#!/bin/bash
# Author:韩伟
# Date: 2019-12-29
# 实现对用户密码策略的设定,如密码最长有效期等
date=`date +%Y-%m-%d`
read -p "是否设置密码策略[y/n]:" Y
if [ "$Y" == "y" ];then
read -p "设置密码最多可多少天不修改:" A
read -p "设置密码修改之间最小的天数:" B
read -p "设置密码最短的长度:" C
read -p "设置密码失效前多少天通知用户:" D
cp /etc/login.defs /etc/login.defs.${date}
sed -i '/^PASS_MAX_DAYS/c\PASS_MAX_DAYS '$A'' /etc/login.defs
sed -i '/^PASS_MIN_DAYS/c\PASS_MIN_DAYS '$B'' /etc/login.defs
sed -i '/^PASS_MIN_LEN/c\PASS_MIN_LEN '$C'' /etc/login.defs
sed -i '/^PASS_WARN_AGE/c\PASS_WARN_AGE '$D'' /etc/login.defs
else
break
fi
echo "已设置好密码策略......"
read -p "是否设置密码强度[y/n]:" Y
if [ "$Y" == "y" ];then
read -p "定义新密码中必须要有几个字符和旧密码不同:" AA
read -p "设置新密码的最小长度:" BB
read -p "设定新密码中可以包含的大写字母的最大数目。-1 至少一个:" CC
read -p "设定新密码中可以包含的小写字母的最大数目-1 至少一个:" DD
read -p "设定新密码中可以包含的数字的最大数目-1 至少一个: " EE
cp /etc/pam.d/system-auth /etc/pam.d/system-auth.${date}
sed -i '/pam_pwquality.so/c\password requisite pam_pwquality.so try_first_pass local_users_only retry=3 authtok_type= difok='$AA' minlen='$BB' ucredit='$CC' lcredit='$DD' dcredit='$EE'' /etc/pam.d/system-auth
else
break
fi
echo "已设置密码强度"
# 对用户登录输入错误密码次数做限制
n=`cat /etc/pam.d/sshd | grep "auth required pam_tally2.so "|wc -l`
if [ $n -gt 0 ];then
echo "已经设置了错误密码限制,请核实"
fi
read -p "是否设置错误密码登录限制[y/n]: " Y
if [ "$Y" == "y" ];then
read -p "请输入限制次数: " num
read -p "请输入锁定时间(s):" time
echo $num $time
cp /etc/pam.d/sshd /etc/pam.d/sshd.${date}
sed -i '/%PAM-1.0/a\auth required pam_tally2.so deny='${num}' unlock_time='$time' even_deny_root root_unlock_time='$time'' /etc/pam.d/sshd
sed -n '2,6p' /etc/pam.d/sshd
else
break
fi
echo "限制次数设定为'$num' 锁定时间 '$time' "
##设置历史命令保存条数和账户超时时间
read -p "设置历史命令保存条数和账户超时时间[y/n]:" Y
if [ "$Y" == "y" ];then
read -p "设置历史命令保存条数:" E
read -p "设置账户自动注销时间:" F
cp /etc/profile /etc/profile.${date}
sed -i '/^HISTSIZE/c\HISTSIZE='$E'' /etc/profile
sed -i '/^HISTSIZE/a\TMOUT='$F'' /etc/profile
else
break
fi
echo "设置历史命令保存条数为'$E' 账户超时时间为'$F'"
##设置只有指定用户组才能使用su命令切换到root用户
read -p " 设置只有指定用户组才能使用su命令切换到root用户 [y/n]:" Y
if [ "$Y" == "y" ];then
cp /etc/pam.d/su /etc/pam.d/su.${date}
sed -i '/pam_wheel.so use_uid/c\auth required pam_wheel.so use_uid ' /etc/pam.d/su
n=`cat /etc/login.defs | grep SU_WHEEL_ONLY | wc -l`
if [ $n -eq 0 ];then
echo SU_WHEEL_ONLY yes >> /etc/login.defs
fi
else
break
fi
# 对系统中的用户做检查,加固系统
echo "系统中有登录权限的用户有:"
awk -F: '($7=="/bin/bash"){print $1}' /etc/passwd
echo "********************************************"
echo "系统中UID=0的用户有:"
awk -F: '($3=="0"){print $1}' /etc/passwd
echo "********************************************"
N=`awk -F: '($2==""){print $1}' /etc/shadow|wc -l`
echo "系统中空密码用户有:$N"
if [ $N -eq 0 ];then
echo "恭喜你,系统中无空密码用户!!"
echo "********************************************"
else
i=1
while [ $N -gt 0 ]
do
None=`awk -F: '($2==""){print $1}' /etc/shadow|awk 'NR=='$i'{print}'`
echo "------------------------"
echo $None
echo "必须为空用户设置密码!!"
passwd $None
let N--
done
M=`awk -F: '($2==""){print $1}' /etc/shadow|wc -l`
if [ $M -eq 0 ];then
echo "恭喜,系统中已经没有空密码用户了!"
else
echo "系统中还存在空密码用户:$M"
fi
fi
##对重要的文件进行锁定,即使ROOT用户也无法删除
echo "对重要文件锁定:/etc/passwd /etc/shadow /etc/gshadow"
read -p "警告:此脚本运行后将无法添加删除用户和组!!确定输入Y,取消输入N;Y/N:" i
case $i in
[Y,y])
chattr +i /etc/passwd
chattr +i /etc/shadow
chattr +i /etc/group
chattr +i /etc/gshadow
echo "锁定成功!"
;;
[N,n])
chattr -i /etc/passwd
chattr -i /etc/shadow
chattr -i /etc/group
chattr -i /etc/gshadow
echo "取消锁定成功!!"
;;
*)
echo "请输入Y/y or N/n"
esac