本基线脚本为自己所写,仅适用于Centos7,SUSE,TencentOS2.4系统
基线脚本主要包含以下内容
- 密码复杂度:8-32位,同时包含大小写字母,特殊字符
- 密码有效期:不超过90天
- 登录限制:密码输入错误连续5次账号临时锁定
- 连接超时:系统登录10-30分钟不活动,自动断开连接
- 分配三个用户:系统管理员,审计管理员,安全管理员
- 锁定或删除shutdown、halt帐户
- 启用安全审计功能:开启auditd,rsyslog服务
- 禁用telnet.socket服务
- 系统日志保留时间:不小于180天
自动检测/配置脚本
#! /bin/bash
#检查系统版本
function CheckSystem() {
system_version=''
if [[ -e /etc/os-release ]]; then
source /etc/os-release
system_version=${system_version}"PRETTY_NAME: $PRETTY_NAME, "
else
system_version=${system_version}"PRETTY_NAME: `cat /etc/issue|head -n 1`, "
fi
var=${system_version%??}
echo "......${var}......"
}
#检查密码有效期
function CheckPassMaxDays() {
PASS_MAX_DAYS=`cat /etc/login.defs | grep PASS_MAX_DAYS | grep -v ^# | awk '{print $2}'`
if [ -z $PASS_MAX_DAYS ];then
sed -i 's/#PASS_MAX_DAYS/PASS_MAX_DAYS/' /etc/login.defs
PASS_MAX_DAYS=`cat /etc/login.defs | grep PASS_MAX_DAYS | grep -v ^# | awk '{print $2}'`
fi
if [ -z $PASS_MAX_DAYS ];then
echo "............[N] Password Validity Period: Reset failed"
elif [ $PASS_MAX_DAYS -le 90 -a $PASS_MAX_DAYS -ge 30 ];then
echo "......[Y] Password Validity Period: $PASS_MAX_DAYS days"
else
sed -i '/PASS_MAX_DAYS/s/'"${PASS_MAX_DAYS}"'/90/g' /etc/login.defs
PASS_MAX_DAYS=`cat /etc/login.defs | grep PASS_MAX_DAYS | grep -v ^# | awk '{print $2}'`
if [ $PASS_MAX_DAYS -le 90 -a $PASS_MAX_DAYS -ge 30 ];then
echo "......[Y] Password Validity Period: $PASS_MAX_DAYS days"
else
echo "............[N] Password Validity Period: Reset failed"
fi
fi
}
#检查日志保留时间
function CheckLogBackupTime() {
Log_Backup_Time=`cat /etc/logrotate.conf |head -n 10|grep "rotate "| grep -v ^# | head -n 1|awk '{print $2}'`
if [ -z $Log_Backup_Time ];then
sed -i 's/#rotate/rotate/' /etc/logrotate.conf
Log_Backup_Time=`cat /etc/logrotate.conf |head -n 10|grep "rotate "| grep -v ^# | head -n 1|awk '{print $2}'`
fi
if [ -z $Log_Backup_Time ];then
echo "............[N] Log backup Time,Configuration does not exist"
elif [ $Log_Backup_Time -ge 26 ];then
echo "......[Y] Log backup Time: $Log_Backup_Time weeks"
else
sed -i '/rotate/s/'"${Log_Backup_Time}"'/26/g' /etc/logrotate.conf
Log_Backup_Time=`cat /etc/logrotate.conf |head -n 10|grep "rotate "| grep -v ^# | head -n 1|awk '{print $2}'`
if [ $Log_Backup_Time -ge 26 ];then
echo "......[Y] Log backup Time: $Log_Backup_Time weeks"
else
echo "............[N] Log backup Time,Reset failed"
fi
fi
}
#检查会话超时时间
function CheckConnectionTimeout() {
Connection_Timeout=`cat /etc/profile | grep 'export TMOUT' | grep -v ^# | cut -d= -f2`
if [ -z $Connection_Timeout ];then
sed -i '$a export TMOUT=1800' /etc/profile
elif [ $Connection_Timeout -gt 1800 -o $Connection_Timeout -lt 600 ];then
sed -i '/TMOUT/s/'"${Connection_Timeout}"'/1800/g' /etc/profile
fi
source /etc/profile
Connection_Timeout=`cat /etc/profile | grep 'export TMOUT' | grep -v ^# | cut -d= -f2`
if [ $Connection_Timeout -le 1800 -a $Connection_Timeout -ge 600 ];then
echo "......[Y] Connection timeout: $Connection_Timeout seconds"
else
echo "............[N] Connection timeout: Reset failed"
fi
}
#检查共享账户
function CheckSharedUser() {
usermod -L shutdown 2>/dev/null
usermod -L halt 2>/dev/null
echo "......[Y] Shared user: Locked"
}
#检查审计策略
function CheckAuditLogs() {
Audit_Logs=`auditctl -s | grep enabled | awk '{print $2}'`
if [ $Audit_Logs -ne 1 ];then
systemctl start auditd
systemctl enable auditd
fi
Audit_Logs=`auditctl -s | grep enabled | awk '{print $2}'`
if [ $Audit_Logs -eq 1 ];then
echo "......[Y] Audit Policy: $Audit_Logs Enable"
else
echo "............[N] Audit Policy: $Audit_Logs Disabled"
fi
}
#检查分权账户
function CheckAuthorizedUser() {
shenji=`cat /etc/passwd |grep shenji | grep -v ^# | cut -d: -f 1`
anquan=`cat /etc/passwd |grep anquan | grep -v ^# | cut -d: -f 1`
sysadmin=`cat /etc/passwd |grep sysadmin | grep -v ^# | cut -d: -f 1`
if [ -z $shenji ];then
useradd shenji
echo shenji:In123!@#123|chpasswd
sed -i '$a shenji ALL = (root) NOPASSWD: /usr/bin/cat , /usr/bin/less , /usr/bin/more , /usr/bin/tail , /usr/bin/head' /etc/sudoers
fi
if [ -z $anquan ];then
useradd anquan
echo anquan:In123!@#123|chpasswd
fi
if [ -z $sysadmin ];then
useradd sysadmin
echo sysadmin:In123!@#123|chpasswd
fi
shenji=`cat /etc/passwd |grep shenji | grep -v ^# | cut -d: -f 1`
anquan=`cat /etc/passwd |grep anquan | grep -v ^# | cut -d: -f 1`
sysadmin=`cat /etc/passwd |grep sysadmin | grep -v ^# | cut -d: -f 1`
if [ -z $shenji -o -z $anquan -o -z $sysadmin ];then
echo "............[N] Authorized user: $shenji, $anquan, $sysadmin"
else
echo "......[Y] Authorized user: $shenji, $anquan, $sysadmin"
fi
}
#检查登录失败锁定配置CentOS
function CheckLoginFailureLock_CentOS() {
Login_Failure_Lock=`grep "pam_tally2.so" /etc/pam.d/system-auth| grep -v ^#|head -n 1|awk '{print $7}'`
if [ -z $Login_Failure_Lock ];then
sed -i '/pam_tally2.so/s/#auth/auth/g' /etc/pam.d/system-auth
Login_Failure_Lock=`grep "pam_tally2.so" /etc/pam.d/system-auth| grep -v ^#|head -n 1|awk '{print $7}'`
fi
if [ -z $Login_Failure_Lock ];then
sed -i '$a auth required pam_tally2.so onerr=fail audit silent dent=5 unlock_time=600 even_deny_root root_unlock_time=600' /etc/pam.d/system-auth
else
Login_Failure_Lock=`grep "pam_tally2.so onerr=fail audit silent dent=5 unlock_time=600" /etc/pam.d/system-auth| grep -v ^#|awk '{print $7}'`
if [ -z $Login_Failure_Lock ];then
sed -i '/pam_tally2.so/s/auth/#auth/g' /etc/pam.d/system-auth
sed -i '$a auth required pam_tally2.so onerr=fail audit silent dent=5 unlock_time=600 even_deny_root root_unlock_time=600' /etc/pam.d/system-auth
fi
fi
Login_Failure_Lock=`grep "pam_tally2.so onerr=fail audit silent dent=5 unlock_time=600" /etc/pam.d/system-auth| grep -v ^#|awk '{print $7","$8","$10}'`
if [ -z $Login_Failure_Lock ];then
echo "............[N] Login Failure Lock: Reset failed"
else
echo "......[Y] Login Failure Lock: $Login_Failure_Lock"
fi
}
#检查登录失败锁定配置SUSE
function CheckLoginFailureLock_SUSE() {
Login_Failure_Number=`cat /etc/login.defs | grep LOGIN_RETRIES | grep -v ^# | awk '{print $2}'`
if [ -z $Login_Failure_Number ];then
sed -i 's/#LOGIN_RETRIES/LOGIN_RETRIES/' /etc/login.defs
Login_Failure_Number=`cat /etc/login.defs | grep LOGIN_RETRIES | grep -v ^# | awk '{print $2}'`
fi
if [ -z $Login_Failure_Number ];then
echo "............[N] Number of login failures: No configuration"
elif [ $Login_Failure_Number -le 8 -a $Login_Failure_Number -ge 3 ];then
echo "......[Y] Number of login failures: $Login_Failure_Number"
else
sed -i '/LOGIN_RETRIES/s/'"${Login_Failure_Number}"'/5/g' /etc/login.defs
Login_Failure_Number=`cat /etc/login.defs | grep LOGIN_RETRIES | grep -v ^# | awk '{print $2}'`
if [ $Login_Failure_Number -le 8 -a $Login_Failure_Number -ge 3 ];then
echo "......[Y] Number of login failures: $Login_Failure_Number"
else
echo "............[N] Number of login failures: No configuration"
fi
fi
Login_Failure_Time=`cat /etc/login.defs | grep LOGIN_TIMEOUT | grep -v ^# | awk '{print $2}'`
if [ -z $Login_Failure_Time ];then
sed -i 's/#LOGIN_TIMEOUT/LOGIN_TIMEOUT/' /etc/login.defs
Login_Failure_Time=`cat /etc/login.defs | grep LOGIN_TIMEOUT | grep -v ^# | awk '{print $2}'`
fi
if [ -z $Login_Failure_Time ];then
echo "............[N] Login failure lock time: Reset failed"
elif [ $Login_Failure_Time -le 1800 -a $Login_Failure_Time -ge 300 ];then
echo "......[Y] Login failure lock time: $Login_Failure_Time seconds"
else
sed -i '/LOGIN_TIMEOUT/s/'"${Login_Failure_Time}"'/300/g' /etc/login.defs
Login_Failure_Time=`cat /etc/login.defs | grep LOGIN_TIMEOUT | grep -v ^# | awk '{print $2}'`
if [ $Login_Failure_Time -le 1800 -a $Login_Failure_Time -ge 300 ];then
echo "......[Y] Login failure lock time: $Login_Failure_Time seconds"
else
echo "............[N] Login failure lock time: Reset failed"
fi
fi
}
#检查密码策略CentOS
function CheckPasswordPolicy_CentOS() {
Password_Policy=`grep "pam_cracklib.so" /etc/pam.d/system-auth| grep -v ^#|awk '{print $4}'`
if [ -z $Password_Policy ];then
sed -i '/pam_cracklib.so/s/#password/password/g' /etc/pam.d/system-auth
Password_Policy=`grep "pam_cracklib.so" /etc/pam.d/system-auth| grep -v ^#|awk '{print $4}'`
fi
if [ -z $Password_Policy ];then
sed -i '$a password requisite pam_cracklib.so minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1' /etc/pam.d/system-auth
else
Password_Policy=`grep "pam_cracklib.so minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1" /etc/pam.d/system-auth| grep -v ^#|awk '{print $4}'`
if [ -z $Password_Policy ];then
sed -i '/pam_cracklib.so/s/password/#password/g' /etc/pam.d/system-auth
sed -i '$a password requisite pam_cracklib.so minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1' /etc/pam.d/system-auth
fi
fi
Password_Policy=`grep "pam_cracklib.so minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1" /etc/pam.d/system-auth| grep -v ^#|awk '{print $4","$5","$6","$7","$8}'`
if [ -z $Password_Policy ];then
echo "............[N] Password Policy: Reset failed"
else
echo "......[Y] Password Policy: $Password_Policy"
fi
}
#检查密码策略SUSE
function CheckPasswordPolicy_SUSE() {
Password_Policy=`grep "pam_cracklib.so" /etc/pam.d/common-password| grep -v ^#|awk '{print $4}'`
if [ -z $Password_Policy ];then
sed -i '/pam_cracklib.so/s/#password/password/g' /etc/pam.d/common-password
Password_Policy=`grep "pam_cracklib.so" /etc/pam.d/common-password| grep -v ^#|awk '{print $4}'`
fi
if [ -z $Password_Policy ];then
sed -i '$a password requisite pam_cracklib.so retry=3 difok=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1' /etc/pam.d/common-password
else
Password_Policy=`grep "minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1" /etc/pam.d/common-password| grep -v ^#|awk '{print $4}'`
if [ -z $Password_Policy ];then
sed -i '/pam_cracklib.so/s/password/#password/g' /etc/pam.d/common-password
sed -i '$a password requisite pam_cracklib.so retry=3 difok=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1' /etc/pam.d/common-password
fi
fi
Password_Policy=`grep "minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1" /etc/pam.d/common-password| grep -v ^#|awk '{print $4","$5","$6","$7","$8}'`
if [ -z $Password_Policy ];then
echo "............[N] Password Policy: Reset failed"
else
echo "......[Y] Password Policy: $Password_Policy"
fi
}
#检查日志服务CentOS
function CheckLogService_CentOS() {
Log_Service=`systemctl status rsyslog | grep active | awk '{print $3}'`
if [ $Log_Service != "(running)" ];then
systemctl start rsyslog
systemctl enable rsyslog
fi
Log_Service=`systemctl status rsyslog | grep active | awk '{print $3}'`
if [ $Log_Service = "(running)" ];then
echo "......[Y] Log Service: $Log_Service"
else
echo "............[N] Log Service: $Log_Service"
fi
}
#检查日志服务SUSE
function CheckLogService_SUSE() {
Log_Service=`systemctl status syslog-ng | grep active | awk '{print $3}'`
if [ $Log_Service != "(running)" ];then
systemctl start syslog-ng
systemctl enable syslog-ng
fi
Log_Service=`systemctl status syslog-ng | grep active | awk '{print $3}'`
if [ $Log_Service = "(running)" ];then
echo "......[Y] Log Service: $Log_Service"
else
zypper install syslog-ng -y 2>/dev/null
systemctl start syslog-ng
systemctl enable syslog-ng
Log_Service=`systemctl status syslog-ng | grep active | awk '{print $3}'`
if [ $Log_Service = "(running)" ];then
echo "......[Y] Log Service: $Log_Service"
else
echo "............[N] Log Service: Reset failed"
fi
fi
}
#停用telnet-server服务
function CheckTelnetServer() {
Telnet_Server=`rpm -qa|grep telnet-server`
if [ -z $Telnet_Server ];then
echo "......[Y] Telnet Server: Not installed"
else
systemctl stop telnet.socket
systemctl disable telnet.socket
echo "......[Y] Telnet Server: disable"
fi
}
main() {
CheckSystem
system_v=`echo $var | cut -d " " -f 2`
if [ $system_v = "CentOS" -o $system_v = "TencentOS" ];then
CheckPassMaxDays
CheckLogBackupTime
CheckConnectionTimeout
CheckSharedUser
CheckAuthorizedUser
CheckAuditLogs
CheckLogService_CentOS
CheckPasswordPolicy_CentOS
CheckLoginFailureLock_CentOS
CheckTelnetServer
elif [ $system_v = "SUSE" ];then
# CheckPassMaxDays
CheckLogBackupTime
CheckConnectionTimeout
CheckSharedUser
CheckAuthorizedUser
CheckAuditLogs
CheckLogService_SUSE
CheckPasswordPolicy_SUSE
CheckLoginFailureLock_SUSE
CheckTelnetServer
elif [ $system_v = "Ubuntu" ];then
# CheckPassMaxDays
CheckLogBackupTime
CheckConnectionTimeout
CheckSharedUser
CheckAuthorizedUser
echo "............[N] Audit Policy: 暂不支持该系统"
CheckLogService_CentOS
echo "............[N] Password Policy: 暂不支持该系统"
echo "............[N] Login Failure Lock: 暂不支持该系统"
echo "............[N] Telnet Server: 暂不支持该系统"
else
# CheckPassMaxDays
CheckLogBackupTime
CheckConnectionTimeout
CheckSharedUser
CheckAuthorizedUser
CheckAuditLogs
echo "............[N] Log Service: 暂不支持该系统"
echo "............[N] Password Policy: 暂不支持该系统"
echo "............[N] Login Failure Lock: 暂不支持该系统"
echo "............[N] Telnet Server: 暂不支持该系统"
fi
}
main