Linux系统安全基线加固脚本security-baseline.sh

参考:
Linux系统安全加固脚本linux安全加固脚本河 静的博客-CSDN博客
新增了两条检查项,并更新部分内容

脚本

security-baseline.sh 内容如下:

#!/bin/bash

#
#***********************************************************************
#FileName:security-baseline.sh
#Installation:Mini
#SystemOS(适用os): 1.Kylin Linux Advanced Server release V10 (SP2) /(Sword)-x86_64-Build09/20210524
#                  2.
#Function:
#          1.修改已经存在的账户的密码过期时间
#          2.修改用户命令提示符
#          3.关闭selinux
#          4.关闭防火墙,NetworkManager,iptables等服务
#          5.设置口令失效提示
#          6.禁止root远程登陆
#          7.设置登陆失败账户锁定策略
#          8.设置密码复杂度
#          9.设置口令生存周期
#          10.设置口令重复使用次数
#          11.删除或锁定无关账号
#          12.禁止root远程telnet登录
#          13.设置ssh登录策略
#          14.设置用户所需最小权限
#          15.检查别名文件配置
#          16.启用cron行为日志功能
#          17.禁止ICMP重定向
#          18.关闭IP转发
#          19.设置登录超时策略
#          20.设置历史记录输出条数
#          21.修改SNMP服务默认团体字
#          22.设置ssh登陆前警告
#          23.禁止不必要的系统账号ftp登录
#          24.限制ftp用户权限
#          25.禁止匿名ftp登录
#          26.检查是否限制用户su到root[可选]
#          27.检查是否设置文件与目录缺省权限

#***********************************************************************
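# /etc/init.d/functions provides the distribution's SysV init helper
# functions; nothing below uses them, and a systemd-only host may not ship
# the file, so source it only when it is readable instead of printing an
# error at startup.
if [[ -r /etc/init.d/functions ]]; then
        . /etc/init.d/functions
fi

# Severity labels printed by prt_msg in front of each check.
readonly Optional="Optional"
readonly Mandatory="Mandatory"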
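#######################################
# Insert a line into a file immediately before the first line that contains
# the whole word TYPE.
# Arguments: $1 - file to edit in place
#            $2 - word to look for (grep -w semantics)
#            $3 - text of the line to insert
# Returns:   0 on success, 1 if the file is unreadable, TYPE is not found,
#            or the temporary file cannot be created
#######################################
insert() {
        local file=$1
        local type=$2
        local msg=$3
        local line_num tmp rc

        [[ -r "$file" ]] || return 1
        # Number of the first matching line. Fail when the word is absent:
        # the old code then computed "-1" and handed that to sed as an address.
        line_num=$(grep -n -w -m1 -- "$type" "$file" | cut -d: -f1)
        [[ -n "$line_num" ]] || return 1

        # Splice with head/printf/tail instead of "sed Na": the message is
        # written verbatim, so slashes or backslashes in it are never parsed
        # as sed syntax, and a match on line 1 works (sed rejects address 0).
        tmp=$(mktemp) || return 1
        {
                head -n "$((line_num - 1))" "$file"
                printf '%s\n' "$msg"
                tail -n +"$line_num" "$file"
        } > "$tmp" && cat -- "$tmp" > "$file"
        rc=$?
        rm -f -- "$tmp"
        return "$rc"
}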

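#######################################
# Copy a config file to a timestamped ".bak" sibling before it is modified
# and record the backup path in a list file.
# Globals:   BAKFILE_LIST (read, optional) - file the backup paths are
#            appended to; defaults to /tmp/bakfile as in the original script
# Arguments: $1 - absolute path of the config file
# Returns:   0 when a backup was made, 1 when the file does not exist or the
#            copy failed (callers treat this as best-effort)
#######################################
backup_cfgfile() {
        local cfgfile=$1
        local bakfile listfile
        listfile=${BAKFILE_LIST:-/tmp/bakfile}

        [[ -e "$cfgfile" ]] || return 1
        bakfile=$cfgfile.bak.$(date +"%Y_%m_%d-%H:%M:%S")
        # -p keeps the original mode/owner so a backup of a sensitive file
        # (e.g. /etc/shadow) is not created with a looser umask-derived mode.
        /bin/cp -pf -- "$cfgfile" "$bakfile" || return 1
        # NOTE(review): /tmp/bakfile is a fixed path in a world-writable
        # directory that this root-run script appends to; point BAKFILE_LIST
        # at a root-owned location when that matters.
        printf '%s\n' "$bakfile" >> "$listfile"
}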

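#######################################
# Print the "[LEVEL] message" prefix of a check line, without a newline, so
# the caller can finish it with "OK!" / "Failed".
# Arguments: $1 - severity label (Optional/Mandatory)
#            $2 - description of the check
# Outputs:   fixed-width prefix on stdout
#######################################
prt_msg() {
        local level=$1
        local msg=$2
        # Both operands quoted: an unquoted $level would be split into
        # several printf arguments and misalign the columns.
        printf "[%-10s] %-50s " "$level" "$msg"
}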

function get_release {
        egrep -q "VERSION_ID" /etc/os-release | awk -F'"' '{print $2}'

}
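#######################################
# Enable, disable, start, stop or restart a service with whichever service
# manager the host provides.
# Arguments: $1 - operation (enable|disable|start|stop|restart|...)
#            $2 - service name
# Returns:   status of the underlying command; 0 when no unit or init script
#            exists for the service (nothing to do)
#######################################
svc_ctl() {
        local op=$1
        local svcname=$2
        local version unit
        version=$(get_release)

        # Prefer systemd whenever it is present: get_release yields values
        # such as "V10" on Kylin, which matched neither "6.*" nor "7.*" in the
        # old case statement, so no service was ever restarted there.
        if command -v systemctl >/dev/null 2>&1 && [[ "$version" != 6.* ]]; then
                for unit in "/usr/lib/systemd/system/$svcname.service" \
                            "/etc/systemd/system/$svcname.service"; do
                        if [[ -e "$unit" ]]; then
                                systemctl "$op" "$svcname"
                                return $?
                        fi
                done
                return 0
        fi

        # SysV fallback. The old test used "/etc/rd.d/..." (typo) and passed a
        # stray "on" word to test, so this branch never ran either.
        [[ -e "/etc/rc.d/init.d/$svcname" ]] || return 0
        case "$op" in
                enable)  chkconfig "$svcname" on ;;
                disable) chkconfig "$svcname" off ;;
                *)       service "$svcname" "$op" ;;
        esac
}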

#修改已经存在的账户的密码过期时间
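kylin_sec_change_account_expiretime() {
        # (Mandatory) Set the minimum/maximum password age to 2/180 days for
        # every existing account with a bash or sh login shell, except root.
        local cfgfile=/etc/passwd
        local -r min_days=2
        local -r max_days=180
        local -a names=()
        local user

        # Select on the shell field only; the old "grep -wE 'bash|sh'" matched
        # those words anywhere on the line (e.g. inside a GECOS comment).
        mapfile -t names < <(awk -F: '$1 != "root" && $7 ~ /\/(ba)?sh$/ {print $1}' "$cfgfile")
        prt_msg "$Mandatory" "Check exist account and change expire time for password..."
        if (( ${#names[@]} == 0 )); then
                printf "Do not exist account,OK\n"
                return 0
        fi
        for user in "${names[@]}"; do
                # Silence both streams; the old "2>&1 > /dev/null" order only
                # silenced stdout and sent passwd's errors to the terminal.
                passwd -n "$min_days" -x "$max_days" "$user" >/dev/null 2>&1
        done
        printf "OK!\n"
}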
#修改用户命令提示符
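kylin_sec_login_prompt() {
        # Set a standard command prompt and a timestamped, user-tagged history
        # format for all users via /etc/profile, then apply the same values to
        # the current process.
        # Arguments: $1 - profile file to edit (optional; default /etc/profile)
        local cfgfile=${1:-/etc/profile}

        # Look for an actual assignment rather than any mention of "PS1": a
        # comment such as "# PS1 is set in bashrc" satisfied the old check and
        # nothing was written.
        if ! grep -Eq '^[[:space:]]*(export[[:space:]]+)?PS1=' "$cfgfile"; then
                echo 'export PS1="[\u@\h \w]\\$"' >> "$cfgfile"
        fi
        export PS1='[\u@\h \w]\\$'

        if ! grep -Eq '^[[:space:]]*(export[[:space:]]+)?HISTTIMEFORMAT=' "$cfgfile"; then
                # The backticks are written literally on purpose: the whoami
                # substitution must run when the profile is sourced by each
                # user, not once now.
                echo 'export HISTTIMEFORMAT="%F %T `whoami` "' >> "$cfgfile"
        fi
        export HISTTIMEFORMAT="%F %T $(whoami)"
        # The old code re-sourced the whole profile after each append; the
        # two exports above already give this process the same values without
        # re-running every other profile snippet as a side effect.
}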

#关闭selinux
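kylin_sec_disable_selinux() {
        # (Mandatory in this baseline) Set SELINUX=disabled for the next boot
        # and switch to permissive mode now. This removes a mandatory access
        # control layer; it is done because the baseline requires it.
        # Arguments: $1 - selinux config path (optional; default
        #                 /etc/sysconfig/selinux)
        local cfgfile=${1:-/etc/sysconfig/selinux}
        local target

        prt_msg "$Mandatory" "Checking selinux status for disables..."
        # /etc/sysconfig/selinux is normally a symlink; "sed -i" on the link
        # replaces it with a regular file and leaves the real config untouched
        # (so SELinux came back enforcing after reboot). Follow the link chain
        # and edit the final target instead.
        while [[ -L "$cfgfile" ]]; do
                target=$(readlink -- "$cfgfile") || break
                [[ "$target" == /* ]] || target=${cfgfile%/*}/$target
                cfgfile=$target
        done
        if [[ -e "$cfgfile" ]]; then
                # Anchored so SELINUXTYPE= and comment lines are not rewritten.
                sed -i 's/^SELINUX=.*/SELINUX=disabled/' "$cfgfile"
        fi
        # The old line was "setenforce 0 & >/dev/null": it backgrounded the
        # command and the redirection applied to nothing.
        if command -v setenforce >/dev/null 2>&1; then
                setenforce 0 >/dev/null 2>&1
        fi
        printf "OK!\n"
}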

#关闭防火墙,NetworkManager,iptables等服务
#关闭NetworkManager,使用network接管网络
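kylin_sec_disable_unused_services() {
        # Stop and disable the host firewall (firewalld/iptables) and
        # NetworkManager; the baseline expects the legacy "network" service to
        # manage interfaces. NOTE(review): this removes the host-level packet
        # filter, so make sure an upstream filter is in place before running
        # it on an exposed host.
        local svc

        # Probe for the service manager instead of parsing characters 2-3 of
        # VERSION_ID: "[ $version -eq 10 ]" broke on any non-integer value
        # and the function returned early on a one-character version.
        if command -v systemctl >/dev/null 2>&1; then
                for svc in firewalld NetworkManager; do
                        systemctl disable "$svc" >/dev/null 2>&1
                        systemctl stop "$svc" >/dev/null 2>&1
                done
                if command -v iptables >/dev/null 2>&1; then
                        iptables -F
                fi
        else
                # The old code called "services", a command that does not exist.
                for svc in iptables NetworkManager ksm ksmtuned; do
                        chkconfig "$svc" off >/dev/null 2>&1
                        service "$svc" stop >/dev/null 2>&1
                done
        fi
}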

#设置口令失效提示
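kylin_sec_pass_warn_age() {
        # (Optional) Warn users 7 days before their password expires by
        # setting PASS_WARN_AGE in login.defs.
        # Arguments: $1 - login.defs path (optional; default /etc/login.defs)
        local cfgfile=${1:-/etc/login.defs}
        local -r warn_days=7

        prt_msg "$Optional" "Checking PASS_WARN_AGE $warn_days..."
        # Anchor the value: the old pattern "PASS_WARN_AGE[ ]*.7" also
        # accepted 17, 27, 77, ... as compliant.
        if grep -Eq "^[[:space:]]*PASS_WARN_AGE[[:space:]]+$warn_days([[:space:]]|$)" "$cfgfile"; then
                printf "OK!\n"
                return 0
        fi
        printf "Failed\n"
        printf "Fixing PASS_WARN_AGE in %s\n" "$cfgfile"
        backup_cfgfile "$cfgfile"
        if grep -Eq '^[[:space:]]*PASS_WARN_AGE[[:space:]]' "$cfgfile"; then
                # Rewrite the existing active setting instead of appending a
                # second, conflicting line.
                sed -i -e "s/^[[:space:]]*PASS_WARN_AGE[[:space:]].*/PASS_WARN_AGE $warn_days/" "$cfgfile"
        else
                echo "PASS_WARN_AGE $warn_days" >> "$cfgfile"
        fi
}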

#禁止root远程登陆
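kylin_sec_disable_ssh_rootlogin() {
        # (Mandatory) Forbid direct root login over ssh: make sure sshd_config
        # carries an active "PermitRootLogin no" and restart sshd.
        # Afterwards root login fails with "Not on system console"-style
        # rejection; administrators log in as a normal user and su to root.
        # Arguments: $1 - sshd_config path (optional; default /etc/ssh/sshd_config)
        local cfgfile=${1:-/etc/ssh/sshd_config}
        local -r chkexpr='^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)'
        local tmp

        prt_msg "$Mandatory" "Checking 'PermitRootLogin no'..."
        # Match only an active directive: the old "egrep -v '#'" dropped every
        # line containing '#' and the unanchored pattern matched comments.
        if grep -Eq "$chkexpr" "$cfgfile"; then
                printf "OK!\n"
                return 0
        fi
        printf "Need to change\n"
        printf "Fixing PermitRootLogin to no...\n"
        backup_cfgfile "$cfgfile"
        if grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]' "$cfgfile"; then
                sed -i -e 's/^[[:space:]]*PermitRootLogin[[:space:]].*/PermitRootLogin no/' "$cfgfile"
        else
                # The old sed only rewrote an existing active line; with the
                # stock "#PermitRootLogin yes" nothing changed and sshd was
                # restarted as-is. Prepend rather than append: a directive
                # placed after a "Match" block would apply to that block only.
                tmp=$(mktemp) || return 1
                { echo "PermitRootLogin no"; cat -- "$cfgfile"; } > "$tmp" && cat -- "$tmp" > "$cfgfile"
                rm -f -- "$tmp"
        fi
        svc_ctl restart sshd
}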

#设置登陆失败账户锁定策略
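kylin_sec_account_locking_policy() {
        # (Mandatory) Lock an account for 60 s after 3 failed logins, local or
        # remote, root included. This Kylin 0524 build tracks CentOS 8, where
        # pam_faillock.so replaced pam_tally2.so; the default install already
        # locks local logins after 3 failures for 60 s (root included), and
        # this function applies the same policy to password-auth and sshd.
        local cfgfile_auth=/etc/pam.d/system-auth
        local cfgfile_sshd=/etc/pam.d/sshd
        local cfgfile_pass=/etc/pam.d/password-auth
        local -r faillock_opts="audit deny=3 even_deny_root unlock_time=60"
        local -r chk_re='^auth[ ]*.*unlock_time=60|^account[ ]*required[ ]*pam_faillock.so'

        prt_msg "$Mandatory" "Checking local account locking policy..."
        if grep -v '^[[:space:]]*#' "$cfgfile_auth" | grep -Eq "$chk_re"; then
                printf "OK!\n"
        else
                printf "Need to change\n"
                printf "Fixing account locking policy...\n"
                backup_cfgfile "$cfgfile_auth"
                sed -i -e "/^auth[ ]*required[ ]*pam_env.so/a auth        required      pam_faillock.so preauth $faillock_opts" "$cfgfile_auth"
                sed -i -e "/^-auth[ ]*sufficient[ ]*pam_sss.so use_first_pass/a auth        [default=die] pam_faillock.so authfail $faillock_opts" "$cfgfile_auth"
                sed -i -e "/^auth[ ]*\[default=die\][ ]*.*/a auth        sufficient    pam_faillock.so authsucc $faillock_opts" "$cfgfile_auth"
                # The old command had no file operand, so this account rule
                # was never written.
                sed -i -e "/^auth[ ]*required[ ]*pam_unix.so/a account     required      pam_faillock.so" "$cfgfile_auth"
        fi

        prt_msg "$Mandatory" "Checking password account locking policy..."
        if grep -v '^[[:space:]]*#' "$cfgfile_pass" | grep -Eq "$chk_re"'|account[ ]*required[ ]*pam_unix.so$'; then
                printf "OK!\n"
        else
                printf "Need to change\n"
                printf "Fixing password auth pam policy...\n"
                backup_cfgfile "$cfgfile_pass"
                sed -i -e "/^auth[ ]*required[ ]*pam_env.so/a auth        required      pam_faillock.so preauth $faillock_opts" "$cfgfile_pass"
                sed -i -e "/^-auth[ ]*sufficient[ ]*pam_sss.so use_first_pass/a auth        [default=die] pam_faillock.so authfail $faillock_opts" "$cfgfile_pass"
                sed -i -e "/^auth[ ]*\[default=die\][ ]*.*/a auth        sufficient    pam_faillock.so authsucc $faillock_opts" "$cfgfile_pass"
                sed -i -e "/^auth[ ]*required[ ]*pam_deny.so/a account     required      pam_unix.so" "$cfgfile_pass"
        fi

        prt_msg "$Mandatory" "Checking ssh account locking policy..."
        if grep -v '^[[:space:]]*#' "$cfgfile_sshd" | grep -Eq "pam_tally2.so[ ]*deny=3.*unlock_time=60"; then
                printf "OK!\n"
        elif ! compgen -G "/lib*/security/pam_tally2.so" >/dev/null && \
             ! compgen -G "/usr/lib*/security/pam_tally2.so" >/dev/null; then
                # A "required" line for a module that is not installed makes
                # every ssh login fail. sshd's stack normally pulls in
                # password-auth ("auth substack password-auth"), so the
                # faillock rules written above already cover ssh.
                # NOTE(review): confirm that include on the target build.
                printf "pam_tally2.so not available, skipped (covered by pam_faillock)\n"
        else
                printf "Need to change\n"
                printf "Fixing sshd auth pam policy...\n"
                backup_cfgfile "$cfgfile_sshd"
                # unlock_time=60 appeared twice on the old line.
                sed -i -e "/^#%PAM-1.0/a auth   required        pam_tally2.so deny=3 unlock_time=60 even_deny_root" "$cfgfile_sshd"
        fi
}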

#设置密码复杂度
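kylin_sec_passwd_complexity() {
        # (Mandatory here, "option" in the baseline) Enforce password
        # complexity in system-auth. A credit of -1 means at least one
        # character of that class, -2 at least two, and so on:
        #   minlen=8    minimum length 8
        #   difok=5     at least 5 characters must differ from the old password
        #   dcredit=-1  at least one digit
        #   lcredit=-1  at least one lowercase letter
        #   ucredit=-1  at least one uppercase letter
        #   ocredit=-1  at least one special character
        #   retry=1     report the error after one failed attempt
        #   type=       prompt text
        #   try_first_pass  reuse the password already entered for a previous
        #               module in the stack
        local cfgfile=/etc/pam.d/system-auth
        local -r opts="minlen=8 difok=5 dcredit=-1 lcredit=-1 ucredit=-1 ocredit=-1 retry=1"

        prt_msg "$Mandatory" "Checking password complexity..."
        if grep -v '^[[:space:]]*#' "$cfgfile" | grep -E "pam_cracklib.so|pam_pwquality.so" | grep -q "minlen"; then
                printf "OK!\n"
                return 0
        fi
        printf "Need to change\n"
        printf "Fixing password complexity...\n"
        backup_cfgfile "$cfgfile"
        if compgen -G "/lib*/security/pam_cracklib.so" >/dev/null || \
           compgen -G "/usr/lib*/security/pam_cracklib.so" >/dev/null; then
                # Original approach: comment out pam_pwquality and add a
                # pam_cracklib line. ucredit=-1 was documented but missing
                # from the inserted line.
                sed -i -e "s|password[ ]*requisite[ ]*pam_pwquality.*only|#password    requisite     pam_pwquality.so try_first_pass local_users_only|" "$cfgfile"
                sed -i -e "/.*pam_pwquality.so.*/a password    requisite     pam_cracklib.so try_first_pass $opts type= " "$cfgfile"
        else
                # pam_cracklib is typically not shipped on CentOS-8-class
                # systems (this Kylin build tracks CentOS 8); a "requisite"
                # line for a missing module would block every password change.
                # pam_pwquality accepts the same option names, so add them to
                # its line instead.
                sed -i -e "/^password[ ]*requisite[ ]*pam_pwquality.so/ s|\$| $opts|" "$cfgfile"
        fi
}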

#设置口令生存周期
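kylin_sec_pass_max_days() {
        # (Mandatory) Password lifetime policy in login.defs:
        #   PASS_MAX_DAYS  maximum age in days (90)
        #   PASS_MIN_LEN   minimum length (8)
        #   PASS_MIN_DAYS  minimum age in days (2)
        # Arguments: $1 - login.defs path (optional; default /etc/login.defs)
        local cfgfile=${1:-/etc/login.defs}
        local key value

        prt_msg "$Mandatory" "Setting password max days..."
        backup_cfgfile "$cfgfile"
        for key in PASS_MAX_DAYS PASS_MIN_LEN PASS_MIN_DAYS; do
                case "$key" in
                        PASS_MAX_DAYS) value=90 ;;
                        PASS_MIN_LEN)  value=8 ;;
                        PASS_MIN_DAYS) value=2 ;;
                esac
                # Anchor on the key: the old unanchored "PASS_MAX_DAYS.*" also
                # rewrote the explanatory comment lines of login.defs, and a
                # key that was absent altogether was never added.
                if grep -Eq "^[[:space:]]*$key[[:space:]]" "$cfgfile"; then
                        sed -i -e "s/^[[:space:]]*$key[[:space:]].*/$key $value/" "$cfgfile"
                else
                        printf '%s %s\n' "$key" "$value" >> "$cfgfile"
                fi
        done
        printf "OK!\n"
}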

#设置口令重复使用次数
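kylin_sec_password_remembers() {
        # (Optional) Remember the last 5 passwords so they cannot be reused:
        # add "remember=5" to the pam_unix line of the password stack.
        # Arguments: $1 - PAM file (optional; default /etc/pam.d/system-auth)
        local cfgfile=${1:-/etc/pam.d/system-auth}
        local -r pam_unix_re='^password[[:space:]]+sufficient[[:space:]]+pam_unix\.so'

        prt_msg "$Optional" "Checking password remembers..."
        if grep -v '^[[:space:]]*#' "$cfgfile" | grep -E "$pam_unix_re" | grep -q 'remember='; then
                printf "OK!\n"
                return 0
        fi
        printf "Need to change\n"
        printf "Fixing password remembers...\n"
        backup_cfgfile "$cfgfile"
        # Append the option to the existing line rather than replacing the
        # whole option list: the old replacement also forced "nullok" (empty
        # passwords accepted) onto the line, which this check does not ask for.
        sed -i -E "/$pam_unix_re/ s/\$/ remember=5/" "$cfgfile"
}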

#删除或锁定无关账号
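kylin_sec_lock_login() {
        # (Mandatory) Lock the password of every account whose shell is
        # .../sbin/nologin, so it cannot authenticate with a password even if
        # one is set.
        # Arguments: $1 - passwd file to read (optional; default /etc/passwd)
        local cfgfile=${1:-/etc/passwd}
        local account

        prt_msg "$Mandatory" "Locking account of /sbin/nologin..."
        # Match on the shell field; the old grep matched "/sbin/nologin"
        # anywhere on the line.
        while IFS= read -r account; do
                [[ -n "$account" ]] || continue
                passwd -l "$account" >/dev/null 2>&1
        done < <(awk -F: '$7 ~ /\/sbin\/nologin$/ {print $1}' "$cfgfile")
        printf "OK!\n"
}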

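kylin_sec_disable_root_telnet() {
        # (Mandatory) Disable the xinetd telnet service. On a Kylin "Mini"
        # install telnet is not usable by default, so this normally reports OK.
        local cfgfile=/etc/xinetd.d/telnet

        prt_msg "$Mandatory" "Checking telnet for root login..."
        if [[ ! -e "$cfgfile" ]]; then
                printf "OK!\n"
                return 0
        fi

        # lsof exits 0 when something IS listening on TCP/23. The old code
        # reported OK in that case and only edited the config when nothing was
        # listening, i.e. the condition was inverted. Without lsof we cannot
        # tell, so fall through and disable the service anyway.
        if command -v lsof >/dev/null 2>&1 && ! lsof -Pn -i4TCP:23 -s TCP:LISTEN >/dev/null 2>&1; then
                printf "OK!\n"
                return 0
        fi
        printf "Need to change\n"
        printf "Fixing to disable root login telnet...\n"
        backup_cfgfile "$cfgfile"
        sed -i -e 's|disable *=.*|disable = yes|g' "$cfgfile"
        svc_ctl restart xinetd
}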

#设置ssh登录策略
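kylin_sec_ssh_policy() {
        # Apply the baseline sshd settings: Protocol 2, IgnoreRhosts yes,
        # PermitRootLogin no, PermitEmptyPasswords no, Banner /etc/issue and
        # (as this baseline specifies) X11Forwarding yes.
        # NOTE(review): "X11Forwarding yes" is unusual for a hardening
        # baseline; it is kept because the baseline this script follows asks
        # for it.
        # Arguments: $1 - sshd_config path (optional; default /etc/ssh/sshd_config)
        # Returns:   1 if the rewritten config fails "sshd -t" (file left as is)
        local cfgfile=${1:-/etc/ssh/sshd_config}
        local tmp

        backup_cfgfile "$cfgfile"
        tmp=$(mktemp) || return 1
        awk '
                /^Protocol/              { $2 = "2" }
                /^X11Forwarding/         { $2 = "yes" }
                /^IgnoreRhosts/          { $2 = "yes" }
                /(^#|^)PermitRootLogin/  { $1 = "PermitRootLogin"; $2 = "no" }
                /^PermitEmptyPasswords/  { $2 = "no" }
                /^#Banner/               { $1 = "Banner"; $2 = "/etc/issue" }
                { print }' "$cfgfile" > "$tmp" || { rm -f -- "$tmp"; return 1; }

        # Validate before installing: a broken sshd_config followed by a
        # restart locks every remote administrator out. sshd -t needs the
        # host keys, which only root can read, hence the EUID guard.
        if (( EUID == 0 )) && command -v sshd >/dev/null 2>&1 && ! sshd -t -f "$tmp" >/dev/null 2>&1; then
                printf 'sshd rejected the rewritten %s, leaving it unchanged\n' "$cfgfile" >&2
                rm -f -- "$tmp"
                return 1
        fi
        # Write through ">" so the target keeps its owner and mode.
        cat -- "$tmp" > "$cfgfile"
        rm -f -- "$tmp"
        svc_ctl restart sshd
}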

#设置用户所需最小权限
kylin_sec_min_privileges() {
        # Minimum permissions for the account database files:
        #   /etc/passwd  readable by all, writable by root  (-rw-r--r--, 644)
        #   /etc/shadow  readable by root only              (-rw-------, 600)
        #   /etc/group   readable by all, writable by root  (-rw-r--r--, 644)
        local -A modes=(
                [/etc/passwd]=644
                [/etc/shadow]=600
                [/etc/group]=644
        )
        local path

        prt_msg "$Mandatory" "Setting permissions for security files..."
        for path in /etc/passwd /etc/shadow /etc/group; do
                chmod "${modes[$path]}" "$path"
        done
        printf "OK!\n"
}

#检查别名文件配置
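#######################################
# Comment out the mail aliases this baseline considers unsafe (game*,
# ingres, system, toor, uucp, manager, dumper, operator, decode, root) in
# one aliases file.
# Arguments: $1 - aliases file; silently skipped when it does not exist
#######################################
_kylin_sec_comment_aliases() {
        local file=$1
        local -a names=(game ingres system toor uucp manager dumper operator decode root)
        local -a expr=()
        local n

        [[ -e "$file" ]] || return 0
        backup_cfgfile "$file"
        # One sed invocation with every pattern anchored at line start. The
        # old list contained "&manager" (a literal '&'), so the manager alias
        # was never commented out.
        for n in "${names[@]}"; do
                expr+=(-e "s/^$n.*/#&/")
        done
        sed -i "${expr[@]}" "$file"
}

kylin_sec_aliases() {
        # Disable unnecessary mail aliases in /etc/aliases and, when present,
        # /etc/mail/aliases. NOTE(review): "root:" is commented out as well,
        # so mail for root is no longer redirected. Run newaliases afterwards
        # (provided once postfix is installed) for the change to take effect.
        # Arguments: $1, $2 - alias file paths (optional; defaults as above)
        local cfgfile1=${1:-/etc/aliases}
        local cfgfile2=${2:-/etc/mail/aliases}

        _kylin_sec_comment_aliases "$cfgfile1"
        _kylin_sec_comment_aliases "$cfgfile2"
}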

#启用cron行为日志功能
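kylin_sec_syslog_cron() {
        # (Mandatory) Make sure rsyslog records cron activity in /var/log/cron.
        # Arguments: $1 - rsyslog.conf path (optional; default /etc/rsyslog.conf)
        local cfgfile=${1:-/etc/rsyslog.conf}

        prt_msg "$Mandatory" "Checking syslog for crontab..."
        if grep -v '^[[:space:]]*#' "$cfgfile" | grep -Eq '^[[:space:]]*cron\.\*'; then
                printf "OK!\n"
                return 0
        fi
        printf "Fixing syslog for crontab..."
        backup_cfgfile "$cfgfile"
        # The old code appended "con.*", a typo: an invalid selector that never
        # satisfied the check above, so another line was added on every run.
        echo "cron.*     /var/log/cron" >> "$cfgfile"
        svc_ctl restart rsyslog
        printf "Done\n"
}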

#禁止ICMP重定向
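kylin_sec_ipv4_accept_redirects() {
        # (Mandatory) Ignore ICMP redirects so a neighbour on the LAN cannot
        # rewrite this host's routing table.
        # Arguments: $1 - sysctl.conf path (optional; default /etc/sysctl.conf)
        local cfgfile=${1:-/etc/sysctl.conf}
        local -r key=net.ipv4.conf.all.accept_redirects
        local -r key_re='net\.ipv4\.conf\.all\.accept_redirects'

        prt_msg "$Mandatory" "Checking ipv4 accept redirects..."
        # Accept both "key=0" and the conventional "key = 0" spelling.
        if grep -Eq "^[[:space:]]*$key_re[[:space:]]*=[[:space:]]*0[[:space:]]*$" "$cfgfile"; then
                printf "OK!\n"
                return 0
        fi
        printf "Need to change\n"
        printf "Fixing ipv4 accept redirects..."
        # The old code called "bakcup_cfgfile" (typo), so no backup was made.
        backup_cfgfile "$cfgfile"
        if grep -Eq "^[[:space:]]*$key_re[[:space:]]*=" "$cfgfile"; then
                # Replace an active setting with a different value rather
                # than appending a second line for the same key.
                sed -i -E "s/^[[:space:]]*$key_re[[:space:]]*=.*/$key=0/" "$cfgfile"
        else
                echo "$key=0" >> "$cfgfile"
        fi
        sysctl -p "$cfgfile" >/dev/null 2>&1
        printf "Done\n"
}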

#关闭IP转发
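kylin_sec_disable_ip_forward() {
        # (Mandatory) Turn off IPv4 forwarding: a host that is not a router
        # should not relay packets between interfaces.
        # NOTE(review): container and virtualisation hosts rely on
        # ip_forward=1; exclude them from this check.
        # Arguments: $1 - sysctl.conf path (optional; default /etc/sysctl.conf)
        local cfgfile=${1:-/etc/sysctl.conf}
        local -r key=net.ipv4.ip_forward
        local -r key_re='net\.ipv4\.ip_forward'

        prt_msg "$Mandatory" "Checking ip forward..."
        # Accept both "key=0" and the conventional "key = 0" spelling.
        if grep -Eq "^[[:space:]]*$key_re[[:space:]]*=[[:space:]]*0[[:space:]]*$" "$cfgfile"; then
                printf "OK!\n"
                return 0
        fi
        printf "Need to change\n"
        printf "Fixing to set net.ipv4.ip_forward=0..."
        backup_cfgfile "$cfgfile"
        if grep -Eq "^[[:space:]]*$key_re[[:space:]]*=" "$cfgfile"; then
                # Replace an active "ip_forward = 1" instead of appending a
                # second line for the same key.
                sed -i -E "s/^[[:space:]]*$key_re[[:space:]]*=.*/$key=0/" "$cfgfile"
        else
                echo "$key=0" >> "$cfgfile"
        fi
        sysctl -p "$cfgfile" >/dev/null 2>&1
        printf "Done\n"
}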

#设置登录超时策略
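kylin_sec_login_timeout() {
        # (Mandatory) Log idle shells out after 300 s via TMOUT in /etc/profile.
        # NOTE(review): without "readonly TMOUT" a user can unset the value;
        # the baseline only asks for the export, so that is all that is done.
        # Arguments: $1 - profile path (optional; default /etc/profile)
        local cfgfile=${1:-/etc/profile}
        local -r timeout=300
        local -r tmout_re='^[[:space:]]*(export[[:space:]]+)?TMOUT='

        prt_msg "$Mandatory" "Checking shell login timeout..."
        if grep -Eq "^[[:space:]]*export[[:space:]]+TMOUT=$timeout[[:space:]]*$" "$cfgfile"; then
                printf "OK!\n"
                return 0
        fi
        printf "Need to change\n"
        printf "Fixing shell login timeout..."
        backup_cfgfile "$cfgfile"
        if grep -Eq "$tmout_re" "$cfgfile"; then
                # Replace the whole line including an existing "export": the
                # old "s|TMOUT=.*|export TMOUT=300|" turned "export TMOUT=600"
                # into "export export TMOUT=300".
                sed -i -E "s/$tmout_re.*/export TMOUT=$timeout/" "$cfgfile"
        else
                echo "export TMOUT=$timeout" >> "$cfgfile"
        fi
        printf "Done\n"
}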

#设置历史记录输出条数
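kylin_sec_histsize() {
        # (Mandatory) Limit the shell history kept in memory to 100 entries via
        # /etc/profile. NOTE(review): a small HISTSIZE also shortens the command
        # trail available during incident response; the baseline value is kept.
        # Arguments: $1 - profile path (optional; default /etc/profile)
        local cfgfile=${1:-/etc/profile}
        local -r size=100
        local -r hist_re='^([[:space:]]*(export[[:space:]]+)?)HISTSIZE='

        prt_msg "$Mandatory" "Checking shell histsize..."
        if grep -Eq "${hist_re}${size}[[:space:]]*$" "$cfgfile"; then
                printf "OK!\n"
                return 0
        fi
        printf "Need to change\n"
        printf "Fixing shell histsize..."
        backup_cfgfile "$cfgfile"
        if grep -Eq "$hist_re" "$cfgfile"; then
                # Keep the leading whitespace/"export" of the existing line
                # (group 1) and replace only the value; the old "HISTSIZE=.*"
                # pattern was unanchored.
                sed -i -E "s/$hist_re.*/\1HISTSIZE=$size/" "$cfgfile"
        else
                echo "HISTSIZE=$size" >> "$cfgfile"
        fi
        printf "Done\n"
}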

#修改SNMP服务默认团体字
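kylin_sec_fix_snmpd_default_community() {
        # (Mandatory) Replace the well-known read community in snmpd.conf when
        # net-snmp is installed.
        # Globals:   SNMP_COMMUNITY (read, optional) - community string to set;
        #            defaults to the value the original script hard-coded.
        # NOTE(review): a default that sits in a published script is not a
        # secret; set SNMP_COMMUNITY per host (or prefer SNMPv3) wherever the
        # agent is actually used.
        # Returns:   1 when the community string contains characters that are
        #            not safe to embed in the config line
        local cfgfile=/etc/snmp/snmpd.conf
        local community=${SNMP_COMMUNITY:-cs2ccom}

        if [[ ! "$community" =~ ^[A-Za-z0-9_.-]+$ ]]; then
                printf 'SNMP_COMMUNITY contains unsupported characters\n' >&2
                return 1
        fi
        # -q: the old pipeline printed the matching package names to stdout.
        if rpm -qa 2>/dev/null | grep -Eq "^net-snmp-5.*"; then
                prt_msg "$Mandatory" "Checking default community for snmp..."
                if [[ -e "$cfgfile" ]]; then
                        backup_cfgfile "$cfgfile"
                        # Match the line whether or not it is commented out:
                        # the old "^#com2sec" pattern left an active
                        # "com2sec notConfigUser default public" untouched.
                        sed -i -E "s|^#?[[:space:]]*com2sec[[:space:]]+notConfigUser[[:space:]]+.*|com2sec notConfigUser default $community|" "$cfgfile"
                fi
                printf "OK!\n"
        else
                prt_msg "$Mandatory" "snmp is not installed..."
                printf "OK!\n"
        fi
}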

#设置ssh登陆前警告
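kylin_sec_config_ssh_banner() {
        # (Mandatory) Show a pre-authentication warning banner for ssh logins.
        # Arguments: $1 - banner file (optional; default /etc/ssh_banner)
        #            $2 - sshd_config path (optional; default /etc/ssh/sshd_config)
        local cfgfile_banner=${1:-/etc/ssh_banner}
        local cfgfile_sshd=${2:-/etc/ssh/sshd_config}
        local tmp

        prt_msg "$Mandatory" "Checking ssh banner..."
        echo "Authorized only. All activity will be monitored and reported" > "$cfgfile_banner"
        # Ownership as in the original baseline; sshd only needs read access.
        chown bin:bin "$cfgfile_banner" 2>/dev/null
        chmod 644 "$cfgfile_banner"
        backup_cfgfile "$cfgfile_sshd"
        if grep -Eq '^[[:space:]]*#?[[:space:]]*Banner[[:space:]]' "$cfgfile_sshd"; then
                # Rewrite Banner directives only (active or commented); the old
                # ".*Banner.*" pattern replaced any line containing the word.
                sed -i -E "s|^[[:space:]]*#?[[:space:]]*Banner[[:space:]].*|Banner $cfgfile_banner|" "$cfgfile_sshd"
        else
                # No Banner line at all: prepend one, since a directive placed
                # after a "Match" block would apply to that block only.
                tmp=$(mktemp) || return 1
                { echo "Banner $cfgfile_banner"; cat -- "$cfgfile_sshd"; } > "$tmp" && cat -- "$tmp" > "$cfgfile_sshd"
                rm -f -- "$tmp"
        fi
        svc_ctl restart sshd >/dev/null 2>&1
        printf "OK!\n"
}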

#禁止不必要的系统账号ftp登录
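kylin_sec_disable_rootlogin_ftp() {
        # (Mandatory) Deny ftp login for root by listing it in vsftpd's ftpusers.
        # Arguments: $1 - ftpusers path (optional; default /etc/vsftpd/ftpusers)
        # Returns:   1 when vsftpd is not installed (the caller skips the other
        #            vsftpd checks on that status), 0 otherwise
        local cfgfile=${1:-/etc/vsftpd/ftpusers}

        if ! rpm -qa 2>/dev/null | grep -q "vsftp"; then
                prt_msg "$Mandatory" "vsftp is not installed..."
                printf "OK!\n"
                return 1
        fi
        prt_msg "$Mandatory" "Checking root login vsftpd..."
        # Whole-line match: the old "root" pattern matched any line containing
        # the word, and "[ $? -eq 0]" (missing space) was a syntax error that
        # always fell through to the "fix" branch.
        if grep -Eq '^[[:space:]]*root[[:space:]]*$' "$cfgfile"; then
                printf "OK!\n"
                return 0
        fi
        printf "Need to change\n"
        printf "Disabling root login vsftpd...\n"
        backup_cfgfile "$cfgfile"
        echo "root" >> "$cfgfile"
}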

#限制ftp用户权限
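kylin_sec_vsftpd_chroot() {
        # (Mandatory) Confine ftp users to their home directory
        # (chroot_local_user=YES) and maintain the exception list.
        # NOTE(review): with chroot_local_user=YES and chroot_list_enable=YES,
        # vsftpd treats chroot_list_file as the list of users that are NOT
        # chrooted; the loop below puts every regular user (uid >= 100) on
        # it, as the original script did — confirm that is the intended policy.
        # Arguments: $1 - vsftpd.conf path (optional; default /etc/vsftpd/vsftpd.conf)
        #            $2 - chroot list path (optional; default /etc/vsftpd/chroot_list)
        local cfgfile=${1:-/etc/vsftpd/vsftpd.conf}
        local chroot_list_file=${2:-/etc/vsftpd/chroot_list}
        local key

        prt_msg "$Mandatory" "Checking vsftpd chroot setting..."
        if grep -Eq '^[[:space:]]*chroot_local_user=YES[[:space:]]*$' "$cfgfile"; then
                printf "OK!\n"
                return 0
        fi
        printf "Need to change\n"
        printf "Fixing vsftpd chroot_local_user=YES..."
        backup_cfgfile "$cfgfile"
        # Set each key, adding it when absent; the old sed could only rewrite
        # lines that already existed.
        for key in chroot_local_user=YES chroot_list_enable=YES "chroot_list_file=$chroot_list_file"; do
                if grep -Eq "^[[:space:]]*#?[[:space:]]*${key%%=*}=" "$cfgfile"; then
                        sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key%%=*}=.*|$key|" "$cfgfile"
                else
                        echo "$key" >> "$cfgfile"
                fi
        done
        backup_cfgfile "$chroot_list_file"
        : > "$chroot_list_file"
        awk -F: '$1 != "root" && $3 >= 100 && $7 !~ /\/sbin\/nologin$/ {print $1}' /etc/passwd >> "$chroot_list_file"
        svc_ctl restart vsftpd
        printf "Done\n"
}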

#禁止匿名ftp登录
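kylin_sec_disable_anonyftp() {
        # (Mandatory) Disable anonymous ftp: remove the "ftp" account and set
        # anonymous_enable=NO in vsftpd.conf.
        local cfgfile=/etc/passwd
        local vsftpd_conf=/etc/vsftpd/vsftpd.conf

        if ! rpm -qa 2>/dev/null | grep -q "vsftp"; then
                prt_msg "$Mandatory" "vsftp is not installed..."
                printf "OK!\n"
                return 0
        fi
        prt_msg "$Mandatory" "Checking anonymous ftp account..."
        if ! grep -q '^ftp:' "$cfgfile"; then
                printf "OK!\n"
        else
                printf "Need to change\n"
                printf "Fixing anonymous ftp account...\n"
                backup_cfgfile "$cfgfile"
                # Remove the account with userdel so /etc/shadow, /etc/group
                # and /etc/gshadow stay consistent. The old "sed -i /ftp/d"
                # deleted every passwd line containing "ftp" anywhere (any
                # user with "ftp" in its name, GECOS or home directory) and
                # left their shadow entries behind.
                userdel ftp >/dev/null 2>&1
                svc_ctl restart vsftpd
        fi
        if [[ -e "$vsftpd_conf" ]]; then
                backup_cfgfile "$vsftpd_conf"
                sed -i -e 's|^[#]*anonymous_enable=YES|anonymous_enable=NO|g' "$vsftpd_conf"
        fi
}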

#检查是否限制用户su到root[可选]
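kylin_sec_su_restricted_to_root() {
        # (Optional) Restrict "su" to members of the wheel group via
        # pam_wheel.so and add one ordinary user to wheel, so root can still be
        # reached after root ssh login has been disabled elsewhere in this
        # script. Without a username the check is skipped, as in the original:
        # enabling pam_wheel with nobody in wheel would lock root away.
        # Arguments: $1 - user to add to wheel (optional; empty skips the check)
        #            $2 - PAM su file (optional; default /etc/pam.d/su)
        # Returns:   1 when the named user does not exist
        local username=${1:-}
        local cfgfile=${2:-/etc/pam.d/su}
        local -r active_re='^auth.*required.*pam_wheel\.so.*use_uid'
        local -r commented_re='^#.*auth.*required.*pam_wheel\.so.*use_uid'
        local tmp

        prt_msg "$Optional" "Checking su is restricted to root..."
        if [[ -z "$username" ]]; then
                printf "No settings for normal users\n"
                return 0
        fi
        # Refuse to enable the restriction for an account that does not
        # exist: nobody could su to root afterwards.
        if ! id "$username" >/dev/null 2>&1; then
                printf "user %s does not exist, skipped\n" "$username"
                return 1
        fi
        if grep -Eq "$active_re" "$cfgfile"; then
                printf "pam_wheel.so line already enabled\n"
        elif grep -Eq "$commented_re" "$cfgfile"; then
                # Uncomment the stock line. (The old if/elif tested the same
                # condition twice, so its "add the line" branch was unreachable.)
                sed -i -E 's/^#[[:space:]]*(auth.*required.*pam_wheel\.so.*use_uid)/\1/' "$cfgfile"
                printf "Uncommented pam_wheel.so line\n"
        else
                # Prepend both lines; "sed 1i" would do nothing on an empty file.
                tmp=$(mktemp) || return 1
                {
                        printf 'auth sufficient pam_rootok.so\nauth required pam_wheel.so use_uid\n'
                        cat -- "$cfgfile"
                } > "$tmp" && cat -- "$tmp" > "$cfgfile"
                rm -f -- "$tmp"
                printf "Added pam_wheel.so line\n"
        fi
        usermod -aG wheel "$username"
        printf "OK!\n"
}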

# 检查是否设置文件与目录缺省权限
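kylin_sec_set_files_and_directories_permissions() {
        # Default creation mask for new files and directories: change
        # "umask 022" in /etc/profile to the stricter "umask 027" (no access
        # for others).
        # Arguments: $1 - profile path (optional; default /etc/profile)
        local cfgfile=${1:-/etc/profile}

        prt_msg "$Mandatory" "Checking set for files and directories..."
        # Anchor on the umask keyword and the exact value: the old "umask.*022"
        # matched any line with "umask" followed somewhere by "022".
        if grep -Eq '^[[:space:]]*umask[[:space:]]+022([[:space:]]|$)' "$cfgfile"; then
                printf "Need to change\n"
                backup_cfgfile "$cfgfile"
                sed -i -E 's/^([[:space:]]*)umask[[:space:]]+022([[:space:]]|$)/\1umask 027\2/' "$cfgfile"
        fi
        printf "OK!\n"
}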



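# ---- run all checks in baseline order ---------------------------------------
# Every check edits system files or calls passwd/usermod/systemctl; refuse to
# run without root instead of printing "OK!" for edits that silently failed.
if (( EUID != 0 )); then
        printf 'security-baseline.sh must be run as root\n' >&2
        exit 1
fi

kylin_sec_change_account_expiretime
kylin_sec_login_prompt
kylin_sec_disable_selinux
kylin_sec_disable_unused_services
kylin_sec_pass_warn_age
kylin_sec_disable_ssh_rootlogin
kylin_sec_account_locking_policy
kylin_sec_passwd_complexity
kylin_sec_pass_max_days
kylin_sec_password_remembers
kylin_sec_lock_login
kylin_sec_disable_root_telnet
kylin_sec_ssh_policy
kylin_sec_min_privileges
kylin_sec_aliases
kylin_sec_syslog_cron
kylin_sec_ipv4_accept_redirects
kylin_sec_disable_ip_forward
kylin_sec_login_timeout
kylin_sec_histsize
kylin_sec_fix_snmpd_default_community
kylin_sec_config_ssh_banner
# kylin_sec_disable_rootlogin_ftp returns 1 when vsftpd is not installed;
# the two remaining vsftpd checks are skipped in that case.
kylin_sec_disable_rootlogin_ftp
ftp_rc=$?
if (( ftp_rc != 1 )); then
        kylin_sec_vsftpd_chroot
        kylin_sec_disable_anonyftp
fi
kylin_sec_su_restricted_to_root
kylin_sec_set_files_and_directories_permissions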

使用如下

bash security-baseline.sh