linux安全配置检查脚本_v0.8,linux基本安全配置设置脚本

方便设置一些基本的 Linux 安全设置。注意:此脚本写于 2010 年,面向当时的 RHEL/CentOS(SysV init、chkconfig/service、/etc/inittab、GRUB legacy、/etc/pam.d/su),在 systemd 系统上 tty、ctrlaltdel、stopservice/closeservice 等分支并不适用;每个分支都会直接改写 /etc 下的系统文件且没有备份和回滚,请先在测试机上验证。执行 denyrootssh 和 sugroup 之前,务必确认已经有一个能登录并且属于 $V_GROUPNAME 组的普通管理员账号,否则会把自己锁在机器外面。

#vi autosafe.sh

#!/bin/bash

#########################################################################

#

# File: autosafe.sh

# Description:

# Language: GNU Bourne-Again SHell

# Version: 1.1

# Date: 2010-6-23

# Corp.: c1gstudio.com

# Author: c1g

# WWW: http://blog.c1gstudio.com

### END INIT INFO

###############################################################################

# ---- Tunables -------------------------------------------------------------
# Everything the sub-commands act on is configured here; edit these lists
# before running the script. Names are the RHEL/CentOS (2010-era) ones.

# Accounts removed by "deluser".
# NOTE(review): "mail" and "ftp" are in this list — if the host delivers
# local mail or runs an FTP daemon, take them out first.
V_DELUSER="adm lp sync shutdown halt mail news uucp operator games gopher ftp"

# Groups removed by "delgroup".
V_DELGROUP="adm lp mail news uucp games gopher mailnull floppy dip pppusers popusers slipusers daemon"

# Minimum password length written to /etc/login.defs by "password".
V_PASSMINLEN=8
# Shell history size written to /etc/profile by "history".
V_HISTSIZE=30
# Idle-shell timeout in seconds (TMOUT) added to /etc/profile by "logintimeout".
V_TMOUT=300
# Group created by "addgroup" and allowed to use su by "sugroup".
V_GROUPNAME=suadmin

# Services stopped by "stopservice" and disabled at boot by "closeservice".
# NOTE(review): auditd (kernel audit logging) and ip6tables (IPv6 firewall)
# are on this list; turning them off weakens the host rather than hardening
# it — review the list before use.
V_SERVICE="acpid anacron apmd atd auditd autofs avahi-daemon avahi-dnsconfd bluetooth cpuspeed cups dhcpd firstboot gpm haldaemon hidd ip6tables ipsec isdn kudzu lpd mcstrans messagebus microcode_ctl netfs nfs nfslock nscd pcscd portmap readahead_early restorecond rpcgssd rpcidmapd rstatd sendmail setroubleshoot snmpd sysstat xfs xinetd yppasswdd ypserv yum-updatesd"

# Virtual consoles that "tty" comments out of /etc/inittab, as a regex
# alternation of the console numbers.
V_TTY="3|4|5|6"

# Binaries whose setuid/setgid bits "chmodcommand" strips. Expect some of
# them (mount/umount in particular) to stop working for ordinary users.
declare -a V_SUID=(
  "/usr/bin/chage"    "/usr/bin/gpasswd"      "/usr/bin/wall"
  "/usr/bin/chfn"     "/usr/bin/chsh"         "/usr/bin/newgrp"
  "/usr/bin/write"    "/usr/sbin/usernetctl"
  "/bin/traceroute"   "/bin/mount"            "/bin/umount"
  "/sbin/netreport"
)

# Reported by "version". (The file header above says 1.1; the two disagree.)
version=1.0

# we need root to run

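# Every sub-command rewrites files under /etc, so refuse to run unprivileged.
# The original printed the message to stdout and exited with status 0, so a
# chain like `./autosafe.sh deluser && ./autosafe.sh delgroup` carried on as
# if the step had succeeded; report on stderr and exit non-zero instead.
if [ "$(id -u)" -ne 0 ]; then
  echo "You need to start as root!" >&2
  exit 1
fi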

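# Dispatch on the sub-command in $1 (see the usage text in the last arm).
# Every arm rewrites system files in place with no backup and no rollback,
# so read an arm before running it. Exit status: 0 on success, 1 when an arm
# detects a failure it cannot proceed from or the sub-command is unknown.
case "$1" in

"deluser")
  # Remove legacy system accounts listed in V_DELUSER.
  # NOTE(review): the default list includes "mail" and "ftp"; removing them
  # breaks local mail delivery and any FTP daemon — trim the list first if
  # those are in use. userdel fails (and the account stays) while the user
  # still owns a running process; that is reported, not fatal.
  echo "delete user ..."
  for acct in $V_DELUSER; do
    echo "deleting $acct"
    userdel "$acct" || echo "warning: userdel $acct failed" >&2
  done
  ;;

"delgroup")
  # Remove legacy groups listed in V_DELGROUP. groupdel refuses to delete a
  # group that is still some user's primary group; reported, not fatal.
  echo "delete group ..."
  for grp in $V_DELGROUP; do
    echo "deleting $grp"
    groupdel "$grp" || echo "warning: groupdel $grp failed" >&2
  done
  ;;

"password")
  # Set PASS_MIN_LEN in /etc/login.defs. The original did s/5/NEW/ on the
  # line, which only worked when the existing value was literally 5 (and
  # turned e.g. 15 into 18); replace the whole value, appending the
  # directive when it is absent.
  # NOTE(review): on hosts where passwd goes through pam_cracklib /
  # pam_pwquality, that module's minlen is what is enforced for
  # interactive password changes — set it there as well; confirm for your
  # distribution.
  echo "change password limit ..."
  echo "/etc/login.defs"
  echo "PASS_MIN_LEN $V_PASSMINLEN"
  if grep -q '^PASS_MIN_LEN' /etc/login.defs; then
    sed -i "s/^PASS_MIN_LEN.*/PASS_MIN_LEN $V_PASSMINLEN/" /etc/login.defs
  else
    echo "PASS_MIN_LEN $V_PASSMINLEN" >> /etc/login.defs
  fi
  ;;

"history")
  # Set HISTSIZE in /etc/profile. The original only rewrote a literal 1000;
  # replace whatever value is there, appending the line when absent.
  # NOTE(review): a 30-entry history also shortens the trail an incident
  # responder can recover from a compromised account; consider keeping a
  # large history and shipping it to central logging instead.
  echo "change history limit ..."
  echo "/etc/profile"
  echo "HISTSIZE $V_HISTSIZE"
  if grep -q '^HISTSIZE=' /etc/profile; then
    sed -i "s/^HISTSIZE=.*/HISTSIZE=$V_HISTSIZE/" /etc/profile
  else
    echo "HISTSIZE=$V_HISTSIZE" >> /etc/profile
  fi
  ;;

"logintimeout")
  # Add an idle-shell timeout to /etc/profile. The original appended a new
  # TMOUT line after HISTSIZE on every run; now it is added once, and made
  # readonly + exported so a user cannot just `unset TMOUT` in their shell.
  echo "change login timeout ..."
  echo "/etc/profile"
  echo "TMOUT=$V_TMOUT"
  if grep -q '^TMOUT=' /etc/profile; then
    echo 'warning:existed'
  else
    printf 'TMOUT=%s\nreadonly TMOUT\nexport TMOUT\n' "$V_TMOUT" >> /etc/profile
  fi
  ;;

"bashhistory")
  # Make accounts created from /etc/skel wipe their bash history at logout.
  # NOTE(review): this destroys exactly the evidence an incident responder
  # wants, only affects accounts created after it runs, and is bypassed by
  # any user who ends the session without a clean logout. Prefer keeping
  # history (or forwarding it to a central log / auditd) over deleting it.
  # Kept for compatibility with the original tool.
  echo "denied bashhistory ..."
  echo "/etc/skel/.bash_logout"
  echo 'rm -f $HOME/.bash_history'
  if grep -q "bash_history" /etc/skel/.bash_logout; then
    echo 'warning:existed'
  else
    echo 'rm -f $HOME/.bash_history' >> /etc/skel/.bash_logout
  fi
  ;;

"addgroup")
  # Create the su-admin group; skip (instead of erroring) when it exists.
  echo "groupadd $V_GROUPNAME ..."
  if getent group "$V_GROUPNAME" > /dev/null; then
    echo 'warning:existed'
  else
    groupadd "$V_GROUPNAME"
  fi
  ;;

"sugroup")
  # Restrict su to members of V_GROUPNAME via pam_wheel. Changes from the
  # original: module names carry no directory (the hard-coded
  # /lib/security/ is wrong on x86_64, where modules live in
  # /lib64/security/; PAM resolves bare names itself); the "debug" option
  # is dropped; use_uid makes pam_wheel check the real uid rather than the
  # login name; and the lines go at the top of the stack, before
  # "auth include system-auth", instead of after it, so root is not asked
  # for a password first. The existence check also recognises the stock
  # "auth sufficient pam_rootok.so" line instead of duplicating it.
  # WARNING: put at least one administrator in the group first
  # (usermod -a -G "$V_GROUPNAME" <user>) and keep a root shell open until
  # `su -` has been tested from that account, or nobody can su to root.
  echo "permit $V_GROUPNAME use su ..."
  echo "/etc/pam.d/su"
  echo "auth sufficient pam_rootok.so"
  echo "auth required pam_wheel.so use_uid group=$V_GROUPNAME"
  if grep -q '^auth[[:space:]]\+required[[:space:]]\+[^#]*pam_wheel\.so' /etc/pam.d/su; then
    echo 'warning:existed'
  else
    if ! grep -q '^auth[[:space:]]\+sufficient[[:space:]]\+[^#]*pam_rootok\.so' /etc/pam.d/su; then
      sed -i '1i auth sufficient pam_rootok.so' /etc/pam.d/su
    fi
    # Insert the wheel check directly after pam_rootok so root itself is
    # still exempt and every other caller is gated on group membership.
    sed -i "/^auth[[:space:]]\+sufficient[[:space:]]\+[^#]*pam_rootok\.so/a auth required pam_wheel.so use_uid group=${V_GROUPNAME}" /etc/pam.d/su
  fi
  ;;

"denyrootssh")
  # Disable root login over SSH. The original only rewrote the commented
  # default "#PermitRootLogin yes" and did nothing when the directive was
  # active or missing, and never reloaded sshd, so the setting was not in
  # effect until the next restart. Now any PermitRootLogin line is set to
  # "no" (appended if none exists), the config is validated with sshd -t,
  # and sshd is reloaded; existing sessions survive a reload.
  # WARNING: make sure a non-root account that can su/sudo can log in over
  # SSH before running this, or you lock yourself out of the host.
  echo "denied root login ..."
  echo "/etc/ssh/sshd_config"
  echo "PermitRootLogin no"
  if grep -q '^[[:space:]]*#\?PermitRootLogin' /etc/ssh/sshd_config; then
    sed -i 's/^[[:space:]]*#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
  else
    echo 'PermitRootLogin no' >> /etc/ssh/sshd_config
  fi
  if sshd -t; then
    service sshd reload
  else
    echo "error: /etc/ssh/sshd_config failed validation (sshd -t); not reloading" >&2
    exit 1
  fi
  ;;

"stopservice")
  # Stop every service in V_SERVICE that has an init script; names with no
  # script are skipped instead of producing "unrecognized service" noise.
  # NOTE(review): auditd and ip6tables are in the default list — stopping
  # them removes audit logging and the IPv6 firewall. Review the list.
  echo "stop services ..."
  for svc in $V_SERVICE; do
    [ -x "/etc/init.d/$svc" ] || continue
    service "$svc" stop
  done
  ;;

"closeservice")
  # Disable boot-time start for every service in V_SERVICE that exists
  # (SysV/chkconfig hosts only; see the note on "stopservice").
  echo "close services autostart ..."
  for svc in $V_SERVICE; do
    [ -x "/etc/init.d/$svc" ] || continue
    chkconfig "$svc" off
  done
  ;;

"tty")
  # Comment out the spare mingetty consoles in /etc/inittab (SysV init
  # only; no effect on upstart/systemd hosts). The original wrapped
  # '[$V_TTY]' in single quotes, so $V_TTY was never expanded and the
  # pattern matched nothing; V_TTY is an ERE alternation, hence sed -r.
  echo "close tty ..."
  echo "/etc/inittab"
  for t in ${V_TTY//|/ }; do
    echo "#${t}:2345:respawn:/sbin/mingetty tty${t}"
  done
  sed -i -r "/^(${V_TTY}):2345:/s/^/#/" /etc/inittab
  ;;

"ctrlaltdel")
  # Disable the Ctrl+Alt+Del reboot entry in /etc/inittab (SysV init only;
  # already-commented lines are left alone, so this is idempotent).
  # NOTE(review): on systemd hosts the equivalent is masking
  # ctrl-alt-del.target — this arm does not cover that.
  echo "close ctrl+alt+del ..."
  echo "/etc/inittab"
  echo "#ca::ctrlaltdel:/sbin/shutdown -t3 -r now"
  sed -i '/^ca::/s/^/#/' /etc/inittab
  ;;

"lockfile")
  # Mark the account databases and /etc/services immutable.
  # WARNING: while +i is set, passwd, chage, useradd/userdel, groupadd and
  # this script's own deluser/delgroup/addgroup arms all fail — run
  # "unlockfile" before any account maintenance. A process that is already
  # root can clear the flag, so this guards against mistakes and careless
  # tooling, not against a root-level attacker.
  echo "lock user&services ..."
  echo "chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services"
  chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services
  ;;

"unlockfile")
  # Reverse "lockfile" so accounts can be managed again.
  echo "unlock user&services ..."
  echo "chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services"
  chattr -i /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/services
  ;;

"chmodinit")
  # Make init scripts root-only and protect the GRUB legacy config.
  # /etc/grub.conf only exists with GRUB legacy, so it is checked first
  # instead of letting chmod/chattr fail. WARNING: the immutable flag also
  # blocks tools that rewrite grub.conf (e.g. a kernel package update);
  # run `chattr -i /etc/grub.conf` before updating kernels.
  echo "init script only for root ..."
  echo "chmod -R 700 /etc/init.d/*"
  chmod -R 700 /etc/init.d/*
  if [ -f /etc/grub.conf ]; then
    echo "chmod 600 /etc/grub.conf"
    echo "chattr +i /etc/grub.conf"
    chmod 600 /etc/grub.conf
    chattr +i /etc/grub.conf
  else
    echo "warning: /etc/grub.conf not found, skipped" >&2
  fi
  ;;

"chmodcommand")
  # Strip setuid/setgid from the binaries in V_SUID; missing paths are
  # reported and skipped instead of failing in chmod. Without the bit,
  # mount/umount no longer work for ordinary users and chage/gpasswd/chfn/
  # chsh/newgrp only work as root. NOTE(review): a later package update
  # typically restores the bit and rpm -V will report the change — re-run
  # this after updates.
  echo "remove SUID ..."
  echo "/usr/bin/chage /usr/bin/gpasswd ..."
  for bin in "${V_SUID[@]}"; do
    if [ -e "$bin" ]; then
      echo "chmod a-s $bin"
      chmod a-s "$bin"
    else
      echo "warning: $bin not found, skipped" >&2
    fi
  done
  ;;

"version")
  echo "Version: Autosafe for Linux $version"
  ;;

*)
  # No argument or a help flag prints usage and exits 0; anything else is
  # an unknown command and exits 1 so callers notice the typo.
  rc=0
  case "$1" in
    ""|help|-h|--help) ;;
    *) echo "Unknown command: $1" >&2; rc=1 ;;
  esac
  echo "Usage: $0 <command>"
  echo ""
  echo " deluser delete user"
  echo " delgroup delete group"
  echo " password change password limit"
  echo " history change history limit"
  echo " logintimeout change login timeout"
  echo " bashhistory denied bashhistory"
  echo " addgroup groupadd $V_GROUPNAME"
  echo " sugroup permit $V_GROUPNAME use su"
  echo " denyrootssh denied root login"
  echo " stopservice stop services "
  echo " closeservice close services"
  echo " tty close tty"
  echo " ctrlaltdel close ctrl+alt+del "
  echo " lockfile lock user&services"
  echo " unlockfile unlock user&services"
  echo " chmodinit init script only for root"
  echo " chmodcommand remove SUID"
  echo " version "
  echo ""
  exit "$rc"
  ;;

esac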

设置权限

chmod u+x ./autosafe.sh

运行脚本

./autosafe.sh deluser

./autosafe.sh delgroup

.....
