CentOS等保安全基线配置
密码策略
vi /etc/login.defs
# /etc/login.defs password-aging defaults. They are applied when an account is
# created; accounts that already exist keep the aging fields currently stored in
# /etc/shadow (see the note that follows this snippet).
# maximum number of days a password may be used
PASS_MAX_DAYS 90
# minimum number of days between password changes
PASS_MIN_DAYS 1
# NOTE(review): on PAM-based systems PASS_MIN_LEN is not enforced by login.defs;
# the effective length check is "minlen" in /etc/security/pwquality.conf — confirm.
PASS_MIN_LEN 8
# days of warning before a password expires
PASS_WARN_AGE 7
此设置只对新增用户生效；如需对已有用户生效，需要修改 /etc/shadow：
vi /etc/shadow
将对应用户条目中的 99999（密码最长使用天数字段）改为所需的天数
ssh登录处理
vi /etc/ssh/sshd_config
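# /etc/ssh/sshd_config hardening. sshd honours the FIRST occurrence of a
# directive, so each one must appear exactly once: the original listed
# MaxAuthTries twice (2 and 4) and PermitRootLogin twice; both are
# de-duplicated here. MaxAuthTries 4 (the CIS value) is kept — use 2 if the
# stricter limit was the intent.
# seconds allowed to complete authentication before the connection is closed
LoginGraceTime 30
# no direct root logins over SSH
PermitRootLogin no
# failed authentication attempts allowed per connection
MaxAuthTries 4
# server-side liveness probe every 300 s
ClientAliveInterval 300
# NOTE(review): since OpenSSH 8.2 a value of 0 DISABLES the disconnect
# instead of dropping the session after the first missed probe; on newer
# releases use a value >= 1 — confirm the installed OpenSSH version.
ClientAliveCountMax 0
# never accept accounts with an empty password
PermitEmptyPasswords no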
vi /etc/pam.d/sshd
# /etc/pam.d/sshd: lock the account after 5 consecutive failed SSH
# authentications (root included via even_deny_root) and unlock it
# automatically after 900 s (15 min) for regular users and for root.
# NOTE(review): pam_tally2 was removed in RHEL/CentOS 8 in favour of
# pam_faillock — confirm the target release before applying this line.
auth required pam_tally2.so deny=5 even_deny_root unlock_time=900 root_unlock_time=900
设置密码复杂度及长度
vi /etc/security/pwquality.conf
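# /etc/security/pwquality.conf — password complexity enforced by pam_pwquality.
# The original used "//" annotations, which this file does not accept as
# comments; they are replaced with "#" lines.
# minimum password length
minlen = 9
# For the *credit settings a NEGATIVE value is the minimum number of characters
# of that class that MUST be present; a positive value is only a length credit
# and enforces nothing. The original set +1 next to "must contain" comments,
# so the intended (enforcing) value is -1.
# at least one digit
dcredit = -1
# at least one upper-case letter
ucredit = -1
# at least one lower-case letter
lcredit = -1
# at least one other character (neither digit nor letter)
ocredit = -1
# at least three distinct character classes overall
minclass = 3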
超时锁定
vi /etc/profile
# /etc/profile idle-session timeout: the shell exits after 300 s without
# input. The variable is made read-only so a user cannot unset or change it,
# and exported so child shells inherit the same limit.
TMOUT=300
readonly TMOUT
export TMOUT
禁ping
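# Ignore ICMP echo requests (ping). Writing /proc/sys directly only lasts
# until the next reboot, so the setting is also persisted through sysctl.d,
# which is loaded at boot.
sysctl -w net.ipv4.icmp_echo_ignore_all=1
# drop-in file name is an example; any *.conf under /etc/sysctl.d is applied
printf 'net.ipv4.icmp_echo_ignore_all = 1\n' > /etc/sysctl.d/99-icmp-echo.conf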
nginx添加header
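# nginx security headers and hardened locations (server{} context).
# NOTE: add_header values are inherited into a location only if that location
# defines no add_header of its own, and add_header skips 4xx/5xx responses
# unless the "always" flag (nginx >= 1.7.5) is given.
# HSTS is only meaningful in the HTTPS server block; max-age here is one day.
add_header "Strict-Transport-Security" "max-age=86400";
add_header "Cache-Control" "max-age=0, no-cache, no-store, must-revalidate";
add_header "Pragma" "no-cache";
add_header "Expires" "-1";
add_header "X-Frame-Options" "DENY";
# was "1; mode-block" — the token is "mode=block"
add_header "X-XSS-Protection" "1; mode=block";
add_header "X-Content-Type-Options" "nosniff";
# legacy prefixed CSP header; the standard Content-Security-Policy is below
add_header "X-Content-Security-Policy" "default-src 'self'";
add_header "X-Download-Options" "noopen";
add_header "X-Permitted-Cross-Domain-Policies" "master-only";
# was "default-rsc 'self'" (typo; browsers ignore unknown directives, so the
# policy was not applied at all).
# NOTE(review): default-src 'self' blocks inline scripts/styles — confirm the
# application tolerates it.
add_header "Content-Security-Policy" "default-src 'self'";
# The original `add_header "Set-Cookie" "^(.*)$ $;HttpOnly";` was dropped:
# add_header does not rewrite cookies, it would emit one literal, malformed
# Set-Cookie header on every response. Set HttpOnly where the cookie is
# created (PHP: session.cookie_httponly=1) or, for proxied upstreams, with
# proxy_cookie_flags (nginx >= 1.19.3).
server_tokens off;

# Regex locations are tried in file order and the first match wins, so the
# deny rules are kept ahead of the static-asset locations; otherwise a request
# such as /.git/x.png would be served by the image location below instead of
# being denied.
location ~ /(uploadfile|statics|html)/.*\.php$ { deny all; }
# hidden files and directories (.git, .htaccess, .env, ...)
location ~ /\. {
    deny all;
}
location /nginx_status {
    stub_status on;
    access_log off;
    # the status page was reachable by anyone; limit it to local monitoring
    allow 127.0.0.1;
    deny all;
}
location ~ .*\.(gif|jpg|jpeg|png|bmp|swf)$ {
    expires 30d;
}
# the original "(js|css)?$" made the suffix optional, so the rule also
# matched any URI ending in "."
location ~ .*\.(js|css)$ {
    expires 12h;
}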
设置php执行目录
# fastcgi_param set outside the location (server/http level). nginx inherits
# fastcgi_param values into a location only when that location declares none
# of its own, so the copy inside the location below is the one in effect for
# PHP requests; this outer line only matters for other locations.
fastcgi_param PHP_VALUE "open_basedir=$document_root:/tmp/:/proc/";
location ~ \.php$ {
# standard FastCGI variable set shipped with nginx
include fastcgi.conf;
# Confine PHP file access to the document root plus /tmp and /proc.
# NOTE(review): /tmp is shared and world-writable and /proc exposes process
# state; confirm both really need to be inside open_basedir.
fastcgi_param PHP_VALUE "open_basedir=$document_root:/tmp/:/proc/";
fastcgi_pass unix:/run/php/php7.0-fpm.sock;
fastcgi_index index.php;
}
审计规则
yum list audit audit-libs
vi /etc/audit/auditd.conf
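# /etc/audit/auditd.conf log retention. The original "//" annotations are not
# valid in this file (they would be read as part of the value); they are
# replaced with "#" comment lines.
# number of rotated audit log files kept on the server
num_logs = 10
# maximum size of a single log file, in MB
max_log_file = 30
# action taken when max_log_file is reached (ROTATE = start a new file)
max_log_file_action = ROTATE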
vi /etc/audit/rules.d/audit.rules //编写自定义规则
# /etc/audit/rules.d/audit.rules
# File deletion/rename by real users: record unlink/unlinkat/rename/renameat
# for login UIDs >= 1000 (regular users), excluding an unset loginuid
# (4294967295 = -1, i.e. daemons and system services). Both syscall ABIs are
# listed so 32-bit binaries on a 64-bit kernel are not missed.
# Query with: ausearch -k delete
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
# Identity databases: watch for writes and attribute changes (-p wa),
# key "identity"
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
# sudo policy (file and drop-in directory), key "scope"
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
审计帐号
useradd audit //创建审计账号
vi /etc/sudoers //为审计用户添加查看的权限
# /etc/sudoers (edit with visudo so a syntax error cannot lock sudo out):
# let the "audit" account run read-only viewers as root without a password.
# NOTE(review): as written this allows reading ANY file as root (the password
# hash stores included), and less/more can run external commands, so it is a
# root-escalation path rather than a read-only audit role. Confirm this is
# intended; otherwise add the NOEXEC: tag and restrict the arguments to the
# audit log location, e.g. /var/log/audit/*.
audit ALL = (root) NOPASSWD: /usr/bin/cat , /usr/bin/less , /usr/bin/more , /usr/bin/tail , /usr/bin/head
访问控制的粒度应达到主体为用户级或进程级,客体为文件、数据库表级
# Ownership and permission baseline for the TCP-wrapper, identity, sshd and
# shell-profile files: everything root-owned; world-readable (644) except the
# password-hash stores (0400) and sshd_config (600).
# world-readable configuration files
for cfg in /etc/hosts.allow /etc/hosts.deny /etc/group /etc/passwd /etc/profile; do
  chown root:root "$cfg"
  chmod 644 "$cfg"
done
# hash stores: readable by the owner only
for store in /etc/shadow /etc/gshadow; do
  chown root:root "$store"
  chmod 400 "$store"
done
# sshd configuration: owner read/write only
chown root:root /etc/ssh/sshd_config
chmod 600 /etc/ssh/sshd_config