centos7 && redhat7 安全加固,记录下
#!/bin/bash
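# Name of the UID-0 account that replaces direct use of "root".
# ROOT_USER in the environment overrides the default.
root_user="${ROOT_USER:-admin}"
# Password for that account. The default is kept for backward compatibility;
# supply SSS_PASSWD in the environment instead so the secret is not stored in
# this file (and in every copy of it).
sss_passwd="${SSS_PASSWD:-Sssw2022}"
# Operations account to create (OPER_USER overrides).
oper_user="${OPER_USER:-sysadmin}"
# Password for the operations account (OPER_PASSWD overrides the default).
oper_passwd="${OPER_PASSWD:-sys!Sss}"
# Passwordless sudo for the ops/dev accounts: 0 = prompt for password, 1 = NOPASSWD.
# SUDO_NOPASSWD overrides the default.
flag="${SUDO_NOPASSWD:-1}"
# Development account to create (DEV_USER overrides).
dev_user="${DEV_USER:-devops}"
# Password for the development account (DEV_PASSWD overrides the default).
dev_passwd="${DEV_PASSWD:-soft#Sss}"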
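#######################################
# Append a message to the run log and echo it to stdout.
# Arguments: the message words (joined with single spaces)
# Outputs:   the message on stdout and appended to /tmp/security_update.log
# NOTE(review): the log is a fixed file name inside world-writable /tmp; a
# symlink planted there beforehand would redirect this root-owned append.
# A root-only directory (e.g. under /var/log) avoids that.
#######################################
log() {
  # printf instead of echo so a message starting with "-n"/"-e" is printed literally.
  printf '%s\n' "$*" | tee -a /tmp/security_update.log
}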
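#######################################
# Log an error message and terminate the script.
# Arguments: $1 - message; $2 - exit status (optional, default 1)
# Outputs:   "ERROR: <message>" via log()
# Returns:   does not return
#######################################
error_exit() {
  log "ERROR: $1"
  exit "${2:-1}"
}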
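#######################################
# Create a UID 0 alias account (${root_user}) and lock the "root" password.
# Globals:   root_user, sss_passwd (read)
# Outputs:   progress via log()
# Returns:   0 on success or if the account exists; exits via error_exit on failure
#######################################
add_root_user() {
  log "###############################"
  if id -u "${root_user}" >/dev/null 2>&1; then
    log "用户已存在:${root_user}"
    return 0
  fi
  log "user add ${root_user}"
  # useradd writes both /etc/passwd and /etc/shadow (inserting a bare passwd
  # line left the account without a shadow entry). -o allows the duplicate
  # UID 0, -M skips home creation since it shares /root with the root account.
  # The entry is appended, so UID 0 still resolves to "root" in ls/whoami;
  # the lock below and the sshd change are what stop "root" from being used.
  useradd -o -u 0 -g 0 -d /root -M -s /bin/bash -c root "${root_user}" \
    || error_exit "Failed to create user ${root_user}"
  # --stdin keeps the password off the command line and out of the process list.
  echo "${sss_passwd}" | passwd --stdin "${root_user}" >/dev/null 2>&1 \
    || error_exit "Failed to set password for ${root_user}"
  log "user ${root_user} 密码已修改"
  # Locks only the "root" shadow entry; the alias keeps its own password.
  passwd -l root || error_exit "Failed to lock root account"
}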
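#######################################
# Create the operations account with a dedicated primary group and set its password.
# Globals:   oper_user, oper_passwd (read)
# Outputs:   progress via log()
# Returns:   0 on success or if the user already exists; 1 if any step fails
#######################################
add_oper_user() {
  log "###############################"
  if id -u "${oper_user}" >/dev/null 2>&1; then
    log "用户已存在:${oper_user}"
    return 0
  fi
  log "user add ${oper_user}"
  # Reuse an existing group of that name rather than failing on groupadd.
  if ! getent group "${oper_user}" >/dev/null; then
    groupadd "${oper_user}" || return 1
  fi
  useradd -g "${oper_user}" "${oper_user}" || return 1
  # --stdin keeps the password off the command line and out of the process list.
  echo "${oper_passwd}" | passwd --stdin "${oper_user}" >/dev/null 2>&1 || return 1
  log "user ${oper_user} 密码已修改"
}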
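#######################################
# Create the development account with a dedicated primary group and set its password.
# Globals:   dev_user, dev_passwd (read)
# Outputs:   progress via log()
# Returns:   0 on success or if the user already exists; 1 if any step fails
#######################################
add_dev_user() {
  log "###############################"
  if id -u "${dev_user}" >/dev/null 2>&1; then
    log "用户已存在:${dev_user}"
    return 0
  fi
  log "user add ${dev_user}"
  # Reuse an existing group of that name rather than failing on groupadd.
  if ! getent group "${dev_user}" >/dev/null; then
    groupadd "${dev_user}" || return 1
  fi
  useradd -g "${dev_user}" "${dev_user}" || return 1
  # --stdin keeps the password off the command line and out of the process list.
  echo "${dev_passwd}" | passwd --stdin "${dev_user}" >/dev/null 2>&1 || return 1
  log "user ${dev_user} 密码已修改"
}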
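# Print the sudoers rules for the three managed accounts on stdout.
# Globals:   flag, root_user, oper_user, dev_user (read)
_sudoers_rules() {
  local tag=""
  # flag=1: the ops and dev accounts get root via sudo with no password prompt,
  # so anyone who can log in as either of them is effectively root.
  if [[ "${flag}" -eq 1 ]]; then
    tag="NOPASSWD: "
  fi
  printf '%s ALL=(ALL) ALL\n' "${root_user}"
  printf '%s ALL=(ALL) %sALL\n' "${oper_user}" "${tag}"
  printf '%s ALL=(ALL) %sALL\n' "${dev_user}" "${tag}"
}

#######################################
# Install /etc/sudoers.d/<oper_user>_sudoers for the three managed accounts.
# Globals:   flag, root_user, oper_user, dev_user (read)
# Outputs:   progress via log()
# Returns:   0 on success; exits via error_exit if the rules fail validation
#######################################
add_sudoers() {
  local target="/etc/sudoers.d/${oper_user}_sudoers"
  local tmp
  log "###############################"
  tmp=$(mktemp) || error_exit "mktemp failed"
  _sudoers_rules > "$tmp"
  # Validate before installing: a syntax error in a drop-in breaks sudo for
  # every user, and a plain redirect would overwrite the file regardless.
  if ! visudo -cf "$tmp" >/dev/null; then
    rm -f -- "$tmp"
    error_exit "generated sudoers rules failed visudo check"
  fi
  # sudo expects drop-ins to be root-owned and mode 0440; install sets both
  # explicitly instead of leaving the mode to the current umask.
  install -o root -g root -m 0440 -- "$tmp" "$target" \
    || error_exit "Failed to install ${target}"
  rm -f -- "$tmp"
  log "add sudoers 完成"
}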
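# Return 0 if FILE contains an active (uncommented) "KEY VALUE" sshd directive.
# Arguments: $1 - sshd config path; $2 - directive name; $3 - expected value
_sshd_option_is() {
  local file=$1 key=$2 value=$3
  # Anchored at line start so a commented "#PermitRootLogin no" does not count.
  grep -Eiq -e "^[[:space:]]*${key}[[:space:]]+${value}([[:space:]]|$)" -- "$file"
}

#######################################
# Disable SSH login as root and limit authentication attempts.
# Globals:   none
# Outputs:   progress via log()
# Returns:   0; exits via error_exit if the config fails validation or sshd
#            cannot be restarted
#######################################
close_root_ssh() {
  local cfg=/etc/ssh/sshd_config
  if _sshd_option_is "$cfg" PermitRootLogin no; then
    return 0
  fi
  log "###############################"
  # The values are inserted after the commented defaults shipped by CentOS 7.
  # sshd honours the first occurrence of a keyword, so an uncommented
  # "PermitRootLogin yes" earlier in the file would still take precedence.
  sed -i '/#PermitRootLogin yes/a\PermitRootLogin no' "$cfg"
  #sed -i '/#PermitEmptyPasswords no/a\PasswordAuthentication no' "$cfg"
  sed -i '/#MaxAuthTries 6/a\MaxAuthTries 3' "$cfg"
  if ! _sshd_option_is "$cfg" PermitRootLogin no; then
    log "warning: PermitRootLogin not set (anchor line '#PermitRootLogin yes' not found)"
  fi
  # Validate before restarting: a broken config would leave no way back in over SSH.
  sshd -t || error_exit "sshd_config failed validation; sshd not restarted"
  systemctl restart sshd || error_exit "Failed to restart sshd"
  log "user root 禁用ssh远程登录"
}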
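# Install NEW_LINE into PAM file FILE directly after the first line matching
# REGEX: on the first run the matching distro line is commented out and the new
# line appended after it; on later runs the line previously appended (the one
# right after the commented copy) is replaced.
# Arguments: $1 - pam file; $2 - regex for the distro line; $3 - replacement line
# Returns:   0 if FILE was updated, 1 if the anchor line could not be located
_install_pam_line() {
  local file=$1 regex=$2 new_line=$3
  local row num
  # REGEX matches the commented copy too, so exactly one hit means first run.
  if [[ "$(grep -c -e "$regex" -- "$file")" -eq 1 ]]; then
    row=$(grep -n -e "$regex" -- "$file" | cut -d: -f1)
    [[ "$row" =~ ^[0-9]+$ ]] || return 1
    # --follow-symlinks: edit the target rather than replacing a symlinked
    # pam file (RHEL's authconfig-managed layout) with a regular copy.
    sed -i --follow-symlinks "${row} s/^/#/" "$file"
  else
    row=$(grep -n -e "#${regex}" -- "$file" | cut -d: -f1)
    # Guard: an empty row would otherwise become "1d" and delete the first line.
    [[ "$row" =~ ^[0-9]+$ ]] || return 1
    num=$((row + 1))
    sed -i --follow-symlinks "${num}d" "$file"
  fi
  sed -i --follow-symlinks "${row}a\\${new_line}" "$file"
}

#######################################
# Enforce password quality (pam_pwquality in system-auth) and account lockout
# (pam_tally2 in the sshd PAM stack).
# Globals:   none
# Outputs:   progress via log()
# Returns:   0; a file whose anchor line is missing is skipped with a log message
#######################################
update_passwd_policy_min() {
  # Minimum length 8 with at least one lower, upper, digit and special char;
  # enforce_for_root applies the same rule when root changes a password.
  local pwquality_line='password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= minlen=8 lcredit=-1 ucredit=-1 dcredit=-1 ocredit=-1 enforce_for_root'
  # Lock after 3 failed attempts for 120 s (>= 1 minute), root included.
  local tally_line='auth required pam_tally2.so deny=3 unlock_time=120 even_deny_root root_unlock_time=120'
  log "###############################"
  if _install_pam_line /etc/pam.d/system-auth 'password.*requisite.*pam_pwquality.so' "$pwquality_line"; then
    log "口令复杂性策略已添加"
  else
    log "skip: pam_pwquality line not found in /etc/pam.d/system-auth"
  fi
  if _install_pam_line /etc/pam.d/sshd 'auth.*required.*pam_sepermit.so' "$tally_line"; then
    log "account lockout policy (pam_tally2) installed in /etc/pam.d/sshd"
  else
    log "skip: pam_sepermit line not found in /etc/pam.d/sshd"
  fi
}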
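# Print, one per line, the users in shadow-format FILE whose password field is empty.
# Arguments: $1 - path to a shadow-format file
_empty_passwd_users() {
  awk -F: 'length($2)==0 {print $1}' "$1"
}

#######################################
# Report every account in /etc/shadow that has an empty password field.
# Globals:   none
# Outputs:   one log line per offending account
# Returns:   0
#######################################
search_user_empty_passwd() {
  local user
  log "###############################"
  # read -r keeps backslashes literal; process substitution keeps the loop in this shell.
  while IFS= read -r user; do
    log "禁止存在空密码用户:${user} 请添加密码或删除账号!!!"
  done < <(_empty_passwd_users /etc/shadow)
}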
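# Tighten the umask in FILE: "umask 002" becomes "umask 027", and the
# "umask 022" that CentOS 7 places two lines below it becomes "umask 027" too.
# Arguments: $1 - file to edit
# Returns:   0 if FILE was changed, 1 if "umask 002" does not occur exactly once
_harden_umask_file() {
  local file=$1 row num
  [[ "$(grep -c -e "umask 002" -- "$file")" -eq 1 ]] || return 1
  row=$(grep -n -e "umask 002" -- "$file" | cut -d: -f1)
  [[ "$row" =~ ^[0-9]+$ ]] || return 1
  num=$((row + 2))
  sed -i "${row} s/umask 002/umask 027/" "$file"
  sed -i "${num} s/umask 022/umask 027/" "$file"
}

#######################################
# Lower the default permissions of newly created files and directories
# (umask 027: no access for others) in /etc/profile and /etc/bashrc.
# Globals:   none
# Outputs:   progress via log()
# Returns:   0
#######################################
update_default_permissions() {
  local changed=0 f
  log "###############################"
  for f in /etc/profile /etc/bashrc; do
    if _harden_umask_file "$f"; then
      changed=1
    fi
  done
  # The files are deliberately not sourced here: the new umask applies to future
  # logins, and sourcing /etc/profile would run every /etc/profile.d script
  # inside this root session.
  if (( changed )); then
    log "创建目录和文件的默认权限已修改"
  fi
}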
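# Rewrite "SELINUX=enforcing" to "SELINUX=permissive" in FILE.
# Arguments: $1 - SELinux config file
# Returns:   0 if FILE was changed, 1 if the enforcing line was not found exactly once
_selinux_config_to_permissive() {
  local file=$1
  [[ "$(grep -c -e '^SELINUX=enforcing' -- "$file")" -eq 1 ]] || return 1
  # --follow-symlinks: on CentOS/RHEL 7 /etc/sysconfig/selinux is normally a
  # symlink to /etc/selinux/config; without it sed -i would replace the link
  # with a copy and leave the real config (the boot-time mode) unchanged.
  sed -i --follow-symlinks 's/^SELINUX=enforcing/SELINUX=permissive/' "$file"
}

#######################################
# Switch SELinux from enforcing to permissive, persistently and at runtime.
# Note: this relaxes mandatory access control rather than tightening it;
# setenforce 0 only affects the running system, the file edit the next boot.
# Globals:   none
# Outputs:   progress via log()
# Returns:   0
#######################################
update_selinux() {
  if _selinux_config_to_permissive /etc/sysconfig/selinux; then
    log "###############################"
    setenforce 0 || log "warning: setenforce 0 failed (SELinux may be disabled)"
    log "selinux mode set to permissive"
  fi
}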
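# Entry point. Every step edits files under /etc, so refuse to run unprivileged,
# and stop at the first failing step instead of continuing half-hardened.
[[ "$EUID" -eq 0 ]] || error_exit "This script must be run as root"
add_root_user || error_exit "Failed to add root user"
add_oper_user || error_exit "Failed to add oper user"
add_dev_user || error_exit "Failed to add dev user"
add_sudoers || error_exit "Failed to write sudoers rules"
close_root_ssh || error_exit "Failed to disable root ssh login"
update_passwd_policy_min || error_exit "Failed to update password policy"
# Report-only step: it lists offenders but changes nothing.
search_user_empty_passwd
update_default_permissions || error_exit "Failed to update default permissions"
update_selinux || error_exit "Failed to update selinux mode"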