: lock the account for 10 minutes after 5 consecutive failed logins;

Related standard

GB/T 22239- "Information security technology - Baseline for classified protection of cybersecurity": a login-failure handling function shall be provided, and measures such as ending the session, limiting the number of illegal login attempts and automatic logout on connection timeout shall be configured and enabled;

Detection steps

Check the login-failure policy for SSH with cat /etc/pam.d/sshd. The stock file contains no lock-out module at all, so failed attempts are only logged, never counted:

cat /etc/pam.d/sshd

#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

Preparation steps

/bin/cp -rf /etc/pam.d/sshd /tmp/sshd

Hardening steps

sed -i "3 i\auth\\trequired\\tpam_tally2.so onerr=fail deny=5 unlock_time=600 even_deny_root root_unlock_time=600" /etc/pam.d/sshd

In the stock file line 3 is "auth substack password-auth", so the new line lands after pam_sepermit.so and before any password module, which is where the lock-out check belongs; confirm that the target's file still has that layout before running a line-number insert. Notes:

- This counts failures for SSH only. Console logins (/etc/pam.d/login) and su are not covered; to count failures from every service, put the same line into /etc/pam.d/password-auth and /etc/pam.d/system-auth instead.

- even_deny_root means anyone who can reach port 22 can lock root out for ten minutes by sending five wrong passwords. Once PermitRootLogin no (below) is in place this no longer affects SSH, but keep it in mind if the line is copied into system-auth.

- onerr=fail refuses the login when the tally file (/var/log/tallylog) cannot be read or written, rather than silently letting it through.

Check locked-out users (lists every account with a non-zero failure count):

pam_tally2

Unlock a user:

pam_tally2 --user root --reset
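The following is an added example, not code from the original post. Instead of inserting at line 3, it places the pam_tally2 lines relative to the lines that hand off to password-auth, adds the account-phase line that resets the counter after a successful login, is a no-op when the lines are already present, and afterwards verifies that the auth line precedes the password modules. It runs on a constructed copy of the stock /etc/pam.d/sshd (comments removed) in a temporary directory; SSHD_PAM is an assumed path.

```shell
# Added example (not part of the original page): insert the pam_tally2 lines
# into a COPY of /etc/pam.d/sshd by position relative to the password-auth
# hand-off rather than by line number, and verify the ordering afterwards.
# SSHD_PAM is an assumed path to that copy.

TALLY_AUTH='auth       required     pam_tally2.so onerr=fail deny=5 unlock_time=600 even_deny_root root_unlock_time=600'
TALLY_ACCT='account    required     pam_tally2.so'

# Put the auth line before "auth substack/include password-auth" and the
# account line (resets the counter after a successful login) before
# "account include password-auth". A file that already contains pam_tally2
# is left untouched, so the function can be re-run safely.
add_tally2() {
    file=$1
    if grep -q 'pam_tally2\.so' "$file"; then return 0; fi
    awk -v a="$TALLY_AUTH" -v c="$TALLY_ACCT" '
        !da && $1 == "auth"    && ($2 == "substack" || $2 == "include") && $3 == "password-auth" { print a; da = 1 }
        !dc && $1 == "account" && $2 == "include" && $3 == "password-auth"                         { print c; dc = 1 }
        { print }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# 0 if the pam_tally2 auth line comes before the password-auth hand-off,
# i.e. the deny check runs before any password is verified.
tally_precedes_auth() {
    awk '$1 == "auth" && $3 == "pam_tally2.so" { t = NR }
         $1 == "auth" && $3 == "password-auth" { p = NR }
         END { exit !(t && p && t < p) }' "$1"
}

# --- constructed copy of the stock CentOS 7 /etc/pam.d/sshd, comments dropped ---
demo_dir=$(mktemp -d)
SSHD_PAM=$demo_dir/sshd
cat > "$SSHD_PAM" <<'EOF'
#%PAM-1.0
auth       required     pam_sepermit.so
auth       substack     password-auth
auth       include      postlogin
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
session    required     pam_loginuid.so
session    include      password-auth
EOF

add_tally2 "$SSHD_PAM"
add_tally2 "$SSHD_PAM"        # idempotent: still exactly two pam_tally2 lines

# Helpers for inspecting the result
tally2_lines() { grep -c 'pam_tally2\.so' "$SSHD_PAM"; }
nth_line_fields() { sed -n "${1}p" "$SSHD_PAM" | awk '{ print $1, $2, $3 }'; }
```

After the block runs, line 3 of the copy is the pam_tally2 auth line (the same position the original sed command targets), line 7 is the account line, and tally_precedes_auth returns success; running add_tally2 a second time changes nothing.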

Verification steps

cat /etc/pam.d/sshd

The new line must read pam_tally2.so, as the command above writes it; the original capture showed pam_tally.so, which is a transcription error (root_unlock_time is a pam_tally2 option). The expected file:

#%PAM-1.0
auth       required     pam_sepermit.so
auth       required     pam_tally2.so onerr=fail deny=5 unlock_time=600 even_deny_root root_unlock_time=600
auth       substack     password-auth
auth       include      postlogin
# Used with polkit to reauthorize users in remote sessions
-auth      optional     pam_reauthorize.so prepare
account    required     pam_nologin.so
account    include      password-auth
password   include      password-auth
# pam_selinux.so close should be the first session rule
session    required     pam_selinux.so close
session    required     pam_loginuid.so
# pam_selinux.so open should only be followed by sessions to be executed in the user context
session    required     pam_selinux.so open env_params
session    required     pam_namespace.so
session    optional     pam_keyinit.so force revoke
session    include      password-auth
session    include      postlogin
# Used with polkit to reauthorize users in remote sessions
-session   optional     pam_reauthorize.so prepare

Functional check: enter a wrong password five times for a test account over SSH, then try the correct one; it must be refused until the tenth minute, and pam_tally2 shows the account with a failure count of 5 or more.

Rollback steps

/bin/cp -rf /tmp/sshd /etc/pam.d/sshd

Configuring a normal user

Baseline description

1. Do not perform day-to-day operations solely as root;

2. Normal users do not hold root privileges;

3. Normal users are not members of the root group;

Related standard

GB/T 22239- "Information security technology - Baseline for classified protection of cybersecurity": administrative users shall be granted the minimum privileges required, with separation of administrative privileges;

Detection steps

List users and their primary groups with cat /etc/passwd. Root privilege can come from three places, so check all three: any account with UID 0 in /etc/passwd (not only the one named root), the member lists of the root and wheel lines in /etc/group, and user specifications in /etc/sudoers and /etc/sudoers.d/:

cat /etc/passwd

Preparation steps

None: this item only creates an account and modifies no existing file.

Hardening steps

Add the user user (a placeholder name; use a real operator name):

useradd user

Set the password for user (it must satisfy the complexity policy configured above):

passwd user

Verification steps

su - user

Then confirm with id that the UID is not 0 and that the group list contains neither root nor wheel, and try an SSH login as the normal user from another machine. Do this before disabling root SSH login in the next item; if it fails there, you are locked out.
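The following is an added example, not code from the original post, covering the detection step (who holds root power) and the verification step (is the new account really unprivileged). It reads passwd, group and sudoers files and reports every account that has UID 0, is a member of root or wheel, or has a sudoers user specification granting ALL. The inputs are constructed sample files in a temporary directory; PASSWD, GROUP and SUDOERS are assumed variable names, and on a live host they would point at /etc/passwd, /etc/group and /etc/sudoers (plus each file under /etc/sudoers.d).

```shell
# Added example (not part of the original page): list every account that holds
# root power, not just the one named root. Inputs are constructed sample files;
# on a live host pass /etc/passwd, /etc/group and /etc/sudoers (and each file
# under /etc/sudoers.d) instead.

uid0_accounts() {          # any UID-0 account is root, whatever its name
    awk -F: '$3 == 0 { print $1 }' "$1"
}

members_of() {             # supplementary members of group $2 in group file $1
    awk -F: -v g="$2" '$1 == g && $4 != "" { n = split($4, m, ","); for (i = 1; i <= n; i++) print m[i] }' "$1"
}

sudo_all_users() {         # user specs (not %group specs) that grant ALL commands
    grep -v '^[[:space:]]*#' "$1" | awk '$1 !~ /^%/ && $1 != "Defaults" && /ALL/ { print $1 }'
}

# Union of the three sources, sorted and de-duplicated, one name per line.
privileged_accounts() {
    { uid0_accounts "$PASSWD"; members_of "$GROUP" root; members_of "$GROUP" wheel; sudo_all_users "$SUDOERS"; } | sort -u
}

# 0 if NAME appears in none of the sources, i.e. it is an ordinary user.
is_unprivileged() {
    if privileged_accounts | grep -qx "$1"; then return 1; fi
    return 0
}

# --- constructed sample inputs ---
demo_dir=$(mktemp -d)
PASSWD=$demo_dir/passwd GROUP=$demo_dir/group SUDOERS=$demo_dir/sudoers
cat > "$PASSWD" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0:second uid 0:/root:/bin/bash
user:x:1000:1000::/home/user:/bin/bash
ops:x:1001:1001::/home/ops:/bin/bash
deploy:x:1002:1002::/home/deploy:/bin/bash
EOF
cat > "$GROUP" <<'EOF'
root:x:0:user
wheel:x:10:ops
user:x:1000:
EOF
cat > "$SUDOERS" <<'EOF'
Defaults    requiretty
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
deploy  ALL=(ALL)       NOPASSWD: ALL
# backup  ALL=(ALL)     ALL
EOF
```

On the sample data privileged_accounts prints deploy, ops, root, toor and user: toor because of its UID, ops through wheel, deploy through sudoers, and user because it was added to the root group, which is exactly what baseline item 3 forbids; is_unprivileged user therefore fails while is_unprivileged bin succeeds.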

Rollback steps

userdel user

(userdel without -r leaves the home directory and mail spool in place.)

Restricting root remote login

Baseline description

1. Prevent root from logging in directly over SSH; only non-root users may log in over SSH;

Related standard

GB/T 22239- "Information security technology - Baseline for classified protection of cybersecurity": default accounts shall be renamed or removed, and their default passwords changed;

Detection steps

cat /etc/ssh/sshd_config

In the stock file PermitRootLogin appears only as a commented line; as the file's header explains, commented options document the compiled-in default, so root login over SSH is permitted:

#	$OpenBSD: sshd_config,v 1.100 /08/15 12:32:04 naddy Exp $

# This is the sshd server system-wide configuration file.  See
# sshd_config(5) for more information.

# This sshd was compiled with PATH=/usr/local/bin:/usr/bin

# The strategy used for options in the default sshd_config shipped with
# OpenSSH is to specify options with their default value where
# possible, but leave them commented.  Uncommented options override the
# default value.

# If you want to change the port on a SELinux system, you have to tell
# SELinux about this change.
# semanage port -a -t ssh_port_t -p tcp #PORTNUMBER
#
#Port 22
#AddressFamily any
#ListenAddress 0.0.0.0
#ListenAddress ::

HostKey /etc/ssh/ssh_host_rsa_key
#HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key

# Ciphers and keying
#RekeyLimit default none

# Logging
#SyslogFacility AUTH
SyslogFacility AUTHPRIV
#LogLevel INFO

# Authentication:

#LoginGraceTime 2m
#PermitRootLogin yes
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

#PubkeyAuthentication yes

# The default is to check both .ssh/authorized_keys and .ssh/authorized_keys2
# but this is overridden so installations will only check .ssh/authorized_keys
AuthorizedKeysFile	.ssh/authorized_keys

#AuthorizedPrincipalsFile none

#AuthorizedKeysCommand none
#AuthorizedKeysCommandUser nobody

# For this to work you will also need host keys in /etc/ssh/ssh_known_hosts
#HostbasedAuthentication no
# Change to yes if you don't trust ~/.ssh/known_hosts for
# HostbasedAuthentication
#IgnoreUserKnownHosts no
# Don't read the user's ~/.rhosts and ~/.shosts files
#IgnoreRhosts yes

# To disable tunneled clear text passwords, change to no here!
#PasswordAuthentication yes
#PermitEmptyPasswords no
PasswordAuthentication yes

# Change to no to disable s/key passwords
#ChallengeResponseAuthentication yes
ChallengeResponseAuthentication no

# Kerberos options
#KerberosAuthentication no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
#KerberosGetAFSToken no
#KerberosUseKuserok yes

# GSSAPI options
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
#GSSAPIStrictAcceptorCheck yes
#GSSAPIKeyExchange no
#GSSAPIEnablek5users no

# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication.  Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
# WARNING: 'UsePAM no' is not supported in Red Hat Enterprise Linux and may cause several
# problems.
UsePAM yes

#AllowAgentForwarding yes
#AllowTcpForwarding yes
#GatewayPorts no
X11Forwarding yes
#X11DisplayOffset 10
#X11UseLocalhost yes
#PermitTTY yes
#PrintMotd yes
#PrintLastLog yes
#TCPKeepAlive yes
#UseLogin no
#UsePrivilegeSeparation sandbox
#PermitUserEnvironment no
#Compression delayed
#ClientAliveInterval 0
#ClientAliveCountMax 3
#ShowPatchLevel no
#UseDNS no
#PidFile /var/run/sshd.pid
#MaxStartups 10:30:100
#PermitTunnel no
#ChrootDirectory none
#VersionAddendum none

# no default banner path
#Banner none

# Accept locale-related environment variables
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS

# override default of no subsystems
Subsystem	sftp	/usr/libexec/openssh/sftp-server

# Example of overriding settings on a per-user basis
#Match User anoncvs
#	X11Forwarding no
#	AllowTcpForwarding no
#	PermitTTY no
#	ForceCommand cvs server

Preparation steps

/bin/cp -rf /etc/ssh/sshd_config /tmp/sshd_config

Hardening steps

sed -i 's/#PermitRootLogin yes/#PermitRootLogin yes\nPermitRootLogin no/g' /etc/ssh/sshd_config

sshd -t && systemctl restart sshd

Notes:

- sshd takes the first occurrence of a keyword, and any line after a Match block belongs to that block rather than to the global section. The sed above puts the new line directly under the commented one, in the global section, which is correct for the stock file; if an uncommented PermitRootLogin yes already exists earlier in the file, change that line instead of adding a second one.

- sshd -t validates the file first; a syntax error would otherwise leave sshd stopped after the restart. Keep the current session open and confirm that a fresh login as the normal user works before closing it.

- Make sure the normal user created above can become root (su -, or sudo via the wheel group) before applying this, or there is no administrative path left over SSH.
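The following is an added example, not code from the original post. It sets a global sshd_config directive the way sshd resolves the file (first active occurrence wins, nothing after a Match block is global) and reads back the value sshd would use, which is the check that matters when a file has been edited by several hands. It runs on constructed copies in a temporary directory; CFG_A, CFG_B and CFG_NAIVE are assumed names. On a real host the function would be pointed at /etc/ssh/sshd_config and followed by sshd -t.

```shell
# Added example (not part of the original page): set a global sshd_config
# directive the way sshd reads the file: first match wins, and nothing after a
# Match block is global. Runs on constructed copies in a temp dir; on a real
# host point it at /etc/ssh/sshd_config and run `sshd -t` before restarting.

# Replace the first active global KEY line, or insert "KEY VALUE" before the
# first Match block, or append when there is neither. Commented lines such as
# "#PermitRootLogin yes" are left as documentation. Keywords are case-insensitive.
set_sshd_directive() {
    file=$1 key=$2 val=$3
    awk -v k="$key" -v v="$val" '
        tolower($1) == "match"                          { in_match = 1; if (!done) { print k " " v; done = 1 } }
        !in_match && !done && tolower($1) == tolower(k) { print k " " v; done = 1; next }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$file.tmp" && mv "$file.tmp" "$file"
}

# The value sshd will actually use for KEY: first active occurrence in the
# global section (everything before the first Match). Prints nothing if unset.
effective_value() {
    awk -v k="$2" 'tolower($1) == "match" { exit }
                   tolower($1) == tolower(k) { print $2; exit }' "$1"
}

# --- constructed copies ---
demo_dir=$(mktemp -d)
CFG_A=$demo_dir/sshd_config.a      # stock layout: the keyword exists only as a comment
cat > "$CFG_A" <<'EOF'
#Port 22
#PermitRootLogin yes
PasswordAuthentication yes
Match User anoncvs
    X11Forwarding no
EOF
CFG_B=$demo_dir/sshd_config.b      # someone already enabled root login earlier in the file
cat > "$CFG_B" <<'EOF'
PermitRootLogin yes
PasswordAuthentication yes
Match User anoncvs
    X11Forwarding no
EOF
# What a plain "echo 'PermitRootLogin no' >> sshd_config" produces for B: the
# line lands inside the Match block and the first active line still says yes.
CFG_NAIVE=$demo_dir/sshd_config.naive
cp "$CFG_B" "$CFG_NAIVE"; printf 'PermitRootLogin no\n' >> "$CFG_NAIVE"

set_sshd_directive "$CFG_A" PermitRootLogin no
set_sshd_directive "$CFG_B" PermitRootLogin no

# Helper: number of active (uncommented) lines for KEY in FILE
active_count() { grep -ci "^$2[[:space:]]" "$1"; }
```

After the block runs, effective_value reports no for both corrected copies, copy B holds a single active PermitRootLogin line, and the naively appended copy still resolves to yes despite containing PermitRootLogin no, which is the failure mode the notes above warn about.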

Verification steps

cat /etc/ssh/sshd_config

The file is unchanged from the earlier capture except in the Authentication block, which now reads:

#LoginGraceTime 2m
#PermitRootLogin yes
PermitRootLogin no
#StrictModes yes
#MaxAuthTries 6
#MaxSessions 10

The authoritative check is the value the running daemon resolves (sshd -T prints the effective configuration), followed by an SSH login attempt as root from another machine, which must be refused while a login as the normal user still succeeds.

Rollback steps

/bin/cp -rf /tmp/sshd_config /etc/ssh/sshd_config

systemctl restart sshd

Security auditing

Baseline description

1. Configure audit policies for operator actions, writes to and execution of important files, and security events;

2. Configure centralized collection of those audit logs;

Related standards

GB/T 22239- "Information security technology - Baseline for classified protection of cybersecurity": security auditing shall be enabled, covering every user and recording important user actions and important security events;

GB/T 22239- "Information security technology - Baseline for classified protection of cybersecurity": audit records shall be protected and backed up regularly to prevent unexpected deletion, modification or overwriting;

Detection steps

Check whether the kernel audit subsystem is on (enabled 1 in the output):

auditctl -s

Check whether watches on important files are configured (prints No rules when nothing is loaded):

auditctl -l

Check whether security and operator logs are forwarded to a log server. In the stock file the forwarding rule at the end is commented out:

cat /etc/rsyslog.conf

# rsyslog configuration file

# For more information see /usr/share/doc/rsyslog-*/rsyslog_conf.html
# If you experience problems, see /doc/troubleshoot.html

#### MODULES ####

# The imjournal module bellow is now used as a message source instead of imuxsock.
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imjournal # provides access to the systemd journal
#$ModLoad imklog # reads kernel messages (the same are read from journald)
#$ModLoad immark  # provides --MARK-- message capability

# Provides UDP syslog reception
#$ModLoad imudp
#$UDPServerRun 514

# Provides TCP syslog reception
#$ModLoad imtcp
#$InputTCPServerRun 514


#### GLOBAL DIRECTIVES ####

# Where to place auxiliary files
$WorkDirectory /var/lib/rsyslog

# Use default timestamp format
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat

# File syncing capability is disabled by default. This feature is usually not required,
# not useful and an extreme performance hit
#$ActionFileEnableSync on

# Include all config files in /etc/rsyslog.d/
$IncludeConfig /etc/rsyslog.d/*.conf

# Turn off message reception via local log socket;
# local messages are retrieved through imjournal now.
$OmitLocalLogging on

# File to store the position in the journal
$IMJournalStateFile imjournal.state


#### RULES ####

# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console

# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;authpriv.none;cron.none                /var/log/messages

# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure

# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog


# Log cron stuff
cron.*                                                  /var/log/cron

# Everybody gets emergency messages
*.emerg                                                 :omusrmsg:*

# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler

# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log


# ### begin forwarding rule ###
# The statement between the begin ... end define a SINGLE forwarding
# rule. They belong together, do NOT split them. If you create multiple
# forwarding rules, duplicate the whole block!
# Remote Logging (we use TCP for reliable delivery)
#
# An on-disk queue is created for this action. If the remote host is
# down, messages are spooled to disk and sent when it is up again.
#$ActionQueueFileName fwdRule1 # unique name prefix for spool files
#$ActionQueueMaxDiskSpace 1g   # 1gb space limit (use as much as possible)
#$ActionQueueSaveOnShutdown on # save messages to disk on shutdown
#$ActionQueueType LinkedList   # run asynchronously
#$ActionResumeRetryCount -1    # infinite retries if host is down
# remote host is: name/ip:port, e.g. 192.168.0.1:514, port optional
#*.* @@remote-host:514
# ### end of the forwarding rule ###

Preparation steps

/bin/cp -rf /etc/audit/rules.d/audit.rules /tmp/audit.rules
/bin/cp -rf /etc/rsyslog.conf /tmp/rsyslog.conf
/bin/cp -rf /etc/audisp/plugins.d/syslog.conf /tmp/syslog.conf

Hardening steps

Append watch rules for the important files to /etc/audit/rules.d/audit.rules; augenrules merges that directory into /etc/audit/audit.rules when auditd starts. -p wax records writes, attribute changes and executions; reads are not recorded:

echo "-w /etc/passwd -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/shadow -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/crontab -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/hosts -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/hosts.allow -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/hosts.deny -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/fstab -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/group -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/gshadow -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/ntp.conf -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/sysctl.conf -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/security/limits.conf -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /boot/grub2/grub.cfg -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/ssh/sshd_config -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/ssh/ssh_config -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/udev/rules.d -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/profile -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/kdump.conf -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/lvm/lvm.conf -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/login.defs -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/rsyslog.conf -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/audit/auditd.conf -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/sysconfig -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/multipath.conf -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules

Two paths from the original list have been corrected above because they do not exist on CentOS 7: the GRUB 2 configuration is /boot/grub2/grub.cfg (not /boot/grub/grub.conf), and auditd's own configuration is /etc/audit/auditd.conf (not /etc/auditd.conf). These rules cover changes to files only; the "execution behaviour" item of the baseline additionally needs an execve syscall rule, which the original post does not provide.

Hand audit events to syslog through the audisp syslog plugin, on facility local6 so they can be routed separately:

sed -i 's/active = no/active = yes/g' /etc/audisp/plugins.d/syslog.conf
sed -i 's/^args = LOG_INFO$/args = LOG_INFO LOG_LOCAL6/' /etc/audisp/plugins.d/syslog.conf

The plugin's first argument is the priority and the optional second one the facility. The original command replaced LOG_INFO with LOG_LOCAL6, leaving a facility name where a priority is expected; the corrected line keeps both.

Write local6 to a local file and forward local6 and authpriv to the log server. Adjust @10.0.0.1:514 to the log server's protocol, address and port: a single @ is UDP, which is unencrypted and unacknowledged; @@ is TCP, which at least detects a dead server (the commented block at the end of rsyslog.conf shows the queue settings for it):

echo "local6.* /var/log/local6.log" >> /etc/rsyslog.conf
echo "local6.* @10.0.0.1:514" >> /etc/rsyslog.conf
echo "authpriv.* @10.0.0.1:514" >> /etc/rsyslog.conf

Record interactive shell commands through syslog as well:

vi /etc/bashrc

Press Shift+G to jump to the end of the file and add the following two lines:

logger -p local6.info \"====================nowuser:`whoami`\|loginstatus:`who am i`==================== is login \"
export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; }); logger -p local6.info \[nowuser\:$(whoami)\] \[loginstatus:$(who am i)\] \#command\# \""${msg}"\"; }'

This is a convenience, not a control: it only sees interactive bash sessions, any user can unset PROMPT_COMMAND, switch shells or run commands from a script, and who am i is empty for sessions without a controlling terminal. Anything that must hold up against a hostile user has to come from auditd.

source /etc/bashrc
service rsyslog restart
service auditd restart

service rather than systemctl is deliberate for auditd on CentOS 7: its unit refuses manual stop and restart, and the legacy service script is the supported way to restart it and reload the rules.
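The following is an added example, not code from the original post. It generates file-watch rules with paths that exist on CentOS 7 and compares them with what the kernel reports as loaded, which is the check that catches a rules file that auditd silently skipped. auditctl -l prints permission letters in r, w, x, a order, so a rule written as -p wax comes back as -p wxa; the comparison normalises that. The LOADED file is a constructed stand-in for auditctl -l output (one rule missing, one with weaker permissions); on a real host it would be produced by auditctl -l. WATCHED, WANTED and LOADED are assumed names.

```shell
# Added example (not part of the original page): emit file-watch rules with
# paths that exist on CentOS 7 and compare them with what the kernel reports
# as loaded. LOADED is a constructed stand-in for `auditctl -l` output, which
# prints permissions in r,w,x,a order (so "-p wax" comes back as "-p wxa");
# on a real host generate it with `auditctl -l > "$LOADED"`.

WATCHED='/etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/crontab /etc/ssh/sshd_config /etc/login.defs /etc/audit/auditd.conf /boot/grub2/grub.cfg'

wanted_rules() {
    for p in $WATCHED; do printf '%s %s -p wax -k changefileaction\n' '-w' "$p"; done
}

# Canonical "path perms key" form of each -w rule on stdin, with the permission
# letters sorted so the order auditctl prints them in does not matter.
canon() {
    awk '{ path = ""; perm = ""; key = ""
           for (i = 1; i <= NF; i++) { if ($i == "-w") path = $(i+1); if ($i == "-p") perm = $(i+1); if ($i == "-k") key = $(i+1) }
           if (path != "") print path, perm, key }' |
    while read -r path perm key; do
        sorted=$(printf '%s' "$perm" | fold -w 1 | sort | tr -d '\n')
        printf '%s %s %s\n' "$path" "$sorted" "$key"
    done
}

# Wanted rules ($1) that are not loaded ($2), one per line; empty when all are.
# A rule loaded with fewer permission letters than wanted also counts as missing.
missing_rules() {
    canon < "$1" | sort > "$1.canon"
    canon < "$2" | sort > "$2.canon"
    comm -23 "$1.canon" "$2.canon"
}

# --- constructed inputs ---
demo_dir=$(mktemp -d)
WANTED=$demo_dir/wanted.rules
LOADED=$demo_dir/loaded.rules
wanted_rules > "$WANTED"
cat > "$LOADED" <<'EOF'
-w /etc/passwd -p wxa -k changefileaction
-w /etc/shadow -p wxa -k changefileaction
-w /etc/group -p wxa -k changefileaction
-w /etc/gshadow -p wxa -k changefileaction
-w /etc/crontab -p wxa -k changefileaction
-w /etc/ssh/sshd_config -p wxa -k changefileaction
-w /etc/login.defs -p wa -k changefileaction
-w /etc/audit/auditd.conf -p wxa -k changefileaction
EOF

missing_count() { missing_rules "$WANTED" "$LOADED" | wc -l | tr -d ' '; }
```

On the sample data missing_rules reports two entries: /boot/grub2/grub.cfg, which is absent from the loaded set, and /etc/login.defs, which is loaded with wa instead of the wanted wax; the six rules whose only difference is the letter order are correctly treated as present.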

Verification steps

auditctl -l

Then generate an event and look for it in the three places it should appear. The original post ran cat /etc/passwd /etc/shadow, but a -p wax watch does not record reads, so that produces no audit record; an attribute change on a watched file does (touch only updates the timestamps):

touch /etc/passwd
tail -10 /var/log/audit/audit.log | grep -E "passwd|changefileaction"
tail -20 /var/log/messages | grep -E "passwd|changefileaction"
tail -20 /var/log/local6.log | grep -E "passwd|changefileaction|command"

The record in audit.log carries key="changefileaction"; the same text reaches /var/log/messages and /var/log/local6.log through the audisp syslog plugin, and local6.log additionally holds the #command# lines from the bashrc hook. The last check is that the same records arrive at the log server.

Rollback steps

auditctl -D

/bin/cp -rf /tmp/audit.rules /etc/audit/rules.d/audit.rules
/bin/cp -rf /tmp/rsyslog.conf /etc/rsyslog.conf
/bin/cp -rf /tmp/syslog.conf /etc/audisp/plugins.d/syslog.conf

vi /etc/bashrc

Press Shift+G to jump to the end of the file and delete the last two lines, i.e. the two added above:

logger -p local6.info \"====================nowuser:`whoami`\|loginstatus:`who am i`==================== is login \"
export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; }); logger -p local6.info \[nowuser\:$(whoami)\] \[loginstatus:$(who am i)\] \#command\# \""${msg}"\"; }'

source /etc/bashrc
service rsyslog restart
service auditd restart

(Sourcing /etc/bashrc does not clear PROMPT_COMMAND in an already running shell; start a new session to confirm the hook is gone.)

Batch operation

All the steps above in one pass, with the same corrections applied (in-place pwquality rewrite, a real PASS_MAX_DAYS value, CentOS 7 paths for GRUB 2 and auditd.conf, and the audisp priority/facility pair).

Batch preparation (backups)

/bin/cp -rf /etc/pam.d/system-auth /tmp/system-auth
/bin/cp -rf /etc/login.defs /tmp/login.defs
/bin/cp -rf /etc/pam.d/sshd /tmp/sshd
/bin/cp -rf /etc/ssh/sshd_config /tmp/sshd_config
/bin/cp -rf /etc/audit/rules.d/audit.rules /tmp/audit.rules
/bin/cp -rf /etc/rsyslog.conf /tmp/rsyslog.conf
/bin/cp -rf /etc/audisp/plugins.d/syslog.conf /tmp/syslog.conf

Batch hardening

The user name and password here must follow the password baseline; note that in this sequence the account is created before the complexity policy is enforced, so choose the password accordingly, and confirm that the account can log in over SSH and become root before the PermitRootLogin change takes effect:

useradd user
passwd user

sed -i '/pam_pwquality\.so/c\password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root' /etc/pam.d/system-auth
sed -i 's/^PASS_MAX_DAYS\t99999/PASS_MAX_DAYS\t90/' /etc/login.defs
sed -i 's/^PASS_MIN_LEN\t5/PASS_MIN_LEN\t8/' /etc/login.defs
sed -i "3 i\auth\\trequired\\tpam_tally2.so onerr=fail deny=5 unlock_time=600 even_deny_root root_unlock_time=600" /etc/pam.d/sshd
sed -i 's/#PermitRootLogin yes/#PermitRootLogin yes\nPermitRootLogin no/g' /etc/ssh/sshd_config
echo "-w /etc/passwd -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/shadow -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/crontab -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/hosts -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/hosts.allow -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/hosts.deny -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/fstab -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/group -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/gshadow -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/ntp.conf -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/sysctl.conf -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/security/limits.conf -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /boot/grub2/grub.cfg -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/ssh/sshd_config -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/ssh/ssh_config -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/udev/rules.d -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/profile -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/kdump.conf -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/lvm/lvm.conf -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/login.defs -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/rsyslog.conf -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/audit/auditd.conf -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/sysconfig -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
echo "-w /etc/multipath.conf -p wax -k changefileaction" >> /etc/audit/rules.d/audit.rules
sed -i 's/active = no/active = yes/g' /etc/audisp/plugins.d/syslog.conf
sed -i 's/^args = LOG_INFO$/args = LOG_INFO LOG_LOCAL6/' /etc/audisp/plugins.d/syslog.conf

Adjust @10.0.0.1:514 to the log server's protocol (@ is UDP, @@ is TCP), IP address and listening port:

echo "local6.* /var/log/local6.log" >> /etc/rsyslog.conf
echo "local6.* @10.0.0.1:514" >> /etc/rsyslog.conf
echo "authpriv.* @10.0.0.1:514" >> /etc/rsyslog.conf

vi /etc/bashrc

Press Shift+G to jump to the end of the file, then o to open a new line, and add:

logger -p local6.info \"====================nowuser:`whoami`\|loginstatus:`who am i`==================== is login \"
export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; }); logger -p local6.info \[nowuser\:$(whoami)\] \[loginstatus:$(who am i)\] \#command\# \""${msg}"\"; }'

source /etc/bashrc
service rsyslog restart
service auditd restart
sshd -t && systemctl restart sshd

Batch rollback

userdel user

/bin/cp -rf /tmp/system-auth /etc/pam.d/system-auth
/bin/cp -rf /tmp/login.defs /etc/login.defs
/bin/cp -rf /tmp/sshd /etc/pam.d/sshd
/bin/cp -rf /tmp/sshd_config /etc/ssh/sshd_config
systemctl restart sshd
auditctl -D
/bin/cp -rf /tmp/audit.rules /etc/audit/rules.d/audit.rules
/bin/cp -rf /tmp/rsyslog.conf /etc/rsyslog.conf
/bin/cp -rf /tmp/syslog.conf /etc/audisp/plugins.d/syslog.conf

vi /etc/bashrc

Press Shift+G to jump to the end of the file and delete the last two lines:

logger -p local6.info \"====================nowuser:`whoami`\|loginstatus:`who am i`==================== is login \"
export PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; }); logger -p local6.info \[nowuser\:$(whoami)\] \[loginstatus:$(who am i)\] \#command\# \""${msg}"\"; }'

source /etc/bashrc
service rsyslog restart
service auditd restart
systemctl restart sshd

Reference (host part missing from the source; only the path survived):

/weixin_53532638/article/details/119728305
