SLTechnology News & Howtos > Network Security (updated 2025-01-17)
Shulou (Shulou.com) 06/01 report
View the log at a specified time
$ journalctl --since="2012-10-30 18:17:16"
$ journalctl --since "20 min ago"
$ journalctl --since yesterday
$ journalctl --since "2015-01-10" --until "2015-01-11 03:00"
$ journalctl --since 09:00 --until "1 hour ago"
Show the latest 10 lines of the log (the tail)
$ journalctl -n
Show the specified number of lines at the end of the log
$ journalctl -n 20
Scroll the latest log entries in real time
$ journalctl -f
View the log of the specified service
$ journalctl /usr/lib/systemd/systemd
View the log of the specified process
$ journalctl _PID=1
View the log of a script at a given path
$ journalctl /usr/bin/bash
View the log of the specified user
$ journalctl _UID=33 --since today
View the log of a Unit
$ journalctl -u nginx.service
$ journalctl -u nginx.service --since today
Scroll the latest log of a Unit in real time
$ journalctl -u nginx.service -f
Merge and display the logs of multiple Units
$ journalctl -u nginx.service -u php-fpm.service --since today
View logs with the specified priority (and above). There are 8 levels:
0: emerg, 1: alert, 2: crit, 3: err, 4: warning, 5: notice, 6: info, 7: debug
$ journalctl -p err -b
The log is paged by default; --no-pager switches to normal standard output
$ journalctl --no-pager
Output in JSON format (single line)
$ journalctl -b -u nginx.service -o json
Output in JSON format (multi-line) for better readability
$ journalctl -b -u nginx.service -o json-pretty
Display the disk space occupied by the log
$ journalctl --disk-usage
Specify the maximum space the log files may occupy
$ journalctl --vacuum-size=1G
Specify how long log files are kept
$ journalctl --vacuum-time=1years
Audit log
auditctl -l
auditctl -w /etc/passwd -p rxwa
vi /etc/audit/audit.rules
ausearch -f /etc/passwd | grep useradd
aureport
First, organize the list of more than 100 check items.
Second, write them into a script with an automatic batch-processing function.
Automated operation and maintenance tools (ansible, puppet, saltstack, cf)
Set PASS_MAX_DAYS in the file /etc/login.defs to a value not greater than the standard value
Set PASS_MIN_DAYS in the file /etc/login.defs to a value not less than the standard value
Set PASS_MIN_LEN in the file /etc/login.defs to a value not less than the standard value
Set PASS_WARN_AGE in the file /etc/login.defs to a value not less than the standard value
awk -F: '$3 == 0 {print $1}' /etc/passwd
In the file /etc/passwd, the UID (the field between the second and third colons) must not be 0 on any line except the root line
Redhat system: modify the /etc/pam.d/system-auth file
Suse9: modify the /etc/pam.d/passwd file
Suse10, Suse11: modify the /etc/pam.d/common-password file
Select 3 of the 4 options ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 and append them to the password requisite pam_cracklib.so line in the configuration file (a value of -1 means at least one character of that class is required).
For example: password requisite pam_cracklib.so ucredit=-1 lcredit=-1 dcredit=-1
Note: ucredit: number of uppercase letters; lcredit: number of lowercase letters; dcredit: number of digits; ocredit: number of special characters
Reference configuration action:
(1) Set the default permissions of user directories: execute the command vi /etc/login.defs and edit the file
(2) Set umask 027 or UMASK 027 in the file so that the default access is 750. If the file already contains the umask parameter, set it at the beginning
chmod 644 /etc/passwd
chmod 750 /etc/rc.d/init.d/
chmod 750 /tmp
chmod 600 /etc/xinetd.conf   Note: lower versions of Linux use the inetd.conf configuration file; execute the command chmod 600 /etc/inetd.conf
chmod 750 /etc/rc5.d/
chmod 750 /etc/rc4.d
chmod 750 /etc/
chmod 600 /etc/security
chmod 400 /etc/shadow
If the /etc/grub.conf file exists and is not a link, execute chmod 600 /etc/grub.conf; if the /boot/grub/grub.conf file exists, execute chmod 600 /boot/grub/grub.conf
If the /etc/lilo.conf file exists, execute chmod 600 /etc/lilo.conf
chmod 644 /etc/services
chmod 750 /etc/rc0.d/
chmod 750 /etc/rc6.d
chmod 750 /etc/rc2.d/
chmod 644 /etc/group
chmod 750 /etc/rc1.d/
chmod 750 /etc/rc3.d
Set umask 077 or UMASK 077 in the file /etc/csh.cshrc
Check the file /etc/bashrc (or /etc/bash.bashrc) and set umask 077 or UMASK 077
Set umask 077 or UMASK 077 in the file /etc/csh.login
Set umask 077 or UMASK 077 in the file /etc/profile
Execute chattr +i /etc/gshadow
Execute chattr +i /etc/shadow
Execute chattr +i /etc/group
Execute chattr +i /etc/passwd
For each of the four files above: if chattr is not supported, edit /etc/fstab, add user_xattr,attrs to the options of the corresponding reiserfs filesystem, and then restart the host. (The immutable bit must be removed again with chattr -i before any account or password change can be written to these files.)
1. Execute the following commands to create an ssh banner information file:
# touch /etc/ssh_banner
# chown bin:bin /etc/ssh_banner
# chmod 644 /etc/ssh_banner
# echo "Authorized only. All activity will be monitored and reported" > /etc/ssh_banner
The contents of the file can be modified according to actual needs.
2. Modify the /etc/ssh/sshd_config file by adding the following line:
Banner /etc/ssh_banner
3. Restart the sshd service:
# /etc/init.d/sshd restart
The login log files are /var/log/wtmp and /var/log/utmp. These two files record every user who has logged on to the host, with the time, source and so on. They are binary files rather than readable text and are viewed with the last command.
If the command is inconclusive, please contact the administrator.
Edit the /etc/rsyslog.conf file
Configuration:
cron.*    /var/log/cron
Where /var/log/cron is the log file.
If the file does not exist, create it with the command:
touch /var/log/cron, and change the permission to 775 with the command chmod 775 /var/log/cron.
Modify the configuration file: vi /etc/rsyslog.conf
Add this line:
*.*    @192.168.0.1
You can replace "*.*" with the log selectors you actually need, for example kern.*; mail.*; and so on. (A single @ forwards over UDP; use @@ for TCP.)
Replace 192.168.0.1 with the actual IP address or domain name of the log server (domain name format such as www.nsfocus.com, as appropriate).
Execute the command: chmod 775 /var/log/mail
Execute the command: chmod 775 /var/log/boot.log
Execute the command: chmod 775 /var/log/localmessages
Execute the command: chmod 775 /var/log/secure
Execute the command: chmod 755 /var/log/messages
Execute the command: chmod 775 /var/log/cron
Execute the command: chmod 775 /var/log/spooler
Execute the command: chmod 775 /var/log/maillog
1. Before Redhat 5.x (including 5.x): edit /etc/syslog.conf
Redhat 6.x: edit /etc/rsyslog.conf
Suse 9: edit /etc/syslog.conf
Configuration:
authpriv.*    /var/log/secure
Suse10, 11:
Edit /etc/syslog-ng/syslog-ng.conf.
Configuration:
filter f_secure { facility(authpriv); };
destination priverr { file("/var/log/secure"); };
log { source(src); filter(f_secure); destination(priverr); };
Create the /var/log/secure file:
touch /var/log/secure
Restart the syslog service:
# /etc/init.d/syslog restart
Every command run by each user can be recorded by setting up the process accounting log file; this is not enabled by default. To enable it, install the pacct tool and execute the following commands:
# touch /var/log/pacct
# accton /var/log/pacct
To read the record, execute: lastcomm [user name] -f /var/log/pacct
Edit /etc/rsyslog.conf
Configuration:
*.err;kern.debug;daemon.notice    /var/adm/messages
Where /var/adm/messages is the log file.
If the file does not exist, create it with the command:
touch /var/adm/messages, and change the permission to 666. The command is: chmod 666 /var/adm/messages.
Restart the log service:
# /etc/init.d/rsyslog restart
Get OpenSSH free of charge from the website http://www.openssh.com/ and follow the installation file instructions to perform the installation steps
In the /etc/services file, comment out the telnet 23/tcp line (if that does not take effect, restart the telnetd service, the xinetd service or the system; for example, restart xinetd on Red Hat with service xinetd restart, depending on the actual situation)
Edit the /etc/pam.d/login file and configure auth required pam_securetty.so
Modify the /etc/ssh/sshd_config file to configure PermitRootLogin no. Restart the service: /etc/init.d/sshd restart.
Edit the /etc/vsftpd.conf (or /etc/vsftpd/vsftpd.conf) file and set: anonymous_enable=NO
In the /etc/passwd file, delete the ftp user
1. Edit the /etc/ftpusers (or /etc/vsftpd/ftpusers) file
2. Add root
Add the following line to the /etc/ftpusers file:
root
1. Make sure the /etc/ssh/sshd_config or /etc/ssh3/sshd2_config file exists. If it does not exist, ignore the following configuration steps.
2. Configure in sshd_config or sshd2_config: Protocol 2
3. Configure in sshd_config or sshd2_config: PermitRootLogin no or PermitRootLogin NO
If the system does not have the snmp service installed, it is considered compliant.
Edit /etc/snmp/snmpd.conf and change the private default community string to a user-defined community string.
If the snmp service is installed on the system, make sure that the file exists. If it does not exist, create the file in the /etc/snmp/ directory.
Edit /etc/snmp/snmpd.conf and change the public default community string to a user-defined community string.
Under the root account, execute vi /etc/profile and add export TMOUT=600 (in seconds; the timeout can be set according to the specific situation, and is required to be no less than 600 s). Log the user out and log in again to activate the setting.
1. Execute the command find / -maxdepth 3 -name .netrc 2>/dev/null
2. Go to the directory where the .netrc file exists
3. Execute the command: mv .netrc .netrc.bak
1. Execute the command find / -maxdepth 3 -name hosts.equiv 2>/dev/null
2. Go to the directory where the hosts.equiv file exists
3. Execute the command: mv hosts.equiv hosts.equiv.bak
1. Execute the command find / -maxdepth 3 -name .rhosts 2>/dev/null
2. Go to the directory where the .rhosts file exists
3. Execute the command: mv .rhosts .rhosts.bak
1. Execute the command find / -maxdepth 2 -name hosts.equiv
2. Go to the directory where the hosts.equiv file exists
3. Execute the command: mv hosts.equiv hosts.equiv.bak
1. Execute the command find / -maxdepth 3 -type f -name .rhosts 2>/dev/null
2. Go to the directory where the .rhosts file exists
3. Execute the command: mv .rhosts .rhosts.bak
chkconfig [--level levels] xxx off
Note: levels are the run levels; a restart is needed.
Edit the su file (vi /etc/pam.d/su) and add the following two lines at the beginning:
auth sufficient pam_rootok.so
auth required pam_wheel.so group=wheel
This means that only members of the wheel group can become root with the su command.
You can add a user to the wheel group so that it can become root with the su command.
Add method: usermod -G wheel username (use usermod -aG wheel username to keep the user's existing supplementary groups)
Edit /etc/inittab, comment out the line beginning ca::ctrlaltdel:/sbin/shutdown, and then restart the system.
Configure * soft core 0 in the file /etc/security/limits.conf
Configure * hard core 0 in the file /etc/security/limits.conf
1. Back up the configuration file
# cp -p /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts.bak
2. Execute the command
# sysctl -w net.ipv4.icmp_echo_ignore_broadcasts="1"
This changes the value of /proc/sys/net/ipv4/icmp_echo_ignore_broadcasts to 1
Note: the change takes effect immediately but only for the running system; after a restart it must be set again.
1. Back up the configuration file
# cp -p /proc/sys/net/ipv4/conf/all/accept_redirects /proc/sys/net/ipv4/conf/all/accept_redirects.bak
2. Execute the command
# sysctl -w net.ipv4.conf.all.accept_redirects="0"
This changes the value of /proc/sys/net/ipv4/conf/all/accept_redirects to 0
Note: the change takes effect immediately but only for the running system; after a restart it must be set again.
1. Back up the configuration file
# cp -p /proc/sys/net/ipv4/conf/all/send_redirects /proc/sys/net/ipv4/conf/all/send_redirects.bak
2. Execute the command
# sysctl -w net.ipv4.conf.all.send_redirects="0"
This changes the value of /proc/sys/net/ipv4/conf/all/send_redirects to 0
Note: the change takes effect immediately but only for the running system; after a restart it must be set again.
1. Back up the configuration file
# cp -p /proc/sys/net/ipv4/ip_forward /proc/sys/net/ipv4/ip_forward.bak
2. Execute the command
# sysctl -w net.ipv4.ip_forward="0"
This changes the value of /proc/sys/net/ipv4/ip_forward to 0
Note: the change takes effect immediately but only for the running system; after a restart it must be set again.
1. Back up the configuration file
# cp -p /proc/sys/net/ipv4/conf/all/accept_source_route /proc/sys/net/ipv4/conf/all/accept_source_route.bak
2. Execute the command
# sysctl -w net.ipv4.conf.all.accept_source_route="0"
This changes the value of /proc/sys/net/ipv4/conf/all/accept_source_route to 0
Note: the change takes effect immediately but only for the running system; after a restart it must be set again.
Redhat: edit the /etc/pam.d/system-auth file
Suse9: edit the /etc/pam.d/passwd file
Suse10, Suse11: edit the /etc/pam.d/common-password file
Modify the settings as follows:
password sufficient pam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5
Supplementary operation instructions:
Just add remember=5 to the password sufficient line (note that nullok in this line permits empty passwords).
This does not work on NIS systems; non-NIS systems and NIS+ systems are fine.
chmod 644 /etc/passwd
chmod 644 /etc/group
chmod 600 /etc/shadow
Find all files in the system that carry the "s" (setuid/setgid) attribute, remove the unnecessary "s" attribute, or delete the unused files directly:
find /usr/bin -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
chmod a-s filename
If the system uses vsftp:
Modify /etc/vsftpd.conf (or /etc/vsftpd/vsftpd.conf)
vi /etc/vsftpd.conf
Make sure the following lines are not commented out, and add them if they are missing:
write_enable=YES      (upload is allowed; if upload permission is not required, this item need not be changed)
ls_recurse_enable=YES
local_umask=022       (sets the attribute of files uploaded by users to 755)
anon_umask=022        (umask of files, including directories, uploaded by anonymous users)
Restart the network service
/etc/init.d/vsftpd restart
If the system uses pure-ftp:
Modify /etc/pure-ftpd/pure-ftpd.conf
vi /etc/pure-ftpd/pure-ftpd.conf
Make sure the following line is not commented out, and add it if it is missing:
Umask 177:077
Restart the ftp service
# /etc/init.d/pure-ftpd restart
1. Verify that the system boot loader is grub; if it is not grub, ignore this checkpoint.
2. If the /boot/grub/menu.lst file exists, edit it and set password=<the password you need to set>.
3. If it does not exist, check that grub is installed correctly, or whether the /boot/grub/menu.lst file has been renamed
Create an account for the user:
# useradd username    # create an account
# passwd username     # set the password
Modify permissions:
# chmod 750 directory    # where 750 (or 755, as the situation requires) is the permission being set, and directory is the directory whose permission is to be changed
Use these commands to assign different accounts to different users and set different passwords and permissions.
Edit the file /etc/profile
Configuration:
HISTFILESIZE=5
1. Modify the contents of the file /etc/motd; if it does not exist, create it.
# echo "Login success. All activity will be monitored and reported" > /etc/motd    # modify the contents of the file according to actual needs
1. vsftp
Modify /etc/vsftpd.conf (or /etc/vsftpd/vsftpd.conf)
# vi /etc/vsftpd.conf
Make sure the following line is not commented out, and add it if it is missing:
chroot_local_user=YES
Restart the network service
# /etc/init.d/vsftpd restart
2. pure-ftp
Modify /etc/pure-ftpd/pure-ftpd.conf
# vi /etc/pure-ftpd/pure-ftpd.conf
Make sure the following lines are not commented out (with exactly these values), and add them if they are missing:
ChrootEveryone yes
AllowUserFXP no
AllowAnonymousFXP no
Restart the ftp service
# /etc/init.d/pure-ftpd restart
Reference configuration operation:
Edit the alias file (vi /etc/aliases) and delete or comment out the following lines:
# games: root
# ingres: root
# system: root
# toor: root
# uucp: root
# manager: root
# dumper: root
# operator: root
# decode: root
# root: marc
Supplementary operation instructions:
Run /usr/bin/newaliases after the update to make the changes take effect.
1. Edit the alias file (vi /etc/mail/aliases) and delete or comment out the following lines:
# games: root
# ingres: root
# system: root
# toor: root
# uucp: root
# manager: root
# dumper: root
# operator: root
# decode: root
# root: marc
2. After modification, run the command /usr/bin/newaliases to make the change effective.
1. Modify the telnet banner information
Modify the contents of the files /etc/issue and /etc/issue.net:
# echo "Authorized users only. All activity may be monitored and reported" > /etc/issue
# echo "Authorized users only. All activity may be monitored and reported" > /etc/issue.net
The contents of the files can be modified according to actual needs, but they must not reveal sensitive system information such as redhat, suse and so on.
2. Restart the service:
/etc/init.d/xinetd restart
Edit /etc/hosts.deny
Add the line ALL:ALL
Restart the process:
# /etc/init.d/xinetd restart
Edit /etc/hosts.allow
Add one line per allowed IP address; examples:
ALL:192.168.4.44:allow      # allows a single IP
sshd:192.168.1.:allow       # allows every host in the 192.168.1 network segment to access this machine through SSH
Restart the process:
# /etc/init.d/xinetd restart
Delete a user: # userdel username
Lock a user:
# usermod -L username
Only users with superuser privileges can use it.
# usermod -U username unlocks the user.
Supplementary operation instructions:
Users that need to be locked: adm, lp, mail, uucp, operator, games, gopher, ftp, nobody, nobody4, noaccess, listen, webservd, rpm, dbus, avahi, mailnull, smmsp, nscd, vcsa, rpc, rpcuser, nfs, sshd, pcap, ntp, haldaemon, distcache, apache, webalizer, squid, xfs, gdm, sabayon, named.
Execute the command passwd -l adm to lock the adm account.
If the adm account does not exist, the check item is also compliant.
Note: the adm, daemon, bin, sys, lp, uucp, nuucp and smmsp accounts need to be locked.
1. Perform a backup:
# cp -p /etc/group /etc/group.bak
2. Create a new user group
# groupadd groupname
# usermod -g groupname -d userdirectory -m username
Add the user to one or more groups, or refer to usermod --help for the settings.
Redhat:
Edit the /etc/pam.d/system-auth file
Configuration:
auth required pam_tally.so deny=5 unlock_time=600
account required pam_tally.so
Suse9:
Edit the /etc/pam.d/passwd file
Configuration:
auth required pam_tally.so deny=5 unlock_time=600
account required pam_tally.so
Suse10, Suse11:
Edit the /etc/pam.d/common-auth file
Configuration: auth required pam_tally.so deny=5 unlock_time=600 no_lock_time
Edit the /etc/pam.d/common-account file
Configuration: account required pam_tally.so
Parameter description:
deny          # lock the account after this many consecutive authentication failures
unlock_time   # how long the account stays locked (in seconds)
Edit the /etc/pam.d/sshd file
Add below the auth line:
auth required pam_tally.so deny=5 unlock_time=600 no_lock_time
Add below the account line:
account required pam_tally.so
Parameter description:
deny          # lock the account after this many consecutive authentication failures
unlock_time   # how long the account stays locked (in seconds)
Execute the command:
find /usr/bin/chage /usr/bin/gpasswd /usr/bin/wall /usr/bin/chfn /usr/bin/chsh /usr/bin/newgrp /usr/bin/write /usr/sbin/usernetctl /usr/sbin/traceroute /bin/mount /bin/umount /bin/ping /sbin/netreport -type f -perm +6000 2>/dev/null
(newer GNU find deprecates -perm +6000; use -perm /6000 there)
If there is output, use the chmod 755 filename command to modify the permissions of the file.
For example: chmod a-s /usr/bin/chage
Edit the configuration file for ntp:
# vi /etc/ntp.conf
Configuration: server <IP address of the machine that provides the ntp service>
For example: server 192.168.1.1
Start the ntp service:
Redhat: /etc/init.d/ntpd start
Suse9: /etc/init.d/xntpd start
Suse10, 11: /etc/init.d/ntp start
If the ntp service is not enabled, start it:
Redhat: /etc/init.d/ntpd start
Suse9: /etc/init.d/xntpd start
Suse10, 11: /etc/init.d/ntp start
Redhat has packet forwarding turned off by default.
You can check whether packet forwarding is turned off with the following command:
cat /proc/sys/net/ipv4/ip_forward
If the returned value is 0, packet forwarding is turned off; if it is 1, it is enabled.
Turn off packet forwarding:
Command: # sysctl -w net.ipv4.ip_forward=0
Restrict the range of IP addresses that can access the NFS service:
Edit the file: vi /etc/hosts.allow
Add a line: portmap: <IP addresses allowed to access>
Edit the /etc/host.conf file:
multi off        # turn off multi-IP binding
Supplementary operation instructions:
Redhat does not have a /etc/host.conf file by default; create a new host.conf file first.
Edit the /etc/host.conf file:
nospoof on       # turn off IP spoofing
Supplementary operation instructions:
Redhat does not have a /etc/host.conf file by default; create a new host.conf file first.
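The sysctl items above (icmp_echo_ignore_broadcasts, accept_redirects, send_redirects, ip_forward, accept_source_route) all warn that sysctl -w is lost on reboot. The following POSIX sh functions, added here as an example and not taken from the page, check a sysctl.conf-style file for the persisted values of those five keys; the two sample files are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not from the page): check a sysctl.conf-style file for the
# network settings the page sets with sysctl -w. sysctl -w only changes the
# running kernel; to survive a reboot the same keys must be in /etc/sysctl.conf
# (or /etc/sysctl.d/), where the LAST assignment of a key wins.

# Effective value of KEY in a sysctl.conf file ("key = value"; '#' or ';' comments).
sysctl_conf_value() {               # $1 = file, $2 = key
    awk -F= -v k="$2" '
        /^[ \t]*[#;]/ || NF < 2 { next }
        { key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key) }
        key == k { v = $2; gsub(/[ \t]/, "", v) }
        END { print v }' "$1"
}

# Print "key expected actual" for each setting that is not at its hardened value;
# prints nothing and returns 0 when the file is fully compliant.
sysctl_conf_findings() {            # $1 = file
    rc=0
    for pair in net.ipv4.icmp_echo_ignore_broadcasts=1 \
                net.ipv4.conf.all.accept_redirects=0 \
                net.ipv4.conf.all.send_redirects=0 \
                net.ipv4.ip_forward=0 \
                net.ipv4.conf.all.accept_source_route=0; do
        key=${pair%=*}
        want=${pair#*=}
        got=$(sysctl_conf_value "$1" "$key")
        if [ "$got" != "$want" ]; then
            echo "$key $want ${got:-unset}"
            rc=1
        fi
    done
    return $rc
}

# Constructed samples: what an admin who only ran sysctl -w might find persisted,
# and a hardened file that keeps the page's settings across a reboot.
WEAK_CONF=$(mktemp)
HARD_CONF=$(mktemp)
trap 'rm -f "$WEAK_CONF" "$HARD_CONF"' EXIT
cat > "$WEAK_CONF" <<'EOF'
# constructed weak sample
net.ipv4.ip_forward = 1
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.icmp_echo_ignore_broadcasts = 0
; a later assignment of the same key overrides the earlier one
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.send_redirects = 0
EOF
cat > "$HARD_CONF" <<'EOF'
# constructed hardened sample
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.ip_forward = 0
net.ipv4.conf.all.accept_source_route = 0
EOF

echo "weak file:"
sysctl_conf_findings "$WEAK_CONF" || echo "(non-compliant persisted settings listed above)"
echo "hardened file:"
sysctl_conf_findings "$HARD_CONF" && echo "(compliant)"
```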
#!/bin/bash
# version 1.1 20190505
# author: jxwpx
# Results are written to /tmp/<ip>_checkResult.txt; the IP address is taken from
# the "Bcast" lines of ifconfig output (net-tools format).
ipadd=$(ifconfig -a | grep Bcast | awk -F "[: ]+" '{print $4}' | tr "\n" "_")
result="/tmp/${ipadd}_checkResult.txt"
cat "$result" 2>/dev/null   # show the result file left by a previous run, if any
user_id=$(whoami)
echo "current scanning user: ${user_id}" > "$result"
scanner_time=$(date '+%Y-%m-%d %H:%M:%S')
echo "current scan time: ${scanner_time}" >> "$result"
echo ""
echo "account policy checking..."
echo ""
# No.: GOOANN-Linux-02-01-01
# Item: account and password - user password settings
# qualified: y; unqualified: n
# non-conforming places:
passmax=$(grep PASS_MAX_DAYS /etc/login.defs | grep -v '^#' | awk '{print $2}')
passmin=$(grep PASS_MIN_DAYS /etc/login.defs | grep -v '^#' | awk '{print $2}')
passlen=$(grep PASS_MIN_LEN /etc/login.defs | grep -v '^#' | awk '{print $2}')
passage=$(grep PASS_WARN_AGE /etc/login.defs | grep -v '^#' | awk '{print $2}')
echo "GOOANN-Linux-02-01-01:" >> "$result"
# an unset value is treated as 0 so that the numeric tests below do not error out
if [ "${passmax:-0}" -le 90 -a "${passmax:-0}" -gt 0 ]; then
    echo "Y: password lifetime is ${passmax} days, which meets the requirements" >> "$result"
else
    echo "N: password lifetime is ${passmax} days, which does not meet the requirements. It is recommended to set it to less than 90 days" >> "$result"
fi
if [ "${passmin:-0}" -ge 6 ]; then
    echo "Y: the minimum interval between password changes is ${passmin} days, which meets the requirements" >> "$result"
else
    echo "N: the minimum interval between password changes is ${passmin} days, which does not meet the requirements. It is recommended to set it to 6 days or more" >> "$result"
fi
if [ "${passlen:-0}" -ge 8 ]; then
    echo "Y: the minimum password length is ${passlen}, which meets the requirements" >> "$result"
else
    echo "N: the minimum password length is ${passlen}, which does not meet the requirements. It is recommended to set a minimum length of 8 or more" >> "$result"
fi
if [ "${passage:-0}" -ge 30 -a "${passage:-0}" -lt "${passmax:-0}" ]; then
    echo "Y: password expiry warning days are ${passage}, which meets the requirements" >> "$result"
else
    echo "N: password expiry warning days are ${passage}, which does not meet the requirements. It is recommended to set a value of 30 or more and less than the password lifetime" >> "$result"
fi
echo ""
echo "checking whether idle accounts are logged out automatically..."
echo ""
checkTimeout=$(grep TMOUT /etc/profile | grep -v '^#' | awk -F= '{print $2}' | tail -n 1)
if [ -n "$checkTimeout" ]; then
    # lowercase variable: setting TMOUT itself would apply the timeout to this shell
    tmout=$checkTimeout
    if [ "$tmout" -le 600 -a "$tmout" -ge 10 ]; then
        echo "Y: account timeout is ${tmout} seconds, which meets the requirements" >> "$result"
    else
        echo "N: account timeout is ${tmout} seconds, which does not meet the requirements. It is recommended to set it to 600s or less" >> "$result"
    fi
else
    echo "N: no automatic logout timeout is set for accounts, which does not meet the requirements. It is recommended to set it to 600s or less" >> "$result"
fi
# No.: GOOANN-Linux-02-01-02
# Item: account and password - remote login restriction for the root user
# qualified: y; unqualified: n
# non-conforming places:
echo ""
echo "checking whether the root user can log in remotely..."
echo ""
echo "GOOANN-Linux-02-01-02:" >> "$result"
remoteLogin=$(grep -v '^#' /etc/ssh/sshd_config | grep "PermitRootLogin no")
if [ -n "$remoteLogin" ]; then
    echo "Y: remote root login has been disabled, which meets the requirements" >> "$result"
else
    echo "N: remote root login is allowed, which does not meet the requirements. It is recommended to add PermitRootLogin no to /etc/ssh/sshd_config" >> "$result"
fi
# No.: GOOANN-Linux-02-01-03
# Item: account and password - check whether any user other than root has UID 0
# qualified: y; unqualified: n
# non-conforming places:
# find non-root accounts with a UID of 0
echo "GOOANN-Linux-02-01-03:" >> "$result"
uids=$(awk -F: '$1 != "root" {print $3}' /etc/passwd)
flag=0
for i in $uids; do
    if [ "$i" = 0 ]; then
        echo "N: a non-root account has UID 0, which does not meet the requirements" >> "$result"
        flag=1
    fi
done
if [ $flag -eq 0 ]; then
    echo "Y: no non-root account has UID 0, which meets the requirements" >> "$result"
fi
# No.: GOOANN-Linux-02-01-04
# Item: account and password - check whether the telnet service is enabled
# qualified: y; unqualified: n
# non-conforming places:
# check whether telnet is enabled ("disable = yes" in /etc/xinetd.d/telnet means it is off)
echo "GOOANN-Linux-02-01-04:" >> "$result"
telnetd=$(grep disable /etc/xinetd.d/telnet 2>/dev/null | awk '{print $3}')
if [ "$telnetd"x = "no"x ]; then
    echo "N: the telnet service is enabled, which does not meet the requirements. It is recommended to disable telnet" >> "$result"
else
    echo "Y: the telnet service is disabled or not installed, which meets the requirements" >> "$result"
fi
# No.: GOOANN-Linux-02-01-05
# Item: account and password - security of the root user's environment variables
# qualified: y; unqualified: n
# non-conforming places:
# check whether any directory on PATH has permission 777
echo "GOOANN-Linux-02-01-05:" >> "$result"
dirPri=$(find $(echo "$PATH" | tr ':' ' ') -type d -perm -0777 2>/dev/null)
if [ -z "$dirPri" ]; then
    echo "Y: no directory on PATH has permission 777, which meets the requirements" >> "$result"
else
    echo "N: the directory ${dirPri} has permission 777, which does not meet the requirements" >> "$result"
fi
# No.: GOOANN-Linux-02-01-06
# Item: account and password - security configuration of remote connections
# qualified: y; unqualified: n
# non-conforming places:
echo "GOOANN-Linux-02-01-06:" >> "$result"
fileNetrc=$(find / -xdev -mount -name .netrc -print 2>/dev/null)
if [ -z "${fileNetrc}" ]; then
    echo "Y: no .netrc file exists, which meets the requirements" >> "$result"
else
    echo "N: a .netrc file exists, which does not meet the requirements" >> "$result"
fi
fileRhosts=$(find / -xdev -mount -name .rhosts -print 2>/dev/null)
if [ -z "$fileRhosts" ]; then
    echo "Y: no .rhosts file exists, which meets the requirements" >> "$result"
else
    echo "N: a .rhosts file exists, which does not meet the requirements" >> "$result"
fi
# No.: GOOANN-Linux-02-01-07
# Item: account and password - security configuration of the user umask
# qualified: y; unqualified: n
# non-conforming places:
# check umask settings
echo "GOOANN-Linux-02-01-07:" >> "$result"
umask1=$(grep umask /etc/profile 2>/dev/null | grep -v '^#' | awk '{print $2}')
umask2=$(grep umask /etc/csh.cshrc 2>/dev/null | grep -v '^#' | awk '{print $2}')
umask3=$(grep umask /etc/bashrc 2>/dev/null | grep -v '^#' | awk 'NR==1 {print $2}')
flags=0
for i in $umask1; do
    if [ "$i" != "027" ]; then
        echo "N: the umask set in /etc/profile is ${i}, which does not meet the requirements. It is recommended to set it to 027" >> "$result"
        flags=1
        break
    fi
done
if [ $flags -eq 0 ]; then
    echo "Y: the umask set in /etc/profile is ${i}, which meets the requirements" >> "$result"
fi
flags=0
for i in $umask2; do
    if [ "$i" != "027" ]; then
        echo "N: the umask set in /etc/csh.cshrc is ${i}, which does not meet the requirements. It is recommended to set it to 027" >> "$result"
        flags=1
        break
    fi
done
if [ $flags -eq 0 ]; then
    echo "Y: the umask set in /etc/csh.cshrc is ${i}, which meets the requirements" >> "$result"
fi
flags=0
for i in $umask3; do
    if [ "$i" != "027" ]; then
        echo "N: the umask set in /etc/bashrc is ${i}, which does not meet the requirements. It is recommended to set it to 027" >> "$result"
        flags=1
        break
    fi
done
if [ $flags -eq 0 ]; then
    echo "Y: the umask set in /etc/bashrc is ${i}, which meets the requirements" >> "$result"
fi
# No.: GOOANN-Linux-02-01-08
# Item: account and password - check whether the grub and lilo passwords are set
# qualified: y; unqualified: n
# non-conforming places:
# check whether grub and lilo passwords are set
echo "GOOANN-Linux-02-01-08:" >> "$result"
grubfile=$(grep password /etc/grub.conf 2>/dev/null)
if [ -n "$grubfile" ]; then
    echo "Y: a grub password has been set, which meets the requirements" >> "$result"
else
    echo "N: no grub password is set, which does not meet the requirements. It is recommended to set a grub password" >> "$result"
fi
lilo=$(grep password /etc/lilo.conf 2>/dev/null)
if [ -n "$lilo" ]; then
    echo "Y: a lilo password has been set, which meets the requirements" >> "$result"
else
    echo "N: no lilo password is set, which does not meet the requirements. It is recommended to set a lilo password" >> "$result"
fi
# No.: GOOANN-Linux-02-02-01
# Item: file system - permission settings of important directories and files
# qualified: y; unqualified: n
# non-conforming places:
echo "GOOANN-Linux-02-02-01:" >> "$result"
echo ""
echo "checking important file permissions..."
echo ""
# substr() drops the '.' or '+' that ls appends to the mode string on SELinux/ACL systems
file1=$(ls -l /etc/passwd 2>/dev/null | awk '{print substr($1,1,10)}')
file2=$(ls -l /etc/shadow 2>/dev/null | awk '{print substr($1,1,10)}')
file3=$(ls -l /etc/group 2>/dev/null | awk '{print substr($1,1,10)}')
file4=$(ls -l /etc/securetty 2>/dev/null | awk '{print substr($1,1,10)}')
file5=$(ls -l /etc/services 2>/dev/null | awk '{print substr($1,1,10)}')
file6=$(ls -l /etc/xinetd.conf 2>/dev/null | awk '{print substr($1,1,10)}')
file7=$(ls -l /etc/grub.conf 2>/dev/null | awk '{print substr($1,1,10)}')
file8=$(ls -l /etc/lilo.conf 2>/dev/null | awk '{print substr($1,1,10)}')
# detect files whose permission should be 400
if [ "$file2" = "-r--------" ]; then
    echo "Y: /etc/shadow file permission is 400, which meets the requirements" >> "$result"
else
    echo "N: /etc/shadow file permission does not meet the requirements. It is recommended to set the permission to 400" >> "$result"
fi
# detect files whose permission should be 600 (file4 is /etc/securetty)
if [ "$file4" = "-rw-------" ]; then
    echo "Y: /etc/securetty file permission is 600, which meets the requirements" >> "$result"
else
    echo "N: /etc/securetty file permission does not meet the requirements. It is recommended to set the permission to 600" >> "$result"
fi
if [ "$file6" = "-rw-------" ]; then
    echo "Y: /etc/xinetd.conf file permission is 600, which meets the requirements" >> "$result"
else
    echo "N: /etc/xinetd.conf file permission does not meet the requirements. It is recommended to set the permission to 600" >> "$result"
fi
if [ "$file7" = "-rw-------" ]; then
    echo "Y: /etc/grub.conf file permission is 600, which meets the requirements" >> "$result"
else
    echo "N: /etc/grub.conf file permission does not meet the requirements. It is recommended to set the permission to 600" >> "$result"
fi
Fi
If [- f / etc/lilo.conf]; then
If [$file8 = "- rw-"]; then
Echo "Y:/etc/lilo.conf file permission is 600, which meets the requirements" > > "/ tmp/$ {ipadd} _ checkResult.txt"
Else
The permission of echo "N:/etc/lilo.conf file does not meet the requirement. It is recommended to set the permission to 600" > > "/ tmp/$ {ipadd} _ checkResult.txt".
Fi
Else
Echo "N:/etc/lilo.conf folder does not exist"
Fi
# detect files with file permissions of 644
If [$file1 = "- rw-r--r--"]; then
Echo "Y:/etc/passwd file permission is 644, which meets the requirements" > > "/ tmp/$ {ipadd} _ checkResult.txt"
Else
Echo "N:/etc/passwd file permission is not 644, which does not meet the requirements. It is recommended to set permission to 644" > > "/ tmp/$ {ipadd} _ checkResult.txt".
Fi
If [$file5 = "- rw-r--r--"]; then
Echo "Y:/etc/services file permission is 644, which meets the requirements" > > "/ tmp/$ {ipadd} _ checkResult.txt"
Else
Echo "N:/etc/services file permission is not 644, which does not meet the requirements. It is recommended to set permission to 644" > > "/ tmp/$ {ipadd} _ checkResult.txt".
Fi
If [$file3 = "- rw-r--r--"]; then
Echo "Y:/etc/group file permission is 644, which meets the requirements" > > "/ tmp/$ {ipadd} _ checkResult.txt"
Else
Echo "N:/etc/group file permission is not 644, which does not meet the requirements. It is recommended to set permission to 644" > > "/ tmp/$ {ipadd} _ checkResult.txt".
Fi
# No.: GOOANN-Linux-02-02-02
# Project: file system-find unauthorized SUID/SGID files
# qualified: y; unqualified: n
# non-conforming places
Echo "GOOANN-Linux-02-02-02:" > > "/ tmp/$ {ipadd} _ checkResult.txt"
Unauthorizedfile=find /\ (- perm-04000-o-perm-02000\)-type f
Echo "C: file ${unauthorizedfile} sets SUID/SGID. Please check whether it is authorized" > "/ tmp/$ {ipadd} _ checkResult.txt".
# No.: GOOANN-Linux-02-02-03
# Project: file system-check directories where anyone has write permission
# qualified: y; unqualified: n; check: C
# non-conforming places
Echo "GOOANN-Linux-02-02-03:" > > "/ tmp/$ {ipadd} _ checkResult.txt"
CheckWriteDre=$ (find /-xdev-mount-type d (- perm-0002-a!-perm-1000) 2 > / dev/null)
If [- z "${checkWriteDre}"]; then
Echo "Y: there is no directory where anyone has write permission, which meets the requirements" > > "/ tmp/$ {ipadd} _ checkResult.txt".
Else
The echo "NVV ${checkWriteDre} directory can be written by anyone, which does not meet the requirements" > "/ tmp/$ {ipadd} _ checkResult.txt".
Fi
# No.: GOOANN-Linux-02-02-04
# Project: file system-check files for which anyone has write permission
# qualified: y; unqualified: n; check: C
# non-conforming places
Echo "GOOANN-Linux-02-02-04:" > > "/ tmp/$ {ipadd} _ checkResult.txt"
CheckWriteFile=$ (find /-xdev-mount-type f (- perm-0002-a!-perm-1000) 2 > / dev/null)
If [- z "${checkWriteFile}"]; then
Echo "Y: there is no directory where anyone has write permission, which meets the requirements" > > "/ tmp/$ {ipadd} _ checkResult.txt".
Else
The echo "NVV ${checkWriteFile} directory can be written by anyone, which does not meet the requirements" > "/ tmp/$ {ipadd} _ checkResult.txt".
Fi
# No.: GOOANN-Linux-02-02-05
# Project: file system-check for abnormal hidden files
# qualified: y; unqualified: n; check: C
# non-conforming places
Echo "GOOANN-Linux-02-02-05:" > > "/ tmp/$ {ipadd} _ checkResult.txt"
HideFile=$ (find /-xdev-mount (- name ".."-o-name "...") 2 > / dev/null)
If [- z "${hideFile}"]; then
Echo "Y: no hidden files exist, meet requirements" > > "/ tmp/$ {ipadd} _ checkResult.txt"
Else
Echo "NVR ${hideFile} is a hidden file. It is recommended to review" > "/ tmp/$ {ipadd} _ checkResult.txt".
Fi
# number: GOOANN-Linux-03-01-01
# Project: log audit-syslog login event record
# qualified: y; unqualified: n; check: C
# non-conforming places
Echo "GOOANN-Linux-03-01-01:" > > "/ tmp/$ {ipadd} _ checkResult.txt"
RecodeFile=$ (cat / etc/syslog.conf)
If [!-z "${recodeFile}"]; then
LogFile=$ (cat / etc/syslog.conf | grep-V ^ # | grep authpriv.)
If [!-z "${logFile}"]; then
Echo "Y: log file exists to save authpirv" > > "/ tmp/$ {ipadd} _ checkResult.txt"
Else
Echo "N: there is no log file to save authpirv" > "/ tmp/$ {ipadd} _ checkResult.txt"
Fi
Else
Echo "N: the / etc/syslog.conf file does not exist. It is recommended to log" > > "/ tmp/$ {ipadd} _ checkResult.txt" for all login events.
Fi
# No.: GOOANN-Linux-03-01-02
# Project: system files-check whether log auditing is enabled
# qualified: y; unqualified: n; check: C
Echo "GOOANN-Linux-03-01-02:" > > "/ tmp/$ {ipadd} _ checkResult.txt"
AuditdStatus=$ (service auditd status 2 > / dev/null)
If [$? = 0]; then
Echo "Y: Syslog audit function is enabled and meets the requirements" > > "/ tmp/$ {ipadd} _ checkResult.txt"
Fi
If [$? = 3]; then
Echo "N: Syslog audit function has been turned off and does not meet the requirements. It is recommended that service auditd start enable" > "/ tmp/$ {ipadd} _ checkResult.txt".
Fi
# number: GOOANN-Linux-04-01-01
# Project: system File-system core dump status
# qualified: y; unqualified: n; check: C
Echo "GOOANN-Linux-04-01-01:" > > "/ tmp/$ {ipadd} _ checkResult.txt"
LimitsFile=$ (cat / etc/security/limits.conf | grep-V ^ # | grep core)
If [$?-eq 0]; then
Soft=cat / etc/security/limits.conf | grep-V ^ # | grep core | awk {print $2}
For i in $soft
Do
If ["$I" x = "soft" x]; then
Echo "Y: soft core 0 has been set" > > "/ tmp/$ {ipadd} _ checkResult.txt"
Fi
If ["$I" x = "hard" x]; then
Echo "Y: hard core 0 has been set" > > "/ tmp/$ {ipadd} _ checkResult.txt"
Fi
Done
Else
Echo "N: core is not set. It is recommended to add soft core 0 and * hard core 0" > > "/ tmp/$ {ipadd} _ checkResult.txt" to / etc/security/limits.conf.
Fi
# No.: GOOANN-Linux-04-01-02
# Project: system files-check disk dynamic space for 80% or greater
# qualified: y; unqualified: n; check: C
#
Echo "GOOANN-Linux-04-01-02:" > > "/ tmp/$ {ipadd} _ checkResult.txt"
Space=$ (df-h | awk-F "[%] +" NRRPH1 {print $5}')
For i in $space
Do
If [$I-ge 80]; then
Echo "C: warning! disk storage capacity is greater than 80%. It is recommended to expand disk capacity or delete junk files" > "/ tmp/$ {ipadd} _ checkResult.txt".
Fi
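The permission checks above compare the first column of ls -l against a fixed string, which fails as soon as an ACL ("+") or SELinux label (".") marker is appended to that column. As an added example, not part of the original check script, the same checks using the numeric mode from stat(1), plus the world-writable test from GOOANN-Linux-02-02-03/04 restricted to one tree so it can be exercised on a test directory (assumes GNU coreutils stat and find; function names and messages are my own):

```bash
#!/bin/bash
# Added example, not part of the original check script.
# Reads the permission bits with stat(1) (assumed: GNU coreutils) instead of
# comparing the first column of `ls -l`, which gains a trailing "+" (ACL) or
# "." (SELinux label) and then never equals the expected string.

# check_mode PATH EXPECTED_OCTAL
# prints a Y:/N: line in the style of the check script, returns 0 (Y) or 1 (N)
check_mode() {
    local path="$1" expected="$2" actual
    if [ ! -e "$path" ]; then
        echo "N: $path does not exist"
        return 1
    fi
    actual=$(stat -c %a "$path")
    # normalise both values to four octal digits so 600 and 0600 compare equal
    actual=$(printf '%04o' "0$actual")
    expected=$(printf '%04o' "0$expected")
    if [ "$actual" = "$expected" ]; then
        echo "Y: $path permission is $actual, which meets the requirements"
        return 0
    fi
    echo "N: $path permission is $actual, which does not meet the requirements. It is recommended to set it to $expected"
    return 1
}

# world_writable ROOT
# lists files and directories under ROOT that anyone can write to and that lack
# the sticky bit: the same test as GOOANN-Linux-02-02-03/04, limited to one tree
world_writable() {
    find "$1" -xdev \( -type d -o -type f \) -perm -0002 ! -perm -1000 2>/dev/null
}

# stand-alone run against the files the check script inspects (path:mode pairs)
for f in /etc/shadow:400 /etc/passwd:644 /etc/group:644; do
    check_mode "${f%%:*}" "${f##*:}"
done
```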
Ansible/Saltstack (master -> minion)
Features of the Ansible software
1. ansible does not need a separately installed client; SSH acts as the ansible client.
2. ansible does not need to start any service, only the corresponding tools must be installed.
3. ansible relies on a large number of python modules for batch management.
4. ansible configuration file: /etc/ansible/ansible.cfg
Set up key authentication from the management machine man01 to the other machines
0. ansible batch management relies on the public key
# use a non-interactive tool to distribute the public key in batches and manage the servers in batches
[root@man01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.1.31
[root@man01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.1.41
[root@man01 ~]# ssh-copy-id -i ~/.ssh/id_rsa.pub root@192.168.1.7
1. Install ansible
[root@man01 ~]# yum install ansible -y
2. Configure ansible
[root@man01 ~]# vim /etc/ansible/hosts
[jxwpx]
192.168.1.31
192.168.1.41
3. Verify ansible
Ansible checks connectivity over the ssh port
[root@man01 ~]# ansible jxwpx -m ping
192.168.1.7 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
192.168.1.31 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
192.168.1.41 | SUCCESS => {
    "changed": false,
    "ping": "pong"
}
# batch execution of commands
[root@man01 ~]# ansible jxwpx -m command -a "df -h"
# 2. If no public key has been distributed to a host, it can be added with a password instead
192.168.1.41 ansible_ssh_user='root' ansible_ssh_pass='1' ansible_ssh_port='22'
3. Define the host list
[web]
192.168.1.7
[nfs]
192.168.1.31
[backup]
192.168.1.41
[jxwpx:children]
web
nfs
backup
[root@man01 ~]# ansible web --list-hosts   # web
  hosts (1):
    192.168.1.7
[root@man01 ~]# ansible nfs --list-hosts   # nfs
  hosts (1):
    192.168.1.31
[root@man01 ~]# ansible backup --list-hosts   # rsync
  hosts (1):
    192.168.1.41
[root@man01 ~]# ansible jxwpx --list-hosts   # all hosts in the group, used for some basic common configuration
  hosts (3):
    192.168.1.31
    192.168.1.41
    192.168.1.7
1. command -> file = script
2. module -> file = script
Installation, configuration, startup
1. command: execute a command
2. shell: execute a command
3. yum: software installation module
4. copy: configuration module
5. service: service start module
6. user: user management
7. file: create directories, create files, and write to files
8. cron: scheduled tasks
9. mount: mount
1. command module
Default module, executes a command
[root@man01 ~]# ansible jxwpx -a "hostname"
If piping is required, use the shell module instead
[root@man01 ~]# ansible jxwpx -m shell -a "ifconfig | grep eth0" -f 50
-f = the number of forks (parallel processes); the default is set in /etc/ansible/ansible.cfg
2. yum installation module
# push script files to the remote host and execute them remotely
[root@man01 ~]# ansible jxwpx -m yum -a "name=httpd state=installed"
name - specify the name of the package to install
state - specify the yum action
installed, present - install the package
removed, absent - remove the package
latest - install the latest version of the package
3. copy module
Push file module
[root@man01 ~]# ansible jxwpx -m copy -a "src=/etc/hosts dest=/tmp/test.txt owner=www group=www mode=0600"
Before pushing and overwriting the remote file, back up the remote file with a timestamp
[root@man01 ~]# ansible jxwpx -m copy -a "src=/etc/hosts dest=/tmp/test.txt backup=yes"
Write data directly into the remote file, overwriting the data already in it
[root@man01 ~]# ansible jxwpx -m copy -a "content='bgx' dest=/tmp/jxwpx"
src - the source file of the pushed data
dest - the target path of the pushed data
backup - back up the files that have been pushed and transferred
content - write content directly into the managed file in batch
group - push the local file to the remote end and set the file group
owner - push the local file to the remote end and set the file owner
mode - push the local file to the remote end and set the file permissions
4. service module
[root@man01 ~]# ansible jxwpx -m service -a "name=crond state=stopped enabled=yes"
name - the name of the service to manage
state - the desired service state, stopped or running
started - start
stopped - stop
restarted - restart
reloaded - reload
enabled - whether the service starts at boot
1. Installation
[root@man01 ~]# ansible web -m yum -a "name=httpd state=installed"
2. Configuration
[root@man01 ~]# ansible web -m copy -a "content='This is Ansible' dest=/var/www/html/index.html"
3. Start
[root@man01 ~]# ansible web -m service -a "name=httpd state=started"
Modules used in the exercise: yum, copy, service, mount, cron, user, file
1. Restore the machine snapshot (firewalld, selinux, configured repository)
2. Push your public key
3. On the backup host: install rsync, configure, start, create the directory, create the user, prepare the password file, set permissions
4. On the nfs host: install nfs, configure, start
5. web mounts nfs
6. web runs the script that pushes data to backup and adds it to the scheduled tasks