Linux系统三级等保整改脚本

国标2.0标准三级等保要求整改脚本
## 涉及的等保合规要求
>身份鉴别
访问控制
安全审计
入侵防范
恶意代码防范

### 具体整改项目

| 高 | 身份鉴别 | 检查是否设置口令生存周期                             |
|---|------|------------------------------------------|
| 高 | 身份鉴别 | 检查是否设置口令更改最小间隔天数                         |
| 高 | 身份鉴别 | 检查口令最小长度                                 |
| 高 | 访问控制 | 检查是否使用PAM认证模块禁止wheel组之外的用户su为root        |
| 高 | 身份鉴别 | 检查是否设置口令过期前警告天数                          |
| 高 | 资源控制 | 检查是否禁止root用户远程登录                         |
| 高 | 访问控制 | 配置cron、at的安全性                            |
| 高 | 访问控制 | 是否开启SELinux                              |
| 高 | 入侵防范 | 查看是否启用了主机防火墙、TCP SYN保护机制设置               |
| 中 | 访问控制 | 检查重要文件属性设置                               |
| 中 | 访问控制 | 检查用户umask设置                              |
| 中 | 身份鉴别 | 检查密码重复使用次数限制                             |
| 中 | 访问控制 | 检查重要目录或文件权限设置                            |
| 中 | 访问控制 | 检查系统openssh安全配置                          |
| 低 | 身份鉴别 | 检查是否设置ssh登录前警告Banner                     |
| 低 | 身份鉴别 | 检查是否配置远程日志功能                             |
| 低 | 身份鉴别 | 检查是否设置系统引导管理器密码                          |
| 低 | 身份鉴别 | 检查是否配置定时自动屏幕锁定（适用于具备图形界面的设备）             |
| 低 | 入侵防范 | 检查是否限制远程登录IP范围                           |
| 低 | 访问控制 | 检查别名文件/etc/aliases（或/etc/mail/aliases）配置 |
| 低 | 身份鉴别 | 检查账户认证失败次数限制                             |

## Linux系统层三级整改脚本(更新中)
```bash
#/bin/bash
#仅适用于CentOS7.x系列
#Update 2021.12.03 by Nathan

#操作记录日志文件
oplog=./oplog.log
#备份文件目录
oriDir=./oriDir
''

if [ ! -d $oriDir ];then mkdir $oriDir -p;fi
time="`date +%s`"
function copy {
	pathName=$(echo "$1"|cut -c 2-|sed 's!/!·!g')
	mkdir -p $oriDir/$time
	cp -frp $1 $oriDir/$time/$pathName >/dev/null 2>&1
}

function update {
	echo "[`date +%F\ %H:%M:%S`] [SUCCESS] Success to update item \`$1\` from \`$2\`" >> $oplog
}

function warn {
	echo "[`date +%F\ %H:%M:%S`] [WARN] $1" >> $oplog
}

function error {
	case $1 in 
		nofile)
			echo "[`date +%F\ %H:%M:%S`] [FAILED] Setting item \`$2\` to \`$3\` failed,because there is no \`$4\` file" >> $oplog
			;;
		noitem)
			echo "[`date +%F\ %H:%M:%S`] [FAILED] Setting item \`$2\` to \`$3\` failed,because there is no item in \`$4\` file" >> $oplog
			;;
		noset)
			echo "[`date +%F\ %H:%M:%S`] [FAILED] Setting value \`$2\` to \`$3\` failed,please check file about \`$4\` by manual" >> $oplog
			;;
		exists)
			echo "[`date +%F\ %H:%M:%S`] [WARN] Configuration item \`$2\` already exists by \`$3\` ,skip file \`$4\`" >> $oplog
			;;
	esac
}

function cmd {
    if [[ $1 == '' ]];then echo '';exit 0;fi
    resCmd=$(/usr/bin/whereis $1|awk '{print $2}')
    echo $resCmd
}

#高危修复
copy /etc/login.defs 
#检查口令生存周期//默认9999
if [ -f /etc/login.defs ];then
	res=$(sed -n "/^PASS_MAX_DAYS.*/p" /etc/login.defs)
	if [[ $res == '' ]];then 
		error noitem PASS_MAX_DAYS 90 /etc/login.defs
	else
		sed -i 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 90/g' /etc/login.defs
		update PASS_MAX_DAYS /etc/login.defs
	fi
else 
	error nofile PASS_MAX_DAYS 90 /etc/login.defs
fi

#检查口令更改最小间隔天数//默认0
if [ -f /etc/login.defs ];then
	res=$(sed -n "/^PASS_MIN_DAYS.*/p" /etc/login.defs)
	if [[ $res == '' ]];then 
		error noitem PASS_MIN_DAYS 2 /etc/login.defs
	else
		sed -i 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 2/g' /etc/login.defs
		update PASS_MIN_DAYS /etc/login.defs
	fi
else 
	error nofile PASS_MIN_DAYS 2 /etc/login.defs
fi

#检查口令最小长度//默认5
if [ -f /etc/login.defs ];then
	res=$(sed -n "/^PASS_MIN_LEN.*/p" /etc/login.defs)
	if [[ $res == '' ]];then 
		error noitem PASS_MIN_LEN 8 /etc/login.defs
	else
		sed -i 's/^PASS_MIN_LEN.*/PASS_MIN_LEN 8/g' /etc/login.defs
		update PASS_MIN_LEN /etc/login.defs
	fi
else 
	error nofile PASS_MIN_LEN 8 /etc/login.defs
fi

#检查口令过期前警告天数//默认7
if [ -f /etc/login.defs ];then
	res=$(sed -n "/^PASS_WARN_AGE.*/p" /etc/login.defs)
	if [[ $res == '' ]];then 
		error noitem PASS_WARN_AGE 30 /etc/login.defs
	else
		sed -i 's/^PASS_WARN_AGE.*/PASS_WARN_AGE 30/g' /etc/login.defs
		update PASS_WARN_AGE /etc/login.defs
	fi
else 
	error nofile PASS_WARN_AGE 30 /etc/login.defs
fi

copy /etc/ssh/sshd_config
#检查是否禁止root用户远程ssh登录
if [ -f /etc/ssh/sshd_config ];then
	res1=$(sed -n "/^PermitRootLogin.*/p" /etc/ssh/sshd_config)
	res2=$(sed -n "/^#PermitRootLogin.*/p" /etc/ssh/sshd_config)
	if [[ $res1 == '' ]] && [[ $res2 == '' ]];then 
		sed -i '38i\PermitRootLogin no' /etc/ssh/sshd_config
	elif [[ $res1 == '' ]] && [[ $res2 != '' ]];then
		sed -i 's/^#PermitRootLogin.*/PermitRootLogin no/g' /etc/ssh/sshd_config
	elif [[ $res1 != '' ]];then	
		sed -i 's/^#PermitRootLogin.*/PermitRootLogin no/g' /etc/ssh/sshd_config	
	fi
	update PermitRootLogin /etc/ssh/sshd_config	
	warn 'Please reload sshd service by manual,because value of `PermitRootLogin` is updated'
else 
	error nofile PermitRootLogin no /etc/ssh/sshd_config
fi

copy /etc/pam.d/su
#检查是否使用PAM认证模块禁止wheel组之外的用户su为root//默认无
if [ -f /etc/pam.d/su ];then
	res=$(cat /etc/pam.d/su|grep -B 1 'auth sufficient pam_rootok.so'|grep 'auth required pam_wheel.so group=wheel'|wc -l)
	if [[ $res == 0 ]]; then
		sed -i '2i\auth sufficient pam_rootok.so\nauth required pam_wheel.so group=wheel' /etc/pam.d/su
		update 'auth sufficient pam_rootok.so & auth required pam_wheel.so group=wheel' /etc/pam.d/su
		warn "Please add user to wheel group,cmd:\`usermod –G wheel username\`"
	else
		error exists 'auth sufficient pam_rootok.so & auth required pam_wheel.so group=wheel' 'add config' /etc/pam.d/su
	fi
else 
	error nofile 'add config' 'auth sufficient pam_rootok.so & auth required pam_wheel.so group=wheel' /etc/login.defs
fi

copy /etc/pam.d/login
#检查是否禁止root用户远程telnet登录//默认无
if [ -f /etc/pam.d/login ];then
	res=$(cat /etc/pam.d/login|grep 'auth required pam_securetty.so'|wc -l)
	if [[ $res == 0 ]]; then
		sed -i '2i\auth required pam_securetty.so' /etc/pam.d/login
		update 'auth required pam_securetty.so' /etc/pam.d/login
	else
		error exists 'auth required pam_securetty.so' 'add config' /etc/pam.d/login
	fi
else 
	error nofile 'add config' 'auth required pam_securetty.so' /etc/pam.d/login
fi

copy /etc/selinux/config
#检查SELinux是否开启//默认enforce
if [ -f /etc/selinux/config ];then
	res=$(sed -n "/^SELINUX=.*/p" /etc/selinux/config)
	if [[ $res == '' ]];then 
		error noitem SELINUX permissive /etc/selinux/config
	else
		sed -i 's/^SELINUX=.*/SELINUX=permissive/g' /etc/selinux/config
		update SELINUX /etc/selinux/config
		setenforce 0
	fi
else 
	error nofile SELINUX permissive /etc/selinux/config
fi

#检查防火墙状态
copy /etc/firewalld/zones/public.xml
if [[ "$( systemctl  is-active firewalld.service)" != 'active' ]]; then
	systemctl restart sshd
	sshPort=$(netstat -luntp|grep sshd|awk '{print $4}'|awk -F: '{print $NF}'|uniq)
	sed -i 's!</zone>!  <port protocol="tcp" port="$sshPort"/>\n</zone>!g' /etc/firewalld/zones/public.xml
	systemctl enable firewalld.service
	systemctl start firewalld.service
fi

#中危修复
#检查重要文件属性设置//默认无 
userFile='gshadow shadow passwd group'
for i in $userFile; do
	if [[ -f /etc/$i ]]; then
		copy /etc/$i
		`cmd chattr` +i /etc/$i
		res=$(`cmd lsattr` /etc/$i|awk -F\- '{print $5}')
		if [[ $res == 'i' ]]; then
			update i /etc/$i 
		else
			error noset chattr i /etc/$i
		fi
	else
		error nofile chattr i /etc/$i
	fi
done

#检查密码重复使用次数限制//默认无
copy /etc/pam.d/system-auth
if [ -f /etc/pam.d/system-auth ];then
		sed -i 's/$^password\s*sufficient\s*pam_unix.so.*use_authtok$$/\1 remember=5/g' /etc/pam.d/system-auth
		res=$(grep -E '^password\s*sufficient\s*pam_unix.so.*remember=5$' /etc/pam.d/system-auth|awk -F= '{print $NF}')
		if [[ $res == '5' ]]; then
			update 'remember=5' /etc/pam.d/system-auth
		else
			error noset sed remember=5 /etc/pam.d/system-auth
		fi
else 
	error nofile sed remember=5 /etc/pam.d/system-auth
fi

#检查重要目录或文件权限设置
p750File='/etc/rc.d/rc3.d /etc/rc.d/rc6.d /etc/rc.d/rc5.d /etc/rc.d/rc1.d /etc/rc.d/rc4.d /etc/rc.d/rc0.d /etc/rc.d/rc2.d /etc/rc.d/init.d'
#p600File='/etc/security /etc/default/grub /etc/shadow'
for i in $p750File; do
	if [[ -d $i ]]; then
		copy $i
		`cmd chmod` 750 $i
		res=$(`cmd ls` -dl $i|awk '{print $1}')
		if [[ $res == "drwxr-x---." ]] || [[ $res =~ "drwxr-x--t." ]]; then
			update chmod $i 
		else
			error noset chmod 750 $i
		fi
	else
		error nofile chmod 750 $i
	fi
done

#检查是否设置ssh登录前警告Banner//默认无
echo " Authorized only. All activity will be monitored and reported " > /etc/ssh_banner
chown bin:bin /etc/ssh_banner
chmod 644 /etc/ssh_banner
if [ -f /etc/ssh/sshd_config ];then
	res1=$(sed -n "/^Banner.*/p" /etc/ssh/sshd_config)
	res2=$(sed -n "/^#Banner.*/p" /etc/ssh/sshd_config)
	if [[ $res1 == '' ]] && [[ $res2 == '' ]];then 
		sed -i '123i\Banner /etc/ssh_banner' /etc/ssh/sshd_config
	elif [[ $res1 == '' ]] && [[ $res2 != '' ]];then
		sed -i 's!^#Banner.*!Banner /etc/ssh_banner!g' /etc/ssh/sshd_config
	elif [[ $res1 != '' ]];then	
		sed -i 's!^Banner.*!Banner /etc/ssh_banner!g' /etc/ssh/sshd_config	
	fi
	update Banner /etc/ssh/sshd_config	
	warn 'Please reload sshd service by manual,because value of `Banner` is updated'
else 
	error nofile PermitRootLogin no /etc/ssh/sshd_config
fi

#检查账户认证失败次数限制//默认无
copy /etc/pam.d/sshd
if [ -f /etc/pam.d/sshd ];then
	res=$(cat /etc/pam.d/sshd|grep 'auth required pam_tally2.so deny=5 unlock_time=300 no_lock_time'|wc -l)
	if [[ $res == 0 ]]; then
		sed -i '2i\auth required pam_tally2.so deny=5 unlock_time=300 no_lock_time' /etc/pam.d/sshd
		update 'auth required pam_tally2.so deny=5 unlock_time=300 no_lock_time' /etc/pam.d/sshd
	else
		error exists 'auth required pam_tally2.so deny=5 unlock_time=300 no_lock_time' 'add config' /etc/pam.d/sshd
	fi
else 
	error nofile 'add config' 'auth required pam_tally2.so deny=5 unlock_time=300 no_lock_time' /etc/pam.d/sshd
fi 
if [ -f /etc/pam.d/system-auth ];then
	res=$(cat /etc/pam.d/system-auth|grep 'auth required pam_tally2.so deny=5 unlock_time=300'|wc -l)
	if [[ $res == 0 ]]; then
		sed -i '2i\auth required pam_tally2.so deny=5 unlock_time=300' /etc/pam.d/system-auth
		update 'auth required pam_tally2.so deny=5 unlock_time=300' /etc/pam.d/system-auth
	else
		error exists 'auth required pam_tally2.so deny=5 unlock_time=300' 'add config' /etc/pam.d/system-auth
	fi
else 
	error nofile 'add config' 'auth required pam_tally2.so deny=5 unlock_time=300' /etc/pam.d/system-auth
fi

echo 'Please remember to create a normal user and add it as an administrator, 
otherwise you may not be able to login to the host again.

chattr -i /etc/passwd /etc/group /etc/gshadow /etc/shadow
	useradd username
	echo "password"|passwd --stdin username
	usermod -G wheel username
	chattr +i /etc/passwd /etc/group /etc/gshadow /etc/shadow
	'
#done
```