#!/bin/bash
#centos7.0以上版本通用的主機基線安全加強腳本。
#1.密碼安全:
#密碼修改的最大和最小間隔天數。
#密碼過期前告警天數。
#密碼複雜度:密碼長度、曆史密碼、密碼字元組合要求。
#
#2.root安全配置
#3.ssh登入安全項
#登入失敗鎖定次數
#登出不活動賬号,會話自動鎖定時間
#登入前和登入後的banner
#禁止root賬号直接登入。
#4.會話逾時設定
#5.日志審計.
######################################################################################################################
#基礎加強項
######################################################################################################################
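#1. Password security
# Ownership and mode of the account database files.
# /etc/shadow and /etc/gshadow hold the password hashes; the original set them
# to 644, which let every local user read the hashes and is a serious weakening
# for a hardening script. CentOS ships them as mode 000 (root reads them via
# its DAC-override capability), so that is what is applied here.
chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow
chmod 644 /etc/group
chmod 644 /etc/passwd
chmod 000 /etc/shadow
chmod 000 /etc/gshadow
# Drop the immutable attribute so the edits below (and useradd/passwd later on)
# can write the files. Nothing in this script re-applies the attribute.
chattr -i /etc/passwd
chattr -i /etc/shadow

#######################################
# Set KEY to VALUE in /etc/login.defs.
# Replaces an existing line for KEY (active or commented out) and appends the
# setting when no such line exists, so the policy is applied whatever the
# starting state of the file.
# Arguments: $1 - key (e.g. PASS_MAX_DAYS), $2 - value (no '/' characters)
#######################################
set_login_def() {
  local key=$1 value=$2
  local file=/etc/login.defs
  if grep -qE "^#?[[:space:]]*${key}[[:space:]]" "$file"; then
    sed -i -E "s/^#?[[:space:]]*${key}[[:space:]].*/${key} ${value}/" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# Password ageing policy
echo "===========修改密碼政策=============="
# maximum password age (days)
set_login_def PASS_MAX_DAYS 90
# minimum days between password changes
set_login_def PASS_MIN_DAYS 7
# minimum password length
set_login_def PASS_MIN_LEN 8
#/usr/sbin/authconfig --passminlen=8 --update
# days of warning before expiry. The original pattern 'PASS_WARN_AGE*$' only
# matched 'PASS_WARN_AG' followed by zero or more 'E' up to end of line, so
# the warning age was never actually set.
set_login_def PASS_WARN_AGE 7
# disable accounts whose password has expired (left disabled, as in the original)
#sed -i 's/^INACTIVE.*$/INACTIVE=90/g' /etc/default/useradd
# Password complexity through pwquality/authconfig: at least 3 character
# classes, and a digit and an upper-case letter are each required.
# NOTE(review): authconfig --update rewrites the PAM stacks, which is
# presumably why the hand-edited pam_cracklib/pam_tally2 seds below stay
# commented out — confirm before re-enabling any of them.
#sed -i 's/^minclass = 2*$/minclass = 3/g' /etc/security/pwquality.conf
/usr/sbin/authconfig --passminclass=3 --update
/usr/sbin/authconfig --enablereqdigit --update
/usr/sbin/authconfig --enablerequpper --update
# Keep root's password from expiring so the host stays reachable even when
# every other password has expired.
chage --maxdays 9999 root
#sed -i '4a\password requisite pam_cracklib.so try_first_pass retry=3 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 minlen=8' /etc/pam.d/system-auth
# Lock the account after 5 failed logins (pam_tally2 lines kept disabled, as
# in the original).
echo "===========5次失敗後鎖定使用者========="
#sed -i '4a\auth required pam_tally2.so onerr=fail deny=5 unlock_time=1800' /etc/pam.d/system-auth
#sed -i '1a\auth required pam_tally2.so onerr=fail deny=5 unlock_time=1800' /etc/pam.d/sshd
#sed -i 's/^password *requisite.*retry=3.*$/password requisite pam_passwdqc.so min=disabled,disabled,12,10,7/g' /etc/pam.d/system-auth
#sed -i 's/^password *sufficient.*uthtok$/& remember=4/g' /etc/pam.d/system-auth
# Password history file (used by pam_unix remember=): must exist and be
# readable by root only.
if [[ ! -e /etc/security/opasswd ]]; then
  touch /etc/security/opasswd
fi
chown root:root /etc/security/opasswd
chmod 600 /etc/security/opasswd
# Log out idle shells: TMOUT=600 goes right after the HISTSIZE= line.
# Guarded so a second run of the script does not insert it twice.
echo "=============自動登出不活動控制台=========="
grep -q '^TMOUT=' /etc/profile || sed -i '/^HISTSIZE=/a TMOUT=600' /etc/profile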
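#2. root account security
# root must not log in over ssh directly: log in as a regular user, then su.
# Console login for root is left enabled.
#3. ssh hardening
# A regular admin account is created BEFORE sshd is locked down, otherwise
# 'PermitRootLogin no' plus 'AllowUsers' would leave no way in.
# Its password comes from the NDADMIN_PASSWORD environment variable. The
# original embedded a fixed password in the script, so anyone able to read the
# script or its repository knew the credential of the only ssh-allowed admin
# account. Bail out here, before sshd_config is touched, if it is missing.
if [[ -z "${NDADMIN_PASSWORD:-}" ]]; then
  printf 'NDADMIN_PASSWORD is not set; refusing to create ndadmin and lock down sshd\n' >&2
  exit 1
fi
getent group ndadmin >/dev/null || groupadd ndadmin
id ndadmin >/dev/null 2>&1 || useradd -m -g ndadmin -s /bin/bash ndadmin
printf '%s\n' "$NDADMIN_PASSWORD" | passwd --stdin ndadmin

#######################################
# Set a keyword in /etc/ssh/sshd_config.
# Replaces an existing line for KEY whether it is commented out or active
# (the original only matched the commented form, so an already-active
# 'PermitRootLogin yes' survived) and appends the keyword when no line exists.
# sshd uses the first occurrence of a keyword, so a leftover active line would
# otherwise take precedence over an appended one. A matching line inside a
# 'Match' block would be rewritten too; the stock CentOS 7 file has none.
# Arguments: $1 - keyword, $2 - value (may contain spaces, no '/' characters)
#######################################
set_sshd_option() {
  local key=$1 value=$2
  local file=/etc/ssh/sshd_config
  if grep -qE "^#?${key}[[:space:]]" "$file"; then
    sed -i -E "s/^#?${key}[[:space:]].*/${key} ${value}/" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

# Configure sshd (marker comment appended only once)
grep -qF 'add by mgx' /etc/ssh/sshd_config || sed -i '$a\#================= add by mgx ==================#' /etc/ssh/sshd_config
set_sshd_option LoginGraceTime 600s
#sed -i '$a\PermitRootLogin no' /etc/ssh/sshd_config
set_sshd_option PermitRootLogin no
# Only these accounts may authenticate over ssh ('clouder' need not exist yet).
set_sshd_option AllowUsers 'ndadmin clouder'
# Idle ssh sessions are dropped after ClientAliveInterval * ClientAliveCountMax
# seconds without a client response (600 * 10). Guidance quoted by the
# original: ClientAliveInterval 300-900 (5-15 min), ClientAliveCountMax 10.
#ClientAliveInterval 0
set_sshd_option ClientAliveInterval 600
set_sshd_option ClientAliveCountMax 10
# never accept an empty password
set_sshd_option PermitEmptyPasswords no
# at most 5 authentication attempts per connection
set_sshd_option MaxAuthTries 5
# at most 10 sessions per network connection
set_sshd_option MaxSessions 10
# Validate the file before restarting; a broken sshd_config would leave sshd
# down and, with root login disabled, no remote way back in.
if /usr/sbin/sshd -t; then
  systemctl restart sshd
else
  printf 'sshd_config failed validation; sshd NOT restarted\n' >&2
fi
# Restrict /etc/group membership to selected users (left disabled, as in the original)
#sed -i '$a\wheel:x:10:ndadmin,clouder' /etc/group
# Shell idle timeout for every login shell, appended once. The original's
# 'source /etc/profile' was dropped: sourcing it inside this script only
# affected the script's own shell, never a user session.
grep -q '^export TMOUT=300' /etc/profile || echo "export TMOUT=300" >> /etc/profile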
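#4. Login security
# Lock the GNOME desktop after 20 idle minutes through mandatory gconf keys.
#######################################
# Write one mandatory gconf key.
# Arguments: $1 - type (bool|string|int), $2 - key path, $3 - value
#######################################
gconf_set() {
  gconftool-2 --direct --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory \
    --type "$1" --set "$2" "$3"
}
echo "=============自動鎖住不活動GNOME桌面======="
# gconftool-2 only exists on hosts with the GNOME/gconf stack; on a headless
# server the original produced four "command not found" errors, so skip with
# a message instead.
if command -v gconftool-2 >/dev/null 2>&1; then
  gconf_set bool /apps/gnome-screensaver/idle_activation_enabled true
  gconf_set bool /apps/gnome-screensaver/lock_enabled true
  gconf_set string /apps/gnome-screensaver/mode blank-only
  gconf_set int /apps/gnome-screensaver/idle_delay 20
else
  printf 'gconftool-2 not found; skipping GNOME screensaver lock settings\n' >&2
fi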
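#5. Audit rules
# auditd log sizing: max_log_file is in megabytes; KEEP_LOGS rotates without
# ever discarding old logs.
echo "==========配置審計檔案容量=============="
sed -i 's/^max_log_file =.*$/max_log_file = 30000/g' /etc/audit/auditd.conf
sed -i 's/^max_log_file_action =.*$/max_log_file_action = KEEP_LOGS/g' /etc/audit/auditd.conf
# Audit rule: watch /var/log for write/attribute/read access, keyed logWatch.
# The original *replaced* the '-D' line (which flushes previously loaded rules
# when the file is loaded) with the watch, so rules would accumulate on every
# reload. Keep '-D' and insert the watch after it; fall back to appending when
# no '-D' line exists; never add the rule twice.
# NOTE(review): on CentOS 7 augenrules regenerates /etc/audit/audit.rules from
# /etc/audit/rules.d/*.rules, so a rule placed only here may be overwritten —
# confirm which file is authoritative on the target hosts.
echo "==========配置審計規則==========="
if ! grep -qF 'key=logWatch' /etc/audit/audit.rules; then
  if grep -q '^-D' /etc/audit/audit.rules; then
    sed -i '/^-D/a\-w /var/log -p war -F key=logWatch' /etc/audit/audit.rules
  else
    printf '%s\n' '-w /var/log -p war -F key=logWatch' >> /etc/audit/audit.rules
  fi
fi
# Rotation settings for the syslog group, inserted after line 8 of
# /etc/logrotate.d/syslog as the original did (assumes the stock file layout,
# where line 8 is inside the '{ ... }' block — verify on a customised file).
# Guarded so a second run does not insert the three lines again.
if ! grep -q 'rotate 7' /etc/logrotate.d/syslog; then
  sed -i '8a\ rotate 7' /etc/logrotate.d/syslog
  sed -i '9a\ size 10000k' /etc/logrotate.d/syslog
  sed -i '10a\ compress' /etc/logrotate.d/syslog
fi
# Log file permissions: each file exists, is owned by root and is unreadable
# by other users. Same files as the original, without 30 repeated lines.
log_files=(messages kern.log daemon.log syslog unused.log emerg.log crit.log alert.log warning.log err.log)
for name in "${log_files[@]}"; do
  log_path="/var/log/${name}"
  touch -- "$log_path"
  chown root:root -- "$log_path"
  chmod 0600 -- "$log_path"
done
# Start syslog
systemctl enable rsyslog
systemctl start rsyslog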
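#6. Kernel / resource limits
#######################################
# Append LINE to FILE unless an identical line is already present, so that
# re-running the script does not pile up duplicate entries (the original
# appended unconditionally).
# Arguments: $1 - exact line, $2 - file (created if missing)
#######################################
append_once() {
  local line=$1 file=$2
  grep -qxF -- "$line" "$file" 2>/dev/null || printf '%s\n' "$line" >> "$file"
}
# /etc/security/limits.conf
echo "===========修改程序最大數和最大檔案打開數============="
#sed -i '$a\#========add by mgx ==========#' /etc/security/limits.conf
# The '* - nofile 20480' entry is kept from the original but is presumably
# superseded by the soft/hard 65535 entries after it (pam_limits takes the
# last matching entry) — confirm it is still wanted.
append_once '* - nofile 20480' /etc/security/limits.conf
append_once '* soft nofile 65535' /etc/security/limits.conf
append_once '* hard nofile 65535' /etc/security/limits.conf
#sed -i '$a\#========end by mgx ==========#' /etc/security/limits.conf
# NOTE(review): rc.local is only executed at boot when the file is
# executable — check that on the target hosts.
append_once 'ulimit -SHn 65535' /etc/rc.local
# NOTE(review): 'ulimit -c unlimited' enables core dumps for every login
# shell; core files can contain credentials and other secrets, which sits
# oddly in a hardening script — confirm this is intended.
append_once 'ulimit -c unlimited' /etc/profile
append_once 'ulimit -s unlimited' /etc/profile
append_once 'ulimit -SHn 65535' /etc/profile
# The original's 'source /etc/profile' was dropped: it only affected this
# script's own shell, not any user session.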
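#7. File permissions
# Defects in the original list:
#  - /etc/shadow was set to 644 (here and again in section 1), exposing every
#    password hash to all local users; it must be 000, the CentOS default.
#  - /etc/security is a directory: 'chmod 644' stripped its execute (search)
#    bit, making limits.conf, pwquality.conf and opasswd unreachable for PAM.
#    Directories need 755.
#  - /etc/grub.conf, /boot/grub/grub.conf and /etc/lilo.conf are legacy paths
#    that usually do not exist on CentOS 7; they are skipped instead of
#    producing errors. NOTE(review): a bootloader config, if present, is often
#    kept at 600 rather than 644 — confirm the intended mode.
#######################################
# chmod PATH to MODE when PATH exists, otherwise report and skip.
# Arguments: $1 - octal mode, $2 - path
#######################################
set_mode() {
  local mode=$1 path=$2
  if [[ -e "$path" ]]; then
    chmod "$mode" -- "$path"
  else
    printf 'skip: %s not present\n' "$path" >&2
  fi
}
set_mode 644 /etc/passwd
set_mode 644 /etc/group
set_mode 000 /etc/shadow
set_mode 644 /etc/services
set_mode 755 /etc/security
set_mode 644 /etc/grub.conf
set_mode 644 /boot/grub/grub.conf
set_mode 644 /etc/lilo.conf
# TCP wrapper files: root-owned, world-readable.
for acl_file in /etc/hosts.allow /etc/hosts.deny; do
  if [[ -e "$acl_file" ]]; then
    chown root:root -- "$acl_file"
    chmod 644 -- "$acl_file"
  fi
done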
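######################################################################################################################
# Additional hardening
######################################################################################################################
#1. Restrict sshd to strong algorithms.
# The original described this as disabling insecure algorithms but actually
# enabled the arcfour* (RC4) ciphers and the hmac-sha1/hmac-ripemd160 MACs,
# all deprecated; only CTR-mode AES and SHA-2 HMACs are allowed here.
# sshd honours the FIRST occurrence of a keyword, so an existing Ciphers/MACs
# line is replaced rather than a second one appended (which sshd would ignore).
#######################################
# Set an algorithm keyword in /etc/ssh/sshd_config, replacing an existing
# (active or commented) line or appending when absent.
# Arguments: $1 - keyword (Ciphers|MACs), $2 - comma-separated list
#######################################
set_sshd_algo() {
  local key=$1 value=$2
  local file=/etc/ssh/sshd_config
  if grep -qE "^#?${key}[[:space:]]" "$file"; then
    sed -i -E "s/^#?${key}[[:space:]].*/${key} ${value}/" "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}
set_sshd_algo Ciphers aes128-ctr,aes192-ctr,aes256-ctr
set_sshd_algo MACs hmac-sha2-256,hmac-sha2-512
# Validate before restarting so a bad config cannot take sshd down.
if /usr/sbin/sshd -t; then
  systemctl restart sshd
else
  printf 'sshd_config failed validation; sshd NOT restarted\n' >&2
fi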