#!/usr/bin/env bash
# Pin the locale for every command the script runs below.
LANG=en_US.UTF-8
export LANG
#######################################
# Print the command-line help.
# Globals:   none
# Arguments: none ($0 is used as the program name)
# Outputs:   usage text on stdout
#######################################
usage() {
  printf '%s\n' \
    "usage: $0 options" \
    "OPTIONS:" \
    "help Show this message" \
    "check Only check the configuration, but will not change!" \
    "init Automately change all configuration to user defined!"
}
# Pick the run mode from the first argument. "check" only reports (AUTOFIX=0),
# "init" also rewrites configuration (AUTOFIX=1). "help" and anything else
# print the usage text and exit with status 1, as before.
case "${1:-}" in
  check) AUTOFIX=0 ;;
  init)  AUTOFIX=1 ;;
  help|*)
    usage
    exit 1
    ;;
esac
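## Verify the OS release: this script only targets Kylin V10.
# VERSION_ID is the standard os-release key; its value may be double-quoted,
# so '=' and '"' are both used as field separators. Only the first match is
# taken, so a second VERSION_* key cannot turn the value into two lines.
if [ -f /etc/os-release ]; then
  OSVERSION=$(awk -F '[="]+' '/^VERSION_ID=/ {print $2; exit}' /etc/os-release)
  # Quoted: an empty value must be a mismatch, not a test syntax error.
  if [ "${OSVERSION}" != 'V10' ]; then
    printf '%s\n' 'Please check whether the OS version is kylin_v10!!!'
    exit 1
  fi
else
  printf '%s\n' 'Please check whether the OS version is kylin_v10!!!'
  exit 1
fi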
# Running totals: items checked, items that had at least one error, and the
# error count of the item currently being checked (reset before each item).
CHECKTOTAL=0 CHECKFAILED=0 CHECKERROR=0
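#######################################
# Count one more checked item.
# Globals:   CHECKTOTAL (read and written)
# Arguments: none
#######################################
add_check_item_total() {
  # $(( )) replaces the deprecated $[ ] arithmetic form.
  CHECKTOTAL=$((CHECKTOTAL + 1))
}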
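#######################################
# Count the current item as failed when it recorded at least one error.
# Globals:   CHECKERROR (read), CHECKFAILED (read and written)
# Arguments: none
#######################################
add_check_item_failed() {
  # An item is counted once however many errors it had. The default guards
  # against an unset CHECKERROR, which would otherwise be a test syntax error.
  if [ "${CHECKERROR:-0}" -ne 0 ]; then
    CHECKFAILED=$((CHECKFAILED + 1))
  fi
}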
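#######################################
# Record one error against the item currently being checked.
# Globals:   CHECKERROR (read and written)
# Arguments: none
#######################################
add_check_item_error() {
  # $(( )) replaces the deprecated $[ ] arithmetic form.
  CHECKERROR=$((CHECKERROR + 1))
}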
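#Configure password policies
echo "1.Checking password validity starting..."
CHECKERROR=0
# Expected /etc/login.defs values; the check and the fix share them.
pass_max_days=60
pass_min_len=8
value=$(awk '/^ *PASS_MAX_DAYS/ {print $2}' /etc/login.defs)
# Quoted: a missing key yields an empty value, which must be a mismatch
# rather than a test syntax error.
if [ "$value" != "$pass_max_days" ]; then
  printf '\tPASS_MAX_DAYS is not %s !!!\n' "$pass_max_days"
  add_check_item_error
  if [ "$AUTOFIX" -ne 0 ]; then
    sed -ri "/^ *PASS_MAX_DAYS */c PASS_MAX_DAYS $pass_max_days" /etc/login.defs
    # The 'c' command is a no-op when the key is absent, so only claim
    # "fixed" after re-reading the file.
    grep -qE "^ *PASS_MAX_DAYS +${pass_max_days}$" /etc/login.defs && printf '\t==>fixed\n'
  fi
fi
value=$(awk '/^ *PASS_MIN_LEN/ {print $2}' /etc/login.defs)
if [ "$value" != "$pass_min_len" ]; then
  printf '\tPASS_MIN_LEN is not %s !!!\n' "$pass_min_len"
  add_check_item_error
  if [ "$AUTOFIX" -ne 0 ]; then
    sed -ri "/^ *PASS_MIN_LEN */c PASS_MIN_LEN $pass_min_len" /etc/login.defs
    grep -qE "^ *PASS_MIN_LEN +${pass_min_len}$" /etc/login.defs && printf '\t==>fixed\n'
  fi
fi
echo "Checking password validity done !"
add_check_item_total
add_check_item_failed
echo ""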
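echo "2.Checking password complexity starting ..."
CHECKERROR=0
# Required pam_pwquality options; used both for the check and for the fix.
pwquality_opts='try_first_pass local_users_only enforce_for_root retry=3 minlen=8 minclass=3 dcredit=-1 ucredit=-1 ocredit=-1 lcredit=-1'
# Current options, reported when the check fails.
value=$(awk -F 'pam_pwquality.so' '/pam_pwquality.so/ {print $2}' /etc/pam.d/system-auth)
# -F: '=' and '-' in the option list are matched literally, not as regex.
if ! grep -qF -- "$pwquality_opts" /etc/pam.d/system-auth; then
  printf '\tpam_pwquality.so config: %s !!!\n' "$value"
  add_check_item_error
  if [ "$AUTOFIX" -ne 0 ]; then
    # Only a (possibly commented-out) 'password requisite pam_pwquality.so
    # try_first_pass...' line is rewritten; any other form is left alone.
    sed -i "s/^[#]\{0,1\}password requisite pam_pwquality.so try_first_pass.*/password requisite pam_pwquality.so $pwquality_opts/g" /etc/pam.d/system-auth
    # Claim "fixed" only if the rewrite actually produced the expected line.
    grep -qF -- "$pwquality_opts" /etc/pam.d/system-auth && printf '\t==>fixed\n'
  fi
fi
echo "Checking password complexity done !"
add_check_item_total
add_check_item_failed
echo ""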
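echo "3.Checking password multiplexing starting ..."
CHECKERROR=0
pwhistory_opts='pam_pwhistory.so use_authtok remember=5 enforce_for_root'
pwhistory_line="password required $pwhistory_opts"
if ! grep -qF -- "$pwhistory_opts" /etc/pam.d/system-auth; then
  printf '\tconfig remember is not 5!!!\n'
  add_check_item_error
  if [ "$AUTOFIX" -ne 0 ]; then
    # Appended after every pam_pwquality.so line so it sits in the password
    # stack; nothing is inserted when no such line exists.
    sed -i "/pam_pwquality.so/a $pwhistory_line" /etc/pam.d/system-auth
    grep -qF -- "$pwhistory_opts" /etc/pam.d/system-auth && printf '\t==>fixed\n'
  fi
fi
echo "Checking password multiplexing done !"
add_check_item_total
add_check_item_failed
echo ""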
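echo "4.Checking password locking starting ..."
CHECKERROR=0
lock_opts='audit deny=5 even_deny_root unlock_time=600'
if ! grep -qF -- "$lock_opts" /etc/pam.d/system-auth; then
  printf '\t%s is not config !!!\n' "$lock_opts"
  add_check_item_error
  if [ "$AUTOFIX" -ne 0 ]; then
    # The stock lines carry deny=3 / unlock_time=60; raise both values in
    # both PAM stacks. Both substitutions are confined to the addressed line
    # and unlock_time=60 is anchored with \b, so an existing unlock_time=600
    # is no longer turned into unlock_time=6000.
    for pamfile in /etc/pam.d/password-auth /etc/pam.d/system-auth; do
      sed -i '/audit deny=3 even_deny_root unlock_time=60/{s/deny=3/deny=5/g;s/unlock_time=60\b/unlock_time=600/g}' "$pamfile"
    done
    grep -qF -- "$lock_opts" /etc/pam.d/system-auth && printf '\t==>fixed\n'
  fi
fi
echo "Checking password locking done !"
add_check_item_total
add_check_item_failed
echo ""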
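#Check account policies
echo "5.Checking non root user with UID 0 ..."
CHECKERROR=0
# Exact match on the user name field: 'grep -v root' would also hide any
# UID-0 account whose name merely contains "root".
value=$(awk -F: '$3 == 0 && $1 != "root" {print $1}' /etc/passwd)
if [ -n "$value" ]; then
  # One account per line. The previous quoted for-loop iterated once over
  # the whole list, so with several accounts nothing matched userdel.
  while IFS= read -r user; do
    [ -n "$user" ] || continue
    printf '\tUID 0 user is: %s !!!\n' "$user"
    add_check_item_error
    # --force removes the account even if it is currently logged in; see userdel(8).
    [ "$AUTOFIX" -ne 0 ] && /usr/sbin/userdel --force "$user" >/dev/null 2>&1 && printf '\t==>fixed\n'
  done <<< "$value"
fi
echo "Checking non root user with UID 0 done !"
add_check_item_total
add_check_item_failed
echo ""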
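#Check /etc/profile
echo "6.Checking timeout starting ..."
CHECKERROR=0
tmout_line='export TMOUT=180'
if ! grep -qF -- "$tmout_line" /etc/profile; then
  printf '\tTimeOut is not config !!\n'
  add_check_item_error
  # NOTE(review): without a matching 'readonly TMOUT' a user can unset or
  # change the timeout in their own shell; the line appended here is kept
  # as the author wrote it.
  [ "$AUTOFIX" -ne 0 ] && printf '%s\n' "$tmout_line" >> /etc/profile && printf '\t==>fixed\n'
fi
echo "Checking timeout done !"
add_check_item_total
add_check_item_failed
echo ""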
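# Check Banner configuration
echo "7.Checking banner starting ..."
CHECKERROR=0
#######################################
# Report when sshd_config has no active 'Banner /etc/issue.net' directive.
# Globals:   AUTOFIX (read), CHECKERROR (via add_check_item_error)
# Arguments: none
# Outputs:   diagnostics on stdout
# Notes:     The previous version was never called, flagged the directive
#            when it was already commented out, and then commented out
#            line 152 of the file regardless of its content. The fix now
#            rewrites an existing (possibly commented) Banner line in place,
#            or appends one when none exists. sshd must be reloaded before
#            the new banner is shown.
#######################################
check_banner() {
  local sshd_config=/etc/ssh/sshd_config
  if ! grep -qE '^[[:space:]]*Banner[[:space:]]+/etc/issue\.net([[:space:]]|$)' "$sshd_config"; then
    printf '\tbanner is not config\n'
    add_check_item_error
    if [ "$AUTOFIX" -ne 0 ]; then
      if grep -qE '^[[:space:]]*#?[[:space:]]*Banner([[:space:]]|$)' "$sshd_config"; then
        sed -ri 's|^[[:space:]]*#?[[:space:]]*Banner([[:space:]].*)?$|Banner /etc/issue.net|' "$sshd_config"
      else
        printf '%s\n' 'Banner /etc/issue.net' >> "$sshd_config"
      fi
      grep -qE '^[[:space:]]*Banner[[:space:]]+/etc/issue\.net([[:space:]]|$)' "$sshd_config" && printf '\t==> fixed\n'
    fi
  fi
}
check_banner
echo "Checking banner done ! "
add_check_item_total
add_check_item_failed
echo ""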
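#Check umask
echo "8.Checking umask starting ..."
CHECKERROR=0
# First 'umask 0xx' line of /etc/profile decides the result.
value=$(grep -m 1 'umask 0.*' /etc/profile | awk '{print $2}')
# Quoted: no match gives an empty value, which must count as a mismatch.
if [ "$value" != 027 ]; then
  printf '\tumask Not equal to 027\n'
  add_check_item_error
  # Every 'umask 0xx' in both files is rewritten, including the per-UID
  # branch; "fixed" is only printed when both files could be edited.
  [ "$AUTOFIX" -ne 0 ] && sed -i 's/umask 0.*/umask 027/g' /etc/profile /etc/bashrc && printf '\t==>fixed\n'
fi
echo "Checking umask done !"
add_check_item_total
add_check_item_failed
echo ""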
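#Check alias
echo "9.Checking alias starting ..."
CHECKERROR=0
# Look for an actual 'alias ls=' definition; the bare substring 'ls' also
# matched unrelated lines.
if ! grep -qE '^[[:space:]]*alias[[:space:]]+ls=' ~/.bashrc; then
  printf '\talias is not config !!\n'
  add_check_item_error
  # Appended instead of inserted after a fixed line number, which silently
  # did nothing when ~/.bashrc was shorter than that.
  [ "$AUTOFIX" -ne 0 ] && printf '%s\n' "alias ls='ls -aol'" >> ~/.bashrc && printf '\t==>fixed\n'
fi
echo "Checking alias done !"
add_check_item_total
add_check_item_failed
echo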
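#Check ICMP
echo "10.Checking ICMP starting ..."
CHECKERROR=0
icmp_ignore=/proc/sys/net/ipv4/icmp_echo_ignore_all
value=$(cat "$icmp_ignore" 2>/dev/null)
# Default to 0 so an unreadable sysctl is reported instead of breaking the test.
if [ "${value:-0}" -ne 1 ]; then
  printf '\tICMP is not config !!\n'
  add_check_item_error
  # Writing /proc/sys changes the running kernel only; the value is not
  # persisted across a reboot.
  [ "$AUTOFIX" -ne 0 ] && printf '1\n' > "$icmp_ignore" && printf '\t==>fixed\n'
fi
echo "Checking ICMP done !"
add_check_item_total
add_check_item_failed
echo ""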
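#Check multi
echo "11.Checking multi starting ..."
CHECKERROR=0
# Only the 'multi' directive matters; taking field 2 of every line produced
# a multi-line value that broke the comparison.
value=$(awk '$1 == "multi" {print $2}' /etc/host.conf)
if [ "$value" != off ]; then
  printf '\tmulti is not config !!\n'
  add_check_item_error
  if [ "$AUTOFIX" -ne 0 ]; then
    if grep -qE '^[[:space:]]*multi[[:space:]]' /etc/host.conf; then
      # Edit the multi line only; a bare s/on/off/ also hit other directives.
      sed -ri 's/^([[:space:]]*multi[[:space:]]+).*/\1off/' /etc/host.conf
    else
      printf '%s\n' 'multi off' >> /etc/host.conf
    fi
    printf '\t==>fixed\n'
  fi
fi
echo "Checking multi done !"
add_check_item_total
add_check_item_failed
echo ""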
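#Check auditd
echo "12.Checking auditd starting ..."
CHECKERROR=0
# Value the check expects. The fix writes the same value: the previous fix
# wrote 'num_logs = 4' and therefore could never satisfy the check.
audit_num_logs=5
audit_rules=/etc/audit/rules.d/audit.rules
# Read the active key only (a '#num_logs' comment no longer matches) and
# strip whitespace around the value.
value=$(awk -F '=' '/^[[:space:]]*num_logs[[:space:]]*=/ {gsub(/[[:space:]]/, "", $2); print $2; exit}' /etc/audit/auditd.conf)
if [ "${value:-0}" -ne "$audit_num_logs" ]; then
  printf '\tauditd is not config !!\n'
  add_check_item_error
  if [ "$AUTOFIX" -ne 0 ]; then
    # auditd only picks these files up when it (re)loads its configuration
    # and rules.
    sed -i "s/^[#]\{0,1\}num_logs.*/num_logs = $audit_num_logs/g" /etc/audit/auditd.conf
    sed -i 's/^[#]\{0,1\}max_log_file =.*/max_log_file = 50/g' /etc/audit/auditd.conf
    # NOTE(review): flush = NONE means audit records are not explicitly
    # flushed to disk; confirm this matches the site's logging policy.
    sed -i 's/^[#]\{0,1\}flush.*/flush = NONE/g' /etc/audit/auditd.conf
    # Append the watch rules once; the previous version re-appended them on
    # every fix run, duplicating the rule set.
    if ! grep -qF -- '-S execve -k exec' "$audit_rules" 2>/dev/null; then
      cat << 'EOF' >> "$audit_rules"
-a exit,always -F arch=b64 -S execve -k exec
-a exit,always -F arch=b32 -S execve -k exec
-w /etc/crontab -p wa -k crontab
-w /etc/hosts -p wa -k hosts
-w /etc/hosts.allow -p wa -k hosts-allow
-w /etc/hosts.deny -p wa -k hosts-deny
-w /etc/fstab -p wa -k fstab
-w /etc/passwd -p wa -k passwd
-w /etc/shadow -p wa -k shadow
-w /etc/group -p wa -k group
-w /etc/gshadow -p wa -k gshadow
-w /etc/chrony.conf -p wa -k ntp
-w /etc/sysctl.conf -p wa -k sysctl
-w /etc/security/limits.conf -p wa -k limits
-w /boot/grub2/grub.cfg -p wa -k grub
-w /etc/ssh/sshd_config -p wa -k ssh
-w /etc/udev/rules.d/ -p wa -k udev
-w /etc/profile -p wa -k profile
-w /etc/kdump.conf -p wa -k kdump
-w /etc/lvm/lvm.conf -p wa -k lvm
-w /etc/login.defs -p wa -k login-defs
-w /etc/rsyslog.conf -p wa -k rsyslog
-w /etc/locale.conf -p wa -k i18n
-w /etc/sysconfig/network -p wa -k network
-w /etc/multipath.conf -p wa -k multipath
EOF
    fi
    printf '\t==>fixed\n'
  fi
fi
echo "Checking auditd done !"
add_check_item_total
add_check_item_failed
echo ""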
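#Check runlevel
echo "13.Checking runlevel starting ..."
CHECKERROR=0
value=$(systemctl get-default 2>/dev/null)
# Quoted: an empty result (systemctl unavailable) must be a mismatch rather
# than a test syntax error.
if [ "$value" != multi-user.target ]; then
  printf '\tSystem runlevel is : %s\n' "$value"
  add_check_item_error
  [ "$AUTOFIX" -ne 0 ] && systemctl set-default multi-user.target >/dev/null 2>&1 && printf '\t==>fixed\n'
fi
echo "Checking runlevel done !"
add_check_item_total
add_check_item_failed
echo ""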
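# Check permission of file or diretory
echo "14.Checking file and directory security policies "
CHECKERROR=0
# These recursive chmods are part of the fix, so they must not run in
# 'check' mode, which promises not to change anything.
if [ "$AUTOFIX" -ne 0 ]; then
  chmod -R 750 /etc/rc.d/init.d/
  chmod -R 750 /etc/pam.d/
fi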
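#######################################
# Compare a path's octal mode with the expected one and optionally fix it.
# Globals:   AUTOFIX (read), CHECKERROR (via add_check_item_error)
# Arguments: $1 - path to check
#            $2 - symbolic mode (not used; kept for call-site compatibility)
#            $3 - expected octal mode, as printed by 'stat -c %a'
# Outputs:   one diagnostic per mismatch or unreadable path, on stdout
#######################################
file_permission_check() {
  local path=$1 expected=$3
  local listing actual
  # Assignment kept separate from 'local' so the ls exit status is visible.
  if ! listing=$(/bin/ls -ld -- "$path" 2>/dev/null); then
    printf 'Error occur when ls %s\n' "$path"
    return
  fi
  actual=$(stat -c %a -- "$path")
  # String comparison: stat prints e.g. 4755 for a setuid file, which must
  # not be treated as equal to 755.
  if [ "$actual" != "$expected" ]; then
    printf '\t%s with incorrect permission : %s\n' "$path" "$listing"
    add_check_item_error
    [ "$AUTOFIX" -ne 0 ] && /bin/chmod -- "$expected" "$path" && printf '\t==>fixed\n'
  fi
}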
# One entry per line: path, symbolic mode (unused by the checker), octal mode.
while read -r path symbolic octal; do
  file_permission_check "$path" "$symbolic" "$octal"
done << 'EOF'
/bin/rpm -rwxr-x--- 700
/etc/exports -rw------- 600
/etc/hosts -rw------- 600
/var/log/messages -rw-rw-rw- 644
/etc/rsyslog.conf -rw-rw---- 640
/var/log/wtmp -rw-rw---- 660
/var/log/lastlog -rw-r----- 640
/etc/passwd -rw-r--r-- 644
/etc/shadow -rw------- 600
/etc/pam.d -rwxr-x--- 750
/etc/security -rwx----- 700
/etc/sysconfig -rwxr-x--x 751
/etc/crontab -rw------- 600
/etc/cron.allow -r-------- 400
/etc/ssh -rwxr-x--- 750
/etc/sysctl.conf -r-------- 400
/etc/rc.d/init.d/ -rwxr-x--- 750
EOF
echo "Checking file/diretory permission done !"
add_check_item_total
add_check_item_failed
echo ""
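#Check Remote Logging
echo "15.Checking rsyslog starting ..."
CHECKERROR=0
rsyslog_target='*.* 21.10.1.1'
# -F: '*' and '.' are matched literally instead of as regex metacharacters.
if ! grep -qF -- "$rsyslog_target" /etc/rsyslog.conf; then
  printf '\trsyslog is not config !!\n'
  add_check_item_error
  # NOTE(review): rsyslog forwarding targets are normally written as
  # '@host' (UDP) or '@@host' (TCP); the bare address is kept as the author
  # wrote it — confirm it is what the collector expects.
  [ "$AUTOFIX" -ne 0 ] && printf '%s\n' "$rsyslog_target" >> /etc/rsyslog.conf && systemctl restart rsyslog && printf '\t==>fixed\n'
fi
echo "Checking rsyslog done !"
add_check_item_total
add_check_item_failed
echo ""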
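#Check Time Synchronization Services
echo "16.Checking chrony starting ..."
CHECKERROR=0
# grep -F replaces the deprecated egrep; the pattern is a literal string.
if ! grep -qF -- 'server ntp2.aliyun.com' /etc/chrony.conf; then
  printf '\tchrony is not config !!\n'
  add_check_item_error
  [ "$AUTOFIX" -ne 0 ] && printf '%s\n' 'server ntp2.aliyun.com iburst' >> /etc/chrony.conf && systemctl restart chronyd.service && printf '\t==>fixed\n'
fi
echo "Checking chrony done !"
add_check_item_total
add_check_item_failed
echo ""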
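#Check ctrl-alt-del.target
echo "17.Checking ctrl-alt-del.target starting ..."
# Reset the per-item error count; it was missing here, so an error from the
# previous item was carried over and counted again as a failure of this one.
CHECKERROR=0
cad_target=/usr/lib/systemd/system/ctrl-alt-del.target
if [ -f "$cad_target" ]; then
  printf '\t ctrl-alt-del.target is Not disabled !!\n'
  add_check_item_error
  # NOTE(review): deleting the package-owned unit file may be undone by a
  # package update; 'systemctl mask ctrl-alt-del.target' is the usual way
  # to disable it persistently. The author's approach is kept here.
  [ "$AUTOFIX" -ne 0 ] && rm -f -- "$cad_target" && systemctl daemon-reload && printf '\t==>fixed\n'
fi
echo "Checking ctrl-alt-del.target done !"
add_check_item_total
add_check_item_failed
echo ""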
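#Check close service
echo "18.close service starting ..."
# Reset the per-item error count; it was missing here, so a failure of the
# previous item was counted again for this one.
CHECKERROR=0
# Services disabled and stopped by the fix. Only firewalld is probed for the
# check itself, as before. NOTE(review): firewalld is in this list, so the fix
# turns off the host packet filter — confirm this matches site policy.
unwanted_services=(autofs dnsmasq firewalld rhnsd rhsmcertd bluetooth cups-browsed cups postfix ModemManager rpcbind rpc-statd nfs-server nfs-idmapd nfs-config nfs-mountd upower gssproxy gdm avahi-daemon dmraid-activation firstboot-graphical iscsid libvirtd mdmonitor microcode qemu-guest-agent spice-vdagentd nfs-client.target zebra ypbind rlogin.socket rsh.socket rexec.socket xinetd)
# is-active --quiet gives the exit status directly instead of parsing status output.
if systemctl is-active --quiet firewalld; then
  printf '\tThe service did not stop !!\n'
  add_check_item_error
  if [ "$AUTOFIX" -ne 0 ]; then
    for service in "${unwanted_services[@]}"; do
      [ "$(systemctl is-enabled "$service" 2>/dev/null)" = enabled ] && systemctl disable "$service" 2>/dev/null
      [ "$(systemctl is-active "$service" 2>/dev/null)" = active ] && systemctl stop "$service" >/dev/null
    done
    printf '\t==>fixed\n'
  fi
fi
echo "Checking close service done !"
add_check_item_total
add_check_item_failed
echo ""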
# Final summary: items checked and items with at least one error.
printf 'Total checked item : [%s], Failed item : [%s] \n' "$CHECKTOTAL" "$CHECKFAILED"