CentOS基线脚本，三级等保服务器系统安全配置脚本

菜鸟白小白

已于 2024-01-16 10:31:56 修改

阅读量737

点赞数 20

分类专栏：运维安全 shell Linux 文章标签：服务器 centos 系统安全基线

于 2024-01-16 10:30:26 首次发布

本文链接：https://blog.csdn.net/weixin_45768191/article/details/135617904

版权

Linux 同时被 3 个专栏收录

16 篇文章 0 订阅

订阅专栏

运维安全

6 篇文章 1 订阅

订阅专栏

shell

5 篇文章 0 订阅

订阅专栏

本基线脚本为自己所写，仅适用于Centos7，SUSE，TencentOS2.4系统

基线脚本主要包含以下内容

密码复杂度：8-32位，同时包含大小写字母，特殊字符
密码有效期：不超过90天
登录限制：密码输入错误连续5次账号临时锁定
连接超时：系统登录10-30分钟不活动，自动断开连接
分配三个用户：系统管理员，审计管理员，安全管理员
锁定或删除shutdown、halt帐户
启用安全审计功能：开启auditd，rsyslog服务
禁用telnet.socket服务
系统日志保留时间：不小于180天

自动检测/配置脚本

#! /bin/bash

#检查系统版本
function CheckSystem() {
    system_version=''
    if [[ -e /etc/os-release ]]; then
        source /etc/os-release 
        system_version=${system_version}"PRETTY_NAME: $PRETTY_NAME, "
	else
		system_version=${system_version}"PRETTY_NAME: `cat /etc/issue|head -n 1`, "
    fi
    var=${system_version%??}
    echo "......${var}......"
}

#检查密码有效期
function CheckPassMaxDays() {
	PASS_MAX_DAYS=`cat /etc/login.defs  | grep PASS_MAX_DAYS | grep -v ^# | awk '{print $2}'`
	if [ -z $PASS_MAX_DAYS ];then		
		sed -i 's/#PASS_MAX_DAYS/PASS_MAX_DAYS/' /etc/login.defs
		PASS_MAX_DAYS=`cat /etc/login.defs | grep PASS_MAX_DAYS | grep -v ^# | awk '{print $2}'`
	fi
	if [ -z $PASS_MAX_DAYS ];then
		echo "............[N] Password Validity Period: Reset failed"
	elif [ $PASS_MAX_DAYS -le 90 -a $PASS_MAX_DAYS -ge 30 ];then
		echo "......[Y] Password Validity Period: $PASS_MAX_DAYS days"
	else
		sed -i '/PASS_MAX_DAYS/s/'"${PASS_MAX_DAYS}"'/90/g' /etc/login.defs
		PASS_MAX_DAYS=`cat /etc/login.defs | grep PASS_MAX_DAYS | grep -v ^# | awk '{print $2}'`
		if [ $PASS_MAX_DAYS -le 90 -a $PASS_MAX_DAYS -ge 30 ];then
			echo "......[Y] Password Validity Period: $PASS_MAX_DAYS days"
		else
			echo "............[N] Password Validity Period: Reset failed"
		fi
	fi
}

#检查日志保留时间
function CheckLogBackupTime() {

	Log_Backup_Time=`cat /etc/logrotate.conf |head -n 10|grep "rotate "| grep -v ^# | head -n 1|awk '{print $2}'`
	if [ -z $Log_Backup_Time ];then
		
		sed -i 's/#rotate/rotate/' /etc/logrotate.conf
		Log_Backup_Time=`cat /etc/logrotate.conf |head -n 10|grep "rotate "| grep -v ^# | head -n 1|awk '{print $2}'`
	fi
	if [ -z $Log_Backup_Time ];then
		echo "............[N] Log backup Time,Configuration does not exist"
	elif [ $Log_Backup_Time  -ge 26 ];then
		echo "......[Y] Log backup Time: $Log_Backup_Time weeks"
	else
		sed -i '/rotate/s/'"${Log_Backup_Time}"'/26/g' /etc/logrotate.conf
		Log_Backup_Time=`cat /etc/logrotate.conf |head -n 10|grep "rotate "| grep -v ^# | head -n 1|awk '{print $2}'`
		if [ $Log_Backup_Time -ge 26 ];then
			echo "......[Y] Log backup Time: $Log_Backup_Time weeks"
		else
			echo "............[N] Log backup Time,Reset failed"
		fi
	fi
}

#检查会话超时时间
function CheckConnectionTimeout() {
	Connection_Timeout=`cat /etc/profile | grep 'export TMOUT' | grep -v ^# | cut -d= -f2`
	if [ -z $Connection_Timeout ];then
		sed -i '$a export TMOUT=1800' /etc/profile
	elif [ $Connection_Timeout -gt 1800 -o $Connection_Timeout -lt 600 ];then
		sed -i '/TMOUT/s/'"${Connection_Timeout}"'/1800/g' /etc/profile
	fi
	source /etc/profile
	Connection_Timeout=`cat /etc/profile | grep 'export TMOUT' | grep -v ^# | cut -d= -f2`
	if [ $Connection_Timeout -le 1800 -a $Connection_Timeout -ge 600 ];then
		echo "......[Y] Connection timeout: $Connection_Timeout seconds"
	else
		echo "............[N] Connection timeout: Reset failed"
	fi

}

#检查共享账户
function CheckSharedUser() {
	usermod -L shutdown 2>/dev/null
	usermod -L halt 2>/dev/null
	echo "......[Y] Shared user: Locked"
}

#检查审计策略
function CheckAuditLogs() {
	Audit_Logs=`auditctl -s | grep enabled | awk '{print $2}'`
	if [ $Audit_Logs -ne 1 ];then
		systemctl start auditd
		systemctl enable auditd
	fi
	Audit_Logs=`auditctl -s | grep enabled | awk '{print $2}'`
	if [ $Audit_Logs -eq 1 ];then
		echo "......[Y] Audit Policy: $Audit_Logs Enable"
	else
		echo "............[N] Audit Policy: $Audit_Logs Disabled"
	fi
}

#检查分权账户
function CheckAuthorizedUser() {
	shenji=`cat /etc/passwd |grep shenji | grep -v ^# | cut -d: -f 1`
	anquan=`cat /etc/passwd |grep anquan | grep -v ^# | cut -d: -f 1`
	sysadmin=`cat /etc/passwd |grep sysadmin | grep -v ^# | cut -d: -f 1`
	if [ -z $shenji ];then
		useradd shenji
		echo shenji:In123!@#123|chpasswd
		sed -i '$a shenji ALL = (root) NOPASSWD: /usr/bin/cat , /usr/bin/less , /usr/bin/more , /usr/bin/tail , /usr/bin/head' /etc/sudoers
	fi
	if [ -z $anquan ];then
		useradd anquan
		echo anquan:In123!@#123|chpasswd
	fi
	if [ -z $sysadmin ];then
		useradd sysadmin
		echo sysadmin:In123!@#123|chpasswd
	fi
	shenji=`cat /etc/passwd |grep shenji | grep -v ^# | cut -d: -f 1`
	anquan=`cat /etc/passwd |grep anquan | grep -v ^# | cut -d: -f 1`
	sysadmin=`cat /etc/passwd |grep sysadmin | grep -v ^# | cut -d: -f 1`
	if [ -z $shenji -o -z $anquan -o -z $sysadmin ];then
		echo "............[N] Authorized user: $shenji, $anquan, $sysadmin"
	else
		echo "......[Y] Authorized user: $shenji, $anquan, $sysadmin"
	fi
}

#检查登录失败锁定配置CentOS
function CheckLoginFailureLock_CentOS() {
	Login_Failure_Lock=`grep "pam_tally2.so" /etc/pam.d/system-auth| grep -v ^#|head -n 1|awk '{print $7}'`
	if [ -z $Login_Failure_Lock ];then
		sed -i '/pam_tally2.so/s/#auth/auth/g' /etc/pam.d/system-auth
		Login_Failure_Lock=`grep "pam_tally2.so" /etc/pam.d/system-auth| grep -v ^#|head -n 1|awk '{print $7}'`
	fi 
	if [ -z $Login_Failure_Lock ];then
			sed -i '$a auth required pam_tally2.so onerr=fail audit silent dent=5 unlock_time=600 even_deny_root root_unlock_time=600' /etc/pam.d/system-auth
	else
		Login_Failure_Lock=`grep "pam_tally2.so onerr=fail audit silent dent=5 unlock_time=600" /etc/pam.d/system-auth| grep -v ^#|awk '{print $7}'`
		if [ -z $Login_Failure_Lock ];then
			sed -i '/pam_tally2.so/s/auth/#auth/g' /etc/pam.d/system-auth
			sed -i '$a auth required pam_tally2.so onerr=fail audit silent dent=5 unlock_time=600 even_deny_root root_unlock_time=600' /etc/pam.d/system-auth
		fi
	fi
	Login_Failure_Lock=`grep "pam_tally2.so onerr=fail audit silent dent=5 unlock_time=600" /etc/pam.d/system-auth| grep -v ^#|awk '{print $7","$8","$10}'`
	if [ -z $Login_Failure_Lock ];then
		echo "............[N] Login Failure Lock: Reset failed"
	else
		echo "......[Y] Login Failure Lock: $Login_Failure_Lock"
	fi

}

#检查登录失败锁定配置SUSE
function CheckLoginFailureLock_SUSE() {
	Login_Failure_Number=`cat /etc/login.defs  | grep LOGIN_RETRIES | grep -v ^# | awk '{print $2}'`	
	if [ -z $Login_Failure_Number ];then		
		sed -i 's/#LOGIN_RETRIES/LOGIN_RETRIES/' /etc/login.defs
		Login_Failure_Number=`cat /etc/login.defs  | grep LOGIN_RETRIES | grep -v ^# | awk '{print $2}'`
	fi
	if [ -z $Login_Failure_Number ];then
		echo "............[N] Number of login failures: No configuration"
	elif [ $Login_Failure_Number -le 8 -a $Login_Failure_Number -ge 3 ];then
		echo "......[Y] Number of login failures: $Login_Failure_Number"
	else
		sed -i '/LOGIN_RETRIES/s/'"${Login_Failure_Number}"'/5/g' /etc/login.defs
		Login_Failure_Number=`cat /etc/login.defs | grep LOGIN_RETRIES | grep -v ^# | awk '{print $2}'`
		if [ $Login_Failure_Number -le 8 -a $Login_Failure_Number -ge 3 ];then
			echo "......[Y] Number of login failures: $Login_Failure_Number"
		else
			echo "............[N] Number of login failures: No configuration"
		fi
	fi
	
	Login_Failure_Time=`cat /etc/login.defs  | grep LOGIN_TIMEOUT | grep -v ^# | awk '{print $2}'`
		if [ -z $Login_Failure_Time ];then		
		sed -i 's/#LOGIN_TIMEOUT/LOGIN_TIMEOUT/' /etc/login.defs
		Login_Failure_Time=`cat /etc/login.defs  | grep LOGIN_TIMEOUT | grep -v ^# | awk '{print $2}'`
	fi
	if [ -z $Login_Failure_Time ];then
		echo "............[N] Login failure lock time: Reset failed"
	elif [ $Login_Failure_Time -le 1800 -a $Login_Failure_Time -ge 300 ];then
		echo "......[Y] Login failure lock time: $Login_Failure_Time seconds"
	else
		sed -i '/LOGIN_TIMEOUT/s/'"${Login_Failure_Time}"'/300/g' /etc/login.defs
		Login_Failure_Time=`cat /etc/login.defs | grep LOGIN_TIMEOUT | grep -v ^# | awk '{print $2}'`
		if [ $Login_Failure_Time -le 1800 -a $Login_Failure_Time -ge 300 ];then
			echo "......[Y] Login failure lock time: $Login_Failure_Time seconds"
		else
			echo "............[N] Login failure lock time: Reset failed"
		fi
	fi
	
}


#检查密码策略CentOS
function CheckPasswordPolicy_CentOS() {
	Password_Policy=`grep "pam_cracklib.so" /etc/pam.d/system-auth| grep -v ^#|awk '{print $4}'`
	if [ -z $Password_Policy ];then
		sed -i '/pam_cracklib.so/s/#password/password/g' /etc/pam.d/system-auth
		Password_Policy=`grep "pam_cracklib.so" /etc/pam.d/system-auth| grep -v ^#|awk '{print $4}'`
	fi 
	if [ -z $Password_Policy ];then
			sed -i '$a password requisite pam_cracklib.so minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1' /etc/pam.d/system-auth
	else
		Password_Policy=`grep "pam_cracklib.so minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1" /etc/pam.d/system-auth| grep -v ^#|awk '{print $4}'`
		if [ -z $Password_Policy ];then
			sed -i '/pam_cracklib.so/s/password/#password/g' /etc/pam.d/system-auth
			sed -i '$a password requisite pam_cracklib.so minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1' /etc/pam.d/system-auth
		fi
	fi
	Password_Policy=`grep "pam_cracklib.so minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1" /etc/pam.d/system-auth| grep -v ^#|awk '{print $4","$5","$6","$7","$8}'`
	if [ -z $Password_Policy ];then
		echo "............[N] Password Policy: Reset failed"
	else
		echo "......[Y] Password Policy: $Password_Policy"
	fi
}

#检查密码策略SUSE
function CheckPasswordPolicy_SUSE() {
	Password_Policy=`grep "pam_cracklib.so" /etc/pam.d/common-password| grep -v ^#|awk '{print $4}'`
	if [ -z $Password_Policy ];then
		sed -i '/pam_cracklib.so/s/#password/password/g' /etc/pam.d/common-password
		Password_Policy=`grep "pam_cracklib.so" /etc/pam.d/common-password| grep -v ^#|awk '{print $4}'`
	fi 
	if [ -z $Password_Policy ];then
			sed -i '$a password requisite pam_cracklib.so retry=3 difok=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1' /etc/pam.d/common-password
	else
		Password_Policy=`grep "minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1" /etc/pam.d/common-password| grep -v ^#|awk '{print $4}'`
		if [ -z $Password_Policy ];then
			sed -i '/pam_cracklib.so/s/password/#password/g' /etc/pam.d/common-password
			sed -i '$a password requisite pam_cracklib.so retry=3 difok=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1' /etc/pam.d/common-password
		fi
	fi
	Password_Policy=`grep "minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1" /etc/pam.d/common-password| grep -v ^#|awk '{print $4","$5","$6","$7","$8}'`
	if [ -z $Password_Policy ];then
		echo "............[N] Password Policy: Reset failed"
	else
		echo "......[Y] Password Policy: $Password_Policy"
	fi
}

#检查日志服务CentOS
function CheckLogService_CentOS() {
	Log_Service=`systemctl status rsyslog | grep active | awk '{print $3}'`
	if [ $Log_Service != "(running)" ];then
		systemctl start rsyslog
		systemctl enable rsyslog
	fi
	Log_Service=`systemctl status rsyslog | grep active | awk '{print $3}'`
	if [ $Log_Service = "(running)" ];then
		echo "......[Y] Log Service: $Log_Service"
	else
		echo "............[N] Log Service: $Log_Service"
	fi
}

#检查日志服务SUSE
function CheckLogService_SUSE() {
	Log_Service=`systemctl status syslog-ng | grep active | awk '{print $3}'`
	if [ $Log_Service != "(running)" ];then
		systemctl start syslog-ng
		systemctl enable syslog-ng
	fi
	Log_Service=`systemctl status syslog-ng | grep active | awk '{print $3}'`
	if [ $Log_Service = "(running)" ];then
		echo "......[Y] Log Service: $Log_Service"
	else
		zypper install syslog-ng -y 2>/dev/null
		systemctl start syslog-ng
		systemctl enable syslog-ng
		Log_Service=`systemctl status syslog-ng | grep active | awk '{print $3}'`
		if [ $Log_Service = "(running)" ];then
			echo "......[Y] Log Service: $Log_Service"
		else
			echo "............[N] Log Service: Reset failed"
		fi
	fi
}

#停用telnet-server服务
function CheckTelnetServer() {
	Telnet_Server=`rpm -qa|grep telnet-server`
	if [ -z $Telnet_Server ];then
		echo "......[Y] Telnet Server: Not installed"
	else
		systemctl stop telnet.socket 
		systemctl disable telnet.socket
		echo "......[Y] Telnet Server: disable"
	fi
	
}

main() {
	CheckSystem
	system_v=`echo $var | cut -d " " -f 2`
	if [ $system_v = "CentOS" -o $system_v = "TencentOS" ];then
		CheckPassMaxDays
		CheckLogBackupTime
		CheckConnectionTimeout
		CheckSharedUser
		CheckAuthorizedUser
		CheckAuditLogs
		CheckLogService_CentOS
		CheckPasswordPolicy_CentOS
		CheckLoginFailureLock_CentOS
		CheckTelnetServer
	elif [ $system_v = "SUSE" ];then
	#	CheckPassMaxDays
		CheckLogBackupTime
		CheckConnectionTimeout
		CheckSharedUser
		CheckAuthorizedUser
		CheckAuditLogs
		CheckLogService_SUSE
		CheckPasswordPolicy_SUSE
		CheckLoginFailureLock_SUSE
		CheckTelnetServer
	elif [ $system_v = "Ubuntu" ];then
	#	CheckPassMaxDays
		CheckLogBackupTime
		CheckConnectionTimeout
		CheckSharedUser
		CheckAuthorizedUser
		echo "............[N] Audit Policy: 暂不支持该系统"
		CheckLogService_CentOS
		echo "............[N] Password Policy: 暂不支持该系统"
		echo "............[N] Login Failure Lock: 暂不支持该系统"
		echo "............[N] Telnet Server: 暂不支持该系统"
		
	else
	#	CheckPassMaxDays
		CheckLogBackupTime
		CheckConnectionTimeout
		CheckSharedUser
		CheckAuthorizedUser
		CheckAuditLogs
		echo "............[N] Log Service: 暂不支持该系统"
		echo "............[N] Password Policy: 暂不支持该系统"
		echo "............[N] Login Failure Lock: 暂不支持该系统"
		echo "............[N] Telnet Server: 暂不支持该系统"
    fi
}
main