
Linux小脚本加固系统安全

今天有朋友在Linux的群里喊需要写一个脚本,来实现对100多台Linux系统的统一安全配置,然后求助人来写这个脚本。我闲来无事,就接下来了。 
都是非常基础的语法,没有做过优化,只是简单的实现了他提的要求,现在把脚本发下,如果有人愿意跟我一起改进或者有什么建议的请发站内信给我,大家一起讨论。
 
这个脚本最后有一点小问题,就是在追加审计策略的时候,脚本只能执行一次,如果执行两次,最后在策略追加时会报错,并且/etc/audit/audit.rules会不断增加,这个问题我后期会优化,使其执行多少次的结果都是一样的。
 
 
 
 #!/bin/bash
 
 
 
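DIR=${DIR:-/etc}

# Every section below rewrites files under /etc in place; stop here instead
# of half-applying the policy with "permission denied" scattered in the output.
if [ "$(id -u)" -ne 0 ]; then
  echo "This script must be run as root" >&2
  exit 1
fi

#################################################################

##/etc/login.defs

#######################################
# Set one login.defs key to the wanted value.
# Rewrites the whole "KEY value" line (the original substituted only the
# old number, which also hits the same digits anywhere else on that line)
# or appends the key when it is absent. A rerun with the same value is a no-op.
# Arguments: $1 - key (e.g. PASS_MAX_DAYS), $2 - value
# Globals:   DIR (read)
#######################################
set_login_def() {
  local key=$1 value=$2
  local file="$DIR/login.defs"
  local current
  # Exact first-field match, so a key never matches a longer key sharing its prefix.
  current=$(awk -v k="$key" '$1 == k {print $2; exit}' "$file")
  if [ -z "$current" ]; then
    printf '%s\t%s\n' "$key" "$value" >> "$file"
  elif [ "$current" != "$value" ]; then
    sed -i "s/^${key}[[:space:]].*/${key}\t${value}/" "$file"
  fi
}

echo "正在修改/etc/login.defs..."

sleep 1

if [ ! -f "$DIR/login.defs" ]; then
  echo "$DIR/login.defs not found, password ageing policy skipped" >&2
else
  # These defaults only apply to accounts created afterwards; existing
  # accounts keep their shadow(5) ageing fields (adjust those with chage).
  ##PASS_MAX_DAYS
  set_login_def PASS_MAX_DAYS 90
  ##PASS_MIN_DAYS
  set_login_def PASS_MIN_DAYS 0
  ##PASS_MIN_LEN
  # NOTE: on PAM-based systems PASS_MIN_LEN is ignored; minimum length is
  # enforced by pam_cracklib/pam_pwquality instead.
  set_login_def PASS_MIN_LEN 8
  ##PASS_WARN_AGE
  set_login_def PASS_WARN_AGE 7
fi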
 
 
 
###########################################################
 
 
 
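echo "正在修改用户组..."

sleep 1

# Unused system accounts are disabled by commenting their entries out of
# passwd/shadow/group (glibc skips lines that start with '#'). The pattern
# is anchored on "name:" so that "lp" does not also hit e.g. "lpadmin", and
# the replacement is the same "#&" for every account and file (the original
# wrote "#a&" for games in /etc/passwd, leaving a mangled "#agames" entry).
# Already-commented lines no longer match, so a second run changes nothing.
# The supported way to retire an account is "passwd -l" plus a nologin
# shell (or userdel); commenting out keeps the author's approach.
disabled_accounts="uucp nuucp lp news games"
for f in /etc/passwd /etc/shadow /etc/group; do
  [ -f "$f" ] || continue
  # One-time backup before in-place editing; cp -p keeps the restrictive
  # mode of /etc/shadow on its copy.
  [ -e "$f.orig" ] || cp -p "$f" "$f.orig"
  for acct in $disabled_accounts; do
    sed -i "s/^${acct}:/#&/" "$f"
  done
done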
 
 
 
###############################################
 
 
 
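echo "正在修改禁止管理员远程登录..."

SSHD_CONFIG=/etc/ssh/sshd_config

if [ ! -f "$SSHD_CONFIG" ]; then
  echo "$SSHD_CONFIG not found, PermitRootLogin left unchanged" >&2
else
  # The original only rewrote the commented "#PermitRootLogin yes" template
  # line, so a host with a live "PermitRootLogin yes" (or a different
  # commented default) kept accepting root logins. Rewrite the directive
  # whatever its value or comment state, then insert it at the top when it
  # is missing: appended at the end it could land inside a trailing Match
  # block and apply only there.
  sed -i -E 's/^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' "$SSHD_CONFIG"
  if ! grep -q '^PermitRootLogin no' "$SSHD_CONFIG"; then
    sed -i '1i PermitRootLogin no' "$SSHD_CONFIG"
  fi

  # Validate before anything restarts sshd: a broken sshd_config on 100
  # hosts means no remote login at all. The directive takes effect on the
  # next sshd reload; confirm a non-root admin account exists before that.
  if [ -x /usr/sbin/sshd ] && ! /usr/sbin/sshd -t; then
    echo "warning: $SSHD_CONFIG failed sshd -t validation" >&2
  fi
fi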
 
 
 
###############################################
 
 
 
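echo "正在修改系统命令行保存条目..."

sleep 1

#######################################
# Set a NAME=value line in /etc/profile: replace an existing assignment or
# append one when absent, so HISTSIZE and HISTFILESIZE are handled alike.
# The original "[0-9]{1,4}" is a basic regex in which the braces are
# literal, so its HISTSIZE substitution never matched anything.
# Arguments: $1 - variable name, $2 - value
#######################################
set_profile_var() {
  local name=$1 value=$2
  local file=/etc/profile
  if grep -q "^${name}=" "$file"; then
    sed -i "s/^${name}=.*/${name}=${value}/" "$file"
  else
    printf '%s=%s\n' "$name" "$value" >> "$file"
  fi
}

if [ ! -f /etc/profile ]; then
  echo "/etc/profile not found, history limits skipped" >&2
else
  # Only covers login shells that source /etc/profile, and users can still
  # override these in their own rc files; treat it as a soft control.
  set_profile_var HISTSIZE 30
  set_profile_var HISTFILESIZE 30
fi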
 
 
 
###############################################
 
 
 
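echo "正在修改系统启动级别..."

sleep 1

# SysV init only: systemd hosts have no /etc/inittab (the equivalent there
# is "systemctl set-default multi-user.target"), so skip instead of failing
# on a missing file. Matching the whole "id:N:initdefault" field avoids the
# original "s/N/3/g", which rewrote every N anywhere on that line.
INITTAB=/etc/inittab
if [ ! -f "$INITTAB" ]; then
  echo "$INITTAB not found (systemd host?), runlevel left unchanged" >&2
elif grep -q '^id:[0-6]:initdefault' "$INITTAB"; then
  sed -i 's/^id:[0-6]:initdefault/id:3:initdefault/' "$INITTAB"
else
  echo "$INITTAB has no id:N:initdefault line, runlevel left unchanged" >&2
fi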
 
 
 
##############################################
 
 
 
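echo "正在启用审计策略..."

# On auditd builds that ship augenrules, /etc/audit/audit.rules is
# regenerated from /etc/audit/rules.d/*.rules at every restart, so rules
# appended straight to audit.rules are lost; write a drop-in file there
# when that directory exists and fall back to audit.rules otherwise.
if [ -d /etc/audit/rules.d ]; then
  RULES=/etc/audit/rules.d/hardening.rules
else
  RULES=/etc/audit/audit.rules
fi

# Idempotency: the rule block is appended once, keyed on its first watch
# rule, so a rerun no longer grows the file or makes auditctl reject
# duplicate rules. The original also echoed a blank line into
# audit.rules.bak by mistake; that stray write is dropped.
if grep -qF -- '-k CFG_login.defs' "$RULES" 2>/dev/null; then
  echo "审计策略已存在, 跳过"
else
  cat >> "$RULES" <<'EOF'
# Enable auditing
-e 1
## login configuration and information
-w /etc/login.defs -p wa -k CFG_login.defs
-w /etc/securetty -p wa -k CFG_securetty
-w /var/log/faillog -p wa -k LOG_faillog
-w /var/log/lastlog -p wa -k LOG_lastlog
-w /var/log/tallylog -p wa -k LOG_tallylog

## directory operations
#-a entry,always -S mkdir -S mkdirat -S rmdir

## cron configuration & scheduled jobs
-w /etc/cron.allow -p wa -k CFG_cron.allow
-w /etc/cron.deny -p wa -k CFG_cron.deny
-w /etc/cron.d/ -p wa -k CFG_cron.d
-w /etc/cron.daily/ -p wa -k CFG_cron.daily
-w /etc/cron.hourly/ -p wa -k CFG_cron.hourly
-w /etc/cron.monthly/ -p wa -k CFG_cron.monthly
-w /etc/cron.weekly/ -p wa -k CFG_cron.weekly
-w /etc/crontab -p wa -k CFG_crontab
-w /var/spool/cron/root -k CFG_crontab_root

## user, group, password databases
-w /etc/group -p wa -k CFG_group
-w /etc/passwd -p wa -k CFG_passwd
-w /etc/gshadow -k CFG_gshadow
-w /etc/shadow -k CFG_shadow
-w /etc/security/opasswd -k CFG_opasswd

# ----- File System audit rules -----
EOF
fi

echo "正在重启审计服务..."

# auditd is restarted through service(8); on some distributions systemctl
# refuses to stop/restart it directly. Report a failed restart instead of
# continuing as if the new rules were loaded.
if ! /sbin/service auditd restart; then
  echo "auditd restart failed, new audit rules are not loaded" >&2
fi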
 
 
 
##################################################################
 
 
 
# Brief pause, then the closing status message.
sleep 1

printf '%s\n' "脚本执行成功"