CentOS基线检测脚本
本脚本适用于CentOS 7.5-7.9版本,其他版本不详
1.检查系统信息
# Section 1: print a short OS/hardware summary (release, kernel, CPUs, memory, disks).
echo " "
echo "############################ 系统信息 ############################"
Release=$(cat /etc/redhat-release 2>/dev/null)
Kernel=$(uname -r)
# one "processor" line per logical CPU
Virt_CPUs=$(grep "processor" /proc/cpuinfo | wc -l)
# distinct model names only; multi-core boxes repeat the line per core
CPU_Type=$(awk -F ': ' '/model name/ {print $2}' /proc/cpuinfo | sort -u)
Mem_total=$(free -h | awk '/Mem:/ {print $2}')
# "Disk /dev/sda: 100 GiB, ..." -> "/dev/sda:100GiB"
Disk_total=$(fdisk -l | awk '/Disk \/dev\/sd/ {print $2$3$4}' | cut -d ',' -f1)
printf '   发行版本:%s\n' "$Release"
printf '       内核:%s\n' "$Kernel"
printf '逻辑CPU个数: %s\n' "$Virt_CPUs"
printf '    CPU型号: %s\n' "$CPU_Type"
printf '   内存大小: %s\n' "$Mem_total"
echo "   磁盘大小: $Disk_total"2.1检查ssh登录配置
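# Section 2.1: SSH login configuration check.
echo " "
echo "##SSH配置检查 ############################"
sshd_value() {
    # $1: sshd_config keyword, $2: file (default /etc/ssh/sshd_config).
    # Prints the value of the first active line for the keyword, or nothing.
    # sshd applies the first occurrence of a keyword, so only that line counts;
    # "grep ^KEY" also matched commented-out text and longer keywords.
    awk -v key="$1" '$1 == key {print $2; exit}' "${2:-/etc/ssh/sshd_config}"
}
passage1=$(sshd_value MaxAuthTries)
passage2=$(sshd_value PasswordAuthentication)
passage3=$(sshd_value RSAAuthentication)
passage4=$(sshd_value PubkeyAuthentication)
# An absent keyword yields "" and must simply fail the check; the original
# "[ $passage1 -eq 5 ]" aborted with "integer expression expected" instead.
if [[ "$passage1" =~ ^[0-9]+$ ]] && (( passage1 == 5 )) \
   && [[ "$passage2" == "yes" && "$passage3" == "yes" && "$passage4" == "yes" ]]; then
    echo ""
    echo "检查通过"
else
    echo ""
    echo "检查不通过"
fi
# 2.2修复ssh登录配置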
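# Section 2.2: enforce the four sshd keywords, then validate and restart sshd.
echo -e "\033[1;33m配置文件路径:/etc/ssh/sshd_config \033[0m"
echo -e "\033[32m—————————————————————————修复前————————————————————————\033[0m"
grep -n "^MaxAuthTries" /etc/ssh/sshd_config
grep -n "^PasswordAuthentication" /etc/ssh/sshd_config
grep -n "^RSAAuthentication" /etc/ssh/sshd_config
grep -n "^PubkeyAuthentication" /etc/ssh/sshd_config
echo -e "\033[32m—————————————————————————修复前————————————————————————\033[0m"
echo " "
set_sshd_option() {
    # $1: keyword, $2: value, $3: config file (default /etc/ssh/sshd_config).
    # Leaves exactly one active "KEY VALUE" line: a single existing line is
    # rewritten in place, several are deleted and one canonical line appended,
    # none means the line is appended.  Commented-out lines are ignored.
    local key=$1 value=$2 cfg=${3:-/etc/ssh/sshd_config}
    local count
    count=$(grep -cE "^${key}([[:space:]]|$)" "$cfg")
    if [ "$count" -eq 1 ]; then
        sed -i -E "s/^${key}([[:space:]].*)?$/${key} ${value}/" "$cfg"
    else
        [ "$count" -gt 1 ] && sed -i -E "/^${key}([[:space:]]|$)/d" "$cfg"
        printf '%s %s\n' "$key" "$value" >> "$cfg"
    fi
}
# MaxAuthTries takes a number: the original appended "MaxAuthTries yes" in its
# add/re-add branches, which sshd_config parsing rejects.
set_sshd_option MaxAuthTries 5
set_sshd_option PasswordAuthentication yes
# NOTE(review): RSAAuthentication is a protocol-1 era option kept because the
# 2.1 check expects it; confirm it is still wanted on this OpenSSH version.
set_sshd_option RSAAuthentication yes
set_sshd_option PubkeyAuthentication yes
# A malformed directive would stop sshd and lock out every remote session,
# so validate the file before restarting the daemon.
if sshd -t; then
    systemctl restart sshd
    echo -e "\033[1;36m 修复成功,请重新检查! \033[0m"
else
    echo -e "\033[1;31m sshd配置校验失败,未重启sshd,请手动检查! \033[0m"
fi
echo " "
echo -e "\033[31m—————————————————————————修复后————————————————————————\033[0m"
grep -n "^MaxAuthTries" /etc/ssh/sshd_config
grep -n "^PasswordAuthentication" /etc/ssh/sshd_config
grep -n "^RSAAuthentication" /etc/ssh/sshd_config
grep -n "^PubkeyAuthentication" /etc/ssh/sshd_config
echo -e "\033[31m—————————————————————————修复后————————————————————————\033[0m"
# 3.1检查账号策略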
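# Section 3.1: account policy check (PASS_MIN_DAYS must be 2, PASS_WARN_AGE 5).
# The original nested "if" had no matching "fi", so the snippet did not parse.
echo ""
echo "## 检查账号策略 ############################"
login_defs_value() {
    # $1: key, $2: file (default /etc/login.defs).
    # Prints the value of the first active line for the key, or nothing;
    # reading a single line keeps "[ -eq ]" from seeing several values.
    awk -v key="$1" '$1 == key {print $2; exit}' "${2:-/etc/login.defs}"
}
passmin=$(login_defs_value PASS_MIN_DAYS)
passage=$(login_defs_value PASS_WARN_AGE)
# non-numeric values make the -eq test fail (stderr silenced) instead of abort
if [ -n "$passmin" ] && [ -n "$passage" ] \
   && [ "$passmin" -eq 2 ] 2>/dev/null && [ "$passage" -eq 5 ] 2>/dev/null; then
    echo ""
    echo "检查通过"
else
    echo ""
    echo "检查不通过"
fi
# 3.2修复账号策略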
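# Section 3.2: set PASS_MIN_DAYS / PASS_WARN_AGE in /etc/login.defs.
echo -e "\033[1;33m配置文件路径:/etc/login.defs \033[0m"
echo -e "\033[32m—————————————————————————修复前————————————————————————\033[0m"
grep -n "^PASS_MAX_DAYS" /etc/login.defs
grep -n "^PASS_MIN_DAYS" /etc/login.defs
grep -n "^PASS_WARN_AGE" /etc/login.defs
echo -e "\033[32m—————————————————————————修复前————————————————————————\033[0m"
echo " "
set_login_def() {
    # $1: key, $2: value, $3: file (default /etc/login.defs).
    # Rewrites the first active "KEY ..." line; when there is none, the first
    # commented-out "#KEY ..." template line is activated instead.  Returns 1
    # when neither exists (nothing written).  The active line is tried first:
    # the original rewrote a lone "#PASS_MIN_DAYS" template and left the real
    # setting further down untouched.
    local key=$1 value=$2 cfg=${3:-/etc/login.defs} line_num
    line_num=$(grep -nE "^${key}([[:space:]]|$)" "$cfg" | head -n1 | cut -d: -f1)
    if [ -z "$line_num" ]; then
        line_num=$(grep -nE "^#${key}([[:space:]]|$)" "$cfg" | head -n1 | cut -d: -f1)
    fi
    [ -n "$line_num" ] || return 1
    sed -i "${line_num}c ${key} ${value}" "$cfg"
}
if set_login_def PASS_MIN_DAYS 2; then
    echo -e "\033[1;36m PASS_MIN_DAYS修复成功,请重新检查! \033[0m"
else
    # the original message pointed at a non-existent "/etc.lokin.defs"
    echo "请手动检查配置文件/etc/login.defs中的PASS_MIN_DAYS项"
    echo -e "\033[1;31m PASS_MIN_DAYS修复失败! \033[0m"
fi
if set_login_def PASS_WARN_AGE 5; then
    echo -e "\033[1;36m PASS_WARN_AGE修复成功,请重新检查! \033[0m"
else
    echo "请手动检查配置文件/etc/login.defs中的PASS_WARN_AGE项"
    echo -e "\033[1;31m PASS_WARN_AGE修复失败! \033[0m"
fi
echo " "
echo -e "\033[31m—————————————————————————修复后————————————————————————\033[0m"
grep -n "^PASS_MAX_DAYS" /etc/login.defs
grep -n "^PASS_MIN_DAYS" /etc/login.defs
grep -n "^PASS_WARN_AGE" /etc/login.defs
echo -e "\033[31m—————————————————————————修复后————————————————————————\033[0m"
# 4.1检查密码复杂度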
# Section 4.1: password complexity check — either pam_pwquality or pam_cracklib
# must carry the required minlen/credit settings in system-auth.
echo ""
echo "## 检查密码复杂度 ############################"
pwquality_pattern="pam_pwquality.so minlen=10 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1"
cracklib_pattern="password requisite pam_cracklib.so retry=3 minlen=10 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1"
complexity=$(grep "$pwquality_pattern" /etc/pam.d/system-auth)
complexity_cracklib=$(grep "$cracklib_pattern" /etc/pam.d/system-auth)
echo ""
if [ -n "$complexity" ] || [ -n "$complexity_cracklib" ]; then
    echo "检查通过"
else
    echo "检查不通过"
fi
# 4.2.修复密码复杂度
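# Section 4.2: enforce the password-quality rule in /etc/pam.d/system-auth.
echo -e "\033[1;33m配置文件路径:/etc/pam.d/system-auth \033[0m"
echo -e "\033[32m—————————————————————————修复前————————————————————————\033[0m"
grep -n "^password" /etc/pam.d/system-auth
echo -e "\033[32m—————————————————————————修复前————————————————————————\033[0m"
echo " "
pwquality_rule='password    requisite     pam_pwquality.so minlen=10 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 try_first_pass local_users_only retry=3 authtok_type='
cracklib_rule='password    requisite   pam_cracklib.so retry=3 minlen=10 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1  '
repair_pam_complexity() {
    # $1: PAM stack file (default /etc/pam.d/system-auth).
    # Rewrites the first pam_pwquality line, else the first pam_cracklib line,
    # else inserts the pwquality rule before line 4 (position kept from the
    # original; "sed 4i" inserts nothing if the file has fewer than 4 lines).
    local cfg=${1:-/etc/pam.d/system-auth} lin_num lin_num_cracklib
    # -m1: with two matching lines the unquoted "[ $LIN_NUM ]" aborted and the
    # multi-line sed address broke the edit.
    lin_num=$(grep -n -m1 'pam_pwquality.so' "$cfg" | cut -d: -f1)
    lin_num_cracklib=$(grep -n -m1 'pam_cracklib.so' "$cfg" | cut -d: -f1)
    if [ -n "$lin_num" ]; then
        sed -i "${lin_num}c ${pwquality_rule}" "$cfg"
    elif [ -n "$lin_num_cracklib" ]; then
        sed -i "${lin_num_cracklib}c ${cracklib_rule}" "$cfg"
    else
        sed -i "4i\\${pwquality_rule}" "$cfg"
    fi
}
repair_pam_complexity
echo -e "\033[1;36m 修复成功,请重新检查! \033[0m"
echo " "
echo -e "\033[31m—————————————————————————修复后————————————————————————\033[0m"
grep -n "^password" /etc/pam.d/system-auth
echo -e "\033[31m—————————————————————————修复后————————————————————————\033[0m"
# 5.1检查密码登录锁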
# Section 5.1: check that sshd's PAM stack carries the pam_tally2 lockout rule.
echo ""
echo "## 检查密码登录锁 ############################"
lock=$(grep "pam_tally2.so deny=5 unlock_time=300 even_deny_root=5 root_unlock_time=300" /etc/pam.d/sshd)
echo ""
if [ -z "$lock" ]; then
    echo "检查不通过"
else
    echo "检查通过"
fi
echo "查看用户登录失败次数:pam_tally2 --user root"
echo "解锁指定用户:pam_tally2 -r -u root"
# 5.2 修复密码登录锁
 echo -e "\033[1;33m配置文件路径:/etc/pam.d/sshd \033[0m"
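echo -e "\033[32m—————————————————————————修复前————————————————————————\033[0m"
grep -n "^auth" /etc/pam.d/sshd
echo -e "\033[32m—————————————————————————修复前————————————————————————\033[0m"
echo " "
tally2_rule='auth       required     pam_tally2.so deny=5 unlock_time=300 even_deny_root=5 root_unlock_time=300'
repair_pam_tally2() {
    # $1: PAM file (default /etc/pam.d/sshd).
    # Rewrites the first pam_tally2 line, or inserts the rule before line 2
    # when none exists (position kept from the original).
    local cfg=${1:-/etc/pam.d/sshd} lin_num
    # -m1: with several matches the unquoted "[ $LIN_NUM ]" test and the
    # multi-line sed address both failed.
    lin_num=$(grep -n -m1 'pam_tally2.so' "$cfg" | cut -d: -f1)
    if [ -n "$lin_num" ]; then
        sed -i "${lin_num}c ${tally2_rule}" "$cfg"
    else
        sed -i "2i\\${tally2_rule}" "$cfg"
    fi
}
repair_pam_tally2
echo -e "\033[1;36m 修复成功,请重新检查! \033[0m"
echo " "
echo -e "\033[31m—————————————————————————修复后————————————————————————\033[0m"
grep -n "^auth" /etc/pam.d/sshd
echo -e "\033[31m—————————————————————————修复后————————————————————————\033[0m"
# 6.1检查root用户权限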
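# Section 6.1: no account other than root may have UID 0.
echo ""
echo "## 检查root用户权限 ############################"
count_extra_uid0() {
    # $1: passwd file (default /etc/passwd). Prints how many entries other
    # than "root" have UID 0.  Matching on the name instead of "NR != 1"
    # no longer assumes root is the first line.
    awk -F: '$1 != "root" && $3 == 0 {c++} END {print c+0}' "${1:-/etc/passwd}"
}
extra_uid0=$(count_extra_uid0)
echo ""
# The original set flag=1 whenever ANY non-zero UID existed, so it printed
# "检查通过" right after reporting a second UID-0 account.
if [ "$extra_uid0" -eq 0 ]; then
    echo "检查通过"
else
    echo "检查不通过"
fi
# 7.1检查登录超时时间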
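# Section 7.1: login timeout check (TMOUT in /etc/profile must be 600).
echo ""
echo "## $1. $2检查 ############################"
profile_tmout() {
    # $1: profile file (default /etc/profile).
    # Prints the value after "=" on the first line mentioning TMOUT, or nothing.
    grep -m1 'TMOUT' "${1:-/etc/profile}" | awk -F'=' '{print $2}'
}
# Kept in its own variable: assigning TMOUT itself arms bash's auto-logout
# timer, and an empty value made "[ -eq 600 ]" abort instead of failing.
result=$(profile_tmout)
if [ -n "$result" ]; then
    if [ "$result" -eq 600 ] 2>/dev/null; then
        echo ""
        echo "检查通过"
    else
        echo ""
        echo "检查不通过"
    fi
else
    echo "账号超时不存在自动注销,不符合要求,建议设置为600秒"
    echo ""
    echo "检查不通过"
fi
# 7.2 修复登录超时时间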
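# Section 7.2: set "export TMOUT=600" in /etc/profile.
echo -e "\033[1;33m配置文件路径:/etc/profile \033[0m"
echo -e "\033[32m—————————————————————————修复前————————————————————————\033[0m"
grep -n "TMOUT" /etc/profile
grep -n "^HISTSIZE" /etc/profile
echo -e "\033[32m—————————————————————————修复前————————————————————————\033[0m"
echo " "
repair_profile_tmout() {
    # $1: profile file (default /etc/profile).
    # Removes every active TMOUT assignment and appends one canonical line, so
    # no later duplicate can override it.  The original rewrote one line via a
    # "sed -n /TMOUT/=" address that broke as soon as two lines matched.
    local cfg=${1:-/etc/profile}
    sed -i -E '/^[[:space:]]*(export[[:space:]]+)?TMOUT=/d' "$cfg"
    echo "export TMOUT=600" >> "$cfg"
}
repair_profile_tmout
echo -e "\033[1;36m 修复成功,请重新检查! \033[0m"
echo " "
echo -e "\033[31m—————————————————————————修复后————————————————————————\033[0m"
grep -n "^TMOUT" /etc/profile
grep -n "^HISTSIZE" /etc/profile
echo -e "\033[31m—————————————————————————修复后————————————————————————\033[0m"
# 8.1 检查默认锁定用户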
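# Section 8.1: every listed system account that exists must be locked (LK).
echo ""
echo "## $1. $2检查 ############################"
flag=0
checkuserlist=""
UserList="bin daemon adm lp mail operator games ftp nobody systemd-bus-proxy systemd-network dbus polkitd abrt unbound tss libstoragemgmt rpc colord usbmuxd saslauth geoclue rtkit radvd rpcuser nfsnobody qemu chrony setroubleshoot pulse gdm gnome-initial-setup sshd avahi postfix ntp tcpdump mysql gluster"
passwd_has_user() {
    # $1: account name, $2: passwd file (default /etc/passwd).
    # Exact match on the name field: the original "grep ^name" also matched
    # longer names (ntpd for ntp, rpcuser for rpc), so its "== 1" count test
    # skipped accounts that were actually present.
    awk -F: -v u="$1" '$1 == u {found = 1} END {exit !found}' "${2:-/etc/passwd}"
}
for _user in $UserList; do
    passwd_has_user "$_user" || continue
    # second field of "passwd -S" is the status; LK means locked
    if [ "$(passwd -S "$_user" | awk '{print $2}')" != "LK" ]; then
        checkuserlist="${_user} ${checkuserlist}"
        flag=1
    fi
done
if [ "$flag" -eq 0 ]; then
    echo "检查通过"
else
    # detailed report, kept disabled: echo "用户 ${checkuserlist}锁定检查未通过,不符合要求"
    echo "检查不通过"
fi
# 8.2 修复默认锁定用户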
 UserList="bin daemon adm lp mail operator games ftp nobody systemd-bus-proxy systemd-network dbus polkitd abrt unbound tss libstoragemgmt rpc colord usbmuxd saslauth geoclue rtkit radvd rpcuser nfsnobody qemu chrony setroubleshoot pulse gdm gnome-initial-setup sshd avahi postfix ntp tcpdump mysql gluster"
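passwd_has_user() {
    # $1: account name, $2: passwd file (default /etc/passwd).
    # Exact match on the name field; "grep ^name" also matched longer names
    # (ntpd for ntp, rpcuser for rpc) and so skipped existing accounts.
    awk -F: -v u="$1" '$1 == u {found = 1} END {exit !found}' "${2:-/etc/passwd}"
}
for _user in $UserList; do
    passwd_has_user "$_user" || continue
    # lock the account unless "passwd -S" already reports it as LK
    if [ "$(passwd -S "$_user" | awk '{print $2}')" != "LK" ]; then
        passwd -l "$_user"
    fi
done
echo -e "\033[1;36mNo.$1 修复成功,请重新检查! \033[0m"
# 9.1 检查NTP时钟同步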
# Section 9.1: NTP check — hosts alias, ntp.conf server line with minpoll, and
# the ntpd OPTIONS string must each appear exactly once.
echo ""
echo "## 检查NTP时钟同步 ############################"
hosts_hits=$(grep ntpserver /etc/hosts | wc -l)
conf_hits=$(grep ntpserver /etc/ntp.conf | wc -l)
poll_hits=$(grep "ntpserver minpoll" /etc/ntp.conf | wc -l)
opts_hits=$(grep -- '\-x \-p /var/run/ntpd.pid \-g' /etc/sysconfig/ntpd | wc -l)
if [ "$hosts_hits" -eq 1 ] && [ "$conf_hits" -eq 1 ] && [ "$poll_hits" -eq 1 ] && [ "$opts_hits" -eq 1 ]; then
	echo "检查通过"
else
	echo "检查不通过"
fi
# 9.2 修复NTP时钟同步
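# Section 9.2: point ntpd at the site NTP server and enable the service.
echo -e "\033[1;33m配置文件路径:/etc/hosts \033[0m"
echo -e "\033[32m—————————————————————————修复前————————————————————————\033[0m"
cat /etc/hosts
echo -e "\033[32m—————————————————————————修复前————————————————————————\033[0m"
echo " "
# 1. /etc/hosts: both original branches ended by appending the same two lines,
#    so always clear any previous entry and append once (idempotent).
#    10.14.1.11 is the NTP server address given with this script.
sed -i '/##ntp server##/d' /etc/hosts
sed -i '/ntpserver/d' /etc/hosts
echo "########ntp server#######" >> /etc/hosts
printf '%s\t%s\n' "10.14.1.11" "ntpserver" >> /etc/hosts
# 2. /etc/ntp.conf: keep a timestamped copy, then write the minimal config.
mv /etc/ntp.conf "/etc/ntp.conf.bl.$(date +%Y%m%d%H%M%S)"
cat <<EOF > /etc/ntp.conf
driftfile /var/lib/ntp/drift
server ntpserver minpoll 4 maxpoll 4 prefer
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
disable monitor
EOF
# 3. /etc/sysconfig/ntpd
set_ntpd_options() {
    # $1: sysconfig file (default /etc/sysconfig/ntpd).
    # Rewrites the first OPTIONS line or appends one.  Without a line number
    # the original "sed -i 'c ...'" had no address and replaced EVERY line.
    local cfg=${1:-/etc/sysconfig/ntpd} line_num
    line_num=$(grep -n -m1 'OPTIONS' "$cfg" | cut -d: -f1)
    if [ -n "$line_num" ]; then
        sed -i "${line_num}c OPTIONS=\"-x -p /var/run/ntpd.pid -g\"" "$cfg"
    else
        echo 'OPTIONS="-x -p /var/run/ntpd.pid -g"' >> "$cfg"
    fi
}
set_ntpd_options
systemctl restart ntpd.service
systemctl enable ntpd.service
echo -e "\033[1;36mNo.$1 修复成功,已重启ntpd服务,可使用ntpq -p验证,请重新检查! \033[0m"
echo " "
echo -e "\033[31m—————————————————————————修复后————————————————————————\033[0m"
cat /etc/hosts
echo -e "\033[31m—————————————————————————修复后————————————————————————\033[0m"
# 查看所有代码:(最新版)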
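#!/bin/bash
#########################################
#  Security baseline check for CentOS/RedHat 7.X
#  (the script uses [[ ]], "function" and echo -e, hence bash, not /bin/sh)
#########################################
# cron runs with a minimal PATH; pin one that contains every tool used below.
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
source /etc/profile
# Every repair edits files under /etc, so refuse to run unprivileged.
if [ "$(id -u)" -gt 0 ]; then
	echo "请用root用户执行此脚本!"
	exit 1
fi
# Second-to-last field of /etc/redhat-release, e.g. "7.9.2009".
centosVersion=$(awk '{print $(NF-1)}' /etc/redhat-release)
# Compare major.minor numerically: "[[ $v < 7.5 ]]" was a string comparison,
# which mis-orders e.g. "7.10" and lets a non-numeric token through.
if [[ "$centosVersion" =~ ^([0-9]+)\.([0-9]+) ]]; then
	ver_major=$((10#${BASH_REMATCH[1]}))
	ver_minor=$((10#${BASH_REMATCH[2]}))
else
	ver_major=0
	ver_minor=0
fi
if (( ver_major < 7 || (ver_major == 7 && ver_minor < 5) )); then
	echo "CentOS Version $centosVersion it not supported , Check exit!!"
	exit 1
fi
# Version banner; the "#..." lines below are part of the string, not comments.
VERSION="Linux Base Check V3.1
#v1.2.2020-08-21修复ntp配置错误;
#v1.3.2020-08-24修复必须操作系统大于Centos7.5以上版本才能使用该脚本;
#v1.4.2021-08-21新增ntp配置脚本;
#v2.0.2022-05-20修复各种替换配置文件的BUG问题;
#V3.0.2023-01-10修复代码BUG,使得脚本可反复执行;
#v3.1.2023-01-31加入for循环对多配置参数进行注释。"
# Log location: a "log" directory next to the script.  dirname replaces the
# sed-based path strip, which left PROGPATH empty for a script in "/".
PROGPATH=$(dirname -- "$0")
LOGPATH="$PROGPATH/log"
[ -e "$LOGPATH" ] || mkdir -p "$LOGPATH"
RESULTFILE="$LOGPATH/HostBaseCheck-$(hostname)-$(date +%Y%m%d).txt"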
##################
#A. log out      #
##################
function outLog(){
	# $1: "ok" / "err" / anything else, $2: item label.
	# ok and err print the label followed by a coloured verdict; any other
	# status prints the label alone (%b keeps echo -e's escape handling).
	local status=$1 label=$2
	case "$status" in
		ok)  printf '%b \e[1;32m检查通过\e[0m,符合要求。\n' "$label" ;;
		err) printf '%b \e[1;33;41m检查未通过\e[0m,不符合要求,建议整改。\n' "$label" ;;
		*)   printf '%b\n' "$label" ;;
	esac
}
###################
#B.Usage
###################
function Usage(){
	# Prints the usage banner; $VERSION (global) may span several lines.
	local me=$0
	printf '%s\n' \
		"基线检查脚本:Version $VERSION" \
		"Usage:sh $me [check | repair num ]" \
		"举例:" \
		"检查命令:sh $me check" \
		"修复命令:sh $me repair 3"
}
########################
#C.getSystemStatus
########################
function getSystemStatus(){
	# Prints release, kernel, logical CPU count, CPU model(s), RAM and disk sizes.
	# The values are left in the globals Release, Kernel, Virt_CPUs, CPU_Type,
	# Mem_total and Disk_total as before.
	echo ""
	echo "############################ 系统信息 ############################"
	Release=$(cat /etc/redhat-release 2>/dev/null)
	Kernel=$(uname -r)
	Virt_CPUs=$(grep "processor" /proc/cpuinfo | wc -l)
	# distinct model names only; multi-core boxes repeat the line per core
	CPU_Type=$(awk -F ': ' '/model name/ {print $2}' /proc/cpuinfo | sort -u)
	Mem_total=$(free -h | awk '/Mem:/ {print $2}')
	# "Disk /dev/sda: 100 GiB, ..." -> "/dev/sda:100GiB"
	Disk_total=$(fdisk -l | awk '/Disk \/dev\/sd/ {print $2$3$4}' | cut -d ',' -f1)
	printf '   发行版本:%s\n' "$Release"
	printf '       内核:%s\n' "$Kernel"
	printf '逻辑CPU个数: %s\n' "$Virt_CPUs"
	printf '    CPU型号: %s\n' "$CPU_Type"
	printf '   内存大小: %s\n' "$Mem_total"
	printf '   磁盘大小: %s\n' "$Disk_total"
}
#####################
#1.checkAccountStatus
#####################
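function checkAccountStatus(){
	# $1: item number, $2: item label. Passes when the first active
	# PASS_MIN_DAYS is 2 and PASS_WARN_AGE is 5 in /etc/login.defs.
	echo ""
	echo "## $1. $2检查 ############################"
	# Only the first active line is read: a duplicate made "[ -eq 2 ]" abort
	# with "integer expression expected" instead of failing the check.
	passmin=$(awk '$1 == "PASS_MIN_DAYS" {print $2; exit}' /etc/login.defs)
	passage=$(awk '$1 == "PASS_WARN_AGE" {print $2; exit}' /etc/login.defs)
	# non-numeric values fail the -eq test (stderr silenced) rather than abort
	if [ -n "$passmin" ] && [ -n "$passage" ] \
	   && [ "$passmin" -eq 2 ] 2>/dev/null && [ "$passage" -eq 5 ] 2>/dev/null; then
		outLog ok "$2"
	else
		outLog err "$2"
	fi
}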
#####################
#1.repairAccount
#####################
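function repairAccount(){
	# $1: item number, $2: item label, $3: file to edit (default /etc/login.defs).
	# Sets PASS_MIN_DAYS to 2 and PASS_WARN_AGE to 5, keeping exactly one
	# active line per key: the first occurrence is rewritten in place, later
	# duplicates are deleted, a missing key is appended.
	local cfg=${3:-/etc/login.defs} entry key value nums first n
	echo -e "\033[1;33m修复配置文件路径:/etc/login.defs \033[0m"
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	grep -n "^PASS_MAX_DAYS" "$cfg"
	grep -n "^PASS_MIN_DAYS" "$cfg"
	grep -n "^PASS_WARN_AGE" "$cfg"
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	echo " "
	for entry in "PASS_MIN_DAYS 2" "PASS_WARN_AGE 5"; do
		key=${entry%% *}
		value=${entry#* }
		nums=$(grep -nE "^${key}([[:space:]]|$)" "$cfg" | cut -d: -f1)
		if [ -z "$nums" ]; then
			echo "${key} ${value}" >> "$cfg"
			continue
		fi
		# Duplicates are deleted bottom-up so that no line number collected
		# above shifts before it is used; this replaces the original
		# "重复配置已替换" marker-then-delete pass and its "$Count+1" string
		# counter (which only worked because "1+1" never equals 1).
		first=$(printf '%s\n' "$nums" | head -n1)
		for n in $(printf '%s\n' "$nums" | sort -rn); do
			if [ "$n" -eq "$first" ]; then
				sed -i "${n}c ${key} ${value}" "$cfg"
			else
				sed -i "${n}d" "$cfg"
			fi
		done
	done
	echo " "
	echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
	grep -n "^PASS_MAX_DAYS" "$cfg"
	grep -n "^PASS_MIN_DAYS" "$cfg"
	grep -n "^PASS_WARN_AGE" "$cfg"
	echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
}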
######################
#2.checkPassComplexity
######################
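function checkPassComplexity(){
	# $1: item number, $2: item label. Passes when system-auth has an active
	# "password requisite" line for pam_pwquality (or pam_cracklib with retry=3)
	# carrying minlen=10 and all four credit settings, in any argument order.
	echo ""
	echo "## $1. $2检查 ############################"
	# commented-out lines are skipped first so a disabled rule cannot pass
	complexity=$(grep -v '^[[:space:]]*#' /etc/pam.d/system-auth | grep "password" | grep "requisite" | grep "pam_pwquality.so" | grep "minlen=10" | grep "dcredit=-1" | grep "ucredit=-1" | grep "lcredit=-1" | grep "ocredit=-1")
	complexity_cracklib=$(grep -v '^[[:space:]]*#' /etc/pam.d/system-auth | grep "password" | grep "requisite" | grep "pam_cracklib.so" | grep "retry=3" | grep "minlen=10" | grep "dcredit=-1" | grep "ucredit=-1" | grep "lcredit=-1" | grep "ocredit=-1")
	# the cracklib branch called "outlog" (lower-case l), an undefined name
	if [ -n "$complexity" ] || [ -n "$complexity_cracklib" ]; then
		outLog ok "$2"
	else
		outLog err "$2"
	fi
}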
######################
#2.repairPassComplexity
######################
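function repairPassComplexity(){
	# $1: item number. Rewrites the first pam_pwquality line in system-auth,
	# else the first pam_cracklib line, else inserts the pwquality rule before
	# line 4 (position kept from the original; "sed 4i" inserts nothing when
	# the file has fewer than 4 lines).
	local cfg=/etc/pam.d/system-auth lin_num lin_num_cracklib
	local pwquality_rule='password    requisite     pam_pwquality.so minlen=10 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1 try_first_pass local_users_only retry=3 authtok_type='
	local cracklib_rule='password    requisite   pam_cracklib.so retry=3 minlen=10 dcredit=-1 ucredit=-1 lcredit=-1 ocredit=-1  '
	echo -e "\033[1;33m修复配置文件路径:/etc/pam.d/system-auth \033[0m"
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	grep -n "^password" "$cfg"
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	echo " "
	# -m1: two matching lines produced a multi-line address that broke sed -i
	lin_num=$(grep -n -m1 'pam_pwquality.so' "$cfg" | cut -d: -f1)
	lin_num_cracklib=$(grep -n -m1 'pam_cracklib.so' "$cfg" | cut -d: -f1)
	if [ -n "$lin_num" ]; then
		sed -i "${lin_num}c ${pwquality_rule}" "$cfg"
	elif [ -n "$lin_num_cracklib" ]; then
		sed -i "${lin_num_cracklib}c ${cracklib_rule}" "$cfg"
	else
		sed -i "4i\\${pwquality_rule}" "$cfg"
	fi
	echo -e "\033[1;36mNo.$1 修复成功,请重新检查! \033[0m"
	echo " "
	echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
	grep -n "^password" "$cfg"
	echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
}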
######################
#3.checkLoginLock
######################
function checkLoginLock(){
	# $1: item number, $2: item label. Passes when /etc/pam.d/sshd has a
	# pam_tally2 line carrying all four lockout settings (any order).
	echo ""
	echo "## $1. $2检查 ############################"
	lock=$(awk '/pam_tally2.so/ && /deny=5/ && /unlock_time=300/ && /even_deny_root=5/ && /root_unlock_time=300/' /etc/pam.d/sshd)
	if [ -z "$lock" ]; then
		outLog err $2
	else
		outLog ok $2
	fi
}
######################
#3.repairloginLock
######################
#查看用户登录失败次数:pam_tally2 --user root
#解锁指定用户:pam_tally2 -r -u root
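function repairloginLock(){
	# $1: item number. Rewrites the first pam_tally2 line in /etc/pam.d/sshd,
	# or inserts the lockout rule before line 2 when none exists (position
	# kept from the original).
	local cfg=/etc/pam.d/sshd lin_num
	local tally2_rule='auth 	   required 	pam_tally2.so deny=5 unlock_time=300 even_deny_root=5 root_unlock_time=300'
	echo -e "\033[1;33m修复配置文件路径:/etc/pam.d/sshd \033[0m"
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	grep -n "^auth" "$cfg"
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	echo " "
	# -m1: two matching lines produced a multi-line address that broke sed -i
	lin_num=$(grep -n -m1 'pam_tally2.so' "$cfg" | cut -d: -f1)
	if [ -n "$lin_num" ]; then
		sed -i "${lin_num}c ${tally2_rule}" "$cfg"
	else
		sed -i "2i\\${tally2_rule}" "$cfg"
	fi
	echo -e "\033[1;36mNo.$1 修复成功,请重新检查! \033[0m"
	echo " "
	echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
	grep -n "^auth" "$cfg"
	echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
}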
###################
#4.checkRootUid
###################
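function checkRootUid(){
	# $1: item number, $2: item label. Passes when no account other than
	# "root" has UID 0.
	local extra_uid0
	echo ""
	echo "## $1. $2检查 ############################"
	# The original set flag=1 as soon as ANY non-zero UID existed, so it printed
	# "检查通过" right after reporting a second UID-0 account, and its "NR!=1"
	# assumed root is always the first passwd entry.
	extra_uid0=$(awk -F: '$1 != "root" && $3 == 0 {c++} END {print c+0}' /etc/passwd)
	if [ "$extra_uid0" -eq 0 ]; then
		outLog ok "$2"
	else
		outLog err "$2"
	fi
}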
###################
#4.repairRootUid
###################
function repairRootUid(){
	# $1: item number. No automatic fix: lists every UID-0 passwd entry
	# (with its line number) for manual review.
	printf '\033[1;33m该项目修复风险极大,请手动检查。路径为:/etc/passwd \033[0m\n'
	printf '\033[1;36mNo.%s 用户标识号为0权限的账号如下,请手动检查修复! \033[0m\n' "$1"
	awk -F":" '$3 == 0 {print (NR, $0)}' /etc/passwd
}
###################
#5.checkSshStatus
###################
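function checkSshStatus(){
	# $1: item number, $2: item label. Passes when sshd_config's first active
	# MaxAuthTries is 5 and PasswordAuthentication / PubkeyAuthentication are yes.
	echo ""
	echo "## $1. $2检查 ############################"
	# sshd applies the first occurrence of a keyword, so read only that line;
	# "grep ^KEY" also matched longer keywords.  An absent keyword yields ""
	# and must fail the check instead of aborting "[ -eq 5 ]".
	# NOTE(review): a keyword inside a "Match" block is picked up too — confirm.
	passage1=$(awk '$1 == "MaxAuthTries" {print $2; exit}' /etc/ssh/sshd_config)
	passage2=$(awk '$1 == "PasswordAuthentication" {print $2; exit}' /etc/ssh/sshd_config)
	passage3=$(awk '$1 == "PubkeyAuthentication" {print $2; exit}' /etc/ssh/sshd_config)
	if [ "$passage1" -eq 5 ] 2>/dev/null && [ "$passage2" == "yes" ] && [ "$passage3" == "yes" ]; then
		outLog ok "$2"
	else
		outLog err "$2"
	fi
}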
###################
#5.repairSshStatus
###################
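function repairSshStatus(){
	# $1: item number. Sets MaxAuthTries 5, PasswordAuthentication yes and
	# PubkeyAuthentication yes in /etc/ssh/sshd_config, keeping exactly one
	# active line per keyword, then validates the file and restarts sshd.
	local cfg=/etc/ssh/sshd_config entry key value nums first n
	echo -e "\033[1;33m修复配置文件路径:/etc/ssh/sshd_config \033[0m"
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	grep -n "^MaxAuthTries" "$cfg"
	grep -n "^PasswordAuthentication" "$cfg"
	grep -n "^PubkeyAuthentication" "$cfg"
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	echo " "
	for entry in "MaxAuthTries 5" "PasswordAuthentication yes" "PubkeyAuthentication yes"; do
		key=${entry%% *}
		value=${entry#* }
		nums=$(grep -nE "^${key}([[:space:]]|$)" "$cfg" | cut -d: -f1)
		if [ -z "$nums" ]; then
			echo "${key} ${value}" >> "$cfg"
			continue
		fi
		# The lowest-numbered line is rewritten in place (sshd honours the first
		# occurrence); later duplicates are deleted bottom-up so that no line
		# number collected above shifts before it is used.  This replaces the
		# "重复配置已替换" marker pass and the "$Count+1" string counter.
		first=$(printf '%s\n' "$nums" | head -n1)
		for n in $(printf '%s\n' "$nums" | sort -rn); do
			if [ "$n" -eq "$first" ]; then
				sed -i "${n}c ${key} ${value}" "$cfg"
			else
				sed -i "${n}d" "$cfg"
			fi
		done
	done
	# A malformed directive would stop sshd and lock out every remote session,
	# so validate the file before restarting the daemon.
	if sshd -t; then
		systemctl restart sshd
		echo -e "\033[1;36mNo.$1 修复成功,请重新检查! \033[0m"
	else
		echo -e "\033[1;31mNo.$1 sshd配置校验失败,未重启sshd,请手动检查! \033[0m"
	fi
	echo " "
	echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
	grep -n "^MaxAuthTries" "$cfg"
	grep -n "^PasswordAuthentication" "$cfg"
	grep -n "^PubkeyAuthentication" "$cfg"
	echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
}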
###################
#6.checkTimeOut
###################
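function checkTimeOut(){
	# $1: item number, $2: item label. Passes when the first active
	# "export TMOUT=" in /etc/profile is between 1 and 900 seconds.
	echo ""
	echo "## $1. $2检查 ############################"
	# The original tested the script's own $TMOUT (inherited via "source
	# /etc/profile"), not the value read from the file, and that variable may
	# be empty, which aborted "[ -le 900 ]".
	Check_TMOUT=$(grep "^export TMOUT" /etc/profile | head -n1 | awk -F'=' '{print $2}')
	if [ -n "$Check_TMOUT" ]; then
		# TMOUT=0 disables bash's auto-logout, so 0 must not pass
		if [ "$Check_TMOUT" -gt 0 ] 2>/dev/null && [ "$Check_TMOUT" -le 900 ] 2>/dev/null; then
			outLog ok "$2"
		else
			outLog err "$2"
		fi
	else
		echo -e "\033[1;33m不存在超时注销!不符合要求,要求设置为600秒 \033[0m"
		outLog err "$2"
	fi
}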
###################
#6.repairTimeOut
###################
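function repairTimeOut(){
	# $1: item number, $2: item label, $3: file to edit (default /etc/profile).
	# Leaves exactly one "export TMOUT=900" line: the first occurrence is
	# rewritten in place, later duplicates deleted, a missing line appended.
	local cfg=${3:-/etc/profile} nums first n
	echo -e "\033[1;33m修复配置文件路径:/etc/profile \033[0m"
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	grep -n "^export TMOUT" "$cfg"
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	echo " "
	nums=$(grep -n "^export TMOUT=" "$cfg" | cut -d: -f1)
	if [ -n "$nums" ]; then
		# Duplicates are deleted bottom-up so no collected line number shifts
		# before it is used (replaces the "重复配置已替换" marker pass and the
		# "$Count+1" string counter).
		first=$(printf '%s\n' "$nums" | head -n1)
		for n in $(printf '%s\n' "$nums" | sort -rn); do
			if [ "$n" -eq "$first" ]; then
				sed -i "${n}c export TMOUT=900" "$cfg"
			else
				sed -i "${n}d" "$cfg"
			fi
		done
	else
		echo "export TMOUT=900" >> "$cfg"
	fi
	# re-read only the live profile
	[ "$cfg" = /etc/profile ] && source /etc/profile
	echo -e "\033[1;36mNo.$1 修复成功,请重新检查! \033[0m"
	echo " "
	echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
	grep -n "^export TMOUT" "$cfg"
	echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
}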
######################
#7.checkHistorySize
######################
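function checkHistorySize(){
	# $1: item number, $2: item label. Passes when the first active HISTSIZE
	# in /etc/profile is at least 100000.
	echo ""
	echo "## $1. $2检查 ############################"
	# The original compared the script's own $HISTSIZE (inherited via "source
	# /etc/profile"), not the value read from the file, and an empty variable
	# aborted "[ -ge 100000 ]".
	Check_History=$(grep "^HISTSIZE" /etc/profile | head -n1 | awk -F'=' '{print $2}')
	if [ -n "$Check_History" ]; then
		if [ "$Check_History" -ge 100000 ] 2>/dev/null; then
			outLog ok "$2"
		else
			outLog err "$2"
		fi
	else
		echo -e "\033[1;33m没有配置HISTSIZE参数!不符合要求,要求设置为100000 \033[0m"
		outLog err "$2"
	fi
}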
######################
#7.repairHistorySize
######################
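function repairHistorySize(){
	# $1: item number, $2: item label, $3: file to edit (default /etc/profile).
	# Leaves exactly one "HISTSIZE=100000" line: the first occurrence is
	# rewritten in place, later duplicates deleted, a missing line appended.
	local cfg=${3:-/etc/profile} nums first n
	echo -e "\033[1;33m修复配置文件路径:/etc/profile \033[0m"
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	grep -n "^HISTSIZE" "$cfg"
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	echo " "
	nums=$(grep -n "^HISTSIZE" "$cfg" | cut -d: -f1)
	if [ -n "$nums" ]; then
		# Duplicates are deleted bottom-up so no collected line number shifts
		# before it is used (replaces the "重复配置已替换" marker pass and the
		# "$Count+1" string counter).
		first=$(printf '%s\n' "$nums" | head -n1)
		for n in $(printf '%s\n' "$nums" | sort -rn); do
			if [ "$n" -eq "$first" ]; then
				sed -i "${n}c HISTSIZE=100000" "$cfg"
			else
				sed -i "${n}d" "$cfg"
			fi
		done
	else
		echo "HISTSIZE=100000" >> "$cfg"
	fi
	# re-read only the live profile
	[ "$cfg" = /etc/profile ] && source /etc/profile
	echo -e "\033[1;36mNo.$1 修复成功,请重新检查! \033[0m"
	echo " "
	echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
	grep -n "^HISTSIZE" "$cfg"
	grep -n "^#HISTSIZE" "$cfg"
	echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
}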
########################
#8.checkNtpSet
########################
function checkNtpSet(){
	# $1: item number, $2: item label. Passes when ntp.conf has a "server"
	# line naming ntp-t.gwmfc.com with "prefer" and /etc/sysconfig/ntpd
	# contains the "-x -p /var/run/ntpd.pid -g" option string exactly once.
	echo ""
	echo "## $1. $2检查 ############################"
	NtpSet1=$(awk '/server/ && /ntp-t.gwmfc.com/ && /prefer/' /etc/ntp.conf)
	NtpSet2=$(grep -- '\-x \-p /var/run/ntpd.pid \-g' /etc/sysconfig/ntpd | wc -l)
	if [ -z "$NtpSet1" ] || [ "$NtpSet2" -ne 1 ]; then
		outLog err $2
	else
		outLog ok $2
	fi
}
########################
#8.repairNtpSet
#1.停止并取消chrony.service服务
#  systemctl status chrony.service
#  systemctl stop chrony.service
#  systemctl disable chrony.service
#2.启动ntpd服务
#  systemctl enable ntpd.service
#  systemctl start ntpd.service
########################
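function repairNtpSet(){
	# $1: item number. Removes the legacy "ntpserver" hosts alias, replaces
	# /etc/ntp.conf with the minimal site config (a timestamped copy of the
	# old file is kept), sets the ntpd OPTIONS string and enables ntpd.
	local line_num
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	echo -e "\033[1;33m修复配置文件路径:/etc/hosts \033[0m"
	cat /etc/hosts
	echo -e "\033[1;33m修复配置文件路径:/etc/ntp.conf \033[0m"
	grep "server" /etc/ntp.conf
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	echo " "
	sed -i '/##ntp server##/d' /etc/hosts
	sed -i '/ntpserver/d' /etc/hosts
	# 2. /etc/ntp.conf (backup first: the file is overwritten wholesale)
	[ -f /etc/ntp.conf ] && cp -p /etc/ntp.conf "/etc/ntp.conf.bl.$(date +%Y%m%d%H%M%S)"
cat <<EOF > /etc/ntp.conf
driftfile /var/lib/ntp/drift
server ntp-t.gwmfc.com minpoll 4 maxpoll 4 prefer
includefile /etc/ntp/crypto/pw
keys /etc/ntp/keys
disable monitor
EOF
	# 3. /etc/sysconfig/ntpd — with no OPTIONS line the original ran "sed c"
	#    with an empty address, which replaces EVERY line of the file.
	line_num=$(grep -n -m1 'OPTIONS' /etc/sysconfig/ntpd | cut -d: -f1)
	if [ -n "$line_num" ]; then
		sed -i "${line_num}c OPTIONS=\"-x -p /var/run/ntpd.pid -g\"" /etc/sysconfig/ntpd
	else
		echo 'OPTIONS="-x -p /var/run/ntpd.pid -g"' >> /etc/sysconfig/ntpd
	fi
	systemctl start ntpd.service
	systemctl enable ntpd.service
	echo -e "\033[1;36mNo.$1 修复成功,已重启ntpd服务,可使用ntpq -p验证,请重新检查! \033[0m"
	echo " "
	echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
	# this label read "/etc/ntp.conf" while printing /etc/hosts
	echo -e "\033[1;33m修复配置文件路径:/etc/hosts \033[0m"
	cat /etc/hosts
	echo -e "\033[1;33m修复配置文件路径:/etc/ntp.conf \033[0m"
	grep "server" /etc/ntp.conf
	echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
}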
######################
#9.checkSysConfigSet
######################
function checkSysConfigSet(){
	# $1: item number, $2: item label. Passes when /etc/motd contains the
	# "SYSTEM-A:" owner marker exactly once.
	echo ""
	echo "## $1. $2检查 ############################"
	sysconfig=$(grep 'SYSTEM-A:' /etc/motd | wc -l)
	if [ "$sysconfig" -ne 1 ]; then
		outLog err $2
	else
		outLog ok $2
	fi
}
######################
#9.repairSysConfigSet
######################
function repairSysConfigSet(){
	# $1: item number. Appends the host-description template to /etc/motd when
	# none of its three markers is present; otherwise asks for a manual check.
	local have_sysa have_app have_desc
	echo -e "\033[1;33m修复配置文件路径:/etc/motd \033[0m"
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	cat /etc/motd
	echo -e "\033[32m—————————————————————————操作前————————————————————————\033[0m"
	echo " "
	have_sysa=$(grep 'SYSTEM-A:' /etc/motd | wc -l)
	have_app=$(grep 'APPSYSTEM:' /etc/motd | wc -l)
	have_desc=$(grep 'DESCRIPTION:' /etc/motd | wc -l)
	# keep the global the original exposed for the "duplicate" message
	description=$have_sysa
	if [ "$have_sysa" -eq 0 ] && [ "$have_app" -eq 0 ] && [ "$have_desc" -eq 0 ]; then
cat <<'EOF' >> /etc/motd
#####################################
#  APPSYSTEM: 系统的名字是啥
#   SYSTEM-A: 系统管理员A角
#   SYSTEM-B: 系统管理员B角
#DESCRIPTION: 这台机器干啥的
#####################################
EOF
		echo -e "\033[1;36mNo.$1 修复成功,请重新检查! \033[0m"
	elif [ "$have_sysa" -eq 1 ]; then
		echo -e "\033[1;36mNo.$1 配置文件中存在主机描述,请手动检查正确性!\033[0m"
	else
		echo -e "\033[1;33m主机描述重复配置${description}次,请手动检查修复\033[0m"
	fi
	echo " "
	echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
	cat /etc/motd
	echo -e "\033[31m—————————————————————————操作后————————————————————————\033[0m"
}
######################
#10.checkEdrStatus
######################
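#######################################
# 10. Check that an EDR (endpoint security agent) process is running.
# Arguments: $1 - item number, $2 - item label (handed to outLog)
# Outputs:   section header on stdout; verdict via outLog
# NOTE(review): a process whose command line merely contains "edr" is a
# weak signal — it says nothing about the agent being healthy or
# reporting. TODO confirm the agent's real service name and query its
# unit state instead.
#######################################
function checkEdrStatus(){
	local edr_count
	echo ""
	echo "## $1. $2检查 ############################"
	# pgrep never matches itself, so the old "ps | grep | wc -l -ge 2"
	# fudge factor (one hit for the grep process) is no longer needed;
	# -f keeps the full-command-line match the original relied on.
	edr_count=$(pgrep -fc edr) || true
	if [ "${edr_count:-0}" -ge 1 ]; then
		outLog ok "$2"
	else
		outLog err "$2"
	fi
}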
######################
#10.repairtEdr
######################
#######################################
# 10. EDR has no automated repair: hand the item to the security team and
# print the agent install command for reference.
# Arguments: $1 - item number (shown in the first line)
# Outputs:   three coloured lines on stdout
# NOTE(review): the printed command fetches the installer with
# --no-check-certificate, i.e. with TLS verification switched off; if the
# internal CA is trusted on the host the download can be verified instead.
#######################################
function repairtEdr(){
	local install_cmd='wget --no-check-certificate https://10.15.32.15:4430/download_installer_linux.php -O linux_edr_installer.tar.gz && tar -xzvf linux_edr_installer.tar.gz && ./agent_installer.sh -c'
	printf '\033[1;36mNo.%s请联系安全团队手动修复!!\033[0m\n' "$1"
	printf '\033[1;33m%s\033[0m\n' 'EDR安装命令:'
	printf '\033[1;33m%s\033[0m\n' "$install_cmd"
}
#######################
#11.checkFirewallStatus
#######################
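#######################################
# 11. Check that the firewalld unit is active (systemd hosts only).
# Arguments: $1 - item number, $2 - item label (handed to outLog)
# Outputs:   section header on stdout; verdict via outLog
# NOTE(review): "active" only says the daemon runs; it does not assess the
# rule set, which is why the matching repair is left to the operator.
#######################################
function checkFirewallStatus(){
	echo ""
	echo "## $1. $2检查 ############################"
	if [ -f /usr/bin/systemctl ]; then
		# is-active is the supported query; scraping the human-readable
		# "status" output for "active (running)" breaks under other locales.
		if systemctl is-active --quiet firewalld; then
			outLog ok "$2"
		else
			outLog err "$2"
		fi
	else
		outLog info "操作系统版本低,请升级或更新到主推版本"
	fi
}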
#######################
#11.repairFirewall
#######################
#######################################
# 11. Firewall rules depend on which ports the host must expose, so the
# repair is left to the operator; only a reminder is printed.
# Arguments: $1 - item number (unused)
# Outputs:   one coloured line on stdout
#######################################
function repairFirewall(){
	printf '\033[1;31m%s\033[0m\n' '依据端口开通情况,请手动修复!!'
}
######################
#12.checkUserLoginSet
######################
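#######################################
# 12. Check that a root login shell exports exactly one PS1 (the prompt
# repairUserLoginSet adds to /etc/profile).
# Arguments: $1 - item number, $2 - item label (handed to outLog)
# Outputs:   section header on stdout; verdict via outLog
#######################################
function checkUserLoginSet(){
	local ps1_count
	echo ""
	echo "## $1. $2检查 ############################"
	# "su - root" sources /etc/profile before running env. Anchoring on
	# "^PS1=" counts the variable itself rather than any variable whose
	# value happens to contain the text PS1.
	ps1_count=$(su - root -c env | grep -c '^PS1=') || true
	if [ "${ps1_count:-0}" -eq 1 ]; then
		outLog ok "$2"
	else
		outLog err "$2"
	fi
}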
######################
#12.repairUserLoginSet
######################
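#######################################
# 12. Append a PS1 prompt definition to /etc/profile unless the file already
# mentions PS1.
# Arguments: $1 - item number (shown in the result messages)
# Outputs:   result lines on stdout; appends to /etc/profile
#######################################
function repairUserLoginSet(){
	echo -e "\033[1;33m修复配置文件路径:/etc/profile\033[0m"
	if grep -q PS1 /etc/profile; then
		echo -e "\033[1;31mNo.$1 配置已存在,无需重复修复! \033[0m"
		echo -e "\033[1;36mNo.$1 修复成功,请重新检查! \033[0m"
		source /etc/profile
	else
		# Quoted delimiter: the snippet is appended verbatim, so the $ and
		# backticks below are expanded by the login shell, not by this script.
		cat <<'EOF' >> /etc/profile
user_id=`id -u`
if [ "$user_id" = "0" ]; then
	export PS1='$LOGNAME'"@"$(hostname)":"'$PWD'"#"
else
	export PS1='$LOGNAME'"@"$(hostname)":"'$PWD'"$"
fi
EOF
	fi
}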
####################
#13.checkLockUser
####################
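#######################################
# 13. Check that every system account from UserList that exists on this host
# has a locked password (field 2 of "passwd -S" is "LK").
# Arguments: $1 - item number, $2 - item label (handed to outLog)
# Outputs:   section header and the unlocked accounts on stdout;
#            verdict via outLog
# NOTE(review): a locked password only blocks password authentication;
# whether these accounts also carry a nologin shell is not checked here.
#######################################
function checkLockUser(){
	local flag=0 checkuserlist="" _user lock_state
	local UserList="bin daemon adm lp mail operator games ftp nobody systemd-bus-proxy systemd-network dbus polkitd abrt unbound tss libstoragemgmt rpc colord usbmuxd saslauth geoclue rtkit radvd rpcuser nfsnobody qemu chrony setroubleshoot pulse gdm gnome-initial-setup sshd avahi postfix ntp tcpdump mysql gluster"
	echo ""
	echo "## $1. $2检查 ############################"
	# shellcheck disable=SC2086 — UserList is a deliberate space-separated list
	for _user in ${UserList}; do
		# Exact account lookup. The old "grep ^name | wc -l" was a prefix
		# match: with both rpc and rpcuser present it counted 2 for rpc and
		# therefore skipped rpc entirely.
		getent passwd "$_user" >/dev/null || continue
		lock_state=$(passwd -S "$_user" | awk '{print $2}')
		if [ "$lock_state" != "LK" ]; then
			checkuserlist=${_user}" "${checkuserlist}
			flag=1
		fi
	done
	if [ "$flag" -eq 0 ]; then
		outLog ok "$2"
	else
		echo "用户 ${checkuserlist}锁定检查未通过,不符合要求"
		outLog err "$2"
	fi
}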
####################
#13.repairLockUser
####################
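#######################################
# 13. Lock the password of every system account from UserList that exists on
# this host and is not already locked.
# Arguments: $1 - item number (shown in the result message)
# Outputs:   passwd output and a result line on stdout
# NOTE(review): the success line is printed even if a passwd -l call failed
# (e.g. when not run as root); re-running the check is the real confirmation.
#######################################
function repairLockUser(){
	local _user lock_state
	local UserList="bin daemon adm lp mail operator games ftp nobody systemd-bus-proxy systemd-network dbus polkitd abrt unbound tss libstoragemgmt rpc colord usbmuxd saslauth geoclue rtkit radvd rpcuser nfsnobody qemu chrony setroubleshoot pulse gdm gnome-initial-setup sshd avahi postfix ntp tcpdump mysql gluster"
	# shellcheck disable=SC2086 — UserList is a deliberate space-separated list
	for _user in ${UserList}; do
		# Exact account lookup; the old "grep ^name | wc -l -eq 1" prefix
		# match skipped rpc whenever rpcuser was also present.
		getent passwd "$_user" >/dev/null || continue
		lock_state=$(passwd -S "$_user" | awk '{print $2}')
		if [ "$lock_state" != "LK" ]; then
			passwd -l "$_user"
		fi
	done
	echo -e "\033[1;36mNo.$1 修复成功,请重新检查! \033[0m"
}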
##################
#   Check all
##################
#######################################
# Run the system summary followed by every baseline check, in order.
# Each entry is "function number label"; the number is the same selector
# that Main accepts for "repair <n>".
# Arguments: none
# Outputs:   whatever the individual checks print on stdout
#######################################
function checkBaseLine(){
	local -a checks=(
		"checkAccountStatus 1 账号策略"
		"checkPassComplexity 2 密码复杂度"
		"checkLoginLock 3 密码登录锁"
		"checkRootUid 4 root用户权限"
		"checkSshStatus 5 ssh策略检查"
		"checkTimeOut 6 登录超时时间"
		"checkHistorySize 7 历史命令记录条数设置"
		"checkNtpSet 8 NTP时钟同步"
		"checkSysConfigSet 9 系统管理员注释"
		"checkEdrStatus 10 杀毒软件状态"
		"checkFirewallStatus 11 防火墙状态"
		"checkUserLoginSet 12 用户登录配置"
		"checkLockUser 13 默认锁定用户"
	)
	local entry fn no label
	getSystemStatus
	for entry in "${checks[@]}"; do
		# here-string so only read, not the check itself, consumes it
		read -r fn no label <<<"$entry"
		"$fn" "$no" "$label"
	done
}
#############################################
#                 Main
#############################################
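# Usage:  <script> check        run every check, appending output to $RESULTFILE
#         <script> repair <n>   run the repair for item n (1-13)
# NOTE(review): the repair paths edit files under /etc and call passwd, so
# the script is presumably meant to run as root; nothing here verifies that,
# and a non-root run still prints the "修复成功" lines.
# Repair handlers indexed by the item number the checks print.
repair_handlers=(
	[1]=repairAccount
	[2]=repairPassComplexity
	[3]=repairloginLock
	[4]=repairRootUid
	[5]=repairSshStatus
	[6]=repairTimeOut
	[7]=repairHistorySize
	[8]=repairNtpSet
	[9]=repairSysConfigSet
	[10]=repairtEdr
	[11]=repairFirewall
	[12]=repairUserLoginSet
	[13]=repairLockUser
)
if [ "$#" -lt 1 ] || [ "$1" == "-h" ]; then
	Usage
elif [ "$1" == "check" ]; then
	# RESULTFILE is defined earlier in the file; quoted so a path containing
	# spaces reaches tee as one argument.
	checkBaseLine | tee -a "$RESULTFILE"
	echo
	echo "检查结果:$RESULTFILE"
elif [ "$1" == "repair" ]; then
	item=${2-}
	if [ "$item" == "all" ]; then
		echo "为避免风险,暂不支持全部修复."
	# Only a plain decimal number may be used as the array index: any other
	# text inside [...] would be evaluated as an arithmetic expression.
	elif [[ "$item" =~ ^[1-9][0-9]*$ ]] && [ -n "${repair_handlers[$item]-}" ]; then
		"${repair_handlers[$item]}" "$item"
	else
		Usage
		echo -e "\e[31m$(date) You input number it not exist! \e[0m"
	fi
fi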
