代码拉取完成,页面将自动刷新
同步操作将从 openEuler/security-tool 强制同步,此操作会覆盖自 Fork 仓库以来所做的任何修改,且无法恢复!!!
确定后同步将在后台操作,完成时将刷新页面,请耐心等待。
#######################################################################################
#
# Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved.
# security-tool licensed under the Mulan PSL v2.
# You can use this software according to the terms and conditions of the Mulan PSL v2.
# You may obtain a copy of Mulan PSL v2 at:
# http://license.coscl.org.cn/MulanPSL
# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
# PURPOSE.
# See the Mulan PSL v2 for more details.
# Description: Configuration file for the security-tool.
#
#######################################################################################
########################################################################
#
# HowTo:
# # delete key, and difference caused by blankspace/tab on key is ignored
# id@d@file@key
#
# # modify option: find line started with key, and get the value changed
# id@m@file@key[@value]
#
# # modify sub-option: find line started with key, and then change the value of key2 to value2(prepostive seperator should not be blank characters) in the line
# id@M@file@key@key2[@value2]
#
# # check existence of commands
# id@which@command1 [command2 ...]
#
# # execute command on the files found
# id@find@dir@condition@command
#
# # any command(with or without parameter), such as 'rm -f','chmod 700','which','touch', used to extend functions, return 0 is ok
# id@command@file1 [file2 ...]
#
# Notes:
# 1. The comment line should start with '#'
# 2. "value" related with "key" should contain prepositive separator("="," " and so on), if there is any.
# 3. When item starts with "d", "m" or "M", "file" should be a single normal file, otherwise multi-objects(separated by blankspace) are allowed.
#
########################################################################
########################################################################
# SSH server settting
########################################################################
# Set sshd Protocol version
101@m@/etc/ssh/sshd_config@Protocol @2
102@m@/etc/ssh/sshd_config@SyslogFacility @AUTH
102@m@/etc/ssh/sshd_config@LogLevel @VERBOSE
103@m@/etc/ssh/sshd_config@X11Forwarding @no
105@m@/etc/ssh/sshd_config@PubkeyAuthentication @yes
105@m@/etc/ssh/sshd_config@RSAAuthentication @yes
# Don't read the user's ~/.rhosts and ~/.shosts files
105@m@/etc/ssh/sshd_config@IgnoreRhosts @yes
105@m@/etc/ssh/sshd_config@RhostsRSAAuthentication @no
# To disable host authentication
106@m@/etc/ssh/sshd_config@HostbasedAuthentication @no
108@m@/etc/ssh/sshd_config@PermitEmptyPasswords @no
109@m@/etc/ssh/sshd_config@PermitUserEnvironment @no
# Set sshd password algorithm
110@m@/etc/ssh/sshd_config@Ciphers @aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@@openssh.com,aes256-gcm@@openssh.com,chacha20-poly1305@@openssh.com
111@m@/etc/ssh/sshd_config@ClientAliveCountMax @0
# Make sshd print warning banner
112@m@/etc/ssh/sshd_config@Banner @/etc/issue.net
# Set sshd message authentication code algorithm
113@m@/etc/ssh/sshd_config@MACs @hmac-sha2-512,hmac-sha2-512-etm@@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@@openssh.com
# Make sshd check file modes and ownership of the user's files and home directory before accepting login
114@m@/etc/ssh/sshd_config@StrictModes @yes
# Set this to 'yes' to enable PAM authentication, account processing, and session processing.
115@m@/etc/ssh/sshd_config@UsePAM @yes
# Set this to 'no', do not allowed TCP forwarding.
116@m@/etc/ssh/sshd_config@AllowTcpForwarding @no
# Log on sftp.
117@m@/etc/ssh/sshd_config@Subsystem sftp @/usr/libexec/openssh/sftp-server -l INFO -f AUTH
118@m@/etc/ssh/sshd_config@AllowAgentForwarding @no
119@m@/etc/ssh/sshd_config@GatewayPorts @no
120@m@/etc/ssh/sshd_config@PermitTunnel @no
#CVE-2015-4000
121@m@/etc/ssh/sshd_config@KexAlgorithms@ curve25519-sha256,curve25519-sha256@@libssh.org,diffie-hellman-group-exchange-sha256
122@m@/etc/ssh/sshd_config@HostbasedAcceptedKeytypes@ ssh-ed25519,ssh-ed25519-cert-v01@@openssh.com,rsa-sha2-256,rsa-sha2-512
122@m@/etc/ssh/sshd_config@GSSAPIKexAlgorithms@ gss-group14-sha256-,gss-group16-sha512-,gss-curve25519-sha256-
122@m@/etc/ssh/sshd_config@CASignatureAlgorithms@ ssh-ed25519,sk-ssh-ed25519@@openssh.com,rsa-sha2-512,rsa-sha2-256
130@systemctl@sshd.service@restart
########################################################################
# System access and authorization
########################################################################
# close the kernel request debugging functionality
204@m@/etc/sysctl.conf@kernel.sysrq@=0
206@rm -f @/etc/motd
206@touch @/etc/motd
206@chown root:root @/etc/motd
206@chmod 644 @/etc/motd
206@m@/etc/motd@Authorized users only. All activities may be monitored and reported.
206@rm -f @/etc/issue
206@touch @/etc/issue
206@chown root:root @/etc/issue
206@chmod 644 @/etc/issue
206@m@/etc/issue@Authorized users only. All activities may be monitored and reported.
206@rm -f @/etc/issue.net
206@touch @/etc/issue.net
206@chown root:root @/etc/issue.net
206@chmod 644 @/etc/issue.net
206@m@/etc/issue.net@Authorized users only. All activities may be monitored and reported.
208@chown root:root @/etc/crontab
208@chmod og-rwx @/etc/crontab
209@chown root:root @/etc/cron.d
209@chmod og-rwx @/etc/cron.d
210@chown root:root @/etc/cron.hourly
210@chmod og-rwx @/etc/cron.hourly
211@chown root:root @/etc/cron.daily
211@chmod og-rwx @/etc/cron.daily
212@chown root:root @/etc/cron.weekly
212@chmod og-rwx @/etc/cron.weekly
213@chown root:root @/etc/cron.monthly
213@chmod og-rwx @/etc/cron.monthly
214@rm -f @/etc/at.deny
214@touch @/etc/at.allow
214@chown root:root @/etc/at.allow
214@chmod og-rwx @/etc/at.allow
215@rm -f @/etc/cron.deny
215@touch @/etc/cron.allow
215@chown root:root @/etc/cron.allow
215@chmod og-rwx @/etc/cron.allow
#rpm initscripts drop /etc/sysconfig/init defaultly
216@touch @/etc/sysconfig/init
217@m@/etc/sysconfig/init@PROMPT=@no
########################################################################
# Kernel parameters
########################################################################
# Disable IP forwarding
301@m@/etc/sysctl.conf@net.ipv4.ip_forward=@0
# Disable sending ICMP redirects
302@m@/etc/sysctl.conf@net.ipv4.conf.all.send_redirects=@0
302@m@/etc/sysctl.conf@net.ipv4.conf.default.send_redirects=@0
# Disable IP source routing
303@m@/etc/sysctl.conf@net.ipv4.conf.all.accept_source_route=@0
303@m@/etc/sysctl.conf@net.ipv4.conf.default.accept_source_route=@0
# Disable ICMP redirects acceptance
304@m@/etc/sysctl.conf@net.ipv4.conf.all.accept_redirects=@0
304@m@/etc/sysctl.conf@net.ipv4.conf.default.accept_redirects=@0
# Disable ICMP redirect messages only for gateways
305@m@/etc/sysctl.conf@net.ipv4.conf.all.secure_redirects=@0
305@m@/etc/sysctl.conf@net.ipv4.conf.default.secure_redirects=@0
# Disable response to broadcasts.
306@m@/etc/sysctl.conf@net.ipv4.icmp_echo_ignore_broadcasts=@1
# Enable ignoring bogus error responses
307@m@/etc/sysctl.conf@net.ipv4.icmp_ignore_bogus_error_responses=@1
# Enable route verification on all interfaces
308@m@/etc/sysctl.conf@net.ipv4.conf.all.rp_filter=@1
308@m@/etc/sysctl.conf@net.ipv4.conf.default.rp_filter=@1
# Enable TCP-SYN cookie protection
309@m@/etc/sysctl.conf@net.ipv4.tcp_syncookies=@1
# Enable preventing normal users from getting dmesg output
310@m@/etc/sysctl.conf@kernel.dmesg_restrict=@1
########################################################################
# Only Wants NetworkManager
########################################################################
401@m@/usr/lib/systemd/system/openEuler-security.service@Wants=@NetworkManager.service
#del SHA1 pem
402@rm -f @/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
#limit user environment variables when used su
403@m@/etc/login.defs@ALWAYS_SET_PATH=@yes
#add umask 077 to /etc/csh.login
404@m@/etc/csh.login@umask@ 077
#disable ICMP redirects acceptance
407@m@/etc/sysctl.conf@net.ipv6.conf.all.accept_redirects=@0
407@m@/etc/sysctl.conf@net.ipv6.conf.default.accept_redirects=@0
#set LOG_UNKFAIL_ENAB to no
622@m@/etc/login.defs@LOG_UNKFAIL_ENAB @no
#fix the problem of
700@chown root:dbus @/usr/libexec/dbus-1/dbus-daemon-launch-helper
700@chmod 4750 @/usr/libexec/dbus-1/dbus-daemon-launch-helper
此处可能存在不合适展示的内容,页面不予展示。您可通过相关编辑功能自查并修改。
如您确认内容无涉及 不当用语 / 纯广告导流 / 暴力 / 低俗色情 / 侵权 / 盗版 / 虚假 / 无价值内容或违法国家有关法律法规的内容,可点击提交进行申诉,我们将尽快为您处理。
马建仓 AI 助手