安全基线脚本
#!/bin/bash export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin NAME="syscheck" HOSTNAME=`uname -n` DATE=`date +%Y%m%d` BASEPATH="/tmp/$NAME" FILE="$DATE"_"$HOSTNAME"_autosh.log VERSION=`cat /etc/redhat-release|sed -r 's/.* ([0-9]+)\..*/\1/'` TIMESERVERIP=2.2.2.2 function check_checklog() { if [ ! -d $BASEPATH ]; then mkdir -p $BASEPATH cd $BASEPATH touch "$FILE" echo "$BASEPATH/$FILE create sucess!" > $BASEPATH/script.log else echo "$BASEPATH/$FILE already exist" > $BASEPATH/script.log fi >$BASEPATH/$FILE } function bak_file() { for i in /etc/passwd /etc/shadow /etc/gshadow /etc/group /etc/pam.d/password-auth-ac /etc/pam.d/system-auth-ac /etc/login.defs /etc/profile /etc/pam.d/su /etc/csh.cshrc /etc/sysctl.conf /etc/csh.login /etc/bashrc do if [ ! -f $i.bak ];then cp $i{,.bak} echo "-------------------back file finish--------------------------" >> $BASEPATH/$FILE ls $i.bak >> $BASEPATH/$FILE else echo "------------------back file already existed--------------------------" >> $BASEPATH/$FILE ls $i.bak >> $BASEPATH/$FILE fi done #echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE #echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE } function login_policy() { LOGIN_POLICY=`grep "pam_tally2.so" /etc/pam.d/password-auth-ac` LOGIN_POLICY_1=`grep "pam_tally2.so" /etc/pam.d/system-auth-ac` if [ -n "$LOGIN_POLICY" ]; then sed -i '/pam_tally2.so/c\auth required pam_tally2.so deny=5 even_deny_root root_unlock_time=300' /etc/pam.d/password-auth-ac echo "****parameter_password_auth_ac lock policy replace finish****" >> $BASEPATH/$FILE cat /etc/pam.d/password-auth-ac|grep "pam_tally2.so" >>$BASEPATH/$FILE else sed -i '/^# User/a \auth required pam_tally2.so deny=5 even_deny_root root_unlock_time=300' /etc/pam.d/password-auth-ac echo "****parameter_password_auth_ac lock policy append finish****" >> $BASEPATH/$FILE cat /etc/pam.d/password-auth-ac|grep "pam_tally2.so" >>$BASEPATH/$FILE fi if [ -n "$LOGIN_POLICY_1" ]; then sed -i '/pam_tally2.so/c\auth required pam_tally2.so deny=5 even_deny_root root_unlock_time=300' /etc/pam.d/system-auth-ac echo "****parameter_system_auth_ac lock policy replace finish****" >> $BASEPATH/$FILE cat /etc/pam.d/system-auth-ac|grep "pam_tally2.so" >>$BASEPATH/$FILE else sed -i '/^# User/a \auth required pam_tally2.so deny=5 even_deny_root root_unlock_time=300' /etc/pam.d/system-auth-ac echo "****parameter_system_auth_ac lock policy append finish****" >> $BASEPATH/$FILE cat /etc/pam.d/system-auth-ac|grep "pam_tally2.so" >>$BASEPATH/$FILE fi } function create_user() { USE=linuxadmin for i in $USE ;do if ! id ${i} &>/dev/null ;then useradd $i >>$BASEPATH/$FILE echo 'q1w2e3r4'|passwd --stdin $i &> /dev/null usermod -G wheel $USE echo "---------------create_user $USE finish---------------" >>$BASEPATH/$FILE id $i >>$BASEPATH/$FILE else echo "**** user $USE already exist**** " && exit 2 fi done } function file_lock_set() { echo "---------------file_lock_set finish---------------" >>$BASEPATH/$FILE for i in /etc/passwd /etc/shadow /etc/group /etc/gshadow do if [ `lsattr ${i} | cut -c 5` = i ];then echo " ${i} 存在i安全属性" >> $BASEPATH/$FILE else chattr +i $i lsattr $i >> $BASEPATH/$FILE fi done } function user_lock_set() { echo "---------------user_lock_set finish---------------" >>$BASEPATH/$FILE for i in adm lp mail uucp operator games gopher ftp nobody nobody4 noaccess listen webservd dbus avahi mailnull smmsp nscd vcsa rpc rpcuser nfs pcap ntp haldaemon distcache apache webalizer squid xfs gdm sabayon named ;do id $i &>/dev/null if [ $? -eq 0 ];then usermod -L $i &>/dev/null #echo "****use_lock_set finish****" >>$BASEPATH/$FILE echo "--------------------------------- " >> $BASEPATH/$FILE echo "user $i Has been locked" >> $BASEPATH/$FILE else echo "--------------------------------- " >> $BASEPATH/$FILE echo "user $i no found" >> $BASEPATH/$FILE fi done } function history_num_set() { HISTSIZE=`cat /etc/profile|grep HISTSIZE|head -1|awk -F[=] '{print $2}'` if [ $HISTSIZE -eq 10 ];then #echo -e "\033[1;34m ****保留历史命令条数为${HISTSIZE}**** \033[0m" >>$BASEPATH/$FILE echo " ****保留历史命令条数为${HISTSIZE}****" >>$BASEPATH/$FILE else sed -i "s/HISTSIZE=1000/HISTSIZE=10/" /etc/profile echo "历史命令条数更改为10" >> $BASEPATH/$FILE #echo -e "\033[1;34m ****历史命令条数更改为${HISTSIZE}**** \033[0m" >>$BASEPATH/$FILE source /etc/profile fi #echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE #echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE } function change_open_file_num() { #change open file number echo `echo ""` >> $BASEPATH/$FILE echo "---------------change open file number----------------" >> $BASEPATH/$FILE cat >> /etc/security/limits.conf <<EOF * soft core 0 * hard core 0 * soft nproc 65535 * hard nproc 65535 * soft nofile 65535 * hard nofile 65535 EOF grep -v "#" /etc/security/limits.conf >> $BASEPATH/$FILE #echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE #echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE } #设置只有wheel组用户才能su到root function group_permissions_set() { echo "---------------group_permissions_set finish---------------" >>$BASEPATH/$FILE sed -i '/pam_rootok.so/a\auth required pam_wheel.so group=wheel' /etc/pam.d/su ls "/etc/pam.d/su" >>$BASEPATH/$FILE grep -v "#" /etc/pam.d/su | grep wheel.so >>$BASEPATH/$FILE #echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE #echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE } #设置用户umask function user_permissions_set() { echo "---------------user_permissions_set finish---------------" >>$BASEPATH/$FILE sed -i '/UMASK/c \UMASK 027' /etc/login.defs ls /etc/login.defs >>$BASEPATH/$FILE grep UMASK /etc/login.defs >>$BASEPATH/$FILE echo "-------------------------------------------------" >>$BASEPATH/$FILE sed -i '/^[[:space:]]/s/umask 002/umask 077/g' /etc/bashrc ls /etc/bashrc >>$BASEPATH/$FILE grep -v "#" /etc/bashrc | grep umask >>$BASEPATH/$FILE echo "-------------------------------------------------" >>$BASEPATH/$FILE sed -i '/^[[:space:]]/s/umask 002/umask 077/g' /etc/profile ls /etc/profile >>$BASEPATH/$FILE grep -v "#" /etc/profile | grep umask >>$BASEPATH/$FILE echo "-------------------------------------------------" >>$BASEPATH/$FILE sed -i '/^[[:space:]]/s/umask 002/umask 077/g' /etc/csh.cshrc ls /etc/csh.cshrc >>$BASEPATH/$FILE grep -v "#" /etc/csh.cshrc | grep umask >>$BASEPATH/$FILE echo "-------------------------------------------------" >>$BASEPATH/$FILE sed -i '/^setenv/a \set umask 077' /etc/csh.login ls /etc/csh.login >>$BASEPATH/$FILE grep -v "#" /etc/csh.login | grep umask >>$BASEPATH/$FILE echo "-------------------------------------------------" >>$BASEPATH/$FILE #echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE #echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE } function system_dir_file_permissions_set() { chmod 750 /etc/rc0.d/ >> $BASEPATH/$FILE chmod 750 /etc/rc1.d/ >> $BASEPATH/$FILE chmod 750 /etc/rc2.d/ >> $BASEPATH/$FILE chmod 750 /etc/rc3.d/ >> $BASEPATH/$FILE chmod 750 /etc/rc4.d/ >> $BASEPATH/$FILE chmod 750 /etc/rc5.d/ >> $BASEPATH/$FILE chmod 750 /etc/rc6.d/ >> $BASEPATH/$FILE chmod 750 /etc/rc.d/init.d/ >> $BASEPATH/$FILE chmod 750 /tmp >> $BASEPATH/$FILE #chmod 600 /etc/xinetd.conf >> $BASEPATH/$FILE chmod 600 /etc/security >> $BASEPATH/$FILE #chmod 400 /etc/shadow #chmod 644 /etc/passwd #chmod 644 /etc/services #chmod 644 /etc/group if [ -f /etc/xinetd.conf ];then chmod 600 /etc/xinetd.conf >> $BASEPATH/$FILE else echo "/etc/xinetd.conf no found" >> $BASEPATH/$FILE fi echo "---------------system_dir_file_permissions_set finish---------------" >> $BASEPATH/$FILE ls -ld /etc/rc0.d/ >> $BASEPATH/$FILE ls -ld /etc/rc1.d/ >> $BASEPATH/$FILE ls -ld /etc/rc2.d/ >> $BASEPATH/$FILE ls -ld /etc/rc3.d/ >> $BASEPATH/$FILE ls -ld /etc/rc4.d/ >> $BASEPATH/$FILE ls -ld /etc/rc5.d/ >> $BASEPATH/$FILE ls -ld /etc/rc.d/init.d/ >> $BASEPATH/$FILE ls -ld /tmp >> $BASEPATH/$FILE #ls /etc/xinetd.conf >> $BASEPATH/$FILE ls -ld /etc/security >> $BASEPATH/$FILE ls -l /etc/shadow >> $BASEPATH/$FILE ls -l /etc/passwd >> $BASEPATH/$FILE ls -l /etc/services >> $BASEPATH/$FILE ls -l /etc/group >> $BASEPATH/$FILE if [ -f /etc/xinetd.conf ];then ls -l /etc/xinetd.conf >> $BASEPATH/$FILE else echo "/etc/xinetd.conf no found" >> $BASEPATH/$FILE fi #echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE #echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE } function sys_kernel_parameter_set() { echo "---------------sys_kernel_parameter_set finish---------------" >>$BASEPATH/$FILE ls /etc/sysctl.conf >>$BASEPATH/$FILE echo "net.ipv4.conf.all.accept_redirects=0" >> /etc/sysctl.conf echo "net.ipv4.icmp_echo_ignore_broadcasts=1" >> /etc/sysctl.conf echo "net.ipv4.ip_forward=0" >> /etc/sysctl.conf echo "net.ipv4.conf.all.send_redirects=0" >> /etc/sysctl.conf echo "net.ipv4.conf.all.accept_source_route=0" >> /etc/sysctl.conf sysctl -p >>$BASEPATH/$FILE #echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE #echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE } function rhel6_stop_service() { #set banner echo `echo ""` >> $BASEPATH/$FILE echo "---------------set banner----------------" >> $BASEPATH/$FILE echo '"Authorized access only"' > /etc/motd cat /etc/motd >> $BASEPATH/$FILE #stop NetworkManager #echo `echo ""` >> $BASEPATH/$FILE #echo "---------------stop NetworkManager---------------" >> $BASEPATH/$FILE #/etc/init.d/NetworkManager stop >> $BASEPATH/$FILE #chkconfig NetworkManager off >> $BASEPATH/$FILE #chkconfig --list | grep NetworkManager >> $BASEPATH/$FILE #stop iptables echo `echo ""` >> $BASEPATH/$FILE echo "---------------stop iptables---------------" >> $BASEPATH/$FILE #iptables -F #/etc/init.d/iptables stop >> $BASEPATH/$FILE #/etc/init.d/ip6tables stop >> $BASEPATH/$FILE #chkconfig iptables off >> $BASEPATH/$FILE #chkconfig ip6tables off >> $BASEPATH/$FILE #chkconfig --list | grep iptables >> $BASEPATH/$FILE #chkconfig --list | grep ip6tables >> $BASEPATH/$FILE #stop selinux echo `echo ""` >> $BASEPATH/$FILE echo "---------------set selinux---------------" >> $BASEPATH/$FILE sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config grep "disabled" /etc/selinux/config >> $BASEPATH/$FILE #stop telnet_server #echo `echo ""` >> $BASEPATH/$FILE #echo "---------------remove telnet server---------------" >> $BASEPATH/$FILE #yum remove telnet-server -y >> $BASEPATH/$FILE #set root romote access echo `echo ""` >> $BASEPATH/$FILE echo "---------------set root romote access---------------" >> $BASEPATH/$FILE sed -i s/#PermitRootLogin\ yes/PermitRootLogin\ no/ /etc/ssh/sshd_config grep "PermitRootLogin" /etc/ssh/sshd_config >> $BASEPATH/$FILE /etc/init.d/sshd restart >> $BASEPATH/$FILE chkconfig --list | grep sshd >> $BASEPATH/$FILE #stop OS other services echo "---------------stop OS other services---------------" >> $BASEPATH/$FILE for i in acpid bluetooth postfix rhnsd rhsmcertd do rpm -qa | grep $i &>/dev/null if [ $? -eq 0 ];then chkconfig $i off >> $BASEPATH/$FILE else echo " $i services no found " >> $BASEPATH/$FILE fi chkconfig --list | grep $i >> $BASEPATH/$FILE done } function rhel6_pass_policy() { awk '$1 ~ /PASS_MAX_DAYS/{$2="\t"90}1' /etc/login.defs 1<>/etc/login.defs awk '$1 ~ /PASS_MIN_DAYS/{$2="\t"6}1' /etc/login.defs 1<>/etc/login.defs awk '$1 ~ /PASS_MIN_LEN/{$2="\t"8}1' /etc/login.defs 1<>/etc/login.defs awk '$1 ~ /PASS_WARN_AGE/{$2="\t"30}1' /etc/login.defs 1<>/etc/login.defs echo "------------password controls set finish-----------------" >> $BASEPATH/$FILE sed -n '25,28p' /etc/login.defs >> $BASEPATH/$FILE CRACK_PASS_POLICY=`grep "pam_cracklib.so" /etc/pam.d/password-auth-ac` CRACK_SYS_POLICY=`grep "pam_cracklib.so" /etc/pam.d/system-auth-ac` UNIX_PASS_POLICY=`grep "pam_unix.so" /etc/pam.d/password-auth-ac` UNIX_SYS_POLICY=`grep "pam_unix.so" /etc/pam.d/system-auth-ac` if [ -n "$CRACK_PASS_POLICY" ]; then sed -i '/type=/c \password requisite pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ocredit=-1 ucredit=-1 lcredit=1 minclass=3 minlen=8' /etc/pam.d/password-auth-ac echo "parameter_password_auth_ac cracklib.so replace finish" >> $BASEPATH/$FILE cat /etc/pam.d/password-auth-ac|grep "pam_cracklib.so" >>$BASEPATH/$FILE else sed -i '$a \password requisite pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ocredit=-1 ucredit=-1 lcredit=1 minclass=3 minlen=8' /etc/pam.d/password-auth-ac echo "parameter_password_auth_ac cracklib.so append finish" >> $BASEPATH/$FILE cat /etc/pam.d/password-auth-ac|grep "pam_cracklib.so" >>$BASEPATH/$FILE fi if [ -n "$CRACK_SYS_POLICY" ]; then sed -i '/type=/c \password requisite pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ocredit=-1 ucredit=-1 lcredit=1 minclass=3 minlen=8' /etc/pam.d/system-auth-ac echo "parameter_system_auth_ac cracklib.so replace finish" >> $BASEPATH/$FILE cat /etc/pam.d/system-auth-ac|grep "pam_cracklib.so" >>$BASEPATH/$FILE else sed -i '$a \password requisite pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ocredit=-1 ucredit=-1 lcredit=1 minclass=3 minlen=8' /etc/pam.d/system-auth-ac echo "parameter_system_auth_ac pam_cracklib.so append finish" >> $BASEPATH/$FILE cat /etc/pam.d/system-auth-ac|grep "pam_cracklib.so" >>$BASEPATH/$FILE fi if [ -n "$UNIX_PASS_POLICY" ]; then sed -i '/use_authtok/c \password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=6' /etc/pam.d/password-auth-ac echo "parameter_password_auth_ac unix.so replace finish" >> $BASEPATH/$FILE cat /etc/pam.d/password-auth-ac|grep "pam_unix.so" >>$BASEPATH/$FILE else sed -i '$a \password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=6' /etc/pam.d/password-auth-ac echo "parameter_password_auth_ac unix.so append finish" >> $BASEPATH/$FILE cat /etc/pam.d/password-auth-ac|grep "pam_unix.so" >>$BASEPATH/$FILE fi if [ -n "$UNIX_SYS_POLICY" ]; then sed -i '/use_authtok/c \password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=6' /etc/pam.d/system-auth-ac echo "parameter_system_auth_ac unix.so replace finish" >> $BASEPATH/$FILE cat /etc/pam.d/system-auth-ac|grep "pam_unix.so" >>$BASEPATH/$FILE else sed -i '$a \password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=6' /etc/pam.d/system-auth-ac echo "parameter_system_auth_ac unix.so append finish" >> $BASEPATH/$FILE cat /etc/pam.d/system-auth-ac|grep "pam_unix.so" >>$BASEPATH/$FILE fi #echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE #echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE } function rhel6_para_set() { grep "TMOUT=300" /etc/profile >> $BASEPATH/$FILE if [ $? -eq 0 ]; then echo "TMOUT already set" >> $BASEPATH/$FILE else sed -i '$a \export TMOUT=300' /etc/profile grep "TMOUT" /etc/profile >> $BASEPATH/$FILE fi #modify default init #grep "id:3:initdefault:" /etc/inittab #if [ $? -eq 0 ]; #then #sed -i '/^id/d' /etc/inittab #sed -i '$c \id:3:initdefault:' /etc/inittab #echo "inittab change finish" >> $BASEPATH/$FILE #else #sed -i '/^id/d' /etc/inittab #sed -i '$a \id:3:initdefault:' /etc/inittab #echo "inittab append finish" >> $BASEPATH/$FILE #fi #echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE #echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE } function rhel6_timeserver_set() { rpm -qa | grep ntp &>/dev/null if [ $? -eq 0 ];then sed -i '/^# Please/a server '$TIMESERVERIP' iburst' /etc/ntp.conf echo "--------------------ntp server set finish---------------------" >> $BASEPATH/$FILE ls /etc/ntp.conf >> $BASEPATH/$FILE sed -n '22p' /etc/ntp.conf >> $BASEPATH/$FILE else echo "ntp server no found" fi } function rhel7_timeserver_set() { rpm -qa | grep chrony &>/dev/null if [ $? -eq 0 ];then sed -i '/^# Please/a server '$TIMESERVERIP' iburst' /etc/chrony.conf echo "--------------------chrony server set finish---------------------" >> $BASEPATH/$FILE ls /etc/chrony.conf >> $BASEPATH/$FILE sed -n '3p' /etc/chrony.conf >> $BASEPATH/$FILE else echo "chronyd server no found start install" yum -y install chrony &>/dev/null if [ $? -eq 0 ];then echo " chrony install finish " >> $BASEPATH/$FILE sed -i '/^# Please/a server '$TIMESERVERIP' iburst' /etc/chrony.conf echo "--------------------chrony server set finish---------------------" >> $BASEPATH/$FILE ls /etc/chrony.conf >> $BASEPATH/$FILE sed -n '3p' /etc/chrony.conf >> $BASEPATH/$FILE else echo "chrony install failed" >> $BASEPATH/$FILE fi fi echo "-----------------------------------------------------------------" >> $BASEPATH/$FILE } function rhel7_stop_service() { #set banner echo `echo ""` >> $BASEPATH/$FILE echo "---------------set banner----------------" >> $BASEPATH/$FILE echo '"Authorized access only"' > /etc/motd cat /etc/motd >> $BASEPATH/$FILE #stop NetworkManager #echo `echo ""` >> $BASEPATH/$FILE #echo "---------------stop NetworkManager---------------" >> $BASEPATH/$FILE #systemctl stop NetworkManager >> $BASEPATH/$FILE #systemctl disable NetworkManager >> $BASEPATH/$FILE #systemctl list-unit-files | grep NetworkManager >> $BASEPATH/$FILE #stop iptables echo `echo ""` >> $BASEPATH/$FILE echo "---------------stop firewall---------------" >> $BASEPATH/$FILE iptables -F systemctl stop firewalld >> $BASEPATH/$FILE systemctl disable firewalld >> $BASEPATH/$FILE systemctl list-unit-files | grep firewalld >> $BASEPATH/$FILE #stop selinux echo `echo ""` >> $BASEPATH/$FILE echo "---------------set selinux---------------" >> $BASEPATH/$FILE sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config grep "disabled" /etc/selinux/config >> $BASEPATH/$FILE #stop telnet_server #echo `echo ""` >> $BASEPATH/$FILE #echo "---------------remove telnet server---------------" >> $BASEPATH/$FILE #yum remove telnet-server -y >> $BASEPATH/$FILE #set root romote access echo `echo ""` >> $BASEPATH/$FILE echo "---------------set root romote access---------------" >> $BASEPATH/$FILE sed -i s/#PermitRootLogin\ yes/PermitRootLogin\ no/ /etc/ssh/sshd_config grep "PermitRootLogin" /etc/ssh/sshd_config >> $BASEPATH/$FILE systemctl restart sshd >> $BASEPATH/$FILE systemctl list-unit-files | grep sshd.service >> $BASEPATH/$FILE #stop OS other services echo "---------------stop OS other services---------------" >> $BASEPATH/$FILE for i in bluetooth.target postfix rhnsd rhsmcertd do rpm -qa | grep $i &>/dev/null if [ $? -eq 0 ];then systemctl stop $i &>/dev/null systemctl disable $i &>/dev/null else echo " $i services no found " >> $BASEPATH/$FILE fi systemctl list-unit-files | grep $i >> $BASEPATH/$FILE done #echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE #echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE } function rhel7_pass_policy() { awk '$1 ~ /PASS_MAX_DAYS/{$2="\t"90}1' /etc/login.defs 1<>/etc/login.defs awk '$1 ~ /PASS_MIN_DAYS/{$2="\t"6}1' /etc/login.defs 1<>/etc/login.defs awk '$1 ~ /PASS_MIN_LEN/{$2="\t"8}1' /etc/login.defs 1<>/etc/login.defs awk '$1 ~ /PASS_WARN_AGE/{$2="\t"30}1' /etc/login.defs 1<>/etc/login.defs echo "------------password controls set finish-----------------" >> $BASEPATH/$FILE sed -n '25,28p' /etc/login.defs >> $BASEPATH/$FILE PWQUALITY_PASS_POLICY=`grep "pam_pwquality.so" /etc/pam.d/password-auth-ac` PWQUALITY_SYS_POLICY=`grep "pam_pwquality.so" /etc/pam.d/system-auth-ac` UNIX_PASS_POLICY=`grep "pam_unix.so" /etc/pam.d/password-auth-ac` UNIX_SYS_POLICY=`grep "pam_unix.so" /etc/pam.d/system-auth-ac` #retry 定义登录/修改密码失败时,可以重试的次数 #minlen 定义用户密码的最小长度为8位 #lcredit=-1 定义用户密码中最少有1个小写字母 #dcredit=-1 定义用户密码中最少有1个数字 #ocredit=-1 定义用户密码中最少有1个特殊字符 #ucredit=-2 定义用户密码中最少有2个大写字母 #remember=5 修改用户密码时最近5次用过的旧密码就不能重用了 if [ -n "$PWQUALITY_PASS_POLICY" ]; then sed -i '/authtok_type=/c \password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= dcredit=-1 ocredit=-1 ucredit=-1 lcredit=1 minclass=3 minlen=8' /etc/pam.d/password-auth-ac echo "parameter_password_auth_ac pam_pwquality.so replace finish" >> $BASEPATH/$FILE cat /etc/pam.d/password-auth-ac|grep "pam_pwquality.so" >>$BASEPATH/$FILE else sed -i '$a \password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= dcredit=-1 ocredit=-1 ucredit=-1 lcredit=1 minclass=3 minlen=8' /etc/pam.d/password-auth-ac echo "parameter_password_auth_ac cracklib.so append finish" >> $BASEPATH/$FILE cat /etc/pam.d/password-auth-ac|grep "pam_cracklib.so" >>$BASEPATH/$FILE fi if [ -n "$PWQUALITY_SYS_POLICY" ]; then sed -i '/authtok_type=/c \password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= dcredit=-1 ocredit=-1 ucredit=-1 lcredit=1 minclass=3 minlen=8' /etc/pam.d/system-auth-ac echo "parameter_system_auth_ac pam_pwquality.so replace finish" >> $BASEPATH/$FILE cat /etc/pam.d/system-auth-ac|grep "pam_pwquality.so" >>$BASEPATH/$FILE else sed -i '$a \password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= dcredit=-1 ocredit=-1 ucredit=-1 lcredit=1 minclass=3 minlen=8' /etc/pam.d/system-auth-ac echo "parameter_system_auth_ac pam_pwquality.so append finish" >> $BASEPATH/$FILE cat /etc/pam.d/system-auth-ac|grep "pam_pwquality.so" >>$BASEPATH/$FILE fi if [ -n "$UNIX_PASS_POLICY" ]; then sed -i '/use_authtok/c \password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=6' /etc/pam.d/password-auth-ac echo "parameter_password_auth_ac unix.so replace finish" >> $BASEPATH/$FILE cat /etc/pam.d/password-auth-ac|grep "pam_unix.so" >>$BASEPATH/$FILE else sed -i '$a \password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=6' /etc/pam.d/password-auth-ac echo "parameter_password_auth_ac unix.so append finish" >> $BASEPATH/$FILE cat /etc/pam.d/password-auth-ac|grep "pam_unix.so" >>$BASEPATH/$FILE fi if [ -n "$UNIX_SYS_POLICY" ]; then sed -i '/use_authtok/c \password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=6' /etc/pam.d/system-auth-ac echo "parameter_system_auth_ac unix.so replace finish" >> $BASEPATH/$FILE cat /etc/pam.d/system-auth-ac|grep "pam_unix.so" >>$BASEPATH/$FILE else sed -i '$a \password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=6' /etc/pam.d/system-auth-ac echo "parameter_system_auth_ac unix.so append finish" >> $BASEPATH/$FILE cat /etc/pam.d/system-auth-ac|grep "pam_unix.so" >>$BASEPATH/$FILE fi #echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE #echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE } function rhel7_para_set() { grep "TMOUT=300" /etc/profile if [ $? -eq 0 ]; then echo "TMOUT already set" >> $BASEPATH/$FILE else sed -i '$a \export TMOUT=300' /etc/profile grep "TMOUT" /etc/profile >> $BASEPATH/$FILE fi #systemctl set-default multi-user.target >> $BASEPATH/$FILE #systemctl get-default >> $BASEPATH/$FILE echo "rhel7 parameter set finished" >> $BASEPATH/$FILE #echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE #echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++" >> $BASEPATH/$FILE } check_checklog login_policy create_user bak_file file_lock_set user_lock_set group_permissions_set user_permissions_set system_dir_file_permissions_set sys_kernel_parameter_set history_num_set change_open_file_num if [ $VERSION = 6 ];then rhel6_stop_service rhel6_pass_policy rhel6_para_set rhel6_timeserver_set echo "centos 6 init finish" >>$BASEPATH/$FILE #echo "centos $VERSION 设置完成,输出结果保存在$BASEPATH目录下$FILE文件中" echo -e "\033[1;34m 输出结果在$BASEPATH目录下$FILE文件中 \033[0m" else [ $VERSION = 7 ] rhel7_stop_service rhel7_pass_policy rhel7_para_set rhel7_timeserver_set echo "centos 7 init finish" >>$BASEPATH/$FILE #echo "centos $VERSION 设置完成,输出结果保存在$BASEPATH目录下$FILE文件中" echo -e "\033[1;34m 输出结果在$BASEPATH目录下$FILE文件中 \033[0m" fi