论坛徽章:: 0

电梯直达

1楼 [收藏(0)] [报告]

发表于 2006-11-07 10:10 |只看该作者 |倒序浏览

1.Remove /etc/hosts.equiv

2.Create /etc/ftpusers

lsuser -c ALL | grep -v ^#name | cut -f1 -d: | while read NAME; do
if [ `lsuser -f $NAME | grep id | cut -f2 -d=` -lt 200 ]; then
echo "Adding $NAME to /etc/ftpusers"
echo $NAME >> /etc/ftpusers.new
fi
done
sort -u /etc/ftpusers.new > /etc/ftpusers
rm /etc/ftpusers.new
chown root:system /etc/ftpusers
chmod 600 /etc/ftpusers

3.Disable XDMCP port

if [ ! -f /etc/dt/config/Xconfig ]; then
mkdir -p /etc/dt/config
cp /usr/dt/config/Xconfig /etc/dt/config
fi
cd /etc/dt/config
awk '/Dtlogin.requestPort:/ \
{ print "Dtlogin.requestPort: 0"; next } \
{ print }' Xconfig > Xconfig.new
mv Xconfig.new Xconfig
chown root:bin Xconfig
chmod 444 Xconfig

4.Prevent X Server from listening on port 6000/tcp

if [ -f /etc/dt/config/Xservers ]; then
file=/etc/dt/config/Xservers
else
file=/usr/dt/config/Xservers
fi
awk '/Xsun/ && !/^#/ && !/-nolisten tcp/ \
{ print $0 " -nolisten tcp"; next }; \
{ print }' $file > $file.new
mkdir -p /etc/dt/config
mv $file.new /etc/dt/config/Xservers
chown root:bin /etc/dt/config/Xservers
chmod 444 /etc/dt/config/Xservers

5.Set default locking screensaver timeout

for file in /usr/dt/config/*/sys.resources; do
dir=`dirname $file | sed -e s/usr/etc/`
mkdir -p $dir
echo 'dtsession*saverTimeout: 10' >> $dir/sys.resources
echo 'dtsession*lockTimeout: 10' >> $dir/sys.resources
done

6.Remove empty crontab files and restrict file permissions

cd /var/spool/cron/crontabs
for file in *; do
lines=`grep -Ev '^[ \t]*#' $file | wc -l | sed 's/
//g'`
if [ $lines -eq 0 ]; then
echo "Removing $file"
rm $file
fi
done
chgrp -R cron /var/spool/cron/crontabs
chmod -R o= /var/spool/cron/crontabs
chmod 770 /var/spool/cron/crontabs

7.Restrict at and cron to authorized users

cd /var/adm/cron
rm -f cron.deny at.deny
echo root > cron.allow
echo root > at.allow
ls /var/spool/cron/crontabs | grep -v root >> cron.allow
ls /var/spool/cron/atjobs | grep -v root >> at.allow
chown root:sys cron.allow at.allow
chmod 400 cron.allow at.allow
cat at.allow
cat cron.allow
cat at.deny cron.deny # this should fail

8.Restrict root logins to system console

chuser rlogin=false login=true su=true sugroups=system root

本文来自ChinaUnix博客，如果查看原文请点：http://blog.chinaunix.net/u/4031/showart_196582.html

文库|博客

返回列表

Chinaunix › 论坛 › 操作系统 › AIX › AIX文档中心 › AIX System Security:6.System access,authentication

[系统管理] AIX System Security:6.System access,authentication [复制链接]