Linux -- 等级保护 (简单操作)
// 密码复杂度: 字母/数字/特殊符号,不小于8位; 用户密码 5 次不能重复;
vim /etc/pam.d/system-auth
auth required pam_tally2.so onerr=fail deny=3 unlock_time=1200 even_deny_root root_unlock_time=1200
auth sufficient pam_unix.so nullok try_first_pass remember=5
// 注意: remember=5 只有放在 password 类型的 pam_unix.so 行上才会记录旧密码并阻止重复使用; nullok 允许空密码登录, 与上面的复杂度要求不一致
password requisite pam_cracklib.so retry=3 difok=3 minlen=8 lcredit=-1 dcredit=-1 ocredit=-1
// 设置定期修改密码时间
vim /etc/login.defs
PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
PASS_MIN_LEN 8
PASS_WARN_AGE 7
// 设置错误密码登录不超过3次, 超过锁定20分钟
find /lib* -iname "pam_tally2.so"
/lib64/security/pam_tally2.so
vim /etc/pam.d/sshd
auth required pam_tally2.so deny=3 unlock_time=12000
// 注意: unlock_time 单位为秒, 锁定 20 分钟应为 1200 (与上面 system-auth 中的取值一致)
// 启用auditd审计功能, 审计覆盖到服务器及用户
/etc/init.d/auditd start
// 记录用户的登录与操作(操作日志记录 /tmp/dbasky/root/192.168.10.108)
vim /etc/profile
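# Per-login command-history capture, sourced from /etc/profile.
# One history file per session is written under /tmp/dbasky/<user>/, named by
# the client address (or the hostname when no remote address is available) and
# the login time, so shell activity can be reviewed later.
#
# NOTE(review): /tmp/dbasky is a predictable, world-readable path and HISTFILE
# is controlled by the user's own shell, so this is a convenience record, not a
# tamper-proof audit trail; auditd (configured below) is the authoritative source.
# Kept POSIX-compatible because /etc/profile may be read by sh, not only bash.

# Client address of this login with the parentheses stripped, e.g. 192.168.10.108.
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
# No tty / no remote address (cron, su, scripted logins): fall back to the hostname.
if [ -z "$USER_IP" ]; then
  USER_IP=$(hostname)
fi

# Shared top-level directory, traversable by everyone (0755) so each user can
# reach their own subdirectory.
if [ ! -d /tmp/dbasky ]; then
  mkdir /tmp/dbasky
  chmod 755 /tmp/dbasky
fi

# Per-user directory: write+search only (0300), so the owner can create files
# but cannot list what is already there.
if [ ! -d "/tmp/dbasky/${LOGNAME}" ]; then
  mkdir "/tmp/dbasky/${LOGNAME}"
  chmod 300 "/tmp/dbasky/${LOGNAME}"
fi

export HISTSIZE=4096
# The timestamp in the filename gives one history file per login session.
DT=$(date "+%Y-%m-%d_%H-%M-%S")
export HISTFILE="/tmp/dbasky/${LOGNAME}/${USER_IP}-dbasky.$DT"
export HISTTIMEFORMAT="[%Y.%m.%d %H:%M:%S]"
# Tighten earlier session files to owner-only. Errors (no matching file,
# foreign owner) are deliberately ignored because this runs on every login.
chmod 600 /tmp/dbasky/"${LOGNAME}"/*dbasky* 2>/dev/null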
// 审计重要文件
auditctl -w /etc/passwd -p war
ausearch -f /etc/passwd -x rm/vim.... // 查询
vim /etc/audit/audit.rules
... ... // 添加(-w 路径; -p 权限; -k 关键字 ;r 读; w 写; x 执行; a 修改文件属性;)
-a exit,always -F arch=b64 -S umask -S chown -S chmod
-a exit,always -F arch=b64 -S unlink -S rmdir
-a exit,always -F arch=b64 -S setrlimit
-a exit,always -F arch=b64 -S setuid -S setreuid
-a exit,always -F arch=b64 -S setgid -S setregid
-a exit,always -F arch=b64 -S sethostname -S setdomainname
-a exit,always -F arch=b64 -S adjtimex -S settimeofday
-a exit,always -F arch=b64 -S mount -S _sysctl
-w /etc/group -p wa
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/sudoers -p wa
-w /etc/ssh/sshd_config
-w /etc/bashrc -p wa
-w /etc/profile -p wa
-w /etc/profile.d/
-w /etc/aliases -p wa
-w /etc/sysctl.conf -p wa
-w /var/log/lastlog
// 审计工具
aureport // 生成审计活动概述;
* -au // 查看授权失败的详细信息;
* -m // 所有账户修改的相关事件;
// 创建审计用户audit
useradd audit
passwd audit
12tianrong.
mkdir /tmp/dbasky
chown -R audit.audit /var/log/audit/
chmod 750 /var/log/audit/
chmod 600 /var/log/audit/audit.log
chown -R audit.audit /tmp/dbasky/
vim /etc/sudoers
audit node2.hkrt.cn.com=/bin/ls,/bin/cat,/usr/bin/tail,/usr/bin/sz
Defaults logfile=/var/log/sudo
%wheel node2.hkrt.cn.com=/sbin/*,/usr/bin/*,/usr/sbin/*,!/sbin/reboot,!/sbin/init,!/sbin/poweroff,!/sbin/shutdown
// 注意: sudoers(5) 手册明确说明用 '!' 排除命令并不可靠, 不能作为安全边界, 只能起提示作用; 更稳妥的做法是只列出允许执行的命令
// 保护审计进程,避免受到未预期的中断
[root@localhost script]# vim audit_up.sh
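#!/bin/sh
# Keep auditd running: poll every 10 seconds and start the daemon again if it
# is gone, so audit logging is not silently interrupted.
#
# NOTE(review): a process-name check only shows that *a* process named auditd
# exists, and this loop is itself unsupervised (it ends with the session that
# started it); where the init system can supervise auditd (respawn / Restart=),
# prefer that over this script.
while true; do
  # pgrep -x matches the exact process name. The former `ps -ef | grep " auditd"`
  # required a space right before "auditd" and so missed the daemon when it is
  # listed as /sbin/auditd.
  if ! pgrep -x auditd >/dev/null 2>&1; then
    /etc/init.d/auditd start
    echo "process has been restarted!"
  else
    echo "process already started!"
  fi
  sleep 10
done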
chmod +x audit_up.sh
sh audit_up.sh >/dev/null &
// 审计记录保留半年以上
// 定时任务每周将日志内容切割分离
crontab -e
00 00 * * 1 /bin/mv /var/log/audit/audit.log /data/auditback/audit.log.$(date -d '1 days ago' +\%d)
// 注意: crontab 中 % 是特殊字符, 必须写成 \%, 否则命令在 % 处被截断; 文件名只含"日", 数周后会重名被覆盖, 用 +\%Y\%m\%d 更稳妥; 另外 auditd 仍持有被 mv 走的文件句柄, 不会自动新建 audit.log, mv 之后需执行 /etc/init.d/auditd rotate
mkdir -p /data/auditback
// 文件完整性
tar xf tripwire-2.4.2.2-src.tar.bz2 -C /usr/src/
cd /usr/src/tripwire-2.4.1.2-src/
./configure --prefix=/usr/local/tripwire
make && make install
vim /usr/local/tripwire/etc/twcfg
9 LOOSEDIRECTORYCHECKING =true // 不监测所属目录的完整性
12 REPORTLEVEL =4 // 改变监测结果报告等级
// 建立加密格式
cd /usr/local/tripwire/etc/
/usr/local/tripwire/sbin/twadmin --create-cfgfile -S site.key twcfg.txt
/usr/local/tripwire/sbin/tripwire --init // 初始化数据库
/usr/local/tripwire/sbin/tripwire --init
/usr/local/tripwire/sbin/tripwire --check --interactive
find / -type f -name '*.twr' // 生成的检测文件
/usr/local/tripwire/sbin/twprint --print-report --twrfile /usr/local/tripwire/lib/tripwire/report/node2.hkrt.cn.com-20180318-002054.twr # 查看检查记录;
// 防恶意代码软件
tar xf maldetect-current.tar.gz -C /usr/src/
cd /usr/src/maldetect-1.6.2/
./install.sh
maldet --scan-all / // 检测
// 存储路径
/usr/local/maldetect/sess/session.180316-0921.16896
/usr/local/maldetect/sess/session.hits.180316-0921.16896
// 单个用户系统资源(CPU、内存、硬盘)的使用限度进行限制
// 以后每隔一分钟就会检查一次,调整占用50%以上CPU或25%内存的进程的nice值,从而使这样的进程优先级变低,被调度的机会减少,同时会向root发邮件提示该进程被调整过(cron 只会把未被重定向的输出寄给 root, 下面 crontab 中的 >/dev/null 会丢弃这些提示)。
cd /script
vim cpu.sh
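#!/bin/sh
# Throttle resource-hungry user processes from cron (intended to run once a
# minute): every process above 50% CPU or 25% memory that belongs to a regular
# account (uid > 500) is reniced to +10 so the scheduler favours it less.
#
# Columns assumed from procps `top -b`: $1 PID, $2 USER, $9 %CPU, $10 %MEM;
# top's header lines never start with a digit, so the grep keeps process rows
# only. NOTE(review): confirm the column positions against this host's top.
#
# Why the uid test lives in the shell: the former awk clause `id -u $2 > 500`
# never executed id(1) -- awk parsed it as arithmetic on the uninitialised
# variables id and u concatenated with $2 -- so the memory branch never
# matched and the CPU branch reniced system processes too.
top -bn 1 | grep "^ *[1-9]" \
  | awk '{ if ($9 > 50 || $10 > 25) print $1, $2 }' \
  | while read -r pid owner; do
      # Skip system accounts and names id(1) cannot resolve (top may abbreviate
      # long user names).
      owner_uid=$(id -u "$owner" 2>/dev/null) || continue
      [ "$owner_uid" -gt 500 ] || continue
      renice +10 "$pid"
      echo "renice +10 $pid"
    done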
chmod +x /script/cpu.sh
crontab -e
* * * * * /script/cpu.sh >/dev/null
// 系统的最大并发会话连接数进行限制(注意新建Xshell,尝试是否能连接)
ulimit -n 8192
/etc/sysctl.conf中加入ip_conntrack_max=8192
/usr/include/bits/types.h 文件,改变__FD_SETSIZE 的值:
#define __FD_SETSIZE 8192
echo 8192 > /proc/sys/fs/file-max
ulimit -Hn 8192
执行sysctl -p 生效..
/bin/bash: Too many open files in system 报错
修改 /proc/sys/fs/file-max 执行上述命令生效
作者:TZHR —— 世间一散人
出处:https://www.cnblogs.com/haorong/
本文版权归作者和博客园共有,欢迎转载,但未经作者同意必须保留此段声明