centos7.3安全加固脚本--根据绿盟扫描进行编写

这是一个针对CentOS 7.3的自动化安全强化脚本,包括修改SNMP默认读取社区,关闭所有xinet服务,禁用默认用户账号,禁用Selinux,启用pacct日志,文件系统强化,限制FTP登录,设置系统安全参数,停止不必要的服务等。通过执行此脚本,可以增强系统的安全性。

#!/bin/bash

# Every step below edits Linux-specific paths, so do nothing on other systems
# (case-insensitive substring match on the kernel name, as before).
case "$(uname -s)" in
    *[Ll][Ii][Nn][Uu][Xx]*) ;;
    *) exit 0 ;;
esac

# Suffix shared by all backup copies taken before a config file is edited.
TS="$(date +%Y%m%d-%H%M%S)"

######################    func_change_snmp_rcom  ########################
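#######################################
# Replace the default SNMP read community on the "com2sec notConfigUser"
# line of snmpd.conf.
# Globals:   TS (read) - backup suffix
# Arguments: $1 - new read community; falls back to $SNMP_RCOM and then to
#                 the value this script originally hard-coded
# Outputs:   progress on stdout, problems on stderr
# Returns:   0 when the line was rewritten, 1 when the file or line is missing
#######################################
func_change_snmp_rcom()
{
   local conf=/etc/snmp/snmpd.conf
   # Take the community from the caller or the environment so the secret does
   # not have to live in this file; the built-in default only preserves the
   # old behaviour. The source stays "default" (any address) as before;
   # narrowing it to the monitoring hosts is a separate, worthwhile change.
   local community="${1:-${SNMP_RCOM:-BJcudns123!}}"
   local escaped

   echo ""
   echo "Modify system default snmp read community ... "

   if [ ! -f "${conf}" ]; then
     echo "Modify system default snmp read community ... skipped: ${conf} not found." >&2
     return 1
   fi

   # -p keeps the original mode/owner: the file holds the community string, so
   # the backup must not end up more readable than the original.
   /bin/cp -fp "${conf}" "${conf}.${TS}"

   # The community becomes a sed replacement; escape what is special there
   # (backslash, '&' and the '|' used as delimiter).
   escaped=$(printf '%s' "${community}" | sed -e 's/[\\&|]/\\&/g')
   sed -i "s|^com2sec notConfigUser.*$|com2sec notConfigUser  default       ${escaped} |" "${conf}"

   # sed silently does nothing when the line is absent; report that instead.
   if ! grep -q -- "^com2sec notConfigUser  default       " "${conf}"; then
     echo "Modify system default snmp read community ... failed: no com2sec notConfigUser line in ${conf}." >&2
     return 1
   fi

   echo "Modify system default snmp read community ... done."
   echo ""
}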

######################    func_close_all_xinet_svc  ########################
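#######################################
# Set "disable = yes" in every /etc/xinetd.d service file that still enables
# its service, keeping a timestamped backup of each file changed.
# Globals:   TS (read) - backup suffix
# Arguments: none
# Outputs:   progress on stdout, problems on stderr
# Returns:   0 on success, 1 when /etc/xinetd.d does not exist
#######################################
func_close_all_xinet_svc()
{
   local xinetd_dir=/etc/xinetd.d
   local conf

   echo ""
   echo "Close all xinet services ... "

   # Without this guard a failed cd left the loop iterating over the caller's
   # current directory and rewriting unrelated files there.
   if [ ! -d "${xinetd_dir}" ]; then
     echo "Close all xinet services ... skipped: ${xinetd_dir} not found." >&2
     return 1
   fi

   # Iterate by absolute path instead of cd'ing so the caller's cwd is untouched.
   for conf in "${xinetd_dir}"/*; do
     [ -f "${conf}" ] || continue
     # xinetd ignores names containing '.' or ending in '~' in its include
     # directory, which is what keeps the timestamped backups inert; skip them
     # so a second run does not edit backup copies.
     case "${conf##*/}" in
       *.*|*~) continue ;;
     esac
     # Test each file on its own; the original "grep ... *" read every file in
     # the directory at once, so one enabled service marked all files.
     if grep -w disable -- "${conf}" | grep -qw "no"; then
       /bin/cp -fp "${conf}" "${conf}.${TS}"
       sed -i "s|disable.*no.*$|disable         = yes|" "${conf}"
     fi
   done

   echo "Close all xinet services ... done."
   echo ""
}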

##################    func_disable_default_user  ####################
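#######################################
# Give every system account below a UID threshold (root excepted) a
# non-interactive shell and lock its password.
# Globals:   TS (read) - backup suffix
# Arguments: $1 - UID threshold, default 500 (the RHEL6 value, kept for
#                 compatibility). CentOS 7 places system accounts below
#                 UID_MIN=1000 per /etc/login.defs, so pass 1000 there or
#                 accounts in 500..999 are left untouched.
# Outputs:   progress on stdout, problems on stderr
# Returns:   0 on success, 1 when /etc/passwd is missing
#######################################
func_disable_default_user()
{
   local uid_limit="${1:-500}"
   local passwd=/etc/passwd
   local shadow=/etc/shadow
   local user

   echo ""
   echo "Disable/delete RHEL6 default user account ... "

   if [ ! -f "${passwd}" ]; then
     echo "Disable/delete RHEL6 default user account ... skipped: ${passwd} not found." >&2
     return 1
   fi

   # usermod -s rewrites passwd and usermod -L rewrites shadow, so back up
   # both. -p keeps the original mode: a copy of /etc/shadow created with the
   # default umask would expose every password hash.
   /bin/cp -fp "${passwd}" "${passwd}.${TS}"
   if [ -f "${shadow}" ]; then
     /bin/cp -fp "${shadow}" "${shadow}.${TS}"
   fi

   # Compare the name exactly; the original 'egrep -v root' also skipped any
   # account whose name merely contained "root". Note this also replaces the
   # special shells of sync/shutdown/halt when those accounts are present,
   # exactly as the original loop did.
   while IFS= read -r user; do
     [ -n "${user}" ] || continue
     usermod -s /sbin/nologin "${user}"
     usermod -L "${user}"
   done < <(awk -F: -v limit="${uid_limit}" '($3 + 0) < (limit + 0) && $1 != "root" {print $1}' "${passwd}")

   echo "Disable/delete RHEL6 default user account ... done."
   echo ""
}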

######################    func_disable_selinux    ########################
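#######################################
# Set SELINUX=disabled in /etc/selinux/config.
# Globals:   TS (read) - backup suffix
# Arguments: none
# Outputs:   progress on stdout, problems on stderr
# Returns:   0 on success, 1 when the config file is missing
#
# NOTE(review): this removes a mandatory-access-control layer rather than
# adding one; SELINUX=permissive keeps denials logged without enforcing and
# is the safer choice when the scan only objects to enforcing mode. The
# setting is read at boot, so the running mode is unchanged until reboot.
#######################################
func_disable_selinux()
{
   local conf=/etc/selinux/config

   echo ""
   echo "Disable selinux ... "

   if [ ! -f "${conf}" ]; then
     echo "Disable selinux ... skipped: ${conf} not found." >&2
     return 1
   fi

   /bin/cp -fp "${conf}" "${conf}.${TS}"
   sed -i "s|^SELINUX=.*|SELINUX=disabled|" "${conf}"

   echo "Disable selinux ... done."
   echo ""
}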

######################    func_enable_pacct  ########################
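#######################################
# Start process accounting (psacct) and make it persistent, then make sure
# root's crontab runs logrotate so the accounting file does not grow unbounded.
# Globals:   none
# Arguments: none
# Outputs:   progress on stdout
# Returns:   0 on success, 1 when psacct is not installed
#######################################
func_enable_pacct()
{
   local cron_file=/var/spool/cron/root

   echo ""
   echo "Enable pacct ... "

   if command -v systemctl >/dev/null 2>&1 \
      && systemctl list-unit-files 2>/dev/null | grep -q '^psacct\.service'; then
     # CentOS 7 ships psacct as a systemd unit and has no /etc/init.d/psacct,
     # so the original SysV-only branch always reported "failed" there.
     # enable and start are separate calls because "--now" needs a newer
     # systemd than CentOS 7 carries.
     systemctl enable psacct.service >/dev/null 2>&1
     systemctl start psacct.service
   elif [ -f /etc/init.d/psacct ]; then
     # SysV hosts: keep the original start + rc3.d symlink.
     /etc/init.d/psacct start
     ln -nfs /etc/init.d/psacct /etc/rc3.d/S90psacct
   else
     echo "Enable pacct ... failed."
     sleep 3
     echo ""
     return 1
   fi

   # Only add the logrotate entry when root's crontab lacks one. The file is
   # written directly (as before) rather than through crontab(1), so no syntax
   # check happens; crond is restarted so it re-reads the spool.
   if [ ! -f "${cron_file}" ] || ! grep -q logrotate "${cron_file}"; then
     echo '10 1 * * * /usr/sbin/logrotate /etc/logrotate.conf > /dev/null 2>&1 &' >> "${cron_file}"
     service crond restart > /dev/null 2>&1
   fi

   echo "Enable pacct ... done."
   echo ""
}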

######################    func_harden_fs  ########################
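#######################################
# Print the mount points that fsck checks at boot (fstab field 6 != 0); these
# are the local filesystems the permission sweeps below cover.
# Outputs:   one mount point per line on stdout
#######################################
_fstab_checked_mounts()
{
   # Skip comment lines and lines too short to carry a 6th field (the original
   # awk test ""0"" is just an obscure spelling of "0").
   awk '!/^[[:space:]]*#/ && NF >= 6 && $6 != "0" {print $2}' /etc/fstab
}

#######################################
# Remove world-write from non-sticky directories and files, and give files
# without a valid owner or group one, on every fsck-checked filesystem.
# Globals:   none
# Arguments: none
# Outputs:   progress on stdout
# Returns:   0
#######################################
func_harden_fs()
{
   local part

   echo ""
   echo "func_harden_fs system ... "

   # Sticky directories such as /tmp are left alone on purpose. -xdev keeps
   # each sweep on its own filesystem, and chmod is run by find itself so
   # paths containing whitespace are handled (the old "ls -ld | awk" pipeline
   # split them).
   echo "   Check 777 directories ..."
   while IFS= read -r part; do
     [ -d "${part}" ] || continue
     find "${part}" -xdev -type d \( -perm -0002 -a ! -perm -1000 \) -exec chmod o-w -- {} + 2>/dev/null
   done < <(_fstab_checked_mounts)

   echo "   Check anybody can write files ..."
   while IFS= read -r part; do
     [ -d "${part}" ] || continue
     find "${part}" -xdev -type f \( -perm -0002 -a ! -perm -1000 \) -exec chmod o-w -- {} + 2>/dev/null
   done < <(_fstab_checked_mounts)

   # The original "-nouser -o -nogroup -print" bound -print to -nogroup only,
   # so ownerless files were never reported, and "chgrp root" cannot repair a
   # missing owner anyway; each case now gets a matching fix. -xdev is added
   # for consistency with the sweeps above (the original descended into
   # /proc, /sys and network mounts from "/").
   echo "   Check files without owner or group ..."
   while IFS= read -r part; do
     [ -d "${part}" ] || continue
     find "${part}" -xdev -nouser -exec chown root -- {} + 2>/dev/null
     find "${part}" -xdev -nogroup -exec chgrp root -- {} + 2>/dev/null
   done < <(_fstab_checked_mounts)

   echo "func_harden_fs system ... done."
   echo ""
}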

######################    func_hosts_allow  ########################
#funchosts_allow()
#{
#   echo ""
#   echo "sec /etc/hosts.allow ... "
#    CONF=/etc/hosts.allow
#    /bin/cp -f ${CONF} ${CONF}.${TS}
#    sed -i '/sshd:/d' $CONF
#    echo "ALL:ALL:DENY" >> ${CONF}
#    sed -i '/^ALL:ALL:DENY/i\sshd:202.106.195.58:ALLOW' ${CONF}
#    sed -i '/^ALL:ALL:DENY/i\sshd:202.106.46.154:ALLOW' ${CONF}
#    sed -i '/^ALL:ALL:DENY/i\sshd:202.106.46.155:ALLOW' ${CONF}       
#    sed -i '/^ALL:ALL:DENY/i\sshd:202.106.46.157:ALLOW' ${CONF}
#
#    CONF=/e
