CentOS 7: MLPS (等保) Level 3 hardening

Our company recently went through an MLPS Level 3 assessment and many items were found to be non-compliant. I am recording the modified configuration files below for next time.

Edit the password policy file
vim /etc/login.defs
Change the following values:

PASS_MAX_DAYS	90
PASS_MIN_DAYS	2
PASS_MIN_LEN	8
PASS_WARN_AGE	7

Set password aging for root with chage (the same limits are then applied to the regular user centuser)
chage -M 90 root
chage -m 2 root
chage -W 7 root

chage -M 90 centuser
chage -m 2 centuser
chage -W 7 centuser

Delete unnecessary accounts:
(Many of these are system accounts that installed packages own files under, so confirm that nothing on the host still depends on an account before removing it.)
userdel uucp
userdel nuucp
userdel lp
userdel adm
userdel sync
userdel shutdown
userdel halt
userdel news
userdel operator
userdel gopher
userdel bin
userdel mail
userdel games
userdel ftp
userdel vcsa
userdel abrt
userdel ntp
userdel saslauth
userdel tcpdump

Log file permissions must not be more permissive than 640; set the log files to 640
chmod 640 /var/log/messages
chmod 640 /var/log/secure
chmod 640 /var/log/audit/audit.log

Add an audit account
useradd audit
usermod -G audit audit

Add audit rules

Edit audit.rules:
vim /etc/audit/rules.d/audit.rules


# Syscall rules ("exit,always" is accepted by auditctl as a synonym of "always,exit");
# they cover the 64-bit ABI only, so 32-bit programs would need matching -F arch=b32 rules
-a exit,always -F arch=b64 -S umask -S chown -S chmod
-a exit,always -F arch=b64 -S unlink -S rmdir
-a exit,always -F arch=b64 -S setrlimit
-a exit,always -F arch=b64 -S setuid -S setreuid
-a exit,always -F arch=b64 -S setgid -S setregid
-a exit,always -F arch=b64 -S sethostname -S setdomainname
-a exit,always -F arch=b64 -S adjtimex -S settimeofday
-a exit,always -F arch=b64 -S mount -S _sysctl

# File watches: -p wa records writes and attribute changes to the account and privilege files
-w /etc/group -p wa
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/sudoers -p wa

-w /etc/ssh/sshd_config

# Shell start-up and system configuration files
-w /etc/bashrc -p wa
-w /etc/profile -p wa
-w /etc/profile.d/
-w /etc/aliases -p wa
-w /etc/sysctl.conf -p wa

-w /var/log/lastlog

# Disable adding any additional rules - note that adding *new* rules will require a reboot
# (the flag that actually locks the configuration, -e 2, is not set in this file)

Give /var/log to the audit account, then return /var/log/audit to root (note that the recursive chown also changes the ownership of subdirectories that other services write their own logs to, which can stop them logging)
chown audit:audit -R /var/log
chown root:root -R /var/log/audit

Disable root login over SSH (sshd must be restarted for the change to take effect)
vim /etc/ssh/sshd_config
PermitRootLogin no

Forward logs to the log server
vim  /etc/rsyslog.conf
*.info;mail.none;news.none;authpriv.none;cron.none /var/log/messages
# @@host:port forwards over TCP, @host:port over UDP; keep one of the two lines, otherwise every message is sent twice
*.* @@172.16.x.xx:514
*.* @172.16.x.xx:514

Login failure handling
vim /etc/pam.d/system-auth
Add the following at the top of the auth section (before pam_unix.so), so that every failed attempt is counted:
auth        required      pam_tally2.so onerr=fail deny=5 unlock_time=300
pam_tally2 only resets the failure counter from its account module after a successful login, so the account section also needs:
account     required      pam_tally2.so
Add the following to the password section:
password    requisite     pam_cracklib.so minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1
On CentOS 7, SSH logins use /etc/pam.d/password-auth, which needs the same lines, and running authconfig regenerates both files and discards manual edits.

Idle session timeout (10 minutes)
vim  /etc/profile
export TMOUT=600

Restart the related logging and audit services
service rsyslog restart
service auditd restart
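As an added example that is not part of the original post, the script below checks the main settings from this list read-only, so the hardening can be verified before a re-assessment. It assumes GNU coreutils stat and awk as shipped with CentOS 7 and the file paths used in the post; the function names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: read-only checks for the settings above.
# Each checker takes the file to inspect as an argument; check_system() runs them on the live paths.
# 0 if KEY in a login.defs-style file is set to exactly VALUE (comment lines start with #).
login_defs_is() {   # file key value
    awk -v k="$2" -v v="$3" '$1 == k { found = 1; ok = ($2 == v) }
                             END { exit !(found && ok) }' "$1"
}

# 0 if the file's mode has no permission bit outside the given octal limit (e.g. 640).
mode_at_most() {    # file max_octal
    mode=$(stat -c %a "$1") || return 1
    [ $(( 0$mode & ~0$2 )) -eq 0 ]
}

# 0 if the effective (last uncommented) PermitRootLogin in an sshd_config is "no".
root_login_disabled() {  # sshd_config
    awk 'tolower($1) == "permitrootlogin" { v = tolower($2) } END { exit v != "no" }' "$1"
}

# 0 if the rules file watches PATH; a -p value, when present, must include w and a
# (a -w line without -p is accepted because the post itself uses that form).
audit_watch_present() {  # rules_file path
    awk -v p="$2" '$1 == "-w" && $2 == p { ok = 1
                       for (i = 3; i <= NF; i++) if ($i == "-p") ok = ($(i+1) ~ /w/ && $(i+1) ~ /a/) }
                   END { exit !ok }' "$1"
}

# 0 if pam_tally2 is in the auth stack with a deny count, as in the post.
tally2_configured() {  # pam_file
    grep -Eq '^auth[[:space:]]+required[[:space:]]+pam_tally2\.so.*deny=[0-9]+' "$1"
}

# Apply the checks to the live system; prints one line per failure and returns 1 if any fail.
check_system() {
    rc=0
    for kv in PASS_MAX_DAYS=90 PASS_MIN_DAYS=2 PASS_MIN_LEN=8 PASS_WARN_AGE=7; do
        login_defs_is /etc/login.defs "${kv%=*}" "${kv#*=}" || { echo "FAIL login.defs $kv"; rc=1; }
    done
    for f in /var/log/messages /var/log/secure /var/log/audit/audit.log; do
        mode_at_most "$f" 640 || { echo "FAIL mode $f"; rc=1; }
    done
    root_login_disabled /etc/ssh/sshd_config || { echo "FAIL PermitRootLogin"; rc=1; }
    for p in /etc/passwd /etc/shadow /etc/group /etc/sudoers; do
        audit_watch_present /etc/audit/rules.d/audit.rules "$p" || { echo "FAIL audit watch $p"; rc=1; }
    done
    tally2_configured /etc/pam.d/system-auth || { echo "FAIL pam_tally2"; rc=1; }
    return $rc
}
```

Run it as root after the changes above (`sh check.sh && echo OK`); each failing item is printed once, and the exit status is non-zero if anything is still non-compliant.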
