系统安全检测脚本

作者: admin 分类: Shell脚本 发布时间: 2019-05-16 15:11
############################################################
# File Name: sec_check.sh
# Author: 寻音
# E-mail: lnhxzwb@126.com
# Created Time: Tue 27 Feb 2019 03:06:07 PM CST
#==================================================================
#本脚本运行环境为Centos 7以上版本,其它系统请参照修改
#!/bin/bash

#备份相关配置文件
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak
cp /etc/login.defs  /etc/login.defs.bak
cp /etc/pam.d/system-auth /etc/pam.d/system-auth.bak
cp /etc/pam.d/sshd /etc/pam.d/sshd.bak
cp /etc/rsyslog.conf /etc/rsyslog.conf.bak
cp /etc/profile  /etc/profile.bak

#创建用户
useradd admin
echo "Qunniao.net" | passwd --stdin admin &>/dev/null

set -x

#帐号检查
user_check()
{
echo "特殊帐号及无用帐号检查中....."
none_passwd=$(awk -F: '($2 == "") { print $1 }' /etc/shadow)
root_check=$(awk -F: '($3==0) {print $1}' /etc/passwd)
if [ `$none_passwd|wc -l` == 0 ];then
if [ $root_check == root ];then
cut -d: -f1 /etc/passwd |egrep -v "root|bin" |xargs passwd -l
echo "检查已完成,帐号符合要求"
echo "==========================================="
else
echo "UUID为0的帐号为:$root_check"
fi
else
echo "存在空口令帐号: $none_passwd"
fi
}

#密码复杂度设置

passwd_set()
{
echo "密码复杂度设置中....."
echo "password requisite pam_cracklib.so ucredit=-1 lcredit=-1 dcredit=-1" >>/etc/pam.d/system-auth
sed -i 's/PASS_MAX_DAYS[ \t]*99999/PASS_MAX_DAYS 90/' /etc/login.defs
sed -i 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config 
systemctl restart sshd
}

#登陆失败次数限制
login_out()
{
echo "分录相关限制设置中....."
#限制用户远程登录
# sed -i '/#%PAM-1.0/a\auth required pam_tally2.so deny=5 unlock_time=300 even_deny_root root_unlock_time=10' /etc/pam.d/sshd #root同时限制
sed -i '/#%PAM-1.0/a\auth required pam_tally2.so deny=5 unlock_time=300' /etc/pam.d/sshd
#限制用户从tty登录
#sed -i '/#%PAM-1.0/a\auth required pam_tally2.so deny=5 lock_time=300 even_deny_root root_unlock_time=10' /etc/pam.d/login #root同时限制
sed -i '/#%PAM-1.0/a\auth required pam_tally2.so deny=5 lock_time=300 ' /etc/pam.d/login
}

#文件设置访问权限
file_chmod()
{
echo "用户密码文件设置访问权限......"
chmod 644 /etc/passwd 
chmod 400 /etc/shadow 
chmod 644 /etc/group
chmod 644 /etc/services
}

#日志安全审计

log_check()
{
echo "日志安全审计检查中......"
log_service=$(ps -ef | grep rsyslogd|grep -v "grep" |wc -l)
auditd_service=$(ps -ef | grep auditd |egrep -v "grep|kauditd"|wc -l)
if [ $log_service == 1 ];then
echo "日志服务已开启"
else
systemctl start rsyslog
systemctl enable rsyslog
fi
if [ $auditd_service == 1 ];then
echo "auditd服务已开启"
else
systemctl start auditd
systemctl enable auditd
fi

#日志
sed -i '/authpriv.\*/a\*.err;kern.debug;daemon.notice /var/adm/messages' /etc/rsyslog.conf
sed -i '/authpriv.\*/a\*.warning /var/log/rsyslog' /etc/rsyslog.conf
touch /var/adm/messages
chmod 666 /var/adm/messages
cat << EOF >>/etc/logrotate.conf
{
monthly #按月存储
rotate 6 #循环日志数量为6
maxsize 100M #文件大小为100M
}
EOF
sed -i 's/num_logs = 5/num_logs = 6/' /etc/audit/auditd.conf
sed -i 's/max_log_file = 8/max_log_file = 20/' /etc/audit/auditd.conf
read -p "请输入日志服务器地址:" log_ip
echo "*.* @${log_ip}" >>/etc/rsyslog.conf
systemctl restart rsyslog
systemctl restart auditd
sed -i 's/HISTSIZE=1000/HISTSIZE=50/' /etc/profile #保留历史命令的条数
echo "export TMOUT=180" >> /etc/profile #系统超时登录时间
source /etc/profile
}

#时间服务检查
ntp_service()
{
echo "时间服务检查....."
ntp_server=$(ps -aux |grep ntpd |grep -v grep|wc -l)
if [ $ntp_server == 1 ];then
echo "server ntp1.aliyun.com" >> /etc/ntp.conf
systemctl restart ntpd
else
systemctl enable ntpd
echo "server ntp1.aliyun.com" >> /etc/ntp.conf
systemctl restart ntpd
fi
}

#禁止生成core文件
lim()
{
echo "* hard core 0" >>/etc/security/limits.conf
echo "* soft core 0" >>/etc/security/limits.conf
}

#增强TCP/IP协议安全配置

tcp_sec()
{
echo "增强TCP/IP协议安全配置......"
cat << EOF >> /etc/sysctl.conf
net.ipv4.conf.default.secure_redirects = 0 
net.ipv4.conf.all.secure_redirects = 0 
net.ipv4.icmp_echo_ignore_broadcasts = 1 
net.ipv4.conf.all.accept_redirects = 0 
net.ipv4.conf.default.accept_redirects = 0 
net.ipv4.tcp_syncookies = 1 
net.ipv4.tcp_max_syn_backlog = 4096 
net.ipv4.conf.all.rp_filter = 1 
net.ipv4.conf.default.rp_filter = 1 
net.ipv4.conf.all.accept_source_route = 0 
net.ipv4.conf.default.accept_source_route = 0
EOF
sysctl -p
}

#路由协议安全增强配置

route_sec()
{
echo "路由协议安全增强配置....."
#启动tcp_syncookies
echo 1 > /proc/sys/net/ipv4/tcp_syncookies
#禁止数据包转发:
echo 0 > /proc/sys/net/ipv4/ip_forward
#启用IP Spoofing
echo 1 > /proc/sys/net/ipv4/conf/lo/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/all/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/eth0/rp_filter
echo 1 > /proc/sys/net/ipv4/conf/default/rp_filter
}

main ()
{
user_check
passwd_set
login_out
file_chmod
log_check
ntp_service
lim
tcp_sec
route_sec
}

main
echo "安全相关检测完成!!!!"



温馨提示:如无特殊说明,本站文章均为作者原创,转载请注明出处!

发表评论