Linux基线合规检查中各文件的作用及配置脚本

1./etc/motd

操作:echo " Authorized users only. All activity may be monitored and reported " > /etc/motd

效果:telnet和ssh登录后的输出信息

 

2. /etc/issue和/etc/issue.net

操作:echo " Authorized users only. All activity may be monitored and reported " > /etc/issue.net

效果:telnet主机未登录时输出的信息

 

3./etc/syslog.conf--远程日志服务配置文件

 

4./etc/sysctl.conf--操作系统配置文件

 

5./etc/vsftpd/vsftpd.conf--vsftpd配置文件

 

6./etc/ssh/sshd_config--ssh配置文件

 

7./etc/hosts.allow和/etc/hosts.deny--服务连接白名单/黑名单文件

 

8./etc/pam.d/system-auth--系统登录验证配置文件

 

9./etc/init/control-alt-delete.conf--ctrl+alt+del快捷键启用/禁用

 

10./etc/profile--环境变量配置文件,通常用于配置UMASK和TMOUT

 

11./etc/login.defs--口令(长度及有效时长等)配置文件

 

12.基线合规配置脚本(IP注意修改)

MDFDATE=`date +"%Y%m%d"`#add telnet and ssh banner
cp -p /etc/motd /etc/motd.bak${MDFDATE}
cp -p /etc/issue /etc/issue.bak${MDFDATE}
cp -p /etc/issue.net /etc/issue.net.bak${MDFDATE}
echo " Authorized users only. All activity may be monitored and reported " > /etc/motd
echo " Authorized users only. All activity may be monitored and reported " > /etc/issue
echo " Authorized users only. All activity may be monitored and reported " > /etc/issue.net
#/etc/init.d/xinetd restart#set ftp default right
cp -p /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.bak${MDFDATE}
sed -i 's/#ls_recurse_enable=/ls_recurse_enable=/g' /etc/vsftpd/vsftpd.conf
echo "anon_umask=022" >> /etc/vsftpd/vsftpd.conf
#vsftpd 
sed -i '/^anonymous_enable=YES/d' /etc/vsftpd/vsftpd.conf
echo 'anonymous_enable=NO' >> /etc/vsftpd/vsftpd.conf
sed -i '/^chroot_local_user=/d' /etc/vsftpd/vsftpd.conf
echo 'chroot_local_user=YES' >> /etc/vsftpd/vsftpd.conf
sed -i '/^userlist_enable=/d' /etc/vsftpd/vsftpd.conf
echo 'userlist_enable=YES' >> /etc/vsftpd/vsftpd.conf
echo 'userlist_deny=NO' >> /etc/vsftpd/vsftpd.conf
echo 'userlist_file=/etc/vsftpd/ftpuser_deny' >> /etc/vsftpd/vsftpd.conf
cat> /etc/vsftpd/ftpuser_deny << EOF
root
daemon
bin
sys
adm
lp
uucp
nuucp
listen
nobody
noaccess
nobody4
EOF#close not need service
chkconfig cups off#forbidden icmp redirect
cp -p /etc/sysctl.conf /etc/sysctl.conf.bak${MDFDATE}
echo "net.ipv4.conf.all.accept_redirects=0" >> /etc/sysctl.conf
#sysctl -p#add remote log server
cp /etc/syslog.conf /etc/syslog.conf.bak${MDFDATE}
sed -i '/remote-host:514/a\*.info    @192.168.220.128' /etc/syslog.conf
echo 'auht.info       /var/log/authlog' >> /etc/syslog.conf
echo 'authpriv.*   /var/log/authlog' >> /etc/syslog.conf
echo '*.err;auth.info        /var/adm/messages' >> /etc/syslog.conf
touch /var/log/authlog
for f in `cat /etc/rsyslog.conf|grep -v "@"|grep -v "^#" |grep -v "^\$"|grep "/var" |grep -v "\-\/"|awk "{print$2}"`
do
chmod 640 $f
done#forbid root romote login
cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak${MDFDATE}
sed -i 's/^PermitRootLogin yes/#PermitRootLogin yes/g' /etc/ssh/sshd_config
sed -i '/PermitRootLogin yes/a\PermitRootLogin no' /etc/ssh/sshd_config
#/etc/init.d/sshd restart
sed -i 's/^pts/#pts/g' /etc/securetty
#ssh banner
touch /etc/sshbanner
chown bin:bin /etc/sshbanner
chmod 644 /etc/sshbanner
echo " Authorized users only. All activity may be monitored and reported "   > /etc/sshbanner
echo "Banner /etc/sshbanner" >> /etc/ssh/sshd_config
service sshd restart#limit ip to login
echo 'sshd:all:deny' >> /etc/hosts.deny
echo 'sshd:192.168.220.129:allow' >> /etc/hosts.allow
echo 'sshd:192.168.220.:allow' >> /etc/hosts.allow#add password limit
#password remember
#add auth clock
cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth.bak${MDFDATE}
echo "" >> /etc/pam.d/system-auth
echo "password    requisite     pam_cracklib.so dcredit=-1 lcredit=-1 ocredit=-1 minclass=2 minlen=8" >> /etc/pam.d/system-auth
echo "password    sufficient    pam_unix.so remember=5 md5 shadow nullok try_first_pass use_authtok" >> /etc/pam.d/system-auth
echo "auth required pam_tally2.so deny=6 onerr=fail no_magic_root unlock_time=120" >> /etc/pam.d/system-auth#forbid ctrl+alt+del
cp -p /etc/inittab /etc/inittab.bak${MDFDATE}
sed -i '/ctrlaltdel/d' /etc/inittab
cp /etc/init/control-alt-delete.conf /etc/init/control-alt-delete.conf.bak${MDFDATE}
sed -i 's/^start/#start/g' /etc/init/control-alt-delete.conf
sed -i 's/^exec/#exec/g' /etc/init/control-alt-delete.conf#umask
cp -p /etc/profile /etc/profile.bak${MDFDATE}
sed -i 's/umask 022/umask 027/g' /etc/profile
echo 'umask 027' >> /etc/profile
sed -i '/^TMOUT.*/d' /etc/profile
echo "export TMOUT=540" >>/etc/profile
cp -p /etc/csh.cshrc /etc/csh.cshrc.bak${MDFDATE}
echo 'set autologout = 540' >> /etc/csh.cshrc#password file
chmod u+rw /etc/shadow
cp /etc/shadow /etc/shadow.bak${MDFDATE}
sed -i 's/^lp:/lp:!!/g' /etc/shadow
sed -i 's/^nobody:/nobody:!!/g' /etc/shadow
sed -i 's/^uucp:/uucp:!!/g' /etc/shadow
sed -i 's/^games:/games:!!/g' /etc/shadow
sed -i 's/^rpm:/rpm:!!/g' /etc/shadow
sed -i 's/^smmsp:/smmsp:!!/g' /etc/shadow
sed -i 's/^nfsnobody:/nfsnobody:!!/g' /etc/shadow
chmod 0644 /etc/passwd
chmod 0400 /etc/shadow
chmod 0644 /etc/groupcp /etc/login.defs /etc/login.defs.bak${MDFDATE}
sed -i 's/PASS_MIN_LEN.*5*/PASS_MIN_LEN    8/g'  /etc/login.defs
sed -i 's/PASS_MAX_DAYS.*99999/PASS_MAX_DAYS   90/g' /etc/login.defs#application user
#useradd -U forchk
View Code

 

本文来自互联网用户投稿,该文观点仅代表作者本人,不代表本站立场。本站仅提供信息存储空间服务,不拥有所有权,不承担相关法律责任。如若转载,请注明出处:http://www.mzph.cn/news/391714.shtml

如若内容造成侵权/违法违规/事实不符,请联系多彩编程网进行投诉反馈email:809451989@qq.com,一经查实,立即删除!

相关文章

tableau使用_使用Tableau升级Kaplan-Meier曲线

tableau使用In a previous article, I showed how we can create the Kaplan-Meier curves using Python. As much as I love Python and writing code, there might be some alternative approaches with their unique set of benefits. Enter Tableau!在上一篇文章中 &#x…

Nexus3.x.x上传第三方jar

exus3.x.x上传第三方jar&#xff1a; 1. create repository 选择maven2(hosted)&#xff0c;说明&#xff1a; proxy&#xff1a;即你可以设置代理&#xff0c;设置了代理之后&#xff0c;在你的nexus中找不到的依赖就会去配置的代理的地址中找hosted&#xff1a;你可以上传你自…

责备的近义词_考试结果危机:我们应该责备算法吗?

责备的近义词I’ve been considering writing on the topic of algorithms for a little while, but with the Exam Results Fiasco dominating the headline news in the UK during the past week, I felt that now is the time to look more closely into the subject.我一直…

c/c++编译器的安装

MinGW(Minimalist GNU For Windows)是个精简的Windows平台C/C、ADA及Fortran编译器&#xff0c;相比Cygwin而言&#xff0c;体积要小很多&#xff0c;使用较为方便。 MinGW最大的特点就是编译出来的可执行文件能够独立在Windows上运行。 MinGW的组成&#xff1a; 编译器(支持C、…

numpy 线性代数_数据科学家的线性代数—用NumPy解释

numpy 线性代数Machine learning and deep learning models are data-hungry. The performance of them is highly dependent on the amount of data. Thus, we tend to collect as much data as possible in order to build a robust and accurate model. Data is collected i…

spring 注解方式配置Bean

概要&#xff1a; 再classpath中扫描组件 组件扫描&#xff08;component scanning&#xff09;&#xff1a;Spring可以从classpath下自己主动扫描。侦測和实例化具有特定注解的组件特定组件包含&#xff1a; Component&#xff1a;基本注解。标示了一个受Spring管理的组件&…

零元学Expression Blend 4 - Chapter 25 以Text相关功能就能简单做出具有设计感的登入画面...

原文:零元学Expression Blend 4 - Chapter 25 以Text相关功能就能简单做出具有设计感的登入画面本章将交大家如何运用Blend 4 内的Text相关功能做出有设计感的登入画面 让你五分钟就能快速做出一个登入画面 ? 本章将教大家如何运用Blend 4 内的Text相关功能做出有设计感的登入…

冠状病毒时代的负责任数据可视化

First, a little bit about me: I’m a data science grad student. I have been writing for Medium for a little while now. I’m a scorpio. I like long walks on beaches. And writing for Medium made me realize the importance of taking personal responsibility ove…

集合_java集合框架

转载自http://blog.csdn.net/zsw101259/article/details/7570033 Java集合框架图 简化图&#xff1a; Java平台提供了一个全新的集合框架。“集合框架”主要由一组用来操作对象的接口组成。不同接口描述一组不同数据类型。 1、Java 2集合框架图 ①集合接口&#xff1a;6个…

显示随机键盘

显示随机键盘 1 <!DOCTYPE html>2 <html lang"zh-cn">3 <head>4 <meta charset"utf-8">5 <title>7-77 课堂演示</title>6 <link rel"stylesheet" type"text/css" href"style…

数据特征分析-统计分析

一、统计分析 统计分析是对定量数据进行统计描述&#xff0c;常从集中趋势和离中趋势两个方面分析。 集中趋势&#xff1a;指一组数据向某一中心靠拢的倾向&#xff0c;核心在于寻找数据的代表值或中心值-统计平均数&#xff08;算数平均数和位置平均数&#xff09; 算术平均数…

数据eda_银行数据EDA:逐步

数据edaThis banking data was retrieved from Kaggle and there will be a breakdown on how the dataset will be handled from EDA (Exploratory Data Analysis) to Machine Learning algorithms.该银行数据是从Kaggle检索的&#xff0c;将详细介绍如何将数据集从EDA(探索性…

结构型模式之组合

重新看组合/合成&#xff08;Composite&#xff09;模式&#xff0c;发现它并不像自己想象的那么简单&#xff0c;单纯从整体和部分关系的角度去理解还是不够的&#xff0c;并且还有一些通俗的模式讲解类的书&#xff0c;由于其举的例子太过“通俗”&#xff0c;以致让人理解产…

计算机网络原理笔记-三次握手

三次握手协议指的是在发送数据的准备阶段&#xff0c;服务器端和客户端之间需要进行三次交互&#xff1a; 第一次握手&#xff1a;客户端发送syn包(synj)到服务器&#xff0c;并进入SYN_SEND状态&#xff0c;等待服务器确认&#xff1b; 第二次握手&#xff1a;服务器收到syn包…

Bigmart数据集销售预测

Note: This post is heavy on code, but yes well documented.注意&#xff1a;这篇文章讲的是代码&#xff0c;但确实有据可查。 问题描述 (The Problem Description) The data scientists at BigMart have collected 2013 sales data for 1559 products across 10 stores in…

数据特征分析-帕累托分析

帕累托分析(贡献度分析)&#xff1a;即二八定律 目的&#xff1a;通过二八原则寻找属于20%的关键决定性因素。 随机生成数据 df pd.DataFrame(np.random.randn(10)*10003000,index list(ABCDEFGHIJ),columns [销量]) #避免出现负数 df.sort_values(销量,ascending False,i…

dt决策树_决策树:构建DT的分步方法

dt决策树介绍 (Introduction) Decision Trees (DTs) are a non-parametric supervised learning method used for classification and regression. The goal is to create a model that predicts the value of a target variable by learning simple decision rules inferred f…

读C#开发实战1200例子记录-2017年8月14日10:03:55

C# 语言基础应用&#xff0c;注释 "///"标记不仅仅可以为代码段添加说明&#xff0c;它还有一项更重要的工作&#xff0c;就是用于生成自动文档。自动文档一般用于描述项目&#xff0c;是项目更加清晰直观。在VisualStudio2015中可以通过设置项目属性来生成自动文档。…

数据特征分析-正太分布

期望值&#xff0c;即在一个离散性随机变量试验中每次可能结果的概率乘以其结果的总和。 若随机变量X服从一个数学期望为μ、方差为σ^2的正态分布&#xff0c;记为N(μ&#xff0c;σ^2)&#xff0c;其概率密度函数为正态分布的期望值μ决定了其位置&#xff0c;其标准差σ决定…

r语言调用数据集中的数据集_自然语言数据集中未解决的问题

r语言调用数据集中的数据集Garbage in, garbage out. You don’t have to be an ML expert to have heard this phrase. Models uncover patterns in the data, so when the data is broken, they develop broken behavior. This is why researchers allocate significant reso…