Package init

dogsheng 2019-12-25 17:13:05 +08:00
parent 810781bc8d
commit 22c9b10f21
16 changed files with 1807 additions and 75 deletions

121
LICENSE Normal file
View File

@ -0,0 +1,121 @@
木兰宽松许可证, 第1版
木兰宽松许可证, 第1版
2019年8月 http://license.coscl.org.cn/MulanPSL
您对“软件”的复制、使用、修改及分发受木兰宽松许可证第1版“本许可证”的如下条款的约束
0. 定义
“软件”是指由“贡献”构成的许可在“本许可证”下的程序和相关文档的集合。
“贡献者”是指将受版权法保护的作品许可在“本许可证”下的自然人或“法人实体”。
“法人实体”是指提交贡献的机构及其“关联实体”。
“关联实体”是指对“本许可证”下的一方而言控制、受控制或与其共同受控制的机构此处的控制是指有受控方或共同受控方至少50%直接或间接的投票权、资金或其他有价证券。
“贡献”是指由任一“贡献者”许可在“本许可证”下的受版权法保护的作品。
1. 授予版权许可
每个“贡献者”根据“本许可证”授予您永久性的、全球性的、免费的、非独占的、不可撤销的版权许可,您可以复制、使用、修改、分发其“贡献”,不论修改与否。
2. 授予专利许可
每个“贡献者”根据“本许可证”授予您永久性的、全球性的、免费的、非独占的、不可撤销的(根据本条规定撤销除外)专利许可,供您制造、委托制造、使用、许诺销售、销售、进口其“贡献”或以其他方式转移其“贡献”。前述专利许可仅限于“贡献者”现在或将来拥有或控制的其“贡献”本身或其“贡献”与许可“贡献”时的“软件”结合而将必然会侵犯的专利权利要求,不包括仅因您或他人修改“贡献”或其他结合而将必然会侵犯到的专利权利要求。如您或您的“关联实体”直接或间接地(包括通过代理、专利被许可人或受让人),就“软件”或其中的“贡献”对任何人发起专利侵权诉讼(包括反诉或交叉诉讼)或其他专利维权行动,指控其侵犯专利权,则“本许可证”授予您对“软件”的专利许可自您提起诉讼或发起维权行动之日终止。
3. 无商标许可
“本许可证”不提供对“贡献者”的商品名称、商标、服务标志或产品名称的商标许可但您为满足第4条规定的声明义务而必须使用除外。
4. 分发限制
您可以在任何媒介中将“软件”以源程序形式或可执行形式重新分发,不论修改与否,但您必须向接收者提供“本许可证”的副本,并保留“软件”中的版权、商标、专利及免责声明。
5. 免责声明与责任限制
“软件”及其中的“贡献”在提供时不带任何明示或默示的担保。在任何情况下,“贡献者”或版权所有者不对任何人因使用“软件”或其中的“贡献”而引发的任何直接或间接损失承担责任,不论因何种原因导致或者基于何种法律理论,即使其曾被建议有此种损失的可能性。
条款结束。
如何将木兰宽松许可证第1版应用到您的软件
如果您希望将木兰宽松许可证第1版应用到您的新软件为了方便接收者查阅建议您完成如下三步
1 请您补充如下声明中的空白,包括软件名、软件的首次发表年份以及您作为版权人的名字;
2 请您在软件包的一级目录下创建以“LICENSE”为名的文件将整个许可证文本放入该文件中
3 请将如下声明文本放入每个源文件的头部注释中。
Copyright (c) [2019] [name of copyright holder]
[Software Name] is licensed under the Mulan PSL v1.
You can use this software according to the terms and conditions of the Mulan PSL v1.
You may obtain a copy of Mulan PSL v1 at:
http://license.coscl.org.cn/MulanPSL
THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
PURPOSE.
See the Mulan PSL v1 for more details.
Mulan Permissive Software LicenseVersion 1
Mulan Permissive Software LicenseVersion 1 (Mulan PSL v1)
August 2019 http://license.coscl.org.cn/MulanPSL
Your reproduction, use, modification and distribution of the Software shall be subject to Mulan PSL v1 (this License) with following terms and conditions:
0. Definition
Software means the program and related documents which are comprised of those Contribution and licensed under this License.
Contributor means the Individual or Legal Entity who licenses its copyrightable work under this License.
Legal Entity means the entity making a Contribution and all its Affiliates.
Affiliates means entities that control, or are controlled by, or are under common control with a party to this License, control means direct or indirect ownership of at least fifty percent (50%) of the voting power, capital or other securities of controlled or commonly controlled entity.
Contribution means the copyrightable work licensed by a particular Contributor under this License.
1. Grant of Copyright License
Subject to the terms and conditions of this License, each Contributor hereby grants to you a perpetual, worldwide, royalty-free, non-exclusive, irrevocable copyright license to reproduce, use, modify, or distribute its Contribution, with modification or not.
2. Grant of Patent License
Subject to the terms and conditions of this License, each Contributor hereby grants to you a perpetual, worldwide, royalty-free, non-exclusive, irrevocable (except for revocation under this Section) patent license to make, have made, use, offer for sale, sell, import or otherwise transfer its Contribution where such patent license is only limited to the patent claims owned or controlled by such Contributor now or in future which will be necessarily infringed by its Contribution alone, or by combination of the Contribution with the Software to which the Contribution was contributed, excluding of any patent claims solely be infringed by your or others modification or other combinations. If you or your Affiliates directly or indirectly (including through an agent, patent licensee or assignee, institute patent litigation (including a cross claim or counterclaim in a litigation) or other patent enforcement activities against any individual or entity by alleging that the Software or any Contribution in it infringes patents, then any patent license granted to you under this License for the Software shall terminate as of the date such litigation or activity is filed or taken.
3. No Trademark License
No trademark license is granted to use the trade names, trademarks, service marks, or product names of Contributor, except as required to fulfill notice requirements in section 4.
4. Distribution Restriction
You may distribute the Software in any medium with or without modification, whether in source or executable forms, provided that you provide recipients with a copy of this License and retain copyright, patent, trademark and disclaimer statements in the Software.
5. Disclaimer of Warranty and Limitation of Liability
The Software and Contribution in it are provided without warranties of any kind, either express or implied. In no event shall any Contributor or copyright holder be liable to you for any damages, including, but not limited to any direct, or indirect, special or consequential damages arising from your use or inability to use the Software or the Contribution in it, no matter how its caused or based on which legal theory, even if advised of the possibility of such damages.
End of the Terms and Conditions
How to apply the Mulan Permissive Software LicenseVersion 1 (Mulan PSL v1) to your software
To apply the Mulan PSL v1 to your work, for easy identification by recipients, you are suggested to complete following three steps:
i. Fill in the blanks in following statement, including insert your software name, the year of the first publication of your software, and your name identified as the copyright owner;
ii. Create a file named “LICENSE” which contains the whole context of this License in the first directory of your software package;
iii. Attach the statement to the appropriate annotated syntax at the beginning of each source file.
Copyright (c) [2019] [name of copyright holder]
[Software Name] is licensed under the Mulan PSL v1.
You can use this software according to the terms and conditions of the Mulan PSL v1.
You may obtain a copy of Mulan PSL v1 at:
http://license.coscl.org.cn/MulanPSL
THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
PURPOSE.
See the Mulan PSL v1 for more details.

View File

@ -1,36 +0,0 @@
# security-tool
#### Description
{**When you're done, you can delete the content in this README and update the file with details for others getting started with your repository**}
#### Software Architecture
Software architecture description
#### Installation
1. xxxx
2. xxxx
3. xxxx
#### Instructions
1. xxxx
2. xxxx
3. xxxx
#### Contribution
1. Fork the repository
2. Create Feat_xxx branch
3. Commit your code
4. Create Pull Request
#### Gitee Feature
1. You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md
2. Gitee blog [blog.gitee.com](https://blog.gitee.com)
3. Explore open source project [https://gitee.com/explore](https://gitee.com/explore)
4. The most valuable open source project [GVP](https://gitee.com/gvp)
5. The manual of Gitee [https://gitee.com/help](https://gitee.com/help)
6. The most popular members [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)
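Review bot: the Gitee template README is deleted without a replacement, so the package ships a boot-time hardening service, three replacement PAM stacks and the `id@op@file@key[@value]` config format with no user-facing documentation at all. Please add a README that lists what the service changes on first boot (sshd_config, sysctl.conf, the system-auth/password-auth/su symlinks, cron.allow/at.allow) and how to opt out, since most of those changes are only visible to an administrator after the fact.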

View File

@ -1,39 +0,0 @@
# security-tool
#### 介绍
{**以下是码云平台说明,您可以替换此简介**
码云是 OSCHINA 推出的基于 Git 的代码托管平台(同时支持 SVN。专为开发者提供稳定、高效、安全的云端软件开发协作平台
无论是个人、团队、或是企业,都能够用码云实现代码托管、项目管理、协作开发。企业项目请看 [https://gitee.com/enterprises](https://gitee.com/enterprises)}
#### 软件架构
软件架构说明
#### 安装教程
1. xxxx
2. xxxx
3. xxxx
#### 使用说明
1. xxxx
2. xxxx
3. xxxx
#### 参与贡献
1. Fork 本仓库
2. 新建 Feat_xxx 分支
3. 提交代码
4. 新建 Pull Request
#### 码云特技
1. 使用 Readme\_XXX.md 来支持不同的语言,例如 Readme\_en.md, Readme\_zh.md
2. 码云官方博客 [blog.gitee.com](https://blog.gitee.com)
3. 你可以 [https://gitee.com/explore](https://gitee.com/explore) 这个地址来了解码云上的优秀开源项目
4. [GVP](https://gitee.com/gvp) 全称是码云最有价值开源项目,是码云综合评定出的优秀开源项目
5. 码云官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help)
6. 码云封面人物是一档用来展示码云会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/)

View File

@ -0,0 +1,30 @@
#######################################################################################
#
# Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved.
# security-tool licensed under the Mulan PSL v1.
# You can use this software according to the terms and conditions of the Mulan PSL v1.
# You may obtain a copy of Mulan PSL v1 at:
# http://license.coscl.org.cn/MulanPSL
# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
# PURPOSE.
# See the Mulan PSL v1 for more details.
# Description: Security Tool Activation Service
#
#######################################################################################
[Unit]
Description=OpenEuler Security Tool
After=network.target sshd.service auditd.service crond.service tuned.service NetworkManager.service
Wants=sshd.service auditd.service rsyslog.service tuned.service NetworkManager.service
ConditionFileIsExecutable=/usr/sbin/security-tool.sh
[Service]
Type=oneshot
RemainAfterExit=yes
EnvironmentFile=/etc/openEuler_security/security
ExecStart=/usr/sbin/security-tool.sh -d / -c /etc/openEuler_security/security.conf -u /etc/openEuler_security/usr-security.conf -l /var/log/openEuler-security.log -s
TimeoutSec=0
[Install]
WantedBy=multi-user.target
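Review bot: the `Wants=` line of this unit is rewritten at runtime by security.conf item 401 (`401@m@/usr/lib/systemd/system/openEuler-security.service@Wants=@NetworkManager.service`), so the script edits the very unit file it was started from, under /usr/lib rather than /etc. That makes `rpm -V security-tool` report the unit as modified and the edit is lost on every package update; ship the intended `Wants=` line in this file (or as a drop-in under /etc/systemd/system/openEuler-security.service.d/) and drop item 401. Also `Description=OpenEuler Security Tool` should read `openEuler` to match the rest of the package.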

17
security Normal file
View File

@ -0,0 +1,17 @@
#######################################################################################
#
# Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved.
# security-tool licensed under the Mulan PSL v1.
# You can use this software according to the terms and conditions of the Mulan PSL v1.
# You may obtain a copy of Mulan PSL v1 at:
# http://license.coscl.org.cn/MulanPSL
# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
# PURPOSE.
# See the Mulan PSL v1 for more details.
# Description: Configuration file for the openEuler-security service.
#
#######################################################################################
OPENEULER_SECURITY=0
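Review bot: `OPENEULER_SECURITY=0` is the only setting in this EnvironmentFile and its meaning is not documented anywhere in the change: it is unclear whether 0 means "hardening not yet applied, run on next boot" or "hardening disabled", and whether the script flips the value after a successful run. Add a comment above the line stating the accepted values and who writes them, since an administrator reading this file is deciding whether the next reboot will rewrite sshd_config and the PAM stack.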

View File

@ -0,0 +1,24 @@
#######################################################################################
#
# Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved.
# security-tool licensed under the Mulan PSL v1.
# You can use this software according to the terms and conditions of the Mulan PSL v1.
# You may obtain a copy of Mulan PSL v1 at:
# http://license.coscl.org.cn/MulanPSL
# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
# PURPOSE.
# See the Mulan PSL v1 for more details.
# Description: Append the history list to the history file.
#
#######################################################################################
set el_precmd_msg = `history 1|cut -f3-|sed -e "s|{||g" | sed -e "s|}||g"`
set el_precmd_user = `whoami`
set el_precmd_loginuser = `who -m | awk '{print $2" "$NF}'`
set el_precmd_num = `history 1| awk -F" " '{print $1}'`
if ((${el_precmd_num} != ${LastComandNum_for_history}) && (${LastComandNum_for_history} != "" || ${el_precmd_num} == 1)) then
logger -t "[/bin/csh]" "[${el_precmd_msg}]" "by [${el_precmd_user}] from [${el_precmd_loginuser}]" > /dev/null
endif
set LastComandNum_for_history = ${el_precmd_num}
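Review bot: the condition `if ((${el_precmd_num} != ${LastComandNum_for_history}) && ...` fails with an expression-syntax error the first time it runs, because zzz_openEuler_history.csh initialises `LastComandNum_for_history` to the empty string and csh drops an empty unquoted word from the expression. Quote both operands, e.g. `if (("${el_precmd_num}" != "${LastComandNum_for_history}") && ("${LastComandNum_for_history}" != "" || "${el_precmd_num}" == 1)) then`. The trailing `> /dev/null` on the `logger` line does nothing useful, since logger prints nothing on success and reports errors on stderr.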

View File

@ -0,0 +1,45 @@
#######################################################################################
#
# Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved.
# security-tool licensed under the Mulan PSL v1.
# You can use this software according to the terms and conditions of the Mulan PSL v1.
# You may obtain a copy of Mulan PSL v1 at:
# http://license.coscl.org.cn/MulanPSL
# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
# PURPOSE.
# See the Mulan PSL v1 for more details.
# Description: Configuration File for PAMified Services
#
#######################################################################################
#%PAM-1.0
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=60
-auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
-auth sufficient pam_sss.so use_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60
auth sufficient pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=60
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
#account required pam_faillock.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
-account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
-password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
-session optional pam_sss.so
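Review bot: `nullok` on both the `auth sufficient pam_unix.so` and `password sufficient pam_unix.so` lines lets an account with an empty password field authenticate, which undercuts the rest of this hardening; `PermitEmptyPasswords no` in security.conf covers sshd only, not the console, crond or su stacks that include these files. Drop `nullok` from all three PAM files unless there is a documented need for it. Separately, `even_deny_root` combined with `deny=3 unlock_time=60` means three bad attempts against root from any source lock root out of the console for a minute; that availability trade-off should be stated in the package docs.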

View File

@ -0,0 +1,44 @@
#######################################################################################
#
# Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved.
# security-tool licensed under the Mulan PSL v1.
# You can use this software according to the terms and conditions of the Mulan PSL v1.
# You may obtain a copy of Mulan PSL v1 at:
# http://license.coscl.org.cn/MulanPSL
# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
# PURPOSE.
# See the Mulan PSL v1 for more details.
# Description: Configuration File for PAMified Services
#
#######################################################################################
#%PAM-1.0
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=60
-auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
-auth sufficient pam_sss.so use_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60
auth sufficient pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=60
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
-account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
-password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
-session optional pam_sss.so
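Review bot: the `account` stack here has no `pam_faillock.so` line, while system-auth-local carries `account required pam_faillock.so` and password-auth-crond has it commented out; the three stacks should agree, otherwise faillock behaves differently for services that include password-auth (sshd, login) than for su and the console. Pick one policy, and if the account-phase line is intentionally omitted for password-auth, add a comment saying why.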

View File

@ -0,0 +1,14 @@
#%PAM-1.0
auth sufficient pam_rootok.so
# Uncomment the following line to implicitly trust users in the "wheel" group.
#auth sufficient pam_wheel.so trust use_uid
# Uncomment the following line to require a user to be in the "wheel" group.
auth required pam_wheel.so use_uid
auth substack system-auth
auth include postlogin
account sufficient pam_succeed_if.so uid = 0 use_uid quiet
account include system-auth
password include system-auth
session include system-auth
session include postlogin
session optional pam_xauth.so
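Review bot: `auth required pam_wheel.so use_uid` restricts `su` to members of wheel, and in the same change security.conf item 401 (`401@d@/etc/sudoers@%wheel`) removes wheel's sudo entry, so an administrator who is not in wheel loses both `su` and `sudo` as routes to root once the service has run. Document the requirement to add administrators to wheel before enabling the service. This is also the only file in the change without the license and description header that the other PAM files carry.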

View File

@ -0,0 +1,45 @@
#######################################################################################
#
# Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved.
# security-tool licensed under the Mulan PSL v1.
# You can use this software according to the terms and conditions of the Mulan PSL v1.
# You may obtain a copy of Mulan PSL v1 at:
# http://license.coscl.org.cn/MulanPSL
# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
# PURPOSE.
# See the Mulan PSL v1 for more details.
# Description: Configuration File for PAMified Services
#
#######################################################################################
#%PAM-1.0
# User changes will be destroyed the next time authconfig is run.
auth required pam_env.so
auth required pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=60
-auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
-auth sufficient pam_sss.so use_first_pass
auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60
auth sufficient pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=60
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account required pam_faillock.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
-account [default=bad success=ok user_unknown=ignore] pam_sss.so
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
-password sufficient pam_sss.so use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
-session optional pam_sss.so

View File

@ -0,0 +1,17 @@
#######################################################################################
#
# Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved.
# security-tool licensed under the Mulan PSL v1.
# You can use this software according to the terms and conditions of the Mulan PSL v1.
# You may obtain a copy of Mulan PSL v1 at:
# http://license.coscl.org.cn/MulanPSL
# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
# PURPOSE.
# See the Mulan PSL v1 for more details.
# Description: Append the history list to the history file.
#
#######################################################################################
set LastComandNum_for_history
alias precmd 'source /etc/csh.precmd'
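Review bot: `alias precmd 'source /etc/csh.precmd'` silently replaces any `precmd` alias defined earlier in /etc/csh.cshrc or another profile.d script, and the user's own ~/.cshrc runs afterwards and can `unalias precmd`, so this hook records commands only for users who do not disable it. State in the description that this is an audit convenience rather than an enforcement control, and consider appending to an existing `precmd` alias instead of overwriting it.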

View File

@ -0,0 +1,54 @@
#######################################################################################
#
# Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved.
# security-tool licensed under the Mulan PSL v1.
# You can use this software according to the terms and conditions of the Mulan PSL v1.
# You may obtain a copy of Mulan PSL v1 at:
# http://license.coscl.org.cn/MulanPSL
# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
# PURPOSE.
# See the Mulan PSL v1 for more details.
# Description: Append the history list to the history file.
#
#######################################################################################
function openEuler_history()
{
local result=$?
local result_str=""
if [ ${result} -eq 0 ];then
result_str="return code=[0], execute success"
else
result_str="return code=[${result}], execute failed"
fi
history -a
local user=$(whoami)
local user_id=$(id -ur $user)
local login=$(who -m | awk '{print $2" "$NF}')
local msg=$(history 1 | { read x y; echo "$y"; })
local num=$(history 1 | { read x y; echo "$x"; })
if [ "${num}" != "${LastComandNum_for_history}" ] && [ "${LastComandNum_for_history}" != "" -o "${num}" == "1" ];then
logger -t "[${SHELL}]" "[${msg}]" "${result_str}" "by [${user}(uid=$user_id)] from [$login]"
fi
LastComandNum_for_history=${num}
}
function openEuler_variable_readonly()
{
local var="$1"
local val="$2"
local ret=$(readonly -p | grep -w "${var}" | awk -F "${var}=" '{print $NF}')
if [ "${ret}" = "\"${val}\"" ]
then
return
else
export "${var}"="${val}"
readonly "${var}"
fi
}
export HISTCONTROL=''
openEuler_variable_readonly HISTTIMEFORMAT ""
openEuler_variable_readonly PROMPT_COMMAND openEuler_history
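Review bot: `openEuler_variable_readonly PROMPT_COMMAND openEuler_history` makes the variable read-only but not the function it names, so a user can `unset -f openEuler_history` or redefine it and the hook is gone; add `readonly -f openEuler_history`, and make HISTCONTROL read-only as well, since `export HISTCONTROL=''` is a plain assignment and a later `HISTCONTROL=ignorespace` keeps space-prefixed commands out of `history 1` and therefore out of the log. Two smaller points: `logger -t "[${SHELL}]"` tags the message with the login shell from /etc/passwd rather than the running shell (`$BASH` is the accurate value here), and `${msg}` is the full command line, so any password passed as a command argument ends up in syslog; the package documentation should say so.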

1004
security-tool.sh Normal file

File diff suppressed because it is too large

157
security-tool.spec Normal file
View File

@ -0,0 +1,157 @@
Summary: openEuler Security Tool
Name : security-tool
Version: 2.0
Release: 1.38
Source0: %{name}-%{version}.tar.bz2
Source1: security
Source2: security.conf
Source3: security-tool.sh
Source4: openEuler-security.service
Source5: usr-security.conf
License: Mulan PSL v1
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
Requires: bash setup pam util-linux binutils sudo crontabs cronie
Requires: shadow initscripts ca-certificates openssh rsyslog
Requires(post): systemd-units
Requires(preun): systemd-units
Requires(postun): systemd-units
BuildRequires: xauth
%description
openEuler Security Tool
%global debug_package %{nil}
%prep
%setup -q
%build
%check
%install
rm -rf $RPM_BUILD_ROOT
install -d -m0700 $RPM_BUILD_ROOT%{_sysconfdir}/openEuler_security
install -m0600 %{SOURCE1} $RPM_BUILD_ROOT%{_sysconfdir}/openEuler_security/security
install -m0400 %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/openEuler_security/security.conf
install -m0600 %{SOURCE5} $RPM_BUILD_ROOT%{_sysconfdir}/openEuler_security/usr-security.conf
install -d -m0755 $RPM_BUILD_ROOT/%{_unitdir}
install -m0644 %{SOURCE4} $RPM_BUILD_ROOT/%{_unitdir}/openEuler-security.service
install -d -m0755 $RPM_BUILD_ROOT/%{_sbindir}
install -m0500 %{SOURCE3} $RPM_BUILD_ROOT/%{_sbindir}/security-tool.sh
install -m0644 csh.precmd $RPM_BUILD_ROOT%{_sysconfdir}/csh.precmd
install -d -m0755 $RPM_BUILD_ROOT/%{_sysconfdir}/profile.d
install -m0644 zzz_openEuler_history.csh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/zzz_openEuler_history.csh
install -m0644 zzz_openEuler_history.sh $RPM_BUILD_ROOT%{_sysconfdir}/profile.d/zzz_openEuler_history.sh
install -d -m0755 $RPM_BUILD_ROOT/%{_sysconfdir}/pam.d
install -m0644 password-auth-crond $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/password-auth-crond
install -m0644 password-auth-local $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/password-auth-local
install -m0644 system-auth-local $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/system-auth-local
install -m0644 su-local $RPM_BUILD_ROOT%{_sysconfdir}/pam.d/su-local
%clean
rm -rf $RPM_BUILD_ROOT
%pre
%post
sed -i 's/password-auth$/password-auth-crond/g' /etc/pam.d/crond
if [ $1 -ge 2 ]
then
sed -i 's/readonly HISTSIZE$//g' /etc/profile
sed -i 's/readonly TMOUT$//g' /etc/profile
fi
if [ -h /etc/pam.d/system-auth ]
then
rm -f /etc/pam.d/system-auth
else
mv -f /etc/pam.d/system-auth /etc/pam.d/system-auth-bak
fi
ln -s /etc/pam.d/system-auth-local /etc/pam.d/system-auth
if [ -h /etc/pam.d/password-auth ]
then
rm -f /etc/pam.d/password-auth
else
mv -f /etc/pam.d/password-auth /etc/pam.d/password-auth-bak
fi
ln -s /etc/pam.d/password-auth-local /etc/pam.d/password-auth
if [ -h /etc/pam.d/su ]
then
rm -f /etc/pam.d/su
else
mv -f /etc/pam.d/su /etc/pam.d/su-bak
fi
ln -s /etc/pam.d/su-local /etc/pam.d/su
%systemd_post openEuler-security.service
systemctl enable openEuler-security.service
%preun
%systemd_preun openEuler-security.service
if [ $1 -eq 0 ]
then
sed -i 's/password-auth-crond$/password-auth/g' /etc/pam.d/crond
fi
%postun
%systemd_postun_with_restart openEuler-security.service
if [ $1 -eq 0 ]
then
if [ -f /etc/pam.d/su-bak ]
then
mv -f /etc/pam.d/su-bak /etc/pam.d/su
fi
if [ -f /etc/pam.d/password-auth-ac ]
then
rm -f /etc/pam.d/password-auth
ln -s /etc/pam.d/password-auth-ac /etc/pam.d/password-auth
elif [ -f /etc/pam.d/password-auth-bak ]
then
mv -f /etc/pam.d/password-auth-bak /etc/pam.d/password-auth
fi
if [ -f /etc/pam.d/system-auth-ac ]
then
rm -f /etc/pam.d/system-auth
ln -s /etc/pam.d/system-auth-ac /etc/pam.d/system-auth
elif [ -f /etc/pam.d/system-auth-bak ]
then
mv -f /etc/pam.d/system-auth-bak /etc/pam.d/system-auth
fi
fi
%files
%defattr(-,root,root)
%attr(0700,root,root) %dir %{_sysconfdir}/openEuler_security
%attr(0600,root,root) %config(noreplace) %{_sysconfdir}/openEuler_security/security
%attr(0400,root,root) %config %{_sysconfdir}/openEuler_security/security.conf
%attr(0600,root,root) %config %{_sysconfdir}/openEuler_security/usr-security.conf
%attr(0644,root,root) %{_sysconfdir}/csh.precmd
%attr(0644,root,root) %{_sysconfdir}/profile.d/zzz_openEuler_history.csh
%attr(0644,root,root) %{_sysconfdir}/profile.d/zzz_openEuler_history.sh
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/password-auth-crond
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/password-auth-local
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/system-auth-local
%attr(0644,root,root) %config(noreplace) %{_sysconfdir}/pam.d/su-local
%attr(0644,root,root) %{_unitdir}/openEuler-security.service
%attr(0500,root,root) %{_sbindir}/security-tool.sh
%changelog
* Thu Dec 19 2019 openEuler Buildteam <buildteam@openEuler.org> - 2.0-1.38
- Delete unused infomation
* Mon Nov 11 2019 openEuler Buildteam <buildteam@openEuler.org> - 2.0-1.37
- Modify License
* Mon Sep 25 2019 openEuler Buildteam <buildteam@openEuler.org> - 2.0-1.36
- Add requires
* Mon Sep 16 2019 openEuler Buildteam <buildteam@openEuler.org> - 2.0-1.35
- Package init for openEuler
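Review bot: the uninstall path in %postun can leave /etc/pam.d/su as a dangling symlink. In %post, an existing symlink is handled with `rm -f /etc/pam.d/su` and no backup is made in that branch, while %postun only restores `su-bak`; after removal `su-local` is gone and `su` points nowhere, so `su` fails for every user. The same gap exists for system-auth and password-auth when neither the `-ac` file nor a `-bak` file exists (a symlink that pointed somewhere other than the `-ac` file). Record the original link target in %post (e.g. `readlink /etc/pam.d/su` saved beside the backup) and restore it in %postun. Minor: `* Mon Sep 25 2019` in %changelog is a bogus date (25 September 2019 was a Wednesday) that rpmbuild will warn about, and `infomation` is misspelled.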

221
security.conf Normal file
View File

@ -0,0 +1,221 @@
#######################################################################################
#
# Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved.
# security-tool licensed under the Mulan PSL v1.
# You can use this software according to the terms and conditions of the Mulan PSL v1.
# You may obtain a copy of Mulan PSL v1 at:
# http://license.coscl.org.cn/MulanPSL
# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
# PURPOSE.
# See the Mulan PSL v1 for more details.
# Description: Configuration file for the security-tool.
#
#######################################################################################
########################################################################
#
# HowTo:
# # delete key, and difference caused by blankspace/tab on key is ignored
# id@d@file@key
#
# # modify option: find line started with key, and get the value changed
# id@m@file@key[@value]
#
# # modify sub-option: find line started with key, and then change the value of key2 to value2(prepostive seperator should not be blank characters) in the line
# id@M@file@key@key2[@value2]
#
# # check existence of commands
# id@which@command1 [command2 ...]
#
# # execute command on the files found
# id@find@dir@condition@command
#
# # any command(with or without parameter), such as 'rm -f','chmod 700','which','touch', used to extend functions, return 0 is ok
# id@command@file1 [file2 ...]
#
# Notes:
# 1. The comment line should start with '#'
# 2. "value" related with "key" should contain prepositive separator("="," " and so on), if there is any.
# 3. When item starts with "d", "m" or "M", "file" should be a single normal file, otherwise multi-objects(separated by blankspace) are allowed.
#
########################################################################
########################################################################
# SSH server settting
########################################################################
# Set sshd Protocol version
101@m@/etc/ssh/sshd_config@Protocol @2
102@m@/etc/ssh/sshd_config@SyslogFacility @AUTH
102@m@/etc/ssh/sshd_config@LogLevel @VERBOSE
103@m@/etc/ssh/sshd_config@X11Forwarding @no
105@m@/etc/ssh/sshd_config@PubkeyAuthentication @yes
105@m@/etc/ssh/sshd_config@RSAAuthentication @yes
# Don't read the user's ~/.rhosts and ~/.shosts files
105@m@/etc/ssh/sshd_config@IgnoreRhosts @yes
105@m@/etc/ssh/sshd_config@RhostsRSAAuthentication @no
# To disable host authentication
106@m@/etc/ssh/sshd_config@HostbasedAuthentication @no
108@m@/etc/ssh/sshd_config@PermitEmptyPasswords @no
109@m@/etc/ssh/sshd_config@PermitUserEnvironment @no
# Set sshd password algorithm
110@m@/etc/ssh/sshd_config@Ciphers @aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@@openssh.com,aes256-gcm@@openssh.com,chacha20-poly1305@@openssh.com
111@m@/etc/ssh/sshd_config@ClientAliveCountMax @0
# Make sshd print warning banner
112@m@/etc/ssh/sshd_config@Banner @/etc/issue.net
# Set sshd message authentication code algorithm
113@m@/etc/ssh/sshd_config@MACs @hmac-sha2-512,hmac-sha2-512-etm@@openssh.com,hmac-sha2-256,hmac-sha2-256-etm@@openssh.com,hmac-sha1,hmac-sha1-etm@@openssh.com
# Make sshd check file modes and ownership of the user's files and home directory before accepting login
114@m@/etc/ssh/sshd_config@StrictModes @yes
# Set this to 'yes' to enable PAM authentication, account processing, and session processing.
115@m@/etc/ssh/sshd_config@UsePAM @yes
# Set this to 'no', do not allowed TCP forwarding.
116@m@/etc/ssh/sshd_config@AllowTcpForwarding @no
# Log on sftp.
117@m@/etc/ssh/sshd_config@Subsystem sftp @/usr/libexec/openssh/sftp-server -l INFO -f AUTH
118@m@/etc/ssh/sshd_config@AllowAgentForwarding @no
119@m@/etc/ssh/sshd_config@GatewayPorts @no
120@m@/etc/ssh/sshd_config@PermitTunnel @no
#CVE-2015-4000
121@m@/etc/ssh/sshd_config@KexAlgorithms@ curve25519-sha256,curve25519-sha256@@libssh.org,diffie-hellman-group14-sha1,diffie-hellman-group-exchange-sha1,diffie-hellman-group-exchange-sha256
130@systemctl@sshd.service@restart
########################################################################
# System access and authorization
########################################################################
# close the kernel request debugging functionality
204@m@/etc/sysctl.conf@kernel.sysrq@=0
206@rm -f @/etc/motd
206@touch @/etc/motd
206@chown root:root @/etc/motd
206@chmod 644 @/etc/motd
206@m@/etc/motd@Authorized users only. All activities may be monitored and reported.
206@rm -f @/etc/issue
206@touch @/etc/issue
206@chown root:root @/etc/issue
206@chmod 644 @/etc/issue
206@m@/etc/issue@Authorized users only. All activities may be monitored and reported.
206@rm -f @/etc/issue.net
206@touch @/etc/issue.net
206@chown root:root @/etc/issue.net
206@chmod 644 @/etc/issue.net
206@m@/etc/issue.net@Authorized users only. All activities may be monitored and reported.
208@chown root:root @/etc/crontab
208@chmod og-rwx @/etc/crontab
209@chown root:root @/etc/cron.d
209@chmod og-rwx @/etc/cron.d
210@chown root:root @/etc/cron.hourly
210@chmod og-rwx @/etc/cron.hourly
211@chown root:root @/etc/cron.daily
211@chmod og-rwx @/etc/cron.daily
212@chown root:root @/etc/cron.weekly
212@chmod og-rwx @/etc/cron.weekly
213@chown root:root @/etc/cron.monthly
213@chmod og-rwx @/etc/cron.monthly
214@rm -f @/etc/at.deny
214@touch @/etc/at.allow
214@chown root:root @/etc/at.allow
214@chmod og-rwx @/etc/at.allow
215@rm -f @/etc/cron.deny
215@touch @/etc/cron.allow
215@chown root:root @/etc/cron.allow
215@chmod og-rwx @/etc/cron.allow
#rpm initscripts drop /etc/sysconfig/init defaultly
216@touch @/etc/sysconfig/init
217@m@/etc/sysconfig/init@PROMPT=@no
222@umask@user@0077
223@umask@deamon@0027
########################################################################
# Kernel parameters
########################################################################
# Disable IP forwarding
301@m@/etc/sysctl.conf@net.ipv4.ip_forward=@0
# Disable sending ICMP redirects
302@m@/etc/sysctl.conf@net.ipv4.conf.all.send_redirects=@0
302@m@/etc/sysctl.conf@net.ipv4.conf.default.send_redirects=@0
# Disable IP source routing
303@m@/etc/sysctl.conf@net.ipv4.conf.all.accept_source_route=@0
303@m@/etc/sysctl.conf@net.ipv4.conf.default.accept_source_route=@0
# Disable ICMP redirects acceptance
304@m@/etc/sysctl.conf@net.ipv4.conf.all.accept_redirects=@0
304@m@/etc/sysctl.conf@net.ipv4.conf.default.accept_redirects=@0
# Disable ICMP redirect messages only for gateways
305@m@/etc/sysctl.conf@net.ipv4.conf.all.secure_redirects=@0
305@m@/etc/sysctl.conf@net.ipv4.conf.default.secure_redirects=@0
# Disable response to broadcasts.
306@m@/etc/sysctl.conf@net.ipv4.icmp_echo_ignore_broadcasts=@1
# Enable ignoring bogus error responses
307@m@/etc/sysctl.conf@net.ipv4.icmp_ignore_bogus_error_responses=@1
# Enable route verification on all interfaces
308@m@/etc/sysctl.conf@net.ipv4.conf.all.rp_filter=@1
308@m@/etc/sysctl.conf@net.ipv4.conf.default.rp_filter=@1
# Enable TCP-SYN cookie protection
309@m@/etc/sysctl.conf@net.ipv4.tcp_syncookies=@1
# Enable preventing normal users from getting dmesg output
310@m@/etc/sysctl.conf@kernel.dmesg_restrict=@1
########################################################################
# Only Wants NetworkManager
########################################################################
401@m@/usr/lib/systemd/system/openEuler-security.service@Wants=@NetworkManager.service
401@d@/etc/sudoers@%wheel
#del SHA1 pem
402@rm -f @/etc/pki/ca-trust/extracted/pem/email-ca-bundle.pem
#limit user environment variables when used su
403@m@/etc/login.defs@ALWAYS_SET_PATH=@yes
#add umask 077 to /etc/csh.login
404@m@/etc/csh.login@umask@ 077
#disable ICMP redirects acceptance
407@m@/etc/sysctl.conf@net.ipv6.conf.all.accept_redirects=@0
407@m@/etc/sysctl.conf@net.ipv6.conf.default.accept_redirects=@0
#set LOG_UNKFAIL_ENAB to no
622@m@/etc/login.defs@LOG_UNKFAIL_ENAB @no
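Review bot: items 101 and 105 (`Protocol`, `RSAAuthentication`, `RhostsRSAAuthentication`) are SSH protocol 1 settings that OpenSSH dropped in 7.4; on a current sshd they are accepted only as deprecated no-ops and give no hardening, so remove them rather than carry them forward. Item 121 is labelled `#CVE-2015-4000` but still offers `diffie-hellman-group-exchange-sha1` and `diffie-hellman-group14-sha1`, and item 113 keeps `hmac-sha1`; if the SHA-1 variants are retained for client compatibility, say so in the comment. Items 214 and 215 delete at.deny/cron.deny and create empty at.allow/cron.allow, after which only root can run `crontab` or `at` and existing users can no longer edit their jobs; that is a deliberate lock-down but needs to be documented. Finally, values such as `aes128-gcm@@openssh.com` show that a literal `@` inside a value is escaped by doubling, yet the HowTo header never mentions it; add a note there.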

14
usr-security.conf Normal file
View File

@ -0,0 +1,14 @@
#######################################################################################
#
# Copyright (c) Huawei Technologies Co., Ltd. 2019. All rights reserved.
# security-tool licensed under the Mulan PSL v1.
# You can use this software according to the terms and conditions of the Mulan PSL v1.
# You may obtain a copy of Mulan PSL v1 at:
# http://license.coscl.org.cn/MulanPSL
# THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR
# IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR
# PURPOSE.
# See the Mulan PSL v1 for more details.
# Description: Configuration file for the usr hardening.
#
#######################################################################################
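Review bot: this file is installed 0600 and passed to the script with `-u`, but it ships empty with no statement of its format or precedence: is it the same `id@op@file@key[@value]` syntax as security.conf, and when both files carry the same id, which one wins? Add a short commented example and the precedence rule to the header. Also, the spec marks it `%config` rather than `%config(noreplace)`, so a locally edited copy is overwritten on every upgrade (the old one saved as .rpmsave); if administrators are expected to edit it, mark it noreplace.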