CentOS基线脚本，三级等保服务器系统安全配置脚本_centos 日志 等保三

本基线脚本为自己所写，仅适用于Centos7，SUSE，TencentOS2.4系统

基线脚本主要包含以下内容

1. 密码复杂度：8-32位，同时包含大小写字母，特殊字符
2. 密码有效期：不超过90天
3. 登录限制：密码输入错误连续5次账号临时锁定
4. 连接超时：系统登录10-30分钟不活动，自动断开连接
5. 分配三个用户：系统管理员，审计管理员，安全管理员
6. 锁定或删除shutdown、halt帐户
7. 启用安全审计功能：开启auditd，rsyslog服务
8. 禁用telnet.socket服务
9. 系统日志保留时间：不小于180天

自动检测/配置脚本

#! /bin/bash

#检查系统版本
function CheckSystem() {
    system\_version=''
    if [[ -e /etc/os-release ]]; then
        source /etc/os-release 
        system\_version=${system\_version}"PRETTY\_NAME: $PRETTY\_NAME, "
	else
		system\_version=${system\_version}"PRETTY\_NAME: `cat /etc/issue|head -n 1`, "
    fi
    var=${system\_version%??}
    echo "......${var}......"
}

#检查密码有效期
function CheckPassMaxDays() {
	PASS\_MAX\_DAYS=`cat /etc/login.defs | grep PASS\_MAX\_DAYS | grep -v ^# | awk '{print $2}'`
	if [ -z $PASS\_MAX\_DAYS ];then		
		sed -i 's/#PASS\_MAX\_DAYS/PASS\_MAX\_DAYS/' /etc/login.defs
		PASS\_MAX\_DAYS=`cat /etc/login.defs | grep PASS\_MAX\_DAYS | grep -v ^# | awk '{print $2}'`
	fi
	if [ -z $PASS\_MAX\_DAYS ];then
		echo "............[N] Password Validity Period: Reset failed"
	elif [ $PASS\_MAX\_DAYS -le 90 -a $PASS\_MAX\_DAYS -ge 30 ];then
		echo "......[Y] Password Validity Period: $PASS\_MAX\_DAYS days"
	else
		sed -i '/PASS\_MAX\_DAYS/s/'"${PASS\_MAX\_DAYS}"'/90/g' /etc/login.defs
 PASS\_MAX\_DAYS=`cat /etc/login.defs | grep PASS\_MAX\_DAYS | grep -v ^# | awk '{print $2}'`
 if [ $PASS\_MAX\_DAYS -le 90 -a $PASS\_MAX\_DAYS -ge 30 ];then
 echo "......[Y] Password Validity Period: $PASS\_MAX\_DAYS days"
 else
 echo "............[N] Password Validity Period: Reset failed"
 fi
 fi
}

#检查日志保留时间
function CheckLogBackupTime() {

 Log\_Backup\_Time=`cat /etc/logrotate.conf |head -n 10|grep "rotate "| grep -v ^# | head -n 1|awk '{print $2}'`
 if [ -z $Log\_Backup\_Time ];then
 
 sed -i 's/#rotate/rotate/' /etc/logrotate.conf
		Log\_Backup\_Time=`cat /etc/logrotate.conf |head -n 10|grep "rotate "| grep -v ^# | head -n 1|awk '{print $2}'`
	fi
	if [ -z $Log\_Backup\_Time ];then
		echo "............[N] Log backup Time,Configuration does not exist"
	elif [ $Log\_Backup\_Time  -ge 26 ];then
		echo "......[Y] Log backup Time: $Log\_Backup\_Time weeks"
	else
		sed -i '/rotate/s/'"${Log\_Backup\_Time}"'/26/g' /etc/logrotate.conf
 Log\_Backup\_Time=`cat /etc/logrotate.conf |head -n 10|grep "rotate "| grep -v ^# | head -n 1|awk '{print $2}'`
 if [ $Log\_Backup\_Time -ge 26 ];then
 echo "......[Y] Log backup Time: $Log\_Backup\_Time weeks"
 else
 echo "............[N] Log backup Time,Reset failed"
 fi
 fi
}

#检查会话超时时间
function CheckConnectionTimeout() {
 Connection\_Timeout=`cat /etc/profile | grep 'export TMOUT' | grep -v ^# | cut -d= -f2`
 if [ -z $Connection\_Timeout ];then
 sed -i '$a export TMOUT=1800' /etc/profile
 elif [ $Connection\_Timeout -gt 1800 -o $Connection\_Timeout -lt 600 ];then
 sed -i '/TMOUT/s/'"${Connection\_Timeout}"'/1800/g' /etc/profile
 fi
 source /etc/profile
 Connection\_Timeout=`cat /etc/profile | grep 'export TMOUT' | grep -v ^# | cut -d= -f2`
 if [ $Connection\_Timeout -le 1800 -a $Connection\_Timeout -ge 600 ];then
 echo "......[Y] Connection timeout: $Connection\_Timeout seconds"
 else
 echo "............[N] Connection timeout: Reset failed"
 fi

}

#检查共享账户
function CheckSharedUser() {
 usermod -L shutdown 2>/dev/null
 usermod -L halt 2>/dev/null
 echo "......[Y] Shared user: Locked"
}

#检查审计策略
function CheckAuditLogs() {
 Audit\_Logs=`auditctl -s | grep enabled | awk '{print $2}'`
 if [ $Audit\_Logs -ne 1 ];then
 systemctl start auditd
 systemctl enable auditd
 fi
 Audit\_Logs=`auditctl -s | grep enabled | awk '{print $2}'`
 if [ $Audit\_Logs -eq 1 ];then
 echo "......[Y] Audit Policy: $Audit\_Logs Enable"
 else
 echo "............[N] Audit Policy: $Audit\_Logs Disabled"
 fi
}

#检查分权账户
function CheckAuthorizedUser() {
 shenji=`cat /etc/passwd |grep shenji | grep -v ^# | cut -d: -f 1`
 anquan=`cat /etc/passwd |grep anquan | grep -v ^# | cut -d: -f 1`
 sysadmin=`cat /etc/passwd |grep sysadmin | grep -v ^# | cut -d: -f 1`
 if [ -z $shenji ];then
 useradd shenji
 echo shenji:In123!@#123|chpasswd
 sed -i '$a shenji ALL = (root) NOPASSWD: /usr/bin/cat , /usr/bin/less , /usr/bin/more , /usr/bin/tail , /usr/bin/head' /etc/sudoers
 fi
 if [ -z $anquan ];then
 useradd anquan
 echo anquan:In123!@#123|chpasswd
 fi
 if [ -z $sysadmin ];then
 useradd sysadmin
 echo sysadmin:In123!@#123|chpasswd
 fi
 shenji=`cat /etc/passwd |grep shenji | grep -v ^# | cut -d: -f 1`
 anquan=`cat /etc/passwd |grep anquan | grep -v ^# | cut -d: -f 1`
 sysadmin=`cat /etc/passwd |grep sysadmin | grep -v ^# | cut -d: -f 1`
 if [ -z $shenji -o -z $anquan -o -z $sysadmin ];then
 echo "............[N] Authorized user: $shenji, $anquan, $sysadmin"
 else
 echo "......[Y] Authorized user: $shenji, $anquan, $sysadmin"
 fi
}

#检查登录失败锁定配置CentOS
function CheckLoginFailureLock\_CentOS() {
 Login\_Failure\_Lock=`grep "pam\_tally2.so" /etc/pam.d/system-auth| grep -v ^#|head -n 1|awk '{print $7}'`
 if [ -z $Login\_Failure\_Lock ];then
 sed -i '/pam_tally2.so/s/#auth/auth/g' /etc/pam.d/system-auth
		Login\_Failure\_Lock=`grep "pam\_tally2.so" /etc/pam.d/system-auth| grep -v ^#|head -n 1|awk '{print $7}'`
	fi 
	if [ -z $Login\_Failure\_Lock ];then
			sed -i '$a auth required pam\_tally2.so onerr=fail audit silent dent=5 unlock\_time=600 even\_deny\_root root\_unlock\_time=600' /etc/pam.d/system-auth
	else
		Login\_Failure\_Lock=`grep "pam\_tally2.so onerr=fail audit silent dent=5 unlock\_time=600" /etc/pam.d/system-auth| grep -v ^#|awk '{print $7}'`
		if [ -z $Login\_Failure\_Lock ];then
			sed -i '/pam\_tally2.so/s/auth/#auth/g' /etc/pam.d/system-auth
			sed -i '$a auth required pam\_tally2.so onerr=fail audit silent dent=5 unlock\_time=600 even\_deny\_root root\_unlock\_time=600' /etc/pam.d/system-auth
		fi
	fi
	Login\_Failure\_Lock=`grep "pam\_tally2.so onerr=fail audit silent dent=5 unlock\_time=600" /etc/pam.d/system-auth| grep -v ^#|awk '{print $7","$8","$10}'`
	if [ -z $Login\_Failure\_Lock ];then
		echo "............[N] Login Failure Lock: Reset failed"
	else
		echo "......[Y] Login Failure Lock: $Login\_Failure\_Lock"
	fi

}

#检查登录失败锁定配置SUSE
function CheckLoginFailureLock\_SUSE() {
	Login\_Failure\_Number=`cat /etc/login.defs | grep LOGIN\_RETRIES | grep -v ^# | awk '{print $2}'`	
	if [ -z $Login\_Failure\_Number ];then		
		sed -i 's/#LOGIN\_RETRIES/LOGIN\_RETRIES/' /etc/login.defs
		Login\_Failure\_Number=`cat /etc/login.defs | grep LOGIN\_RETRIES | grep -v ^# | awk '{print $2}'`
	fi
	if [ -z $Login\_Failure\_Number ];then
		echo "............[N] Number of login failures: No configuration"
	elif [ $Login\_Failure\_Number -le 8 -a $Login\_Failure\_Number -ge 3 ];then
		echo "......[Y] Number of login failures: $Login\_Failure\_Number"
	else
		sed -i '/LOGIN\_RETRIES/s/'"${Login\_Failure\_Number}"'/5/g' /etc/login.defs
 Login\_Failure\_Number=`cat /etc/login.defs | grep LOGIN\_RETRIES | grep -v ^# | awk '{print $2}'`
 if [ $Login\_Failure\_Number -le 8 -a $Login\_Failure\_Number -ge 3 ];then
 echo "......[Y] Number of login failures: $Login\_Failure\_Number"
 else
 echo "............[N] Number of login failures: No configuration"
 fi
 fi
 
 Login\_Failure\_Time=`cat /etc/login.defs | grep LOGIN\_TIMEOUT | grep -v ^# | awk '{print $2}'`
 if [ -z $Login\_Failure\_Time ];then 
 sed -i 's/#LOGIN\_TIMEOUT/LOGIN\_TIMEOUT/' /etc/login.defs
		Login\_Failure\_Time=`cat /etc/login.defs | grep LOGIN\_TIMEOUT | grep -v ^# | awk '{print $2}'`
	fi
	if [ -z $Login\_Failure\_Time ];then
		echo "............[N] Login failure lock time: Reset failed"
	elif [ $Login\_Failure\_Time -le 1800 -a $Login\_Failure\_Time -ge 300 ];then
		echo "......[Y] Login failure lock time: $Login\_Failure\_Time seconds"
	else
		sed -i '/LOGIN\_TIMEOUT/s/'"${Login\_Failure\_Time}"'/300/g' /etc/login.defs
 Login\_Failure\_Time=`cat /etc/login.defs | grep LOGIN\_TIMEOUT | grep -v ^# | awk '{print $2}'`
 if [ $Login\_Failure\_Time -le 1800 -a $Login\_Failure\_Time -ge 300 ];then
 echo "......[Y] Login failure lock time: $Login\_Failure\_Time seconds"
 else
 echo "............[N] Login failure lock time: Reset failed"
 fi
 fi
 
}


#检查密码策略CentOS
function CheckPasswordPolicy\_CentOS() {
 Password\_Policy=`grep "pam\_cracklib.so" /etc/pam.d/system-auth| grep -v ^#|awk '{print $4}'`
 if [ -z $Password\_Policy ];then
 sed -i '/pam_cracklib.so/s/#password/password/g' /etc/pam.d/system-auth
		Password\_Policy=`grep "pam\_cracklib.so" /etc/pam.d/system-auth| grep -v ^#|awk '{print $4}'`
	fi 
	if [ -z $Password\_Policy ];then
			sed -i '$a password requisite pam\_cracklib.so minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1' /etc/pam.d/system-auth
	else
		Password\_Policy=`grep "pam\_cracklib.so minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1" /etc/pam.d/system-auth| grep -v ^#|awk '{print $4}'`
		if [ -z $Password\_Policy ];then
			sed -i '/pam\_cracklib.so/s/password/#password/g' /etc/pam.d/system-auth
			sed -i '$a password requisite pam\_cracklib.so minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1' /etc/pam.d/system-auth
		fi
	fi
	Password\_Policy=`grep "pam\_cracklib.so minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1" /etc/pam.d/system-auth| grep -v ^#|awk '{print $4","$5","$6","$7","$8}'`
	if [ -z $Password\_Policy ];then
		echo "............[N] Password Policy: Reset failed"
	else
		echo "......[Y] Password Policy: $Password\_Policy"
	fi
}

#检查密码策略SUSE
function CheckPasswordPolicy\_SUSE() {
	Password\_Policy=`grep "pam\_cracklib.so" /etc/pam.d/common-password| grep -v ^#|awk '{print $4}'`
	if [ -z $Password\_Policy ];then
		sed -i '/pam\_cracklib.so/s/#password/password/g' /etc/pam.d/common-password
		Password\_Policy=`grep "pam\_cracklib.so" /etc/pam.d/common-password| grep -v ^#|awk '{print $4}'`
	fi 
	if [ -z $Password\_Policy ];then
			sed -i '$a password requisite pam\_cracklib.so retry=3 difok=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1' /etc/pam.d/common-password
	else
		Password\_Policy=`grep "minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1" /etc/pam.d/common-password| grep -v ^#|awk '{print $4}'`
		if [ -z $Password\_Policy ];then
			sed -i '/pam\_cracklib.so/s/password/#password/g' /etc/pam.d/common-password
			sed -i '$a password requisite pam\_cracklib.so retry=3 difok=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1' /etc/pam.d/common-password
		fi
	fi
	Password\_Policy=`grep "minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1" /etc/pam.d/common-password| grep -v ^#|awk '{print $4","$5","$6","$7","$8}'`
	if [ -z $Password\_Policy ];then
		echo "............[N] Password Policy: Reset failed"
	else
		echo "......[Y] Password Policy: $Password\_Policy"
	fi
}

#检查日志服务CentOS
function CheckLogService\_CentOS() {
	Log\_Service=`systemctl status rsyslog | grep active | awk '{print $3}'`
	if [ $Log\_Service != "(running)" ];then
		systemctl start rsyslog
		systemctl enable rsyslog
	fi
	Log\_Service=`systemctl status rsyslog | grep active | awk '{print $3}'`
	if [ $Log\_Service = "(running)" ];then
		echo "......[Y] Log Service: $Log\_Service"
	else
		echo "............[N] Log Service: $Log\_Service"
	fi
}

#检查日志服务SUSE
function CheckLogService\_SUSE() {
	Log\_Service=`systemctl status syslog-ng | grep active | awk '{print $3}'`
	if [ $Log\_Service != "(running)" ];then
		systemctl start syslog-ng
		systemctl enable syslog-ng
	fi
	Log\_Service=`systemctl status syslog-ng | grep active | awk '{print $3}'`
	if [ $Log\_Service = "(running)" ];then
		echo "......[Y] Log Service: $Log\_Service"
	else
		zypper install syslog-ng -y 2>/dev/null
		systemctl start syslog-ng
		systemctl enable syslog-ng
		Log\_Service=`systemctl status syslog-ng | grep active | awk '{print $3}'`
		if [ $Log\_Service = "(running)" ];then
			echo "......[Y] Log Service: $Log\_Service"
		else
			echo "............[N] Log Service: Reset failed"
		fi
	fi
}