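#!/bin/bash
##############################################################################################################################
# Host hardening baseline (dnf-based distribution; GNU sed and systemd assumed). Run as root.
#   1. Password ageing in /etc/login.defs: max age 90 days, PASS_MIN_LEN 8, 7-day expiry warning.
#   2. Password complexity in /etc/security/pwquality.conf: minlen 12, all four character classes
#      (upper, lower, digit, other) required.
#   3. Login failure handling via pam_faillock: 5 failures -> 10-minute lock, root included.
#   4. Idle shell timeout: TMOUT=600 (10 minutes) for all users, made read-only.
#   5. Local log retention: logrotate keeps ~6 months.
#   6. Root SSH login disabled (only if the non-root admin account exists, see ADMIN_USER).
#   7. rsyslog and auditd enabled and started.
#   8. sshd PAM authentication enabled.
#   9. Basic system tools installed.
#
# Every file is copied into BACKUP_DIR before it is edited; sshd_config is validated with
# "sshd -t" and restored from that backup if validation fails, so a typo cannot cut remote access.
#
# NOTE(review): item 1 (PASS_MIN_LEN 8) and item 2 (minlen 12) differ in the original baseline
# text and are kept as-is; with pam_pwquality in the stack the pam minlen is what users hit —
# confirm which floor the policy owner actually wants and keep the two in step.
##############################################################################################################################
set -euo pipefail

# ---------------------------------------------------------------------------
# Policy parameters
# ---------------------------------------------------------------------------
readonly LOGIN_DEFS_POLICY_MAX_DAYS="PASS_MAX_DAYS 90"
readonly LOGIN_DEFS_POLICY_MIN_DAYS="PASS_MIN_DAYS 0"
readonly LOGIN_DEFS_POLICY_MIN_LEN="PASS_MIN_LEN 8"
readonly LOGIN_DEFS_POLICY_WARN_AGE="PASS_WARN_AGE 7"

readonly PWQUALITY_POLICY_MINLEN="minlen = 12"
readonly PWQUALITY_POLICY_MINCLASS="minclass = 4"
readonly PWQUALITY_POLICY_DCREDIT="dcredit = -1"
readonly PWQUALITY_POLICY_UCREDIT="ucredit = -1"
readonly PWQUALITY_POLICY_LCREDIT="lcredit = -1"
readonly PWQUALITY_POLICY_OCREDIT="ocredit = -1"
readonly PWQUALITY_POLICY_FOR_ROOT="enforce_for_root"
readonly PWQUALITY_POLICY_DIFOK="difok = 5"
readonly PWQUALITY_RETRY=5

readonly FAILLOCK_DENY=5
readonly FAILLOCK_UNLOCK_TIME=600
readonly TMOUT_SECONDS=600
readonly LOG_RETENTION_MONTHS=6
# Non-root account that must exist before root SSH login is switched off (override via env).
readonly ADMIN_USER="${ADMIN_USER:-scloudadmin}"

readonly LOGIN_DEFS=/etc/login.defs
readonly PWQUALITY_CONF=/etc/security/pwquality.conf
readonly PAM_FILES=(/etc/pam.d/system-auth /etc/pam.d/password-auth)
readonly PROFILE=/etc/profile
readonly LOGROTATE_CONF=/etc/logrotate.conf
readonly SSHD_CONFIG=/etc/ssh/sshd_config
readonly BACKUP_DIR="/root/hardening-backup-$(date +%Y%m%d-%H%M%S)"
readonly TOOL_PACKAGES=(sysstat ipmitool vim pciutils net-tools)

# Set to 1 once PermitRootLogin no has actually been written.
ROOT_LOGIN_DISABLED=0

# ---------------------------------------------------------------------------
# Helpers
# ---------------------------------------------------------------------------
die()  { printf '错误: %s\n' "$*" >&2; exit 1; }
warn() { printf '警告: %s\n' "$*" >&2; }
info() { printf '%s\n' "$*"; }

# backup_file FILE — copy FILE (symlinks dereferenced, mode preserved) into BACKUP_DIR
# once, before its first edit. Backups live outside /etc so they are never read as config.
backup_file() {
  local file=$1
  [[ -e "$file" ]] || die "${file} 不存在"
  mkdir -p -m 0700 -- "$BACKUP_DIR"
  [[ -e "${BACKUP_DIR}/$(basename -- "$file")" ]] || cp -L -p -- "$file" "$BACKUP_DIR/"
}

# set_directive FILE KEY LINE — make LINE the active "KEY ..." setting in FILE.
# An active "KEY ..." / "KEY=..." line is rewritten; otherwise a commented "# KEY ..."
# line is replaced; otherwise LINE is appended. KEY and LINE must not contain sed
# metacharacters ('/', '&', '\').
set_directive() {
  local file=$1 key=$2 line=$3
  local active="^${key}([[:space:]]|=|$)"
  local commented="^#[[:space:]]*${key}([[:space:]]|=|$)"
  if grep -Eq "$active" "$file"; then
    sed -ri "s/${active}.*/${line}/" "$file"
  elif grep -Eq "$commented" "$file"; then
    sed -ri "s/${commented}.*/${line}/" "$file"
  else
    printf '%s\n' "$line" >> "$file"
  fi
}

# set_sshd_directive KEY VALUE — like set_directive for sshd_config, except that a
# brand-new directive is placed before the first "Match" block: anything appended
# after a Match block would only apply inside that block. Only column-0 lines are
# touched so settings inside Match blocks are left alone.
set_sshd_directive() {
  local key=$1 value=$2
  if grep -Eq "^(#[[:space:]]*)?${key}[[:space:]]" "$SSHD_CONFIG"; then
    set_directive "$SSHD_CONFIG" "$key" "${key} ${value}"
  elif grep -Eq '^Match[[:space:]]' "$SSHD_CONFIG"; then
    sed -ri "0,/^Match[[:space:]]/s//${key} ${value}\n&/" "$SSHD_CONFIG"
  else
    printf '%s %s\n' "$key" "$value" >> "$SSHD_CONFIG"
  fi
}

# sshd_effective KEY — the value sshd would actually use for KEY (per "sshd -T",
# which folds in Include'd drop-ins), or empty if it cannot be determined.
sshd_effective() {
  sshd -T 2>/dev/null | awk -v k="$1" 'tolower($1) == tolower(k) { print $2; exit }'
}

# verify_sshd_option KEY EXPECTED — warn when the effective value differs from what we wrote.
verify_sshd_option() {
  local key=$1 expected=$2 actual
  actual=$(sshd_effective "$key" || true)
  if [[ "$actual" != "$expected" ]]; then
    warn "sshd 实际生效的 ${key} 为 '${actual:-未知}' 而非 '${expected}',可能被 /etc/ssh/sshd_config.d/ 中的配置覆盖,请检查"
  fi
}

# ---------------------------------------------------------------------------
# 1. Password ageing (/etc/login.defs)
# ---------------------------------------------------------------------------
configure_login_defs() {
  info "正在编辑 ${LOGIN_DEFS} 文件..."
  backup_file "$LOGIN_DEFS"
  set_directive "$LOGIN_DEFS" PASS_MAX_DAYS "$LOGIN_DEFS_POLICY_MAX_DAYS"
  set_directive "$LOGIN_DEFS" PASS_MIN_DAYS "$LOGIN_DEFS_POLICY_MIN_DAYS"
  set_directive "$LOGIN_DEFS" PASS_MIN_LEN  "$LOGIN_DEFS_POLICY_MIN_LEN"
  set_directive "$LOGIN_DEFS" PASS_WARN_AGE "$LOGIN_DEFS_POLICY_WARN_AGE"
  # NOTE(review): these only affect accounts created from now on; existing accounts
  # keep their current ageing until "chage" is run for them.
}

# ---------------------------------------------------------------------------
# 2. Password complexity (pwquality.conf + pam_pwquality retry/try_first_pass)
# ---------------------------------------------------------------------------

# tune_pam_pwquality PAMFILE — on the "password requisite pam_pwquality.so ..." line,
# add try_first_pass if absent, add retry=N if absent, and normalise an existing retry=.
tune_pam_pwquality() {
  local f=$1
  local re='^\s*password\s+requisite\s+pam_pwquality.so\s+'
  if ! grep -Eq "$re" "$f"; then
    warn "${f} 中未找到带参数的 password requisite pam_pwquality.so 行,跳过 retry/try_first_pass 设置"
    return 0
  fi
  sed -ri '/^\s*password\s+requisite\s+pam_pwquality.so\s+/ { /^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*(\s+try_first_pass)(\s+.*)?$/! s/^(\s*password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1try_first_pass \2/ }' "$f"
  sed -ri '/^\s*password\s+requisite\s+pam_pwquality.so\s+/ { /^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*(\s+retry=[0-9]+)(\s+.*)?$/! s/^(\s*password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1retry='"${PWQUALITY_RETRY}"' \2/ }' "$f"
  sed -ri 's/(^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*\s+)retry=[0-9]+(\s+.*)?$/\1retry='"${PWQUALITY_RETRY}"'\3/' "$f"
}

configure_pwquality() {
  info "正在编辑 ${PWQUALITY_CONF} 文件配置文件口令复杂度"
  backup_file "$PWQUALITY_CONF"
  set_directive "$PWQUALITY_CONF" minlen   "$PWQUALITY_POLICY_MINLEN"
  set_directive "$PWQUALITY_CONF" minclass "$PWQUALITY_POLICY_MINCLASS"
  set_directive "$PWQUALITY_CONF" dcredit  "$PWQUALITY_POLICY_DCREDIT"
  set_directive "$PWQUALITY_CONF" ucredit  "$PWQUALITY_POLICY_UCREDIT"
  set_directive "$PWQUALITY_CONF" lcredit  "$PWQUALITY_POLICY_LCREDIT"
  set_directive "$PWQUALITY_CONF" ocredit  "$PWQUALITY_POLICY_OCREDIT"
  set_directive "$PWQUALITY_CONF" difok    "$PWQUALITY_POLICY_DIFOK"
  # Bare flag: an active line is kept, a commented one uncommented, else it is appended.
  set_directive "$PWQUALITY_CONF" enforce_for_root "$PWQUALITY_POLICY_FOR_ROOT"
  local f
  for f in "${PAM_FILES[@]}"; do
    backup_file "$f"
    tune_pam_pwquality "$f"
  done
}

# ---------------------------------------------------------------------------
# 3. Login failure lockout (pam_faillock)
# ---------------------------------------------------------------------------

# configure_faillock PAMFILE — wire pam_faillock into the auth and account stacks.
# Ordering matters: "preauth" must run before the primary auth module (pam_unix) so a
# locked account is refused, and "authfail" must run AFTER pam_unix so that only a
# failed pam_unix reaches it; placed before pam_unix (as a plain "required" entry)
# every login attempt, successful or not, would be counted as a failure. The account
# line clears the tally after a successful login.
configure_faillock() {
  local f=$1
  local common="even_deny_root deny=${FAILLOCK_DENY} unlock_time=${FAILLOCK_UNLOCK_TIME}"
  if ! grep -Eq '^auth[[:space:]].*pam_unix\.so' "$f"; then
    warn "${f} 中未找到 auth 阶段的 pam_unix.so,跳过 faillock 配置"
    return 0
  fi
  if grep -Eq '^auth[[:space:]].*pam_faillock\.so.*authfail' "$f"; then
    # Already wired in: only normalise the thresholds on every pam_faillock line.
    # ("deny=[0-9]+" does not match the even_deny_root flag.)
    sed -ri "/pam_faillock\.so/{s/deny=[0-9]+/deny=${FAILLOCK_DENY}/g;s/unlock_time=[0-9]+/unlock_time=${FAILLOCK_UNLOCK_TIME}/g}" "$f"
  else
    if grep -Eq '^auth[[:space:]].*pam_env\.so' "$f"; then
      sed -i "/^auth[[:space:]].*pam_env\.so/i auth        required      pam_faillock.so preauth silent ${common}" "$f"
    else
      sed -i "1i auth        required      pam_faillock.so preauth silent ${common}" "$f"
    fi
    sed -i "/^auth[[:space:]].*pam_unix\.so/a auth        required      pam_faillock.so authfail ${common}" "$f"
  fi
  if ! grep -Eq '^account[[:space:]].*pam_faillock\.so' "$f"; then
    sed -i "0,/^account[[:space:]]/s//account     required      pam_faillock.so\n&/" "$f"
  fi
}

configure_faillock_all() {
  info "正在编辑 /etc/pam.d/password-auth 文件配置密码验证失败处理策略"
  # If authselect manages these files, "authselect apply-changes" will overwrite manual
  # edits; "authselect enable-feature with-faillock" is the supported route there. This
  # is only a warning — presence of the tool is not proof it owns the files (verify).
  if command -v authselect >/dev/null 2>&1 && authselect current >/dev/null 2>&1; then
    warn "检测到 authselect 正在管理 PAM 配置,手工修改可能被覆盖,建议改用 authselect enable-feature with-faillock"
  fi
  local f
  for f in "${PAM_FILES[@]}"; do
    backup_file "$f"
    configure_faillock "$f"
  done
}

# ---------------------------------------------------------------------------
# 4. Idle shell timeout (/etc/profile)
# ---------------------------------------------------------------------------
configure_tmout() {
  info "正在编辑 /etc/profile 文件配置终端超时自动登出设置要求针对所有用户,自动登退时间为600s"
  backup_file "$PROFILE"
  if grep -q '^export TMOUT' "$PROFILE"; then
    sed -i "s/^export TMOUT.*/export TMOUT=${TMOUT_SECONDS}/" "$PROFILE"
  else
    printf 'export TMOUT=%s\n' "$TMOUT_SECONDS" >> "$PROFILE"
  fi
  # Without readonly any user can simply "unset TMOUT" and defeat the timeout.
  grep -q '^readonly TMOUT' "$PROFILE" || printf 'readonly TMOUT\n' >> "$PROFILE"
}

# ---------------------------------------------------------------------------
# 5. Log retention (/etc/logrotate.conf)
# ---------------------------------------------------------------------------
configure_logrotate() {
  info "正在编辑 /etc/logrotate.conf 文件设置日志本地保存时间6个月"
  backup_file "$LOGROTATE_CONF"
  local count
  # "rotate N" keeps N rotation intervals, so N must be derived from the global
  # interval. Only column-0 directives are global; indented ones belong to per-file
  # blocks (e.g. wtmp) and must not be touched.
  if grep -Eq '^daily([[:space:]]|$)' "$LOGROTATE_CONF"; then
    count=$(( LOG_RETENTION_MONTHS * 30 ))
  elif grep -Eq '^monthly([[:space:]]|$)' "$LOGROTATE_CONF"; then
    count=$LOG_RETENTION_MONTHS
  else
    grep -Eq '^weekly([[:space:]]|$)' "$LOGROTATE_CONF" \
      || warn "${LOGROTATE_CONF} 中未找到全局轮转周期,按 weekly 计算保留份数"
    count=$(( LOG_RETENTION_MONTHS * 52 / 12 ))
  fi
  if grep -Eq '^rotate[[:space:]]' "$LOGROTATE_CONF"; then
    sed -ri "s/^rotate[[:space:]].*/rotate ${count}/" "$LOGROTATE_CONF"
  else
    # Global options only apply to definitions that follow them, so a new one goes first.
    sed -i "1i rotate ${count}" "$LOGROTATE_CONF"
  fi
  # NOTE(review): files under /etc/logrotate.d may set their own interval/rotate and
  # override this global value — audit them separately.
}

# ---------------------------------------------------------------------------
# 6 + 8. sshd: no root login, pubkey auth, no DNS lookups, PAM on
# ---------------------------------------------------------------------------
configure_sshd() {
  info "正在编辑 /etc/ssh/sshd_config 文件禁止root ssh远程登录"
  backup_file "$SSHD_CONFIG"
  if id -u "$ADMIN_USER" >/dev/null 2>&1; then
    set_sshd_directive PermitRootLogin no
    ROOT_LOGIN_DISABLED=1
  else
    warn "账号 ${ADMIN_USER} 不存在,为避免失去远程访问,保持 PermitRootLogin 不变"
  fi
  set_sshd_directive PubkeyAuthentication yes
  set_sshd_directive UseDNS no
  set_sshd_directive UsePAM yes
  # Validate before restarting: restarting sshd on a broken config would take down
  # remote access; existing sessions survive but no new ones could be opened.
  if ! sshd -t; then
    warn "sshd 配置校验失败,已从 ${BACKUP_DIR}/sshd_config 恢复,不重启 sshd"
    cp -p -- "${BACKUP_DIR}/sshd_config" "$SSHD_CONFIG"
    ROOT_LOGIN_DISABLED=0
    return 0
  fi
  info "正在重启sshd服务....."
  systemctl restart sshd
  (( ROOT_LOGIN_DISABLED )) && verify_sshd_option PermitRootLogin no
  verify_sshd_option PubkeyAuthentication yes
  verify_sshd_option UseDNS no
  verify_sshd_option UsePAM yes
}

# ---------------------------------------------------------------------------
# 7. Logging and audit services
# ---------------------------------------------------------------------------
enable_services() {
  info "正在启动rsyslog和auditd服务"
  systemctl enable --now rsyslog.service
  systemctl enable --now auditd.service
}

# ---------------------------------------------------------------------------
# 9. System tools
# ---------------------------------------------------------------------------
install_tools() {
  info "安装sysstat ipmitool vim pciutils net-tools工具包"
  if ! command -v dnf >/dev/null 2>&1; then
    warn "未找到 dnf,跳过工具包安装"
    return 0
  fi
  local pkg
  # One transaction per package so a single unavailable package does not abort the rest;
  # no ".x86_64" suffix so the script also works on other architectures.
  for pkg in "${TOOL_PACKAGES[@]}"; do
    dnf -y install "$pkg" || warn "安装 ${pkg} 失败"
  done
}

main() {
  [[ $EUID -eq 0 ]] || die "请以 root 身份运行本脚本"
  local f
  for f in "$LOGIN_DEFS" "$PWQUALITY_CONF" "${PAM_FILES[@]}" "$PROFILE" "$LOGROTATE_CONF" "$SSHD_CONFIG"; do
    [[ -f "$f" ]] || die "${f} 不存在"
  done
  configure_login_defs
  configure_pwquality
  configure_faillock_all
  configure_tmout
  configure_logrotate
  configure_sshd
  enable_services
  info "请自行修改操作系统默认密码。并做好密码保存。"
  if (( ROOT_LOGIN_DISABLED )); then
    info "已禁止root ssh远程登录,请使用${ADMIN_USER}账号登录,如无法登录请通过ipmi远程控制登录"
  fi
  install_tools
  info "备份文件位于 ${BACKUP_DIR}"
  info "所有操作已完成。"
}

main "$@"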