跳到主要内容

11、Linux基线加固

2024.4.1-Linux基线加固

脚本位置:

https://onedayxyy.cn/scripts/Linux_jixianJiaGu/Linux_jixianJiaGu.sh

wget -qO- https://onedayxyy.cn/scripts/Linux_jixianJiaGu/Linux_jixianJiaGu.sh|bash

Linux_jixianJiaGu.sh

[root@docusaurus-wiki Linux_jixianJiaGu]#cat Linux_jixianJiaGu.sh 
#!/bin/bash

#云管平台带内监控账号创建及配置(包括icnoc账号)
useradd monitor
useradd Guanliyuan
usermod -G wheel Guanliyuan
echo '123456' | passwd --stdin monitor
echo '123456' | passwd --stdin Guanliyuan
chage -M 9999 Guanliyuan
echo 'Defaults: monitor !requiretty
monitor ALL=(root) NOPASSWD:/usr/sbin/lvdisplay
monitor ALL=(root) NOPASSWD:/usr/sbin/vgdisplay
monitor ALL=(root) NOPASSWD:/usr/sbin/pvdisplay
monitor ALL=(root) NOPASSWD:/usr/sbin/lvscan
monitor ALL=(root) NOPASSWD:/usr/sbin/vgscan
monitor ALL=(root) NOPASSWD:/usr/sbin/pvscan
monitor ALL=(root) NOPASSWD:/usr/sbin/lvs
monitor ALL=(root) NOPASSWD:/usr/sbin/vgs
monitor ALL=(root) NOPASSWD:/usr/sbin/pvs
monitor ALL=(root) NOPASSWD:/usr/sbin/dmidecode
monitor ALL=(root) NOPASSWD:/usr/sbin/fdisk -l
monitor ALL=(root) NOPASSWD:/usr/sbin/smartctl
monitor ALL=(root) NOPASSWD:/sbin/lvdisplay
monitor ALL=(root) NOPASSWD:/sbin/vgdisplay
monitor ALL=(root) NOPASSWD:/sbin/pvdisplay
monitor ALL=(root) NOPASSWD:/sbin/lvscan
monitor ALL=(root) NOPASSWD:/sbin/vgscan
monitor ALL=(root) NOPASSWD:/sbin/pvscan
monitor ALL=(root) NOPASSWD:/sbin/dmidecode
monitor ALL=(root) NOPASSWD:/sbin/fdisk -l
monitor ALL=(root) NOPASSWD:/sbin/smartctl
monitor ALL=(root) NOPASSWD:/bin/cat
monitor ALL=(root) NOPASSWD:/bin/rm -f ./jtdc_rw_tmp_file
monitor ALL=(root) NOPASSWD:/usr/bin/tee ./jtdc_rw_tmp_file
monitor ALL=(root) NOPASSWD:/usr/bin/tail
icnoc     ALL=(ALL)       NOPASSWD:ALL
' >> /etc/sudoers

#初始化环境配置(关闭且禁用防火墙/NetwokManager/selinux)
systemctl stop firewalld
systemctl disable  firewalld

systemctl stop NetworkManager
systemctl disable  NetworkManager

setenforce 0
sed -i s/SELINUX=enforcing/SELINUX=disabled/ /etc/selinux/config 

#yum配置
cd /etc/yum.repos.d/
mkdir backup
mv * backup/

# cat > /etc/yum.repos.d/base.repo << EOF                  
# [base]
# name=local_yum
# baseurl=file:///mnt
# enabled=1
# gpgcheck=0                                                   
# EOF

# mount /dev/cdrom /mnt/

cat >> /etc/yum.repos.d/http.repo << EOF
[centos-source]
name=centos source
baseurl=http://172.29.9.10:8023/centos761810/
enabled=1
gpgcheck=0
EOF

yum clean all
yum makecache
yum install -y net-tools
yum install -y vim
yum remove -y ntp*
#history日志配置
echo "export HISTSIZE=1000"   >> /etc/bashrc
echo "export PROMPT_COMMAND='{ msg=\$(history 1 | { read x y; echo \$y; });logger \"[euid=\$(whoami)]\":[\$(who am i)]:[\`pwd\`]:[\"\$msg\"]; }'" >> /etc/bashrc
echo "export HISTTIMEFORMAT=\"%Y%m%d_%T \`whoami\` \`who am i|awk '{print \$1,\$5}'|sed 's/ (/@/'|sed 's/)//'\` \"" >> /etc/bashrc

echo "export TMOUT=300" >> /etc/profile
. /etc/profile

#sudo日志
echo "Defaults log_host,log_year,logfile=/var/log/sudo.log">>/etc/sudoers

#syslog日志配置
systemctl start rsyslog
systemctl enable rsyslog
echo "*.* @172.29.9.100:514" >> /etc/rsyslog.conf;systemctl restart rsyslog

#/etc/profile 文件中umask加固项
sed -i s'/umask 022/umask 027/g' /etc/profile
. /etc/profile

#su到root加固项
sed -i 's/auth\t\tsufficient\tpam_rootok.so/auth sufficient \/lib\/security\/pam_rootok.so/g' /etc/pam.d/su
sed -i '2aauth required pam_wheel.so group=wheel' /etc/pam.d/su

#密码复杂度加固项
sed -i  s"/^PASS_MIN_LEN/#PASS_MIN_LEN/g" /etc/login.defs
sed -i "/#PASS_MIN_LEN/a\PASS_MIN_LEN 8" /etc/login.defs

sed -i  s"/^PASS_MAX_DAYS/#PASS_MAX_DAYS/g" /etc/login.defs
sed -i  "/#PASS_MAX_DAYS/a\PASS_MAX_DAYS 90" /etc/login.defs

sed -i  s"/^password    required/#password    required/g" /etc/pam.d/system-auth
sed -i  "/#password    required/a\password required pam_passwdqc.so min=disabled,disabled,disabled,8,8" /etc/pam.d/system-auth

sed -i  s"/^password    requisite/#password    requisite/g" /etc/pam.d/system-auth
sed -i  "/#password    requisite/a\password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=" /etc/pam.d/system-auth

#用户口令防爆破
sed -i '/#%PAM-1.0/a\account required pam_tally2.so' /etc/pam.d/sshd
sed -i '/#%PAM-1.0/a\auth required pam_tally2.so deny=10 unlock_time=600 even_deny_root root_unlock_time=3600' /etc/pam.d/sshd

#ntp配置
yum install chrony –y
systemctl start  chronyd
systemctl enable chronyd

sed -i s'/^server/#server/g' /etc/chrony.conf 
echo "server 172.29.9.5 iburst" >> /etc/chrony.conf 
echo "server 172.29.9.6 iburst" >> /etc/chrony.conf 
systemctl restart  chronyd

#UseDNS选项
sed -i "s/#UseDNS yes/UseDNS no/g" /etc/ssh/sshd_config
systemctl restart  sshd

#禁止root用户登录,默认允许root用户登录
sed -i s"/PermitRootLogin yes/PermitRootLogin no/g" /etc/ssh/sshd_config 
systemctl restart sshd 

chmod 0755 /usr/bin/pkexec
最后One 更新
0%