#!/bin/bash
#######################################################
#1.增加审计用户 设置密码 设置权限
#######################################################
password='Simple@2022!'
useradd shenji
echo $password | passwd shenji --stdin > /dev/null 2>&1
echo "已修改shenji密码"
chmod -v u+w /etc/sudoers
cat >> /etc/sudoers <<EOF
shenji ALL = (root) NOPASSWD: /usr/bin/cat , /usr/bin/less , /usr/bin/more , /usr/bin/tail , /usr/bin/head
EOF
#######################################################
#2.umask参数由022修改为027
#######################################################
sed -i 'swumask.*022wumask 027wg' /etc/profile
echo "已修改umask"
#######################################################
#3.su权限
#######################################################
cat >> /etc/pam.d/su <<EOF
auth required pam_wheel.so use_uid
EOF
echo "已修改su权限"
#######################################################
#4.配置口令有效期策略
#######################################################
#sed -i 'swPASS_MAX_DAYS.*99999wPASS_MAX_DAYS 90wg' /etc/login.defs
#sed -i 'swPASS_MIN_DAYS.*0wPASS_MAX_DAYS 80wg' /etc/login.defs
#sed -i 'swPASS_MIN_LEN.*5wPASS_MAX_DAYS 10wg' /etc/login.defs
#sed -i 'swPASS_WARN_AGE.*7wPASS_MAX_DAYS 30wg' /etc/login.defs
cat > /etc/login.defs <<EOF
#
# Please note that the parameters in this configuration file control the
# behavior of the tools from the shadow-utils component. None of these
# tools uses the PAM mechanism, and the utilities that use PAM (such as the
# passwd command) should therefore be configured elsewhere. Refer to
# /etc/pam.d/system-auth for more information.
#
# *REQUIRED*
# Directory where mailboxes reside, _or_ name of file, relative to the
# home directory. If you _do_ define both, MAIL_DIR takes precedence.
# QMAIL_DIR is for Qmail
#
#QMAIL_DIR Maildir
MAIL_DIR /var/spool/mail
#MAIL_FILE .mail
# Password aging controls:
#
# PASS_MAX_DAYS Maximum number of days a password may be used.
# PASS_MIN_DAYS Minimum number of days allowed between password changes.
# PASS_MIN_LEN Minimum acceptable password length.
# PASS_WARN_AGE Number of days warning given before a password expires.
#
PASS_MAX_DAYS 180
PASS_MIN_DAYS 80
PASS_MIN_LEN 10
PASS_WARN_AGE 30
#
# Min/max values for automatic uid selection in useradd
#
UID_MIN 1000
UID_MAX 60000
# System accounts
SYS_UID_MIN 201
SYS_UID_MAX 999
#
# Min/max values for automatic gid selection in groupadd
#
GID_MIN 1000
GID_MAX 60000
# System accounts
SYS_GID_MIN 201
SYS_GID_MAX 999
#
# If defined, this command is run when removing a user.
# It should remove any at/cron/print jobs etc. owned by
# the user to be removed (passed as the first argument).
#
#USERDEL_CMD /usr/sbin/userdel_local
#
# If useradd should create home directories for users by default
# On RH systems, we do. This option is overridden with the -m flag on
# useradd command line.
#
CREATE_HOME yes
# The permission mask is initialized to this value. If not specified,
# the permission mask will be initialized to 022.
UMASK 077
# This enables userdel to remove user groups if no members exist.
#
USERGROUPS_ENAB yes
# Use SHA512 to encrypt password.
ENCRYPT_METHOD SHA512
EOF
cat > /etc/pam.d/system-auth <<EOF
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=300
account required pam_tally2.so
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
password requisite pam_cracklib.so retry=3 difok=3 minlen=10 ucredit=-1 lcredit=-2 dcredit=-1 ocredit=-1
EOF
echo "已修改口令有效期策略"
#######################################################
#5.配置登录失败处理策略
#######################################################
cat > /etc/pam.d/system-auth <<EOF
#%PAM-1.0
# This file is auto-generated.
# User changes will be destroyed the next time authconfig is run.
auth required pam_tally2.so deny=3 unlock_time=300 even_deny_root root_unlock_time=300
account required pam_tally2.so
auth required pam_env.so
auth required pam_faildelay.so delay=2000000
auth sufficient pam_fprintd.so
auth sufficient pam_unix.so nullok try_first_pass
auth requisite pam_succeed_if.so uid >= 1000 quiet_success
auth required pam_deny.so
account required pam_unix.so
account sufficient pam_localuser.so
account sufficient pam_succeed_if.so uid < 1000 quiet
account required pam_permit.so
password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type=
password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok
password required pam_deny.so
session optional pam_keyinit.so revoke
session required pam_limits.so
-session optional pam_systemd.so
session [success=1 default=ignore] pam_succeed_if.so service in crond quiet use_uid
session required pam_unix.so
EOF
echo "已修改配置登录失败处理策略"
#######################################################
#6.日志备份
#######################################################
mkdir /home/dpan/log
touch /home/dpan/log/logback.sh
cat >> /home/dpan/log/logback.sh <<EOF
cd /home/dpan/log
tar -zcf messages_$(date +%Y%m%d).zip /var/log/messages
tar -zcf secure_$(date +%Y%m%d).zip /var/log/secure
tar -zcf audit_$(date +%Y%m%d).zip /var/log/audit/audit.log
tar -zcf nginx_access_$(date +%Y%m%d).zip /var/log/nginx/access.log
tar -zcf nginx_error_$(date +%Y%m%d).zip /var/log/nginx/error.log
tar -zcf nginx_8081_$(date +%Y%m%d).zip /etc/nginx/conf.d/8081.conf
tar -zcf nginx_default__$(date +%Y%m%d).zip /etc/nginx/conf.d/default.conf
EOF
chmod +x /home/dpan/log/logback.sh
cat >>/var/spool/cron/root <<EOF
30 23 * * * sh /home/dpan/log/logback.sh
EOF
echo "已修改日志备份"
上一篇
centos7.9迁移anolis7.9
2022-09-22
下一篇
Nginx漏洞&报错合集
2022-08-11