
服务器基线加固脚本_Suse 系统基线加固脚本-第一弹

基线加固脚本

最近写了一些操作系统加固的脚本,操作系统包括:Centos/RedHat、Ubuntu、Suse、Debian、Solaris,本文主要是Suse的脚本,后续更新其他操作系统的脚本

「听到内心」外面太吵,要学会听见自己内心的声音

话不多说,直接上代码吧。

脚本参数说明:

#!/bin/sh 指定执行脚本的shell类型

# file: /etc/profile 脚本修改涉及到的文件

# default: umask值大于等于027 修改内容的默认值

# return: result=SUCCESS/ENOSUPPORT 脚本返回的结果

# tested: centos5 centos7 ubuntu suse12 该脚本已经在这些系统上测试过

# baseline: 检查用户缺省UMASK 该脚本对应的检查项

检查口令策略设置是否符合复杂度要求

#!/bin/sh

# file: /etc/pam.d/system-auth /etc/pam.d/common-password [ todo /etc/pam.d/passwd]

# default: password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=

# password requisite pam_cracklib.so try_first_pass retry=3

# return: result=SUCCESS/ENOSUPPORT

# tested: centos5 centos7 suse12

# baseline: 检查口令策略设置是否符合复杂度要求

# content: /etc/pam.d/system-auth文件中minclass大于等于2,minlen大于等于6

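# write_config_file file_name key value type cmp
# Enforce "key=value" on the PAM module line that contains `type` in file_name.
#   $1 file_name : PAM config file, edited in place (e.g. /etc/pam.d/system-auth)
#   $2 set_key   : option name, e.g. minlen / minclass
#   $3 set_value : integer the option must be set to
#   $4 set_type  : substring selecting the line to edit, e.g. pam_cracklib.so
#   $5 vul_cmp   : "lt" -> rewrite when current value < set_value
#                  "gt" -> rewrite when current value > set_value
# stdout : what was added/changed (or "already fix")
# return : 0 on success; 1 when the current value is not an integer or vul_cmp
#          is unknown (the file is left untouched in both cases)
_write_pam_config_file_common()
{
  file_name=$1
  set_key=$2
  set_value=$3
  set_type=$4
  vul_cmp=$5

  # Current value: on non-comment, non-empty lines take the text after "key="
  # up to the next whitespace. NOTE: the key is looked up on any line of the
  # file, but the rewrite below only touches the $set_type line.
  curr_value=$(grep -E -v '^#|^$' "$file_name" \
    | grep --color=never -w "$set_key" \
    | sed "s/^.*$set_key=//g" \
    | sed 's/\s.*$//g')

  if [ -z "$curr_value" ]; then
    echo "add $set_key to $file_name"
    # \(...\) captures the whole module line so key=value is appended to it.
    sed -i "s/^\(.*$set_type.*\)$/\1 $set_key=$set_value/" "$file_name"
    return 0
  fi

  # [ -lt ]/[ -gt ] abort on non-integers (e.g. "minlen=abc", or two matching
  # lines joined by a newline); refuse to edit instead of failing mid-way.
  case "$curr_value" in
    -|*[!0-9-]*|?*-*)
      echo "$set_key current value '$curr_value' in $file_name is not numeric, skip" >&2
      return 1
      ;;
  esac

  need_fix=0
  case "$vul_cmp" in
    lt) [ "$curr_value" -lt "$set_value" ] && need_fix=1 ;;
    gt) [ "$curr_value" -gt "$set_value" ] && need_fix=1 ;;
    *)
      echo "unknown cmp '$vul_cmp' for $set_key, skip" >&2
      return 1
      ;;
  esac

  if [ "$need_fix" -eq 1 ]; then
    echo "$set_key last = $curr_value"
    echo "set $set_key to $set_value"
    # Replace only the key=<digits> that follows $set_type on the same line
    # (PAM options always come after the module path, so this ordering holds).
    sed -i "s/^\(.*$set_type.*\)$set_key=-*[0-9]*/\1$set_key=$set_value/" "$file_name"
  else
    echo "$set_key  last = $curr_value  already fix"
  fi
  return 0
}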

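# _write_pam_config_file_cracklib_minclass conf_filename
# Make sure the pam_cracklib.so line in $1 requires at least one upper-case
# letter (ucredit=-1) and one digit (dcredit=-1). An option that is already
# present is left as it is, whatever its value.
#   $1 file_name : PAM config file, edited in place
# stdout : one "add ..." / "... already set" line per option
_write_pam_config_file_cracklib_minclass()
{
  file_name=$1
  for credit in ucredit dcredit; do
    # Only the pam_cracklib.so line counts; the option may live anywhere on it.
    set_line=$(grep "pam_cracklib.so" "$file_name" | grep --color=never "$credit=")
    if [ -z "$set_line" ]; then
      echo "add $credit to pam_cracklib.so file = $file_name"
      # \(...\) captures the whole module line so the option is appended to it.
      sed -i "s/^\(.*pam_cracklib\.so.*\)$/\1 $credit=-1/" "$file_name"
    else
      echo "$credit already set"
    fi
  done
}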

autofix()

{

fix_minlen=0

fix_minclass=0

FILE_LIST="/etc/pam.d/system-auth /etc/pam.d/common-password"

for conf_file in $FILE_LIST; do

echo "check "$conf_file

if [ -f $conf_file ]; then

echo "backup..."$conf_file

cp $conf_file $conf_file"_&
