Linux baseline check and hardening
Ad-hoc ansible commands (inventory file hosts, host group task) used to check and fix each baseline item; lines without ansible are run on the host itself.
---------------------------------------------------------------------------------------------------------------------
Change the vsftpd banner
ansible -i hosts task -m shell -a "systemctl is-active vsftpd"
ansible -i hosts task -m shell -a "grep 'ftpd_banner' /etc/vsftpd/vsftpd.conf" | tee ./20240605bak/ftpd_banner.log
ansible -i hosts task -m shell -a "sed -i '/ftpd_banner/s/^/#/g' /etc/vsftpd/vsftpd.conf"
ansible -i hosts task -m shell -a "echo 'ftpd_banner=Authorized users only. All activity may be monitored and reported.' >> /etc/vsftpd/vsftpd.conf"
ansible -i hosts task -m shell -a "systemctl reload vsftpd"
ansible -i hosts task -m shell -a "grep 'ftpd_banner' /etc/vsftpd/vsftpd.conf"
Note: the order matters. Comment out the old line first, then append the new one; run the other way round, the sed also comments out the freshly appended line and the banner silently stays unchanged. The ./20240605bak directory must exist before tee writes into it. The banner text contains no quote characters, so the single-quoted echo inside the double-quoted -a argument is safe as written.
---------------------------------------------------------------------------------------------------------------------
Disable anonymous FTP
ansible -i hosts task -m shell -a "systemctl is-active vsftpd"
ansible -i hosts task -m shell -a "grep 'anonymous_enable' /etc/vsftpd/vsftpd.conf"
Note: the expected active line is anonymous_enable=NO. A missing or commented-out line is a finding, not a pass: vsftpd's built-in default for anonymous_enable is YES.
---------------------------------------------------------------------------------------------------------------------
Hide the SSH banner
ansible -i hosts task -m shell -a "grep 'Banner' /etc/ssh/sshd_config"
ansible -i hosts task -m shell -a "cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config_bak20240605"
ansible -i hosts task -m shell -a "sed -i '/Banner/s/^/#/g' /etc/ssh/sshd_config"
ansible -i hosts task -m shell -a "systemctl reload sshd"
Note: this only removes the pre-authentication text banner (the Banner directive, whose default is already none). The protocol identification string SSH-2.0-OpenSSH_x.y that scanners read is still sent; sshd_config has no option to suppress it. Run sshd -t before the reload: sshd re-executes itself on SIGHUP, and a config error at that point can leave the host without a listener for new connections.
---------------------------------------------------------------------------------------------------------------------
Protect the audit process against unauthorised interruption
sudo chown root:root /etc/audit/auditd.conf
sudo chmod 600 /etc/audit/auditd.conf
sudo chown root:root /etc/audit/audit.rules
sudo chmod 600 /etc/audit/audit.rules
sudo chown root:root /var/log/audit/audit.log
sudo chmod 600 /var/log/audit/audit.log
sudo systemctl restart rsyslog
sudo systemctl reload auditd
sudo systemctl start auditd
sudo systemctl status auditd
systemctl restart auditd
Note: on RHEL/CentOS 7 and later auditd.service carries RefuseManualStop=yes, so the last line (and systemctl stop auditd) is refused; use systemctl reload auditd to re-read auditd.conf, or service auditd restart, which is kept for exactly this case. Where rules are assembled by augenrules, the authoritative rules live in /etc/audit/rules.d/*.rules and /etc/audit/audit.rules is regenerated from them, so apply the same ownership and mode to that directory. When auditd rotates the log, the new file's group follows log_group in auditd.conf; keep that setting consistent with the chmod.
---------------------------------------------------------------------------------------------------------------------
Log file permissions (600, or 640 where a group must read them)
ansible -i hosts task -m shell -a " ls -la /var/log | grep -E 'messages$|secure$|maillog$|cron$|spooler$|boot.log$' "
ansible -i hosts task -m shell -a "chmod 600 /var/log/messages"
ansible -i hosts task -m shell -a "chmod 600 /var/log/secure"
ansible -i hosts task -m shell -a "chmod 600 /var/log/maillog"
ansible -i hosts task -m shell -a "chmod 600 /var/log/cron"
ansible -i hosts task -m shell -a "chmod 600 /var/log/spooler"
ansible -i hosts task -m shell -a "chmod 600 /var/log/boot.log"
Note: chmod alone is not durable. rsyslog creates new files with its $FileCreateMode (default 0644) and logrotate recreates rotated files with the mode given by the create directive in its config, so set $FileCreateMode 0600 in /etc/rsyslog.conf and create 0600 root root in the logrotate stanza covering these files, then re-run the ls check after the next rotation.
---------------------------------------------------------------------------------------------------------------------
Restrict remote login for users with superuser privilege
ansible -i hosts task -m shell -a " grep 'PermitRootLogin' /etc/ssh/sshd_config | grep -Ev '^#|^$' "
ansible -i hosts task -m shell -a "sed -i '/PermitRootLogin/s/^/#/g' /etc/ssh/sshd_config"
ansible -i hosts task -m shell -a "echo 'PermitRootLogin no' >> /etc/ssh/sshd_config"
ansible -i hosts task -m shell -a "systemctl reload sshd"
ansible -i hosts task -m shell -a "service sshd reload"
/sbin/service sshd reload
Note: before rolling this out, confirm that a non-root account with working sudo can log in over SSH on every host, and if ansible itself connects as root, switch the run to that account (-u user -b) first, otherwise the next ansible run locks itself out. Two things can make the appended line ineffective: if sshd_config ends with a Match block, the line lands inside it and applies only to the matched users; and on OpenSSH 8.2+ an Include /etc/ssh/sshd_config.d/*.conf at the top of the file means a PermitRootLogin in a drop-in is read first and wins, because sshd uses the first value it sees for each keyword. Verify the effective setting with sshd -T | grep -i permitrootlogin rather than by grepping the file, and run sshd -t before the reload. The three reload lines are alternatives for systemd and SysV hosts, not three steps.
---------------------------------------------------------------------------------------------------------------------
Hide the Telnet banner
ansible -i hosts task -m shell -a " cat /etc/issue.net "
ansible -i hosts task -m shell -a " cp -p /etc/issue.net /etc/issue.net_bak "
ansible -i hosts task -m shell -a "echo 'Authorized users only. All activity may be monitored and reported' > /etc/issue.net"
Note: /etc/issue.net is what telnetd shows before the login prompt (sshd shows it only when Banner points at it; /etc/issue is the console equivalent). Telnet is cleartext; where the service is not required, removing it is the real fix, and this item only applies to hosts that must keep it.
---------------------------------------------------------------------------------------------------------------------
vsftpd chroot list
ansible -i hosts task -m shell -a " grep 'chroot_local_user' /etc/vsftpd/vsftpd.conf | grep -Ev '^#|^$' "
ansible -i hosts task -m shell -a " ls -l /etc/vsftpd/chroot_list "
ansible -i hosts task -m shell -a "echo 'postgres' >> /etc/vsftpd/chroot_list"
ansible -i hosts task -m shell -a " cat /etc/vsftpd/chroot_list "
Note: the original used ll -ls; ll is an interactive bash alias and does not exist in the non-interactive shell the ansible shell module uses, so ls -l is used here. The meaning of the list depends on chroot_local_user: with chroot_local_user=YES the listed users are the exceptions that are NOT jailed; with NO (the default) only the listed users are jailed. Either way the file is only read when chroot_list_enable=YES and chroot_list_file=/etc/vsftpd/chroot_list are both active; vsftpd's built-in default path is /etc/vsftpd.chroot_list.
---------------------------------------------------------------------------------------------------------------------
wu-ftpd banner
ansible -i hosts task -m shell -a "echo 'banner /thisftpbannerfile' >>/etc/ftpaccess"
ansible -i hosts task -m shell -a "touch /thisftpbannerfile"
ansible -i hosts task -m shell -a "echo 'this is banner' >>/thisftpbannerfile"
Note: only for hosts running wu-ftpd, whose config is /etc/ftpaccess; vsftpd ignores that file. Replace the placeholder text with the same authorized-use wording as the other banners.
---------------------------------------------------------------------------------------------------------------------
Automatic logout of idle sessions
ansible -i hosts task -m shell -a " grep 'TMOUT' /etc/profile | grep -Ev '^#|^$' "
Note: check only. Also look in /etc/profile.d/*.sh and /etc/bashrc, and expect the variable to be exported and made readonly (TMOUT=N; export TMOUT; readonly TMOUT); otherwise any user can unset it in their own shell.
---------------------------------------------------------------------------------------------------------------------
Check the password length and complexity policy
ansible -i hosts task -m shell -a " grep -E '(ucredit=-1)|(lcredit=-1)|(ocredit=-1)|(dcredit=-1)' /etc/pam.d/system-auth"
Note: this grep passes if any one of the four credits is present; a compliant line carries all four plus minlen, and the same module line must also be in /etc/pam.d/password-auth, which sshd uses. On RHEL 7 and later the values are normally kept in /etc/security/pwquality.conf rather than on the pam line, and on RHEL 8+ authselect regenerates system-auth, so edits made directly to it are overwritten.
---------------------------------------------------------------------------------------------------------------------
Restrict login for system accounts
---------------------------------------------------------------------------------------------------------------------
Check that only members of a designated group can use su
ansible -i hosts task -m shell -a "grep 'wheel' /etc/pam.d/su | grep -Ev '^#|^$' "
Note: the line to look for is auth required pam_wheel.so use_uid, uncommented; the stock file ships it commented out.
---------------------------------------------------------------------------------------------------------------------
FTP permissions and access: restrict FTP access for some users
ansible -i hosts task -m shell -a "cat /etc/ftpaccess "
Note: /etc/ftpaccess is wu-ftpd's file. For vsftpd the equivalent controls are userlist_enable with /etc/vsftpd/user_list (a deny list by default; an allow list with userlist_deny=NO) and the pam_listfile check against /etc/vsftpd/ftpusers in /etc/pam.d/vsftpd.
---------------------------------------------------------------------------------------------------------------------
Permissions on critical files and directories (0440, 0644)
ansible -i hosts task -m shell -a "ls -lt /etc/shadow /etc/passwd /etc/group "
ansible -i hosts task -m shell -a "chmod 0600 /etc/shadow && chmod 0644 /etc/passwd && chmod 0644 /etc/group "
Note: the check target is 0440 or tighter for /etc/shadow and 0644 for passwd and group; the fix applies 0600 to shadow, which also satisfies it. On Debian-derived systems /etc/shadow is root:shadow 0640 by design and setgid-shadow helpers such as unix_chkpwd read it through the group, so there keep 0640 rather than forcing 0600. Check /etc/gshadow alongside.
---------------------------------------------------------------------------------------------------------------------
Password lifetime meets the requirement (90 days)
ansible -i hosts task -m shell -a "cat /etc/login.defs | grep PASS_MAX_DAYS"
Note: PASS_MAX_DAYS in login.defs only applies to accounts created after the change; existing accounts keep their own value (see chage -l user) and need chage -M 90 user.
---------------------------------------------------------------------------------------------------------------------
Check the default permissions of new users' home directories (027)
ansible -i hosts task -m shell -a "cat /etc/login.defs | grep UMASK "
Note: UMASK 027 here sets the mode of home directories created by useradd (0777 minus the mask, i.e. 750) and the mask applied by pam_umask where it is enabled; the interactive default comes from /etc/profile and /etc/bashrc, which should be set to match.
---------------------------------------------------------------------------------------------------------------------
Configure logging of cron activity
cat /etc/rsyslog.conf /etc/syslog.conf /etc/rsyslog.d/50-default.conf /etc/syslog-ng/syslog-ng.conf | grep cron
Note: only one of these daemons is installed on any given host, so cat errors for the other files are expected. Expect a line such as cron.* /var/log/cron (RHEL); Debian's 50-default.conf ships the cron line commented out, so cron entries then only reach /var/log/syslog.
---------------------------------------------------------------------------------------------------------------------
Record user login authentication and privilege changes
(cat /etc/rsyslog.conf;cat /etc/syslog.conf;cat /etc/rsyslog.d/50-default.conf;cat /etc/syslog-ng/syslog-ng.conf) | grep -Ev '^#|^$'| grep -E '^authpriv|^authpriv.info|^filter'
Note: expect authpriv.* /var/log/secure on RHEL. The grep misses Debian's form, auth,authpriv.* /var/log/auth.log, because that line begins with auth rather than authpriv; include ^auth in the pattern on such hosts.
---------------------------------------------------------------------------------------------------------------------
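The SSH and vsftpd edits above all follow the same pattern: comment out every line containing the keyword with sed, append the new line with echo >>, reload. That pattern goes wrong when sshd_config ends with a Match block, when the keyword appears in an unrelated line, and when the two steps are run in the wrong order. The helper below is an added example, my own code rather than anything from the original notes: it rewrites the first active global definition in place, comments out further global duplicates, inserts before the first Match block when no global definition exists, and leaves definitions inside Match blocks alone but reports them, since they override the global value. It handles both the Key value form of sshd_config and the key=value form of vsftpd.conf. The names set_directive and apply_sshd are mine, the sshd_config the demo edits is constructed rather than taken from a host, and Include drop-ins are not followed, so the effective value still has to be confirmed with sshd -T.

```shell
#!/bin/sh
# Added example, not from the original notes: Match-aware, idempotent
# directive editing for sshd_config ("Key value") and vsftpd.conf
# ("key=value"), replacing the sed-then-echo pattern used in the notes.

# set_directive FILE KEY VALUE [SEP]
#   SEP is " " (default) for sshd_config, "=" for vsftpd.conf.
#   - the first active global definition of KEY is rewritten in place
#   - further global duplicates are commented out (sshd uses the first
#     value, so they were dead; in vsftpd the last one would have won)
#   - with no global definition, the directive is inserted before the
#     first Match block, or at end of file when there is none
#   - definitions inside Match blocks are left untouched and reported on
#     stderr, because they override the global value for matched users
#   Include drop-ins are not followed: confirm with  sshd -T | grep -i KEY
set_directive() {
    file=$1; key=$2; val=$3; sep=${4:-" "}
    tmp="$file.tmp.$$"
    awk -v key="$key" -v val="$val" -v sep="$sep" '
        BEGIN { lkey = tolower(key); done = 0; in_match = 0 }
        # keywords are matched case-insensitively, as sshd itself does
        function has_key(line) {
            return (tolower(line) ~ ("^[ \t]*" lkey "[ \t=]"))
        }
        tolower($1) == "match" {
            if (!done) { print key sep val; done = 1 }
            in_match = 1
        }
        has_key($0) {
            if (in_match) {
                print "warning: " key " also set inside a Match block, line " NR > "/dev/stderr"
            } else if (!done) {
                print key sep val; done = 1; next
            } else {
                print "#" $0; next
            }
        }
        { print }
        END { if (!done) print key sep val }
    ' "$file" > "$tmp" && cat "$tmp" > "$file" && rm -f "$tmp"
    # written back through the existing inode so mode and owner are kept
}

# On a real host: syntax-check first, then reload.  Not run by the demo.
apply_sshd() {
    sshd -t -f /etc/ssh/sshd_config && systemctl reload sshd
}

# Demo on a constructed sshd_config in a temp file (not a real host).
demo=$(mktemp)
cat > "$demo" <<'EOF'
Port 22
PermitRootLogin yes
Banner /etc/issue.net
Match User backup
    PermitRootLogin no
EOF
set_directive "$demo" PermitRootLogin no
set_directive "$demo" Banner none    # same effect as commenting it out: none is the default
cat "$demo"
rm -f "$demo"
```

Copy the function into a script and run it with ansible's script module, or wrap the call in a shell task; the edit is idempotent, so re-running a playbook does not pile up duplicate lines the way echo >> does.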
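The check items above (PASS_MAX_DAYS 90, UMASK 027, TMOUT, the pam credit line, pam_wheel in /etc/pam.d/su, and the system-accounts item that has no commands) are all greps whose output someone then reads by eye. As an added example, not from the original notes, here are the same checks as shell functions that return pass or fail, so a loop over fetched config copies, or an ansible task, can count findings instead. Every function takes the file to inspect as an argument. The sample files in the demo are constructed, the function names are mine, and two values are my assumptions because the notes give none: the 600-second TMOUT ceiling, and the exclusion of sync, shutdown and halt from the system-accounts check.

```shell
#!/bin/sh
# Added example, not from the original notes: the grep-style check items
# as pass/fail functions.  Each takes the file to inspect as an argument,
# so it runs on a copy fetched from a host or on a constructed sample,
# and returns 0 when compliant, 1 otherwise.

# Active (uncommented) value of KEY in a "KEY value" file such as
# login.defs; the last definition wins, as it does for login.defs itself.
kv_value() {   # kv_value FILE KEY
    awk -v k="$2" '$1 == k { v = $2 } END { print v }' "$1"
}

# PASS_MAX_DAYS set and at most 90 (the baseline value in the notes).
check_pass_max_days() {
    v=$(kv_value "$1" PASS_MAX_DAYS)
    [ -n "$v" ] && [ "$v" -le 90 ]
}

# UMASK must include 027 (group-write and all "other" bits cleared);
# 027 octal is 23 decimal, so 077 passes and 022 fails.
check_umask() {
    v=$(kv_value "$1" UMASK)
    [ -n "$v" ] && [ $(( 0$v & 23 )) -eq 23 ]
}

# TMOUT=N in a profile file: present, numeric, 0 < N <= MAX.  MAX defaults
# to 600 seconds, an assumed ceiling; the notes only check TMOUT exists.
check_tmout() {   # check_tmout FILE [MAX]
    v=$(awk 'sub(/^[ \t]*((export|readonly)[ \t]+)?TMOUT=/, "") {
                 sub(/[^0-9].*/, ""); v = $0 } END { print v }' "$1")
    [ -n "$v" ] && [ "$v" -gt 0 ] && [ "$v" -le "${2:-600}" ]
}

# pam_pwquality/pam_cracklib line in /etc/pam.d/system-auth: minlen >= 8
# and all four credits at -1 or lower (the grep in the notes passes on any
# one of them).  Distros that keep these in /etc/security/pwquality.conf
# need the same test over that file's "key = value" lines instead.
check_pam_complexity() {
    awk '$1 == "password" && /pam_(pwquality|cracklib)\.so/ {
             ok = 1; seen = 0
             for (i = 1; i <= NF; i++) {
                 split($i, kv, "=")
                 if (kv[1] == "minlen") { seen++; if (kv[2] + 0 < 8) ok = 0 }
                 if (kv[1] ~ /^[uldo]credit$/) { seen++; if (kv[2] + 0 > -1) ok = 0 }
             }
             found = (ok && seen == 5)
         }
         END { exit !found }' "$1"
}

# /etc/pam.d/su: an active "auth required pam_wheel.so" line (use_uid form).
check_wheel_su() {
    awk '$1 == "auth" && $2 == "required" && /pam_wheel\.so/ { f = 1 }
         END { exit !f }' "$1"
}

# The notes leave the system-accounts item empty; the usual check is that
# no system account (UID < 1000) other than root, sync, shutdown and halt
# (an assumed exclusion list) has a login shell.  Offenders are printed.
check_system_accounts() {   # check_system_accounts PASSWD_FILE
    awk -F: 'BEGIN { bad = 0 }
             $3 < 1000 && $1 !~ /^(root|sync|shutdown|halt)$/ && $7 !~ /(nologin|false)$/ {
                 print "system account with login shell: " $1 " " $7; bad = 1 }
             END { exit bad }' "$1"
}

# report NAME CHECK FILE...: one PASS/FAIL line per item, failures counted.
report() {
    name=$1; shift
    if "$@"; then echo "PASS $name"; else echo "FAIL $name"; fails=$((fails + 1)); fi
}

# Demo on constructed sample files (not real host config).
d=$(mktemp -d)
printf 'PASS_MAX_DAYS\t99999\nUMASK\t022\n' > "$d/login.defs"
printf 'TMOUT=600; export TMOUT; readonly TMOUT\n' > "$d/profile"
printf 'password requisite pam_pwquality.so try_first_pass retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1\n' > "$d/system-auth"
printf '#auth required pam_wheel.so use_uid\n' > "$d/su"
printf 'root:x:0:0:root:/root:/bin/bash\nbin:x:1:1:bin:/bin:/sbin/nologin\npostgres:x:26:26::/var/lib/pgsql:/bin/bash\n' > "$d/passwd"
fails=0
report PASS_MAX_DAYS    check_pass_max_days   "$d/login.defs"
report UMASK            check_umask           "$d/login.defs"
report TMOUT            check_tmout           "$d/profile"
report pam_complexity   check_pam_complexity  "$d/system-auth"
report wheel_su         check_wheel_su        "$d/su"
report system_accounts  check_system_accounts "$d/passwd"
echo "$fails of 6 checks failed"
rm -rf "$d"
```

To run this against a fleet, fetch each host's files with ansible's fetch module into a per-host directory and point the functions at those copies; nothing here needs root and nothing is modified, so it is safe to run on every pass.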