
满足Ubuntu系统的等保三级合规标准脚本


满足Ubuntu系统的等保三级合规标准脚本

说明:该脚本根据部分网络资源进行修改,这个脚本内容的各个配置参数仅适用于我个人,如需使用请先找台测试机进行测试相关配置策略,无问题后才在正式环境中进行加固。

#!/bin/bash
## 定义告警级别
  
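#######################################
# Timestamped green INFO line on stdout.
# Arguments: $* - message text (joined with spaces)
# The message is passed as a printf *argument*, never as the format: the
# original interpolated "$@" into the format string, so a '%' in the text
# was treated as a conversion and multiple arguments split the format.
#######################################
log::info() {
  printf '[%s]: \033[32mINFO: %s \033[0m\n' "$(date +'%Y-%m-%dT%H:%M:%S')" "$*"
}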
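#######################################
# Timestamped yellow WARNING line on stdout.
# Arguments: $* - message text (joined with spaces)
# The text goes in as a printf argument so that '%' in a message (or a
# message made of several words) cannot be misread as format directives.
#######################################
log::warning() {
  printf '[%s]: \033[33mWARNING: %s \033[0m\n' "$(date +'%Y-%m-%dT%H:%M:%S')" "$*"
}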
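#######################################
# Timestamped red ERROR line on stdout.
# Arguments: $* - message text (joined with spaces)
# As with the other log helpers the text is a printf argument, not part of
# the format, so it is printed verbatim whatever characters it contains.
#######################################
log::err() {
  printf '[%s]: \033[31mERROR: %s \033[0m\n' "$(date +'%Y-%m-%dT%H:%M:%S')" "$*"
}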
## 用途: 操作系统安全加固配置脚本(符合等保要求-三级要求)
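#######################################
# Append LINE to FILE unless that exact line is already present.
# Arguments: $1 - file, $2 - line (compared literally, whole line)
#######################################
os::_ensure_line() {
  local file=$1 line=$2
  grep -qxF -- "${line}" "${file}" 2>/dev/null || printf '%s\n' "${line}" >>"${file}"
}

#######################################
# Rewrite the line matching PATTERN (an extended regex without '/') in FILE
# to REPLACEMENT, or append LINE when no line matches. Replaces the
# "grep && sed || echo" chains: with those, a failing sed also triggered the
# append.
# Arguments: $1 - file, $2 - ERE pattern, $3 - sed replacement, $4 - line
#######################################
os::_set_or_append() {
  local file=$1 pattern=$2 replacement=$3 line=$4
  if grep -Eq -- "${pattern}" "${file}"; then
    sed -ri "s/${pattern}/${replacement}/" "${file}"
  else
    printf '%s\n' "${line}" >>"${file}"
  fi
}

#######################################
# Set KEY to VALUE in /etc/login.defs (active entries only; commented ones
# are left alone, as in the original patterns).
# Arguments: $1 - key (e.g. PASS_MAX_DAYS), $2 - value
#######################################
os::_set_login_def() {
  local key=$1 value=$2
  os::_set_or_append /etc/login.defs \
    "^(\s*)${key}\s+\S*(\s*#.*)?\s*$" "${key}  ${value}" "${key}  ${value}"
}

#######################################
# Section separator printed between hardening steps.
#######################################
os::_rule() {
  echo "============================================================================================="
  echo "                                                                                             "
}

#######################################
# 操作系统安全加固配置脚本(符合等保要求-三级要求)
# Ubuntu hardening baseline: audit/security accounts, password policy,
# umask, dangerous files, login lockout, session timeout, history,
# resource limits, auditd, log rotation and permissions.
# Globals:   AUDITOR_PASSWORD, SECURITOR_PASSWORD (read; must be set)
# Outputs:   progress via log::* on stdout
# Returns:   1 when not run as root or a password variable is missing;
#            0 otherwise (individual steps log failures but continue)
#######################################
os::Security() {
  if (( EUID != 0 )); then
    log::err "必须以 root 身份运行"
    return 1
  fi
  # Credentials come from the environment, not the script text: a password
  # literal inside double quotes is subject to expansion (the original one
  # contained "$K", which expanded to nothing, so the account got a different
  # password than intended), and a hard-coded secret travels with every copy
  # of this file.
  if [[ -z "${AUDITOR_PASSWORD:-}" || -z "${SECURITOR_PASSWORD:-}" ]]; then
    log::err "请通过环境变量 AUDITOR_PASSWORD 与 SECURITOR_PASSWORD 提供账号密码"
    return 1
  fi
  local -a defaultuser
  local name shell known is_default sudoers_tmp who item logfile

  log::info "正在进行->系统软件升级"
  # apt-get update / upgrade are intentionally not run here.
  # NOTE(review): newer Ubuntu releases ship libpam-pwquality rather than
  # libpam-cracklib — confirm the package exists on the target release.
  apt install libpam-cracklib -y

  ## 添加审计员账号和设置密码
  # useradd fails when the account already exists, so only create it once.
  id auditor >/dev/null 2>&1 || useradd -m auditor
  printf '%s:%s\n' auditor "${AUDITOR_PASSWORD}" | chpasswd
  # The sudo rule goes into a sudoers.d drop-in that is syntax-checked before
  # being installed; a bad line appended straight to /etc/sudoers breaks sudo
  # for every user. Assumes /etc/sudoers includes /etc/sudoers.d (Ubuntu
  # default) — confirm on the target.
  # NOTE(review): less/more can start an interactive shell from inside the
  # pager, so as written this entry is effectively full root for auditor;
  # consider limiting the list or adding the NOEXEC tag.
  sudoers_tmp=$(mktemp) || return 1
  printf '%s\n' "auditor ALL = (root) NOPASSWD: /usr/bin/cat , /usr/bin/less , /usr/bin/more , /usr/bin/tail , /usr/bin/head " >"${sudoers_tmp}"
  if visudo -cf "${sudoers_tmp}" >/dev/null; then
    install -m 0440 -o root -g root "${sudoers_tmp}" /etc/sudoers.d/auditor
  else
    log::err "sudoers 规则校验失败,未写入 /etc/sudoers.d/auditor"
  fi
  rm -f -- "${sudoers_tmp}"

  ## 添加安全员账号
  id securitor >/dev/null 2>&1 || useradd -m securitor
  printf '%s:%s\n' securitor "${SECURITOR_PASSWORD}" | chpasswd

  # (1) 系统用户核查配置
  log::info "[-] 锁定或者删除多余的系统账户以及创建低权限用户"
  defaultuser=(root daemon bin sys sync games man lp mail news uucp proxy www-data backup list irc gnats nobody systemd-network systemd-resolve syslog messagebus _apt uuidd ntp sshd _chrony statd)
  # Read /etc/passwd field by field; the original "for i in $(cat ...)" split
  # on whitespace inside the GECOS field as well as on newlines.
  while IFS=: read -r name _ _ _ _ _ shell; do
    [[ -n "${name}" ]] || continue
    if [[ "${shell}" == "/bin/bash" || "${shell}" == "/bin/sh" ]]; then
      log::warning "${name}:${shell} 用户,shell终端为 /bin/bash 或者 /bin/sh"
    fi
    is_default=0
    for known in "${defaultuser[@]}"; do
      if [[ "${name}" == "${known}" ]]; then
        is_default=1
        break
      fi
    done
    (( is_default )) || log::warning "${name}:${shell} 非默认用户"
  done </etc/passwd
  os::_rule

  # (2) 设置密码长度、有效期、密码复杂度
  log::info "[-] 用户口令复杂性策略设置 (密码过期周期PASS_MAX_DAYS 90天、到期前30天提示、密码长度至少8、复杂度设置至少有一个大写ucredit,小写lcredit、数字dcredit、特殊字符ocredit、尝试次数retry为三次)"
  os::_set_login_def PASS_MIN_DAYS 7
  os::_set_login_def PASS_MAX_DAYS 90
  # The original rewrote an existing entry to 30 but appended 14 when the key
  # was missing; 30 is what the log line above announces.
  os::_set_login_def PASS_WARN_AGE 30
  os::_set_login_def PASS_MIN_LEN 8

  grep -Eq "^password\s.+pam_cracklib.so\s+\w+.*$" /etc/pam.d/common-password && sed -ri '/^password\s.+pam_cracklib.so/{s/pam_cracklib.so\s+\w+.*$/pam_cracklib.so retry=3 minlen=8  ucredit=-1 lcredit=-1 dcredit=-4 ocredit=-1/g;}' /etc/pam.d/common-password
  grep -Eq "^password\s.+pam_unix.so\s+\w+.*$" /etc/pam.d/common-password && sed -ri '/^password\s.+pam_unix.so/{s/pam_unix.so\s+\w+.*$/pam_unix.so obscure use_authtok try_first_pass sha512 minlen=8/g;}' /etc/pam.d/common-password
  # login.defs only affects accounts created afterwards; existing accounts
  # (root included) need "chage --maxdays 90 / --mindays 7" — left to the
  # operator, as in the original.

  # (3) 设置umask值
  log::info "[-] 配置用户 umask 为027 "
  # $(umask) is the current value; the original printed the unset variable $umask.
  log::info "查询默认状态为$(umask)"
  os::_set_or_append /etc/profile '^\s*umask\s+\w+.*$' 'umask 027' 'umask 027'
  os::_rule

  # (4) 删除潜在威胁文件
  log::info "[-] 删除潜在威胁文件 "
  # NUL-delimited so paths with spaces or newlines cannot be split into
  # unrelated arguments for rm.
  find / -maxdepth 3 -name hosts.equiv -print0 | xargs -0 -r rm -rf --
  find / -maxdepth 3 -name .netrc -print0 | xargs -0 -r rm -rf --
  find / -maxdepth 3 -name .rhosts -print0 | xargs -0 -r rm -rf --
  os::_rule

  # (5) SSHD 服务安全加固设置 — the sshd_config changes (PermitRootLogin no,
  # ClientAliveInterval 600, ClientAliveCountMax 3) are disabled in this
  # version and left to the operator; only the banner line is printed.
  log::info "[-] sshd 服务安全加固设置"
  os::_rule

  # (6) 用户远程登录失败次数与终端超时设置
  # 用户远程连续登录失败10次锁定帐号10分钟包括root账号
  # pam_tally2 is deprecated and removed from newer Linux-PAM releases in
  # favour of pam_faillock. A "required" line naming a module that cannot be
  # loaded makes every sshd authentication fail, so the line is only written
  # when the module file is actually present.
  if compgen -G '/lib/*/security/pam_tally2.so' >/dev/null 2>&1 || [[ -e /lib/security/pam_tally2.so ]]; then
    sed -ri "/^\s*auth\s+required\s+pam_tally2.so\s+.+(\s*#.*)?\s*$/d" /etc/pam.d/sshd
    # "2a" inserts after line 2 of the file regardless of its content — the
    # position matches the original; verify the result on a test host.
    sed -ri '2a auth required pam_tally2.so onerr=fail deny=10 unlock_time=600 even_deny_root root_unlock_time=600' /etc/pam.d/sshd
  else
    log::warning "未找到 pam_tally2.so,跳过登录失败锁定设置(新版本请使用 pam_faillock)"
  fi
  # 桌面登陆失败次数与终端超时设置(可选): the equivalent edit of
  # /etc/pam.d/login is intentionally not applied.

  log::info "[-] 设置登录超时时间为5分钟 "
  # Match any "TMOUT=<value>" (optionally exported). The original grep and
  # sed patterns differed, so e.g. "TMOUT=5" was detected by grep but never
  # rewritten by sed and never appended either.
  os::_set_or_append /etc/profile '^\s*(export\s+)?TMOUT=.*$' 'export TMOUT=300' 'export TMOUT=300'
  os::_rule

  # (6) 用户终端执行的历史命令记录
  log::info "[-] 用户终端执行的历史命令记录 "
  os::_set_or_append /etc/profile '^HISTSIZE\W\w+.*$' 'HISTSIZE=10000' 'HISTSIZE=10000'
  os::_set_or_append /etc/profile '^HISTFILESIZE\W\w+.*$' 'HISTFILESIZE=10000' 'HISTFILESIZE=10000'
  # The backticks are meant to stay literal: they are evaluated by each
  # login shell when it reads /etc/profile, not here.
  os::_set_or_append /etc/profile '^HISTTIMEFORMAT\W\w+.*$' \
    'export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S  `whoami`  "' \
    'export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S  `whoami` "'

  # Pull the new umask/TMOUT/HIST* values into this shell so the report
  # printed after hardening reflects them.
  source /etc/profile
  os::_rule

  # (7)设置系统的最大进程数和最大文件打开数
  log::info "[-] Linux 系统的最大进程数和最大文件打开数设置"
  # The original "sed" branch only re-wrote an existing line with a trailing
  # space; ensuring the line exists is all that is needed.
  for who in root '*'; do
    for item in nofile nproc; do
      os::_ensure_line /etc/security/limits.conf "${who} soft ${item} 65535"
      os::_ensure_line /etc/security/limits.conf "${who} hard ${item} 65535"
    done
  done
  os::_rule

  # (8)系统参数优化 — disabled. The original appended the following to
  # /etc/sysctl.conf and ran "sysctl -p":
  #   vm.swappiness = 0, kernel.sysrq = 1,
  #   net.ipv4.tcp_syncookies = 1, net.ipv4.tcp_tw_reuse = 1,
  #   net.ipv4.tcp_fin_timeout = 60, net.ipv4.tcp_synack_retries = 2,
  #   net.ipv4.tcp_syn_retries = 2, net.ipv4.tcp_fastopen = 3,
  #   net.ipv4.tcp_slow_start_after_idle = 0, net.ipv4.tcp_keepalive_time = 1200,
  #   net.ipv4.tcp_max_syn_backlog = 8192, net.ipv4.tcp_max_tw_buckets = 5000,
  #   net.ipv4.ip_local_port_range = 1024 65535,
  #   net.core.netdev_max_backlog = 8192, net.core.somaxconn = 8192,
  #   net.core.rmem_max = 12582912, net.core.rmem_default = 6291456,
  #   net.core.wmem_max = 12582912, net.core.wmem_default = 6291456
  # (9)禁用telnet ftp服务 — disabled (sysv-rc-conf telnet/ftp off).

  #(10)开启安全审计
  log::info "[-] 开启日志审计服务"
  apt-get install auditd -y
  systemctl restart auditd || log::err "auditd 重启失败"
  os::_rule

  #(11)设置日志属性
  log::info "[-] 设置日志属性"
  # Anchor on the directive so comments are untouched, and match "rotate 4" /
  # "rotate 1" as whole values: the original "s/rotate 1/rotate 6/" also
  # turned "rotate 12" into "rotate 62".
  sed -ri 's/^(\s*)weekly\b/\1monthly/' /etc/logrotate.conf
  sed -ri 's/^(\s*)rotate\s+(4|1)\s*$/\1rotate 6/' /etc/logrotate.conf
  os::_rule

  # (12)开启相关的安全事件,主要开启cron和daemon
  log::info "[-] 开启cron和daemon日志记录"
  # sed is a no-op when nothing matches, so no grep guard is needed.
  sed -ri "s/^#cron/cron/" /etc/rsyslog.d/50-default.conf
  sed -ri "s/^#daemon/daemon/" /etc/rsyslog.d/50-default.conf
  service rsyslog restart

  # (13)更改日志文件属性,使文件只可追加不可修改
  log::info "[-] 更改cron和daemon日志文件属性"
  # NOTE(review): append-only log files may prevent logrotate from renaming
  # or removing them — confirm rotation still works on a test host.
  for logfile in /var/log/cron.log /var/log/daemon.log; do
    # 如果不存在则忽略
    [[ -e "${logfile}" ]] && chattr +a "${logfile}"
  done

  # (14) 设置用户权限配置文件的权限
  log::info "[-] 设置用户权限配置文件的权限"
  # NOTE(review): Ubuntu ships /etc/shadow and /etc/gshadow as root:shadow
  # 0640; root:root 0400 is stricter and may affect setgid-shadow helpers —
  # verify password changes and logins still work after applying.
  chown root:root /etc/passwd /etc/shadow /etc/group /etc/gshadow
  chmod 0644 /etc/group
  chmod 0644 /etc/passwd
  chmod 0400 /etc/shadow
  chmod 0400 /etc/gshadow
  os::_rule

  log::info "加固完成"
  os::_rule
}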
#
# 安全加固过程临时文件清理为基线镜像做准备
# unalias rm
# find ~/.trash/* -delete
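#######################################
# Entry point: clear temporary files and stale logs (baseline-image
# preparation), run the hardening steps, then print the resulting settings.
# Returns: the status of os::Security; the report is skipped when it fails.
#######################################
main() {
  # Trash directories and rotated/compressed logs are deleted and live logs
  # truncated so the image starts clean. This discards audit history, so it is
  # only appropriate when building a baseline image, not on a live host.
  find /home/ -type d -name .trash -prune -exec rm -rf -- {} +
  find /var/log -name '*.gz' -delete
  find /var/log -name '*log.*' -delete
  find /var/log -name 'vmware-*.*.log' -delete
  find /var/log -name '*.log-*' -delete
  find /var/log -name '*.log' -exec truncate -s 0 {} +

  # 开始执行加固
  os::Security || return 1

  # 输出加固后的结果
  log::info "查看密码长度与有效期设置"
  grep PASS_ /etc/login.defs | grep -v '#'

  log::info "密码复杂度设置"
  grep "pam_cracklib.so" /etc/pam.d/common-password

  log::info "查看口令重复次数设置"
  grep "use_authtok" /etc/pam.d/common-password

  log::info "查看回话超时设置"
  printf '会话超时时间为%s秒\n' "${TMOUT:-}"

  log::info "查看历史记录条数设置"
  printf '历史记录条数为%s条\n' "${HISTSIZE:-}"

  log::info "查看历史命令时间戳"
  # "history" is empty in a non-interactive shell, so show the configured
  # timestamp format instead.
  grep -E '^\s*(export\s+)?HISTTIMEFORMAT' /etc/profile

  log::info "查看ssh登陆失败次数与终端超时设置"
  grep "pam_tally2.so" /etc/pam.d/sshd

  log::info "查看桌面登陆失败次数与终端超时设置"
  grep "pam_tally2.so" /etc/pam.d/login

  log::info "查看umask设置"
  umask

  log::info "查看用户最大文件打开数"
  grep nofile /etc/security/limits.conf | grep -v '#'

  log::info "查看用户最大进程数"
  grep nproc /etc/security/limits.conf | grep -v '#'

  log::info "查看审计服务是否开启"
  service auditd status

  log::info "查看审计日志配置"
  grep -Ev '^#|^$' /etc/logrotate.conf
}

main "$@"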

 
