linux伺服器基線加固、安全漏掃工具(綠盟...)掃出來的系統漏洞
以下腳本主要用於修復漏掃工具掃出來的一些系統漏洞
例如:密碼強度策略、預設密碼有效期、ssh配置加固…
生產環境伺服器為 CentOS 7 系列，執行基線加固腳本後，對該伺服器再次進行漏掃，已消除絕大部分檢查項目
#!/bin/bash
### Hardening Script for CentOS7 Servers.
##定義變數###
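# Suffix for the backup copy sed leaves behind when grep_check edits a file.
readonly BACKUP=$(date +%F:%T)
# NOTE(review): the four service lists and users_to_expire below are not
# referenced anywhere else in this script (the service loop near the end
# uses its own 'servicelist' array); they are left in place unchanged.
services_to_disable="chargen-dgram chargen-stream daytime-dgram daytime-stream discard-dgram discard-stream echo-dgram echo-stream time-dgram time-stream tftp"
services_to_disable_modprobe="ipv6"
systemctl_services_to_disable="autofs xinetd avahi-daemon cups dhcpd slapd nfs rpcbind named vsftpd httpd dovecot smb squid snmpd ypserv rsh.socket rlogin.socket rexec.socket telnet.socket tftp.socket rsyncd ntalk"
systemctl_services_to_enable="rsyslog crond syslog-ng"
# Login banner written to /etc/issue and /etc/issue.net.
ISSUE_MESSAGE=$'Only authorized users may use this system.\nAll activity may be monitored and recorded.' #
# 密碼強度策略 — password ageing / strength values (login.defs, pwquality).
PASS_MAX_DAYS=90
PASS_MIN_DAYS=7
PASS_MIN_LEN=10
PASS_WARN_AGE=7
DISABLE_AFTER_EXPIRATION=30
users_to_expire=""
# Every config file is copied here before it is modified.
# NOTE(review): this is a predictable, world-traversable path under /tmp and
# it receives copies of PAM and sshd configuration; a root-owned directory
# outside /tmp would be a safer default. The chmod below at least keeps the
# directory itself private to root.
readonly AUDITDIR="/tmp/$(hostname -s)_audit"
readonly TIME="$(date +%F_%T)"
mkdir -p -- "$AUDITDIR"
chmod 700 -- "$AUDITDIR"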
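#######################################
# Ensure a config file contains exactly the wanted line for one setting.
# Arguments:
#   $1 - extended regex identifying the setting's line(s), e.g. '^PASS_MAX_DAYS'
#   $2 - file to check and, if needed, edit
#   $3 - the exact line that must be present
# Globals:
#   BACKUP (read) - suffix of the backup copy sed leaves next to the file
# Outputs:
#   progress messages on stdout
# Behaviour:
#   match equals $3        -> nothing is changed
#   match differs from $3  -> matching line(s) are deleted, then $3 is appended
#   nothing matches        -> $3 is appended
# The earlier version deleted a differing line without re-adding the
# expected one, so a setting that already existed with another value simply
# vanished. Note that the line is appended at the END of the file; for files
# where order matters (PAM stacks) an in-place edit is the better tool.
#######################################
grep_check() {
  local string_to_find="$1"
  local file_to_check="$2"
  local expected="$3"
  local found_line
  found_line="$(grep -E -- "${string_to_find}" "${file_to_check}")"
  if [[ "$found_line" == "$expected" ]]; then
    echo "$string_to_find found in $file_to_check and is as expected"
    return 0
  fi
  if [[ -n "$found_line" ]]; then
    echo "${string_to_find} found in ${file_to_check} but differs, replacing"
    # '|' as address delimiter so a pattern may contain '/'; -E so the same
    # ERE syntax grep just used (\s+ etc.) is understood by sed.  The pattern
    # is passed as ONE quoted argument — the old unquoted form word-split on
    # patterns containing spaces (e.g. the /etc/hosts entries).
    sed -i".${BACKUP}" -E "\\|${string_to_find}|d" "$file_to_check"
  else
    echo "${string_to_find} not found, adding"
  fi
  printf '%s\n' "$expected" >> "$file_to_check"
  echo "$expected added to file $file_to_check"
}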
# Static name resolution for the internal aegis hosts: each entry is used
# both as the search pattern and as the exact line that must be present.
hosts_entries=(
  '172.30.36.35 jsrv2.aegis.res.zwww.ncbd.com'
  '172.30.36.35 jsrv.aegis.res.zwww.ncbd.com'
  '172.30.36.45 update.aegis.res.zwww.ncbd.com'
  '172.30.36.45 update2.aegis.res.zwww.ncbd.com'
  '172.30.36.38 web.aegis.res.zwww.ncbd.com'
)
for hosts_entry in "${hosts_entries[@]}"; do
  grep_check "$hosts_entry" /etc/hosts "$hosts_entry"
done
#grep_check "113.105.168.158 mirrors.aliyun.com" /etc/hosts '113.105.168.158 mirrors.aliyun.com'
##update yum
#mv /etc/yum.repos.d/CentOS-Base.repo /etc/yum.repos.d/CentOS-Base.repo_$TIME.bak
#curl http://mirrors.aliyun.com/repo/Centos-7.repo -o /etc/yum.repos.d/CentOS-Base.repo
#curl http://mirrors.aliyun.com/repo/epel-7.repo -o /etc/yum.repos.d/epel-7.repo
#yum clean all
#yum makecache
#yum -y update
#echo "Removing legacy services..."
#yum -y remove rsh-server rsh ypserv tftp tftp-server talk talk-server telnet-server xinetd >> $AUDITDIR/service_remove_$TIME.log
#echo "Disabling SNMP..."
#yum -y remove net-snmp >> $AUDITDIR/service_remove_$TIME.log
## Login banner: /etc/issue is shown on the console, /etc/issue.net only
## when sshd_config has a 'Banner /etc/issue.net' line (this script sets none).
for banner_file in /etc/issue /etc/issue.net; do
  printf '%s\n' "$ISSUE_MESSAGE" > "$banner_file"
done
## Timestamp every shell history entry
grep_check "export HISTTIMEFORMAT" /etc/profile 'export HISTTIMEFORMAT="%d/%m/%y %T "'
## Password hashing algorithm for /etc/shadow
## NOTE(review): existing hashes are only upgraded when each password is next changed.
echo "Upgrading password hashing algorithm to SHA512..."
authconfig --passalgo=sha512 --update
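###### 預設密碼有效期 (login.defs) #########
echo "Setting Password Expiry Time for users …"
cp /etc/login.defs "$AUDITDIR/login.defs_$TIME.bak"
# Values come from the PASS_* / DISABLE_AFTER_EXPIRATION variables defined at
# the top of the script, so the policy is tuned in one place.
# NOTE(review): login.defs governs accounts created from now on; existing
# accounts keep the ageing fields already in /etc/shadow (adjust with chage).
grep_check "^PASS_MAX_DAYS" /etc/login.defs "PASS_MAX_DAYS = ${PASS_MAX_DAYS}"
grep_check "^PASS_MIN_DAYS" /etc/login.defs "PASS_MIN_DAYS = ${PASS_MIN_DAYS}"
grep_check "^PASS_MIN_LEN" /etc/login.defs "PASS_MIN_LEN = ${PASS_MIN_LEN}"
grep_check "^PASS_WARN_AGE" /etc/login.defs "PASS_WARN_AGE = ${PASS_WARN_AGE}"
grep_check "^DISABLE_AFTER_EXPIRATION" /etc/login.defs "DISABLE_AFTER_EXPIRATION = ${DISABLE_AFTER_EXPIRATION}"
echo "密碼強度策略,針對Centos"
cp /etc/security/pwquality.conf "$AUDITDIR/pwquality.conf_$TIME.bak"
# authconfig regenerates the PAM stacks (system-auth-ac / password-auth-ac)
# and places pam_pwquality and pam_faillock at the correct position itself.
# The hand-written 'password requisite pam_pwquality.so ...' and
# 'auth required pam_faillock.so ...' grep_check lines of the earlier version
# are therefore dropped: grep_check appends at the end of the file, which in a
# PAM stack is behind pam_unix/pam_deny where the entry is never reached, and
# a pattern hit on the stock pam_pwquality line removed that line entirely.
# If even_deny_root is wanted, it belongs in --faillockargs below.
authconfig --enablereqlower --enablerequpper --enablereqdigit --enablereqother --passminlen="${PASS_MIN_LEN}" --update
authconfig --enablefaillock --faillockargs="deny=6 fail_interval=90 unlock_time=300" --update
grep_check "^minlen" /etc/security/pwquality.conf "minlen = ${PASS_MIN_LEN}"
# Was keyed on ^ucredit, which swapped the ucredit line for minclass; key on
# the setting actually being written.
grep_check "^minclass" /etc/security/pwquality.conf 'minclass = 3'
grep_check "^dcredit" /etc/security/pwquality.conf 'dcredit = -1'
grep_check "^lcredit" /etc/security/pwquality.conf 'lcredit = -1'
grep_check "^ocredit" /etc/security/pwquality.conf 'ocredit = -1'
grep_check "^ucredit" /etc/security/pwquality.conf 'ucredit = -1'
# Password history (remember=5): extend the existing 'password sufficient
# pam_unix.so' line in place. A second pam_unix line appended at the bottom
# sits behind the first 'sufficient' one and is never consulted.
# --follow-symlinks keeps /etc/pam.d/system-auth -> system-auth-ac intact;
# a plain 'sed -i' would replace the symlink with a regular file.
for pam_file in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
  cp "$pam_file" "$AUDITDIR/${pam_file##*/}_$TIME.bak"
  sed -i --follow-symlinks -E \
    '/^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so/{/remember=/!s/$/ remember=5/}' \
    "$pam_file"
done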
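echo "Enabling auditd service..."
# enable only marks the unit for boot; the rules written below are loaded the
# next time auditd (re)starts.
systemctl enable auditd
echo "Configuring Audit Log Storage Size..."
cp /etc/audit/auditd.conf "$AUDITDIR/auditd.conf_$TIME.bak"
#sed -i 's/^space_left_action.*$/space_left_action = SYSLOG/' /etc/audit/auditd.conf
#sed -i 's/^action_mail_acct.*$/action_mail_acct = root/' /etc/audit/auditd.conf
#sed -i 's/^admin_space_left_action.*$/admin_space_left_action = SYSLOG/' /etc/audit/auditd.conf
# auditd.conf(5) documents max_log_file as a plain number of megabytes. The
# earlier literal 'max_log_file = 30MB' is not such a value, and because it did
# not match the stock 'max_log_file = 8' line it was appended as a second,
# conflicting entry. Keying on '^max_log_file ' (trailing space) leaves
# max_log_file_action alone.
grep_check "^max_log_file " /etc/audit/auditd.conf 'max_log_file = 30'
echo "Setting audit rules..."
# NOTE(review): on CentOS 7 auditd.service loads rules through augenrules,
# which rebuilds /etc/audit/audit.rules from /etc/audit/rules.d/*.rules at
# each start — a file written directly here may be overwritten; confirm on
# the target and move the rules into rules.d if so.
# NOTE(review): '-w' on a path that does not exist makes auditctl reject that
# rule; sshd is normally /usr/sbin/sshd and nc/netcat may not live in /bin —
# verify the paths on the target. '-e 2' makes the rule set immutable until
# reboot, so get the list right before enabling it.
cp /etc/audit/audit.rules "$AUDITDIR/audit.rules_$TIME.bak"
cat > /etc/audit/audit.rules << "EOF"
-D
-b 320
-w /etc/passwd -p wa -k identity
-w /usr/bin/ps -p w -k file_changes
-w /usr/bin/top -p w -k file_changes
-w /usr/bin/netstat -p w -k file_changes
-w /usr/bin/sshd -p w -k sshd_changes
-w /etc/sudoers -p wa -k actions
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-w /usr/bin/wget -p x -k susp_activity
-w /usr/bin/curl -p x -k susp_activity
-w /usr/bin/base64 -p x -k susp_activity
-w /bin/nc -p x -k susp_activity
-w /bin/netcat -p x -k susp_activity
-e 2
EOF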
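echo "SSH配置加固"
cp /etc/ssh/sshd_config "$AUDITDIR/sshd_config_$TIME.bak"
# NOTE(review): the OpenSSH 7.x on CentOS 7 only speaks protocol 2 and treats
# 'Protocol' as a deprecated keyword (logged, otherwise ignored); kept because
# scanners still look for it.
grep_check "^Protocol" /etc/ssh/sshd_config 'Protocol 2'
grep_check "^LogLevel" /etc/ssh/sshd_config 'LogLevel INFO'
grep_check "^X11Forwarding" /etc/ssh/sshd_config 'X11Forwarding no'
grep_check "^MaxAuthTries" /etc/ssh/sshd_config 'MaxAuthTries 6'
grep_check "^IgnoreRhosts" /etc/ssh/sshd_config 'IgnoreRhosts yes'
grep_check "^HostbasedAuthentication" /etc/ssh/sshd_config 'HostbasedAuthentication no'
# grep_check "^PermitRootLogin" /etc/ssh/sshd_config 'PermitRootLogin no'
grep_check "^PermitEmptyPasswords" /etc/ssh/sshd_config 'PermitEmptyPasswords no'
grep_check "^PermitUserEnvironment" /etc/ssh/sshd_config 'PermitUserEnvironment no'
# grep_check "^Ciphers" /etc/ssh/sshd_config 'Ciphers aes256-ctr,aes192-ctr,aes128-ctr'
# grep_check "MACs" /etc/ssh/sshd_config 'MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com'
grep_check "^ClientAliveInterval" /etc/ssh/sshd_config 'ClientAliveInterval 600'
# NOTE(review): the meaning of ClientAliveCountMax 0 changed across OpenSSH
# releases (older: disconnect after the first unanswered probe; newer: never
# disconnect) — confirm on the target if a 10-minute idle timeout is intended.
grep_check "^ClientAliveCountMax" /etc/ssh/sshd_config 'ClientAliveCountMax 0'
# Validate before restarting: a malformed sshd_config would otherwise leave
# sshd down and lock remote administrators out of the box.
if sshd -t; then
  systemctl restart sshd >> "$AUDITDIR/service_restart_$TIME.log" 2>&1
else
  echo "sshd_config failed 'sshd -t' validation; sshd NOT restarted. Backup: $AUDITDIR/sshd_config_$TIME.bak" >&2
fi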
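#只允許wheel組進行su
cp /etc/pam.d/su "$AUDITDIR/su_$TIME.bak"
# The stock CentOS 7 /etc/pam.d/su carries this line commented out, directly
# after pam_rootok; enabling it in place keeps that stack position instead of
# appending a new entry at the bottom of the file. grep_check afterwards adds
# the line only when nothing matched (e.g. a non-stock file).
sed -i -E 's/^#?[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]]+use_uid.*$/auth required pam_wheel.so use_uid/' /etc/pam.d/su
grep_check "^auth\s+required\s+pam_wheel.so use_uid" /etc/pam.d/su 'auth required pam_wheel.so use_uid'
# NOTE(review): from here on only members of 'wheel' can su to root — make
# sure at least one administrative account is in that group first.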
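## 禁用不必要的系統服務
echo "Disabling Unnecessary Services..."
# NOTE(review): this list differs from systemctl_services_to_disable defined at
# the top of the script, which is never used; some names here (nfslock,
# rpcgssd, rpcidmapd, rpcsvcgssd) may not be unit names on CentOS 7 — verify.
servicelist=(avahi-daemon cups nfslock rpcgssd rpcbind rpcidmapd rpcsvcgssd postfix)
for svc in "${servicelist[@]}"; do
  # The earlier test looked at systemctl's (empty) stdout, so it printed
  # "is Disabled" whatever happened; use the exit status instead.
  # 'disable' only removes the unit from boot; a running instance keeps
  # running until stopped.
  if systemctl disable "$svc" >/dev/null 2>&1; then
    echo "$svc is Disabled"
  else
    echo "could not disable $svc (unit missing?)" >&2
  fi
done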
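##刪除不需要的系統賬戶
userdel games
# NOTE(review): truncating these two files discards the authentication and
# system logs collected so far — the kind of record the audit rules above are
# meant to preserve. A copy is kept in $AUDITDIR (cp -p keeps the 0600 mode
# of /var/log/secure) so the pre-hardening state stays reviewable; consider
# dropping the truncation altogether.
# The earlier 'echo >/var/log' is gone: /var/log is a directory, so it only
# ever produced an error.
for log_file in /var/log/messages /var/log/secure; do
  cp -p "$log_file" "$AUDITDIR/${log_file##*/}_$TIME.bak"
  : > "$log_file"
done
echo ""
echo "Successfully Completed"
echo "Please check $AUDITDIR"
# Non-interactive bash keeps no history list, so this clears nothing and does
# not touch the invoking shell's ~/.bash_history.
history -c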