Red Hat 9.x Linux security hardening: Disable USB Storage
Posted on 2023-10-31 14:23 520_1351
Operating system version used in this article: Red Hat Enterprise Linux release 9.0 (Plow)
The following script checks whether usb-storage is currently enabled:
```bash
#!/usr/bin/env bash
{
   l_output="" l_output2=""
   l_mname="usb-storage" # set module name
   # Check if the module exists on the system
   if [ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")" ]; then
      # Check how module will be loaded
      l_loadable="$(modprobe -n -v "$l_mname")"
      [ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<< "$l_loadable")"
      if grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then
         l_output="$l_output\n - module: \"$l_mname\" is not loadable: \"$l_loadable\""
      else
         l_output2="$l_output2\n - module: \"$l_mname\" is loadable: \"$l_loadable\""
      fi
      # Check if the module is currently loaded
      # (lsmod lists names with underscores, so match usb_storage, not usb-storage)
      if ! lsmod | grep -P -- "^$(tr '-' '_' <<< "$l_mname")\b" > /dev/null 2>&1; then
         l_output="$l_output\n - module: \"$l_mname\" is not loaded"
      else
         l_output2="$l_output2\n - module: \"$l_mname\" is loaded"
      fi
      # Check if the module is deny listed
      if modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$(tr '-' '_' <<< "$l_mname")\b"; then
         l_output="$l_output\n - module: \"$l_mname\" is deny listed in: \"$(grep -Pl -- "^\h*blacklist\h+$l_mname\b" /etc/modprobe.d/*)\""
      else
         l_output2="$l_output2\n - module: \"$l_mname\" is not deny listed"
      fi
   else
      l_output="$l_output\n - Module \"$l_mname\" doesn't exist on the system"
   fi
   # Report results. If no failures output in l_output2, we pass
   if [ -z "$l_output2" ]; then
      echo -e "\n- Audit Result:\n ** PASS **\n$l_output\n"
   else
      echo -e "\n- Audit Result:\n ** FAIL **\n - Reason(s) for audit failure:\n$l_output2\n"
      [ -n "$l_output" ] && echo -e "\n- Correctly set:\n$l_output\n"
   fi
}
```
First, here is the result of running it before hardening:
Next we remediate. A second script applies the hardening quickly:
```bash
#!/usr/bin/env bash
{
   l_mname="usb-storage" # set module name
   # Check if the module exists on the system
   if [ -z "$(modprobe -n -v "$l_mname" 2>&1 | grep -Pi -- "\h*modprobe:\h+FATAL:\h+Module\h+$l_mname\h+not\h+found\h+in\h+directory")" ]; then
      # Remediate loadable
      l_loadable="$(modprobe -n -v "$l_mname")"
      [ "$(wc -l <<< "$l_loadable")" -gt "1" ] && l_loadable="$(grep -P -- "(^\h*install|\b$l_mname)\b" <<< "$l_loadable")"
      if ! grep -Pq -- '^\h*install \/bin\/(true|false)' <<< "$l_loadable"; then
         echo -e " - setting module: \"$l_mname\" to be not loadable"
         echo -e "install $l_mname /bin/false" >> /etc/modprobe.d/"$l_mname".conf
      fi
      # Remediate loaded
      # (lsmod lists names with underscores, so match usb_storage, not usb-storage)
      if lsmod | grep -P -- "^$(tr '-' '_' <<< "$l_mname")\b" > /dev/null 2>&1; then
         echo -e " - unloading module \"$l_mname\""
         modprobe -r "$l_mname"
      fi
      # Remediate deny list
      if ! modprobe --showconfig | grep -Pq -- "^\h*blacklist\h+$(tr '-' '_' <<< "$l_mname")\b"; then
         echo -e " - deny listing \"$l_mname\""
         echo -e "blacklist $l_mname" >> /etc/modprobe.d/"$l_mname".conf
      fi
   else
      echo -e " - Nothing to remediate\n - Module \"$l_mname\" doesn't exist on the system"
   fi
}
```
After running it, we run the audit script again and it now passes, i.e. usb-storage is disabled.
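The remediation writes two directives because they do different jobs: `blacklist` only stops alias-based automatic loading, while `install <module> /bin/false` makes an explicit `modprobe` request fail. The following is an added example, not part of the original post: a static check that reads modprobe.d-style files from a directory, so a configuration can be reviewed without touching the running kernel. The function name `audit_modprobe_dir`, its output format and the sample files are assumptions made for illustration.

```bash
#!/bin/sh
# Added example (not from the original post): static check of modprobe.d-style
# files. Prints: install=<yes|no> blacklist=<yes|no> result=<PASS|FAIL>
audit_modprobe_dir() (
    dir=$1
    want=$(printf '%s' "$2" | tr '-' '_')   # modprobe treats '-' and '_' alike
    has_install=no has_blacklist=no
    for f in "$dir"/*.conf; do
        [ -f "$f" ] || continue
        # "|| [ -n "$kw" ]" keeps a final line that lacks a trailing newline
        while read -r kw name rest || [ -n "$kw" ]; do
            case $kw in ''|'#'*) continue ;; esac        # blank line or comment
            [ "$(printf '%s' "$name" | tr '-' '_')" = "$want" ] || continue
            case $kw in
                install)
                    # only a no-op command counts as "not loadable"
                    case $rest in /bin/true|/bin/false) has_install=yes ;; esac ;;
                blacklist) has_blacklist=yes ;;
            esac
        done < "$f"
    done
    # Same pass criterion as the audit above: both directives must be present
    result=FAIL
    [ "$has_install" = yes ] && [ "$has_blacklist" = yes ] && result=PASS
    echo "install=$has_install blacklist=$has_blacklist result=$result"
)

# Constructed sample configuration, written to a temporary directory
demo() (
    d=$(mktemp -d)
    printf 'blacklist usb-storage\n' > "$d/usb-storage.conf"
    audit_modprobe_dir "$d" usb-storage     # blacklist only
    printf 'install usb_storage /bin/false\n' >> "$d/usb-storage.conf"
    audit_modprobe_dir "$d" usb-storage     # both directives present
    rm -rf "$d"
)
demo
```

On a real host the directory to check would be `/etc/modprobe.d`; the loaded-module state still has to be checked separately with `lsmod`.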
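Please respect the work of others. When reposting, be sure to cite the source: https://www.cnblogs.com/5201351/p/17800154.html
Author: 一名卑微的IT民工
Source: https://www.cnblogs.com/5201351
All articles on this blog are for learning, research and exchange purposes only; non-commercial reposting is welcome.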