linux 基线检查加固

修改vsftp回显信息
 
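# vsftpd greeting banner: replace whatever ftpd_banner is set with a neutral
# notice so the FTP greeting reveals nothing about the software in use.
# Every step runs on the 'task' group of the 'hosts' inventory via the shell
# module. Order matters: comment out the existing directive(s) BEFORE appending
# the new one — running the sed afterwards would comment out the new line too.
ansible -i hosts task -m shell -a "systemctl is-active vsftpd"
ansible -i hosts task -m shell -a "grep 'ftpd_banner' /etc/vsftpd/vsftpd.conf"
# Anchor on the start of the line so lines that are already comments do not
# get a second '#' on a re-run.
ansible -i hosts task -m shell -a "sed -i '/^[[:space:]]*ftpd_banner/s/^/#/' /etc/vsftpd/vsftpd.conf"
ansible -i hosts task -m shell -a "echo 'ftpd_banner=Authorized users only. All activity may be monitored and reported.' >> /etc/vsftpd/vsftpd.conf"
ansible -i hosts task -m shell -a "systemctl reload vsftpd"
# Verify: exactly one active (uncommented) ftpd_banner line should remain.
ansible -i hosts task -m shell -a "grep 'ftpd_banner' /etc/vsftpd/vsftpd.conf | grep -Ev '^#|^$'"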
 
---------------------------------------------------------------------------------------------------------------------
禁止匿名FTP
 
# Anonymous FTP: read-only check that vsftpd is running and what
# anonymous_enable is currently set to. The hardened value is
# anonymous_enable=NO; nothing is changed by these two commands.
ansible task --inventory hosts --module-name shell \
  --args "systemctl is-active vsftpd"
ansible task --inventory hosts --module-name shell \
  --args "grep 'anonymous_enable' /etc/vsftpd/vsftpd.conf"
---------------------------------------------------------------------------------------------------------------------
隐藏SSH的Banner信息
 
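# Remove the sshd pre-authentication banner (Banner directive) so nothing is
# shown before login; keep a dated backup of sshd_config first.
ansible -i hosts task -m shell -a "grep 'Banner' /etc/ssh/sshd_config"
ansible -i hosts task -m shell -a "cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config_bak20240605"
# Anchor on the start of the line (leading whitespace allowed, as inside Match
# blocks) so lines that are already comments do not get a second '#'.
ansible -i hosts task -m shell -a "sed -i '/^[[:space:]]*Banner/s/^/#/' /etc/ssh/sshd_config"
# Validate the edited file before reloading: a broken sshd_config is reported
# by 'sshd -t' here (task fails, rc != 0) instead of surfacing on the next
# restart of the daemon.
ansible -i hosts task -m shell -a "sshd -t && systemctl reload sshd"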
---------------------------------------------------------------------------------------------------------------------
修改vsftp回显信息
 
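# vsftpd banner replacement, keeping a local record of the pre-change state.
# mkdir -p first: tee cannot create the directory and the whole pipeline would
# fail with 'No such file or directory' otherwise.
mkdir -p ./20240605bak
ansible -i hosts task -m shell -a "grep 'ftpd_banner' /etc/vsftpd/vsftpd.conf" | tee ./20240605bak/ftpd_banner.log
# Comment out the active directive(s) first, then append the new one; anchoring
# on the line start keeps already-commented lines from getting a second '#'.
ansible -i hosts task -m shell -a "sed -i '/^[[:space:]]*ftpd_banner/s/^/#/' /etc/vsftpd/vsftpd.conf"
ansible -i hosts task -m shell -a "echo 'ftpd_banner=Authorized users only. All activity may be monitored and reported.' >> /etc/vsftpd/vsftpd.conf"
ansible -i hosts task -m shell -a "systemctl reload vsftpd"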
---------------------------------------------------------------------------------------------------------------------
对审计进程进行保护,防止未经授权的中断
 
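# Protect the audit daemon's configuration and log from non-root access
# (root:root, 0600). Only the files present right now are fixed; auditd
# recreates audit.log on rotation using log_group from auditd.conf, so that
# setting should agree with this baseline as well.
for f in /etc/audit/auditd.conf /etc/audit/audit.rules /var/log/audit/audit.log; do
  sudo chown root:root "$f"
  sudo chmod 600 "$f"
done
# Make sure the daemon is running, then have it re-read its configuration.
# auditd's unit refuses a plain 'systemctl restart' on RHEL-family systems
# (RefuseManualStop); when a full restart is really needed use
# 'service auditd restart' instead of the repeated reload/start/restart calls.
sudo systemctl start auditd
sudo systemctl reload auditd
sudo systemctl status auditd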
---------------------------------------------------------------------------------------------------------------------
日志文件读写权限
 
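# Restrict the main system logs to root (0600). Hosts that lack one of the
# files (e.g. maillog or spooler on a minimal install) are skipped instead of
# failing the task, because 'chmod' on a missing path returns non-zero.
# NOTE(review): chmod only fixes the current files — logrotate's 'create' mode
# and rsyslog's file-creation mode decide the permissions of rotated/new files;
# check those so the setting survives the next rotation.
ansible -i hosts task -m shell -a " ls -la /var/log | grep -E 'messages$|secure$|maillog$|cron$|spooler$|boot.log$' "
for f in messages secure maillog cron spooler boot.log; do
  ansible -i hosts task -m shell -a "if [ -e /var/log/$f ]; then chmod 600 /var/log/$f; fi"
done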
---------------------------------------------------------------------------------------------------------------------
限制具备超级管理员权限的用户远程登录
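# Disable direct root logins over SSH. Precondition: a non-root account with
# working sudo access must already exist on every target, or this step locks
# operators out once sshd is reloaded.
ansible -i hosts task -m shell -a " grep 'PermitRootLogin' /etc/ssh/sshd_config  | grep -Ev '^#|^$' "
ansible -i hosts task -m shell -a "sed -i '/PermitRootLogin/s/^/#/g' /etc/ssh/sshd_config"
# NOTE(review): sshd honours the first matching directive, and a line appended
# after a trailing 'Match' block is scoped to that block only. If sshd_config
# ends in a Match stanza, insert the line above it instead of appending.
ansible -i hosts task -m shell -a "echo 'PermitRootLogin no' >> /etc/ssh/sshd_config"
# Validate before reloading so a syntax error is caught here (task fails) rather
# than leaving a daemon that cannot be restarted. One reload is enough; the
# extra 'service sshd reload' calls did the same thing twice more.
ansible -i hosts task -m shell -a "sshd -t && systemctl reload sshd"
# Verify the effective setting after the change.
ansible -i hosts task -m shell -a " grep 'PermitRootLogin' /etc/ssh/sshd_config  | grep -Ev '^#|^$' "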
 
 
---------------------------------------------------------------------------------------------------------------------
隐藏Telnet的Banner信息
 
# Pre-login notice in /etc/issue.net (shown by telnet and by any service that
# references the file): print the current text, keep a copy, then replace it
# with a neutral notice.
ansible task --inventory hosts --module-name shell \
  --args " cat /etc/issue.net "
ansible task --inventory hosts --module-name shell \
  --args " cp -p /etc/issue.net /etc/issue.net_bak "
ansible task --inventory hosts --module-name shell \
  --args "echo 'Authorized users only. All activity may be monitored and reported' > /etc/issue.net"
---------------------------------------------------------------------------------------------------------------------
Vsftp的chroot list配置
 
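# vsftpd chroot list. Per vsftpd.conf(5) the meaning of chroot_list depends on
# chroot_local_user: with YES the listed users are the ones NOT jailed, with NO
# they are the only ones jailed — confirm chroot_local_user and
# chroot_list_enable before adding names.
ansible -i hosts task -m shell -a " grep 'chroot_local_user' /etc/vsftpd/vsftpd.conf  | grep -Ev '^#|^$' "
# 'll' is an interactive alias and does not exist in the shell module's
# non-interactive /bin/sh, so the original 'll -ls' failed; call ls directly.
ansible -i hosts task -m shell -a "ls -l /etc/vsftpd/chroot_list"
# Append only when the name is not already listed, so re-runs do not duplicate it.
ansible -i hosts task -m shell -a "grep -qx postgres /etc/vsftpd/chroot_list 2>/dev/null || echo 'postgres' >> /etc/vsftpd/chroot_list"
ansible -i hosts task -m shell -a " cat /etc/vsftpd/chroot_list "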
---------------------------------------------------------------------------------------------------------------------
Wuftp的banner信息
 
# wu-ftpd greeting: point the 'banner' directive in /etc/ftpaccess at a file
# and populate that file. The text written below is a placeholder — the other
# services on this page use a neutral "Authorized users only" notice.
ansible task --inventory hosts --module-name shell \
  --args "echo 'banner /thisftpbannerfile' >>/etc/ftpaccess"
ansible task --inventory hosts --module-name shell \
  --args "touch /thisftpbannerfile"
ansible task --inventory hosts --module-name shell \
  --args "echo 'this is banner' >>/thisftpbannerfile"
---------------------------------------------------------------------------------------------------------------------
定时账户自动登出
# Idle-session timeout: check only. Shows the active TMOUT line(s) from
# /etc/profile (comments and blank lines filtered out); no value is set here.
ansible task --inventory hosts --module-name shell \
  --args " grep 'TMOUT' /etc/profile  | grep -Ev '^#|^$' "
---------------------------------------------------------------------------------------------------------------------
 
检查密码长度及复杂度策略
# Password complexity: check only. Looks for the per-class credit options
# (upper/lower/other/digit) in the PAM stack; the hardening itself is not here.
ansible task --inventory hosts --module-name shell \
  --args " grep -E '(ucredit=-1)|(lcredit=-1)|(ocredit=-1)|(dcredit=-1)' /etc/pam.d/system-auth"
---------------------------------------------------------------------------------------------------------------------
对系统账号进行登录限制
 
---------------------------------------------------------------------------------------------------------------------
检查是否指定用户组成员使用su命令
 
# Restricting 'su' to a group: check only. Shows the active 'wheel' line(s)
# in /etc/pam.d/su, i.e. whether pam_wheel is enabled.
ansible task --inventory hosts --module-name shell \
  --args "grep 'wheel' /etc/pam.d/su | grep -Ev '^#|^$' "
---------------------------------------------------------------------------------------------------------------------
日志文件读写权限640
 
# Log-file permissions: read-only listing of the main system logs in /var/log
# so their mode can be compared against the 640 target in the heading.
ansible task --inventory hosts --module-name shell \
  --args " ls -la /var/log | grep -E 'messages$|secure$|maillog$|cron$|spooler$|boot.log$' "
---------------------------------------------------------------------------------------------------------------------
设置FTP权限及访问,限制部分用户的ftp访问权限
 
# FTP access restrictions (wu-ftpd): check only, dumps /etc/ftpaccess for review.
ansible task --inventory hosts --module-name shell \
  --args "cat /etc/ftpaccess "
---------------------------------------------------------------------------------------------------------------------
重要目录和文件的权限进行设置
0440
0644
# Account database files: list the current modes, then set the baseline —
# /etc/shadow 0600 (root only), /etc/passwd and /etc/group 0644 (readable,
# root-writable). The '&&' chain stops at the first chmod that fails.
ansible task --inventory hosts --module-name shell \
  --args "ls -lt /etc/shadow /etc/passwd  /etc/group "
ansible task --inventory hosts --module-name shell \
  --args "chmod 0600 /etc/shadow && chmod 0644  /etc/passwd && chmod 0644 /etc/group "
---------------------------------------------------------------------------------------------------------------------
账户口令安全符合要求90
 
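# Password maximum age: check only; the heading's target is 90 days.
# grep reads the file directly (no 'cat |'), and the '^' anchor shows just the
# effective directive rather than the commented documentation lines as well.
ansible -i hosts task -m shell -a "grep '^PASS_MAX_DAYS' /etc/login.defs"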
---------------------------------------------------------------------------------------------------------------------
检查新建用户的home目录的缺省访问权限027
 
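# Default umask for new home directories: check only; the heading's target is 027.
# grep reads the file directly (no 'cat |'), and the '^' anchor shows just the
# effective directive rather than the commented documentation lines as well.
ansible -i hosts task -m shell -a "grep '^UMASK' /etc/login.defs"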
---------------------------------------------------------------------------------------------------------------------
配置记录cron行为日志功能
 
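# cron logging: check only, run locally. Only one of these syslog configs exists
# on a given host; -s suppresses the 'No such file' noise for the others, and
# grepping the files directly prefixes each hit with the file it came from.
grep -s cron /etc/rsyslog.conf /etc/syslog.conf /etc/rsyslog.d/50-default.conf /etc/syslog-ng/syslog-ng.conf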
---------------------------------------------------------------------------------------------------------------------
对用户登录认证、权限变更进行记录
 
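# Authentication / privilege-change logging: check only, run locally. The
# original was missing the '|' between the two greps, so the second pattern
# was taken as a file name and nothing useful was printed. The '^#|^$' filter
# and the '^authpriv.info' alternative were redundant: a line that starts with
# authpriv or filter is never a comment or blank. -s hides missing-file errors
# for the config files a host does not have.
grep -sE '^authpriv|^filter' /etc/rsyslog.conf /etc/syslog.conf /etc/rsyslog.d/50-default.conf /etc/syslog-ng/syslog-ng.conf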
---------------------------------------------------------------------------------------------------------------------

  
