每天一博--第七天 CentOS 8 安全加固

服务器安全加固

目前已经将加固方案写成了脚本，方便后面的服务器加固。

第一部分脚本内容

#########################################################################
# File Name: security_backup.sh
# Author:Superjay09
# mail: xxxxxxxxx.com
# Created Time: 2019-12-11
#########################################################################
#!/bin/bash   # NOTE: a shebang only takes effect on line 1 of the file; placed below the header comment it is ignored and the script runs under whatever shell invokes it -- move it to the top.
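# Directory holding this script and its siblings (UG-operation.sh,
# security_config.sh). "cd ... && pwd" leaves WORKDIR empty if the cd fails,
# so a later "source $WORKDIR/x.sh" fails loudly instead of sourcing a file
# from the caller's current directory.
WORKDIR=$(cd "$(dirname "$0")" && pwd)
# Staging directory for the pre-hardening snapshot; zip() packs and removes it.
BACKUPDIR=/opt/backup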

# Everything write() snapshots before the hardening touches it. Globs
# (/etc/init.d/*, /etc/cron*, /etc/security/*) are expanded when the array is
# built; a pattern that matches nothing is kept literally.
FILE=(
	# accounts
	/etc/passwd /etc/shadow
	/etc/group /etc/gshadow
	# shell environment and banners
	/etc/profile /etc/bashrc
	/etc/motd /etc/sysctl.conf
	# logging, init, mail
	/etc/rsyslog.conf /etc/inittab
	/etc/init.d/* /etc/aliases
	# privilege and remote access
	/etc/sudoers /etc/ssh/sshd_config
	/etc/login.defs /etc/pam.d/sudo
	/etc/pam.d/system-auth /etc/pam.d/systemd-user
	/etc/pam.d/su /etc/pam.d/cockpit
	# scheduling and login records
	/etc/cron* /var/log/btmp
	/var/log/wtmp /var/log/messages
	/etc/security/* /var/log/lastlog
	/var/spool/cron /var/log/firewalld
)

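write(){
	# Snapshot every entry of FILE into BACKUPDIR and write the two manifests
	# that reback.sh consumes later:
	#   per-file : "<path> <octal mode>"          (restored with chmod)
	#   spe-file : "<path> <attribute names...>"  (Immutable / Append_Only -> chattr)
	# The staging dir receives copies of /etc/shadow, /etc/gshadow and
	# /etc/sudoers, so it is created 0700 and the copies keep their own mode
	# (cp -a) instead of inheriting the umask.
	local per mode attrs
	if [ ! -d "$BACKUPDIR" ]; then
		mkdir -p -m 700 -- "$BACKUPDIR" || return 1
	fi

	PER_FILE=$BACKUPDIR/per-file
	SPE_FILE=$BACKUPDIR/spe-file
	for per in "${FILE[@]}"; do
		# A glob in FILE that matched nothing is still in the list as a pattern.
		[ -e "$per" ] || continue
		mode=$(stat -c '%a' -- "$per")
		# -d reports the entry itself (without it a directory's contents are
		# listed). The comma separators are removed so that e.g.
		# "Immutable, Extents" becomes "Immutable Extents" and reback.sh's
		# awk '{print $2}' still sees the flag it looks for; lsattr prints
		# i/a before e, so the interesting flag is the first word.
		attrs=$(lsattr -d -l "$per" 2>/dev/null | awk '{$1=""; print}' | tr -d ',')
		cp -a -- "$per" "$BACKUPDIR"
		echo "$per $mode" >> "$PER_FILE"
		echo "$per$attrs" >> "$SPE_FILE"
	done
}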

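zip(){
	# Pack the staging dir into /opt/backfile.tar.gz and remove the staging dir.
	# Member names are relative ("opt/backup/..."), which reback.sh and the
	# Configure-Sudo step ("tar rPf") depend on. The archive is deliberately
	# NOT gzip-compressed despite its name: "tar r" cannot append to a
	# compressed archive, and tar -x autodetects the format on extraction.
	# It holds copies of /etc/shadow and /etc/sudoers, so it is created under
	# umask 077 and pinned to 0600; the original let it inherit the default
	# umask, i.e. typically a world-readable shadow copy under /opt.
	if (
		umask 077
		tar -cf /opt/backfile.tar.gz -C / -- "${BACKUPDIR#/}" > /dev/null 2>&1
	); then
		chmod 600 /opt/backfile.tar.gz
		rm -rf -- "${BACKUPDIR:?}"
	else
		# Keep the staging dir so nothing is lost when the archive failed.
		echo -e "\033[31mBackup archive could not be created, $BACKUPDIR left in place\033[0m" >&2
		return 1
	fi
}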

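ask(){
	# Offer to continue into the user/group menu (UG-operation.sh, sourced so it
	# shares WORKDIR). The original ended this function with "break", which has
	# no loop to break out of, and with a stray backtick after the closing brace
	# that put the rest of the file inside an unterminated command substitution.
	local answer
	read -r -p "Do you need to secure the system? [Y|y/N|n] " answer
	case $answer in
		Y|y)
			# shellcheck disable=SC1090 -- sibling script, resolved at run time
			source "$WORKDIR/UG-operation.sh"
		;;
		N|n)
			return 0
		;;
		*)
			echo "Unrecognised answer '$answer', nothing done" >&2
			return 1
		;;
	esac
}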

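# ---- time sync ---------------------------------------------------------------
# A correct clock matters for the mtime-based "already hardened recently" test
# below and for log correlation. The original checked "rpm -qa ntpdate", but
# -qa exits 0 whether or not the package is installed, so its install branch
# never ran. CentOS 8 ships chrony rather than ntpdate (ntpdate is not in the
# base repos), so chrony is used when present and ntpdate only as a fallback.
echo -e "\033[32mSynchronizing time.....Please wait.\033[0m"
echo ""
if command -v chronyc > /dev/null 2>&1; then
	chronyc makestep > /dev/null 2>&1
else
	if ! rpm -q ntpdate > /dev/null 2>&1; then
		yum -y install ntpdate > /dev/null 2>&1
	fi
	# Unauthenticated NTP against a public server; acceptable for a one-off
	# step, but point this at an internal, trusted time source where one exists.
	ntpdate ntp1.aliyun.com > /dev/null 2>&1
fi
echo -e "\033[32mTime synchronization complete\033[0m"
echo ""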

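# ---- entry point ---------------------------------------------------------------
# First run: snapshot the sensitive files, archive them, then run the hardening.
# Later runs: if the archive is older than BACKUP_MAX_AGE seconds take a fresh
# snapshot, otherwise assume the host is hardened and only offer the user menu.
# Ages are computed in epoch seconds. The original subtracted two
# YYYYMMDDHHMMSS strings as integers, which is not a duration (a one-day gap
# is 1000000 and the value jumps at month boundaries), so its "1339200"
# threshold did not mean what it looks like.
BACKUP_MAX_AGE=$((15 * 24 * 3600))   # 15 days; tune to the site's re-baseline interval

if [ ! -f /opt/backfile.tar.gz ]; then
	write
	zip
	# shellcheck disable=SC1090 -- sibling script, resolved at run time
	source "$WORKDIR/security_config.sh"
else
	now=$(date +%s)
	backup_mtime=$(stat -c %Y /opt/backfile.tar.gz)

	if (( now - backup_mtime > BACKUP_MAX_AGE )); then
		write
		zip
		echo ""
		ask
	else
		echo -e "\033[32mSystem security has been strengthened.Please select another operation\033[0m"
		echo ""
		ask
	fi
fi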

第二部分

#########################################################################
# File Name: security_config.sh
# Author:Superjay09
# mail: [email protected]
# Created Time: 2019-11-27
#########################################################################
#!/bin/bash   # NOTE: the original read "#/bin/bash" (missing "!"); either way a shebang only counts on line 1 of the file -- move it above the header comment.

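# Directory holding the shipped sshd_config and banner. This file is normally
# sourced from security_backup.sh, so $0 is that script's path -- both must
# live in the same directory. "&& pwd" leaves WORKDIR empty on a failed cd so
# the later "cp $WORKDIR/sshd_config" fails instead of copying a stray file.
WORKDIR=$(cd "$(dirname "$0")" && pwd)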

if [ `whoami` == "root" ];then 
####################GET SYSTEM INFORMATION####################
####################GET SYSTEM INFORMATION####################
# Short OS/hardware summary for the operator's record. Purely informational;
# nothing below depends on these values.
SYSTEM_VERSION=$(cat /etc/redhat-release)
SYSTEM_CPU_MODEL=$(awk -F: '/model name/ {print $2}' /proc/cpuinfo)
SYSTEM_CPU_NUMBERS=$(grep 'physical id' /proc/cpuinfo | sort -u | wc -l)
SYSTEM_CPU_CORE=$(grep 'core id' /proc/cpuinfo | sort -u | wc -l)
SYSTEM_CPU_PROCESSOR=$(grep 'processor' /proc/cpuinfo | sort -u | wc -l)
AVAILABLE_MEMORY_SIZE=$(free -m | awk '/Mem/ {print $2}')
SYSTEM_DISK_SIZE=$(lsblk | awk '/disk/ {print $4}')

{
	echo ""
	echo "#----------------------SYSTEM BRIEF INFORMATION-----------------------#"
	echo -e "\033[32mSystem_version: $SYSTEM_VERSION\033[0m"
	echo -e "\033[32mSystem_cpu_model: $SYSTEM_CPU_MODEL\033[0m"
	echo -e "\033[32mSystem_cpu_numbers: $SYSTEM_CPU_NUMBERS\033[0m"
	echo -e "\033[32mSystem_cpu_core: $SYSTEM_CPU_CORE\033[0m"
	echo -e "\033[32mSystem_cpu_processor: $SYSTEM_CPU_PROCESSOR\033[0m"
	echo -e "\033[32mAviailable_memory_size: $AVAILABLE_MEMORY_SIZE MB\033[0m"
	echo -e "\033[32mSystem_disk_size: $SYSTEM_DISK_SIZE\033[0m"
	echo "#---------------------------------------------------------------------#"
	echo ""
}
###############################################################

#####################CHECKING SYSTEM USER######################
#####################CHECKING SYSTEM USER######################
# Two account checks: lock every account whose shadow password field is
# empty, and list every UID-0 account other than root (listing only -- whether
# a second UID-0 account is legitimate is for the operator to decide).
# NOTE(review): "passwd -l" only disables password authentication; a key in
# that account's authorized_keys still works. Add "usermod -s /sbin/nologin"
# if the account must not log in at all.
NOPASSWD=$(awk -F: '$2 == "" {print $1}' /etc/shadow)
INROOT=$(awk -F: '$3 == 0 {print $1}' /etc/passwd)

if [ -n "$NOPASSWD" ]; then
	for user in $NOPASSWD; do
		echo -e "\033[31m[$user] is a blank password\033[0m"
		echo -e "\033[31mDeactivating [$user] account\033[0m"
		echo ""
		echo "#################################################################"
		passwd -l "$user" > /dev/null 2>&1
	done
else
	echo -e  "\033[32mUsers who do not have a blank password for this system\033[0m"
	echo ""
	echo "#---------------------------------------------------------------------#"
fi

if [ "$INROOT" != "root" ]; then
	for permission in $INROOT; do
		echo -e "\033[31mUser [$permission] has administrator privileges\033[0m"
		echo -e "\033[31mPlease confirm whether to add for administrator\033[0m"
		echo ""
	done
else
	echo ""
	echo -e  "\033[32mOnly root has administrator rights in the system\033[0m"
	echo ""
	echo "#---------------------------------------------------------------------#"
fi
##############################################################
#########################DISABLE ICMP#########################
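#########################DISABLE ICMP#########################
# Ignore ICMP echo requests. Writing to /proc only lasts until the next reboot;
# the setting is also dropped into /etc/sysctl.d so it persists. This is a
# weak control (the host is still found by TCP/ARP scans) and it breaks
# ping-based monitoring -- confirm the monitoring team expects it.
ICMP_CONFIG="/proc/sys/net/ipv4/icmp_echo_ignore_all"
ICMP_SYSCTL_FILE="/etc/sysctl.d/99-hardening-icmp.conf"
echo ""
if [ "$(cat "$ICMP_CONFIG")" == "0" ]; then
	echo -e "\033[32mDisabling ICMP operation\033[0m"
	echo "1" > "$ICMP_CONFIG"
	echo -e "\033[32mPing operation disabled\033[0m"
	echo ""
	echo "#---------------------------------------------------------------------#"
else
	echo -e "\033[32mPing operation disabled\033[0m"
	echo ""
	echo "#---------------------------------------------------------------------#"
fi
# Persist regardless of the runtime value (idempotent overwrite).
printf 'net.ipv4.icmp_echo_ignore_all = 1\n' > "$ICMP_SYSCTL_FILE"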
#############################################################
####################OPENSSH CONFIG###########################
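####################OPENSSH CONFIG###########################
# Replace sshd_config with the hardened copy shipped next to this script and
# install the login banner. Guard rails added over the original:
#  * the .default copy is only taken once -- re-running the original overwrote
#    it with the already-hardened file, losing the true original;
#  * the new file is validated with "sshd -t" before sshd is restarted and the
#    original is put back if it does not parse (a bad sshd_config plus a
#    restart locks every remote admin out);
#  * sshd is restarted whenever the config changed, not only when the banner
#    was newly installed (the original never applied the new config on a host
#    that already had /etc/banner).
# The shipped sshd_config is assumed to carry "Banner /etc/banner" -- TODO
# confirm against the file in WORKDIR.
SSHD_CONFIG=/etc/ssh/sshd_config
[ -e "$SSHD_CONFIG.default" ] || cp -p -- "$SSHD_CONFIG" "$SSHD_CONFIG.default"
cp -- "$WORKDIR/sshd_config" "$SSHD_CONFIG"
chmod 600 "$SSHD_CONFIG"

BANNER_FILE="/etc/banner"
if [ -s "$BANNER_FILE" ]; then
	echo ""
	echo -e "\033[32mBanner information has been established\033[0m"
	echo ""
	echo "#---------------------------------------------------------------------#"
else
	if [ -f "/etc/issue" ] && [ -f "/etc/issue.net" ]; then
		mv /etc/issue /etc/issue.bak
		mv /etc/issue.net /etc/issue.net.bak
	fi

	cp -- "$WORKDIR/banner" "$BANNER_FILE"

	if [ -s "$BANNER_FILE" ]; then
		echo ""
		echo -e "\033[32mBanner information has been established\033[0m"
		echo ""
		echo "#---------------------------------------------------------------------#"
	else
		echo ""
		echo -e "\033[31mBanner information changed failed\033[0m"
		echo ""
		echo "#---------------------------------------------------------------------#"
	fi
fi

if /usr/sbin/sshd -t -f "$SSHD_CONFIG" > /dev/null 2>&1; then
	systemctl restart sshd.service
else
	echo -e "\033[31mNew sshd_config failed validation, restoring the previous file\033[0m"
	cp -p -- "$SSHD_CONFIG.default" "$SSHD_CONFIG"
	exit 1
fi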
############################################################
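############################################################
# Sanity check that the hardened sshd_config is in place: written within the
# last 30 s and mode 0600. Ages are compared in epoch seconds; the original
# subtracted two YYYYMMDDHHMMSS strings, which is not a duration, and tested
# the mode inside (( )) where "0600" and "600" compare differently.
SSHD_MTIME=$(stat -c %Y /etc/ssh/sshd_config)
SYSTEM_NOW=$(date +%s)
SSHD_FILE_PERMISSION=$(stat -c '%a' /etc/ssh/sshd_config)

if (( SYSTEM_NOW - SSHD_MTIME < 30 )) && [ "$SSHD_FILE_PERMISSION" == "600" ]; then
	echo ""
	echo -e "\033[32mThe SSH service configuration of the system is complete, please exit the shell and try again\033[0m"
	echo ""
	echo "#---------------------------------------------------------------------#"
else
	echo -e "\033[31mSystem SSH service configuration failed\033[0m"
	echo ""
	echo "#---------------------------------------------------------------------#"
	exit 1
fi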
#############################################################
#######################UMASK SETTING#########################

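#######################UMASK SETTING#########################
# Default umask 027 for interactive shells (new files 640, directories 750).
# Each file is handled on its own: the original only tested /etc/bashrc, so on
# a host where bashrc already had the line /etc/profile never got it.
# Daemons and systemd units do not read these files and are unaffected.
ensure_umask_line(){
	# $1: file. Appends "umask 027" unless an uncommented line already sets it.
	grep -qE '^[[:space:]]*umask[[:space:]]+027([[:space:]]|$)' -- "$1" 2>/dev/null \
		|| echo "umask 027" >> "$1"
}
ensure_umask_line /etc/bashrc
ensure_umask_line /etc/profile

if grep -q "umask 027" /etc/bashrc 2>/dev/null && grep -q "umask 027" /etc/profile 2>/dev/null; then
	echo ""
	echo -e "\033[32mBashrc configuration complete\033[0m"
	echo ""
	echo "#---------------------------------------------------------------------#"
else
	echo ""
	echo -e "\033[31mBashrc configuration failed\033[0m"
	echo ""
	echo "#---------------------------------------------------------------------#"
fi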

#############################################################
####################PASSWORD LENGTH SETTING##################
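####################PASSWORD LENGTH SETTING##################
# Password ageing defaults in /etc/login.defs. They apply to accounts created
# from now on; existing accounts keep their ageing until "chage" is run for
# them. PASS_MIN_LEN is ignored when pam_pwquality is in the password stack
# (it is on CentOS 8) -- minlen is enforced there instead.
# CAVEAT: PASS_MIN_DAYS 80 with PASS_MAX_DAYS 90 leaves users a 10-day window
# in which they may change their password; that is what the original set and
# it is kept, but confirm it is intended.
# Keys are edited by name rather than by pre-computed line number: the
# original passed an empty sed address (and thus edited nothing, or the wrong
# line) whenever a key was absent from the file.
DEFS="/etc/login.defs"
[ -e /etc/login.defs.default ] || cp -p -- "$DEFS" /etc/login.defs.default

get_login_def(){
	# $1: key. Prints the value of the last active "KEY value" line (or nothing).
	awk -v k="$1" '$1 == k {v = $2} END {print v}' "$DEFS"
}

set_login_def(){
	# $1: key, $2: value. Rewrites every active "KEY ..." line, or appends one.
	if grep -qE "^[[:space:]]*$1[[:space:]]" "$DEFS"; then
		sed -i -E "s/^[[:space:]]*$1[[:space:]].*/$1   $2/" "$DEFS"
	else
		echo "$1   $2" >> "$DEFS"
	fi
}

if [ "$(get_login_def PASS_MAX_DAYS)" != "90" ]; then
	set_login_def PASS_MAX_DAYS 90
	set_login_def PASS_MIN_DAYS 80
	set_login_def PASS_MIN_LEN 8
	set_login_def PASS_WARN_AGE 7

	if [ "$(get_login_def PASS_MAX_DAYS)" == "90" ]; then
		echo ""
		echo -e "\033[32mMaximum password validity: 90\033[0m"
		echo -e "\033[32mMinimum password validity: 80\033[0m"
		echo -e "\033[32mPassword length: 8\033[0m"
		echo -e "\033[32mReminder before password expiration: 7\033[0m"
		echo ""
	else
		echo -e "\033[31mPassword validity setting failed\033[0m"
	fi
else
	echo ""
	echo -e "\033[32mMaximum password validity: 90\033[0m"
	echo -e "\033[32mMinimum password validity: 80\033[0m"
	echo -e "\033[32mPassword length: 8\033[0m"
	echo -e "\033[32mReminder before password expiration: 7\033[0m"
	echo ""
fi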

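AUTH_FILE="/etc/pam.d/system-auth"
# Login lockout: three failed attempts lock the account for 30 minutes.
# Things to know before relying on this on CentOS 8:
#  * /etc/pam.d/system-auth is normally a symlink into /etc/authselect/
#    managed by authselect. "sed -i" (the original) replaces the symlink with a
#    plain file, and "authselect apply-changes" later discards the edit. The
#    edit below is written *through* the link; the supported route is an
#    authselect custom profile (or "authselect enable-feature with-faillock").
#  * pam_tally2 is deprecated on RHEL 8 in favour of pam_faillock; it is kept
#    to match the original policy -- verify the module exists on the host.
#  * even_deny_root locks root on the console as well after three failures,
#    which anyone who can reach sshd can trigger on purpose.
# The original's sed address was lost in extraction; inserting ahead of the
# first "auth" entry is the evident intent (the counter must see every attempt).
[ -e /etc/pam.d/system-auth.default ] || cp -pL -- "$AUTH_FILE" /etc/pam.d/system-auth.default

insert_before_first_auth(){
	# $1: pam file, $2: line to insert before its first "auth" entry.
	# Written with "cat >" so a symlinked file keeps pointing at its target.
	local tmp rc
	tmp=$(mktemp) || return 1
	awk -v line="$2" '!done && /^auth/ {print line; done = 1} {print}' "$1" > "$tmp" \
		&& cat "$tmp" > "$1"
	rc=$?
	rm -f -- "$tmp"
	return $rc
}

TALLY_LINE='auth        required      pam_tally2.so deny=3 unlock_time=1800 even_deny_root root_unlock_time=1800'
if ! grep -q 'pam_tally2.so' "$AUTH_FILE" 2>/dev/null; then
	insert_before_first_auth "$AUTH_FILE" "$TALLY_LINE"
fi

if grep -q 'pam_tally2.so.*even_deny_root' "$AUTH_FILE" 2>/dev/null; then
	echo -e "\033[32mLogin lock setting succeeded\033[0m"
	echo ""
else
	echo -e "\033[31mLogin lock setting failed\033[0m"
	echo ""
fi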

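# Password quality policy.
# The original commented out pam_pwquality and inserted a pam_cracklib line.
# pam_cracklib is not shipped on CentOS 8 (pam_pwquality replaced it), so that
# stack fails with "Module is unknown" on every password change. pam_pwquality
# understands the same options, and the authselect-safe place for them is
# /etc/security/pwquality.conf, which survives "authselect apply-changes".
# remember=3 stays on the pam_unix line as in the original (on RHEL 8 the
# supported way is pam_pwhistory / the authselect "with-pwhistory" feature).
AUTH_FILE=${AUTH_FILE:-/etc/pam.d/system-auth}
PWQUALITY_CONF=/etc/security/pwquality.conf

set_pwquality(){
	# $1: key, $2: value. Replaces an existing (possibly commented-out)
	# "key = ..." line in PWQUALITY_CONF or appends one.
	if grep -qE "^#?[[:space:]]*$1[[:space:]]*=" "$PWQUALITY_CONF" 2>/dev/null; then
		sed -i -E "s/^#?[[:space:]]*$1[[:space:]]*=.*/$1 = $2/" "$PWQUALITY_CONF"
	else
		echo "$1 = $2" >> "$PWQUALITY_CONF"
	fi
}

set_pwquality minlen 8
set_pwquality difok 3
set_pwquality dcredit -1
set_pwquality ucredit -1
set_pwquality lcredit -1
set_pwquality ocredit -1
set_pwquality retry 3

# Password history on the pam_unix "password" line; written through "cat >"
# so the authselect symlink is preserved.
if ! grep -qE '^password.*pam_unix\.so.*remember=' "$AUTH_FILE" 2>/dev/null; then
	tmp=$(mktemp) \
		&& awk '/^password.*pam_unix\.so/ && !/remember=/ {$0 = $0 " remember=3"} {print}' "$AUTH_FILE" > "$tmp" \
		&& cat "$tmp" > "$AUTH_FILE"
	rm -f -- "$tmp"
fi

if grep -qE '^minlen *= *8$' "$PWQUALITY_CONF" 2>/dev/null; then
	echo -e "\033[32mPassword security policy has been set successfully\033[0m"
	echo ""
	echo "#---------------------------------------------------------------------#"
else
	echo -e "\033[31mPassword security policy has been set failed\033[0m"
	echo ""
	echo "#---------------------------------------------------------------------#"
fi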
#############################################################
####################CTRL  ALT  DELETE########################
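####################CTRL  ALT  DELETE########################
# Disable the Ctrl-Alt-Del reboot. The original tested [ -z "$CAD_FILE" ] on
# a non-empty string, so it never did anything but print "disabled"; and
# deleting the unit under /usr/lib is undone by the next systemd update.
# Masking the target (symlink to /dev/null under /etc) is the supported way.
if systemctl mask ctrl-alt-del.target > /dev/null 2>&1 && systemctl daemon-reload; then
	echo ""
	echo -e "\033[32mCTRL+ALT+DELETE disabled\033[0m"
	echo ""
	echo "#---------------------------------------------------------------------#"
else
	echo ""
	echo -e "\033[31mSetup failed\033[0m"
	echo ""
	echo "#---------------------------------------------------------------------#"
fi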
############################################################
####################ROOT PERMISSION##########################
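####################ROOT PERMISSION##########################
# /root itself must be 0700. Only the directory is changed: the original
# "chmod -R 700 /root" also turned every file beneath it into an
# owner-executable 0700, which hardens nothing and mangles the modes under
# ~/.ssh and of every dotfile. (The two result messages lacked the "\033"
# before "[0m" and printed "failed" in green; both fixed.)
ROOT_PERMISSION=$(stat -c "%a" /root)
if [ "$ROOT_PERMISSION" == "700" ]; then
	echo -e "\033[32mThe root directory permission is 700\033[0m"
else
	echo -e "\033[32mModifying root permissions.......\033[0m"

	chmod 700 /root
	SECOND_ROOT_PERMISSION=$(stat -c "%a" /root)
	if [ "$SECOND_ROOT_PERMISSION" == "700" ]; then
		echo -e "\033[32mModifyed success\033[0m"
	else
		echo -e "\033[31mModifyed failed\033[0m"
	fi
fi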
############################################################
####################SESSION TIMEOUT#########################
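####################SESSION TIMEOUT#########################
# Close idle interactive shells after 300 s. The variable is made readonly so
# a user cannot simply "unset TMOUT" in ~/.bashrc (with the original's plain
# export anyone could). The grep also matches an older "export TMOUT=300"
# line, so hosts hardened by the previous version are left alone.
# CAVEAT: anything sourced after /etc/profile that assigns TMOUT (e.g. a file
# in /etc/profile.d) then fails with "readonly variable".
if grep -q "TMOUT=300" /etc/profile; then
	echo ""
	echo -e "\033[32mSystem timeout set successfully\033[0m"
	echo ""
	echo "#---------------------------------------------------------------------#"
else
	{
		echo "readonly TMOUT=300"
		echo "export TMOUT"
	} >> /etc/profile

	if grep -q "TMOUT=300" /etc/profile; then
		echo ""
		echo -e "\033[32mSystem timeout set successfully\033[0m"
		echo ""
		echo "#---------------------------------------------------------------------#"
	else
		echo ""
		echo -e "\033[31mSystem timeout set failed\033[0m"
		echo ""
		echo "#---------------------------------------------------------------------#"
	fi
fi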
############################################################
####################HISTORY SETTING#########################
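####################HISTORY SETTING#########################
# Shell history size plus a timestamped format, so "history" output can be
# lined up with logs during an investigation.
# Fixes vs the original:
#  * it checked for "HISTSIZE=100" but wrote "HISTSIZE=5", so its own check
#    never passed and a new line was appended on every run; worse, the stock
#    CentOS /etc/profile already contains "HISTSIZE=1000", which that
#    substring grep matched, so on a fresh host it reported success and wrote
#    nothing. The check is now anchored to the exact line. 100 (the value the
#    check expected) is used -- confirm against the site baseline.
#  * its HISTTIMEFORMAT line lost its quotes on the way into /etc/profile and
#    baked in the output of "whoami" at hardening time (always "root").
#    $USER is written literally so it expands in each user's login shell.
HISTORY_SIZE=100
if grep -qE "^export HISTSIZE=$HISTORY_SIZE$" /etc/profile; then
	echo ""
	echo -e "\033[32mSystem history set successfully\033[0m"
	echo ""
	echo "#---------------------------------------------------------------------#"
else
	{
		echo "export HISTSIZE=$HISTORY_SIZE"
		echo 'export HISTTIMEFORMAT="%F %T $USER "'
	} >> /etc/profile

	if grep -qE "^export HISTSIZE=$HISTORY_SIZE$" /etc/profile; then
		echo ""
		echo -e "\033[32mSystem history set successfully\033[0m"
		echo ""
		echo "#---------------------------------------------------------------------#"
	else
		echo ""
		echo -e "\033[31mSystem history set failed\033[0m"
		echo ""
		echo "#---------------------------------------------------------------------#"
	fi
fi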

############################################################
####################NOSPOOF SETTING#########################
####################NOSPOOF SETTING#########################
# Add "nospoof on" to /etc/host.conf (reverse-lookup consistency check for
# hostname resolution). NOTE(review): treat this as a baseline checkbox
# rather than a control -- check host.conf(5) on the target glibc for whether
# the spoof options are still honoured by the resolver.
if grep -q "nospoof on" /etc/host.conf; then
	echo ""
	echo -e "\033[32mIPspoof set successfully\033[0m"
	echo ""
	echo "#---------------------------------------------------------------------#"
else
	echo "nospoof on" >> /etc/host.conf

	if grep -q "nospoof on" /etc/host.conf; then
		echo ""
		echo -e "\033[32mIP nospoof set successfully\033[0m"
		echo ""
		echo "#---------------------------------------------------------------------#"
	else
		echo ""
		echo -e "\033[31mIP nospoof set failed\033[0m"
		echo ""
		echo "#---------------------------------------------------------------------#"
	fi
fi

############################################################
####################CRON/AT USER SETTING####################
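####################CRON/AT USER SETTING####################
# Restrict cron and at to root: drop the deny lists and keep allow lists that
# contain only root. Unlike the original this also runs when no deny file
# exists (there the allow files were never created), pins the allow files to
# root:root 0600, and no longer reports a failure in red as "successfully".
rm -f /etc/cron.deny /etc/at.deny
for allow in /etc/cron.allow /etc/at.allow; do
	[ -s "$allow" ] || echo "root" > "$allow"
	chown root:root "$allow"
	chmod 600 "$allow"
done

if [ -s /etc/cron.allow ] && [ -s /etc/at.allow ]; then
	echo ""
	echo -e "\033[32mCron and at set successfully\033[0m"
	echo ""
	echo "#---------------------------------------------------------------------#"
else
	echo ""
	echo -e "\033[31mCron and at could not be set\033[0m"
	echo ""
	echo "#---------------------------------------------------------------------#"
fi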
############################################################
####################FILE OWNER/GROUP SETTING################
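echo ""
#File owner and group change
# Force root:root on the account, cron, sysctl and log files; entries already
# correct go to OWNGP.list, entries that were changed to OWNGP_CHANGE.list.
# The original only ran when its own OWNGP.list already existed and was
# non-empty -- i.e. never on the first run of a fresh host.
# NOTE(review): -R is kept from the original. /var/log/wtmp and btmp are
# root:utmp on a stock CentOS install; moving them to group root stops the
# setgid-utmp helper (utempter) from updating wtmp -- confirm that is wanted.
NEED_CHANGE=(/var/spool/cron /etc/cron* /etc/passwd /etc/shadow /etc/group /etc/gshadow /var/log/btmp /var/log/wtmp /var/log/messages /etc/security /etc/sysctl.conf)
OWNGP_FILE="$WORKDIR/OWNGP.list"
OWNGP_CHANGE_FILE="$WORKDIR/OWNGP_CHANGE.list"

: > "$OWNGP_FILE"
: > "$OWNGP_CHANGE_FILE"

for owngp in "${NEED_CHANGE[@]}"; do
	[ -e "$owngp" ] || continue   # unmatched glob left as a literal
	read -r JUDGE_OWNER JUDGE_GROUP < <(stat -c "%U %G" -- "$owngp")

	if [ "$JUDGE_OWNER" != "root" ] || [ "$JUDGE_GROUP" != "root" ]; then
		chown -R root:root -- "$owngp"
		echo "<${owngp##*/}>   OWNER:$JUDGE_OWNER GROUP:$JUDGE_GROUP" >> "$OWNGP_CHANGE_FILE"
	else
		echo "<${owngp##*/}>   OWNER:$JUDGE_OWNER GROUP:$JUDGE_GROUP" >> "$OWNGP_FILE"
	fi
done
printf "%-10s\t %s\t %s\n" $(cat "$OWNGP_FILE")

echo ""
echo "#---------------------------------------------------------------------#"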
############################################################
#######################RC UMASK############################
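#######################RC UMASK############################
# Make sure /etc/rc.d/init.d/functions sets "umask 022" (SysV-compat services
# inherit it). The original's sed addresses were lost in extraction, and its
# last-resort append used "$a" inside double quotes, which bash expanded to an
# empty variable, so that branch never appended anything.
# NOTE: the file belongs to the initscripts package and is replaced on
# update; the stock CentOS 8 file already contains "umask 022".
SYSTEM_RC_UMASK_FILE="/etc/rc.d/init.d/functions"

ensure_umask_022(){
	# $1: file. Appends "umask 022" unless an uncommented line already sets it.
	grep -qE '^[[:space:]]*umask[[:space:]]+022([[:space:]]|$)' -- "$1" 2>/dev/null \
		|| echo "umask 022" >> "$1"
}
ensure_umask_022 "$SYSTEM_RC_UMASK_FILE"

if grep -q "umask 022" "$SYSTEM_RC_UMASK_FILE" 2>/dev/null; then
	echo ""
	echo -e "\033[32mSystem default umask set successfully\033[0m"
	echo ""
	echo "#---------------------------------------------------------------------#"
else
	echo ""
	echo -e "\033[31mSystem default umask could not be set\033[0m"
	echo ""
	echo "#---------------------------------------------------------------------#"
fi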
##########################################################
#######################CORE DUMP##########################
#######################CORE DUMP##########################
# Forbid core files for every user via pam_limits (limits.conf).
# NOTE(review): two things this does not cover that a CentOS 8 baseline
# normally adds: systemd-coredump (Storage=none in /etc/systemd/coredump.conf)
# and fs.suid_dumpable=0 in sysctl.
CORE_DUMP_SET_FILE="/etc/security/limits.conf"
if grep -qF "* soft core 0" "$CORE_DUMP_SET_FILE"; then
	echo ""
	echo -e "\033[32mSystem core dump set successfully\033[0m"
	echo ""
	echo "#---------------------------------------------------------------------#"
else
	printf '%s\n' '* soft core 0' '* hard core 0' >> /etc/security/limits.conf

	echo ""
	echo -e "\033[32mSystem core dump set successfully\033[0m"
	echo ""
	echo "#---------------------------------------------------------------------#"
fi
###########################################################
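###########################################################
# File-mode baseline. Four mode classes, each applied by apply_mode() which
# also writes the "FILE:... PERMISSION:<...>" list the original printed.
# Changed vs the original:
#  * no "-R": recursing 400 into /etc/cron.daily, cron.hourly etc. cleared the
#    execute bit on every script there, after which run-parts silently skips
#    them (logrotate and friends stop running); 644 -R on /var/log/audit
#    removed the search bit from the directory. reback.sh only ever restored
#    the top-level paths anyway, so nothing recursive was reversible.
#  * a directory gets the owner search bit added to the class mode
#    (400 -> 500, 644 -> 744), otherwise it cannot be traversed by anyone but
#    a CAP_DAC_OVERRIDE process.
FILE_OF_400=(/etc/cron.* /etc/at.allow /etc/motd /var/spool/cron /var/log/firewalld)
FILE_OF_600=(/etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/sysctl.conf /etc/ssh/sshd_config /etc/rsyslog.conf)
FILE_OF_750=(/etc/inittab /etc/init.d/* /etc/security)
FILE_OF_644=(/var/log/audit /var/log/btmp* /var/log/boot.log* /var/log/lastlog /var/log/messages*)

C400_FILE=$WORKDIR/C400.list
C600_FILE=$WORKDIR/C600.list
C750_FILE=$WORKDIR/C750.list
C644_FILE=$WORKDIR/C644.list

dir_mode(){
	# $1: octal file mode. Prints the same mode with the owner search bit set.
	printf '%o' $(( 8#$1 | 8#100 ))
}

apply_mode(){
	# apply_mode MODE LISTFILE PATH...
	# Sets MODE on each existing PATH (directories get dir_mode MODE), records
	# the resulting mode in LISTFILE and prints the list.
	local mode=$1 list=$2 p want have
	shift 2
	: > "$list"
	for p in "$@"; do
		[ -e "$p" ] || continue   # unmatched glob left as a literal
		if [ -d "$p" ]; then want=$(dir_mode "$mode"); else want=$mode; fi
		have=$(stat -c '%a' -- "$p")
		if [ "$have" != "$want" ]; then
			chmod "$want" -- "$p"
			have=$(stat -c '%a' -- "$p")
		fi
		if [ "$have" == "$want" ]; then
			echo "FILE:${p} PERMISSION:<$have>" >> "$list"
		else
			echo -e "\033[31mPermission modification failed\033[0m"
		fi
	done

	echo ""
	echo -e "\033[32mFile permissions\033[0m"
	printf "%-30s\t %s\n" $(cat "$list")
	echo ""
	echo "#---------------------------------------------------------------------#"
}

#Set file to "r--.---.---"
apply_mode 400 "$C400_FILE" "${FILE_OF_400[@]}"
#Set file to "rw-.---.---"
apply_mode 600 "$C600_FILE" "${FILE_OF_600[@]}"
#Set file to "rwx.r-x.---"
apply_mode 750 "$C750_FILE" "${FILE_OF_750[@]}"
#Set file to "rw-.r--.r--"
apply_mode 644 "$C644_FILE" "${FILE_OF_644[@]}"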
###########################################################
#########################SPEICAL PER#######################
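#########################SPEICAL PER#######################
# Extended attributes: +a (append-only) on everything under /var/log and +i
# (immutable) on the account and sudo files. The original compared the *path*
# with "a"/"i" instead of the lsattr result, so it ran chattr on every entry
# regardless; that was harmless (chattr is idempotent) but the check is real
# now.
# CAVEATS a practitioner should weigh before keeping this:
#  * +a on a log file forbids rename and truncate, so logrotate's default
#    rotation of it fails (use copytruncate, or limit +a to wtmp/btmp/lastlog).
#  * +a on a directory (e.g. /var/log/audit) forbids deleting or renaming
#    anything inside it.
#  * +i on /etc/passwd etc. breaks useradd/passwd/chage until lifted;
#    UG-operation.sh removes and re-adds the flags around its own changes.
SPEICAL_DIR_PER=(/var/log/*)
SPEICAL_FILE_PER=(/etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/profile /etc/bashrc /etc/cron.allow /etc/at.allow /etc/sudoers)
SPEICAL_DIR_PER_FILE="$WORKDIR/SDPF.list"
SPEICAL_FILE_PER_FILE="$WORKDIR/SFPF.list"
: > "$SPEICAL_DIR_PER_FILE"
: > "$SPEICAL_FILE_PER_FILE"

has_attr(){
	# has_attr FLAG PATH: true when lsattr's flag field for PATH contains FLAG
	# (i or a). The whole field is matched, e.g. "----ia--------e-------".
	local flags
	flags=$(lsattr -d "$2" 2>/dev/null | awk '{print $1}')
	[[ $flags == *"$1"* ]]
}

set_attr(){
	# set_attr FLAG LISTFILE PATH...: chattr +FLAG where missing, record outcome.
	local flag=$1 list=$2 p
	shift 2
	for p in "$@"; do
		if has_attr "$flag" "$p" || chattr "+$flag" "$p" 2>/dev/null; then
			echo "FILE:${p} STATUS:Success" >> "$list"
		else
			echo -e "\033[31mChanged failed\033[0m"
		fi
	done
}

set_attr a "$SPEICAL_DIR_PER_FILE" "${SPEICAL_DIR_PER[@]}"
echo ""
echo -e "\033[32mSpeical file permissions [a]\033[0m"
printf "%-40s\t %s\n" $(cat "$SPEICAL_DIR_PER_FILE")
echo ""
echo "#---------------------------------------------------------------------#"

set_attr i "$SPEICAL_FILE_PER_FILE" "${SPEICAL_FILE_PER[@]}"
echo ""
echo -e "\033[32mSpeical file permissions [i]\033[0m"
printf "%-40s\t %s\n" $(cat "$SPEICAL_FILE_PER_FILE")
echo ""
echo "#---------------------------------------------------------------------#"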
#######################################################
# Pause so the operator can read the permission tables, clear the screen, then
# hand over to the user/group menu (sourced, so it runs in this shell and sees
# WORKDIR).
# NOTE(review): security_backup.sh and install.sh call this menu
# UG-operation.sh; create_user.sh must be the same file or this source fails.
sleep 2

clear


. "$WORKDIR/create_user.sh"

else 
	echo -e "\033[31mCurrent user is not root, exiting......\033[0m"
	exit 1
fi 

第三部分

#########################################################################
# File Name: test11.sh
# Author:Superjay09
# mail: [email protected]
# Created Time: 2019-12-09
#########################################################################
#!/bin/bash   # NOTE: a shebang only takes effect on line 1 of the file; below the header comment it is ignored -- move it to the top.
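# Directory holding the sibling files (the "careful" warning box). "&& pwd"
# leaves WORKDIR empty on a failed cd instead of silently using the caller's
# current directory.
WORKDIR=$(cd "$(dirname "$0")" && pwd)
BACKUPDIR=/opt/backup

# Warning shown before any account change is made.
cat -- "$WORKDIR/careful"
echo

ACTION=(Auto-Create-UG Manually-Create-UG Configure-Sudo Exit)
# Files security_config.sh marks immutable/append-only; change() unlocks them
# before an account operation and addper() locks them again.
ABOUT_USER_FILE=(/etc/passwd /etc/shadow /etc/group /etc/gshadow /var/log/lastlog)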

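change(){
	# Lift the immutable/append-only flags from the account files so that
	# useradd/groupadd/passwd can modify them. The flag field is matched as a
	# whole (lsattr prints e.g. "----ia--------e-------"); the original split
	# it on "-" and so recognised neither flag when both were set.
	local f flags
	for f in "${ABOUT_USER_FILE[@]}"; do
		flags=$(lsattr -d "$f" 2>/dev/null | awk '{print $1}')
		[[ $flags == *i* ]] && chattr -i "$f"
		[[ $flags == *a* ]] && chattr -a "$f"
	done
	return 0
}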

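addper(){
	# Re-lock the account files after an operation: +i on passwd, shadow, group
	# AND gshadow, +a on lastlog. The original sliced ${ABOUT_USER_FILE[@]:0:3}
	# and so left gshadow writable, although security_config.sh had locked it.
	local f
	for f in "${ABOUT_USER_FILE[@]:0:4}"; do
		chattr +i "$f"
	done
	chattr +a /var/log/lastlog
}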

creuser(){
	# Create the account named in the global $user and report the outcome;
	# useradd's own output is discarded, only its exit status is used.
	if useradd "$user" > /dev/null 2>&1; then
		echo "#----------------------------------------------------------------#"
		echo -e "\033[32mUser created Successfully\033[0m"
		echo "#----------------------------------------------------------------#"
	else
		echo "#----------------------------------------------------------------#"
		echo -e "\033[31mUser created failed\033[0m"
		echo "#----------------------------------------------------------------#"
	fi
}

cregroup(){
	# Create the group named in the global $group and report the outcome.
	# Only the failure path re-locks the account files (addper); after a
	# success the caller is responsible for locking them again.
	if groupadd "$group" > /dev/null 2>&1; then
		echo "#----------------------------------------------------------------#"
		echo -e "\033[32mGroup created Successfully\033[0m"
		echo "#----------------------------------------------------------------#"
	else
		echo "#----------------------------------------------------------------#"
		echo -e "\033[31mGroup created failed\033[0m"
		echo "#----------------------------------------------------------------#"

		addper
	fi
}

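confpass(){
	# Generate a random 12-character password for $user, set it, show it once to
	# the operator, and re-lock the account files.
	# Changes vs the original: pwgen is not in the CentOS base repos, so when it
	# is missing a /dev/urandom fallback is used instead of feeding an empty
	# string to passwd; and the password is expired (chage -d 0) so the user
	# must replace this operator-known value at first login. The value still
	# lands on the terminal (and in any session recording) -- hand it over out
	# of band and clear the scrollback.
	local USER_PASSWD
	if command -v pwgen > /dev/null 2>&1; then
		USER_PASSWD=$(pwgen -s -c -n -y -1 12 1)
	else
		USER_PASSWD=$(tr -dc 'A-Za-z0-9!@#%^&*_=+' < /dev/urandom | head -c 12)
	fi

	if [ -n "$USER_PASSWD" ] && echo "$USER_PASSWD" | passwd --stdin "$user" > /dev/null 2>&1; then
		chage -d 0 "$user"
		echo "#----------------------------------------------------------------#"
		printf "%-30s\t %s\n" "User:$user Password:$USER_PASSWD"
		echo "#----------------------------------------------------------------#"
	else
		echo "#----------------------------------------------------------------#"
		echo -e "\033[31mFailed to set password\033[0m"
		echo "#----------------------------------------------------------------#"
	fi
	addper
}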

# Interactive menu (select/case). Every branch first calls change() to lift
# the immutable/append-only flags set by security_config.sh and is expected
# to call addper() before leaving so they are put back.
echo -e "\033[32mPlease select your action: \033[0m"

select act in ${ACTION[@]};do
	case $act in 
		Auto-Create-UG)
			echo -e "\033[32mAutomatic creation users only support basic creation. For complex operations, please select Manual creation!\033[0m"
			echo -e "\033[32mPlease choose user or group you need to create: \033[0m"
			select needug in User Group Exit;do
				case $needug in 
					User)
						change

						while :
						do
							read -p "Please enter the user name you want to used: " user

							# Only the exit status of "id" matters; its output is discarded.
							USER_IN=$(id $user >>/dev/null 2>&1)
							if [ "$?" == "0" ];then
								echo "#----------------------------------------------------------------#"
								echo -e "\033[31mUser <$user> already exists\033[0m" 
								echo "#----------------------------------------------------------------#"
							else
								# NOTE(review): "\<$user\>" also matches the name inside a
								# group's member list, not only the group-name field.
								USER_IN_GROUP=$(cat /etc/group | grep "\<$user\>" | awk -F ":" '{print $1}')
								if [ "$USER_IN_GROUP" == "$user" ];then
									echo "#----------------------------------------------------------------#"
									read -p "< $user > group already exists,whether the < $user > group can be deleted [Y|y/N|n] ? " userenter
									case $userenter in 
										Y|y)
											groupdel $user 
											if [ "$?" == "0" ];then
												creuser
												confpass
												break
											else
												echo "#----------------------------------------------------------------#"
												echo -e "\033[31mFailed to deleted group,please check it\033[0m"
												echo "#----------------------------------------------------------------#"
												
												addper
												break
											fi
										;;
										N|n)
											addper
											break
										;;
									esac
								else
									creuser
									confpass
									break
								fi
							fi
						done
						break
					;;
					Group)
						change

						while :
						do
							read -p "Please enter the group name you want to used: " group

							GROUP_IN=$(cat /etc/group | grep "\<$group\>" | awk -F ":" '{print $1}')
							if [ "$GROUP_IN" == "$group" ];then
								echo "#----------------------------------------------------------------#"
								echo -e "\033[31mGroup <$group> already exists\033[0m" 
								echo "#----------------------------------------------------------------#"
							else
								# NOTE(review): cregroup() only calls addper() on failure, and
								# nothing here does after success, so the account files stay
								# unlocked once a group has been created this way.
								cregroup
								break
							fi
						done
						break
					;;
					Exit)
						break
					;;
				esac
			done
		;;
		Manually-Create-UG)
			change
			while :
			do 
				echo -e "\033[32mPlease press a command:[Enter exit() to exit] \033[0m"
				# No -r: backslashes in the typed line are interpreted by read.
				read command
				if [ "$command" == "exit()" ];then
					addper
					break 
				fi 

				# The typed line is executed by plain word-splitting (no shell
				# parsing: quotes, pipes and redirections are not interpreted);
				# its stdout is captured and never shown, only the exit status is
				# reported. Arbitrary command execution is by design here -- this
				# is a root-only admin tool -- but the files are re-locked after
				# every command, so multi-step edits need exit()/re-entry.
				COMMAND_ACTION=$($command)
				if [ "$?" == "0" ];then
					echo "#----------------------------------------------------------------#"
					echo -e "\033[32mCommand Successfully\033[0m"
					echo "#----------------------------------------------------------------#"
					addper 
				else
					echo "#----------------------------------------------------------------#"
					echo -e "\033[31mCommand failed\033[0m"
					echo "#----------------------------------------------------------------#"
					addper 
				fi
			done 
		;;
		Configure-Sudo)
			# Append a copy of the current sudoers to the backup archive, lift
			# the chattr flag (only one of -i/-a is lifted if both are set),
			# open the file in vim, then restore 0440 and +i.
			# NOTE(review): vim does not validate sudoers syntax; a typo here
			# disables sudo for everyone. "visudo" (or "visudo -c" before the
			# chattr +i) is the safe equivalent. The chmod 700 is unnecessary:
			# root writes a 0440 file regardless, and /opt/sudoers.bak briefly
			# exists with default-umask permissions.
			cp -r /etc/sudoers /opt/sudoers.bak
			tar rPf /opt/backfile.tar.gz /opt/sudoers.bak 2>/dev/null
			rm -rf /opt/sudoers.bak
			SUDOERS_STATE1=$(lsattr /etc/sudoers | awk -F "-" '{print $5}')
			SUDOERS_STATE2=$(lsattr /etc/sudoers | awk -F "-" '{print $6}')
			
			if [ "$SUDOERS_STATE1" == "i" ];then
				chattr -i /etc/sudoers 
				chmod 700 /etc/sudoers
			elif [ "$SUDOERS_STATE2" == "a" ];then
				chattr -a /etc/sudoers
				chmod 700 /etc/sudoers 
			fi 

			vim /etc/sudoers
			chmod 440 /etc/sudoers
			chattr +i /etc/sudoers 
		;;
		Exit)
			break
		;;
	esac
done

第四部分

#########################################################################
# File Name: reback.sh
# Author:Superjay09
# mail: [email protected]
# Created Time: 2019-12-12
#########################################################################
#!/bin/bash   # NOTE: a shebang only takes effect on line 1 of the file; below the header comment it is ignored -- move it to the top.
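WORKDIR=$(cd "$(dirname "$0")" && pwd)
ARCHIVE=/opt/backfile.tar.gz

# Pull only the two manifests out of the archive (member names are relative,
# "opt/backup/..."). NOTE: this script restores modes and chattr flags only;
# the file *contents* saved by security_backup.sh are not put back.
if ! tar -x -f "$ARCHIVE" -C "$WORKDIR" opt/backup/per-file opt/backup/spe-file; then
	echo "cannot read manifests from $ARCHIVE" >&2
	exit 1
fi

# Attributes first: chmod on an immutable file fails.
# Each manifest line is "<path> <value...>"; reading the pair directly avoids
# the original's grep "$path", which also matched /etc/cron.d when looking up
# /etc/cron (head -1 then picked whichever came first), and the 5-second
# sleep per entry that made a restore take minutes. "Immutable," is accepted
# too, for manifests written by the original lsattr -l parsing.
while read -r path attr _; do
	[ -n "$path" ] || continue
	case $attr in
		Immutable|Immutable,)     chattr -i "$path" ;;
		Append_Only|Append_Only,) chattr -a "$path" ;;
	esac
done < "$WORKDIR/opt/backup/spe-file"
echo "Successfully..."

while read -r path mode _; do
	[ -n "$path" ] && [ -n "$mode" ] || continue
	chmod "$mode" "$path"
done < "$WORKDIR/opt/backup/per-file"
echo "Successfully..."

rm -rf -- "${WORKDIR:?}/opt"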

整合成可执行的bin程序

Install头部

#########################################################################
# File Name: install.sh
# Author:Superjay09
# mail: [email protected]
# Created Time: 2019-12-12
#########################################################################
#!/bin/bash   # NOTE: a shebang only takes effect on line 1 of the file; below the header comment it is ignored -- move it to the top.
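if [ "$(id -u)" -eq 0 ]; then
	INSTALL_DIR=/opt/security
	mkdir -p -m 700 -- "$INSTALL_DIR" || exit 1

	# Everything after the first line that is exactly "exit 0" is the tar
	# payload appended by the packaging step, so that marker must remain the
	# last line of this header. The payload is neither signed nor checksummed:
	# whoever can alter this file gets root on every host it is run on, so
	# distribute it through a channel with its own integrity check.
	sed -n -e '1,/^exit 0$/!p' -- "$0" > "${INSTALL_DIR}/security.tar.gz" 2>/dev/null
	cd "$INSTALL_DIR" || exit 1
	if ! tar xf security.tar.gz > /dev/null 2>&1; then
		echo -e "\033[31mEmbedded payload could not be unpacked\033[0m"
		cd /
		rm -rf -- "${INSTALL_DIR:?}"
		exit 1
	fi

	echo -e "\033[32mPlease choose operation: \033[0m"
	select opera in "ALL-Operation" "Create-User-or-Group" "Reback" "Exit"; do
		case $opera in
			ALL-Operation)
				"$INSTALL_DIR/security_backup.sh"
			;;
			Create-User-or-Group)
				"$INSTALL_DIR/UG-operation.sh"
			;;
			Reback)
				"$INSTALL_DIR/reback.sh"
			;;
			Exit)
				break
			;;
		esac
	done
	# Leave the unpacked scripts (and the shadow copies their backups may
	# hold) behind only for the duration of the run.
	cd /
	rm -rf -- "${INSTALL_DIR:?}"
else
	echo -e "\033[31mCurrent user is not root, exiting......\033[0m"
fi

exit 0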

banner文件

######################################################################
#			  W E L C O M E   T O                        #
#	 ___ __  __ __  __ ___ _  ___   _  _____        __           #
#	|_ _|  \/  |  \/  |_ _| |/ / \ | |/ _ \ \      / /           #
#	 | || |\/| | |\/| || || ' /|  \| | | | \ \ /\ / /            #
#	 | || |  | | |  | || || . \| |\  | |_| |\ V  V /             #
#	|___|_|  |_|_|  |_|___|_|\_\_| \_|\___/  \_/\_/              #
#                                                                    #
#########################PROMPT INFORMATION###########################
#                                                                    #
# This server is the private property of <沈阳文拓网络科技有限公司>. #
# All your operations will be recorded. Please operate carefully to  #
# avoid data loss.Please contact the administrator if you have any   #
# questions.                                                         #
#                                                                    #
######################################################################

careful文件

#################################################################################	
#	 ____  _____    ____    _    ____  _____ _____ _   _ _     _            #
#	| __ )| ____|  / ___|  / \  |  _ \| ____|  ___| | | | |   | |           #
#	|  _ \|  _|   | |     / _ \ | |_) |  _| | |_  | | | | |   | |           #
#	| |_) | |___  | |___ / ___ \|  _ <| |___|  _| | |_| | |___| |___        #
#	|____/|_____|  \____/_/   \_\_| \_\_____|_|    \___/|_____|_____|       #
#                                                                               #
#################################################################################
#                                                                               #
#	Please note: you must create a user here that can be used to            #
#	manage the server. This tool will guide you to create users,            #
#	create user groups, and configure sudo. The server has been             #
#	optimized for security. Failure to create through this tool             #
#	will result in creation failure.                                        #
#                                                                               #
#################################################################################

结果图

每天一博--第七天 CnetOS8安全加固_第1张图片
每天一博--第七天 CnetOS8安全加固_第2张图片
