自动匹配操作系统
#!/bin/bash
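# Abort unless running as root: every fix below writes under /etc and /var/log.
# The diagnostic goes to stderr so it is not mixed into the status report on stdout.
if (( EUID != 0 )); then
  echo "错误:本脚本需要以root权限运行" >&2
  exit 1
fi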
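#######################################
# Report the outcome of the remediation step that ran just before this call.
# Arguments: $1 - optional exit status to report; when omitted, the status of
#            the command executed immediately before check_status is used.
# Outputs:   "修复完毕" on stdout for status 0, "修复失败" on stderr otherwise.
# Returns:   the reported status, so callers can propagate it if they wish.
#######################################
check_status() {
  # $? has to be captured in the very first expansion: any command executed
  # inside this function (even `local`) would overwrite it.
  local status=${1:-$?}
  # A non-numeric argument is treated as a failure rather than breaking `return`.
  [[ "$status" =~ ^[0-9]+$ ]] || status=1
  if [[ "$status" -eq 0 ]]; then
    echo "修复完毕"
  else
    echo "修复失败" >&2
    # error logging could be added here
  fi
  return "$status"
}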
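#######################################
# Convert CRLF line endings to LF in place.
# Arguments: $1 - path of the file to rewrite
# Returns:   1 when no path was given or the path is not a writable regular
#            file; otherwise sed's exit status.
#######################################
fix_line_endings() {
  local script=$1
  if [[ -z "$script" ]]; then
    echo "fix_line_endings: 未指定文件路径" >&2
    return 1
  fi
  if [[ ! -f "$script" || ! -w "$script" ]]; then
    echo "fix_line_endings: 文件不存在或不可写: $script" >&2
    return 1
  fi
  # `--` stops option parsing so a path beginning with '-' is not read as a flag.
  sed -i 's/\r$//' -- "$script"
}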
#######################################
# Print the five-line welcome banner (title, author, version) to stdout.
# Arguments: none
#######################################
print_welcome_message() {
  local rule='#################################'
  printf '%s\n' \
    "$rule" \
    '欢迎使用基线修复脚本' \
    '作者: Fright_Moch' \
    '版本: v1.0' \
    "$rule"
}
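#######################################
# Write the pre-login warning banner (SUSE profile).
# The text is identical for every distribution profile; the function is kept
# per-distro only so the fix_* call sites stay unchanged.
# Arguments: $1 - local console banner file (default /etc/issue)
#            $2 - network/ssh banner file (default /etc/issue.net)
# Outputs:   progress on stdout; the write result is reported via check_status
#######################################
modify_system_banner_suse() {
  local issue_file=${1:-/etc/issue}
  local issue_net_file=${2:-/etc/issue.net}
  local -a banner_lines=(
    '警告:未经授权访问禁止!'
    'Authorized access only! All actions will be monitored and recorded.'
    'Disconnect immediately if you are not an authorized user!'
    '警告:仅限授权用户访问!所有操作将被监视和记录。'
    '如果您不是授权用户,请立即断开连接!'
  )
  echo "修改系统 Banner:开始修复..."
  # Both files are written from the same list so they cannot drift apart.
  # The && list leaves the first failing write's status in $? for check_status;
  # the original per-line echo chain only ever reported the last echo.
  printf '%s\n' "${banner_lines[@]}" > "$issue_file" &&
    printf '%s\n' "${banner_lines[@]}" > "$issue_net_file"
  check_status
}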
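#######################################
# Write the pre-login warning banner (CentOS profile).
# The text is identical for every distribution profile; the function is kept
# per-distro only so the fix_* call sites stay unchanged.
# Arguments: $1 - local console banner file (default /etc/issue)
#            $2 - network/ssh banner file (default /etc/issue.net)
# Outputs:   progress on stdout; the write result is reported via check_status
#######################################
modify_system_banner_centos() {
  local issue_file=${1:-/etc/issue}
  local issue_net_file=${2:-/etc/issue.net}
  local -a banner_lines=(
    '警告:未经授权访问禁止!'
    'Authorized access only! All actions will be monitored and recorded.'
    'Disconnect immediately if you are not an authorized user!'
    '警告:仅限授权用户访问!所有操作将被监视和记录。'
    '如果您不是授权用户,请立即断开连接!'
  )
  echo "修改系统 Banner:开始修复..."
  # Both files are written from the same list so they cannot drift apart.
  # The && list leaves the first failing write's status in $? for check_status;
  # the original per-line echo chain only ever reported the last echo.
  printf '%s\n' "${banner_lines[@]}" > "$issue_file" &&
    printf '%s\n' "${banner_lines[@]}" > "$issue_net_file"
  check_status
}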
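#######################################
# Write the pre-login warning banner (Ubuntu profile).
# The text is identical for every distribution profile; the function is kept
# per-distro only so the fix_* call sites stay unchanged.
# Arguments: $1 - local console banner file (default /etc/issue)
#            $2 - network/ssh banner file (default /etc/issue.net)
# Outputs:   progress on stdout; the write result is reported via check_status
#######################################
modify_system_banner_ubuntu() {
  local issue_file=${1:-/etc/issue}
  local issue_net_file=${2:-/etc/issue.net}
  local -a banner_lines=(
    '警告:未经授权访问禁止!'
    'Authorized access only! All actions will be monitored and recorded.'
    'Disconnect immediately if you are not an authorized user!'
    '警告:仅限授权用户访问!所有操作将被监视和记录。'
    '如果您不是授权用户,请立即断开连接!'
  )
  echo "修改系统 Banner:开始修复..."
  # Both files are written from the same list so they cannot drift apart.
  # The && list leaves the first failing write's status in $? for check_status;
  # the original per-line echo chain only ever reported the last echo.
  printf '%s\n' "${banner_lines[@]}" > "$issue_file" &&
    printf '%s\n' "${banner_lines[@]}" > "$issue_net_file"
  check_status
}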
#######################################
# Dump a pre-remediation snapshot: interfaces, kernel/OS string, disk usage,
# the CPU summary line from top, and the current /etc/issue banner.
# Arguments: none
# Outputs:   the report on stdout; tool errors pass through on stderr
#######################################
print_system_status() {
  local rule='###################################################'
  printf '%s\n' '当前系统网卡信息:'
  ip addr show
  printf '%s\n' "$rule"
  printf '%s\n' '当前系统版本信息:'
  uname -a
  printf '%s\n' "$rule"
  printf '%s\n' '磁盘使用情况:'
  df -h
  printf '%s\n' "$rule"
  printf '%s\n' 'CPU利用率:'
  # top's one-shot batch output is filtered down to the "Cpu(s)" summary line
  # (mpstat would be an alternative where sysstat is installed).
  top -bn1 | grep "Cpu(s)"
  printf '%s\n' "$rule"
  printf '%s\n' '系统Banner初始状态打印'
  printf '%s\n' "$rule"
  cat /etc/issue
  printf '%s\n' "$rule"
}
#######################################
# Dump a post-remediation snapshot: interfaces, kernel/OS string, disk usage,
# the CPU summary line from top, and the rewritten /etc/issue banner.
# Arguments: none
# Outputs:   the report on stdout; tool errors pass through on stderr
#######################################
print_system_statusend() {
  local rule='###################################################'
  printf '%s\n' '当前系统网卡信息:'
  ip addr show
  printf '%s\n' "$rule"
  printf '%s\n' '当前系统版本信息:'
  uname -a
  printf '%s\n' "$rule"
  printf '%s\n' '磁盘使用情况:'
  df -h
  printf '%s\n' "$rule"
  printf '%s\n' 'CPU利用率:'
  # one-shot batch top, reduced to the "Cpu(s)" summary line
  top -bn1 | grep "Cpu(s)"
  printf '%s\n' "$rule"
  printf '%s\n' '系统Banner修复后状态打印'
  printf '%s\n' "$rule"
  cat /etc/issue
  printf '%s\n' "$rule"
}
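#######################################
# Append a PAM password-quality line unless it is already present.
# Arguments: $1 - PAM configuration file to edit
#            $2 - the complete PAM line to add
# Outputs:   progress on stdout; the result is reported via check_status
#######################################
fix_password_complexity() {
  local pam_file=$1
  local complexity_setting=$2
  echo "修复口令复杂度:开始修复..."
  # grep -qxF: whole-line, literal match, so re-running the script does not
  # stack duplicate entries in the PAM file.
  if grep -qxF -- "$complexity_setting" "$pam_file" 2>/dev/null; then
    echo "口令复杂度设置已存在,跳过: $pam_file"
  else
    # NOTE(review): the line lands at the end of the file; whether it is
    # effective there depends on the entries above it in the PAM stack —
    # verify against the distribution's PAM layout.
    printf '%s\n' "$complexity_setting" >> "$pam_file"
  fi
  check_status
}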
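#######################################
# Set PASS_MAX_DAYS in a login.defs-style file.
# Rewrites the active PASS_MAX_DAYS line when one exists; otherwise appends
# one (the original sed silently did nothing when the line was absent).
# Arguments: $1 - path to login.defs
#            $2 - maximum password age in days (digits only)
# Outputs:   progress on stdout; the result is reported via check_status
#######################################
fix_password_lifespan() {
  local login_defs_file=$1
  local max_days_setting=$2
  local rc=0
  echo "修复口令生存周期:开始修复..."
  if [[ "$max_days_setting" =~ ^[0-9]+$ ]]; then
    if grep -q '^PASS_MAX_DAYS[[:space:]]' "$login_defs_file" 2>/dev/null; then
      # Only the active (uncommented) line is rewritten. The value was
      # validated as digits, so interpolating it into the sed script is safe.
      sed -i "s/^PASS_MAX_DAYS[[:space:]]\+[[:digit:]]\+/PASS_MAX_DAYS $max_days_setting/" "$login_defs_file" || rc=$?
    else
      printf 'PASS_MAX_DAYS %s\n' "$max_days_setting" >> "$login_defs_file" || rc=$?
    fi
  else
    echo "修复口令生存周期:无效的天数 '$max_days_setting'" >&2
    rc=1
  fi
  # check_status reads the status of the previous command, so hand rc over via a test.
  [[ "$rc" -eq 0 ]]
  check_status
}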
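#######################################
# Require pam_wheel for su by adding "auth required pam_wheel.so use_uid"
# unless an active pam_wheel auth line is already there (any spacing).
# Arguments: $1 - PAM file for su (e.g. /etc/pam.d/su)
# Outputs:   progress on stdout; the result is reported via check_status
#######################################
fix_su_limitation() {
  local su_file=$1
  local pam_line='auth required pam_wheel.so use_uid'
  echo "修复限制用户 su 到 root:开始修复..."
  # Distribution files usually space the columns out, so match on structure
  # rather than the exact string; commented-out lines do not count.
  if grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_wheel\.so' "$su_file" 2>/dev/null; then
    echo "pam_wheel 限制已存在,跳过: $su_file"
  else
    # NOTE(review): pam_wheel limits su to the wheel group; confirm the
    # intended administrators are members before applying, and check where
    # in the auth stack this line should sit on the target distribution.
    printf '%s\n' "$pam_line" >> "$su_file"
  fi
  check_status
}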
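#######################################
# Set "PermitRootLogin no" in sshd_config and reload the daemon.
# The original sed used `#?` in a basic regex, where `?` is literal, so the
# directive was never actually rewritten. This version rewrites every active
# PermitRootLogin line, or inserts one at the top of the file (not the end,
# where a trailing Match block would scope it) when none is active, then
# validates the config before restarting sshd.
# Arguments: $1 - path to sshd_config
# Outputs:   progress on stdout; the result is reported via check_status
#######################################
fix_remote_root_login() {
  local sshd_config_file=$1
  local rc=0
  echo "修复限制 root 用户远程登录:开始修复..."
  if grep -Eq '^[[:space:]]*PermitRootLogin([[:space:]]|$)' "$sshd_config_file" 2>/dev/null; then
    # NOTE(review): an active PermitRootLogin inside a Match block also
    # satisfies this check; confirm the effective global value with `sshd -T`.
    sed -i -E 's/^[[:space:]]*PermitRootLogin([[:space:]].*)?$/PermitRootLogin no/' "$sshd_config_file" || rc=$?
  elif [[ -s "$sshd_config_file" ]]; then
    sed -i '1i PermitRootLogin no' "$sshd_config_file" || rc=$?
  else
    printf 'PermitRootLogin no\n' >> "$sshd_config_file" || rc=$?
  fi
  # Never restart on a config sshd itself rejects: that would lock out every
  # remote session, not just root.
  if [[ "$rc" -eq 0 ]] && command -v sshd >/dev/null 2>&1; then
    sshd -t -f "$sshd_config_file" || rc=$?
  fi
  if [[ "$rc" -eq 0 ]]; then
    # Debian/Ubuntu name the unit "ssh"; fall back to it when "sshd" is unknown.
    systemctl restart sshd 2>/dev/null || systemctl restart ssh || rc=$?
  fi
  [[ "$rc" -eq 0 ]]
  check_status
}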
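#######################################
# Find trust files (*.rhosts, *.netrc, *.equiv) and move them aside as .bak.
# Paths are NUL-delimited so names containing spaces or newlines are handled
# (the original `for f in $(find …)` word-split them); pseudo-filesystems are
# pruned because nothing legitimate lives there and walking them is slow.
# Arguments: $1 - directory to search (default /)
# Outputs:   one line per file found on stdout; result via check_status
#######################################
fix_dangerous_files() {
  local search_root=${1:-/}
  local prefix=${search_root%/}
  local file rc=0
  echo "查找并删除潜在危险文件:开始修复..."
  while IFS= read -r -d '' file; do
    printf '发现潜在危险文件 %s,将进行处理...\n' "$file"
    # Renamed rather than deleted so the content can still be reviewed; the
    # .bak copy keeps the original permissions.
    mv -- "$file" "${file}.bak" || rc=$?
  done < <(find "$search_root" \
      \( -path "$prefix/proc" -o -path "$prefix/sys" -o -path "$prefix/dev" -o -path "$prefix/run" \) -prune -o \
      -type f \( -name '*.rhosts' -o -name '*.netrc' -o -name '*.equiv' \) -print0)
  # find's own exit status is not visible through the process substitution;
  # only failed renames are counted here.
  [[ "$rc" -eq 0 ]]
  check_status
}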
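#######################################
# Set an idle-shell timeout (TMOUT) in a profile file.
# Rewrites an existing TMOUT=<n> assignment instead of appending a second
# one, so repeated runs leave a single setting.
# Arguments: $1 - profile file to edit (e.g. /etc/profile)
#            $2 - timeout in seconds (digits only, default 300)
# Outputs:   progress on stdout; the result is reported via check_status
#######################################
fix_login_timeout() {
  local profile_file=$1
  local timeout_seconds=${2:-300}
  local rc=0
  echo "修复登陆超时时间设置:开始修复..."
  if [[ ! "$timeout_seconds" =~ ^[0-9]+$ ]]; then
    echo "修复登陆超时时间设置:无效的秒数 '$timeout_seconds'" >&2
    rc=1
  elif grep -q '^TMOUT=' "$profile_file" 2>/dev/null; then
    # Only the numeric value is replaced, so a trailing "; export TMOUT" survives.
    sed -i "s/^TMOUT=[0-9]*/TMOUT=$timeout_seconds/" "$profile_file" || rc=$?
  else
    # NOTE(review): without `readonly TMOUT; export TMOUT` a user can unset
    # the timeout in their own shell — add those if the baseline requires it.
    printf 'TMOUT=%s\n' "$timeout_seconds" >> "$profile_file" || rc=$?
  fi
  [[ "$rc" -eq 0 ]]
  check_status
}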
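#######################################
# Add a syslog selector/target rule and restart rsyslog so it takes effect.
# The presence check compares with whitespace collapsed, because the stock
# rsyslog.conf separates selector and target with a run of spaces; the
# original exact-append duplicated such rules on every run.
# Arguments: $1 - syslog/rsyslog configuration file
#            $2 - rule line, e.g. "authpriv.* /var/log/secure"
# Outputs:   progress on stdout; the result is reported via check_status
#######################################
fix_syslog_audit() {
  local syslog_conf_file=$1
  local syslog_entry=$2
  local rc=0 wanted
  echo "修复启用 Syslog 日志审计:开始修复..."
  # Normalise the wanted rule the same way the file lines are normalised.
  # (awk -v interprets backslash escapes; rules here contain none.)
  wanted=$(printf '%s\n' "$syslog_entry" | awk '{ $1 = $1; print }')
  if awk -v want="$wanted" '{ $1 = $1 } $0 == want { found = 1 } END { exit !found }' "$syslog_conf_file" 2>/dev/null; then
    echo "Syslog 审计规则已存在,跳过: $syslog_conf_file"
  else
    printf '%s\n' "$syslog_entry" >> "$syslog_conf_file" || rc=$?
  fi
  # The rule is not live until the daemon re-reads its config, so a failed
  # restart is reported as a failed fix. A failed write skips the restart.
  # NOTE(review): the SUSE profile passes /etc/syslog.conf yet this restarts
  # rsyslog — confirm which syslog daemon is actually in use there.
  if [[ "$rc" -eq 0 ]]; then
    systemctl restart rsyslog || rc=$?
  fi
  [[ "$rc" -eq 0 ]]
  check_status
}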
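#######################################
# Route cron messages to /var/log/cron and restart rsyslog.
# The presence check ignores column spacing so a stock "cron.*   /var/log/cron"
# entry is recognised and not duplicated on repeated runs.
# Arguments: $1 - syslog/rsyslog configuration file
# Outputs:   progress on stdout; the result is reported via check_status
#######################################
fix_cron_logging() {
  local syslog_conf_file=$1
  local cron_entry='cron.* /var/log/cron'
  local rc=0
  echo "修复记录 cron 行为日志:开始修复..."
  # $1 = $1 rebuilds each line with single spaces before comparing.
  if awk -v want="$cron_entry" '{ $1 = $1 } $0 == want { found = 1 } END { exit !found }' "$syslog_conf_file" 2>/dev/null; then
    echo "cron 日志规则已存在,跳过: $syslog_conf_file"
  else
    printf '%s\n' "$cron_entry" >> "$syslog_conf_file" || rc=$?
  fi
  # Skip the restart when the write failed; a failed restart is a failed fix.
  if [[ "$rc" -eq 0 ]]; then
    systemctl restart rsyslog || rc=$?
  fi
  [[ "$rc" -eq 0 ]]
  check_status
}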
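#######################################
# Restrict ownership and mode of the core log files.
# Every target is processed even if an earlier one fails, and any failure is
# reported (the original only reported the status of the final chmod).
# Arguments: optional "path:mode" pairs; default is
#            /var/log/messages:644 and /var/log/secure:600
# Outputs:   progress on stdout, per-file problems on stderr; result via check_status
#######################################
fix_log_file_security() {
  local -a targets=("$@")
  local target path mode rc=0
  if (( ${#targets[@]} == 0 )); then
    targets=(/var/log/messages:644 /var/log/secure:600)
  fi
  echo "修复日志文件安全:开始修复..."
  # NOTE(review): the defaults are the RHEL/SUSE layout; Debian/Ubuntu log to
  # /var/log/syslog and /var/log/auth.log instead, so there the defaults will
  # be reported as missing.
  for target in "${targets[@]}"; do
    path=${target%:*}
    mode=${target##*:}
    if [[ ! -e "$path" ]]; then
      echo "日志文件不存在: $path" >&2
      rc=1
      continue
    fi
    chown root:root -- "$path" || rc=$?
    chmod "$mode" -- "$path" || rc=$?
  done
  [[ "$rc" -eq 0 ]]
  check_status
}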
# SUSE remediation profile: runs every fix in order with SUSE-specific paths.
# Globals: none
# Arguments: none
# Outputs: progress of each step on stdout
# NOTE(review): this profile appends a pam_passwdqc line to
# /etc/pam.d/system-auth; confirm that file and module exist on the target
# SUSE release. It also hands /etc/syslog.conf to fix_syslog_audit and
# fix_cron_logging, which restart rsyslog — check which daemon is in use.
fix_suse() {
fix_password_complexity "/etc/pam.d/system-auth" "auth required pam_passwdqc.so min=disabled,disabled,disabled,8,8"
fix_password_lifespan "/etc/login.defs" "90"
fix_su_limitation "/etc/pam.d/su"
fix_remote_root_login "/etc/ssh/sshd_config"
fix_dangerous_files
fix_login_timeout "/etc/profile"
fix_syslog_audit "/etc/syslog.conf" "authpriv.* /var/log/secure"
fix_cron_logging "/etc/syslog.conf"
modify_system_banner_suse
fix_log_file_security
echo "SUSE 所有项目修复完毕"
}
# CentOS/RHEL remediation profile: runs every fix in order with RHEL paths.
# Globals: none
# Arguments: none
# Outputs: progress of each step on stdout
# NOTE(review): the pam_cracklib line is appended to /etc/pam.d/system-auth;
# newer RHEL-family releases ship pam_pwquality and manage system-auth via
# authselect, so confirm the module and file are appropriate for the target.
fix_centos() {
fix_password_complexity "/etc/pam.d/system-auth" "password requisite pam_cracklib.so try_first_pass retry=3 minlen=14 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1"
fix_password_lifespan "/etc/login.defs" "90"
fix_su_limitation "/etc/pam.d/su"
fix_remote_root_login "/etc/ssh/sshd_config"
fix_dangerous_files
fix_login_timeout "/etc/profile"
fix_syslog_audit "/etc/rsyslog.conf" "authpriv.* /var/log/secure"
fix_cron_logging "/etc/rsyslog.conf"
modify_system_banner_centos
fix_log_file_security
echo "CentOS 所有项目修复完毕"
}
# Ubuntu remediation profile: runs every fix in order with Debian-family paths.
# Globals: none
# Arguments: none
# Outputs: progress of each step on stdout
# NOTE(review): fix_log_file_security hardens /var/log/messages and
# /var/log/secure, which this family does not normally have (it logs to
# /var/log/syslog and /var/log/auth.log), so that step is expected to report
# a failure here. The pam_cracklib module may also need to be installed.
fix_ubuntu() {
fix_password_complexity "/etc/pam.d/common-password" "password requisite pam_cracklib.so retry=3 minlen=14 difok=3 ucredit=-1 dcredit=-1 ocredit=-1 lcredit=-1"
fix_password_lifespan "/etc/login.defs" "90"
fix_su_limitation "/etc/pam.d/su"
fix_remote_root_login "/etc/ssh/sshd_config"
fix_dangerous_files
fix_login_timeout "/etc/profile"
fix_syslog_audit "/etc/rsyslog.conf" "authpriv.* /var/log/auth.log"
fix_cron_logging "/etc/rsyslog.conf"
modify_system_banner_ubuntu
fix_log_file_security
echo "Ubuntu 所有项目修复完毕"
}
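#######################################
# Decide which remediation profile matches the running system.
# /etc/os-release (ID, then ID_LIKE) is consulted first; the legacy release
# files the original check relied on (/etc/SuSE-release, /etc/redhat-release,
# /etc/lsb-release) are only a fallback, since /etc/SuSE-release is no longer
# shipped and /etc/lsb-release is not unique to Ubuntu.
# Outputs:  one of suse|centos|ubuntu on stdout, or nothing if unrecognised
#######################################
detect_os_family() {
  local os_id='' os_like='' family=''
  if [[ -r /etc/os-release ]]; then
    # Read only the two keys instead of sourcing the file, so nothing else in
    # it can leak into this script's variables.
    os_id=$(sed -n 's/^ID=//p' /etc/os-release | tr -d '"')
    os_like=$(sed -n 's/^ID_LIKE=//p' /etc/os-release | tr -d '"')
  fi
  case " $os_id $os_like " in
    *suse*|*sles*) family=suse ;;
    *centos*|*rhel*|*fedora*) family=centos ;;
    # Debian derivatives share the Ubuntu profile's paths (common-password,
    # auth.log) — presumably close enough; verify on the target.
    *ubuntu*|*debian*) family=ubuntu ;;
  esac
  if [[ -z "$family" ]]; then
    if [[ -f /etc/SuSE-release ]]; then
      family=suse
    elif [[ -f /etc/redhat-release ]]; then
      family=centos
    elif [[ -f /etc/lsb-release ]]; then
      family=ubuntu
    fi
  fi
  printf '%s' "$family"
}

# Main flow: banner, pre-state snapshot, profile dispatch, post-state snapshot.
# Exits non-zero when no profile matched so automation can tell the run did
# nothing (the original always exited with cat's status).
print_welcome_message
print_system_status
exit_code=0
case "$(detect_os_family)" in
  suse)
    echo "检测到 SUSE 系统"
    fix_suse
    ;;
  centos)
    echo "检测到 CentOS 系统"
    fix_centos
    ;;
  ubuntu)
    echo "检测到 Ubuntu 系统"
    fix_ubuntu
    ;;
  *)
    echo "未知系统类型,无法执行修复" >&2
    exit_code=1
    ;;
esac
print_system_statusend
exit "$exit_code"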