1.检查是否使用PAM认证模块禁止wheel组之外的用户su为root
vim /etc/pam.d/su
#%PAM-1.0
auth required pam_env.so
auth sufficient pam_rootok.so
auth required pam_wheel.so group=wheel
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
#auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
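# Put root in the wheel group that pam_wheel.so (group=wheel above) checks.
# -a appends to the account's supplementary groups; a bare -G would replace
# every supplementary group root already has with just "wheel".
usermod -aG wheel root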
2.检查重要目录或文件权限设置
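# /etc/security is a directory (it holds pwquality.conf, referenced later in
# this checklist). A directory needs the search (x) bit; 644 would remove it,
# so unprivileged processes could no longer open the files inside. 755 is the
# conventional mode for the directory itself.
chmod 755 /etc/security
# Boot-loader configuration must not be world-readable (on grub2 systems
# /etc/grub2.cfg is usually a link to the /boot copy; chmod follows it).
chmod 600 /etc/grub2.cfg
chmod 600 /boot/grub2/grub.cfg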
3.检查是否修改snmp默认团体字 (如安装了snmp相关工具)
vim /etc/snmp/snmpd.conf
修改默认community public为其他值
4.检查用户umask设置,设置 umask 022
vim /etc/csh.cshrc
vim /etc/csh.login
vim /etc/profile
5.是否设置ssh登录前警告Banner
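# Pre-authentication warning banner for SSH.
banner=/etc/ssh_banner
# The redirection creates the file, so a separate touch is not needed.
printf '%s\n' " Authorized only. All activity will be monitored and reported " > "$banner"
# Root-owned and world-readable: sshd reads it before authentication, and no
# unprivileged account should be able to change the text that is displayed
# (the widely copied snippet uses bin:bin; root:root is the stricter choice).
chown root:root "$banner"
chmod 644 "$banner"
# Point sshd at the banner. Replace an existing Banner directive instead of
# appending a second one, because sshd honours the first occurrence of a
# keyword (keywords are case-insensitive, hence the I flag).
# NOTE(review): a drop-in under /etc/ssh/sshd_config.d/ that is Included
# earlier would still win over this line — confirm on the target hosts.
if grep -qi '^[[:space:]]*Banner[[:space:]]' /etc/ssh/sshd_config; then
  sed -i "s|^[[:space:]]*Banner[[:space:]].*|Banner $banner|I" /etc/ssh/sshd_config
else
  printf 'Banner %s\n' "$banner" >> /etc/ssh/sshd_config
fi
# Validate the configuration before restarting: restarting sshd with a broken
# sshd_config drops remote access to the host.
sshd -t && systemctl restart sshd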
6.检查别名文件/etc/aliases(或/etc/mail/aliases)配置，删除或注释掉下面的行
vim /etc/aliases
vim /etc/mail/aliases
#games: root
#ingres: root
#system: root
#toor: root
#uucp: root
#manager: root
#dumper: root
#operator: root
#decode: root
#root: marc
补充操作说明
更新后运行/usr/bin/newaliases,使改变生效
7.检查设备密码复杂度策略
vim /etc/pam.d/system-auth中应当使用pam_pwquality.so
# NOTE(review): the header below states that this file is generated by
# authselect and must not be edited by hand; an in-place edit is presumably
# overwritten the next time authselect applies its profile, so the pwquality
# and faillock settings should be applied through authselect (a custom profile
# or its feature flags) rather than with vim — confirm on the target host.
# Generated by authselect on Mon Sep 4 07:59:35 2023
# Do not modify this file manually.
auth required pam_env.so
# 2 000 000 microseconds = 2 s delay after a failed attempt (slows guessing).
auth required pam_faildelay.so delay=2000000
# Lockout policy: 5 failures, unlock after 600 s, root is locked out as well.
auth required pam_faillock.so preauth audit deny=5 even_deny_root unlock_time=600
-auth sufficient pam_fprintd.so
auth sufficient pam_fprintd.so
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth [default=1 ignore=ignore success=ok] pam_localuser.so
# NOTE(review): nullok lets an account whose password field is empty
# authenticate without a password; a password-policy baseline normally removes
# it here and on the pam_unix password line further down.
auth sufficient pam_unix.so nullok try_first_pass
-auth sufficient pam_sss.so use_first_pass
auth [default=1 ignore=ignore success=ok] pam_usertype.so isregular
auth sufficient pam_sss.so forward_pass
auth [default=die] pam_faillock.so authfail audit deny=5 even_deny_root unlock_time=600
auth required pam_deny.so
auth sufficient pam_faillock.so authsucc audit deny=5 even_deny_root unlock_time=600
account required pam_faillock.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_usertype.so issystem
account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
# Complexity policy enforced at password change: minimum length 8 and at least
# one upper-case, lower-case, digit and other character (a negative credit is
# a minimum count). minclass is taken from /etc/security/pwquality.conf.
password requisite pam_pwquality.so local_users_only ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 minlen=8
# remember=5: the last 5 password hashes are retained so they cannot be reused.
password sufficient pam_unix.so sha512 shadow nullok use_authtok remember=5
password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
session optional pam_sss.so
vim /etc/security/pwquality.conf中minclass不小于3
8.检查口令最小长度(实际无作用,仅用于检查合规)
vim /etc/login.defs
PASS_MIN_LEN 8
9.polkit安全配置
# 0755 clears the set-user-ID bit that pkexec normally carries (4755). That
# removes the privilege-elevation path the binary provides, which is the point
# of the control when polkit cannot be updated, but it also breaks any
# legitimate use of pkexec that needs elevation. Prefer a patched polkit
# package where one is available — TODO confirm this is intended on the
# target hosts.
chmod 0755 /usr/bin/pkexec
10.检查是否配置远程日志功能
vim /etc/rsyslog.conf
*.info @syslog-ip
（单个 @ 为 UDP 转发，@@ 为 TCP 转发）
11.检查是否使用NTP(网络时间协议)保持时间同步
vim /etc/chrony.conf
server svrip iburst
12.检查是否设置命令行界面超时退出
vim /etc/profile
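# Idle shell timeout in seconds. A plain "export TMOUT=900" can be undone by
# the user with "unset TMOUT" or by assigning a larger value in their own
# session; marking it read-only makes the control stick. Export it so that
# child shells inherit the value.
TMOUT=900
readonly TMOUT
export TMOUT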