
CentOS/Rocky 8 보안 취약점 기본 조치 스크립트

Lawmin 2024. 11. 13. 00:52

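#!/usr/bin/env bash
# Basic security hardening for CentOS/Rocky 8.
#
# Usage: run as root:  bash harden.sh
#
# Each numbered step is a function so one step can be skipped by editing
# main(); every step is written to be safe to re-run (no duplicated
# config lines, no failure on an account or file that is already gone).
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

#######################################
# Set KEY = VALUE in a "key = value" style config file.
# Replaces an active "KEY = ..." line if one exists, otherwise appends the
# setting right after the shipped commented default "# KEY = ..." line,
# and as a last resort appends it at the end of the file.
# Arguments: $1 - file, $2 - key, $3 - value
#######################################
set_conf_value() {
  local conf=$1 key=$2 value=$3
  if grep -q "^${key}\s*=" "$conf"; then
    sed -i "s/^${key}\s*=.*/${key} = ${value}/" "$conf"
  elif grep -q "^# ${key} = " "$conf"; then
    sed -i "/^# ${key} = /a ${key} = ${value}" "$conf"
  else
    printf '%s = %s\n' "$key" "$value" >> "$conf"
  fi
}

#######################################
# 1. pwquality: minimum length 8 and at least one digit, upper-case,
#    lower-case and other character. The settings are prepended once;
#    the rest of the shipped file is kept.
# NOTE(review): this relies on the shipped file carrying only commented
#    defaults; if a value is already set uncommented further down in the
#    file it may still take precedence - confirm on the target host.
#######################################
set_pwquality() {
  local conf=/etc/security/pwquality.conf
  local original
  [[ -f "$conf" ]] || die "missing $conf"
  # Already applied by an earlier run: do not prepend a second copy.
  grep -q '^minlen = 8$' "$conf" && return 0
  original=$(cat -- "$conf") || die "cannot read $conf"
  # Rewrite in place (no mv/rm) so the file keeps its owner and mode.
  printf '%s\n' 'minlen = 8' 'dcredit = -1' 'ucredit = -1' \
    'lcredit = -1' 'ocredit = -1' '' "$original" > "$conf"
}

#######################################
# 2. faillock: lock an account for 10 minutes after 10 failed logins.
#    `authselect select --force` discards any local edits to the PAM
#    stack; sssd is the stock profile on Rocky/CentOS 8, but check
#    `authselect current` first on a host whose PAM setup was customised.
#    unlock_time is set explicitly so the 10-minute lockout does not
#    depend on the compiled-in default.
#######################################
set_faillock() {
  local conf=/etc/security/faillock.conf
  authselect select sssd --force
  authselect enable-feature with-faillock
  [[ -f "$conf" ]] || die "missing $conf"
  set_conf_value "$conf" deny 10
  set_conf_value "$conf" unlock_time 600
}

#######################################
# 3. su: only members of wheel may su to root (pam_wheel), and the su
#    binary itself is only executable by root and wheel.
# NOTE(review): the chgrp/chmod on /usr/bin/su diverges from the package
#    payload, so `rpm -V util-linux` will report it and a package update
#    may restore the original mode - re-run this step after updates.
#######################################
set_su_wheel() {
  local su=/usr/bin/su
  sed -i 's/^#auth\s\+required\s\+pam_wheel.so\s\+use_uid/auth            required        pam_wheel.so use_uid/' /etc/pam.d/su
  chgrp wheel -- "$su"
  chmod 4750 -- "$su"
}

#######################################
# 4. Password aging defaults in login.defs: max 90 days, min 1 day,
#    min length 8. Matches whatever value is currently set rather than
#    only the shipped default, so the policy is enforced on re-runs too.
# NOTE(review): login.defs is read when an account is created; existing
#    accounts presumably need `chage` - confirm and apply separately.
#######################################
set_password_aging() {
  local defs=/etc/login.defs
  [[ -f "$defs" ]] || die "missing $defs"
  sed -i \
    -e 's/^PASS_MAX_DAYS\s\+.*/PASS_MAX_DAYS   90/' \
    -e 's/^PASS_MIN_DAYS\s\+.*/PASS_MIN_DAYS   1/' \
    -e 's/^PASS_MIN_LEN\s\+.*/PASS_MIN_LEN    8/' \
    "$defs"
}

#######################################
# 5. Remove unneeded system accounts. Skips accounts that are already
#    absent instead of failing. Home directories are left in place, as
#    before (userdel without -r).
#######################################
remove_unused_accounts() {
  local account
  for account in lp ftp; do
    if getent passwd "$account" >/dev/null; then
      userdel "$account"
    fi
  done
}

#######################################
# 6. Idle session timeout of 600 s. TMOUT is also made read-only so a
#    user cannot simply `unset TMOUT` in the login shell to defeat it.
#######################################
set_session_timeout() {
  local profile=/etc/profile
  grep -q '^readonly TMOUT$' "$profile" && return 0
  printf '%s\n' 'export TMOUT=600' 'readonly TMOUT' >> "$profile"
}

#######################################
# 7. rsyslog configuration readable only by owner and group.
#######################################
restrict_rsyslog_conf() {
  chmod 640 /etc/rsyslog.conf
}

#######################################
# 8. Drop setuid/setgid bits from binaries the author considers
#    unnecessary. Missing files are skipped.
# NOTE(review): without the setuid bit these commands work for root only;
#    unix_chkpwd is the helper that checks passwords for non-root callers
#    (screen lockers and the like) - confirm nothing on the host needs it.
#######################################
strip_setid_bits() {
  local bin
  for bin in /usr/bin/newgrp /sbin/unix_chkpwd /usr/bin/at; do
    [[ -e "$bin" ]] || continue
    chmod -s -- "$bin"
  done
}

#######################################
# 9. Login banners for local and ssh logins, then reload sshd.
#    sshd_config is validated with `sshd -t` before the reload so a typo
#    in the file is caught here rather than at the next ssh connection.
#######################################
set_login_banners() {
  local sshd_conf=/etc/ssh/sshd_config
  printf '%s\n' 'Authorized users only.' > /etc/issue
  printf '%s\n' 'Authorized users only.' > /etc/issue.net
  printf '%s\n' 'All activities on this system are logged.' > /etc/motd
  sed -i \
    -e 's/^#Banner none/Banner \/etc\/issue.net/' \
    -e 's/^#PrintMotd/PrintMotd/' \
    "$sshd_conf"
  sshd -t || die "sshd_config failed validation; not reloading sshd"
  systemctl reload sshd
}

main() {
  (( EUID == 0 )) || die "this script must be run as root"
  set_pwquality
  set_faillock
  set_su_wheel
  set_password_aging
  remove_unused_accounts
  set_session_timeout
  restrict_rsyslog_conf
  strip_setid_bits
  set_login_banners
  # 10. Block ssh root login. Must be configured only after a regular
  #     user has been added to the wheel group.
  #usermod -aG wheel <username>
  #sed -i 's/PermitRootLogin\s\+yes/PermitRootLogin no/' /etc/ssh/sshd_config
  #systemctl reload sshd
}

main "$@"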