Linux基线合规检查中各文件的作用及配置脚本
2017-12-22 16:12
141 查看
1./etc/motd
操作:echo " Authorized users only. All activity may be monitored and reported " > /etc/motd
效果:telnet和ssh登录后的输出信息
View Code
操作:echo " Authorized users only. All activity may be monitored and reported " > /etc/motd
效果:telnet和ssh登录后的输出信息
MDFDATE=`date +"%Y%m%d"` #add telnet and ssh banner cp -p /etc/motd /etc/motd.bak${MDFDATE} cp -p /etc/issue /etc/issue.bak${MDFDATE} cp -p /etc/issue.net /etc/issue.net.bak${MDFDATE} echo " Authorized users only. All activity may be monitored and reported " > /etc/motd echo " Authorized users only. All activity may be monitored and reported " > /etc/issue echo " Authorized users only. All activity may be monitored and reported " > /etc/issue.net #/etc/init.d/xinetd restart #set ftp default right cp -p /etc/vsftpd/vsftpd.conf /etc/vsftpd/vsftpd.conf.bak${MDFDATE} sed -i 's/#ls_recurse_enable=/ls_recurse_enable=/g' /etc/vsftpd/vsftpd.conf echo "anon_umask=022" >> /etc/vsftpd/vsftpd.conf #vsftpd sed -i '/^anonymous_enable=YES/d' /etc/vsftpd/vsftpd.conf echo 'anonymous_enable=NO' >> /etc/vsftpd/vsftpd.conf sed -i '/^chroot_local_user=/d' /etc/vsftpd/vsftpd.conf echo 'chroot_local_user=YES' >> /etc/vsftpd/vsftpd.conf sed -i '/^userlist_enable=/d' /etc/vsftpd/vsftpd.conf echo 'userlist_enable=YES' >> /etc/vsftpd/vsftpd.conf echo 'userlist_deny=NO' >> /etc/vsftpd/vsftpd.conf echo 'userlist_file=/etc/vsftpd/ftpuser_deny' >> /etc/vsftpd/vsftpd.conf cat> /etc/vsftpd/ftpuser_deny << EOF root daemon bin sys adm lp uucp nuucp listen nobody noaccess nobody4 EOF #close not need service chkconfig cups off #forbidden icmp redirect cp -p /etc/sysctl.conf /etc/sysctl.conf.bak${MDFDATE} echo "net.ipv4.conf.all.accept_redirects=0" >> /etc/sysctl.conf #sysctl -p #add remote log server cp /etc/syslog.conf /etc/syslog.conf.bak${MDFDATE} sed -i '/remote-host:514/a\*.info @192.168.220.128' /etc/syslog.conf echo 'auht.info /var/log/authlog' >> /etc/syslog.conf echo 'authpriv.* /var/log/authlog' >> /etc/syslog.conf echo '*.err;auth.info /var/adm/messages' >> /etc/syslog.conf touch /var/log/authlog for f in `cat /etc/rsyslog.conf|grep -v "@"|grep -v "^#" |grep -v "^\$"|grep "/var" |grep -v "\-\/"|awk "{print$2}"` do chmod 640 $f done #forbid root romote login cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak${MDFDATE} sed -i 's/^PermitRootLogin yes/#PermitRootLogin yes/g' /etc/ssh/sshd_config sed -i '/PermitRootLogin yes/a\PermitRootLogin no' /etc/ssh/sshd_config #/etc/init.d/sshd restart sed -i 's/^pts/#pts/g' /etc/securetty #ssh banner touch /etc/sshbanner chown bin:bin /etc/sshbanner chmod 644 /etc/sshbanner echo " Authorized users only. All activity may be monitored and reported " > /etc/sshbanner echo "Banner /etc/sshbanner" >> /etc/ssh/sshd_config service sshd restart #limit ip to login echo 'sshd:all:deny' >> /etc/hosts.deny echo 'sshd:192.168.220.129:allow' >> /etc/hosts.allow echo 'sshd:192.168.220.:allow' >> /etc/hosts.allow #add password limit #password remember #add auth clock cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth.bak${MDFDATE} echo "" >> /etc/pam.d/system-auth echo "password requisite pam_cracklib.so dcredit=-1 lcredit=-1 ocredit=-1 minclass=2 minlen=8" >> /etc/pam.d/system-auth echo "password sufficient pam_unix.so remember=5 md5 shadow nullok try_first_pass use_authtok" >> /etc/pam.d/system-auth echo "auth required pam_tally2.so deny=6 onerr=fail no_magic_root unlock_time=120" >> /etc/pam.d/system-auth #forbid ctrl+alt+del cp -p /etc/inittab /etc/inittab.bak${MDFDATE} sed -i '/ctrlaltdel/d' /etc/inittab cp /etc/init/control-alt-delete.conf /etc/init/control-alt-delete.conf.bak${MDFDATE} sed -i 's/^start/#start/g' /etc/init/control-alt-delete.conf sed -i 's/^exec/#exec/g' /etc/init/control-alt-delete.conf #umask cp -p /etc/profile /etc/profile.bak${MDFDATE} sed -i 's/umask 022/umask 027/g' /etc/profile echo 'umask 027' >> /etc/profile sed -i '/^TMOUT.*/d' /etc/profile echo "export TMOUT=540" >>/etc/profile cp -p /etc/csh.cshrc /etc/csh.cshrc.bak${MDFDATE} echo 'set autologout = 540' >> /etc/csh.cshrc #password file chmod u+rw /etc/shadow cp /etc/shadow /etc/shadow.bak${MDFDATE} sed -i 's/^lp:/lp:!!/g' /etc/shadow sed -i 's/^nobody:/nobody:!!/g' /etc/shadow sed -i 's/^uucp:/uucp:!!/g' /etc/shadow sed -i 's/^games:/games:!!/g' /etc/shadow sed -i 's/^rpm:/rpm:!!/g' /etc/shadow sed -i 's/^smmsp:/smmsp:!!/g' /etc/shadow sed -i 's/^nfsnobody:/nfsnobody:!!/g' /etc/shadow chmod 0644 /etc/passwd chmod 0400 /etc/shadow chmod 0644 /etc/group cp /etc/login.defs /etc/login.defs.bak${MDFDATE} sed -i 's/PASS_MIN_LEN.*5*/PASS_MIN_LEN 8/g' /etc/login.defs sed -i 's/PASS_MAX_DAYS.*99999/PASS_MAX_DAYS 90/g' /etc/login.defs #application user #useradd -U forchk
View Code
相关文章推荐
- linux环境下不同脚本文件配置的环境变量作用域范围的区别
- 详细讲解Linux启动流程及启动用到的配置文件及脚本
- 嵌入式Linux启动配置文件及脚本分…
- linux各种配置文件的作用
- 彻底摆脱配置文件 七(基于linux USER2信号检查当前管理的配置项信息)
- 详细讲解Linux启动流程及启动用到的配置文件及脚本
- Linux脚本调用Java模板,将Properties文件放到CLASSPATH中的配置方式
- linux中各个shell配置脚本文件的作用域和启动时间
- shell脚本批量监控Linux server配置文件的更改
- 详细讲解Linux启动流程及启动用到的配置文件及脚本
- 在linux中 apache 重写失效(各种模块都开了不启作用。 httpd.conf中是否加载其它配置文件
- linux系统的各配置文件的作用
- Linux 中 rc.local、init.d、rc.x、init 这几个文件(夹)各有什么作用?启动执行的脚本应该均放在 rc.local 中吗?
- Linux配置文件与脚本文件
- 检查NGINX配置文件修改后自动reload脚本
- 利用linux脚本ssh到路由器自动备份配置文件
- linux 命令系列之 环境变量配置文件作用(52)
- linux系统各配置文件作用
- 【转】嵌入式Linux启动配置文件及脚本
- 详细讲解Linux启动流程及启动用到的配置文件及脚本