漏洞扫描，linux配置规范处理

#!/bin/bash

## set shortest length of password
filename=/etc/login.defs
if [ -f "$filename" ];then
  passminlen=`cat $filename|grep PASS_MIN_LEN|grep -v "#"`
  sed -i "s#$passminlen#PASS_MIN_LEN    8#g" $filename
  ## set password timeout.half of years
  passmaxdays=`cat $filename|grep PASS_MAX_DAYS|grep -v "#"`
  sed -i "s#$passmaxdays#PASS_MAX_DAYS   180#g" $filename
fi

filename=/etc/pam.d/system-auth

if [ -f "$filename" ];then
  pam_cracklib_so=`cat $filename|grep pam_cracklib.so|grep -v "#"`
  if [ -z "$pam_cracklib_so" ];then
    ## not exist pam_cracklib.so, need to add
    echo "password requisite pam_cracklib.so ucredit=-2 lcredit=-2 dcredit=-2" >> $filename
  fi 
fi

## limit su to root
filename=/etc/pam.d/su

if [ -f "$filename" ];then
  pam_rootok_so=`cat $filename|grep  pam_rootok.so|grep -v "#"`
  if [ -z "$pam_rootok_so" ];then
    ## empty,need add
    sed -i '2i auth sufficient pam_rootok.so' $filename
  fi
  
  wheel_group=`cat $filename|grep pam_wheel.so|grep -v "#"`
  if [ -z "$wheel_group" ];then
    sed -i '3i auth required pam_wheel.so group=wheel' $filename
  fi
fi


filename=/etc/profile

if [ -f "$filename" ];then

  ## get the 2 line data
  old_val=`sed -n 2p $filename`
  new_val="umask 027"
  if [ "$old_val" != "$new_val" ];then
    ## add config in the 2 line
    sed -i '2i umask 027' $filename
  fi
  
  ## add command line timeout quit.
  timeout_quit=`cat $filename|grep TMOUT=300|grep -v "#"`
  if [ -z "$timeout_quit" ];then 
    echo "export TMOUT=300" >> $filename
  fi
fi

filename=/etc/ssh/sshd_config

if [ -f "$filename" ];then
  rootlogin=`cat $filename|grep PermitRootLogin|grep -v "#"`
  if [ -z "$rootlogin" ];then
    echo "PermitRootLogin no" >> $filename
  else
   sed -i "s#$rootlogin#PermitRootLogin no#g" $filename
  fi
  
  if [ -f "/etc/init.d/sshd" ];then
    /etc/init.d/sshd restart
  fi
fi

filename=/etc/rsyslog.conf

if [ -f "$filename" ];then
  secure_log=`cat $filename|grep "authpriv.* /var/log/secure"|grep -v "#"`
  if [ -z "$secure_log" ];then
    echo "authpriv.* /var/log/secure" >> $filename
  fi
fi

filename=/var/log/secure

if [ ! -f "$filename" ];then
  touch $filename
fi
if [ -f "/etc/init.d/syslog" ];then
  /etc/init.d/syslog restart
fi
## delete ftp user
sed -i '/ftp:/d' /etc/passwd

filename=/etc/vsftpd.conf
if [ -f "$filename" ];then
  anonymous_enable=`cat $filename|grep "anonymous_enable="|grep -v "#"`
  if [ -z "$anonymous_enable" ];then
    echo "anonymous_enable=NO" >> $filename
  else
    sed -i "s#$anonymous_enable#anonymous_enable=NO#g" $filename
  fi
else
  touch $filename
  echo "anonymous_enable=NO" >> $filename 
fi

filename=/etc/vsftpd/vsftpd.conf
if [ -f $filename ];then
  anonymous_enable=`cat $filename|grep "anonymous_enable="|grep -v "#"`
  if [ -z "$anonymous_enable" ];then
    echo "anonymous_enable=NO" >> $filename
  else
    sed -i "s#$anonymous_enable#anonymous_enable=NO#g" $filename
  fi
else
  mkdir -p /etc/vsftpd/
  touch $filename
  echo "anonymous_enable=NO" >> $filename 
fi


filename=/etc/ftpusers

if [ -f "$filename" ];then
  root_text=`cat $filename|grep "root"|grep -v "#"`
  if [ -z "$root_text" ];then
    echo "root" >> $filename
  ## do not need to replace, due to there are only name in the ftpusers file
  fi
else
  touch $filename
  echo "root" >> $filename
fi


filename=/etc/vsftpd/ftpusers

if [ -f "$filename" ];then
  root_text=`cat $filename|grep "root"|grep -v "#"`
  if [ -z "$root_text" ];then
    echo "root" >> $filename
  ## do not need to replace, due to there are only name in the ftpusers file
  fi
else
  mkdir -p /etc/vsftpd
  touch $filename
  echo "root" >> $filename
fi

p_telnet=`rpm -qa|grep telnet`
if [[ $p_telnet =~ "telnet" ]];then
  ## have install telnet
  filename=/etc/xinetd.d/telnet
  if [ -f "$filename" ];then
     disable_text=`cat $filename|grep disable|grep -v "#"`
     if [ -z "$disable_text" ];then
       echo "disable = yes" >> $filename
     else
       sed "s#$disable_text#disable = yes#g" $filename
     fi
     service xinetd restart
  fi
fi
## delete 
netric_file=`find / -maxdepth 3 -name .netrc`

if [ ! -z "$netric_file" ];then
  mv $netric_file "$netric_file".bak
fi

hosts_equiv=`find / -maxdepth 3 -name hosts.equiv`

if [ ! -z "$hosts_equiv" ];then
  mv $hosts_equiv "$hosts_equiv".bak
fi


rhosts=`find / -maxdepth 3 -name .rhosts`

if [ ! -z "$rhosts" ];then
  mv $rhosts "$rhosts".bak
fi


function closeService(){
  chkconfig --level 0123456 $1 off > /dev/null 2>&1
}

closeService printer
closeService sendmail
closeService ypbind
closeService kshell
closeService lpd
closeService ident
closeService tftp
closeService time
closeService time-udp
closeService ntalk
closeService bootps
closeService chargen
closeService chargen-udp
closeService nfs
closeService daytime
closeService nfslock
closeService echo
closeService echo-udp
closeService discard
closeService discard-udp
closeService klogin


filename=/etc/vsftpd/chroot_list

if [ -f "$filename" ];then
  root_text=`cat $filename|grep "root"|grep -v "#"`
  if [ -z "$root_text" ];then
    echo "root" >> $filename
  ## limit root user access with no password
  fi
else
  touch $filename
  echo "root" >> $filename
fi


chmod 644 /etc/group
chmod 600 /etc/shadow
chmod 644 /etc/passwd


if [ -f "/etc/issue" ];then
  mv /etc/issue /etc/issue.bak
fi
if [ -f "/etc/issue.net" ];then
  mv /etc/issue.net /etc/issue.net.bak
fi