# -*- coding: UTF-8 -*-
# #!/usr/bin/python
import commands
import os
import utility_function
#系统安全加固模块
#检查系统账号是否为空密码
def account_check():
#检查空密码的命令
_name_null = []
_cmd_check_name = r'''awk -F: '($2==""){print $1}' /etc/shadow'''
_cmd_freeze = 'passwd -l '
status, result = commands.getstatusoutput(_cmd_check_name)
if status == 0:
if len(result) == 0:
_name_null.append("无空密码账号")
return _name_null
else:
#冻结空密码装好
_cmd_temp = result.split()
for i in _cmd_temp:
status, result = commands.getstatusoutput(_cmd_freeze + i)
if status == 0:
_name_null.append("冻结空密码"+i+"用户")
else:
_name_null.append("冻结空密码"+i+"用户失败"+result)
else:
return _name_null.append('运行检查空密码账号命令失败')
return _name_null
#查看UID为零的账号除了root用户外有就锁定
def uuid_check():
_cmd_uuid_check = 'awk -F: \'($3==0){print $1}\' /etc/passwd'
_cmd_freeze = 'passwd -l '
_uuid_null = []
status, result = commands.getstatusoutput(_cmd_uuid_check)
if status == 0:
_result_temp = result.split()
if len(_result_temp) > 1:
for i in _result_temp:
_uuid_null.append("UUID为零的账户"+i+"请检查是否正常")
else:
_uuid_null.append(('UID为零的账号只有'+result+'账号'))
else:
_uuid_null.append('检测UID为零的账号失败了')
return _uuid_null
#添加口令策略,加强口令的复杂度等,降低被猜解的可能性。
def passwd_set_config():
_passwd_set_cmd = r'''sed -i 's/^\(PASS_MAX_DAYS\).*/\1 90/' /etc/login.defs'''
_passwd_set_temp = []
status, result = commands.getstatusoutput(_passwd_set_cmd)
if status == 0:
_passwd_set_temp.append('口令最大天数已经更改为90天')
else:
_passwd_set_temp.append('口令最大天数修改失败')
return _passwd_set_temp
#对SSH服务进行安全加固,防止暴力破解成功。
def ssh_set():
_ssh_set_temp = []
_ssh_get_Protocol = r'''grep '^Protocol' /etc/ssh/sshd_config'''
_ssh_get_MaxAuthTries = r'''grep '^MaxAuthTries' /etc/ssh/sshd_config'''
_ssh_set_Protocol = r'''sed -i 's/^\(Protocol\).*/\1 2/' /etc/ssh/sshd_config'''
_ssh_set_MaxAuthTries = r'''sed -i 's/^\(MaxAuthTries\).*/\1 3/' /etc/ssh/sshd_config'''
_Protocol_add = r'''echo 'Protocol 2' >>/etc/ssh/sshd_config'''
_MaxAuthTries_add = r'''echo 'MaxAuthTries 3' >>/etc/ssh/sshd_config'''
_Protocol_name = 'Protocol'
_MaxAuthTries_name = 'MaxAuthTries'
_Protocol_set_temp = utility_function.data_set(_ssh_get_Protocol, _ssh_set_Protocol, _Protocol_add, _Protocol_name)
_ssh_set_temp.append(_Protocol_set_temp)
_MaxAuthTries_set_temp = utility_function.data_set(_ssh_get_MaxAuthTries, _ssh_set_MaxAuthTries, _MaxAuthTries_add, _MaxAuthTries_name)
_ssh_set_temp.append(_MaxAuthTries_set_temp)
return _ssh_set_temp
#设置默认的umask值,增强安全性。
def umask_set():
_umask_get_umask = r'''grep '^umask' /etc/profile'''
_umask_set_umask = r'''sed -i 's/^\(umask\).*/\1 027/' /etc/profile'''
_umask_add = r'''echo 'umask 027' >>/etc/profile'''
_umask_name = 'umask'
_umask_set_temp = utility_function.data_set(_umask_get_umask, _umask_set_umask, _umask_add, _umask_name)
return [_umask_set_temp]
#设置系统登录后,连接超时时间,增强安全性。
def tmout_time():
_TMOUT_get_TMOUT = r'''grep '^TMOUT' /etc/profile'''
_TMOUT_set_TMOUT = r'''sed -i 's/^\(TMOUT=\).*/\1180/' /etc/profile'''
_TMOUT_add = r'''echo 'TMOUT=180' >>/etc/profile'''
_TMOUT_name = 'TMOUT'
_TMOUT_set_temp = utility_function.data_set(_TMOUT_get_TMOUT, _TMOUT_set_TMOUT, _TMOUT_add, _TMOUT_name)
return [_TMOUT_set_temp]
#通过脚本代码实现记录所有用户的登录操作日志,防止出现安全事件后无据可查。
def logs_all_set():
_logs_set_temp = []
_logs_get_logs = r'''grep '^history' /etc/profile'''
_logs_set_logs = r'''echo -e "history \n\
USER=`whoami` \n\
USER_IP=`who -u am i 2>/dev/null| awk '{print $NF}'|sed -e 's/[()]//g'` \n\
if [ "$USER_IP" = "" ]; then \n\
USER_IP=`hostname` \n\
fi \n\
if [ ! -d /var/log/history ]; then \n\
mkdir /var/log/history \n\
chmod 777 /var/log/history \n\
fi \n\
if [ ! -d /var/log/history/${LOGNAME} ]; then \n\
mkdir /var/log/history/${LOGNAME} \n\
chmod 300 /var/log/history/${LOGNAME} \n\
fi \n\
export HISTSIZE=4096 \n\
DT=`date +"%Y%m%d_%H:%M:%S"` \n\
export HISTFILE="/var/log/history/${LOGNAME}/${USER}@${USER_IP}_$DT" \n\
chmod 600 /var/log/history/${LOGNAME}/*history* 2>/dev/null" >>/etc/profile'''
_logs_name = '全部日志记录配置'
logs_status, logs_value = commands.getstatusoutput(_logs_get_logs)
if logs_status == 0 or logs_status == 256:
if len(logs_value) > 0:
_logs_set_temp.append("记录日志配置已存在,请自行查看")
else:
status_set_logs, data_set_logs = commands.getstatusoutput(_logs_set_logs)
if status_set_logs == 0:
_logs_set_temp.append("添加" + _logs_name + "成功")
else:
_logs_set_temp.append("添加" + _logs_name + "失败")
else:
_logs_set_temp.append("修改" + _logs_name + "失败")
return _logs_set_temp
#关闭防火墙和selinux
def selinux_firewalld():
selinux_firewalld_temp = []
selinux_cmd = r'''sed -i "s/SELINUX=enforcing/SELINUX=disabled/g" /etc/sysconfig/selinux'''
selinux_data = os.system(selinux_cmd)
selinux_temp = os.system('setenforce 0')
if selinux_data != 0 and selinux_temp != 0:
selinux_firewalld_temp.append('关闭selinux失败')
else:
selinux_firewalld_temp.append('关闭selinux成功')
firewalld_cmd = os.system('systemctl stop firewalld.service')
firewalld_disable = os.system('systemctl disable firewalld.service')
if firewalld_cmd != 0 and firewalld_disable != 0:
selinux_firewalld_temp.append('关闭firewalld失败')
else:
selinux_firewalld_temp.append('关闭firewalld成功')
return selinux_firewalld_temp
#加速yum和配置打开最大文件数
if __name__=='__main__':
a = account_check()
b = uuid_check()
c = passwd_set_config()
d = ssh_set()
e = umask_set()
f = tmout_time()
g = logs_all_set()
for i in g:
print(i)
