Linux操作系统安全配置步骤详细解析

* hard core 0
* hard rss 5000
* hard nproc 20

session required /lib/security/pam_limits.so

boot=/dev/sda
map=/boot/map
install=/boot/boot.b
prompt
timeout=50
Default=linux
restricted ?add this line.
password=some_password ?add this line.
image=/boot/vmlinuz-2.2.12-20
label=linux
initrd=/boot/initrd-2.2.12-10.img
root=/dev/sda6
read-only
[root@deep]# chmod 600 /etc/lilo.conf (不再能被其他用户可读).
[root@deep]# /sbin/lilo -v (更新lilo配置).
[root@deep]# chattr +i /etc/lilo.conf（阻止该文件被修改）

[root@deep]# vi /etc/inittab
ca::ctrlaltdel:/sbin/shutdown -t3 -r now
To
#ca::ctrlaltdel:/sbin/shutdown -t3 -r now
[root@deep]# /sbin/init q

[root@deep]# chmod -R 700 /etc/rc.d/init.d/*

# This will overwrite /etc/issue at every boot. So, make any changes you
# want to make to /etc/issue here or you will lose them when you reboot.
#echo "" >; /etc/issue
#echo "$R" >;>; /etc/issue
#echo "Kernel $(uname -r) on $a $(uname -m)" >;>; /etc/issue
#
#cp -f /etc/issue /etc/issue.net
#echo >;>; /etc/issue
--

[root@deep]# rm -f /etc/issue
[root@deep]# rm -f /etc/issue.net
[root@deep]# touch /etc/issue
[root@deep]# touch /etc/issue.net

[root@deep]# find / -type f \( -perm -04000 -o -perm -02000 \) \-exec ls –lg {} \;
-rwsr-xr-x 1 root root 33120 Mar 21 1999 /usr/bin/at
*-rwsr-xr-x 1 root root 30560 Apr 15 20:03 /usr/bin/chage
*-rwsr-xr-x 1 root root 29492 Apr 15 20:03 /usr/bin/gpasswd
-rwsr-xr-x 1 root root 3208 Mar 22 1999 /usr/bin/disable-paste
-rwxr-sr-x 1 root man 32320 Apr 9 1999 /usr/bin/man
-r-s--x--x 1 root root 10704 Apr 14 17:21 /usr/bin/passwd
-rws--x--x 2 root root 517916 Apr 6 1999 /usr/bin/suidperl
-rws--x--x 2 root root 517916 Apr 6 1999 /usr/bin/sperl5.00503
-rwxr-sr-x 1 root mail 11432 Apr 6 1999 /usr/bin/lockfile
-rwsr-sr-x 1 root mail 64468 Apr 6 1999 /usr/bin/procmail
-rwsr-xr-x 1 root root 21848 Aug 27 11:06 /usr/bin/crontab
-rwxr-sr-x 1 root slocate 15032 Apr 19 14:55 /usr/bin/slocate
*-r-xr-sr-x 1 root tty 6212 Apr 17 11:29 /usr/bin/wall
*-rws--x--x 1 root root 14088 Apr 17 12:57 /usr/bin/chfn
*-rws--x--x 1 root root 13800 Apr 17 12:57 /usr/bin/chsh
*-rws--x--x 1 root root 5576 Apr 17 12:57 /usr/bin/newgrp
*-rwxr-sr-x 1 root tty 8392 Apr 17 12:57 /usr/bin/write
-rwsr-x--- 1 root squid 14076 Oct 7 14:48 /usr/lib/squid/pinger
-rwxr-sr-x 1 root utmp 15587 Jun 9 09:30 /usr/sbin/utempter
*-rwsr-xr-x 1 root root 5736 Apr 19 15:39 /usr/sbin/usernetctl
*-rwsr-xr-x 1 root bin 16488 Jul 6 09:35 /usr/sbin/traceroute
-rwsr-sr-x 1 root root 299364 Apr 19 16:38 /usr/sbin/sendmail
-rwsr-xr-x 1 root root 34131 Apr 16 18:49 /usr/libexec/pt_chown
-rwsr-xr-x 1 root root 13208 Apr 13 14:58 /bin/su
*-rwsr-xr-x 1 root root 52788 Apr 17 15:16 /bin/mount
*-rwsr-xr-x 1 root root 26508 Apr 17 20:26 /bin/umount
*-rwsr-xr-x 1 root root 17652 Jul 6 09:33 /bin/ping
-rwsr-xr-x 1 root root 20164 Apr 17 12:57 /bin/login
*-rwxr-sr-x 1 root root 3860 Apr 19 15:39 /sbin/netreport
-r-sr-xr-x 1 root root 46472 Apr 17 16:26 /sbin/pwdb_chkpwd
[root@deep]# chmod a-s /usr/bin/chage
[root@deep]# chmod a-s /usr/bin/gpasswd
[root@deep]# chmod a-s /usr/bin/wall
[root@deep]# chmod a-s /usr/bin/chfn
[root@deep]# chmod a-s /usr/bin/chsh
[root@deep]# chmod a-s /usr/bin/newgrp
[root@deep]# chmod a-s /usr/bin/write
[root@deep]# chmod a-s /usr/sbin/usernetctl
[root@deep]# chmod a-s /usr/sbin/traceroute
[root@deep]# chmod a-s /bin/mount
[root@deep]# chmod a-s /bin/umount
[root@deep]# chmod a-s /bin/ping
[root@deep]# chmod a-s /sbin/netreport