满足Ubuntu系统的等保三级合规标准脚本
说明:该脚本根据部分网络资源进行修改,这个脚本内容的各个配置参数仅适用于我个人,如需使用请先找台测试机进行测试相关配置策略,无问题后才在正式环境中进行加固。
#!/bin/bash
## 定义告警界别
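#######################################
# Print a timestamped, green INFO line on stdout.
# Arguments: message words; they are joined with single spaces
# Outputs:   one line on stdout
#######################################
log::info() {
  # The message is passed as a printf *argument*, never as part of the format
  # string, so a '%' inside it cannot be misinterpreted and multiple words are
  # not split across the format and the argument list.
  printf '[%s]: \033[32mINFO: %s \033[0m\n' "$(date +'%Y-%m-%dT%H:%M:%S')" "$*"
}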
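#######################################
# Print a timestamped, yellow WARNING line on stdout.
# Arguments: message words; they are joined with single spaces
# Outputs:   one line on stdout (kept on stdout, like the other log helpers,
#            so existing callers that capture output keep working)
#######################################
log::warning() {
  # Message goes in as an argument, not as format text: '%' is printed as-is.
  printf '[%s]: \033[33mWARNING: %s \033[0m\n' "$(date +'%Y-%m-%dT%H:%M:%S')" "$*"
}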
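#######################################
# Print a timestamped, red ERROR line on stdout.
# Arguments: message words; they are joined with single spaces
# Outputs:   one line on stdout (deliberately not stderr, to match the other
#            log helpers and the script's existing output stream)
#######################################
log::err() {
  # Message goes in as an argument, not as format text: '%' is printed as-is.
  printf '[%s]: \033[31mERROR: %s \033[0m\n' "$(date +'%Y-%m-%dT%H:%M:%S')" "$*"
}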
## 用途: 操作系统安全加固配置脚本(符合等保要求-三级要求)
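#######################################
# Print the section separator used between hardening steps.
# Outputs:   a line of '=' followed by a blank-ish line on stdout
#######################################
os::_separator() {
  echo "============================================================================================="
  echo " "
}

#######################################
# Set (or append) one "KEY VALUE" directive in /etc/login.defs.
# Arguments: $1 - directive name (e.g. PASS_MAX_DAYS)
#            $2 - value
# Outputs:   none; edits /etc/login.defs in place
#######################################
os::_set_login_def() {
  local key=$1 value=$2
  if grep -Eq "^\s*${key}\s+\S*(\s*#.*)?\s*$" /etc/login.defs; then
    sed -ri "s/^(\s*)${key}\s+\S*(\s*#.*)?\s*$/${key} ${value}/" /etc/login.defs
  else
    printf '%s %s\n' "$key" "$value" >>/etc/login.defs
  fi
}

#######################################
# Append LINE to FILE unless FILE already contains it (fixed-string,
# substring match, so a commented-out copy of the line also counts as present).
# Arguments: $1 - file path
#            $2 - line to ensure
# Outputs:   none; may append to the file
#######################################
os::_ensure_line() {
  local file=$1 line=$2
  grep -qF -- "$line" "$file" || printf '%s\n' "$line" >>"$file"
}

#######################################
# Operating-system hardening for Ubuntu, oriented at the MLPS ("等保")
# level-3 requirements. Every step edits live system configuration, so run it
# on a test machine first (see the note at the top of this file).
# Globals:   AUDITOR_PASSWORD, SECURITOR_PASSWORD (read; optional overrides of
#            the built-in initial passwords for the two accounts)
# Arguments: none
# Outputs:   progress via log::info / log::warning / log::err on stdout
# Returns:   1 when not running as root; otherwise 0 (a failing step is
#            logged but does not abort the remaining steps)
#######################################
os::Security() {
  local auditor_pw securitor_pw

  # Every step below writes to /etc or installs packages; without root they
  # all fail one by one, so stop early with a clear message instead.
  if [[ $EUID -ne 0 ]]; then
    log::err "必须以 root 身份运行加固脚本"
    return 1
  fi

  log::info "正在进行->系统软件升级"
  # apt-get update -y
  # apt-get upgrade -y
  # log::info "正在进行->操作系统安全加固(符合等保要求-三级要求)配置"
  #log::info "安装libpam-cracklib"
  #apt-get update -y
  # pam_cracklib provides the password-complexity checks applied in step (2);
  # if the package cannot be installed, the common-password edit below becomes
  # a silent no-op, so make the failure visible.
  # NOTE(review): newer Ubuntu releases ship libpam-pwquality rather than
  # libpam-cracklib — confirm the package exists for the target release.
  if ! apt-get install -y libpam-cracklib; then
    log::warning "libpam-cracklib 安装失败,密码复杂度策略将不会生效"
  fi

  ## Auditor account with an initial password.
  # The default is held in a single-quoted literal: inside double quotes the
  # "$K" part of the original value was expanded (normally to nothing), so the
  # password actually set was not the one written in the script.
  local -r auditor_default='nV0sGPyC$K'
  auditor_pw=${AUDITOR_PASSWORD:-$auditor_default}
  if id auditor &>/dev/null; then
    log::warning "auditor 用户已存在,跳过创建,仅重置密码"
  else
    useradd -m auditor
  fi
  printf '%s:%s\n' auditor "$auditor_pw" | chpasswd

  # Sudo rule goes into /etc/sudoers.d (picked up by Ubuntu's default
  # "@includedir /etc/sudoers.d") instead of being appended to /etc/sudoers on
  # every run. visudo -c validates the file first: a syntax error in sudoers
  # locks every administrator out of sudo.
  # NOTE(review): less and more can start subprocesses from inside the pager;
  # consider the sudoers NOEXEC tag or limiting the list to cat/head/tail.
  local -r auditor_sudoers=/etc/sudoers.d/auditor
  printf '%s\n' "auditor ALL = (root) NOPASSWD: /usr/bin/cat , /usr/bin/less , /usr/bin/more , /usr/bin/tail , /usr/bin/head " >"$auditor_sudoers"
  chmod 0440 "$auditor_sudoers"
  if ! visudo -cf "$auditor_sudoers" >/dev/null; then
    log::err "sudoers 规则语法错误,已移除 ${auditor_sudoers}"
    rm -f -- "$auditor_sudoers"
  fi
  # chown -R auditor:auditor /var/log

  ## Security-officer account.
  local -r securitor_default='Ydm_M@w2f0'
  securitor_pw=${SECURITOR_PASSWORD:-$securitor_default}
  if id securitor &>/dev/null; then
    log::warning "securitor 用户已存在,跳过创建,仅重置密码"
  else
    useradd -m securitor
  fi
  printf '%s:%s\n' securitor "$securitor_pw" | chpasswd
  # chown -R securitor:securitor /etc

  # (1) Account review: flag interactive shells and non-default accounts.
  log::info "[-] 锁定或者删除多余的系统账户以及创建低权限用户"
  local -ra defaultuser=(root daemon bin sys sync games man lp mail news uucp proxy www-data backup list irc gnats nobody systemd-network systemd-resolve syslog messagebus _apt uuidd ntp sshd _chrony statd)
  local name terminal entry
  # Read login name and shell field by field; no word-splitting on the line.
  while IFS=: read -r name terminal || [[ -n "$name" ]]; do
    entry="${name}:${terminal}"
    if [[ "$terminal" == "/bin/bash" || "$terminal" == "/bin/sh" ]]; then
      log::warning "${entry} 用户,shell终端为 /bin/bash 或者 /bin/sh"
    fi
    # Space-padded membership test against the whitelist (names have no spaces).
    if [[ " ${defaultuser[*]} " != *" ${name} "* ]]; then
      log::warning "${entry} 非默认用户"
    fi
  done < <(cut -d: -f1,7 /etc/passwd)
  os::_separator

  ## Temporarily disabled in the original; the login.defs/PAM edits are live.
  # # (2) Password length, lifetime and complexity
  log::info "[-] 用户口令复杂性策略设置 (密码过期周期PASS_MAX_DAYS 90天、到期前30天提示、密码长度至少8、复杂度设置至少有一个大写ucredit,小写lcredit、数字dcredit、特殊字符ocredit、尝试次数retry为三次)"
  os::_set_login_def PASS_MIN_DAYS 7
  os::_set_login_def PASS_MAX_DAYS 90
  # 30 days in both paths: the original appended 14 when the key was missing
  # but replaced with 30 when it existed, contradicting the message above.
  os::_set_login_def PASS_WARN_AGE 30
  os::_set_login_def PASS_MIN_LEN 8
  # These only take effect when the pam_cracklib line already exists in
  # common-password (i.e. the package installed correctly above).
  grep -Eq "^password\s.+pam_cracklib.so\s+\w+.*$" /etc/pam.d/common-password && sed -ri '/^password\s.+pam_cracklib.so/{s/pam_cracklib.so\s+\w+.*$/pam_cracklib.so retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-4 ocredit=-1/g;}' /etc/pam.d/common-password
  grep -Eq "^password\s.+pam_unix.so\s+\w+.*$" /etc/pam.d/common-password && sed -ri '/^password\s.+pam_unix.so/{s/pam_unix.so\s+\w+.*$/pam_unix.so obscure use_authtok try_first_pass sha512 minlen=8/g;}' /etc/pam.d/common-password
  # # login.defs only applies to new accounts; existing ones (root) need chage:
  # chage --maxdays 90 root
  # chage --mindays 7 root
  # os::_separator

  # (3) Default umask
  log::info "[-] 配置用户 umask 为027 "
  # $(umask) — the original used $umask, an unset variable, so the message
  # never showed the current value.
  log::info "查询默认状态为$(umask)"
  grep -Eq "^\s*umask\s+\w+.*$" /etc/profile && sed -ri "s/^\s*umask\s+\w+.*$/umask 027/" /etc/profile || printf 'umask 027\n' >>/etc/profile
  os::_separator

  # (4) Remove trust files for the legacy r-services.
  log::info "[-] 删除潜在威胁文件 "
  # One traversal instead of three; -exec ... + passes the paths to rm intact,
  # whereas unquoted find | xargs breaks on paths with whitespace.
  find / -maxdepth 3 \( -name hosts.equiv -o -name .netrc -o -name .rhosts \) -exec rm -rf -- {} +
  os::_separator

  ## Temporarily disabled in the original.
  # (5) sshd hardening
  log::info "[-] sshd 服务安全加固设置"
  # # Deny direct root login (recommended; enable according to local policy)
  # egrep -q "^\s*PermitRootLogin\s+.+$" /etc/ssh/sshd_config && sed -ri "s/^\s*PermitRootLogin\s+.+$/PermitRootLogin no/" /etc/ssh/sshd_config || echo "PermitRootLogin no" >> /etc/ssh/sshd_config
  ## Idle-session timeout: limits how long an unattended ssh session stays usable
  # egrep -q "^\s*#ClientAliveInterval\s+.+$" /etc/ssh/sshd_config && sed -ri "s/^\s*#ClientAliveInterval\s+.+$/ClientAliveInterval 600/" /etc/ssh/sshd_config || echo "ClientAliveInterval 600" >>/etc/ssh/sshd_config
  # egrep -q "^\s*#ClientAliveCountMax\s+.+$" /etc/ssh/sshd_config && sed -ri "s/^\s*#ClientAliveCountMax\s+.+$/ClientAliveCountMax 3/" /etc/ssh/sshd_config || echo "ClientAliveCountMax 3" >>/etc/ssh/sshd_config
  # os::_separator
  echo " "

  ## Temporarily disabled in the original (the pam_tally2 lines were still live).
  # (6) Remote login failure lockout and terminal timeout
  # log::info "[-] 用户远程连续登录失败10次锁定帐号10分钟包括root账号"
  # pam_tally2 has been removed from newer PAM releases. A "required" line for
  # a module that cannot be loaded makes every sshd authentication fail, so the
  # line is only inserted when the module is actually present on this host.
  if find /usr/lib /lib/ -name pam_tally2.so -print -quit 2>/dev/null | grep -q .; then
    sed -ri "/^\s*auth\s+required\s+pam_tally2.so\s+.+(\s*#.*)?\s*$/d" /etc/pam.d/sshd
    sed -ri '2a auth required pam_tally2.so onerr=fail deny=10 unlock_time=600 even_deny_root root_unlock_time=600' /etc/pam.d/sshd
  else
    log::warning "未找到 pam_tally2.so,跳过 sshd 登录失败锁定配置(新版本 PAM 请改用 pam_faillock)"
  fi
  # # Console login lockout (optional)
  # sed -ri "/^\s*auth\s+required\s+pam_tally2.so\s+.+(\s*#.*)?\s*$/d" /etc/pam.d/login
  # sed -ri '2a auth required pam_tally2.so deny=5 unlock_time=300 even_deny_root root_unlock_time=300' /etc/pam.d/login
  log::info "[-] 设置登录超时时间为5分钟 "
  # NOTE(review): TMOUT is not made readonly here, so an interactive user can
  # still unset it; add "readonly TMOUT" if the policy requires enforcement.
  if grep -Eq "^\s*(export|)\s*TMOUT\S\w+.*$" /etc/profile; then
    sed -ri "s/^\s*(export|)\s*TMOUT.\S\w+.*$/export TMOUT=300/" /etc/profile
  else
    printf 'export TMOUT=300\n' >>/etc/profile
  fi
  os::_separator

  # (6) Shell history retention and timestamps
  log::info "[-] 用户终端执行的历史命令记录 "
  grep -Eq "^HISTSIZE\W\w+.*$" /etc/profile && sed -ri "s/^HISTSIZE\W\w+.*$/HISTSIZE=10000/" /etc/profile || printf 'HISTSIZE=10000\n' >>/etc/profile
  grep -Eq "^HISTFILESIZE\W\w+.*$" /etc/profile && sed -ri "s/^HISTFILESIZE\W\w+.*$/HISTFILESIZE=10000/" /etc/profile || printf 'HISTFILESIZE=10000\n' >>/etc/profile
  grep -Eq "^HISTTIMEFORMAT\W\w+.*$" /etc/profile && sed -ri 's/^HISTTIMEFORMAT\W\w+.*$/export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S `whoami` "/' /etc/profile || echo 'export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S `whoami` "' >>/etc/profile
  # Re-read the profile so the verification output at the end of the script
  # (TMOUT, HISTSIZE) reflects the values just written.
  source /etc/profile
  os::_separator

  # (7) Process and open-file limits
  log::info "[-] Linux 系统的最大进程数和最大文件打开数设置"
  # The original "replace the line with itself plus a trailing space" sed calls
  # did nothing useful; appending only when missing is the intended effect.
  local limit
  for limit in \
    "root soft nofile 65535" "root hard nofile 65535" \
    "* soft nofile 65535" "* hard nofile 65535" \
    "root soft nproc 65535" "root hard nproc 65535" \
    "* soft nproc 65535" "* hard nproc 65535"; do
    os::_ensure_line /etc/security/limits.conf "$limit"
  done
  os::_separator

  # (8) Kernel parameter tuning (disabled)
  # log::info "[-] Linux 系统参数优化设置"
  # tee -a /etc/sysctl.conf <<'EOF'
  # # Avoid swap; prefer physical memory
  # vm.swappiness = 0
  # kernel.sysrq = 1
  # # Besides raising load capacity, these help absorb small-volume DoS/CC/SYN floods
  # ## Enable SYN cookies when the SYN backlog overflows (default 0 = off)
  # net.ipv4.tcp_syncookies = 1
  # ## Allow TIME-WAIT sockets to be reused for new connections (default 0 = off)
  # net.ipv4.tcp_tw_reuse = 1
  # ## Fast recycling of TIME-WAIT sockets (default 0 = off)
  # # net.ipv4.tcp_tw_recycle = 1
  # ## How long a socket closed by this end stays in FIN-WAIT-2
  # net.ipv4.tcp_fin_timeout = 60
  # ## Server-side SYN+ACK retries
  # net.ipv4.tcp_synack_retries = 2
  # # SYN packets sent before the kernel gives up on a connection
  # net.ipv4.tcp_syn_retries = 2
  # net.ipv4.tcp_fastopen = 3
  # # Do not reset the congestion window after an idle period
  # net.ipv4.tcp_slow_start_after_idle = 0
  # # Port range / concurrency tuning (not needed on low-traffic servers)
  # net.ipv4.tcp_keepalive_time = 1200
  # ## SYN queue length, default 1024, raised to 8192
  # net.ipv4.tcp_max_syn_backlog = 8192
  # ## Maximum number of TIME_WAIT sockets kept at once
  # net.ipv4.tcp_max_tw_buckets = 5000
  # ## Outgoing port range; default 32768-61000 is small
  # net.ipv4.ip_local_port_range = 1024 65535
  # # Socket buffer tuning
  # ## Max packets queued when the NIC receives faster than the kernel drains
  # net.core.netdev_max_backlog = 8192
  # ## Upper bound of the listen() backlog
  # net.core.somaxconn = 8192
  # ## Maximum receive socket buffer (bytes)
  # net.core.rmem_max = 12582912
  # ## Default receive socket buffer (bytes)
  # net.core.rmem_default = 6291456
  # ## Maximum send socket buffer; larger BDP needs a larger value
  # net.core.wmem_max = 12582912
  # ## Default send socket buffer (bytes)
  # net.core.wmem_default = 6291456
  # EOF
  # sysctl -p
  # #(9) Disable telnet / ftp (disabled). Do not re-enable on a current
  # # release: the sources.list line below mixes the old "trusty" archive into apt.
  # log::info "[-] 禁用telnet ftp服务"
  # echo "deb http://archive.ubuntu.com/ubuntu/ trusty main universe restricted multiverse" >> /etc/apt/sources.list
  # apt-get update -y
  # apt-get install sysv-rc-conf -y
  # sysv-rc-conf telnet off
  # sysv-rc-conf ftp off
  # os::_separator

  #(10) Audit daemon
  log::info "[-] 开启日志审计服务"
  if apt-get install -y auditd; then
    systemctl restart auditd
  else
    log::err "auditd 安装失败,审计服务未启用"
  fi
  os::_separator

  #(11) Log rotation: monthly, keep 6 rotations.
  log::info "[-] 设置日志属性"
  # The substitutions are unanchored and also touch comment lines; kept as in
  # the original because logrotate ignores comments.
  grep -Eq "week" /etc/logrotate.conf && sed -ri "s/week/month/" /etc/logrotate.conf
  grep -Eq "rotate 4" /etc/logrotate.conf && sed -ri "s/rotate 4/rotate 6/" /etc/logrotate.conf
  grep -Eq "rotate 1" /etc/logrotate.conf && sed -ri "s/rotate 1/rotate 6/" /etc/logrotate.conf
  os::_separator

  # (12) Enable the cron and daemon facilities in rsyslog.
  log::info "[-] 开启cron和daemon日志记录"
  grep -Eq "^#cron" /etc/rsyslog.d/50-default.conf && sed -ri "s/^#cron/cron/" /etc/rsyslog.d/50-default.conf
  grep -Eq "^#daemon" /etc/rsyslog.d/50-default.conf && sed -ri "s/^#daemon/daemon/" /etc/rsyslog.d/50-default.conf
  systemctl restart rsyslog

  # (13) Make the cron/daemon logs append-only. The files only exist after
  # rsyslog has written to them, so skip the ones that are missing instead of
  # letting chattr print an error.
  log::info "[-] 更改cron和daemon日志文件属性"
  local logfile
  for logfile in /var/log/cron.log /var/log/daemon.log; do
    if [[ -e "$logfile" ]]; then
      chattr +a "$logfile"
    fi
  done

  # (14) Ownership and mode of the account databases.
  # NOTE(review): Ubuntu ships /etc/shadow and /etc/gshadow as 0640 root:shadow;
  # 0400 root:root removes read access for the "shadow" group, which some
  # non-root authentication helpers rely on — verify on the target release.
  log::info "[-] 设置用户权限配置文件的权限"
  chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow
  chmod 0644 /etc/group
  chmod 0644 /etc/passwd
  chmod 0400 /etc/shadow
  chmod 0400 /etc/gshadow
  os::_separator
  log::info "加固完成"
  os::_separator
}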
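#
# Remove temporary files and old logs so the hardened system can be captured
# as a baseline image. This intentionally discards the existing log history,
# so it is only appropriate on a freshly built machine, never on a host whose
# logs may still be needed for investigation.
# unalias rm
# find ~/.trash/* -delete
find /home/ -type d -name .trash -exec find {} -delete \;
find /var/log -name "*.gz" -delete
find /var/log -name "*log.*" -delete
find /var/log -name "vmware-*.*.log" -delete
find /var/log -name "*.log-*" -delete
# -exec ... + truncates all matches with one truncate call instead of one per file.
find /var/log -name "*.log" -exec truncate -s 0 {} +
# find /tmp/* -delete

# Run the hardening.
os::Security

# Print the resulting settings for manual verification.
log::info "查看密码长度与有效期设置"
grep PASS_ /etc/login.defs | grep -v '#'
log::info "密码复杂度设置"
grep "pam_cracklib.so" /etc/pam.d/common-password
log::info "查看口令重复次数设置"
grep "use_authtok" /etc/pam.d/common-password
log::info "查看回话超时设置"
# TMOUT/HISTSIZE come from the /etc/profile sourced inside os::Security.
echo "会话超时时间为$TMOUT秒"
log::info "查看历史记录条数设置"
echo "历史记录条数为$HISTSIZE条"
log::info "查看历史命令时间戳"
# NOTE(review): a non-interactive bash has no history list, so this normally
# prints nothing; check HISTTIMEFORMAT from a fresh login shell instead.
history | tail -n 5
log::info "查看ssh登陆失败次数与终端超时设置"
grep "pam_tally2.so" /etc/pam.d/sshd
log::info "查看桌面登陆失败次数与终端超时设置"
grep "pam_tally2.so" /etc/pam.d/login
log::info "查看umask设置"
umask
log::info "查看用户最大文件打开数"
grep nofile /etc/security/limits.conf | grep -v '#'
log::info "查看用户最大进程数"
grep nproc /etc/security/limits.conf | grep -v '#'
log::info "查看审计服务是否开启"
service auditd status
log::info "查看审计日志配置"
grep -v "^#\|^$" /etc/logrotate.conf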