# Linux MLPS Level 3 (等保三级) Remediation Script
Remediation script for the Level 3 requirements of the national standard MLPS 2.0 (等保2.0).

## MLPS compliance areas covered

> Identity authentication, access control, security audit, intrusion prevention, malicious code protection

### Specific remediation items

| Severity | Area | Check item |
|---|---|---|
| High | Identity authentication | Check whether a password maximum age is set |
| High | Identity authentication | Check whether a minimum interval (days) between password changes is set |
| High | Identity authentication | Check the minimum password length |
| High | Access control | Check whether the PAM module is used to forbid users outside the wheel group from su to root |
| High | Identity authentication | Check whether a warning period before password expiry is set |
| High | Resource control | Check whether remote root login is disabled |
| High | Access control | Configure the security of cron and at |
| High | Access control | Check whether SELinux is enabled |
| High | Intrusion prevention | Check whether the host firewall is enabled and TCP SYN protection is configured |
| Medium | Access control | Check attribute settings of important files |
| Medium | Access control | Check the user umask setting |
| Medium | Identity authentication | Check the limit on password reuse |
| Medium | Access control | Check permissions of important directories or files |
| Medium | Access control | Check the system OpenSSH security configuration |
| Low | Identity authentication | Check whether an SSH pre-login warning banner is set |
| Low | Identity authentication | Check whether remote logging is configured |
| Low | Identity authentication | Check whether a boot loader password is set |
| Low | Identity authentication | Check whether automatic screen locking is configured (devices with a graphical interface) |
| Low | Intrusion prevention | Check whether the remote login IP range is restricted |
| Low | Access control | Check the alias file /etc/aliases (or /etc/mail/aliases) configuration |
| Low | Identity authentication | Check the account authentication failure limit |

## Linux system-layer Level 3 remediation script (still being updated)

```bash
#!/bin/bash
# Only for the CentOS 7.x series
# Update 2021.12.03 by Nathan

# Operation log
oplog=./oplog.log
# Directory holding backups of the original files
oriDir=./oriDir
if [ ! -d $oriDir ];then mkdir -p $oriDir;fi
time=$(date +%s)

# Back up a file or directory into $oriDir/<timestamp>/, with "/" in the path replaced by "·"
function copy {
    pathName=$(echo "$1"|cut -c 2-|sed 's!/!·!g')
    mkdir -p $oriDir/$time
    cp -frp $1 $oriDir/$time/$pathName >/dev/null 2>&1
}

function update {
    echo "[`date +%F\ %H:%M:%S`] [SUCCESS] Success to update item \`$1\` from \`$2\`" >> $oplog
}

function warn {
    echo "[`date +%F\ %H:%M:%S`] [WARN] $1" >> $oplog
}

function error {
    case $1 in
        nofile) echo "[`date +%F\ %H:%M:%S`] [FAILED] Setting item \`$2\` to \`$3\` failed,because there is no \`$4\` file" >> $oplog ;;
        noitem) echo "[`date +%F\ %H:%M:%S`] [FAILED] Setting item \`$2\` to \`$3\` failed,because there is no item in \`$4\` file" >> $oplog ;;
        noset)  echo "[`date +%F\ %H:%M:%S`] [FAILED] Setting value \`$2\` to \`$3\` failed,please check file about \`$4\` by manual" >> $oplog ;;
        exists) echo "[`date +%F\ %H:%M:%S`] [WARN] Configuration item \`$2\` already exists by \`$3\` ,skip file \`$4\`" >> $oplog ;;
    esac
}

# Resolve a command name to its full path (empty if not installed).
# "return", not "exit": an "exit" here would terminate the whole script.
function cmd {
    if [[ $1 == '' ]];then echo '';return 1;fi
    command -v "$1"
}

# set_login_defs KEY VALUE: rewrite an existing (uncommented) KEY line in /etc/login.defs
function set_login_defs {
    if [ -f /etc/login.defs ];then
        res=$(sed -n "/^$1.*/p" /etc/login.defs)
        if [[ $res == '' ]];then
            error noitem $1 $2 /etc/login.defs
        else
            sed -i "s/^$1.*/$1 $2/g" /etc/login.defs
            update $1 /etc/login.defs
        fi
    else
        error nofile $1 $2 /etc/login.defs
    fi
}

# set_sshd_option KEY VALUE: set KEY in sshd_config, uncommenting an existing line or
# inserting at the top of the file. sshd uses the first value it reads for a keyword,
# so a line inserted at line 1 is never shadowed by a later Match block.
function set_sshd_option {
    if [ -f /etc/ssh/sshd_config ];then
        res1=$(sed -n "/^$1.*/p" /etc/ssh/sshd_config)
        res2=$(sed -n "/^#$1.*/p" /etc/ssh/sshd_config)
        if [[ $res1 == '' ]] && [[ $res2 == '' ]];then
            sed -i "1i\\$1 $2" /etc/ssh/sshd_config
        elif [[ $res1 == '' ]] && [[ $res2 != '' ]];then
            sed -i "s!^#$1.*!$1 $2!g" /etc/ssh/sshd_config
        else
            sed -i "s!^$1.*!$1 $2!g" /etc/ssh/sshd_config
        fi
        update $1 /etc/ssh/sshd_config
        warn "Please reload sshd service by manual,because value of \`$1\` is updated"
    else
        error nofile $1 $2 /etc/ssh/sshd_config
    fi
}

# add_pam_tally2 FILE OPTIONS: lock an account after repeated failed logins.
# The account line resets the failure counter after a successful login (pam_tally2(8)).
function add_pam_tally2 {
    copy $1
    if [ -f $1 ];then
        if [[ $(grep -c '^auth\s\+required\s\+pam_tally2.so' $1) == 0 ]]; then
            sed -i "2i\\auth required pam_tally2.so $2\naccount required pam_tally2.so" $1
            update "auth required pam_tally2.so $2" $1
        else
            error exists "auth required pam_tally2.so $2" 'add config' $1
        fi
    else
        error nofile 'add config' "auth required pam_tally2.so $2" $1
    fi
}

#---------- High-risk items ----------
copy /etc/login.defs
set_login_defs PASS_MAX_DAYS 90   # password maximum age // default 99999
set_login_defs PASS_MIN_DAYS 2    # minimum days between password changes // default 0
set_login_defs PASS_MIN_LEN 8     # minimum password length // default 5
set_login_defs PASS_WARN_AGE 30   # warning days before password expiry // default 7

# Forbid remote root login over SSH
copy /etc/ssh/sshd_config
set_sshd_option PermitRootLogin no

# Use PAM to forbid users outside the wheel group from su to root // default: not set
copy /etc/pam.d/su
if [ -f /etc/pam.d/su ];then
    if [[ $(grep -c '^auth\s\+required\s\+pam_wheel.so' /etc/pam.d/su) == 0 ]]; then
        # pam_rootok (sufficient) must come before pam_wheel so root itself is not blocked
        if grep -q '^auth\s\+sufficient\s\+pam_rootok.so' /etc/pam.d/su; then
            sed -i '/^auth\s\+sufficient\s\+pam_rootok.so/a auth required pam_wheel.so group=wheel' /etc/pam.d/su
        else
            sed -i '2i\auth sufficient pam_rootok.so\nauth required pam_wheel.so group=wheel' /etc/pam.d/su
        fi
        update 'auth sufficient pam_rootok.so & auth required pam_wheel.so group=wheel' /etc/pam.d/su
        warn "Please add user to wheel group,cmd:\`usermod -aG wheel username\`"
    else
        error exists 'auth sufficient pam_rootok.so & auth required pam_wheel.so group=wheel' 'add config' /etc/pam.d/su
    fi
else
    error nofile 'add config' 'auth sufficient pam_rootok.so & auth required pam_wheel.so group=wheel' /etc/pam.d/su
fi

# Forbid remote root login over telnet // default: not set
copy /etc/pam.d/login
if [ -f /etc/pam.d/login ];then
    if [[ $(grep -c '^auth.*pam_securetty.so' /etc/pam.d/login) == 0 ]]; then
        sed -i '2i\auth required pam_securetty.so' /etc/pam.d/login
        update 'auth required pam_securetty.so' /etc/pam.d/login
    else
        error exists 'auth required pam_securetty.so' 'add config' /etc/pam.d/login
    fi
else
    error nofile 'add config' 'auth required pam_securetty.so' /etc/pam.d/login
fi

# SELinux state // default enforcing; this script sets permissive
copy /etc/selinux/config
if [ -f /etc/selinux/config ];then
    res=$(sed -n "/^SELINUX=.*/p" /etc/selinux/config)
    if [[ $res == '' ]];then
        error noitem SELINUX permissive /etc/selinux/config
    else
        sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config
        update SELINUX /etc/selinux/config
        setenforce 0
    fi
else
    error nofile SELINUX permissive /etc/selinux/config
fi

# Firewall: enable firewalld while keeping the sshd listening port(s) open in the public zone
copy /etc/firewalld/zones/public.xml
if [[ "$(systemctl is-active firewalld.service)" != 'active' ]]; then
    systemctl restart sshd
    for sshPort in $(ss -lntp|grep sshd|awk '{print $4}'|awk -F: '{print $NF}'|sort -u); do
        if [ -f /etc/firewalld/zones/public.xml ]; then
            # double quotes so $sshPort is expanded (a single-quoted sed would write the literal text)
            sed -i "s!</zone>!  <port protocol=\"tcp\" port=\"$sshPort\"/>\n</zone>!g" /etc/firewalld/zones/public.xml
        else
            firewall-offline-cmd --add-port="$sshPort/tcp"
        fi
    done
    systemctl enable firewalld.service
    systemctl start firewalld.service
fi

#---------- Medium-risk items ----------
# Immutable attribute on important account files // default: not set
userFile='gshadow shadow passwd group'
for i in $userFile; do
    if [[ -f /etc/$i ]]; then
        copy /etc/$i
        $(cmd chattr) +i /etc/$i
        res=$($(cmd lsattr) /etc/$i|awk '{print $1}')
        if [[ $res == *i* ]]; then
            update i /etc/$i
        else
            error noset chattr i /etc/$i
        fi
    else
        error nofile chattr i /etc/$i
    fi
done

# Password reuse limit // default: not set
copy /etc/pam.d/system-auth
if [ -f /etc/pam.d/system-auth ];then
    sed -i 's/\(^password\s*sufficient\s*pam_unix.so.*use_authtok$\)/\1 remember=5/g' /etc/pam.d/system-auth
    res=$(grep -E '^password\s*sufficient\s*pam_unix.so.*remember=5$' /etc/pam.d/system-auth|awk -F= '{print $NF}')
    if [[ $res == '5' ]]; then
        update 'remember=5' /etc/pam.d/system-auth
    else
        error noset sed remember=5 /etc/pam.d/system-auth
    fi
else
    error nofile sed remember=5 /etc/pam.d/system-auth
fi

# Permissions on important directories
p750File='/etc/rc.d/rc3.d /etc/rc.d/rc6.d /etc/rc.d/rc5.d /etc/rc.d/rc1.d /etc/rc.d/rc4.d /etc/rc.d/rc0.d /etc/rc.d/rc2.d /etc/rc.d/init.d'
#p600File='/etc/security /etc/default/grub /etc/shadow'
for i in $p750File; do
    if [[ -d $i ]]; then
        copy $i
        $(cmd chmod) 750 $i
        res=$($(cmd ls) -dl $i|awk '{print $1}')
        if [[ $res == "drwxr-x---." ]] || [[ $res =~ "drwxr-x--t." ]]; then
            update chmod $i
        else
            error noset chmod 750 $i
        fi
    else
        error nofile chmod 750 $i
    fi
done

#---------- Low-risk items ----------
# SSH pre-login warning banner // default: not set
echo "Authorized only.
All activity will be monitored and reported" > /etc/ssh_banner
chown bin:bin /etc/ssh_banner
chmod 644 /etc/ssh_banner
set_sshd_option Banner /etc/ssh_banner

# Account authentication failure limit // default: not set
add_pam_tally2 /etc/pam.d/sshd 'deny=5 unlock_time=300 no_lock_time'
add_pam_tally2 /etc/pam.d/system-auth 'deny=5 unlock_time=300'

echo 'Please remember to create a normal user and add it as an administrator,
otherwise you may not be able to login to the host again.
chattr -i /etc/passwd /etc/group /etc/gshadow /etc/shadow
useradd username
echo "password"|passwd --stdin username
usermod -aG wheel username
chattr +i /etc/passwd /etc/group /etc/gshadow /etc/shadow
'
#done
```
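An added read-only audit helper, not part of Nathan's script, that verifies the login.defs and sshd_config items above instead of changing them: it reports PASS/FAIL per item and returns the number of failures, so it can confirm a remediation run or flag drift later. It runs against constructed CentOS 7-style sample files; the function names, the `--demo` switch and the sample directory are this example's own.

```shell
#!/bin/sh
# Added audit helper (not part of the original remediation script).
# Checks a login.defs-style and an sshd_config-style file against the values the
# script above enforces. Paths are parameters, so it runs on samples or on /etc.

# get_value FILE KEY: effective (uncommented) value of KEY, empty if unset.
# First match wins, mirroring sshd's first-obtained-value rule.
get_value() { awk -v k="$2" '$1 == k { print $2; exit }' "$1"; }

# expect_num FILE KEY OP LIMIT: true if KEY is set and "value OP LIMIT" holds.
expect_num() { v=$(get_value "$1" "$2"); [ -n "$v" ] && [ "$v" "$3" "$4" ]; }
# expect_str FILE KEY VALUE: true if the effective value of KEY equals VALUE.
expect_str() { [ "$(get_value "$1" "$2")" = "$3" ]; }

# report LABEL CMD ARGS...: run one check, print its result, count failures in FAILS.
report() {
    label=$1; shift
    if "$@"; then echo "PASS $label"; else echo "FAIL $label"; FAILS=$((FAILS + 1)); fi
}

# audit LOGIN_DEFS SSHD_CONFIG: returns the number of failed items (0 = compliant).
audit() {
    FAILS=0
    report PASS_MAX_DAYS   expect_num "$1" PASS_MAX_DAYS -le 90
    report PASS_MIN_DAYS   expect_num "$1" PASS_MIN_DAYS -ge 2
    report PASS_MIN_LEN    expect_num "$1" PASS_MIN_LEN  -ge 8
    report PASS_WARN_AGE   expect_num "$1" PASS_WARN_AGE -ge 30
    report PermitRootLogin expect_str "$2" PermitRootLogin no
    report Banner          expect_str "$2" Banner /etc/ssh_banner
    return "$FAILS"
}

# make_samples: constructed CentOS 7-style defaults in a temp dir (sets SAMPLE_DIR).
make_samples() {
    SAMPLE_DIR=$(mktemp -d)
    printf '%s\n' 'PASS_MAX_DAYS 99999' 'PASS_MIN_DAYS 0' 'PASS_MIN_LEN 5' \
        'PASS_WARN_AGE 7' > "$SAMPLE_DIR/login.defs"
    printf '%s\n' '#PermitRootLogin yes' '#Banner none' 'Port 22' > "$SAMPLE_DIR/sshd_config"
}

# harden_samples: apply the same sed edits the remediation script makes, for a before/after run.
harden_samples() {
    sed -i -e 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' -e 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 2/' \
        -e 's/^PASS_MIN_LEN.*/PASS_MIN_LEN 8/' -e 's/^PASS_WARN_AGE.*/PASS_WARN_AGE 30/' "$SAMPLE_DIR/login.defs"
    sed -i -e 's/^#PermitRootLogin.*/PermitRootLogin no/' -e 's!^#Banner.*!Banner /etc/ssh_banner!' "$SAMPLE_DIR/sshd_config"
}

if [ "${1:-}" = --demo ]; then
    make_samples
    audit "$SAMPLE_DIR/login.defs" "$SAMPLE_DIR/sshd_config"; echo "before: $? failures"
    harden_samples
    audit "$SAMPLE_DIR/login.defs" "$SAMPLE_DIR/sshd_config"; echo "after: $? failures"
fi
```

Against a live host, call `audit /etc/login.defs /etc/ssh/sshd_config` as root; the exit status is the failure count.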
Nathan
Dec. 27, 2021, 12:38 p.m.