Linux/Windows 安全加固脚本
作者:Sec-Labs | 发布时间:
Security baseline
Linux/Windows 安全加固脚本
建议完全阅读脚本后使用,部分配置需自定义,本脚本仅供参考,因运行本脚本产生的问题本人不负任何责任。
项目地址
https://github.com/pssss/Security-Baseline
Usage
Linux
仅建议在装机阶段使用,centos6.sh适用Redhat6、CentOS6系列系统,centos7.sh适用Redhat7、CentOS7系列系统,其余Linux发行版未测试,不建议直接使用。
将centos*.sh 及 centos.conf传至同一目录:
chmod +x ./centos*.sh
./centos*.sh
Windows
仅建议在装机阶段使用,适用于Windows Server 2008及Windows Server 2012,其余Windows Server版未测试,不建议直接使用。
将win.bat 及 win.ini 上传至同一目录,右键win.bat ,以管理员身份运行。
核心代码
Centos
centos6.sh
#!/bin/bash
# 20170122 配置/etc/passwd 、 /etc/shadow 缺省权限设置 ,缺省注释“禁止root从远程登录”
# 20170125 手动创建/etc/security/opasswd,解决首次登录配置密码时提示 "passwd: Authentication token manipulation error"
# 20170129 放宽/etc/passwd、/etc/shadow、/etc/security的权限,解决图形界面oracle用户无法登录的问题
# 20190710 感谢@hack2012 的建议,添加备份操作,分离配置参数
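# Load the tunables (minlen, remember, deny, TMOUT, SNMP_*, history_num, ...)
# from the centos.conf that sits next to this script, not from whatever the
# caller's working directory happens to be, and refuse to continue when the
# file is missing: every later section reads these variables unchecked.
script_dir=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)
conf_file="${script_dir}/centos.conf"
if [[ ! -r "$conf_file" ]]; then
  printf 'centos.conf not found or not readable next to %s\n' "${BASH_SOURCE[0]}" >&2
  exit 1
fi
# Everything below rewrites files under /etc and /var/log; without root the
# run would just produce a long stream of permission errors.
if (( EUID != 0 )); then
  printf 'this script must run as root\n' >&2
  exit 1
fi
# shellcheck source=./centos.conf
source "$conf_file"
echo \*\*\*\* 开始自动配置安全基线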
# Minimum password length and complexity policy: pam_cracklib in the two PAM
# password stacks plus PASS_MIN_LEN in login.defs; minlen comes from centos.conf.
echo
echo \*\*\*\* 设置口令长度最小值和密码复杂度策略
# Intent per the original comment: three of the four classes (upper, lower,
# digit, special). The credits actually written require at least one digit
# (dcredit=-1), one special (ocredit=-1) and one lowercase (lcredit=-1); no
# ucredit is given, so uppercase is never demanded. retry=3 limits the prompts
# per passwd run.
# system-auth: back up, then rewrite an existing pam_cracklib `password` line
# in place or append one. This `egrep -q && sed -ri || echo >>` idiom is used
# throughout the script; note the `||` branch also fires if sed itself fails,
# and the `\p` in the replacement is just a literal `p` to GNU sed.
cp /etc/pam.d/system-auth /etc/pam.d/'system-auth-'`date +%Y%m%d`.bak
egrep -q "^\s*password\s*(requisite|required)\s*pam_cracklib.so.*$" /etc/pam.d/system-auth && sed -ri "s/^\s*password\s*(requisite|required)\s*pam_cracklib.so.*$/\password requisite pam_cracklib.so try_first_pass retry=3 minlen=$minlen dcredit=-1 ocredit=-1 lcredit=-1/" /etc/pam.d/system-auth || echo "password requisite pam_cracklib.so try_first_pass retry=3 minlen=$minlen dcredit=-1 ocredit=-1 lcredit=-1" >> /etc/pam.d/system-auth
# password-auth: identical treatment.
cp /etc/pam.d/password-auth /etc/pam.d/'password-auth-'`date +%Y%m%d`.bak
egrep -q "^\s*password\s*(requisite|required)\s*pam_cracklib.so.*$" /etc/pam.d/password-auth && sed -ri "s/^\s*password\s*(requisite|required)\s*pam_cracklib.so.*$/\password requisite pam_cracklib.so try_first_pass retry=3 minlen=$minlen dcredit=-1 ocredit=-1 lcredit=-1/" /etc/pam.d/password-auth || echo "password requisite pam_cracklib.so try_first_pass retry=3 minlen=$minlen dcredit=-1 ocredit=-1 lcredit=-1" >> /etc/pam.d/password-auth
# login.defs: PASS_MIN_LEN. NOTE(review): on a PAM-based system the enforced
# check is the pam_cracklib line above; this value only matters to tools that
# read login.defs directly.
cp /etc/login.defs /etc/'login.defs-'`date +%Y%m%d`.bak
egrep -q "^\s*PASS_MIN_LEN\s+\S*(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_MIN_LEN\s+\S*(\s*#.*)?\s*$/\PASS_MIN_LEN $minlen/" /etc/login.defs || echo "PASS_MIN_LEN $minlen" >> /etc/login.defs
# Password ageing (optional, off by default). `:<<!` feeds everything up to
# the `!` line to the `:` no-op builtin as a here-document, so the three
# login.defs edits below do not run; remove both marker lines to enable them
# (values PASS_MAX_DAYS / PASS_MIN_DAYS / PASS_WARN_AGE come from centos.conf).
:<<!
echo
echo \*\*\*\* 设置口令生存周期
egrep -q "^\s*PASS_MAX_DAYS\s+\S*(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_MAX_DAYS\s+\S*(\s*#.*)?\s*$/\PASS_MAX_DAYS $PASS_MAX_DAYS/" /etc/login.defs || echo "PASS_MAX_DAYS $PASS_MAX_DAYS" >> /etc/login.defs
egrep -q "^\s*PASS_MIN_DAYS\s+\S*(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_MIN_DAYS\s+\S*(\s*#.*)?\s*$/\PASS_MIN_DAYS $PASS_MIN_DAYS/" /etc/login.defs || echo "PASS_MIN_DAYS $PASS_MIN_DAYS" >> /etc/login.defs
egrep -q "^\s*PASS_WARN_AGE\s+\S*(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_WARN_AGE\s+\S*(\s*#.*)?\s*$/\PASS_WARN_AGE $PASS_WARN_AGE/" /etc/login.defs || echo "PASS_WARN_AGE $PASS_WARN_AGE" >> /etc/login.defs
!
# Password reuse: pam_unix remember=$remember (3 in centos.conf) keeps that
# many previous hashes in /etc/security/opasswd and rejects reusing them. The
# rewritten line keeps sha512/shadow/nullok/try_first_pass/use_authtok.
# NOTE(review): nullok is carried over from the stock line and lets pam_unix
# accept an account whose password is blank — confirm no such accounts exist,
# or drop it.
echo
echo \*\*\*\* 记住3次已使用的密码
# system-auth
egrep -q "^\s*password\s*sufficient\s*pam_unix.so.*$" /etc/pam.d/system-auth && sed -ri "s/^\s*password\s*sufficient\s*pam_unix.so.*$/\password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=$remember/" /etc/pam.d/system-auth || echo "password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=$remember" >> /etc/pam.d/system-auth
# password-auth
egrep -q "^\s*password\s*sufficient\s*pam_unix.so.*$" /etc/pam.d/password-auth && sed -ri "s/^\s*password\s*sufficient\s*pam_unix.so.*$/\password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=$remember/" /etc/pam.d/password-auth || echo "password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=$remember" >> /etc/pam.d/password-auth
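# Lock the system/service accounts that play no part in running or
# maintaining the box. passwd -l prefixes the stored hash with `!`, so the
# account keeps its uid/home but cannot authenticate with a password.
echo
echo \*\*\*\* 锁定与设备运行、维护等工作无关的账号
# -p keeps the backup's owner and mode (the shadow file must not become
# readable through its copy).
cp -p /etc/shadow "/etc/shadow-$(date +%Y%m%d).bak"
# The original ran `passwd -l NAME&>/dev/null 2&>/dev/null`: bash parses the
# trailing `2&>/dev/null` as an extra operand `2` followed by a second
# redirection, so passwd received two user names and (accepting only one)
# rejected the call — none of these accounts were actually locked. Output is
# discarded so that accounts absent on this host are skipped silently.
lock_accounts=(
  adm daemon bin sys lp uucp nuucp smmsplp mail operator games gopher ftp
  nobody nobody4 noaccess listen webservd rpm dbus avahi mailnull nscd vcsa
  rpc rpcuser nfs sshd pcap ntp haldaemon distcache webalizer squid xfs gdm
  sabayon named
)
for acct in "${lock_accounts[@]}"; do
  passwd -l "$acct" >/dev/null 2>&1
done
echo \*\*\*\* 锁定帐号完成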
# Lock-out after repeated authentication failures (pam_tally2).
echo
echo \*\*\*\* 连续登录失败5次锁定帐号5分钟
cp /etc/pam.d/sshd /etc/pam.d/'sshd-'`date +%Y%m%d`.bak
cp /etc/pam.d/login /etc/pam.d/'login-'`date +%Y%m%d`.bak
# Drop any existing pam_tally2 `auth` line (one that carries arguments) from
# all four services so the insert below never produces duplicates.
sed -ri "/^\s*auth\s+required\s+pam_tally2.so\s+.+(\s*#.*)?\s*$/d" /etc/pam.d/sshd /etc/pam.d/login /etc/pam.d/system-auth /etc/pam.d/password-auth
# Insert the lock-out line after line 1 of each file, i.e. right under the
# header line (presumably `#%PAM-1.0`): deny=$deny failures (centos.conf)
# lock the account; unlock_time is hard-coded to 300 s, and even_deny_root
# locks root as well, for root_unlock_time=30 s.
# NOTE(review): with even_deny_root, repeated failures against the login
# service keep root locked for 30 s at a time — document this trade-off for
# operators rather than relying silently on the short timer.
sed -ri "1a auth required pam_tally2.so deny=$deny unlock_time=300 even_deny_root root_unlock_time=30" /etc/pam.d/sshd /etc/pam.d/login /etc/pam.d/system-auth /etc/pam.d/password-auth
# Each service also needs the `account required pam_tally2.so` line (the
# account phase is what resets the counter after a successful login). It goes
# before the first `password` line in sshd and login, and right after
# `account required pam_permit.so` in system-auth / password-auth; when that
# anchor line is absent nothing is inserted.
egrep -q "^\s*account\s+required\s+pam_tally2.so\s*(\s*#.*)?\s*$" /etc/pam.d/sshd || sed -ri '/^password\s+.+(\s*#.*)?\s*$/i\account required pam_tally2.so' /etc/pam.d/sshd
egrep -q "^\s*account\s+required\s+pam_tally2.so\s*(\s*#.*)?\s*$" /etc/pam.d/login || sed -ri '/^password\s+.+(\s*#.*)?\s*$/i\account required pam_tally2.so' /etc/pam.d/login
egrep -q "^\s*account\s+required\s+pam_tally2.so\s*(\s*#.*)?\s*$" /etc/pam.d/system-auth || sed -ri '/^account\s+required\s+pam_permit.so\s*(\s*#.*)?\s*$/a\account required pam_tally2.so' /etc/pam.d/system-auth
egrep -q "^\s*account\s+required\s+pam_tally2.so\s*(\s*#.*)?\s*$" /etc/pam.d/password-auth || sed -ri '/^account\s+required\s+pam_permit.so\s*(\s*#.*)?\s*$/a\account required pam_tally2.so' /etc/pam.d/password-auth
# Force a 022 umask in every system-wide shell start-up file (bash and csh
# variants). Each file is backed up with a date suffix first; then an existing
# `umask` line is rewritten in place, or one is appended when none is found.
echo
echo \*\*\*\* 配置umask为022
for rc_file in /etc/profile /etc/csh.login /etc/csh.cshrc /etc/bashrc; do
  cp "$rc_file" "${rc_file}-$(date +%Y%m%d).bak"
  egrep -q "^\s*umask\s+\w+.*$" "$rc_file" \
    && sed -ri "s/^\s*umask\s+\w+.*$/umask 022/" "$rc_file" \
    || echo "umask 022" >> "$rc_file"
done
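# Permissions on important directories and files.
echo
echo \*\*\*\* 设置重要目录和文件的权限
chmod 755 /etc
chmod 750 /etc/rc.d/init.d
# /tmp must keep the sticky bit: the original `chmod 777` cleared it, which
# lets any user delete or rename other users' files in /tmp.
chmod 1777 /tmp
# inetd.conf may not exist; discard both streams. (The original
# `&>/dev/null 2&>/dev/null` handed chmod a stray operand `2`.)
chmod 600 /etc/inetd.conf >/dev/null 2>&1
chmod 755 /etc/passwd
# NOTE(review): the author relaxed /etc/shadow to 755 (20170129 note) so a
# GUI oracle login works, but 755 makes every password hash readable by every
# local user. The mode is therefore taken from shadow_mode (settable in
# centos.conf) and only falls back to the author's 755; 000 or 600 is what a
# baseline should set once the oracle login issue is handled another way.
chmod "${shadow_mode:-755}" /etc/shadow
chmod 644 /etc/group
chmod 755 /etc/security
chmod 644 /etc/services
chmod 750 /etc/rc*.d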
# Default umask for new logins via login.defs (both `umask` and `UMASK`
# spellings are matched and normalised to `UMASK 022`).
echo
echo \*\*\*\* 设置用户目录默认权限为022
egrep -q "^\s*(umask|UMASK)\s+\w+.*$" /etc/login.defs && sed -ri "s/^\s*(umask|UMASK)\s+\w+.*$/UMASK 022/" /etc/login.defs || echo "UMASK 022" >> /etc/login.defs
# Session timeout: TMOUT=$TMOUT (centos.conf, 600 s) in /etc/profile and
# ClientAliveInterval in sshd_config (backed up first).
echo
echo \*\*\*\* 设置登录超时时间为10分钟
cp /etc/ssh/sshd_config /etc/ssh/'sshd_config-'`date +%Y%m%d`.bak
# NOTE(review): TMOUT is exported but not made readonly, so a user can unset
# it in their own shell; `readonly TMOUT` would enforce it.
egrep -q "^\s*(export|)\s*TMOUT\S\w+.*$" /etc/profile && sed -ri "s/^\s*(export|)\s*TMOUT.\S\w+.*$/export TMOUT=$TMOUT/" /etc/profile || echo "export TMOUT=$TMOUT" >> /etc/profile
# NOTE(review): ClientAliveInterval is a keepalive probe, not an idle logout;
# sshd only drops the connection after ClientAliveCountMax (default 3)
# unanswered probes, so this alone lets an unattended session live ~30 min.
# The search pattern also matches a commented `#ClientAliveInterval` line,
# which sed then turns into an active directive.
egrep -q "^\s*.*ClientAliveInterval\s\w+.*$" /etc/ssh/sshd_config && sed -ri "s/^\s*.*ClientAliveInterval\s\w+.*$/ClientAliveInterval $TMOUT/" /etc/ssh/sshd_config || echo "ClientAliveInterval $TMOUT " >> /etc/ssh/sshd_config
# Pre-login banner: append a WARNING block to /etc/issue unless one is already
# there, and point sshd's Banner directive at it.
echo
echo \*\*\*\* 设置ssh登录前警告Banner
cp /etc/issue "/etc/issue-$(date +%Y%m%d).bak"
if ! grep -Eq "WARNING" /etc/issue; then
  {
    echo "**************WARNING**************"
    echo "Authorized only. All activity will be monitored and reported."
  } >> /etc/issue
fi
egrep -q "^\s*(banner|Banner)\s+\W+.*$" /etc/ssh/sshd_config \
  && sed -ri "s/^\s*(banner|Banner)\s+\W+.*$/Banner \/etc\/issue/" /etc/ssh/sshd_config \
  || echo "Banner /etc/issue" >> /etc/ssh/sshd_config
# Post-login banner: the same WARNING block in /etc/motd, again only once.
echo
echo \*\*\*\* 设置ssh登录后Banner
cp /etc/motd "/etc/motd-$(date +%Y%m%d).bak"
if ! grep -Eq "WARNING" /etc/motd; then
  {
    echo "**************WARNING**************"
    echo "Login success. All activity will be monitored and reported."
  } >> /etc/motd
fi
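# Take world-write off the main syslog targets. Modes are the author's
# (755/775), which still leave the files world-readable; 640 would be the
# tighter choice, since /var/log/secure records every authentication attempt.
echo
echo \*\*\*\* 设置日志文件非全局可写
chmod 755 /var/log/messages
chmod 775 /var/log/spooler
# /var/log/mail and /var/log/localmessages may not exist; discard both streams
# (the original `&>/dev/null 2&>/dev/null` handed chmod a stray operand `2`).
chmod 775 /var/log/mail >/dev/null 2>&1
chmod 775 /var/log/cron
chmod 775 /var/log/secure
chmod 775 /var/log/maillog
chmod 775 /var/log/localmessages >/dev/null 2>&1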
# Log su/authentication activity: route authpriv.* to /var/log/secure.
echo
echo \*\*\*\* 配置并记录su命令使用情况
cp /etc/rsyslog.conf /etc/'rsyslog.conf-'`date +%Y%m%d`.bak
egrep -q "^\s*authpriv\.\*\s+.+$" /etc/rsyslog.conf && sed -ri "s/^\s*authpriv\.\*\s+.+$/authpriv.* \/var\/log\/secure/" /etc/rsyslog.conf || echo "authpriv.* /var/log/secure" >> /etc/rsyslog.conf
# Security-event log: create /var/log/adm (a file, not a directory) and send
# *.err;kern.debug;daemon.notice there.
# NOTE(review): nothing in this script restarts rsyslog, so both rules only
# take effect after the next rsyslog restart or reboot; 755 makes the new log
# world-readable.
echo
echo \*\*\*\* 配置安全事件日志审计
touch /var/log/adm&>/dev/null; chmod 755 /var/log/adm
egrep -q "^\s*\*\.err;kern.debug;daemon.notice\s+.+$" /etc/rsyslog.conf && sed -ri "s/^\s*\*\.err;kern.debug;daemon.notice\s+.+$/*.err;kern.debug;daemon.notice \/var\/log\/adm/" /etc/rsyslog.conf || echo "*.err;kern.debug;daemon.notice /var/log/adm" >> /etc/rsyslog.conf
# Disable telnet: comment out the telnet entries in /etc/services. This only
# removes the port-name mapping; the service itself is turned off in the
# chkconfig section further down. (GNU ERE has no `\d`; `\d*` here presumably
# matches zero or more literal `d`, so the pattern still matches — by accident.)
echo
echo \*\*\*\* 配置禁用telnet服务
cp /etc/services /etc/'services-'`date +%Y%m%d`.bak
egrep -q "^\s*telnet\s+\d*.+$" /etc/services && sed -ri "/^\s*telnet\s+\d*.+$/s/^/#/" /etc/services
# Disable remote root SSH login — off by default: the `:<<!` ... `!` pair
# feeds the lines to the no-op builtin, so they do not run. Enable it only
# once a non-root administrative account can log in, or the host becomes
# unreachable over SSH.
:<<!
echo
echo \*\*\*\* 禁止root远程SSH登录
egrep -q "^\s*PermitRootLogin\s+.+$" /etc/ssh/sshd_config && sed -ri "s/^\s*PermitRootLogin\s+.+$/PermitRootLogin no/" /etc/ssh/sshd_config || echo "PermitRootLogin no" >> /etc/ssh/sshd_config
!
# SNMP (user name, community string and IP must be customised in centos.conf).
# The whole snmpd.conf is replaced, after a dated backup, with the template
# below. The here-document is unquoted, so the $SNMP_* values are substituted;
# everything between `<<EOF` and `EOF` is snmpd configuration, not shell.
# NOTE(review): this grants v1/v2c read access with $SNMP_password as the
# community string, which travels in cleartext and is accepted from any
# source (`com2sec ... default`). The centos.conf values are placeholders and
# must be changed. The `rouser` line names a v3 user, but no createUser
# directive defines it, so v3 access presumably does not work as written —
# verify. snmpd is not restarted by this script.
echo
echo \*\*\*\* 配置SNMP默认团体字
cp /etc/snmp/snmpd.conf /etc/snmp/'snmpd.conf-'`date +%Y%m%d`.bak
cat > /etc/snmp/snmpd.conf <<EOF
com2sec $SNMP_user default $SNMP_password
group $SNMP_group v1 $SNMP_user
group $SNMP_group v2c $SNMP_user
view systemview included .1 80
view systemview included .1.3.6.1.2.1.1
view systemview included .1.3.6.1.2.1.25.1.1
view $SNMP_view included .1.3.6.1.4.1.2021.80
access $SNMP_group "" any noauth exact systemview none none
access $SNMP_group "" any noauth exact $SNMP_view none none
dontLogTCPWrappersConnects yes
trapcommunity $SNMP_password
authtrapenable 1
trap2sink $SNMP_ip
agentSecName $SNMP_user
rouser $SNMP_user
defaultMonitors yes
linkUpDownNotifications yes
EOF
# Anonymous FTP off. Every vsftpd edit in this script has the same shape: only
# when chkconfig lists vsftpd, comment out any existing line for the key, then
# append the wanted value. Re-running therefore appends another copy each
# time (vsftpd presumably honours the last one — verify).
echo
echo \*\*\*\* 禁止匿名用户登录FTP
# The backup is unconditional and simply fails when vsftpd is not installed.
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/'vsftpd.conf-'`date +%Y%m%d`.bak
chkconfig --list|grep vsftpd > /dev/null && sed -ri "/^\s*anonymous_enable\s*\W+.+$/s/^/#/" /etc/vsftpd/vsftpd.conf && echo "anonymous_enable=NO" >> /etc/vsftpd/vsftpd.conf
# Deny FTP login to root by listing it in ftpusers; there is no check for an
# existing entry, so this too accumulates on re-runs.
echo
echo \*\*\*\* 禁止root用户登录FTP
chkconfig --list|grep vsftpd > /dev/null && echo "root" >> /etc/vsftpd/ftpusers
# Disable Ctrl+Alt+Del under upstart (CentOS 6): the job's
# `exec /sbin/shutdown ...` line is replaced by a logger call that records the
# key press to authpriv instead of rebooting. When no such exec line exists
# the logger exec is appended, which would leave two `exec` stanzas in a job
# file written in another form — check the result on non-stock files.
echo
echo \*\*\*\* 禁用ctrl+alt+del组合键
cp /etc/init/control-alt-delete.conf /etc/init/'control-alt-delete.conf-'`date +%Y%m%d`.bak
egrep -q "^\s*exec\s+/sbin/shutdown\s+.+$" /etc/init/control-alt-delete.conf && sed -ri "s/^\s*exec\s+\/sbin\/shutdown\s+.+$/exec \/usr\/bin\/logger \-p authpriv.notice \-t init 'Ctrl-Alt-Del was pressed and ignored'/" /etc/init/control-alt-delete.conf || echo "exec /usr/bin/logger -p authpriv.notice -t init 'Ctrl-Alt-Del was pressed and ignored' " >> /etc/init/control-alt-delete.conf
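# Neutralise host-trust and stored-credential files: hosts.equiv, ~/.rhosts
# (password-less r-service trust) and ~/.netrc (plaintext FTP credentials).
# As in the original they are renamed to *.bak, not deleted, so an operator
# can review them. The original `xargs -i mv {} {}.bak` form is deprecated in
# GNU xargs and breaks on names containing whitespace; find performs the
# rename itself instead. Depth 3 from / covers /etc, /root and /home/*.
echo
echo \*\*\*\* 删除潜在威胁文件
for trust_file in hosts.equiv .netrc .rhosts; do
  find / -maxdepth 3 -name "$trust_file" -exec sh -c 'mv -- "$1" "$1.bak"' _ {} \;
done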
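# Turn off services that are not needed on a hardened host: the inetd test
# services (chargen/daytime/discard/echo/time), the r-services, talk,
# telnet, tftp, rsync, xinetd itself and NFS.
# The original `chkconfig NAME off&>/dev/null 2&>/dev/null` handed chkconfig
# a stray third operand `2`, which is not valid `chkconfig NAME on|off`
# usage, so the calls did not do what the section intends. Services that are
# not installed are skipped silently.
echo
echo \*\*\*\* 限制不必要的服务
unneeded_services=(
  chargen-dgram chargen-stream daytime-dgram daytime-stream
  discard-dgram discard-stream echo-dgram echo-stream
  time-dgram time-stream rexec rlogin rsh talk telnet tftp
  rsync xinetd nfs nfslock
)
for svc in "${unneeded_services[@]}"; do
  chkconfig "$svc" off >/dev/null 2>&1
done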
# Shell history: HISTSIZE=$history_num (centos.conf, 30) and a timestamped
# HISTTIMEFORMAT in /etc/profile, exported when not already exported.
# NOTE(review): these are per-shell defaults that any user can override or
# unset, so they are a convenience, not an audit trail (auditd or process
# accounting is needed for that). The HISTSIZE pattern (`\W+[0-9].+`) only
# matches values of two or more characters.
echo
echo \*\*\*\* 设置保留历史命令的条数为30,并加上时间戳
egrep -q "^\s*HISTSIZE\s*\W+[0-9].+$" /etc/profile && sed -ri "s/^\s*HISTSIZE\W+[0-9].+$/HISTSIZE=$history_num/" /etc/profile || echo "HISTSIZE=$history_num" >> /etc/profile
egrep -q "^\s*HISTTIMEFORMAT\s*\S+.+$" /etc/profile && sed -ri "s/^\s*HISTTIMEFORMAT\s*\S+.+$/HISTTIMEFORMAT='%F %T | '/" /etc/profile || echo "HISTTIMEFORMAT='%F %T | '" >> /etc/profile
egrep -q "^\s*export\s*HISTTIMEFORMAT.*$" /etc/profile || echo "export HISTTIMEFORMAT" >> /etc/profile
# Permissions of files uploaded through vsftpd. Each option is applied only
# when chkconfig lists vsftpd: any existing line for the key is commented out,
# then the wanted key=value is appended.
echo
echo \*\*\*\* 限制FTP用户上传的文件所具有的权限
for ftp_opt in write_enable=NO ls_recurse_enable=NO anon_umask=077 local_umask=022; do
  ftp_key=${ftp_opt%%=*}
  chkconfig --list|grep vsftpd > /dev/null \
    && sed -ri "/^\s*${ftp_key}\s*\W+.+$/s/^/#/" /etc/vsftpd/vsftpd.conf \
    && echo "$ftp_opt" >> /etc/vsftpd/vsftpd.conf
done
# Directory confinement for local FTP users.
# NOTE(review): chroot_local_user=NO means local users are *not* confined to
# their home directory, which contradicts this section's heading — confirm
# the intended value.
echo
echo \*\*\*\* 限制FTP用户登录后能访问的目录
chkconfig --list|grep vsftpd > /dev/null \
  && sed -ri "/^\s*chroot_local_user\s*\W+.+$/s/^/#/" /etc/vsftpd/vsftpd.conf \
  && echo "chroot_local_user=NO" >> /etc/vsftpd/vsftpd.conf
# Automatic screen lock for hosts with a graphical desktop: a mandatory
# (user-unoverridable) gconf policy that activates the screensaver after 10
# idle minutes, locks, and blanks the screen. On a headless box without
# gconftool-2 the command simply fails and the script carries on.
echo
echo \*\*\*\* 对于有图形界面的系统配置10分钟屏幕锁定
gconf_args=(
  --direct
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory
  --type bool
  --set /apps/gnome-screensaver/idle_activation_enabled true
  --set /apps/gnome-screensaver/lock_enabled true
  --type int
  --set /apps/gnome-screensaver/idle_delay 10
  --type string
  --set /apps/gnome-screensaver/mode blank-only
)
gconftool-2 "${gconf_args[@]}"
# FTP login banner (same vsftpd edit shape as above).
# NOTE(review): the single quotes are written literally into vsftpd.conf and
# presumably appear in the banner text shown to clients — verify.
echo
echo \*\*\*\* FTP Banner 设置
chkconfig --list|grep vsftpd > /dev/null && sed -ri "/^\s*ftpd_banner\s*\W+.+$/s/^/#/" /etc/vsftpd/vsftpd.conf && echo "ftpd_banner='Authorized only. All activity will be monitored and reported.'" >> /etc/vsftpd/vsftpd.conf
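# Force a password change at root's next login by expiring the password now.
echo
echo \*\*\*\* 配置下次登录时配置root密码
chage -d 0 root
# Recreate /etc/security/opasswd. pam_unix's remember= (configured above)
# stores the hashes of previous passwords in this file and fails with
# "passwd: Authentication token manipulation error" when it is missing. The
# previous file is kept as opasswd.old as before, but only moved when it
# actually exists (the unconditional mv errored on a fresh install), and the
# new file is made root-only because it will hold password hashes.
if [[ -e /etc/security/opasswd ]]; then
  mv -- /etc/security/opasswd /etc/security/opasswd.old
fi
touch /etc/security/opasswd
chmod 600 /etc/security/opasswd
# end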
centos7.sh
#!/bin/bash
# 20170122 配置/etc/passwd 、 /etc/shadow 缺省权限设置 ,缺省注释“禁止root从远程登录”
# 20170125 手动创建/etc/security/opasswd,解决首次登录配置密码时提示 "passwd: Authentication token manipulation error"
# 20170126 缺省注释“用户下次登录时需更改密码”
# 20170129 放宽/etc/passwd、/etc/shadow、/etc/security的权限,解决图形界面oracle无法登录的问题
# 20180524 登录超时时间由5分钟改为10分钟,启用“root用户下次登录时需更改密码”
# 20180703 默认不覆盖/etc/issue内容
# 20180813 更新禁用ctrl+alt+del组合键,添加RedHat 7.X支持
# 20181115 更改history条数为30条并添加时间戳;修复一处日志配置错误;优化登录超时配置;chkconfig替换为systemctl
# 20190710 感谢@hack2012 的建议,添加备份操作,分离配置参数
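# Load the tunables (minlen, remember, deny, TMOUT, SNMP_*, history_num,
# NTP_ip) from the centos.conf that sits next to this script, not from
# whatever the caller's working directory happens to be, and refuse to
# continue when the file is missing: every later section reads these
# variables unchecked.
script_dir=$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)
conf_file="${script_dir}/centos.conf"
if [[ ! -r "$conf_file" ]]; then
  printf 'centos.conf not found or not readable next to %s\n' "${BASH_SOURCE[0]}" >&2
  exit 1
fi
# Everything below rewrites files under /etc and /var/log and drives
# systemctl; without root the run would just be a stream of errors.
if (( EUID != 0 )); then
  printf 'this script must run as root\n' >&2
  exit 1
fi
# shellcheck source=./centos.conf
source "$conf_file"
echo \*\*\*\* 开始自动配置安全基线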
# Minimum password length and complexity policy: pam_cracklib in the two PAM
# password stacks plus PASS_MIN_LEN in login.defs; minlen comes from centos.conf.
echo
echo \*\*\*\* 设置口令长度最小值和密码复杂度策略
# Intent per the original comment: three of the four classes (upper, lower,
# digit, special), adjustable. The credits actually written require at least
# one digit (dcredit=-1), one special (ocredit=-1) and one lowercase
# (lcredit=-1); no ucredit is given, so uppercase is never demanded. retry=3
# limits the prompts per passwd run.
# system-auth: back up, then rewrite an existing pam_cracklib `password` line
# in place or append one. This `egrep -q && sed -ri || echo >>` idiom is used
# throughout the script; note the `||` branch also fires if sed itself fails,
# and the `\p` in the replacement is just a literal `p` to GNU sed.
cp /etc/pam.d/system-auth /etc/pam.d/'system-auth-'`date +%Y%m%d`.bak
egrep -q "^\s*password\s*(requisite|required)\s*pam_cracklib.so.*$" /etc/pam.d/system-auth && sed -ri "s/^\s*password\s*(requisite|required)\s*pam_cracklib.so.*$/\password requisite pam_cracklib.so try_first_pass retry=3 minlen=$minlen dcredit=-1 ocredit=-1 lcredit=-1/" /etc/pam.d/system-auth || echo "password requisite pam_cracklib.so try_first_pass retry=3 minlen=$minlen dcredit=-1 ocredit=-1 lcredit=-1" >> /etc/pam.d/system-auth
# password-auth: identical treatment.
cp /etc/pam.d/password-auth /etc/pam.d/'password-auth-'`date +%Y%m%d`.bak
egrep -q "^\s*password\s*(requisite|required)\s*pam_cracklib.so.*$" /etc/pam.d/password-auth && sed -ri "s/^\s*password\s*(requisite|required)\s*pam_cracklib.so.*$/\password requisite pam_cracklib.so try_first_pass retry=3 minlen=$minlen dcredit=-1 ocredit=-1 lcredit=-1/" /etc/pam.d/password-auth || echo "password requisite pam_cracklib.so try_first_pass retry=3 minlen=$minlen dcredit=-1 ocredit=-1 lcredit=-1" >> /etc/pam.d/password-auth
# login.defs: PASS_MIN_LEN. NOTE(review): on a PAM-based system the enforced
# check is the pam_cracklib line above; this value only matters to tools that
# read login.defs directly.
cp /etc/login.defs /etc/'login.defs-'`date +%Y%m%d`.bak
egrep -q "^\s*PASS_MIN_LEN\s+\S*(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_MIN_LEN\s+\S*(\s*#.*)?\s*$/\PASS_MIN_LEN $minlen/" /etc/login.defs || echo "PASS_MIN_LEN $minlen" >> /etc/login.defs
# Password ageing (optional, off by default). `:<<!` feeds everything up to
# the `!` line to the `:` no-op builtin as a here-document, so the three
# login.defs edits below do not run; remove both marker lines to enable them
# (values PASS_MAX_DAYS / PASS_MIN_DAYS / PASS_WARN_AGE come from centos.conf).
:<<!
echo
echo \*\*\*\* 设置口令生存周期
egrep -q "^\s*PASS_MAX_DAYS\s+\S*(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_MAX_DAYS\s+\S*(\s*#.*)?\s*$/\PASS_MAX_DAYS $PASS_MAX_DAYS/" /etc/login.defs || echo "PASS_MAX_DAYS $PASS_MAX_DAYS" >> /etc/login.defs
egrep -q "^\s*PASS_MIN_DAYS\s+\S*(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_MIN_DAYS\s+\S*(\s*#.*)?\s*$/\PASS_MIN_DAYS $PASS_MIN_DAYS/" /etc/login.defs || echo "PASS_MIN_DAYS $PASS_MIN_DAYS" >> /etc/login.defs
egrep -q "^\s*PASS_WARN_AGE\s+\S*(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)PASS_WARN_AGE\s+\S*(\s*#.*)?\s*$/\PASS_WARN_AGE $PASS_WARN_AGE/" /etc/login.defs || echo "PASS_WARN_AGE $PASS_WARN_AGE" >> /etc/login.defs
!
# Password reuse: pam_unix remember=$remember (3 in centos.conf) keeps that
# many previous hashes in /etc/security/opasswd and rejects reusing them. The
# rewritten line keeps sha512/shadow/nullok/try_first_pass/use_authtok.
# NOTE(review): nullok is carried over from the stock line and lets pam_unix
# accept an account whose password is blank — confirm no such accounts exist,
# or drop it.
echo
echo \*\*\*\* 记住3次已使用的密码
# system-auth
egrep -q "^\s*password\s*sufficient\s*pam_unix.so.*$" /etc/pam.d/system-auth && sed -ri "s/^\s*password\s*sufficient\s*pam_unix.so.*$/\password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=$remember/" /etc/pam.d/system-auth || echo "password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=$remember" >> /etc/pam.d/system-auth
# password-auth
egrep -q "^\s*password\s*sufficient\s*pam_unix.so.*$" /etc/pam.d/password-auth && sed -ri "s/^\s*password\s*sufficient\s*pam_unix.so.*$/\password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=$remember/" /etc/pam.d/password-auth || echo "password sufficient pam_unix.so sha512 shadow nullok try_first_pass use_authtok remember=$remember" >> /etc/pam.d/password-auth
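# Lock the system/service accounts that play no part in running or
# maintaining the box. passwd -l prefixes the stored hash with `!`, so the
# account keeps its uid/home but cannot authenticate with a password.
echo
echo \*\*\*\* 锁定与设备运行、维护等工作无关的账号
# -p keeps the backup's owner and mode (the shadow file must not become
# readable through its copy).
cp -p /etc/shadow "/etc/shadow-$(date +%Y%m%d).bak"
# The original ran `passwd -l NAME&>/dev/null 2&>/dev/null`: bash parses the
# trailing `2&>/dev/null` as an extra operand `2` followed by a second
# redirection, so passwd received two user names and (accepting only one)
# rejected the call — none of these accounts were actually locked. Output is
# discarded so that accounts absent on this host are skipped silently.
lock_accounts=(
  adm daemon bin sys lp uucp nuucp smmsplp mail operator games gopher ftp
  nobody nobody4 noaccess listen webservd rpm dbus avahi mailnull nscd vcsa
  rpc rpcuser nfs sshd pcap ntp haldaemon distcache webalizer squid xfs gdm
  sabayon named
)
for acct in "${lock_accounts[@]}"; do
  passwd -l "$acct" >/dev/null 2>&1
done
echo \*\*\*\* 锁定帐号完成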
# Lock-out after repeated authentication failures (pam_tally2).
echo
echo \*\*\*\* 连续登录失败5次锁定帐号5分钟
cp /etc/pam.d/sshd /etc/pam.d/'sshd-'`date +%Y%m%d`.bak
cp /etc/pam.d/login /etc/pam.d/'login-'`date +%Y%m%d`.bak
# Drop any existing pam_tally2 `auth` line (one that carries arguments) from
# all four services so the insert below never produces duplicates.
sed -ri "/^\s*auth\s+required\s+pam_tally2.so\s+.+(\s*#.*)?\s*$/d" /etc/pam.d/sshd /etc/pam.d/login /etc/pam.d/system-auth /etc/pam.d/password-auth
# Insert the lock-out line after line 1 of each file, i.e. right under the
# header line (presumably `#%PAM-1.0`): deny=$deny failures (centos.conf)
# lock the account; unlock_time is hard-coded to 300 s, and even_deny_root
# locks root as well, for root_unlock_time=30 s.
# NOTE(review): with even_deny_root, repeated failures against the login
# service keep root locked for 30 s at a time — document this trade-off for
# operators rather than relying silently on the short timer.
sed -ri "1a auth required pam_tally2.so deny=$deny unlock_time=300 even_deny_root root_unlock_time=30" /etc/pam.d/sshd /etc/pam.d/login /etc/pam.d/system-auth /etc/pam.d/password-auth
# Each service also needs the `account required pam_tally2.so` line (the
# account phase is what resets the counter after a successful login). It goes
# before the first `password` line in sshd and login, and right after
# `account required pam_permit.so` in system-auth / password-auth; when that
# anchor line is absent nothing is inserted.
egrep -q "^\s*account\s+required\s+pam_tally2.so\s*(\s*#.*)?\s*$" /etc/pam.d/sshd || sed -ri '/^password\s+.+(\s*#.*)?\s*$/i\account required pam_tally2.so' /etc/pam.d/sshd
egrep -q "^\s*account\s+required\s+pam_tally2.so\s*(\s*#.*)?\s*$" /etc/pam.d/login || sed -ri '/^password\s+.+(\s*#.*)?\s*$/i\account required pam_tally2.so' /etc/pam.d/login
egrep -q "^\s*account\s+required\s+pam_tally2.so\s*(\s*#.*)?\s*$" /etc/pam.d/system-auth || sed -ri '/^account\s+required\s+pam_permit.so\s*(\s*#.*)?\s*$/a\account required pam_tally2.so' /etc/pam.d/system-auth
egrep -q "^\s*account\s+required\s+pam_tally2.so\s*(\s*#.*)?\s*$" /etc/pam.d/password-auth || sed -ri '/^account\s+required\s+pam_permit.so\s*(\s*#.*)?\s*$/a\account required pam_tally2.so' /etc/pam.d/password-auth
# Force a 022 umask in every system-wide shell start-up file (bash and csh
# variants). Each file is backed up with a date suffix first; then an existing
# `umask` line is rewritten in place, or one is appended when none is found.
echo
echo \*\*\*\* 配置umask为022
for rc_file in /etc/profile /etc/csh.login /etc/csh.cshrc /etc/bashrc; do
  cp "$rc_file" "${rc_file}-$(date +%Y%m%d).bak"
  egrep -q "^\s*umask\s+\w+.*$" "$rc_file" \
    && sed -ri "s/^\s*umask\s+\w+.*$/umask 022/" "$rc_file" \
    || echo "umask 022" >> "$rc_file"
done
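# Permissions on important directories and files.
echo
echo \*\*\*\* 设置重要目录和文件的权限
chmod 755 /etc
chmod 750 /etc/rc.d/init.d
# /tmp must keep the sticky bit: the original `chmod 777` cleared it, which
# lets any user delete or rename other users' files in /tmp.
chmod 1777 /tmp
# inetd.conf may not exist; discard both streams. (The original
# `&>/dev/null 2&>/dev/null` handed chmod a stray operand `2`.)
chmod 700 /etc/inetd.conf >/dev/null 2>&1
chmod 755 /etc/passwd
# NOTE(review): the author relaxed /etc/shadow to 755 (20170129 note) so a
# GUI oracle login works, but 755 makes every password hash readable by every
# local user. The mode is therefore taken from shadow_mode (settable in
# centos.conf) and only falls back to the author's 755; 000 or 600 is what a
# baseline should set once the oracle login issue is handled another way.
chmod "${shadow_mode:-755}" /etc/shadow
chmod 644 /etc/group
chmod 755 /etc/security
chmod 644 /etc/services
chmod 750 /etc/rc*.d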
# Default umask for new logins via login.defs (both `umask` and `UMASK`
# spellings are matched and normalised to `UMASK 022`).
echo
echo \*\*\*\* 设置用户目录默认权限为022
egrep -q "^\s*(umask|UMASK)\s+\w+.*$" /etc/login.defs && sed -ri "s/^\s*(umask|UMASK)\s+\w+.*$/UMASK 022/" /etc/login.defs || echo "UMASK 022" >> /etc/login.defs
# Session timeout: TMOUT=$TMOUT (centos.conf, 600 s) in /etc/profile and
# ClientAliveInterval in sshd_config (backed up first).
echo
echo \*\*\*\* 设置登录超时时间为10分钟
cp /etc/ssh/sshd_config /etc/ssh/'sshd_config-'`date +%Y%m%d`.bak
# NOTE(review): TMOUT is exported but not made readonly, so a user can unset
# it in their own shell; `readonly TMOUT` would enforce it.
egrep -q "^\s*(export|)\s*TMOUT\S\w+.*$" /etc/profile && sed -ri "s/^\s*(export|)\s*TMOUT.\S\w+.*$/export TMOUT=$TMOUT/" /etc/profile || echo "export TMOUT=$TMOUT" >> /etc/profile
# NOTE(review): ClientAliveInterval is a keepalive probe, not an idle logout;
# sshd only drops the connection after ClientAliveCountMax (default 3)
# unanswered probes, so this alone lets an unattended session live ~30 min.
# The search pattern also matches a commented `#ClientAliveInterval` line,
# which sed then turns into an active directive.
egrep -q "^\s*.*ClientAliveInterval\s\w+.*$" /etc/ssh/sshd_config && sed -ri "s/^\s*.*ClientAliveInterval\s\w+.*$/ClientAliveInterval $TMOUT/" /etc/ssh/sshd_config || echo "ClientAliveInterval $TMOUT " >> /etc/ssh/sshd_config
# Pre-login banner: append a WARNING block to /etc/issue unless one is already
# there, and point sshd's Banner directive at it.
echo
echo \*\*\*\* 设置ssh登录前警告Banner
cp /etc/issue "/etc/issue-$(date +%Y%m%d).bak"
if ! grep -Eq "WARNING" /etc/issue; then
  {
    echo "**************WARNING**************"
    echo "Authorized only. All activity will be monitored and reported."
  } >> /etc/issue
fi
egrep -q "^\s*(banner|Banner)\s+\W+.*$" /etc/ssh/sshd_config \
  && sed -ri "s/^\s*(banner|Banner)\s+\W+.*$/Banner \/etc\/issue/" /etc/ssh/sshd_config \
  || echo "Banner /etc/issue" >> /etc/ssh/sshd_config
# Post-login banner: the same WARNING block in /etc/motd, again only once.
echo
echo \*\*\*\* 设置ssh登录后Banner
cp /etc/motd "/etc/motd-$(date +%Y%m%d).bak"
if ! grep -Eq "WARNING" /etc/motd; then
  {
    echo "**************WARNING**************"
    echo "Login success. All activity will be monitored and reported."
  } >> /etc/motd
fi
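# Take world-write off the main syslog targets. Modes are the author's
# (755/775), which still leave the files world-readable; 640 would be the
# tighter choice, since /var/log/secure records every authentication attempt.
echo
echo \*\*\*\* 设置日志文件非全局可写
chmod 755 /var/log/messages
chmod 775 /var/log/spooler
# /var/log/mail and /var/log/localmessages may not exist; discard both streams
# (the original `&>/dev/null 2&>/dev/null` handed chmod a stray operand `2`).
chmod 775 /var/log/mail >/dev/null 2>&1
chmod 775 /var/log/cron
chmod 775 /var/log/secure
chmod 775 /var/log/maillog
chmod 775 /var/log/localmessages >/dev/null 2>&1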
# Log su/authentication activity: route authpriv.* to /var/log/secure.
echo
echo \*\*\*\* 配置并记录su命令使用情况
cp /etc/rsyslog.conf /etc/'rsyslog.conf-'`date +%Y%m%d`.bak
egrep -q "^\s*authpriv\.\*\s+.+$" /etc/rsyslog.conf && sed -ri "s/^\s*authpriv\.\*\s+.+$/authpriv.* \/var\/log\/secure/" /etc/rsyslog.conf || echo "authpriv.* /var/log/secure" >> /etc/rsyslog.conf
# Security-event log: create /var/log/adm (a file, not a directory), label it
# for SELinux and send *.err;kern.debug;daemon.notice there.
# NOTE(review): nothing in this script restarts rsyslog, so both rules only
# take effect after the next rsyslog restart or reboot; 755 makes the new log
# world-readable.
echo
echo \*\*\*\* 配置安全事件日志审计
touch /var/log/adm&>/dev/null; chmod 755 /var/log/adm
# `semanage fcontext -a` fails (harmlessly here) when a rule for the path
# already exists, e.g. on a re-run, and needs the policycoreutils python
# tooling installed. NOTE(review): security_t is an unusual type for a
# syslog target — the other files in /var/log normally carry var_log_t —
# confirm rsyslog is allowed to write security_t, or relabel with var_log_t.
semanage fcontext -a -t security_t '/var/log/adm'
restorecon -v '/var/log/adm'&>/dev/null
egrep -q "^\s*\*\.err;kern.debug;daemon.notice\s+.+$" /etc/rsyslog.conf && sed -ri "s/^\s*\*\.err;kern.debug;daemon.notice\s+.+$/*.err;kern.debug;daemon.notice \/var\/log\/adm/" /etc/rsyslog.conf || echo "*.err;kern.debug;daemon.notice /var/log/adm" >> /etc/rsyslog.conf
# Disable telnet: comment out the telnet entries in /etc/services. This only
# removes the port-name mapping; the service itself is turned off in the
# systemctl section further down. (GNU ERE has no `\d`; `\d*` here presumably
# matches zero or more literal `d`, so the pattern still matches — by accident.)
echo
echo \*\*\*\* 配置禁用telnet服务
cp /etc/services /etc/'services-'`date +%Y%m%d`.bak
egrep -q "^\s*telnet\s+\d*.+$" /etc/services && sed -ri "/^\s*telnet\s+\d*.+$/s/^/# /" /etc/services
# Disable remote root SSH login — not configured for now: the `:<<!` ... `!`
# pair feeds the lines to the no-op builtin, so they do not run. Enable it
# only once a non-root administrative account can log in, or the host
# becomes unreachable over SSH.
:<<!
echo
echo \*\*\*\* 禁止root远程SSH登录
egrep -q "^\s*PermitRootLogin\s+.+$" /etc/ssh/sshd_config && sed -ri "s/^\s*PermitRootLogin\s+.+$/PermitRootLogin no/" /etc/ssh/sshd_config || echo "PermitRootLogin no" >> /etc/ssh/sshd_config
!
# SNMP community configuration (user name, community string and IP come from
# centos.conf). The whole snmpd.conf is replaced, after a dated backup, with
# the template below. The here-document is unquoted, so the $SNMP_* values are
# substituted; everything between `<<EOF` and `EOF` is snmpd configuration,
# not shell.
# NOTE(review): this grants v1/v2c read access with $SNMP_password as the
# community string, which travels in cleartext and is accepted from any
# source (`com2sec ... default`). The centos.conf values are placeholders and
# must be changed. The `rouser` line names a v3 user, but no createUser
# directive defines it, so v3 access presumably does not work as written —
# verify. snmpd is not restarted by this script.
echo
echo \*\*\*\* 配置SNMP默认团体字
cp /etc/snmp/snmpd.conf /etc/snmp/'snmpd.conf-'`date +%Y%m%d`.bak
cat > /etc/snmp/snmpd.conf <<EOF
com2sec $SNMP_user default $SNMP_password
group $SNMP_group v1 $SNMP_user
group $SNMP_group v2c $SNMP_user
view systemview included .1 80
view systemview included .1.3.6.1.2.1.1
view systemview included .1.3.6.1.2.1.25.1.1
view $SNMP_view included .1.3.6.1.4.1.2021.80
access $SNMP_group "" any noauth exact systemview none none
access $SNMP_group "" any noauth exact $SNMP_view none none
dontLogTCPWrappersConnects yes
trapcommunity $SNMP_password
authtrapenable 1
trap2sink $SNMP_ip
agentSecName $SNMP_user
rouser $SNMP_user
defaultMonitors yes
linkUpDownNotifications yes
EOF
# Anonymous FTP off. Every vsftpd edit in this script has the same shape: only
# when a vsftpd unit is listed by systemctl, comment out any existing line for
# the key, then append the wanted value. Re-running therefore appends another
# copy each time (vsftpd presumably honours the last one — verify).
echo
echo \*\*\*\* 禁止匿名用户登录FTP
# The backup is unconditional and simply fails when vsftpd is not installed.
cp /etc/vsftpd/vsftpd.conf /etc/vsftpd/'vsftpd.conf-'`date +%Y%m%d`.bak
systemctl list-unit-files|grep vsftpd > /dev/null && sed -ri "/^\s*anonymous_enable\s*\W+.+$/s/^/#/" /etc/vsftpd/vsftpd.conf && echo "anonymous_enable=NO" >> /etc/vsftpd/vsftpd.conf
# Deny FTP login to root by listing it in ftpusers; there is no check for an
# existing entry, so this too accumulates on re-runs.
echo
echo \*\*\*\* 禁止root用户登录FTP
systemctl list-unit-files|grep vsftpd > /dev/null && echo "root" >> /etc/vsftpd/ftpusers
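# Disable Ctrl+Alt+Del on systemd (CentOS/RHEL 7).
echo
echo \*\*\*\* 禁用ctrl+alt+del组合键
# The original renamed /usr/lib/systemd/system/ctrl-alt-del.target, but its
# `...bak&>/dev/null 2&>/dev/null` suffix handed mv a third operand `2`, so
# mv treated `2` as the destination directory and failed — the key
# combination stayed active. Masking the target is the supported way to do
# this and, unlike a renamed file under /usr/lib, survives package updates.
systemctl mask ctrl-alt-del.target >/dev/null 2>&1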
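# Neutralise host-trust and stored-credential files: hosts.equiv, ~/.rhosts
# (password-less r-service trust) and ~/.netrc (plaintext FTP credentials).
# As in the original they are renamed to *.bak, not deleted, so an operator
# can review them. The original `xargs -i mv {} {}.bak` form is deprecated in
# GNU xargs and breaks on names containing whitespace; find performs the
# rename itself instead. Depth 3 from / covers /etc, /root and /home/*.
echo
echo \*\*\*\* 删除潜在威胁文件
for trust_file in hosts.equiv .netrc .rhosts; do
  find / -maxdepth 3 -name "$trust_file" -exec sh -c 'mv -- "$1" "$1.bak"' _ {} \;
done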
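# Disable at boot the services a hardened host does not need: the
# r-services, talk, telnet, tftp, rsync, xinetd itself and NFS.
# The original `systemctl disable NAME&>/dev/null 2&>/dev/null` passed a
# second unit name `2` to systemctl, so each call may have failed as a whole.
# On CentOS 7 several of these are socket-activated (e.g. telnet.socket,
# tftp.socket, rsh.socket), so the .socket unit is disabled alongside the
# service; units that are not installed fail silently.
# NOTE(review): NFS on CentOS 7 is nfs-server.service — confirm that `nfs`
# resolves to it on the target.
echo
echo \*\*\*\* 限制不必要的服务
unneeded_units=(rsh talk telnet tftp rsync xinetd nfs nfslock)
for unit in "${unneeded_units[@]}"; do
  systemctl disable "$unit" >/dev/null 2>&1
  systemctl disable "${unit}.socket" >/dev/null 2>&1
done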
# Shell history: HISTSIZE=$history_num (centos.conf, 30) and a timestamped
# HISTTIMEFORMAT in /etc/profile, exported when not already exported.
# NOTE(review): these are per-shell defaults that any user can override or
# unset, so they are a convenience, not an audit trail (auditd or process
# accounting is needed for that). The HISTSIZE pattern (`\W+[0-9].+`) only
# matches values of two or more characters.
echo
echo \*\*\*\* 设置保留历史命令的条数为30,并加上时间戳
egrep -q "^\s*HISTSIZE\s*\W+[0-9].+$" /etc/prof# Shell history: HISTSIZE=$history_num (centos.conf, 30) and a timestamped
# HISTTIMEFORMAT in /etc/profile, exported when not already exported.
# NOTE(review): these are per-shell defaults that any user can override or
# unset, so they are a convenience, not an audit trail (auditd or process
# accounting is needed for that). The HISTSIZE pattern (`\W+[0-9].+`) only
# matches values of two or more characters.
echo
echo \*\*\*\* 设置保留历史命令的条数为30,并加上时间戳
egrep -q "^\s*HISTSIZE\s*\W+[0-9].+$" /etc/profile && sed -ri "s/^\s*HISTSIZE\W+[0-9].+$/HISTSIZE=$history_num/" /etc/profile || echo "HISTSIZE=$history_num" >> /etc/profile
egrep -q "^\s*HISTTIMEFORMAT\s*\S+.+$" /etc/profile && sed -ri "s/^\s*HISTTIMEFORMAT\s*\S+.+$/HISTTIMEFORMAT='%F %T | '/" /etc/profile || echo "HISTTIMEFORMAT='%F %T | '" >> /etc/profile
egrep -q "^\s*export\s*HISTTIMEFORMAT.*$" /etc/profile || echo "export HISTTIMEFORMAT" >> /etc/profile
# Permissions of files uploaded through vsftpd. Each option is applied only
# when systemctl lists a vsftpd unit: any existing line for the key is
# commented out, then the wanted key=value is appended.
echo
echo \*\*\*\* 限制FTP用户上传的文件所具有的权限
for ftp_opt in write_enable=NO ls_recurse_enable=NO anon_umask=077 local_umask=022; do
  ftp_key=${ftp_opt%%=*}
  systemctl list-unit-files|grep vsftpd > /dev/null \
    && sed -ri "/^\s*${ftp_key}\s*\W+.+$/s/^/#/" /etc/vsftpd/vsftpd.conf \
    && echo "$ftp_opt" >> /etc/vsftpd/vsftpd.conf
done
# Directory confinement for local FTP users.
# NOTE(review): chroot_local_user=NO means local users are *not* confined to
# their home directory, which contradicts this section's heading — confirm
# the intended value.
echo
echo \*\*\*\* 限制FTP用户登录后能访问的目录
systemctl list-unit-files|grep vsftpd > /dev/null \
  && sed -ri "/^\s*chroot_local_user\s*\W+.+$/s/^/#/" /etc/vsftpd/vsftpd.conf \
  && echo "chroot_local_user=NO" >> /etc/vsftpd/vsftpd.conf
# Automatic screen lock for hosts with a graphical desktop: a mandatory
# (user-unoverridable) gconf policy that activates the screensaver after 10
# idle minutes, locks, and blanks the screen. On a headless box without
# gconftool-2 the command simply fails and the script carries on.
# NOTE(review): CentOS 7 desktops are GNOME 3, which reads dconf/gsettings
# rather than gconf, so these keys may have no effect there — verify on a
# target with a desktop installed.
echo
echo \*\*\*\* 对于有图形界面的系统配置10分钟屏幕锁定
gconf_args=(
  --direct
  --config-source xml:readwrite:/etc/gconf/gconf.xml.mandatory
  --type bool
  --set /apps/gnome-screensaver/idle_activation_enabled true
  --set /apps/gnome-screensaver/lock_enabled true
  --type int
  --set /apps/gnome-screensaver/idle_delay 10
  --type string
  --set /apps/gnome-screensaver/mode blank-only
)
gconftool-2 "${gconf_args[@]}"
# FTP login banner (same vsftpd edit shape as above).
# NOTE(review): the single quotes are written literally into vsftpd.conf and
# presumably appear in the banner text shown to clients — verify.
echo
echo \*\*\*\* FTP Banner 设置
systemctl list-unit-files|grep vsftpd > /dev/null && sed -ri "/^\s*ftpd_banner\s*\W+.+$/s/^/#/" /etc/vsftpd/vsftpd.conf && echo "ftpd_banner='Authorized only. All activity will be monitored and reported.'" >> /etc/vsftpd/vsftpd.conf
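# NTP via chrony: point the host at the site server from centos.conf (NTP_ip)
# and sync the hardware clock.
echo
echo \*\*\*\* 配置NTP
cp /etc/chrony.conf "/etc/chrony.conf-$(date +%Y%m%d).bak"
# Only touch chrony when its unit exists on this host.
if systemctl list-unit-files|grep chronyd.service > /dev/null; then
  # Retire every active `server ...` line (the stock pool entries), then add
  # NTP_ip as the single active source. The original only commented out
  # dotted host names and then relied on finding a `# Please ...` comment to
  # insert after; appending is robust on a non-stock chrony.conf.
  sed -ri "/^\s*server\s+\S+.*$/s/^/# /" /etc/chrony.conf
  printf 'server %s iburst\n' "$NTP_ip" >> /etc/chrony.conf
  # Comment out any earlier maxdistance and pin it at 16.
  sed -ri "/^\s*maxdistance\s*\W+.+$/s/^/#/" /etc/chrony.conf
  echo "maxdistance 16" >> /etc/chrony.conf
  # The original `systemctl enable chronyd.service&>/dev/null 2` handed
  # systemctl a second unit name `2`, so the enable may have failed as a
  # whole; restart (which also starts a stopped service) picks up the edit.
  systemctl enable chronyd.service >/dev/null 2>&1
  systemctl restart chronyd.service > /dev/null
  # Write the system time to the hardware clock.
  hwclock -w > /dev/null
fi
# NOTE(review): this rule opens SNMP (UDP 161), not NTP (UDP 123), to every
# source address, and is not persisted across a reboot. It belongs with the
# SNMP section, restricted to the monitoring host (`-s <nms-ip>`), or in the
# firewalld/iptables-services configuration rather than a one-off insert.
/usr/sbin/iptables -I INPUT -p UDP --dport 161 -j ACCEPT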
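# Force a password change at root's next login by expiring the password now.
echo
echo \*\*\*\* 配置root下次登录时配置root密码
chage -d 0 root
# Recreate /etc/security/opasswd. pam_unix's remember= (configured above)
# stores the hashes of previous passwords in this file and fails with
# "passwd: Authentication token manipulation error" when it is missing. The
# previous file is kept as opasswd.old as before, but only moved when it
# actually exists (the unconditional mv errored on a fresh install), and the
# new file is made root-only because it will hold password hashes.
if [[ -e /etc/security/opasswd ]]; then
  mv -- /etc/security/opasswd /etc/security/opasswd.old
fi
touch /etc/security/opasswd
chmod 600 /etc/security/opasswd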
centos.conf
# Password policy values, consumed by the pam_cracklib / login.defs steps in centos*.sh
minlen="12"
PASS_MAX_DAYS="180"
PASS_MIN_DAYS="14"
PASS_WARN_AGE="14"
remember="3"
deny="5"
# Idle timeout (TMOUT), in seconds
TMOUT="600"
# SNMP settings: replace these placeholders before running the script
SNMP_user="testuser"
SNMP_group="testgroup"
SNMP_view="testview"
SNMP_password="dont_use_public"
SNMP_ip="127.0.0.1"
# Number of entries shown by the history command
history_num="30"
# NTP server address; prefer an internal time source where one exists
NTP_ip="120.25.108.11"
Windows
win.bat
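@Rem 20180116 Noticed that part of the "enable and configure WSUS" settings did not take effect; added registry settings that apply after a reboot, although gpedit still shows them as "Not configured" (cause not yet found).
@Rem 20180122 Added to the WSUS section: no automatic restart for scheduled installations while users are logged on.
@Rem 20180208 Why gpedit does not show the automatic-update settings: a policy edit is stored in two places, 1. the registry and 2. the Group Policy history file (C:\WINDOWS\system32\GroupPolicy\Machine\Registry). The registry copy is what the system reads and enforces; the history file is only gpedit's own record of state, so gpedit reports "Not configured".
@Rem 20180614 Commented out "disable the DHCP Client service": on Server 2012 the Network Location Awareness service depends on DHCP Client, and disabling it breaks network configuration.
@Rem 20190711 Moved the parameters into win.ini; added the NTP configuration.
@Rem Review: fixed the lost LockoutBadCount line (digit directly before the redirection),
@Rem cd into the script folder before reading win.ini, restrict share deletion to the
@Rem default disk shares, remove the default SNMP community, replace the missing exit label.
@echo off
setlocal
title Windows 安全加固脚本
@Rem "Run as administrator" starts cmd in System32, so switch to the script folder
@Rem first; otherwise win.ini is not found and every parameter below expands empty.
cd /d "%~dp0"
if not exist "win.ini" (
    echo **** win.ini not found in "%~dp0"
    pause
    exit /b 1
)
@Rem Load key=value parameters from win.ini; lines starting with # are comments.
for /f "eol=# delims=" %%i in ('type "win.ini"^| find /i "="') do set "%%i"
echo [Unicode]>win.inf
echo Unicode=yes>>win.inf
echo [System Access]>>win.inf
@Rem Enable password complexity
echo **** 启用密码复杂度策略
echo PasswordComplexity = 1 >>win.inf
@Rem Minimum password length = minlen
echo **** 配置密码长度最小值为minlen
echo MinimumPasswordLength = %minlen% >>win.inf
@Rem Rename the built-in Administrator account to admin_name
echo **** 更改管理员帐户名称为admin_name
echo NewAdministratorName = "%admin_name%" >>win.inf
@Rem Account lockout threshold = deny. Keep the space before the redirection: a
@Rem digit directly followed by the redirection is parsed as a handle number and
@Rem the line never reaches win.inf.
echo **** 配置帐户锁定阈值为deny
echo LockoutBadCount = %deny% >>win.inf
@Rem Enforce password history
echo **** 记住N次已使用的密码
echo PasswordHistorySize = %remember% >>win.inf
echo=
@Rem Remove or disable high-risk accounts
echo **** 禁用Guest用户
echo EnableGuestAccount = 0 >>win.inf
echo=
@Rem Reset the account lockout counter after 5 minutes
echo **** 5分钟后重置帐户锁定计数器
echo ResetLockoutCount = 5 >>win.inf
echo=
@Rem Account lockout duration
echo **** 设置帐户锁定时间为5分钟
echo LockoutDuration = 5 >>win.inf
echo=
@Rem Maximum password age (optional, not configured by default)
echo **** 设置180天更改密码(可选)
echo MaximumPasswordAge = %PASS_MAX_DAYS% >>win.inf
echo=
echo [Event Audit]>>win.inf
@Rem Audit policy; 3 = audit success and failure
echo **** 配置日志审核策略
echo AuditSystemEvents = 3 >>win.inf
echo AuditLogonEvents = 3 >>win.inf
echo AuditObjectAccess = 3 >>win.inf
echo AuditPrivilegeUse = 3 >>win.inf
echo AuditPolicyChange = 3 >>win.inf
echo AuditAccountManage = 3 >>win.inf
echo AuditProcessTracking = 3 >>win.inf
echo AuditDSAccess = 3 >>win.inf
echo AuditAccountLogon = 3 >>win.inf
echo=
@Rem Event log sizing: MaxSize 0x8000000 = 128 MB, Retention 0 = overwrite as needed
echo **** 正确配置Windows日志(当日志文件大于128M时按需覆盖事件)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System" /v MaxSize /t REG_DWORD /d 0x8000000 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\System" /v Retention /t REG_DWORD /d 0x00000000 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application" /v MaxSize /t REG_DWORD /d 0x8000000 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Application" /v Retention /t REG_DWORD /d 0x00000000 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security" /v MaxSize /t REG_DWORD /d 0x8000000 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\eventlog\Security" /v Retention /t REG_DWORD /d 0x00000000 /f
echo=
echo [Privilege Rights]>>win.inf
@Rem Restrict "Shut down the system" to Administrators (S-1-5-32-544)
echo **** 配置仅“Administrators”用户组可关闭系统
echo SeShutdownPrivilege = *S-1-5-32-544 >>win.inf
echo=
@Rem Restrict "Force shutdown from a remote system" to Administrators
echo **** 配置仅“Administrators”用户组可从远端关闭系统
echo SeRemoteShutdownPrivilege = *S-1-5-32-544 >>win.inf
echo=
@Rem Restrict "Take ownership of files or other objects" to Administrators
echo **** 配置仅“Administrators”用户组可取得文件或其它对象的所有权
echo SeTakeOwnershipPrivilege = *S-1-5-32-544 >>win.inf
echo=
@Rem "Allow log on locally": Administrators and Users (S-1-5-32-545)
echo **** 配置仅“Administrators”和“Users”用户组可本地登录
echo SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-545 >>win.inf
echo=
@Rem "Access this computer from the network": Administrators and Users
echo **** 配置仅“Administrators”和“Users”用户组可从网络访问此计算机
echo SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-32-545 >>win.inf
echo=
@Rem Clear the lists of anonymously accessible shares and named pipes
echo **** 将“网络访问: 可匿名访问的共享”、“网络访问: 可匿名访问的命名管道”,配置为空
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters" /v NullSessionShares /t REG_MULTI_SZ /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\LanmanServer\Parameters" /v NullSessionPipes /t REG_MULTI_SZ /f
echo=
@Rem Restrict anonymous connections (SAM account and share enumeration)
echo **** 将“网络访问: 不允许 SAM 帐户和共享的匿名枚举”、“网络访问: 不允许 SAM 帐户的匿名枚举”,配置为“启用”
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v restrictanonymoussam /t REG_DWORD /d 0x00000001 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v restrictanonymous /t REG_DWORD /d 0x00000001 /f
echo=
@Rem SNMP: replace the default "public" community with SNMP_password (4 = read only)
@Rem and allow only SNMP_ip as manager. The SNMP service must already be installed;
@Rem set SNMP_password and SNMP_ip in win.ini. The original only added the new
@Rem community and left "public" in place.
echo **** 修改SNMP团体字为:SNMP_password,指定管理端SNMP_IP
reg delete "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities" /v public /f >nul 2>nul
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\ValidCommunities" /v "%SNMP_password%" /t REG_DWORD /d 0x00000004 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\SNMP\Parameters\PermittedManagers" /v 1 /t REG_SZ /d "%SNMP_ip%" /f
echo=
@Rem Turn off AutoPlay for all drive types. NOTE: the HKEY_CURRENT_USER entries here
@Rem and in the screen saver section affect only the account running this script.
echo **** 启用“关闭自动播放策略”且对所有驱动器生效
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 0x000000ff /f
reg add "HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer" /v NoDriveTypeAutoRun /t REG_DWORD /d 0x000000ff /f
echo=
@Rem Disable automatic logon
echo **** 禁止Windows自动登录
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" /v AutoAdminLogon /t REG_SZ /d 0 /f
echo=
@Rem "Display user information when the session is locked": do not display
echo **** 配置锁定会话时不显示用户信息
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" /v DontDisplayLockedUserId /t REG_DWORD /d 0x00000003 /f
echo=
@Rem "Prompt user to change password before expiration": 14 days (0x0e)
echo **** 配置在密码过期前14天提示更改密码
reg add "HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon" /v PasswordExpiryWarning /t REG_DWORD /d 0x0000000e /f
echo=
@Rem Delete and disable the default administrative disk shares (C$, D$, ..., ADMIN$).
@Rem Only those names are matched, so IPC$ and custom shares stay; the original
@Rem ran "net share X /del" on every token of the net share output and removed
@Rem every share on the host.
echo **** 删除并禁用Windows磁盘默认共享
for /f "tokens=1" %%i in ('net share ^| findstr /r /c:"^[A-Z]\$ " /c:"^ADMIN\$ "') do (
net share %%i /delete ) >nul 2>nul
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareServer /t REG_DWORD /d 0x00000000 /f
reg add "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters" /v AutoShareWks /t REG_DWORD /d 0x00000000 /f
echo=
@Rem Shared-folder permissions (for operators' reference). This edits the NTFS ACL
@Rem of each remaining share's path (second column of net share), not the share
@Rem permissions; header lines and IPC$ produce harmless failures that are discarded.
echo **** 将共享文件夹中“Everyone(任何人)”权限删掉
for /f "tokens=2" %%i in ('net share') do (
cacls %%i /r "everyone" /e ) >nul 2>nul
echo=
@Rem Data Execution Prevention: OptIn = essential Windows programs and services only
echo **** 设置仅为基本Windows程序和服务启用DEP
@Rem Server 2008:
bcdedit /set nx OptIn
@Rem Server 2003 (boot.ini):
@Rem /noexecute=optin
echo=
@Rem "Do not display last user name" on the logon screen
echo **** 配置登录屏幕上不要显示上次登录的用户名
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Policies\System" /v DontDisplayLastUserName /t REG_DWORD /d 0x00000001 /f
echo=
@Rem Enable and configure WSUS (WSUS_ip from win.ini); AUOptions 3 = download and notify
echo **** 启用并正确配置WSUS(自动下载并通知安装)
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v AUOptions /t REG_DWORD /d 0x00000003 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoRebootWithLoggedOnUsers /t REG_DWORD /d 0x00000001 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v NoAutoUpdate /t REG_DWORD /d 0x00000000 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v ScheduledInstallDay /t REG_DWORD /d 0x00000000 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v ScheduledInstallTime /t REG_DWORD /d 0x00000003 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU" /v UseWUServer /t REG_DWORD /d 0x00000001 /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v WUServer /t REG_SZ /d "%WSUS_ip%" /f
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate" /v WUStatusServer /t REG_SZ /d "%WSUS_ip%" /f
echo=
@Rem Enable and configure NTP (NTP_ip from win.ini). The NtpServer provider,
@Rem AnnounceFlags 5 and the firewall rule also make this host serve time on
@Rem UDP/123 to any source; drop those three lines if the host is only a client.
@Rem The deprecated "netsh firewall" syntax was replaced by netsh advfirewall.
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\Parameters" /v NtpServer /t REG_SZ /d "%NTP_ip%,0x9" /f
w32tm /config /manualpeerlist:"%NTP_ip%" /syncfromflags:manual /update
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\TimeProviders\NtpServer" /v Enabled /t REG_DWORD /d 0x00000001 /f
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\W32Time\Config" /v AnnounceFlags /t REG_DWORD /d 0x00000005 /f
sc config "W32Time" start= delayed-auto >nul 2>nul
netsh advfirewall firewall add rule name="NTPSERVER" dir=in action=allow protocol=UDP localport=123 >nul 2>nul
@Rem Restart unconditionally. The original "start || stop && start && resync" chain is
@Rem left-associative in cmd, so an already running service was never restarted.
net stop w32time >nul 2>nul
net start w32time >nul 2>nul
w32tm /resync >nul 2>nul
echo=
@Rem Screen saver: 10 minutes (TMOUT seconds), password required on resume
echo **** 启用屏幕保护程序,等待时间为10分钟,并设置在恢复时需要密码保护
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v SCRNSAVE.EXE /t REG_SZ /d C:\Windows\system32\scrnsave.scr /f
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure /t REG_SZ /d 1 /f
reg add "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeOut /t REG_SZ /d "%TMOUT%" /f
echo=
@Rem Disable "Do not require CTRL+ALT+DEL"
echo **** “交互式登录: 无须(不需要)按 Ctrl+Alt+Del”,配置为“已禁用(停用)”
reg add "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Currentversion\Policies\System" /v disablecad /t REG_DWORD /d 0x00000000 /f
echo=
@Rem Stop and disable unnecessary services
echo **** 禁用以下服务:Windows Internet Name Service (WINS)、Remote Access Connection Manager、Simple TCP/IP Services、Simple Mail Transport Protocol (SMTP) 、DHCP Client、DHCP Server、Message Queuing
wmic service where name="SimpTcp" call stopservice >nul 2>nul
sc config "SimpTcp" start= disabled >nul 2>nul
wmic service where name="SMTPSVC" call stopservice >nul 2>nul
sc config "SMTPSVC" start= disabled >nul 2>nul
wmic service where name="WINS" call stopservice >nul 2>nul
sc config "WINS" start= disabled >nul 2>nul
wmic service where name="RasMan" call stopservice >nul 2>nul
sc config "RasMan" start= disabled >nul 2>nul
wmic service where name="DHCPServer" call stopservice >nul 2>nul
sc config "DHCPServer" start= disabled >nul 2>nul
@Rem DHCP Client is kept enabled (see the 20180614 note above)
@Rem wmic service where name="DHCP" call stopservice >nul 2>nul
@Rem sc config "DHCP" start= disabled >nul 2>nul
wmic service where name="MSMQ" call stopservice >nul 2>nul
sc config "MSMQ" start= disabled >nul 2>nul
echo=
@Rem Patch check. NOTE(review): wmic's exit status only reflects a failed query,
@Rem not an empty hotfix list, so this is an approximate check.
echo **** 检测是否安装补丁
wmic qfe get hotfixid >nul 2>nul || echo 尚未安装补丁,请安装!
echo=
@Rem Require a password change at next logon for the administrator account
@Rem (both the built-in name and the renamed admin_name are attempted)
echo **** 设置administrator(admin)用户下次登录必须更改密码
net user Administrator /logonpasswordchg:yes >nul 2>nul
net user %admin_name% /logonpasswordchg:yes >nul 2>nul
echo=
echo [Version]>>win.inf
echo signature="$CHICAGO$">>win.inf
echo Revision=1 >>win.inf
@Rem Apply the security template built above, then remove the temporary files
secedit /configure /db win.sdb /cfg win.inf
del win.inf /q
del win.sdb /q
echo=
echo=
echo=
echo=
echo 【配置完成,部分配置重启系统后生效】
echo=
echo=
echo=
echo=
echo 按任意键退出
pause
@Rem The original ended with "goto exit" but defined no :exit label, which makes
@Rem cmd report a missing label on exit.
endlocal
exit /b 0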
win.ini
#Password policy, loaded by win.bat. Keep comment lines free of the equals sign,
#because win.bat treats every line containing one as a parameter.
minlen=12
PASS_MAX_DAYS=180
remember=3
deny=5
#Screen saver timeout in seconds
TMOUT=600
#The built-in Administrator account is renamed to this
admin_name=admin
#SNMP: community string (added read-only by win.bat) and the only permitted manager.
#Replace both placeholders before running the script.
SNMP_password=dont_use_public
SNMP_ip=127.0.0.1
#WSUS server URL
WSUS_ip=http://127.0.0.1
#NTP server address
NTP_ip=120.25.108.11