服务器安全基线检查

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
!!!超强警告!!!该脚本修改范围与权限很大,请仔细阅读是否适用自己的系统,以避免对正常使用造成影响。该脚本修改范围与权限很大,请仔细阅读是否适用自己的系统,以避免对正常使用造成影响。该脚本修改范围与权限很大,请仔细阅读是否适用自己的系统,以避免对正常使用造成影响。#! /bin/bash
 
# Linux 服务器安全基线检测
 
# 更新记录:
#   2017.09.25 完成初版编辑   by tdcqma
#   2017.09.26 调通各个脚本检查项,添加检查类别与项目,并优化输出格式 by tdcqma
 
echo -e "\n\n        ***** Linux server baseline scan *****     \n\n"
 
# 设置hstory时间戳
echo "[1] 设置hstory时间戳"
histroy_time_user=`cat /etc/profile|grep HISTTIMEFORMAT`
if [ ! -z "histroy_time_user" ];then
 echo -e 'export HISTTIMEFORMAT="%F %T `whoami`" ' >> /etc/profile
 echo -e  `source /etc/profile`
fi
echo -e  "     -----------\n      设置成功!\n     -----------\n"
 
#暂锁默认自带账户
echo -e "[2] 暂锁默认自带账户\n"
passwd -l dbus
passwd -l vcsa
passwd -l games
passwd -l nobody
passwd -l avahi
passwd -l haldaemon
passwd -l gopher
passwd -l ftp
passwd -l mailnull
passwd -l mail
passwd -l shutdown
passwd -l halt
passwd -l uucp
passwd -l operator
passwd -l sync
passwd -l adm
passwd -l lp
echo -e  "\n     -----------\n      设置成功!\n     -----------\n"
 
 
#设置密码复杂度,ucredit/lcredit大小写,ocredit标点符号,dcredit数字,retry输入次数,difok新旧重复度
echo -e "[3] 设置密码复杂度\n"
if [ -z "`cat /etc/pam.d/system-auth | grep -v "^#" | grep "pam_cracklib.so"`" ];then
    sed -i '/password    required      pam_deny.so/a\password    required      pam_cracklib.so  try_first_pass minlen=8 ucredit=-1   lcredit=-1   ocredit=-1 dcredit=-1 retry=3 difok=5' /etc/pam.d/system-auth
fi
echo -e  "     -----------\n      设置成功!\n     -----------\n"
 
 
#设置连续登录失败暂锁机制,deny最大次数,unlock_time解锁时间(秒),但根据/lib/security 实际情况来
echo -e "[4] 设置连续登录失败暂锁机制\n"
if [ -z "`cat /etc/pam.d/system-auth | grep -v "^#" | grep "pam_tally2.so"`" ];then
    if [ -z "`cat /etc/pam.d/system-auth | grep -v "^#" | grep "pam_tally2.so" | grep auth`" ];then
        sed -i '/auth      include  system-auth/a\auth        required      pam_tally2.so deny=5 unlock_time=600 even_deny_root root_unlock_time=600' /etc/pam.d/system-auth
    fi
    if [ -z "`cat /etc/pam.d/system-auth | grep -v "^#" | grep "pam_tally2.so" | grep account`" ];
    then
        sed -i '/account    include      system-auth/a\account  required    pam_tally2.so' /etc/pam.d/system-auth
    fi
fi
 
if [ -z "`cat /etc/pam.d/sshd | grep -v "^#" | grep "pam_tally2.so"`" ];then
    if [ -z "`cat /etc/pam.d/sshd | grep -v "^#" | grep "pam_tally2.so" | grep auth`" ];then
        sed -i '/auth        required      pam_deny.so/a\auth        required      pam_tally2.so deny=5 unlock_time=600 even_deny_root root_unlock_time=600' /etc/pam.d/sshd
    fi
    if [ -z "`cat /etc/pam.d/sshd | grep -v "^#" | grep "pam_tally2.so"` | grep account" ];then
        sed -i '/account     required      pam_unix.so/a\account    required    pam_tally2.so' /etc/pam.d/sshd
    fi
fi
echo -e  "     -----------\n      设置成功!\n     -----------\n"
 
#检查密码重复使用次数
echo -e "[5] 检查密码重复使用次数\n"
if [ -z "`cat /etc/pam.d/system-auth | grep password | grep remember`" ];then
    sed -i '/password    sufficient    pam_unix.so/s/$/& remember=5/' /etc/pam.d/system-auth
fi
echo -e  "     -----------\n      设置成功!\n     -----------\n"
 
#设置操作超时锁定
echo -e "[6] 设置操作超时锁定\n"
if [ -z "`cat /etc/profile | grep -v "^#" | grep TMOUT`" ];then
    echo -e "\nexport TMOUT=1800" >> /etc/profile
fi
echo -e  "     -----------\n      设置成功!\n     -----------\n"
 
 
#修改密码时效
echo -e "[7] 设置修改密码时效\n"
sed -i '/PASS_WARN_AGE/s/7/10/' /etc/login.defs
sed -i '/PASS_MIN_LEN/s/5/8/' /etc/login.defs
#sed -i '/PASS_MAX_DAYS/s/99999/90/' /etc/login.defs
sed -i '/PASS_MIN_DAYS/s/0/6/' /etc/login.defs
echo -e  "     -----------\n      设置成功!\n     -----------\n"
 
#修改默认访问权限
echo -e "[8] 设置修改默认访问权限\n"
sed -i '/UMASK/s/077/027/' /etc/login.defs
echo -e  "     -----------\n      设置成功!\n     -----------\n"
 
#设置重要文件目录权限
echo -e "[9] 设置修改重要文件目录权限\n"
chmod 644 /etc/passwd  
chmod 600 /etc/xinetd.conf &>/dev/null
chmod 600 /etc/inetd.conf &>/dev/null   
chmod 644 /etc/group &>/dev/null
chmod 000 /etc/shadow &>/dev/null
chmod 644 /etc/services &>/dev/null
chmod 600 /etc/security &>/dev/null
chmod 750 /etc/ &>/dev/null  #启动了nscd服务导致设置权限以后无法登陆
chmod 750 /etc/rc6.d &>/dev/null
chmod 750 /tmp &>/dev/null
chmod 750 /etc/rc0.d/ &>/dev/null
chmod 750 /etc/rc1.d/ &>/dev/null
chmod 750 /etc/rc2.d/ &>/dev/null
chmod 750 /etc/rc4.d &>/dev/null
chmod 750 /etc/rc5.d/ &>/dev/null
chmod 750 /etc/rc3.d   
chmod 750 /etc/rc.d/init.d/
chmod 600 /etc/grub.conf
chmod 600 /boot/grub/grub.conf
chmod 600 /etc/lilo.conf &>/dev/null
chmod 700 /bin/ping
chmod 700 /usr/bin/finger &>/dev/null
chmod 700 /usr/bin/who
chmod 700 /usr/bin/w
chmod 700 /usr/bin/locate
chmod 700 /usr/bin/whereis
chmod 700 /sbin/ifconfig
chmod 700 /usr/bin/pico &>/dev/null
chmod 700 /bin/vi
chmod 700 /usr/bin/which
chmod 700 /usr/bin/gcc
chmod 700 /usr/bin/make
chmod 700 /bin/rpm
echo -e  "     -----------\n      设置成功!\n     -----------\n"
 
#检查用户umask设置
echo -e "[10] 设置修改用户umask配置\n"
sed -i '/umask/s/002/077/' /etc/csh.cshrc
sed -i '/umask/s/002/077/' /etc/bashrc
sed -i '/umask/s/002/077/' /etc/profile
csh_login=`cat /etc/csh.login | grep -i "umask"`
if [ -z "$csh_login" ];then
    echo -e "/numask 077" >>/etc/csh.login
fi
echo -e  "     -----------\n      设置成功!\n     -----------\n"
 
#检查是否设置ssh登录前告警banner
echo -e "[11] 设置SSH登录前告警Banner\n"
sshbanner="/etc/ssh_banner"
if [ ! -f "$sshbanner" ];then
    touch /etc/ssh_banner
    chown bin:bin /etc/ssh_banner
    chmod 644 /etc/ssh_banner
    echo -e "Authorized only.All activity will be monitored and reported" > /etc/ssh_banner
    echo -e "Banner /etc/ssh_banner" >> /etc/ssh/sshd_config
    /etc/init.d/sshd restart
fi
echo -e  "     -----------\n      设置成功!\n     -----------\n"
 
#设置最大失败尝试登陆次数
echo -e "[12] 设置最大失败尝试登录次数\n"
sed -i "s/#MaxAuthTries 6/MaxAuthTries 6/" /etc/ssh/sshd_config
#使用dns反向解析
sed -i "s/#UseDNS yes/UseDNS no/" /etc/ssh/sshd_config
echo -e  "     -----------\n      设置成功!\n     -----------\n"
 
#FTP关闭
echo -e "[13] 设置关闭FTP\n"
ftpstatus= echo -e "`/etc/init.d/vsftpd status`|grep stop"
if [ ! -z "ftpstatus" ];then
 echo -e `/etc/init.d/vsftpd stop`
fi
echo -e  "     -----------\n      设置成功!\n     -----------\n"
 
#检查重要文件属性设置
echo -e "[14] 设置重要文件属性\n"
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
chattr +a /root/.bash_history
echo -e  "     -----------\n      设置成功!\n     -----------\n"
 
#审计服务开启
echo -e "[15] 设置开启审计服务\n"
log_auditd= echo -e "`/etc/init.d/auditd status`|grep stop"
if [ ! -z "log_auditd" ];then
 echo -e `/etc/init.d/auditd start`
fi
echo -e  "     -----------流量\n      设置成功!\n     -----------\n"
 
#日志审计设置
echo -e "[16] 设置日志审计\n"
if [ ! -f "/etc/rsyslog.conf" ] && [ ! -f "/etc/syslog.conf" ] && [ ! -f "/etc/syslog-ng/syslog-ng.conf" ];then
    echo "{tput setaf 1}syslog not installed!!!${tput sgr0}"
    exit
fi
 
if [ ! -f "/var/log/cron" ];then
    touch /var/log/cron
    chmod 775 /var/log/cron
fi
 
if [ ! -f "/var/adm/messages" ];then
    mkdir /var/adm
    touch /var/adm/messages
    chmod 666 /var/adm/messages
fi
 
if [ -f "/etc/rsyslog.conf" ];then
    if [ -z "`cat /etc/rsyslog.conf | grep "^cron.*" | grep "/var/log/cron"`" ];then
        echo -e "cron.*        /var/log/cron" >> /etc/rsyslog.conf
    fi
    if [ -z "`cat /etc/rsyslog.conf | grep "/var/adm/messages"`" ];then
        echo -e "*.err;kern.debug;daemon.notice   /var/adm/messages" >>/etc/rsyslog.conf
    fi
fi
echo -e  "     -----------\n      设置成功!\n     -----------\n"
 
 
#禁止wheel组以外的用户su为root
echo -e "[17] 设置禁止wheel组以外的用户su为root\n"
if [ -z "`cat /etc/pam.d/su | grep -v "^#" | grep pam_wheel.so`" ];then
    if [ -z "`cat /etc/pam.d/su | grep -v "^#" | grep pam_rootok.so`" ];then
        sed -i 'auth            sufficient      pam_rootok.so' /etc/pam.d/su
        sed -i '/
        pam_rootok.so/a\auth            required        pam_wheel.so group=wheel' /etc/pam.d/su
    else
        sed -i '/pam_rootok.so/a\auth            required        pam_wheel.so group=wheel' /etc/pam.d/su
    fi
fi
echo -e  "     -----------\n      设置成功!\n     -----------\n"
 
 
#禁止core dump 设置
echo -e "[18] 设置禁止coredump\n"
chk_core=`grep core /etc/security/limits.conf | grep -v "^#"`
if [ -z "$chk_core" ];then
    echo "*               soft    core            0"  >> /etc/security/limits.conf
    echo "*               hard    core            0"  >> /etc/security/limits.conf
fi
echo -e  "     -----------\n      设置成功!\n     -----------\n"
 
#uid和sgid权限文件并修改文件权限为755
echo -e "[19] 设置uid和sgid权限文件\n"
find /usr/bin/chage /usr/bin/gpasswd /usr/bin/wall /usr/bin/chfn /usr/bin/chsh /usr/bin/newgrp /usr/bin/write /usr/sbin/usernetctl /bin/mount /bin/umount /bin/ping /sbin/netreport -type f -perm /600 | xargs chmod 755 /usr/bin/chage /usr/bin/gpasswd /usr/bin/wall /usr/bin/chfn /usr/bin/chsh /usr/bin/newgrp /usr/bin/write /usr/sbin/usernetctl /bin/mount /bin/umount /bin/ping /sbin/netreport
echo -e  "     -----------\n      设置成功!\n     -----------\n"
 
 
echo -e "       --All scan is over--        \n"

  以上脚本完成基于Linux发行版:Red Hat Enterprise Linux Server release 6.1

posted @   北海悟空  阅读(1653)  评论(0编辑  收藏  举报
点击右上角即可分享
微信分享提示