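#!/bin/bash
# auth:chenjf
# func:centos7_加固 (CentOS 7 baseline hardening)
# version:v5.0
# sys:CentOS Linux release 7.9.2009 (Core)
#
# Usage: run as root from the directory the backups should be written to.
# Originals are copied to ./baseline-bak/ next to this script before they
# are edited; the script then asks for the new SSH port and a y/n confirmation.
#
# Abort early unless we are root: every later step writes under /etc.
if (( EUID != 0 )); then
  printf '%s\n' "please use root to execute the script!" >&2
  exit 1
fi
#definition environment variable.
# Pin PATH to system directories only, so no user-writable directory is searched.
export PATH=/sbin/:/usr/sbin/:/bin/:/usr/bin/
# Timestamp suffix used for every per-run backup copy made below.
DATE=$(date +%Y%m%d-%H:%M:%S)
printf '%s\n' \
  "###################################################################################" \
  "# #" \
  "# centos7基础系统基线加固V5 #" \
  "# #" \
  "###################################################################################"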
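###备份重要文件###
# Keep one pristine copy of every file this script edits under
# baseline-bak/source. A copy is written only once (first run wins) so a
# rollback to the pre-hardening state is always possible; the per-section
# timestamped copies below are made on every run.
localpath=$(cd "$(dirname "$0")" && pwd)
mkdir -p "$localpath/baseline-bak/source"
# Files edited later in this script; the backup name is the basename.
# (The original loop checked for yum.conf before copying system-auth, so the
# system-auth backup was skipped on every run after the first.)
baseline_sources=(
  /etc/ssh/sshd_config
  /etc/sysctl.conf
  /etc/pam.d/system-auth
  /etc/pam.d/password-auth
  /etc/default/grub
  /etc/profile
  /etc/bashrc
  /etc/yum.conf
  /etc/audit/rules.d/audit.rules
  /etc/audit/auditd.conf
  /etc/issue.net
  /etc/issue
)
for src in "${baseline_sources[@]}"; do
  dst="$localpath/baseline-bak/source/${src##*/}"
  if [[ -f "$dst" ]]; then
    continue
  fi
  if [[ ! -e "$src" ]]; then
    printf '%s\n' "------------WARNING: $src not found, nothing to back up" >&2
    continue
  fi
  # -L dereferences symlinks: /etc/pam.d/system-auth is normally a relative
  # symlink to system-auth-ac, and a plain 'cp -a' would store a dangling link.
  cp -aL -- "$src" "$dst"
done
echo "------------The original files are backed up"
echo "------------Start hardening the system"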
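# Ask for the new SSH port; an empty answer keeps the advertised default of 22
# (the original never applied it and would have written a bare "Port " line).
# Only a numeric port in 1-65535 is accepted, because the value goes straight
# into sshd_config and a bad value leaves sshd unable to start.
while :; do
  read -r -p "Please enter ssh port number you want to change (default is 22):" sshport
  sshport=${sshport:-22}
  # 10# forces decimal so a leading zero is not parsed as octal.
  if [[ "$sshport" =~ ^[0-9]{1,5}$ ]] && (( 10#$sshport >= 1 && 10#$sshport <= 65535 )); then
    break
  fi
  echo "Please input a port number between 1 and 65535 ..."
done
read -r -p "Are you sure? This may cause the ssh connection to break!!!(e.g.[y/n])" choice
until [[ "$choice" == "y" || "$choice" == "n" ]]; do
  echo "Please input y or n ..."
  read -r choice
done
if [[ "$choice" == "n" ]]; then
  exit 0
fi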
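####加固ssh###
#######################################
# Set one sshd_config directive: rewrite an existing (possibly commented-out)
# "Key value" line in place, otherwise append it.
# The key is anchored at line start so "Port" never matches "GatewayPorts"
# (the original "^\s*.*Port" pattern did). '|' is the sed delimiter because
# values such as /etc/issue.net contain '/'.
# Arguments: $1 - directive name, $2 - value
#######################################
sshd_set() {
  local key=$1 value=$2
  local cfg=/etc/ssh/sshd_config
  if grep -Eq "^\s*#?\s*${key}\s+" "$cfg"; then
    sed -ri "s|^\s*#?\s*${key}\s+.*$|${key} ${value}|" "$cfg"
  else
    printf '%s %s\n' "$key" "$value" >> "$cfg"
  fi
}
cp -a /etc/ssh/sshd_config "/etc/ssh/sshd_config-${DATE}.bak" && cp -a /etc/ssh/sshd_config "$localpath/baseline-bak/sshd_config-${DATE}.bak"
sshd_set Port "$sshport"
echo "------------Change the ssh port to $sshport"
sshd_set PermitRootLogin no
echo "------------Disable the remote login with the root permission"
sshd_set LoginGraceTime 60
echo "------------set LoginGraceTime 60 in /etc/ssh/sshd_config"
# Pre-authentication banner. The here-doc is unquoted, so "$(date)" is
# expanded once, now; the banner will show the hardening time, not the login time.
cat << EOF > /etc/issue.net
********************************************************************************
* SSH登录系统安全警告信息 *
********************************************************************************
欢迎使用本系统!您已成功通过SSH登录到服务器。
请注意:
1. 请确保您的登录行为符合公司/组织的安全政策,并仅用于授权操作。
2. 系统会记录所有登录活动,非法访问将被追踪并报告给相关部门。
3. 请勿在未经授权的情况下共享您的密码或密钥,定期更换密码以增强安全性。
4. 登录后请立即更新系统及应用程序至最新版本,保持系统补丁的及时安装。
5. 若发现任何可疑活动,请立即向IT部门报告。
感谢您对网络安全的贡献,让我们共同维护系统的稳定与安全!
---
系统管理员团队敬上
当前时间:$(date)
********************************************************************************
EOF
sshd_set Banner /etc/issue.net
echo "------------set Alarm slogan of ssh login "
# OpenSSH 7.4 (CentOS 7.9) only speaks protocol 2; the directive is kept for
# older builds and is otherwise ignored.
sshd_set Protocol 2
echo "------------set Protocol 2 in /etc/ssh/sshd_config"
# MAC list as recommended by the CIS benchmark. The published copy of this
# script shows the names mangled into "[email protected]" (e-mail obfuscation);
# sshd rejects such a spec and refuses to start, so the list is spelled out.
sshd_set MACs "hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com"
echo "------------Use approved MAC algorithms in /etc/ssh/sshd_config"
sshd_set MaxAuthTries 4
echo "------------set MaxAuthTries 4 in /etc/ssh/sshd_config"
sshd_set LogLevel INFO
echo "------------set LogLevel INFO in /etc/ssh/sshd_config"
sshd_set HostbasedAuthentication no
echo "------------set HostbasedAuthentication no in /etc/ssh/sshd_config"
sshd_set ClientAliveInterval 300
echo "------------set ClientAliveInterval 300 in /etc/ssh/sshd_config"
sshd_set ClientAliveCountMax 0
echo "------------set ClientAliveCountMax 0 in /etc/ssh/sshd_config"
sshd_set IgnoreRhosts yes
echo "------------set IgnoreRhosts yes in /etc/ssh/sshd_config"
sshd_set PermitEmptyPasswords no
echo "------------set PermitEmptyPasswords no in /etc/ssh/sshd_config"
# Validate the configuration before restarting: a syntax or algorithm error
# would otherwise leave sshd down and lock out every remote administrator.
if ! sshd -t; then
  printf '%s\n' "------------ERROR: sshd_config failed validation, restoring backup, sshd NOT restarted" >&2
  cp -a "/etc/ssh/sshd_config-${DATE}.bak" /etc/ssh/sshd_config
else
  # A non-default port must also be allowed by SELinux and firewalld, or the
  # service restarts cleanly and nobody can reach it.
  if [[ "$sshport" != "22" ]]; then
    if command -v semanage >/dev/null 2>&1; then
      semanage port -a -t ssh_port_t -p tcp "$sshport" >/dev/null 2>&1 \
        || semanage port -m -t ssh_port_t -p tcp "$sshport" >/dev/null 2>&1
    else
      printf '%s\n' "------------WARNING: semanage not found; label port $sshport as ssh_port_t if SELinux is enforcing" >&2
    fi
    if systemctl is-active --quiet firewalld; then
      firewall-cmd --permanent --add-port="${sshport}/tcp" >/dev/null 2>&1 && firewall-cmd --reload >/dev/null 2>&1
    fi
  fi
  # (The original "2&>/dev/null" passed a literal "2" as an extra unit name.)
  systemctl restart sshd >/dev/null 2>&1 || printf '%s\n' "------------ERROR: sshd restart failed, check 'systemctl status sshd'" >&2
fi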
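####加固yum###
cp -a /etc/yum.conf "/etc/yum.conf-${DATE}.bak" && cp -a /etc/yum.conf "$localpath/baseline-bak/yum.conf-${DATE}.bak"
# Require GPG signature checks for every package. Rewrite an existing gpgcheck
# line, otherwise append one (the old "a && b || c" form appended a duplicate
# whenever sed failed). Note that a repo file in /etc/yum.repos.d/ with its
# own gpgcheck=0 still overrides this global default.
if grep -Eq "^gpgcheck\s*=" /etc/yum.conf; then
  sed -ri "s/^gpgcheck\s*=.*$/gpgcheck=1/" /etc/yum.conf
else
  echo "gpgcheck=1" >> /etc/yum.conf
fi
echo "------------Set gpgcheck to 1 in /etc/yum.conf"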
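####加固系统内核参数###
cp -a /etc/sysctl.conf "/etc/sysctl.conf-${DATE}.bak" && cp -a /etc/sysctl.conf "$localpath/baseline-bak/sysctl.conf-${DATE}.bak"
#######################################
# Set "key = value" in /etc/sysctl.conf: rewrite an existing line for the
# same key, otherwise append it. Dots in the key are escaped for the regex.
# Arguments: $1 - sysctl key, $2 - value
#######################################
sysctl_set() {
  local key=$1 value=$2
  local cfg=/etc/sysctl.conf
  local re=${key//./\\.}
  if grep -Eq "^\s*${re}\s*=" "$cfg"; then
    sed -ri "s|^\s*${re}\s*=.*$|${key} = ${value}|" "$cfg"
  else
    printf '%s = %s\n' "$key" "$value" >> "$cfg"
  fi
}
sysctl_set net.ipv4.conf.all.secure_redirects 0
sysctl_set net.ipv4.conf.default.secure_redirects 0
echo "------------secure ICMP redirection is not accepted"
# Core dumps: hard limit 0 for every user plus no dumps from setuid programs.
if grep -Eq "^\s*\*\s+hard\s+core\s+" /etc/security/limits.conf; then
  sed -ri "s/^\s*\*\s+hard\s+core\s+.*$/* hard core 0/" /etc/security/limits.conf
else
  echo "* hard core 0" >> /etc/security/limits.conf
fi
sysctl_set fs.suid_dumpable 0
echo "------------The core dump is restricted"
sysctl_set net.ipv4.conf.all.log_martians 1
sysctl_set net.ipv4.conf.default.log_martians 1
echo "------------Log suspicious packets"
sysctl_set net.ipv6.conf.all.accept_ra 0
sysctl_set net.ipv6.conf.default.accept_ra 0
echo "------------IPv6 router notification is not accepted"
sysctl_set net.ipv4.conf.all.rp_filter 1
sysctl_set net.ipv4.conf.default.rp_filter 1
echo "------------Enable reverse path filtering"
sysctl_set net.ipv4.conf.all.accept_source_route 0
sysctl_set net.ipv4.conf.default.accept_source_route 0
echo "------------Source routing packets are not accepted"
sysctl_set net.ipv4.conf.all.send_redirects 0
sysctl_set net.ipv4.conf.default.send_redirects 0
echo "------------Packet redirection is disabled"
sysctl_set net.ipv4.ip_forward 0
echo "------------Disabling IP forwarding"
sysctl_set net.ipv6.conf.all.accept_redirects 0
sysctl_set net.ipv6.conf.default.accept_redirects 0
echo "------------IPv6 redirection is not accepted"
sysctl_set net.ipv4.tcp_syncookies 1
echo "------------TCP SYN Cookies are enabled"
sysctl_set net.ipv4.conf.all.accept_redirects 0
sysctl_set net.ipv4.conf.default.accept_redirects 0
echo "------------ICMP redirection is not accepted"
sysctl_set kernel.randomize_va_space 2
echo "------------Address space layout Randomization (ASLR) enabled"
# -e ignores keys the running kernel does not have (the net.ipv6.* keys vanish
# once ipv6.disable=1 from the grub section is in effect), so the remaining
# settings are still applied instead of the whole load aborting.
sysctl -e -p >/dev/null 2>&1 || printf '%s\n' "------------WARNING: sysctl -p reported errors, check /etc/sysctl.conf" >&2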
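###禁用模块###
# Block uncommon filesystems / protocols with an "install <mod> /bin/true"
# stub so they can never be loaded. vfat is left alone when the machine
# booted via UEFI or has a vfat filesystem mounted: /boot/efi is vfat, and
# blacklisting it makes the next boot fail to mount the ESP.
cis_modules=(rds jffs2 sctp dccp udf hfsplus squashfs hfs freevxfs cramfs tipc)
unload_modules=(jffs2 udf hfsplus hfs freevxfs cramfs)
if [[ -d /sys/firmware/efi ]] || grep -qw vfat /proc/mounts; then
  echo "------------vfat is in use (UEFI/ESP), leaving it enabled"
else
  cis_modules+=(vfat)
  unload_modules+=(vfat)
fi
{
  for mod in "${cis_modules[@]}"; do
    printf 'install %s /bin/true\n' "$mod"
  done
} > /etc/modprobe.d/CIS.conf
# Unload what is loaded now; a module still in use stays until reboot.
# modprobe -r also drops now-unused dependencies, which rmmod does not.
# (The original "2&>/dev/nul" created a regular file named /dev/nul.)
for mod in "${unload_modules[@]}"; do
  modprobe -r "$mod" >/dev/null 2>&1
done
echo "------------Disable RDS/jffs2/sctp/DCCP/udf/hfsplus/squashfs/hfs/freevxfs/cramfs/tipc"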
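###加固登录验证###
# Lock an account for 900 s after 5 failed logins (root too, for 30 s) via
# pam_tally2 in both PAM stacks. Notes:
#  * On CentOS 7 system-auth and password-auth are relative symlinks to the
#    *-ac files. 'sed -i' without --follow-symlinks replaces the symlink with
#    a regular file, and 'cp -a' of the symlink stores a dangling link as the
#    backup; both are avoided here.
#  * 'authconfig --update' regenerates the *-ac files and drops these lines.
for pamfile in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
  name=${pamfile##*/}
  cp -aL "$pamfile" "${pamfile}-${DATE}.bak" && cp -aL "$pamfile" "$localpath/baseline-bak/${name}-${DATE}.bak"
  # Replace any earlier tally line (with or without arguments) instead of
  # stacking a second one on every run.
  sed -ri --follow-symlinks "/^\s*auth\s+required\s+pam_tally2\.so(\s+.*)?$/d" "$pamfile"
  sed -ri --follow-symlinks "1a auth required pam_tally2.so deny=5 unlock_time=900 even_deny_root root_unlock_time=30" "$pamfile"
  if ! grep -Eq "^\s*account\s+required\s+pam_tally2\.so\s*(#.*)?$" "$pamfile"; then
    sed -ri --follow-symlinks '/^account\s+required\s+pam_permit\.so\s*(#.*)?$/a\account required pam_tally2.so' "$pamfile"
  fi
done
echo "------------Password try 5 locks for 900 seconds"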
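###grub加固###
cp -a /etc/default/grub "/etc/default/grub-${DATE}.bak" && cp -a /etc/default/grub "$localpath/baseline-bak/grub-${DATE}.bak"
# Append kernel parameters to GRUB_CMDLINE_LINUX and regenerate grub.cfg once.
# The new config is built in a temp file and copied over only on success:
# "grub2-mkconfig > grub.cfg" truncated the real file before mkconfig ran and
# left an empty, unbootable config if it failed. UEFI installs keep the config
# under /boot/efi/EFI/centos/, so that path is used when it exists. sudo is
# not needed: the script already refuses to run as non-root.
# NOTE(review): ipv6.disable=1 removes IPv6 entirely; services that bind to
# "::" fail after reboot — confirm this matches site policy before applying.
grub_changed=0
for param in ipv6.disable=1 audit=1; do
  if grep -q "$param" /etc/default/grub; then
    echo "GRUB_CMDLINE_LINUX already contains $param"
  else
    sed -i "/GRUB_CMDLINE_LINUX/s/\"$/ $param\"/" /etc/default/grub
    grub_changed=1
  fi
done
if (( grub_changed )); then
  grub_cfg=/boot/grub2/grub.cfg
  [[ -f /boot/efi/EFI/centos/grub.cfg ]] && grub_cfg=/boot/efi/EFI/centos/grub.cfg
  grub_tmp=$(mktemp) || grub_tmp=""
  if [[ -n "$grub_tmp" ]] && grub2-mkconfig -o "$grub_tmp" >/dev/null 2>&1; then
    cp -f "$grub_tmp" "$grub_cfg"
  else
    printf '%s\n' "------------ERROR: grub2-mkconfig failed, $grub_cfg left unchanged" >&2
  fi
  [[ -n "$grub_tmp" ]] && rm -f -- "$grub_tmp"
fi
echo "------------Disable ipv6"
echo "------------Enable audit=1 (audit processes started before auditd)"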
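###umask加固###
# Default umask 027 and a 600 s idle-shell timeout in both login files.
# The same regex drives the test and the rewrite: the original used two
# slightly different TMOUT patterns, so a one-digit value matched the test
# but not the replacement and was left as it was. Every umask line in
# /etc/profile (both branches of its UID test) becomes "umask 027", as before.
for shfile in /etc/profile /etc/bashrc; do
  name=${shfile##*/}
  cp -a "$shfile" "${shfile}-${DATE}.bak" && cp -a "$shfile" "$localpath/baseline-bak/${name}-${DATE}.bak"
  if grep -Eq "^\s*umask\s+\w+" "$shfile"; then
    sed -ri "s/^\s*umask\s+\w+.*$/umask 027/" "$shfile"
  else
    echo "umask 027" >> "$shfile"
  fi
  if grep -Eq "^\s*(export\s+)?TMOUT=" "$shfile"; then
    sed -ri "s/^\s*(export\s+)?TMOUT=.*$/export TMOUT=600/" "$shfile"
  else
    echo "export TMOUT=600" >> "$shfile"
  fi
done
echo "------------set umask 027"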
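###cron文件夹权限加固###
# Restrict the cron drop-in directories, /etc/crontab and grub.cfg to root.
# The mode and owner of each path are recorded before the change so the
# rollback values (回滚: 755 for the cron directories, 644 for /etc/crontab
# and grub.cfg on a stock install) do not have to be remembered. Paths that
# are absent (e.g. cronie not installed) are reported and skipped instead of
# producing chown/chmod errors.
perm_record="$localpath/baseline-bak/perms-${DATE}.txt"
for path in /etc/cron.hourly /etc/cron.monthly /etc/cron.daily /etc/cron.weekly /etc/cron.d /etc/crontab /boot/grub2/grub.cfg; do
  if [[ ! -e "$path" ]]; then
    printf '%s\n' "------------WARNING: $path not found, skipped" >&2
    continue
  fi
  printf '%s %s %s\n' "$(stat -c '%a' "$path")" "$(stat -c '%U:%G' "$path")" "$path" >> "$perm_record"
  chown root:root "$path"
  chmod og-rwx "$path"
  echo "------------Narrow permissions $path"
done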
# Local console pre-login banner, same text as the SSH banner in /etc/issue.net.
# NOTE: the here-doc is unquoted, so "$(date)" is expanded once, now; the
# banner will keep showing the time this script ran, not the current time.
cat << EOF > /etc/issue
********************************************************************************
* SSH登录系统安全警告信息 *
********************************************************************************
欢迎使用本系统!您已成功通过SSH登录到服务器。
请注意:
1. 请确保您的登录行为符合公司/组织的安全政策,并仅用于授权操作。
2. 系统会记录所有登录活动,非法访问将被追踪并报告给相关部门。
3. 请勿在未经授权的情况下共享您的密码或密钥,定期更换密码以增强安全性。
4. 登录后请立即更新系统及应用程序至最新版本,保持系统补丁的及时安装。
5. 若发现任何可疑活动,请立即向IT部门报告。
感谢您对网络安全的贡献,让我们共同维护系统的稳定与安全!
---
系统管理员团队敬上
当前时间:$(date)
********************************************************************************
EOF
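# Audit rule set, staged next to the script and installed into
# /etc/audit/rules.d/ in the audit section below. Watches cover identity
# files, SELinux policy, login records and the sudo scope (the original
# listed the two sudoers watches twice). pam_tally2, configured above,
# keeps its counters in /var/log/tallylog, so that file is watched as well.
# "-e 2" makes the rules immutable: once loaded they cannot be changed, not
# even by re-running this script, until the next reboot.
cat << 'EOF' > "$localpath/audit.rules"
## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /etc/selinux/ -p wa -k MAC-policy
-w /usr/share/selinux/ -p wa -k MAC-policy
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k logins
-w /var/log/btmp -p wa -k logins
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
-w /var/log/sudo.log -p wa -k actions
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
-w /var/log/tallylog -p wa -k logins
-e 2
EOF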
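###加固audit###
cp -a /etc/audit/auditd.conf "/etc/audit/auditd.conf-${DATE}.bak" && cp -a /etc/audit/auditd.conf "$localpath/baseline-bak/auditd.conf-${DATE}.bak"
cp -a /etc/audit/rules.d/audit.rules "/etc/audit/rules.d/audit.rules-${DATE}.bak" && cp -a /etc/audit/rules.d/audit.rules "$localpath/baseline-bak/audit.rules-${DATE}.bak"
#######################################
# Set "key = value" in /etc/audit/auditd.conf: rewrite an existing line for
# the key, otherwise append it.
# Arguments: $1 - auditd.conf key, $2 - value
#######################################
auditd_set() {
  local key=$1 value=$2
  local cfg=/etc/audit/auditd.conf
  if grep -Eq "^\s*${key}\s*=" "$cfg"; then
    sed -ri "s/^\s*${key}\s*=.*$/${key} = ${value}/" "$cfg"
  else
    printf '%s = %s\n' "$key" "$value" >> "$cfg"
  fi
}
# "email" only reaches anyone if a local MTA delivers mail for root;
# "halt" stops the machine when the audit partition fills up, which is the
# intended trade-off (no activity without an audit record).
auditd_set space_left_action email
echo "------------set space_left_action = email in /etc/audit/auditd.conf"
auditd_set action_mail_acct root
echo "------------set action_mail_acct = root in /etc/audit/auditd.conf"
auditd_set admin_space_left_action halt
echo "------------set admin_space_left_action = halt in /etc/audit/auditd.conf"
auditd_set max_log_file_action keep_logs
echo "------------set max_log_file_action = keep_logs in /etc/audit/auditd.conf"
\cp -a "$localpath/audit.rules" /etc/audit/rules.d/audit.rules
echo "------------set rules into /etc/audit/rules.d/audit.rules"
# On CentOS 7 auditd.service carries RefuseManualStop, so "systemctl restart
# auditd" is rejected and the original line failed silently (and its
# "2&>/dev/nul" created a regular file). The SysV wrapper is the supported
# restart path; augenrules is the fallback. If the rules were already loaded
# with -e 2 on an earlier run, the kernel refuses new rules until reboot.
if ! service auditd restart >/dev/null 2>&1; then
  augenrules --load >/dev/null 2>&1 || printf '%s\n' "------------WARNING: could not reload audit rules, reboot to apply" >&2
fi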