#!/bin/bash
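cy() {
  # Limit password reuse: add "remember=5" to the active pam_unix.so
  # "password sufficient" line so the last 5 hashes are kept and rejected on
  # reuse. Only pam_unix.so understands remember=; other lines can also end in
  # use_authtok (pam_sss.so on sssd-joined hosts, for instance), which is why
  # the edit is pinned to the pam_unix.so line instead of to any line ending
  # in "use_authtok". Commented-out lines are ignored by check and edit alike.
  # /etc/pam.d/system-auth is normally a symlink to system-auth-ac (managed by
  # authconfig); editing the resolved target keeps the link intact, whereas
  # "sed -i" on the link itself would replace it with a regular file. A later
  # "authconfig --update" regenerates the -ac file and drops this edit.
  # $1 - PAM service file; exits 1 when it is missing or has no pam_unix.so
  #      line ending in use_authtok to extend.
  local cfg line_re
  cfg=$(readlink -f "$1")
  if [[ ! -f "$cfg" ]]; then
    echo "$1 not found"
    exit 1
  fi
  line_re='^password[[:space:]]\+sufficient[[:space:]].*pam_unix\.so'
  if grep -q "${line_re}.*remember=" "$cfg"; then
    echo "[cy] already exists"
    return 0
  fi
  sed -i "/${line_re}.*use_authtok\$/ s/\$/ remember=5/" "$cfg"
  # Re-check instead of trusting sed: a pam_unix.so line with other trailing
  # options is reported rather than guessed at.
  if ! grep -q "${line_re}.*remember=5" "$cfg"; then
    echo "[cy] No such line"
    exit 1
  fi
}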
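#######################################
# Shared helper: does sshd_config already hold "<keyword> <value>" as an
# active (uncommented) line? sshd keywords are case-insensitive, so the
# match is too.
# Arguments: $1 - sshd_config path, $2 - keyword, $3 - value
# Returns:   0 when present, 1 otherwise
#######################################
_sshd_has() {
  local cfg=$1 key=$2 val=$3
  grep -Eiq "^[[:space:]]*${key}[[:space:]]+${val}[[:space:]]*\$" "$cfg"
}

#######################################
# Shared helper: set "<keyword> <value>" in sshd_config, replacing any
# existing definition. Two sshd_config rules shape this:
#  * the FIRST occurrence of a keyword wins, so every existing line for the
#    keyword (any case, any leading whitespace, "key=value" form too) is
#    deleted first, otherwise the new value would be silently ignored;
#  * everything after a "Match" line belongs to that block (and several
#    keywords, e.g. LogLevel and Protocol, are not valid there at all), so
#    the new line is inserted before the first Match line when one exists
#    and appended to the file only when there is none.
# Arguments: $1 - sshd_config path, $2 - keyword (literal, no regex chars),
#            $3 - value
#######################################
_sshd_set() {
  local cfg=$1 key=$2 val=$3 first_match
  sed -i '/^[[:space:]]*'"${key}"'\([[:space:]=]\|$\)/Id' "$cfg"
  first_match=$(grep -Ein -m1 '^[[:space:]]*Match([[:space:]]|$)' "$cfg" | cut -d: -f1)
  if [[ -n "$first_match" ]]; then
    sed -i "${first_match}i ${key} ${val}" "$cfg"
  else
    # A last line without a trailing newline would otherwise have the new
    # keyword glued onto it.
    [[ -s "$cfg" && -n "$(tail -c1 "$cfg")" ]] && echo >> "$cfg"
    printf '%s %s\n' "$key" "$val" >> "$cfg"
  fi
}

li() {
  # Ensure sshd logs at LogLevel INFO.
  # $1 - sshd_config path; exits 1 when it does not exist.
  if [[ ! -f "$1" ]]; then
    echo "$1 not found"
    exit 1
  fi
  if _sshd_has "$1" LogLevel INFO; then
    echo "[li] already exists"
  else
    _sshd_set "$1" LogLevel INFO
  fi
}

kx() {
  # SSH idle timeout: ClientAliveInterval 300 / ClientAliveCountMax 2 makes
  # sshd probe a silent client every 300 s and drop the connection after 2
  # unanswered probes. NOTE(review): client-alive probes are answered by any
  # live ssh client, so this detects dead connections rather than idle users;
  # confirm that matches the intent of the baseline item.
  # Both values are rewritten whenever either one is missing.
  # $1 - sshd_config path; exits 1 when it does not exist.
  if [[ ! -f "$1" ]]; then
    echo "$1 not found"
    exit 1
  fi
  if _sshd_has "$1" ClientAliveInterval 300 && _sshd_has "$1" ClientAliveCountMax 2; then
    echo "[kx] already exists"
  else
    _sshd_set "$1" ClientAliveInterval 300
    _sshd_set "$1" ClientAliveCountMax 2
  fi
}

aq() {
  # Force SSH protocol 2 only. OpenSSH 7.4+ (RHEL 7) removed the SSH-1 server,
  # so there the keyword is accepted without effect; it matters on the OpenSSH
  # 5.x shipped with RHEL/CentOS 6, where protocol 1 can still be enabled.
  # $1 - sshd_config path; exits 1 when it does not exist.
  if [[ ! -f "$1" ]]; then
    echo "$1 not found"
    exit 1
  fi
  if _sshd_has "$1" Protocol 2; then
    echo "[aq] already exists"
  else
    _sshd_set "$1" Protocol 2
  fi
}

ma() {
  # Cap authentication attempts per connection: MaxAuthTries 4 (the script's
  # baseline item asks for a value between 3 and 6).
  # $1 - sshd_config path; exits 1 when it does not exist.
  if [[ ! -f "$1" ]]; then
    echo "$1 not found"
    exit 1
  fi
  if _sshd_has "$1" MaxAuthTries 4; then
    echo "[ma] already exists"
  else
    _sshd_set "$1" MaxAuthTries 4
  fi
}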
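jg() {
  # Minimum interval between password changes: PASS_MIN_DAYS 7 in login.defs,
  # so a user cannot cycle through passwords to get back to an old one.
  # Caveats: login.defs only applies to accounts created afterwards; of the
  # existing accounts only root is updated (chage --mindays 7 root), and only
  # on the change path, so other existing users keep their current ageing.
  # $1 - path to login.defs; exits 1 when it does not exist.
  if [[ ! -f "$1" ]]; then
    echo "$1 not found"
    exit 1
  fi
  # login.defs separates key and value with any whitespace (the stock file
  # uses tabs), so the "already set" check must not insist on a single space;
  # otherwise every run would rewrite the line and re-run chage.
  if grep -Eq '^PASS_MIN_DAYS[[:space:]]+7[[:space:]]*$' "$1"; then
    echo "[jg] already exists"
  else
    sed -i '/^PASS_MIN_DAYS/ d' "$1"
    echo 'PASS_MIN_DAYS 7' >> "$1"
    chage --mindays 7 root || echo "[jg] chage --mindays 7 root failed" >&2
  fi
}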
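sx() {
  # Maximum password age: PASS_MAX_DAYS 90 in login.defs.
  # Caveats: login.defs only applies to accounts created afterwards; of the
  # existing accounts only root is updated (chage --maxdays 90 root), and only
  # on the change path. NOTE(review): per chage semantics an account whose
  # password is already older than the new maximum is expired at its next
  # login -- check "chage -l root" before enabling this in the dispatcher.
  # $1 - path to login.defs; exits 1 when it does not exist.
  if [[ ! -f "$1" ]]; then
    echo "$1 not found"
    exit 1
  fi
  # login.defs separates key and value with any whitespace (the stock file
  # uses tabs), so the "already set" check must not insist on a single space.
  if grep -Eq '^PASS_MAX_DAYS[[:space:]]+90[[:space:]]*$' "$1"; then
    echo "[sx] already exists"
  else
    sed -i '/^PASS_MAX_DAYS/ d' "$1"
    echo 'PASS_MAX_DAYS 90' >> "$1"
    chage --maxdays 90 root || echo "[sx] chage --maxdays 90 root failed" >&2
  fi
}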
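fz() {
  # Password complexity for pam_pwquality (RHEL 7): minlen=10 and minclass=3
  # (at least three character classes) in pwquality.conf.
  # NOTE(review): the RHEL 6 path (fz_liu) writes minlen=11 for pam_cracklib;
  # confirm which value the baseline intends.
  # $1 - path to pwquality.conf; exits 1 when it does not exist.
  if [[ ! -f "$1" ]]; then
    echo "$1 not found"
    exit 1
  fi
  # pwquality.conf accepts "key = value" with optional spaces (the stock file
  # is written that way), so both the check and the cleanup tolerate them;
  # commented-out lines are left alone.
  if grep -Eq '^[[:space:]]*minlen[[:space:]]*=[[:space:]]*10[[:space:]]*$' "$1" \
     && grep -Eq '^[[:space:]]*minclass[[:space:]]*=[[:space:]]*3[[:space:]]*$' "$1"; then
    echo "[fz] already exists"
  else
    sed -i -e '/^[[:space:]]*minlen[[:space:]]*=/ d' \
           -e '/^[[:space:]]*minclass[[:space:]]*=/ d' "$1"
    echo "minlen=10" >> "$1"
    echo "minclass=3" >> "$1"
  fi
}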
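fz_liu() {
  # Password complexity on RHEL/CentOS 6, where pam_cracklib.so is used
  # instead of pwquality.conf: appends "minlen=11 minclass=3" to the active
  # pam_cracklib.so "password" line.
  # NOTE(review): the RHEL 7 path (fz) writes minlen=10; confirm which value
  # the baseline intends.
  # /etc/pam.d/system-auth is normally a symlink to system-auth-ac (managed by
  # authconfig); editing the resolved target keeps the link intact, whereas
  # "sed -i" on the link itself would replace it with a regular file. A later
  # "authconfig --update" regenerates the -ac file and drops this edit.
  # $1 - PAM service file; exits 1 when it is missing or has no active
  #      pam_cracklib.so password line.
  local cfg
  cfg=$(readlink -f "$1")
  if [[ ! -f "$cfg" ]]; then
    echo "$1 not found"
    exit 1
  fi
  # Only active "password" lines count. The original pipeline ended in
  # "grep minclass=3 $1", which ignored the piped input and matched any line
  # of the file, commented ones included.
  if grep -Eq '^password[[:space:]].*minclass=3' "$cfg"; then
    echo "[fz_liu] already exists"
    return 0
  fi
  if ! grep -Eq '^password[[:space:]].*pam_cracklib\.so' "$cfg"; then
    echo "[fz_liu] No such line"
    exit 1
  fi
  # Append to the pam_cracklib.so line itself rather than to whatever line
  # happens to end in "type=", so a line with different trailing options is
  # still handled.
  sed -i '/^password[[:space:]].*pam_cracklib\.so/ s/[[:space:]]*$/ minlen=11 minclass=3/' "$cfg"
}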
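#######################################
# Dispatcher: select the function set for the detected RHEL/CentOS release.
# Everything above edits system files in place (sed -i, chage), so root is
# required. sshd_config is backed up first and syntax-checked with "sshd -t"
# afterwards; a config sshd cannot parse is rolled back, because otherwise the
# next sshd restart would fail and lock remote operators out. The sshd changes
# only take effect once sshd is reloaded, which is left to the operator.
# Unlike the original, an unsupported release now exits non-zero so that
# automation notices nothing was applied.
#######################################
if [[ $EUID -ne 0 ]]; then
  echo "must be run as root" >&2
  exit 1
fi
# The dot is escaped: an unescaped ' 7.' matches any character after the 7.
if grep -q ' 7\.' /etc/redhat-release 2>/dev/null; then
  rel=7
elif grep -q ' 6\.' /etc/redhat-release 2>/dev/null; then
  rel=6
else
  echo "System does not support"
  exit 1
fi

sshd_cfg=/etc/ssh/sshd_config
backup="${sshd_cfg}.bak.$(date +%Y%m%d%H%M%S)"

# Password reuse limit (PAM), both authconfig-managed service files.
cy /etc/pam.d/password-auth
cy /etc/pam.d/system-auth

# sshd hardening. Protocol 2 (aq) is applied on 6 as well: that is the release
# whose OpenSSH still ships the SSH-1 server, so it is where the setting
# matters; on 7 it is a harmless no-op. No edit without a backup to roll
# back to.
cp -p "$sshd_cfg" "$backup" || { echo "cannot back up $sshd_cfg" >&2; exit 1; }
li "$sshd_cfg"
kx "$sshd_cfg"
aq "$sshd_cfg"
ma "$sshd_cfg"
if command -v sshd >/dev/null 2>&1; then
  if ! sshd -t -f "$sshd_cfg"; then
    echo "sshd -t rejected $sshd_cfg, restoring $backup" >&2
    cp -p "$backup" "$sshd_cfg"
    exit 1
  fi
else
  echo "warning: sshd not found in PATH, $sshd_cfg was not syntax-checked" >&2
fi

# Password ageing. PASS_MAX_DAYS (sx) stays disabled as in the original --
# presumably because a 90-day maximum immediately expires any account whose
# password is already older than that; confirm before enabling.
jg /etc/login.defs
#sx /etc/login.defs

# Password complexity: pwquality.conf on 7, pam_cracklib arguments on 6.
if [[ $rel -eq 7 ]]; then
  fz /etc/security/pwquality.conf
else
  fz_liu /etc/pam.d/password-auth
  fz_liu /etc/pam.d/system-auth
fi
echo "done; reload sshd (service sshd reload) to apply the sshd_config changes"
exit 0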