#!/bin/bash

echo "updata V1.0 by csc  2014-11-10"

# Script version; also embedded in the SSH banner and the run record.
VER="v1.3d"

# Human-readable identification line: printed now and appended to
# /etc/set_secure.conf at the end of a run.
VERSION="System Security configuration ${VER}, by WuHan Tianyu, 2013-07-19."
echo "$VERSION"


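#######################################
# Report, and minimally ensure, time synchronisation.
# If an ntp process is running, list the upstream servers from
# /etc/ntp.conf (the local clock 127.127.1.0 is excluded). Otherwise
# look for an ntp entry in root's crontab and, failing that, install a
# daily ntpdate job.
# Outputs:   server list / cron entries and a count on stdout
#######################################
SET_NTP() {
  local running
  echo -e "\n>>>>>  begin to set ntp ..."

  # '[n]tp' never matches grep's own command line, so no 'grep -v grep'
  # is needed; -c replaces the 'grep | wc -l' pipeline.
  running=$(ps -ef | grep -c '[n]tp')

  if [ "$running" -ne 0 ]; then
    grep "^server" /etc/ntp.conf | grep -v "127.127.1.0"
    echo "ntpserver No. is $(grep "^server" /etc/ntp.conf | grep -vc "127.127.1.0")"
  else
    if crontab -l 2>/dev/null | grep -v "^#" | grep -q ntp; then
      crontab -l | grep -v "^#" | grep ntp
    else
      # NOTE(review): ntpdate against 127.0.0.1 only syncs the host with
      # itself, so this fallback does not keep time accurate; point it at a
      # real NTP server (or install ntpd) before relying on it.
      # Installed through crontab(1) instead of appending to the spool file
      # directly, so crond picks it up immediately and the spool file keeps
      # the ownership/mode crontab expects.
      { crontab -l 2>/dev/null; echo "0 12 * * * ntpdate 127.0.0.1"; } | crontab -
      crontab -l | grep -v "^#" | grep ntp
    fi
    echo "ntpserver No. is $(crontab -l 2>/dev/null | grep -v "^#" | grep -c ntp)"
  fi
}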


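#######################################
# Make idle login shells exit after 180 s by setting TMOUT in /etc/profile.
# Rewrites an existing active TMOUT line, otherwise appends one.
#######################################
SET_TIMEOUT_LOGOUT() {
  echo -e "\n>>>>>  begin to set system timeout auto logout ..."

  # Only uncommented, non-empty lines count as an existing setting.
  if grep -v '^#' /etc/profile | grep . | grep -qi tmout; then
    # Replace every active TMOUT line in place but keep the 'export' so the
    # value reaches child shells (the previous rewrite dropped it). The
    # address skips comment lines so remarks are not turned into code.
    sed -i '/^[[:space:]]*#/! s/.*TMOUT.*/export TMOUT=180/' /etc/profile
  else
    echo "export TMOUT=180" >> /etc/profile
  fi

  # NOTE(review): a user can still 'unset TMOUT'; hardening baselines add
  # 'readonly TMOUT' after the assignment. Not added here to avoid
  # re-source errors in profiles that assign TMOUT twice — confirm first.
  echo "your system will auto logout at 180s"
}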


#######################################
# Make idle csh/tcsh sessions exit after 30 minutes via 'set autologout'
# in /etc/csh.cshrc (appended only when no active setting exists).
# Outputs:   the configured value (minutes) on stdout
#######################################
SET_IDLE_LOGOUT() {
  local minutes
  echo -e "\n>>>>>  begin to set system idle auto logout ..."

  # Active (uncommented, non-empty) autologout line already present?
  if ! grep -v '^#' /etc/csh.cshrc | grep . | grep -qi autologout; then
    echo "set autologout=30" >> /etc/csh.cshrc
  fi

  # Everything after '=' on each active autologout line, concatenated.
  minutes=$(grep -v '^#' /etc/csh.cshrc | grep . | grep -i autologout | awk -F= '{printf "%s", $2}')
  echo "your system will auto logout at idle ${minutes}m"
}



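#######################################
# Stop the host from accepting ICMP redirects: persist the setting in
# /etc/sysctl.conf (idempotently) and apply it with 'sysctl -p'.
#######################################
SET_ICMP_REDIRECTS() {
  local key
  echo -e "\n>>>>>  begin to set disable icmp redirects ..."

  # Both 'all' and 'default' are needed. For accept_redirects the kernel
  # combines the per-interface value with 'all' (with forwarding off, a
  # redirect is accepted if either is 1), so 'all = 0' alone does not
  # disable it on an interface whose own value is 1; 'default' seeds
  # every interface created later.
  for key in net.ipv4.conf.all.accept_redirects net.ipv4.conf.default.accept_redirects; do
    # Rewrite an existing entry or add one — the old version appended a new
    # line on every run and never corrected an existing '= 1'.
    if grep -q "^[[:space:]]*${key}[[:space:]]*=" /etc/sysctl.conf 2>/dev/null; then
      sed -i "s|^[[:space:]]*${key}[[:space:]]*=.*|${key} = 0|" /etc/sysctl.conf
    else
      echo "${key} = 0" >> /etc/sysctl.conf
    fi
  done

  sysctl -p > /dev/null
  echo "icmp redirects disabled"
}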


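#######################################
# Ensure /etc/motd carries a logon banner and print it.
# An existing non-empty motd is kept; only a missing/empty one is seeded.
#######################################
SET_LOGON_BANNER() {
  # Heading said "disable" although the function sets the banner.
  echo -e "\n>>>>>  begin to set logon banner ..."

  if [ ! -s /etc/motd ]; then
    echo "This is TianYu's Server!" >> /etc/motd
  fi

  # printf with the content as an argument keeps a multi-line motd's line
  # breaks and leaves its backslashes alone (the unquoted echo -e form
  # collapsed it onto one line and interpreted escapes).
  printf 'system logon banner is:\n--------\n%s\n--------\n' "$(cat /etc/motd)"
}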


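#######################################
# Point sshd at a pre-authentication banner file (/etc/sshbanner) and
# write the banner text into it.
# Globals:   VER (read)
#######################################
SET_SSH_BANNER() {
  local BANNER
  echo -e "\n>>>>>  begin to set ssh logon banner ..."

  # NOTE(review): sshd shows this to unauthenticated clients, and it
  # discloses the hardening tool and its version. A neutral authorised-use
  # notice leaks less; the text is kept unchanged here for compatibility.
  BANNER="Welcome -- set_secure ${VER}"

  if grep -v '^#' /etc/ssh/sshd_config | grep -qi '^[[:space:]]*banner[[:space:]]'; then
    # An existing directive (e.g. 'Banner none') previously won silently and
    # the file below was never shown; rewrite it to our banner file instead.
    sed -i '/^[[:space:]]*banner[[:space:]]/I s|.*|Banner /etc/sshbanner|' /etc/ssh/sshd_config
  else
    echo "Banner /etc/sshbanner" >> /etc/ssh/sshd_config
  fi

  echo "$BANNER" > /etc/sshbanner
  chmod 644 /etc/sshbanner
  printf 'system ssh banner is:\n--------\n%s\n--------\n' "$(cat /etc/sshbanner)"
}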


#######################################
# Disable SELinux: persist SELINUX=disabled in /etc/selinux/config and
# drop the running kernel to permissive mode.
# WARNING(review): this removes the mandatory-access-control layer and is
# a hardening *regression*, not a hardening step. It is kept only because
# the rest of this script assumes it; prefer enforcing mode with targeted
# policy fixes.
#######################################
SET_SELINUX_DISABLE() {
  local cfg=/etc/selinux/config
  echo -e "\n>>>>>  begin to set disable selinux ..."

  if ! grep -q 'SELINUX=disabled' "$cfg"; then
    # Same unanchored pattern as before: rewrites any 'SELINUX=' token,
    # commented or not (harmless on the stock file).
    sed -i -e 's/SELINUX=.*/SELINUX=disabled/g' "$cfg"
  fi

  # 'disabled' only takes effect at boot; permissive is all that can be
  # done on a live system (errors ignored when SELinux is already off).
  setenforce 0 2> /dev/null
  echo "SELINUX is disabled"
}


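#######################################
# Timestamp shell history by exporting HISTTIMEFORMAT from /etc/profile.
#######################################
SET_TIMEMASK_HISTORY() {
  echo -e "\n>>>>>  begin to set time mark for history ..."

  # Ignore commented-out lines; previously a '#export HISTTIMEFORMAT=...'
  # remark was enough to suppress the setting. Sibling checks filter
  # comments the same way.
  if ! grep -v '^#' /etc/profile | grep -qi histtimeformat; then
    echo "export HISTTIMEFORMAT=\"%F %T \"" >> /etc/profile
  fi

  echo "history is marked by time"
}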


#######################################
# Set the default umask for login shells to 027 via /etc/profile.
# An active 'umask' line at column 0 is rewritten; otherwise one is
# appended so it runs last and overrides the distro's conditional block.
#######################################
SET_UMASK() {
  echo -e "\n>>>>>  begin to set user's umask ..."

  grep -v '^#' /etc/profile | grep -qi '^umask'
  # Exit status 1 means "no active umask line"; any other status (found,
  # or file unreadable) takes the rewrite path, as before.
  if [ $? -eq 1 ]; then
    echo "umask 027" >> /etc/profile
  else
    sed -i 's/^umask.*/umask 027/' /etc/profile
  fi

  # NOTE(review): on RHEL-style systems /etc/bashrc also sets umask for
  # non-login interactive shells; it is not touched here — check whether
  # that path matters for your users.
  echo "set user's umask eq 027"
}


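#######################################
# Disable core dumps: '* soft core 0' and '* hard core 0' in
# /etc/security/limits.conf, plus fs.suid_dumpable=0.
#######################################
SET_SYS_CORE_DUMP() {
  local conf=/etc/security/limits.conf
  echo -e "\n>>>>>  begin to set system core dump ..."

  # grep -q keeps the matched line off the console (the old version printed
  # it here while silencing every sibling check). The sed is anchored on a
  # non-comment first character so a '#...soft...core' remark is neither
  # rewritten nor un-commented.
  if grep -v '^#' "$conf" | grep . | grep -q "soft.*core"; then
    sed -i 's/^[^#].*soft.*core.*/\* soft core 0/' "$conf"
  else
    echo "* soft core 0" >> "$conf"
  fi

  if grep -v '^#' "$conf" | grep . | grep -q "hard.*core"; then
    sed -i 's/^[^#].*hard.*core.*/\* hard core 0/' "$conf"
  else
    echo "* hard core 0" >> "$conf"
  fi

  # limits.conf is enforced by pam_limits, i.e. only for PAM sessions.
  # fs.suid_dumpable=0 independently stops setuid/setgid processes from
  # dumping, which is the part that matters for privilege escalation.
  if grep -q '^[[:space:]]*fs.suid_dumpable' /etc/sysctl.conf 2>/dev/null; then
    sed -i 's/^[[:space:]]*fs.suid_dumpable.*/fs.suid_dumpable = 0/' /etc/sysctl.conf
  else
    echo "fs.suid_dumpable = 0" >> /etc/sysctl.conf
  fi
  sysctl -w fs.suid_dumpable=0 > /dev/null

  echo "set system core dump done"
}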


# Password history: the last 5 passwords cannot be reused (pam_unix remember=5).

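#######################################
# Keep a history of old passwords so the last 5 cannot be reused:
# adds 'remember=5' to the pam_unix password line in system-auth and
# makes sure the history file /etc/security/opasswd exists, root-only.
#######################################
SET_OLD_PASSWD_SAVE() {
  local pamfile=/etc/pam.d/system-auth
  echo -e "\n>>>>>  begin to set old passwd save ..."

  if ! grep -v '^#' "$pamfile" | grep -q "password.*pam_unix.so.*remember="; then
    # pam_unix writes the history here; it must exist and be readable by
    # root only (it contains password hashes).
    touch /etc/security/opasswd
    chown root:root /etc/security/opasswd
    chmod 600 /etc/security/opasswd

    # Append remember=5 to the existing pam_unix password line rather than
    # replacing the whole line. The previous rewrite hard-coded 'md5'
    # (silently downgrading sha512 hashing on newer distros) and 'nullok'
    # (empty passwords allowed), weakening what it set out to harden.
    sed -i '/^[[:space:]]*password.*pam_unix.so/ s/[[:space:]]*$/ remember=5/' "$pamfile"
  fi

  echo "the old passwd will save in /etc/security/opasswd"
}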


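#######################################
# Enforce password complexity: length >= 8, at least one upper, lower,
# digit and other character, and at least 2 classes, via the PAM
# password-quality module present in system-auth.
# Exits the script with status 1 when no such module line is found
# (pre-existing behaviour; note that later hardening steps are then
# skipped).
#######################################
SET_PASSWD_STRENGTH() {
  local pamfile=/etc/pam.d/system-auth mod
  echo -e "\n>>>>>  begin to set passwd strength ..."

  # pam_cracklib (older stacks) and pam_pwquality (its successor) accept the
  # same minlen/credit/minclass options; use whichever the file already has.
  # Previously a pwquality-based system always hit the failure path.
  for mod in pam_cracklib.so pam_pwquality.so; do
    if grep -v '^#' "$pamfile" | grep -q "password.*${mod}"; then
      sed -i "s/password.*${mod}.*/password\trequisite\t${mod} minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1 minclass=2/g" "$pamfile"
      # NOTE(review): root bypasses these checks unless 'enforce_for_root'
      # is added to the line — consider it.
      echo "set passwd strength success"
      return 0
    fi
  done

  echo "set passwd strength failed"
  exit 1
}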


#######################################
# Remove stock system accounts and groups that this baseline considers
# unused. Home directories are not removed (no 'userdel -r'), and errors
# for already-missing entries are printed, not suppressed.
# NOTE(review): 'adm' owns parts of /var/log on many distros and
# 'sync'/'shutdown'/'halt' back console shortcuts; locking the accounts
# (usermod -L, nologin shell) would be the less destructive option.
# Behaviour unchanged here.
#######################################
SET_DEL_USER() {
  local name
  echo -e "\n>>>>>  begin to delete unused users ..."

  for name in adm lp sync shutdown halt news uucp operator gopher games smmsp; do
    userdel "$name"
  done

  for name in adm lp news uucp dip; do
    groupdel "$name"
  done
}


#######################################
# Take legacy / clear-text / rarely needed services out of the boot
# runlevels with chkconfig.
# 'chkconfig off' does not stop an instance that is already running; that
# keeps running until reboot or an explicit 'service <name> stop' (not
# done here, as before). Missing services just produce a chkconfig error.
#######################################
SET_DEL_SERVICE() {
  local svc
  echo -e "\n>>>>>  begin to delete unused services ..."

  for svc in \
      chargen-dgram chargen-stream daytime-dgram daytime-stream \
      echo-dgram echo-stream eklogin ekrb5-telnet gssftp klogin \
      krb5-telnet kshell rsync tcpmux-server tftp time-dgram time-stream \
      postfix rsyncd rlogin rsh rexec snmpd sendmail telnet smartd \
      cups cups-config-daemon; do
    chkconfig "$svc" off
  done
}


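#######################################
# Password ageing defaults in /etc/login.defs: max 90 days, min 6 days,
# 30-day warning, minimum length 6.
#######################################
SET_PASSWD_VALIDITY() {
  echo -e "\n>>>>>  begin to set password validity ..."

  # Anchored at line start so only the active settings are rewritten, not
  # the explanatory comments that mention the same keywords.
  sed -i 's/^PASS_MAX_DAYS.*[0-9]/PASS_MAX_DAYS\t90/' /etc/login.defs
  sed -i 's/^PASS_MIN_DAYS.*[0-9]/PASS_MIN_DAYS\t6/' /etc/login.defs
  sed -i 's/^PASS_MIN_LEN.*[0-9]/PASS_MIN_LEN\t6/' /etc/login.defs
  sed -i 's/^PASS_WARN_AGE.*[0-9]/PASS_WARN_AGE\t30/' /etc/login.defs

  # NOTE(review): login.defs only governs accounts created from now on;
  # existing users keep their current ageing until
  # 'chage -M 90 -m 6 -W 30 <user>' is run for them. PASS_MIN_LEN is
  # ignored when PAM (pam_cracklib/pam_pwquality minlen) decides quality.
  echo "your password will expire every 90 days"
}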


# After 5 failed logins the account is locked: 300 s for ordinary users, 10 s for root (root_unlock_time).

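#######################################
# Lock accounts after 5 failed logins using pam_tally2 in system-auth:
# users unlock after 300 s, root (also denied) after 10 s.
# Adds the 'auth' line before pam_unix and the 'account' line that resets
# the counter on a successful login.
#######################################
SET_SYSTEM_AUTOLOCK() {
  local pamfile=/etc/pam.d/system-auth n
  local authline='auth\trequired\tpam_tally2.so deny=5  unlock_time=300 even_deny_root root_unlock_time=10'
  echo -e "\n>>>>>  begin to set system autolock ..."

  if grep -v '^#' "$pamfile" | grep -q "auth.*pam_tally2.so"; then
    sed -i "s/auth.*pam_tally2.so.*/${authline}/g" "$pamfile"
  else
    # Insert before the first pam_unix auth line. -m1 guarantees a single
    # line number; with several matches the old 'cat -n | awk' produced a
    # multi-line address and broke sed. Line 5 is the historical fallback.
    n=$(grep -n -m1 "auth.*pam_unix.so" "$pamfile" | cut -d: -f1)
    sed -i "${n:-5}i\\${authline}" "$pamfile"
  fi

  # pam_tally2 resets the failure counter only from its account hook.
  # Without this line failures accumulate across successful logins and
  # every user ends up locked after 5 cumulative failures.
  if ! grep -v '^#' "$pamfile" | grep -q "account.*pam_tally2.so"; then
    n=$(grep -n -m1 "account.*pam_unix.so" "$pamfile" | cut -d: -f1)
    if [ -n "$n" ]; then
      sed -i "${n}i\\account\trequired\tpam_tally2.so" "$pamfile"
    else
      echo -e "account\trequired\tpam_tally2.so" >> "$pamfile"
    fi
  fi

  # NOTE(review): sshd on newer RHEL-style systems uses
  # /etc/pam.d/password-auth, which is not edited here, so SSH brute-force
  # attempts may not be counted. even_deny_root with a 10 s unlock also lets
  # anyone at a console lock root briefly at will — confirm that trade-off.
  echo "system will lock after input bad passwd 5 times"
}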


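#######################################
# Logging: turn on process accounting and route security-relevant syslog
# selectors to /var/adm/message and authpriv (su, logins) to
# /var/log/secure, then restart the syslog daemon.
#######################################
SET_SYSTEM_LOGFILE() {
  local conf svc
  echo -e "\n>>>>>  begin to set system log file ..."

  # Process accounting: every executed command, readable with lastcomm.
  touch /var/log/pacct
  accton /var/log/pacct
  echo "system will save users's action , you can use command 'lastcomm [user name] -f /var/log/pacct' to see it"

  # Pick the syslog daemon actually installed. Appending to /etc/syslog.conf
  # on an rsyslog host (the old behaviour) created a file nobody reads and
  # then failed to restart a 'syslog' service that does not exist. If both
  # files exist rsyslog is assumed — verify on mixed hosts.
  if [ -f /etc/rsyslog.conf ]; then
    conf=/etc/rsyslog.conf
    svc=rsyslog
  else
    conf=/etc/syslog.conf
    svc=syslog
  fi

  # Device security events (errors, kernel debug, daemon notices) → /var/adm/message.
  # The directory is not guaranteed to exist on Linux.
  mkdir -p /var/adm
  if grep -v '^#' "$conf" | grep -q "/var/adm/message"; then
    sed -i "s#.*/var/adm/message.*#*.err;kern.debug;daemon.notice;\t/var/adm/message#" "$conf"
  else
    echo -e "*.err;kern.debug;daemon.notice;\t/var/adm/message" >> "$conf"
  fi
  echo "system will save security events in /var/adm/message"

  # su usage and failed attempts (authpriv) → /var/log/secure. Created
  # root-only: 'touch' under the default umask would have left an auth log
  # world-readable.
  touch /var/log/secure
  chmod 600 /var/log/secure
  if grep -v '^#' "$conf" | grep -q "/var/log/secure"; then
    sed -i "s#.*/var/log/secure.*#authpriv.*\t/var/log/secure#" "$conf"
  else
    echo -e "authpriv.*\t/var/log/secure" >> "$conf"
  fi
  echo "system will save normal user's SU action in /var/log/secure"

  service "$svc" restart > /dev/null
}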


#######################################
# Force 'PermitRootLogin yes' in sshd_config.
# WARNING(review): this re-enables direct root login over SSH, which the
# common hardening baselines (CIS, STIG) require to be OFF. Prefer
# 'PermitRootLogin no' (or 'without-password') plus sudo; kept only for
# compatibility with the rest of this script.
# Known gaps, unchanged: the bracket expression contains a space and only
# matches values starting with y/n, so 'without-password' and
# 'forced-commands-only' are left alone, and a commented
# '#PermitRootLogin ...' line is rewritten but stays commented.
#######################################
SET_PERMIT_ROOTLOGIN() {
  local cfg=/etc/ssh/sshd_config
  echo -e "\n>>>>>  begin to set permit root login ..."
  sed -i "s#PermitRootLogin\s*[y n Y N].*#PermitRootLogin yes#" "$cfg"
  echo "system will permit root login"
}


##############################################################################

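# ---- entry point ----------------------------------------------------------
# Privilege check on the numeric UID: a uid-0 account under another name
# passes, and the result is a real failure status (previously 'exit' 0).
if [ "$(id -u)" -ne 0 ]; then
  echo "Must be root to run this script, please login as root and re-try!"
  exit 1
fi

# /etc/set_secure.conf records one line per completed run; if it exists,
# ask before applying again. A first run can be made non-interactive with
# a literal 'yes' as the first argument.
if [ -f "/etc/set_secure.conf" ]; then
  echo "************************************************************************************************"
  LAST_SET=$(tail -n 1 /etc/set_secure.conf)
  echo "LAST SETTING: ${LAST_SET}"
  echo "************************************************************************************************"
  echo -n "System Security configuration has already been applied, do you want to set again?(Y/N)"
  read -r RET_SURE
  if [ "$RET_SURE" != "Y" ] && [ "$RET_SURE" != "y" ]; then
    echo "Abort Setting!"
    exit
  fi
else
  if [ "$1" != "yes" ]; then
    echo -n "Starting to system security setting, are you sure?(Y/N)"
    read -r RET_SURE
    if [ "$RET_SURE" != "Y" ] && [ "$RET_SURE" != "y" ]; then
      echo "Abort Setting!"
      exit
    fi
  fi
fi

###################  Begin security setting ###################
# Order is unchanged: SET_PASSWD_STRENGTH may exit the script, so steps
# after it are only applied when a password-quality module was found.
SET_NTP
SET_TIMEOUT_LOGOUT
SET_IDLE_LOGOUT
SET_ICMP_REDIRECTS
SET_LOGON_BANNER
SET_SSH_BANNER
SET_PERMIT_ROOTLOGIN
SET_SELINUX_DISABLE
SET_TIMEMASK_HISTORY
SET_UMASK
SET_SYS_CORE_DUMP
SET_OLD_PASSWD_SAVE
SET_PASSWD_STRENGTH
SET_DEL_USER
SET_DEL_SERVICE
SET_PASSWD_VALIDITY
SET_SYSTEM_AUTOLOCK
SET_SYSTEM_LOGFILE
###################  End security setting ###################

echo -e "\n>>>>>  restart sshd ..."
# Validate the edited sshd_config before restarting: a restart on a broken
# config leaves sshd down and locks remote operators out of the box.
SSHD_BIN=$(command -v sshd 2>/dev/null || echo /usr/sbin/sshd)
if "$SSHD_BIN" -t; then
  service sshd restart
else
  echo "sshd_config failed validation (sshd -t); sshd NOT restarted - fix /etc/ssh/sshd_config and restart it manually" >&2
fi

# Run record consumed by the "already applied" check above.
NOW_TIME=$(date +%Y%m%d-%H:%M.%S)
echo "${NOW_TIME}  ${VERSION}" >> /etc/set_secure.conf

echo ""
echo "**********************************************"
echo "              All Finished!"
echo "**********************************************"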