CentOS 7.x系统三级等保规范脚本
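## 操作方式

新建bash文件,复制脚本源码到文件,执行脚本

## 脚本源码

```bash
#!/bin/bash
# CentOS 7.x only -- level-3 MLPS (等保) baseline hardening.
# 2021.12.03 by Nathan
#
# Every change is appended to $oplog, and each file is backed up under
# $oriDir/<epoch>/ before it is modified.  Must run as root.
#
# Optional environment overrides:
#   SELINUX_MODE   enforcing|permissive|disabled (default: permissive)
#   SUDO_NOPASSWD  1 to grant wheel passwordless sudo (default: 1), 0 to skip

# Operation log
oplog=./oplog.log
# Backup directory for original files
oriDir=./oriDir
[[ -d "$oriDir" ]] || mkdir -p "$oriDir"
# One backup sub-directory per run
stamp=$(date +%s)

# Everything below edits /etc; without root each step would only log failures.
if [[ $EUID -ne 0 ]]; then
  echo 'This script must be run as root' >&2
  exit 1
fi

#######################################
# Back up a file or directory into $oriDir/$stamp.  The leading '/' is
# dropped and the remaining '/' become '·' so the copy has a flat name.
# Arguments: $1 - absolute path to back up
#######################################
copy() {
  local pathName
  pathName=$(echo "$1" | cut -c 2- | sed 's!/!·!g')
  mkdir -p "$oriDir/$stamp"
  cp -frp "$1" "$oriDir/$stamp/$pathName" >/dev/null 2>&1
}

#######################################
# Log a successful change.
# Arguments: $1 - item name, $2 - file that was changed
#######################################
update() {
  echo "[$(date '+%F %H:%M:%S')] [SUCCESS] Success to update item \`$1\` from \`$2\`" >> "$oplog"
}

#######################################
# Log a warning that needs operator follow-up.
# Arguments: $1 - message
#######################################
warn() {
  echo "[$(date '+%F %H:%M:%S')] [WARN] $1" >> "$oplog"
}

#######################################
# Log a failure or a skipped item.
# Arguments: $1 - reason: nofile | noitem | noset | exists
#            $2, $3, $4 - item, value and file (order as in the messages)
#######################################
error() {
  local ts
  ts=$(date '+%F %H:%M:%S')
  case "$1" in
    nofile) echo "[$ts] [FAILED] Setting item \`$2\` to \`$3\` failed,because there is no \`$4\` file" >> "$oplog" ;;
    noitem) echo "[$ts] [FAILED] Setting item \`$2\` to \`$3\` failed,because there is no item in \`$4\` file" >> "$oplog" ;;
    noset)  echo "[$ts] [FAILED] Setting value \`$2\` to \`$3\` failed,please check file about \`$4\` by manual" >> "$oplog" ;;
    exists) echo "[$ts] [WARN] Configuration item \`$2\` already exists by \`$3\` ,skip file \`$4\`" >> "$oplog" ;;
  esac
}

#######################################
# Resolve a command name to its path.
# Arguments: $1 - command name
# Outputs:   the path, or an empty line when $1 is empty or not found
#######################################
cmd() {
  local resCmd
  if [[ -z "$1" ]]; then
    echo ''
    return 0
  fi
  # command -v is more reliable than parsing whereis output (which can
  # return a man page path when no binary is installed)
  resCmd=$(command -v "$1" 2>/dev/null)
  echo "$resCmd"
}

#######################################
# Set "KEY value" in /etc/login.defs.  Only an existing active line is
# replaced; a missing key is logged as noitem, as in the original script.
# Arguments: $1 - key, $2 - value
#######################################
set_login_def() {
  local key=$1 value=$2 file=/etc/login.defs
  if [[ ! -f "$file" ]]; then
    error nofile "$key" "$value" "$file"
    return
  fi
  if grep -q "^$key" "$file"; then
    sed -i "s/^$key.*/$key $value/g" "$file"
    update "$key" "$file"
  else
    error noitem "$key" "$value" "$file"
  fi
}

#######################################
# Set an sshd_config directive: replace an active line, activate a
# commented one, or insert it at line 1 when absent.  Line 1 is used
# instead of a fixed line number so the directive always lands before any
# "Match" block, where it would otherwise apply only to that block.
# The result is validated with `sshd -t` when sshd is available.
# Arguments: $1 - directive, $2 - value
#######################################
set_sshd_option() {
  local key=$1 value=$2 file=/etc/ssh/sshd_config
  if [[ ! -f "$file" ]]; then
    error nofile "$key" "$value" "$file"
    return
  fi
  if grep -q "^$key" "$file"; then
    sed -i "s!^$key.*!$key $value!g" "$file"
  elif grep -q "^#$key" "$file"; then
    sed -i "s!^#$key.*!$key $value!g" "$file"
  else
    sed -i "1i\\$key $value" "$file"
  fi
  if command -v sshd >/dev/null 2>&1 && ! sshd -t >/dev/null 2>&1; then
    # do not claim success for a config sshd itself rejects
    error noset "$key" "$value" "$file"
    return
  fi
  update "$key" "$file"
  warn "Please reload sshd service by manual,because value of \`$key\` is updated"
}

#######################################
# Add a line at line 2 of a pam.d file unless it is already present.
# Arguments: $1 - file
#            $2 - exact line to add
#            $3 - optional extended regex used to detect an equivalent
#                 existing line (default: fixed-string match of $2)
#######################################
add_pam_line() {
  local file=$1 line=$2 detect=${3:-}
  local present=1
  if [[ ! -f "$file" ]]; then
    error nofile 'add config' "$line" "$file"
    return
  fi
  if [[ -n "$detect" ]]; then
    grep -Eq -- "$detect" "$file" && present=0
  else
    grep -Fq -- "$line" "$file" && present=0
  fi
  if (( present == 0 )); then
    error exists "$line" 'add config' "$file"
  else
    sed -i "2i\\$line" "$file"
    update "$line" "$file"
  fi
}

# ---------------------------------------------------------------------------
# High-risk fixes
# ---------------------------------------------------------------------------
copy /etc/login.defs
set_login_def PASS_MAX_DAYS 90   # password lifetime (default 9999)
set_login_def PASS_MIN_DAYS 2    # minimum days between changes (default 0)
set_login_def PASS_MIN_LEN 8     # minimum length (default 5)
set_login_def PASS_WARN_AGE 30   # warning days before expiry (default 7)

copy /etc/ssh/sshd_config
# Disable remote root login over ssh
set_sshd_option PermitRootLogin no

copy /etc/pam.d/su
# Only members of wheel may su to root (default: not enforced).
# The check looks for an active pam_wheel line so a re-run does not insert
# the pair again, and an existing pam_rootok line is reused rather than
# duplicated.
if [[ -f /etc/pam.d/su ]]; then
  if grep -Eq '^auth\s+required\s+pam_wheel.so' /etc/pam.d/su; then
    error exists 'auth sufficient pam_rootok.so & auth required pam_wheel.so group=wheel' 'add config' /etc/pam.d/su
  else
    if grep -Eq '^auth\s+sufficient\s+pam_rootok.so' /etc/pam.d/su; then
      sed -i '/^auth\s\+sufficient\s\+pam_rootok.so/a auth required pam_wheel.so group=wheel' /etc/pam.d/su
    else
      sed -i '2i\auth sufficient pam_rootok.so\nauth required pam_wheel.so group=wheel' /etc/pam.d/su
    fi
    update 'auth sufficient pam_rootok.so & auth required pam_wheel.so group=wheel' /etc/pam.d/su
    # -aG appends wheel; plain -G would drop the user's other groups
    warn "Please add user to wheel group,cmd:\`usermod -aG wheel username\`"
  fi
else
  error nofile 'add config' 'auth sufficient pam_rootok.so & auth required pam_wheel.so group=wheel' /etc/pam.d/su
fi

copy /etc/pam.d/login
# Deny root on insecure ttys (telnet) via pam_securetty (default: none).
# Any active auth line that loads pam_securetty.so counts as present, so the
# stock CentOS 7 line with a bracketed control value is not duplicated.
add_pam_line /etc/pam.d/login 'auth required pam_securetty.so' '^auth\s.*pam_securetty.so'

copy /etc/selinux/config
# SELinux mode (default in the original script: permissive, i.e. policy is
# logged but NOT enforced).  Set SELINUX_MODE=enforcing to keep enforcement.
selinuxMode=${SELINUX_MODE:-permissive}
if [[ "$selinuxMode" != enforcing && "$selinuxMode" != permissive && "$selinuxMode" != disabled ]]; then
  error noset SELINUX "$selinuxMode" /etc/selinux/config
elif [[ -f /etc/selinux/config ]]; then
  if grep -q '^SELINUX=' /etc/selinux/config; then
    sed -i "s/^SELINUX=.*/SELINUX=$selinuxMode/g" /etc/selinux/config
    update SELINUX /etc/selinux/config
    # runtime switch; "disabled" can only take effect after a reboot
    if [[ "$selinuxMode" == enforcing ]]; then
      setenforce 1
    else
      setenforce 0
    fi
  else
    error noitem SELINUX "$selinuxMode" /etc/selinux/config
  fi
else
  error nofile SELINUX "$selinuxMode" /etc/selinux/config
fi

# Firewall: when firewalld is inactive, open every port sshd listens on in
# the public zone and enable the service; starting it is left to the operator.
copy /etc/firewalld/zones/public.xml
if [[ "$(systemctl is-active firewalld.service)" != 'active' ]]; then
  systemctl restart sshd
  # ss is always present on CentOS 7; net-tools (netstat) may not be.
  # One port per line, de-duplicated across IPv4/IPv6 listeners.
  if command -v ss >/dev/null 2>&1; then
    sshPorts=$(ss -lntp 2>/dev/null | awk '/sshd/ {print $4}' | awk -F: '{print $NF}' | sort -u)
  else
    sshPorts=$(netstat -lntp 2>/dev/null | grep sshd | awk '{print $4}' | awk -F: '{print $NF}' | sort -u)
  fi
  if [[ -z "$sshPorts" ]]; then
    warn 'Could not detect the sshd listening port; check the public zone before starting firewalld'
  fi
  if [[ -f /etc/firewalld/zones/public.xml ]]; then
    for sshPort in $sshPorts; do
      # skip ports already listed so a re-run does not duplicate the entry
      if ! grep -q "port=\"$sshPort\"" /etc/firewalld/zones/public.xml; then
        sed -i "s!</zone>! <port protocol=\"tcp\" port=\"$sshPort\"/>\n</zone>!g" /etc/firewalld/zones/public.xml
      fi
    done
  else
    error nofile firewalld "$sshPorts" /etc/firewalld/zones/public.xml
  fi
  systemctl enable firewalld.service
  echo '
  The firewall has been configured, but not started, please start manually:
    systemctl start firewalld.service
  WARNING: Please release all business ports before starting!!!'
fi

# ---------------------------------------------------------------------------
# Medium-risk fixes
# ---------------------------------------------------------------------------
# Immutable attribute on the account files (default: not set).
# NOTE: while +i is set, useradd/usermod/passwd fail -- see the reminder
# printed at the end of the script.
chattrCmd=$(cmd chattr)
lsattrCmd=$(cmd lsattr)
for i in gshadow shadow passwd group; do
  if [[ ! -f "/etc/$i" ]]; then
    error nofile chattr i "/etc/$i"
  elif [[ -z "$chattrCmd" || -z "$lsattrCmd" ]]; then
    error noset chattr i "/etc/$i"
  else
    copy "/etc/$i"
    "$chattrCmd" +i "/etc/$i"
    # first lsattr field is the flag string, e.g. ----i--------e--
    res=$("$lsattrCmd" "/etc/$i" | awk '{print $1}')
    if [[ "$res" == *i* ]]; then
      update i "/etc/$i"
    else
      error noset chattr i "/etc/$i"
    fi
  fi
done

# Password history (remember=5) on the pam_unix password line (default: none).
# NOTE(review): on CentOS 7 system-auth is a symlink to system-auth-ac;
# `sed -i` replaces the symlink with a regular file, so authconfig no longer
# manages it afterwards -- confirm this is the intended outcome.
copy /etc/pam.d/system-auth
if [[ -f /etc/pam.d/system-auth ]]; then
  sed -i 's/\(^password\s*sufficient\s*pam_unix.so.*use_authtok$\)/\1 remember=5/g' /etc/pam.d/system-auth
  res=$(grep -E '^password\s*sufficient\s*pam_unix.so.*remember=5$' /etc/pam.d/system-auth | awk -F= '{print $NF}')
  if [[ "$res" == '5' ]]; then
    update 'remember=5' /etc/pam.d/system-auth
  else
    error noset sed remember=5 /etc/pam.d/system-auth
  fi
else
  error nofile sed remember=5 /etc/pam.d/system-auth
fi

# Mode 750 on the rc/init directories.  Verified with stat so the check is
# independent of the SELinux '.' / ACL '+' suffix in `ls -l` output.
p750File='/etc/rc.d/rc3.d /etc/rc.d/rc6.d /etc/rc.d/rc5.d /etc/rc.d/rc1.d /etc/rc.d/rc4.d /etc/rc.d/rc0.d /etc/rc.d/rc2.d /etc/rc.d/init.d'
#p600File='/etc/security /etc/default/grub /etc/shadow'
for i in $p750File; do
  if [[ -d "$i" ]]; then
    copy "$i"
    chmod 750 "$i"
    res=$(stat -c '%a' "$i")
    if [[ "$res" == '750' ]]; then
      update chmod "$i"
    else
      error noset chmod 750 "$i"
    fi
  else
    error nofile chmod 750 "$i"
  fi
done

# Pre-login ssh warning banner (default: none).  Owned by root so that no
# unprivileged service account can change what is shown before login.
cat > /etc/ssh_banner <<'EOF'
 Authorized only.
 All activity will be monitored and reported
EOF
chown root:root /etc/ssh_banner
chmod 644 /etc/ssh_banner
set_sshd_option Banner /etc/ssh_banner

# Lock an account after 5 failed logins for 300 s (default: none).
# NOTE(review): an `account required pam_tally2.so` line is commonly paired
# with these auth lines -- confirm against the pam_tally2 man page.
copy /etc/pam.d/sshd
add_pam_line /etc/pam.d/sshd 'auth required pam_tally2.so deny=5 unlock_time=300 no_lock_time'
add_pam_line /etc/pam.d/system-auth 'auth required pam_tally2.so deny=5 unlock_time=300'

# Passwordless sudo for wheel (default: password required).
# This is NOT an MLPS requirement -- it is a convenience setting, and it
# removes a control: any wheel account that is taken over becomes root with
# no further authentication.  Set SUDO_NOPASSWD=0 to skip it.
if [[ "${SUDO_NOPASSWD:-1}" == 1 ]]; then
  if [[ -f /etc/sudoers ]]; then
    copy /etc/sudoers
    if grep -Eq '^%wheel.*NOPASSWD.*ALL' /etc/sudoers; then
      error exists wheel 'NOPASSWD: ALL' /etc/sudoers
    elif grep -q '^%wheel.*ALL=(ALL).*ALL$' /etc/sudoers; then
      sed -i 's/^%wheel.*ALL=(ALL).*ALL$/%wheel ALL=(ALL) NOPASSWD: ALL/g' /etc/sudoers
      # a syntactically broken sudoers locks every wheel user out of sudo:
      # validate with visudo and restore the backup taken above on failure
      if visudo -cf /etc/sudoers >/dev/null 2>&1 && grep -Eq '^%wheel.*NOPASSWD.*ALL' /etc/sudoers; then
        update '%wheel ALL=(ALL) NOPASSWD: ALL' /etc/sudoers
      else
        cp -fp "$oriDir/$stamp/etc·sudoers" /etc/sudoers
        error noset 'modify' '%wheel ALL=(ALL) NOPASSWD: ALL' /etc/sudoers
      fi
    else
      error noitem 'modify' '%wheel ALL=(ALL) NOPASSWD: ALL' /etc/sudoers
    fi
  else
    error nofile 'modify' '%wheel ALL=(ALL) NOPASSWD: ALL' /etc/sudoers
  fi
fi

echo 'Please remember to create a normal user and add it as an administrator, otherwise you may not be able to login to the host again.
  chattr -i /etc/passwd /etc/group /etc/gshadow /etc/shadow
  useradd username
  echo "password"|passwd --stdin username
  usermod -aG wheel username
  chattr +i /etc/passwd /etc/group /etc/gshadow /etc/shadow
'
#done
```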
Nathan
Jan. 20, 2022, 11:41 a.m.