Centos7的常规加固脚本

以下为一个普通的linux Centos7的常规加固脚本
加固项包括以下项目:
1、操作超时
2、保留历史命令改为10条
3、Enable TCP SYN Cookie Protection
4、口令策略加固
5、设置mask值&超时锁定
#!/bin/sh

author:lp

version 1.0 written by 2019.05.03

#1 add continue input failure 3 ,passwd unlock time 5 minite
#1 操作超时
cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
sed -i 's#auth required pam_env.so#auth required pam_env.so\nauth required pam_tally.so onerr=fail deny=3 unlock_time=300\nauth required /lib/security/$ISA/pam_tally.so onerr=fail deny=3 unlock_time=300#' /etc/pam.d/system-auth

#2 will system save history command list to 10
cp /etc/profile /etc/profile.bak
sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile
source /etc/profile

#3 add syncookie enable /etc/sysctl.conf
cp /etc/sysctl.conf /etc/sysctl.conf.bak
echo "net.ipv4.tcp_syncookies=1" >> /etc/sysctl.conf
sysctl -p

#4 password 口令加固
cp /etc/login.defs /etc/login.defs.bak
sed -i '/PASS_MAX_DAYS/s/99999/7/g' /etc/login.defs
sed -i '/PASS_MIN_DAYS/s/0/1/g' /etc/login.defs
sed -i '/PASS_MIN_LEN/s/5/10/g' /etc/login.defs
sed -i '/PASS_WARN_AGE/s/7/7/g' /etc/login.defs

#5 设置mask值&超时锁定
cp /etc/bashrc /etc/bashrc.bak
sed -i '/umask/s/022/027/g' /etc/bashrc
echo "TMOUT=300" >> /etc/bashrc
source /etc/bashrc

上一篇:设置Linux内核运行时参数的正确方法是什么?


下一篇:linux – 为什么编辑core_pattern受限制?