1.Block system accounts
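# Disable both local (login) and remote (rlogin) interactive logins for
# service accounts that should never own a shell session.
# The word list is continued with a backslash: in sh a bare newline after
# "for ... in <words>" ends the list, so the wrapped original was a syntax
# error ("nobody lpd sshd; do" on its own line).
for user in daemon bin sys adm uucp nuucp printq guest \
  nobody lpd sshd; do
  chuser rlogin=false login=false "$user"
done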
2.Set password and account expiration on active accounts
# Set the default password-policy attributes in the "default" stanza of
# /etc/security/user. maxage is in weeks, pwdwarntime in days.
# minlen=6 is the baseline this page uses; it is short by current
# password-length guidance and may be raised by the site policy.
for attr in maxage=13 minlen=6 minage=1 pwdwarntime=28; do
  chsec -f /etc/security/user -s default -a "$attr"
done
3.Verify there are no accounts with empty password fields
# Report accounts with empty or otherwise invalid password fields.
# -n only reports; it does not change the password database.
pwdck -n ALL
4.Verify no legacy '+' entries exist in the passwd and group files
# Report legacy NIS-style "+:" entries in either file. Any hit should be
# reviewed and removed by hand; the line is only a check, not a fix.
grep '^+:' /etc/passwd /etc/group
5.Verify no UID 0 accounts exist other than root
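# List accounts with UID 0 other than root. "lsuser -a id ALL" prints
# "name id=N"; the original 'grep "id=0"' was a substring match and also
# reported root itself, so compare the whole field and exclude root.
lsuser -a id ALL | awk '$2 == "id=0" && $1 != "root" { print $1 }'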
6.No '.' or group/world-writable directory in root's $PATH
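# Flag '.' or an empty element (leading, trailing or doubled colon) in
# PATH; any output means the current directory is searched.
printf '%s\n' "$PATH" | grep -E '(^|:)(\.|:|$)'
# The heading also asks for group/world-writable PATH directories, which
# the original did not check. Split PATH on ':' and inspect the mode
# string from ls -ld (group write is column 6, other write is column 9).
# Symlinked entries show as "l..." and are not examined here.
old_ifs=$IFS
IFS=:
for dir in $PATH; do
  [ -d "$dir" ] || continue
  case $(ls -ld "$dir") in
    d????w*|d???????w*) printf 'writable PATH entry: %s\n' "$dir" ;;
  esac
done
IFS=$old_ifs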
7.User home directories should be mode 750 or more restrictive
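# Restrict existing home directories of ordinary users and make
# mkuser.sys apply the same mode to newly created homes.
NEW_PERMS=750
# One lsuser call for all users instead of one per user. Attributes are
# returned in the order requested: "name id=N home=/path".
# The original stored the directory in HOME, clobbering the shell's own
# HOME variable for the rest of the run; use a private name instead.
lsuser -a id home ALL | while read -r name id_attr home_attr; do
  uid=${id_attr#id=}
  homedir=${home_attr#home=}
  # Skip a missing or non-numeric UID so the -ge test cannot fail.
  case $uid in
    ''|*[!0-9]*) continue ;;
  esac
  # UIDs below 200 are treated as system accounts, as in the original.
  if [ "$uid" -ge 200 ] && [ -d "$homedir" ]; then
    echo "Changing $name homedir $homedir"
    chmod "$NEW_PERMS" "$homedir"
  fi
done
# Patch mkuser.sys so new home directories get NEW_PERMS as well.
# The "$1" is mkuser.sys's own argument and must stay literal: the
# original had it inside double quotes, where it expanded to this
# script's first argument (normally empty), so the grep never matched
# the intended line. -F makes the search a fixed-string match.
MKUSER_SYS=/usr/lib/security/mkuser.sys
if [ "$(grep -c -F "chmod $NEW_PERMS "'$1' "$MKUSER_SYS")" -eq 0 ]; then
  # Write the edited copy next to the original (a root-owned directory)
  # rather than to a predictable name in world-writable /tmp, and only
  # replace the file if sed succeeded.
  tmp="$MKUSER_SYS.tmp.$$"
  if sed -e "s/mkdir \$1/mkdir \$1 \&\& chmod $NEW_PERMS \$1/g" \
    "$MKUSER_SYS" > "$tmp"; then
    mv "$tmp" "$MKUSER_SYS"
    chmod 750 "$MKUSER_SYS"
  else
    rm -f "$tmp"
  fi
fi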
8.No user dot-files should be world-writable
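# Remove group/other write permission from regular files directly in
# each user's home directory, dot-files included. The original tested
# "-f $FILE" on the bare name from ls, i.e. relative to the current
# directory rather than the home directory, so it rarely matched, and
# its grep -Ev "^.$|^..$" used unescaped dots that also skipped every
# one- and two-character filename.
lsuser -a home ALL | cut -f2 -d= | while read -r homedir; do
  echo "Examining $homedir"
  if [ -d "$homedir" ]; then
    # Globs instead of parsing ls; the two dot patterns cover dot-files
    # but not "." and "..". An unmatched pattern stays literal and fails
    # the -f test. Symlinks are skipped so a user-placed link cannot
    # redirect the chmod to a file outside the home directory.
    for file in "$homedir"/* "$homedir"/.[!.]* "$homedir"/..?*; do
      if [ -f "$file" ] && [ ! -L "$file" ]; then
        echo "Adjusting $file"
        chmod go-w "$file"
      fi
    done
  else
    echo "No home dir for $homedir"
  fi
done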
9.Remove user .netrc and .rhosts files
10.Set Default umask for users
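# Set a restrictive default umask on every account. "lsuser -a home ALL"
# prints "name home=/path"; only the first field (the name) is used.
# read -r keeps backslashes literal; the name is quoted when passed on.
lsuser -a home ALL | awk '{print $1}' | while read -r user; do
  chuser umask=077 "$user"
done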
11.Set default umask for the FTP daemon
# Change the inetd ftp subserver so ftpd starts with -u077 (umask for
# files created through FTP) and -l (log each session), then tell inetd
# to re-read its configuration so the new definition takes effect.
chsubserver -c -v ftp -p tcp "ftpd -l -u077"
refresh -s inetd
12.Set "mesg n" as the default for all users
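# Append "mesg n" to the system-wide login scripts for sh- and csh-style
# shells, but only if the line is not already present, so re-running this
# step does not add a duplicate each time. grep's stderr is silenced for
# the case where the file does not exist yet; >> then creates it as the
# original did.
for rc in /etc/profile /etc/csh.login; do
  if ! grep -q '^mesg n$' "$rc" 2>/dev/null; then
    echo "mesg n" >> "$rc"
  fi
done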
13.Remove unnecessary default user accounts
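# Remove users
# Delete the unneeded default accounts together with their private
# groups. rmuser -p also removes the account's authentication data.
# The original ran a second loop that removed uucp and printq again;
# it could only fail, because the first loop had already removed those
# groups, so both passes are merged here.
LIST="uucp nuucp lpd guest printq"
for name in $LIST; do
  # Check existence first so a re-run of this step stays quiet.
  if lsuser "$name" >/dev/null 2>&1; then
    rmuser -p "$name"
  fi
  # Remove groups
  if lsgroup "$name" >/dev/null 2>&1; then
    rmgroup "$name"
  fi
done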