Security hardening of Rocky Linux 9.5 after a default installation

1. Check that the PAM module pam_wheel is used so that users outside the wheel group cannot su to root

vim /etc/pam.d/su

#%PAM-1.0
auth            required        pam_env.so
auth            sufficient      pam_rootok.so
auth            required        pam_wheel.so group=wheel
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth           sufficient      pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth           required        pam_wheel.so use_uid
auth            substack        system-auth
auth            include         postlogin
account         sufficient      pam_succeed_if.so uid = 0 use_uid quiet
account         include         system-auth
password        include         system-auth
session         include         system-auth
session         include         postlogin
session         optional        pam_xauth.so
# -a appends wheel to root's supplementary groups instead of replacing them
usermod -aG wheel root

2. Check the permission settings of important directories and files

# /etc/security is a directory: mode 644 strips its execute bit, so non-root processes
# could no longer open pwquality.conf or limits.conf inside it. 755 (the default) keeps
# it traversable while leaving it writable only by root.
chmod 755 /etc/security
chmod 600 /etc/grub2.cfg
chmod 600 /boot/grub2/grub.cfg

3. Check whether the default SNMP community string has been changed (if SNMP-related tools are installed)

vim /etc/snmp/snmpd.conf

Change the default community string public to a different value.

4. Check the user umask setting; set umask 022 in each of the following files

vim /etc/csh.cshrc
vim /etc/csh.login
vim /etc/profile

5. Check whether an SSH pre-login warning banner is configured

touch /etc/ssh_banner
chown bin:bin /etc/ssh_banner
chmod 644 /etc/ssh_banner
echo " Authorized only. All activity will be monitored and reported " > /etc/ssh_banner

vim /etc/ssh/sshd_config
Banner /etc/ssh_banner

systemctl restart sshd

6. Check the configuration of the alias file /etc/aliases (or /etc/mail/aliases); delete or comment out the following lines

vim /etc/aliases
vim /etc/mail/aliases
#games: root
#ingres: root
#system: root
#toor: root
#uucp: root
#manager: root
#dumper: root
#operator: root
#decode: root
#root: marc

Note: after updating the file, run /usr/bin/newaliases for the change to take effect.

7. Check the device password complexity policy

vim /etc/pam.d/system-auth
pam_pwquality.so must be in use in this file. Note the header below: on Rocky Linux 9 this file is generated by authselect, so edits made directly here are lost the next time authselect apply-changes or authselect select is run; put the complexity parameters in /etc/security/pwquality.conf instead, which pam_pwquality.so reads.
# Generated by authselect on Mon Sep  4 07:59:35 2023
# Do not modify this file manually.

auth        required                                     pam_env.so
auth        required                                     pam_faildelay.so delay=2000000
auth        required                                     pam_faillock.so preauth audit deny=5 even_deny_root unlock_time=600
-auth sufficient pam_fprintd.so
auth        sufficient                                   pam_fprintd.so
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        [default=1 ignore=ignore success=ok]         pam_localuser.so
auth        sufficient                                   pam_unix.so nullok try_first_pass
-auth sufficient pam_sss.so use_first_pass
auth        [default=1 ignore=ignore success=ok]         pam_usertype.so isregular
auth        sufficient                                   pam_sss.so forward_pass
auth        [default=die]                                pam_faillock.so authfail audit deny=5 even_deny_root unlock_time=600
auth        required                                     pam_deny.so
auth sufficient pam_faillock.so authsucc audit deny=5 even_deny_root unlock_time=600

account     required                                     pam_faillock.so
account     required                                     pam_unix.so
account     sufficient                                   pam_localuser.so
account     sufficient                                   pam_usertype.so issystem
account     [default=bad success=ok user_unknown=ignore] pam_sss.so
account     required                                     pam_permit.so

password    requisite                                    pam_pwquality.so local_users_only ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 minlen=8
password    sufficient                                   pam_unix.so sha512 shadow nullok use_authtok remember=5
password    sufficient                                   pam_sss.so use_authtok
password    required                                     pam_deny.so

session     optional                                     pam_keyinit.so revoke
session     required                                     pam_limits.so
-session    optional                                     pam_systemd.so
session     [success=1 default=ignore]                   pam_succeed_if.so service in crond quiet use_uid
session     required                                     pam_unix.so
session     optional                                     pam_sss.so

vim /etc/security/pwquality.conf
minclass (the number of character classes a password must contain) must be set to no less than 3.

8. Check the minimum password length (has no actual effect; set only to satisfy compliance checks)

vim /etc/login.defs
PASS_MIN_LEN    8

9. polkit security configuration

# Clears the setuid bit (the default mode is 4755). pkexec refuses to run without it,
# so confirm nothing on the host depends on pkexec before applying this.
chmod 0755 /usr/bin/pkexec

10. Check whether remote logging is configured

vim /etc/rsyslog.conf
*.info @syslog-ip
syslog-ip is a placeholder for the address of the log server; a single @ forwards over UDP, @@ forwards over TCP.

11. Check whether NTP (Network Time Protocol) is used to keep the clock synchronized

vim /etc/chrony.conf
server svrip iburst
svrip is a placeholder for the address of the time server.

12. Check whether a command-line idle timeout is configured

vim /etc/profile
export TMOUT=900
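As an added example that is not part of the original post, the script below audits the settings from sections 1, 2, 3, 5, 7, 9, 10 and 12 above. It assumes the file paths used in those sections and the legacy rsyslog @host syntax shown there; each check takes a file path so it can also be run against copied configuration files.

```bash
#!/bin/bash
# Added audit helper; it is not part of the original post. Each check takes the
# file to inspect as $1 so it can run on the live host or on a copied file, and
# returns 0 when the setting matches the baseline above, 1 otherwise.
# 1. /etc/pam.d/su: pam_wheel must be an active (uncommented) "required" line
check_pam_wheel() { grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$1"; }

# 2./9. Mode must not exceed the given octal mode; setuid/setgid bits count, so
# check_mode_max /usr/bin/pkexec 755 fails while pkexec is still mode 4755.
check_mode_max() {
  mode=$(stat -c '%a' "$1") || return 1
  [ $(( 0$mode & ~0$2 )) -eq 0 ]
}

# 3. snmpd.conf: no active community line may still use "public" (a missing
# file means SNMP is not installed, which the section above treats as fine)
check_snmp_community() {
  [ -f "$1" ] || return 0
  ! grep -Eq '^(rocommunity|rwcommunity|com2sec)[[:space:]]+(.*[[:space:]]+)?public([[:space:]]|$)' "$1"
}

# 5. sshd_config: Banner must point at a file path, not "none"
check_ssh_banner() { grep -Eq '^Banner[[:space:]]+/' "$1"; }

# 7. pwquality.conf: minclass must be set and >= 3 (last active setting wins)
check_minclass() {
  v=$(sed -n 's/^[[:space:]]*minclass[[:space:]]*=[[:space:]]*\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
  [ -n "$v" ] && [ "$v" -ge 3 ]
}

# 10. rsyslog.conf: an active legacy-syntax rule forwarding to a host (@host or @@host)
check_remote_syslog() { grep -Eq '^[^#]*[[:space:]]@@?[A-Za-z0-9]' "$1"; }

# 12. /etc/profile: TMOUT exported with a value between 1 and 900 seconds
check_tmout() {
  v=$(sed -n 's/^[[:space:]]*export[[:space:]]\{1,\}TMOUT=\([0-9][0-9]*\).*/\1/p' "$1" | tail -n 1)
  [ -n "$v" ] && [ "$v" -ge 1 ] && [ "$v" -le 900 ]
}
# Run every check against the real paths and print one PASS/FAIL line each
audit_host() {
  report() { if "$@"; then echo "PASS $1 $2"; else echo "FAIL $1 $2"; fi; }
  report check_pam_wheel      /etc/pam.d/su
  report check_mode_max       /boot/grub2/grub.cfg 600
  report check_mode_max       /usr/bin/pkexec 755
  report check_snmp_community /etc/snmp/snmpd.conf
  report check_ssh_banner     /etc/ssh/sshd_config
  report check_minclass       /etc/security/pwquality.conf
  report check_remote_syslog  /etc/rsyslog.conf
  report check_tmout          /etc/profile
}
```

Source the script and call audit_host as root to get one line per check; a FAIL line names the file that still needs the change from the corresponding section.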