nproc是操作系统级别对每个用户创建的进程数的限制,在Linux下运行多线程时,每个线程的实现其实是一个轻量级的进程,对应的术语是:light weight process(LWP)。
系统初始化
| 点击这里 | 点击这里 |
|---|---|
| 目录 | 系统初始化安全加固1. 系统帐号设置3. 系统安全设置3. 允许办公室IP和内网IP使用ssh登录4. ssh设置5 文件权限6 口令策略Custom profile7 系统参数设置8 日志设置性能优化1. 精简系统服务2. 内核参数优化3. 磁盘优化4. 设置时间同步5. 本地yum源* 基础yum源基础组件系统特性1. 服务管理2. kvm模块加载检测3. docker初始化系统驱动统一格式规范1. HOSTNAME2. history格式修改3. 系统空闲时间4. 添加初始化记录文件其它配置1. 禁止内核更新2. 其它配置3. 自动补全如何实施1. 加入到kickstart2. 服务器(比如模版)上手动执行脚本TODO展开 |
安全加固
1. 系统帐号设置
• 删除不必要系统的用户
1. UserDel="
2. adm
3. lp
4. sync
5. shutdown
6. halt
7. news
8. uucp
9. operator
10. games
11. gopher
12. ftp
13. "
14. for u in ${UserDel}
15. do
16. userdel ${u}
17. done
• 删除不必要的系统用户组
1. GroupDel="
2. adm
3. lp
4. news
5. uucp
6. games
7. dip
8. pppusers
9. "
10.
11. for g in ${GroupDel}
12. do
13. groupdel ${g}
14. done
• Root用户的环境变量中不能含有可执行本地目录执行操作的“点命令”
1. ###2.标准化系统账号
2. useradd kyapp
3. echo 'ky123456' | passwd --stdin kyapp
4. echo 'Ct@2018.com' | passwd --stdin root
3. 系统安全设置
• 关闭ctrl+alt+del
1. sed -i "s/ca::ctrlaltdel:/sbin/shutdown -t3 -r now/#ca::ctrlaltdel:/sbin/shutdown -t3 -r now/" /etc/inittab
2. sed -i 's/^id:5:initdefault:/id:3:initdefault:/' /etc/inittab
• 关闭SELinux
1. setenforce 0
2. sed -i '/SELINUX/s/enforcing/disabled/' /etc/selinux/config
• 登录提示,邮箱为安全部的邮箱
1. cat > /etc/motd << EOF
2. **************************************************************************"
3. * *"
4. *Attention: Auditing process will report your every action! *"
5. *Warning: Don't delete any files in directory ${LOGDIR}!! *"
6. * *"
7. * --KYE-Express COMPANY OF CHINA,LTD. *"
8. **************************************************************************"
9. EOF
• 防火墙设置
1. centos默认不开启防火墙,通过安全组控制
• 登录超时设置
1. cat > /etc/profile << EOF
2. TMOUT = 1800
3. readonly TMOUT
4. export TMOUT
5. EOF
3. 允许办公室IP和内网IP使用ssh登录
改到安全组控制
4. ssh设置
• 关闭DNS解析
1. sed -i 's/^GSSAPIAuthentication yes$/GSSAPIAuthentication no/' /etc/ssh/sshd_config
2. sed -i 's/#UseDNS yes/UseDNS no/' /etc/ssh/sshd_config
3. sed -i 's/#PermitEmptyPasswords no/PermitEmptyPasswords no/' /etc/ssh/sshd_config
• 限制root用户远程直接登录系统(待考虑)
1. grep "PemitRootLogin no"/etc/ssh/sshd_conig || echo "PemitRootLogin no" >> /etc/ssh/sshd_config
2.
3. service sshd restart
5 文件权限
• 系统敏感文件权限设置
1. chmod 644 /etc/passwd
2. chmod 644 /etc/group
3. chmod 400 /etc/shadow
4. chmod 400 /etc/gshadow
5. echo "Set important files privileges sucessfully"
• 系统日志属性配置要求
1. chmod -R www.www /var/log/*
6 口令策略
• 口令最短长度:8个字符
1. sed -i 's/'^PASS_MIN_LEN 5'/'PASS_MIN_LEN 8'/g' /etc/login.defs
• 口令历史:修改密码不得使用最近5次的密码
1. sed -i 's/use_authtok/use_authtok remember=5/' /etc/pam.d/system-auth
• 口令复杂度:大写/小写字母、数字、特殊符号任选3种组合
1. sed -i 's/authtok_type=/authtok_type= minclass=3/' /etc/pam.d/system-auth
Custom profile
1. cat > /etc/profile.d/oneinstack.sh << EOF
2. HISTSIZE=10000
3. PS1="[e[37;40m][[e[32;40m]u[e[37;40m]@h [e[35;40m]W[e[0m]]\\$ "
4. HISTTIMEFORMAT="%F %T $(whoami) "
5.
6. alias l='ls -AFhlt'
7. alias lh='l | head'
8. alias vi=vim
9.
10. GREP_OPTIONS="--color=auto"
11. alias grep='grep --color'
12. alias egrep='egrep --color'
13. alias fgrep='fgrep --color'
14. EOF
15.
16. [ -z "$(grep ^'PROMPT_COMMAND=' /etc/bashrc)" ] && cat >> /etc/bashrc << EOF
17. PROMPT_COMMAND='{ msg=$(history 1 | { read x y; echo $y; });logger "[euid=$(whoami)]":$(who am i):[\`pw
18. d\`]"$msg"; }'
19. EOF
7 系统参数设置
•
使用console登录模式
systemctl set-default multi-user.target
•
echo "umask 027" >> /etc/profile
8 日志设置
• 开启安全日志记录功能
1. /etc/rsyslog.conf:authpriv.* /var/log/secure
性能优化
1. 精简系统服务
1. 关闭不重要的服务
1. StopServiceList="
2. abrt-ccpp
3. abrtd
4. acpid
5. agentwatch
6. atd
7. auditd
8. blk-availability
9. cpuspeed
10. haldaemon
11. ip6tables
12. lvm2-monitor
13. mdmonitor
14. messagebus
15. netconsole
16. netfs
17. nscd
18. ntpd
19. ntpdate
20. postfix
21. psacct
22. quota_nld
23. rdisc
24. restorecond
25. rngd
26. saslauthd
27. smartd
28. snmptrapd
29. svnserve
30. psacct
31. NetworkManager
32. telnet
33. vsftpd
34. wu-ftpd
35. sendmail
36. tftp
37. "
38. osrelease=`cat /etc/redhat-release | grep -oE '[0-9]+.[0-9]+' |awk -F'.' '{print $1}'`
39. for s in ${StopServerList}
40. do
41. if [ $osrelease == 6 ];then
42. chkconfig --level 3 ${s} off > /dev/null 2>&1
43. else
44. systemctl disable ${s} > /dev/null 2>&1
45. done
1. 需要开启的服务
1. StartServiceList="
2. irqbalance
3. kdump
4. udev-post
5. "
6. osrelease=`cat /etc/redhat-release | grep -oE '[0-9]+.[0-9]+' |awk -F'.' '{print $1}'`
7. for s in ${StartServerList}
8. do
9. if [ $osrelease == 6 ];then
10. chkconfig --level 3 ${s} on > /dev/null 2>&1
11. else
12. systemctl enable ${s} > /dev/null 2>&1
13. fi
14. done
1. 部分服务说明
• netconsole 是一个通过网络发送所有内核日志消息(即dmesg)到另一台计算机的内核模块,且无需用户空间(如syslogd的)。
• psacctlinux系统审计服务,用于监视进程活动的几项功能
2. 内核参数优化
• 内核参数
1. {
2. cat <<'XIAONIU66'
3. net.core.netdev_max_backlog = 32768
4. net.core.wmem_default = 8388608
5. net.core.rmem_default = 8388608
6. net.core.rmem_max = 16777216
7. net.core.wmem_max = 16777216
8. net.core.somaxconn = 65535
9. net.ipv4.tcp_max_tw_buckets = 60000
10. net.ipv4.tcp_rmem = 4096 87380 4194304
11. net.ipv4.tcp_wmem = 4096 16384 4194304
12. net.ipv4.tcp_max_orphans = 3276800
13. net.ipv4.tcp_max_syn_backlog = 262144
14. net.ipv4.tcp_timestamps = 0
15. net.ipv4.tcp_synack_retries = 1
16. net.ipv4.tcp_syn_retries = 1
17. net.ipv4.tcp_tw_reuse = 1
18. net.ipv4.tcp_mem = 94500000 915000000 927000000
19. net.ipv4.ip_local_port_range = 1024 65535
20. net.nf_conntrack_max = 2621400
21. vm.max_map_count = 100000
22. kernel.pid_max = 100000
23. vm.max_map_count = 200000
24. vm.swappiness = 5
25. XIAONIU66
26. } >> /etc/sysctl.conf
3. 磁盘优化
• 格式化挂载 /dev/[vdb|xvdb] - ext4
1. DiskList=`fdisk -l|grep -E '/dev/vdb|/dev/xvdb'`
2. DiskNum=`echo ${DiskList} | wc -l`
3. MountList=`mount |grep -E 'vdb|xvdb' | wc -l`
4.
5. if [ ${MountList} -eq 0 ];then
6. if [ ${DiskNum} -eq 1 ];then
7. Disk=`echo ${DiskList} | awk '{print $2}' |sed 's/://'`
8. mkfs.ext4 ${Disk}
9. Fstab=`grep "${Disk}" /etc/fstab | wc -l`
10. if [ ${Fstab} -eq 0 ];then
11. echo "${Disk} /data ext4 defaults,noatime 0 0" >> /etc/fstab
12. [ -d /data ] || mkdir -p /data
13. else
14. echo "${Disk} is added /etc/fstab !!!"
15. fi
16. else
17. echo "/dev/[vdb|xvdb] is fdisked !!!"
18. fi
19. else
20. echo "/dev/[vdb|xvdb] is mounted !!!"
21. fi
• 格式化挂载 /dev/[vdb|xvdb] - xfs
1. DiskList=`fdisk -l|grep -E '/dev/vdb|/dev/xvdb'`
2. DiskNum=`echo ${DiskList} | wc -l`
3. MountList=`mount |grep -E 'vdb|xvdb' | wc -l`
4.
5. if [ ${MountList} -eq 0 ];then
6. if [ ${DiskNum} -eq 1 ];then
7. Disk=`echo ${DiskList} | awk '{print $2}' |sed 's/://'`
8. #docker的数据盘需加参数-n -fstype 1
9. mkfs.xfs ${Disk}
10. Fstab=`grep "${Disk}" /etc/fstab | wc -l`
11. if [ ${Fstab} -eq 0 ];then
12. echo "${Disk} /data xfs
13. noexec,nodev,noatime,nodiratime,nobarrier 0 0" >> /etc/fstab
14. [ -d /data ] || mkdir -p /data
15. else
16. echo "${Disk} is added /etc/fstab !!!"
17. fi
18. else
19. echo "/dev/[vdb|xvdb] is fdisked !!!"
20. fi
21. else
22. echo "/dev/[vdb|xvdb] is mounted !!!"
23. fi
• updatedb 优化
1. sed -i 's,media,media /data,' /etc/updatedb.conf
• 调整ulimit
1. {
2. cat <<'XIAONIU66'
3. * soft nofile 65535
4. * hard nofile 65535
5. * soft nproc 65535
6. * hard nproc 65535
7. XIAONIU66
8. } >> /etc/security/limits.conf
9.
10. [ -f /etc/security/limits.d/90-nproc.conf ] && sed -i 's/1024/65535/' /etc/security/limits.d/90-nproc.conf
• 关闭IPv6
1. {
2. cat <<'XIAONIU66'
3. alias net-pf-10 off
4. alias ipv6 off
5. XIAONIU66
6. } >> /etc/modprobe.conf
4. 设置时间同步
• 使用戳服务器
1. ntpdate pool.ntp.org
2. [ ! -e "/var/spool/cron/root" -o -z "$(grep 'ntpdate' /var/spool/cron/root)" ] && { echo "*/20 * * * * $(wh
3. ich ntpdate) pool.ntp.org > /dev/null 2>&1" >> /var/spool/cron/root;chmod 600 /var/spool/cron/root; }
4.
5. systemctl restart ntpdate
5. 本地yum源
* 基础yum源
1. yum install -y epel
基础组件
• 系统基础工具和组件
1. yum -y install bison patch unzip sudo bzip2 mlocate lrzsz sysstat lsof setuptool ntpdate wget lrzsz kernel-headers rsync nc mtr traceroute openssl vim bind-utils
系统特性
1. 服务管理
• centos 6
1. #服务开机自启动
2. chkconfig --level service name on
3. #服务开机不自启动
4. chkconfig --level service name off
5. #启动服务
6. /etc/init.d/service name start
7. #停止服务
8. /etc/init.d/service name stop
• centos 7
1. 服务开机自启动
2. systemctl enable service name
3. #服务开机不自启动
4. systemctl disable service name
5. #启动服务
6. systemctl start service name
7. #停止服务
8. systemctl stop service name
2. kvm模块加载检测
1. egrep --color=auto '(vmx|svm)' /proc/cpuinfo
3. docker初始化
参考链接docker
系统驱动
统一格式规范
1. HOSTNAME
• 规则:[地区]-[机房]-[项目名]-[环境]-[应用名]-[编号]
1. [root@sz-rjds_4f-common-prd-cobbler-001 ~]# echo $HOSTNAME
2. sz-rjds_4f-common-prd-cobbler-001
3. # 深圳-软件大夏_4楼-公共组件-生产环境-cobbler应用
详细请看运维工程师平台标准化指引
• 初始化
1. HostNameNew="sz-rjds_4f-common-prd-cobbler-001"
2. /bin/hostname ${HostNameNew}
3. sed -i "s/^HOSTNAME/#HOSTNAME/;/^#HOSTNAME/aHOSTNAME=${HostNameNew}" /etc/sysconfig/network
• 添加主机名到/etc/hosts
1. grep $(hostname) /etc/hosts
2. if [ $# -ne 1 ]
3. then
4. echo $(echo -n $(hostname -I | awk '{print $1" " }') ; echo -e ' ' ;echo $(hostname)) >> /etc/hosts
5. sed -i 's/(127.*)/1 "'$(hostname)'"/' /etc/hosts
6. fi
• 在127.0.0.1和localhost间,插入hostname
1. HOSTNAME=$(hostname)
2. sed -i "s/127.0.0.1(.*)localhost /127.0.0.1 ${HOSTNAME} localhost /" /etc/hosts
2. history格式修改
• 增加历史命令记录数为:3000
1. sed -i "s/HISTSIZE=[0-9]*/HISTSIZE=3000/" ~/.bashrc
• 增加日期时间格式显示
1. sed -i "s/export HISTTIMEFORMAT=.*/export HISTTIMEFORMAT="%F %T "/g" .bashrc
3. 系统空闲时间
• 用户空闲30分钟后自动断开连接
1. sed -i 's/'^PASS_MIN_LEN 5'/'PASS_MIN_LEN 12'/g' /etc/login.defs
4. 添加初始化记录文件
• 通过记录文件判断是否需要初始化
1. if [ $# -ne 1 ]; then
2. echo "Usage: $0 HOSTNAME"
3. exit 1
4. fi
5.
6. if [ $(id -u) != 0 ];then
7. echo "Must be root can do this."
8. exit 9
9. fi
10.
11. if [ -e /root/OSinitdone ]
12. then
13. echo "OSinit.sh configure complete!"
14. exit 9
15. fi
16.
17. umask 027
其它配置
1. 禁止内核更新
• 不允许非管理员更新内核
1. cat <<'XIAONIU66'
2. exclude=kernel* redhat-release* centos-release*
3. XIAONIU66
4. } >> /etc/yum.conf
2. 其它配置
1. echo "alias vi='vim'" >> /root/.bashrc
2. echo "alias vi='vim'" >> /etc/skel/.bashrc
3. echo 'PS1="[e[37;40m][[e[32;40m]u[e[37;40m]@h [e[35;40m]W[e[0m]]\$ "' >> /etc/skel/.bashrc
4. echo 'PS1="[e[37;40m][[e[32;40m]u[e[37;40m]@h [e[35;40m]W[e[0m]]\$ "' >> /root/.bashrc
5. echo '
6. set enc=utf8
7. syntax on
8. set tabstop=4
9. set shiftwidth=4
10. set softtabstop=4
11. set smarttab
12. set shiftround
13. set expandtab
14.
15. "Setup indenting
16. set autoindent
17. set smartindent
18. set cindent
19. set nobackup ' > /root/.vimrc
3. 自动补全
1. cp /usr/share/bash-completion/completions/yum /etc/bash_completion.d/
2. echo 'for file in /etc/bash_completion.d/* ; do source $file; done' >> /etc/profile
如何实施
使用附件的OSinit.sh脚本
1. OSinit.sh $hostname
1. 加入到kickstart
2. 服务器(比如模版)上手动执行脚本
TODO
1. 根据安全部门发的最新文档更新脚本的安全加固。
1. curl 10.124.20.2:3000/wazuh_agent_install.sh |sh 生产
2. curl 10.125.20.10:3000/wazuh_agent_install.sh |sh 测试
1. kernel版本固定出来。