ansible-devops/scripts/linux_security_hardening.sh


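#!/bin/bash
##############################################################################################################################
# Linux security hardening, applied in place to system configuration files.
# 1. Password ageing (/etc/login.defs): maximum age 90 days, minimum length 8, expiry warning 7 days ahead.
# 2. Password complexity (/etc/security/pwquality.conf): at least 12 characters drawn from all four
#    character classes (upper case, lower case, digits, special characters).
#    NOTE(review): on PAM systems pam_pwquality's minlen (12) is what the passwd stack enforces; the
#    login.defs PASS_MIN_LEN (8) is kept for tools that still read it — confirm which one applies on the target.
# 3. Login failure handling (pam_faillock): lock the account after 5 failures for 10 minutes (root included).
# 4. Idle session timeout: 10 minutes (TMOUT in /etc/profile).
# 5. Local log retention: 6 months (logrotate, 26 weekly rotations).
# 6. Disable root login over SSH.
# 7. Start and enable the rsyslog and auditd services.
# 8. Enable PAM authentication in sshd.
# 9. Install system tools.
#
# Requires root. Edits rely on GNU sed (-i, -E/-r, --follow-symlinks) and packages come from dnf, so the
# script targets RHEL-family systems. Every edited file is copied once to <file>.orig before its first change.
# Config edits are idempotent: an existing setting is rewritten, a commented default is uncommented, and a
# line is appended only when neither exists. Steps are best-effort on purpose (no `set -e`): a missing file or
# service is reported on stderr and the remaining hardening still runs.
##############################################################################################################################
set -uo pipefail

readonly LOGIN_DEFS=/etc/login.defs
readonly PWQUALITY_CONF=/etc/security/pwquality.conf
readonly SYSTEM_AUTH=/etc/pam.d/system-auth
readonly PASSWORD_AUTH=/etc/pam.d/password-auth
readonly PROFILE=/etc/profile
readonly LOGROTATE_CONF=/etc/logrotate.conf
readonly SSHD_CONFIG=/etc/ssh/sshd_config

# pam_faillock arguments shared by the preauth and authfail lines.
readonly FAILLOCK_ARGS='even_deny_root deny=5 unlock_time=600'

#######################################
# Print a message to stderr and exit with status 1.
# Arguments: $* - message
#######################################
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

#######################################
# In-place GNU sed that keeps symlinks intact. /etc/pam.d/system-auth is a symlink on
# authselect-managed systems; a plain `sed -i` would replace the link with a regular file.
# Arguments: $@ - passed through to sed
#######################################
sedi() {
  sed -i --follow-symlinks "$@"
}

#######################################
# Keep an untouched copy of a file before its first in-place edit.
# Arguments: $1 - file about to be edited
# Outputs:   creates "$1.orig" if it does not exist yet; warning on stderr if $1 is missing
# Returns:   0 when the file exists, 1 when it is missing (caller skips the section)
#######################################
backup_once() {
  local file=$1
  if [[ ! -f "$file" ]]; then
    printf 'warning: %s not found, skipping\n' "$file" >&2
    return 1
  fi
  [[ -e "${file}.orig" ]] || cp -p -- "$file" "${file}.orig"
}

#######################################
# Ensure a "KEY VALUE" / "KEY = VALUE" style line is present in a config file.
# An active line starting with KEY is rewritten; otherwise a commented "#KEY" / "# KEY"
# line is uncommented and rewritten; otherwise the line is appended.
# Arguments: $1 - file
#            $2 - key, matched literally at the start of a line (no regex metacharacters)
#            $3 - full replacement line, e.g. "PASS_MAX_DAYS 90" (must not contain '|', '&' or '\')
#######################################
set_config_line() {
  local file=$1 key=$2 line=$3
  if grep -Eq "^${key}([[:space:]=]|$)" "$file"; then
    sedi -E "s|^${key}([[:space:]=].*)?$|${line}|" "$file"
  elif grep -Eq "^#[[:space:]]*${key}([[:space:]=]|$)" "$file"; then
    sedi -E "s|^#[[:space:]]*${key}([[:space:]=].*)?$|${line}|" "$file"
  else
    printf '%s\n' "$line" >> "$file"
  fi
}

#######################################
# Set a global sshd_config keyword. Same replace/uncomment logic as set_config_line, but a
# new keyword is inserted before the first "Match" block instead of being appended, because
# anything appended after a Match line would belong to that block rather than to the global scope.
# NOTE(review): if the file contains an `Include /etc/ssh/sshd_config.d/*.conf` line above these
# options, a drop-in setting the same keyword wins (sshd keeps the first value it reads) — confirm
# on the target image.
# Arguments: $1 - keyword, $2 - value
#######################################
set_sshd_option() {
  local key=$1 value=$2
  if grep -Eq "^(#[[:space:]]*)?${key}([[:space:]=]|$)" "$SSHD_CONFIG"; then
    set_config_line "$SSHD_CONFIG" "$key" "$key $value"
  elif grep -q '^Match' "$SSHD_CONFIG"; then
    sedi "0,/^Match/s/^Match.*/${key} ${value}\n&/" "$SSHD_CONFIG"
  else
    printf '%s\n' "$key $value" >> "$SSHD_CONFIG"
  fi
}

#######################################
# 1. Password ageing policy in /etc/login.defs.
#######################################
configure_password_ageing() {
  printf '%s\n' "正在编辑 /etc/login.defs 文件..."
  backup_once "$LOGIN_DEFS" || return 0
  set_config_line "$LOGIN_DEFS" PASS_MAX_DAYS "PASS_MAX_DAYS 90"
  set_config_line "$LOGIN_DEFS" PASS_MIN_DAYS "PASS_MIN_DAYS 0"
  set_config_line "$LOGIN_DEFS" PASS_MIN_LEN  "PASS_MIN_LEN 8"
  set_config_line "$LOGIN_DEFS" PASS_WARN_AGE "PASS_WARN_AGE 7"
}

#######################################
# Ensure the pam_pwquality "password requisite" line of a PAM stack carries try_first_pass
# and retry=5 (adds what is missing, normalises an existing retry=N). Stacks without such a
# line are left alone.
# Arguments: $1 - PAM stack file (system-auth or password-auth)
#######################################
ensure_pwquality_pam_args() {
  local file=$1
  backup_once "$file" || return 0
  grep -Eq '^\s*password\s+requisite\s+pam_pwquality.so\s+' "$file" || return 0
  # Pass 1: add try_first_pass when the line does not have it.
  sedi -r '/^\s*password\s+requisite\s+pam_pwquality.so\s+/ { /^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*(\s+try_first_pass)(\s+.*)?$/! s/^(\s*password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1try_first_pass \2/ }' "$file"
  # Pass 2: add retry=5 when no retry= argument is present.
  sedi -r '/^\s*password\s+requisite\s+pam_pwquality.so\s+/ { /^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*(\s+retry=[0-9]+)(\s+.*)?$/! s/^(\s*password\s+requisite\s+pam_pwquality.so\s+)(.*)$/\1retry=5 \2/ }' "$file"
  # Pass 3: force an existing retry=N to retry=5.
  sedi -r 's/(^\s*password\s+requisite\s+pam_pwquality.so(\s+\S+)*\s+)retry=[0-9]+(\s+.*)?$/\1retry=5\3/' "$file"
}

#######################################
# 2. Password complexity in /etc/security/pwquality.conf, then the pam_pwquality arguments
#    in system-auth and password-auth.
#######################################
configure_password_complexity() {
  printf '%s\n' "正在编辑 /etc/security/pwquality.conf 文件配置文件口令复杂度"
  if backup_once "$PWQUALITY_CONF"; then
    set_config_line "$PWQUALITY_CONF" minlen   "minlen = 12"
    set_config_line "$PWQUALITY_CONF" minclass "minclass = 4"
    # Negative credits require at least one character of each class.
    set_config_line "$PWQUALITY_CONF" dcredit  "dcredit = -1"
    set_config_line "$PWQUALITY_CONF" ucredit  "ucredit = -1"
    set_config_line "$PWQUALITY_CONF" lcredit  "lcredit = -1"
    set_config_line "$PWQUALITY_CONF" ocredit  "ocredit = -1"
    set_config_line "$PWQUALITY_CONF" enforce_for_root "enforce_for_root"
    set_config_line "$PWQUALITY_CONF" difok    "difok = 5"
  fi
  ensure_pwquality_pam_args "$SYSTEM_AUTH"
  ensure_pwquality_pam_args "$PASSWORD_AUTH"
}

#######################################
# Wire pam_faillock into one PAM stack following the layout documented in pam_faillock(8):
#   auth    required      pam_faillock.so preauth silent ...   (first auth line)
#   auth    sufficient    pam_unix.so ...                       (existing)
#   auth    [default=die] pam_faillock.so authfail ...          (right after pam_unix)
#   account required      pam_faillock.so                       (last account line)
# authfail is placed after pam_unix so it only runs when the password check failed; the
# account entry clears the failure records once a login succeeds. When faillock is already
# present only its argument tails are normalised, so re-runs do not add duplicate lines.
# Arguments: $1 - PAM stack file (system-auth or password-auth)
#######################################
ensure_faillock() {
  local file=$1 last_account
  backup_once "$file" || return 0
  if grep -Eq '^auth\s+\S+\s+pam_faillock.so\s+authfail' "$file"; then
    sedi -r "s/^(auth\s+\S+\s+pam_faillock.so\s+preauth).*/\1 silent ${FAILLOCK_ARGS}/; s/^(auth\s+\S+\s+pam_faillock.so\s+authfail).*/\1 ${FAILLOCK_ARGS}/" "$file"
  elif grep -Eq '^auth\s+sufficient\s+pam_unix.so' "$file"; then
    sedi -r "0,/^auth\s/s/^auth\s.*/auth        required      pam_faillock.so preauth silent ${FAILLOCK_ARGS}\n&/" "$file"
    sedi -r "/^auth\s+sufficient\s+pam_unix.so/a auth        [default=die] pam_faillock.so authfail ${FAILLOCK_ARGS}" "$file"
  else
    printf 'warning: %s has no "auth sufficient pam_unix.so" line; pam_faillock not configured, review the stack by hand\n' "$file" >&2
    return 0
  fi
  if ! grep -Eq '^account\s+\S+\s+pam_faillock.so' "$file"; then
    last_account=$(grep -nE '^account\s' "$file" | tail -n 1 | cut -d: -f1)
    if [[ -n "$last_account" ]]; then
      sedi "${last_account}a account     required      pam_faillock.so" "$file"
    else
      printf '%s\n' 'account     required      pam_faillock.so' >> "$file"
    fi
  fi
}

#######################################
# 3. Login failure policy (pam_faillock) in system-auth and password-auth.
# NOTE(review): on authselect-managed systems (RHEL 8+) these two files are generated and a later
# `authselect apply-changes` overwrites direct edits; `authselect enable-feature with-faillock` is the
# supported route there — confirm how the target hosts are provisioned.
#######################################
configure_login_failure_policy() {
  printf '%s\n' "正在编辑 /etc/pam.d/password-auth 文件配置密码验证失败处理策略"
  ensure_faillock "$SYSTEM_AUTH"
  ensure_faillock "$PASSWORD_AUTH"
}

#######################################
# 4. Idle timeout of 600 s for all login shells that read /etc/profile.
#######################################
configure_idle_timeout() {
  printf '%s\n' "正在编辑 /etc/profile 文件配置终端超时自动登出设置要求针对所有用户自动登退时间为600s"
  backup_once "$PROFILE" || return 0
  if grep -q '^export TMOUT' "$PROFILE"; then
    sedi 's/^export TMOUT.*/export TMOUT=600/' "$PROFILE"
  else
    printf '%s\n' 'export TMOUT=600' >> "$PROFILE"
  fi
}

#######################################
# 5. Keep 26 rotations of the logs handled by /etc/logrotate.conf (six months on a weekly schedule).
#######################################
configure_log_retention() {
  printf '%s\n' "正在编辑 /etc/logrotate.conf 文件设置日志本地保存时间6个月"
  backup_once "$LOGROTATE_CONF" || return 0
  # Anchored so that only the global "rotate N" directive changes, not comments or
  # indented per-log stanzas that happen to contain the word "rotate".
  if grep -q '^rotate' "$LOGROTATE_CONF"; then
    sedi 's/^rotate.*/rotate 26/' "$LOGROTATE_CONF"
  else
    printf '%s\n' 'rotate 26' >> "$LOGROTATE_CONF"
  fi
  grep -Eq '^\s*weekly' "$LOGROTATE_CONF" \
    || printf 'warning: %s has no global "weekly" directive; "rotate 26" is not six months of retention\n' "$LOGROTATE_CONF" >&2
}

#######################################
# 6. and 8. sshd: no root login, public-key auth, no client DNS lookups, PAM enabled.
# The result is validated with `sshd -t` before sshd is restarted; an invalid file is rolled back
# to the pre-edit copy so a typo can never leave the host without a working sshd.
#######################################
configure_sshd() {
  local snapshot sshd_bin
  printf '%s\n' "正在编辑 /etc/ssh/sshd_config 文件禁止root ssh远程登录"
  backup_once "$SSHD_CONFIG" || return 0
  # Disabling root login without another login account means remote access is IPMI-only.
  id scloudadmin >/dev/null 2>&1 \
    || printf 'warning: account scloudadmin does not exist; with root SSH login disabled, remote access needs another account or IPMI\n' >&2
  snapshot=$(mktemp) || { printf 'warning: mktemp failed, sshd_config left unchanged\n' >&2; return 0; }
  cp -p -- "$SSHD_CONFIG" "$snapshot"

  set_sshd_option PermitRootLogin no
  set_sshd_option PubkeyAuthentication yes
  set_sshd_option UseDNS no
  # UsePAM is what routes logins through the pwquality/faillock stacks configured above.
  set_sshd_option UsePAM yes

  printf '%s\n' "正在重启sshd服务....."
  sshd_bin=$(command -v sshd || printf '%s' /usr/sbin/sshd)
  if "$sshd_bin" -t -f "$SSHD_CONFIG"; then
    systemctl restart sshd || printf 'warning: sshd restart failed\n' >&2
  else
    printf 'error: %s failed validation; restoring the previous version and leaving sshd untouched\n' "$SSHD_CONFIG" >&2
    cp -p -- "$snapshot" "$SSHD_CONFIG"
  fi
  rm -f -- "$snapshot"
}

#######################################
# 7. Start and enable rsyslog and auditd.
#######################################
enable_logging_services() {
  local svc
  printf '%s\n' "正在启动rsyslog和auditd服务"
  for svc in rsyslog.service auditd.service; do
    systemctl enable --now "$svc" || printf 'warning: could not enable/start %s\n' "$svc" >&2
  done
}

#######################################
# 9. Install the system tools, one package at a time so one missing package does not block the others.
#    No .x86_64 suffix, so the same script works on other architectures.
#######################################
install_tools() {
  local pkg
  printf '%s\n' "安装sysstat ipmitool vim pciutils net-tools工具包"
  for pkg in sysstat ipmitool vim pciutils net-tools; do
    dnf -y install "$pkg" || printf 'warning: failed to install %s\n' "$pkg" >&2
  done
}

main() {
  (( EUID == 0 )) || die 'error: this script must run as root'
  configure_password_ageing
  configure_password_complexity
  configure_login_failure_policy
  configure_idle_timeout
  configure_log_retention
  configure_sshd
  enable_logging_services
  printf '%s\n' "请自行修改操作系统默认密码。并做好密码保存。"
  printf '%s\n' "已禁止root ssh远程登录请使用scloudadmin账号登录如无法登录请通过ipmi远程控制登录"
  install_tools
  printf '%s\n' "所有操作已完成。"
}

main "$@"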