#!/bin/bash
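# --- SSH login lockout via pam_tally2 ---------------------------------------
# Adds an `auth required pam_tally2.so` rule directly after the #%PAM-1.0
# header of /etc/pam.d/sshd: 3 failed attempts lock the account for 60 s,
# root included (even_deny_root / root_unlock_time).
echo "已对密码进行加固,如果输入错误密码超过3次,则锁定账户!!"
echo "备份文件!"
# Back up only once so that re-running the script never replaces the pristine
# copy with an already-modified file; -p keeps owner, mode and timestamps.
# Editing a PAM stack without a usable backup is not worth the risk: abort.
[ -e /etc/pam.d/sshd.bak ] || cp -p /etc/pam.d/sshd /etc/pam.d/sshd.bak || {
  echo "备份 /etc/pam.d/sshd 失败,已中止" >&2
  exit 1
}

# An `auth required` line that names a module the system does not ship makes
# every SSH authentication fail. pam_tally2 is absent from newer distributions
# (they provide pam_faillock instead), so look for the module before touching
# the stack.
tally_so=""
for sec_dir in /lib64/security /usr/lib64/security /lib/security \
  /usr/lib/security /lib/*/security /usr/lib/*/security; do
  if [ -e "$sec_dir/pam_tally2.so" ]; then
    tally_so="$sec_dir/pam_tally2.so"
    break
  fi
done

# Number of lines already carrying the rule; this keeps the edit idempotent.
n=$(grep -c "auth required pam_tally2.so " /etc/pam.d/sshd)
if [ -z "$tally_so" ]; then
  echo "未找到 pam_tally2.so,跳过登录失败锁定配置(新版本系统请改用 pam_faillock)" >&2
elif [ "$n" -eq 0 ]; then
  sed -i '/%PAM-1.0/a\auth required pam_tally2.so deny=3 unlock_time=60 even_deny_root root_unlock_time=60' /etc/pam.d/sshd
  # sed inserts nothing when the #%PAM-1.0 header is missing; report that
  # instead of letting the message above stand unverified.
  grep -q "auth required pam_tally2.so " /etc/pam.d/sshd ||
    echo "/etc/pam.d/sshd 中没有 %PAM-1.0 行,pam_tally2 规则未写入" >&2
fi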
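# --- Password complexity (pam_cracklib) --------------------------------------
# Replaces line 14 of /etc/pam.d/system-auth with a pam_cracklib rule:
# minimum length 10, at least 3 characters changed from the old password, and
# at least one lowercase, one uppercase and one digit (the -1 credits).
echo "输入密码必须包含数字,大小写字母"
echo "备份文件!"
# Keep the first backup across re-runs; -p preserves owner and mode.
[ -e /etc/pam.d/system-auth.bak ] || cp -p /etc/pam.d/system-auth /etc/pam.d/system-auth.bak || {
  echo "备份 /etc/pam.d/system-auth 失败,已中止" >&2
  exit 1
}

pwq_rule='password requisite pam_cracklib.so minlen=10 difok=3 lcredit=-1 ucredit=-1 dcredit=-1 try_first_pass retry=3'
# The original "insert before line 14, then delete line 15" is a replacement
# of line 14 by position. That is only correct when line 14 really is the
# existing password-quality rule; on any other layout it would silently drop
# an unrelated PAM line. Check the line first and refuse to edit otherwise.
# NOTE(review): pam_cracklib.so must exist on the target system; a missing
# `requisite` module makes password changes fail -- confirm before rollout.
# NOTE(review): if system-auth is a symlink, GNU `sed -i` replaces the link
# with a regular file -- confirm that is acceptable on this distribution.
if sed -n '14p' /etc/pam.d/system-auth |
  grep -Eq '^[[:space:]]*password[[:space:]]+requisite[[:space:]]+pam_(cracklib|pwquality)\.so'; then
  sed -i "14c\\$pwq_rule" /etc/pam.d/system-auth
else
  echo "/etc/pam.d/system-auth 第14行不是密码复杂度规则,未作修改,请手工检查" >&2
fi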
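# --- Disable direct root login over SSH --------------------------------------
# Before applying, make sure a non-root account can log in and escalate
# privileges; otherwise this step can lock administrators out of the host.
echo "不允许root进行ssh"
echo "备份文件!"
# Keep the first backup across re-runs; -p preserves owner and mode.
[ -e /etc/ssh/sshd_config.bak ] || cp -p /etc/ssh/sshd_config /etc/ssh/sshd_config.bak || {
  echo "备份 /etc/ssh/sshd_config 失败,已中止" >&2
  exit 1
}

# The original substitution matched only the literal "#PermitRootLogin yes".
# An active "PermitRootLogin yes", or a commented default with another value,
# was left untouched and root login stayed enabled without any message.
# Rewrite every directive-shaped PermitRootLogin line, commented or not.
root_login_re='^[[:space:]]*#?[[:space:]]*PermitRootLogin[[:space:]]+[A-Za-z-]+[[:space:]]*$'
if grep -Eq "$root_login_re" /etc/ssh/sshd_config; then
  sed -i -E "s/$root_login_re/PermitRootLogin no/" /etc/ssh/sshd_config
else
  # No such line at all: add it at the top. sshd uses the first value it
  # reads for a keyword, and a line appended at the end could land inside a
  # trailing Match block and apply only to that block.
  sed -i '1i\PermitRootLogin no' /etc/ssh/sshd_config
fi
# NOTE(review): a value set earlier by an Include'd drop-in would still take
# precedence -- check the effective setting with `sshd -T` after the change.

# Validate before restarting: restarting sshd on a broken configuration can
# leave the host without remote access.
if sshd -t; then
  service sshd restart
else
  echo "sshd_config 校验失败,未重启 sshd;可从 /etc/ssh/sshd_config.bak 恢复" >&2
fi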
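# --- Lock unused system accounts ---------------------------------------------
echo "备份文件!"
# /etc/shadow.bak holds password hashes. -p makes the copy keep the owner and
# restrictive mode of the original, and the first backup is kept on re-runs.
[ -e /etc/shadow.bak ] || cp -p /etc/shadow /etc/shadow.bak || {
  echo "备份 /etc/shadow 失败,已中止" >&2
  exit 1
}
[ -e /etc/passwd.bak ] || cp -p /etc/passwd /etc/passwd.bak || {
  echo "备份 /etc/passwd 失败,已中止" >&2
  exit 1
}
echo "锁定用户"
# `passwd -l` locks the password only; it does not stop key-based logins or
# `su` from root. Accounts that need no shell should also get a nologin shell.
# NOTE(review): "123" looks like a placeholder or a site-specific account --
# confirm it belongs in this list.
for i in adm lp sync nobody halt news uucp operator games gopher ftp 123
do
  # Only local accounts that actually exist are locked; this avoids an error
  # per missing name. Matching /etc/passwd by name (rather than `id`/`getent`)
  # keeps the numeric entry from being resolved as a UID.
  if grep -q "^${i}:" /etc/passwd; then
    passwd -l "$i"
  fi
done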
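# --- Idle session timeout (TMOUT) --------------------------------------------
echo "备份文件!"
echo "设置用户登录超时"
# Keep the first backup across re-runs; -p preserves owner and mode.
[ -e /etc/profile.bak ] || cp -p /etc/profile /etc/profile.bak || {
  echo "备份 /etc/profile 失败,已中止" >&2
  exit 1
}
# The original appended the single line "export TMOUT=300 readonly TMOUT".
# On one line `readonly` is just another argument to `export`, so TMOUT was
# never made read-only and any user could unset it. Write three separate
# statements instead. The guard keeps the edit idempotent: assigning to an
# already read-only TMOUT a second time would raise an error at every login.
if ! grep -Eq '^[[:space:]]*readonly[[:space:]]+TMOUT' /etc/profile; then
  printf '%s\n' 'TMOUT=300' 'readonly TMOUT' 'export TMOUT' >> /etc/profile
fi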
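# --- Password ageing defaults in /etc/login.defs -----------------------------
# These values are defaults for accounts created afterwards; existing accounts
# keep their current ageing settings until changed per user (e.g. with chage).
echo "备份文件!"
# Keep the first backup across re-runs; -p preserves owner and mode.
[ -e /etc/login.defs.bak ] || cp -p /etc/login.defs /etc/login.defs.bak || {
  echo "备份 /etc/login.defs 失败,已中止" >&2
  exit 1
}

# Each answer is written into the file only when it is a plain non-negative
# integer. The original spliced the raw input, unquoted, into the sed script:
# an empty answer produced a directive with no value, and an answer containing
# spaces was split into extra sed arguments.
read -r -p "设置密码失效前多少天通知用户:" a
if [[ "$a" =~ ^[0-9]+$ ]]; then
  sed -i "/^PASS_WARN_AGE/c\\PASS_WARN_AGE $a" /etc/login.defs
else
  echo "输入无效(需要非负整数),PASS_WARN_AGE 未修改" >&2
fi

read -r -p "设置密码修改之间最小的天数:" b
if [[ "$b" =~ ^[0-9]+$ ]]; then
  sed -i "/^PASS_MIN_DAYS/c\\PASS_MIN_DAYS $b" /etc/login.defs
else
  echo "输入无效(需要非负整数),PASS_MIN_DAYS 未修改" >&2
fi

read -r -p "设置密码最多可多少天不修改:" c
if [[ "$c" =~ ^[0-9]+$ ]]; then
  sed -i "/^PASS_MAX_DAYS/c\\PASS_MAX_DAYS $c" /etc/login.defs
else
  echo "输入无效(需要非负整数),PASS_MAX_DAYS 未修改" >&2
fi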
read -p "设置密码最短的长度:" d
sed -i '/^PASS_MIN_LEN/c\PASS_MIN_LEN &n
安全加固脚本及解析等保2.0(仅供参考)



