系统安全脚本

#!/bin/bash
echo "+ 请仔细审阅加固脚本内容"
echo "+ 务必在加固前进行镜像备份"
echo "+ 加固可能造成系统异常"
echo "+ 加固操作会对账户做出限制,需要定期修改"

echo "==================================="
echo "+ 升级sshd至最新"
yum update openssh -y

echo "==================================="
echo "+ 确保SSH LogLevel设置为INFO"
echo "+ 设置SSH空闲超时退出时间"
echo "+ 确保SSH MaxAuthTries设置为3到6之间"
echo "+ 禁止SSH空密码用户登录"
echo "+ 修改SSH默认端口"
echo "+ 禁止Root用户登录"

cd /etc/ssh/ && sed -i  's/^#LogLevel INFO/LogLevel INFO/' sshd_config \
 && sed -i 's/^#ClientAliveInterval 0/ClientAliveInterval 500/' sshd_config \
 && sed -i  's/^#ClientAliveCountMax 3/ClientAliveCountMax 0/' sshd_config \
 && sed -i  's/^#MaxAuthTries 6/MaxAuthTries 4/' sshd_config \
 && sed -i  's/^#PermitEmptyPasswords no/PermitEmptyPasswords no/' sshd_config \
 && sed -i  's/^#Port 22/Port 2222/' sshd_config \
 && sed -i 's/^#PermitRootLogin yes/PermitRootLogin no/' sshd_config \
 && sed -i 's/^PermitRootLogin yes/PermitRootLogin no/' sshd_config
 #
echo "==================================="
echo "+ 设置密码修改最小间隔时间"
#sed -i.bak -e 's/^\(PASS_MIN_DAYS\).*/\1   7/' /etc/login.defs && chage --mindays 7 root
echo "==================================="
echo "+ 设置密码失效时间"
sed -i.bak -e 's/^\(PASS_MAX_DAYS\).*/\1   90/' /etc/login.defs && chage --maxdays 90 root

echo "==================================="
echo "+ 检查密码重用是否受限制"
sed -i.bak -e 's/^\(password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok\).*/\1 remember=5/' /etc/pam.d/system-auth &&  sed -i.bak -e 's/^\(password    sufficient    pam_unix.so sha512 shadow nullok try_first_pass use_authtok\).*/\1 remember=5/' /etc/pam.d/password-auth

echo "==================================="
echo "+ 密码复杂度检查"
sed -i  's/^# minlen = 9/minlen = 9/' /etc/security/pwquality.conf
sed -i  's/^# minclass = 0/minclass = 3/' /etc/security/pwquality.conf
sed -i.bak -e 's/^\(password    requisite     pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=\).*/\1 minlen=10 minclass=3/' /etc/pam.d/system-auth

echo "==================================="
echo "+ 设置登录失败处理"
# 因为禁用了root登录,所有不设置root登录错误限制。否则远程运维可能会不可用
# sed -i '4i auth       required     pam_tally2.so  onerr=fail deny=6 lock_time=3 even_deny_root root_unlock_time=3600' /etc/pam.d/system-auth
# sed -i '2i auth       required     pam_tally2.so  onerr=fail deny=6 lock_time=3 even_deny_root root_unlock_time=3600' /etc/pam.d/login 
# sed -i '2i auth       required     pam_tally2.so  onerr=fail deny=6 lock_time=3 even_deny_root root_unlock_time=3600' /etc/pam.d/sshd
sed -i '4i auth       required     pam_tally2.so  onerr=fail deny=6 lock_time=3' /etc/pam.d/system-auth
sed -i '2i auth       required     pam_tally2.so  onerr=fail deny=6 lock_time=3' /etc/pam.d/login 
sed -i '2i auth       required     pam_tally2.so  onerr=fail deny=6 lock_time=3' /etc/pam.d/sshd
echo "TMOUT=600" >> /etc/profile

echo "==================================="
echo "+ 添加新用户normal,请输入密码: 可以自行修改用户名"
adduser normal
passwd normal

echo "==================================="
echo "+ 限制默认账户的访问权限"
chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow
chmod 0644 /etc/group
chmod 0644 /etc/passwd 
chmod 0400 /etc/shadow
chmod 0400 /etc/gshadow

echo "==================================="
echo "+ 设置Selinux为:permissive, 操作完成需要重启"
sed -i  's/^SELINUX=disabled/SELINUX=permissive/' /etc/selinux/config

echo "==================================="
echo "+ 检查修改结果"
echo "密码过期时间:应该为 7  90"
cat /etc/login.defs |grep PASS_MAX_DAYS
cat /etc/login.defs |grep PASS_MIN_DAYS
chage -l root

echo "登录失败策略模块开启状态, 应该为:pam_tally2.so  onerr=fail deny=6 lock_time=3 。不能出现,不能出现:even_deny_root root_unlock_time=3600"
cat /etc/pam.d/system-auth |grep pam_tally2.so
cat /etc/pam.d/login |grep pam_tally2.so
cat /etc/pam.d/sshd |grep pam_tally2.so

echo "密码复杂度要求,应该为: minlen = 9, minclass = 3"
cat /etc/security/pwquality.conf |grep minlen 
cat /etc/security/pwquality.conf |grep minclass

echo "ssh 服务端口:应该非 22端口"
cat /etc/ssh/sshd_config |grep Port

echo "敏感文件访问权限: Normal用户应该无权访问"
ls -l /etc/shadow

echo "会话超时自动退出时长: 应该为500"
cat /etc/profile | grep TMOUT

echo "检查Selinux状态: 重启后应该为-permissive"
getenforce

# touch /.autorelabel
#!/bin/bash

# 定义需要格式化的硬盘设备名和挂载点。
# 注意"/dev/sdb1"和"/mnt/mydisk"要替换成实际的
disk="/dev/vdb"
mount_point="/export"

# 格式化硬盘
echo "Formatting disk..."
sudo mkfs.xfs $disk

# 获取硬盘 UUID
uuid=$(sudo blkid -o value $disk | head -n1)

# 判断挂载点是否存在,如果不存在则创建
if [ ! -d $mount_point ]
then
  echo "Creating mount point..."
  sudo mkdir $mount_point
fi

# 挂载硬盘
echo "Mounting disk..."
sudo mount $disk $mount_point

# 设置永久挂载
echo "Setting up permanent mount..."
sudo echo "UUID=$uuid $mount_point xfs defaults 0 0" >> /etc/fstab

# 重新加载 /etc/fstab 文件
echo "Reloading /etc/fstab..."
sudo mount -a

echo "Done."

你可能感兴趣的:(系统安全脚本)