安全基线脚本

安全基线脚本

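#!/bin/bash
#
# Security baseline script for CentOS/RHEL 6 and 7 (安全基线脚本).
#
# Usage: run as root.  Every step appends what it changed to "$BASEPATH/$FILE"
# (/tmp/syscheck/<yyyymmdd>_<host>_autosh.log).
#
# Optional environment:
#   TIMESERVERIP         time source written to ntp.conf / chrony.conf
#                        (default 2.2.2.2, a placeholder to replace)
#   LINUXADMIN_PASSWORD  initial password for the admin account created by
#                        create_user(); when unset no password is set and the
#                        operator must run passwd for that account afterwards.
#
# Compared with the first version of this script: backups are taken before any
# file is edited, service accounts are locked before /etc/shadow is made
# immutable, every append to sysctl.conf / limits.conf / PAM / time-server
# config is done once so the script can be re-run, and an already existing
# admin account no longer aborts the whole run.

export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

readonly NAME="syscheck"
HOSTNAME=$(uname -n)
DATE=$(date +%Y%m%d)
BASEPATH="/tmp/$NAME"
FILE="${DATE}_${HOSTNAME}_autosh.log"
LOGFILE="$BASEPATH/$FILE"
# major release: the number in front of the first "." in /etc/redhat-release
VERSION=$(sed -r 's/.* ([0-9]+)\..*/\1/' /etc/redhat-release 2>/dev/null)
TIMESERVERIP=${TIMESERVERIP:-2.2.2.2}
readonly PAM_FILES=(/etc/pam.d/password-auth-ac /etc/pam.d/system-auth-ac)

#######################################
# Append one line to the report file; every function reports through here.
# Arguments: the text to log
#######################################
log() {
  printf '%s\n' "$*" >> "$LOGFILE"
}

#######################################
# Print a message to stderr and stop the script.
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# Append a line to a file only when that exact line is not already present,
# so that re-running the script does not duplicate configuration.
# Arguments: $1 - line, $2 - target file
#######################################
append_once() {
  local line=$1 target=$2
  grep -qxF -- "$line" "$target" 2>/dev/null || printf '%s\n' "$line" >> "$target"
}

#######################################
# Create the report directory and an empty report file.
# $BASEPATH is under /tmp, which every local user can write to, so a directory
# or report file that is a symlink or not owned by root is refused: otherwise
# the root-owned redirections in this script could be pointed at other files.
#######################################
check_checklog() {
  local created=''
  if [[ ! -d "$BASEPATH" ]]; then
    mkdir -p -- "$BASEPATH" || die "cannot create $BASEPATH"
    chmod 700 -- "$BASEPATH"
    created=1
  fi
  if [[ -L "$BASEPATH" || -L "$LOGFILE" || -L "$BASEPATH/script.log" ]]; then
    die "$BASEPATH contains symlinks, refusing to write there"
  fi
  if [[ "$(stat -c %u -- "$BASEPATH")" != 0 ]]; then
    die "$BASEPATH is not owned by root, refusing to write there"
  fi
  if [[ -n "$created" ]]; then
    echo "$LOGFILE create sucess!" > "$BASEPATH/script.log"
  else
    echo "$LOGFILE already exist" > "$BASEPATH/script.log"
  fi
  : > "$LOGFILE"
}

#######################################
# Keep a one-time ".bak" copy of every file this script edits.
# Must run before any function that modifies these files (see main).
#######################################
bak_file() {
  local f
  for f in /etc/passwd /etc/shadow /etc/gshadow /etc/group \
      /etc/pam.d/password-auth-ac /etc/pam.d/system-auth-ac /etc/login.defs \
      /etc/profile /etc/pam.d/su /etc/csh.cshrc /etc/sysctl.conf \
      /etc/csh.login /etc/bashrc; do
    if [[ ! -f "$f" ]]; then
      log "$f no found"
      continue
    fi
    if [[ ! -f "$f.bak" ]]; then
      # -p keeps the restrictive mode of /etc/shadow and /etc/gshadow on the copy
      cp -p -- "$f" "$f.bak"
      log "-------------------back file finish--------------------------"
    else
      log "------------------back file already existed--------------------------"
    fi
    ls -- "$f.bak" >> "$LOGFILE"
  done
}

#######################################
# Lock an account after 5 failed logins (root included) for 300 s, through
# pam_tally2 in both PAM stacks.  An existing pam_tally2 line is replaced,
# otherwise the rule is inserted after the "# User ..." header line, or at the
# top of the file when that header does not exist (the original logged
# "append finish" in that case without having added anything).
#######################################
login_policy() {
  local rule='auth        required      pam_tally2.so deny=5  even_deny_root root_unlock_time=300'
  local f tag
  for f in "${PAM_FILES[@]}"; do
    tag=${f##*/}
    tag=${tag//-/_}
    if grep -q "pam_tally2.so" "$f"; then
      sed -i "/pam_tally2.so/c\\$rule" "$f"
      log "****parameter_${tag} lock policy replace finish****"
    else
      sed -i "/^# User/a \\$rule" "$f"
      grep -q "pam_tally2.so" "$f" || sed -i "1i \\$rule" "$f"
      log "****parameter_${tag} lock policy append finish****"
    fi
    grep "pam_tally2.so" "$f" >> "$LOGFILE"
  done
}

#######################################
# Create the local admin account and put it in wheel (so it can still su to
# root once group_permissions_set() restricts su to wheel).
# The password comes from $LINUXADMIN_PASSWORD instead of being hard-coded in
# the script; when it is unset the account is created without a usable
# password and the operator has to run passwd for it.
#######################################
create_user() {
  local USE=linuxadmin
  local u
  for u in $USE; do
    if id "$u" &>/dev/null; then
      # re-running the baseline must not abort the remaining steps
      echo "**** user $u  already exist**** "
      log "**** user $u  already exist**** "
      continue
    fi
    useradd "$u" >> "$LOGFILE" 2>&1
    if [[ -n "${LINUXADMIN_PASSWORD:-}" ]]; then
      # --stdin keeps the secret out of the argument list visible in ps
      printf '%s\n' "$LINUXADMIN_PASSWORD" | passwd --stdin "$u" &> /dev/null
    else
      log "LINUXADMIN_PASSWORD not set: $u created without a password, set one with passwd"
    fi
    usermod -G wheel "$u"
    log "---------------create_user $u finish---------------"
    id "$u" >> "$LOGFILE"
  done
}

#######################################
# Make the account databases immutable (chattr +i).
# Runs after every function that edits them: while +i is set, useradd,
# usermod -L and passwd cannot write these files, so the PASS_MAX_DAYS expiry
# configured later cannot be satisfied without "chattr -i" first.
#######################################
file_lock_set() {
  log "---------------file_lock_set finish---------------"
  local f attrs
  for f in /etc/passwd /etc/shadow /etc/group /etc/gshadow; do
    attrs=$(lsattr -- "$f" | awk '{print $1}')
    if [[ "$attrs" == *i* ]]; then
      log " ${f} 存在i安全属性"
    else
      chattr +i -- "$f"
      lsattr -- "$f" >> "$LOGFILE"
    fi
  done
}

#######################################
# Lock the password of well-known service accounts that exist on the host.
# The lock is only reported as done when usermod succeeded; the original
# discarded its exit status and always logged "Has been locked".
#######################################
user_lock_set() {
  log "---------------user_lock_set finish---------------"
  local u
  for u in adm lp mail uucp operator games gopher ftp nobody nobody4 noaccess \
      listen webservd dbus avahi mailnull smmsp nscd vcsa rpc rpcuser nfs pcap \
      ntp haldaemon distcache apache webalizer squid xfs gdm sabayon named; do
    log "--------------------------------- "
    if ! id "$u" &>/dev/null; then
      log "user $u no found"
    elif usermod -L "$u" &>/dev/null; then
      log "user  $u  Has been locked"
    else
      log "user  $u  lock failed"
    fi
  done
}

#######################################
# Keep the shell history at 10 entries (the value this baseline prescribes).
# The original only rewrote "HISTSIZE=1000"; any other current value was
# logged as changed but left alone.  Sourcing /etc/profile into this script
# was dropped: it only changed the script's own shell.
#######################################
history_num_set() {
  local current
  current=$(grep '^HISTSIZE=' /etc/profile | head -1 | awk -F= '{print $2}')
  if [[ "$current" =~ ^[0-9]+$ ]] && (( current == 10 )); then
    log " ****保留历史命令条数为${current}****"
  else
    if grep -q '^HISTSIZE=' /etc/profile; then
      sed -i 's/^HISTSIZE=.*/HISTSIZE=10/' /etc/profile
    else
      append_once 'HISTSIZE=10' /etc/profile
    fi
    log "历史命令条数更改为10"
  fi
}

#######################################
# Core-dump and nproc/nofile limits in /etc/security/limits.conf, each line
# added once.
#######################################
change_open_file_num() {
  log ""
  log "---------------change open file number----------------"
  local line
  while IFS= read -r line; do
    append_once "$line" /etc/security/limits.conf
  done <<'EOF'
*        soft   core      0
*        hard   core      0
*        soft   nproc    65535
*        hard   nproc    65535
*        soft   nofile   65535
*        hard   nofile   65535
EOF
  grep -v "#" /etc/security/limits.conf >> "$LOGFILE"
}

#######################################
# Only members of wheel may su to root: pam_wheel right after pam_rootok,
# inserted once.
#######################################
group_permissions_set() {
  log "---------------group_permissions_set finish---------------"
  if ! grep -q '^auth.*pam_wheel.so.*group=wheel' /etc/pam.d/su; then
    sed -i '/pam_rootok.so/a\auth required    pam_wheel.so   group=wheel' /etc/pam.d/su
  fi
  ls /etc/pam.d/su >> "$LOGFILE"
  grep -v "#" /etc/pam.d/su | grep wheel.so >> "$LOGFILE"
}

#######################################
# Default umask 027 for new accounts (login.defs) and 077 in the shell
# start-up files.
#######################################
user_permissions_set() {
  log "---------------user_permissions_set finish---------------"
  # anchor at line start: the original "/UMASK/" also rewrote every comment
  # line that mentions UMASK
  if grep -q '^UMASK' /etc/login.defs; then
    sed -i '/^UMASK/c \UMASK 027' /etc/login.defs
  else
    append_once 'UMASK 027' /etc/login.defs
  fi
  ls /etc/login.defs >> "$LOGFILE"
  grep UMASK /etc/login.defs >> "$LOGFILE"
  log "-------------------------------------------------"
  local f
  for f in /etc/bashrc /etc/profile /etc/csh.cshrc; do
    sed -i '/^[[:space:]]/s/umask 002/umask 077/g' "$f"
    ls "$f" >> "$LOGFILE"
    grep -v "#" "$f" | grep umask >> "$LOGFILE"
    log "-------------------------------------------------"
  done
  # csh has a umask builtin; the original inserted "set umask 077" after every
  # setenv line, which defines a shell variable rather than changing the mask.
  append_once 'umask 077' /etc/csh.login
  ls /etc/csh.login >> "$LOGFILE"
  grep -v "#" /etc/csh.login | grep umask >> "$LOGFILE"
  log "-------------------------------------------------"
}

#######################################
# Tighten the init-script directories and record the mode of a few
# well-known files.
#######################################
system_dir_file_permissions_set() {
  local dirs=(/etc/rc0.d /etc/rc1.d /etc/rc2.d /etc/rc3.d /etc/rc4.d /etc/rc5.d
              /etc/rc6.d /etc/rc.d/init.d)
  local d
  for d in "${dirs[@]}"; do
    chmod 750 "$d/" >> "$LOGFILE" 2>&1
  done
  # /tmp has to stay world-writable with the sticky bit: the original
  # "chmod 750 /tmp" locked every non-root user and service out of /tmp.
  chmod 1777 /tmp >> "$LOGFILE" 2>&1
  # 600 on a directory removes its search bit; only root, which bypasses
  # file permissions, can use it afterwards.  Kept as the baseline prescribes.
  chmod 600 /etc/security >> "$LOGFILE" 2>&1
  if [[ -f /etc/xinetd.conf ]]; then
    chmod 600 /etc/xinetd.conf >> "$LOGFILE" 2>&1
  else
    log "/etc/xinetd.conf no found"
  fi
  log "---------------system_dir_file_permissions_set finish---------------"
  for d in "${dirs[@]}"; do
    ls -ld "$d/" >> "$LOGFILE"
  done
  ls -ld /tmp >> "$LOGFILE"
  ls -ld /etc/security >> "$LOGFILE"
  local f
  for f in /etc/shadow /etc/passwd /etc/services /etc/group; do
    ls -l "$f" >> "$LOGFILE"
  done
  if [[ -f /etc/xinetd.conf ]]; then
    ls -l /etc/xinetd.conf >> "$LOGFILE"
  else
    log "/etc/xinetd.conf no found"
  fi
}

#######################################
# Network hardening sysctls: an existing key is replaced in place, a missing
# one appended (the original appended all five lines on every run).
# The keys contain only [a-z0-9._], so they are used unescaped in the regex.
#######################################
sys_kernel_parameter_set() {
  log "---------------sys_kernel_parameter_set finish---------------"
  ls /etc/sysctl.conf >> "$LOGFILE"
  local kv key
  for kv in net.ipv4.conf.all.accept_redirects=0 \
            net.ipv4.icmp_echo_ignore_broadcasts=1 \
            net.ipv4.ip_forward=0 \
            net.ipv4.conf.all.send_redirects=0 \
            net.ipv4.conf.all.accept_source_route=0; do
    key=${kv%%=*}
    if grep -qE "^[[:space:]]*${key}[[:space:]]*=" /etc/sysctl.conf; then
      sed -i -E "s|^[[:space:]]*${key}[[:space:]]*=.*|${kv}|" /etc/sysctl.conf
    else
      printf '%s\n' "$kv" >> /etc/sysctl.conf
    fi
  done
  sysctl -p >> "$LOGFILE" 2>&1
}

#######################################
# Login banner in /etc/motd.
#######################################
set_banner() {
  log ""
  log "---------------set banner----------------"
  echo '"Authorized access only"' > /etc/motd
  cat /etc/motd >> "$LOGFILE"
}

#######################################
# Turn SELinux off in /etc/selinux/config (takes effect at the next boot).
# This baseline prescribes it, but it removes a mandatory-access-control
# layer rather than adding one; keep the step only if site policy requires it.
#######################################
set_selinux() {
  log ""
  log "---------------set selinux---------------"
  sed -i 's/SELINUX=enforcing/SELINUX=disabled/g' /etc/selinux/config
  grep "disabled" /etc/selinux/config >> "$LOGFILE"
}

#######################################
# Disable direct root login over SSH.  The original sed only matched the
# commented default "#PermitRootLogin yes"; an explicit "PermitRootLogin yes"
# was left in place while the log suggested it had been changed.
#######################################
set_sshd_root_login() {
  log ""
  log "---------------set root romote access---------------"
  if grep -qE '^[[:space:]]*#?[[:space:]]*PermitRootLogin' /etc/ssh/sshd_config; then
    sed -i -E 's/^[[:space:]]*#?[[:space:]]*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
  else
    printf '%s\n' 'PermitRootLogin no' >> /etc/ssh/sshd_config
  fi
  grep "PermitRootLogin" /etc/ssh/sshd_config >> "$LOGFILE"
}

#######################################
# RHEL 6: banner, SELinux, sshd root login, chkconfig'd services.
# The NetworkManager / iptables / telnet-server steps were commented out in
# the original and stay out; only the "stop iptables" heading is kept.
# sshd is restarted only if its config still parses, otherwise a typo in
# sshd_config would cost remote access to the host.
#######################################
rhel6_stop_service() {
  set_banner
  log ""
  log "---------------stop iptables---------------"
  set_selinux
  set_sshd_root_login
  if sshd -t 2>> "$LOGFILE"; then
    /etc/init.d/sshd restart >> "$LOGFILE"
  else
    log "sshd config test failed, sshd not restarted"
  fi
  chkconfig --list | grep sshd >> "$LOGFILE"
  log "---------------stop OS other services---------------"
  local s
  for s in acpid bluetooth postfix rhnsd rhsmcertd; do
    # ask chkconfig for the service itself instead of grepping package names
    if chkconfig --list "$s" &>/dev/null; then
      chkconfig "$s" off >> "$LOGFILE"
    else
      log " $s services no found "
    fi
    chkconfig --list | grep "$s" >> "$LOGFILE"
  done
}

#######################################
# RHEL 7 counterpart of rhel6_stop_service() using systemctl.
#######################################
rhel7_stop_service() {
  set_banner
  log ""
  log "---------------stop firewall---------------"
  # Flushing iptables and disabling firewalld leaves the host without a
  # packet filter; that is what this baseline does, not a hardening step.
  iptables -F
  systemctl stop firewalld >> "$LOGFILE" 2>&1
  systemctl disable firewalld >> "$LOGFILE" 2>&1
  systemctl list-unit-files | grep firewalld >> "$LOGFILE"
  set_selinux
  set_sshd_root_login
  if sshd -t 2>> "$LOGFILE"; then
    systemctl restart sshd >> "$LOGFILE" 2>&1
  else
    log "sshd config test failed, sshd not restarted"
  fi
  systemctl list-unit-files | grep sshd.service >> "$LOGFILE"
  log "---------------stop OS other services---------------"
  local s
  for s in bluetooth.target postfix rhnsd rhsmcertd; do
    # look the unit up by name; the original grepped the rpm list for the
    # unit name, which does not find a unit such as bluetooth.target
    if systemctl list-unit-files --no-legend "$s" "${s%.target}.service" 2>/dev/null | grep -q .; then
      systemctl stop "$s" &>/dev/null
      systemctl disable "$s" &>/dev/null
    else
      log " $s services no found "
    fi
    systemctl list-unit-files | grep "$s" >> "$LOGFILE"
  done
}

#######################################
# Password ageing in /etc/login.defs.  The original rewrote the file with
# "awk ... 1<>/etc/login.defs", which does not truncate and can leave bytes
# of the old content at the end whenever the new line is shorter.
#######################################
set_login_defs_ageing() {
  local kv key val
  for kv in PASS_MAX_DAYS=90 PASS_MIN_DAYS=6 PASS_MIN_LEN=8 PASS_WARN_AGE=30; do
    key=${kv%%=*}
    val=${kv#*=}
    if grep -q "^$key" /etc/login.defs; then
      sed -i "s/^$key.*/$key\t$val/" /etc/login.defs
    else
      printf '%s\t%s\n' "$key" "$val" >> /etc/login.defs
    fi
  done
  log "------------password controls set finish-----------------"
  # report the four settings by name instead of the fixed lines 25-28
  grep -E '^PASS_(MAX_DAYS|MIN_DAYS|MIN_LEN|WARN_AGE)' /etc/login.defs >> "$LOGFILE"
}

#######################################
# Replace the "password" line that loads $module in $file with $rule, or
# append $rule when the module is not loaded yet.  Anchoring on the module
# name (instead of on "type=" / "use_authtok" as the original did) keeps an
# unrelated line carrying the same keyword, e.g. a pam_sss.so line with
# use_authtok, from being overwritten.
# Arguments: $1 - PAM file, $2 - module name, $3 - full rule line
#######################################
set_pam_password_rule() {
  local file=$1 module=$2 rule=$3
  local tag=${file##*/}
  tag=${tag//-/_}
  if grep -q "^password.*$module" "$file"; then
    sed -i "/^password.*$module/c \\$rule" "$file"
    log "parameter_${tag} ${module#pam_} replace finish"
  else
    sed -i "\$a \\$rule" "$file"
    log "parameter_${tag} ${module#pam_} append finish"
  fi
  grep "$module" "$file" >> "$LOGFILE"
}

#######################################
# RHEL 6 password policy: login.defs ageing, pam_cracklib complexity and
# pam_unix with sha512 hashes and a history of 6 passwords.
# "nullok" on pam_unix permits empty passwords; a stricter baseline drops it.
#######################################
rhel6_pass_policy() {
  set_login_defs_ageing
  local crack='password    requisite     pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ocredit=-1 ucredit=-1 lcredit=1 minclass=3 minlen=8'
  local unixrule='password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=6'
  local f
  for f in "${PAM_FILES[@]}"; do
    set_pam_password_rule "$f" pam_cracklib.so "$crack"
  done
  for f in "${PAM_FILES[@]}"; do
    set_pam_password_rule "$f" pam_unix.so "$unixrule"
  done
}

#######################################
# RHEL 7 password policy with pam_pwquality.
#   retry=3      attempts allowed when a new password is rejected
#   minlen=8     minimum length; minclass=3 distinct character classes
#   dcredit/ocredit/ucredit=-1  at least one digit, one special and one
#                upper-case character
#   remember=6   (pam_unix) the last six passwords cannot be reused
# The original's else branches logged and grepped "cracklib" here although
# the rule written is pam_pwquality; the log now names the right module.
#######################################
rhel7_pass_policy() {
  set_login_defs_ageing
  local pwq='password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= dcredit=-1 ocredit=-1 ucredit=-1 lcredit=1 minclass=3 minlen=8'
  local unixrule='password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=6'
  local f
  for f in "${PAM_FILES[@]}"; do
    set_pam_password_rule "$f" pam_pwquality.so "$pwq"
  done
  for f in "${PAM_FILES[@]}"; do
    set_pam_password_rule "$f" pam_unix.so "$unixrule"
  done
}

#######################################
# Idle shell timeout of 300 s through /etc/profile (shared by both releases).
#######################################
set_tmout() {
  if grep "TMOUT=300" /etc/profile >> "$LOGFILE"; then
    log "TMOUT already set"
  else
    sed -i '$a \export TMOUT=300' /etc/profile
    grep "TMOUT" /etc/profile >> "$LOGFILE"
  fi
}

rhel6_para_set() {
  set_tmout
}

rhel7_para_set() {
  set_tmout
  log "rhel7 parameter set finished"
}

#######################################
# Add $TIMESERVERIP as a "server ... iburst" line in a time-daemon config,
# once: after the "# Please" comment when present, else at the end of file.
# Arguments: $1 - config file
#######################################
add_time_server() {
  local conf=$1
  if ! grep -q "^server $TIMESERVERIP" "$conf"; then
    sed -i "/^# Please/a server $TIMESERVERIP     iburst" "$conf"
    grep -q "^server $TIMESERVERIP" "$conf" \
      || printf 'server %s     iburst\n' "$TIMESERVERIP" >> "$conf"
  fi
}

#######################################
# RHEL 6: point ntpd at $TIMESERVERIP and restart it so the new server is
# used (the original edited the file but never restarted the daemon).
# "rpm -q ntp" replaces "rpm -qa | grep ntp", which also matched other
# packages with "ntp" in their name.
#######################################
rhel6_timeserver_set() {
  if rpm -q ntp &>/dev/null; then
    add_time_server /etc/ntp.conf
    log "--------------------ntp server set finish---------------------"
    ls /etc/ntp.conf >> "$LOGFILE"
    grep '^server' /etc/ntp.conf >> "$LOGFILE"
    chkconfig ntpd on
    service ntpd restart >> "$LOGFILE" 2>&1
  else
    echo "ntp server no found"
  fi
}

#######################################
# RHEL 7: install chrony if needed, point it at $TIMESERVERIP, enable and
# restart it.
#######################################
rhel7_timeserver_set() {
  if ! rpm -q chrony &>/dev/null; then
    echo "chronyd server no found start install"
    if yum -y install chrony &>/dev/null; then
      log " chrony install finish "
    else
      log "chrony install failed"
      log "-----------------------------------------------------------------"
      return 1
    fi
  fi
  add_time_server /etc/chrony.conf
  log "--------------------chrony server set finish---------------------"
  ls /etc/chrony.conf >> "$LOGFILE"
  grep '^server' /etc/chrony.conf >> "$LOGFILE"
  systemctl enable chronyd &>/dev/null
  systemctl restart chronyd >> "$LOGFILE" 2>&1
  log "-----------------------------------------------------------------"
}

#######################################
# Run every step.  Order matters: backups first, account locking before the
# account files are made immutable.  Anything other than release 6 or 7 is
# an error now; the original silently ran the RHEL 7 branch for it.
#######################################
main() {
  [[ $(id -u) -eq 0 ]] || die "this script must run as root"
  check_checklog
  bak_file
  login_policy
  create_user
  user_lock_set
  file_lock_set
  group_permissions_set
  user_permissions_set
  system_dir_file_permissions_set
  sys_kernel_parameter_set
  history_num_set
  change_open_file_num
  case "$VERSION" in
    6)
      rhel6_stop_service
      rhel6_pass_policy
      rhel6_para_set
      rhel6_timeserver_set
      log "centos 6  init finish"
      ;;
    7)
      rhel7_stop_service
      rhel7_pass_policy
      rhel7_para_set
      rhel7_timeserver_set
      log "centos 7  init finish"
      ;;
    *)
      die "unsupported release '$VERSION' in /etc/redhat-release (expected 6 or 7)"
      ;;
  esac
  echo -e "\033[1;34m 输出结果在$BASEPATH目录下$FILE文件中 \033[0m"
}

main "$@"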

