# Linux Level 3 MLPS (等保) Remediation Script
Remediation script for the Level 3 requirements of the national MLPS 2.0 standard (等保2.0).

## MLPS compliance requirements covered

> Identity authentication, access control, security audit, intrusion prevention, malicious code prevention

### Specific remediation items

| Severity | Category | Check item |
|---|---|---|
| High | Identity authentication | Check whether a password lifetime is set |
| High | Identity authentication | Check whether a minimum number of days between password changes is set |
| High | Identity authentication | Check the minimum password length |
| High | Access control | Check whether PAM restricts `su` to root to members of the wheel group |
| High | Identity authentication | Check whether a pre-expiry warning period is set |
| High | Resource control | Check whether remote root login is disabled |
| High | Access control | Configure the security of cron and at |
| High | Access control | Whether SELinux is enabled |
| High | Intrusion prevention | Check whether the host firewall and TCP SYN protection are enabled |
| Medium | Access control | Check the attribute settings of important files |
| Medium | Access control | Check user umask settings |
| Medium | Identity authentication | Check the password reuse limit |
| Medium | Access control | Check permission settings of important directories and files |
| Medium | Access control | Check the OpenSSH security configuration |
| Low | Identity authentication | Check whether an SSH pre-login warning banner is set |
| Low | Identity authentication | Check whether remote logging is configured |
| Low | Identity authentication | Check whether a boot loader password is set |
| Low | Identity authentication | Check whether automatic screen locking is configured (for devices with a graphical interface) |
| Low | Intrusion prevention | Check whether remote login is restricted to an IP range |
| Low | Access control | Check the alias file /etc/aliases (or /etc/mail/aliases) configuration |
| Low | Identity authentication | Check the limit on failed authentication attempts |

## Linux system-layer Level 3 remediation script (work in progress)

```bash
#!/bin/bash
# Only for the CentOS 7.x series
# Update 2021.12.03 by Nathan

# Operation log file
oplog=./oplog.log
# Backup directory for the original files
oriDir=./oriDir
if [ ! -d $oriDir ];then mkdir $oriDir -p;fi
time="`date +%s`"

# Back up a file or directory under $oriDir/<timestamp>, with "/" replaced by "·" in the name
function copy {
    pathName=$(echo "$1"|cut -c 2-|sed 's!/!·!g')
    mkdir -p $oriDir/$time
    cp -frp $1 $oriDir/$time/$pathName >/dev/null 2>&1
}
function update {
    echo "[`date +%F\ %H:%M:%S`] [SUCCESS] Success to update item \`$1\` from \`$2\`" >> $oplog
}
function warn {
    echo "[`date +%F\ %H:%M:%S`] [WARN] $1" >> $oplog
}
function error {
    case $1 in
        nofile)
            echo "[`date +%F\ %H:%M:%S`] [FAILED] Setting item \`$2\` to \`$3\` failed,because there is no \`$4\` file" >> $oplog
            ;;
        noitem)
            echo "[`date +%F\ %H:%M:%S`] [FAILED] Setting item \`$2\` to \`$3\` failed,because there is no item in \`$4\` file" >> $oplog
            ;;
        noset)
            echo "[`date +%F\ %H:%M:%S`] [FAILED] Setting value \`$2\` to \`$3\` failed,please check file about \`$4\` by manual" >> $oplog
            ;;
        exists)
            echo "[`date +%F\ %H:%M:%S`] [WARN] Configuration item \`$2\` already exists by \`$3\` ,skip file \`$4\`" >> $oplog
            ;;
    esac
}
# Resolve the full path of a command (prints nothing when no name is given)
function cmd {
    if [[ $1 == '' ]];then echo '';return 0;fi
    resCmd=$(/usr/bin/whereis $1|awk '{print $2}')
    echo $resCmd
}

# High-risk fixes
copy /etc/login.defs
# Password maximum lifetime // default 99999
if [ -f /etc/login.defs ];then
    res=$(sed -n "/^PASS_MAX_DAYS.*/p" /etc/login.defs)
    if [[ $res == '' ]];then
        error noitem PASS_MAX_DAYS 90 /etc/login.defs
    else
        sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/g' /etc/login.defs
        update PASS_MAX_DAYS /etc/login.defs
    fi
else
    error nofile PASS_MAX_DAYS 90 /etc/login.defs
fi
# Minimum number of days between password changes // default 0
if [ -f /etc/login.defs ];then
    res=$(sed -n "/^PASS_MIN_DAYS.*/p" /etc/login.defs)
    if [[ $res == '' ]];then
        error noitem PASS_MIN_DAYS 2 /etc/login.defs
    else
        sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 2/g' /etc/login.defs
        update PASS_MIN_DAYS /etc/login.defs
    fi
else
    error nofile PASS_MIN_DAYS 2 /etc/login.defs
fi
# Minimum password length // default 5
if [ -f /etc/login.defs ];then
    res=$(sed -n "/^PASS_MIN_LEN.*/p" /etc/login.defs)
    if [[ $res == '' ]];then
        error noitem PASS_MIN_LEN 8 /etc/login.defs
    else
        sed -i 's/^PASS_MIN_LEN.*/PASS_MIN_LEN 8/g' /etc/login.defs
        update PASS_MIN_LEN /etc/login.defs
    fi
else
    error nofile PASS_MIN_LEN 8 /etc/login.defs
fi
# Warning period before password expiry // default 7
if [ -f /etc/login.defs ];then
    res=$(sed -n "/^PASS_WARN_AGE.*/p" /etc/login.defs)
    if [[ $res == '' ]];then
        error noitem PASS_WARN_AGE 30 /etc/login.defs
    else
        sed -i 's/^PASS_WARN_AGE.*/PASS_WARN_AGE 30/g' /etc/login.defs
        update PASS_WARN_AGE /etc/login.defs
    fi
else
    error nofile PASS_WARN_AGE 30 /etc/login.defs
fi

copy /etc/ssh/sshd_config
# Forbid remote ssh login as root
if [ -f /etc/ssh/sshd_config ];then
    res1=$(sed -n "/^PermitRootLogin.*/p" /etc/ssh/sshd_config)
    res2=$(sed -n "/^#PermitRootLogin.*/p" /etc/ssh/sshd_config)
    if [[ $res1 == '' ]] && [[ $res2 == '' ]];then
        # No directive at all: insert at the top of the file, which works whatever its length
        sed -i '1i\PermitRootLogin no' /etc/ssh/sshd_config
    elif [[ $res1 == '' ]] && [[ $res2 != '' ]];then
        # Only the commented default exists: uncomment and set it
        sed -i 's/^#PermitRootLogin.*/PermitRootLogin no/g' /etc/ssh/sshd_config
    elif [[ $res1 != '' ]];then
        # An active directive exists: rewrite the active line itself
        sed -i 's/^PermitRootLogin.*/PermitRootLogin no/g' /etc/ssh/sshd_config
    fi
    update PermitRootLogin /etc/ssh/sshd_config
    warn 'Please reload sshd service by manual,because value of `PermitRootLogin` is updated'
else
    error nofile PermitRootLogin no /etc/ssh/sshd_config
fi

copy /etc/pam.d/su
# Use the PAM wheel module so that only members of the wheel group can su to root // not set by default
if [ -f /etc/pam.d/su ];then
    # Whitespace-tolerant match, since the stock file separates fields with tabs
    res=$(grep -E '^auth\s+required\s+pam_wheel.so\s+group=wheel' /etc/pam.d/su|wc -l)
    if [[ $res == 0 ]]; then
        sed -i '2i\auth sufficient pam_rootok.so\nauth required pam_wheel.so group=wheel' /etc/pam.d/su
        update 'auth sufficient pam_rootok.so & auth required pam_wheel.so group=wheel' /etc/pam.d/su
        warn "Please add user to wheel group,cmd:\`usermod -aG wheel username\`"
    else
        error exists 'auth sufficient pam_rootok.so & auth required pam_wheel.so group=wheel' 'add config' /etc/pam.d/su
    fi
else
    error nofile 'add config' 'auth sufficient pam_rootok.so & auth required pam_wheel.so group=wheel' /etc/pam.d/su
fi

copy /etc/pam.d/login
# Forbid remote telnet login as root // not set by default
if [ -f /etc/pam.d/login ];then
    res=$(cat /etc/pam.d/login|grep 'auth required pam_securetty.so'|wc -l)
    if [[ $res == 0 ]]; then
        sed -i '2i\auth required pam_securetty.so' /etc/pam.d/login
        update 'auth required pam_securetty.so' /etc/pam.d/login
    else
        error exists 'auth required pam_securetty.so' 'add config' /etc/pam.d/login
    fi
else
    error nofile 'add config' 'auth required pam_securetty.so' /etc/pam.d/login
fi

copy /etc/selinux/config
# SELinux state // default enforcing
if [ -f /etc/selinux/config ];then
    res=$(sed -n "/^SELINUX=.*/p" /etc/selinux/config)
    if [[ $res == '' ]];then
        error noitem SELINUX permissive /etc/selinux/config
    else
        sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config
        update SELINUX /etc/selinux/config
        setenforce 0
    fi
else
    error nofile SELINUX permissive /etc/selinux/config
fi

# Firewall state
copy /etc/firewalld/zones/public.xml
if [[ "$( systemctl is-active firewalld.service)" != 'active' ]]; then
    systemctl restart sshd
    # Port(s) sshd is listening on, so that enabling the firewall does not cut off ssh
    sshPort=$(netstat -luntp|grep sshd|awk '{print $4}'|awk -F: '{print $NF}'|sort -u)
    for p in $sshPort; do
        # Double quotes so that the port variable is expanded inside the sed expression
        sed -i "s!</zone>!  <port protocol=\"tcp\" port=\"$p\"/>\n</zone>!g" /etc/firewalld/zones/public.xml
    done
    systemctl enable firewalld.service
    systemctl start firewalld.service
fi

# Medium-risk fixes
# Immutable attribute on the account database files // not set by default
userFile='gshadow shadow passwd group'
for i in $userFile; do
    if [[ -f /etc/$i ]]; then
        copy /etc/$i
        `cmd chattr` +i /etc/$i
        # lsattr prints the flag letters in its first field; look for "i"
        res=$(`cmd lsattr` /etc/$i|awk '{print $1}'|grep -c i)
        if [[ $res == 1 ]]; then
            update i /etc/$i
        else
            error noset chattr i /etc/$i
        fi
    else
        error nofile chattr i /etc/$i
    fi
done

# Password reuse limit // not set by default
copy /etc/pam.d/system-auth
if [ -f /etc/pam.d/system-auth ];then
    sed -i 's/\(^password\s*sufficient\s*pam_unix.so.*use_authtok$\)/\1 remember=5/g' /etc/pam.d/system-auth
    res=$(grep -E '^password\s*sufficient\s*pam_unix.so.*remember=5$' /etc/pam.d/system-auth|awk -F= '{print $NF}')
    if [[ $res == '5' ]]; then
        update 'remember=5' /etc/pam.d/system-auth
    else
        error noset sed remember=5 /etc/pam.d/system-auth
    fi
else
    error nofile sed remember=5 /etc/pam.d/system-auth
fi

# Permissions of important directories and files
p750File='/etc/rc.d/rc3.d /etc/rc.d/rc6.d /etc/rc.d/rc5.d /etc/rc.d/rc1.d /etc/rc.d/rc4.d /etc/rc.d/rc0.d /etc/rc.d/rc2.d /etc/rc.d/init.d'
#p600File='/etc/security /etc/default/grub /etc/shadow'
for i in $p750File; do
    if [[ -d $i ]]; then
        copy $i
        `cmd chmod` 750 $i
        res=$(`cmd ls` -dl $i|awk '{print $1}')
        if [[ $res == "drwxr-x---." ]] || [[ $res =~ "drwxr-x--t." ]]; then
            update chmod $i
        else
            error noset chmod 750 $i
        fi
    else
        error nofile chmod 750 $i
    fi
done

# SSH pre-login warning banner // not set by default
echo " Authorized only.
All activity will be monitored and reported " > /etc/ssh_banner
chown bin:bin /etc/ssh_banner
chmod 644 /etc/ssh_banner
if [ -f /etc/ssh/sshd_config ];then
    res1=$(sed -n "/^Banner.*/p" /etc/ssh/sshd_config)
    res2=$(sed -n "/^#Banner.*/p" /etc/ssh/sshd_config)
    if [[ $res1 == '' ]] && [[ $res2 == '' ]];then
        sed -i '1i\Banner /etc/ssh_banner' /etc/ssh/sshd_config
    elif [[ $res1 == '' ]] && [[ $res2 != '' ]];then
        sed -i 's!^#Banner.*!Banner /etc/ssh_banner!g' /etc/ssh/sshd_config
    elif [[ $res1 != '' ]];then
        sed -i 's!^Banner.*!Banner /etc/ssh_banner!g' /etc/ssh/sshd_config
    fi
    update Banner /etc/ssh/sshd_config
    warn 'Please reload sshd service by manual,because value of `Banner` is updated'
else
    error nofile Banner /etc/ssh_banner /etc/ssh/sshd_config
fi

# Limit on failed authentication attempts // not set by default
copy /etc/pam.d/sshd
if [ -f /etc/pam.d/sshd ];then
    res=$(cat /etc/pam.d/sshd|grep 'auth required pam_tally2.so deny=5 unlock_time=300 no_lock_time'|wc -l)
    if [[ $res == 0 ]]; then
        sed -i '2i\auth required pam_tally2.so deny=5 unlock_time=300 no_lock_time' /etc/pam.d/sshd
        update 'auth required pam_tally2.so deny=5 unlock_time=300 no_lock_time' /etc/pam.d/sshd
    else
        error exists 'auth required pam_tally2.so deny=5 unlock_time=300 no_lock_time' 'add config' /etc/pam.d/sshd
    fi
else
    error nofile 'add config' 'auth required pam_tally2.so deny=5 unlock_time=300 no_lock_time' /etc/pam.d/sshd
fi
if [ -f /etc/pam.d/system-auth ];then
    res=$(cat /etc/pam.d/system-auth|grep 'auth required pam_tally2.so deny=5 unlock_time=300'|wc -l)
    if [[ $res == 0 ]]; then
        sed -i '2i\auth required pam_tally2.so deny=5 unlock_time=300' /etc/pam.d/system-auth
        update 'auth required pam_tally2.so deny=5 unlock_time=300' /etc/pam.d/system-auth
    else
        error exists 'auth required pam_tally2.so deny=5 unlock_time=300' 'add config' /etc/pam.d/system-auth
    fi
else
    error nofile 'add config' 'auth required pam_tally2.so deny=5 unlock_time=300' /etc/pam.d/system-auth
fi

echo 'Please remember to create a normal user and add it as an administrator,
otherwise you may not be able to login to the host again.
    chattr -i /etc/passwd /etc/group /etc/gshadow /etc/shadow
    useradd username
    echo "password"|passwd --stdin username
    usermod -aG wheel username
    chattr +i /etc/passwd /etc/group /etc/gshadow /etc/shadow
'
#done
```
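A read-only audit of the password-policy and sshd items the script above rewrites, added here as an example and not part of the original script. It takes file paths as arguments (so it can be pointed at backups in `oriDir` or at constructed samples) and applies the same thresholds the script writes; the `sshd_value` helper follows sshd's first-match rule, which is why editing an existing `PermitRootLogin` line matters more than appending a new one. It assumes no `Match` blocks in sshd_config.

```bash
#!/bin/bash
# Added audit (not from the page); paths are arguments so it runs on sample files.
# First uncommented "KEY value" line of a login.defs-style file.
def_value() {                       # $1=key $2=file
    awk -v k="$1" '$1==k {print $2; exit}' "$2"
}
# sshd_config semantics: the FIRST uncommented occurrence of a keyword wins and
# keywords are case-insensitive, so a line appended at the end of the file is
# ignored when an earlier line already sets it (Match blocks are not modelled).
sshd_value() {                      # $1=keyword $2=file
    awk -v k="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" \
        '$1 !~ /^#/ && tolower($1)==k {print $2; exit}' "$2"
}
# $1=key $2=test operator (-le/-ge) $3=threshold $4=file. Prints a finding and
# returns 1 when the value is missing, non-numeric or outside the threshold.
check_def() {
    local v; v=$(def_value "$1" "$4")
    if [ -n "$v" ] && [ "$v" "$2" "$3" ] 2>/dev/null; then return 0; fi
    echo "FAIL $1=${v:-unset} (want $2 $3)"; return 1
}
# Number of failed password-policy checks (0 = compliant), using the
# thresholds the remediation script writes into /etc/login.defs.
audit_login_defs() {                # $1=login.defs path
    local fails=0
    check_def PASS_MAX_DAYS -le 90 "$1" || fails=$((fails+1))
    check_def PASS_MIN_DAYS -ge 2  "$1" || fails=$((fails+1))
    check_def PASS_MIN_LEN  -ge 8  "$1" || fails=$((fails+1))
    check_def PASS_WARN_AGE -ge 30 "$1" || fails=$((fails+1))
    return $fails
}
# Number of failed sshd checks: root login refused and a pre-login banner set.
audit_sshd() {                      # $1=sshd_config path
    local fails=0 v
    v=$(sshd_value PermitRootLogin "$1")
    [ "$v" = "no" ] || { echo "FAIL PermitRootLogin=${v:-unset}"; fails=$((fails+1)); }
    v=$(sshd_value Banner "$1")
    { [ -n "$v" ] && [ "$v" != "none" ]; } || { echo "FAIL Banner=${v:-unset}"; fails=$((fails+1)); }
    return $fails
}

# Demo on constructed samples (not real host files); the sshd sample shows the
# first-match trap, where a trailing "PermitRootLogin no" loses to an earlier "yes".
d=$(mktemp -d)
printf 'PASS_MAX_DAYS 99999\nPASS_MIN_DAYS 0\nPASS_MIN_LEN 5\nPASS_WARN_AGE 7\n' > "$d/login.defs"
printf '#PermitRootLogin yes\nPermitRootLogin yes\nBanner none\nPermitRootLogin no\n' > "$d/sshd_config"
a=0; audit_login_defs "$d/login.defs" || a=$?
b=0; audit_sshd "$d/sshd_config" || b=$?
echo "login.defs failures: $a, sshd_config failures: $b"; rm -rf "$d"
```

Run it against `/etc/login.defs` and `/etc/ssh/sshd_config` after the remediation script to confirm every item really took effect rather than trusting the SUCCESS lines in `oplog.log`.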
Nathan
Dec. 27, 2021, 12:38 p.m.