Linux安全加固

1、检查shadow是否存在空口令用户和其他超级管理员用户：

awk -F: '($2 == "") { print $1 }' /etc/shadow
awk -F: '($3==0)' /etc/passwd

2、锁定系统中多余的自建(测试)帐号并备份

cat /etc/passwd  && cp /etc/passwd /etc/passwd.bak
cat /etc/shadow  && cp /etc/shadow /etc/shadow.bak
cp /etc/profile /etc/profile.bak

3、检查系统口令策略

cat /etc/login.defs|grep PASS
#PASS_MAX_DAYSMaximum number of days a password may be used.
#PASS_MIN_DAYSMinimum number of days allowed between password changes.
#PASS_MIN_LENMinimum acceptable password length.
#PASS_WARN_AGENumber of days warning given before a password expires.
PASS_MAX_DAYS99999
PASS_MIN_DAYS0
PASS_MIN_LEN5
PASS_WARN_AGE7

4、停用或禁用无关的服务

who -r            //查看当前的运行级别
chkconfig --list

5、设置访问控制策略
拒绝某些用户登录，允许某些用户登录，拒绝某些组登录，允许某些组登录

DenyUsers,AllowUsers,DenyGroups,AllowGroups
eg：DenyUsers aaa bbb        //禁用多个账户用空格隔开

如果只写AllowUsers表示如果这里不匹配就拒绝所用用户

PermitRootLogin no          //拒绝root用户登录

cp /etc/ssh/sshd_config   /etc/ssh/sshd_config.bak
grep Banner /etc/ssh/sshd_config
Banner /etc/ssh/ssh_login_banner

# Banner none        //取消banner消息
cat  /etc/ssh/ssh_login_banner
welcome to CentOS 6.5

看/etc/inittab里面有没有

#ca::ctrlaltdel:/sbin/shutdown -t3 -r now    //禁用ctrl+alt+del
vi /etc/pam.d/system-auth
auth required pam_tally.so onerr=fail deny=6 unlock_time=300      //密码连续输错6次，账户锁定300秒

vi /etc/profile

TMOUT=600           //无操作600秒自动退出
source /etc/profile

cat /etc/grub.conf|grep password     //查看grub是否设置密码

审计策略：

ps -aef | grep syslog |grep -v grep          //确认syslog是否启用
grep weekly /etc/logrotate.conf
# rotate log files weekly
weekly
grep 4 /etc/logrotate.conf
# keep 4 weeks worth of backlogs
rotate 4
cat /etc/logrotate.d/syslog
/var/log/cron
/var/log/maillog
/var/log/messages
/var/log/secure
/var/log/spooler