安全加固脚本及解析——等保2.0(仅供参考)。上面这篇博客里的脚本,我自己复制使用的时候出了点错,这里重新排版一下。
$ cat linux_sec.sh
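#!/bin/bash
# linux_sec.sh — baseline hardening script in the 等保2.0 style; run as root.
# Every section backs up the file it edits before changing it. Backups are
# created only when the .bak does not exist yet, so re-running the script does
# not overwrite the pristine copy with an already-modified file.

# ---- Lock the account after repeated failed logins (pam_tally2) ----
echo "已对密码进行加固,如果输入错误密码超过3次,则锁定账户!!"
echo "备份文件!"
[ -e /etc/pam.d/sshd.bak ] || cp -p /etc/pam.d/sshd /etc/pam.d/sshd.bak
# Insert the rule only if it is not there yet, otherwise every run adds another
# copy. It goes right after the %PAM-1.0 header, i.e. ahead of sshd's first
# auth rule. even_deny_root makes root lockable too; unlock_time=60 clears the
# lock after a minute. NOTE(review): pam_tally2 was removed from Linux-PAM 1.5
# (e.g. RHEL 9) in favour of pam_faillock — adjust the module on such hosts.
if ! grep -q 'auth required pam_tally2.so' /etc/pam.d/sshd; then
  sed -i '/%PAM-1.0/a\auth required pam_tally2.so deny=3 unlock_time=60 even_deny_root root_unlock_time=60' /etc/pam.d/sshd
fi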
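# ---- Password complexity (pam_cracklib) ----
echo "输入密码必须包含数字,大小写字母"
echo "备份文件!"
[ -e /etc/pam.d/system-auth.bak ] || cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
# The original inserted at line 14 and then deleted line 15: it assumed the
# stock layout of system-auth and silently destroyed whatever rule happened to
# be on that line. Match by content instead: replace the existing
# "password requisite pam_cracklib.so|pam_pwquality.so" rule, or put the new
# rule ahead of the first password rule when there is none.
pw_rule='password requisite pam_cracklib.so minlen=10 difok=3 lcredit=-1 ucredit=-1 dcredit=-1 try_first_pass retry=3'
pw_match='^password[[:space:]]+requisite[[:space:]]+pam_(cracklib|pwquality)\.so'
if grep -Eq "$pw_match" /etc/pam.d/system-auth; then
  sed -i -E "/${pw_match}/c\\${pw_rule}" /etc/pam.d/system-auth
else
  # GNU sed: "0,/re/" restricts the substitution to the first matching line;
  # "\n&" keeps that line and places the new rule in front of it.
  sed -i "0,/^password/s/^password.*/${pw_rule}\n&/" /etc/pam.d/system-auth
fi
# NOTE(review): authconfig/authselect regenerate this file, and pam_cracklib
# is absent on RHEL 8+ where pam_pwquality is the equivalent — adjust pw_rule
# for such systems.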
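# ---- Disallow direct root login over SSH ----
echo "不允许root进行ssh"
echo "备份文件!"
[ -e /etc/ssh/sshd_config.bak ] || cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# The original only rewrote the commented default "#PermitRootLogin yes"; an
# explicit "PermitRootLogin yes" (or "without-password") was left untouched.
# Rewrite any existing directive, commented or not, and append one if the file
# has none.
if grep -Eq '^#?[[:space:]]*PermitRootLogin[[:space:]]' /etc/ssh/sshd_config; then
  sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config
else
  echo "PermitRootLogin no" >> /etc/ssh/sshd_config
fi
# Validate the config before restarting so a broken sshd_config cannot leave
# sshd down and the host unreachable.
if sshd -t; then
  service sshd restart
else
  echo "sshd_config 校验失败,未重启 sshd,请检查 /etc/ssh/sshd_config" >&2
fi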
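# ---- Lock unused system accounts ----
echo "备份文件!"
# -p keeps the restrictive mode/owner of the source; the shadow backup holds
# password hashes and must stay as protected as the original.
[ -e /etc/shadow.bak ] || cp -p /etc/shadow /etc/shadow.bak
[ -e /etc/passwd.bak ] || cp -p /etc/passwd /etc/passwd.bak
echo "锁定用户"
# passwd -l only invalidates the password field; giving these accounts a
# non-login shell (usermod -s /sbin/nologin) is left to the operator.
# "123" is kept from the original list — confirm it really is an account on
# this host. Accounts that do not exist are skipped instead of producing a
# passwd error.
for acct in adm lp sync nobody halt news uucp operator games gopher ftp 123; do
  if id "$acct" >/dev/null 2>&1; then
    passwd -l "$acct"
  else
    echo "跳过不存在的账户: $acct" >&2
  fi
done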
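# ---- Idle session timeout ----
echo "备份文件!"
echo "设置用户登录超时"
[ -e /etc/profile.bak ] || cp -p /etc/profile /etc/profile.bak
# The original appended the single line "export TMOUT=300 readonly TMOUT".
# The shell parses that as one export statement with three arguments, so the
# readonly attribute was never applied and a user could simply unset TMOUT.
# Write two statements, and only once, so repeated runs do not pile up lines.
if ! grep -q '^readonly TMOUT' /etc/profile; then
  printf '%s\n' 'export TMOUT=300' 'readonly TMOUT' >> /etc/profile
fi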
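# ---- Default password ageing policy (/etc/login.defs) ----
echo "备份文件!"
[ -e /etc/login.defs.bak ] || cp -p /etc/login.defs /etc/login.defs.bak

# set_login_def KEY VALUE
#   Replace the "KEY ..." line in /etc/login.defs, or append it when the key
#   is missing (the original did nothing in that case). VALUE must be a
#   non-negative integer; anything else is rejected with status 1 instead of
#   being spliced unquoted into the sed script as the original did.
set_login_def() {
  local key=$1 value=$2
  if ! [[ $value =~ ^[0-9]+$ ]]; then
    echo "无效的数值 '$value',未修改 $key" >&2
    return 1
  fi
  if grep -q "^${key}[[:space:]]" /etc/login.defs; then
    sed -i "/^${key}[[:space:]]/c\\${key} ${value}" /etc/login.defs
  else
    printf '%s %s\n' "$key" "$value" >> /etc/login.defs
  fi
}

# These defaults apply to accounts created from now on; existing accounts keep
# their current ageing fields until changed with chage(1).
read -r -p "设置密码失效前多少天通知用户:" a
set_login_def PASS_WARN_AGE "$a"
read -r -p "设置密码修改之间最小的天数:" b
set_login_def PASS_MIN_DAYS "$b"
read -r -p "设置密码最多可多少天不修改:" c
set_login_def PASS_MAX_DAYS "$c"
read -r -p "设置密码最短的长度:" d
set_login_def PASS_MIN_LEN "$d"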
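# ---- Ownership and mode of the account databases ----
echo "备份文件!"
echo "设置用户权限配置文件的权限"
[ -e /etc/passwd.bak ] || cp -p /etc/passwd /etc/passwd.bak
# NOTE(review): root:root with 0400 on shadow/gshadow matches the RHEL/CentOS
# layout this script targets (yum, system-auth). Debian-based systems expect
# root:shadow 0640 on those two files; applying this there breaks tools that
# rely on the shadow group — confirm the target distribution first.
chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow
chmod 0644 /etc/group /etc/passwd
chmod 0400 /etc/shadow /etc/gshadow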
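# ---- Separation-of-duties accounts (audit / operations / security) ----
echo "确保三权分立账户存在"
# useradd fails when the account already exists, so create each one only when
# it is missing; usermod -G then sets the account's own group as its
# supplementary group exactly as the original did. New accounts come up with a
# locked password until the operator sets one with passwd.
for acct in audit op security; do
  if ! id "$acct" >/dev/null 2>&1; then
    useradd "$acct"
  fi
  usermod -G "$acct" "$acct"
done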
# ---- Only root may hold UID 0 ----
printf '%s\n' "备份文件!"
printf '%s\n' "确保root是唯一超级帐户"
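# check_root_uniqueness [PASSWD_FILE]
#   Print the name of every account whose UID is 0 other than "root".
#   PASSWD_FILE defaults to /etc/passwd; the optional argument makes the check
#   testable against a copy. Exit status follows grep: 0 when at least one
#   extra UID-0 account was printed (a finding), 1 when the list is empty
#   (the compliant case). The original piped cat into awk for no reason; awk
#   reads the file itself.
check_root_uniqueness() {
  local passwd_file=${1:-/etc/passwd}
  awk -F: '($3 == 0) { print $1 }' "$passwd_file" | grep -v '^root$'
}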
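echo "确保root是唯一超级帐户"
# The original defined check_root_uniqueness a second time here (identical to
# the definition above) and never called it, so the check produced nothing.
# Run it and report any extra UID-0 account. An empty result is the compliant
# case; grep then exits 1, which is expected and not an error.
extra_uid0=$(check_root_uniqueness)
if [ -n "$extra_uid0" ]; then
  printf '警告: 除root外还存在UID为0的账户:\n%s\n' "$extra_uid0" >&2
fi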
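# ---- sshd protocol, logging and empty-password settings ----
echo "SSHD强制使用V2安全协议"
# Append "Protocol 2" only once; the original appended it on every run.
# (OpenSSH 7.4+ dropped SSH-1 entirely, so on current servers the keyword is
# accepted but has no effect.)
grep -q '^Protocol 2' /etc/ssh/sshd_config || echo "Protocol 2" >> /etc/ssh/sshd_config
# Uncomment the default "#LogLevel INFO" as before and add the directive when
# the file has no active LogLevel at all; an explicit higher level such as
# VERBOSE is deliberately left alone.
sed -i 's/^#LogLevel INFO/LogLevel INFO/' /etc/ssh/sshd_config
grep -Eq '^LogLevel[[:space:]]' /etc/ssh/sshd_config || echo "LogLevel INFO" >> /etc/ssh/sshd_config
echo "禁止SSH空密码用户登录"
# The original only matched the commented default "#PermitEmptyPasswords no"
# and left an explicit "PermitEmptyPasswords yes" in place. Rewrite whatever
# is there, or add the directive if absent.
if grep -Eq '^#?[[:space:]]*PermitEmptyPasswords[[:space:]]' /etc/ssh/sshd_config; then
  sed -i -E 's/^#?[[:space:]]*PermitEmptyPasswords[[:space:]].*/PermitEmptyPasswords no/' /etc/ssh/sshd_config
else
  echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config
fi
# sshd was restarted earlier in the script, before these edits; without a
# second restart none of them takes effect. Validate first so a bad config
# cannot take sshd down.
if sshd -t; then
  service sshd restart
else
  echo "sshd_config 校验失败,未重启 sshd,请检查 /etc/ssh/sshd_config" >&2
fi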
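# ---- Audit daemon and rules ----
yum -y install audit
# Enable as well as start, so the rules below survive a reboot.
systemctl enable auditd
systemctl start auditd

# append_audit_rules FILE
#   Append the rule set to FILE unless FILE already contains it. The original
#   appended the same block to two files on every run, duplicating every rule
#   each time. Keys: "delete" (file removal/rename by real users, auid>=1000
#   and not the unset loginuid 4294967295), "identity" (account databases),
#   "scope" (sudoers). The "-k identity" line is used as the presence marker.
append_audit_rules() {
  local rules_file=$1
  if grep -q -- '-k identity' "$rules_file" 2>/dev/null; then
    return 0
  fi
  cat >> "$rules_file" <<'EOF'
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
EOF
}

# Where /etc/audit/rules.d exists, augenrules compiles it into
# /etc/audit/audit.rules, so writing the rules to both files (as the original
# did) produced duplicates. Write to rules.d when present, otherwise fall back
# to the legacy file.
if [ -d /etc/audit/rules.d ]; then
  append_audit_rules /etc/audit/rules.d/audit.rules
else
  append_audit_rules /etc/audit/audit.rules
fi
# auditd is restarted through the service script on purpose: on RHEL 7 its
# unit refuses a manual stop via systemctl. The restart also loads the rules.
service auditd restart
systemctl status auditd
echo "启用安全审计功能!!"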
解析:
- 密码复杂度设置
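echo "已对密码进行加固,如果输入错误密码超过3次,则锁定账户!!"
echo "备份文件!"
# Back up only once so a re-run does not overwrite the pristine copy.
[ -e /etc/pam.d/sshd.bak ] || cp -p /etc/pam.d/sshd /etc/pam.d/sshd.bak
# Insert the rule only if it is not there yet, otherwise every run adds another
# copy. NOTE(review): pam_tally2 was removed from Linux-PAM 1.5 (e.g. RHEL 9)
# in favour of pam_faillock — adjust the module on such hosts.
if ! grep -q 'auth required pam_tally2.so' /etc/pam.d/sshd; then
  sed -i '/%PAM-1.0/a\auth required pam_tally2.so deny=3 unlock_time=60 even_deny_root root_unlock_time=60' /etc/pam.d/sshd
fi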
- 输入密码必须包含数字,大小写字母
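echo "输入密码必须包含数字,大小写字母"
echo "备份文件!"
[ -e /etc/pam.d/system-auth.bak ] || cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
# The original inserted at line 14 and deleted line 15, assuming the stock
# layout of system-auth and destroying whatever rule was on that line. Match
# by content instead: replace the existing cracklib/pwquality rule, or put the
# new rule ahead of the first password rule when there is none.
pw_rule='password requisite pam_cracklib.so minlen=10 difok=3 lcredit=-1 ucredit=-1 dcredit=-1 try_first_pass retry=3'
pw_match='^password[[:space:]]+requisite[[:space:]]+pam_(cracklib|pwquality)\.so'
if grep -Eq "$pw_match" /etc/pam.d/system-auth; then
  sed -i -E "/${pw_match}/c\\${pw_rule}" /etc/pam.d/system-auth
else
  # GNU sed: "0,/re/" restricts the substitution to the first matching line.
  sed -i "0,/^password/s/^password.*/${pw_rule}\n&/" /etc/pam.d/system-auth
fi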
- 不允许root进行ssh
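echo "不允许root进行ssh"
echo "备份文件!"
[ -e /etc/ssh/sshd_config.bak ] || cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# The original only rewrote the commented default "#PermitRootLogin yes"; an
# explicit "PermitRootLogin yes" was left untouched. Rewrite any existing
# directive and append one if the file has none.
if grep -Eq '^#?[[:space:]]*PermitRootLogin[[:space:]]' /etc/ssh/sshd_config; then
  sed -i -E 's/^#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' /etc/ssh/sshd_config
else
  echo "PermitRootLogin no" >> /etc/ssh/sshd_config
fi
# Validate before restarting so a broken config cannot leave sshd down.
if sshd -t; then
  service sshd restart
else
  echo "sshd_config 校验失败,未重启 sshd,请检查 /etc/ssh/sshd_config" >&2
fi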
- 锁定用户
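echo "备份文件!"
# -p keeps the restrictive mode/owner of /etc/shadow on its backup.
[ -e /etc/shadow.bak ] || cp -p /etc/shadow /etc/shadow.bak
[ -e /etc/passwd.bak ] || cp -p /etc/passwd /etc/passwd.bak
echo "锁定用户"
# passwd -l only invalidates the password; a non-login shell is a separate
# step. "123" is kept from the original list — confirm it is an account here.
# Missing accounts are skipped instead of producing a passwd error.
for acct in adm lp sync nobody halt news uucp operator games gopher ftp 123; do
  if id "$acct" >/dev/null 2>&1; then
    passwd -l "$acct"
  else
    echo "跳过不存在的账户: $acct" >&2
  fi
done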
- 设置登录超时配置
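echo "备份文件!"
echo "设置用户登录超时"
[ -e /etc/profile.bak ] || cp -p /etc/profile /etc/profile.bak
# "export TMOUT=300 readonly TMOUT" on one line is a single export statement,
# so readonly never took effect and a user could unset TMOUT. Write the two
# statements separately, and only once.
if ! grep -q '^readonly TMOUT' /etc/profile; then
  printf '%s\n' 'export TMOUT=300' 'readonly TMOUT' >> /etc/profile
fi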
- 禁用用户
passwd -l 用户名
解锁用户
passwd -u 用户名
- 修改默认密码策略
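echo "备份文件!"
[ -e /etc/login.defs.bak ] || cp -p /etc/login.defs /etc/login.defs.bak

# set_login_def KEY VALUE
#   Replace the "KEY ..." line in /etc/login.defs, or append it when missing.
#   VALUE must be a non-negative integer; anything else is rejected (status 1)
#   instead of being spliced unquoted into the sed script as the original did.
set_login_def() {
  local key=$1 value=$2
  if ! [[ $value =~ ^[0-9]+$ ]]; then
    echo "无效的数值 '$value',未修改 $key" >&2
    return 1
  fi
  if grep -q "^${key}[[:space:]]" /etc/login.defs; then
    sed -i "/^${key}[[:space:]]/c\\${key} ${value}" /etc/login.defs
  else
    printf '%s %s\n' "$key" "$value" >> /etc/login.defs
  fi
}

# These defaults apply to accounts created from now on; existing accounts are
# adjusted with chage(1), see below.
read -r -p "设置密码失效前多少天通知用户:" a
set_login_def PASS_WARN_AGE "$a"
read -r -p "设置密码修改之间最小的天数:" b
set_login_def PASS_MIN_DAYS "$b"
read -r -p "设置密码最多可多少天不修改:" c
set_login_def PASS_MAX_DAYS "$c"
read -r -p "设置密码最短的长度:" d
set_login_def PASS_MIN_LEN "$d"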
chage -l root # 查询用户的密码到期时间等信息
usermod -e "Oct 27,2023" test   # 设置账户过期时间
格式:usermod -e "时间" 账户名
- 设置用户权限配置文件的权限
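echo "备份文件!"
echo "设置用户权限配置文件的权限"
[ -e /etc/passwd.bak ] || cp -p /etc/passwd /etc/passwd.bak
# NOTE(review): root:root with 0400 on shadow/gshadow matches the RHEL/CentOS
# layout this script targets; Debian-based systems expect root:shadow 0640 on
# those two files — confirm the target distribution first.
chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow
chmod 0644 /etc/group /etc/passwd
chmod 0400 /etc/shadow /etc/gshadow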
- 确保三权分立账户存在
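echo "确保三权分立账户存在"
# useradd fails when the account already exists, so create each one only when
# missing; usermod -G then sets the account's own group as its supplementary
# group exactly as the original did. New accounts have a locked password until
# one is set with passwd.
for acct in audit op security; do
  if ! id "$acct" >/dev/null 2>&1; then
    useradd "$acct"
  fi
  usermod -G "$acct" "$acct"
done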
- 启用安全审计功能
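#!/bin/bash
yum -y install audit
# Enable as well as start, so the rules below survive a reboot.
systemctl enable auditd
systemctl start auditd

# append_audit_rules FILE
#   Append the rule set to FILE unless FILE already contains it (the
#   "-k identity" line is the presence marker). The original appended the same
#   block to two files on every run, duplicating every rule each time.
append_audit_rules() {
  local rules_file=$1
  if grep -q -- '-k identity' "$rules_file" 2>/dev/null; then
    return 0
  fi
  cat >> "$rules_file" <<'EOF'
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
EOF
}

# Where /etc/audit/rules.d exists, augenrules compiles it into
# /etc/audit/audit.rules, so writing to both produced duplicates. Use rules.d
# when present, otherwise the legacy file.
if [ -d /etc/audit/rules.d ]; then
  append_audit_rules /etc/audit/rules.d/audit.rules
else
  append_audit_rules /etc/audit/audit.rules
fi
# On RHEL 7 the auditd unit refuses a manual stop via systemctl; the service
# script is the supported way to restart it and reload the rules.
service auditd restart
systemctl status auditd
echo "启用安全审计功能!!"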
- 确保root是唯一超级帐户
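echo "备份文件!"
echo "确保root是唯一超级帐户"
[ -e /etc/passwd.bak ] || cp -p /etc/passwd /etc/passwd.bak
# check_root_uniqueness [PASSWD_FILE]
#   Print every UID-0 account name other than "root"; PASSWD_FILE defaults to
#   /etc/passwd. Exit status is grep's: 0 when a finding was printed, 1 when
#   the list is empty (the compliant case). The original had "{undefined"
#   (a paste artefact) after the function name, which is a syntax error, and
#   piped cat into awk; awk reads the file directly.
check_root_uniqueness() {
  local passwd_file=${1:-/etc/passwd}
  awk -F: '($3 == 0) { print $1 }' "$passwd_file" | grep -v '^root$'
}
# The original never invoked the check; run it and report findings.
extra_uid0=$(check_root_uniqueness)
if [ -n "$extra_uid0" ]; then
  printf '警告: 除root外还存在UID为0的账户:\n%s\n' "$extra_uid0" >&2
fi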
- SSHD强制使用V2安全协议
配置文件:/etc/ssh/sshd_config(取消注释):LogLevel INFO
添加:Protocol 2
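echo "备份文件!"
echo "SSHD强制使用V2安全协议"
# The original backed up /etc/ssh/ssh_config (the client config) while editing
# /etc/ssh/sshd_config; back up the file that is actually changed, once.
[ -e /etc/ssh/sshd_config.bak ] || cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# Append "Protocol 2" only once instead of on every run. (OpenSSH 7.4+ dropped
# SSH-1 entirely, so on current servers the keyword is accepted but inert.)
grep -q '^Protocol 2' /etc/ssh/sshd_config || echo "Protocol 2" >> /etc/ssh/sshd_config
# Uncomment the default and add the directive when no active LogLevel exists;
# an explicit higher level such as VERBOSE is deliberately left alone.
sed -i 's/^#LogLevel INFO/LogLevel INFO/' /etc/ssh/sshd_config
grep -Eq '^LogLevel[[:space:]]' /etc/ssh/sshd_config || echo "LogLevel INFO" >> /etc/ssh/sshd_config
# Takes effect only after "sshd -t && service sshd restart".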
- 禁止SSH空密码用户登录
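echo "备份文件!"
echo "禁止SSH空密码用户登录"
[ -e /etc/ssh/sshd_config.bak ] || cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
# The original only matched the commented default "#PermitEmptyPasswords no"
# and left an explicit "PermitEmptyPasswords yes" in place. Rewrite whatever
# is there, or add the directive if absent.
if grep -Eq '^#?[[:space:]]*PermitEmptyPasswords[[:space:]]' /etc/ssh/sshd_config; then
  sed -i -E 's/^#?[[:space:]]*PermitEmptyPasswords[[:space:]].*/PermitEmptyPasswords no/' /etc/ssh/sshd_config
else
  echo "PermitEmptyPasswords no" >> /etc/ssh/sshd_config
fi
# Takes effect only after "sshd -t && service sshd restart".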