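# CentOS 等保 (MLPS) security baseline checklist.
# Each "vi <file>" line names the file to edit; the lines after it are the
# settings to put in that file. Annotations use "#" because that is the
# comment syntax of every file below (login.defs, sshd_config, pam.d,
# pwquality.conf, auditd.conf, audit.rules, sudoers, profile); "//" is not a
# comment in any of them and would be read as part of the value.

# --- Password aging ---
# login.defs only affects accounts created after the change; apply the same
# limits to existing accounts with chage -M/-m/-W.
vi /etc/login.defs
PASS_MAX_DAYS 90
PASS_MIN_DAYS 1
# NOTE: PASS_MIN_LEN is ignored when pam_pwquality is in use; minlen in
# /etc/security/pwquality.conf (below) is the effective minimum.
PASS_MIN_LEN 8
PASS_WARN_AGE 7

# --- SSH login hardening ---
# sshd keeps the FIRST occurrence of a keyword, so each keyword must appear
# exactly once (the previous version listed MaxAuthTries and PermitRootLogin
# twice, which silently made the first value win).
vi /etc/ssh/sshd_config
LoginGraceTime 30
PermitRootLogin no
MaxAuthTries 4
PermitEmptyPasswords no
# Idle-session disconnect: keepalive probe every 300 seconds.
ClientAliveInterval 300
# NOTE: on OpenSSH 8.2 and newer a ClientAliveCountMax of 0 disables the
# disconnect instead of enforcing it; use 1 on those versions.
ClientAliveCountMax 0
# Validate the file before restarting: sshd -t && systemctl restart sshd

# Lock the account for 15 minutes after 5 failed logins, root included.
# pam_tally2 is the CentOS 7 module; newer releases ship pam_faillock instead —
# confirm for the target version. Put this line above the existing auth lines
# so it runs before pam_unix, and check that the account line pam_tally2(8)
# documents (which resets the counter on success) is present.
vi /etc/pam.d/sshd
auth required pam_tally2.so deny=5 even_deny_root unlock_time=900 root_unlock_time=900

# --- Password complexity and length ---
# In pwquality.conf a POSITIVE credit value is the maximum bonus that class
# adds to the length score, not a required count; a NEGATIVE value
# (e.g. dcredit = -1) requires at least that many characters of the class.
# With the values below, minclass is the setting that actually enforces the
# character-class mix.
vi /etc/security/pwquality.conf
# minimum password score (length plus the class credits below)
minlen = 9
# maximum credit for digits
dcredit = 1
# maximum credit for upper-case letters
ucredit = 1
# maximum credit for lower-case letters
lcredit = 1
# maximum credit for other characters (neither digit nor letter)
ocredit = 1
# minimum number of character classes the password must contain
minclass = 3

# --- Shell idle timeout ---
# Applies to login shells that source /etc/profile.
vi /etc/profile
# seconds of inactivity before the shell exits
export TMOUT=300
# readonly stops users from unsetting or lowering it in their session
readonly TMOUT

# --- Audit daemon ---
# Check that the packages are installed (install them if the list is empty).
yum list audit audit-libs
vi /etc/audit/auditd.conf
# number of audit log files kept on the server
num_logs = 10
# maximum size of one log file, in MB
max_log_file = 30
# action taken when max_log_file is reached
max_log_file_action = ROTATE
# Custom rules; load them with augenrules --load (or restart auditd) after editing.
vi /etc/audit/rules.d/audit.rules
# file deletion/rename by real users (auid >= 1000, excluding the unset auid)
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
# writes and attribute changes to the account databases
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
# sudo policy changes
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope

# --- Audit account ---
useradd audit
# Read-only log viewing for the audit user. NOEXEC blocks the shell escapes
# that less/more offer, which would otherwise turn this entry into a root
# shell; cat/tail/head still read any file as root, so restrict the argument
# to the audit log directory (e.g. "/usr/bin/cat /var/log/audit/*") instead of
# leaving the command unrestricted. Use visudo so a syntax error cannot lock
# sudo out.
visudo
audit ALL = (root) NOEXEC: NOPASSWD: /usr/bin/cat , /usr/bin/less , /usr/bin/more , /usr/bin/tail , /usr/bin/head

# --- Access-control granularity: subject at user/process level, object at
# file/database-table level — ownership and permissions of the control files ---
chown root:root /etc/hosts.allow /etc/hosts.deny
chmod 644 /etc/hosts.allow /etc/hosts.deny
chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow
chmod 0644 /etc/passwd /etc/group
chmod 0400 /etc/shadow /etc/gshadow
chown root:root /etc/ssh/sshd_config
chmod 600 /etc/ssh/sshd_config
chown root:root /etc/profile
chmod 644 /etc/profile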