CentOS5生产环境系统安全加固配置-脚本实例二

#!/bin/bash

echo "updata V1.0 by csc  2014-11-10"

VER="v1.3d"

VERSION="System Security configuration "${VER}", by WuHan Tianyu, 2013-07-19."

echo $VERSION

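#######################################
# Report the configured NTP sources when an ntp process is running;
# otherwise make sure root's crontab carries an ntpdate entry.
# Globals:   none
# Outputs:   progress, the matching ntp.conf / crontab lines, and a count
# Returns:   status of the last command run
#######################################
SET_NTP() {
  #set ntp
  echo -e "\n>>>>>  begin to set ntp ..."

  local servers cron_lines

  # Same match as the original `ps -ef | grep ntp`: any process whose
  # command line contains "ntp".
  if pgrep -f ntp >/dev/null 2>&1; then
    # Upstream servers only; 127.127.1.0 is the local-clock pseudo driver.
    servers=$(grep '^server' /etc/ntp.conf 2>/dev/null | grep -v '127.127.1.0')
    [ -n "$servers" ] && printf '%s\n' "$servers"
    echo "ntpserver No. is $(printf '%s\n' "$servers" | grep -c .)"
  else
    cron_lines=$(crontab -l 2>/dev/null | grep -v '^#' | grep ntp)
    if [ -z "$cron_lines" ]; then
      # Install through crontab(1) instead of appending to the spool file:
      # the entry is syntax-checked and cron picks up the change.
      # NOTE(review): ntpdate against 127.0.0.1 needs a local time server,
      # which this branch has just found not running - confirm the intended
      # source.
      (crontab -l 2>/dev/null; echo "0 12 * * * ntpdate 127.0.0.1") | crontab -
      cron_lines=$(crontab -l 2>/dev/null | grep -v '^#' | grep ntp)
    fi
    [ -n "$cron_lines" ] && printf '%s\n' "$cron_lines"
    echo "ntpserver No. is $(printf '%s\n' "$cron_lines" | grep -c .)"
  fi
}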

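#######################################
# Make interactive shells exit after 180 s of inactivity (TMOUT in
# /etc/profile).
# Globals:   none
# Outputs:   progress to stdout
# Returns:   status of the final echo
#######################################
SET_TIMEOUT_LOGOUT() {
  #system timeout auto logout
  echo -e "\n>>>>>  begin to set system timeout auto logout ..."

  # Only uncommented, non-empty lines count as an existing setting.
  if ! grep -v '^#' /etc/profile | grep . | grep -qi tmout; then
    echo "export TMOUT=180" >> /etc/profile
  else
    # Keep the export: the original replacement wrote a bare "TMOUT=180",
    # dropping it. Anchored on non-comment lines so a commented-out TMOUT
    # is not silently uncommented.
    # NOTE(review): users can still unset TMOUT in their session; a
    # following "readonly TMOUT" would prevent that - confirm if wanted.
    sed -i 's/^[^#]*TMOUT.*/export TMOUT=180/' /etc/profile
  fi

  echo "your system will auto logout at 180s"
}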

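#######################################
# Set csh/tcsh idle logout (autologout in /etc/csh.cshrc) and report the
# configured value in minutes.
# Globals:   none
# Outputs:   progress and the configured idle time to stdout
# Returns:   status of the final echo
#######################################
SET_IDLE_LOGOUT() {
  #system idle auto logout
  echo -e "\n>>>>>  begin to set system idle auto logout ..."

  local minutes

  if ! grep -v '^#' /etc/csh.cshrc | grep . | grep -qi autologout; then
    echo "set autologout=30" >> /etc/csh.cshrc
  fi

  # Value after "=" on the active autologout line(s). The original wrapped
  # the awk program in typographic quotes, so awk never ran; "%s" also keeps
  # a stray "%" in the value from being treated as a format.
  minutes=$(grep -v '^#' /etc/csh.cshrc | grep . | grep -i autologout | awk -F= '{printf "%s", $2}')
  echo "your system will auto logout at idle ${minutes}m"
}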

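#######################################
# Persist net.ipv4.conf.all.accept_redirects = 0 in /etc/sysctl.conf and
# apply it.
# Globals:   none
# Outputs:   progress to stdout
# Returns:   status of the final echo
#######################################
SET_ICMP_REDIRECTS() {
  #disable icmp redirects
  echo -e "\n>>>>>  begin to set disable icmp redirects ..."

  local key=net.ipv4.conf.all.accept_redirects
  local re='net\.ipv4\.conf\.all\.accept_redirects'
  local conf=/etc/sysctl.conf

  # Rewrite an existing line (it may say "= 1") or append one. The original
  # read the live value through `sysctl -a | grep | sed` with typographic
  # quotes around the sed script, which errors out and leaves the check
  # empty; it also could only append, never correct, a sysctl.conf line.
  if grep -q "^${re}[[:space:]]*=" "$conf"; then
    sed -i "s/^${re}[[:space:]]*=.*/${key} = 0/" "$conf"
  else
    echo "${key} = 0" >> "$conf"
  fi

  # Apply now; the file covers reboots.
  # NOTE(review): only conf.all is set; conf.default governs interfaces
  # brought up later - confirm whether it should be set too.
  sysctl -p > /dev/null
  echo "icmp redirects disabled"
}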

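#######################################
# Seed /etc/motd with a default logon banner when it is missing or empty,
# then print the banner.
# Globals:   none
# Outputs:   progress and the banner text to stdout
# Returns:   status of the final echo
#######################################
SET_LOGON_BANNER() {
  #set logon banner
  echo -e "\n>>>>>  begin to set disable logon banner ..."

  # An existing, non-empty motd is left untouched.
  if [ ! -s /etc/motd ]; then
    echo "This is TianYu‘s Server!" >> /etc/motd
  fi

  # Quoted substitution: the original unquoted backticks word-split the
  # banner, collapsing its line breaks and expanding any glob characters.
  echo -e "system logon banner is:\n--------\n$(cat /etc/motd)\n--------"
}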

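#######################################
# Point sshd at /etc/sshbanner and (re)write that banner file.
# Globals:   VER (read)
# Outputs:   progress and the banner text to stdout
# Returns:   status of the final echo
#######################################
SET_SSH_BANNER() {
  #set ssh logon banner
  echo -e "\n>>>>>  begin to set ssh logon banner ..."

  local banner="Welcome -- set_secure ${VER}"

  # Add a Banner directive only when no active one exists; commented-out
  # defaults do not count.
  # NOTE(review): an existing "Banner none" also counts as set here and is
  # left alone - confirm that is acceptable.
  if ! grep -v '^#' /etc/ssh/sshd_config | grep -qi banner; then
    echo "Banner /etc/sshbanner" >> /etc/ssh/sshd_config
  fi

  # Quoted write (the original `echo $BANNER` was unquoted). 0644 is
  # needed: sshd reads the banner before authentication.
  printf '%s\n' "$banner" > /etc/sshbanner
  chmod 644 /etc/sshbanner

  echo -e "system ssh banner is:\n--------\n$(cat /etc/sshbanner)\n--------"
}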

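#######################################
# Set SELINUX=disabled in /etc/selinux/config and switch the running
# system to permissive.
# Globals:   none
# Outputs:   progress to stdout
# Returns:   status of the final echo
#######################################
SET_SELINUX_DISABLE() {
  #disable selinux
  echo -e "\n>>>>>  begin to set disable selinux ..."

  # Anchored on the setting line: the file's comments also contain
  # "SELINUX=", and the original unanchored sed rewrote those as well.
  # NOTE(review): this removes the mandatory-access-control layer entirely;
  # permissive mode keeps the audit trail - confirm "disabled" is intended.
  if ! grep -q '^SELINUX=disabled' /etc/selinux/config; then
    sed -i 's/^SELINUX=.*/SELINUX=disabled/' /etc/selinux/config
  fi

  # Permissive for the running kernel; "disabled" only takes effect after
  # a reboot. Errors (SELinux not loaded) are deliberately ignored.
  setenforce 0 2> /dev/null
  echo "SELINUX is disabled"
}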

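#######################################
# Export HISTTIMEFORMAT from /etc/profile so bash history lines carry a
# timestamp.
# Globals:   none
# Outputs:   progress to stdout
# Returns:   status of the final echo
#######################################
SET_TIMEMASK_HISTORY() {
  #time mark for history
  echo -e "\n>>>>>  begin to set time mark for history ..."

  # Ignore commented-out lines; the original grep was satisfied by
  # "# export HISTTIMEFORMAT=..." and then skipped the real setting.
  # NOTE(review): history timestamps are advisory only - a user can unset
  # the variable in their own shell; process accounting is the evidential
  # record.
  if ! grep -v '^#' /etc/profile | grep -qi histtimeformat; then
    echo "export HISTTIMEFORMAT=\"%F %T \"" >> /etc/profile
  fi

  echo "history is marked by time"
}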

#######################################
# Set the default umask for all login shells to 027 via /etc/profile
# (new files 640, new directories 750).
# Globals:   none
# Outputs:   progress to stdout
# Returns:   status of the final echo
#######################################
SET_UMASK()
{
  #set all user's umask
  echo -e "\n>>>>>  begin to set user‘s umask ..."

  local rc

  # Look for an active umask line at column 0 (case-insensitive).
  grep -v ^\# /etc/profile|grep -i ^umask > /dev/null
  rc=$?

  # No such line -> append one; otherwise rewrite it in place.
  case "$rc" in
    1) echo "umask 027" >> /etc/profile ;;
    *) sed -i "s/^umask.*/umask 027/" /etc/profile ;;
  esac

  echo "set user‘s umask eq 027"
}

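#######################################
# Disable core files for all users through /etc/security/limits.conf
# (soft and hard "core" limits set to 0).
# Globals:   none
# Outputs:   progress to stdout
# Returns:   status of the final echo
#######################################
SET_SYS_CORE_DUMP() {
  #set system core dump
  echo -e "\n>>>>>  begin to set system core dump ..."

  local limits=/etc/security/limits.conf

  # Core dumps can hold secrets from the crashed process's memory.
  # The checks are quiet (the original printed every match) and the seds are
  # anchored on non-comment lines so the commented examples in limits.conf
  # are left alone.
  if ! grep -v '^#' "$limits" | grep -q 'soft.*core'; then
    echo "* soft core 0" >> "$limits"
  else
    sed -i 's/^[^#].*soft.*core.*/* soft core 0/' "$limits"
  fi

  if ! grep -v '^#' "$limits" | grep -q 'hard.*core'; then
    echo "* hard core 0" >> "$limits"
  else
    sed -i 's/^[^#].*hard.*core.*/* hard core 0/' "$limits"
  fi

  # NOTE(review): limits.conf applies to PAM sessions; daemons started from
  # init scripts are not covered by it - confirm whether that matters here.
  echo "set system core dump done"
}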

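# The last 5 passwords cannot be reused.

#######################################
# Enable password history (remember=5) on the pam_unix password line of
# /etc/pam.d/system-auth, creating /etc/security/opasswd for it.
# Globals:   none
# Outputs:   progress to stdout
# Returns:   status of the final echo
#######################################
SET_OLD_PASSWD_SAVE() {
  #set old passwd save
  echo -e "\n>>>>>  begin to set old passwd save ..."

  local pamfile=/etc/pam.d/system-auth

  if ! grep -v '^#' "$pamfile" | grep -q 'password.*pam_unix.so.*remember.*'; then
    # pam_unix keeps old hashes here; root-only, since it holds hashes.
    touch /etc/security/opasswd
    chown root:root /etc/security/opasswd
    chmod 600 /etc/security/opasswd

    # Rewrites the whole pam_unix password line, so whatever options were
    # there before are replaced by this fixed set.
    # NOTE(review): "md5" is a legacy hash choice and "nullok" accepts empty
    # passwords; both are kept as in the original - confirm they are wanted.
    sed -i "s/password.*pam_unix.so.*/password\tsufficient\tpam_unix.so md5 shadow nullok try_first_pass use_authtok remember=5/" "$pamfile"
  fi

  echo "the old passwd will save in /etc/security/opasswd"
}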

#######################################
# Enforce password complexity on the pam_cracklib line of
# /etc/pam.d/system-auth.
# Globals:   none
# Outputs:   progress to stdout
# Returns:   status of the final echo; exits the whole script with 1 when
#            no active pam_cracklib password line exists
#######################################
SET_PASSWD_STRENGTH()
{
  #set passwd strength
  echo -e "\n>>>>>  begin to set passwd strength ..."

  # An active pam_cracklib line is required; without one there is nothing
  # to rewrite and the script aborts here (exit, not return - the remaining
  # steps do not run).
  if grep -v ^\# /etc/pam.d/system-auth|grep "password.*pam_cracklib.so.*" > /dev/null; then
    # pam_cracklib treats a negative credit as a minimum count per class:
    # 8+ chars with at least one upper, lower, digit and other character.
    sed -i "s/password.*pam_cracklib.so.*/password\trequisite\tpam_cracklib.so minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 minclass=2/g" /etc/pam.d/system-auth
    echo "set passwd strength success"
  else
    echo "set passwd strength failed"
    exit 1
  fi
}

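#######################################
# Remove legacy system accounts and groups that this hardening profile
# treats as unused.
# Globals:   none
# Outputs:   progress to stdout
# Returns:   status of the last deletion attempted
#######################################
SET_DEL_USER() {
  #delete unused users
  echo -e "\n>>>>>  begin to delete unused users ..."

  local u g
  # Same names and order as before; each is checked first so a missing
  # account no longer produces a userdel/groupdel error.
  local -a users=(adm lp sync shutdown halt news uucp operator gopher games smmsp)
  local -a groups=(adm lp news uucp dip)

  # NOTE(review): "adm" and "lp" may still be referenced by file ownership
  # or by installed packages (logging, printing) - confirm before running on
  # hosts that use them.
  for u in "${users[@]}"; do
    if getent passwd "$u" >/dev/null 2>&1; then
      userdel "$u"
    fi
  done

  for g in "${groups[@]}"; do
    if getent group "$g" >/dev/null 2>&1; then
      groupdel "$g"
    fi
  done
}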

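#######################################
# Disable boot-time start of legacy and unneeded services via chkconfig.
# Globals:   none
# Outputs:   progress to stdout
# Returns:   status of the last chkconfig call
#######################################
SET_DEL_SERVICE() {
  #delete unused services
  echo -e "\n>>>>>  begin to delete unused services ..."

  local svc
  # Same list and order as before.
  local -a services=(
    chargen-dgram chargen-stream daytime-dgram daytime-stream
    echo-dgram echo-stream eklogin ekrb5-telnet gssftp klogin
    krb5-telnet kshell rsync tcpmux-server tftp time-dgram time-stream
    postfix rsyncd rlogin rsh rexec snmpd sendmail telnet smartd
    cups cups-config-daemon
  )

  # Only services chkconfig knows are touched (unknown names used to print
  # an error each). "off" removes the boot-time start only: a daemon that
  # is already running stays up until stopped or the host reboots.
  # NOTE(review): turning off postfix/sendmail also stops local delivery of
  # cron job output - confirm that is acceptable.
  for svc in "${services[@]}"; do
    if chkconfig --list "$svc" >/dev/null 2>&1; then
      chkconfig "$svc" off
    fi
  done
}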

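#######################################
# Set one KEY VALUE pair in /etc/login.defs: the active line is replaced,
# or a new one appended when the key is absent.
# Arguments: $1 - key, $2 - value
# Returns:   status of sed or printf
#######################################
_set_login_def() {
  local key=$1 value=$2 file=/etc/login.defs
  if grep -q "^${key}[[:space:]]" "$file"; then
    sed -i "s/^${key}[[:space:]].*/${key}\t${value}/" "$file"
  else
    printf '%s\t%s\n' "$key" "$value" >> "$file"
  fi
}

#######################################
# Configure password ageing defaults in /etc/login.defs.
# Globals:   none
# Outputs:   progress to stdout
# Returns:   status of the final echo
#######################################
SET_PASSWD_VALIDITY() {
  echo -e "\n>>>>>  begin to set passwork validity ..."

  # The original sed patterns were unanchored and silently did nothing when
  # a key was missing from the file.
  _set_login_def PASS_MAX_DAYS 90
  _set_login_def PASS_MIN_DAYS 6
  _set_login_def PASS_MIN_LEN 6
  _set_login_def PASS_WARN_AGE 30

  # NOTE(review): login.defs PASS_* values are consulted when accounts are
  # created; existing accounts keep their shadow ageing fields (chage) -
  # confirm they are covered separately. PASS_MIN_LEN (6) is also below the
  # pam_cracklib minlen set elsewhere in this script - confirm which should win.
  echo "your password will expired erery 90 days"
}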

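# Lock the account after 5 failed logins (unlock after 300 s, root after 10 s).

#######################################
# Install or update the pam_tally2 auth rule in /etc/pam.d/system-auth.
# Globals:   none
# Outputs:   progress to stdout
# Returns:   status of the final echo
#######################################
SET_SYSTEM_AUTOLOCK() {
  #system will lock after input bad passwd 6 time
  echo -e "\n>>>>>  begin to set system autolock ..."

  local pamfile=/etc/pam.d/system-auth
  local rule='auth\trequired\tpam_tally2.so deny=5  unlock_time=300 even_deny_root root_unlock_time=10'
  local n

  if grep -v '^#' "$pamfile" | grep -q 'auth.*pam_tally2.so.*'; then
    sed -i "s/auth.*pam_tally2.so.*/${rule}/g" "$pamfile"
  else
    # Insert before the first pam_unix auth line so failures are counted
    # ahead of the password check. The original awk used typographic quotes
    # and never produced a number; grep -n | head gives one line number even
    # when several lines match (a multi-line value broke the sed address).
    n=$(grep -n 'auth.*pam_unix.so' "$pamfile" | head -n 1 | cut -d: -f1)
    sed -i "${n:-5}i\\${rule}" "$pamfile"
  fi

  # NOTE(review): even_deny_root with root_unlock_time=10 means repeated bad
  # root attempts (e.g. over ssh) keep root locked for console logins too;
  # and the counter reset on success relies on the service calling
  # pam_setcred - an "account required pam_tally2.so" line covers services
  # that do not. Confirm both trade-offs.
  echo "system will lock after input bad passwd 5 times"
}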

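#######################################
# Turn on process accounting and route security-relevant syslog facilities
# to /var/adm/message and /var/log/secure.
# Globals:   none
# Outputs:   progress to stdout; a warning to stderr if accton is missing
# Returns:   status of the syslog restart
#######################################
SET_SYSTEM_LOGFILE() {
  echo -e "\n>>>>>  begin to set system log file ..."

  local conf=/etc/syslog.conf

  #set system save users action
  # Process accounting needs the psacct package; skip cleanly when accton
  # is not installed instead of failing with "command not found".
  if command -v accton >/dev/null 2>&1; then
    touch /var/log/pacct
    accton /var/log/pacct
    echo "system will save users‘s action , you can use command ‘lastcomm [user name] -f /var/log/pacct‘ to see it"
  else
    echo "accton not found, process accounting not enabled" >&2
  fi

  # The device must log security events related to it.
  # syslogd does not create missing directories, so make sure the target
  # directory exists before the restart (it may not exist on this platform).
  mkdir -p /var/adm
  if grep -v '^#' "$conf" | grep -q '/var/adm/message'; then
    # Anchored on non-comment lines; the original pattern also turned any
    # comment mentioning the path into a live rule.
    sed -i 's|^[^#].*/var/adm/message.*|*.err;kern.debug;daemon.notice;\t/var/adm/message|' "$conf"
  else
    printf '*.err;kern.debug;daemon.notice;\t/var/adm/message\n' >> "$conf"
  fi
  echo "system will save security events in /var/adm/message"

  # The device must log su usage, including failed attempts (authpriv).
  touch /var/log/secure
  if grep -v '^#' "$conf" | grep -q '/var/log/secure'; then
    sed -i 's|^[^#].*/var/log/secure.*|authpriv.*\t/var/log/secure|' "$conf"
  else
    printf 'authpriv.*\t/var/log/secure\n' >> "$conf"
  fi
  echo "system will save normal user‘s SU action in /var/log/secure"

  service syslog restart > /dev/null
}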

#######################################
# Force PermitRootLogin to "yes" in sshd_config.
# Globals:   none
# Outputs:   progress to stdout
# Returns:   status of the final echo
#######################################
SET_PERMIT_ROOTLOGIN()
{
  echo -e "\n>>>>>  begin to set permit root login ..."

  #set allow root login
  # Rewrites an existing PermitRootLogin line whose value starts with y/n
  # (either case). A commented-out default keeps its "#", and nothing is
  # appended when no line exists.
  # NOTE(review): direct root logins remove per-user accountability; the
  # usual hardening is PermitRootLogin no plus sudo - confirm this is wanted.
  local sshd_conf=/etc/ssh/sshd_config
  sed -i "s#PermitRootLogin\s*[y n Y N].*#PermitRootLogin yes#" "$sshd_conf"

  echo "system will permit root login"
}

##############################################################################

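# Must run as root: every step below edits files under /etc.
# id -u is exact; the original compared `whoami` after clobbering $USER and
# exited with status 0 on failure.
if [ "$(id -u)" -ne 0 ]; then
  echo "Must be root to run this script, please login as root and re-try!"
  exit 1
fi

# see if configuration is already being applied
if [ -f "/etc/set_secure.conf" ]; then
  echo "************************************************************************************************"
  LAST_SET=$(tail -n 1 /etc/set_secure.conf)
  echo "LAST SETTING: ${LAST_SET}"
  echo "************************************************************************************************"
  echo -n "System Security configuration has already been applied, do you want to set again?(Y/N)"
  read -r RET_SURE
  case "$RET_SURE" in
    Y|y) ;;
    *) echo "Abort Setting!"; exit ;;
  esac
else
  # "yes" as the first argument skips the prompt on an unattended first run.
  if [ "$1" != "yes" ]; then
    echo -n "Starting to system security setting, are you sure?(Y/N)"
    read -r RET_SURE
    case "$RET_SURE" in
      Y|y) ;;
      *) echo "Abort Setting!"; exit ;;
    esac
  fi
fi

###################  Beging to security setting ###################
SET_NTP
SET_TIMEOUT_LOGOUT
SET_IDLE_LOGOUT
SET_ICMP_REDIRECTS
SET_LOGON_BANNER
SET_SSH_BANNER
SET_PERMIT_ROOTLOGIN
SET_SELINUX_DISABLE
SET_TIMEMASK_HISTORY
SET_UMASK
SET_SYS_CORE_DUMP
SET_OLD_PASSWD_SAVE
SET_PASSWD_STRENGTH
SET_DEL_USER
SET_DEL_SERVICE
SET_PASSWD_VALIDITY
SET_SYSTEM_AUTOLOCK
SET_SYSTEM_LOGFILE
###################  End security setting ###################

echo -e "\n>>>>>  restart sshd ..."
# Validate the edited sshd_config first: restarting with a broken config
# would drop remote access to the host. When sshd cannot be found to test,
# fall back to the plain restart.
if command -v sshd >/dev/null 2>&1 && ! sshd -t 2>/dev/null; then
  echo "sshd_config failed validation (sshd -t); sshd NOT restarted" >&2
else
  service sshd restart
fi

# Record this run; the last line is shown as LAST SETTING on the next run.
NOW_TIME=$(date +%Y%m%d-%H:%M.%S)
echo "${NOW_TIME}  ${VERSION}" >> /etc/set_secure.conf

echo ""
echo "**********************************************"
echo "              All Finished!"
echo "**********************************************"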
