本基线脚本为自己所写,仅适用于Centos7,SUSE,TencentOS2.4系统
基线脚本主要包含以下内容
- 密码复杂度:8-32位,同时包含大小写字母,特殊字符
- 密码有效期:不超过90天
- 登录限制:密码输入错误连续5次账号临时锁定
- 连接超时:系统登录10-30分钟不活动,自动断开连接
- 分配三个用户:系统管理员,审计管理员,安全管理员
- 锁定或删除shutdown、halt帐户
- 启用安全审计功能:开启auditd,rsyslog服务
- 禁用telnet.socket服务
- 系统日志保留时间:不小于180天
自动检测/配置脚本
#! /bin/bash
#检查系统版本
function CheckSystem() {
system\_version=''
if [[ -e /etc/os-release ]]; then
source /etc/os-release
system\_version=${system\_version}"PRETTY\_NAME: $PRETTY\_NAME, "
else
system\_version=${system\_version}"PRETTY\_NAME: `cat /etc/issue|head -n 1`, "
fi
var=${system\_version%??}
echo "......${var}......"
}
#检查密码有效期
function CheckPassMaxDays() {
PASS\_MAX\_DAYS=`cat /etc/login.defs | grep PASS\_MAX\_DAYS | grep -v ^# | awk '{print $2}'`
if [ -z $PASS\_MAX\_DAYS ];then
sed -i 's/#PASS\_MAX\_DAYS/PASS\_MAX\_DAYS/' /etc/login.defs
PASS\_MAX\_DAYS=`cat /etc/login.defs | grep PASS\_MAX\_DAYS | grep -v ^# | awk '{print $2}'`
fi
if [ -z $PASS\_MAX\_DAYS ];then
echo "............[N] Password Validity Period: Reset failed"
elif [ $PASS\_MAX\_DAYS -le 90 -a $PASS\_MAX\_DAYS -ge 30 ];then
echo "......[Y] Password Validity Period: $PASS\_MAX\_DAYS days"
else
sed -i '/PASS\_MAX\_DAYS/s/'"${PASS\_MAX\_DAYS}"'/90/g' /etc/login.defs
PASS\_MAX\_DAYS=`cat /etc/login.defs | grep PASS\_MAX\_DAYS | grep -v ^# | awk '{print $2}'`
if [ $PASS\_MAX\_DAYS -le 90 -a $PASS\_MAX\_DAYS -ge 30 ];then
echo "......[Y] Password Validity Period: $PASS\_MAX\_DAYS days"
else
echo "............[N] Password Validity Period: Reset failed"
fi
fi
}
#检查日志保留时间
function CheckLogBackupTime() {
Log\_Backup\_Time=`cat /etc/logrotate.conf |head -n 10|grep "rotate "| grep -v ^# | head -n 1|awk '{print $2}'`
if [ -z $Log\_Backup\_Time ];then
sed -i 's/#rotate/rotate/' /etc/logrotate.conf
Log\_Backup\_Time=`cat /etc/logrotate.conf |head -n 10|grep "rotate "| grep -v ^# | head -n 1|awk '{print $2}'`
fi
if [ -z $Log\_Backup\_Time ];then
echo "............[N] Log backup Time,Configuration does not exist"
elif [ $Log\_Backup\_Time -ge 26 ];then
echo "......[Y] Log backup Time: $Log\_Backup\_Time weeks"
else
sed -i '/rotate/s/'"${Log\_Backup\_Time}"'/26/g' /etc/logrotate.conf
Log\_Backup\_Time=`cat /etc/logrotate.conf |head -n 10|grep "rotate "| grep -v ^# | head -n 1|awk '{print $2}'`
if [ $Log\_Backup\_Time -ge 26 ];then
echo "......[Y] Log backup Time: $Log\_Backup\_Time weeks"
else
echo "............[N] Log backup Time,Reset failed"
fi
fi
}
#检查会话超时时间
function CheckConnectionTimeout() {
Connection\_Timeout=`cat /etc/profile | grep 'export TMOUT' | grep -v ^# | cut -d= -f2`
if [ -z $Connection\_Timeout ];then
sed -i '$a export TMOUT=1800' /etc/profile
elif [ $Connection\_Timeout -gt 1800 -o $Connection\_Timeout -lt 600 ];then
sed -i '/TMOUT/s/'"${Connection\_Timeout}"'/1800/g' /etc/profile
fi
source /etc/profile
Connection\_Timeout=`cat /etc/profile | grep 'export TMOUT' | grep -v ^# | cut -d= -f2`
if [ $Connection\_Timeout -le 1800 -a $Connection\_Timeout -ge 600 ];then
echo "......[Y] Connection timeout: $Connection\_Timeout seconds"
else
echo "............[N] Connection timeout: Reset failed"
fi
}
#检查共享账户
function CheckSharedUser() {
usermod -L shutdown 2>/dev/null
usermod -L halt 2>/dev/null
echo "......[Y] Shared user: Locked"
}
#检查审计策略
function CheckAuditLogs() {
Audit\_Logs=`auditctl -s | grep enabled | awk '{print $2}'`
if [ $Audit\_Logs -ne 1 ];then
systemctl start auditd
systemctl enable auditd
fi
Audit\_Logs=`auditctl -s | grep enabled | awk '{print $2}'`
if [ $Audit\_Logs -eq 1 ];then
echo "......[Y] Audit Policy: $Audit\_Logs Enable"
else
echo "............[N] Audit Policy: $Audit\_Logs Disabled"
fi
}
#检查分权账户
function CheckAuthorizedUser() {
shenji=`cat /etc/passwd |grep shenji | grep -v ^# | cut -d: -f 1`
anquan=`cat /etc/passwd |grep anquan | grep -v ^# | cut -d: -f 1`
sysadmin=`cat /etc/passwd |grep sysadmin | grep -v ^# | cut -d: -f 1`
if [ -z $shenji ];then
useradd shenji
echo shenji:In123!@#123|chpasswd
sed -i '$a shenji ALL = (root) NOPASSWD: /usr/bin/cat , /usr/bin/less , /usr/bin/more , /usr/bin/tail , /usr/bin/head' /etc/sudoers
fi
if [ -z $anquan ];then
useradd anquan
echo anquan:In123!@#123|chpasswd
fi
if [ -z $sysadmin ];then
useradd sysadmin
echo sysadmin:In123!@#123|chpasswd
fi
shenji=`cat /etc/passwd |grep shenji | grep -v ^# | cut -d: -f 1`
anquan=`cat /etc/passwd |grep anquan | grep -v ^# | cut -d: -f 1`
sysadmin=`cat /etc/passwd |grep sysadmin | grep -v ^# | cut -d: -f 1`
if [ -z $shenji -o -z $anquan -o -z $sysadmin ];then
echo "............[N] Authorized user: $shenji, $anquan, $sysadmin"
else
echo "......[Y] Authorized user: $shenji, $anquan, $sysadmin"
fi
}
#检查登录失败锁定配置CentOS
function CheckLoginFailureLock\_CentOS() {
Login\_Failure\_Lock=`grep "pam\_tally2.so" /etc/pam.d/system-auth| grep -v ^#|head -n 1|awk '{print $7}'`
if [ -z $Login\_Failure\_Lock ];then
sed -i '/pam_tally2.so/s/#auth/auth/g' /etc/pam.d/system-auth
Login\_Failure\_Lock=`grep "pam\_tally2.so" /etc/pam.d/system-auth| grep -v ^#|head -n 1|awk '{print $7}'`
fi
if [ -z $Login\_Failure\_Lock ];then
sed -i '$a auth required pam\_tally2.so onerr=fail audit silent dent=5 unlock\_time=600 even\_deny\_root root\_unlock\_time=600' /etc/pam.d/system-auth
else
Login\_Failure\_Lock=`grep "pam\_tally2.so onerr=fail audit silent dent=5 unlock\_time=600" /etc/pam.d/system-auth| grep -v ^#|awk '{print $7}'`
if [ -z $Login\_Failure\_Lock ];then
sed -i '/pam\_tally2.so/s/auth/#auth/g' /etc/pam.d/system-auth
sed -i '$a auth required pam\_tally2.so onerr=fail audit silent dent=5 unlock\_time=600 even\_deny\_root root\_unlock\_time=600' /etc/pam.d/system-auth
fi
fi
Login\_Failure\_Lock=`grep "pam\_tally2.so onerr=fail audit silent dent=5 unlock\_time=600" /etc/pam.d/system-auth| grep -v ^#|awk '{print $7","$8","$10}'`
if [ -z $Login\_Failure\_Lock ];then
echo "............[N] Login Failure Lock: Reset failed"
else
echo "......[Y] Login Failure Lock: $Login\_Failure\_Lock"
fi
}
#检查登录失败锁定配置SUSE
function CheckLoginFailureLock\_SUSE() {
Login\_Failure\_Number=`cat /etc/login.defs | grep LOGIN\_RETRIES | grep -v ^# | awk '{print $2}'`
if [ -z $Login\_Failure\_Number ];then
sed -i 's/#LOGIN\_RETRIES/LOGIN\_RETRIES/' /etc/login.defs
Login\_Failure\_Number=`cat /etc/login.defs | grep LOGIN\_RETRIES | grep -v ^# | awk '{print $2}'`
fi
if [ -z $Login\_Failure\_Number ];then
echo "............[N] Number of login failures: No configuration"
elif [ $Login\_Failure\_Number -le 8 -a $Login\_Failure\_Number -ge 3 ];then
echo "......[Y] Number of login failures: $Login\_Failure\_Number"
else
sed -i '/LOGIN\_RETRIES/s/'"${Login\_Failure\_Number}"'/5/g' /etc/login.defs
Login\_Failure\_Number=`cat /etc/login.defs | grep LOGIN\_RETRIES | grep -v ^# | awk '{print $2}'`
if [ $Login\_Failure\_Number -le 8 -a $Login\_Failure\_Number -ge 3 ];then
echo "......[Y] Number of login failures: $Login\_Failure\_Number"
else
echo "............[N] Number of login failures: No configuration"
fi
fi
Login\_Failure\_Time=`cat /etc/login.defs | grep LOGIN\_TIMEOUT | grep -v ^# | awk '{print $2}'`
if [ -z $Login\_Failure\_Time ];then
sed -i 's/#LOGIN\_TIMEOUT/LOGIN\_TIMEOUT/' /etc/login.defs
Login\_Failure\_Time=`cat /etc/login.defs | grep LOGIN\_TIMEOUT | grep -v ^# | awk '{print $2}'`
fi
if [ -z $Login\_Failure\_Time ];then
echo "............[N] Login failure lock time: Reset failed"
elif [ $Login\_Failure\_Time -le 1800 -a $Login\_Failure\_Time -ge 300 ];then
echo "......[Y] Login failure lock time: $Login\_Failure\_Time seconds"
else
sed -i '/LOGIN\_TIMEOUT/s/'"${Login\_Failure\_Time}"'/300/g' /etc/login.defs
Login\_Failure\_Time=`cat /etc/login.defs | grep LOGIN\_TIMEOUT | grep -v ^# | awk '{print $2}'`
if [ $Login\_Failure\_Time -le 1800 -a $Login\_Failure\_Time -ge 300 ];then
echo "......[Y] Login failure lock time: $Login\_Failure\_Time seconds"
else
echo "............[N] Login failure lock time: Reset failed"
fi
fi
}
#检查密码策略CentOS
function CheckPasswordPolicy\_CentOS() {
Password\_Policy=`grep "pam\_cracklib.so" /etc/pam.d/system-auth| grep -v ^#|awk '{print $4}'`
if [ -z $Password\_Policy ];then
sed -i '/pam_cracklib.so/s/#password/password/g' /etc/pam.d/system-auth
Password\_Policy=`grep "pam\_cracklib.so" /etc/pam.d/system-auth| grep -v ^#|awk '{print $4}'`
fi
if [ -z $Password\_Policy ];then
sed -i '$a password requisite pam\_cracklib.so minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1' /etc/pam.d/system-auth
else
Password\_Policy=`grep "pam\_cracklib.so minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1" /etc/pam.d/system-auth| grep -v ^#|awk '{print $4}'`
if [ -z $Password\_Policy ];then
sed -i '/pam\_cracklib.so/s/password/#password/g' /etc/pam.d/system-auth
sed -i '$a password requisite pam\_cracklib.so minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1' /etc/pam.d/system-auth
fi
fi
Password\_Policy=`grep "pam\_cracklib.so minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1" /etc/pam.d/system-auth| grep -v ^#|awk '{print $4","$5","$6","$7","$8}'`
if [ -z $Password\_Policy ];then
echo "............[N] Password Policy: Reset failed"
else
echo "......[Y] Password Policy: $Password\_Policy"
fi
}
#检查密码策略SUSE
function CheckPasswordPolicy\_SUSE() {
Password\_Policy=`grep "pam\_cracklib.so" /etc/pam.d/common-password| grep -v ^#|awk '{print $4}'`
if [ -z $Password\_Policy ];then
sed -i '/pam\_cracklib.so/s/#password/password/g' /etc/pam.d/common-password
Password\_Policy=`grep "pam\_cracklib.so" /etc/pam.d/common-password| grep -v ^#|awk '{print $4}'`
fi
if [ -z $Password\_Policy ];then
sed -i '$a password requisite pam\_cracklib.so retry=3 difok=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1' /etc/pam.d/common-password
else
Password\_Policy=`grep "minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1" /etc/pam.d/common-password| grep -v ^#|awk '{print $4}'`
if [ -z $Password\_Policy ];then
sed -i '/pam\_cracklib.so/s/password/#password/g' /etc/pam.d/common-password
sed -i '$a password requisite pam\_cracklib.so retry=3 difok=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1' /etc/pam.d/common-password
fi
fi
Password\_Policy=`grep "minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1" /etc/pam.d/common-password| grep -v ^#|awk '{print $4","$5","$6","$7","$8}'`
if [ -z $Password\_Policy ];then
echo "............[N] Password Policy: Reset failed"
else
echo "......[Y] Password Policy: $Password\_Policy"
fi
}
#检查日志服务CentOS
function CheckLogService\_CentOS() {
Log\_Service=`systemctl status rsyslog | grep active | awk '{print $3}'`
if [ $Log\_Service != "(running)" ];then
systemctl start rsyslog
systemctl enable rsyslog
fi
Log\_Service=`systemctl status rsyslog | grep active | awk '{print $3}'`
if [ $Log\_Service = "(running)" ];then
echo "......[Y] Log Service: $Log\_Service"
else
echo "............[N] Log Service: $Log\_Service"
fi
}
#检查日志服务SUSE
function CheckLogService\_SUSE() {
Log\_Service=`systemctl status syslog-ng | grep active | awk '{print $3}'`
if [ $Log\_Service != "(running)" ];then
systemctl start syslog-ng
systemctl enable syslog-ng
fi
Log\_Service=`systemctl status syslog-ng | grep active | awk '{print $3}'`
if [ $Log\_Service = "(running)" ];then
echo "......[Y] Log Service: $Log\_Service"
else
zypper install syslog-ng -y 2>/dev/null
systemctl start syslog-ng
systemctl enable syslog-ng
Log\_Service=`systemctl status syslog-ng | grep active | awk '{print $3}'`
if [ $Log\_Service = "(running)" ];then
echo "......[Y] Log Service: $Log\_Service"
else
echo "............[N] Log Service: Reset failed"
fi
fi
}