#! /bin/bash
# Trace every command to stderr. Note this prints each command's arguments,
# so anything secret passed on a command line (a password piped via echo,
# for instance) ends up in the trace of every run.
set -o xtrace
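function backup () {
  # Move an archive into the per-rule backup directory.
  #   $1 - path of the (tar.gz) archive to stash
  #   $2 - rule id (e.g. S2007); names the sub-directory <id>_<YYYYMMDD>
  # BACKUP_ROOT may override the destination root; the default is the
  # original hard-coded /home/sys_security.
  # The archives hold copies of /etc/shadow and PAM/sshd configs, so the
  # tree is created 0700 and the moved file set to 0600 -- a plain mkdir
  # under umask 022 left the shadow copy world-readable.
  # Returns non-zero (and prints nothing) if a directory cannot be created
  # or the archive cannot be moved; previously "backup successful" was
  # printed even when the mv had failed.
  local archive=$1 rule=$2
  local stamp
  stamp=$(date +'%Y%m%d')
  DATE_NOW=$stamp
  BACK_UP=${BACKUP_ROOT:-/home/sys_security}
  BACK_UP_TMP=$BACK_UP/${rule}_$stamp/
  mkdir -p -m 0700 -- "$BACK_UP" || return 1
  chmod 0700 -- "$BACK_UP"          # -m is ignored when the dir already exists
  mkdir -p -m 0700 -- "$BACK_UP_TMP" || return 1
  chmod 0700 -- "$BACK_UP_TMP"
  mv -- "$archive" "$BACK_UP_TMP" || return 1
  chmod 0600 -- "$BACK_UP_TMP/${archive##*/}"
  echo "$rule backup successful..."
}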
# S1001 Disable the Ctrl+Alt+Del magic key
# CentOS 7.x
# Deleting the target unit file is what the rule prescribes. Because the
# file belongs to the systemd package, a package update would likely put it
# back; `systemctl mask ctrl-alt-del.target` survives updates and is
# reversible -- worth considering instead.
echo "********************S1001**********************"
TARGET_FILE=/usr/lib/systemd/system/ctrl-alt-del.target
if [[ -f "$TARGET_FILE" ]]; then
  rm -f -- "$TARGET_FILE"
  echo " S1001 has been rectified..."
else
  echo " S1001 not need to rectify..."
fi
# S1002 Disable SELinux
# CentOS 7.x
# NOTE(review): this removes a mandatory-access-control layer; a hardening
# baseline normally leaves SELinux enforcing. Kept because the rule asks for
# it, but it should be justified explicitly.
# setenforce 0 only changes the running kernel (and is refused when SELinux
# is already disabled); the SELINUX=disabled edit takes effect on reboot.
# The tar archive is written to the current working directory before
# backup() moves it away.
echo "********************S1002**********************"
NUM=S1002
CONF_FILE=/etc/selinux/config
tar zcvfP selinux_conf.tar.gz "$CONF_FILE"
backup selinux_conf.tar.gz "$NUM"
current_mode=$(awk -F '=' '/^SELINUX=/{print $2}' "$CONF_FILE")
if [ "X$current_mode" = "Xdisabled" ]; then
  echo "$NUM not need to rectify..."
else
  setenforce 0
  sed -i 's/^SELINUX=.*$/SELINUX=disabled/' "$CONF_FILE"
  echo "$NUM has been rectified..."
fi
unset NUM
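# S1003 Login banners (/etc/issue, /etc/issue.net, /etc/motd) and sshd Banner
# CentOS 7.x
echo "********************S1003**********************"
NUM=S1003
ISSUE_FILE=/etc/issue
ISSUE_NET_FILE=/etc/issue.net
ISSUE_MOTD_FILE=/etc/motd
SSH_CONF=/etc/ssh/sshd_config
tar zcvfP issue_conf.tar.gz "$ISSUE_FILE" "$ISSUE_NET_FILE" "$ISSUE_MOTD_FILE" "$SSH_CONF"
backup issue_conf.tar.gz "$NUM"
echo "Authorized only. All activity will be monitored and reported." > "$ISSUE_FILE"
echo "Authorized only. All activity will be monitored and reported." > "$ISSUE_NET_FILE"
echo "login success. All activity will be monitored and reported." > "$ISSUE_MOTD_FILE"
if grep -q "^Banner $ISSUE_FILE" "$SSH_CONF"; then
  echo "$NUM not need to rectify..."
else
  # Rewrite the first Banner directive (commented-out or not) in place, or
  # insert one at the top of the file when there is none. The previous
  # version computed a line number with `grep -n Banner` and ran
  # `sed -i "${N}d"`: with no match N was empty and `sed -i "d"` deleted
  # every line of sshd_config; with several matches (the stock "#Banner
  # none" plus a real one) N contained a newline. Inserting at line 1 rather
  # than appending keeps the directive out of any trailing Match block.
  if grep -q '^#\?Banner' "$SSH_CONF"; then
    sed -i "0,/^#\?Banner/{s|^#\?Banner.*|Banner $ISSUE_FILE|}" "$SSH_CONF"
  else
    sed -i "1i Banner $ISSUE_FILE" "$SSH_CONF"
  fi
  # Validate before restarting: a broken config leaves sshd down and the
  # host unreachable.
  if /usr/sbin/sshd -t; then
    systemctl restart sshd
    echo "$NUM has been rectified..."
  else
    echo "$NUM rectification failure: sshd_config did not validate, sshd not restarted" >&2
  fi
fi
unset NUM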
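# S2001 Password ageing defaults (login.defs)
# CentOS 7.x
# NOTE: login.defs only seeds accounts created after this runs; accounts
# that already exist keep their own ageing values (see `chage -l <user>`)
# and are not touched here.
echo "********************S2001**********************"
NUM=S2001
DEFS_CONF_FILE=/etc/login.defs && tar zcvfP login.defs.tar.gz "$DEFS_CONF_FILE"
backup login.defs.tar.gz "$NUM"
S2001_OK=1
for kv in PASS_MAX_DAYS=90 PASS_MIN_DAYS=10 PASS_MIN_LEN=8 PASS_WARN_AGE=7; do
  key=${kv%%=*}
  val=${kv#*=}
  if grep -q "^$key[[:space:]]" "$DEFS_CONF_FILE"; then
    # rewrite the existing uncommented setting in place
    sed -i "/^$key[[:space:]]/c\\$key $val" "$DEFS_CONF_FILE"
  else
    # A missing key used to be left unset (the `/c\` only rewrote existing
    # lines) and the check below then reported a failure.
    echo "$key $val" >> "$DEFS_CONF_FILE"
  fi
  # verify from the file; the last occurrence is the one login.defs honours
  got=$(awk -v k="$key" '$1==k{v=$2} END{print v}' "$DEFS_CONF_FILE")
  [ "$got" = "$val" ] || S2001_OK=0
done
if [ "$S2001_OK" -eq 1 ]; then
  echo "$NUM has been rectified..."
else
  echo "$NUM rectification failure..."
fi
unset NUM S2001_OK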
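# S2002 Password strength (pam_pwquality in system-auth)
# CentOS 7.x
echo "********************S2002**********************"
NUM=S2002
SYS_AUTH=/etc/pam.d/system-auth && tar zcvfP sys_auth.tar.gz "$SYS_AUTH"
backup sys_auth.tar.gz "$NUM"
# Check an *active* password line, not any line containing the text: a
# commented-out example would have counted as "already rectified".
if grep -q '^password.*pam_pwquality\.so.*difok=1 minlen=8' "$SYS_AUTH"; then
  echo "$NUM not need to rectify..."
else
  # --follow-symlinks: sed -i writes a new file and renames it over the
  # target, which would otherwise turn a symlink into a regular file. On
  # CentOS 7 system-auth is normally a symlink to system-auth-ac managed by
  # authconfig (which can also regenerate that file and undo this edit) --
  # TODO confirm on the target hosts.
  # NOTE(review): difok=1 only requires one character to differ from the
  # previous password; the rule's value is kept as-is.
  sed -i --follow-symlinks '/pam_pwquality.so/c\password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= difok=1 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1' "$SYS_AUTH"
  echo "$NUM has been rectified..."
fi
unset NUM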
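# S2003 Lock out after repeated failed SSH logins (pam_tally2)
# CentOS 7.x
echo "********************S2003**********************"
NUM=S2003
PAM_SSHD=/etc/pam.d/sshd && tar zcvfP pam_sshd.tar.gz "$PAM_SSHD"
backup pam_sshd.tar.gz "$NUM"
# root_unlock_time=300: the previous text was "root_unlock_time300" (no
# '='), which pam_tally2 does not recognise; per pam_tally2(8) root then
# fell back to unlock_time (150 s), so the intended 300 s never applied.
TALLY_OPTS='deny=3 unlock_time=150 even_deny_root root_unlock_time=300'
if grep -q "^auth.*pam_tally2\.so.*$TALLY_OPTS" "$PAM_SSHD"; then
  echo "$NUM not need to rectify..."
elif grep -q '^auth.*pam_tally2\.so' "$PAM_SSHD"; then
  # already present with other options (e.g. the old typo): fix in place
  # instead of adding a second, double-counting auth line
  sed -i "s|^auth.*pam_tally2\.so.*|auth required pam_tally2.so $TALLY_OPTS|" "$PAM_SSHD"
  echo "$NUM has been rectified..."
else
  sed -i "/%PAM-1.0/a\\auth required pam_tally2.so $TALLY_OPTS" "$PAM_SSHD"
  echo "$NUM has been rectified..."
fi
# pam_tally2(8): the failure counter is reset in the account phase, so an
# account line is required too; without it the count only ever grows and
# every user locks out after 3 lifetime failures.
if ! grep -q '^account.*pam_tally2\.so' "$PAM_SSHD"; then
  sed -i '0,/^account[[:space:]]/{s/^account[[:space:]]/account required pam_tally2.so\naccount /}' "$PAM_SSHD"
fi
# NOTE(review): even_deny_root lets 3 bad attempts lock root out of SSH for
# 300 s -- a remote denial-of-service lever. Tolerable only because S2004
# disables root SSH login anyway.
unset NUM TALLY_OPTS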
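# S2004 Forbid direct root login over SSH
# CentOS 7.x
# NOTE: make sure another account that can escalate (sudo) exists before
# relying on this -- the elex account created by S2008 is not given any
# privileges in this script -- or remote administration is lost.
echo "********************S2004**********************"
NUM=S2004
tar zcvfP sshd_conf.tar.gz "$SSH_CONF"     # -P, like the other backups
backup sshd_conf.tar.gz "$NUM"
if grep -q '^PermitRootLogin no' "$SSH_CONF"; then
  echo "$NUM not need to rectify..."
else
  if grep -q '^#\?PermitRootLogin' "$SSH_CONF"; then
    # Rewrite the first (possibly commented-out) directive in place. The old
    # `/PermitRootLogin/c\` rewrote *every* line containing the word and did
    # nothing at all when the directive was absent.
    sed -i '0,/^#\?PermitRootLogin/{s/^#\?PermitRootLogin.*/PermitRootLogin no/}' "$SSH_CONF"
  else
    # insert at the top: an append could land inside a trailing Match block
    sed -i '1i PermitRootLogin no' "$SSH_CONF"
  fi
  # Validate before restarting: a broken config leaves sshd down and the
  # host unreachable.
  if /usr/sbin/sshd -t; then
    systemctl restart sshd
    echo "$NUM has been rectified..."
  else
    echo "$NUM rectification failure: sshd_config did not validate, sshd not restarted" >&2
  fi
fi
unset NUM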
# S2005 Minimal permissions on /etc/passwd
# CentOS 7.x
# 0644: world-readable is needed (unprivileged processes resolve names
# through it), but never group/world writable.
echo "********************S2005**********************"
NUM=S2005
PASS_FILE=/etc/passwd
tar zcvfP pass_file.tar.gz "$PASS_FILE"
backup pass_file.tar.gz "$NUM"
chmod 0644 -- "$PASS_FILE"
echo "$NUM has been recitfied..."   # spelling kept exactly as emitted before
unset NUM
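# S2006 Remove any uid-0 account other than root
# CentOS 7.x
echo "********************S2006**********************"
# Match the name exactly: the previous `grep -v root` also skipped any name
# merely containing "root" (e.g. "sysroot"), which is precisely the kind of
# backdoor account this rule exists to catch.
UID0_OTHER=$(awk -F ':' '($3==0 && $1!="root"){print $1}' "$PASS_FILE")
if [ -z "$UID0_OTHER" ]; then
  echo "S2006 not need to rectify..."
else
  for acct in $UID0_OTHER; do
    # Demote the uid before deleting, as before, but anchor on the trailing
    # ':' so only a uid field that is exactly 0 is rewritten ("x:0:" rather
    # than any "x:0..." prefix). NOTE(review): uid 2000 is assumed free --
    # confirm, or this briefly aliases an existing account.
    sed -i "s/^$acct:x:0:/$acct:x:2000:/" "$PASS_FILE"
    userdel -r "$acct" 2>/dev/null
    # userdel -r normally removes these; the explicit rm is a fallback when
    # userdel bailed out. ${acct:?} guards against an empty name.
    rm -rf -- "/home/${acct:?}" 2>/dev/null
    rm -rf -- "/var/spool/mail/${acct:?}" 2>/dev/null
    echo "S2006 has been rectified..."
  done
fi
unset UID0_OTHER acct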
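# S2007 Accounts with an empty password
# CentOS 7.x
echo "********************S2007**********************"
NUM=S2007
SHADOW_FILE=/etc/shadow && tar zcvfP shadow_file.tar.gz "$SHADOW_FILE"
backup shadow_file.tar.gz "$NUM"
# Only a genuinely empty second field is an empty password. "!!" (like "!"
# and "*") means the account has no usable password and cannot authenticate
# with one at all. The previous version counted "!!" as empty and then
# *assigned* every such account a password of the form <name>@123 -- turning
# locked system accounts into accounts with a guessable password, and
# echoing that password into the set -x trace.
EMPTY_PW=$(awk -F ':' '($2==""){print $1}' "$SHADOW_FILE")
if [ -z "$EMPTY_PW" ]; then
  echo "$NUM not need to rectify..."
else
  for acct in $EMPTY_PW; do
    # Lock the account rather than choose a password for it: a predictable
    # script-generated password is not a rectification. An administrator
    # sets a real one afterwards with `passwd <user>`.
    passwd -l "$acct"
    echo "$NUM has been rectified..."
  done
fi
unset NUM EMPTY_PW acct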
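# S2008 Internal shared account "elex"
# CentOS 7.x
# The password comes from the ELEX_PASSWORD environment variable instead of
# a literal in the script: a literal here is a fleet-wide shared secret
# committed to source, and with `set -x` at the top of this file it was also
# printed in the trace of every run.
echo "********************S2008**********************"
useradd elex 2>/dev/null
if [ -n "${ELEX_PASSWORD:-}" ]; then
  # Here-string rather than `echo | passwd`: xtrace prints command words,
  # not redirection contents, so the value stays out of the trace.
  passwd --stdin elex <<<"$ELEX_PASSWORD" >/dev/null 2>&1
  chage -d 0 elex      # force a change at first login
  echo "S2008 has been rectified..."
else
  # useradd leaves the password field as "!!": the account exists but
  # cannot log in by password until one is set.
  echo "S2008: ELEX_PASSWORD not set; account elex created without a password" >&2
fi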
# S2009 Default umask 027 in /etc/profile
# CentOS 7.x
# The check is a plain substring match, so an existing commented-out
# "umask 027" also counts as present. Sourcing /etc/profile afterwards runs
# it inside this script, so the stricter umask applies to every file the
# rest of the run creates.
echo "********************S2009**********************"
NUM=S2009
PRO_FILE=/etc/profile
tar zcvfP profile_cig.tar.gz "$PRO_FILE"
backup profile_cig.tar.gz "$NUM"
if grep -q 'umask 027' "$PRO_FILE"; then
  echo "$NUM not need to rectify..."
else
  echo "umask 027" >> "$PRO_FILE"
  source "$PRO_FILE"
  echo "$NUM has been rectified..."
fi
unset NUM
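# S3001 Restrict sshd to strong ciphers and MACs
# CentOS 7.x
echo "********************S3001**********************"
if grep -qE '^(Ciphers|MACs)[[:space:]]' "$SSH_CONF"; then
  echo "S3001 not need to rectify..."
else
  # Insert at the top of the file rather than append: Ciphers/MACs are not
  # allowed inside a Match block, so an append fails validation when the
  # file ends with one.
  # MACs: the previous list was hmac-sha1,umac-64@openssh.com,hmac-ripemd160
  # -- SHA-1/64-bit tags are not "secure algorithms", and hmac-ripemd160 was
  # removed in OpenSSH 7.6, so that line would make sshd refuse to start on
  # an upgraded host. The SHA-2 (etm) MACs below are supported by the
  # OpenSSH 7.4 shipped with CentOS 7.
  sed -i '1i MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,hmac-sha2-512,hmac-sha2-256' "$SSH_CONF"
  sed -i '1i Ciphers aes128-ctr,aes192-ctr,aes256-ctr' "$SSH_CONF"
  # The old version never restarted sshd here, so the change only took
  # effect on the next unrelated restart. Validate first.
  if /usr/sbin/sshd -t; then
    systemctl restart sshd
    echo "S3001 has been rectified..."
  else
    echo "S3001 rectification failure: sshd_config did not validate, sshd not restarted" >&2
  fi
fi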
# S4001 Stop and disable the audit daemon
# CentOS 7.x
# NOTE(review): this is the opposite of hardening -- auditd is the system's
# audit trail, and disabling it removes the evidence an investigation relies
# on. Kept because the rule asks for it, but it needs an explicit
# justification. On CentOS 7 the auditd unit is marked RefuseManualStop, so
# `systemctl stop auditd` is expected to be refused (`service auditd stop`
# is the documented path) -- TODO confirm on the target hosts.
echo "********************S4001**********************"
for action in stop disable; do
  systemctl "$action" auditd
done
echo "S4001 has been rectified..."
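# S5001 Move messages/cron/secure into per-log directories
# CentOS 7.x
echo "********************S5001**********************"
NUM=S5001
RSYS_FILE=/etc/rsyslog.conf
tar zcvfP rsys_file.tar.gz "$RSYS_FILE"
backup rsys_file.tar.gz "$NUM"
LOG_DIR=/var/log
# Turn each flat log into a directory holding a file of the same name
# (/var/log/secure -> /var/log/secure/secure, ...) and point rsyslog at it.
# Idempotent: a path that is already a directory is left alone, and the sed
# only rewrites a bare path at the end of a line, so a rerun no longer
# produces /var/log/secure/secure/secure in rsyslog.conf.
systemctl stop rsyslog
for name in messages cron secure; do
  if [ -f "$LOG_DIR/$name" ]; then
    # stop came first so no writer holds the file while it is moved
    mv -- "$LOG_DIR/$name" "$LOG_DIR/$name.bak" || continue
    mkdir -p -- "$LOG_DIR/$name" && mv -- "$LOG_DIR/$name.bak" "$LOG_DIR/$name/$name"
  elif [ ! -d "$LOG_DIR/$name" ]; then
    mkdir -p -- "$LOG_DIR/$name"
  fi
  sed -i "s|/var/log/$name[[:space:]]*\$|/var/log/$name/$name|" "$RSYS_FILE"
done
systemctl restart rsyslog
echo "$NUM has been rectified..."
unset NUM name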
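# S5002 logrotate rules for the relocated messages/cron/secure logs
# CentOS 7.x
echo "********************S5002**********************"
NUM=S5002
LOGRO_SYS=/etc/logrotate.d/syslog
tar zcvfP logrotate_sys.tar.gz "$LOGRO_SYS"
backup logrotate_sys.tar.gz "$NUM"
if grep -qx '/var/log/cron/cron' "$LOGRO_SYS"; then
  echo "$NUM not need to rectify..."
else
  # Drop the three old flat paths from the stock stanza (its remaining
  # entries keep rotating) and add a stanza for the new locations. Addresses
  # use \|...| so the slashes need no escaping; the previous grep/echo/sed
  # round trip produced an empty pattern (`sed -i "//d"` errors out) when a
  # path was absent, and on a rerun deleted the new paths again, leaving a
  # stanza with no files plus a duplicated stanza.
  sed -i '\|^/var/log/cron[[:space:]]*$|d; \|^/var/log/messages[[:space:]]*$|d; \|^/var/log/secure[[:space:]]*$|d' "$LOGRO_SYS"
  # create 0600: secure holds authentication records (usernames, failed
  # logins); world-readable rotated copies (the previous 0644) are a
  # disclosure. Quoted delimiter: nothing in the stanza is expanded.
  cat >> "$LOGRO_SYS" << '_EOF_'
/var/log/cron/cron
/var/log/messages/messages
/var/log/secure/secure
{
daily
rotate 60
create 0600 root root
compress
nomail
dateext
missingok
sharedscripts
postrotate
/bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
endscript
}
_EOF_
  # -d is a dry run: parses the file and reports what would rotate
  logrotate -d -f "$LOGRO_SYS"
  echo "$NUM has been rectified..."
fi
unset NUM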