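# Print the host name so the run log shows which machine was changed.
hostname
# Account that the su/wheel section later creates and adds to the wheel group.
# BASELINE_USERNAME / BASELINE_PASSWORD can be exported by the caller so that
# no credential has to live in this file; the original literals remain the
# fallback when they are unset.
# NOTE(review): "xxxxxxx" is a placeholder. Supply the real secret at run
# time and keep this script (and any `set -x` trace of it) non-world-readable.
USERNAME="${BASELINE_USERNAME:-user}"
PASSWORD="${BASELINE_PASSWORD:-xxxxxxx}"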
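# Minimum number of days between password changes (PASS_MIN_DAYS, login.defs).
echo "口令更改最小间隔天数:"
cp /etc/login.defs "/etc/login.defs_bak_$(date +%Y-%m-%d)"
# Rewrite only the active directive and set it to 7 whatever the old value was.
# The previous expression replaced every "1" on any line mentioning
# PASS_MIN_DAYS, so a value of 0 stayed unchanged and 10 would have become 70.
if grep -Eq '^[[:space:]]*PASS_MIN_DAYS[[:space:]]' /etc/login.defs; then
  sed -i -E 's/^[[:space:]]*PASS_MIN_DAYS[[:space:]]+[0-9]+/PASS_MIN_DAYS 7/' /etc/login.defs
else
  # No active directive at all: add one instead of silently doing nothing.
  echo "PASS_MIN_DAYS 7" >> /etc/login.defs
fi
# Show the resulting non-comment setting for the operator to verify.
grep PASS_MIN_DAYS /etc/login.defs | grep -v '^#'
echo -e "\n"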
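# Failed-authentication lockout threshold (pam_tally2 in system-auth).
echo "认证失败次数:"
cp /etc/pam.d/system-auth "/etc/pam.d/system-auth_bak_$(date +%Y-%m-%d)"
# --follow-symlinks: when system-auth is a symlink, plain `sed -i` replaces the
# link with a regular file instead of editing the file it points to.
# NOTE(review): tools that regenerate the PAM stack may overwrite this edit -
# confirm how system-auth is managed on the target hosts.
sed -i --follow-symlinks "/pam_tally2.so/s/deny=6/deny=5/g" /etc/pam.d/system-auth
# Count every line that mentions the module (case-insensitive, comments too).
NO=$(grep -ci pam_tally2.so /etc/pam.d/system-auth)
# Fewer than two mentions is taken to mean the account-phase line is missing;
# it is inserted in front of the first "account" occurrence in the file.
# ${NO:-0} keeps the test well-formed when grep produced no output.
if [ "${NO:-0}" -lt 2 ]; then
  sed -i --follow-symlinks ':a;$!{N;ba};s/\(account\)/account required pam_tally2.so\naccount/1' /etc/pam.d/system-auth
fi
# The deny=5 substitution only adjusts an existing line; without an active
# auth-phase entry nothing enforces the lockout, so report that case.
if ! grep -Eq '^[[:space:]]*auth[[:space:]].*pam_tally2\.so' /etc/pam.d/system-auth; then
  echo "WARNING: no active 'auth ... pam_tally2.so' line in /etc/pam.d/system-auth; lockout threshold is not enforced" >&2
fi
grep pam_tally2.so /etc/pam.d/system-auth
echo -e "\n"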
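# Default file-creation mask for login shells (umask 027 in /etc/profile).
echo "用户目录缺省访问权限:"
cp /etc/profile "/etc/profile_bak_$(date +%Y-%m-%d)"
# Last non-comment umask statement in the file, rendered as "umask:<value>".
umask027=$(awk '{print $1":"$2}' /etc/profile | grep -v "^[[:space:]]*#" | grep -i umask | tail -n1)
# Quoted on purpose: when /etc/profile has no umask line the variable is empty,
# and the unquoted test failed with a syntax error, so nothing was appended.
if [ "$umask027" != "umask:027" ]; then
  echo "umask 027" >> /etc/profile
fi
# Re-read the effective (last) umask statement for the operator to verify.
echo "$(awk '{print $1":"$2}' /etc/profile | grep -v "^[[:space:]]*#" | grep -i umask | tail -n1)"
echo -e "\n"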
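# Pre-login warning banner for SSH.
echo "SSH登录前警告Banner:"
cp /etc/ssh/sshd_config "/etc/ssh/sshd_config_bak_$(date +%Y-%m-%d)"
# Look for an active Banner directive only; the earlier plain-substring grep
# also matched a commented-out line and then skipped the configuration.
# NOTE(review): sshd uses the first value it reads for a keyword, and a line
# appended after a "Match" block belongs to that block - if sshd_config already
# has another Banner or any Match section, place the directive by hand.
if ! grep -Eiq '^[[:space:]]*Banner[[:space:]]+/etc/ssh_banner' /etc/ssh/sshd_config; then
  echo "Banner /etc/ssh_banner" >> /etc/ssh/sshd_config
  echo "Authorized only. All activity will be monitored and reported" > /etc/ssh_banner
  # The banner is shown before authentication, so it must be world-readable.
  chmod 644 /etc/ssh_banner
fi
grep /etc/ssh_banner /etc/ssh/sshd_config
cat /etc/ssh_banner
echo -e "\n"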
# Account database permissions: passwd and group stay world-readable (644),
# shadow is readable by its owner only (400).
echo "passwd,shadow,group权限设置:"
chmod 400 /etc/shadow
chmod 644 /etc/passwd /etc/group
# List the three files so the resulting modes and owners appear in the log.
ls -lh /etc/passwd /etc/shadow /etc/group
echo -e "\n"
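# Shell history retention (HISTFILESIZE / HISTSIZE in /etc/profile).
echo "历史命令设置:"
# \b anchors the match to the whole number: the unanchored form also rewrote
# the leading digits of longer values (HISTSIZE=10000 became HISTSIZE=50).
# Only the stock values 5000 / 1000 are replaced, as before.
sed -i '/HISTFILESIZE/s/\b5000\b/5/g' /etc/profile
sed -i '/HISTSIZE/s/\b1000\b/5/g' /etc/profile
grep HISTFILESIZE /etc/profile
grep HISTSIZE /etc/profile | grep -v '^export'
# Sourcing affects only this script's shell; existing sessions keep their old
# values. It also applies any umask set in /etc/profile to the rest of this
# run, which changes the mode of files created further down.
# NOTE(review): shell history is not an audit trail; command accountability
# has to come from a separate logging mechanism.
source /etc/profile
echo -e "\n"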
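# Shell aliases in the invoking user's ~/.bashrc.
echo "别名设置:"
# Back up next to the original, like the other sections do. Copying to the
# fixed name /tmp/.bashrc in a world-writable directory lets another local
# user pre-create that path (for example as a symlink) and have this
# privileged copy write through it.
cp ~/.bashrc "${HOME}/.bashrc_bak_$(date +%Y-%m-%d)"
# Add the ls alias once, directly in front of the first "rm=" in the file.
# If ~/.bashrc has no "rm=" text the substitution finds nothing to anchor on
# and no alias is added.
if ! grep -q 'ls -aol' ~/.bashrc; then
  sed -i ':a;$!{N;ba};s/\(rm=\)/ls=\x27ls -aol\x27\nalias rm=/1' ~/.bashrc
fi
source ~/.bashrc
grep alias ~/.bashrc | grep rm
grep alias ~/.bashrc | grep ls
echo -e "\n"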
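# Automatic screen lock: install GConf2 and write mandatory screensaver keys.
echo "自动锁屏"
# All existing repository definitions are moved aside and are not restored by
# this script, so the host keeps using only the mirror defined below.
mkdir -p /etc/yum.repos.d/bak
mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/bak
# NOTE(review): the repository is fetched over plain http:// with gpgcheck=0,
# so packages installed from it are neither signature-verified nor protected
# in transit. Prefer gpgcheck=1 with the gpgkey that signs this mirror (and
# HTTPS if the mirror offers it). The address and architecture are
# site-specific and need adjusting per environment.
# The quoted delimiter keeps the repo text literal (no shell expansion).
cat > /etc/yum.repos.d/CentOS-7.6.repo << 'EOF'
[CentOS7.6]
name=CentOS7.6
baseurl=http://192.168.38.218/standard/centos/7.6/ARM_64
enabled=1
gpgcheck=0
EOF
yum clean all >> /dev/null
# Report a failed install; previously it was discarded and the gconftool-2
# calls below then failed without explanation.
if ! yum -y install GConf2 > /dev/null; then
  echo "WARNING: yum could not install GConf2; screensaver settings below may not be applied" >&2
fi
# Write to the mandatory source so the values apply system-wide.
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /apps/gnome-screensaver/idle_activation_enabled true
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type bool --set /apps/gnome-screensaver/lock_enabled true
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type string --set /apps/gnome-screensaver/mode blank-only
gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory --type int --set /apps/gnome-screensaver/idle_delay 15
sleep 1
# Read the keys back for the log; errors from gconftool-2 are hidden here, so
# an empty value means the key could not be read.
echo "idle_activation_enabled=$(gconftool-2 -g /apps/gnome-screensaver/idle_activation_enabled 2>/dev/null)"
echo "lock_enabled=$(gconftool-2 -g /apps/gnome-screensaver/lock_enabled 2>/dev/null)"
echo "mode=$(gconftool-2 -g /apps/gnome-screensaver/mode 2>/dev/null)"
echo "idle_delay=$(gconftool-2 -g /apps/gnome-screensaver/idle_delay 2>/dev/null)"
echo -e "\n"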
# Core dump section header.
# NOTE(review): nothing here configures core dumps. The only command is a
# silent check of ~/.bashrc for the ls alias, which looks like a leftover from
# the alias section - the intended core-dump setting still has to be added.
echo "coredump设置"
grep -q 'ls -aol' ~/.bashrc
echo -e "\n"
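# Restrict su to members of the wheel group and create the wheel account.
echo "禁止wheel组之外的用户su"
useradd "${USERNAME}"
# printf with a quoted argument passes the password through unchanged; the
# unquoted echo was subject to word splitting and globbing and mangled
# passwords containing spaces, "*" or a leading "-n"/"-e".
printf '%s\n' "${PASSWORD}" | passwd --stdin "${USERNAME}"
# -a appends: plain -G replaces the supplementary group list and would remove
# an already existing account from its other groups.
usermod -aG wheel "${USERNAME}"
cp /etc/pam.d/su "/etc/pam.d/su_bak_$(date +%Y-%m-%d)"
# Uncomment the "required pam_wheel.so" line so su demands wheel membership.
sed -i '/required\s\+pam_wheel.so/s/^#//' /etc/pam.d/su
# Show both relevant lines: pam_rootok (root may su freely) and pam_wheel.
grep 'sufficient\s\+pam_rootok.so' /etc/pam.d/su
grep 'required\s\+pam_wheel.so' /etc/pam.d/su
echo -e "\n"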
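# Disable direct root logins over SSH and restart sshd.
echo "禁止root用户远程登录"
# Uncomment a "#PermitRootLogin yes" line, then flip an active "yes" to "no".
sed -i '/PermitRootLogin\s\+yes/s/^#//' /etc/ssh/sshd_config
sed -i '/^PermitRootLogin/s/yes/no/' /etc/ssh/sshd_config
grep '^PermitRootLogin' /etc/ssh/sshd_config
# The two substitutions only handle a "yes" value. If the directive is absent
# or carries another value, root login keeps whatever sshd defaults to, so
# report that instead of finishing silently.
if ! grep -Eiq '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)' /etc/ssh/sshd_config; then
  echo "WARNING: no active 'PermitRootLogin no' in /etc/ssh/sshd_config; root SSH login is not disabled" >&2
fi
# Validate the edited file before restarting: a syntax error would otherwise
# take sshd down. Keep the current session open until a login with the wheel
# account has been confirmed, since root can no longer log in remotely.
if ! /usr/sbin/sshd -t; then
  echo "ERROR: /etc/ssh/sshd_config failed validation; sshd was not restarted" >&2
elif command -v systemctl > /dev/null 2>&1; then
  # Pick the service manager by availability; comparing the release number
  # with exactly 7 sent later releases to the init script branch.
  systemctl restart sshd
else
  /etc/init.d/sshd restart
fi
echo -e "\n"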
Linux安全基线脚本