A One-Click Linux Hardening Automation Script: the Best Baseline Is the One That Fits Your Environment

Linux hardening is foundational and necessary work. It is usually approached with caution, because a careless change can disrupt production workloads, so Linux hardening splits into two parts:

Part one covers freshly installed systems, where the basic security settings need to be applied uniformly. This is usually done by combining unattended installation with a one-click hardening script; the operations security team evaluates what the script changes and tailors it to the business. It saves a great deal of manual effort.

Part two covers Linux servers that are already running in production. Here the work is generally a security check, followed by an assessment of whether to remediate, with fixes applied manually or semi-automatically.

What follows is a one-click hardening shell script for Linux. Adjust it to your own environment. The code:

main: one-click hardening script

#!/bin/bash
#
# This script applies the Linux baseline remediation for the XX production
# network. It covers 18 check items:
#
# Check whether a minimum interval (days) between password changes is set
# Check whether a password expiry warning period (days) is set
# Check the system core dump settings
# Check the shell history settings (disabled in this version)
# Check the limit on password reuse
# Check whether a maximum password lifetime is set
# Check the minimum password length
# Check whether a command-line idle timeout is set
# Check whether the Ctrl+Alt+Del key combination is disabled
# Check the password complexity policy
# Check whether users are configured with the minimum privileges they need
# Check whether a post-login SSH banner is set
# Check the user umask setting
# Check the permissions on important directories and files
# Check whether a pre-login SSH warning banner is set
# Check whether remote root login is prohibited (disabled in this version)
# Check the OpenSSH security configuration
# Check whether the system banner information has been changed
#
# Script author: 嚴偉
# Version: 2

# Everything below edits root-owned files; stop early instead of failing halfway.
if [ "$(id -u)" -ne 0 ]; then
    echo "This script must be run as root" >&2
    exit 1
fi

##############################################################################
# Back up every file the script touches before making any change. cp -a copies
# the /etc/security directory recursively (plain cp refuses directories) and
# keeps ownership and mode; files absent on this host are skipped. hosts.allow
# and hosts.deny are included because the script appends to them below.
for f in /etc/login.defs /etc/security/limits.conf /etc/profile \
         /etc/pam.d/system-auth /etc/inittab /etc/motd /etc/xinetd.conf \
         /etc/group /etc/shadow /etc/services /etc/security /etc/passwd \
         /etc/grub.conf /boot/grub/grub.conf /etc/lilo.conf /etc/ssh_banner \
         /etc/ssh/sshd_config /etc/aliases /etc/hosts.allow /etc/hosts.deny
do
    [ -e "$f" ] && cp -a "$f" "$f.bak"
done

#############################################################################
# set_login_def KEY VALUE: replace the active KEY line in /etc/login.defs or
# append one if none exists. Anchoring on the start of the line leaves the
# commented defaults ("#PASS_MIN_DAYS 0") alone. The original looked the line
# number up with cat -n | grep | awk; when the key was absent that variable
# was empty and sed applied the substitution to every line of the file.
set_login_def() {
    if grep -Eq "^[[:space:]]*$1[[:space:]]" /etc/login.defs; then
        sed -i -E "s/^[[:space:]]*$1[[:space:]].*/$1 $2/" /etc/login.defs
    else
        echo "$1 $2" >> /etc/login.defs
    fi
}

# Fix: minimum number of days between password changes
set_login_def PASS_MIN_DAYS 1

#############################################################################
# Fix: number of days of warning before a password expires
set_login_def PASS_WARN_AGE 7

#############################################################################
# Fix: system core dump settings. set_core_limit hard|soft rewrites the active
# "<domain> hard|soft core" line or appends one. The original grep for
# "hard core" with a single space never matched the tab-aligned stock file.
set_core_limit() {
    if grep -Eq "^[^#]*$1[[:space:]]+core" /etc/security/limits.conf; then
        sed -i -E "s/^[^#]*$1[[:space:]]+core.*/* $1 core 0/" /etc/security/limits.conf
    else
        echo "* $1 core 0" >> /etc/security/limits.conf
    fi
}
set_core_limit hard
set_core_limit soft

##############################################################################
# Fix: shell history settings (disabled in this version)
#sed -i 's/.*HISTSIZE=.*/HISTSIZE=5/g' /etc/profile

###############################################################################
# Fix: password reuse limit. Append remember=5 to the "password sufficient
# pam_unix.so" line only, and only once. The original grep required single
# spaces, so on a stock system-auth it matched nothing, the line-number
# variable was empty, and "s/$/ &remember=5/" appended to every line.
sed -i -E '/^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so/{/remember=/!s/$/ remember=5/}' /etc/pam.d/system-auth

###############################################################################
# Fix: maximum password lifetime
set_login_def PASS_MAX_DAYS 90

###############################################################################
# Fix: minimum password length
set_login_def PASS_MIN_LEN 8

#################################################################################
# Fix: command-line idle timeout. The test uses grep -q directly; the original
# stored the match in a variable named TMOUT, which is bash's own idle-timeout
# variable and so also affected the shell running this script.
if grep -q "export TMOUT=" /etc/profile; then
    sed -i 's/.*export TMOUT=.*/export TMOUT=600/g' /etc/profile
else
    echo "export TMOUT=600" >> /etc/profile
fi

##################################################################################
# Fix: disable the Ctrl+Alt+Del key combination (SysV init). The line is
# commented out; the original "s/^//" substituted nothing. On systemd hosts
# /etc/inittab is not read and the equivalent is masking ctrl-alt-del.target.
if [ -f /etc/inittab ]; then
    sed -i 's/^ca::ctrlaltdel/#&/' /etc/inittab
fi

###################################################################################
# Fix: password complexity policy. Only the active pam_cracklib line is
# rewritten; commented examples are left alone. Distributions that ship
# pam_pwquality instead of pam_cracklib are not changed by this line.
sed -i -E 's/^password[[:space:]]+.*pam_cracklib\.so.*/password requisite pam_cracklib.so difok=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1/' /etc/pam.d/system-auth

###################################################################################
# Fix: post-login SSH banner (message of the day). The redirection creates
# the file when it is missing, so no separate touch is needed.
echo "Login success. All activity will be monitored and reported " > /etc/motd

####################################################################################
# Fix: user umask. Check /etc/profile itself rather than the running shell's
# umask, so repeated runs do not append duplicate lines.
grep -q '^umask 027' /etc/profile || echo "umask 027" >> /etc/profile

#####################################################################################
# Fix: permissions on important directories and files. Files missing on this
# host (lilo.conf, grub.conf on GRUB 2 systems) are skipped. /etc/security is
# a directory, so it gets 700; the original 600 would have removed the execute
# bit a directory needs to be traversable.
for f in /etc/xinetd.conf /etc/grub.conf /boot/grub/grub.conf /etc/lilo.conf; do
    [ -f "$f" ] && chmod 600 "$f"
done
[ -d /etc/security ] && chmod 700 /etc/security
chmod 644 /etc/group /etc/services /etc/passwd
chmod 400 /etc/shadow

#####################################################################################
# Fix: pre-login SSH warning banner. touch creates the file when missing and
# is harmless otherwise, so the if/else of the original is not needed.
touch /etc/ssh_banner
chown bin:bin /etc/ssh_banner
chmod 644 /etc/ssh_banner
echo " Authorized only. All activity will be monitored and reported " > /etc/ssh_banner
# Replace an existing Banner line (including the commented "#Banner none"
# default) or append one. sshd only picks this up on reload or restart.
if grep -Eq '^[[:space:]]*#?[[:space:]]*Banner' /etc/ssh/sshd_config; then
    sed -i -E 's|^[[:space:]]*#?[[:space:]]*Banner.*|Banner /etc/ssh_banner|' /etc/ssh/sshd_config
else
    echo "Banner /etc/ssh_banner" >> /etc/ssh/sshd_config
fi

#######################################################################################
# Fix: prohibit remote root login (disabled in this version)
#if grep -Eq '^[[:space:]]*PermitRootLogin' /etc/ssh/sshd_config; then
#    sed -i -E 's/^[[:space:]]*PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
#else
#    echo "PermitRootLogin no" >> /etc/ssh/sshd_config
#fi

# Fix: system banner information. /etc/issue and /etc/issue.net show the
# distribution and version at the login prompt; move them aside.
[ -f /etc/issue.net ] && mv /etc/issue.net /etc/issue.net.bak
[ -f /etc/issue ] && mv /etc/issue /etc/issue.bak

# Fix: mail aliases. Comment out the aliases that deliver to system accounts.
# The original repeated "s/games/#.../" for every name, so it rewrote the
# games alias nine times and never touched the other eight.
for a in games system uucp dumper decode ingres toor manager operator; do
    sed -i "s/^$a:/#&/" /etc/aliases
done
# Rebuild the aliases database where the MTA provides newaliases.
command -v newaliases >/dev/null 2>&1 && newaliases

# Fix: hosts.allow and hosts.deny restrictions for sshd. Each line is added
# only if it is not already present, so repeated runs do not duplicate it.
# Note that OpenSSH 6.7 and later no longer link against libwrap, so these
# files have no effect on sshd there.
ALLOW="sshd:192.168.0.0/255.255.0.0 172.21.0.0/255.255.0.0 10.0.0.0/255.0.0.0"
grep -qxF "$ALLOW" /etc/hosts.allow 2>/dev/null || echo "$ALLOW" >> /etc/hosts.allow
grep -qxF "sshd:ALL" /etc/hosts.deny 2>/dev/null || echo "sshd:ALL" >> /etc/hosts.deny

# core dump setting (disabled: an unlimited soft limit in /etc/profile would
# undo the limits.conf settings applied above)
#echo "ulimit -S -c unlimited">>/etc/profile

# Fix: log file permissions. Take the destination of each active rule in
# syslog.conf / rsyslog.conf, strip the "-" that marks asynchronous writes,
# and keep only absolute paths, which drops remote targets (@host), the
# all-users target (*) and module/directive lines such as "$ModLoad imuxsock".
# The original awk used /*/, which is not a valid pattern.
for conf in /etc/syslog.conf /etc/rsyslog.conf; do
    [ -f "$conf" ] || continue
    LOGFILES=$(awk '$1 !~ /^#/ && NF >= 2 { sub(/^-/, "", $2); if ($2 ~ /^\//) print $2 }' "$conf")
    [ -n "$LOGFILES" ] && chmod 600 $LOGFILES
done

###############################################################################################################
# Lock the default system accounts in /etc/shadow by rewriting a placeholder
# password field ("*" or "!") to "!!". Only a single-character field is
# matched, so an account that carries a real hash is left alone. The original
# ran this against "2.txt", apparently a leftover test file; /etc/shadow is
# the file backed up at the top for this step.
for i in daemon bin sys adm lp uucp nuucp smmsp games ftp mail sync shutdown halt news operator gopher nobody; do
    sed -i "s/^$i:.:/$i:!!:/" /etc/shadow
done
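The article's second phase, checking a running server before deciding whether to remediate, needs a read-only counterpart to the script above. The following is an added example and not part of the original script: it reports the effective value of the "KEY VALUE" settings the script writes and whether each meets the baseline. The two sample files are constructed; the real paths (/etc/login.defs, /etc/ssh/sshd_config) are what you would pass on a host.

```bash
#!/bin/bash
# Added example (not from the original script): read-only audit of the "KEY VALUE"
# settings the hardening script writes, for the check-then-decide phase the article
# describes. Thresholds are encoded as anchored regular expressions. The two sample
# files are constructed; pass real paths such as /etc/login.defs to audit a host.

# Effective value of KEY in FILE: the last uncommented line wins, because neither
# login.defs nor sshd treats "#KEY value" as configuration. Prints nothing if unset.
effective_value() {
    awk -v key="$2" '$1 == key { val = $2 } END { if (val != "") print val }' "$1"
}

# check_kv FILE KEY REGEX: PASS if the effective value matches REGEX in full, FAIL
# otherwise, including the "not set" case a line-number based sed would skip silently.
check_kv() {
    local file=$1 key=$2 want=$3 got
    got=$(effective_value "$file" "$key")
    if [ -n "$got" ] && printf '%s\n' "$got" | grep -Eq "^($want)$"; then
        echo "PASS $file $key=$got"
    else
        echo "FAIL $file $key=${got:-<not set>} (want /$want/)"
        return 1
    fi
}

# Checks for the values the hardening script enforces; the return code is the
# number of failed checks (PASS_MAX_DAYS <= 90, PASS_MIN_DAYS >= 1, PASS_MIN_LEN >= 8,
# PASS_WARN_AGE >= 7, Banner /etc/ssh_banner, PermitRootLogin no).
audit() {
    local login_defs=$1 sshd_config=$2 fails=0
    check_kv "$login_defs" PASS_MAX_DAYS '[1-9]|[1-8][0-9]|90' || fails=$((fails + 1))
    check_kv "$login_defs" PASS_MIN_DAYS '[1-9][0-9]*'          || fails=$((fails + 1))
    check_kv "$login_defs" PASS_MIN_LEN  '[89]|[1-9][0-9]+'     || fails=$((fails + 1))
    check_kv "$login_defs" PASS_WARN_AGE '[7-9]|[1-9][0-9]+'    || fails=$((fails + 1))
    check_kv "$sshd_config" Banner '/etc/ssh_banner'            || fails=$((fails + 1))
    check_kv "$sshd_config" PermitRootLogin 'no'                || fails=$((fails + 1))
    return $fails
}

# Constructed samples: login.defs with one permissive value and one key only present
# as a commented default; sshd_config with the banner set and root login still default.
LOGIN_DEFS=$(mktemp); SSHD_CONFIG=$(mktemp)
trap 'rm -f "$LOGIN_DEFS" "$SSHD_CONFIG"' EXIT
printf '%s\n' '# constructed' 'PASS_MAX_DAYS 90' 'PASS_MIN_DAYS 0' '#PASS_MIN_LEN 5' 'PASS_WARN_AGE 7' > "$LOGIN_DEFS"
printf '%s\n' '# constructed' 'Banner /etc/ssh_banner' '#PermitRootLogin yes' > "$SSHD_CONFIG"

audit "$LOGIN_DEFS" "$SSHD_CONFIG" && echo "baseline met" || echo "findings: $?"
```

On the constructed input this reports three findings: PASS_MIN_DAYS is still 0, PASS_MIN_LEN exists only as a commented default, and PermitRootLogin is not actively set.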