Linux小脚本加固系统安全

楼主^#

更多发布于：2013-03-05 09:47

[] 1


	今天有朋友在Linux的群里喊需要写一个脚本，来实现对100多台Linux系统的统一安全配置，然后求助人来写这个脚本。我闲来无事，就接下来了。都是非常基础的语法，没有做过优化，只是简单的实现了他提的要求，现在把脚本发下，如果有人愿意跟我一起改进或者有什么建议的请发站内信给我，大家一起讨论。这个脚本最后有一点小问题，就是在追加审计策略的时候，脚本只能执行一次，如果执行两次，最后在策略追加时会报错，并且/etc/audit/audit.rules会不断增加，这个问题我后期会优化，使其执行多少次的结果都是一样的。 #!/bin/bash DIR=/etc ################################################################# ##/etc/login.defs ##PASS_MAX_DAYS echo "正在修改/etc/login.defs..." sleep 1 max=`cat $DIR/login.defs \|grep ^PASS_MAX_DAYS \|awk '{print $2}'` if [ $max != 90 ];then sed -i '/^PASS_MAX_DAYS/s/'"$max"'/90/g' $DIR/login.defs fi ##PASS_MIN_DAYS min=`cat $DIR/login.defs \|grep ^PASS_MIN_DAYS \|awk '{print $2}'` if [ $min != 0 ];then sed -i '/^PASS_MIN_DAYS/s/'"$min"'/0/g' $DIR/login.defs fi ##PASS_MIN_LEN len=`cat $DIR/login.defs \|grep ^PASS_MIN_LEN \|awk '{print $2}'` if [ $len != 8 ];then sed -i '/^PASS_MIN_LEN/s/'"$len"'/8/g' $DIR/login.defs fi ##PASS_WARN_AGE warn=`cat $DIR/login.defs \|grep ^PASS_WARN_AGE \| awk '{print $2}'` if [ $warn != 7 ];then sed -i '/^PASS_WARN_AGE/s/'"$warn"'/7/g' $DIR/login.defs fi ########################################################### echo "正在修改用户组..." sleep 1 sed -i 's/^uucp/#;/g' /etc/passwd sed -i 's/^nuucp/#;/g' /etc/passwd sed -i 's/^lp/#;/g' /etc/passwd sed -i 's/^news/#;/g' /etc/passwd sed -i 's/^games/#a;/g' /etc/passwd sed -i 's/^uucp/#;/g' /etc/shadow sed -i 's/^nuucp/#;/g' /etc/shadow sed -i 's/^lp/#;/g' /etc/shadow sed -i 's/^news/#;/g' /etc/shadow sed -i 's/^games/#;/g' /etc/shadow sed -i 's/^uucp/#;/g' /etc/group sed -i 's/^nuucp/#;/g' /etc/group sed -i 's/^lp/#;/g' /etc/group sed -i 's/^news/#;/g' /etc/group sed -i 's/^games/#;/g' /etc/group ############################################### echo "正在修改禁止管理员远程登录..." sed -i 's/^#PermitRootLogin yes/PermitRootLogin no/g' /etc/ssh/sshd_config ############################################### echo "正在修改系统命令行保存条目..." sleep 1 cat /etc/profile \|grep ^HISTSIZE > /dev/null if [ $? == 0 ];then sed -i 's/^HISTSIZE=[0-9]\{1,4\}/HISTSIZE=30/g' /etc/profile fi cat /etc/profile \|grep ^HISTFILESIZE > /dev/null if [ $? == 1 ];then echo "HISTFILESIZE=30" >> /etc/profile fi ############################################### echo "正在修改系统启动级别..." sleep 1 init=`cat /etc/inittab \|grep ^id \|cut -d ":" -f 2` if [ $init != 3 ];then sed -i '/^id/s/'"${init}"'/3/g' /etc/inittab fi ############################################## echo "正在启用审计策略..." echo "# Enable auditing" >> /etc/audit/audit.rules echo "-e 1" >> /etc/audit/audit.rules echo "## login configuration and information" >> /etc/audit/audit.rules echo "-w /etc/login.defs -p wa -k CFG_login.defs" >> /etc/audit/audit.rules echo "-w /etc/securetty -p wa -k CFG_securetty" >> /etc/audit/audit.rules echo "-w /var/log/faillog -p wa -k LOG_faillog" >> /etc/audit/audit.rules echo "-w /var/log/lastlog -p wa -k LOG_lastlog" >> /etc/audit/audit.rules echo "-w /var/log/tallylog -p wa -k LOG_tallylog" >> /etc/audit/audit.rules echo " " >> /etc/audit/audit.rules echo "## directory operations" >> /etc/audit/audit.rules echo "#-a entry,always -S mkdir -S mkdirat -S rmdir" >> /etc/audit/audit.rules echo " " >> /etc/audit/audit.rules.bak echo " " >> /etc/audit/audit.rules echo "## cron configuration ; scheduled jobs" >> /etc/audit/audit.rules echo "-w /etc/cron.allow -p wa -k CFG_cron.allow" >> /etc/audit/audit.rules echo "-w /etc/cron.deny -p wa -k CFG_cron.deny" >> /etc/audit/audit.rules echo "-w /etc/cron.d/ -p wa -k CFG_cron.d" >> /etc/audit/audit.rules echo "-w /etc/cron.daily/ -p wa -k CFG_cron.daily" >> /etc/audit/audit.rules echo "-w /etc/cron.hourly/ -p wa -k CFG_cron.hourly" >> /etc/audit/audit.rules echo "-w /etc/cron.monthly/ -p wa -k CFG_cron.monthly" >> /etc/audit/audit.rules echo "-w /etc/cron.weekly/ -p wa -k CFG_cron.weekly" >> /etc/audit/audit.rules echo "-w /etc/crontab -p wa -k CFG_crontab" >> /etc/audit/audit.rules echo "-w /var/spool/cron/root -k CFG_crontab_root" >> /etc/audit/audit.rules echo " " >> /etc/audit/audit.rules echo " " >> /etc/audit/audit.rules echo "## user, group, password databases" >> /etc/audit/audit.rules echo "-w /etc/group -p wa -k CFG_group" >> /etc/audit/audit.rules echo "-w /etc/passwd -p wa -k CFG_passwd" >> /etc/audit/audit.rules echo "-w /etc/gshadow -k CFG_gshadow" >> /etc/audit/audit.rules echo "-w /etc/shadow -k CFG_shadow" >> /etc/audit/audit.rules echo "-w /etc/security/opasswd -k CFG_opasswd" >> /etc/audit/audit.rules echo " " >> /etc/audit/audit.rules echo "# ----- File System audit rules -----" >> /etc/audit/audit.rules echo "正在重启审计服务..." /sbin/service auditd restart ################################################################## sleep 1 echo "脚本执行成功"