CentOS基线检测脚本

本脚本适用于CentOS 7.5-7.9版本，其他版本不详

1.检查系统信息

查看代码

echo " "
echo "############################ 系统信息 ############################"
Release=$(cat /etc/redhat-release 2>/dev/null)
Kernel=$(uname -r)
Virt_CPUs=$(grep "processor" /proc/cpuinfo | wc -l)
CPU_Type=$(grep "model name" /proc/cpuinfo | awk -F ': ' '{print $2}' | sort | uniq)
Mem_total=$(free -h  |grep Mem: |awk -F ' ' '{print $2}')
Disk_total=$(fdisk -l |grep "Disk /dev/sd" |awk -F ' ' '{print $2$3$4}' |cut -d ',' -f1)

echo "   发行版本：$Release"
echo "       内核：$Kernel"
echo "逻辑CPU个数: $Virt_CPUs"
echo "    CPU型号: $CPU_Type"
echo "   内存大小: $Mem_total"
echo "   磁盘大小: $Disk_total"

2.1检查ssh登录配置

echo " "
echo "##SSH配置检查 ############################"
passage1=`cat /etc/ssh/sshd_config | grep ^MaxAuthTries | awk '{print $2}'`
passage2=`cat /etc/ssh/sshd_config | grep ^PasswordAuthentication | awk '{print $2}'`
passage3=`cat /etc/ssh/sshd_config | grep ^RSAAuthentication | awk '{print $2}'`
passage4=`cat /etc/ssh/sshd_config | grep ^PubkeyAuthentication | awk '{print $2}'`

if [ $passage1 -eq 5 ] && [[ "$passage2" == "yes" ]] && [[ "$passage3" == "yes" ]] && [[ "$passage4" == "yes" ]];then
    echo ""
    echo "检查通过"
else
    echo ""
    echo "检查不通过"
fi

2.2修复ssh登录配置

查看代码

echo -e "\033[1;33m配置文件路径：/etc/ssh/sshd_config \033[0m"
echo -e "\033[32m—————————————————————————修复前————————————————————————\033[0m"
grep -n "^MaxAuthTries" /etc/ssh/sshd_config
grep -n "^PasswordAuthentication" /etc/ssh/sshd_config
grep -n "^RSAAuthentication" /etc/ssh/sshd_config
grep -n "^PubkeyAuthentication" /etc/ssh/sshd_config
echo -e "\033[32m—————————————————————————修复前————————————————————————\033[0m"
echo " "
#统计不是以“#”开头，有MaxAuthTries字段的行数
MaxAuth_num=$(cat /etc/ssh/sshd_config | grep MaxAuthTries | grep -v ^#|wc -l)
#统计不是以“#”开头，有PasswordAuthentication字段的行数
PasswordAuth_num=$(cat /etc/ssh/sshd_config | grep PasswordAuthentication | grep -v ^#|wc -l)
#统计不是以“#”开头，有RSAAuthentication字段的行数
RSAAuth_num=$(cat /etc/ssh/sshd_config | grep RSAAuthentication | grep -v ^#|wc -l)
#统计不是以“#”开头，有PubkeyAuthentication字段的行
PubkeyAuth_num=$(cat /etc/ssh/sshd_config | grep PubkeyAuthentication | grep -v ^#|wc -l)
if [ $MaxAuth_num -eq 0 ];then
    sed -i '$aMaxAuthTries	yes' /etc/ssh/sshd_config
	#在最后一行插入sed -i '$a
elif [ $MaxAuth_num -eq 1 ];then
	line_num=$(sed -n '/^MaxAuthTries/=' /etc/ssh/sshd_config)	
	#匹配/^MaxAuthTries/的行数给line_num赋值
	sed -i "$line_num"'c MaxAuthTries	5' /etc/ssh/sshd_config
	#在"$line_num"所在的行替换为MaxAuthTries	5
else
	sed -i '/^MaxAuthTries/d' /etc/ssh/sshd_config
	sed -i '$aMaxAuthTries	yes' /etc/ssh/sshd_config
fi
if [ $PasswordAuth_num -eq 0 ];then
    sed -i '$aPasswordAuthentication	yes' /etc/ssh/sshd_config
elif [ $PasswordAuth_num -eq 1 ];then
	line_num=$(sed -n '/^PasswordAuthentication/=' /etc/ssh/sshd_config)	
	sed -i "$line_num"'c PasswordAuthentication	yes' /etc/ssh/sshd_config
else
	sed -i '/^PasswordAuthentication/d' /etc/ssh/sshd_config
	sed -i '$aPasswordAuthentication	yes' /etc/ssh/sshd_config
fi
if [ $RSAAuth_num -eq 0 ];then
    sed -i '$aRSAAuthentication	yes' /etc/ssh/sshd_config
elif [ $RSAAuth_num -eq 1 ];then
	line_num=$(sed -n '/^RSAAuthentication/=' /etc/ssh/sshd_config)	
	sed -i "$line_num"'c RSAAuthentication	yes' /etc/ssh/sshd_config
else
	sed -i '/^RSAAuthentication/d' /etc/ssh/sshd_config
	sed -i '$aRSAAuthentication	yes' /etc/ssh/sshd_config
fi
if [ $PubkeyAuth_num -eq 0 ];then
    sed -i '$aPubkeyAuthentication	yes' /etc/ssh/sshd_config
elif [ $PubkeyAuth_num -eq 1 ];then
	line_num=$(sed -n '/^PubkeyAuthentication/=' /etc/ssh/sshd_config)	
	sed -i "$line_num"'c PubkeyAuthentication	yes' /etc/ssh/sshd_config
else
	sed -i '/^PubkeyAuthentication/d' /etc/ssh/sshd_config
	sed -i '$aPubkeyAuthentication	yes' /etc/ssh/sshd_config
fi
systemctl restart sshd
echo -e "\033[1;36m 修复成功,请重新检查! \033[0m"
echo " "
echo -e "\033[31m—————————————————————————修复后————————————————————————\033[0m"
grep -n "^MaxAuthTries" /etc/ssh/sshd_config
grep -n "^PasswordAuthentication" /etc/ssh/sshd_config
grep -n "^RSAAuthentication" /etc/ssh/sshd_config
grep -n "^PubkeyAuthentication" /etc/ssh/sshd_config
echo -e "\033[31m—————————————————————————修复后————————————————————————\033[0m"

3.1检查账号策略

echo ""
echo "## 检查账号策略 ############################"
passmin=`cat /etc/login.defs | grep PASS_MIN_DAYS | grep -v ^# | awk '{print $2}'`
passage=`cat /etc/login.defs | grep PASS_WARN_AGE | grep -v ^# | awk '{print $2}'`

if [ -n "$passmin" ] && [ -n "$passage" ];then
    if [ $passmin -eq 2 ] && [ $passage -eq 5 ];then
    echo ""
    echo "检查通过"
else
    echo ""
    echo "检查不通过"
fi

3.2修复账号策略

查看代码

echo -e "\033[1;33m配置文件路径：/etc/login.defs \033[0m"
echo -e "\033[32m—————————————————————————修复前————————————————————————\033[0m"
grep -n "^PASS_MAX_DAYS" /etc/login.defs
grep -n "^PASS_MIN_DAYS" /etc/login.defs
grep -n "^PASS_WARN_AGE" /etc/login.defs
echo -e "\033[32m—————————————————————————修复前————————————————————————\033[0m"
echo " "
passmin_num=$(cat /etc/login.defs | grep PASS_MIN_DAYS | grep ^#P|wc -l)
passage_num=$(cat /etc/login.defs | grep PASS_WARN_AGE | grep ^#P|wc -l)
if [ $passmin_num -eq 1 ];then
	line_num=$(sed -n '/^#PASS_MIN_DAYS/=' /etc/login.defs)	
	
	sed -i "$line_num"'c PASS_MIN_DAYS	2' /etc/login.defs
else
	line_num=$(sed -n '/^PASS_MIN_DAYS/=' /etc/login.defs)	
	if [ $line_num ];then
		sed -i "$line_num"'c PASS_MIN_DAYS	2' /etc/login.defs
		echo -e "\033[1;36m PASS_MIN_DAYS修复成功,请重新检查! \033[0m"
	else
		echo "请手动检查配置文件/etc.lokin.defs中的PASS_MIN_DAYS项"
		echo -e "\033[1;31m PASS_MIN_DAYS修复失败! \033[0m"
    fi
fi

if [ $passage_num -eq 1 ];then
	line_num=$(sed -n '/^#PASS_WARN_AGE/=' /etc/login.defs)	
	sed -i "$line_num"'c PASS_WARN_AGE	5' /etc/login.defs
	echo -e "\033[1;36m PASS_WARN_AGE修复成功,请重新检查! \033[0m"
else
	line_num=$(sed -n '/^PASS_WARN_AGE/=' /etc/login.defs)	
	if [ $line_num ];then
		sed -i "$line_num"'c PASS_WARN_AGE	5' /etc/login.defs
    	echo -e "\033[1;36m PASS_WARN_AGE修复成功,请重新检查! \033[0m"
 	else
 		echo "请手动检查配置文件/etc.lokin.defs中的PASS_WARN_AGE项"
		echo -e "\033[1;31m PASS_WARN_AGE修复失败! \033[0m"
	fi
fi
echo " "
echo -e "\033[31m—————————————————————————修复后————————————————————————\033[0m"
grep -n "^PASS_MAX_DAYS" /etc/login.defs
grep -n "^PASS_MIN_DAYS" /etc/login.defs
grep -n "^PASS_WARN_AGE" /etc/login.defs
echo -e "\033[31m—————————————————————————修复后————————————————————————\033[0m"

4.1检查密码复杂度

查看代码

echo ""
echo "## 检查密码复杂度 ############################"		
complexity=$(cat /etc/pam.d/system-auth |grep "pam_pwquality.so minlen=10 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1")
complexity_cracklib=$(cat /etc/pam.d/system-auth |grep "password requisite pam_cracklib.so retry=3 minlen=10 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1")
if [ -n "$complexity" ];then
    echo ""
    echo "检查通过"
elif [ -n "$complexity_cracklib" ];then
	echo ""
    echo "检查通过"
else
    echo ""
    echo "检查不通过"
fi

4.2.修复密码复杂度

查看代码

echo -e "\033[1;33m配置文件路径：/etc/pam.d/system-auth \033[0m"
echo -e "\033[32m—————————————————————————修复前————————————————————————\033[0m"
grep -n "^password" /etc/pam.d/system-auth
echo -e "\033[32m—————————————————————————修复前————————————————————————\033[0m"
echo " "
LIN_NUM=$(sed -n '/pam_pwquality.so/=' /etc/pam.d/system-auth)
LIN_num_cracklib=$(sed -n '/pam_cracklib.so/=' /etc/pam.d/system-auth)
if [ $LIN_NUM ];then
	sed -i "$LIN_NUM"'c password    requisite     pam_pwquality.so minlen=10 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 try_first_pass local_users_only retry=3 authtok_type=' /etc/pam.d/system-auth
elif [ $LIN_num_cracklib ];then
	sed -i "$LIN_num_cracklib"'c password    requisite   pam_cracklib.so retry=3 minlen=10 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1  ' /etc/pam.d/system-auth
else
	sed -i '4i\password    requisite     pam_pwquality.so minlen=10 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 try_first_pass local_users_only retry=3 authtok_type=' /etc/pam.d/system-auth
fi
#sed -i "$LIN_NUM"'c password    requisite     pam_pwquality.so minlen=10 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 try_first_pass local_users_only retry=3 authtok_type=' /etc/pam.d/system-auth
echo -e "\033[1;36m 修复成功,请重新检查! \033[0m"
echo " "
echo -e "\033[31m—————————————————————————修复后————————————————————————\033[0m"
grep -n "^password" /etc/pam.d/system-auth
echo -e "\033[31m—————————————————————————修复后————————————————————————\033[0m"

5.1检查密码登录锁

echo ""
echo "## 检查密码登录锁 ############################"
lock=$(cat /etc/pam.d/sshd |grep "pam_tally2.so deny=5 unlock_time=300 even_deny_root=5 root_unlock_time=300")
if [ -n "$lock" ];then
    echo ""
    echo "检查通过" 
else
    echo ""
    echo "检查不通过"
fi
echo "查看用户登录失败次数:pam_tally2 --user root"
echo "解锁指定用户:pam_tally2 -r -u root"

5.2 修复密码登录锁

查看代码

 echo -e "\033[1;33m配置文件路径：/etc/pam.d/sshd \033[0m"
echo -e "\033[32m—————————————————————————修复前————————————————————————\033[0m"
grep -n "^auth" /etc/pam.d/sshd
echo -e "\033[32m—————————————————————————修复前————————————————————————\033[0m"
echo " "
LIN_NUM=$(sed -n '/pam_tally2.so/=' /etc/pam.d/sshd)  
if [ $LIN_NUM ];then
	sed -i "$LIN_NUM"'c auth       required     pam_tally2.so deny=5 unlock_time=300 even_deny_root=5 root_unlock_time=300' /etc/pam.d/sshd
else
	sed -i '2i\auth       required     pam_tally2.so deny=5 unlock_time=300 even_deny_root=5 root_unlock_time=300' /etc/pam.d/sshd
fi
echo -e "\033[1;36m 修复成功,请重新检查! \033[0m"
echo " "
echo -e "\033[31m—————————————————————————修复后————————————————————————\033[0m"
grep -n "^auth" /etc/pam.d/sshd
echo -e "\033[31m—————————————————————————修复后————————————————————————\033[0m"

6.1检查root用户权限

echo ""
echo "## 检查root用户权限 ############################"
UIDS=`awk -F[:] 'NR!=1{print $3}' /etc/passwd`
flag=0
for i in $UIDS
do
	if [ $i = 0 ];then
        echo ""
        echo "检查不通过"
	else
		flag=1
	fi
done
	if [ $flag = 1 ];then
        echo ""
        echo "检查通过"
	fi

7.1检查登录超时时间

查看代码

echo ""
echo "## $1. $2检查 ############################"
result=`cat /etc/profile | grep TMOUT | awk -F[=] '{print $2}'`
if [ "$result" ];then
	TMOUT=`cat /etc/profile | grep TMOUT | awk -F[=] '{print $2}'`
	if [ $TMOUT -eq 600 ];then
    	echo ""
        echo "检查通过" 
	else
        echo ""
        echo "检查不通过" 
	fi
else
    echo "账号超时不存在自动注销,不符合要求，建议设置为600秒"
    echo ""
    echo "检查不通过"  
fi

7.2 修复登录超时时间

查看代码

echo -e "\033[1;33m配置文件路径：/etc/profile \033[0m"
echo -e "\033[32m—————————————————————————修复前————————————————————————\033[0m"
grep -n "TMOUT" /etc/profile
grep -n "^HISTSIZE" /etc/profile
echo -e "\033[32m—————————————————————————修复前————————————————————————\033[0m"
echo " "
result=$(cat /etc/profile | grep TMOUT | awk -F[=] '{print $2}')
if [ "$result" ];then
	LIN_NUM=$(sed -n '/TMOUT/=' /etc/profile)
	sed -i "$LIN_NUM"'c export TMOUT=600' /etc/profile
else
	echo "export TMOUT=600" >> /etc/profile
fi
echo -e "\033[1;36m 修复成功,请重新检查! \033[0m"
echo " "
echo -e "\033[31m—————————————————————————修复后————————————————————————\033[0m"
grep -n "^TMOUT" /etc/profile
grep -n "^HISTSIZE" /etc/profile
echo -e "\033[31m—————————————————————————修复后————————————————————————\033[0m"

8.1 检查默认锁定用户

echo ""
echo "## $1. $2检查 ############################"
flag=0
checkuserlist=""
UserList="bin daemon adm lp mail operator games ftp nobody systemd-bus-proxy systemd-network dbus polkitd abrt unbound tss libstoragemgmt rpc colord usbmuxd saslauth geoclue rtkit radvd rpcuser nfsnobody qemu chrony setroubleshoot pulse gdm gnome-initial-setup sshd avahi postfix ntp tcpdump mysql gluster"
for _user in ${UserList};do
	if [ `grep ^${_user} /etc/passwd |wc -l` -eq 1 ];then
		if [ `passwd -S ${_user} | awk '{print $2}'` = "LK" ] ;then
			continue       
		else
			checkuserlist=${_user}" "${checkuserlist}
			flag=1
		fi
	fi
done       
if [ ${flag} -eq 0 ];then
	echo "检查通过"
else
	#echo "用户 ${checkuserlist}锁定检查未通过，不符合要求"
	echo "检查不通过"
fi

8.2 修复默认锁定用户

查看代码

 UserList="bin daemon adm lp mail operator games ftp nobody systemd-bus-proxy systemd-network dbus polkitd abrt unbound tss libstoragemgmt rpc colord usbmuxd saslauth geoclue rtkit radvd rpcuser nfsnobody qemu chrony setroubleshoot pulse gdm gnome-initial-setup sshd avahi postfix ntp tcpdump mysql gluster"
for _user in ${UserList};do
    if [ `grep ^${_user} /etc/passwd |wc -l` -eq 1 ];then
            if [ `passwd -S ${_user} | awk '{print $2}'` = "LK" ] ;then
                continue
            else
	passwd -l ${_user}
            fi
    fi
done
echo -e "\033[1;36mNo.$1 修复成功,请重新检查! \033[0m"

9.1 检查NTP时钟同步

查看代码

echo ""
echo "## 检查NTP时钟同步 ############################"
if [ `grep ntpserver /etc/hosts |wc -l` -eq 1 ] && [ `grep ntpserver /etc/ntp.conf |wc -l` -eq 1 ] && [ `cat /etc/ntp.conf |grep "ntpserver minpoll" |wc -l` -eq 1 ] && [ `cat /etc/sysconfig/ntpd |grep "\-x \-p /var/run/ntpd.pid \-g"|wc -l` -eq 1 ];then
	echo "检查通过"
else
	echo "检查不通过"
fi

9.2 修复NTP时钟同步

查看代码

echo -e "\033[1;33m配置文件路径：/etc/hosts \033[0m"
echo -e "\033[32m—————————————————————————修复前————————————————————————\033[0m"
cat /etc/hosts
echo -e "\033[32m—————————————————————————修复前————————————————————————\033[0m"
echo " "
if [ `cat /etc/hosts |grep ntpserver | wc -l` -eq 0 ];then
	echo "########ntp server#######" >> /etc/hosts
	echo "10.14.1.11	ntpserver" >> /etc/hosts
else
	sed -i '/##ntp server##/d' /etc/hosts
    sed -i '/ntpserver/d' /etc/hosts
	echo "########ntp server#######" >> /etc/hosts
	echo "10.14.1.11	ntpserver" >> /etc/hosts
fi
#2./etc/ntp.conf
mv /etc/ntp.conf /etc/ntp.conf.bl.`date +%Y%m%d%H%M%S`
cat <<EOF > /etc/ntp.conf
driftfile /var/lib/ntp/drift
server ntpserver minpoll 4 maxpoll 4 prefer
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
disable monitor
EOF
#3./etc/sysconfig/ntpd
LIN_NUM=$(sed -n '/OPTIONS/=' /etc/sysconfig/ntpd)
sed -i "$LIN_NUM"'c OPTIONS="-x -p /var/run/ntpd.pid -g"' /etc/sysconfig/ntpd
systemctl restart ntpd.service
systemctl enable ntpd.service
echo -e "\033[1;36mNo.$1 修复成功,已重启ntpd服务,可使用ntpq -p验证,请重新检查! \033[0m"
echo " "
echo -e "\033[31m—————————————————————————修复后————————————————————————\033[0m"
cat /etc/hosts
echo -e "\033[31m—————————————————————————修复后————————————————————————\033[0m"

查看所有代码:（最新版）

查看代码

#!/bin/sh
#########################################
#  基线检查脚本,适用于CentOS/RedHat 7.X
#  security baseline check 
#########################################
 
#环境变量PATH没设好，在cron里执行时有很多命令会找不到
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
source /etc/profile
 
[ $(id -u) -gt 0 ] && echo "请用root用户执行此脚本！" && exit 1
centosVersion=$(awk '{print $(NF-1)}' /etc/redhat-release)
if [[ $centosVersion < 7.5 ]];then
	echo "CentOS Version $centosVersion it not supported , Check exit!!"
	exit 1;
fi
#版本
VERSION="Linux Base Check V3.1
#v1.2.2020-08-21修复ntp配置错误；
#v1.3.2020-08-24修复必须操作系统大于Centos7.5以上版本才能使用该脚本；
#v1.4.2021-08-21新增ntp配置脚本；
#v2.0.2022-05-20修复各种替换配置文件的BUG问题；
#V3.0.2023-01-10修复代码BUG，使得脚本可反复执行；
#v3.1.2023-01-31加入for循环对多配置参数进行注释。"

#日志相关
PROGPATH=`echo $0 | sed -e 's,[\\/][^\\/][^\\/]*$,,'`
[ -f $PROGPATH ] && PROGPATH="."
LOGPATH="$PROGPATH/log"
[ -e $LOGPATH ] || mkdir $LOGPATH
RESULTFILE="$LOGPATH/HostBaseCheck-`hostname`-`date +%Y%m%d`.txt"

##################
#A. log out      #
##################
function outLog(){
	if [ x"$1" == x"ok" ];then
		echo -e "$2 \e[1;32m检查通过\e[0m，符合要求。" 
	elif [ x"$1" == x"err" ];then
		echo -e "$2 \e[1;33;41m检查未通过\e[0m，不符合要求，建议整改。"
	else
		echo -e "$2"
	fi
}

###################
#B.Usage
###################
function Usage(){
cat <<EOF	
基线检查脚本：Version $VERSION

Usage:sh $0 [check | repair num ]

举例:
检查命令：sh $0 check
修复命令：sh $0 repair 3
EOF
}

########################
#C.getSystemStatus
########################
function getSystemStatus(){
	echo ""
	echo "############################ 系统信息 ############################"
	Release=$(cat /etc/redhat-release 2>/dev/null)
	Kernel=$(uname -r)
	Virt_CPUs=$(grep "processor" /proc/cpuinfo | wc -l)
	CPU_Type=$(grep "model name" /proc/cpuinfo | awk -F ': ' '{print $2}' | sort | uniq)
	Mem_total=$(free -h  |grep Mem: |awk -F ' ' '{print $2}')
	Disk_total=$(fdisk -l |grep "Disk /dev/sd" |awk -F ' ' '{print $2$3$4}' |cut -d ',' -f1)

	echo "   发行版本：$Release"
	echo "       内核：$Kernel"
	echo "逻辑CPU个数: $Virt_CPUs"
	echo "    CPU型号: $CPU_Type"
	echo "   内存大小: $Mem_total"
	echo "   磁盘大小: $Disk_total"
}


#####################
#1.checkAccountStatus
#####################
function checkAccountStatus(){
	echo ""
	echo "## $1. $2检查 ############################"
	passmin=`cat /etc/login.defs | grep ^PASS_MIN_DAYS | awk '{print $2}'`
	passage=`cat /etc/login.defs | grep ^PASS_WARN_AGE | awk '{print $2}'`
	if [ -n "$passmin" ] && [ -n "$passage" ];then
		if [ "$passmin" -eq 2 ] && [ "$passage" -eq 5 ];then
			outLog ok $2
		else
			outLog err $2
		fi
	else
		outLog err $2
	fi
}

#####################
#1.repairAccount
#####################
function repairAccount(){
echo -e "\033[1;33m修复配置文件路径：/etc/login.defs \033[0m"
echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
grep -n "^PASS_MAX_DAYS" /etc/login.defs
grep -n "^PASS_MIN_DAYS" /etc/login.defs
grep -n "^PASS_WARN_AGE" /etc/login.defs
echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
echo " "


#Num_passmin=`sed -n "/"^PASS_MIN_DAYS"/=" /etc/login.defs`
Num_passmin=`cat /etc/login.defs | grep -n ^PASS_MIN_DAYS | awk -F[:] '{print $1}'`
if [ "$Num_passmin" ];then
	Count_passmin=1
	for a in $Num_passmin
	do
	if [ "$Count_passmin" == 1 ];then
		sed -i $a'c PASS_MIN_DAYS	2' /etc/login.defs
	else
		sed -i $a'c \#PASS_MIN_DAYS 重复配置已替换' /etc/login.defs
	fi
	Count_passmin=$Count_passmin+1
	done
else
	echo "PASS_MIN_DAYS	2" >> /etc/login.defs
fi


Num_passage=`cat /etc/login.defs | grep -n ^PASS_WARN_AGE | awk -F[:] '{print $1}'`
if [ "$Num_passage" ];then
	Count_passage=1
	for a in $Num_passage
	do
	if [ "$Count_passage" == 1 ];then
		sed -i $a'c PASS_WARN_AGE	5' /etc/login.defs
	else
		sed -i $a'c \#PASS_WARN_AGE 重复配置已替换' /etc/login.defs
	fi
	Count_passage=$Count_passage+1
	done
else
	echo "PASS_WARN_AGE   5" >> /etc/login.defs
fi
sed -i '/重复配置已替换/d' /etc/login.defs
echo " "
echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
grep -n "^PASS_MAX_DAYS" /etc/login.defs
grep -n "^PASS_MIN_DAYS" /etc/login.defs
grep -n "^PASS_WARN_AGE" /etc/login.defs
echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
}


######################
#2.checkPassComplexity
######################
function checkPassComplexity(){
        echo ""
        echo "## $1. $2检查 ############################"		
	complexity=$(cat /etc/pam.d/system-auth |grep "password" |grep "requisite" |grep "pam_pwquality.so" |grep "minlen=10" |grep "dcredit=-1" |grep "ucredit=-1" |grep "lcredit=-1" |grep "ocredit=-1")
	complexity_cracklib=$(cat /etc/pam.d/system-auth |grep "password" |grep "requisite" |grep "pam_cracklib.so" |grep "retry=3" |grep "minlen=10" |grep "dcredit=-1" |grep "ucredit=-1" |grep "lcredit=-1" |grep "ocredit=-1")
	if [ "$complexity" ];then
		outLog ok $2
	elif [ "$complexity_cracklib" ];then
		outlog ok $2	
	else
		outLog err $2 
	fi
}


######################
#2.repairPassComplexity
######################
function repairPassComplexity(){
	echo -e "\033[1;33m修复配置文件路径：/etc/pam.d/system-auth \033[0m"
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	grep -n "^password" /etc/pam.d/system-auth
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	echo " "
	LIN_NUM=$(sed -n '/pam_pwquality.so/=' /etc/pam.d/system-auth)
	LIN_num_cracklib=$(sed -n '/pam_cracklib.so/=' /etc/pam.d/system-auth)
	if [ "$LIN_NUM" ];then
		sed -i "$LIN_NUM"'c password    requisite     pam_pwquality.so minlen=10 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 try_first_pass local_users_only retry=3 authtok_type=' /etc/pam.d/system-auth
	elif [ "$LIN_num_cracklib" ];then
		sed -i "$LIN_num_cracklib"'c password    requisite   pam_cracklib.so retry=3 minlen=10 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1  ' /etc/pam.d/system-auth
	else
		sed -i '4i\password    requisite     pam_pwquality.so minlen=10 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 try_first_pass local_users_only retry=3 authtok_type=' /etc/pam.d/system-auth
	fi
	#sed -i "$LIN_NUM"'c password    requisite     pam_pwquality.so minlen=10 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 try_first_pass local_users_only retry=3 authtok_type=' /etc/pam.d/system-auth
	echo -e "\033[1;36mNo.$1 修复成功,请重新检查! \033[0m"
	echo " "
	echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
	grep -n "^password" /etc/pam.d/system-auth
	echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
}


######################
#3.checkLoginLock
######################
function checkLoginLock(){
	echo ""
	echo "## $1. $2检查 ############################"
	lock=$(cat /etc/pam.d/sshd |grep "pam_tally2.so" |grep "deny=5" |grep "unlock_time=300" |grep "even_deny_root=5" |grep "root_unlock_time=300")
	if [ "$lock" ];then
		outLog ok $2 
	else
		outLog err $2 
	fi
}

######################
#3.repairloginLock
######################
#查看用户登录失败次数:pam_tally2 --user root
#解锁指定用户:pam_tally2 -r -u root
function repairloginLock(){
	echo -e "\033[1;33m修复配置文件路径：/etc/pam.d/sshd \033[0m"
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	grep -n "^auth" /etc/pam.d/sshd
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	echo " "
	LIN_NUM=$(sed -n '/pam_tally2.so/=' /etc/pam.d/sshd)  
	if [ "$LIN_NUM" ];then
		sed -i "$LIN_NUM"'c auth 	   required 	pam_tally2.so deny=5 unlock_time=300 even_deny_root=5 root_unlock_time=300' /etc/pam.d/sshd
	else
		sed -i '2i\auth 	   required 	pam_tally2.so deny=5 unlock_time=300 even_deny_root=5 root_unlock_time=300' /etc/pam.d/sshd
	fi
	echo -e "\033[1;36mNo.$1 修复成功,请重新检查! \033[0m"
	echo " "
	echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
	grep -n "^auth" /etc/pam.d/sshd
	echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
}


###################
#4.checkRootUid
###################
function checkRootUid(){
	echo ""
	echo "## $1. $2检查 ############################"
	UIDS=`awk -F[:] 'NR!=1{print $3}' /etc/passwd`
	flag=0
	for i in $UIDS
	do
		if [ "$i" = 0 ];then
			outLog err $2 
		else
			flag=1
		fi
	done
		if [ "$flag" = 1 ];then
			outLog ok $2 
		fi
}

###################
#4.repairRootUid
###################
function repairRootUid(){
	echo -e "\033[1;33m该项目修复风险极大，请手动检查。路径为：/etc/passwd \033[0m"
	echo -e "\033[1;36mNo.$1 用户标识号为0权限的账号如下,请手动检查修复! \033[0m"
	awk -F":" '{if ($3==0) print (NR,$0) }'  /etc/passwd
}


###################
#5.checkSshStatus
###################
function checkSshStatus(){
	echo ""
	echo "## $1. $2检查 ############################"
	passage1=`cat /etc/ssh/sshd_config | grep ^MaxAuthTries | awk '{print $2}'`
	passage2=`cat /etc/ssh/sshd_config | grep ^PasswordAuthentication | awk '{print $2}'`
	passage3=`cat /etc/ssh/sshd_config | grep ^PubkeyAuthentication | awk '{print $2}'`
	if [ "$passage1" -eq 5 ] && [ "$passage2" == "yes" ] && [ "$passage3" == "yes" ];then
		outLog ok $2
	else
		outLog err $2
	fi
} 

###################
#5.repairSshStatus
###################
function repairSshStatus(){
echo -e "\033[1;33m修复配置文件路径：/etc/ssh/sshd_config \033[0m"
echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
grep -n "^MaxAuthTries" /etc/ssh/sshd_config
grep -n "^PasswordAuthentication" /etc/ssh/sshd_config
grep -n "^PubkeyAuthentication" /etc/ssh/sshd_config
echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
echo " "
Num_MaxAuthTries=`sed -n /^"MaxAuthTries"/= /etc/ssh/sshd_config`
Num_PasswordAuthentication=`sed -n /^"PasswordAuthentication"/= /etc/ssh/sshd_config`
Num_PubkeyAuthentication=`sed -n /^"PubkeyAuthentication"/= /etc/ssh/sshd_config`

if [ "$Num_MaxAuthTries" ];then
	Count_MaxAuthTries=1
	for a in $Num_MaxAuthTries
	do
	if [ "$Count_MaxAuthTries" == 1 ];then
		sed -i $a'c MaxAuthTries 5' /etc/ssh/sshd_config
	else
		sed -i $a'c \#MaxAuthTries 重复配置已替换' /etc/ssh/sshd_config
	fi
	Count_MaxAuthTries=$Count_MaxAuthTries+1
	done
else
	echo "MaxAuthTries 5" >> /etc/ssh/sshd_config
fi

if [ "$Num_PasswordAuthentication" ];then
	Count_PasswordAuthentication=1
	for a in $Num_PasswordAuthentication
	do
	if [ "$Count_PasswordAuthentication" == 1 ];then
		sed -i $a'c PasswordAuthentication yes' /etc/ssh/sshd_config
	else
		sed -i $a'c \#PasswordAuthentication 重复配置已替换' /etc/ssh/sshd_config
	fi
	Count_PasswordAuthentication=$Count_PasswordAuthentication+1
	done
else
	echo "PasswordAuthentication yes" >> /etc/ssh/sshd_config
fi


if [ "$Num_PubkeyAuthentication" ];then
	Count_PubkeyAuthentication=1
	for a in $Num_PubkeyAuthentication
	do
	if [ "$Count_PubkeyAuthentication" == 1 ];then
		sed -i $a'c PubkeyAuthentication yes' /etc/ssh/sshd_config
	else
		sed -i $a'c \#PubkeyAuthentication 重复配置已替换' /etc/ssh/sshd_config
	fi
	Count_PubkeyAuthentication=$Count_PubkeyAuthentication+1
	done
else
	echo "PubkeyAuthentication yes" >> /etc/ssh/sshd_config
fi

sed -i '/重复配置已替换/d' /etc/ssh/sshd_config
systemctl restart sshd
echo -e "\033[1;36mNo.$1 修复成功,请重新检查! \033[0m"
echo " "
echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
grep -n "^MaxAuthTries" /etc/ssh/sshd_config
grep -n "^PasswordAuthentication" /etc/ssh/sshd_config
grep -n "^PubkeyAuthentication" /etc/ssh/sshd_config
echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
}


###################
#6.checkTimeOut
###################
function checkTimeOut(){
	echo ""
	echo "## $1. $2检查 ############################"
	Check_TMOUT=`cat /etc/profile | grep "^export TMOUT" | awk -F[=] '{print $2}'`
	#Check_History=`cat /etc/profile | grep "^HISTSIZE" | awk -F[=] '{print $2}'`
	if [ "$Check_TMOUT" ];then
		#if [ $TMOUT -le 900 ] && [ $HISTSIZE -eq 100000 ];then
		if [ "$TMOUT" -le 900 ];then
			outLog ok $2 
		else
			outLog err $2 
		fi
	else
		echo -e "\033[1;33m不存在超时注销!不符合要求，要求设置为600秒 \033[0m"
		outLog err $2 
	fi
}

###################
#6.repairTimeOut
###################
function repairTimeOut(){
	echo -e "\033[1;33m修复配置文件路径：/etc/profile \033[0m"
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	grep -n "^export TMOUT" /etc/profile
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	echo " "
	Repair_TMOUT=$(cat /etc/profile | grep "^export TMOUT" | head -n1)
	if [ "$Repair_TMOUT" ];then
		Count_TMOUT=1
		#普通方案：Num_TMOUT=$(sed -n "/^export TMOUT/=" /etc/profile)
		#循环方案
		for p in `cat /etc/profile |grep -n ^"export TMOUT="|awk -F[:] '{print $1}'`
		do
		Num_TMOUT=$(echo $p |awk -F':' '{print $1}')
		if [ "$Count_TMOUT" == 1 ];then
			sed -i $Num_TMOUT'c export TMOUT=900' /etc/profile
		else
			sed -i ${Num_TMOUT}'c #export TMOUT 重复配置已替换' /etc/profile
			#sed -i ${Num_TMOUT}"c \#export TMOUT 重复配置已替换" /etc/profile
		fi
		Count_TMOUT=$Count_TMOUT+1
		done
	else
		echo "export TMOUT=900" >> /etc/profile
	fi
	sed -i '/重复配置已替换/d' /etc/profile
	source /etc/profile
	echo -e "\033[1;36mNo.$1 修复成功,请重新检查! \033[0m"
	echo " "
	echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
	grep -n "^export TMOUT" /etc/profile
	echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
}


######################
#7.checkHistorySize
###################### 
function checkHistorySize(){
	echo ""
	echo "## $1. $2检查 ############################"
	Check_History=`cat /etc/profile | grep "^HISTSIZE" | awk -F[=] '{print $2}'`
	if [ "$Check_History" ];then
		if [ "$HISTSIZE" -ge 100000 ];then
			outLog ok $2 
		else
			outLog err $2 
		fi
	else
		echo -e "\033[1;33m没有配置HISTSIZE参数!不符合要求，要求设置为100000 \033[0m"
		outLog err $2 
	fi
}


######################
#7.repairHistorySize
######################
function repairHistorySize(){
	echo -e "\033[1;33m修复配置文件路径：/etc/profile \033[0m"
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	grep -n "^HISTSIZE" /etc/profile
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	echo " "
	History_Size=$(cat /etc/profile | grep -n ^"HISTSIZE" | head -n1)
	if [ "$History_Size" ];then
		Count_History=1
		#Num_History=$(sed -n '/'"$History_Size"'/=' /etc/profile)
		for q in `cat /etc/profile |grep -n ^"HISTSIZE"|awk -F[:] '{print $1}'`
		do
		Num_History=$(echo $q |awk -F':' '{print $1}')
		if [ "$Count_History" == 1 ];then
			sed -i $Num_History'c HISTSIZE=100000' /etc/profile
		else
			sed -i "${Num_History}c \#HISTSIZE 重复配置已替换" /etc/profile
		fi
		Count_History=$Count_History+1
		done
	else
		echo "HISTSIZE=100000" >> /etc/profile
	fi
	sed -i '/重复配置已替换/d' /etc/profile
	source /etc/profile
	echo -e "\033[1;36mNo.$1 修复成功,请重新检查! \033[0m"
	echo " "
	echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
	grep -n "^HISTSIZE" /etc/profile
	grep -n "^#HISTSIZE" /etc/profile
	echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
}


########################
#8.checkNtpSet
########################
function checkNtpSet(){
echo ""
echo "## $1. $2检查 ############################"
NtpSet1=`cat /etc/ntp.conf |grep "server" |grep "ntp-t.gwmfc.com" |grep "prefer"`
NtpSet2=`cat /etc/sysconfig/ntpd |grep "\-x \-p /var/run/ntpd.pid \-g"|wc -l`
if [ "$NtpSet1" ] && [ "$NtpSet2" -eq 1 ];then
	outLog ok $2
else
	outLog err $2
fi
}

########################
#8.repairNtpSet
#1.停止并取消chrony.service服务
#  systemctl status chrony.service
#  systemctl stop chrony.service
#  systemctl disable chrony.service
#2.启动ntpd服务
#  systemctl enable ntpd.service
#  systemctl start ntpd.service
########################
function repairNtpSet(){
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	echo -e "\033[1;33m修复配置文件路径：/etc/hosts \033[0m"
	cat /etc/hosts
	echo -e "\033[1;33m修复配置文件路径：/etc/ntp.conf \033[0m"
	cat /etc/ntp.conf |grep "server"
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	echo " "
	sed -i '/##ntp server##/d' /etc/hosts
	sed -i '/ntpserver/d' /etc/hosts

	
#2./etc/ntp.conf
cat <<EOF > /etc/ntp.conf
driftfile /var/lib/ntp/drift
server ntp-t.gwmfc.com minpoll 4 maxpoll 4 prefer
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
disable monitor
EOF


#3./etc/sysconfig/ntpd
LIN_NUM=$(sed -n '/OPTIONS/=' /etc/sysconfig/ntpd)
sed -i "$LIN_NUM"'c OPTIONS="-x -p /var/run/ntpd.pid -g"' /etc/sysconfig/ntpd
systemctl start ntpd.service
systemctl enable ntpd.service
echo -e "\033[1;36mNo.$1 修复成功,已重启ntpd服务,可使用ntpq -p验证,请重新检查! \033[0m"
echo " "
echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
echo -e "\033[1;33m修复配置文件路径：/etc/ntp.conf \033[0m"
cat /etc/hosts
echo -e "\033[1;33m修复配置文件路径：/etc/ntp.conf \033[0m"
cat /etc/ntp.conf |grep "server"
echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
}


######################
#9.checkSysConfigSet
######################
function checkSysConfigSet(){
        echo ""
        echo "## $1. $2检查 ############################"
	sysconfig=$(cat /etc/motd |grep 'SYSTEM-A:'|wc -l)
	if [ "$sysconfig" -eq 1 ];then
		outLog ok $2
	else
		outLog err $2
	fi
}


######################
#9.repairSysConfigSet
######################
function repairSysConfigSet(){
	echo -e "\033[1;33m修复配置文件路径：/etc/motd \033[0m"
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	cat /etc/motd
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	echo " "
description=$(cat /etc/motd |grep 'SYSTEM-A:'|wc -l)
description2=$(cat /etc/motd |grep 'APPSYSTEM:'|wc -l)
description3=$(cat /etc/motd |grep 'DESCRIPTION:'|wc -l)
if [ "$description" -eq 0 ] && [ "$description2" -eq 0 ] && [ "$description3" -eq 0 ];then
cat << EOF >> /etc/motd
#####################################
#  APPSYSTEM: 系统的名字是啥
#   SYSTEM-A: 系统管理员A角
#   SYSTEM-B: 系统管理员B角
#DESCRIPTION: 这台机器干啥的
#####################################
EOF
echo -e "\033[1;36mNo.$1 修复成功,请重新检查! \033[0m"
elif [ "$description" -eq 1 ];then
	echo -e "\033[1;36mNo.$1 配置文件中存在主机描述，请手动检查正确性！\033[0m"
else
	echo -e "\033[1;33m主机描述重复配置${description}次，请手动检查修复\033[0m"
fi
echo " "
echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
cat /etc/motd
echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
}


######################
#10.checkEdrStatus
######################
function checkEdrStatus(){
        echo ""
        echo "## $1. $2检查 ############################"
	if [ `ps -aux |grep edr|wc -l` -ge 2 ];then
		outLog ok $2
		#echo "杀毒软件状态已开启，符合要求"
	else
		outLog err $2
		#echo "杀毒软件状态未开启，不符合要求"
	fi
}

######################
#10.repairtEdr
######################
function repairtEdr(){
	echo -e "\033[1;36mNo.$1请联系安全团队手动修复!!\033[0m"
	echo -e "\033[1;33mEDR安装命令：\033[0m"
	echo -e "\033[1;33mwget --no-check-certificate https://10.15.32.15:4430/download_installer_linux.php -O linux_edr_installer.tar.gz && tar -xzvf linux_edr_installer.tar.gz && ./agent_installer.sh -c\033[0m"
}


#######################
#11.checkFirewallStatus
#######################
function checkFirewallStatus(){
        echo ""
        echo "## $1. $2检查 ############################"
    if [ -f /usr/bin/systemctl ];then
		if [ `systemctl status firewalld | grep 'active (running)' |wc -l` -eq 1 ];then
		outLog ok $2
        else
		outLog err $2	
        fi
    else
        outLog info "操作系统版本低，请升级或更新到主推版本"
    fi
}

#######################
#11.repairFirewall
#######################
function repairFirewall(){
echo -e "\e[1;31m依据端口开通情况，请手动修复!!\e[0m"
}


######################
#12.checkUserLoginSet
######################
function checkUserLoginSet(){   
        echo ""
        echo "## $1. $2检查 ############################"
	if [ `su - root -c env |grep  PS1|wc -l` -eq 1 ];then
		outLog ok $2
	else
		outLog err $2
	fi
}

######################
#12.repairUserLoginSet
######################
function repairUserLoginSet(){
echo -e "\033[1;33m修复配置文件路径：/etc/profile\033[0m"
Check_PS1=`cat /etc/profile |grep PS1`
if [ "$Check_PS1" ];then
echo -e "\033[1;31mNo.$1 配置已存在,无需重复修复! \033[0m"
echo -e "\033[1;36mNo.$1 修复成功,请重新检查! \033[0m"
source /etc/profile
else
cat <<EOF >> /etc/profile
user_id=\`id -u\`
if [ "\$user_id" = "0" ]; then
	export PS1='\$LOGNAME'"@"\$(hostname)":"'\$PWD'"#"
else
	export PS1='\$LOGNAME'"@"\$(hostname)":"'\$PWD'"$"
fi
EOF
fi
}


####################
#13.checkLockUser
####################
function checkLockUser(){
	echo ""
        echo "## $1. $2检查 ############################"
	flag=0
	checkuserlist=""
	UserList="bin daemon adm lp mail operator games ftp nobody systemd-bus-proxy systemd-network dbus polkitd abrt unbound tss libstoragemgmt rpc colord usbmuxd saslauth geoclue rtkit radvd rpcuser nfsnobody qemu chrony setroubleshoot pulse gdm gnome-initial-setup sshd avahi postfix ntp tcpdump mysql gluster"
	for _user in ${UserList};do
		if [ `grep ^${_user} /etc/passwd |wc -l` -eq 1 ];then
			if [ `passwd -S ${_user} | awk '{print $2}'` = "LK" ] ;then
				continue       
			else
				checkuserlist=${_user}" "${checkuserlist}
				flag=1
			fi
		fi
	done       
	if [ "$flag" -eq 0 ];then
		#echo "用户锁定检查通过，符合要求"
		outLog ok $2
	else
		echo "用户 ${checkuserlist}锁定检查未通过，不符合要求"
		outLog err $2
	fi
 
}

####################
#13.repairLockUser
####################
function repairLockUser(){
	UserList="bin daemon adm lp mail operator games ftp nobody systemd-bus-proxy systemd-network dbus polkitd abrt unbound tss libstoragemgmt rpc colord usbmuxd saslauth geoclue rtkit radvd rpcuser nfsnobody qemu chrony setroubleshoot pulse gdm gnome-initial-setup sshd avahi postfix ntp tcpdump mysql gluster"
	for _user in ${UserList};do
		if [ `grep ^${_user} /etc/passwd |wc -l` -eq 1 ];then				
			if [ `passwd -S ${_user} | awk '{print $2}'` = "LK" ] ;then
			continue
            else
			passwd -l ${_user}
            fi
        fi
	done
	echo -e "\033[1;36mNo.$1 修复成功,请重新检查! \033[0m"
}


##################
#   Check all
##################
function checkBaseLine(){
	getSystemStatus
	checkAccountStatus 1 账号策略
	checkPassComplexity 2 密码复杂度
	checkLoginLock 3 密码登录锁
	checkRootUid 4 root用户权限
	checkSshStatus 5 ssh策略检查
	checkTimeOut 6 登录超时时间
	checkHistorySize 7 历史命令记录条数设置
	checkNtpSet 8 NTP时钟同步
	checkSysConfigSet 9 系统管理员注释
	checkEdrStatus 10 杀毒软件状态
	checkFirewallStatus 11 防火墙状态
	checkUserLoginSet 12 用户登录配置
	checkLockUser 13 默认锁定用户
}
 

#############################################
#                 Main
#############################################
if [ "$#" -lt 1 ] || [ "$1" == "-h" ]; then
	Usage
else
	if [ "$1" == "check" ];then
		checkBaseLine | tee -a  $RESULTFILE
		echo
		echo "检查结果：$RESULTFILE"
	elif [ "$1" == "repair" ];then
		case $2 in
			1)
				repairAccount 1
			;;
			2)
				repairPassComplexity 2
			;;
			3)
				repairloginLock 3
			;;
			4)
				repairRootUid 4
			;;
			5)
				repairSshStatus 5
			;;
			6)
				repairTimeOut 6
			;;
			7)
				repairHistorySize 7
			;;
			8)
				repairNtpSet 8
			;;
			9)
				repairSysConfigSet 9
			;;
			10)
				repairtEdr 10
			;;
			11)
				repairFirewall 11
			;;
			12)
				repairUserLoginSet 12
			;;
			13)
				repairLockUser 13				
			;;
			all)
			echo "为避免风险,暂不支持全部修复."
			;;
			*)
			Usage
			echo -e "\e[31m`date` You input number it not exist! \e[0m"
    		;;
		esac
	fi
fi

posted @ 2022-10-21 14:26 Magiclala 阅读(548) 评论(0) 编辑收藏举报

会员力量，点亮园子希望

刷新页面返回顶部

Magiclala的博客

CentOS基线检测脚本

公告