#!/bin/bash
#####################操作系统环境初始化含常用加固#################################
#说明:1.脚本需要使用root用户执行 version 3.2
# 2.centos8,rockylinux8,centos7,ubuntu18,ubuntu20,版本测试无问题
# 3.脚本中系统判断只区分是否 linux或ubuntu 未做小版本判断
# 4.磁盘分区等操作部分与实际系统环境有关,使用前慎重查看本地环境,修改脚本
# 5.系统加固:密码周期,复杂度,登录超时时间,登录失败锁定,历史记录条目
#
############################################################################
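#######################################
# Create the local account "testuser" (uid/gid 1001) if it does not exist
# yet, give it a bash shell and passwordless sudo, and print its id.
# Globals:   none
# Arguments: none
# Outputs:   `id testuser` to stdout (green) when the account was created
# Returns:   status of the last command; 0 when nothing had to be done
#######################################
function usercreate() {
  local -r user=testuser
  local -r uid=1001
  # Some GNU/Linux installs already hand out gid 1000, so 1001 is used.
  # getent matches the whole group name; `grep testuser /etc/group` would also
  # match any group that merely contains the string. The group must be named
  # exactly "$user" because useradd below refers to it with -g.
  if ! getent group "$user" &>/dev/null; then
    groupadd -g "$uid" "$user"
  fi
  # `id 1001` prints the existing account (or an error) as feedback.
  if ! id "$uid"; then
    useradd -m "$user" -s /bin/bash -g "$user" -u "$uid"
    # NOTE(review): a fixed, well-known initial password is set here; it is
    # not expired, so the account keeps it until someone changes it.
    echo "$user:$user" | chpasswd
    # On Ubuntu gid 27 is the sudo group; -aG appends rather than replaces.
    if grep -q "Ubuntu" /proc/version; then
      usermod -aG 27 "$user"
    fi
    # Passwordless sudo for ALL commands, i.e. unrestricted root. Append only
    # once so repeated runs do not keep growing /etc/sudoers.
    if ! grep -q "^$user ALL=(ALL) NOPASSWD:ALL" /etc/sudoers; then
      echo "$user ALL=(ALL) NOPASSWD:ALL" >> /etc/sudoers
    fi
    echo -e "\e[32m $(id "$user") \e[0m"
  fi
}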
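#######################################
# Create /work, either as an LVM logical volume (workvg/worklv, ext4, listed
# in /etc/fstab) on a disk the operator names, or as a plain directory on /.
# Destructive: pvcreate and mkfs.ext4 wipe whatever is on the chosen disk.
# Globals:   none
# Arguments: none (reads the device name, e.g. sdb/vdb, from stdin)
# Outputs:   progress messages to stdout
# Returns:   0 on success, 1 when the device is unusable or the LV is missing
#######################################
function workcreate() {
  local input dev
  lsblk
  echo -e "\e[31m 有破坏性的操作,请谨慎执行 \e[0m"
  read -r -p "选择要使用的空磁盘? [例如:sdb/vdb ,直接回车则在/分区建立]" input
  case "$input" in
    sd* | vd*)
      dev="/dev/$input"
      # Refuse anything that is not a block device so a typo never reaches
      # pvcreate/mkfs; picking an *empty* disk is still the operator's job.
      if [[ ! -b "$dev" ]]; then
        echo -e "\e[31m $dev 不是块设备,已取消 \e[0m"
        return 1
      fi
      echo -e "\e[32m------------------- 创建work lv ------------------\e[0m"
      # Each step depends on the previous one; stop at the first failure
      # instead of running mkfs against a volume that was never created.
      # (lvcreate -L 99G -n worklv workvg would create a fixed-size LV instead
      # of using 100% of the VG.)
      pvcreate "$dev" && vgcreate workvg "$dev" \
        && lvcreate -l 100%VG -n worklv workvg \
        && mkfs.ext4 /dev/workvg/worklv
      if lvdisplay /dev/workvg/worklv &>/dev/null; then
        echo -e "\e[32m----------------- 自动挂载work lv ----------------\e[0m"
        # Add the fstab entry only once so re-runs do not duplicate it.
        grep -q '^/dev/mapper/workvg-worklv ' /etc/fstab \
          || echo '/dev/mapper/workvg-worklv /work ext4 defaults 0 0' >> /etc/fstab
        mkdir -p /work
        mount /work
        # Owner is the account usercreate creates (testuser), the same as in
        # the plain-directory branch below.
        chown testuser:testuser /work
        echo -e "\e[32m $(df -h | grep work) \e[0m"
      else
        echo "请检查 worklv 是否建立成功"
        return 1
      fi
      ;;
    *)
      mkdir -p /work
      chown testuser:testuser /work
      echo "跳过建磁盘分区, 在 / 所在分区创建 work 目录"
      ;;
  esac
}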
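#######################################
# Ensure one pwquality setting is active. If no uncommented line mentions the
# key, insert "key = value" after the first line that mentions it (the
# commented hint in the stock file) or, failing that, at the end of the file.
# Globals:   none
# Arguments: $1 - setting name (e.g. minlen)
#            $2 - value to set
#            $3 - human-readable description for the progress message
#            $4 - config file, defaults to /etc/security/pwquality.conf
# Outputs:   progress message to stdout (red when already configured)
# Returns:   0
#######################################
function safepwd() {
  local key=$1 value=$2 note=$3
  local conf=${4:-/etc/security/pwquality.conf}
  local current
  # Only active (non-comment) lines count as "already configured".
  if ! grep '^[^#]' -- "$conf" | grep -q -- "$key"; then
    if grep -q -- "$key" "$conf"; then
      # GNU sed: 0,/re/ limits the append to the first matching line, so a key
      # mentioned several times in the comments is inserted only once.
      sed -i -e "0,/${key}/{/${key}/a ${key} = ${value}" -e '}' -- "$conf"
    else
      # Key not mentioned anywhere: there is no anchor line, append instead
      # (the original "a" command would silently do nothing here).
      printf '%s = %s\n' "$key" "$value" >> "$conf"
    fi
    echo -e "# 配置密码含$note"
  else
    current=$(grep '^[^#]' -- "$conf" | grep -- "$key" | awk -F= '{print $2}')
    echo -e "\e[31m 原系统已配置密码含${current} ${note}\e[0m" # e.g. password length
  fi
  return 0
}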
#######################################
# Apply the OS baseline: timezone, timestamped shell history, password ageing
# and complexity (login.defs / PAM / pwquality), shell idle timeout, failed
# login lockout, and no remote root login over SSH.
# Distro branches are chosen by grepping /proc/version for "Ubuntu",
# "Red Hat 4" and "Red Hat 8"; the "Red Hat N" strings presumably come from
# the gcc version embedded in that line (EL7 / EL8) — TODO confirm on target.
# Globals:   dic (associative array, declared without `local`)
# Arguments: none
# Outputs:   progress messages to stdout; sources /etc/profile into this shell
# Returns:   status of the last command
#######################################
function osProtective() {
echo -e "\e[32m---------------- 设置中文系统时区----------------\e[0m"
# systemd hosts: timedatectl; otherwise fall back to copying the zoneinfo file.
timedatectl &>/dev/null
if [ $? = '0' ];then
timedatectl set-timezone "Asia/Shanghai"
timedatectl
elif [ -f /usr/share/zoneinfo/Asia/Shanghai ];then
cp /usr/share/zoneinfo/Asia/Shanghai /etc/localtime && date -R
else
echo "时区修改失败,请检查系统环境"
fi
echo -e "\e[32m---------------- history 命令加时间戳----------------\e[0m"
# Stamp every history line with date, time and user name.
grep ^[^#].*HISTTIMEFORMAT /etc/profile &>/dev/null
if [ $? != '0' ];then
# `source` only affects this script's own process; users get it at next login.
echo 'export HISTTIMEFORMAT="%F %T `whoami`: "' >> /etc/profile && source /etc/profile
echo -e "# 设置 history 命令加时间戳"
elif [[ -n $(grep '^[^#].*HISTTIMEFORMAT="%F %T `whoami`: "' /etc/profile) ]]; then
echo -e "\e[31m# 原系统已配置过 history 命令加时间戳\e[0m"
else
# A different HISTTIMEFORMAT is active: comment it out, then append ours.
sed -i '/^[^#].*HISTTIMEFORMAT/s/^/#/' /etc/profile
echo 'export HISTTIMEFORMAT="%F %T `whoami`: "' >> /etc/profile && source /etc/profile
echo -e "\e[31m# 已修改原系统已配置 history 命令格式为:日期+时间+用户名\e[0m"
fi
echo -e "\e[32m---------------- 设置密码周期、长度要求 ------------------\e[0m"
# The inner sed/awk reads the current PASS_MAX_DAYS value and the outer sed
# replaces it with 90.
# NOTE(review): if that value comes back empty the substitution becomes
# s//90/g, and an empty regex in sed reuses the preceding /PASS_MAX_DAYS/
# address, which would rewrite the keyword itself — confirm login.defs format.
sed -i "/PASS_MAX_DAYS/s/`sed -n '/^PASS_MAX_DAYS/p' /etc/login.defs |awk '{print $2}'`/90/g" /etc/login.defs
echo -e "# 设置密码过期时间90天"
# Also uncomments a "#PASS_MIN_LEN" line if that is all the file has.
sed -i 's/^#\?PASS_MIN_LEN.*/PASS_MIN_LEN 8/' /etc/login.defs
echo -e "# 设置密码最小长度8"
echo -e "# 现生效密码周期、长度要求"
grep -v "#" /etc/login.defs | grep -E "PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_MIN_LEN|PASS_WARN_AGE"
echo -e "\e[32m---------------- 修改强密码策略 ------------------\e[0m"
# Ubuntu: make sure the cracklib PAM module is installed (needs apt access).
# NOTE(review): newer Ubuntu releases ship libpam-pwquality instead; confirm
# libpam-cracklib is still available in the target release's repositories.
cat /proc/version |grep "Ubuntu" &>/dev/null
if [ $? == '0' ];then
dpkg -l libpam-cracklib &>/dev/null
if [ $? -ne 0 ];then
apt-get install -y libpam-cracklib
dpkg -l libpam-cracklib &>/dev/null
if [ $? -ne 0 ];then
echo -e "\e[31m libpam-cracklib 安装失败\e[0m"
else
echo -e "\e[32m libpam-cracklib 安装成功\e[0m"
fi
else
echo -e "\e[33m libpam-cracklib 已经安装\e[0m"
fi
fi
# Ubuntu: password history and complexity in /etc/pam.d/common-password.
cat /proc/version |grep "Ubuntu" &>/dev/null
if [ $? == '0' ];then
grep 'pam_unix.so.*remember' /etc/pam.d/common-password &>/dev/null
if [ $? -ne '0' ];then
# remember=3 is appended to every pam_unix.so line in the file.
sed -i '/pam_unix.so/s/$/ remember=3/' /etc/pam.d/common-password
echo -e "# 设置密码最近三次密码不能重复"
fi
# Comment out the original line to keep it, then append ours after it.
# The "a" command needs an existing pam_cracklib.so line; if the file has none
# (e.g. pwquality is used instead) nothing is added.
sed -i '/pam_cracklib.so/s/^/#/' /etc/pam.d/common-password
sed -i '/pam_cracklib.so/apassword requisite pam_cracklib.so retry=3 minlen=8 difok=3 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1' /etc/pam.d/common-password
echo -e "# 设置密码复杂度:必须包含大写、小写、数字、特殊字符 最少各一个,新旧密码必须3个以上字符不一样"
echo -e "\e[32m重启系统后,强密码策略生效\e[0m"
fi
# EL7 ("Red Hat 4" in /proc/version): same policy in /etc/pam.d/system-auth.
cat /proc/version |grep "Red Hat 4" &>/dev/null
if [ $? == '0' ];then
grep "password.*sufficient.*remember" /etc/pam.d/system-auth &>/dev/null
if [ $? -ne '0' ];then
sed -i '/password sufficient/s/$/ remember=3/' /etc/pam.d/system-auth # forbid reuse of the last 3 passwords
fi
echo -e "# 设置密码最近 `grep 'remember=.*' /etc/pam.d/system-auth |awk -F"=" '{print $2}'` 次密码不能重复"
grep "password.*requisite.*minlen" /etc/pam.d/system-auth &>/dev/null
if [ $? -ne '0' ];then
# Disable the stock pwquality/cracklib lines, then add ours after the
# (now commented) pam_pwquality.so line.
sed -i '/pam_pwquality.so/s/^/#/' /etc/pam.d/system-auth # disable the default configuration
sed -i '/pam_cracklib.so/s/^/#/' /etc/pam.d/system-auth
sed -i '/pam_pwquality.so/apassword requisite pam_cracklib.so try_first_pass retry=3 minlen=8 difok=3 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1' /etc/pam.d/system-auth
echo -e "# 设置密码复杂度:必须包含大写、小写、数字、特殊字符 最少各一个,新旧密码必须3个以上字符不一样"
echo -e "\e[32m重启系统后,强密码策略生效\e[0m"
fi
echo -e "\e[32m---------------- 禁止 root 用户远程登录 ------------------\e[0m"
# Only an explicit, uncommented "PermitRootLogin yes" is rewritten; a
# commented default or another value (e.g. prohibit-password) is left as is,
# so root may still be able to log in with a key — TODO confirm sshd_config.
sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
echo -e "\e[32m重启系统后,禁止 root 用户远程登录生效\e[0m"
fi
# EL8 ("Red Hat 8"): policy lives in /etc/security/pwquality.conf, one
# safepwd call per setting. `dic` is not `local`, so it stays global.
cat /proc/version |grep "Red Hat 8" &>/dev/null
if [ $? == '0' ];then
declare -A dic
dic=([difok]="3,与原密码不重复" [minlen]="8,最小长度" [dcredit]="-1,最少一个数字" [ucredit]="-1,最少一个大写" [lcredit]="-1,最少一个小写" [ocredit]="-1,最少一个特殊字符" [retry]="3,重试次数")
# Iteration order over an associative array is unspecified; harmless here.
for key in $(echo ${!dic[*]})
do
# echo "$key : ${dic[$key]}"
# Each value is "number,description".
num=`echo "${dic[$key]}" | awk -F"," '{print $1}'`
note=`echo "${dic[$key]}" | awk -F"," '{print $2}'`
safepwd $key $num $note
done
# Inserted after the (commented) enforce_for_root hint in the stock file.
grep ^[^#] /etc/security/pwquality.conf |grep enforce_for_root &>/dev/null
if [ $? -ne '0' ];then
sed -i '/enforce_for_root/aenforce_for_root' /etc/security/pwquality.conf
echo -e "# 配置密码策略对 root 用户有效"
else
echo -e "\e[31m 原系统已配置密码策略对 root 用户有效\e[0m" # also applies to root
fi
echo -e "\e[32m强密码策略下次修改密码时生效\e[0m"
fi
echo -e "\e[32m---------------- 设置登录超时时间 ------------------\e[0m"
# Idle-shell timeout. The grep also matches a commented-out TMOUT line.
# NOTE(review): TMOUT is exported but not made readonly, so a user can
# `unset TMOUT` in their own shell — consider `readonly TMOUT` if that matters.
grep 'TMOUT' /etc/profile &>/dev/null
if [ $? -ne '0' ];then
sed -i '$a\export TMOUT=600' /etc/profile
echo -e "# 登录超时10分钟"
else
echo -e "\e[31m# 原系统已配置过登录超时时间 为 `grep 'TMOUT=' /etc/profile |awk -F"=" '{print $2}'` 秒\e[0m"
fi
echo -e "\e[32m---------------- 登录失败锁定 ------------------\e[0m"
# EL7 / Ubuntu: pam_tally2 inserted as line 2 of login and sshd.
# even_deny_root means root can be locked out by repeated failures too.
# NOTE(review): pam_tally2 is not shipped by newer releases (replaced by
# pam_faillock); a reference to a missing auth module can block all logins,
# so confirm the module exists on the target before enabling this branch.
cat /proc/version |grep -E 'Red Hat 4|Ubuntu' &>/dev/null
if [ $? == '0' ];then
grep 'auth.*required.*deny=' /etc/pam.d/login &>/dev/null
if [ $? -ne '0' ];then
sed -i '1a\auth required pam_tally2.so deny=3 unlock_time=120 even_deny_root root_unlock_time=120' /etc/pam.d/login
echo -e "# 限制终端用户登录失败 3 次锁定 120 秒"
else
echo -e "\e[31m# 原系统已配置过终端用户登录失败 `grep -o 'deny=[0-9]*' /etc/pam.d/login | awk -F"=" '{print $2}'` 次锁定\e[0m"
fi
grep 'auth.*required.*deny' /etc/pam.d/sshd &>/dev/null
if [ $? -ne '0' ];then
sed -i '1a\auth required pam_tally2.so deny=3 unlock_time=120 even_deny_root root_unlock_time=120' /etc/pam.d/sshd
echo -e "# 限制ssh用户登录失败 3 次锁定 120 秒"
else
echo -e "\e[31m# 原系统已配置过限制ssh用户登录失败 `grep -o 'deny=[0-9]*' /etc/pam.d/sshd | awk -F"=" '{print $2}'` 次锁定\e[0m"
fi
fi
# EL8: pam_faillock around the "auth sufficient pam_unix.so" line.
# The preauth line uses deny=3/unlock_time=120 while authsucc/authfail use
# deny=2/unlock_time=60 — the values look inconsistent; the message below
# claims 3/120. Because both "a" commands append directly after pam_unix.so,
# the authfail line ends up before the authsucc line.
# NOTE(review): no "account ... pam_faillock.so" line is added, and on EL8
# authselect may regenerate these files — confirm the counter is reset on
# success and that the edits survive.
cat /proc/version |grep "Red Hat 8" &>/dev/null
if [ $? == '0' ];then
grep 'auth.*deny=' /etc/pam.d/system-auth &>/dev/null
if [ $? -ne '0' ];then
sed -i '/auth.*sufficient.*pam_unix.so/iauth requisite pam_faillock.so preauth even_deny_root deny=3 unlock_time=120 # add by neuqsoft' /etc/pam.d/system-auth
sed -i '/auth.*sufficient.*pam_unix.so/aauth sufficient pam_faillock.so authsucc even_deny_root deny=2 unlock_time=60 # add by neuqsoft' /etc/pam.d/system-auth
sed -i '/auth.*sufficient.*pam_unix.so/aauth [default=die] pam_faillock.so authfail even_deny_root deny=2 unlock_time=60 # add by neuqsoft' /etc/pam.d/system-auth
echo -e "# 限制终端用户登录失败 3 次锁定 120 秒"
else
echo -e "\e[31m# 原系统已配置过终端用户登录失败 `grep -o 'auth.*requisite.*deny=[0-9]*' /etc/pam.d/system-auth | awk -F"=" '{print $2}'` 次锁定\e[0m"
fi
# Same edit for password-auth (used by sshd).
grep 'auth.*deny=' /etc/pam.d/password-auth &>/dev/null
if [ $? -ne '0' ];then
sed -i '/auth.*sufficient.*pam_unix.so/iauth requisite pam_faillock.so preauth even_deny_root deny=3 unlock_time=120 # add by neuqsoft' /etc/pam.d/password-auth
sed -i '/auth.*sufficient.*pam_unix.so/aauth sufficient pam_faillock.so authsucc even_deny_root deny=2 unlock_time=60 # add by neuqsoft' /etc/pam.d/password-auth
sed -i '/auth.*sufficient.*pam_unix.so/aauth [default=die] pam_faillock.so authfail even_deny_root deny=2 unlock_time=60 # add by neuqsoft' /etc/pam.d/password-auth
echo -e "# 限制终端用户登录失败 3 次锁定 120 秒"
else
echo -e "\e[31m# 原系统已配置过限制ssh用户登录失败 `grep -o 'auth.*requisite.*deny=[0-9]*' /etc/pam.d/password-auth | awk -F"=" '{print $2}'` 次锁定\e[0m"
fi
fi
# Any Red Hat build: disable remote root login (on EL7 this repeats the edit
# made in the "Red Hat 4" branch above; the substitution is idempotent).
# Same caveat as above: only an explicit "PermitRootLogin yes" is changed.
cat /proc/version |grep "Red Hat" &>/dev/null
if [ $? == '0' ];then
echo -e "\e[32m---------------- 禁止 root 用户远程登录 ------------------\e[0m"
sed -i 's/PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config
echo -e "\e[32m重启系统后,禁止 root 用户远程登录生效\e[0m"
fi
echo -e "\e[32m---------------- 初始化 完成 ------------------\e[0m"
}
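#######################################
# Interactive driver: ask before each of the three steps (account, /work,
# hardening) and run the matching function.
# Globals:   none
# Arguments: none (answers are read from stdin; anything but "y" skips a step)
# Outputs:   prompts and progress to stdout
# Returns:   status of the last step
#######################################
function main() {
  local input
  read -r -p "是否要建立 neuqsoft用户 ?[y/n]" input
  # Quoted comparisons: an empty answer (plain Enter) must count as "no"
  # instead of producing a "[: unary operator expected" error.
  if [[ "$input" == "y" ]]; then
    usercreate
    sleep 3
  else
    echo "跳过建立 neuqsoft 用户"
    sleep 2
  fi
  read -r -p "是否要建立 /work 目录 ?[y/n]" input
  if [[ "$input" == "y" ]]; then
    workcreate
    sleep 3
  else
    echo "跳过建磁盘分区, work 目录"
    sleep 2
  fi
  read -r -p "是否进行安全加固 ?[y/n]" input
  if [[ "$input" == "y" ]]; then
    osProtective
    sleep 3
  else
    echo "跳过安全加固"
    sleep 2
  fi
}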
# Entry point: every step edits system files, so refuse to run unless the
# shell's UID (set by bash) is root's.
if [[ "$UID" == '0' ]]; then
  main
else
  echo -e "\e[31m 请使用 root 用户执行 \e[0m"
fi