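#!/bin/bash
# Security baseline for RHEL / CentOS 7.x.
#
# Applies: password ageing (login.defs), password quality and reuse (PAM),
# default umask, SSH root-login ban, shell idle timeout, ICMP redirect
# acceptance, login lockout (pam_tally2) and cron/authpriv logging.
#
# Must run as root.  Every file is copied to $backup_dir (root-only, not
# /tmp) before it is changed, so each step can be reverted by hand.  The
# script is idempotent: running it twice never duplicates a directive.
#
# Notes for the operator:
#  * /etc/pam.d/system-auth and password-auth are symlinks to the *-ac files
#    generated by authconfig; we edit through the symlink, so a later
#    `authconfig --update` will regenerate them and undo the PAM settings.
#  * sshd and `login` authenticate through password-auth, su/sudo through
#    system-auth, so both files are hardened (the old script only touched
#    system-auth, which left SSH logins without lockout or quality checks).
#  * login.defs ageing values only apply to accounts created afterwards;
#    existing accounts need `chage`.
set -euo pipefail

fdate=$(date +%Y%m%d) || exit 1
readonly fdate
readonly backup_dir="/root/baseline-backup-${fdate}"

log()  { printf '[baseline] %s\n' "$*"; }
warn() { printf '[baseline] WARNING: %s\n' "$*" >&2; }
die()  { printf '[baseline] ERROR: %s\n' "$*" >&2; exit 1; }

# Where the pristine copy of a file lives for this run (slashes -> '_').
backup_path() {
  printf '%s/%s\n' "$backup_dir" "${1//\//_}"
}

# Copy a file into $backup_dir once per run, preserving mode/owner.  A second
# call for the same file is a no-op so the backup stays the ORIGINAL, not a
# half-modified intermediate.
backup() {
  local src=$1 dst
  dst=$(backup_path "$src")
  [[ -e "$src" ]] || return 0
  [[ -e "$dst" ]] || cp -fp -- "$src" "$dst"
}

# Set "KEY VALUE" in a login.defs-style file: rewrite the active line when
# present, append otherwise (the old `sed /c` silently did nothing when the
# key was missing).  Keys/values are script constants, never external input,
# so interpolating them into sed is safe.
set_kv() {
  local file=$1 key=$2 value=$3
  if grep -qE "^${key}([[:space:]]|$)" "$file"; then
    sed -i -E "s/^${key}([[:space:]].*)?$/${key} ${value}/" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# Set "key = value" in /etc/sysctl.conf.  A commented-out or existing line
# for the key is replaced in place; otherwise the line is appended with
# printf (sed '$a' appends nothing to an empty file).
set_sysctl() {
  local key=$1 value=$2 file=/etc/sysctl.conf
  # '.' -> '[.]' keeps the key literal in the ERE without backslash games.
  local re="^[[:space:]#]*${key//./[.]}[[:space:]]*="
  if grep -qE "$re" "$file"; then
    sed -i -E "/${re}/c ${key} = ${value}" "$file"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

### 1/3. Password lifetime, minimum length, warning age, default UMASK.
harden_login_defs() {
  local f=/etc/login.defs
  backup "$f"
  set_kv "$f" PASS_MAX_DAYS 90
  set_kv "$f" PASS_MIN_DAYS 7
  # PASS_MIN_LEN is ignored once pam_pwquality is in the stack; the
  # effective floor is pwquality's minlen=9 below.  Kept for tools that
  # still read it.
  set_kv "$f" PASS_MIN_LEN 8
  set_kv "$f" PASS_WARN_AGE 30
  set_kv "$f" UMASK 027
}

### 2/8/9. Password quality, login lockout and password reuse for one PAM file.
harden_pam() {
  local f=$1
  [[ -f "$f" ]] || { warn "$f not found, skipping"; return 0; }
  backup "$f"
  # --follow-symlinks: plain `sed -i` replaces the system-auth symlink with
  # a regular file, detaching it from system-auth-ac.
  local -a pamsed=(sed -i --follow-symlinks)
  local pwq='password requisite pam_pwquality.so local_users_only retry=3 authtok_type= minlen=9 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 minclass=3'
  local crk='password requisite pam_cracklib.so retry=3 authtok_type= minlen=9 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 minclass=3 difok=3'
  local tally='auth required pam_tally2.so deny=5 onerr=fail no_magic_root unlock_time=600'
  local tally_acct='account required pam_tally2.so'
  local have_quality=0

  # Password quality: rewrite whichever module is active.
  if grep -q '^[^#].*pam_pwquality\.so' "$f"; then
    "${pamsed[@]}" "/^[^#].*pam_pwquality\.so/c $pwq" "$f"
    have_quality=1
  fi
  if grep -q '^[^#].*pam_cracklib\.so' "$f"; then
    "${pamsed[@]}" "/^[^#].*pam_cracklib\.so/c $crk" "$f"
    have_quality=1
  fi
  if (( ! have_quality )); then
    # Neither module present.  It must precede pam_unix in the password
    # stack -- a 'sufficient' pam_unix short-circuits anything after it --
    # so insert before the first password line instead of appending at EOF.
    "${pamsed[@]}" "0,/^password/!b;//i $pwq" "$f"
    grep -q '^[^#].*pam_pwquality\.so' "$f" || warn "no password stack in $f; pwquality not placed"
  fi

  # Lockout: 5 failures -> 600 s.  Place it before pam_unix in the auth
  # stack rather than at a hard-coded line number.
  if grep -q '^auth.*pam_tally2\.so' "$f"; then
    "${pamsed[@]}" "/^auth.*pam_tally2\.so/c $tally" "$f"
  else
    "${pamsed[@]}" "0,/^auth.*pam_unix\.so/!b;//i $tally" "$f"
    grep -q '^auth.*pam_tally2\.so' "$f" || warn "no pam_unix auth line in $f; pam_tally2 not placed"
  fi
  if ! grep -q '^account.*pam_tally2\.so' "$f"; then
    "${pamsed[@]}" "0,/^account/!b;//i $tally_acct" "$f"
  fi

  # Password history: remember=5 is a pam_unix option, so only tag the
  # pam_unix line (not pam_sss etc.), and only once.
  "${pamsed[@]}" '/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix\.so/{/remember=/!s/$/ remember=5/}' "$f"
}

### 4. Default umask in shell start-up files: 002/022 -> 077.
# Anchored on the umask token so a value such as "0022" cannot be mangled
# into "0772" by a bare `s/002/077/g`.
set_shell_umask() {
  local f=$1
  [[ -f "$f" ]] || return 0
  backup "$f"
  sed -i -E 's/(^|[[:space:];])umask[[:space:]]+0?(002|022)([[:space:]]|$)/\1umask 077\3/g' "$f"
}

### 5. Forbid remote root login over SSH.
harden_sshd() {
  local cfg=/etc/ssh/sshd_config
  [[ -f "$cfg" ]] || { warn "$cfg not found, skipping"; return 0; }
  backup "$cfg"
  # sshd keywords are case-insensitive, hence the I flag.  An absent
  # directive is inserted at the top: appending at EOF could land inside a
  # trailing Match block, where it would only apply to that block.
  if grep -qiE '^PermitRootLogin([[:space:]]|$)' "$cfg"; then
    sed -i -E 's/^PermitRootLogin([[:space:]].*)?$/PermitRootLogin no/I' "$cfg"
  elif grep -qiE '^#[[:space:]]*PermitRootLogin([[:space:]]|$)' "$cfg"; then
    sed -i -E 's/^#[[:space:]]*PermitRootLogin([[:space:]].*)?$/PermitRootLogin no/I' "$cfg"
  else
    sed -i '1i PermitRootLogin no' "$cfg"
  fi
  if grep -qiE '^[[:space:]]+PermitRootLogin' "$cfg"; then
    warn "a Match block in $cfg also sets PermitRootLogin; review it"
  fi
  # Validate before restarting -- a broken config plus a restart is a lockout.
  if ! /usr/sbin/sshd -t -f "$cfg"; then
    cp -fp -- "$(backup_path "$cfg")" "$cfg"
    die "$cfg failed 'sshd -t'; original restored, sshd not restarted"
  fi
  # UID_MIN is 1000 on RHEL7; warn when there is no ordinary account that
  # could still reach the box once root is refused.
  if ! awk -F: '$3 >= 1000 && $1 != "nfsnobody" && $7 !~ /(nologin|false)$/ {ok=1} END {exit !ok}' /etc/passwd; then
    warn "no non-root interactive account found; with PermitRootLogin no remote admin access needs one"
  fi
  systemctl restart sshd
}

### 6. Idle shell timeout.  Appended only once; readonly so a user cannot
# simply `unset TMOUT`.  The old script re-sourced /etc/profile here, which
# is pointless in a non-interactive run and was dropped.
set_tmout() {
  local f=/etc/profile
  backup "$f"
  if ! grep -qE '^(export[[:space:]]+)?TMOUT=' "$f"; then
    printf '\nexport TMOUT=600\nreadonly TMOUT\n' >> "$f"
  fi
}

### 7. Do not accept ICMP redirects (all + default, so new interfaces inherit).
harden_sysctl() {
  backup /etc/sysctl.conf
  set_sysctl net.ipv4.conf.all.accept_redirects 0
  set_sysctl net.ipv4.conf.default.accept_redirects 0
  sysctl -q -p /etc/sysctl.conf
}

### 10. cron and authpriv logging via rsyslog.
harden_rsyslog() {
  local cfg=/etc/rsyslog.conf changed=0
  [[ -f "$cfg" ]] || { warn "$cfg not found, skipping"; return 0; }
  backup "$cfg"
  if ! grep -q '^cron' "$cfg"; then
    printf '%s\n' 'cron.* /var/log/cron' >> "$cfg"
    changed=1
  fi
  if ! grep -q '^authpriv.info' "$cfg"; then
    printf '%s\n' 'authpriv.info /var/log/authlog' >> "$cfg"
    changed=1
  fi
  (( changed )) || return 0
  if command -v rsyslogd >/dev/null 2>&1 && ! rsyslogd -N1 >/dev/null 2>&1; then
    warn "$cfg failed 'rsyslogd -N1'; not restarting rsyslog"
    return 0
  fi
  systemctl restart rsyslog
}

main() {
  [[ $EUID -eq 0 ]] || die "must run as root"
  mkdir -p -m 0700 "$backup_dir"
  chmod 0700 "$backup_dir"
  local f
  harden_login_defs
  for f in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
    harden_pam "$f"
  done
  for f in /etc/csh.cshrc /etc/bashrc /etc/profile; do
    set_shell_umask "$f"
  done
  harden_sshd
  set_tmout
  harden_sysctl
  harden_rsyslog
  log "done; originals saved under $backup_dir"
}

main "$@"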
centos7系统安全基线配置脚本