init_centos7.sh 脚本内容如下
脚本描述：脚本从 https://github.com/vtrois/spacepack 下载，并根据需要进行了调整；CentOS7 安全加固系列文章中添加了一些加固项。
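#!/usr/bin/env bash
#
# Author: Seaton Jiang <seaton@vtrois.com>
# Github URL: https://github.com/vtrois/spacepack
# License: MIT
# Date: 2020-08-13
#
# Initialise a fresh CentOS 7 host. Each step is a function; every step writes
# a section header plus the raw output of its commands to ${LOCK} (which also
# serves as the "already initialised" marker checked by check_lock) and prints
# only a one-line status to the terminal.
#
# NOTE(review): not every step here is a hardening step — disable_software
# turns SELinux and firewalld off, adjust_ulimit enables unlimited core dumps,
# and kernel_optimum enables every SysRq function. Read the per-function
# comments before wiring a step into main().

export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

RGB_DANGER='\033[31;1m'
RGB_WAIT='\033[37;2m'
RGB_SUCCESS='\033[32m'
RGB_WARNING='\033[33;1m'
RGB_INFO='\033[36;1m'
RGB_END='\033[0m'

# Major release number taken from /etc/redhat-release (e.g. "7"). Empty when
# the file is missing, which makes check_os reject the host.
CHECK_CENTOS=$(sed -r 's/.* ([0-9])\..*/\1/' /etc/redhat-release 2>/dev/null)
# Installed RAM in GB (MemTotal is in kB; rounded to the nearest integer).
CHECK_RAM=$(awk '/^MemTotal/ {printf("%.0f", $2/1000000)}' /proc/meminfo 2>/dev/null)

# Log file for command output; its existence marks a completed run.
LOCK=/var/log/init_centos7_record.log

#######################################
# Print the script banner to stdout.
#######################################
tool_info() {
  echo -e "========================================================================================="
  echo -e "Init CentOS 7 Script"
  echo -e "For more information please visit https://github.com/vtrois/spacepack"
  echo -e "========================================================================================="
}

#######################################
# Abort unless running as root (EUID 0).
#######################################
check_root() {
  if [[ $EUID -ne 0 ]]; then
    echo -e "${RGB_DANGER}This script must be run as root!${RGB_END}"
    exit 1
  fi
}

#######################################
# Create the log/marker file, or abort if it already exists
# (a previous run completed).
# Globals: LOCK
#######################################
check_lock() {
  if [ ! -f "$LOCK" ]; then
    touch "$LOCK"
  else
    echo -e "${RGB_DANGER}Detects that the initialization is complete and does not need to be initialized any further!${RGB_END}"
    exit 1
  fi
}

#######################################
# Abort unless the detected major release is 7.
# Globals: CHECK_CENTOS
#######################################
check_os() {
  if [ "${CHECK_CENTOS}" != '7' ]; then
    echo -e "${RGB_DANGER}This script must be run in CentOS 7!${RGB_END}"
    exit 1
  fi
}

#######################################
# Create a 1 GiB swap file when the host has 2 GB of RAM or less.
# Appends vm.swappiness to /etc/sysctl.conf — kernel_optimum() replaces that
# file wholesale, so run kernel_optimum() before this step or the line is lost.
# Globals: CHECK_RAM, LOCK
#######################################
new_swap() {
  echo "============= swap =============" >> "${LOCK}" 2>&1
  # A non-numeric/empty CHECK_RAM skips the step instead of erroring in `[`.
  if [[ "${CHECK_RAM}" =~ ^[0-9]+$ && "${CHECK_RAM}" -le 2 ]]; then
    echo -en "${RGB_WAIT}Configuring...${RGB_END}"
    dd if=/dev/zero of=/swapfile bs=1024 count=1048576 >> "${LOCK}" 2>&1
    # 0600 before mkswap: swapon refuses (and warns about) world-readable swap.
    chmod 600 /swapfile >> "${LOCK}" 2>&1
    mkswap /swapfile >> "${LOCK}" 2>&1
    swapon /swapfile >> "${LOCK}" 2>&1
    echo '/swapfile swap swap defaults 0 0' >> /etc/fstab
    echo '# Swap' >> /etc/sysctl.conf
    echo 'vm.swappiness=10' >> /etc/sysctl.conf
    sysctl -p >> "${LOCK}" 2>&1
    sysctl -n vm.swappiness >> "${LOCK}" 2>&1
    echo -e "\r${RGB_SUCCESS}Configuration Success${RGB_END}"
  else
    echo -e "${RGB_SUCCESS}Skip, no configuration needed${RGB_END}"
  fi
}

#######################################
# Select the BBR congestion control and fq qdisc.
# Appends to /etc/sysctl.conf (see the ordering note on new_swap).
# NOTE(review): the stock CentOS 7 3.10 kernel ships no tcp_bbr module, so
# this presumably only takes effect on a newer kernel; the `lsmod | grep bbr`
# line in the log shows whether the module actually loaded.
# Globals: LOCK
#######################################
open_bbr() {
  echo "============= bbr =============" >> "${LOCK}" 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  echo "# BBR" >> /etc/sysctl.conf
  echo "net.core.default_qdisc=fq" >> /etc/sysctl.conf
  echo "net.ipv4.tcp_congestion_control=bbr" >> /etc/sysctl.conf
  sysctl -p >> "${LOCK}" 2>&1
  sysctl -n net.ipv4.tcp_congestion_control >> "${LOCK}" 2>&1
  lsmod | grep bbr >> "${LOCK}" 2>&1
  echo -e "\r${RGB_SUCCESS}Configuration Success${RGB_END}"
}

#######################################
# Put SELinux in permissive mode now and disable it on next boot; stop and
# disable firewalld.
# NOTE(review): this step lowers the host's security posture — both controls
# are part of a normal hardening baseline. Keep it out of main() unless
# another firewall / mandatory access control layer replaces them.
# Globals: LOCK
#######################################
disable_software() {
  echo "============= selinux firewalld =============" >> "${LOCK}" 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  setenforce 0 >> "${LOCK}" 2>&1
  sed -i 's/^SELINUX=.*$/SELINUX=disabled/' /etc/selinux/config
  systemctl disable firewalld.service >> "${LOCK}" 2>&1
  systemctl stop firewalld.service >> "${LOCK}" 2>&1
  echo -e "\r${RGB_SUCCESS}Configuration Success${RGB_END}"
}

#######################################
# Point /etc/localtime at the Asia/Shanghai zoneinfo file.
# Globals: LOCK
#######################################
time_zone() {
  echo "============= time zone =============" >> "${LOCK}" 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  rm -rf /etc/localtime >> "${LOCK}" 2>&1
  ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime >> "${LOCK}" 2>&1
  ls -ln /etc/localtime >> "${LOCK}" 2>&1
  echo -e "\r${RGB_SUCCESS}Configuration Success${RGB_END}"
}

#######################################
# Install a login profile: coloured prompt, grep/ls aliases and timestamped
# shell history (HISTTIMEFORMAT), then log the resulting file.
# The heredoc is intentionally unquoted so that "\\\\$" collapses to the
# prompt's "\\$" sequence; the remaining "\[", "\e", "\u", "\h", "\W" are
# passed through unchanged.
# Globals: LOCK
#######################################
custom_profile() {
  echo "============= custom profile =============" >> "${LOCK}" 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  cat > /etc/profile.d/centos7init.sh << EOF
PS1="\[\e[37;40m\][\[\e[32;40m\]\u\[\e[37;40m\]@\h \[\e[35;40m\]\W\[\e[0m\]]\\\\$ "
GREP_OPTIONS="--color=auto"
alias l='ls -AFhlt'
alias grep='grep --color'
alias egrep='egrep --color'
alias fgrep='fgrep --color'
export HISTTIMEFORMAT="%Y-%m-%d %H:%M:%S"
EOF
  cat /etc/profile.d/centos7init.sh >> "${LOCK}" 2>&1
  echo -e "\r${RGB_SUCCESS}Configuration Success${RGB_END}"
}

#######################################
# Replace everything from "# End of file" onward in limits.conf with raised
# nproc/nofile limits for all users and root.
# NOTE(review): "core unlimited" enables core dumps for every user; hardening
# baselines usually set "* hard core 0" because dumps can contain secrets held
# in process memory. Confirm this is wanted before enabling the step.
# Globals: LOCK
#######################################
adjust_ulimit() {
  echo "============= adjust ulimit =============" >> "${LOCK}" 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  sed -i '/^# End of file/,$d' /etc/security/limits.conf
  cat >> /etc/security/limits.conf << EOF
# End of file
* soft core unlimited
* hard core unlimited
* soft nproc 1000000
* hard nproc 1000000
* soft nofile 1000000
* hard nofile 1000000
root soft core unlimited
root hard core unlimited
root soft nproc 1000000
root hard nproc 1000000
root soft nofile 1000000
root hard nofile 1000000
EOF
  cat /etc/security/limits.conf >> "${LOCK}" 2>&1
  echo -e "\r${RGB_SUCCESS}Configuration Success${RGB_END}"
}

#######################################
# Replace /etc/sysctl.conf with the tuned/hardened set below and apply it.
# A one-time backup is kept as /etc/sysctl.conf_bak (never overwritten).
# Because the file is rewritten, anything appended by new_swap, open_bbr or
# open_ipv6 before this point is discarded — run this step before them.
# NOTE(review) on the values:
#   - net.ipv4.tcp_tw_reuse=1 has no effect while tcp_timestamps=0; the
#     kernel only reuses TIME_WAIT sockets when timestamps are on.
#   - kernel.sysrq=1 enables every magic SysRq function; hardening baselines
#     set 0 or a restricted bitmask.
#   - Only conf.default.rp_filter is set; conf.all.rp_filter, *.send_redirects
#     and conf.default.accept_redirects are left at their defaults.
# Globals: LOCK
#######################################
kernel_optimum() {
  echo "============= kernel optimum =============" >> "${LOCK}" 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  [ ! -e "/etc/sysctl.conf_bak" ] && /bin/mv /etc/sysctl.conf{,_bak}
  cat > /etc/sysctl.conf << EOF
# Controls source route verification
net.ipv4.conf.default.rp_filter=1
net.ipv4.ip_nonlocal_bind=1
net.ipv4.ip_forward=0
net.ipv4.conf.all.accept_redirects=0
net.ipv4.conf.all.accept_source_route=0
net.ipv4.conf.default.accept_source_route=0
net.ipv4.icmp_echo_ignore_broadcasts=1
net.ipv4.conf.all.log_martians=1
net.ipv4.conf.default.log_martians=1
net.ipv4.conf.all.promote_secondaries=1
net.ipv4.conf.default.promote_secondaries=1
# Controls the use of TCP syncookies
# Number of pid_max
kernel.core_uses_pid=1
kernel.pid_max=1000000
net.ipv4.tcp_syncookies=1
# Controls the maximum size of a message, in bytes
# Controls the default maxmimum size of a mesage queue
# Controls the maximum shared segment size, in bytes
# Controls the maximum number of shared memory segments, in pages
kernel.msgmnb=65536
kernel.msgmax=65536
kernel.shmmax=68719476736
kernel.shmall=4294967296
kernel.sysrq=1
kernel.softlockup_panic=1
kernel.printk=5
# TCP kernel paramater
net.ipv4.tcp_mem=94500000 915000000 927000000
net.ipv4.tcp_rmem=4096 87380 4194304
net.ipv4.tcp_wmem=4096 16384 4194304
net.ipv4.tcp_window_scaling=1
net.ipv4.tcp_sack=1
# Socket buffer
net.core.wmem_default=8388608
net.core.rmem_default=8388608
net.core.rmem_max=16777216
net.core.wmem_max=16777216
net.core.netdev_max_backlog=32768
net.core.somaxconn=65535
net.core.optmem_max=81920
# TCP conn
net.ipv4.tcp_max_syn_backlog=262144
net.ipv4.tcp_syn_retries=1
net.ipv4.tcp_retries1=3
net.ipv4.tcp_retries2=15
# TCP conn reuse
net.ipv4.tcp_timestamps=0
net.ipv4.tcp_tw_reuse=1
net.ipv4.tcp_fin_timeout=5
net.ipv4.tcp_max_tw_buckets=7000
net.ipv4.tcp_max_orphans=3276800
net.ipv4.tcp_synack_retries=1
# keepalive conn
net.ipv4.tcp_keepalive_time=300
net.ipv4.tcp_keepalive_intvl=30
net.ipv4.tcp_keepalive_probes=3
net.ipv4.ip_local_port_range=1024 65535
net.ipv6.neigh.default.gc_thresh3=4096
net.ipv4.neigh.default.gc_thresh3=4096
EOF
  sysctl -p >> "${LOCK}" 2>&1
  cat /etc/sysctl.conf >> "${LOCK}" 2>&1
  echo -e "\r${RGB_SUCCESS}Configuration Success${RGB_END}"
}

#######################################
# Insert " /data" after the first "media" in /etc/updatedb.conf so that
# /data is excluded from the locate index.
# Globals: LOCK
#######################################
updatedb_optimum() {
  echo "============= updatedb optimum =============" >> "${LOCK}" 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  sed -i 's,media,media /data,' /etc/updatedb.conf
  cat /etc/updatedb.conf >> "${LOCK}" 2>&1
  echo -e "\r${RGB_SUCCESS}Configuration Success${RGB_END}"
}

#######################################
# Re-enable IPv6 on all interfaces via sysctl.
# Appends to /etc/sysctl.conf (see the ordering note on kernel_optimum).
# Globals: LOCK
#######################################
open_ipv6() {
  echo "============= open ipv6 =============" >> "${LOCK}" 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  echo '# IPV6' >> /etc/sysctl.conf
  echo 'net.ipv6.conf.all.disable_ipv6=0' >> /etc/sysctl.conf
  echo 'net.ipv6.conf.default.disable_ipv6=0' >> /etc/sysctl.conf
  echo 'net.ipv6.conf.lo.disable_ipv6=0' >> /etc/sysctl.conf
  sysctl -p >> "${LOCK}" 2>&1
  cat /etc/sysctl.conf >> "${LOCK}" 2>&1
  echo -e "\r${RGB_SUCCESS}Configuration Success${RGB_END}"
}

#######################################
# Mask ctrl-alt-del.target so the key combination no longer reboots the host.
# Globals: LOCK
#######################################
disable_cad() {
  echo "============= disable cad =============" >> "${LOCK}" 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  systemctl mask ctrl-alt-del.target >> "${LOCK}" 2>&1
  echo -e "\r${RGB_SUCCESS}Configuration Success${RGB_END}"
}

#######################################
# Delete unused system accounts and groups; the remaining user and group
# lists are written to the log for later audit.
# NOTE(review): userdel/groupdel failures (account in use, already absent)
# are only recorded in the log, not reported. Removing the "mail" user/group
# may affect local mail delivery on hosts that rely on it — confirm before
# enabling.
# Globals: LOCK
#######################################
remove_users() {
  echo "============= remove users =============" >> "${LOCK}" 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  local u g
  for u in adm lp sync shutdown halt mail operator games ftp; do
    userdel "${u}" >> "${LOCK}" 2>&1
  done
  cut -d: -f1 /etc/passwd >> "${LOCK}" 2>&1
  for g in adm lp mail games ftp; do
    groupdel "${g}" >> "${LOCK}" 2>&1
  done
  cat /etc/group >> "${LOCK}" 2>&1
  echo -e "\r${RGB_SUCCESS}Configuration Success${RGB_END}"
}

#######################################
# Enforce the expected modes on the account databases
# (passwd/group 0644, shadow/gshadow 0000) and log the result.
# Globals: LOCK
#######################################
sys_permissions() {
  echo "============= sys permissions =============" >> "${LOCK}" 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  chmod 644 /etc/passwd >> "${LOCK}" 2>&1
  chmod 644 /etc/group >> "${LOCK}" 2>&1
  chmod 000 /etc/shadow >> "${LOCK}" 2>&1
  chmod 000 /etc/gshadow >> "${LOCK}" 2>&1
  ls -la /etc/passwd >> "${LOCK}" 2>&1
  ls -la /etc/group >> "${LOCK}" 2>&1
  ls -la /etc/shadow >> "${LOCK}" 2>&1
  ls -la /etc/gshadow >> "${LOCK}" 2>&1
  echo -e "\r${RGB_SUCCESS}Configuration Success${RGB_END}"
}

#######################################
# Password ageing (max 90 / min 10 days in login.defs) and complexity
# (pwquality: min length 8, at least one digit, upper, lower and other).
# pwquality.conf is appended to rather than edited, so a second run would
# duplicate the lines — the check_lock marker is what prevents that.
# Globals: LOCK
#######################################
password_policy() {
  echo "============= password policy =============" >> "${LOCK}" 2>&1
  echo -en "${RGB_WAIT}Configuring...${RGB_END}"
  sed -i 's/^PASS_MAX_DAYS.*$/PASS_MAX_DAYS 90/' /etc/login.defs
  sed -i 's/^PASS_MIN_DAYS.*$/PASS_MIN_DAYS 10/' /etc/login.defs
  cat /etc/login.defs >> "${LOCK}" 2>&1
  cat >> /etc/security/pwquality.conf << EOF
minlen=8
dcredit=-1
ucredit=-1
ocredit=-1
lcredit=-1
EOF
  echo -e "\r${RGB_SUCCESS}Configuration Success${RGB_END}"
}

change_useradd(){echo"=============changeuseradd=============">>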