
Linux baseline check and hardening

Posted: 2024-06-06 09:11:30  Views: 12
Tags: shell vsftpd ansible task etc baseline hosts linux hardening

Change the vsftpd banner (echo) message

# 1. Check the current banner setting on every host
ansible -i hosts task -m shell -a "grep 'ftpd_banner' /etc/vsftpd/vsftpd.conf"
# 2. Comment out any existing ftpd_banner line (run through ansible so it happens on every host, not only on the control node)
ansible -i hosts task -m shell -a "sed -i '/ftpd_banner/s/^/#/g' /etc/vsftpd/vsftpd.conf"
# 3. Append the new banner. Keep the value in single quotes: nesting double quotes inside the double-quoted -a argument breaks the shell quoting
ansible -i hosts task -m shell -a "echo 'ftpd_banner=Authorized users only. All activity may be monitored and reported.' >> /etc/vsftpd/vsftpd.conf"
# 4. Confirm vsftpd is running, reload it and verify (do not run the sed from step 2 again after step 3, or the new line is commented out as well)
ansible -i hosts task -m shell -a "systemctl is-active vsftpd"
ansible -i hosts task -m shell -a "systemctl reload vsftpd"
ansible -i hosts task -m shell -a "grep 'ftpd_banner' /etc/vsftpd/vsftpd.conf"

---------------------------------------------------------------------------------------------------------------------
Disable anonymous FTP

ansible -i hosts task -m shell -a "systemctl is-active vsftpd"
# expected active setting: anonymous_enable=NO
ansible -i hosts task -m shell -a "grep 'anonymous_enable' /etc/vsftpd/vsftpd.conf"
---------------------------------------------------------------------------------------------------------------------
Hide the SSH banner

ansible -i hosts task -m shell -a "grep 'Banner' /etc/ssh/sshd_config"
ansible -i hosts task -m shell -a "cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config_bak20240605"
ansible -i hosts task -m shell -a "sed -i '/Banner/s/^/#/g' /etc/ssh/sshd_config"
ansible -i hosts task -m shell -a "systemctl reload sshd"
---------------------------------------------------------------------------------------------------------------------
Change the vsftpd banner (echo) message (with a backup of the previous setting)

ansible -i hosts task -m shell -a "grep 'ftpd_banner' /etc/vsftpd/vsftpd.conf" | tee ./20240605bak/ftpd_banner.log
ansible -i hosts task -m shell -a "sed -i '/ftpd_banner/s/^/#/g' /etc/vsftpd/vsftpd.conf"
ansible -i hosts task -m shell -a "echo 'ftpd_banner=Authorized users only. All activity may be monitored and reported.' >> /etc/vsftpd/vsftpd.conf"
ansible -i hosts task -m shell -a "systemctl reload vsftpd"
---------------------------------------------------------------------------------------------------------------------
Protect the audit daemon against unauthorized interruption

sudo chown root:root /etc/audit/auditd.conf
sudo chmod 600 /etc/audit/auditd.conf
sudo chown root:root /etc/audit/audit.rules
sudo chmod 600 /etc/audit/audit.rules
sudo chown root:root /var/log/audit/audit.log
sudo chmod 600 /var/log/audit/audit.log

sudo systemctl restart rsyslog
sudo systemctl reload auditd
sudo systemctl start auditd
sudo systemctl status auditd
# On RHEL/CentOS the auditd unit sets RefuseManualStop=yes, so "systemctl restart auditd" is refused; restart it through the legacy service wrapper instead
sudo service auditd restart
---------------------------------------------------------------------------------------------------------------------
Log file read/write permissions

ansible -i hosts task -m shell -a " ls -la /var/log | grep -E 'messages$|secure$|maillog$|cron$|spooler$|boot.log$' "
ansible -i hosts task -m shell -a "chmod 600 /var/log/messages"
ansible -i hosts task -m shell -a "chmod 600 /var/log/secure"
ansible -i hosts task -m shell -a "chmod 600 /var/log/maillog"
ansible -i hosts task -m shell -a "chmod 600 /var/log/cron"
ansible -i hosts task -m shell -a "chmod 600 /var/log/spooler"
ansible -i hosts task -m shell -a "chmod 600 /var/log/boot.log"
---------------------------------------------------------------------------------------------------------------------
Restrict remote login for users with superuser privileges

ansible -i hosts task -m shell -a " grep 'PermitRootLogin' /etc/ssh/sshd_config  | grep -Ev '^#|^$' "
ansible -i hosts task -m shell -a "sed -i '/PermitRootLogin/s/^/#/g' /etc/ssh/sshd_config"
ansible -i hosts task -m shell -a "echo 'PermitRootLogin no' >> /etc/ssh/sshd_config"
# Appending puts the option at the end of the file: if sshd_config ends with a Match block, the new line lands inside that block and only applies there. sshd also uses the first value of a repeated keyword, which is why the sed step above must comment out the old line. Run sshd -t on the hosts before reloading.
ansible -i hosts task -m shell -a "systemctl reload sshd"
# Equivalent reload on hosts without systemd (/sbin/service sshd reload is the same command run locally on a single host)
ansible -i hosts task -m shell -a "service sshd reload"
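The sed + echo pair above, as an added example (not from the original post) that handles the two sshd_config pitfalls: it inserts the new line before any Match block instead of appending, and comments out the old value because sshd keeps the first value of a repeated keyword. The function names and the sample sshd_config are constructed for this demo.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the sed + echo pair done as a
# function that (1) keeps a backup, (2) comments out the existing setting and
# (3) inserts the new line BEFORE the first "Match" block instead of appending,
# because an option appended after a Match block only applies inside that block.
# sshd keeps the FIRST value of a repeated keyword, so step (2) is what makes
# "PermitRootLogin no" win over an earlier "PermitRootLogin yes".
set -eu

set_sshd_option() {        # usage: set_sshd_option <file> <keyword> <value>
    local file=$1 key=$2 value=$3 tmp
    cp -p "$file" "$file.bak.$(date +%Y%m%d)"
    tmp=$(mktemp)
    awk -v key="$key" -v line="$key $value" '
        # first Match line: put the new global setting right above it
        !done && /^[[:space:]]*Match[[:space:]]/ { print line; done = 1 }
        # still in the global section: comment out old lines for this keyword
        !done && tolower($1) == tolower(key)      { print "#" $0; next }
        { print }
        END { if (!done) print line }             # no Match block: append
    ' "$file" > "$tmp"
    cat "$tmp" > "$file"   # write back through the original inode to keep owner/mode
    rm -f "$tmp"
}

active_value() {           # usage: active_value <file> <keyword>; the value sshd uses globally
    awk -v key="$2" '
        /^[[:space:]]*Match[[:space:]]/ { exit }              # global section ends here
        tolower($1) == tolower(key) && !found { v = $2; found = 1 }
        END { print v }
    ' "$1"
}

# Demo on a constructed sshd_config that ends with a Match block, the case where
# a plain "echo ... >> sshd_config" would land inside that Match block.
demo_file=$(mktemp)
cat > "$demo_file" <<'EOF'
Port 22
PermitRootLogin yes
Match User backup
    PasswordAuthentication no
EOF
set_sshd_option "$demo_file" PermitRootLogin no
cat "$demo_file"
echo "effective PermitRootLogin: $(active_value "$demo_file" PermitRootLogin)"   # no
rm -f "$demo_file" "$demo_file".bak.*
# On a real host, follow up with: sshd -t && systemctl reload sshd
```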


---------------------------------------------------------------------------------------------------------------------
Hide the Telnet banner

ansible -i hosts task -m shell -a " cat /etc/issue.net "
ansible -i hosts task -m shell -a " cp -p /etc/issue.net /etc/issue.net_bak "
ansible -i hosts task -m shell -a "echo 'Authorized users only. All activity may be monitored and reported' > /etc/issue.net"
---------------------------------------------------------------------------------------------------------------------
vsftpd chroot_list configuration

ansible -i hosts task -m shell -a " grep 'chroot_local_user' /etc/vsftpd/vsftpd.conf  | grep -Ev '^#|^$' "
# ll is an interactive-shell alias and does not exist in the non-interactive shell ansible runs commands in; use ls
ansible -i hosts task -m shell -a " ls -l /etc/vsftpd/chroot_list "
# The meaning of the list depends on chroot_local_user: with chroot_local_user=YES the listed users are exempt from the chroot; with NO, only the listed users are chrooted
ansible -i hosts task -m shell -a "echo 'postgres' >> /etc/vsftpd/chroot_list"
ansible -i hosts task -m shell -a " cat /etc/vsftpd/chroot_list "
---------------------------------------------------------------------------------------------------------------------
wu-ftpd banner

ansible -i hosts task -m shell -a "echo 'banner /thisftpbannerfile' >>/etc/ftpaccess"
ansible -i hosts task -m shell -a "touch /thisftpbannerfile"
ansible -i hosts task -m shell -a "echo 'this is banner' >>/thisftpbannerfile"
---------------------------------------------------------------------------------------------------------------------
Automatic logout of idle sessions (TMOUT)

ansible -i hosts task -m shell -a " grep 'TMOUT' /etc/profile  | grep -Ev '^#|^$' "
---------------------------------------------------------------------------------------------------------------------

Check password length and complexity policy

# On RHEL 7+ with pam_pwquality these settings may live in /etc/security/pwquality.conf instead of the pam line
ansible -i hosts task -m shell -a " grep -E '(ucredit=-1)|(lcredit=-1)|(ocredit=-1)|(dcredit=-1)' /etc/pam.d/system-auth"
---------------------------------------------------------------------------------------------------------------------
Restrict login for system accounts

---------------------------------------------------------------------------------------------------------------------
Check whether su is restricted to members of a designated group (wheel)

ansible -i hosts task -m shell -a "grep 'wheel' /etc/pam.d/su | grep -Ev '^#|^$' "
---------------------------------------------------------------------------------------------------------------------
Log file read/write permissions (640)

ansible -i hosts task -m shell -a " ls -la /var/log | grep -E 'messages$|secure$|maillog$|cron$|spooler$|boot.log$' "
---------------------------------------------------------------------------------------------------------------------
Set FTP permissions and access; restrict FTP access for some users

ansible -i hosts task -m shell -a "cat /etc/ftpaccess "
---------------------------------------------------------------------------------------------------------------------
Set permissions on important directories and files

Baseline reference modes: 0440 and 0644 (the commands below set /etc/shadow to 0600 and /etc/passwd and /etc/group to 0644)
ansible -i hosts task -m shell -a "ls -lt /etc/shadow /etc/passwd  /etc/group "
ansible -i hosts task -m shell -a "chmod 0600 /etc/shadow && chmod 0644  /etc/passwd && chmod 0644 /etc/group "
---------------------------------------------------------------------------------------------------------------------
Account password policy meets requirements (maximum password age 90 days)

ansible -i hosts task -m shell -a "grep PASS_MAX_DAYS /etc/login.defs"
---------------------------------------------------------------------------------------------------------------------
Check the default access permissions (umask 027) of new users' home directories

ansible -i hosts task -m shell -a "grep UMASK /etc/login.defs"
---------------------------------------------------------------------------------------------------------------------
Configure logging of cron activity

# Not every one of these files exists on every distribution, so errors for missing files are discarded
cat /etc/rsyslog.conf /etc/syslog.conf /etc/rsyslog.d/50-default.conf /etc/syslog-ng/syslog-ng.conf 2>/dev/null | grep cron
---------------------------------------------------------------------------------------------------------------------
Record user login authentication and privilege changes

(cat /etc/rsyslog.conf;cat /etc/syslog.conf;cat /etc/rsyslog.d/50-default.conf;cat /etc/syslog-ng/syslog-ng.conf) | grep -Ev '^#|^$'|  grep -E '^authpriv|^authpriv.info|^filter'
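The check-only items on this page (TMOUT, PASS_MAX_DAYS, UMASK, password complexity, PermitRootLogin) as scriptable pass/fail functions, an added example that is not part of the original post. The function names are hypothetical and the sample config files are constructed for the demo.

```shell
#!/usr/bin/env bash
# Added example, not from the original post: the check-only items as functions
# that return 0 (pass) or 1 (fail), so the result can be scripted instead of
# read off grep output. Each takes the config file as $1, so it works on a live
# file or on a backup copy. The files written by make_samples are constructed
# for this demo and deliberately fail one item (PASS_MAX_DAYS).

active() { grep -Ev '^[[:space:]]*#|^[[:space:]]*$' "$1"; }  # uncommented lines only

check_tmout() {           # /etc/profile: TMOUT set to 1..600 seconds
    local v; v=$(active "$1" | sed -nE 's/^[[:space:]]*(export[[:space:]]+)?TMOUT=([0-9]+).*/\2/p' | tail -n1)
    [ -n "$v" ] && [ "$v" -ge 1 ] && [ "$v" -le 600 ]
}
check_pass_max_days() {   # /etc/login.defs: PASS_MAX_DAYS <= 90
    local v; v=$(active "$1" | awk '$1 == "PASS_MAX_DAYS" { v = $2 } END { print v }')
    [ -n "$v" ] && [ "$v" -le 90 ]
}
check_umask() {           # /etc/login.defs: UMASK 027
    [ "$(active "$1" | awk '$1 == "UMASK" { v = $2 } END { print v }')" = 027 ]
}
check_pw_complexity() {   # /etc/pam.d/system-auth: all four credit classes required (-1)
    local c               # (on RHEL 7+ these may live in /etc/security/pwquality.conf instead)
    for c in ucredit lcredit dcredit ocredit; do
        active "$1" | grep -qE "[[:space:]]$c=-1([[:space:]]|$)" || return 1
    done
}
check_root_login() {      # sshd_config: the FIRST active PermitRootLogin is the one sshd uses
    [ "$(active "$1" | awk 'tolower($1) == "permitrootlogin" { print $2; exit }')" = no ]
}

make_samples() {          # constructed sample configs, written into directory $1
    printf 'export TMOUT=300\n' > "$1/profile"
    printf 'PASS_MAX_DAYS 99999\nUMASK 027\n' > "$1/login.defs"
    printf 'password requisite pam_pwquality.so retry=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1\n' > "$1/system-auth"
    printf '#PermitRootLogin yes\nPermitRootLogin no\n' > "$1/sshd_config"
}

audit() {                 # run every check on directory $1; print PASS/FAIL; return the number of failures
    local d=$1 fails=0 c
    for c in "check_tmout $d/profile" "check_pass_max_days $d/login.defs" "check_umask $d/login.defs" \
             "check_pw_complexity $d/system-auth" "check_root_login $d/sshd_config"; do
        if $c; then echo "PASS $c"; else echo "FAIL $c"; fails=$((fails + 1)); fi
    done
    return "$fails"
}

dir=$(mktemp -d); make_samples "$dir"
audit "$dir" || echo "$? item(s) failed"    # prints: 1 item(s) failed
rm -rf "$dir"
```

Point the functions at files copied from the hosts (for example the backups the commands above create) to audit real systems the same way.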
---------------------------------------------------------------------------------------------------------------------
From: https://www.cnblogs.com/libin-linux/p/18234400
