提交 e900a288 authored 作者: PGY's avatar PGY

refactor(ScriptTool):增加统信系统的主机漏洞配置扫描和解决方法

上级 1c1e9480
#!/bin/bash
# 统信系统安全配置检测脚本
# 功能:检测系统安全配置状态并输出详细日志
# 作者:Security Team
# 日期:$(date +%Y-%m-%d)
# 日志配置
LOG_FILE="/tmp/security_check_$(date +%Y%m%d_%H%M%S).log"
SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
# 日志函数
log() {
local level=$1
shift
local message="$*"
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
echo "[$timestamp] [$level] $message" | tee -a "$LOG_FILE"
}
# 初始化检查结果
declare -A check_results
# 检查OpenSSH安全配置
check_ssh_security() {
log INFO "开始检查OpenSSH安全配置..."
local checks=(
"X11Forwarding=no"
"MaxAuthTries=4"
"IgnoreRhosts=yes"
"HostbasedAuthentication=no"
"PermitEmptyPasswords=no"
"PermitRootLogin=no"
"Protocol=2"
)
local total_checks=${#checks[@]}
local passed_checks=0
for check in "${checks[@]}"; do
param="${check%=*}"
expected="${check#*=}"
actual=$(grep "^$param" /etc/ssh/sshd_config 2>/dev/null | head -n1 | cut -d' ' -f2)
if [[ "$actual" == "$expected" ]]; then
log INFO " ✓ $param = $expected (当前值: $actual)"
((passed_checks++))
else
log WARN " ✗ $param = $expected (当前值: $actual)"
fi
done
# 打印当前SSH配置详情,用于说明配置状态
log INFO " 当前SSH配置详情:"
for check in "${checks[@]}"; do
param="${check%=*}"
grep_result=$(grep "^$param" /etc/ssh/sshd_config 2>/dev/null | head -n1)
if [[ -n "$grep_result" ]]; then
log INFO " $grep_result"
else
log INFO " $param 参数未找到"
fi
done
log INFO "OpenSSH安全配置检查完成: $passed_checks/$total_checks 项通过"
check_results["ssh_security"]="$passed_checks/$total_checks"
}
# 检查命令行界面超时设置
check_timeout_setting() {
log INFO "开始检查命令行界面超时设置..."
local tmout_value=$(grep -E '^TMOUT=' /etc/profile 2>/dev/null | cut -d'=' -f2)
local export_tmout=$(grep -E 'export TMOUT' /etc/profile 2>/dev/null)
if [[ -n "$tmout_value" ]] && [[ -n "$export_tmout" ]] && [[ "$tmout_value" -le 300 ]]; then
log INFO " ✓ TMOUT 设置为 $tmout_value 秒"
check_results["timeout_setting"]="1/1"
else
log WARN " ✗ TMOUT 未正确设置 (当前值: $tmout_value)"
check_results["timeout_setting"]="0/1"
fi
# 打印当前TMOUT配置详情
log INFO " 当前TMOUT配置详情:"
tmout_line=$(grep -E '^TMOUT=|^export TMOUT' /etc/profile 2>/dev/null)
if [[ -n "$tmout_line" ]]; then
while IFS= read -r line; do
log INFO " $line"
done <<< "$tmout_line"
else
log INFO " 未找到TMOUT相关配置"
fi
}
# 检查PAM认证模块配置
check_pam_auth() {
log INFO "开始检查PAM认证模块配置..."
local auth_lines=$(grep -E "auth\s+sufficient\s+pam_rootok\.so|auth\s+required\s+pam_wheel\.so" /etc/pam.d/su 2>/dev/null | wc -l)
if [[ $auth_lines -ge 2 ]]; then
log INFO " ✓ PAM认证模块配置正确"
check_results["pam_auth"]="1/1"
else
log WARN " ✗ PAM认证模块配置不正确"
check_results["pam_auth"]="0/1"
fi
# 打印当前PAM配置详情
log INFO " 当前PAM su配置详情:"
pam_lines=$(grep -E "auth.*(pam_rootok|pam_wheel)" /etc/pam.d/su 2>/dev/null)
if [[ -n "$pam_lines" ]]; then
while IFS= read -r line; do
log INFO " $line"
done <<< "$pam_lines"
else
log INFO " 未找到PAM认证相关配置"
fi
}
# 检查Telnet服务状态
check_telnet_status() {
log INFO "开始检查Telnet服务状态..."
# 检查telnet是否已禁用
local telnet_disabled=$(grep -E "^disable" /etc/xinetd.d/telnet 2>/dev/null | grep -o "yes" || echo "")
if [[ -n "$telnet_disabled" ]]; then
log INFO " ✓ Telnet服务已禁用"
check_results["telnet_status"]="1/1"
else
log WARN " ✗ Telnet服务未禁用"
check_results["telnet_status"]="0/1"
fi
# 打印当前Telnet配置详情
log INFO " 当前Telnet配置详情:"
telnet_conf=$(grep -E "^disable" /etc/xinetd.d/telnet 2>/dev/null)
if [[ -n "$telnet_conf" ]]; then
log INFO " $telnet_conf"
else
log INFO " Telnet配置未找到或服务未安装"
fi
}
# 检查SSH服务状态
check_ssh_service() {
log INFO "开始检查SSH服务状态..."
if systemctl is-active --quiet sshd; then
log INFO " ✓ SSH服务正在运行"
check_results["ssh_service"]="1/1"
else
log WARN " ✗ SSH服务未运行"
check_results["ssh_service"]="0/1"
fi
# 打印SSH服务状态详情
log INFO " 当前SSH服务状态:"
ssh_status=$(systemctl is-active sshd 2>/dev/null)
ssh_enabled=$(systemctl is-enabled sshd 2>/dev/null)
log INFO " Active: $ssh_status"
log INFO " Enabled: $ssh_enabled"
}
# 检查登录日志记录配置
check_login_logging() {
log INFO "开始检查登录日志记录配置..."
local secure_log_exists=$(stat -c %a /var/log/secure 2>/dev/null | grep "^600$")
local rsyslog_conf=$(grep -E "authpriv\.\*" /etc/rsyslog.conf 2>/dev/null | grep "/var/log/secure")
if [[ -n "$secure_log_exists" ]] && [[ -n "$rsyslog_conf" ]]; then
log INFO " ✓ 登录日志记录配置正确"
check_results["login_logging"]="1/1"
else
log WARN " ✗ 登录日志记录配置不正确"
check_results["login_logging"]="0/1"
fi
# 打印当前rsyslog配置详情
log INFO " 当前rsyslog配置详情:"
rsyslog_lines=$(grep -E "authpriv\.\*" /etc/rsyslog.conf 2>/dev/null)
if [[ -n "$rsyslog_lines" ]]; then
while IFS= read -r line; do
log INFO " $line"
done <<< "$rsyslog_lines"
else
log INFO " 未找到authpriv日志配置"
fi
# 打印secure日志文件权限
secure_perms=$(stat -c %a /var/log/secure 2>/dev/null)
log INFO " /var/log/secure 权限: $secure_perms"
}
# 检查用户目录默认访问权限
check_umask_setting() {
log INFO "开始检查用户目录默认访问权限设置..."
local umask_value=$(grep -E "^umask" /etc/profile 2>/dev/null | grep -o "[0-9]\{3,\}" | head -n1)
if [[ -n "$umask_value" ]] && [[ "$umask_value" == "027" ]]; then
log INFO " ✓ umask 设置为 $umask_value"
check_results["umask_setting"]="1/1"
else
log WARN " ✗ umask 未正确设置 (当前值: $umask_value)"
check_results["umask_setting"]="0/1"
fi
# 打印当前umask配置详情
log INFO " 当前umask配置详情:"
umask_line=$(grep -E "^umask" /etc/profile 2>/dev/null)
if [[ -n "$umask_line" ]]; then
log INFO " $umask_line"
else
log INFO " 未找到umask配置"
fi
}
# 检查口令过期前警告天数
check_password_warn_age() {
log INFO "开始检查口令过期前警告天数..."
local warn_age=$(grep -E "^PASS_WARN_AGE" /etc/login.defs 2>/dev/null | awk '{print $2}')
if [[ -n "$warn_age" ]] && [[ "$warn_age" -le 7 ]]; then
log INFO " ✓ 口令过期前警告天数设置为 $warn_age 天"
check_results["password_warn_age"]="1/1"
else
log WARN " ✗ 口令过期前警告天数未正确设置 (当前值: $warn_age)"
check_results["password_warn_age"]="0/1"
fi
# 打印当前PASS_WARN_AGE配置详情
log INFO " 当前PASS_WARN_AGE配置详情:"
warn_age_line=$(grep -E "^PASS_WARN_AGE" /etc/login.defs 2>/dev/null)
if [[ -n "$warn_age_line" ]]; then
log INFO " $warn_age_line"
else
log INFO " 未找到PASS_WARN_AGE配置"
fi
}
# 检查密码复杂度策略
check_password_complexity() {
log INFO "开始检查密码复杂度策略..."
local complexity_rule=$(grep -E "pam_cracklib\.so" /etc/pam.d/system-auth 2>/dev/null | \
grep -E "minlen=8.*dcredit=-1.*ucredit=-1.*ocredit=-1.*lcredit=-1")
if [[ -n "$complexity_rule" ]]; then
log INFO " ✓ 密码复杂度策略配置正确"
check_results["password_complexity"]="1/1"
else
log WARN " ✗ 密码复杂度策略配置不正确"
check_results["password_complexity"]="0/1"
fi
# 打印当前密码复杂度配置详情
log INFO " 当前密码复杂度配置详情:"
complexity_lines=$(grep -E "pam_cracklib\.so" /etc/pam.d/system-auth 2>/dev/null)
if [[ -n "$complexity_lines" ]]; then
while IFS= read -r line; do
log INFO " $line"
done <<< "$complexity_lines"
else
log INFO " 未找到pam_cracklib配置"
fi
}
# 检查口令更改最小间隔天数
check_password_min_days() {
log INFO "开始检查口令更改最小间隔天数..."
local min_days=$(grep -E "^PASS_MIN_DAYS" /etc/login.defs 2>/dev/null | awk '{print $2}')
if [[ -n "$min_days" ]] && [[ "$min_days" -ge 7 ]]; then
log INFO " ✓ 口令更改最小间隔天数设置为 $min_days 天"
check_results["password_min_days"]="1/1"
else
log WARN " ✗ 口令更改最小间隔天数未正确设置 (当前值: $min_days)"
check_results["password_min_days"]="0/1"
fi
# 打印当前PASS_MIN_DAYS配置详情
log INFO " 当前PASS_MIN_DAYS配置详情:"
min_days_line=$(grep -E "^PASS_MIN_DAYS" /etc/login.defs 2>/dev/null)
if [[ -n "$min_days_line" ]]; then
log INFO " $min_days_line"
else
log INFO " 未找到PASS_MIN_DAYS配置"
fi
}
# 检查口令生存周期
check_password_max_days() {
log INFO "开始检查口令生存周期..."
local max_days=$(grep -E "^PASS_MAX_DAYS" /etc/login.defs 2>/dev/null | awk '{print $2}')
if [[ -n "$max_days" ]] && [[ "$max_days" -le 90 ]]; then
log INFO " ✓ 口令生存周期设置为 $max_days 天"
check_results["password_max_days"]="1/1"
else
log WARN " ✗ 口令生存周期未正确设置 (当前值: $max_days)"
check_results["password_max_days"]="0/1"
fi
# 打印当前PASS_MAX_DAYS配置详情
log INFO " 当前PASS_MAX_DAYS配置详情:"
max_days_line=$(grep -E "^PASS_MAX_DAYS" /etc/login.defs 2>/dev/null)
if [[ -n "$max_days_line" ]]; then
log INFO " $max_days_line"
else
log INFO " 未找到PASS_MAX_DAYS配置"
fi
}
# 检查重要目录及文件权限
check_critical_permissions() {
log INFO "开始检查重要目录及文件权限..."
local passwd_perm=$(stat -c %a /etc/passwd 2>/dev/null)
local shadow_perm=$(stat -c %a /etc/shadow 2>/dev/null)
local group_perm=$(stat -c %a /etc/group 2>/dev/null)
local checks_passed=0
local total_checks=3
if [[ "$passwd_perm" == "644" ]]; then
log INFO " ✓ /etc/passwd 权限正确 ($passwd_perm)"
((checks_passed++))
else
log WARN " ✗ /etc/passwd 权限不正确 (当前: $passwd_perm)"
fi
if [[ "$shadow_perm" == "400" ]]; then
log INFO " ✓ /etc/shadow 权限正确 ($shadow_perm)"
((checks_passed++))
else
log WARN " ✗ /etc/shadow 权限不正确 (当前: $shadow_perm)"
fi
if [[ "$group_perm" == "644" ]]; then
log INFO " ✓ /etc/group 权限正确 ($group_perm)"
((checks_passed++))
else
log WARN " ✗ /etc/group 权限不正确 (当前: $group_perm)"
fi
log INFO "重要目录及文件权限检查完成: $checks_passed/$total_checks 项通过"
check_results["critical_permissions"]="$checks_passed/$total_checks"
# 打印当前权限详情
log INFO " 当前关键文件权限详情:"
log INFO " /etc/passwd 权限: $passwd_perm (期望: 644)"
log INFO " /etc/shadow 权限: $shadow_perm (期望: 400)"
log INFO " /etc/group 权限: $group_perm (期望: 644)"
}
# 检查账户认证失败次数限制
check_auth_failure_limit() {
log INFO "开始检查账户认证失败次数限制..."
local tally2_auth=$(grep -E "pam_tally2\.so.*deny=5" /etc/pam.d/system-auth 2>/dev/null)
local tally2_account=$(grep -E "pam_tally2\.so" /etc/pam.d/system-auth 2>/dev/null | grep "account")
if [[ -n "$tally2_auth" ]] && [[ -n "$tally2_account" ]]; then
log INFO " ✓ 账户认证失败次数限制配置正确"
check_results["auth_failure_limit"]="1/1"
else
log WARN " ✗ 账户认证失败次数限制配置不正确"
check_results["auth_failure_limit"]="0/1"
fi
# 打印当前pam_tally2配置详情
log INFO " 当前pam_tally2配置详情:"
tally2_lines=$(grep -E "pam_tally2\.so" /etc/pam.d/system-auth 2>/dev/null)
if [[ -n "$tally2_lines" ]]; then
while IFS= read -r line; do
log INFO " $line"
done <<< "$tally2_lines"
else
log INFO " 未找到pam_tally2配置"
fi
}
# 检查历史命令数量限制
check_history_limit() {
log INFO "开始检查历史命令数量限制..."
local hist_file_size=$(grep -E "^HISTFILESIZE=" /etc/profile 2>/dev/null | cut -d'=' -f2)
local hist_size=$(grep -E "^HISTSIZE=" /etc/profile 2>/dev/null | cut -d'=' -f2)
local checks_passed=0
local total_checks=2
if [[ -n "$hist_file_size" ]] && [[ "$hist_file_size" -le 5 ]]; then
log INFO " ✓ HISTFILESIZE 设置为 $hist_file_size"
((checks_passed++))
else
log WARN " ✗ HISTFILESIZE 未正确设置 (当前值: $hist_file_size)"
fi
if [[ -n "$hist_size" ]] && [[ "$hist_size" -le 5 ]]; then
log INFO " ✓ HISTSIZE 设置为 $hist_size"
((checks_passed++))
else
log WARN " ✗ HISTSIZE 未正确设置 (当前值: $hist_size)"
fi
log INFO "历史命令数量限制检查完成: $checks_passed/$total_checks 项通过"
check_results["history_limit"]="$checks_passed/$total_checks"
# 打印当前历史命令配置详情
log INFO " 当前历史命令配置详情:"
hist_file_size_line=$(grep -E "^HISTFILESIZE=" /etc/profile 2>/dev/null)
hist_size_line=$(grep -E "^HISTSIZE=" /etc/profile 2>/dev/null)
if [[ -n "$hist_file_size_line" ]]; then
log INFO " $hist_file_size_line"
else
log INFO " 未找到HISTFILESIZE配置"
fi
if [[ -n "$hist_size_line" ]]; then
log INFO " $hist_size_line"
else
log INFO " 未找到HISTSIZE配置"
fi
}
# 检查密码重复使用次数限制
check_password_reuse_limit() {
log INFO "开始检查密码重复使用次数限制..."
local reuse_check=$(grep -E "pam_unix\.so.*remember=5" /etc/pam.d/system-auth 2>/dev/null)
if [[ -n "$reuse_check" ]]; then
log INFO " ✓ 密码重复使用次数限制配置正确"
check_results["password_reuse_limit"]="1/1"
else
log WARN " ✗ 密码重复使用次数限制配置不正确"
check_results["password_reuse_limit"]="0/1"
fi
# 打印当前密码重复使用配置详情
log INFO " 当前密码重复使用配置详情:"
reuse_lines=$(grep -E "pam_unix\.so.*remember" /etc/pam.d/system-auth 2>/dev/null)
if [[ -n "$reuse_lines" ]]; then
while IFS= read -r line; do
log INFO " $line"
done <<< "$reuse_lines"
else
log INFO " 未找到密码重复使用限制配置"
fi
}
# 检查Ctrl+Alt+Delete组合键状态
check_ctrl_alt_del() {
log INFO "开始检查Ctrl+Alt+Delete组合键状态..."
local masked=$(systemctl is-enabled ctrl-alt-del.target 2>/dev/null | grep -o "masked")
if [[ -n "$masked" ]]; then
log INFO " ✓ Ctrl+Alt+Delete组合键已被禁用"
check_results["ctrl_alt_del"]="1/1"
else
log WARN " ✗ Ctrl+Alt+Delete组合键未被禁用"
check_results["ctrl_alt_del"]="0/1"
fi
# 打印当前Ctrl+Alt+Delete服务状态
log INFO " 当前Ctrl+Alt+Delete服务状态:"
cad_status=$(systemctl is-active ctrl-alt-del.target 2>/dev/null)
cad_enabled=$(systemctl is-enabled ctrl-alt-del.target 2>/dev/null)
log INFO " Active: $cad_status"
log INFO " Enabled: $cad_enabled"
}
# 输出汇总报告
output_summary() {
log INFO ""
log INFO "=================================="
log INFO "安全配置检测汇总报告"
log INFO "=================================="
local total_items=0
local passed_items=0
for key in "${!check_results[@]}"; do
IFS='/' read -r passed total <<< "${check_results[$key]}"
((total_items += total))
((passed_items += passed))
log INFO "$(printf '%-20s' "$key:") ${check_results[$key]}"
done
log INFO "=================================="
log INFO "总计: $passed_items/$total_items 项通过"
local percentage=$((passed_items * 100 / total_items))
if [[ $percentage -ge 90 ]]; then
log INFO "安全配置达标率: $percentage% (优秀)"
elif [[ $percentage -ge 70 ]]; then
log INFO "安全配置达标率: $percentage% (良好)"
else
log INFO "安全配置达标率: $percentage% (需要改进)"
fi
log INFO "=================================="
log INFO "检测完成,详细日志请查看: $LOG_FILE"
}
# 主函数
main() {
log INFO "开始执行统信系统安全配置检测脚本"
log INFO "脚本位置: $SCRIPT_DIR"
log INFO "检测开始时间: $(date '+%Y-%m-%d %H:%M:%S')"
log INFO ""
# 执行各项检查
check_ssh_security
check_timeout_setting
check_pam_auth
check_telnet_status
check_ssh_service
check_login_logging
check_umask_setting
check_password_warn_age
check_password_complexity
check_password_min_days
check_password_max_days
check_critical_permissions
check_auth_failure_limit
check_history_limit
check_password_reuse_limit
check_ctrl_alt_del
# 输出汇总报告
output_summary
}
# 运行主函数
main "$@"
\ No newline at end of file
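Review bot: The Telnet check in check_telnet_status anchors `^disable` at column 0 in both grep calls, but inside an xinetd `service telnet { … }` block the directive is normally indented, so a correctly disabled service is reported as "未禁用"; `grep -Eq '^[[:space:]]*disable[[:space:]]*=[[:space:]]*yes' /etc/xinetd.d/telnet` matches the usual layout. check_ssh_security parses sshd_config textually with `cut -d' ' -f2`, so a tab or `Key = value` form is misread, keyword case is not normalised although sshd treats keywords case-insensitively, and any `Include` drop-in is not seen; since the script already needs root for the files it reads, the effective values can be taken from `actual=$(sshd -T 2>/dev/null | awk -v k="${param,,}" '$1==k{print $2}')`, bearing in mind that `Protocol` is likely not reported by current OpenSSH releases and that check would need its own handling. The log is written with `tee -a` to a predictable `/tmp/security_check_<timestamp>.log` while running as root, and the same pattern appears in security_fix.sh; `LOG_FILE=$(mktemp /tmp/security_check_XXXXXX)` avoids following a pre-planted symlink at that path.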
#!/bin/bash
# 统信系统安全漏洞修复脚本
# 功能:修复系统安全配置问题
# 作者:Security Team
# 日期:$(date +%Y-%m-%d)
# 颜色定义
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m' # No Color
# 日志配置
LOG_FILE="/tmp/security_fix_$(date +%Y%m%d_%H%M%S).log"
SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
# 日志函数
log() {
local level=$1
shift
local message="$*"
local timestamp=$(date '+%Y-%m-%d %H:%M:%S')
echo "[$timestamp] [$level] $message" | tee -a "$LOG_FILE"
}
# 彩色输出函数
print_title() {
echo -e "${BLUE}$1${NC}"
}
print_success() {
echo -e "${GREEN}$1${NC}"
}
print_warning() {
echo -e "${YELLOW}$1${NC}"
}
print_error() {
echo -e "${RED}$1${NC}"
}
# 确认函数
confirm_action() {
local message=$1
read -p "$message (y/N): " -n 1 -r
echo
if [[ ! $REPLY =~ ^[Yy]$ ]]; then
log INFO "用户取消操作"
return 1
fi
return 0
}
# 备份文件函数
backup_file() {
local file_path=$1
local timestamp=$(date +%Y%m%d_%H%M%S)
local backup_path="${file_path}_backup_${timestamp}"
if [[ -f "$file_path" ]]; then
cp "$file_path" "$backup_path"
log INFO "已创建备份: $backup_path"
echo "$backup_path"
else
log WARN "文件不存在,无法备份: $file_path"
echo ""
fi
}
# 修复OpenSSH安全配置
fix_ssh_security() {
print_title "开始修复OpenSSH安全配置..."
log INFO "开始修复OpenSSH安全配置"
local ssh_config="/etc/ssh/sshd_config"
local backup_path=$(backup_file "$ssh_config")
if [[ -z "$backup_path" ]]; then
log ERROR "无法备份SSH配置文件,跳过此步骤"
return 1
fi
# 创建临时文件
local temp_file=$(mktemp)
# 读取现有配置并替换或添加所需参数
while IFS= read -r line; do
if [[ $line =~ ^[[:space:]]*X11Forwarding[[:space:]] ]]; then
echo "X11Forwarding no" >> "$temp_file"
elif [[ $line =~ ^[[:space:]]*MaxAuthTries[[:space:]] ]]; then
echo "MaxAuthTries 4" >> "$temp_file"
elif [[ $line =~ ^[[:space:]]*IgnoreRhosts[[:space:]] ]]; then
echo "IgnoreRhosts yes" >> "$temp_file"
elif [[ $line =~ ^[[:space:]]*HostbasedAuthentication[[:space:]] ]]; then
echo "HostbasedAuthentication no" >> "$temp_file"
elif [[ $line =~ ^[[:space:]]*PermitEmptyPasswords[[:space:]] ]]; then
echo "PermitEmptyPasswords no" >> "$temp_file"
elif [[ $line =~ ^[[:space:]]*PermitRootLogin[[:space:]] ]]; then
echo "PermitRootLogin no" >> "$temp_file"
elif [[ $line =~ ^[[:space:]]*Protocol[[:space:]] ]]; then
echo "Protocol 2" >> "$temp_file"
else
echo "$line" >> "$temp_file"
fi
done < "$ssh_config"
# 检查是否有缺少的参数并添加
if ! grep -q "^X11Forwarding" "$temp_file"; then
echo "X11Forwarding no" >> "$temp_file"
fi
if ! grep -q "^MaxAuthTries" "$temp_file"; then
echo "MaxAuthTries 4" >> "$temp_file"
fi
if ! grep -q "^IgnoreRhosts" "$temp_file"; then
echo "IgnoreRhosts yes" >> "$temp_file"
fi
if ! grep -q "^HostbasedAuthentication" "$temp_file"; then
echo "HostbasedAuthentication no" >> "$temp_file"
fi
if ! grep -q "^PermitEmptyPasswords" "$temp_file"; then
echo "PermitEmptyPasswords no" >> "$temp_file"
fi
if ! grep -q "^PermitRootLogin" "$temp_file"; then
echo "PermitRootLogin no" >> "$temp_file"
fi
if ! grep -q "^Protocol" "$temp_file"; then
echo "Protocol 2" >> "$temp_file"
fi
# 替换原文件
mv "$temp_file" "$ssh_config"
log INFO "OpenSSH安全配置修复完成"
print_success "OpenSSH安全配置修复完成"
}
# 修复命令行界面超时设置
fix_timeout_setting() {
print_title "开始修复命令行界面超时设置..."
log INFO "开始修复命令行界面超时设置"
local profile_file="/etc/profile"
local backup_path=$(backup_file "$profile_file")
if [[ -z "$backup_path" ]]; then
log ERROR "无法备份profile文件,跳过此步骤"
return 1
fi
# 检查是否已有设置,如果有则替换,否则添加
if grep -q "^TMOUT=" "$profile_file"; then
sed -i 's/^TMOUT=.*/TMOUT=300/' "$profile_file"
sed -i '/^export TMOUT/d' "$profile_file"
else
echo "" >> "$profile_file"
echo "# 设置命令行界面超时时间为300秒" >> "$profile_file"
echo "TMOUT=300" >> "$profile_file"
fi
if ! grep -q "^export TMOUT" "$profile_file"; then
echo "export TMOUT" >> "$profile_file"
fi
# 应用配置
source "$profile_file"
log INFO "命令行界面超时设置修复完成"
print_success "命令行界面超时设置修复完成"
}
# 修复PAM认证模块配置
fix_pam_auth() {
print_title "开始修复PAM认证模块配置..."
log INFO "开始修复PAM认证模块配置"
local pam_su="/etc/pam.d/su"
local backup_path=$(backup_file "$pam_su")
if [[ -z "$backup_path" ]]; then
log ERROR "无法备份PAM su文件,跳过此步骤"
return 1
fi
# 检查是否已有配置,避免重复添加
if ! grep -q "pam_rootok.so" "$pam_su"; then
sed -i '1i auth sufficient pam_rootok.so' "$pam_su"
else
sed -i 's/^auth.*pam_rootok\.so/auth sufficient pam_rootok.so/' "$pam_su"
fi
if ! grep -q "pam_wheel.so" "$pam_su"; then
sed -i '2i auth required pam_wheel.so group=wheel' "$pam_su"
else
sed -i 's/^auth.*pam_wheel\.so.*/auth required pam_wheel.so group=wheel/' "$pam_su"
fi
log INFO "PAM认证模块配置修复完成"
print_success "PAM认证模块配置修复完成"
}
# 修复Telnet服务状态
fix_telnet_status() {
print_title "开始修复Telnet服务状态..."
log INFO "开始修复Telnet服务状态"
local telnet_file="/etc/xinetd.d/telnet"
if [[ -f "$telnet_file" ]]; then
local backup_path=$(backup_file "$telnet_file")
if [[ -z "$backup_path" ]]; then
log ERROR "无法备份telnet配置文件,跳过此步骤"
return 1
fi
# 禁用Telnet服务
sed -i 's/disable.*/disable = yes/' "$telnet_file"
# 重启xinetd服务
systemctl restart xinetd
log INFO "Telnet服务已禁用并重启xinetd服务"
print_success "Telnet服务已禁用"
else
log INFO "Telnet服务未安装或配置文件不存在,跳过此步骤"
print_warning "Telnet服务未安装或配置文件不存在,跳过此步骤"
fi
}
# 修复SSH服务状态
fix_ssh_service() {
print_title "开始修复SSH服务状态..."
log INFO "开始修复SSH服务状态"
# 启动并启用SSH服务
systemctl enable sshd
systemctl start sshd
if systemctl is-active --quiet sshd; then
log INFO "SSH服务已启动并设置为开机自启"
print_success "SSH服务已启动并设置为开机自启"
else
log ERROR "SSH服务启动失败"
print_error "SSH服务启动失败"
fi
}
# 修复登录日志记录配置
fix_login_logging() {
print_title "开始修复登录日志记录配置..."
log INFO "开始修复登录日志记录配置"
local rsyslog_conf="/etc/rsyslog.conf"
local backup_path=$(backup_file "$rsyslog_conf")
if [[ -z "$backup_path" ]]; then
log ERROR "无法备份rsyslog配置文件,跳过此步骤"
return 1
fi
# 检查是否已有配置,避免重复添加
if ! grep -q "authpriv.* /var/log/secure" "$rsyslog_conf"; then
echo "authpriv.* /var/log/secure" >> "$rsyslog_conf"
fi
# 创建并设置日志文件权限
touch /var/log/secure
chmod 600 /var/log/secure
# 重启rsyslog服务
systemctl restart rsyslog
log INFO "登录日志记录配置修复完成"
print_success "登录日志记录配置修复完成"
}
# 修复用户目录默认访问权限
fix_umask_setting() {
print_title "开始修复用户目录默认访问权限设置..."
log INFO "开始修复用户目录默认访问权限设置"
local profile_file="/etc/profile"
local backup_path=$(backup_file "$profile_file")
if [[ -z "$backup_path" ]]; then
log ERROR "无法备份profile文件,跳过此步骤"
return 1
fi
# 检查是否已有umask设置
if grep -q "^umask" "$profile_file"; then
sed -i 's/^umask.*/umask 027/' "$profile_file"
else
echo "" >> "$profile_file"
echo "# 设置默认权限掩码" >> "$profile_file"
echo "umask 027" >> "$profile_file"
fi
# 应用配置
source "$profile_file"
log INFO "用户目录默认访问权限设置修复完成"
print_success "用户目录默认访问权限设置修复完成"
}
# 修复口令过期前警告天数
fix_password_warn_age() {
print_title "开始修复口令过期前警告天数..."
log INFO "开始修复口令过期前警告天数"
local login_defs="/etc/login.defs"
local backup_path=$(backup_file "$login_defs")
if [[ -z "$backup_path" ]]; then
log ERROR "无法备份login.defs文件,跳过此步骤"
return 1
fi
# 检查是否已有设置
if grep -q "^PASS_WARN_AGE" "$login_defs"; then
sed -i 's/^PASS_WARN_AGE.*/PASS_WARN_AGE 7/' "$login_defs"
else
echo "" >> "$login_defs"
echo "# 密码过期前警告天数" >> "$login_defs"
echo "PASS_WARN_AGE 7" >> "$login_defs"
fi
log INFO "口令过期前警告天数修复完成"
print_success "口令过期前警告天数修复完成"
}
# 修复密码复杂度策略
fix_password_complexity() {
print_title "开始修复密码复杂度策略..."
log INFO "开始修复密码复杂度策略"
local system_auth="/etc/pam.d/system-auth"
local backup_path=$(backup_file "$system_auth")
if [[ -z "$backup_path" ]]; then
log ERROR "无法备份system-auth文件,跳过此步骤"
return 1
fi
# 检查是否已有pam_cracklib配置
if grep -q "pam_cracklib.so" "$system_auth"; then
sed -i 's/password.*requisite.*pam_cracklib.so.*/password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1/' "$system_auth"
else
# 添加密码复杂度配置
echo "" >> "$system_auth"
echo "# 密码复杂度策略" >> "$system_auth"
echo "password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1" >> "$system_auth"
fi
log INFO "密码复杂度策略修复完成"
print_success "密码复杂度策略修复完成"
}
# 修复口令更改最小间隔天数
fix_password_min_days() {
print_title "开始修复口令更改最小间隔天数..."
log INFO "开始修复口令更改最小间隔天数"
local login_defs="/etc/login.defs"
local backup_path=$(backup_file "$login_defs")
if [[ -z "$backup_path" ]]; then
log ERROR "无法备份login.defs文件,跳过此步骤"
return 1
fi
# 检查是否已有设置
if grep -q "^PASS_MIN_DAYS" "$login_defs"; then
sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 7/' "$login_defs"
else
echo "" >> "$login_defs"
echo "# 密码更改最小间隔天数" >> "$login_defs"
echo "PASS_MIN_DAYS 7" >> "$login_defs"
fi
log INFO "口令更改最小间隔天数修复完成"
print_success "口令更改最小间隔天数修复完成"
}
# 修复口令生存周期
fix_password_max_days() {
print_title "开始修复口令生存周期..."
log INFO "开始修复口令生存周期"
local login_defs="/etc/login.defs"
local backup_path=$(backup_file "$login_defs")
if [[ -z "$backup_path" ]]; then
log ERROR "无法备份login.defs文件,跳过此步骤"
return 1
fi
# 检查是否已有设置
if grep -q "^PASS_MAX_DAYS" "$login_defs"; then
sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/' "$login_defs"
else
echo "" >> "$login_defs"
echo "# 密码最大生存周期" >> "$login_defs"
echo "PASS_MAX_DAYS 90" >> "$login_defs"
fi
log INFO "口令生存周期修复完成"
print_success "口令生存周期修复完成"
}
# 修复重要目录及文件权限
fix_critical_permissions() {
print_title "开始修复重要目录及文件权限..."
log INFO "开始修复重要目录及文件权限"
chmod 644 /etc/passwd
chmod 400 /etc/shadow
chmod 644 /etc/group
log INFO "重要目录及文件权限修复完成"
print_success "重要目录及文件权限修复完成"
}
# 修复账户认证失败次数限制
fix_auth_failure_limit() {
print_title "开始修复账户认证失败次数限制..."
log INFO "开始修复账户认证失败次数限制"
local system_auth="/etc/pam.d/system-auth"
local backup_path=$(backup_file "$system_auth")
if [[ -z "$backup_path" ]]; then
log ERROR "无法备份system-auth文件,跳过此步骤"
return 1
fi
# 添加认证失败限制配置
if ! grep -q "pam_tally2.so.*deny=5" "$system_auth"; then
sed -i '/^auth[[:space:]]\+required/a auth required pam_tally2.so deny=5 unlock_time=180 onerr=fail no_magic_root' "$system_auth"
else
sed -i 's/^auth[[:space:]]\+required[[:space:]]\+pam_tally2.so.*/auth required pam_tally2.so deny=5 unlock_time=180 onerr=fail no_magic_root/' "$system_auth"
fi
if ! grep -q "pam_tally2.so" "$system_auth" | grep -q account; then
echo "" >> "$system_auth"
echo "# 账户认证失败次数限制" >> "$system_auth"
echo "account required pam_tally2.so" >> "$system_auth"
fi
log INFO "账户认证失败次数限制修复完成"
print_success "账户认证失败次数限制修复完成"
}
# 修复历史命令数量限制
fix_history_limit() {
print_title "开始修复历史命令数量限制..."
log INFO "开始修复历史命令数量限制"
local profile_file="/etc/profile"
local backup_path=$(backup_file "$profile_file")
if [[ -z "$backup_path" ]]; then
log ERROR "无法备份profile文件,跳过此步骤"
return 1
fi
# 设置历史命令数量限制
if grep -q "^HISTFILESIZE=" "$profile_file"; then
sed -i 's/^HISTFILESIZE=.*/HISTFILESIZE=5/' "$profile_file"
else
echo "" >> "$profile_file"
echo "# 历史命令数量限制" >> "$profile_file"
echo "HISTFILESIZE=5" >> "$profile_file"
fi
if grep -q "^HISTSIZE=" "$profile_file"; then
sed -i 's/^HISTSIZE=.*/HISTSIZE=5/' "$profile_file"
else
echo "HISTSIZE=5" >> "$profile_file"
fi
# 应用配置
source "$profile_file"
log INFO "历史命令数量限制修复完成"
print_success "历史命令数量限制修复完成"
}
# 修复密码重复使用次数限制
fix_password_reuse_limit() {
print_title "开始修复密码重复使用次数限制..."
log INFO "开始修复密码重复使用次数限制"
local system_auth="/etc/pam.d/system-auth"
local opasswd_file="/etc/security/opasswd"
local backup_path=$(backup_file "$system_auth")
if [[ -z "$backup_path" ]]; then
log ERROR "无法备份system-auth文件,跳过此步骤"
return 1
fi
# 创建旧密码存储文件
touch "$opasswd_file"
chown root:root "$opasswd_file"
chmod 600 "$opasswd_file"
# 修复或添加密码重复使用限制
if grep -q "pam_unix.so" "$system_auth"; then
sed -i 's/\(^password.*sufficient.*pam_unix\.so\).*/\1 remember=5/' "$system_auth"
else
echo "" >> "$system_auth"
echo "# 密码重复使用限制" >> "$system_auth"
echo "password sufficient pam_unix.so remember=5" >> "$system_auth"
fi
log INFO "密码重复使用次数限制修复完成"
print_success "密码重复使用次数限制修复完成"
}
# 修复Ctrl+Alt+Delete组合键状态
fix_ctrl_alt_del() {
print_title "开始修复Ctrl+Alt+Delete组合键状态..."
log INFO "开始修复Ctrl+Alt+Delete组合键状态"
# 禁用Ctrl+Alt+Delete系统调用
systemctl mask ctrl-alt-del.target
if [[ $? -eq 0 ]]; then
log INFO "Ctrl+Alt+Delete组合键已禁用"
print_success "Ctrl+Alt+Delete组合键已禁用"
else
log ERROR "禁用Ctrl+Alt+Delete组合键失败"
print_error "禁用Ctrl+Alt+Delete组合键失败"
fi
}
# 重启相关服务
restart_services() {
print_title "重启相关服务以应用更改..."
log INFO "重启相关服务以应用更改"
systemctl restart sshd
systemctl restart rsyslog
log INFO "服务重启完成"
print_success "服务重启完成"
}
# 输出修复摘要
output_summary() {
print_title "=================================="
print_success "安全漏洞修复汇总"
print_title "=================================="
log INFO "安全漏洞修复完成,请检查日志: $LOG_FILE"
print_success "安全漏洞修复完成!"
print_warning "建议重启系统以确保所有更改完全生效。"
}
# 主菜单
show_menu() {
echo "统信系统安全漏洞修复工具"
echo "请选择要执行的操作:"
echo "1) 完整修复所有安全问题"
echo "2) 选择性修复特定问题"
echo "3) 退出"
echo
}
# 选择性修复菜单
selective_fix_menu() {
while true; do
echo "选择要修复的安全问题:"
echo " 1) OpenSSH安全配置"
echo " 2) 命令行界面超时设置"
echo " 3) PAM认证模块配置"
echo " 4) Telnet服务状态"
echo " 5) SSH服务状态"
echo " 6) 登录日志记录配置"
echo " 7) 用户目录默认访问权限"
echo " 8) 口令过期前警告天数"
echo " 9) 密码复杂度策略"
echo "10) 口令更改最小间隔天数"
echo "11) 口令生存周期"
echo "12) 重要目录及文件权限"
echo "13) 账户认证失败次数限制"
echo "14) 历史命令数量限制"
echo "15) 密码重复使用次数限制"
echo "16) Ctrl+Alt+Delete组合键状态"
echo " b) 返回主菜单"
echo " a) 全选"
echo " q) 退出"
echo
read -p "请输入选项 (1-16, b, a, q): " option
case $option in
1) fix_ssh_security ;;
2) fix_timeout_setting ;;
3) fix_pam_auth ;;
4) fix_telnet_status ;;
5) fix_ssh_service ;;
6) fix_login_logging ;;
7) fix_umask_setting ;;
8) fix_password_warn_age ;;
9) fix_password_complexity ;;
10) fix_password_min_days ;;
11) fix_password_max_days ;;
12) fix_critical_permissions ;;
13) fix_auth_failure_limit ;;
14) fix_history_limit ;;
15) fix_password_reuse_limit ;;
16) fix_ctrl_alt_del ;;
b) break ;;
a)
fix_ssh_security
fix_timeout_setting
fix_pam_auth
fix_telnet_status
fix_ssh_service
fix_login_logging
fix_umask_setting
fix_password_warn_age
fix_password_complexity
fix_password_min_days
fix_password_max_days
fix_critical_permissions
fix_auth_failure_limit
fix_history_limit
fix_password_reuse_limit
fix_ctrl_alt_del
;;
q) exit 0 ;;
*) echo "无效选项,请重新选择" ;;
esac
done
}
# 主函数
main() {
log INFO "开始执行统信系统安全漏洞修复脚本"
log INFO "脚本位置: $SCRIPT_DIR"
log INFO "修复开始时间: $(date '+%Y-%m-%d %H:%M:%S')"
log INFO ""
# 检查是否以root权限运行
if [[ $EUID -ne 0 ]]; then
print_error "此脚本需要root权限才能运行,请使用sudo或以root身份运行"
exit 1
fi
while true; do
show_menu
read -p "请选择操作 (1-3): " choice
case $choice in
1)
if confirm_action "确定要修复所有安全问题吗?此操作将修改系统配置文件并创建备份。"; then
fix_ssh_security
fix_timeout_setting
fix_pam_auth
fix_telnet_status
fix_ssh_service
fix_login_logging
fix_umask_setting
fix_password_warn_age
fix_password_complexity
fix_password_min_days
fix_password_max_days
fix_critical_permissions
fix_auth_failure_limit
fix_history_limit
fix_password_reuse_limit
fix_ctrl_alt_del
restart_services
output_summary
break
fi
;;
2)
selective_fix_menu
;;
3)
exit 0
;;
*)
echo "无效选项,请重新选择"
;;
esac
done
}
# 运行主函数
main "$@"
\ No newline at end of file
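Review bot: The missing-file guard `if [[ -z "$backup_path" ]]` in fix_ssh_security, and in every other `backup_path=$(backup_file …)` caller, can never fire, because `log` prints through `tee -a` to stdout and the command substitution captures the `[WARN] 文件不存在…` line together with the echoed path, so `backup_path` is non-empty even when the file is absent and the function proceeds to edit it. Either send the log output to stderr — `echo "[$timestamp] [$level] $message" | tee -a "$LOG_FILE" >&2` — or have `backup_file` `return 1` on a missing file and test the status instead of the captured string. In fix_auth_failure_limit, `if ! grep -q "pam_tally2.so" "$system_auth" | grep -q account` pipes the silent output of `grep -q` into a second grep, so the condition is always true and `account required pam_tally2.so` is appended on every run; `if ! grep -qE '^account[[:space:]]+required[[:space:]]+pam_tally2\.so' "$system_auth"; then` tests it directly. The `remember=5` sed in fix_password_reuse_limit replaces everything after `pam_unix.so`, dropping any existing options on that line (e.g. `sha512`, `use_authtok`), which changes password-change behaviour; appending only when absent — `sed -i '/^password.*pam_unix\.so/{/remember=/!s/$/ remember=5/}' "$system_auth"` — preserves them. fix_ssh_security also replaces sshd_config without a syntax check, so a `sshd -t -f "$temp_file" || { rm -f "$temp_file"; return 1; }` before the `mv` would stop a broken file from being installed.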
统信系统漏洞修复 PRD
=======================
**操作系统版本:** UOS Server 20 1070e
**文档目的:** 提供自动化脚本修复系统安全漏洞并支持复测验证
---
## 漏洞修复清单
### 问题一:OpenSSH 安全配置加固
#### 修复步骤:
1. **编辑 SSH 配置文件**
```bash
cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config_bak
```
编辑配置文件 `/etc/ssh/sshd_config`,修改以下参数:
```
X11Forwarding no
MaxAuthTries 4
IgnoreRhosts yes
HostbasedAuthentication no
PermitEmptyPasswords no
PermitRootLogin no
Protocol 2
```
2. **重启 SSH 服务**
```bash
systemctl restart sshd
# 或者使用
# /etc/init.d/sshd restart
```
#### 检测方法:
- 检查 `/etc/ssh/sshd_config` 文件中对应参数的值
- 验证 SSH 服务是否正常运行:`systemctl status sshd`
---
### 问题二:命令行界面超时设置
#### 修复步骤:
1. **备份配置文件**
```bash
cp -p /etc/profile /etc/profile_bak
```
2. **配置超时参数**
`/etc/profile` 文件中添加或修改以下内容:
```bash
TMOUT=300
export TMOUT
```
3. **使配置立即生效**
```bash
source /etc/profile
```
#### 检测方法:
- 检查 `/etc/profile` 文件中是否存在 `TMOUT=300``export TMOUT`
- 验证环境变量:`echo $TMOUT`
---
### 问题三:PAM 认证模块配置(限制 su 切换 root)
#### 修复步骤:
1. **编辑 PAM 配置文件**
编辑 `/etc/pam.d/su` 文件,在文件开头添加以下内容:
```
auth sufficient pam_rootok.so
auth required pam_wheel.so group=wheel
```
2. **将用户添加到 wheel 组**
```bash
usermod -G wheel username # 将 username 替换为实际用户名
```
#### 检测方法:
- 检查 `/etc/pam.d/su` 文件中是否包含上述两行配置
- 验证 wheel 组成员:`groups username`
---
### 问题四:禁用 Telnet,启用 SSH 协议
#### 修复步骤:
1. **禁用 Telnet 服务**
```bash
cp -p /etc/xinetd.d/telnet /etc/xinetd.d/telnet_bak
# 编辑 /etc/xinetd.d/telnet 文件,将 disable 设置为 yes
sed -i 's/disable.*/disable = yes/' /etc/xinetd.d/telnet
service xinetd restart
```
2. **确保 SSH 服务已启动**
```bash
systemctl start sshd
systemctl enable sshd
```
#### 检测方法:
- 检查 `/etc/xinetd.d/telnet` 文件中的 `disable` 参数是否为 `yes`
- 验证 xinetd 服务状态:`systemctl status xinetd`
- 验证 SSH 服务状态:`systemctl status sshd`
---
### 问题五:禁用 Root 用户远程登录
此问题已在问题一中通过设置 `PermitRootLogin no` 解决。
#### 检测方法:
- 检查 `/etc/ssh/sshd_config` 文件中 `PermitRootLogin` 是否设置为 `no`
---
### 问题六:登录日志记录配置
#### 修复步骤:
1. **编辑 rsyslog 配置文件**
编辑 `/etc/rsyslog.conf` 文件,添加以下配置:
```
authpriv.* /var/log/secure
# 或者
# authpriv.info /var/log/secure
```
2. **创建并设置日志文件权限**
```bash
touch /var/log/secure
chmod 600 /var/log/secure
```
3. **重启 syslog 服务**
```bash
systemctl restart rsyslog
# 或者
# /etc/init.d/rsyslog restart
```
#### 检测方法:
- 检查 `/etc/rsyslog.conf` 文件中是否包含 authpriv 配置
- 验证 `/var/log/secure` 文件是否存在且权限为 600:`ls -la /var/log/secure`
---
### 问题七:用户目录默认访问权限设置
#### 修复步骤:
1. **备份配置文件**
```bash
cp /etc/profile /etc/profile.bak
```
2. **设置默认 umask 值**
编辑 `/etc/profile` 文件,在文件末尾添加:
```
umask 027
```
3. **使配置生效**
```bash
source /etc/profile
```
#### 检测方法:
- 检查 `/etc/profile` 文件中是否包含 `umask 027`
- 验证当前 umask 值:`umask`
---
### 问题八:设置口令过期前警告天数
#### 修复步骤:
1. **备份配置文件**
```bash
cp -p /etc/login.defs /etc/login.defs_bak
```
2. **修改密码过期警告天数**
编辑 `/etc/login.defs` 文件,设置:
```
PASS_WARN_AGE 7
```
#### 检测方法:
- 检查 `/etc/login.defs` 文件中 `PASS_WARN_AGE` 的值
---
### 问题九:密码复杂度策略配置
#### 修复步骤:
1. **备份配置文件**
```bash
cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
```
2. **编辑 PAM 配置文件**
编辑 `/etc/pam.d/system-auth` 文件,找到如下行:
```
password requisite pam_cracklib.so
```
修改为:
```
password requisite pam_cracklib.so try_first_pass retry=3 minlen=8 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1
```
此配置要求密码长度不小于8位,至少包含1位数字、大写字母、小写字母和特殊字符。
#### 检测方法:
- 检查 `/etc/pam.d/system-auth` 文件中是否包含上述复杂度规则
- 验证参数是否完整:`minlen=8 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1`
---
### 问题十:设置口令更改最小间隔天数
#### 修复步骤:
1. **备份配置文件**
```bash
cp -p /etc/login.defs /etc/login.defs_bak
```
2. **修改密码最短使用期限**
编辑 `/etc/login.defs` 文件,设置:
```
PASS_MIN_DAYS 7
```
#### 检测方法:
- 检查 `/etc/login.defs` 文件中 `PASS_MIN_DAYS` 的值
---
### 问题十一:设置口令生存周期
#### 修复步骤:
1. **备份配置文件**
```bash
cp -p /etc/login.defs /etc/login.defs_bak
```
2. **修改密码最长使用期限**
编辑 `/etc/login.defs` 文件,设置:
```
PASS_MAX_DAYS 90
```
#### 检测方法:
- 检查 `/etc/login.defs` 文件中 `PASS_MAX_DAYS` 的值
---
### 问题十二:重要目录及文件权限设置
#### 修复步骤:
1. **设置关键系统文件权限**
```bash
chmod 644 /etc/passwd
chmod 400 /etc/shadow
chmod 644 /etc/group
```
#### 检测方法:
- 检查各文件权限:`ls -la /etc/passwd /etc/shadow /etc/group`
- 验证权限是否为:`/etc/passwd` (644), `/etc/shadow` (400), `/etc/group` (644)
---
### 问题十三:账户认证失败次数限制
#### 修复步骤:
1. **备份配置文件**
```bash
cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth_bak
```
2. **编辑 PAM 配置文件**
编辑 `/etc/pam.d/system-auth` 文件,添加以下内容:
```
auth required pam_tally2.so deny=5 unlock_time=180 onerr=fail no_magic_root
account required pam_tally2.so
```
此配置表示认证失败5次后锁定账户180秒。
#### 检测方法:
- 检查 `/etc/pam.d/system-auth` 文件中是否包含上述配置
- 验证参数是否完整:`deny=5 unlock_time=180`
---
### 问题十四:历史命令数量限制
#### 修复步骤:
1. **编辑配置文件**
编辑 `/etc/profile` 文件,添加以下内容:
```
HISTFILESIZE=5 # 历史文件中保存的最大命令数
HISTSIZE=5 # 命令行中显示的历史命令数
```
2. **使配置生效**
```bash
source /etc/profile
```
#### 检测方法:
- 检查 `/etc/profile` 文件中是否包含 `HISTFILESIZE=5``HISTSIZE=5`
- 验证变量值:`echo $HISTFILESIZE``echo $HISTSIZE`
---
### 问题十五:密码重复使用次数限制
#### 修复步骤:
1. **备份配置文件**
```bash
cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth_bak
```
2. **创建旧密码存储文件**
```bash
touch /etc/security/opasswd
chown root:root /etc/security/opasswd
chmod 600 /etc/security/opasswd
```
3. **编辑 PAM 配置文件**
编辑 `/etc/pam.d/system-auth` 文件,找到如下行:
```
password sufficient pam_unix.so
```
修改为:
```
password sufficient pam_unix.so remember=5
```
此配置表示不能使用最近5次使用的密码。
#### 检测方法:
- 检查 `/etc/pam.d/system-auth` 文件中是否包含 `remember=5` 参数
- 验证 `/etc/security/opasswd` 文件是否存在且权限正确
---
### 问题十六:禁用 Ctrl+Alt+Delete 组合键
#### 修复步骤:
1. **禁用系统级的 Ctrl+Alt+Delete 服务**
```bash
systemctl mask ctrl-alt-del.target
```
或者直接删除链接文件:
```bash
rm -f /usr/lib/systemd/system/ctrl-alt-del.target
```
#### 检测方法:
- 检查服务状态:`systemctl is-enabled ctrl-alt-del.target` (应返回 "masked")
---
## 自动化脚本工具
### 检测脚本 (security_check.sh)
提供一个自动化检测脚本,可检查系统当前安全配置状态:
- 检查所有16个安全配置项的状态
- 输出详细日志到临时文件
- 提供彩色输出便于阅读
- 生成汇总报告,显示通过率和达标情况
- 打印每个检测项的实际配置内容,便于第三方验证
### 修复脚本 (security_fix.sh)
提供一个自动化修复脚本,可修复安全漏洞:
- 修复所有16个安全配置项
- 每次修改前自动创建备份文件
- 提供交互式菜单,可以选择完整修复或选择性修复
- 使用彩色输出区分不同类型的信息
- 包含确认机制防止误操作
- 修复完成后自动重启相关服务
---
## 总结
该文档涵盖了系统安全的各个方面,包括:
- SSH 安全配置
- 用户权限控制
- 密码策略设置
- 日志记录
- 命令历史限制
- 认证失败处理
建议在执行以上所有配置后重启系统以确保所有设置生效。
通过自动化脚本可以简化检测和修复过程,提高工作效率和准确性。
\ No newline at end of file