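# Password aging in /etc/login.defs: minimum age 30 days, maximum age 90 days,
# minimum length 8. The original used only sed's 'c' command, which replaces an
# existing line but silently does nothing when the key is absent; each key is
# now appended when it is missing.
for kv in 'PASS_MAX_DAYS 90' 'PASS_MIN_DAYS 30' 'PASS_MIN_LEN 8'; do
  key=${kv%% *}
  if grep -q "^${key}[[:space:]]" /etc/login.defs; then
    sed -i "/^${key}[[:space:]]/c ${kv}" /etc/login.defs
  else
    printf '%s\n' "$kv" >> /etc/login.defs
  fi
done
# NOTE(review): on PAM-based systems PASS_MIN_LEN in login.defs is generally not
# what enforces length; pam_pwquality's minlen is — confirm on the target build.
# Idle-session timeout of 600 s. readonly + export keep users from unsetting it
# in their own shells; the grep guard keeps re-runs from appending duplicates.
# The original also sourced /etc/profile into this script, which only ran every
# /etc/profile.d snippet as root with no effect on the hardening — dropped.
if ! grep -q '^readonly TMOUT' /etc/profile; then
  printf '%s\n' 'TMOUT=600' 'readonly TMOUT' 'export TMOUT' >> /etc/profile
fi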
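# Create the admin group and the three administrative accounts.
# The original hard-coded each password in this file. They are now read from
# the environment (SYSTEMADMIN_PW, AUDITADMIN_PW, SECURITYADMIN_PW), passed to
# chpasswd on stdin so they never appear in argv, and expired immediately so
# the holder must choose a new one at first login.
getent group admin >/dev/null || groupadd admin
for u in systemadmin auditadmin securityadmin; do
  pw_var="${u^^}_PW"
  : "${!pw_var:?must be set in the environment before running}"
  id "$u" >/dev/null 2>&1 || useradd -m -g admin "$u"
  printf '%s:%s\n' "$u" "${!pw_var}" | chpasswd
  chage -d 0 "$u"   # force a password change at first login
  chown -R "$u":admin "/home/$u"
done
# Sudo policy: written to a drop-in and validated with visudo before install,
# instead of appending to /etc/sudoers (a typo there locks everyone out of
# sudo). NOPASSWD was dropped so privileged actions re-authenticate; the
# original granted all three accounts unrestricted, passwordless sudo, which
# leaves no separation between the system, audit and security roles —
# auditadmin in particular should get a narrower command list.
sudo_tmp=$(mktemp) || exit 1
printf '%s ALL=(ALL) ALL\n' systemadmin auditadmin securityadmin > "$sudo_tmp"
if visudo -cf "$sudo_tmp"; then
  install -m 0440 -o root -g root "$sudo_tmp" /etc/sudoers.d/90-admin
else
  printf 'sudoers drop-in failed validation; not installed\n' >&2
fi
rm -f -- "$sudo_tmp"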
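# Disable unneeded accounts. The original deleted them with userdel; several of
# these (bin, adm, mail, lp, ...) own files under /usr and /var and are
# referenced by package scriptlets, so deleting them leaves orphaned files and
# can break later package updates. Locking the password and setting a nologin
# shell reaches the same goal (no interactive use) and is reversible.
# Accounts absent on this host are skipped instead of producing an error each.
for u in uucp nuucp lp adm sync shutdown halt news operator gopher \
         bin mail games ftp vcsa abrt ntp saslauth tcpdump; do
  id "$u" >/dev/null 2>&1 || continue
  usermod -L -s /sbin/nologin "$u"
done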
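# Forward all logs to the central collector. Written as a drop-in under
# /etc/rsyslog.d (overwritten, not appended) so re-runs do not stack duplicate
# forwarding rules in rsyslog.conf; the config is checked before restarting
# so a bad rule cannot take logging down.
# NOTE(review): @@ is plain TCP — log content crosses the network unencrypted;
# if the collector supports it, switch to rsyslog's TLS transport.
yum -y install rsyslog
printf '%s\n' '*.* @@10.8.31.4:514' > /etc/rsyslog.d/90-remote.conf
if rsyslogd -N1; then
  systemctl enable rsyslog
  systemctl restart rsyslog
else
  printf 'rsyslog config check failed; not restarting\n' >&2
fi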
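# Harden /etc/ssh/sshd_config.
# set_sshd_opt KEY VALUE replaces any existing line for KEY (commented out or
# active) with "KEY VALUE", or appends it when none exists, so the result is
# the same on every run. The original sed patterns only matched commented
# lines, appended Ciphers/MACs on every run, and had two real defects:
#   - the PermitEmptyPasswords line was replaced with "GSSAPIAuthentication no"
#     (copy-paste error), so empty passwords were never explicitly disabled;
#   - PermitRootLogin was only commented out, which leaves sshd's compiled-in
#     default in force rather than disabling root login.
# It also put "# ..." comments after the Ciphers/MACs values; not every sshd
# release accepts trailing text on a keyword line, so the file is checked with
# sshd -t before restarting.
# NOTE(review): the sed touches every matching line, including inside a Match
# block if one exists — the stock file has none; check yours.
sshd_cfg=/etc/ssh/sshd_config
set_sshd_opt() {
  local key=$1 value=$2
  if grep -Eq "^[[:space:]]*#?[[:space:]]*${key}([[:space:]]|$)" "$sshd_cfg"; then
    sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}([[:space:]].*)?$|${key} ${value}|" "$sshd_cfg"
  else
    printf '%s %s\n' "$key" "$value" >> "$sshd_cfg"
  fi
}
set_sshd_opt PermitEmptyPasswords no
set_sshd_opt UseDNS no
set_sshd_opt GSSAPIAuthentication no
set_sshd_opt MaxAuthTries 4
set_sshd_opt LoginGraceTime 60
set_sshd_opt ClientAliveInterval 300
set_sshd_opt ClientAliveCountMax 3
set_sshd_opt PermitRootLogin no
# Approved cipher and MAC lists
set_sshd_opt Ciphers aes256-ctr,aes192-ctr,aes128-ctr
set_sshd_opt MACs hmac-sha2-512,hmac-sha2-256
if sshd -t; then
  systemctl restart sshd
else
  printf 'sshd_config failed validation; sshd not restarted\n' >&2
  exit 1
fi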
#tomcat默认的索引页面:
---web.xml 设置 welcome-page
<welcome-file-list>
<welcome-file>list.jsp</welcome-file>
</welcome-file-list>
---处理tomcat默认错误页面
-在web.xml中添加配置:
<error-page>
<exception-type>java.lang.Exception</exception-type>
<location>/404.html</location>
</error-page>
<error-page>
<error-code>404</error-code>
<location>/404.html</location>
</error-page>
<error-page>
<error-code>400</error-code>
<location>/404.html</location>
</error-page>
<error-page>
<error-code>500</error-code>
<location>/404.html</location>
</error-page>
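# Audit account with its own primary group. The original ran
# "usermod -G audit audit" after useradd, which only works if a group named
# audit already exists (it does when USERGROUPS_ENAB creates one, and then the
# usermod is redundant); creating the group explicitly covers both cases.
getent group audit >/dev/null || groupadd audit
id audit >/dev/null 2>&1 || useradd -m -g audit audit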
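# Audit rules. The original opened audit.rules in vim (not scriptable); this
# writes a separate drop-in under /etc/audit/rules.d, which augenrules merges
# with the distribution's own audit.rules (-D, -b, -f stay intact) and which
# is simply overwritten on re-runs. The file name is our choice.
cat > /etc/audit/rules.d/50-hardening.rules <<'EOF'
## Syscall rules. arch=b64 only: calls made through the 32-bit ABI are not
## audited — add matching arch=b32 lines if 32-bit binaries can run here.
-a exit,always -F arch=b64 -S umask -S chown -S chmod
-a exit,always -F arch=b64 -S unlink -S rmdir
-a exit,always -F arch=b64 -S setrlimit
-a exit,always -F arch=b64 -S setuid -S setreuid
-a exit,always -F arch=b64 -S setgid -S setregid
-a exit,always -F arch=b64 -S sethostname -S setdomainname
-a exit,always -F arch=b64 -S adjtimex -S settimeofday
-a exit,always -F arch=b64 -S mount -S _sysctl
## File watches, -p wa = writes and attribute changes. The original left -p
## off sshd_config, profile.d and lastlog, which (as far as auditctl's
## documentation goes) means every access type including reads — noisy for
## lastlog, which is read at each login. Made consistent with the others.
-w /etc/group -p wa
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/sudoers -p wa
-w /etc/ssh/sshd_config -p wa
-w /etc/bashrc -p wa
-w /etc/profile -p wa
-w /etc/profile.d/ -p wa
-w /etc/aliases -p wa
-w /etc/sysctl.conf -p wa
-w /var/log/lastlog -p wa
## The original file carried the comment below without the "-e 2" line it
## refers to. -e 2 makes the rule set immutable until reboot; enable it only as
## the very last rule once the set is final.
## Disable adding any additional rules - note that adding *new* rules will require a reboot
#-e 2
EOF
# Load the merged rule set; older auditd without augenrules needs a restart
# (auditd refuses systemctl restart, so the service wrapper is used).
if command -v augenrules >/dev/null; then
  augenrules --load
else
  service auditd restart
fi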
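# Give the audit account read access to /var/log.
# The original did "chown -R audit:audit /var/log", which hands a non-root
# account ownership — and therefore the ability to modify or delete — of every
# log on the host, undermining the audit trail it is meant to review. It also
# overwrites the per-service ownership that daemons logging under /var/log
# rely on. A read-only ACL leaves ownership untouched; the default ACL makes
# files created later readable too.
setfacl -R -m u:audit:rX /var/log
setfacl -R -d -m u:audit:rX /var/log
# /var/log/audit stays root-only, as the original's second chown intended.
# -b strips every ACL there, which is fine for the stock tree (it has none);
# adjust if your auditd directory carries other ACLs.
setfacl -R -b /var/log/audit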
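# Remote log forwarding (these were editor notes in the original, with the
# collector written as the placeholder 172.16.x.xx). The address must now be
# supplied in REMOTE_SYSLOG. This duplicates the forwarding step earlier in
# the file (10.8.31.4); keep whichever collector is correct, not both.
# Only the TCP (@@) rule is kept: the original listed both @@ (TCP) and @ (UDP)
# to the same host, which delivers every message twice. Its
# "/var/log/messages" selector line is also left out — the installed
# rsyslog.conf normally carries one already, and a second copy in a drop-in
# would write each message twice (verify against your rsyslog.conf before
# re-adding it).
: "${REMOTE_SYSLOG:?set REMOTE_SYSLOG to the log collector address}"
printf '%s\n' "*.* @@${REMOTE_SYSLOG}:514" > /etc/rsyslog.d/91-remote.conf
if rsyslogd -N1; then
  systemctl restart rsyslog
else
  printf 'rsyslog config check failed; not restarting\n' >&2
fi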