乔克
乔克
Published on 2024-11-19 / 99 Visits
0
0

Linux基于等保的安全加固

✍ 道路千万条,安全第一条。操作不规范,运维两行泪。

一、设置密码安全策略

1、修改 vim /etc/login.defs 文件

#vim /etc/login.defs
PASS_MAX_DAYS   90         # 密码最长过期天数
PASS_MIN_DAYS   7         # 密码最小过期天数
PASS_MIN_LEN    8        # 密码最小长度
PASS_WARN_AGE   14        # 密码过期警告天数

2、修改 vim /etc/security/pwquality.conf 文件

# vim /etc/security/pwquality.conf
minlen=8                         # 密码长度
minclass=3                       # 密码策略 3 表示大小写字母、数字、字符是少 3 类

3、修改 /etc/pam.d/password-auth 和 /etc/pam.d/system-auth 文件

password    sufficient     pam_sss.so use_authtok  remember=5  # 密码最大重用次数

二、修复系统账户

1、查看是否存在特权用户,通过判断 uid 是否为 0 来查找系统是否存在特权用户

awk -F: '$3==0 {print $1}' /etc/passwd

2、查看是否存在空口令用户

awk -F: 'length($2)==0 {print $1}' /etc/shadow

三、修复系统日志

1、添加审计账户

useradd audit
usermod -G audit audit

2、开启审计服务

# 检查服务是否存在
systemctl status auditd
# 如果不存在则安装
yum -y install audit audit-libs-devel
systemctl daemon-reload
systemctl enable auditd

配置审计规则:

1)简单版本

# vim /etc/audit/rules.d/audit.rules
-a exit,always -F arch=b64 -S umask -S chown -S chmod
-a exit,always -F arch=b64 -S unlink -S rmdir
-a exit,always -F arch=b64 -S setrlimit
-a exit,always -F arch=b64 -S setuid -S setreuid
-a exit,always -F arch=b64 -S setgid -S setregid
-a exit,always -F arch=b64 -S sethostname -S setdomainname
-a exit,always -F arch=b64 -S adjtimex -S settimeofday
-a exit,always -F arch=b64 -S mount -S _sysctl
-w /etc/group -p wa
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/sudoers -p wa
-w /etc/ssh/sshd_config
-w /etc/bashrc -p wa
-w /etc/profile -p wa
-w /etc/profile.d/
-w /etc/aliases -p wa
-w /etc/sysctl.conf -p wa
-w /var/log/lastlog
# Disable adding any additional rules - note that adding *new* rules will require a reboot

2)详细版本

cat >> /etc/audit/rules.d/audit.rules <<EOF
###记录系统的日期和时间的修改
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k timechange
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change

####记录用户和组的修改的事件
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

####记录网络环境修改时间
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-w /etc/sysconfig/network-scripts/ -p wa -k system-locale

####记录登录和登出事件
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins

####记录会话启动事件
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k logins
-w /var/log/btmp -p wa -k logins

####监视对文件权限、属性、所有权和组的更改
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod

####记录未授权文件访问尝试
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -k access

####收集成功挂载磁盘事件
-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -k mount

####收集用户的文件删除事件
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

####收集对系统管理范围(sudoers)的更改
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope

####收集内核模块加载和卸载
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules

####收集使用特权命令
-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/staprun -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/pkexec -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/ssh-agent -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/pam_timestamp_check -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/unix_chkpwd -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/netreport -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/usernetctl -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/lib/polkit-1/polkit-agent-helper-1 -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/libexec/utempter/utempter -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/libexec/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/libexec/openssh/ssh-keysign -F perm=x -F auid>=1000 -F auid!=4294967295 -k privileged
EOF

重新加载规则

/sbin/augenrules --load

日志赋权

chown audit:audit -R /var/log
chown root:root -R /var/log/audit

3、日志权限设置,权限不得大于 640

chmod 640 /var/log/messages
chmod 640 /var/log/secure
chmod 640 /var/log/audit/audit.log

4、日志远程存储

#vim  /etc/rsyslog.conf
*.info;mail.none;news.none;authpriv.none;cron.none /var/log/messages
*.* @@172.16.x.xx:514
*.* @172.16.x.xx:514

三、限制远程登录

1、修改 /etc/ssh/sshd_config

# vim /etc/ssh/sshd_config
PermitEmptyPasswords no         # 禁止无密码访问服务器
MaxAuthTries 4                  # 用户最大认证次数
HostbasedAuthentication no      # 关闭openssh主机认证
# SSH空闲超时配置
ClientAliveInterval 300         # 小于等于300s
ClientAliveCountMax 3           # 存活用户数小于等于3

2、配置连接超时自动退出功能

echo "TMOUT=300">>/etc/profile
source /etc/profile

四、附检查修复脚本

1、基线检查脚本

#!/bin/bash
# ################ Descripthon ################
# Date: 2020-10-12
# Auth: Joker
# Mail: jokerbaix@163.com
# Version: v1
# Attention: 阿里云云服务器基线检测
# #############################################

IP=$(ifconfig eth0 | grep -w inet | awk '{print $2}')
NOW_TIME=$(date +"%Y-%m-%d-%T")

dash_line="------------------------------------------------------------------"
# 绿色字体输出检测通过
pass=$(($pass + 1))
print_pass() {
    echo -e "\033[32m++> PASS \033[0m"
    echo "++> PASS" >>"$file"
}
# 红色字体输出检测失败FAIL
fail=$(($fail + 1))
print_fail() {
    echo -e "\033[31m--> FAIL \033[0m"
    echo "--> FAIL" >>"$file"
}
# 黄色字体输出需手工再检查的项
print_manual_check() {
    echo -e "\033[33m##> Manual \033[0m"
    echo "##> Manual" >>"$file"
}
# 蓝色字体输出补充
print_info() {
    echo -e "\033[34m$1 \033[0m"
}
# 紫色字体输出检测项
print_check_point() {
    echo ""
    echo -e "\033[35m[No."$1"] "$2" \033[0m"
    echo "[$1]"" $2" >>"$file"
}
print_dot_line() {
    echo "$dash_line"
}
print_summary() {
    # 输出显示
    print_info "---------------------------- Summary -----------------------------"
    echo -e "\033[35m全部检测项: $1 \033[0m"
    echo -e "\033[32m通过检测项: $2 \033[0m"
    echo -e "\033[31m失败检测项: $3 \033[0m"
    echo -e "\033[33m手工检测项: $4 \033[0m"
    print_info "检测结果将写入文件 $file中..."
    print_info "$dash_line"
    # 写入文件
    echo "---------------------------- Summary -----------------------------" >>"$file"
    echo "全部检测项: $1" >>"$file"
    echo "通过检测项: $2" >>"$file"
    echo "失败检测项: $3" >>"$file"
    echo "手工检测项: $4" >>"$file"
    echo "$dash_line" >>"$file"
}
# ====================================
function check() {
    begin_msg="-------------------- 正在执行操作系统基线检查 --------------------"
    print_info "$begin_msg"
    index=0  # 检测项编号
    pass=0   # 通过的检测项数
    fail=0   # 未通过的检测项数
    manual=0 # 需手工复核的检测项数
    file="baseline_check_result.txt"

    echo "$begin_msg" >"$file"

    check_point="帐号管理-1:检查是否设置除root之外UID为0的用户"
    index=$(($index + 1))
    print_check_point $index "$check_point"

    print_info "'任何UID为0的帐户都具有系统上的超级用户特权,只有root账号的uid才能为0'"
    print_dot_line

    result=$(/bin/cat /etc/passwd | /bin/awk -F: '($3 == 0) { print $1 }')
    print_info "UID为0的用户如下:"
    print_info "[ $result ]"

    if [ "root" = $result ]; then
        pass=$(($pass + 1))
        print_pass
    else
        fail=$(($fail + 1))
        print_fail
    fi


    check_point="口令策略-1:检查是否设置口令生存周期 "
    index=$(($index + 1))
    print_check_point $index "$check_point"
    passmax=$(cat /etc/login.defs | grep PASS_MAX_DAYS | grep -v ^#)
    print_info "'PASS_MAX_DAYS 应介于1~90'"
    print_dot_line
    print_info "$passmax"
    if [ -n "$passmax" ]; then
        days=$(echo $passmax | awk '{print $2}')
        if [ "$days" -gt 90 ]; then
            fail=$(($fail + 1))
            print_fail
        else
            pass=$(($pass + 1))
            print_pass
        fi
    else
        fail=$(($fail + 1))
        print_fail
    fi

    check_point="口令策略-2:检查是否设置口令更改最小间隔天数 "
    index=$(($index + 1))
    print_check_point $index "$check_point"
    passmin=$(cat /etc/login.defs | grep PASS_MIN_DAYS | grep -v ^#)
    print_info "'PASS_MIN_DAYS 应大于等于 7'"
    print_dot_line
    print_info "$passmin"
    if [ -n "$passmin" ]; then
        days=$(echo $passmin | awk '{print $2}')
        if [ "$days" -lt 7 ]; then
            fail=$(($fail + 1))
            print_fail
        else
            pass=$(($pass + 1))
            print_pass
        fi
    else
        fail=$(($fail + 1))
        print_fail
    fi

    check_point="口令策略-3:检查是否设置口令过期前警告天数  "
    index=$(($index + 1))
    print_check_point $index "$check_point"
    print_info "'口令过期前告警天数PASS_WARN_AGE应设置为 7'"
    print_dot_line
    pass_age=$(cat /etc/login.defs | grep PASS_WARN_AGE | grep -v ^#)
    print_info "$pass_age"
    if [ -n "$pass_age" ]; then
        days=$(echo $pass_age | awk '{print $2}')
        if [ "$days" -eq 7 ]; then
            pass=$(($pass + 1))
            print_pass
        else
            fail=$(($fail + 1))
            print_fail
        fi
    else
        fail=$(($fail + 1))
        print_fail
    fi

    check_point="口令策略-4:检查设备密码复杂度策略"
    index=$(($index + 1))
    print_check_point $index "$check_point"
    print_info "'系统应设置密码复杂度策略,避免设置账号弱口令'"
    print_dot_line
    print_info "'密码长度>=8,且至少包含一个大写字母、小写字母、数字、特殊字符(可自定义密码复杂度策略)'"
    print_dot_line
    flag=0
    # 以下检查/etc/security/pwquality.conf文件中的内容
    # minlen为密码字符串长度,minclass为字符类别,至少包含小写字母、大写字母、数字、特殊字符等4类字符中等3类或4类
    print_info "检查/etc/security/pwquality.conf,如下:"
    line_minlen=$(cat /etc/security/pwquality.conf | grep minlen | grep -v ^#)
    line_minclass=$(cat /etc/security/pwquality.conf | grep minclass | grep -v ^#)

    if [ -n "$line_minlen" ] && [ -n "$line_minclass" ]; then
        minlen=$(echo "$line_minlen" | awk -F "=" '{print $2}' | awk '{gsub(/^\s+|\s+$/, "");print}')
        minclass=$(echo "$line_minclass" | awk -F "=" '{print $2}' | awk '{gsub(/^\s+|\s+$/, "");print}')
        if [ "$minlen" -ge 8 ] && [ "$minclass" -ge 4 ]; then
            print_info "minlen =>"" [ $minlen ]"
            print_info "minclass =>"" [ $minclass ]"
            flag=1
        fi
    fi
    if [ "$flag" -eq 1 ]; then
        pass=$(($pass + 1))
        print_pass
    else
        fail=$(($fail + 1))
        print_fail
    fi

    check_point="口令策略-5:检查是否存在空口令账号"
    index=$(($index + 1))
    print_check_point $index "$check_point"
    print_info "'不允许存在空口令的账号'"
    print_dot_line
    tmp=$(/bin/cat /etc/shadow | /bin/awk -F: '($2 == "" ) { print "user " $1 " does not have a password "}')
    print_info '空口令账号:'"[ $tmp ]"
    if [ -z "$tmp" ]; then
        pass=$(($pass + 1))
        print_pass
    else
        fail=$(($fail + 1))
        print_fail
    fi

    check_point="口令策略-6:检查密码重复使用次数限制"
    index=$(($index + 1))
    print_check_point $index "$check_point"
    line=$(cat /etc/pam.d/system-auth | grep password | grep sufficient | grep pam_unix.so | grep remember | grep -v ^#)
    print_info "'口令重复使用限制次数 remember >=5'"
    print_dot_line
    print_info "[ $line ]"
    if [ -n "$line" ]; then
        times=$(echo $line | awk -F "remember=" '{print $2}')
        if [ $times -ge 5 ]; then
            pass=$(($pass + 1))
            print_pass
        else
            fail=$(($fail + 1))
            print_fail
        fi
    else
        fail=$(($fail + 1))
        print_fail
    fi

    check_point="口令策略-7:检查账户认证失败次数限制"
    index=$(($index + 1))
    print_check_point $index "$check_point"
    print_dot_line
    print_info "登录失败限制可以使用pam_tally2或pam.d,请手工检测/etc/pam.d/login和/etc/pam.d/sshd"
    print_info "建议配置:auth required pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=10"
    manual=$(($manual + 1))
    print_manual_check

    check_point="日志审计-1:检查是否对登录进行日志记录"
    index=$(($index + 1))
    print_check_point $index "$check_point"
    print_info "'设备应配置日志功能,对用户登录进行记录,记录内容包括用户登录使用的账号,登录是否成功,登录时间,以及远程登录时,用户使用的IP地址'"
    tmp=$(cat /etc/rsyslog.conf | grep /var/log/secure | egrep 'authpriv'.\('info|\*'\) | grep -v ^#)
    print_dot_line
    print_info "/etc/rsyslog.conf 文件中 authpriv 的配置如下所示:"
    print_info "[ $tmp ]"
    if [ -n "$tmp" ]; then
        pass=$(($pass + 1))
        print_pass
    else
        fail=$(($fail + 1))
        print_fail
    fi

    check_point="口令策略-8:检测是否允许空密码登录"
    index=$(($index+1))
    print_check_point $index "$check_point"
    print_info "应该禁止SSH空密码用户登录"
    print_dot_line
    tmp=`cat /etc/ssh/sshd_config | grep PermitEmptyPasswords | grep -v ^#`
    print_info "/etc/ssh/sshd_config中是否允许空密码登录配置如下所示:"
    print_info "$tmp"
    if [ -n "$tmp" ]; then
        pass=$(($pass + 1))
        print_pass
    else
        fail=$(($fail + 1))
        print_fail
    fi

    check_point="日志审计-2:检查日志文件权限设置"
    index=$(($index + 1))
    print_check_point $index "$check_point"
    messages=$(stat -c %a /var/log/messages)
    dmesg=$(stat -c %a /var/log/dmesg)
    maillog=$(stat -c %a /var/log/maillog)
    secure=$(stat -c %a /var/log/secure)
    wtmp=$(stat -c %a /var/log/wtmp)
    cron=$(stat -c %a /var/log/cron)
    print_info "'设备应配置权限,控制对日志文件读取、修改和删除等操作'"
    print_info "推荐的文件权限:(不大于左侧值)"
    print_info "600 /var/log/messages"
    print_info "600 /var/log/secure、"
    print_info "600 /var/log/maillog、"
    print_info "600 /var/log/cron"
    print_info "644 /var/log/dmesg"
    print_info "664 /var/log/wtmp"
    print_dot_line
    print_info "目前的文件权限如下:"
    print_info $messages' /var/log/messages'
    print_info $dmesg' /var/log/dmesg  '
    print_info $maillog' /var/log/maillog  '
    print_info $secure' /var/log/secure  '
    print_info $wtmp' /var/log/wtmp  '
    print_info $cron' /var/log/cron  '
    if [ "$messages" -le 600 ] && [ "$secure" -le 600 ] && [ "$maillog" -le 600 ] && [ "$cron" -le 600 ] && [ "$dmesg" -le 644 ] && [ "$wtmp" -le 664 ]; then
        pass=$(($pass + 1))
        print_pass
    else
        fail=$(($fail + 1))
        print_fail
    fi

    check_point="日志审计-3:检查安全事件日志配置"
    index=$(($index + 1))
    print_check_point $index "$check_point"
    print_info "'设备应配置日志功能,记录对与设备相关的安全事件'"
    print_dot_line
    tmp=$(cat /etc/rsyslog.conf | grep /var/log/messages | egrep '\*.info;mail.none;authpriv.none;cron.none' | grep -v ^#)
    print_info "/etc/rsyslog.conf 文件中 /var/log/messages 的配置如下所示:"
    print_info "$tmp"
    if [ -n "$tmp" ]; then
        pass=$(($pass + 1))
        print_pass
    else
        fail=$(($fail + 1))
        print_fail
    fi

    check_point="日志审计-4:检查SSH的日志级别"
    index=$(($index + 1))
    print_check_point $index "$check_point"
    print_info "'确保SSH LogLevel设置为INFO,记录登录和注销活动'"
    print_dot_line
    tmp=$(cat /etc/ssh/sshd_config | grep LogLevel | grep -v ^#)
    print_info "/etc/ssh/sshd_config文件中SSH的日志级别配置如下所示:"
    print_info "$tmp"
    if [ -n "$tmp" ]; then
        pass=$(($pass + 1))
        print_pass
    else
        fail=$(($fail + 1))
        print_fail
    fi

    check_point="文件权限-1:检查重要目录或文件权限设置"
    index=$(($index + 1))
    print_check_point $index "$check_point"
    passwd=$(stat -c %a /etc/passwd)
    shadow=$(stat -c %a /etc/shadow)
    group=$(stat -c %a /etc/group)
    print_info "'在设备权限配置能力内,根据用户的业务需要,配置其所需的最小权限'"
    print_info "建议文件权限:(不大于左侧值)"
    print_info "644 /etc/passwd"
    print_info "400 /etc/shadow"
    print_info "644 /etc/group"
    print_dot_line
    print_info "实际检测值为:"
    print_info "$passwd"" /etc/passwd"
    print_info "$shadow"" /etc/shadow"
    print_info "$group"" /etc/group"
    if [ "$passwd" -le 644 ] && [ "$shadow" -le 400 ] && [ "$group" -le 644 ]; then
        pass=$(($pass + 1))
        print_pass
    else
        fail=$(($fail + 1))
        print_fail
    fi

    check_point="其他配置-1:检查是否设置命令行界面超时退出"
    index=$(($index + 1))
    print_check_point $index "$check_point"
    print_info "'命令行界面超时自动登出时间TMOUT应不大于300s'"
    print_dot_line
    TMOUT=$(cat /etc/profile | grep -i TMOUT | grep -v ^#)
    if [ -z "$TMOUT" ]; then
        print_info "没有设置超时时间TMOUT"
        fail=$(($fail + 1))
        print_fail
    else
        TMOUT=$(cat /etc/profile | grep -i TMOUT | egrep -v ^\# | awk -F "=" '{print $2}')
        if [ "$TMOUT" -gt 300 ]; then
            print_info "TMOUT值过大:""$TMOUT"
            fail=$(($fail + 1))
            print_fail
        else
            print_info "TMOUT:""$TMOUT"
            pass=$(($pass + 1))
            print_pass
        fi
    fi

    check_point="其他配置-2:检查SSH最大密码尝试失败次数"
    index=$(($index + 1))
    print_check_point $index "$check_point"
    print_info "'设置最大密码尝试失败次数3-6,建议为4'"
    print_dot_line
    tmp=$(cat /etc/ssh/sshd_config | grep MaxAuthTries | grep -v ^#)
    print_info "/etc/ssh/sshd_config文件中SSH的最大密码尝试失败次数配置如下所示:"
    print_info "$tmp"
    if [ -n "$tmp" ]; then
        pass=$(($pass + 1))
        print_pass
    else
        fail=$(($fail + 1))
        print_fail
    fi

    print_summary $index $pass $fail $manual
}

# 开始检测并生成报告
check

2、基线修复脚本

#!/bin/bash
# ################ Descripthon ################
# Date: 2020-10-15
# Auth: Joker
# Mail: jokerbaix@163.com
# Version: v1
# Attention: 阿里云云服务器基线检测修复
# #############################################


# 修复前先备份所有配置文件
function backup() {
    now_time=$(date +%Y%m%d%H%M)
    cp /etc/login.defs /etc/login.defs.bak.${now_time}
    cp /etc/security/pwquality.conf /etc/security/pwquality.conf.bak.${now_time}
    cp /etc/pam.d/password-auth /etc/pam.d/password-auth.bak.${now_time}
    cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak.${now_time}
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak.${now_time}
    cp /etc/profile /etc/profile.bak.${now_time}
}

# 修改口令相关策略
function repair_pwd_policy() {
    # 更改口令最小间隔数
    grep '^PASS_MIN_DAYS   7' /etc/login.defs &>/dev/null
    if [ $? -ne 0 ]; then
        sed -i "/^PASS_MIN_DAYS/ d" /etc/login.defs
        echo 'PASS_MIN_DAYS   7' >>/etc/login.deeefs
        chage --mindays 7 root
    fi

    # 更改口令生存时间
    grep '^PASS_MAX_DAYS   90' /etc/login.defs &>/dev/null
    if [ $? -ne 0 ]; then
        sed -i "/^PASS_MAX_DAYS/ d" /etc/login.defs
        echo 'PASS_MAX_DAYS   90' >>/etc/login.deeefs
        chage --maxdays 90 root
    fi

    # 修改口令过期警告时间
    grep '^PASS_WARN_AGE   7' /etc/login.defs &>/dev/null
    if [ $? -ne 0 ]; then
        sed -i "/^PASS_WARN_AGE/ d" /etc/login.defs
        echo 'PASS_WARN_AGE   7' >>/etc/login.defs
    fi

    # 修改密码复杂度
    grep '^minlen=10' /etc/security/pwquality.conf &>/dev/null
    a=$?
    grep '^minclass=3' /etc/security/pwquality.conf &>/dev/null
    b=$?
    if [[ $a -ne 0 ]] && [[ $b -ne 0 ]]; then
        sed -i "/^minlen/ d" /etc/security/pwquality.conf
        sed -i "/^minclass/ d" /etc/security/pwquality.conf
        echo "minlen=10" >>/etc/security/pwquality.conf
        echo "minclass=3" >>/etc/security/pwquality.conf
    fi

    # 修改密码重用次数
    for file in /etc/pam.d/password-auth /etc/pam.d/system-auth; do
        grep 'password' $file | grep sufficient | grep remember &>/dev/null
        if [[ $? -ne 0 ]]; then
            grep 'use_authtok' $file &>/dev/null
            if [[ $? -eq 0 ]]; then #这行存在则末尾加字符
                sed -i 's/use_authtok$/& remember=5/' $file
            fi
        fi
    done
}

# 修改ssh参数
function repair_ssh() {
    ssh_config=/etc/ssh/sshd_config

    # 不允许空密码登录
    grep "^PermitEmptyPasswords no" $ssh_config &>/dev/null
    if [ $? -ne 0 ]; then
        sed -i "/^PermitEmptyPasswords/ d" $ssh_config
        echo "PermitEmptyPasswords no" >>$ssh_config
    fi

    # 修改最大尝试次数
    grep "^MaxAuthTries 4" $ssh_config &>/dev/null
    if [ $? -ne 0 ]; then
        sed -i "/^MaxAuthTries/ d" $ssh_config
        echo "MaxAuthTries 4" >>$ssh_config
    fi

    # 修改ssh远程协议
    grep "^Protocol 2" $ssh_config &>/dev/null
    if [ $? -ne 0 ]; then
        sed -i "/^Protocol/ d" $ssh_config
        echo "Protocol 2" >>$ssh_config
    fi

    # 其他参数修改
    grep "^X11Forwarding no" $ssh_config &>/dev/null
    if [ $? -ne 0 ]; then
        sed -i "/^X11Forwarding/ d" $ssh_config
        echo "X11Forwarding no" >>$ssh_config
    fi
    grep "^IgnoreRhosts yes" $ssh_config &>/dev/null
    if [ $? -ne 0 ]; then
        sed -i "/^IgnoreRhosts/ d" $ssh_config
        echo "IgnoreRhosts yes" >>$ssh_config
    fi
    grep "^HostbasedAuthentication no" $ssh_config &>/dev/null
    if [ $? -ne 0 ]; then
        sed -i "/^HostbasedAuthentication/ d" $ssh_config
        echo "HostbasedAuthentication no" >>$ssh_config
    fi
}

# 修改/etc/profile中的配置
function repair_profile() {
    profile_config=/etc/profile
    # 设置命令行界面超时退出
    grep "^TMOUT=300" $profile_config &>/dev/null
    if [ $? -ne 0 ]; then
        sed -i "/^TMOUT/ d" $profile_config
        echo "TMOUT=300" >>$profile_config
    fi

    # 设置历史命令显示条数
    grep "^HISTFILESIZE=5" $profile_config &>/dev/null
    if [ $? -ne 0 ]; then
        sed -i "/^HISTFILESIZE/ d" $profile_config
        echo "HISTFILESIZE=5" >>$profile_config
    fi
    grep "^HISTSIZE=5" $profile_config &>/dev/null
    if [ $? -ne 0 ]; then
        sed -i "/^HISTSIZE/ d" $profile_config
        echo "HISTSIZE=5" >>$profile_config
    fi
}

function main() {
    echo "===========  开始修复  ==========="
    # 备份需修改的文件
    backup
    # 修改口令策略
    repair_pwd_policy
    # 修改ssh配置文件
    repair_ssh
    # 修改环境变量
    repair_profile

    # 重启ssh
    # service sshd restart
    # source /etc/profile
    echo "===========  修复完成  ==========="
}

main

Comment