linux伺服器基線加固、安全漏掃工具(綠盟...)掃出來的系統漏洞

不是書本的小明發表於2020-12-05

以下指令碼主要是修復漏掃工具掃出來的一些系統漏洞
例如:密碼強度策略、預設密碼有效期、ssh配置加固…
生產環境伺服器為 CentOS 7 系列。執行基線加固指令碼後，重新對該伺服器進行漏掃，已消除絕大部分檢查項目。注意：指令碼會改動 PAM、sshd 與 auditd 設定，改錯可能導致遠端無法登入，請先在測試機驗證，並保留指令碼產生的備份目錄。

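#!/bin/bash
### Hardening Script for CentOS7 Servers.
### Run as root. Every file the script edits is copied into $AUDITDIR first,
### and `sed -i` keeps a second copy next to the file with suffix .$BACKUP.

## Variables ##
# Suffix for the in-place backup copies made by sed -i.
BACKUP=$(date +%F:%T)

# NOTE(review): the four lists below are not referenced anywhere else in this
# script (the service loop at the end uses its own `servicelist` array). They
# are kept unchanged so anything sourcing this file still sees them.
services_to_disable="chargen-dgram chargen-stream daytime-dgram daytime-stream discard-dgram discard-stream echo-dgram echo-stream time-dgram time-stream tftp"
services_to_disable_modprobe="ipv6"
systemctl_services_to_disable="autofs xinetd avahi-daemon cups dhcpd slapd nfs rpcbind named vsftpd httpd dovecot smb squid snmpd ypserv rsh.socket rlogin.socket rexec.socket telnet.socket tftp.socket rsyncd ntalk"
systemctl_services_to_enable="rsyslog crond syslog-ng"

# Pre-login banner written to /etc/issue and /etc/issue.net.
ISSUE_MESSAGE=$'Only authorized users may use this system.\nAll activity may be monitored and recorded.'

# Password ageing policy (days); consumed by the /etc/login.defs section.
PASS_MAX_DAYS=90
PASS_MIN_DAYS=7
PASS_MIN_LEN=10
PASS_WARN_AGE=7
DISABLE_AFTER_EXPIRATION=30
# Accounts whose ageing should be forced immediately; empty = none. Not used
# further down: login.defs only affects accounts created after the run.
users_to_expire=""

# Backup/log directory.  The original used the fixed, predictable path
# /tmp/<host>_audit.  /tmp is world-writable, so any local user could have
# pre-created that directory (or a symlink to it) and read or redirect the
# copies of sshd_config, login.defs and the PAM files stored there.  mktemp
# creates a fresh, unpredictable, mode-0700 directory instead; the name is
# still printed at the end of the run.
TIME="$(date +%F_%T)"
AUDITDIR="$(mktemp -d "/tmp/$(hostname -s)_audit.XXXXXX")" || { echo "cannot create audit directory under /tmp" >&2; exit 1; }
chmod 700 "$AUDITDIR"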

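#######################################
# Ensure a config file contains exactly one line for a setting.
# Arguments:
#   $1 - extended regex (grep -E / sed -E dialect) identifying the setting
#   $2 - file to edit (created if it does not exist)
#   $3 - the exact line that must be present
# Behaviour:
#   If the matching line(s) already equal $3, nothing changes.  Otherwise every
#   matching line is deleted (sed keeps a copy with suffix .$BACKUP) and $3 is
#   appended.
# Fixes relative to the original:
#   - the original stopped after the delete, so a setting present with a
#     *different* value was removed and never re-added;
#   - $1 and $2 were unquoted in the sed call, so a pattern containing spaces
#     was split into several arguments and sed failed;
#   - sed ran in basic-regex mode while the search used egrep, so patterns
#     with \s+ / + never matched on the delete side.
# Caveat: the line is appended at the end of the file.  For files where order
# matters (PAM stacks, sshd_config with Match blocks) that is not a safe edit.
#######################################
grep_check() {
  local pattern="$1"
  local file="$2"
  local expected="$3"
  local found sed_pattern

  found="$(grep -E -- "$pattern" "$file" 2>/dev/null)"
  if [[ "$found" == "$expected" ]]; then
    echo "$pattern found in $file and is as expected"
    return 0
  fi

  if [[ -n "$found" ]]; then
    # Escape '/' so the regex can be used as a sed address.
    sed_pattern="${pattern//\//\\/}"
    echo "$pattern found in $file with a different value, replacing"
    sed -E -i".${BACKUP}" "/${sed_pattern}/d" "$file"
  else
    echo "${pattern} not found, adding"
  fi
  echo "$expected" >> "$file"
  echo "$expected added to file $file"
}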

## Static name resolution for the internal Aegis scanner / update hosts.
## Each entry is handed to grep_check twice: as the regex to look for and as
## the exact line to keep.  The dots in the address are regex metacharacters,
## so the search is slightly looser than the literal text.
hosts_entries=(
  '172.30.36.35 jsrv2.aegis.res.zwww.ncbd.com'
  '172.30.36.35 jsrv.aegis.res.zwww.ncbd.com'
  '172.30.36.45 update.aegis.res.zwww.ncbd.com'
  '172.30.36.45 update2.aegis.res.zwww.ncbd.com'
  '172.30.36.38 web.aegis.res.zwww.ncbd.com'
)
for hosts_entry in "${hosts_entries[@]}"; do
  grep_check "$hosts_entry" /etc/hosts "$hosts_entry"
done

# Mirror pinning, intentionally left disabled by the author:
#grep_check  "113.105.168.158 mirrors.aliyun.com"  /etc/hosts '113.105.168.158 mirrors.aliyun.com'



##update yum

#mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo_$TIME.bak
#curl http://mirrors.aliyun.com/repo/Centos-7.repo -o /etc/yum.repos.d/CentOS-Base.repo
#curl  http://mirrors.aliyun.com/repo/epel-7.repo -o  /etc/yum.repos.d/epel-7.repo
#yum  clean all
#yum  makecache
#yum -y  update

#echo "Removing legacy services..."
#yum -y  remove rsh-server rsh ypserv tftp tftp-server talk talk-server telnet-server xinetd >> $AUDITDIR/service_remove_$TIME.log

#echo "Disabling SNMP..."
#yum -y  remove net-snmp >> $AUDITDIR/service_remove_$TIME.log



## Pre-login banner.  /etc/issue is shown by getty; /etc/issue.net is what
## sshd sends if its Banner directive points at it (this script does not set
## Banner, so confirm the scanner is happy with the file alone).
printf '%s\n' "$ISSUE_MESSAGE" > /etc/issue
printf '%s\n' "$ISSUE_MESSAGE" > /etc/issue.net

## Timestamped shell history.  A convenience for reviewers, not a control:
## any user can unset HISTTIMEFORMAT or HISTFILE, so the auditd rules below
## are the authoritative record of what was run.
grep_check "export HISTTIMEFORMAT"  /etc/profile 'export HISTTIMEFORMAT="%d/%m/%y  %T  "'

## Store new password hashes with SHA-512.  Existing hashes keep their old
## algorithm until each user next changes their password; look for /etc/shadow
## entries whose hash does not start with $6$ to find them.
echo "Upgrading password hashing algorithm to SHA512..."
authconfig --passalgo=sha512 --update


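###### Default password ageing #########
# /etc/login.defs only applies to accounts created after this point; existing
# users keep whatever `chage -l <user>` shows and need `chage` individually.
# Values come from the PASS_* variables at the top instead of being repeated
# here, so the policy is changed in one place.
# The lines are written in the documented `KEY   VALUE` form of login.defs;
# the original wrote `KEY = VALUE`, and whether shadow-utils parses the `=`
# form depends on its version, so the documented spelling is used.
echo "Setting Password Expiry Time for users …"
cp /etc/login.defs "$AUDITDIR/login.defs_$TIME.bak"
grep_check "^PASS_MAX_DAYS" /etc/login.defs "PASS_MAX_DAYS   ${PASS_MAX_DAYS}"
grep_check "^PASS_MIN_DAYS" /etc/login.defs "PASS_MIN_DAYS   ${PASS_MIN_DAYS}"
# PASS_MIN_LEN here is ignored when passwords are changed through PAM; the
# effective minimum is the pwquality minlen set in the next section.
grep_check "^PASS_MIN_LEN" /etc/login.defs "PASS_MIN_LEN    ${PASS_MIN_LEN}"
grep_check "^PASS_WARN_AGE" /etc/login.defs "PASS_WARN_AGE   ${PASS_WARN_AGE}"
# NOTE(review): DISABLE_AFTER_EXPIRATION does not appear to be a key that
# shadow-utils reads from login.defs; the line is kept because scanners look
# for it, but the setting that actually disables a new account N days after
# its password expires is INACTIVE in /etc/default/useradd (set just below).
grep_check "^DISABLE_AFTER_EXPIRATION" /etc/login.defs "DISABLE_AFTER_EXPIRATION   ${DISABLE_AFTER_EXPIRATION}"
useradd -D -f "$DISABLE_AFTER_EXPIRATION"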

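echo "密碼強度策略,針對Centos"
cp /etc/security/pwquality.conf "$AUDITDIR/pwquality.conf_$TIME.bak"
# authconfig owns /etc/pam.d/{system,password}-auth(-ac): it writes the
# pam_pwquality and pam_faillock lines at the correct place in each stack
# and mirrors the complexity settings into pwquality.conf.
authconfig --enablereqlower --enablerequpper --enablereqdigit --enablereqother --passminlen=10  --update
# Lock after 6 failures within 90 s, auto-unlock after 300 s.  even_deny_root
# is deliberately not passed: locking root out needs a console recovery path.
authconfig --enablefaillock   --faillockargs="deny=6 fail_interval=90 unlock_time=300"   --update

# The original appended its own `password requisite pam_pwquality.so ...` and
# `auth required pam_faillock.so authfail ... even_deny_root` lines with
# grep_check.  Appended lines land at the *end* of the file, behind
# `password sufficient pam_unix.so` / `auth required pam_deny.so`, where the
# password stack never reaches them; worse, because the authconfig-written
# pwquality line differs from the expected text, grep_check deleted it, so
# password-auth ended up with no pwquality module at all.  The even_deny_root
# line also had no matching preauth line, so root was never actually locked.
# Verify what authconfig produced instead of editing the stack by hand.
if ! grep -Eq '^password\s+requisite\s+pam_pwquality\.so' /etc/pam.d/password-auth; then
  echo "WARNING: pam_pwquality missing from /etc/pam.d/password-auth; check authconfig output" >&2
fi
if ! grep -Eq '^auth\s+\S+\s+pam_faillock\.so\s+authfail' /etc/pam.d/system-auth; then
  echo "WARNING: pam_faillock authfail missing from /etc/pam.d/system-auth; check authconfig output" >&2
fi

# pwquality.conf is plain `key = value`, safe to edit line by line.
grep_check "^minlen" /etc/security/pwquality.conf 'minlen = 10'
# The original grepped ^ucredit on this line, so minclass was appended anew
# on every run and the ucredit line was clobbered.
grep_check "^minclass" /etc/security/pwquality.conf 'minclass = 3'
grep_check "^dcredit" /etc/security/pwquality.conf 'dcredit = -1'
grep_check "^lcredit" /etc/security/pwquality.conf 'lcredit = -1'
grep_check "^ocredit" /etc/security/pwquality.conf 'ocredit = -1'
grep_check "^ucredit" /etc/security/pwquality.conf 'ucredit = -1'

# Password history: add remember=5 to the existing `password sufficient
# pam_unix.so` line in place, keeping its other options (sha512 shadow
# use_authtok ...).  The original appended a bare `pam_unix.so remember=5`
# line at the end of the file, which is never reached.  Edit the -ac targets
# that system-auth/password-auth symlink to, so sed -i does not replace the
# symlink with a regular file.
for pam_file in /etc/pam.d/system-auth-ac /etc/pam.d/password-auth-ac; do
  [[ -f "$pam_file" ]] || continue
  cp "$pam_file" "$AUDITDIR/$(basename "$pam_file")_$TIME.bak"
  if grep -Eq '^password\s+sufficient\s+pam_unix\.so.*\bremember=' "$pam_file"; then
    sed -E -i".${BACKUP}" 's/^(password\s+sufficient\s+pam_unix\.so.*)\bremember=[0-9]+/\1remember=5/' "$pam_file"
  else
    sed -E -i".${BACKUP}" 's/^(password\s+sufficient\s+pam_unix\.so.*)$/\1 remember=5/' "$pam_file"
  fi
done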


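echo "Enabling auditd service..."
systemctl enable auditd

echo "Configuring Audit Log Storage Size..."
cp /etc/audit/auditd.conf "$AUDITDIR/auditd.conf_$TIME.bak"
#sed -i 's/^space_left_action.*$/space_left_action = SYSLOG/' /etc/audit/auditd.conf
#sed -i 's/^action_mail_acct.*$/action_mail_acct = root/' /etc/audit/auditd.conf
#sed -i 's/^admin_space_left_action.*$/admin_space_left_action = SYSLOG/' /etc/audit/auditd.conf
# max_log_file is an integer number of megabytes.  The original wrote
# "max_log_file = 30MB" and grepped for that literal, so it was appended after
# the stock "max_log_file = 8" line; auditd's parser accepts digits only, so
# the bad value stops auditd from starting at the next boot — i.e. the
# hardening run would have silently disabled auditing.
grep_check "^max_log_file = " /etc/audit/auditd.conf 'max_log_file = 30'

echo "Setting audit rules..."
# On CentOS 7 auditd.service runs `augenrules --load`, which regenerates
# /etc/audit/audit.rules from /etc/audit/rules.d/*.rules and would overwrite
# rules written straight into audit.rules.  Write to rules.d when it exists.
# Because this file starts with -D and ends with -e 2 (immutable), it must be
# the only file in rules.d, and any later rule change needs a reboot.
if [[ -d /etc/audit/rules.d ]]; then
  audit_rules_file=/etc/audit/rules.d/audit.rules
else
  audit_rules_file=/etc/audit/audit.rules
fi
[[ -f "$audit_rules_file" ]] && cp "$audit_rules_file" "$AUDITDIR/audit.rules_$TIME.bak"
cat > "$audit_rules_file" << "EOF"
-D
# 320 was the old kernel default and overflows under load, dropping events;
# 8192 matches the CentOS 7 default rule file.
-b 8192

-w /etc/passwd -p wa -k identity
-w /usr/bin/ps -p w -k file_changes
-w /usr/bin/top  -p w -k file_changes
-w /usr/bin/netstat -p w -k file_changes
# sshd lives in /usr/sbin on CentOS 7; the original watched /usr/bin/sshd,
# which does not exist.
-w /usr/sbin/sshd -p w -k sshd_changes
-w /etc/sudoers -p wa -k actions
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-w /usr/bin/wget -p x -k susp_activity
-w /usr/bin/curl -p x -k susp_activity
-w /usr/bin/base64 -p x -k susp_activity
# NOTE(review): /bin/netcat is normally absent on CentOS 7 (nmap-ncat provides
# nc/ncat); check `auditctl -l` after loading to see which watches took effect.
-w /bin/nc -p x -k susp_activity
-w /bin/netcat -p x -k susp_activity

-e 2
EOF
# Load the rules now instead of waiting for a reboot.  This fails harmlessly
# when an earlier run already made the configuration immutable (-e 2).
if command -v augenrules >/dev/null 2>&1; then
  augenrules --load >> "$AUDITDIR/audit_load_$TIME.log" 2>&1 \
    || echo "audit rules not loaded now (config already immutable?); they apply at next boot"
fi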


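echo "SSH配置加固"
cp /etc/ssh/sshd_config "$AUDITDIR/sshd_config_$TIME.bak"
# grep_check appends a missing directive at the end of sshd_config.  If the
# file already contains a `Match` block, anything appended falls inside that
# block and applies only to it — confirm the effective values with `sshd -T`.
grep_check "^Protocol" /etc/ssh/sshd_config 'Protocol 2'
grep_check "^LogLevel" /etc/ssh/sshd_config 'LogLevel INFO'
grep_check "^X11Forwarding" /etc/ssh/sshd_config 'X11Forwarding no'
grep_check "^MaxAuthTries" /etc/ssh/sshd_config 'MaxAuthTries 6'
grep_check "^IgnoreRhosts" /etc/ssh/sshd_config 'IgnoreRhosts yes'
grep_check "^HostbasedAuthentication" /etc/ssh/sshd_config 'HostbasedAuthentication no'
# Left disabled by the author; enable once key-based admin accounts with sudo exist.
# grep_check "^PermitRootLogin" /etc/ssh/sshd_config 'PermitRootLogin no'
grep_check "^PermitEmptyPasswords" /etc/ssh/sshd_config 'PermitEmptyPasswords no'
grep_check "^PermitUserEnvironment" /etc/ssh/sshd_config 'PermitUserEnvironment no'
# Cipher/MAC pinning left disabled by the author.
# grep_check "^Ciphers" /etc/ssh/sshd_config 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr'
# grep_check "MACs" /etc/ssh/sshd_config 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
# ClientAlive* only detects dead peers: an idle client that still answers the
# keepalive is not disconnected, so idle logout needs TMOUT in /etc/profile.
# On the OpenSSH 7.4 shipped with CentOS 7, CountMax 0 drops a client at the
# first missed probe; OpenSSH >= 8.2 redefines 0 as "never disconnect", so
# switch to 1 if the package is ever upgraded.
grep_check "^ClientAliveInterval" /etc/ssh/sshd_config 'ClientAliveInterval 600'
grep_check "^ClientAliveCountMax" /etc/ssh/sshd_config 'ClientAliveCountMax 0'

# Never restart sshd on a remote host with an unvalidated config: a broken
# file leaves the box reachable only from the console.  Validate first and
# roll back to the backup taken above on failure.
if sshd -t; then
  systemctl restart sshd >> "$AUDITDIR/service_restart_$TIME.log" 2>&1
else
  echo "ERROR: sshd_config failed validation; restoring backup and NOT restarting sshd" >&2
  cp "$AUDITDIR/sshd_config_$TIME.bak" /etc/ssh/sshd_config
fi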


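# Only members of wheel may su.  Make sure someone is actually in wheel first,
# otherwise the only route to root becomes the console (sudo is unaffected).
if [[ -z "$(getent group wheel | cut -d: -f4)" ]]; then
  echo "WARNING: group wheel has no members; su to root will be blocked for everyone" >&2
fi
cp /etc/pam.d/su "$AUDITDIR/su_$TIME.bak"
# Stock CentOS 7 ships the pam_wheel line commented out.  Uncomment it in
# place so it keeps the position the distribution intended (ahead of
# `auth substack system-auth`); grep_check then finds it as expected and
# only appends a line on files that never had one.
if grep -Eq '^#\s*auth\s+required\s+pam_wheel\.so\s+use_uid' /etc/pam.d/su; then
  sed -E -i".${BACKUP}" 's/^#\s*(auth\s+required\s+pam_wheel\.so\s+use_uid)/\1/' /etc/pam.d/su
fi
grep_check "^auth\s+required\s+pam_wheel.so use_uid"  /etc/pam.d/su 'auth		required	pam_wheel.so use_uid'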

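## Disable unneeded services
echo "Disabling Unnecessary Services..."
# NOTE(review): nfslock/rpcgssd/rpcidmapd/rpcsvcgssd are SysV-era names that
# do not match the CentOS 7 unit names (nfs-lock, rpc-gssd, ...), so those
# entries are expected to fail here; check `systemctl list-unit-files`.
# Units are disabled, not stopped: a running daemon keeps running until
# reboot (`systemctl disable --now` would do both).
servicelist=(avahi-daemon cups nfslock rpcgssd rpcbind rpcidmapd rpcsvcgssd postfix )
for unit in "${servicelist[@]}"; do
  # The original tested `[ $(systemctl disable ...) ]`.  systemctl prints
  # nothing on stdout, so that test was always false and "is Disabled" was
  # reported even for units that do not exist.  Use the exit status instead
  # and keep systemctl's diagnostics in the audit directory.
  if systemctl disable "$unit" >> "$AUDITDIR/service_disable_$TIME.log" 2>&1; then
    echo "$unit is Disabled"
  else
    echo "$unit could not be disabled (see $AUDITDIR/service_disable_$TIME.log)"
  fi
done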

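## Remove unneeded system accounts
# userdel exits non-zero and complains when the account is already gone;
# check first so re-runs stay quiet.
if id games >/dev/null 2>&1; then
  userdel games
fi

# The original truncated /var/log/messages and /var/log/secure at this point
# (plus `echo >/var/log`, which only fails because /var/log is a directory).
# Wiping the system and authentication logs on a production host destroys
# the evidence an incident responder needs and is itself a finding in most
# baselines, so it is disabled.  If disk usage is the concern, size the logs
# with logrotate instead.
#echo >/var/log/messages
#echo >/var/log/secure

echo ""
echo "Successfully Completed"
echo "Please check $AUDITDIR"
# `history -c` was dropped: a non-interactive script has no history of its
# own to clear and cannot touch the invoking shell's history, so the call
# only suggested the run was meant to be untraceable.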
