Linux基线扫描常用修复建议

#检查口令最小长度
cp /etc/login.defs /etc/login.defs.back
sed -i "/^PASS_MIN_LEN/c PASS_MIN_LEN 8" /etc/login.defs

#检查口令生存周期
sed -i "/^PASS_MAX_DAYS/c PASS_MAX_DAYS 90" /etc/login.defs

#检查设备密码复杂度策略
cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
sed -i "/^password/i password requisite pam_cracklib.so ucredit=-1 lcredit=-1 dcredit=-1" /etc/pam.d/system-auth

#检查是否限制用户su到root
sed -i "/^auth/i auth sufficient pam_rootok.so" /etc/pam.d/su
sed -i "/^auth/i auth required pam_wheel.so group=wheel" /etc/pam.d/su

#检查是否设置文件与目录缺省权限
cp /etc/profile /etc/profile.bak
sed -i "/umask 002/c umask 027" /etc/profile

#检查是否设置命令行界面超时退出
sed -i "/^TMOUT=1800/c TMOUT=300" /etc/profile

#检查是否限制root用户远程登录
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
sed -i "/^PermitRootLogin/c PermitRootLogin no" /etc/ssh/sshd_config

#检查是否修改系统banner
mv /etc/issue /etc/issue.bak
mv /etc/issue.net /etc/issue.net.bak

 

 

##########################################################
#检查是否禁止匿名ftp
cp -p /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf_bak
sed -i "s/anonymous_enable=YES/anonymous_enable=NO/g" /etc/vsftpd/vsftpd.conf

##########################################################
#检查是否限制root远程登录
cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config_bak
sed -i "s/PermitRootLogin yes/PermitRootLogin no/g" /etc/ssh/sshd_config

#检查登录提示-是否设置ssh警告Banner
echo " Authorized users only. All activity may be monitored and reported " >/etc/sshbanner
chown bin:bin /etc/sshbanner
chmod 644 /etc/sshbanner
cat << EOF >> /etc/ssh/sshd_config
##for safety
Banner /etc/sshbanner
EOF

##########################################################
#检查口令相关
cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth_bak

cat << EOF >> /etc/pam.d/system-auth
##for safety
#检查口令重复次数限制
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5
password sufficient /lib/security/pam_unix.so nullok use_authtok md5 shadow remember=5
#检查口令锁定策略
auth required pam_tally2.so deny=5 onerr=fail no_magic_root unlock_time=120
#检查口令策略设置是否符合复杂度要求
password requisite pam_cracklib.so dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 minclass=2 minlen=8
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok
EOF

##########################################################
#检查是否设置登录超时
cp -p /etc/profile /etc/profile_bak
cat << EOF >> /etc/profile
TMOUT=180
export TMOUT
EOF

cp -p /etc/csh.cshrc /etc/csh.cshrc_bak
cat << EOF >> /etc/csh.cshrc
set autologout=30
EOF

##########################################################
#检查是否禁止icmp重定向
cp -p /etc/sysctl.conf /etc/sysctl.conf_bak
cat << EOF >> /etc/sysctl.conf
##for safety
net.ipv4.conf.all.accept_redirects=0
EOF
sysctl -w net.ipv4.conf.all.accept_redirects=0

##########################################################
#检查登录提示-是否设置登录成功后警告Banner
echo "Authorized users only. All activity may be monitored and reported" > /etc/motd

##########################################################
#检查口令生存周期要求
cp -p /etc/login.defs /etc/login.defs_bak
sed -i "s/PASS_MAX_DAYS/#PASS_MAX_DAYS/g" /etc/login.defs
echo "PASS_MAX_DAYS 90" >> /etc/login.defs

#vi /etc/login.defs
#PASS_MAX_DAYS 90

————————————————
版权声明：本文为CSDN博主「qq_40766246」的原创文章，遵循CC 4.0 BY-SA版权协议，转载请附上原文出处链接及本声明。
原文链接：https://blog.csdn.net/qq_40766246/article/details/132082446