检查 yum 源配置(确认启用的仓库可信且 gpgcheck=1),然后执行 yum update;更新完成后再删除或禁用无效的公网 yum 源,避免之后从不可控的外部仓库拉取软件包。
1.查找全局可写(other 可写)且未设置粘滞位(sticky bit)的目录。判定条件是 o+w 且无 sticky 位(-perm -0002 且非 -1000):例如 777、767、766 权限的目录会被列出,而已设置粘滞位的目录(如 /tmp 的 1777)不会。
# List world-writable directories that lack the sticky bit on every local
# filesystem. Column 6 of `df -P` is the mount point; the header row is
# skipped, and -xdev keeps find from descending into other mounts.
df --local -P 2>/dev/null \
  | awk 'NR > 1 { print $6 }' \
  | while IFS= read -r mount_point; do
      find "$mount_point" -xdev -type d -perm -0002 ! -perm -1000 2>/dev/null
    done
修复命令(对上一步列出的目录设置粘滞位,而不是收回 group/other 的访问权限):
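# Remediation for a world-writable directory found above: add the sticky bit
# so only a file's owner (or root) can delete/rename entries in it.
# Do NOT use `chmod -R 700` here: it strips group/other access from the whole
# subtree and breaks legitimately shared directories (the scan already skips
# directories that have the sticky bit, so the bit is the expected fix).
chmod a+t 目录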
2.设置Bootloader 权限配置
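# Bootloader config must be owned by root and unreadable by anyone else: it
# may hold the GRUB password hash and kernel command-line overrides.
chown root:root /boot/grub2/grub.cfg
chmod og-rwx /boot/grub2/grub.cfg
# NOTE(review): on UEFI hosts the live config is under /boot/efi/EFI/<distro>/
# on a vfat partition where chmod has no effect — confirm which layout applies.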
3.统一设置告警信息
# Legal warning banner shown before login (/etc/issue) and after login
# (/etc/motd). Both files are overwritten so any distro default text goes.
banner='Authorized uses only. All activity may be monitored and reported.'
for target in /etc/issue /etc/motd; do
  printf '%s\n' "$banner" > "$target"
done
4.虚拟机上直接卸载下列不需要的服务/软件包;其他(物理)机器如需保留这些包,必须有业务依据并通过审计。
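# Remove network-facing and legacy services a headless VM does not need.
# The X-server pattern is quoted so the shell cannot glob-expand it against
# files in the current directory before yum sees it.
# NOTE(review): removing rpcbind breaks NFS clients and removing rsync breaks
# rsync-based backups/deployments — confirm neither is in use on the host.
yum remove 'xorg-x11-server*' bind vsftpd samba telnet-server rpcbind rsync openldap-clients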
5.禁用IPV6
# Disable IPv6 on all current and future interfaces; `sysctl -p` re-reads
# /etc/sysctl.conf so the change applies without a reboot.
# NOTE(review): re-running appends duplicate lines, and any service bound to
# an IPv6 address (e.g. sshd ListenAddress ::) loses that listener — check first.
cat >> /etc/sysctl.conf <<'EOF'
net.ipv6.conf.all.disable_ipv6 = 1
net.ipv6.conf.default.disable_ipv6 = 1
EOF
sysctl -p
6. 禁止本机发送 ICMP 重定向(send_redirects),避免被利用来篡改同网段主机的路由。
# Persist: never send ICMP redirects (this host is not a router).
cat >> /etc/sysctl.conf <<'EOF'
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
EOF
运行以下命令来设置活动内核参数:
# Apply to the running kernel, then flush the route cache so the new
# setting takes effect for existing routes.
for key in net.ipv4.conf.all.send_redirects net.ipv4.conf.default.send_redirects; do
  sysctl -w "${key}=0"
done
sysctl -w net.ipv4.route.flush=1
7.确保不接受“安全的”ICMP 重定向(secure_redirects,即来自已知网关的重定向)。注意该参数只在 accept_redirects 开启时才有意义,两者应一并关闭。
# Persist: ignore ICMP redirects even when they come from a listed gateway.
cat >> /etc/sysctl.conf <<'EOF'
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
EOF
运行以下命令来设置活动内核参数:
# Apply to the running kernel and flush the route cache.
for key in net.ipv4.conf.all.secure_redirects net.ipv4.conf.default.secure_redirects; do
  sysctl -w "${key}=0"
done
sysctl -w net.ipv4.route.flush=1
8.确保记录可疑数据包
# Persist: log packets with impossible source addresses ("martians") so
# spoofing attempts show up in the kernel log.
cat >> /etc/sysctl.conf <<'EOF'
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
EOF
运行以下命令来设置活动内核参数:
# Apply to the running kernel and flush the route cache.
for key in net.ipv4.conf.all.log_martians net.ipv4.conf.default.log_martians; do
  sysctl -w "${key}=1"
done
sysctl -w net.ipv4.route.flush=1
9.确保审计日志不被自动删除
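# Keep audit logs instead of rotating them away (max_log_file_action defaults
# to ROTATE). The substitution is anchored to that keyword so only this
# setting changes; the original `s\ROTATE\keep_logs\g` used a backslash
# delimiter (non-portable) and an unanchored pattern that would also rewrite
# any other ROTATE in the file.
sed -i 's/^max_log_file_action[[:space:]]*=.*/max_log_file_action = keep_logs/' /etc/audit/auditd.conf
# NOTE(review): with keep_logs the log partition can fill up; pair this with
# space_left_action / admin_space_left_action, which this step does not set.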
10.收集修改日志和时间信息的事件
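# Audit every way of changing the system clock or timezone. All rules share
# the key "time-change" so they can be searched together (ausearch -k); the
# original tagged the b32 adjtimex/settimeofday rule "timechange", which
# silently split those events off from the others.
# stime exists only in the 32-bit syscall table, hence b32 only.
# NOTE(review): `>>` appends, so re-running duplicates the rules.
cat >> /etc/audit/rules.d/50-time_change.rules <<'EOF'
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
EOF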
11.收集修改user/group信息的事件
# Watch the account databases for writes and attribute changes (-p wa) under
# the key "identity".
printf '%s\n' \
  '-w /etc/group -p wa -k identity' \
  '-w /etc/passwd -p wa -k identity' \
  '-w /etc/gshadow -p wa -k identity' \
  '-w /etc/shadow -p wa -k identity' \
  '-w /etc/security/opasswd -p wa -k identity' \
  >> /etc/audit/rules.d/50-identity.rules
12.收集修改系统网络环境信息的事件
# Record hostname/domain changes and edits to the files that define the
# host's network identity and banners, keyed "system-locale".
# NOTE(review): interface definitions under /etc/sysconfig/network-scripts/
# are not watched here — confirm whether that is intended.
printf '%s\n' \
  '-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale' \
  '-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale' \
  '-w /etc/issue -p wa -k system-locale' \
  '-w /etc/issue.net -p wa -k system-locale' \
  '-w /etc/hosts -p wa -k system-locale' \
  '-w /etc/sysconfig/network -p wa -k system-locale' \
  >> /etc/audit/rules.d/50-system_local.rules
13.收集登入和登出事件
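# Record login/logout bookkeeping: last-login records and the faillock
# counters. The file is named after its contents (50-logins.rules) — the
# original wrote these into "50-MAC_policy.rules", a name that suggests
# SELinux/MAC rules and would mislead anyone auditing the rule set.
cat >> /etc/audit/rules.d/50-logins.rules <<'EOF'
-w /var/log/lastlog -p wa -k logins
-w /var/run/faillock/ -p wa -k logins
EOF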
14. 收集session 初始化信息
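# Session bookkeeping: utmp (current sessions), wtmp (login history) and
# btmp (failed logins). The original heredoc also contained the bare path
# "/etc/audit/rules.d/50-session.rules" as its first line, which would have
# been written into the rules file as an invalid rule and most likely made
# augenrules/auditctl reject the file — that line is removed.
cat >> /etc/audit/rules.d/50-session.rules <<'EOF'
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k logins
-w /var/log/btmp -p wa -k logins
EOF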
15.收集任意访问控制权限修改事件
# Audit DAC changes (mode, ownership, extended attributes) made by real users:
# auid>=1000 excludes system accounts, auid!=4294967295 excludes processes
# with no login uid set. The common filter is factored into a variable and
# expanded by the (unquoted) heredoc.
perm_filter='-F auid>=1000 -F auid!=4294967295 -k perm_mod'
cat >> /etc/audit/rules.d/50-perm_mod.rules <<EOF
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat ${perm_filter}
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat ${perm_filter}
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown ${perm_filter}
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown ${perm_filter}
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr ${perm_filter}
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr ${perm_filter}
EOF
16. 收集不成功的未授权的文件访问尝试
# Record failed file opens/creates/truncates by real users, both for
# permission denials (EACCES) and operation-not-permitted (EPERM).
access_filter='-F auid>=1000 -F auid!=4294967295 -k access'
syscalls='-S creat -S open -S openat -S truncate -S ftruncate'
cat >> /etc/audit/rules.d/50-access.rules <<EOF
-a always,exit -F arch=b64 ${syscalls} -F exit=-EACCES ${access_filter}
-a always,exit -F arch=b32 ${syscalls} -F exit=-EACCES ${access_filter}
-a always,exit -F arch=b64 ${syscalls} -F exit=-EPERM ${access_filter}
-a always,exit -F arch=b32 ${syscalls} -F exit=-EPERM ${access_filter}
EOF
17.收集对文件系统成功的挂载
# Record mount() calls made by real users, for both syscall ABIs.
for arch in b64 b32; do
  printf '%s\n' "-a always,exit -F arch=${arch} -S mount -F auid>=1000 -F auid!=4294967295 -k mounts"
done >> /etc/audit/rules.d/50-mounts.rules
18.收集用户删除文件事件
# Record file deletion and renaming by real users, for both syscall ABIs.
for arch in b64 b32; do
  printf '%s\n' "-a always,exit -F arch=${arch} -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete"
done >> /etc/audit/rules.d/50-deletion.rules
19.收集系统管理范围的更改
# Watch the sudo policy (main file and drop-in directory) for changes.
printf '%s\n' \
  '-w /etc/sudoers -p wa -k scope' \
  '-w /etc/sudoers.d/ -p wa -k scope' \
  >> /etc/audit/rules.d/50-scope.rules
20.收集系统管理命令执行
# Record every execve where a real user ends up running as root with an
# effective uid different from the real uid (sudo, su, setuid binaries).
for arch in b64 b32; do
  printf '%s\n' "-a always,exit -F arch=${arch} -C euid!=uid -F euid=0 -F auid>=1000 -F auid!=4294967295 -S execve -k actions"
done >> /etc/audit/rules.d/50-actions.rules
21.收集内核模块加载和卸载
# Record kernel module loading/unloading: execution of the module tools and
# the init_module/delete_module syscalls (64-bit ABI).
# NOTE(review): finit_module (used by newer modprobe/kmod) and the b32 ABI
# are not covered here — confirm whether that is acceptable.
printf '%s\n' \
  '-w /sbin/insmod -p x -k modules' \
  '-w /sbin/rmmod -p x -k modules' \
  '-w /sbin/modprobe -p x -k modules' \
  '-a always,exit -F arch=b64 -S init_module -S delete_module -k modules' \
  >> /etc/audit/rules.d/50-modules.rules
22.将journald 配置为发送日志给rsyslog
# Forward journal entries to rsyslog. Appending at end of file works when the
# stock journald.conf ends with its [Journal] section (the default layout);
# systemd-journald must be restarted for the change to take effect.
printf 'ForwardToSyslog=yes\n' >>/etc/systemd/journald.conf
23.将journald 配置为可压缩大型日志文件
# Compress large journal objects on disk (same [Journal]-section caveat as
# the other journald.conf appends; restart systemd-journald afterwards).
printf 'Compress=yes\n' >>/etc/systemd/journald.conf
24.将journald 配置为可写日志文件到持久化存储
# Keep the journal on disk (/var/log/journal) so logs survive a reboot
# instead of living only in /run; restart systemd-journald afterwards.
printf 'Storage=persistent\n' >>/etc/systemd/journald.conf
25.配置/etc/crontab权限
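# /etc/crontab: root-owned, readable/writable by root only, and not
# executable (it is a table, not a script). Ownership is set explicitly,
# matching the cron.weekly step, so a stray chown elsewhere cannot undo this.
chown root:root /etc/crontab
chmod u-x,og-rwx /etc/crontab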
26.配置/etc/cron.hourly权限
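# /etc/cron.hourly: root-owned, no group/other access (u keeps rwx so cron
# can still traverse the directory).
chown root:root /etc/cron.hourly
chmod og-rwx /etc/cron.hourly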
27.配置/etc/cron.daily的权限
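# /etc/cron.daily: root-owned, no group/other access.
chown root:root /etc/cron.daily
chmod og-rwx /etc/cron.daily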
28.配置/etc/cron.weekly的权限
# /etc/cron.weekly: no group/other access, owned by root. (The two commands
# are independent, so their order does not matter.)
chmod go-rwx /etc/cron.weekly
chown root:root /etc/cron.weekly
29.配置/etc/cron.monthly的权限
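# /etc/cron.monthly: root-owned, no group/other access.
chown root:root /etc/cron.monthly
chmod og-rwx /etc/cron.monthly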
30.配置/etc/cron.d的权限
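# /etc/cron.d: root-owned, no group/other access.
chown root:root /etc/cron.d
chmod og-rwx /etc/cron.d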
31.确保cron被限定为授权用户访问
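# Switch cron to an allow-list: with cron.deny gone and cron.allow present,
# only users listed in cron.allow may use crontab. `rm -f` so a missing
# cron.deny does not fail the `&&` chain and leave cron.allow uncreated.
rm -f /etc/cron.deny && touch /etc/cron.allow
chown root:root /etc/cron.allow && chmod u-x,og-rwx /etc/cron.allow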
32.确保at被限定为授权
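# Same allow-list model for at(1): remove at.deny (-f: absent is fine) and
# create an empty root-only at.allow, which denies everyone until names are added.
rm -f /etc/at.deny
touch /etc/at.allow
chown root:root /etc/at.allow
chmod u-x,og-rwx /etc/at.allow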
33.确保sudo 命令使用 pty
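# Make sudo run commands in a fresh pseudo-terminal (sudoers(5) use_pty).
# Written as a drop-in and validated with visudo rather than echoed straight
# into /etc/sudoers: a syntax error in /etc/sudoers locks everyone out of sudo.
# NOTE(review): relies on `#includedir /etc/sudoers.d` being present in
# /etc/sudoers (the RHEL/CentOS default) — confirm.
sudoers_dropin=/etc/sudoers.d/use_pty
printf 'Defaults use_pty\n' > "$sudoers_dropin"
chmod 0440 "$sudoers_dropin"
visudo -cf "$sudoers_dropin" || { rm -f "$sudoers_dropin"; echo "visudo rejected $sudoers_dropin; removed" >&2; }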
34.确保sudo 日志文件存在
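# Log every sudo invocation to a dedicated file. The original's nested quotes
# collapsed in the shell to `Defaults logfile=/var/log/sudo.log`, which is
# what is written here, via a validated drop-in instead of a raw append to
# /etc/sudoers (a syntax error there would disable sudo entirely).
# NOTE(review): requires `#includedir /etc/sudoers.d` in /etc/sudoers — confirm.
sudoers_logfile_dropin=/etc/sudoers.d/logfile
printf 'Defaults logfile=/var/log/sudo.log\n' > "$sudoers_logfile_dropin"
chmod 0440 "$sudoers_logfile_dropin"
visudo -cf "$sudoers_logfile_dropin" || { rm -f "$sudoers_logfile_dropin"; echo "visudo rejected $sudoers_logfile_dropin; removed" >&2; }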
35.限制SSH 访问
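# Restrict which accounts may authenticate over SSH. sshd accumulates
# AllowUsers across lines, so one line is equivalent to the original six and
# easier to audit.
# NOTE(review): listing root here is at odds with the usual
# `PermitRootLogin no` hardening, and mysql is a service account — confirm
# both genuinely need interactive SSH access.
# Appending to sshd_config is only safe if the file does not end in a Match
# block (the new line would otherwise land inside it); `sshd -t` validates
# the result before the next reload.
cat >> /etc/ssh/sshd_config <<'EOF'
AllowUsers vkapp s-linuxad zabbix s-zabbix mysql root
EOF
/usr/sbin/sshd -t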
36.禁用 SSH X11 Forwarding
# Turn off X11 forwarding. This only rewrites an existing uncommented
# "X11Forwarding yes" line (the stock RHEL/CentOS config ships one); if the
# directive is commented out or absent the sed is a no-op and the line must
# be added explicitly.
sed -i 's/X11Forwarding yes/X11Forwarding no/g' /etc/ssh/sshd_config
37.配置SSH Idle 超时间隔
# Disconnect idle sessions: probe after 900 s of silence and allow no missed
# replies.
# NOTE(review): ClientAliveCountMax 0 means "drop on the first missed
# keepalive" on OpenSSH before 8.2 but "never drop" on 8.2 and later —
# confirm the installed version before relying on this timeout.
printf '%s\n' 'ClientAliveInterval 900' 'ClientAliveCountMax 0' >>/etc/ssh/sshd_config
38.将ssh loginGraceTime 设置为一分钟或更少
# Give unauthenticated connections at most 60 s to log in. Only the
# commented default line "#LoginGraceTime 2m" is rewritten; an already
# customised LoginGraceTime line is left as it is.
sed -i 's/#LoginGraceTime 2m/LoginGraceTime 60/g' /etc/ssh/sshd_config
39. 配置SSH 警告标语
# Replace the pre-authentication SSH banner (old file kept as a backup) and
# point sshd at it. Note the wording here differs from the /etc/issue banner
# set earlier; the Banner directive is appended like the other sshd options.
mv /etc/issue.net /etc/issue.net_bak
printf '%s\n' 'Authorized only. All activity will be monitored and reported' >>/etc/issue.net
printf 'Banner /etc/issue.net\n' >>/etc/ssh/sshd_config
40.配置SSH MaxStartups
# Rate-limit unauthenticated connections: allow 10, then drop 30% of new
# ones, rising linearly to 100% at 60 pending connections. Keywords are
# case-insensitive to sshd, so the lowercase spelling is kept as written.
printf 'maxstartups 10:30:60\n' >> /etc/ssh/sshd_config
41. 配置密码创建需求
# Require all four character classes (upper, lower, digit, other) in new
# passwords by uncommenting the stock "# minclass = 0" line.
# NOTE(review): this is only enforced if pam_pwquality is in the password
# stack (system-auth/password-auth) — confirm rather than assume.
sed -i 's/# minclass = 0/minclass = 4/g' /etc/security/pwquality.conf
42.设置密码过期时间
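# Cap password lifetime at 365 days for the listed existing accounts (chage)
# and for accounts created later (PASS_MAX_DAYS in login.defs). The sed is
# anchored to the PASS_MAX_DAYS line so it cannot rewrite other occurrences
# of 99999 in the file, unlike the original unanchored `s\99999\365\g`.
# NOTE(review): root and zabbix are not in the list — confirm that is intended.
for account in s-linuxad vkapp s-zabbix mysql; do
  chage --maxdays 365 "$account"
done
sed -i 's/^PASS_MAX_DAYS[[:space:]].*/PASS_MAX_DAYS 365/' /etc/login.defs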
43.确保密码过期后的不活跃锁定天数 ≤ 90 天。注意:下面配置的 180 天并不满足该要求,属于放宽;如按 180 执行需记录为基线例外并说明理由。
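# Lock an account 180 days after its password expires without being changed.
# `useradd -D -f` sets the default for accounts created later; chage applies
# the same value to the existing accounts — the same set used for the
# password-expiry step, not only vkapp as in the original.
# NOTE(review): 180 exceeds the <=90-day requirement stated for this item.
useradd -D -f 180
for account in s-linuxad vkapp s-zabbix mysql; do
  chage --inactive 180 "$account"
done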
44. 配置用户umask
# Default umask 027 (new files 640, directories 750) for login and
# interactive shells of all users and for root's own bash/csh rc files.
# Appending puts the line after any distro default, so it wins.
for rc_file in /etc/profile /etc/csh.login /etc/bashrc /etc/csh.cshrc /root/.bashrc /root/.cshrc; do
  printf 'umask 027\n' >> "$rc_file"
done
45.限制对su 命令的访问
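# Only members of sugroup may use su. `groupadd -f` succeeds when the group
# already exists, so re-running does not abort here, and the pam line is
# only appended once. PAM evaluates auth lines by type regardless of file
# position, so the appended `required` line is still consulted for non-root
# users after system-auth; root is let through earlier by pam_rootok.so
# (normally the first auth line in /etc/pam.d/su).
# Keep sugroup membership minimal — an empty group disables su entirely for
# everyone but root.
groupadd -f sugroup
grep -q 'pam_wheel.so.*group=sugroup' /etc/pam.d/su \
  || echo "auth required pam_wheel.so use_uid group=sugroup" >>/etc/pam.d/su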
46.确保对audit进程启用之前运行的进程进行审计
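# Enable auditing from early boot so processes started before auditd are
# still recorded. The literal `GRUB_CMDLINE_LINUX="audit=1"` shown in the
# original would REPLACE the whole kernel command line (dropping root=,
# crashkernel=, etc.); instead audit=1 is appended to the existing value,
# and only if not already present.
grep -q '\baudit=1\b' /etc/default/grub \
  || sed -i 's/^\(GRUB_CMDLINE_LINUX="[^"]*\)"/\1 audit=1"/' /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg
# NOTE(review): on UEFI hosts the generated config lives under
# /boot/efi/EFI/<distro>/grub.cfg instead — confirm the target path.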
47.确保audit_backlog_limit是有效的
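# Give the kernel audit queue enough room (8192 records) for early boot so
# events are not dropped before auditd starts. As with audit=1, the value is
# appended to GRUB_CMDLINE_LINUX rather than overwriting it — the literal
# assignment in the original would also have wiped the audit=1 added in the
# previous step.
grep -q 'audit_backlog_limit=' /etc/default/grub \
  || sed -i 's/^\(GRUB_CMDLINE_LINUX="[^"]*\)"/\1 audit_backlog_limit=8192"/' /etc/default/grub
grub2-mkconfig -o /boot/grub2/grub.cfg
# NOTE(review): UEFI hosts generate to /boot/efi/EFI/<distro>/grub.cfg — confirm.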
48.确保仅有强ciphers被使用、确保仅有强MAC算法被使用、确保仅有强key交换算法被使用
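# Restrict SSH to strong algorithms. The original KexAlgorithms list also
# contained diffie-hellman-group14-sha1, diffie-hellman-group-exchange-sha1
# and diffie-hellman-group1-sha1 (SHA-1 based; group1 is a 1024-bit group),
# which defeats the "strong key exchange only" goal — they are dropped here.
# sshd honours the FIRST occurrence of a keyword, so these appended lines are
# ignored if Ciphers/MACs/KexAlgorithms already appear earlier in the file;
# check the effective values with `sshd -T`. `sshd -t` validates the syntax.
cat >> /etc/ssh/sshd_config <<'EOF'
Ciphers chacha20-poly1305@openssh.com,aes256-gcm@openssh.com,aes128-gcm@openssh.com,aes256-ctr,aes192-ctr,aes128-ctr
MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256
KexAlgorithms curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256
EOF
/usr/sbin/sshd -t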
49.配置密码连续失败后的账号锁定。注意:只修改 /etc/pam.d/sshd 仅对 SSH 登录计数,控制台、su、sudo 的失败尝试不会被统计;另外 pam_tally2 在新版 Linux-PAM 中已被 pam_faillock 取代,若系统提供 pam_faillock,应优先在 system-auth/password-auth 中统一配置。
vi /etc/pam.d/sshd
在最后一条 auth 行(RHEL/CentOS 7 默认为 `auth include postlogin`)下方添加,以确保成功和失败的认证都会经过计数模块:
auth required pam_tally2.so deny=5 unlock_time=600
在account行下方添加:
account required pam_tally2.so