安全基线脚本
作者:互联网
安全基线脚本
#!/bin/bash
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin
NAME="syscheck"
HOSTNAME=`uname -n`
DATE=`date +%Y%m%d`
BASEPATH="/tmp/$NAME"
FILE="$DATE"_"$HOSTNAME"_autosh.log
VERSION=`cat /etc/redhat-release|sed -r 's/.* ([0-9]+)\..*/\1/'`
TIMESERVERIP=2.2.2.2
function check_checklog()
{
if [ ! -d $BASEPATH ]; then
mkdir -p $BASEPATH
cd $BASEPATH
touch "$FILE"
echo "$BASEPATH/$FILE create sucess!" > $BASEPATH/script.log
else
echo "$BASEPATH/$FILE already exist" > $BASEPATH/script.log
fi
>$BASEPATH/$FILE
}
function bak_file()
{
for i in /etc/passwd /etc/shadow /etc/gshadow /etc/group /etc/pam.d/password-auth-ac /etc/pam.d/system-auth-ac /etc/login.defs /etc/profile /etc/pam.d/su /etc/csh.cshrc /etc/sysctl.conf /etc/csh.login /etc/bashrc
do
if [ ! -f $i.bak ];then
cp $i{,.bak}
echo "-------------------back file finish--------------------------" >> $BASEPATH/$FILE
ls $i.bak >> $BASEPATH/$FILE
else
echo "------------------back file already existed--------------------------" >> $BASEPATH/$FILE
ls $i.bak >> $BASEPATH/$FILE
fi
done
#echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE
#echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE
}
function login_policy()
{
LOGIN_POLICY=`grep "pam_tally2.so" /etc/pam.d/password-auth-ac`
LOGIN_POLICY_1=`grep "pam_tally2.so" /etc/pam.d/system-auth-ac`
if [ -n "$LOGIN_POLICY" ];
then
sed -i '/pam_tally2.so/c\auth required pam_tally2.so deny=5 even_deny_root root_unlock_time=300' /etc/pam.d/password-auth-ac
echo "****parameter_password_auth_ac lock policy replace finish****" >> $BASEPATH/$FILE
cat /etc/pam.d/password-auth-ac|grep "pam_tally2.so" >>$BASEPATH/$FILE
else
sed -i '/^# User/a \auth required pam_tally2.so deny=5 even_deny_root root_unlock_time=300' /etc/pam.d/password-auth-ac
echo "****parameter_password_auth_ac lock policy append finish****" >> $BASEPATH/$FILE
cat /etc/pam.d/password-auth-ac|grep "pam_tally2.so" >>$BASEPATH/$FILE
fi
if [ -n "$LOGIN_POLICY_1" ];
then
sed -i '/pam_tally2.so/c\auth required pam_tally2.so deny=5 even_deny_root root_unlock_time=300' /etc/pam.d/system-auth-ac
echo "****parameter_system_auth_ac lock policy replace finish****" >> $BASEPATH/$FILE
cat /etc/pam.d/system-auth-ac|grep "pam_tally2.so" >>$BASEPATH/$FILE
else
sed -i '/^# User/a \auth required pam_tally2.so deny=5 even_deny_root root_unlock_time=300' /etc/pam.d/system-auth-ac
echo "****parameter_system_auth_ac lock policy append finish****" >> $BASEPATH/$FILE
cat /etc/pam.d/system-auth-ac|grep "pam_tally2.so" >>$BASEPATH/$FILE
fi
}
function create_user()
{
USE=linuxadmin
for i in $USE ;do
if ! id ${i} &>/dev/null ;then
useradd $i >>$BASEPATH/$FILE
echo 'q1w2e3r4'|passwd --stdin $i &> /dev/null
usermod -G wheel $USE
echo "---------------create_user $USE finish---------------" >>$BASEPATH/$FILE
id $i >>$BASEPATH/$FILE
else
echo "**** user $USE already exist**** " && exit 2
fi
done
}
function file_lock_set()
{
echo "---------------file_lock_set finish---------------" >>$BASEPATH/$FILE
for i in /etc/passwd /etc/shadow /etc/group /etc/gshadow
do
if [ `lsattr ${i} | cut -c 5` = i ];then
echo " ${i} 存在i安全属性" >> $BASEPATH/$FILE
else
chattr +i $i
lsattr $i >> $BASEPATH/$FILE
fi
done
}
function user_lock_set()
{
echo "---------------user_lock_set finish---------------" >>$BASEPATH/$FILE
for i in adm lp mail uucp operator games gopher ftp nobody nobody4 noaccess listen webservd dbus avahi mailnull smmsp nscd vcsa rpc rpcuser nfs pcap ntp haldaemon distcache apache webalizer squid xfs gdm sabayon named ;do
id $i &>/dev/null
if [ $? -eq 0 ];then
usermod -L $i &>/dev/null
#echo "****use_lock_set finish****" >>$BASEPATH/$FILE
echo "--------------------------------- " >> $BASEPATH/$FILE
echo "user $i Has been locked" >> $BASEPATH/$FILE
else
echo "--------------------------------- " >> $BASEPATH/$FILE
echo "user $i no found" >> $BASEPATH/$FILE
fi
done
}
function history_num_set()
{
HISTSIZE=`cat /etc/profile|grep HISTSIZE|head -1|awk -F[=] '{print $2}'`
if [ $HISTSIZE -eq 10 ];then
#echo -e "\033[1;34m ****保留历史命令条数为${HISTSIZE}**** \033[0m" >>$BASEPATH/$FILE
echo " ****保留历史命令条数为${HISTSIZE}****" >>$BASEPATH/$FILE
else
sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile
echo "历史命令条数更改为10" >> $BASEPATH/$FILE
#echo -e "\033[1;34m ****历史命令条数更改为${HISTSIZE}**** \033[0m" >>$BASEPATH/$FILE
source /etc/profile
fi
#echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE
#echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE
}
function change_open_file_num()
{
#change open file number
echo `echo ""` >> $BASEPATH/$FILE
echo "---------------change open file number----------------" >> $BASEPATH/$FILE
cat >> /etc/security/limits.conf <<EOF
* soft core 0
* hard core 0
* soft nproc 65535
* hard nproc 65535
* soft nofile 65535
* hard nofile 65535
EOF
grep -v "#" /etc/security/limits.conf >> $BASEPATH/$FILE
#echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE
#echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE
}
#设置只有wheel组用户才能su到root
function group_permissions_set()
{
echo "---------------group_permissions_set finish---------------" >>$BASEPATH/$FILE
sed -i '/pam_rootok.so/a\auth required pam_wheel.so group=wheel' /etc/pam.d/su
ls "/etc/pam.d/su" >>$BASEPATH/$FILE
grep -v "#" /etc/pam.d/su | grep wheel.so >>$BASEPATH/$FILE
#echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE
#echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE
}
#设置用户umask
function user_permissions_set()
{
echo "---------------user_permissions_set finish---------------" >>$BASEPATH/$FILE
sed -i '/UMASK/c \UMASK 027' /etc/login.defs
ls /etc/login.defs >>$BASEPATH/$FILE
grep UMASK /etc/login.defs >>$BASEPATH/$FILE
echo "-------------------------------------------------" >>$BASEPATH/$FILE
sed -i '/^[[:space:]]/s/umask 002/umask 077/g' /etc/bashrc
ls /etc/bashrc >>$BASEPATH/$FILE
grep -v "#" /etc/bashrc | grep umask >>$BASEPATH/$FILE
echo "-------------------------------------------------" >>$BASEPATH/$FILE
sed -i '/^[[:space:]]/s/umask 002/umask 077/g' /etc/profile
ls /etc/profile >>$BASEPATH/$FILE
grep -v "#" /etc/profile | grep umask >>$BASEPATH/$FILE
echo "-------------------------------------------------" >>$BASEPATH/$FILE
sed -i '/^[[:space:]]/s/umask 002/umask 077/g' /etc/csh.cshrc
ls /etc/csh.cshrc >>$BASEPATH/$FILE
grep -v "#" /etc/csh.cshrc | grep umask >>$BASEPATH/$FILE
echo "-------------------------------------------------" >>$BASEPATH/$FILE
sed -i '/^setenv/a \set umask 077' /etc/csh.login
ls /etc/csh.login >>$BASEPATH/$FILE
grep -v "#" /etc/csh.login | grep umask >>$BASEPATH/$FILE
echo "-------------------------------------------------" >>$BASEPATH/$FILE
#echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE
#echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE
}
function system_dir_file_permissions_set()
{
chmod 750 /etc/rc0.d/ >> $BASEPATH/$FILE
chmod 750 /etc/rc1.d/ >> $BASEPATH/$FILE
chmod 750 /etc/rc2.d/ >> $BASEPATH/$FILE
chmod 750 /etc/rc3.d/ >> $BASEPATH/$FILE
chmod 750 /etc/rc4.d/ >> $BASEPATH/$FILE
chmod 750 /etc/rc5.d/ >> $BASEPATH/$FILE
chmod 750 /etc/rc6.d/ >> $BASEPATH/$FILE
chmod 750 /etc/rc.d/init.d/ >> $BASEPATH/$FILE
chmod 750 /tmp >> $BASEPATH/$FILE
#chmod 600 /etc/xinetd.conf >> $BASEPATH/$FILE
chmod 600 /etc/security >> $BASEPATH/$FILE
#chmod 400 /etc/shadow
#chmod 644 /etc/passwd
#chmod 644 /etc/services
#chmod 644 /etc/group
if [ -f /etc/xinetd.conf ];then
chmod 600 /etc/xinetd.conf >> $BASEPATH/$FILE
else
echo "/etc/xinetd.conf no found" >> $BASEPATH/$FILE
fi
echo "---------------system_dir_file_permissions_set finish---------------" >> $BASEPATH/$FILE
ls -ld /etc/rc0.d/ >> $BASEPATH/$FILE
ls -ld /etc/rc1.d/ >> $BASEPATH/$FILE
ls -ld /etc/rc2.d/ >> $BASEPATH/$FILE
ls -ld /etc/rc3.d/ >> $BASEPATH/$FILE
ls -ld /etc/rc4.d/ >> $BASEPATH/$FILE
ls -ld /etc/rc5.d/ >> $BASEPATH/$FILE
ls -ld /etc/rc.d/init.d/ >> $BASEPATH/$FILE
ls -ld /tmp >> $BASEPATH/$FILE
#ls /etc/xinetd.conf >> $BASEPATH/$FILE
ls -ld /etc/security >> $BASEPATH/$FILE
ls -l /etc/shadow >> $BASEPATH/$FILE
ls -l /etc/passwd >> $BASEPATH/$FILE
ls -l /etc/services >> $BASEPATH/$FILE
ls -l /etc/group >> $BASEPATH/$FILE
if [ -f /etc/xinetd.conf ];then
ls -l /etc/xinetd.conf >> $BASEPATH/$FILE
else
echo "/etc/xinetd.conf no found" >> $BASEPATH/$FILE
fi
#echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE
#echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE
}
function sys_kernel_parameter_set()
{
echo "---------------sys_kernel_parameter_set finish---------------" >>$BASEPATH/$FILE
ls /etc/sysctl.conf >>$BASEPATH/$FILE
echo "net.ipv4.conf.all.accept_redirects=0" >> /etc/sysctl.conf
echo "net.ipv4.icmp_echo_ignore_broadcasts=1" >> /etc/sysctl.conf
echo "net.ipv4.ip_forward=0" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.send_redirects=0" >> /etc/sysctl.conf
echo "net.ipv4.conf.all.accept_source_route=0" >> /etc/sysctl.conf
sysctl -p >>$BASEPATH/$FILE
#echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE
#echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE
}
function rhel6_stop_service()
{
#set banner
echo `echo ""` >> $BASEPATH/$FILE
echo "---------------set banner----------------" >> $BASEPATH/$FILE
echo '"Authorized access only"' > /etc/motd
cat /etc/motd >> $BASEPATH/$FILE
#stop NetworkManager
#echo `echo ""` >> $BASEPATH/$FILE
#echo "---------------stop NetworkManager---------------" >> $BASEPATH/$FILE
#/etc/init.d/NetworkManager stop >> $BASEPATH/$FILE
#chkconfig NetworkManager off >> $BASEPATH/$FILE
#chkconfig --list | grep NetworkManager >> $BASEPATH/$FILE
#stop iptables
echo `echo ""` >> $BASEPATH/$FILE
echo "---------------stop iptables---------------" >> $BASEPATH/$FILE
#iptables -F
#/etc/init.d/iptables stop >> $BASEPATH/$FILE
#/etc/init.d/ip6tables stop >> $BASEPATH/$FILE
#chkconfig iptables off >> $BASEPATH/$FILE
#chkconfig ip6tables off >> $BASEPATH/$FILE
#chkconfig --list | grep iptables >> $BASEPATH/$FILE
#chkconfig --list | grep ip6tables >> $BASEPATH/$FILE
#stop selinux
echo `echo ""` >> $BASEPATH/$FILE
echo "---------------set selinux---------------" >> $BASEPATH/$FILE
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
grep "disabled" /etc/selinux/config >> $BASEPATH/$FILE
#stop telnet_server
#echo `echo ""` >> $BASEPATH/$FILE
#echo "---------------remove telnet server---------------" >> $BASEPATH/$FILE
#yum remove telnet-server -y >> $BASEPATH/$FILE
#set root romote access
echo `echo ""` >> $BASEPATH/$FILE
echo "---------------set root romote access---------------" >> $BASEPATH/$FILE
sed -i s/#PermitRootLogin\ yes/PermitRootLogin\ no/ /etc/ssh/sshd_config
grep "PermitRootLogin" /etc/ssh/sshd_config >> $BASEPATH/$FILE
/etc/init.d/sshd restart >> $BASEPATH/$FILE
chkconfig --list | grep sshd >> $BASEPATH/$FILE
#stop OS other services
echo "---------------stop OS other services---------------" >> $BASEPATH/$FILE
for i in acpid bluetooth postfix rhnsd rhsmcertd
do
rpm -qa | grep $i &>/dev/null
if [ $? -eq 0 ];then
chkconfig $i off >> $BASEPATH/$FILE
else
echo " $i services no found " >> $BASEPATH/$FILE
fi
chkconfig --list | grep $i >> $BASEPATH/$FILE
done
}
function rhel6_pass_policy()
{
awk '$1 ~ /PASS_MAX_DAYS/{$2="\t"90}1' /etc/login.defs 1<>/etc/login.defs
awk '$1 ~ /PASS_MIN_DAYS/{$2="\t"6}1' /etc/login.defs 1<>/etc/login.defs
awk '$1 ~ /PASS_MIN_LEN/{$2="\t"8}1' /etc/login.defs 1<>/etc/login.defs
awk '$1 ~ /PASS_WARN_AGE/{$2="\t"30}1' /etc/login.defs 1<>/etc/login.defs
echo "------------password controls set finish-----------------" >> $BASEPATH/$FILE
sed -n '25,28p' /etc/login.defs >> $BASEPATH/$FILE
CRACK_PASS_POLICY=`grep "pam_cracklib.so" /etc/pam.d/password-auth-ac`
CRACK_SYS_POLICY=`grep "pam_cracklib.so" /etc/pam.d/system-auth-ac`
UNIX_PASS_POLICY=`grep "pam_unix.so" /etc/pam.d/password-auth-ac`
UNIX_SYS_POLICY=`grep "pam_unix.so" /etc/pam.d/system-auth-ac`
if [ -n "$CRACK_PASS_POLICY" ];
then
sed -i '/type=/c \password requisite pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ocredit=-1 ucredit=-1 lcredit=1 minclass=3 minlen=8' /etc/pam.d/password-auth-ac
echo "parameter_password_auth_ac cracklib.so replace finish" >> $BASEPATH/$FILE
cat /etc/pam.d/password-auth-ac|grep "pam_cracklib.so" >>$BASEPATH/$FILE
else
sed -i '$a \password requisite pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ocredit=-1 ucredit=-1 lcredit=1 minclass=3 minlen=8' /etc/pam.d/password-auth-ac
echo "parameter_password_auth_ac cracklib.so append finish" >> $BASEPATH/$FILE
cat /etc/pam.d/password-auth-ac|grep "pam_cracklib.so" >>$BASEPATH/$FILE
fi
if [ -n "$CRACK_SYS_POLICY" ];
then
sed -i '/type=/c \password requisite pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ocredit=-1 ucredit=-1 lcredit=1 minclass=3 minlen=8' /etc/pam.d/system-auth-ac
echo "parameter_system_auth_ac cracklib.so replace finish" >> $BASEPATH/$FILE
cat /etc/pam.d/system-auth-ac|grep "pam_cracklib.so" >>$BASEPATH/$FILE
else
sed -i '$a \password requisite pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ocredit=-1 ucredit=-1 lcredit=1 minclass=3 minlen=8' /etc/pam.d/system-auth-ac
echo "parameter_system_auth_ac pam_cracklib.so append finish" >> $BASEPATH/$FILE
cat /etc/pam.d/system-auth-ac|grep "pam_cracklib.so" >>$BASEPATH/$FILE
fi
if [ -n "$UNIX_PASS_POLICY" ];
then
sed -i '/use_authtok/c \password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=6' /etc/pam.d/password-auth-ac
echo "parameter_password_auth_ac unix.so replace finish" >> $BASEPATH/$FILE
cat /etc/pam.d/password-auth-ac|grep "pam_unix.so" >>$BASEPATH/$FILE
else
sed -i '$a \password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=6' /etc/pam.d/password-auth-ac
echo "parameter_password_auth_ac unix.so append finish" >> $BASEPATH/$FILE
cat /etc/pam.d/password-auth-ac|grep "pam_unix.so" >>$BASEPATH/$FILE
fi
if [ -n "$UNIX_SYS_POLICY" ];
then
sed -i '/use_authtok/c \password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=6' /etc/pam.d/system-auth-ac
echo "parameter_system_auth_ac unix.so replace finish" >> $BASEPATH/$FILE
cat /etc/pam.d/system-auth-ac|grep "pam_unix.so" >>$BASEPATH/$FILE
else
sed -i '$a \password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=6' /etc/pam.d/system-auth-ac
echo "parameter_system_auth_ac unix.so append finish" >> $BASEPATH/$FILE
cat /etc/pam.d/system-auth-ac|grep "pam_unix.so" >>$BASEPATH/$FILE
fi
#echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE
#echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE
}
function rhel6_para_set()
{
grep "TMOUT=300" /etc/profile >> $BASEPATH/$FILE
if [ $? -eq 0 ];
then
echo "TMOUT already set" >> $BASEPATH/$FILE
else
sed -i '$a \export TMOUT=300' /etc/profile
grep "TMOUT" /etc/profile >> $BASEPATH/$FILE
fi
#modify default init
#grep "id:3:initdefault:" /etc/inittab
#if [ $? -eq 0 ];
#then
#sed -i '/^id/d' /etc/inittab
#sed -i '$c \id:3:initdefault:' /etc/inittab
#echo "inittab change finish" >> $BASEPATH/$FILE
#else
#sed -i '/^id/d' /etc/inittab
#sed -i '$a \id:3:initdefault:' /etc/inittab
#echo "inittab append finish" >> $BASEPATH/$FILE
#fi
#echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE
#echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE
}
function rhel6_timeserver_set()
{
rpm -qa | grep ntp &>/dev/null
if [ $? -eq 0 ];then
sed -i '/^# Please/a server '$TIMESERVERIP' iburst' /etc/ntp.conf
echo "--------------------ntp server set finish---------------------" >> $BASEPATH/$FILE
ls /etc/ntp.conf >> $BASEPATH/$FILE
sed -n '22p' /etc/ntp.conf >> $BASEPATH/$FILE
else
echo "ntp server no found"
fi
}
function rhel7_timeserver_set()
{
rpm -qa | grep chrony &>/dev/null
if [ $? -eq 0 ];then
sed -i '/^# Please/a server '$TIMESERVERIP' iburst' /etc/chrony.conf
echo "--------------------chrony server set finish---------------------" >> $BASEPATH/$FILE
ls /etc/chrony.conf >> $BASEPATH/$FILE
sed -n '3p' /etc/chrony.conf >> $BASEPATH/$FILE
else
echo "chronyd server no found start install"
yum -y install chrony &>/dev/null
if [ $? -eq 0 ];then
echo " chrony install finish " >> $BASEPATH/$FILE
sed -i '/^# Please/a server '$TIMESERVERIP' iburst' /etc/chrony.conf
echo "--------------------chrony server set finish---------------------" >> $BASEPATH/$FILE
ls /etc/chrony.conf >> $BASEPATH/$FILE
sed -n '3p' /etc/chrony.conf >> $BASEPATH/$FILE
else
echo "chrony install failed" >> $BASEPATH/$FILE
fi
fi
echo "-----------------------------------------------------------------" >> $BASEPATH/$FILE
}
function rhel7_stop_service()
{
#set banner
echo `echo ""` >> $BASEPATH/$FILE
echo "---------------set banner----------------" >> $BASEPATH/$FILE
echo '"Authorized access only"' > /etc/motd
cat /etc/motd >> $BASEPATH/$FILE
#stop NetworkManager
#echo `echo ""` >> $BASEPATH/$FILE
#echo "---------------stop NetworkManager---------------" >> $BASEPATH/$FILE
#systemctl stop NetworkManager >> $BASEPATH/$FILE
#systemctl disable NetworkManager >> $BASEPATH/$FILE
#systemctl list-unit-files | grep NetworkManager >> $BASEPATH/$FILE
#stop iptables
echo `echo ""` >> $BASEPATH/$FILE
echo "---------------stop firewall---------------" >> $BASEPATH/$FILE
iptables -F
systemctl stop firewalld >> $BASEPATH/$FILE
systemctl disable firewalld >> $BASEPATH/$FILE
systemctl list-unit-files | grep firewalld >> $BASEPATH/$FILE
#stop selinux
echo `echo ""` >> $BASEPATH/$FILE
echo "---------------set selinux---------------" >> $BASEPATH/$FILE
sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
grep "disabled" /etc/selinux/config >> $BASEPATH/$FILE
#stop telnet_server
#echo `echo ""` >> $BASEPATH/$FILE
#echo "---------------remove telnet server---------------" >> $BASEPATH/$FILE
#yum remove telnet-server -y >> $BASEPATH/$FILE
#set root romote access
echo `echo ""` >> $BASEPATH/$FILE
echo "---------------set root romote access---------------" >> $BASEPATH/$FILE
sed -i s/#PermitRootLogin\ yes/PermitRootLogin\ no/ /etc/ssh/sshd_config
grep "PermitRootLogin" /etc/ssh/sshd_config >> $BASEPATH/$FILE
systemctl restart sshd >> $BASEPATH/$FILE
systemctl list-unit-files | grep sshd.service >> $BASEPATH/$FILE
#stop OS other services
echo "---------------stop OS other services---------------" >> $BASEPATH/$FILE
for i in bluetooth.target postfix rhnsd rhsmcertd
do
rpm -qa | grep $i &>/dev/null
if [ $? -eq 0 ];then
systemctl stop $i &>/dev/null
systemctl disable $i &>/dev/null
else
echo " $i services no found " >> $BASEPATH/$FILE
fi
systemctl list-unit-files | grep $i >> $BASEPATH/$FILE
done
#echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE
#echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE
}
function rhel7_pass_policy()
{
awk '$1 ~ /PASS_MAX_DAYS/{$2="\t"90}1' /etc/login.defs 1<>/etc/login.defs
awk '$1 ~ /PASS_MIN_DAYS/{$2="\t"6}1' /etc/login.defs 1<>/etc/login.defs
awk '$1 ~ /PASS_MIN_LEN/{$2="\t"8}1' /etc/login.defs 1<>/etc/login.defs
awk '$1 ~ /PASS_WARN_AGE/{$2="\t"30}1' /etc/login.defs 1<>/etc/login.defs
echo "------------password controls set finish-----------------" >> $BASEPATH/$FILE
sed -n '25,28p' /etc/login.defs >> $BASEPATH/$FILE
PWQUALITY_PASS_POLICY=`grep "pam_pwquality.so" /etc/pam.d/password-auth-ac`
PWQUALITY_SYS_POLICY=`grep "pam_pwquality.so" /etc/pam.d/system-auth-ac`
UNIX_PASS_POLICY=`grep "pam_unix.so" /etc/pam.d/password-auth-ac`
UNIX_SYS_POLICY=`grep "pam_unix.so" /etc/pam.d/system-auth-ac`
#retry 定义登录/修改密码失败时,可以重试的次数
#minlen 定义用户密码的最小长度为8位
#lcredit=-1 定义用户密码中最少有1个小写字母
#dcredit=-1 定义用户密码中最少有1个数字
#ocredit=-1 定义用户密码中最少有1个特殊字符
#ucredit=-2 定义用户密码中最少有2个大写字母
#remember=5 修改用户密码时最近5次用过的旧密码就不能重用了
if [ -n "$PWQUALITY_PASS_POLICY" ];
then
sed -i '/authtok_type=/c \password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= dcredit=-1 ocredit=-1 ucredit=-1 lcredit=1 minclass=3 minlen=8' /etc/pam.d/password-auth-ac
echo "parameter_password_auth_ac pam_pwquality.so replace finish" >> $BASEPATH/$FILE
cat /etc/pam.d/password-auth-ac|grep "pam_pwquality.so" >>$BASEPATH/$FILE
else
sed -i '$a \password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= dcredit=-1 ocredit=-1 ucredit=-1 lcredit=1 minclass=3 minlen=8' /etc/pam.d/password-auth-ac
echo "parameter_password_auth_ac cracklib.so append finish" >> $BASEPATH/$FILE
cat /etc/pam.d/password-auth-ac|grep "pam_cracklib.so" >>$BASEPATH/$FILE
fi
if [ -n "$PWQUALITY_SYS_POLICY" ];
then
sed -i '/authtok_type=/c \password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= dcredit=-1 ocredit=-1 ucredit=-1 lcredit=1 minclass=3 minlen=8' /etc/pam.d/system-auth-ac
echo "parameter_system_auth_ac pam_pwquality.so replace finish" >> $BASEPATH/$FILE
cat /etc/pam.d/system-auth-ac|grep "pam_pwquality.so" >>$BASEPATH/$FILE
else
sed -i '$a \password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= dcredit=-1 ocredit=-1 ucredit=-1 lcredit=1 minclass=3 minlen=8' /etc/pam.d/system-auth-ac
echo "parameter_system_auth_ac pam_pwquality.so append finish" >> $BASEPATH/$FILE
cat /etc/pam.d/system-auth-ac|grep "pam_pwquality.so" >>$BASEPATH/$FILE
fi
if [ -n "$UNIX_PASS_POLICY" ];
then
sed -i '/use_authtok/c \password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=6' /etc/pam.d/password-auth-ac
echo "parameter_password_auth_ac unix.so replace finish" >> $BASEPATH/$FILE
cat /etc/pam.d/password-auth-ac|grep "pam_unix.so" >>$BASEPATH/$FILE
else
sed -i '$a \password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=6' /etc/pam.d/password-auth-ac
echo "parameter_password_auth_ac unix.so append finish" >> $BASEPATH/$FILE
cat /etc/pam.d/password-auth-ac|grep "pam_unix.so" >>$BASEPATH/$FILE
fi
if [ -n "$UNIX_SYS_POLICY" ];
then
sed -i '/use_authtok/c \password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=6' /etc/pam.d/system-auth-ac
echo "parameter_system_auth_ac unix.so replace finish" >> $BASEPATH/$FILE
cat /etc/pam.d/system-auth-ac|grep "pam_unix.so" >>$BASEPATH/$FILE
else
sed -i '$a \password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=6' /etc/pam.d/system-auth-ac
echo "parameter_system_auth_ac unix.so append finish" >> $BASEPATH/$FILE
cat /etc/pam.d/system-auth-ac|grep "pam_unix.so" >>$BASEPATH/$FILE
fi
#echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE
#echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE
}
function rhel7_para_set()
{
grep "TMOUT=300" /etc/profile
if [ $? -eq 0 ];
then
echo "TMOUT already set" >> $BASEPATH/$FILE
else
sed -i '$a \export TMOUT=300' /etc/profile
grep "TMOUT" /etc/profile >> $BASEPATH/$FILE
fi
#systemctl set-default multi-user.target >> $BASEPATH/$FILE
#systemctl get-default >> $BASEPATH/$FILE
echo "rhel7 parameter set finished" >> $BASEPATH/$FILE
#echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE
#echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE
}
check_checklog
login_policy
create_user
bak_file
file_lock_set
user_lock_set
group_permissions_set
user_permissions_set
system_dir_file_permissions_set
sys_kernel_parameter_set
history_num_set
change_open_file_num
if [ $VERSION = 6 ];then
rhel6_stop_service
rhel6_pass_policy
rhel6_para_set
rhel6_timeserver_set
echo "centos 6 init finish" >>$BASEPATH/$FILE
#echo "centos $VERSION 设置完成,输出结果保存在$BASEPATH目录下$FILE文件中"
echo -e "\033[1;34m 输出结果在$BASEPATH目录下$FILE文件中 \033[0m"
else
[ $VERSION = 7 ]
rhel7_stop_service
rhel7_pass_policy
rhel7_para_set
rhel7_timeserver_set
echo "centos 7 init finish" >>$BASEPATH/$FILE
#echo "centos $VERSION 设置完成,输出结果保存在$BASEPATH目录下$FILE文件中"
echo -e "\033[1;34m 输出结果在$BASEPATH目录下$FILE文件中 \033[0m"
fi标签:脚本,etc,BASEPATH,auth,echo,安全,基线,FILE,pam 来源: https://blog.51cto.com/13768323/2678464