Linux script reinforces System Security

Today, a friend shouted in the Linux Group that he needed to write a script to implement unified security configuration for more than 100 Linux systems, and then asked someone to write the script. I have nothing to worry about. They are all very basic syntaxes and have not been optimized, but simply implemented his requirements. Now I will release the script, if someone is willing to improve with me or has any suggestions, please send me an insite email for discussion. This script has a small problem at last, that is, when an audit policy is appended, the script can only be executed once. If it is executed twice, an error will be reported when the policy is appended, and/etc/audit. rules will continue to increase. I will optimize this issue later, so that the results will be the same for the number of executions. #! /Bin/bash DIR =/etc ################################ ##################################/etc/login. defs # PASS_MAX_DAYSecho "modifying/etc/login. defs... "sleep 1max = 'cat $ DIR/login. defs | grep ^ PASS_MAX_DAYS | awk '{print $2} ''if [$ max! = 90]; then sed-I '/^ PASS_MAX_DAYS/s/' "$ max" '/90/G' $ DIR/login. defsfi # PASS_MIN_DAYSmin = 'cat $ DIR/login. defs | grep ^ PASS_MIN_DAYS | awk '{print $2} ''if [$ min! = 0]; then sed-I '/^ PASS_MIN_DAYS/' "$ min" '/0/G' $ DIR/login. defsfi # PASS_MIN_LENlen = 'cat $ DIR/login. defs | grep ^ PASS_MIN_LEN | awk '{print $2} ''if [$ len! = 8]; then sed-I '/^ PASS_MIN_LEN/s/' "$ len" '/8/G' $ DIR/login. defsfi # PASS_WARN_AGEwarn = 'cat $ DIR/login. defs | grep ^ PASS_WARN_AGE | awk '{print $2} ''if [$ warn! = 7]; then sed-I '/^ PASS_WARN_AGE/s/' "$ warn" '/7/G' $ DIR/login. defsfi ####################################### #################### echo "modifying user group... "sleep 1 sed-I's/^ uucp/# &/G'/etc/passwdsed-I's/^ nuucp/# &/G'/etc/passwdsed-I 's/^ lp/# &/G'/etc/passwdsed-I's/^ news/# &/G'/etc/passwdsed-I's/^ games/ # a &/G'/etc/passwd sed-I's/^ uucp/# &/G'/etc/shadowsed-I's/^ nuucp/# &/g '/etc/shadowsed-I's/^ l P/# &/G'/etc/shadowsed-I's/^ news/# &/G'/etc/shadowsed-I's/^ games/# &/g '/etc/shadow sed-I's/^ uucp/# &/G'/etc/groupsed-I's/^ nuucp/# &/G'/etc/groupsed -I's/^ lp/# &/G'/etc/groupsed-I's/^ news/# &/G'/etc/groupsed-I's/^ games/# &/G'/etc/group ############################# ################## echo "modifying to prohibit remote administrator login... "sed-I's/^ # PermitRootLogin yes/PermitRootLogin no/G'/etc/ssh/sshd_config ###### ######################################## # Echo "modifying the system command line to save the entry... "sleep 1cat/etc/profile | grep ^ HISTSIZE>/dev/nullif [$? = 0]; then sed-I's/^ HISTSIZE = [0-9] \ {1, 4 \}/HISTSIZE = 30/G'/etc/profileficat/etc/profile | grep ^ HISTFILESIZE> /dev/nullif [$? = 1]; then echo "HISTFILESIZE = 30">/etc/profilefi ########################### #################### echo "modifying the system startup level... "sleep 1 init = 'cat/etc/inittab | grep ^ id | cut-d": "-f 2' if [$ init! = 3]; then sed-I '/^ id/s/' "$ {init}" '/3/G'/etc/inittabfi ############ ################################### echo "audit policy being Enabled... "echo" # Enable auditing ">/etc/audit. rulesecho "-e 1">/etc/audit. rulesecho "# login configuration and information">/etc/audit. rulesecho "-w/etc/login. defs-p wa-k pai_login.defs ">/etc/audit. rulesecho "-w/etc/securetty-p wa-k pai_securetty">/etc/audit. rulesecho "-w/var/log/faillog-p wa-k LOG_faillog">/etc/audit. rulesecho "-w/var/log/lastlog-p wa-k LOG_lastlog">/etc/audit. rulesecho "-w/var/log/tallylog-p wa-k LOG_tallylog">/etc/audit. rulesecho "">/etc/audit. rulesecho "# directory operations">/etc/audit. rulesecho "#-a entry, always-S mkdir-S mkdirat-S rmdir">/etc/audit. rulesecho "">/etc/audit. rules. bakecho "">/etc/audit. rulesecho "# cron configuration & scheduled jobs">/etc/audit. rulesecho "-w/etc/cron. allow-p wa-k CFG_cron.allow ">/etc/audit. rulesecho "-w/etc/cron. deny-p wa-k CFG_cron.deny ">/etc/audit. rulesecho "-w/etc/cron. d/-p wa-k CFG_cron.d ">/etc/audit. rulesecho "-w/etc/cron. daily/-p wa-k CFG_cron.daily ">/etc/audit. rulesecho "-w/etc/cron. hourly/-p wa-k 1__cron.hourly ">/etc/audit. rulesecho "-w/etc/cron. monthly/-p wa-k CFG_cron.monthly ">/etc/audit. rulesecho "-w/etc/cron. weekly/-p wa-k CFG_cron.weekly ">/etc/audit. rulesecho "-w/etc/crontab-p wa-k CFG_crontab">/etc/audit. rulesecho "-w/var/spool/cron/root-k Export _crontab_root">/etc/audit. rulesecho "">/etc/audit. rulesecho "">/etc/audit. rulesecho "# user, group, password databases">/etc/audit. rulesecho "-w/etc/group-p wa-k pai_group">/etc/audit. rulesecho "-w/etc/passwd-p wa-k pai_passwd">/etc/audit. rulesecho "-w/etc/gshadow-k pai_gshadow">/etc/audit. rulesecho "-w/etc/shadow-k pai_shadow">/etc/audit. rulesecho "-w/etc/security/opasswd-k pai_opasswd">/etc/audit. rulesecho "">/etc/audit. rulesecho "# ----- File System audit rules -----">/etc/audit. rules echo "Restarting audit service... "/sbin/service auditd restart ################################# ################################# sleep 1 echo "Script Execution successful"