服务器安全基线检查
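#!/bin/bash
# Linux server security baseline hardening (written against RHEL 6.1).
#
# !!! STRONG WARNING !!!  This script modifies a large number of system files
# and permissions (PAM stacks, sshd_config, login.defs, /etc permissions,
# chattr +i on the account databases).  Read every section and confirm it is
# suitable for your system before running it, otherwise normal use of the
# machine may break.
#
# Change log:
#   2017.09.25 initial version by tdcqma
#   2017.09.26 verified every check item, added categories, tidied output by tdcqma
#
# Review notes on behaviour that is easy to trip over:
#   - Section [9] sets /etc to 750; the original author notes that with nscd
#     running this can make logins fail.
#   - Section [14] makes /etc/passwd, /etc/shadow, /etc/group and
#     /etc/gshadow immutable; useradd/usermod/passwd will fail (and users
#     cannot change expired passwords) until `chattr -i` is run on them.
#   - Sections [9] and [19] both touch /bin/ping; [19] runs last, so ping
#     ends up 755 with the setuid bit cleared.
#   - Every file edited in place gets a one-off copy named
#     <file>.bak-<timestamp> so the change can be reverted.

set -u

readonly pam_sys=/etc/pam.d/system-auth
readonly pam_sshd=/etc/pam.d/sshd
readonly pam_su=/etc/pam.d/su
readonly sshd_cfg=/etc/ssh/sshd_config
readonly login_defs=/etc/login.defs
readonly run_ts=$(date +%Y%m%d%H%M%S)

# Print a message to stderr and abort.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Print a section heading in the same layout as the original script.
section() {
  printf '%s\n\n' "$1"
}

# Print the original "setting done" trailer.
ok() {
  printf ' -----------\n 设置成功!\n -----------\n\n'
}

# Keep a timestamped copy of $1 before the script edits it in place.
# cp -n never overwrites, so only the first copy per run is kept.
backup() {
  [ -f "$1" ] && cp -n -- "$1" "$1.bak-$run_ts"
}

# Return 0 when an uncommented line of file $1 matches basic regex $2.
has_active() {
  grep -v '^[[:space:]]*#' -- "$1" 2>/dev/null | grep -q -- "$2"
}

# Insert PAM directive $3 before the line(s) of file $1 matching regex $2,
# unless regex $4 already matches an active line of that file.  The original
# sed calls silently did nothing when their anchor was absent; warn instead.
pam_add_before() {
  local file=$1 anchor=$2 line=$3 present=$4
  has_active "$file" "$present" && return 0
  if ! grep -q -- "$anchor" "$file"; then
    printf 'warning: %s: anchor /%s/ not found, line not added: %s\n' "$file" "$anchor" "$line" >&2
    return 1
  fi
  backup "$file"
  sed -i "/$anchor/i\\$line" "$file"
}

# Set directive $1 in /etc/login.defs to value $2, anchored on the directive
# name so the result does not depend on the current value (the original
# replaced the first "7"/"5"/"0"/"077" found on the line).
set_login_def() {
  sed -i "s/^\($1[[:space:]]\+\).*/\1$2/" "$login_defs"
}

[ "$(id -u)" -eq 0 ] || die "this script must run as root"

printf '\n\n ***** Linux server baseline scan ***** \n\n\n'

# [1] timestamp every shell history line via HISTTIMEFORMAT in /etc/profile.
echo "[1] 设置hstory时间戳"
# The original tested the literal string "histroy_time_user", which is never
# empty, so the export was appended on every run; test the file instead.
if ! grep -q HISTTIMEFORMAT /etc/profile; then
  backup /etc/profile
  # single quotes keep the backticks literal so `whoami` runs at login time
  printf '%s\n' 'export HISTTIMEFORMAT="%F %T `whoami`" ' >> /etc/profile
fi
ok

# [2] lock the default system accounts that must never log in interactively.
section "[2] 暂锁默认自带账户"
for acct in dbus vcsa games nobody avahi haldaemon gopher ftp mailnull mail \
    shutdown halt uucp operator sync adm lp; do
  # skip accounts that do not exist on this system instead of printing errors
  id "$acct" >/dev/null 2>&1 && passwd -l "$acct"
done
ok

# [3] password complexity via pam_cracklib: ucredit/lcredit = upper/lower
# case, ocredit = symbols, dcredit = digits, retry = attempts, difok =
# characters that must differ from the old password.
section "[3] 设置密码复杂度"
# pam_cracklib must run before pam_unix (which actually sets the password);
# the original appended it after pam_deny, where the stack never reaches it.
pam_add_before "$pam_sys" \
  '^password[[:space:]]\+sufficient[[:space:]]\+pam_unix\.so' \
  'password    required      pam_cracklib.so try_first_pass minlen=8 ucredit=-1 lcredit=-1 ocredit=-1 dcredit=-1 retry=3 difok=5' \
  'pam_cracklib\.so'
ok

# [4] lock accounts after repeated failed logins: deny = attempts,
# unlock_time = seconds; adjust to what your /lib/security provides.
section "[4] 设置连续登录失败暂锁机制"
tally_auth='auth        required      pam_tally2.so deny=5 unlock_time=600 even_deny_root root_unlock_time=600'
tally_acct='account     required      pam_tally2.so'
# pam_tally2 must precede pam_unix in both the auth and account stacks
pam_add_before "$pam_sys" '^auth[[:space:]]\+sufficient[[:space:]]\+pam_unix\.so' "$tally_auth" '^auth.*pam_tally2\.so'
pam_add_before "$pam_sys" '^account[[:space:]]\+required[[:space:]]\+pam_unix\.so' "$tally_acct" '^account.*pam_tally2\.so'
# sshd pulls the common stacks in through "include"; place pam_tally2 ahead of it
pam_add_before "$pam_sshd" '^auth[[:space:]]\+include' "$tally_auth" '^auth.*pam_tally2\.so'
pam_add_before "$pam_sshd" '^account[[:space:]]\+include' "$tally_acct" '^account.*pam_tally2\.so'
ok

# [5] remember the last 5 passwords so they cannot be reused.
section "[5] 检查密码重复使用次数"
if ! has_active "$pam_sys" '^password.*remember='; then
  backup "$pam_sys"
  # whitespace-tolerant anchor: the stock file pads its columns with spaces
  sed -i '/^password[[:space:]]\+sufficient[[:space:]]\+pam_unix\.so/s/$/ remember=5/' "$pam_sys"
fi
ok

# [6] idle shell timeout (seconds).  NOTE(review): as written users can still
# unset TMOUT in their own shell; left as the author wrote it.
section "[6] 设置操作超时锁定"
if ! has_active /etc/profile TMOUT; then
  backup /etc/profile
  printf '\nexport TMOUT=1800\n' >> /etc/profile
fi
ok

# [7] password ageing in /etc/login.defs.
section "[7] 设置修改密码时效"
backup "$login_defs"
set_login_def PASS_WARN_AGE 10
set_login_def PASS_MIN_LEN 8
# PASS_MAX_DAYS 90 was commented out by the original author; left disabled.
#set_login_def PASS_MAX_DAYS 90
set_login_def PASS_MIN_DAYS 6
ok

# [8] default umask for new accounts (the author relaxes 077 to 027).
section "[8] 设置修改默认访问权限"
set_login_def UMASK 027
ok

# [9] permissions on important files and directories.  Paths that may not
# exist on every system have their errors silenced, as in the original.
section "[9] 设置修改重要文件目录权限"
chmod 644 /etc/passwd
chmod 600 /etc/xinetd.conf 2>/dev/null
chmod 600 /etc/inetd.conf 2>/dev/null
chmod 644 /etc/group 2>/dev/null
chmod 000 /etc/shadow 2>/dev/null
chmod 644 /etc/services 2>/dev/null
# NOTE(review): /etc/security is a directory; 600 removes the execute bit,
# confirm nothing running as a non-root user needs to read below it.
chmod 600 /etc/security 2>/dev/null
# Original author's note: with the nscd service running, this setting makes
# logins fail.
chmod 750 /etc/ 2>/dev/null
for d in /etc/rc0.d /etc/rc1.d /etc/rc2.d /etc/rc3.d /etc/rc4.d /etc/rc5.d \
    /etc/rc6.d /etc/rc.d/init.d /tmp; do
  chmod 750 "$d" 2>/dev/null
done
chmod 600 /etc/grub.conf
chmod 600 /boot/grub/grub.conf
chmod 600 /etc/lilo.conf 2>/dev/null
# These tools become root-only; confirm that matches what your users need.
for bin in /bin/ping /usr/bin/finger /usr/bin/who /usr/bin/w /usr/bin/locate \
    /usr/bin/whereis /sbin/ifconfig /usr/bin/pico /bin/vi /usr/bin/which \
    /usr/bin/gcc /usr/bin/make /bin/rpm; do
  [ -e "$bin" ] && chmod 700 "$bin"
done
ok

# [10] tighten the umask in the system-wide shell rc files.
section "[10] 设置修改用户umask配置"
for rc in /etc/csh.cshrc /etc/bashrc /etc/profile; do
  backup "$rc"
  # only the "002" (user-private-group) branch is changed, as in the original
  sed -i '/umask/s/002/077/' "$rc"
done
if ! grep -qi umask /etc/csh.login 2>/dev/null; then
  # the original wrote the literal text "/numask 077"; "\n" was intended
  printf '\numask 077\n' >> /etc/csh.login
fi
ok

# [11] pre-login warning banner for sshd.
section "[11] 设置SSH登录前告警Banner"
# The original had "sshbanner= /etc/ssh_banner", which runs the path as a
# command instead of assigning it.
sshbanner=/etc/ssh_banner
if [ ! -f "$sshbanner" ]; then
  printf '%s\n' "Authorized only.All activity will be monitored and reported" > "$sshbanner"
  chown bin:bin "$sshbanner"
  chmod 644 "$sshbanner"
fi
# reference the banner from sshd_config only once, even if the file existed
if ! has_active "$sshd_cfg" '^Banner[[:space:]]'; then
  backup "$sshd_cfg"
  printf 'Banner %s\n' "$sshbanner" >> "$sshd_cfg"
fi
ok

# [12] cap authentication attempts per connection and disable reverse DNS
# lookups of clients.
section "[12] 设置最大失败尝试登录次数"
backup "$sshd_cfg"
sed -i 's/^#MaxAuthTries 6/MaxAuthTries 6/' "$sshd_cfg"
sed -i 's/^#UseDNS yes/UseDNS no/' "$sshd_cfg"
# Validate the edited configuration before reloading so a bad edit cannot
# lock remote administrators out; reload keeps existing sessions open.
if /usr/sbin/sshd -t; then
  /etc/init.d/sshd reload
else
  printf 'warning: %s failed validation, sshd not reloaded\n' "$sshd_cfg" >&2
fi
ok

# [13] stop the FTP service.
section "[13] 设置关闭FTP"
# The original assigned "ftpstatus= echo ..." and then tested a literal
# string, so the stop ran unconditionally; stop only when it is running.
if [ -x /etc/init.d/vsftpd ] && ! /etc/init.d/vsftpd status 2>/dev/null | grep -q stop; then
  /etc/init.d/vsftpd stop
fi
ok

# [14] file attributes: +i immutable (see header note), +a append-only.
section "[14] 设置重要文件属性"
chattr +i /etc/passwd /etc/shadow /etc/group /etc/gshadow
chattr +a /root/.bash_history
ok

# [15] make sure auditd is running.
section "[15] 设置开启审计服务"
if [ -x /etc/init.d/auditd ] && /etc/init.d/auditd status 2>/dev/null | grep -q stop; then
  /etc/init.d/auditd start
fi
ok

# [16] log destinations for cron and error messages.
section "[16] 设置日志审计"
if [ ! -f /etc/rsyslog.conf ] && [ ! -f /etc/syslog.conf ] && [ ! -f /etc/syslog-ng/syslog-ng.conf ]; then
  # the original lacked "$(" around tput and exited with status 0
  die "$(tput setaf 1 2>/dev/null)syslog not installed!!!$(tput sgr0 2>/dev/null)"
fi
if [ ! -f /var/log/cron ]; then
  touch /var/log/cron
  # NOTE(review): group-writable log file, kept as the author wrote it
  chmod 775 /var/log/cron
fi
if [ ! -f /var/adm/messages ]; then
  mkdir -p /var/adm
  touch /var/adm/messages
  # NOTE(review): 666 makes the log world-writable, so any local user can
  # alter it; the syslog daemon writes as root and does not need this.
  chmod 666 /var/adm/messages
fi
if [ -f /etc/rsyslog.conf ]; then
  rsyslog_changed=0
  if ! has_active /etc/rsyslog.conf '^cron\.\*.*/var/log/cron'; then
    backup /etc/rsyslog.conf
    printf '%s\n' 'cron.* /var/log/cron' >> /etc/rsyslog.conf
    rsyslog_changed=1
  fi
  if ! grep -q /var/adm/messages /etc/rsyslog.conf; then
    backup /etc/rsyslog.conf
    printf '%s\n' '*.err;kern.debug;daemon.notice /var/adm/messages' >> /etc/rsyslog.conf
    rsyslog_changed=1
  fi
  # rsyslog reads its configuration only at start; apply any additions
  if [ "$rsyslog_changed" -eq 1 ] && [ -x /etc/init.d/rsyslog ]; then
    /etc/init.d/rsyslog restart
  fi
fi
ok

# [17] only members of group wheel may su to root.
section "[17] 设置禁止wheel组以外的用户su为root"
if ! has_active "$pam_su" 'pam_wheel\.so'; then
  backup "$pam_su"
  if ! has_active "$pam_su" 'pam_rootok\.so'; then
    # the original ran "sed -i 'auth sufficient pam_rootok.so'", which is not
    # a valid sed script; put pam_rootok at the top of the stack instead
    sed -i '1i\auth        sufficient    pam_rootok.so' "$pam_su"
  fi
  sed -i '/^auth[[:space:]]\+sufficient[[:space:]]\+pam_rootok\.so/a\auth        required      pam_wheel.so group=wheel' "$pam_su"
fi
if [ -z "$(getent group wheel | cut -d: -f4)" ]; then
  printf 'warning: group wheel has no members; only root itself can now su to root\n' >&2
fi
ok

# [18] disable core dumps for every account.
section "[18] 设置禁止coredump"
if ! has_active /etc/security/limits.conf core; then
  backup /etc/security/limits.conf
  printf '%s\n' '* soft core 0' '* hard core 0' >> /etc/security/limits.conf
fi
ok

# [19] clear setuid/setgid on the listed binaries (755 drops both bits).
section "[19] 设置uid和sgid权限文件"
# The original piped find into "xargs chmod 755 <same list>", which chmods
# the list regardless of what find returned; do that directly, skipping
# paths that do not exist.  Without setuid, non-root users can no longer use
# these tools (e.g. ping, or mount of fstab "user" entries); confirm first.
for bin in /usr/bin/chage /usr/bin/gpasswd /usr/bin/wall /usr/bin/chfn \
    /usr/bin/chsh /usr/bin/newgrp /usr/bin/write /usr/sbin/usernetctl \
    /bin/mount /bin/umount /bin/ping /sbin/netreport; do
  [ -f "$bin" ] && chmod 755 "$bin"
done
ok

printf ' --All scan is over-- \n\n'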
以上脚本完成基于Linux发行版:Red Hat Enterprise Linux Server release 6.1