linux加固脚本

环境：linux

1、日常加固

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82

[root@smartcommunity-master01 tmp]# more jg.sh #! /bin/bash # copyright by hwb # Function:对账户的密码的一些加固 read -p "设置密码最多可多少天不修改：" A read -p "设置密码修改之间最小的天数：" B read -p "设置密码最短的长度：" C read -p "设置密码失效前多少天通知用户：" D sed -i '/^PASS_MAX_DAYS/c\PASS_MAX_DAYS '$A'' /etc/login.defs sed -i '/^PASS_MIN_DAYS/c\PASS_MIN_DAYS '$B'' /etc/login.defs sed -i '/^PASS_MIN_LEN/c\PASS_MIN_LEN '$C'' /etc/login.defs sed -i '/^PASS_WARN_AGE/c\PASS_WARN_AGE '$D'' /etc/login.defs echo "已对密码进行加固，新用户不得和旧密码相同，且新密码必须同时包含数字、小写字母，大写字母！！" sed -i '/pam_pwquality.so/c\password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= difok=1 minlen =8 ucredit=-1 lcredit=-1 dcredit=-1' /etc/pam.d/system-auth echo "已对密码进行加固，如果输入错误密码超过3次，则锁定账户！！" n=`cat /etc/pam.d/sshd | grep "auth required pam_tally2.so "|wc -l` if [ $n -eq 0 ];then sed -i '/%PAM-1.0/a\auth required pam_tally2.so deny=3 unlock_time=150 even_deny_root root_unlock_time300' /etc/pam.d/sshd fi echo "已设置禁止root用户远程登录！！" sed -i '/PermitRootLogin/c\PermitRootLogin no' /etc/ssh/sshd_config read -p "设置历史命令保存条数：" E read -p "设置账户自动注销时间：" F sed -i '/^HISTSIZE/c\HISTSIZE='$E'' /etc/profile sed -i '/^HISTSIZE/a\TMOUT='$F'' /etc/profile echo "已设置只允许wheel组的用户可以使用su命令切换到root用户！" sed -i '/pam_wheel.so use_uid/c\auth required pam_wheel.so use_uid ' /etc/pam.d/su n=`cat /etc/login.defs | grep SU_WHEEL_ONLY | wc -l` if [ $n -eq 0 ];then echo SU_WHEEL_ONLY yes >> /etc/login.defs fi echo "即将对系统中的账户进行检查...." echo "系统中有登录权限的用户有：" awk -F: '($7=="/bin/bash"){print $1}' /etc/passwd echo "********************************************" echo "系统中UID=0的用户有：" awk -F: '($3=="0"){print $1}' /etc/passwd echo "********************************************" N=`awk -F: '($2==""){print $1}' /etc/shadow|wc -l` echo "系统中空密码用户有：$N" if [ $N -eq 0 ];then  echo "恭喜你，系统中无空密码用户！！"  echo "********************************************" else  i=1  while [ $N -gt 0 ]  do  None=`awk -F: '($2==""){print $1}' /etc/shadow|awk 'NR=='$i'{print}'`  echo "------------------------"  echo $None  echo "必须为空用户设置密码！！"  passwd $None  let N--  done  M=`awk -F: '($2==""){print $1}' /etc/shadow|wc -l`  if [ $M -eq 0 ];then  echo "恭喜，系统中已经没有空密码用户了！"  else echo "系统中还存在空密码用户：$M"  fi fi echo "即将对系统中重要文件进行锁定，锁定后将无法添加删除用户和组" read -p "警告：此脚本运行后将无法添加删除用户和组！！确定输入Y，取消输入N；Y/N：" i case $i in  [Y,y])  chattr +i /etc/passwd  chattr +i /etc/shadow  chattr +i /etc/group  chattr +i /etc/gshadow  echo "锁定成功！" ;;  [N,n])  chattr -i /etc/passwd  chattr -i /etc/shadow  chattr -i /etc/group  chattr -i /etc/gshadow  echo "取消锁定成功！！" ;;  *)  echo "请输入Y/y or N/n" esac

2、开启操作日志记录

?

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

1，修改/etc/profile文件 [root@CentOS7-2 ~]# vi /etc/profile  //追加如下内容     USER=`whoami`  USER_IP=`who -u am i 2>/dev/null| awk '{print $NF}'|sed -e 's/[()]//g'`  if [ "$USER_IP" = "" ]; then  USER_IP=`hostname`  fi  if [ ! -d /var/log/history ]; then  mkdir /var/log/history  chmod 777 /var/log/history  fi  if [ ! -d /var/log/history/${LOGNAME} ]; then  mkdir /var/log/history/${LOGNAME}  chmod 300 /var/log/history/${LOGNAME}  fi  export HISTSIZE=4096  DT=`date +"%Y%m%d_%H:%M:%S"`  export HISTFILE="/var/log/history/${LOGNAME}/${USER}@${USER_IP}_$DT"  chmod 600 /var/log/history/${LOGNAME}/*history* 2>/dev/null   2，使/etc/profile生效 [root@CentOS7-2 ~]# source /etc/profile   3，查看 [root@CentOS7-2 ~]# ll /var/log/history/ total 0 d-wx------ 2 root root 6 Jun  1 13:02 root