Centos安全基线加固

详情见脚本内容，可自行修改
主要涉及如下安全加固内容：
1.密码最长过期天数90
2.密码最小长度16
3.密码组合策略
4.禁止非whell组用户切换到root
5.文件权限调整
6.账户锁定策略
7.日志配置
8.部分文件保护
9.NTP配置
10.新建文件权限配置
11.SSH超时断开

#!/bin/sh

# Please set ff=unix

# audit time
# AuditTime=`date`=
Time=$(date "+%Y%m%d%H%M")
AuditStr="SecurityAuditTime="
Flag=$AuditStr$Time

echo "**************************"

# PASS_MAX_DAYS   90
sed -i "/^PASS_MAX_DAYS/ c\PASS_MAX_DAYS\ \ \ 90" /etc/login.defs >/dev/null 2>&1
# check
issue=`cat /etc/login.defs | grep PASS_MAX_DAYS\ \ \ 90 | wc -L`
if [ $issue -gt 0 ];then
echo "*PASS_MAX_DAYS changed OK"
echo "**************************"
else
echo "*PASS_MAX_DAYS changed FAIL"
echo "**************************"
fi

# PASS_MIN_LEN	 16
sed -i "/^PASS_MIN_LEN/ c\PASS_MIN_LEN\ \ \ \ 16" /etc/login.defs >/dev/null 2>&1
# check
issue=`cat /etc/login.defs | grep PASS_MIN_LEN\ \ \ \ 16 | wc -L`
if [ $issue -gt 0 ];then
echo "*PASS_MIN_LEN changed OK"
echo "**************************"
else
echo "*PASS_MIN_LEN changed FAIL"
echo "**************************"
fi

# Centos6: pam_cracklib.so
# Centos7: pam_pwquality.so
# \ space \t 4space
number6=`cat /etc/pam.d/system-auth | grep '^password.*requisite.*pam_cracklib.so' | wc -L`
number7=`cat /etc/pam.d/system-auth | grep '^password.*requisite.*pam_pwquality.so' | wc -L`
if [ $number7 -gt 0 ];then
sed -i "/^password    requisite     pam_pwquality.so/ \
c\password    requisite     pam_pwquality.so \
try_first_pass \
local_users_only \
retry=3 \
authtok_type= \
minlen=16 \
ucredit=-1 \
lcredit=-1 \
dcredit=-1 \
ocredit=-1 \
enforce_for_root" /etc/pam.d/system-auth
sed -i "/^password    requisite     pam_pwquality.so/ \
c\password    requisite     pam_pwquality.so \
try_first_pass \
local_users_only \
retry=3 \
authtok_type= \
minlen=16 \
ucredit=-1 \
lcredit=-1 \
dcredit=-1 \
ocredit=-1 \
enforce_for_root" /etc/pam.d/password-auth
elif [ $number6 -gt 0 ];then
sed -i "/^password    requisite     pam_cracklib.so/ \
c\password    requisite     pam_cracklib.so \
try_first_pass \
local_users_only \
retry=3 \
authtok_type= \
minlen=16 \
ucredit=-1 \
lcredit=-1 \
dcredit=-1 \
ocredit=-1 \
enforce_for_root" /etc/pam.d/system-auth
sed -i "/^password    requisite     pam_cracklib.so/ \
c\password    requisite     pam_cracklib.so \
try_first_pass \
local_users_only \
retry=3 \
authtok_type= \
minlen=16 \
ucredit=-1 \
lcredit=-1 \
dcredit=-1 \
ocredit=-1 \
enforce_for_root" /etc/pam.d/password-auth
fi
# check
issue=`cat /etc/pam.d/system-auth | grep enforce_for_root | wc -L`
if [ $issue -gt 0 ];then
echo "*PASSWORD COMPLEXITY changed OK"
echo "**************************"
else
echo "*PASSWORD COMPLEXITY changed FAIL"
echo "**************************"
fi

# group=wheel
# **note**
# numberwheel=`cat /etc/pam.d/su | grep group=wheel | wc -L`
# if [ $numberwheel -eq 0 ];then
# sed -i "3i auth            required        pam_wheel.so group=wheel" /etc/pam.d/su
# fi
sed -i '/pam_wheel.so/d; /required/d' /etc/pam.d/su
sed -i "3i auth            required        pam_wheel.so group=wheel" /etc/pam.d/su
# check
issue=`cat /etc/pam.d/su | grep group=wheel | wc -L`
if [ $issue -gt 0 ];then
echo "*SU PERMISSIONS changed OK"
echo "**************************"
else
echo "*SU PERMISSIONS changed FAIL"
echo "**************************"
fi

# file permissions >/dev/null 2>&1
chmod 775 /var/log/cron /var/log/secure /var/log/maillog /var/log/boot.log /var/log/mail /var/log/spooler >/dev/null 2>&1
chmod 755 /var/log/messages >/dev/null 2>&1
chmod 644 /etc/passwd /etc/group >/dev/null 2>&1
chmod 600 /etc/shadow >/dev/null 2>&1
# check
echo "*FILE PERMISSIONS changed OK"
echo "**************************"

# account lock
usermod -L listen gdm webservd nobody nobody4 noaccess >/dev/null 2>&1
# check
echo "*ACCOUNT LOCK changed OK"
echo "**************************"

# rsyslog cron
sed -i "/^\#authpriv.\*/cauthpriv.\*							/var/log/secure" /etc/rsyslog.conf
sed -i "/^\#cron.\*/ccron.\*							/var/log/cron" /etc/rsyslog.conf
# check
echo "*RSYSLOG CONFIG changed OK"
echo "**************************"

# ftp account manual decision
#############################
# risk files
format=".bak"
road=`find / -maxdepth 3 -name hosts.equiv`
mv ${road} ${road}$format >/dev/null 2>&1
road=`find / -maxdepth 3 -name .rhosts`
mv ${road} ${road}$format >/dev/null 2>&1
road=`find / -maxdepth 3 -name .netrc`
mv ${road} ${road}$format >/dev/null 2>&1
mv /etc/issue /etc/issue.bak >/dev/null 2>&1
mv /etc/issue.net /etc/issue.net.bak >/dev/null 2>&1
# check
echo "*RISK FILES changed OK"
echo "**************************"

# ntp
yum install -y ntpdate >/dev/null 2>&1
/usr/sbin/ntpdate ntp.cloud.aliyuncs.com >/dev/null 2>&1
# touch /var/log/ntpdate.log >/dev/null 2>&1
# echo "*/5 * * * * /usr/sbin/ntpdate ntp.cloud.aliyuncs.com >> /var/log/ntpdate.log 2>&1" >> /var/spool/cron/root
echo "*/5 * * * * /usr/sbin/ntpdate ntp.cloud.aliyuncs.com" >> /var/spool/cron/root
# echo "*/5 * * * * /usr/sbin/ntpdate ntp.cloud.aliyuncs.com;/sbin/hwclock -w" >> /var/spool/cron/root
# check
echo "*NTP CONFIG changed OK"
echo "**************************"


# umask 027
umask_number=`cat /etc/profile | grep '^umask.*' | wc -L`
if [ $umask_number -gt 0 ];then
sed -i "/^\umask/cumask 027" /etc/profile
else
echo "umask 027" >> /etc/profile
fi
source /etc/profile
# check
issue=`umask`
if [ $issue -eq 0027 ];then
echo "*UMASK changed OK"
echo "**************************"
else
echo "*UMASK changed FAIL"
echo "**************************"
fi

# TMOUT=300
tmout_number=`cat /etc/profile | grep '^export.*TMOUT.*' | wc -L`
if [ $umask_number -gt 0 ];then
sed -i "/^\export TMOUT/cexport TMOUT=300" /etc/profile
else
echo "export TMOUT=300" >> /etc/profile
fi
source /etc/profile
# check
issue=`echo $TMOUT`
if [ $issue -eq 300 ];then
echo "*TMOUT changed OK"
echo "**************************"
else
echo "*TMOUT changed FAIL"
echo "**************************"
fi