该脚本主要是针对 CentOS Linux 7 合规基线加固的一些配置操作,包括创建用户、安全审计配置、入侵防范配置、访问控制配置、身份鉴别策略配置等。如果您需要在脚本中添加公司网址,您可以在适当的位置添加相应的内容。不过请注意,在实际生产环境中,建议谨慎进行脚本修改和执行,以免造成意外的影响。
?
#!/bin/bash
# CentOS Linux 7基线标准系统-等保三级-CentOS Linux 7合规基线加固
[ -f /etc/init.d/functions ] && . /etc/init.d/functions
#定义脚本执行时间日志
bash_run(){
mkdir /etc/funi_bash -p
echo date +"%Y-%m-%d %H:%M:%S" > /etc/funi_bash/safe_date.log
}
bash_run
#判断是否执行加固脚本
check_bash(){
if [ -e /etc/funi_bash/safe_date.log ]; then
message=`cat /etc/funi_bash/safe_date.log`
echo 该服务器已于$message执行加固脚本,请确认是否继续执行
else
createuser
dengbao_bash
fi
}
#运维管理员:GGB
#安全管理员:GGB
#审计管理员:GGB
#新建管理员funi用户
createuser(){
useradd funi
if [ -z "$1" ]; then
echo "未传入密码,使用默认密码创建用户funi成功"
echo 'Funi_2021rjy' | passwd --stdin funi
echo "funi ALL=(ALL) ALL" >> /etc/sudoers
else
echo "使用自定义密码创建用户funi成功"
echo '$1' | passwd --stdin funi
echo "funi ALL=(ALL) ALL" >> /etc/sudoers
fi
}
createuser
#新建安全审计safeuser用户
createsafeuser(){
useradd safeuser
if [ -z "$2" ]; then
echo "未传入密码,使用默认密码创建用户funi成功"
echo 'Funi_2021rjy' | passwd --stdin funi
echo "funi ALL=(ALL) ALL" >> /etc/sudoers
else
echo "使用自定义密码创建用户funi成功"
echo '$1' | passwd --stdin funi
echo "funi ALL=(ALL) ALL" >> /etc/sudoers
fi
}
createsafeuser
#新建安全审计audituser用户
createaudituser(){
useradd audituser
if [ -z "$3" ]; then
echo "未传入密码,使用默认密码创建用户funi成功"
echo 'Funi_2021rjy' | passwd --stdin funi
echo "audituser ALL=(ALL) ALL" >> /etc/sudoers
else
echo "使用自定义密码创建用户funi成功"
echo '$1' | passwd --stdin funi
echo "audituser ALL=(ALL) ALL" >> /etc/sudoers
fi
}
createaudituser
#1
# 修改密码最大有效期为180天
passwdtime(){
echo "#01修改密码最大有效期为180天"
cp /etc/login.defs /etc/login.defs-${time}
sed -i.bak 's/^\(PASS_MAX_DAYS\).*/\1 180/' /etc/login.defs
if [ "$?" == 0 ]
then
action "sed -i.bak 's/^\(PASS_MAX_DAYS\).*/\1 180/' /etc/login.defs" /bin/true
else
action "sed -i.bak 's/^\(PASS_MAX_DAYS\).*/\1 180/' /etc/login.defs" /bin/false
fi
chage --maxdays 180 root
if [ "$?" == 0 ]
then
action "chage --maxdays 180 root" /bin/true
else
action "chage --maxdays 180 root" /bin/false
fi
}
passwdtime
#2
# 修改密码必须包含四种字符
mimaguifan(){
echo "#02修改密码必须包含四种字符"
sed -i 's/# minclass = 0/minclass = 3/g' /etc/security/pwquality.conf
if [ "$?" == 0 ]
then
action "sed -i 's/# minclass = 0/minclass = 3/g' /etc/security/pwquality.conf" /bin/true
else
action "sed -i 's/# minclass = 0/minclass = 3/g' /etc/security/pwquality.conf" /bin/false
fi
}
mimaguifan
#3
# 修改两次修改密码的最小间隔时间为7天
passwdjiange(){
echo "#03修改两次修改密码的最小间隔时间为7天"
sed -i.bak 's/^\(PASS_MIN_DAYS\).*/\1 7/' /etc/login.defs
if [ "$?" == 0 ]
then
action "sed -i.bak 's/^\(PASS_MIN_DAYS\).*/\1 7/' /etc/login.defs" /bin/true
else
action "sed -i.bak 's/^\(PASS_MIN_DAYS\).*/\1 7/' /etc/login.defs" /bin/false
fi
chage --mindays 7 root
if [ "$?" == 0 ]
then
action "chage --mindays 7 root" /bin/true
else
action "chage --mindays 7 root" /bin/false
fi
}
passwdjiange
#4
# 修改密码必须包含四种字符
passwdnandu(){
echo "#04修改密码必须包含四种字符"
cp /etc/security/pwquality.conf /etc/security/pwquality.conf-${time}
sed -i 's/# minclass = 0/minclass = 3/g' /etc/security/pwquality.conf
if [ "$?" == 0 ]
then
action "sed -i 's/# minclass = 0/minclass = 3/g' /etc/security/pwquality.conf" /bin/true
else
action "sed -i 's/# minclass = 0/minclass = 3/g' /etc/security/pwquality.conf" /bin/false
fi
}
passwdnandu
#5,6,7,8
# 修改密码最短为9位
mimaweishu(){
echo "#05,06,07,08修改密码最短为9位"
sed -i 's/# minlen = 9/minlen = 9/g' /etc/security/pwquality.conf
if [ "$?" == 0 ]
then
action "sed -i 's/# minlen = 9/minlen = 9/g' /etc/security/pwquality.conf " /bin/true
else
action "sed -i 's/# minlen = 9/minlen = 9/g' /etc/security/pwquality.conf " /bin/false
fi
}
mimaweishu
#9
# 密码设置及登陆控制文件/etc/pam.d/password-auth 禁止使用最近用过的5个密码 remember=5
password_auth(){
echo "#09密码设置及登陆控制文件/etc/pam.d/password-auth,禁止使用最近用过的5个密码"
cp /etc/pam.d/password-auth /etc/pam.d/password-auth-${time}
sed -i 's/password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok/password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5/g' /etc/pam.d/password-auth
if [ "$?" == 0 ]
then
action "sed -i 's/password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok/password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5/g' /etc/pam.d/password-auth" /bin/true
else
action "sed -i 's/password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok/password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5/g' /etc/pam.d/password-auth" /bin/false
fi
}
password_auth
# 密码设置及登陆控制文件/etc/pam.d/system-auth 禁止使用最近用过的5个密码 remember=5
system_auth(){
echo "#密码设置及登陆控制文件/etc/pam.d/system-auth 禁止使用最近用过的5个密码 remember=5"
cp /etc/pam.d/system-auth /etc/pam.d/system-auth-${time}
sed -i 's/password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok/password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5/g' /etc/pam.d/system-auth
if [ "$?" == 0 ]
then
action "sed -i 's/password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok/password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5/g' /etc/pam.d/system-auth" /bin/true
else
action "sed -i 's/password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok/password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=5/g' /etc/pam.d/system-auth" /bin/false
fi
}
system_auth
#10
#密码过期时间告警
logindefs(){
echo "#10密码过期时间告警"
cp /etc/login.defs /etc/login.defs-${time}
echo 'PASS_WARN_AGE 30 ' >> /etc/login.defs
if [ "$?" == 0 ]
then
action "echo 'PASS_WARN_AGE 30 ' >> /etc/login.defs" /bin/true
else
action "echo 'PASS_WARN_AGE 30 ' >> /etc/login.defs" /bin/false
fi
}
logindefs
# ssh服务端每900秒向客户端发送一次消息,以保持长连接
sshchanglianjie(){
echo "#ssh服务端每900秒向客户端发送一次消息,以保持长连接"
cp /etc/ssh/sshd_config /etc/ssh/sshd_config-${time}
sed -i 's/#ClientAliveInterval 0/ClientAliveInterval 900/g' /etc/ssh/sshd_config
if [ "$?" == 0 ]
then
action "sed -i 's/#ClientAliveInterval 0/ClientAliveInterval 900/g' /etc/ssh/sshd_config" /bin/true
else
action "sed -i 's/#ClientAliveInterval 0/ClientAliveInterval 900/g' /etc/ssh/sshd_config" /bin/false
fi
}
sshchanglianjie
# 客户端3次超时即断开客户端
sshdunakai(){
echo "#客户端3次超时即断开客户端"
sed -i 's/#ClientAliveCountMax 3/ClientAliveCountMax 3/g' /etc/ssh/sshd_config
if [ "$?" == 0 ]
then
action "sed -i 's/#ClientAliveCountMax 3/ClientAliveCountMax 3/g' /etc/ssh/sshd_config" /bin/true
else
action "sed -i 's/#ClientAliveCountMax 3/ClientAliveCountMax 3/g' /etc/ssh/sshd_config" /bin/false
fi
}
sshdunakai
#11
#检查是否存在空口令用户账号,如果有则锁定用户
kongkoulin(){
echo "#11检查是否存在空口令用户账号,如果有则锁定用户"
if [ `awk -F: 'NR==FNR && $3 >= 1000 && $3 < 65534 {users[$1]}; NR!=FNR && ($2 == "" || $2 == "!!") && ($1 in users) {print $1}' /etc/passwd /etc/shadow | wc -l` != 0 ]; then
for i in `awk -F: 'NR==FNR && $3 >= 1000 && $3 < 65534 {users[$1]}; NR!=FNR && ($2 == "" || $2 == "!!") && ($1 in users) {print $1}' /etc/passwd /etc/shadow`;
do
usermod -L $i
action "当前${i}用户没有密码,已锁定,如需要使用执行 usermod -U username 解锁" /bin/false
echo "当前${i}用户没有密码,已锁定" >> /etc/funi_bash/safe_date.log
done
else
action "当前无空口令用户" /bin/true
fi
}
kongkoulin
#12
# 用户重新尝试输入密码的次数设为4
sshcghangsi(){
echo "#12用户重新尝试输入密码的次数设为4"
sed -i 's/#MaxAuthTries 6/MaxAuthTries 4/g' /etc/ssh/sshd_config
if [ "$?" == 0 ]
then
action "sed -i 's/#MaxAuthTries 6/MaxAuthTries 4/g' /etc/ssh/sshd_config" /bin/true
else
action "sed -i 's/#MaxAuthTries 6/MaxAuthTries 4/g' /etc/ssh/sshd_config" /bin/false
fi
echo 'Protocol 2' >> /etc/ssh/sshd_config
if [ "$?" == 0 ]
then
action "echo 'Protocol 2' >> /etc/ssh/sshd_config" /bin/true
else
action "echo 'Protocol 2' >> /etc/ssh/sshd_config" /bin/false
fi
}
sshcghangsi
# 13 SSH 日志级别设置为INFO,记录登录和注销活动
sshlog(){
echo "#13 SSH 日志级别设置为INFO,记录登录和注销活动"
sed -i 's/#LogLevel INFO/LogLevel INFO/g' /etc/ssh/sshd_config
if [ "$?" == 0 ]
then
action "sed -i 's/#LogLevel INFO/LogLevel INFO/g' /etc/ssh/sshd_config" /bin/true
else
action "sed -i 's/#LogLevel INFO/LogLevel INFO/g' /etc/ssh/sshd_config" /bin/false
fi
service sshd restart
if [ "$?" == 0 ]
then
action "service sshd restart" /bin/true
else
action "service sshd restart" /bin/false
fi
sed -i '/# User/a\auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900' /etc/pam.d/password-auth
if [ "$?" == 0 ]
then
action "sed -i '/# User/a\auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900' /etc/pam.d/password-auth" /bin/true
else
action "sed -i '/# User/a\auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900' /etc/pam.d/password-auth" /bin/false
fi
sed -i '/# User/a\auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900' /etc/pam.d/system-auth
if [ "$?" == 0 ]
then
action "sed -i '/# User/a\auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900' /etc/pam.d/system-auth" /bin/true
else
action "sed -i '/# User/a\auth required pam_tally2.so onerr=fail audit silent deny=5 unlock_time=900' /etc/pam.d/system-auth" /bin/false
fi
echo 'TMOUT=900' >> /etc/profile
if [ "$?" == 0 ]
then
action "echo 'TMOUT=900' >> /etc/profile" /bin/true
else
action "echo 'TMOUT=900' >> /etc/profile" /bin/false
fi
}
sshlog
#22
# 禁止root登录
PermitRootLogin(){
echo "#22禁止root登录"
sed -i 's/PermitRootLogin no/PermitRootLogin yes/g' /etc/ssh/sshd_config
if [ "$?" == 0 ]
then
action "sed -i 's/PermitRootLogin no/PermitRootLogin yes/g' /etc/ssh/sshd_config" /bin/true
else
action "sed -i 's/PermitRootLogin no/PermitRootLogin yes/g' /etc/ssh/sshd_config" /bin/false
fi
service sshd restart
if [ "$?" == 0 ]
then
action "service sshd restart" /bin/true
else
action "service sshd restart" /bin/false
fi
}
PermitRootLogin
#24
#检查使用IP协议远程维护的设备是否配置SSH协议,禁用telnet协议
telnet(){
echo "24检查使用IP协议远程维护的设备是否配置SSH协议,禁用telnet协议"
rpm -qa |grep telnet*
if [ $? == 0 ];
then
echo "disable = yes" >> /etc/xinetd.d/telnet
service xinetd restart
action "禁用telnet协议" /bin/true
else
action "禁用telnet协议" /bin/false
fi
}
telnet
#25
#禁止匿名VSFTP用户登录
vsftpuser(){
echo "25禁止匿名VSFTP用户登录"
if [ -f /etc/vsftpd.conf ] || [ -f /etc/vsftpd/vsftpd.conf ];
then
echo "anonymous_enable=NO" >> /etc/vsftpd.conf 2>/dev/null || echo "anonymous_enable=NO" >> /etc/vsftpd/vsftpd.conf
action "禁止匿名VSFTP用户登录" /bin/true
fi
}
#26
#删除ftp用户
delftp(){
echo "26 删除ftp用户"
userdel -f ftp
if [ $? == 0 ]
then
action "userdel -f ftp" /bin/true
else
action "userdel -f ftp" /bin/false
fi
}
delftp
#29
#检查配置文件/etc/snmp/snmpd.conf是否存在。
snmpd_file(){
echo "#29检查配置文件/etc/snmp/snmpd.conf是否存在。"
if [ -f /etc/snmp/snmpd.conf ];
then
action "文件/etc/snmp/snmpd.conf存在" /bin/true
else
mkdir -p /etc/snmp && touch /etc/snmp/snmpd.conf
action "创建/etc/snmp/snmpd.conf成功" /bin/true
fi
}
snmpd_file
#33,34
#禁止系统账号进行交互式登录
userdenlu(){
echo "33,34禁止系统账号进行交互式登录"
for i in `echo 'bin sys nuucp adm lp mail uucp operator games gopher ftp nobody nobody4 noaccess listen webservd rpm dbus avahi mailnull smmsp nscd vcsa rpc rpcuser nfs sshd pcap ntp haldaemon distcache apache webalizer squid xfs gdm sabayon named'`;
do
passwd -l $i > /dev/null
action "${i}用户已锁定" /bin/true
done
}
userdenlu
#37
#检查是否使用PAM认证模块禁止wheel组之外的用户su为root
sufile(){
echo "#37检查是否使用PAM认证模块禁止wheel组之外的用户su为root"
if [ -f /etc/pam.d/su ]
then
sed -i '2i\auth sufficient pam_rootok.so' /etc/pam.d/su
sed -i '2i\auth required pam_wheel.so group=wheel' /etc/pam.d/su
action "/etc/pam.d/su文件" /bin/true
else
action "/etc/pam.d/su文件" /bin/false
fi
}
#38
#禁止root登录VSFTP
rootvsftp(){
echo "#38禁止匿名VSFTP用户登录"
if [ -f /etc/ftpusers ] || [ -f /etc/vsftpd/ftpusers ]
then
echo "root" >> /etc/ftpusers || echo "root" >> /etc/vsftpd/ftpusers
action "#禁止root登录VSFTP" /bin/true
else
action "#禁止root登录VSFTP" /bin/false
fi
}
rootvsftp
#39
#禁止root登录WU-FTP
rootwuftp(){
echo "#39禁止root登录WU-FTP"
if [ -f /etc/ftpusers ]
then
echo "root" >> /etc/ftpusers
action "禁止root登录WU-FTP" /bin/true
else
action "禁止root登录WU-FTP" /bin/false
fi
}
rootwuftp
#40检查重要文件是否存在suid和sgid权限
suidfile(){
echo "#40检查重要文件是否存在suid和sgid权限"
find /usr/bin/chage /usr/bin/gpasswd /usr/bin/wall /usr/bin/chfn /usr/bin/chsh /usr/bin/newgrp /usr/bin/write /usr/sbin/usernetctl /usr/sbin/traceroute /bin/mount /bin/umount /bin/ping /sbin/netreport -type f -perm +6000 2>/dev/nul
if [ $? == 0 ]
then
for i in `echo '/usr/bin/chage /usr/bin/gpasswd /usr/bin/wall /usr/bin/chfn /usr/bin/chsh /usr/bin/newgrp /usr/bin/write /usr/sbin/usernetctl /usr/sbin/traceroute /bin/mount /bin/umount /bin/ping /sbin/netreport '`
do
chmod a-s $i
done
action "#40检查重要文件是否存在suid和sgid权限" /bin/true
else
action "#40检查重要文件是否存在suid和sgid权限" /bin/false
fi
}
suidfile
#41检查是否存在除root之外UID为0的用户
root_uid(){
echo "#41检查是否存在除root之外UID为0的用户"
if [ `awk -F: '$3 == 0 && $1 != "root"{print $1}' /etc/passwd | wc -l` >=1 ]
then
action 当前UID为零的用户有`echo ` awk -F: '$3 == 0 && $1 != "root"{print $1}' /etc/passwd`` /bin/true
else
action "#41不存在除root之外UID为0的用户" /bin/true
fi
}
root_uid
#42检查是否限制FTP用户登录后能访问的目录
ftp_file(){
echo "#42检查是否限制FTP用户登录后能访问的目录"
if [ -f /etc/vsftpd.conf ]
then
echo " chroot_local_user=YES" >> /etc/vsftpd.conf
/etc/init.d/vsftpd restart
action "修改/etc/vsftpd.conf" /bin/true
else
action "修改/etc/vsftpd.conf" /bin/false
fi
if [ -f /etc/pure-ftpd/pure-ftpd.conf ]
then
echo " ChrootEveryone yes AllowUserFXP no AllowAnonymousFXP no" >> /etc/pure-ftpd/pure-ftpd.conf
/etc/init.d/pure-ftpd restart
action "修改/etc/pure-ftpd/pure-ftpd.conf" /bin/true
else
action "修改/etc/pure-ftpd/pure-ftpd.conf" /bin/false
fi
}
ftp_file
#44检查/usr/bin/目录下的可执行文件的拥有者属性,当可执行文件设置s属性时,执行时可以获取其拥有者的权限。
binfile_s(){
if [ -d /usr/bin/ ]
then
echo "含有“s”属性的文件如下,可使用 chmod a-s filename 取消权限"
find /usr/bin -type f \( -perm -04000 -o -perm -02000 \) -exec ls -lg {} \;
else
action "/usr/bin/目录下的可执行文件已无含s权限" /bin/true
fi
}
binfile_s
#45/etc/rc2.d文件权限是否符合规范
file_rc2(){
echo "#45/etc/rc2.d文件权限是否符合规范"
if [ -e /etc/rc2.d ]
then
chmod 750 /etc/rc2.d/
action "/etc/rc2.d文件权限符合规范" /bin/true
else
action "/etc/rc2.d文件不存在" /bin/false
fi
}
file_rc2
#46/etc/rc4.d文件权限是否符合规范
file_rc4(){
echo "#46/etc/rc4.d文件权限是否符合规范"
if [ -e /etc/rc4.d ]
then
chmod 750 /etc/rc4.d/
action "#45/etc/rc4.d文件权限符合规范" /bin/true
else
action "/etc/rc4.d文件不存在" /bin/false
fi
}
file_rc4
#47/etc/passwd文件权限是否符合规范
passwd_file(){
echo "#47/etc/passwd文件权限是否符合规范"
if [ -e /etc/passwd ]
then
chmod 750 /etc/passwd
action "/etc/passwd文件权限符合规范" /bin/true
else
action "/etc/passwd文件不存在" /bin/false
fi
}
passwd_file
#48检查系统引导器配置文件权限
chmod_file(){
echo "#48检查系统引导器配置文件权限"
for i in `echo "/etc/grub.conf boot/grub/grub.conf /etc/lilo.conf /etc/grub2.cfg /boot/grub2/grub.cfg"`
do
if [ -e $i ];then
chmod 600 $i
action "${i}文件已修改600权限" /bin/true
fi
done
}
chmod_file
#49/etc/xinetd.conf文件权限是否符合规范
xinetd_file(){
echo "#49/etc/xinetd.conf文件权限是否符合规范"
if [ -e /etc/xinetd.conf ]
then
chmod 750 /etc/passwd
action "/etc/xinetd.conf文件权限符合规范" /bin/true
else
action "/etc/xinetd.conf文件不存在" /bin/false
fi
}
xinetd_file
#50/etc/group文件权限是否符合规范
group_file(){
echo "#50/etc/group文件权限是否符合规范"
if [ -e /etc/group ]
then
chmod 644 /etc/group
action "/etc/group文件权限符合规范" /bin/true
else
action "/etc/group文件不存在" /bin/false
fi
}
group_file
#51/tmp文件权限是否符合规范
tmp_file(){
echo "#51/tmp文件权限是否符合规范"
if [ -e /tmp ]
then
chmod 750 /tmp
action "/tmp文件权限符合规范" /bin/true
else
action "/tmp文件不存在" /bin/false
fi
}
tmp_file
#52/etc/shadow文件权限是否符合规范
shadow_file(){
echo "#52/etc/shadow文件权限是否符合规范"
if [ -e /etc/shadow ]
then
chmod 750 /etc/shadow
action "/etc/shadow文件权限符合规范" /bin/true
else
action "/etc/shadow文件不存在" /bin/false
fi
}
shadow_file
#53/etc/rc.d/init.d/文件权限是否符合规范
rc_d_file(){
echo "#53/etc/rc.d/init.d/文件权限是否符合规范"
if [ -e /etc/rc.d/init.d/ ]
then
chmod 750 /etc/rc.d/init.d/
action "/etc/rc.d/init.d/ 文件权限符合规范" /bin/true
else
action "/etc/rc.d/init.d/ 文件不存在" /bin/false
fi
}
rc_d_file
#54/etc/rc0.d文件权限是否符合规范
rc_file(){
echo "#54/etc/rc0.d文件权限是否符合规范"
if [ -e /etc/rc0.d ]
then
chmod 750 /etc/rc0.d
action "/etc/rc0.d 文件权限符合规范" /bin/true
else
action "/etc/rc0.d文件不存在" /bin/false
fi
}
rc_file
#55/etc/services文件权限是否符合规范
services_file(){
echo "#55/etc/services文件权限是否符合规范"
if [ -e /etc/services ]
then
chmod 644 /etc/services
action "/etc/services 文件权限符合规范" /bin/true
else
action "/etc/services 文件不存在" /bin/false
fi
}
services_file
#56/etc/rc3.d文件权限是否符合规范
rc3_file(){
echo "#56/etc/rc3.d文件权限是否符合规范"
if [ -e /etc/rc3.d ]
then
chmod 750 /etc/rc3.d
action "/etc/rc3.d 文件权限符合规范" /bin/true
else
action "/etc/rc3.d 文件不存在" /bin/false
fi
}
rc3_file
#57/etc/rc6.d文件权限是否符合规范
rc6_file(){
echo "#57/etc/rc6.d文件权限是否符合规范"
if [ -e /etc/rc6.d ]
then
chmod 750 /etc/rc6.d
action "/etc/rc6.d 文件权限符合规范" /bin/true
else
action "/etc/rc6.d 文件不存在" /bin/false
fi
}
rc6_file
#58/etc/rc5.d文件权限是否符合规范
rc5_file(){
echo "#58/etc/rc5.d文件权限是否符合规范"
if [ -e /etc/rc5.d ]
then
chmod 750 /etc/rc5.d
action "/etc/rc5.d 文件权限符合规范" /bin/true
else
action "/etc/rc5.d 文件不存在" /bin/false
fi
}
rc5_file
#59/etc/rc1.d/文件权限是否符合规范
rc1_file(){
echo "#59/etc/rc1.d/文件权限是否符合规范"
if [ -e /etc/rc1.d ]
then
chmod 750 /etc/rc1.d
action "/etc/rc1.d 文件权限符合规范" /bin/true
else
action "/etc/rc1.d 文件不存在" /bin/false
fi
}
rc1_file
#60/etc/security目录权限是否符合规范
security_file(){
echo "#60/etc/security目录权限是否符合规范"
if [ -e /etc/security ]
then
chmod 600 /etc/security
action "/etc/security 文件权限符合规范" /bin/true
else
action "/etc/security 文件不存在" /bin/false
fi
}
security_file
#61,62,63,64检查文件属性
file_shadow(){
echo "#61,62,63,64检查文件属性"
for i in ` echo '/etc/shadow /etc/group /etc/passwd /etc/gshadow' `
do
if [ -e $i ]
then
chattr +i $i
action "${i}文件属性已不可修改" /bin/true
else
action "${i}文件不存在" /bin/false
fi
done
}
file_shadow
#65检查用户目录缺省访问权限设置
login_file(){
echo "#65检查用户目录缺省访问权限设置"
if [ -e /etc/login.defs ]
then
sed -i 's/^UMASK.*/UMASK 027/g' /etc/login.defs
action " sed -i 's/^UMASK.*/UMASK 027/g' /etc/login.defs" /bin/true
else
action "/etc/login.defs文件不存" /bin/false
fi
}
#66~73检查日志文件是否非全局可写
log_file(){
echo "#66~73检查日志文件是否非全局可写"
for i in `echo ' /var/log/maillog /var/log/mail /var/log/secure /var/log/messages /var/log/localmessages /var/log/spooler /var/log/boot.log /var/log/cron '`
do
if [ -e $i ];then
chmod 775 $i
action "${i}文件权限已修改" /bin/true
else
action "${i}文件不存在" /bin/false
fi
done
}
log_file
#74,75检查是否配置用户所需最小权限
file_chmod(){
echo "#66~73检查日志文件是否非全局可写"
for i in `echo '/etc/passwd /etc/group'`
do
if [ -e $i ];then
chmod 775 $i
action "${i}文件权限已修改" /bin/true
else
action "${i}文件不存在" /bin/false
fi
done
}
file_chmod
#78限制FTP用户登录后上传文件的属性
FTP_file(){
echo "#78限制FTP用户登录后上传文件的属性"
if [ -e /etc/vsftpd.conf ];then
# 检查文件是否存在并且未注释
if ! grep -q "^write_enable=YES" /etc/vsftpd.conf; then
echo "write_enable=YES" >> /etc/vsftpd.conf
fi
if ! grep -q "^ls_recurse_enable=YES" /etc/vsftpd.conf; then
echo "ls_recurse_enable=YES" >> /etc/vsftpd.conf
fi
if ! grep -q "^local_umask=022" /etc/vsftpd.conf; then
echo "local_umask=022" >> /etc/vsftpd.conf
fi
if ! grep -q "^anon_umask=022" /etc/vsftpd.conf; then
echo "anon_umask=022" >> /etc/vsftpd.conf
fi
/etc/init.d/vsftpd restart
# 检查文件是否存在并且未注释
if ! grep -q "^Umask 177:077" /etc/pure-ftpd/pure-ftpd.conf; then
echo "Umask 177:077" >> /etc/pure-ftpd/pure-ftpd.conf
fi
# 重启ftp服务
/etc/init.d/pure-ftpd restart
action "限制FTP用户登录后上传文件的属性设置已完成" /bin/true
else
action "/etc/vsftpd.conf文件不存在" /bin/false
fi
}
FTP_file
#79检查是否禁用不必要的系统服务
#83如果没有必要,需要停止NFS服务
nfs_sys(){
echo "#83如果没有必要,需要停止NFS服务"
if [ `rpm -qa | grep nfs | wc -l` != 0 ];then
systemctl stop nfs
action "nfs服务已完成停止" /bin/true
else
action "为安装nfs服务" /bin/false
fi
}
nfs_sys
#84设置 主机允许策略文件/etc/hosts.allow 的属组和属主为root
host_allow(){
echo "#设置主机允许策略文件/etc/hosts.allow 的属组和属主为root"
chown root:root /etc/hosts.allow
if [ "$?" == 0 ]
then
echo
action "chown root:root /etc/hosts.allow" /bin/true
else
action "chown root:root /etc/hosts.allow" /bin/false
fi
}
host_allow
#85 检查是否关闭ident服务
check_ident() {
echo "#85检查是否关闭ident服务"
ident_status=$(systemctl is-active ident)
if [ "$ident_status" = "active" ]
then
systemctl disable ident
action "已禁用ident服务" /bin/false
else
action "ident服务已关闭" /bin/true
fi
}
check_ident
#86 检查是否关闭time服务
check_time() {
echo "#86检查是否关闭time服务"
time_status=$(systemctl is-active time)
if [ "$time_status" = "active" ]
then
systemctl disable time
action "已禁用time服务" /bin/false
else
action "time服务已关闭" /bin/true
fi
}
check_time
#87 检查是否关闭nfs服务
check_nfs() {
echo "#87检查是否关闭nfs服务"
nfs_status=$(systemctl is-active nfs)
if [ "$nfs_status" = "active" ]
then
systemctl disable nfs
action "已禁用nfs服务" /bin/false
else
action "nfs服务已关闭" /bin/true
fi
}
check_nfs
#88 检查是否关闭chargen服务
check_chargen() {
echo "#88检查是否关闭chargen服务"
chargen_status=$(systemctl is-active chargen)
if [ "$chargen_status" = "active" ]
then
systemctl disable chargen
action "已禁用chargen服务" /bin/false
else
action "chargen服务已关闭" /bin/true
fi
}
check_chargen
#89 检查是否关闭klogin服务
check_klogin() {
echo "#89检查是否关闭klogin服务"
klogin_status=$(systemctl is-active klogin)
if [ "$klogin_status" = "active" ]
then
systemctl disable klogin
action "已禁用klogin服务" /bin/false
else
action "klogin服务已关闭" /bin/true
fi
}
check_klogin
#90 检查是否关闭ypbind服务
check_ypbind() {
echo "#90检查是否关闭ypbind服务"
ypbind_status=$(systemctl is-active ypbind)
if [ "$ypbind_status" = "active" ]
then
systemctl disable ypbind
action "已禁用ypbind服务" /bin/false
else
action "ypbind服务已关闭" /bin/true
fi
}
check_ypbind
#91 检查是否关闭tftp服务
check_tftp() {
echo "#91检查是否关闭tftp服务"
tftp_status=$(systemctl is-active tftp)
if [ "$tftp_status" = "active" ]
then
systemctl disable tftp
action "已禁用tftp服务" /bin/false
else
action "tftp服务已关闭" /bin/true
fi
}
check_tftp
#92 检查是否关闭nfslock服务
check_nfslock() {
echo "#92检查是否关闭nfslock服务"
nfslock_status=$(systemctl is-active nfslock)
if [ "$nfslock_status" = "active" ]
then
systemctl disable nfslock
action "已禁用nfslock服务" /bin/false
else
action "nfslock服务已关闭" /bin/true
fi
}
check_nfslock
#93 检查是否关闭lpd服务
check_lpd() {
echo "#93检查是否关闭lpd服务"
lpd_status=$(systemctl is-active lpd)
if [ "$lpd_status" = "active" ]
then
systemctl disable lpd
action "已禁用lpd服务" /bin/false
else
action "lpd服务已关闭" /bin/true
fi
}
check_lpd
#94 检查是否关闭discard服务
check_discard() {
echo "#94检查是否关闭discard服务"
discard_status=$(systemctl is-active discard)
if [ "$discard_status" = "active" ]
then
systemctl disable discard
action "已禁用discard服务" /bin/false
else
action "discard服务已关闭" /bin/true
fi
}
check_discard
#95 检查是否关闭kshell服务
check_kshell() {
echo "#95检查是否关闭kshell服务"
kshell_status=$(systemctl is-active kshell)
if [ "$kshell_status" = "active" ]
then
systemctl disable kshell
action "已禁用kshell服务" /bin/false
else
action "kshell服务已关闭" /bin/true
fi
}
check_kshell
#96 检查是否关闭daytime服务
check_daytime() {
echo "#96检查是否关闭daytime服务"
daytime_status=$(systemctl is-active daytime)
if [ "$daytime_status" = "active" ]
then
systemctl disable daytime
action "已禁用daytime服务" /bin/false
else
action "daytime服务已关闭" /bin/true
fi
}
check_daytime
#97 检查是否关闭echo服务
check_echo() {
echo "#97检查是否关闭echo服务"
echo_status=$(systemctl is-active echo)
if [ "$echo_status" = "active" ]
then
systemctl disable echo
action "已禁用echo服务" /bin/false
else
action "echo服务已关闭" /bin/true
fi
}
check_echo
#98 检查是否关闭sendmail服务
check_sendmail() {
echo "#98检查是否关闭sendmail服务"
sendmail_status=$(systemctl is-active sendmail)
if [ "$sendmail_status" = "active" ]
then
systemctl disable sendmail
action "已禁用sendmail服务" /bin/false
else
action "sendmail服务已关闭" /bin/true
fi
}
check_sendmail
#99 检查是否关闭ntalk服务
check_ntalk() {
echo "#99检查是否关闭ntalk服务"
ntalk_status=$(systemctl is-active ntalk)
if [ "$ntalk_status" = "active" ]
then
systemctl disable ntalk
action "已禁用ntalk服务" /bin/false
else
action "ntalk服务已关闭" /bin/true
fi
}
check_ntalk
#100 检查是否关闭printer服务
check_printer() {
echo "#100检查是否关闭printer服务"
printer_status=$(systemctl is-active printer)
if [ "$printer_status" = "active" ]
then
systemctl disable printer
action "已禁用printer服务" /bin/false
else
action "printer服务已关闭" /bin/true
fi
}
check_printer
#101 检查是否关闭bootps服务
check_bootps() {
echo "#101检查是否关闭bootps服务"
bootps_status=$(systemctl is-active bootps)
if [ "$bootps_status" = "active" ]
then
systemctl disable bootps
action "已禁用bootps服务" /bin/false
else
action "bootps服务已关闭" /bin/true
fi
}
check_bootps
##102 设置允许访问的IP地址并重启SSH服务
#check_allow() {
# allowed_ip="192.168.4.44"
#
# #102 检查是否限制了远程登录的IP范围
# if grep -q "$allowed_ip" /etc/hosts.allow; then
# action "远程登录IP范围已经限制" /bin/true
# else
# action "远程登录IP范围未限制" /bin/false
# # 编辑 /etc/hosts.allow 文件,增加允许访问的IP
# if ! grep -q "sshd:$allowed_ip:allow" /etc/hosts.allow; then
# echo "sshd:$allowed_ip:allow" >> /etc/hosts.allow
# fi
# fi
#
# # 重启SSH服务
# if systemctl status sshd >/dev/null; then
# systemctl restart sshd
# fi
#}
#
#
##103 编辑 /etc/hosts.deny 文件,增加一行 all:all
#check_deny() {
# if ! grep -q "all:all" /etc/hosts.deny; then
# echo "all:all" >> /etc/hosts.deny
# systemctl restart xinetd
# action "/etc/hosts.deny未配置正确" /bin/false
# else
# action "/etc/hosts.deny配置正确" /bin/true
# fi
#}
#104检查保留历史命令的条数
histsize(){
echo "#104 保留历史命令条数"
file="/etc/profile"
neiron="HISTSIZE=.*"
neirong="HISTSIZE=3000"
cp "$file" "$file".bak
sed -i 's/^"$neiron"/"$neirong"' "$file"
source "$file"
action "内容已经替换并加载文件" /bin/true
}
histsize
#105检查保留历史命令的记录文件大小
histfilesize(){
echo "#105 历史命令文件大小"
file="/etc/profile"
neirong="HISTFILESIZE=500"
grep "$neirong" "$file"
if [ $? -eq 0 ]; then
action "配置内容存在" /bin/true
else
cp "$file" "$file".backup
echo "$neirong" >> "$file"
source "$file"
action "已添加内容到文件并加载" /bin/true
fi
}
histfilesize
#106检查是否安装OS补丁
os(){
echo "#106 检查是否安装OS补丁"
if command -v apt &>/dev/null; then
update_command="apt update && apt upgrade -y >> /dev/null"
elif command -v yum &>/dev/null; then
update_command="yum check-update >> /dev/null && yum update -y >> /dev/null"
elif command -v zypper &>/dev/null; then
update_command="zypper refresh && zypper update -y >> /dev/null"
else
action "无法确定系统类型或找不到适用的包管理工具" /bin/false
exit 1
fi
eval "$update_command"
if [ $? -eq 0 ]; then
action "系统更新完成" /bin/ture
else
action "系统更新失败,请检查错误信息" /bin/false
fi
}
os
#107是否设置ssh登录前警告Banner
ssh_banner_ner(){
echo "#107 ssh_banner登录前设置"
banner_file="/etc/ssh_banner"
banner_content="Authorized only. All activity will be monitored and reported"
sshd_config_file="/etc/ssh/sshd_config"
banner_config="Banner /etc/ssh_banner"
if [ -f "$banner_file" ]; then
action "文件 $banner_file 已存在" /bin/true
else
touch "$banner_file"
chown bin:bin "$banner_file"
chmod 644 "$banner_file"
echo "$banner_content" > "$banner_file"
action "已创建 $banner_file 文件并写入内容" /bin/true
fi
if grep -q "$banner_config" "$sshd_config_file"; then
action "sshd_config 文件中已存在 Banner 配置" /bin/false
else
echo "$banner_config" >> "$sshd_config_file"
action "已添加 Banner 配置到 sshd_config 文件" /bin/true
fi
if command -v systemctl >/dev/null; then
systemctl restart sshd
action"已重启 sshd 服务" /bin/true
elif command -v service >/dev/null; then
service sshd restart
action "已重启 sshd 服务" /bin/true
else
action "无法确定系统使用的服务管理工具,请手动重启 sshd 服务" /bin/false
fi
}
ssh_banner_ner
#108 ssh_banner登录后设置
ssh_banner(){
echo "#108 ssh_banner登录后设置"
motd_file="/etc/motd"
motd_content="Login success. All activity will be monitored and reported"
if [ -f "$motd_file" ]; then
echo "$motd_content" > "$motd_file"
action "motd文件存在已修改" /bin/true
else
echo "$motd_content" >"$motd_file"
action "motd文件已创建并写入" /bin/true
fi
}
ssh_banner
#109检查是否更改默认的telnet登录警告Banner
telnet(){
echo "#109 telnet警告 设置"
banner_file="/etc/ssh_banner"
banner_content=" Authorized only. All activity will be monitored and reported "
sshd_config_file="/etc/ssh/sshd_config"
banner_config="Banner /etc/ssh_banner"
touch "$banner_file"
chown bin:bin "$banner_file"
chmod 644 "$banner_file"
echo "$banner_content" >> "$banner_file"
if grep -q "$banner_config" "$sshd_config_file"; then
action "sshd_config 文件中已存在 Banner 配置" /bin/false
else
echo "$banner_config" >> "$sshd_config_file"
action "已添加 Banner 配置到 sshd_config 文件" /bin/true
fi
if command -v systemctl >/dev/null; then
systemctl restart sshd
action "已重启 sshd 服务" /bin/true
elif command -v service >/dev/null; then
service sshd restart
action "已重启 sshd 服务" /bin/true
else
action "无法确定系统使用的服务管理工具,请手动重启 sshd 服务" /bin/false
fi
}
telnet
#110
#111
#112rsyslog是否启用记录cron行为日志功能
rsyslog_cron() {
echo "#112 rsyslog是否启用记录cron行为日志功能"
filelog="/etc/rsyslog.conf"
file="var/log/cron"
neirong="cron.*"$file""
if [ -f "$filelog" ]; then
cp "$filelog" ${filelog}.${time}bak
echo "$neirong" >> "$filelog"
if [ ! -f "$file" ]; then
touch "$file"
chmod 755 "$file"
action "cron 文件已创建" /bin/true
else
action "cron 文件已存在" /bin/false
fi
else
action "rsyslog.conf配置 文件不存在" /bin/false
fi
}
rsyslog_cron
#113syslog是否启用记录cron行为日志功能
syslog_cron() {
echo "#113 syslog_cron"
filelog="/etc/syslog.conf"
file="var/log/cron"
neirong="cron.*"$file""
if [ -f "$filelog" ]; then
echo "$neirong" >> "$filelog"
if [ ! -f "$file" ]; then
touch "$file"
chmod 755 "$file"
action "cron 文件已创建" /bin/true
else
action "cron 文件已存在" /bin/false
fi
else
action "syslog.conf配置 文件不存在" /bin/false
fi
}
syslog_cron
#114syslog-ng是否启用记录cron行为日志功能
syslog_ng_cron(){
echo "#114 cron 日志功能"
filelog="/etc/syslog-ng/syslog-ng.conf"
file="/var/log/cron"
neirong=" filter f_cron { facility(cron); }; destination cron { file("$file"); }; log { source(src); filter(f_cron); destination(cron); };"
if [ -f "$filelog" ]; then
cp "$filelog" "$filelog".backup
echo "$neirong" >> "$filelog"
if [ ! -f "$file" ]; then
touch "$file"
chmod 755 "$file"
action "cron 文件已创建" /bin/true
else
action "cron 文件已存在" /bin/false
fi
else
action "syslog-ng.conf配置 文件不存在" /bin/false
fi
}
syslog_ng_cron
#115检查是否记录成功登陆日志
login(){
echo "#115 登录情况日志"
day=$(date +"%a %b %e")
last | grep "$day" >/dev/null
if [ $? -eq 0 ]; then
action "成功记录登录记录" /bin/true
else
action "未成功记录登录记录" /bin/false
fi
}
login
#116
#117
#118检查syslog-ng是否配置安全事件日志
syslog_ng_anquan(){
echo "#118 syslog安全日志"
filelog="/etc/syslog-ng/syslog-ng.conf"
file="/var/adm/msgs"
neirong=" filter f_msgs { level(err) or facility(kern) and level(debug) or facility(daemon) and level(notice); }; destination msgs { file("$file"); }; log { source(src); filter(f_msgs); destination(msgs); }; "
if [ -f "$filelog" ]; then
cp "$filelog" ${filelog}-${time}.bak
grep "$file" "$filelog" >/dev/null
if [ $? -ne 0 ]; then
echo "$neirong" >> "$filelog"
if [ ! -f "$file" ]; then
touch "$file"
chmod 666 "$file"
action "创建日志文件" /bin/true
else
service syslog restart
action "syslog-ng服务重启" /bin/true
fi
else
action "rslog-ng配置文件内容已经存在" /bin/false
fi
else
action "rslog-ng配置文件不存在" /bin/false
fi
}
syslog_ng_anquan
#117,119检查rsyslog是否配置安全事件日志
rsyslog_anquan(){
echo "#117,119 rsyslog安全日志"
filelog="/etc/rsyslog.conf"
file="/var/adm/messages"
neirong="*.err;kern.debug;daemon.notice /var/adm/messages"
if [ -f "$filelog" ]; then
cp "$filelog" "$filelog".backupan
grep "$file" "$filelog" >/dev/null
if [ $? -ne 0 ];then
sed -i "75i$neirong" "$filelog"
if [ ! -f "$file" ];then
touch "$file"
chmod 666 "$file"
action "创建日志文件" /bin/true
else
service rsyslog restart
action "rsyslog服务重启" /bin/true
fi
else
action "rsyslog配置文件内容已经存在" /bin/true
fi
else
action "rsyslog配置文件不存在" /bin/false
fi
}
rsyslog_anquan
#120检查是否配置su命令使用情况记录
su(){
echo "#120 su 命令使用情况"
if grep -q "Red Hat Enterprise Linux Server 5" /etc/redhat-release; then
echo "编辑 /etc/syslog.conf 文件"
sed -i 's/^authpriv\.\*.*$/authpriv.* \/var\/log\/secure/' /etc/syslog.conf
fi
if [[ -f /etc/rsyslog.conf || -f /etc/syslog-ng/syslog-ng.conf ]]; then
if grep -q "Red Hat Enterprise Linux Server 6" /etc/redhat-release || \
grep -q "openSUSE release 11" /etc/SuSE-release; then
echo "编辑 /etc/rsyslog.conf 文件"
sed -i 's/^authpriv\.\*.*$/authpriv.* \/var\/log\/secure/' /etc/rsyslog.conf
elif grep -q "SuSE Linux Enterprise Server 9" /etc/SuSE-release; then
echo "编辑 /etc/syslog.conf 文件"
sed -i 's/^authpriv\.\*.*$/authpriv.* \/var\/log\/secure/' /etc/syslog.conf
elif grep -q "SUSE Linux Enterprise Server 10" /etc/SuSE-release || \
grep -q "SUSE Linux Enterprise Server 11" /etc/SuSE-release; then
echo "编辑 /etc/syslog-ng/syslog-ng.conf 文件"
sed -i '/filter f_secure {/a\ facility(authpriv);' /etc/syslog-ng/syslog-ng.conf
sed -i '/destination priverr {/a\ file("/var/log/secure");' /etc/syslog-ng/syslog-ng.conf
sed -i '/log {/a\ source(src); filter(f_secure); destination(priverr);' /etc/syslog-ng/syslog-ng.conf
fi
fi
touch /var/log/secure
if command -v systemctl &>/dev/null; then
systemctl restart rsyslog.service
elif command -v service &>/dev/null; then
service syslog restart
else
action "无法确定系统类型或找不到适用的服务管理工具" /bin/false
exit 1
fi
action "syslog 配置已修改并服务已重启" /bin/true
}
su
#121
#122
#123 rsyslog 远程日志功能
rsyslog(){
echo "#123 rsyslog 远程日志功能"
ip="192.168.0.1"
mail="*.*"
file="/etc/rsyslog.conf"
if [ -f "$file" ]; then
cp "$file" "$file".backup
echo "$mial" @"$ip" >> "$file"
systemctl restart rsyslog
action "rsyslog 已经重启" /bin/true
else
action "rsyslog.conf 文件" /bin/false
fi
}
rsyslog
#124 syslog_ng远程日志功能
syslog_ng_conf(){
echo "#124 syslog_ng远程日志功能"
file="/etc/syslog-ng.conf"
ip="192.168.0.1"
shu="514"
if [ -f "$file" ]; then
cp "$file" "$file".backup
echo "destination logserver { udp("$ip" port("$shu"));};log {source(src);destination(logserver);};" >> "$file"
systemctl restart syslog-ng
action "syslog-ng 已经重启" /bin/true
else
action "syslog-ng文件" /bin/false
fi
}
syslog_ng_conf
#125 syslog远程日志功能
syslog(){
echo "#125 syslog远程日志功能"
mail="*.*"
ip="192.168.0.1"
file=/etc/syslog.conf
if [ -f "$file" ]; then
cp "$file" "$file".backup
echo "$mail @$ip" >> "$file"
service syslog restart
action "syslog 已经重启" /bin/true
else
action "syslog.conf文件" /bin/false
fi
}
syslog
# 设置 主机拒绝策略文件/etc/hosts.deny 的属组和属主为root
host_deny(){
echo "#设置主机拒绝策略文件/etc/hosts.deny 的属组和属主为root"
chown root:root /etc/hosts.deny
if [ "$?" == 0 ]
then
action "chown root:root /etc/hosts.deny" /bin/true
else
action "chown root:root /etc/hosts.deny" /bin/false
fi
}
host_deny
# 设置 主机允许策略文件/etc/hosts.allow的权限为644
host_all(){
echo "#设置 主机允许策略文件/etc/hosts.allow的权限为644"
chmod 644 /etc/hosts.allow
if [ "$?" == 0 ]
then
action "chmod 644 /etc/hosts.allow" /bin/true
else
action "chmod 644 /etc/hosts.allow" /bin/false
fi
}
host_all
# 设置 主机拒绝策略文件/etc/hosts.deny的权限为644
host_de(){
echo "#设置主机拒绝策略文件/etc/hosts.deny的权限为644"
chmod 644 /etc/hosts.deny
if [ "$?" == 0 ]
then
action "" /bin/true
else
action "" /bin/false
fi
}
host_de
# 设置用户/组 的用户和密码文件属主属组为root
userpass(){
echo "#设置用户/组 的用户和密码文件属主属组为root"
chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow
if [ "$?" == 0 ]
then
action "chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow" /bin/true
else
action "chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow" /bin/false
fi
}
userpass
# 设置组文件 的权限为0644
group(){
echo "#设置组文件 的权限为0644"
chmod 0644 /etc/group
if [ "$?" == 0 ]
then
action "chmod 0644 /etc/group" /bin/true
else
action "chmod 0644 /etc/group" /bin/false
fi
}
group
# 设置用户文件 的权限为644
passwdfile(){
echo "#设置用户文件 的权限为644"
chmod 0644 /etc/passwd
if [ "$?" == 0 ]
then
action "chmod 0644 /etc/passwd" /bin/true
else
action "chmod 0644 /etc/passwd" /bin/false
fi
}
# 设置用户的密码文件为0400只读,禁止修改用户密码
shadow_file(){
echo "#设置用户的密码文件为0400只读,禁止修改用户密码"
chmod 0400 /etc/shadow
if [ "$?" == 0 ]
then
action "chmod 0400 /etc/shadow" /bin/true
else
action "chmod 0400 /etc/shadow" /bin/false
fi
}
shadow_file
# 设置组密码文件为0400制度, 禁止修改组密码
gshadow_file(){
echo "#设置组密码文件为0400制度, 禁止修改组密码"
chmod 0400 /etc/gshadow
if [ "$?" == 0 ]
then
action "chmod 0400 /etc/gshadow" /bin/true
else
action "chmod 0400 /etc/gshadow" /bin/false
fi
}
gshadow_file
# 设置sshd主配置文件属主属组为root
sshd_root(){
echo "#设置sshd主配置文件属主属组为root"
chown root:root /etc/ssh/sshd_config
if [ "$?" == 0 ]
then
action "chown root:root /etc/ssh/sshd_config" /bin/true
else
action "chown root:root /etc/ssh/sshd_config" /bin/false
fi
}
sshd_root
# 设置sshd主配置文件权限为0600
sshd_limits(){
echo "#设置sshd主配置文件权限为0600"
chmod 600 /etc/ssh/sshd_config
if [ "$?" == 0 ]
then
action "chmod 600 /etc/ssh/sshd_config" /bin/true
else
action "chmod 600 /etc/ssh/sshd_config" /bin/false
fi
}
sshd_root
# 设置/etc/profile文件属主属组为root
fprfile_env(){
echo "#设置/etc/profile文件属主属组为root"
chown root:root /etc/profile
if [ "$?" == 0 ]
then
action "chown root:root /etc/profile" /bin/true
else
action "chown root:root /etc/profile" /bin/false
fi
}
fprfile_env
# 设置/etc/profile文件权限为644
profile_limits(){
echo "#设置/etc/profile文件权限为644"
chmod 644 /etc/profile
if [ "$?" == 0 ]
then
action "chmod 644 /etc/profile" /bin/true
else
action "chmod 644 /etc/profile" /bin/false
fi
}
profile_limits
# 开机自启安全审计服务并现在启动
audit_enable(){
echo "#开机自启安全审计服务并现在启动"
systemctl enable --now auditd
if [ "$?" == 0 ]
then
action "systemctl enable --now auditd" /bin/true
else
action "systemctl enable --now auditd" /bin/false
fi
}
audit_enable
# 开机自启日志服务并现在启动
rsyslog_log(){
echo "#开机自启日志服务并现在启动"
systemctl enable --now rsyslog
if [ "$?" == 0 ]
then
action "systemctl enable --now rsyslog" /bin/true
else
action "systemctl enable --now rsyslog" /bin/false
fi
}
rsyslog_log
# 定义安全审计规则
anquanshengji(){
cp /etc/audit/rules.d/audit.rules /etc/audit/rules.d/audit.rules-${time}
echo "#定义安全审计规则"
echo '-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete' >> /etc/audit/rules.d/audit.rules
if [ "$?" == 0 ]
then
action "/etc/audit/rules.d/audit.rules" /bin/true
else
action "/etc/audit/rules.d/audit.rules" /bin/false
fi
}
anquanshengji
# 定义安全设计规则
anquansheji(){
cp /etc/audit/audit.rules /etc/audit/audit.rules-${time}
echo "#定义安全设计规则"
echo '-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete' >> /etc/audit/audit.rules
if [ "$?" == 0 ]
then
action "/etc/audit/audit.rules " /bin/true
else
action "/etc/audit/audit.rules " /bin/false
fi
}
anquansheji
# 定义安全审计规则
anquansheji_rulesd(){
echo "#定义安全审计规则"
echo ' -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity' >> /etc/audit/rules.d/audit.rules
if [ "$?" == 0 ]
then
action "/etc/audit/rules.d/audit.rules" /bin/true
else
action "/etc/audit/rules.d/audit.rules" /bin/false
fi
}
anquansheji_rulesd
# 定义安全审计规则
anquansheji_audit(){
echo ' -w /etc/group -p wa -k identity -w /etc/passwd -p wa -k identity -w /etc/gshadow -p wa -k identity -w /etc/shadow -p wa -k identity -w /etc/security/opasswd -p wa -k identity' >> /etc/audit/audit.rules
if [ "$?" == 0 ]
then
action "/etc/audit/audit.rules" /bin/true
else
action "/etc/audit/audit.rules" /bin/false
fi
}
anquansheji_audit
# 定义安全审计规则
anquansheji_rulesd_file(){
echo ' -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d/ -p wa -k scope' >> /etc/audit/rules.d/audit.rules
if [ "$?" == 0 ]
then
action "/etc/audit/rules.d/audit.rules" /bin/true
else
action "/etc/audit/rules.d/audit.rules" /bin/false
fi
}
anquansheji_rulesd_file
# 定义安全审计规则
anquansheji_audit_file(){
echo ' -w /etc/sudoers -p wa -k scope -w /etc/sudoers.d/ -p wa -k scope' >> /etc/audit/audit.rules
if [ "$?" == 0 ]
then
action "/etc/audit/audit.rules" /bin/true
else
action "/etc/audit/audit.rules" /bin/false
fi
}
anquansheji_audit_file
# 暂停rpcbind服务--nfs需要依赖rpcbind服务来实现客户端和服务器的路由请求
systemctl disable --now rpcbind &>/dev/null
systemctl disable --now rpcbind.socket &>/dev/null
#执行日志写入
bash_run
# systemctl stop rpcbind &>/dev/null
# systemctl stop rpcbind.socket &>/dev/null
# systemctl disable rpcbind.socket &>/dev/null
# systemctl disable rpcbind.socket &>/dev/null
action "CentOS Linux 7基线标准系统-等保三级-基线加固已完成!!" /bin/true