安全基线脚本

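#!/bin/bash
#
# syscheck — CentOS/RHEL 6 and 7 security baseline script.
#
# Applies a fixed set of hardening settings (PAM lockout and password
# quality, umask, file permissions, sysctl, sshd root login, idle timeout,
# unneeded services, NTP/chrony) and records each step in $BASEPATH/$FILE.
# Must run as root. Assumes the CentOS/RHEL 6 and 7 layout
# (authconfig-managed /etc/pam.d/*-auth-ac, /etc/redhat-release).
#
# Environment:
#   LINUXADMIN_PASSWORD  initial password for the admin account created by
#                        create_user; if unset the account is created with a
#                        locked password (the secret is never stored here).
#   TIMESERVERIP         NTP/chrony server address (default below).
#
# `set -e` is deliberately not used: most steps are best-effort and commands
# such as grep or chmod on an absent path are expected to fail; steps that
# must succeed check their own status explicitly.
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

readonly NAME="syscheck"
HOSTNAME=$(uname -n)
DATE=$(date +%Y%m%d)
BASEPATH="/tmp/$NAME"
FILE="${DATE}_${HOSTNAME}_autosh.log"
LOGFILE="$BASEPATH/$FILE"
# Major release number taken from /etc/redhat-release ("6" or "7").
VERSION=$(sed -r 's/.* ([0-9]+)\..*/\1/' /etc/redhat-release 2>/dev/null)
TIMESERVERIP="${TIMESERVERIP:-2.2.2.2}"
readonly PASSWORD_AUTH=/etc/pam.d/password-auth-ac
readonly SYSTEM_AUTH=/etc/pam.d/system-auth-ac

# Print a diagnostic to stderr and stop the run.
die() { printf '%s: %s\n' "$NAME" "$*" >&2; exit 1; }

# Append one line to the run log.
log() { printf '%s\n' "$*" >> "$LOGFILE"; }

# Append an empty separator line to the run log.
log_blank() { printf '\n' >> "$LOGFILE"; }

#######################################
# Create the log directory and truncate this run's log file.
# $BASEPATH lives under world-writable /tmp, so a symlink or a directory
# pre-created by another user could redirect root's writes; refuse both.
# Globals:  BASEPATH, LOGFILE
# Returns:  exits via die() when the directory is unusable
#######################################
check_checklog() {
  local owner
  if [[ -L "$BASEPATH" ]]; then
    die "$BASEPATH is a symlink, refusing to use it"
  fi
  if [[ ! -d "$BASEPATH" ]]; then
    mkdir -m 700 -p -- "$BASEPATH" || die "cannot create $BASEPATH"
    echo "$LOGFILE create success!" > "$BASEPATH/script.log"
  else
    echo "$LOGFILE already exist" > "$BASEPATH/script.log"
  fi
  owner=$(stat -c %u -- "$BASEPATH") || die "cannot stat $BASEPATH"
  [[ "$owner" == 0 ]] || die "$BASEPATH is not owned by root (uid $owner)"
  # Every run starts with an empty log, as before.
  : > "$LOGFILE" || die "cannot write $LOGFILE"
}

#######################################
# Keep a one-time .bak copy of every file this script edits.
# Called before any modification so the backups reflect the pre-run state.
#######################################
bak_file() {
  local f
  for f in /etc/passwd /etc/shadow /etc/gshadow /etc/group \
           "$PASSWORD_AUTH" "$SYSTEM_AUTH" /etc/login.defs /etc/profile \
           /etc/pam.d/su /etc/csh.cshrc /etc/sysctl.conf /etc/csh.login \
           /etc/bashrc; do
    if [[ ! -f "$f" ]]; then
      log "$f no found, nothing to back up"
      continue
    fi
    if [[ ! -f "$f.bak" ]]; then
      # -p preserves owner and mode: a plain cp creates /etc/shadow.bak with
      # the umask default and can expose the password hashes.
      cp -p -- "$f" "$f.bak"
      log "-------------------back file finish--------------------------"
    else
      log "------------------back file already existed--------------------------"
    fi
    ls -l -- "$f.bak" >> "$LOGFILE"
  done
}

#######################################
# Replace every line of a PAM file matching a pattern with a new line, or
# append the new line when nothing matches.
# Arguments: $1 pam file, $2 regex (grep and sed), $3 replacement line,
#            $4 sed address to append after when absent ('$' = end of file),
#            $5 module name to grep back into the log, $6 log label
# Returns:   1 when the file does not exist
#######################################
set_pam_line() {
  local file=$1 match=$2 line=$3 anchor=$4 module=$5 label=$6 action
  if [[ ! -f "$file" ]]; then
    log "$label: $file no found"
    return 1
  fi
  if grep -q -- "$match" "$file"; then
    sed -i "/$match/c\\$line" "$file"
    action=replace
  else
    sed -i "${anchor}a \\$line" "$file"
    action=append
  fi
  log "****$label $action finish****"
  grep -- "$module" "$file" >> "$LOGFILE"
}

#######################################
# Account lockout after 5 failed logins (pam_tally2), root included.
# Only the auth line is matched: an existing `account ... pam_tally2.so`
# line must survive, since it is what resets the counter on success.
# NOTE(review): a file with no account line keeps the old behaviour
# (none is added here) — confirm against the site policy.
#######################################
login_policy() {
  local tally='auth        required      pam_tally2.so deny=5  even_deny_root root_unlock_time=300'
  set_pam_line "$PASSWORD_AUTH" '^auth.*pam_tally2.so' "$tally" '/^# User/' \
    pam_tally2.so 'parameter_password_auth_ac lock policy'
  set_pam_line "$SYSTEM_AUTH" '^auth.*pam_tally2.so' "$tally" '/^# User/' \
    pam_tally2.so 'parameter_system_auth_ac lock policy'
}

#######################################
# Create the admin account and add it to wheel.
# The password is read from LINUXADMIN_PASSWORD via --stdin so it never
# appears in this file or on a process command line; when unset the account
# is left with the locked password useradd gives it.
# An existing account is logged and skipped — the old `exit 2` here aborted
# every later step on a second run.
#######################################
create_user() {
  local users="linuxadmin" u
  for u in $users; do
    if id "$u" &>/dev/null; then
      log "**** user $u already exist ****"
      id "$u" >> "$LOGFILE"
      continue
    fi
    if ! useradd "$u" >> "$LOGFILE" 2>&1; then
      log "useradd $u failed"
      continue
    fi
    if [[ -n "${LINUXADMIN_PASSWORD:-}" ]]; then
      printf '%s\n' "$LINUXADMIN_PASSWORD" | passwd --stdin "$u" &>/dev/null \
        || log "passwd for $u failed"
    else
      log "LINUXADMIN_PASSWORD not set: $u created with a locked password"
    fi
    # -a keeps existing supplementary groups; plain -G replaced them all.
    usermod -aG wheel "$u"
    log "---------------create_user $u finish---------------"
    id "$u" >> "$LOGFILE"
  done
}

#######################################
# Make the account databases immutable (chattr +i).
# While set, every password or account change fails, including useradd and
# passwd; create_user therefore runs before this step.
#######################################
file_lock_set() {
  log "---------------file_lock_set finish---------------"
  local f attrs
  for f in /etc/passwd /etc/shadow /etc/group /etc/gshadow; do
    # First field of lsattr is the attribute string; 'i' marks immutable.
    attrs=$(lsattr -- "$f" 2>/dev/null | awk '{print $1}')
    if [[ "$attrs" == *i* ]]; then
      log " $f 存在i安全属性"
    else
      chattr +i -- "$f"
      lsattr -- "$f" >> "$LOGFILE"
    fi
  done
}

#######################################
# Lock the well-known system/service accounts that exist on this host.
#######################################
user_lock_set() {
  log "---------------user_lock_set finish---------------"
  local u
  for u in adm lp mail uucp operator games gopher ftp nobody nobody4 noaccess \
           listen webservd dbus avahi mailnull smmsp nscd vcsa rpc rpcuser nfs \
           pcap ntp haldaemon distcache apache webalizer squid xfs gdm sabayon \
           named; do
    log "--------------------------------- "
    if id "$u" &>/dev/null; then
      usermod -L "$u" &>/dev/null
      log "user  $u  Has been locked"
    else
      log "user $u no found"
    fi
  done
}

#######################################
# Limit the shell history kept in /etc/profile to 10 entries.
# Compares as a string so an absent HISTSIZE line no longer trips `-eq`.
#######################################
history_num_set() {
  local current
  current=$(grep -m1 'HISTSIZE=' /etc/profile | awk -F= '{print $2}')
  if [[ "$current" == 10 ]]; then
    log " ****保留历史命令条数为${current}****"
  else
    if grep -q '^HISTSIZE=' /etc/profile; then
      sed -i 's/^HISTSIZE=.*/HISTSIZE=10/' /etc/profile
    else
      printf 'HISTSIZE=10\n' >> /etc/profile
    fi
    log "历史命令条数更改为10"
  fi
}

#######################################
# Raise nproc/nofile limits and disable core dumps in limits.conf.
# A marker comment makes the append idempotent; the old unconditional
# heredoc added six duplicate lines on every run.
#######################################
change_open_file_num() {
  local marker='# added by syscheck'
  log_blank
  log "---------------change open file number----------------"
  if grep -qF -- "$marker" /etc/security/limits.conf; then
    log "limits.conf already contains the syscheck entries"
  else
    cat >> /etc/security/limits.conf <<EOF
$marker
*        soft   core      0
*        hard   core      0
*        soft   nproc    65535
*        hard   nproc    65535
*        soft   nofile   65535
*        hard   nofile   65535
EOF
  fi
  grep -v "#" /etc/security/limits.conf >> "$LOGFILE"
}

#######################################
# Only members of wheel may su to root (pam_wheel in /etc/pam.d/su).
# The line is added once; the old sed appended a duplicate on every run.
#######################################
group_permissions_set() {
  log "---------------group_permissions_set finish---------------"
  if grep -v '^#' /etc/pam.d/su | grep -q 'pam_wheel.so.*group=wheel'; then
    log "pam_wheel.so group=wheel already present"
  else
    sed -i '/pam_rootok.so/a\auth required    pam_wheel.so   group=wheel' /etc/pam.d/su
  fi
  ls -l /etc/pam.d/su >> "$LOGFILE"
  grep -v "#" /etc/pam.d/su | grep wheel.so >> "$LOGFILE"
}

#######################################
# Set the default umask: 027 in login.defs, 077 in the shell rc files.
# Only the active UMASK line in login.defs is rewritten (the old /UMASK/c
# also turned every comment mentioning UMASK into a directive).
#######################################
user_permissions_set() {
  local f
  log "---------------user_permissions_set finish---------------"
  if grep -q '^UMASK[[:space:]]' /etc/login.defs; then
    sed -i 's/^UMASK[[:space:]].*/UMASK 027/' /etc/login.defs
  else
    printf 'UMASK 027\n' >> /etc/login.defs
  fi
  ls -l /etc/login.defs >> "$LOGFILE"
  grep UMASK /etc/login.defs >> "$LOGFILE"
  log "-------------------------------------------------"
  for f in /etc/bashrc /etc/profile /etc/csh.cshrc; do
    [[ -f "$f" ]] || { log "$f no found"; continue; }
    sed -i '/^[[:space:]]/s/umask 002/umask 077/g' "$f"
    ls -l -- "$f" >> "$LOGFILE"
    grep -v "#" "$f" | grep umask >> "$LOGFILE"
    log "-------------------------------------------------"
  done
  # csh's umask is a builtin, `umask 077`; `set umask 077` only defined a
  # shell variable and never changed the mask. Added once, at end of file.
  if [[ -f /etc/csh.login ]]; then
    grep -q '^umask 077' /etc/csh.login || printf 'umask 077\n' >> /etc/csh.login
    ls -l /etc/csh.login >> "$LOGFILE"
    grep -v "#" /etc/csh.login | grep umask >> "$LOGFILE"
  else
    log "/etc/csh.login no found"
  fi
  log "-------------------------------------------------"
}

#######################################
# Tighten permissions on the init directories and a few config files.
# /tmp keeps 1777 (sticky, world-writable): the old chmod 750 locked every
# non-root process out of /tmp. /etc/security is a directory, so it needs
# the execute bit (700, not 600) to be traversed at all.
#######################################
system_dir_file_permissions_set() {
  local d
  local -a dirs=(/etc/rc0.d /etc/rc1.d /etc/rc2.d /etc/rc3.d /etc/rc4.d
                 /etc/rc5.d /etc/rc6.d /etc/rc.d/init.d)
  for d in "${dirs[@]}"; do
    [[ -d "$d" ]] && chmod 750 -- "$d"
  done
  chmod 1777 /tmp
  chmod 700 /etc/security
  if [[ -f /etc/xinetd.conf ]]; then
    chmod 600 /etc/xinetd.conf
  else
    log "/etc/xinetd.conf no found"
  fi
  log "---------------system_dir_file_permissions_set finish---------------"
  for d in "${dirs[@]}" /tmp /etc/security; do
    ls -ld -- "$d" >> "$LOGFILE" 2>&1
  done
  ls -l /etc/shadow /etc/passwd /etc/services /etc/group >> "$LOGFILE"
  if [[ -f /etc/xinetd.conf ]]; then
    ls -l /etc/xinetd.conf >> "$LOGFILE"
  else
    log "/etc/xinetd.conf no found"
  fi
}

#######################################
# Set or replace one key in /etc/sysctl.conf (idempotent).
# Arguments: $1 key, $2 value
#######################################
set_sysctl() {
  local key=$1 value=$2
  if grep -qE "^[[:space:]]*${key}[[:space:]]*=" /etc/sysctl.conf; then
    sed -i -E "s|^[[:space:]]*${key}[[:space:]]*=.*|${key}=${value}|" /etc/sysctl.conf
  else
    printf '%s=%s\n' "$key" "$value" >> /etc/sysctl.conf
  fi
}

#######################################
# Network hardening sysctls; the old unconditional echo >> appended a
# duplicate set of lines on every run.
#######################################
sys_kernel_parameter_set() {
  log "---------------sys_kernel_parameter_set finish---------------"
  ls -l /etc/sysctl.conf >> "$LOGFILE"
  set_sysctl net.ipv4.conf.all.accept_redirects 0
  set_sysctl net.ipv4.icmp_echo_ignore_broadcasts 1
  set_sysctl net.ipv4.ip_forward 0
  set_sysctl net.ipv4.conf.all.send_redirects 0
  set_sysctl net.ipv4.conf.all.accept_source_route 0
  sysctl -p >> "$LOGFILE" 2>&1
}

# Login banner in /etc/motd (the literal quotes are part of the text).
set_banner() {
  log_blank
  log "---------------set banner----------------"
  echo '"Authorized access only"' > /etc/motd
  cat /etc/motd >> "$LOGFILE"
}

#######################################
# Disable SELinux in /etc/selinux/config (takes effect after reboot).
# Matches any current mode, not only "enforcing". This removes a mandatory
# access-control layer from the host; kept because the baseline calls for
# it, but worth revisiting if the site policy allows permissive/enforcing.
#######################################
set_selinux_disabled() {
  log_blank
  log "---------------set selinux---------------"
  sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
  grep "disabled" /etc/selinux/config >> "$LOGFILE"
}

#######################################
# PermitRootLogin no in sshd_config.
# Rewrites an existing directive whether or not it is commented out (the old
# sed only matched the exact text "#PermitRootLogin yes"). A missing
# directive is inserted at the top of the file so it is not captured by a
# trailing Match block. Does NOT restart sshd; callers do that after the
# config check below succeeds.
# Returns: non-zero when `sshd -t` rejects the resulting configuration
#######################################
set_sshd_no_root_login() {
  log_blank
  log "---------------set root romote access---------------"
  if grep -qE '^[[:space:]]*#?[[:space:]]*PermitRootLogin' /etc/ssh/sshd_config; then
    sed -i -E 's/^[[:space:]]*#?[[:space:]]*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
  else
    sed -i '1i PermitRootLogin no' /etc/ssh/sshd_config
  fi
  grep "PermitRootLogin" /etc/ssh/sshd_config >> "$LOGFILE"
  # Never restart sshd on a config it will refuse: that would lock out the
  # operator on a remote host.
  if ! sshd -t >> "$LOGFILE" 2>&1; then
    log "sshd -t failed, sshd not restarted"
    return 1
  fi
}

#######################################
# RHEL 6: banner, SELinux, root ssh login, sshd restart, unneeded services.
# Service presence is checked with chkconfig --list rather than a loose
# `rpm -qa | grep`, which matched unrelated package names.
#######################################
rhel6_stop_service() {
  local svc
  set_banner
  log_blank
  log "---------------stop iptables---------------"
  set_selinux_disabled
  if set_sshd_no_root_login; then
    /etc/init.d/sshd restart >> "$LOGFILE" 2>&1
  fi
  chkconfig --list | grep sshd >> "$LOGFILE"
  log "---------------stop OS other services---------------"
  for svc in acpid bluetooth postfix rhnsd rhsmcertd; do
    if chkconfig --list "$svc" &>/dev/null; then
      chkconfig "$svc" off >> "$LOGFILE" 2>&1
      chkconfig --list "$svc" >> "$LOGFILE"
    else
      log " $svc services no found "
    fi
  done
}

#######################################
# Set or replace one PASS_* key in /etc/login.defs.
# Arguments: $1 key, $2 value
#######################################
set_login_defs() {
  local key=$1 value=$2
  if grep -q "^${key}[[:space:]]" /etc/login.defs; then
    sed -i "s/^${key}[[:space:]].*/${key}\t${value}/" /etc/login.defs
  else
    printf '%s\t%s\n' "$key" "$value" >> /etc/login.defs
  fi
}

# Password ageing in login.defs, shared by the RHEL 6 and 7 policies.
set_password_aging() {
  set_login_defs PASS_MAX_DAYS 90
  set_login_defs PASS_MIN_DAYS 6
  set_login_defs PASS_MIN_LEN 8
  set_login_defs PASS_WARN_AGE 30
  log "------------password controls set finish-----------------"
  grep -E '^PASS_(MAX_DAYS|MIN_DAYS|MIN_LEN|WARN_AGE)' /etc/login.defs >> "$LOGFILE"
}

#######################################
# pam_unix password line with sha512 and remember=6, both PAM files.
# Matched on `^password.*pam_unix.so` so a pam_sss line that also carries
# use_authtok is left alone. `nullok` is kept from the original policy;
# it permits empty-password logins and is worth dropping if policy allows.
#######################################
set_pam_unix_policy() {
  local unix_line='password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=6'
  set_pam_line "$PASSWORD_AUTH" '^password.*pam_unix.so' "$unix_line" '$' \
    pam_unix.so 'parameter_password_auth_ac unix.so'
  set_pam_line "$SYSTEM_AUTH" '^password.*pam_unix.so' "$unix_line" '$' \
    pam_unix.so 'parameter_system_auth_ac unix.so'
  # Full password stack so the operator can confirm ordering: a line appended
  # after a `sufficient` pam_unix entry is never reached.
  log "---- password stack ----"
  grep '^password' "$PASSWORD_AUTH" "$SYSTEM_AUTH" >> "$LOGFILE"
}

#######################################
# RHEL 6 password policy: ageing, pam_cracklib complexity, pam_unix.
#######################################
rhel6_pass_policy() {
  local crack_line='password    requisite     pam_cracklib.so try_first_pass retry=3 type= dcredit=-1 ocredit=-1 ucredit=-1 lcredit=1 minclass=3 minlen=8'
  set_password_aging
  set_pam_line "$PASSWORD_AUTH" '^password.*pam_cracklib.so' "$crack_line" '$' \
    pam_cracklib.so 'parameter_password_auth_ac cracklib.so'
  set_pam_line "$SYSTEM_AUTH" '^password.*pam_cracklib.so' "$crack_line" '$' \
    pam_cracklib.so 'parameter_system_auth_ac cracklib.so'
  set_pam_unix_policy
}

# Idle shell timeout (TMOUT=300 in /etc/profile), shared by both releases.
set_tmout() {
  if grep -q "TMOUT=300" /etc/profile; then
    log "TMOUT already set"
  else
    sed -i '$a \export TMOUT=300' /etc/profile
    grep "TMOUT" /etc/profile >> "$LOGFILE"
  fi
}

rhel6_para_set() {
  set_tmout
}

#######################################
# Add the site time server to an ntp/chrony config once.
# Inserted after the "# Please" comment when present, otherwise appended
# (the old sed silently did nothing without that anchor).
# Arguments: $1 config file
#######################################
add_timeserver() {
  local conf=$1
  if grep -qE "^server[[:space:]]+${TIMESERVERIP}([[:space:]]|$)" "$conf"; then
    log "server $TIMESERVERIP already configured in $conf"
  elif grep -q '^# Please' "$conf"; then
    sed -i "/^# Please/a server ${TIMESERVERIP}     iburst" "$conf"
  else
    printf 'server %s     iburst\n' "$TIMESERVERIP" >> "$conf"
  fi
  ls -l -- "$conf" >> "$LOGFILE"
  grep '^server' "$conf" >> "$LOGFILE"
}

rhel6_timeserver_set() {
  if rpm -q ntp &>/dev/null; then
    add_timeserver /etc/ntp.conf
    log "--------------------ntp server set finish---------------------"
  else
    log "ntp server no found"
  fi
}

#######################################
# RHEL 7: configure chrony, installing it first when absent.
#######################################
rhel7_timeserver_set() {
  if ! rpm -q chrony &>/dev/null; then
    log "chronyd server no found start install"
    if yum -y install chrony &>/dev/null; then
      log " chrony install finish "
    else
      log "chrony install failed"
      return 1
    fi
  fi
  add_timeserver /etc/chrony.conf
  log "--------------------chrony server set finish---------------------"
  log "-----------------------------------------------------------------"
}

#######################################
# RHEL 7: banner, firewall, SELinux, root ssh login, unneeded services.
# Unit presence is checked via systemctl so bluetooth.target (not an rpm
# name) is found; the old `rpm -qa | grep` never matched it.
# Stopping firewalld and flushing iptables leaves the host without a packet
# filter — kept from the original baseline, review against site policy.
#######################################
rhel7_stop_service() {
  local svc
  set_banner
  log_blank
  log "---------------stop firewall---------------"
  iptables -F
  systemctl stop firewalld >> "$LOGFILE" 2>&1
  systemctl disable firewalld >> "$LOGFILE" 2>&1
  systemctl list-unit-files | grep firewalld >> "$LOGFILE"
  set_selinux_disabled
  if set_sshd_no_root_login; then
    systemctl restart sshd >> "$LOGFILE" 2>&1
  fi
  systemctl list-unit-files | grep sshd.service >> "$LOGFILE"
  log "---------------stop OS other services---------------"
  for svc in bluetooth.target postfix rhnsd rhsmcertd; do
    if systemctl list-unit-files "${svc}*" 2>/dev/null | grep -q "^${svc}"; then
      systemctl stop "$svc" &>/dev/null
      systemctl disable "$svc" &>/dev/null
      systemctl list-unit-files "${svc}*" | grep "^${svc}" >> "$LOGFILE"
    else
      log " $svc services no found "
    fi
  done
}

#######################################
# RHEL 7 password policy: ageing, pam_pwquality complexity, pam_unix.
# pwquality options: retry  attempts allowed when changing a password
#                    minlen minimum length (8)
#                    dcredit/ocredit/ucredit=-1 at least one digit, one
#                    special and one upper-case character
#                    minclass=3 at least three character classes
# The old append branch logged and grepped pam_cracklib.so by mistake.
#######################################
rhel7_pass_policy() {
  local pwq_line='password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= dcredit=-1 ocredit=-1 ucredit=-1 lcredit=1 minclass=3 minlen=8'
  set_password_aging
  set_pam_line "$PASSWORD_AUTH" '^password.*pam_pwquality.so' "$pwq_line" '$' \
    pam_pwquality.so 'parameter_password_auth_ac pam_pwquality.so'
  set_pam_line "$SYSTEM_AUTH" '^password.*pam_pwquality.so' "$pwq_line" '$' \
    pam_pwquality.so 'parameter_system_auth_ac pam_pwquality.so'
  set_pam_unix_policy
}

rhel7_para_set() {
  set_tmout
  log "rhel7 parameter set finished"
}

#######################################
# Entry point. Backups are taken before the first edit (they used to run
# after login_policy and create_user had already changed the files), and
# an unknown release number aborts instead of silently taking the RHEL 7
# path.
#######################################
main() {
  (( EUID == 0 )) || die "must run as root"
  [[ -n "$VERSION" ]] || die "cannot determine release from /etc/redhat-release"
  check_checklog
  bak_file
  login_policy
  create_user
  file_lock_set
  user_lock_set
  group_permissions_set
  user_permissions_set
  system_dir_file_permissions_set
  sys_kernel_parameter_set
  history_num_set
  change_open_file_num
  case "$VERSION" in
    6)
      rhel6_stop_service
      rhel6_pass_policy
      rhel6_para_set
      rhel6_timeserver_set
      log "centos 6  init finish"
      ;;
    7)
      rhel7_stop_service
      rhel7_pass_policy
      rhel7_para_set
      rhel7_timeserver_set
      log "centos 7  init finish"
      ;;
    *)
      die "unsupported release $VERSION (expected 6 or 7)"
      ;;
  esac
  printf '\033[1;34m 输出结果在%s目录下%s文件中 \033[0m\n' "$BASEPATH" "$FILE"
}

main "$@"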

