centos7系统安全基线配置脚本

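#!/bin/bash
# Security baseline for RHEL/CentOS 7.x: password ageing and complexity,
# default umask, root SSH login, idle shell timeout, ICMP redirects, login
# lockout, password history and su/cron logging.
#
# Must run as root. Every file that is modified is first copied to
# <file>.bak<YYYYMMDD>; an existing backup is never overwritten, so a second
# run on the same day keeps the pristine copy. Each step is idempotent.
#
# Caveats to know before running:
#   * PAM rules go into /etc/pam.d/system-auth only; sshd on RHEL7 uses
#     password-auth, so add it to pam_files to cover SSH logins. authconfig(8)
#     regenerates both files and discards these edits.
#   * login.defs ageing values apply to accounts created afterwards; existing
#     accounts need chage(1).
#   * "PermitRootLogin no" locks root out of SSH; make sure another account
#     with sudo access exists first.

set -euo pipefail

fdate=$(date +%Y%m%d)
readonly fdate

# PAM files that receive the complexity, lockout and history rules (2, 8, 9).
pam_files=(/etc/pam.d/system-auth)

die()  { printf 'error: %s\n' "$*" >&2; exit 1; }
warn() { printf 'warn: %s\n' "$*" >&2; }

# sed -i on /etc silently does nothing useful for a non-root user.
[[ $EUID -eq 0 ]] || die 'this script must run as root'

#######################################
# Copy a file to <file>.bak<fdate> unless that backup already exists.
# Arguments: $1 - path of the file about to be modified
# Returns:   0 if the file exists (backup made or already present), 1 otherwise
#######################################
backup_file() {
  local f=$1
  [[ -f "$f" ]] || return 1
  [[ -e "$f.bak$fdate" ]] || cp -fp -- "$f" "$f.bak$fdate"
}

#######################################
# Set "KEY VALUE" in /etc/login.defs: replace an active KEY line, else append.
# Arguments: $1 - key (e.g. PASS_MAX_DAYS), $2 - value
#######################################
set_login_def() {
  local key=$1 value=$2
  if grep -q "^${key}[[:space:]]" /etc/login.defs; then
    sed -i "/^${key}[[:space:]]/c ${key} ${value}" /etc/login.defs
  else
    printf '%s %s\n' "$key" "$value" >> /etc/login.defs
  fi
}

#######################################
# Set "key = value" in /etc/sysctl.conf: replace an existing key line, else append.
# Arguments: $1 - sysctl key, $2 - value
#######################################
set_sysctl() {
  local key=$1 value=$2 esc
  # dots are regex metacharacters; escape them so the match is exact
  esc=$(printf '%s' "$key" | sed 's/\./\\./g')
  if grep -q "^[[:space:]]*${esc}[[:space:]]*=" /etc/sysctl.conf; then
    sed -i "/^[[:space:]]*${esc}[[:space:]]*=/c ${key} = ${value}" /etc/sysctl.conf
  else
    printf '%s = %s\n' "$key" "$value" >> /etc/sysctl.conf
  fi
}

#######################################
# Apply the PAM rules (complexity, lockout, history) to one pam.d file.
# Arguments: $1 - pam.d file, e.g. /etc/pam.d/system-auth
#######################################
harden_pam_file() {
  local f=$1
  local pwq_opts='local_users_only retry=3 authtok_type= minlen=9 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 minclass=3'
  local crack_opts='retry=3 authtok_type= minlen=9 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 minclass=3 difok=3'
  local tally_opts='deny=5 onerr=fail no_magic_root unlock_time=600'

  backup_file "$f" || { warn "$f not found, skipping"; return 0; }

  ### 2. Password complexity: rewrite an active pwquality/cracklib line in place.
  sed -i -e "/^[^#].*pam_cracklib\.so/c password    requisite     pam_cracklib.so $crack_opts" \
         -e "/^[^#].*pam_pwquality\.so/c password    requisite     pam_pwquality.so $pwq_opts" "$f"
  if ! grep -q -E '^[^#].*pam_(pwquality|cracklib)\.so' "$f"; then
    if grep -q '^password.*pam_unix\.so' "$f"; then
      # Must precede pam_unix: a "sufficient" pam_unix ends the stack on
      # success, so a rule appended after it would never run.
      sed -i "0,/^password.*pam_unix\.so/!b;//i password    requisite     pam_pwquality.so $pwq_opts" "$f"
    else
      printf 'password    requisite     pam_pwquality.so %s\n' "$pwq_opts" >> "$f"
    fi
  fi

  ### 8. Lock the account for 600 s after 5 consecutive failed logins.
  if grep -q '^auth.*pam_tally2\.so' "$f"; then
    sed -i "/^auth.*pam_tally2\.so/c auth        required      pam_tally2.so $tally_opts" "$f"
  elif grep -q '^auth.*pam_unix\.so' "$f"; then
    # Counting only works if pam_tally2 runs before pam_unix; insert directly
    # before it instead of at a fixed line number.
    sed -i "0,/^auth.*pam_unix\.so/!b;//i auth        required      pam_tally2.so $tally_opts" "$f"
  else
    warn "no 'auth ... pam_unix.so' line in $f; pam_tally2 lockout not installed"
  fi
  if ! grep -q '^account.*pam_tally2\.so' "$f"; then
    sed -i '0,/^account/!b;//i account     required      pam_tally2.so' "$f"
  fi

  ### 9. Remember the last 5 passwords (remember= is a pam_unix option).
  if ! grep -q -E '^password.*sufficient.*pam_unix\.so.*remember=' "$f"; then
    sed -i 's/^password.*sufficient.*pam_unix\.so.*$/& remember=5/' "$f"
  fi
}

### 1. and 3. Password ageing, minimum length and default umask in login.defs
backup_file /etc/login.defs || die '/etc/login.defs not found'
set_login_def PASS_MAX_DAYS 90
set_login_def PASS_MIN_DAYS 7
set_login_def PASS_MIN_LEN 8   # RHEL7 enforces length via pam_pwquality minlen; kept for the baseline check
set_login_def PASS_WARN_AGE 30
set_login_def UMASK 027

### 2., 8. and 9. PAM complexity, lockout and password history
for f in "${pam_files[@]}"; do
  harden_pam_file "$f"
done

### 4. Default umask 077 in the system-wide shell rc files
for f in /etc/csh.cshrc /etc/bashrc /etc/profile; do
  backup_file "$f" || { warn "$f not found, skipping"; continue; }
  # only touch the umask argument itself, not any other 002/022 on the line
  sed -i -e 's/\(umask[[:space:]]\+\)002\b/\1077/' \
         -e 's/\(umask[[:space:]]\+\)022\b/\1077/' "$f"
done

### 5. Disable root login over SSH
if [[ -f /etc/ssh/sshd_config ]]; then
  backup_file /etc/ssh/sshd_config
  sed -i -e '/^#PermitRootLogin yes/c PermitRootLogin no' \
         -e 's/^PermitRootLogin.*$/PermitRootLogin no/' /etc/ssh/sshd_config
  # Insert at the top rather than append, so the directive cannot land inside
  # a trailing Match block.
  grep -q '^PermitRootLogin' /etc/ssh/sshd_config || sed -i '1i PermitRootLogin no' /etc/ssh/sshd_config
  # Validate before restarting: a broken config would leave the host unreachable.
  if /usr/sbin/sshd -t; then
    systemctl restart sshd
  else
    warn 'sshd_config fails validation; sshd not restarted, fix the config by hand'
  fi
fi

### 6. Idle shell timeout of 600 seconds (effective at the next login)
backup_file /etc/profile || die '/etc/profile not found'
if grep -q -E '^(export[[:space:]]+)?TMOUT=' /etc/profile; then
  sed -i -E '/^(export[[:space:]]+)?TMOUT=/c export TMOUT=600' /etc/profile
else
  printf 'export TMOUT=600\n' >> /etc/profile
fi
# Add "readonly TMOUT" next to it if users must not be able to override the timeout.

### 7. Ignore ICMP redirects
backup_file /etc/sysctl.conf || die '/etc/sysctl.conf not found'
set_sysctl net.ipv4.conf.all.accept_redirects 0
set_sysctl net.ipv4.conf.default.accept_redirects 0
sysctl -q -p || warn 'sysctl -p reported errors; check /etc/sysctl.conf'

### 10. su/cron logging via rsyslog
backup_file /etc/rsyslog.conf || die '/etc/rsyslog.conf not found'
rsyslog_changed=0
if ! grep -q '^cron\.' /etc/rsyslog.conf; then
  printf 'cron.*\t\t/var/log/cron\n' >> /etc/rsyslog.conf
  rsyslog_changed=1
fi
if ! grep -q '^authpriv\.info' /etc/rsyslog.conf; then
  printf 'authpriv.info\t/var/log/authlog\n' >> /etc/rsyslog.conf
  rsyslog_changed=1
fi
if (( rsyslog_changed )); then
  systemctl restart rsyslog
fi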
