Kylin V10 PAM Configuration
Introduction
The virtual machines our cloud provider recently delivered run Kylin V10 (银河麒麟 v10). While going through /var/log/secure I found the system complaining that it could not find the pam_tally2.so module.
Symptoms
Inspecting the system log /var/log/secure shows the following errors:
Mar 24 16:14:53 localhost login[4060]: PAM unable to dlopen(/usr/lib64/security/pam_tally2.so): /usr/lib64/security/pam_tally2.so: cannot open shared object file: No such file or directory
Mar 24 16:14:53 localhost login[4060]: PAM adding faulty module: /usr/lib64/security/pam_tally2.so
Mar 24 16:14:53 localhost login[4060]: PAM unable to dlopen(/usr/lib64/security/pam_cracklib.so): /usr/lib64/security/pam_cracklib.so: cannot open shared object file: No such file or directory
Mar 24 16:14:53 localhost login[4060]: PAM adding faulty module: /usr/lib64/security/pam_cracklib.so
Mar 24 16:14:56 localhost login[4060]: pam_unix(login:session): session opened for user root(uid=0) by LOGIN(uid=0)
Mar 24 16:14:56 localhost login[4060]: ROOT LOGIN ON tty1
Apr 15 11:17:48 localhost polkitd[976]: Loading rules from directory /etc/polkit-1/rules.d
Apr 15 11:17:48 localhost polkitd[976]: Loading rules from directory /usr/share/polkit-1/rules.d
Apr 15 11:17:48 localhost polkitd[976]: Finished loading, compiling and executing 7 rules
Apr 15 11:17:48 localhost polkitd[976]: Acquired the name org.freedesktop.PolicyKit1 on the system bus
Apr 15 11:18:00 localhost login[1543]: PAM unable to dlopen(/usr/lib64/security/pam_tally2.so): /usr/lib64/security/pam_tally2.so: cannot open shared object file: No such file or directory
Apr 15 11:18:00 localhost login[1543]: PAM adding faulty module: /usr/lib64/security/pam_tally2.so
Apr 15 11:18:00 localhost login[1543]: PAM unable to dlopen(/usr/lib64/security/pam_cracklib.so): /usr/lib64/security/pam_cracklib.so: cannot open shared object file: No such file or directory
Root cause
On Kylin V10 the PAM lockout module has been upgraded from pam_tally2 to pam_faillock, but the system's PAM configuration files still reference the old pam_tally2.so module, so it cannot be loaded.
Solution
Approach
Use pam_faillock in place of pam_tally2 for the PAM authentication configuration.
Parameter reference
- deny=5: lock the account after 5 failed attempts
- unlock_time=600: lock duration of 600 seconds (10 minutes)
- fail_interval=900: window over which failures are counted, 900 seconds (15 minutes)
- audit: record an audit log entry
- silent: silent mode, no message is shown to the user
Configuration steps
1. Remove the old faillock configuration
# Comment out any existing faillock lines (if present)
sed -i -c 's|^\(auth.*pam_faillock.so.*\)|#\1|' /etc/pam.d/system-auth
sed -i -c 's|^\(auth.*pam_faillock.so.*\)|#\1|' /etc/pam.d/password-auth
2. Configure system-auth
# Add the preauth line after pam_env.so
sed -i -c '/^auth.*pam_env.so/a auth required pam_faillock.so preauth silent audit deny=5 unlock_time=600 fail_interval=900' /etc/pam.d/system-auth
# Add the authsucc line after pam_unix.so (appended first, so that authfail can be inserted in front of it)
sed -i -c '/^auth.*pam_unix.so/a auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=600 fail_interval=900' /etc/pam.d/system-auth
# Add the authfail line after pam_unix.so (appended last, so it lands between pam_unix.so and authsucc)
sed -i -c '/^auth.*pam_unix.so/a auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=600 fail_interval=900' /etc/pam.d/system-auth
3. Configure password-auth
# Add the preauth line after pam_env.so
sed -i -c '/^auth.*pam_env.so/a auth required pam_faillock.so preauth silent audit deny=5 unlock_time=600 fail_interval=900' /etc/pam.d/password-auth
# Add the authsucc line after pam_unix.so (appended first, so that authfail can be inserted in front of it)
sed -i -c '/^auth.*pam_unix.so/a auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=600 fail_interval=900' /etc/pam.d/password-auth
# Add the authfail line after pam_unix.so (appended last, so it lands between pam_unix.so and authsucc)
sed -i -c '/^auth.*pam_unix.so/a auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=600 fail_interval=900' /etc/pam.d/password-auth
Ordering notes
Important: sed's a command appends its text directly after the matched line, so the commands have to be run in reverse order for the final order to come out right.
The final order in the configuration file should be:
1. preauth – pre-authentication check
2. pam_unix.so – Unix password authentication
3. authfail – handling of a failed authentication
4. authsucc – handling of a successful authentication
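To make the ordering rule concrete, here is an added example (not from the original post or its baseline script) that applies the same three sed appends to a constructed stand-in for system-auth and then checks that the active lines come out as preauth, pam_unix.so, authfail, authsucc with no remaining pam_tally2.so reference; the function names and the sample file are my own.

```shell
#!/bin/bash
# Added example: apply the post's pam_faillock lines with sed's "a" command in
# the order that yields preauth -> pam_unix -> authfail -> authsucc, then
# verify the result. Function names and file contents are constructed here.

# Constructed minimal stand-in for /etc/pam.d/system-auth (not a Kylin file).
make_sample_pam() {
    cat > "$1" <<'EOF'
auth        required      pam_env.so
auth        sufficient    pam_unix.so nullok try_first_pass
auth        required      pam_deny.so
account     required      pam_unix.so
EOF
}

# Comment out old faillock lines, then append the new ones. Because "a" puts
# its text directly after the matched line, authsucc is appended BEFORE
# authfail so the final order is pam_unix -> authfail -> authsucc. A second
# run comments out the first run's lines, leaving exactly three active ones.
apply_faillock() {
    local f="$1" opts='audit deny=5 unlock_time=600 fail_interval=900'
    sed -i 's|^\(auth.*pam_faillock\.so.*\)|#\1|' "$f"
    sed -i "/^auth.*pam_env\.so/a auth required pam_faillock.so preauth silent $opts" "$f"
    sed -i "/^auth.*pam_unix\.so/a auth sufficient pam_faillock.so authsucc $opts" "$f"
    sed -i "/^auth.*pam_unix\.so/a auth [default=die] pam_faillock.so authfail $opts" "$f"
}

# Line number of the first active (uncommented) auth line matching regex $2.
auth_line_no() {
    grep -nE "^auth[[:space:]].*$2" "$1" | head -n1 | cut -d: -f1
}

# Return 0 when the stack is ordered correctly and no active line still loads
# pam_tally2.so; otherwise report the reason on stderr and return 1.
check_faillock_order() {
    local f="$1" pre unix fail succ
    if grep -qE '^[^#].*pam_tally2\.so' "$f"; then
        echo "$f: an active line still references pam_tally2.so" >&2; return 1
    fi
    pre=$(auth_line_no "$f" 'pam_faillock\.so.*preauth')
    unix=$(auth_line_no "$f" 'pam_unix\.so')
    fail=$(auth_line_no "$f" 'pam_faillock\.so.*authfail')
    succ=$(auth_line_no "$f" 'pam_faillock\.so.*authsucc')
    if [ -z "$pre" ] || [ -z "$unix" ] || [ -z "$fail" ] || [ -z "$succ" ]; then
        echo "$f: missing preauth, pam_unix, authfail or authsucc line" >&2; return 1
    fi
    if [ "$pre" -lt "$unix" ] && [ "$unix" -lt "$fail" ] && [ "$fail" -lt "$succ" ]; then
        return 0
    fi
    echo "$f: wrong order (preauth=$pre pam_unix=$unix authfail=$fail authsucc=$succ)" >&2
    return 1
}

# Stand-alone demo on a temporary copy; /etc/pam.d is never touched.
demo=$(mktemp)
make_sample_pam "$demo"
apply_faillock "$demo"
check_faillock_order "$demo" && grep -n faillock "$demo"
rm -f "$demo"
```

Note that when pam_unix.so is `sufficient` (as in the sample and in the usual system-auth), a correct password ends the auth stack before the authsucc line is ever reached, so that line does not reset the counter; the pam_faillock manual page instead resets it with `account required pam_faillock.so`.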
Verify the configuration
1. Inspect the configuration files
# Check system-auth
grep faillock /etc/pam.d/system-auth
# Check password-auth
grep faillock /etc/pam.d/password-auth
2. Test the lockout
# After deliberately entering a wrong password 5 times, the account should be locked
ssh user@hostname
# Show the failure records
faillock --user username
# Manually unlock the user (if needed)
faillock --user username --reset
3. Check the logs
# Watch the authentication log and confirm that the pam_tally2 errors no longer appear
tail -f /var/log/secure
Common management commands
# Show the failed login records for a given user
faillock --user username
# Reset the failure counter for a given user
faillock --user username --reset
# Show the failure records for all users
faillock
Notes
- Back up the original configuration files before changing the PAM configuration
- A misconfiguration can lock you out of the system; keep a root session open while testing
- Kylin V10 no longer ships pam_tally2; pam_faillock must be used
- The parameters can be adjusted to your actual security requirements
Below is the baseline script I use (some parts have been redacted)
#!/bin/bash
# **********************************************************
# Version: 1.0.1
# Update: 2026-02-06
# Desc: Security hardening script for Rocky Linux 8 and Kylin Linux Advanced Server V10
# Features: system tuning, user security, SSH hardening, log management, firewall configuration, etc.
# Supports: interactive menu for choosing which modules to run
# **********************************************************
# ------------------------------
# Constants
# ------------------------------
readonly EXIST_CODE_NORMAL=0
readonly EXIST_CODE_OTHER=1
readonly EXIST_CODE_WITHOUT_PERMISSION=2
readonly LOG_LEVEL_INFO='INFO'
readonly LOG_LEVEL_ERROR='ERROR'
# ------------------------------
# Logging helper
# ------------------------------
log() {
    local now
    now=$(date '+%Y-%m-%d %H:%M:%S')
    printf '[%s][%s]: %s\n' "$now" "$1" "$2"
}
# ------------------------------
# Privilege check
# ------------------------------
if [ "$EUID" -ne 0 ]; then
    log $LOG_LEVEL_ERROR "请以root权限运行脚本!"
    exit $EXIST_CODE_WITHOUT_PERMISSION
fi
# ------------------------------
# Global variables
# ------------------------------
datenow=$(date +%Y%m%d%H%M%S)
# ------------------------------
# Module functions
# ------------------------------
# Module 1: configure the offline YUM repository
configure_yum_repo() {
    log $LOG_LEVEL_INFO "===== 开始执行: 配置离线YUM源 ====="
    # Skip if an offline repo file already exists (either distribution)
    if [ -f /etc/yum.repos.d/rocky8-local.repo ] || [ -f /etc/yum.repos.d/kylin10-local.repo ]; then
        log $LOG_LEVEL_INFO "检测到已存在离线YUM源配置文件,跳过YUM源配置..."
        return 0
    fi
    if [ -f /etc/os-release ]; then
        . /etc/os-release
        if [[ $ID == "rocky" ]]; then
            log $LOG_LEVEL_INFO "检测到Rocky Linux 8系统,配置离线源..."
            mkdir -p /etc/yum.repos.d/backup
            mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/backup/ 2>/dev/null
            cat > /etc/yum.repos.d/rocky8-local.repo <<'EOF'
[rocky8-baseos]
name=Rocky Linux 8 - BaseOS
baseurl=ftp://10.194.106.166:221/Rocky-8.10-x86_64-dvd/BaseOS
enabled=1
gpgcheck=0
[rocky8-appstream]
name=Rocky Linux 8 - AppStream
baseurl=ftp://10.194.106.166:221/Rocky-8.10-x86_64-dvd/AppStream
enabled=1
gpgcheck=0
EOF
        elif [[ $ID == "kylin" ]]; then
            log $LOG_LEVEL_INFO "检测到麒麟V10系统,配置离线源..."
            # Detect the CPU architecture
            arch=$(uname -m)
            log $LOG_LEVEL_INFO "检测到系统架构: $arch"
            # Pick the ISO file name for this architecture
            if [[ $arch == "x86_64" ]]; then
                iso_file="/root/Kylin-Server-V10-SP3-2403-Release-20240426-x86_64.iso"
                log $LOG_LEVEL_INFO "使用AMD64架构ISO: $iso_file"
            elif [[ $arch == "aarch64" ]]; then
                iso_file="/root/Kylin-Server-V10-SP3-2403-Release-20240426-arm64.iso"
                log $LOG_LEVEL_INFO "使用ARM64架构ISO: $iso_file"
            else
                log $LOG_LEVEL_ERROR "不支持的架构: $arch"
                return 1
            fi
            # Check that the ISO file exists
            if [ ! -f "$iso_file" ]; then
                log $LOG_LEVEL_ERROR "ISO文件不存在: $iso_file"
                log $LOG_LEVEL_ERROR "请将ISO文件放置到 /root/ 目录"
                return 1
            fi
            # Create the mount point
            mkdir -p /mnt/kylinv10
            # Skip if already mounted
            if mount | grep -q "/mnt/kylinv10"; then
                log $LOG_LEVEL_INFO "/mnt/kylinv10 已挂载,跳过挂载操作"
            else
                # Mount the ISO
                log $LOG_LEVEL_INFO "挂载ISO到 /mnt/kylinv10..."
                mount -o loop "$iso_file" /mnt/kylinv10
                if [ $? -ne 0 ]; then
                    log $LOG_LEVEL_ERROR "ISO挂载失败!"
                    return 1
                fi
                log $LOG_LEVEL_INFO "ISO挂载成功"
            fi
            # Mount automatically at boot
            if ! grep -q "/mnt/kylinv10" /etc/fstab; then
                echo "$iso_file /mnt/kylinv10 iso9660 loop 0 0" >> /etc/fstab
                log $LOG_LEVEL_INFO "已添加到 /etc/fstab 实现开机自动挂载"
            fi
            # Back up the existing repo files and write the local repo
            mkdir -p /etc/yum.repos.d/backup
            mv /etc/yum.repos.d/*.repo /etc/yum.repos.d/backup/ 2>/dev/null
            cat > /etc/yum.repos.d/kylin10-local.repo <<'EOF'
[kylin10-local-repo]
name=Kylin Linux Advanced Server V10 Local Repo
baseurl=file:///mnt/kylinv10
enabled=1
gpgcheck=0
EOF
            log $LOG_LEVEL_INFO "麒麟V10本地YUM源配置完成"
        else
            log $LOG_LEVEL_ERROR "不支持的系统类型: $ID!"
            return 1
        fi
    else
        log $LOG_LEVEL_ERROR "未检测到系统信息!"
        return 1
    fi
    # Clean and rebuild the YUM cache
    log $LOG_LEVEL_INFO "清理并重建YUM缓存..."
    yum clean all && yum makecache
    log $LOG_LEVEL_INFO "===== 完成: 配置离线YUM源 ====="
}
# Module 2: install basic tools
install_basic_tools() {
    log $LOG_LEVEL_INFO "===== 开始执行: 安装基础工具 ====="
    yum install -y wget curl vim net-tools lsof bash-completion gcc make cmake unzip zip telnet sysstat iotop fontconfig
    if [ $? -eq 0 ]; then
        log $LOG_LEVEL_INFO "基础工具安装成功"
    else
        log $LOG_LEVEL_ERROR "基础工具安装失败!"
        return 1
    fi
    log $LOG_LEVEL_INFO "===== 完成: 安装基础工具 ====="
}
# Module 3: basic system configuration
configure_system_basic() {
    log $LOG_LEVEL_INFO "===== 开始执行: 系统基础配置 ====="
    # Disable the desktop (boot into multi-user target)
    log $LOG_LEVEL_INFO "设置停掉桌面..."
    current_target=$(systemctl get-default)
    if [[ "$current_target" != "multi-user.target" ]]; then
        systemctl set-default multi-user.target
        log $LOG_LEVEL_INFO "已设置默认运行级别为: multi-user.target"
    else
        log $LOG_LEVEL_INFO "默认运行级别已是: $current_target,跳过设置"
    fi
    # Make sure rc.local is executable
    log $LOG_LEVEL_INFO "检查/etc/rc.d/rc.local是否可执行..."
    if [ -f /etc/rc.d/rc.local ] && [ ! -x /etc/rc.d/rc.local ]; then
        chmod +x /etc/rc.d/rc.local
        log $LOG_LEVEL_INFO "/etc/rc.d/rc.local 已添加可执行权限"
    fi
    # Derive the hostname from the IP address
    log $LOG_LEVEL_INFO "根据IP设置Hostname..."
    ip_addr=$(ip addr show | grep -E 'inet.*brd' | grep -v '127.0.0.1' | awk '{print $2}' | cut -d '/' -f1 | head -n 1)
    if [ -n "$ip_addr" ]; then
        ip_last_octet=$(echo "$ip_addr" | awk -F '.' '{print $4}')
        target_hostname="host${ip_last_octet}"
        hostnamectl set-hostname "$target_hostname"
        echo "$target_hostname" > /etc/hostname
        log $LOG_LEVEL_INFO "已将主机名设置为: $target_hostname"
    fi
    # Disable reboot via Ctrl+Alt+Del
    log $LOG_LEVEL_INFO "禁止 Ctrl+Alt+Del 热键重启..."
    systemctl mask ctrl-alt-del.target
    log $LOG_LEVEL_INFO "===== 完成: 系统基础配置 ====="
}
# Module 4: system security tuning
configure_system_security() {
    log $LOG_LEVEL_INFO "===== 开始执行: 系统安全优化 ====="
    # Disable SELinux
    log $LOG_LEVEL_INFO "禁用SELinux..."
    cp /etc/selinux/config /etc/selinux/config.bak.$datenow 2>/dev/null
    sed -i -c 's/SELINUX=enforcing/SELINUX=disabled/' /etc/selinux/config
    setenforce 0 2>/dev/null
    log $LOG_LEVEL_INFO "当前SELinux状态: $(getenforce)"
    # Set the SSH idle timeout
    log $LOG_LEVEL_INFO "设置SSH超时时间(5分钟)..."
    if ! grep -q "export TMOUT=300" /etc/profile; then
        cp /etc/profile /etc/profile.bak.$datenow
        echo "export TMOUT=300" >> /etc/profile
    fi
    # Raise the maximum number of open files
    log $LOG_LEVEL_INFO "调整最大文件打开数..."
    if ! grep -q "soft nofile 65535" /etc/security/limits.conf; then
        cp /etc/security/limits.conf /etc/security/limits.conf.bak.$datenow
        cat >> /etc/security/limits.conf <<'EOF'
* soft nofile 65535
* hard nofile 65535
* soft nproc 65565
* hard nproc 65565
EOF
    fi
    # Configure time synchronisation
    log $LOG_LEVEL_INFO "设置时区并配置时间同步..."
    ln -sf /usr/share/zoneinfo/Asia/Shanghai /etc/localtime
    yum install -y chrony
    cp /etc/chrony.conf /etc/chrony.conf.bak.$datenow 2>/dev/null
    sed -i -c "/^pool.*pool.ntp.org.*/s/^/#/" /etc/chrony.conf
    sed -i -c "/^#pool/a pool 10.196.68.160 iburst" /etc/chrony.conf
    sed -i -c "/^#pool/a pool 10.202.125.129 iburst" /etc/chrony.conf
    systemctl enable chronyd && systemctl restart chronyd
    chronyc -a makestep
    log $LOG_LEVEL_INFO "===== 完成: 系统安全优化 ====="
}
# Module 5: user and authentication security
configure_user_security() {
    log $LOG_LEVEL_INFO "===== 开始执行: 用户与认证安全 ====="
    # Configure the password policy
    log $LOG_LEVEL_INFO "配置密码策略..."
    cp /etc/login.defs /etc/login.defs.bak.$datenow 2>/dev/null
    sed -i -c 's/^PASS_MAX_DAYS.*/PASS_MAX_DAYS 89/' /etc/login.defs
    sed -i -c 's/^PASS_MIN_DAYS.*/PASS_MIN_DAYS 1/' /etc/login.defs
    sed -i -c 's/^PASS_WARN_AGE.*/PASS_WARN_AGE 28/' /etc/login.defs
    sed -i -c 's/^PASS_MIN_LEN.*/PASS_MIN_LEN 8/' /etc/login.defs
    if ! grep -q "LOGIN_RETRIES" /etc/login.defs; then
        echo -e "LOGIN_RETRIES 5\nLOGIN_TIMEOUT 60" >> /etc/login.defs
    fi
    # Configure PAM authentication
    log $LOG_LEVEL_INFO "配置PAM认证..."
    cp -a /etc/pam.d/system-auth /etc/pam.d/system-auth.bak.$datenow 2>/dev/null
    cp -a /etc/pam.d/password-auth /etc/pam.d/password-auth.bak.$datenow 2>/dev/null
    # auth requisite pam_faillock.so preauth audit deny=3 even_deny_root unlock_time=60
    # auth [default=die] pam_faillock.so authfail audit deny=3 even_deny_root unlock_time=60
    # auth sufficient pam_faillock.so authsucc audit deny=3 even_deny_root unlock_time=60
    # Parameter meanings:
    # deny=3: maximum number of failed attempts (3, high security)
    # even_deny_root: the root account is locked as well, to stop brute-force attempts
    # unlock_time=600: lock duration (600 seconds = 10 minutes)
    # fail_interval=900: window over which failures are counted (900 seconds = 15 minutes)
    # Unlock with: faillock --user <username> --reset
    # Configure faillock
    # First comment out any existing faillock lines (if present)
    sed -i -c 's|^\(auth.*pam_faillock.so.*\)|#\1|' /etc/pam.d/system-auth
    sed -i -c 's|^\(auth.*pam_faillock.so.*\)|#\1|' /etc/pam.d/password-auth
    # Append the new faillock lines (note the order: append authsucc first, then authfail, then preauth)
    # sed's a command appends after the matched line, so the commands must run in reverse order for the final order to be correct
    sed -i -c '/^auth.*pam_env.so/a auth required pam_faillock.so preauth silent audit deny=5 unlock_time=600 fail_interval=900' /etc/pam.d/system-auth
    sed -i -c '/^auth.*pam_unix.so/a auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=600 fail_interval=900' /etc/pam.d/system-auth
    sed -i -c '/^auth.*pam_unix.so/a auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=600 fail_interval=900' /etc/pam.d/system-auth
    sed -i -c '/^auth.*pam_env.so/a auth required pam_faillock.so preauth silent audit deny=5 unlock_time=600 fail_interval=900' /etc/pam.d/password-auth
    sed -i -c '/^auth.*pam_unix.so/a auth sufficient pam_faillock.so authsucc audit deny=5 unlock_time=600 fail_interval=900' /etc/pam.d/password-auth
    sed -i -c '/^auth.*pam_unix.so/a auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=600 fail_interval=900' /etc/pam.d/password-auth
    # Configure password complexity
    log $LOG_LEVEL_INFO "配置密码复杂度要求..."
    # First comment out any existing password complexity lines (if present)
    sed -i -c 's|^\(password.*pam_pwquality.so.*\)|#\1|' /etc/pam.d/password-auth
    sed -i -c 's|^\(password.*pam_pwquality.so.*\)|#\1|' /etc/pam.d/system-auth
    # Append the new password complexity line
    if ! grep -q "^password.*pam_pwquality.so.*minlen=8.*ucredit=-1.*lcredit=-1.*dcredit=-1.*ocredit=-1" /etc/pam.d/password-auth; then
        sed -i -c '/^#password.*pam_pwquality.so/a password requisite pam_pwquality.so try_first_pass retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1' /etc/pam.d/password-auth
        log $LOG_LEVEL_INFO "/etc/pam.d/password-auth 密码复杂度配置已更新"
    fi
    if ! grep -q "^password.*pam_pwquality.so.*minlen=8.*ucredit=-1.*lcredit=-1.*dcredit=-1.*ocredit=-1" /etc/pam.d/system-auth; then
        sed -i -c '/^#password.*pam_pwquality.so/a password requisite pam_pwquality.so try_first_pass retry=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1' /etc/pam.d/system-auth
        log $LOG_LEVEL_INFO "/etc/pam.d/system-auth 密码复杂度配置已更新"
    fi
    log $LOG_LEVEL_INFO "===== 完成: 用户与认证安全 ====="
}
# Module 6: SSH hardening
configure_ssh_security() {
    log $LOG_LEVEL_INFO "===== 开始执行: SSH服务加固 ====="
    cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak.$datenow 2>/dev/null
    # Skip if already configured (the marker comment below is the check)
    if ! grep -q "# 安全加固配置" /etc/ssh/sshd_config; then
        cat >> /etc/ssh/sshd_config <<'EOF'
# 安全加固配置
Port 8822
Port 22
PermitRootLogin no
ClientAliveInterval 300
ClientAliveCountMax 3
MaxAuthTries 3
PermitEmptyPasswords no
Protocol 2
UsePAM yes
EOF
    fi
    # Enforce the key settings
    sed -i -c 's/#PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
    sed -i -c 's/PermitRootLogin yes/PermitRootLogin no/' /etc/ssh/sshd_config
    systemctl restart sshd.service && systemctl enable sshd.service
    log $LOG_LEVEL_INFO "===== 完成: SSH服务加固 ====="
}
# Module 7: logging configuration
configure_logging() {
    log $LOG_LEVEL_INFO "===== 开始执行: 日志系统配置 ====="
    # Configure rsyslog
    cp /etc/rsyslog.conf /etc/rsyslog.conf.bak.$datenow 2>/dev/null
    sed -i -c 's/#\$ModLoad imudp/\$ModLoad imudp/' /etc/rsyslog.conf
    sed -i -c 's/#\$UDPServerRun 514/\$UDPServerRun 514/' /etc/rsyslog.conf
    # Add the remote log servers
    if ! grep -q "10.208.7.123:514" /etc/rsyslog.conf; then
        cat >> /etc/rsyslog.conf <<'EOF'
# 远程日志服务器配置
*.* @10.208.7.123:514
*.* @10.208.11.155:514
*.* @10.208.7.219:514
*.* @10.208.40.235:514
EOF
    fi
    # Configure log retention
    cp /etc/logrotate.conf /etc/logrotate.conf.bak.$datenow 2>/dev/null
    sed -i -c '25s/rotate [0-9]\+/rotate 12/' /etc/logrotate.conf
    sed -i -c '32s/rotate [0-9]\+/rotate 12/' /etc/logrotate.conf
    systemctl restart rsyslog
    log $LOG_LEVEL_INFO "===== 完成: 日志系统配置 ====="
}
# Module 8: firewall configuration
configure_firewall() {
    log $LOG_LEVEL_INFO "===== 暂时跳过,信创环境暂无对应策略 ====="
    # log $LOG_LEVEL_INFO "===== 开始执行: 防火墙配置 ====="
    # log $LOG_LEVEL_INFO "===== 完成: 防火墙配置 ====="
}
# Module 9: additional system hardening
configure_system_enhancement() {
    log $LOG_LEVEL_INFO "===== 开始执行: 系统增强配置 ====="
    log $LOG_LEVEL_INFO "系统增强配置模块已预留,可根据需要添加其他增强功能"
    log $LOG_LEVEL_INFO "===== 完成: 系统增强配置 ====="
}
# Module 10: add administrative users
add_admin_users() {
    log $LOG_LEVEL_INFO "===== 开始执行: 添加管理用户 ====="
    # Lock unused system accounts
    log $LOG_LEVEL_INFO "锁定无用系统账号..."
    for user in games ftp news uucp; do
        if id "$user" &>/dev/null; then
            usermod -L "$user"
            log $LOG_LEVEL_INFO "已锁定账号: $user"
        fi
    done
    # Add the user (if it does not exist yet)
    # Note: the password must satisfy the PAM complexity rules (at least 8 characters, with upper- and lower-case letters, digits and special characters)
    if ! id ywuser &>/dev/null; then
        useradd ywuser
        echo "ywuser:Yw@11123123aaasd." | chpasswd
        log $LOG_LEVEL_INFO "用户 ywuser 创建成功"
    else
        log $LOG_LEVEL_INFO "用户 ywuser 已存在,跳过创建"
    fi
    log $LOG_LEVEL_INFO "===== 完成: 添加管理用户 ====="
}
# Module 11: configure Zabbix monitoring
configure_zabbix() {
    log $LOG_LEVEL_INFO "===== 开始执行: 配置Zabbix监控 ====="
    # Check the standard path
    if [ -f "/etc/zabbix/zabbix_agentd.conf" ]; then
        sed -i -c 's/Server=10.192.67.40/Server=10.196.69.70,10.196.68.166,10.196.69.71,10.192.67.33,10.192.67.35,10.192.67.40,10.192.67.50/g' /etc/zabbix/zabbix_agentd.conf
        sed -i -c 's/Server=10.192.67.50/Server=10.196.69.70,10.196.68.166,10.196.69.71,10.192.67.33,10.192.67.35,10.192.67.40,10.192.67.50/g' /etc/zabbix/zabbix_agentd.conf
        systemctl restart zabbix-agent && systemctl enable zabbix-agent
        systemctl restart zabbix_agentd.service && systemctl enable zabbix_agentd.service 2>/dev/null
        log $LOG_LEVEL_INFO "Zabbix代理已配置并重启"
    # Check the custom path
    elif [ -f "/usr/local/zabbix_agent/etc/zabbix_agentd.conf" ]; then
        sed -i -c 's/Server=10.192.67.40/Server=10.196.69.70,10.196.68.166,10.196.69.71,10.192.67.33,10.192.67.35,10.192.67.40,10.192.67.50/g' /usr/local/zabbix_agent/etc/zabbix_agentd.conf
        sed -i -c 's/Server=10.192.67.50/Server=10.196.69.70,10.196.68.166,10.196.69.71,10.192.67.33,10.192.67.35,10.192.67.40,10.192.67.50/g' /usr/local/zabbix_agent/etc/zabbix_agentd.conf
        systemctl restart zabbix-agent && systemctl enable zabbix-agent
        systemctl restart zabbix_agentd.service && systemctl enable zabbix_agentd.service 2>/dev/null
        log $LOG_LEVEL_INFO "Zabbix代理(自定义路径)已配置并重启"
    else
        log $LOG_LEVEL_ERROR "Zabbix代理未安装,跳过配置"
    fi
    log $LOG_LEVEL_INFO "===== 完成: 配置Zabbix监控 ====="
}
# Module 12: install the Qingteng agent
install_qingteng() {
    log $LOG_LEVEL_INFO "===== 开始执行: 安装青藤agent ====="
    curl -k -s -L 'https://10.196.165.48:8001/agent/download?k=167921544e17b7a554bfc40d1fdf7bb26293f962&group=1107&protocol=0&root=true&runAccount=root&userAdd=false&app=0&container=0' | bash
    # Wait for the process to start
    sleep 3
    # Treat the presence of the titan process as the sign of a successful installation
    if ps -ef | grep -v grep | grep titan > /dev/null 2>&1; then
        log $LOG_LEVEL_INFO "青藤agent安装成功,titan进程已启动"
    else
        log $LOG_LEVEL_ERROR "青藤agent安装失败,未检测到titan进程"
    fi
    log $LOG_LEVEL_INFO "===== 完成: 安装青藤agent ====="
}
# ------------------------------
# Interactive menu
# ------------------------------
show_menu() {
    clear
    cat <<'EOF'
╔════════════════════════════════════════════════════════════╗
║ Rocky Linux 8 / Kylin V10 安全加固脚本 - 菜单模式 ║
╚════════════════════════════════════════════════════════════╝
请选择要执行的模块(可多选,用空格分隔,如: 1 2 3):
[1] 配置离线YUM源
[2] 安装基础工具
[3] 系统基础配置(桌面/hostname/rc.local等)
[4] 系统安全优化(SELinux/超时/文件数/时间同步)
[5] 用户与认证安全(密码策略/PAM认证)
[6] SSH服务加固
[7] 日志系统配置
[8] 防火墙配置(iptables)
[9] 系统增强配置(预留模块)
[10] 添加管理用户
[11] 配置Zabbix监控
[12] 安装青藤agent
[A] 执行全部模块
[Q] 退出脚本
╔════════════════════════════════════════════════════════════╗
EOF
}
# Run the selected modules
execute_modules() {
    local selections="$1"
    log $LOG_LEVEL_INFO "开始执行安全加固 ($datenow)..."
    for choice in $selections; do
        case $choice in
            1) configure_yum_repo ;;
            2) install_basic_tools ;;
            3) configure_system_basic ;;
            4) configure_system_security ;;
            5) configure_user_security ;;
            6) configure_ssh_security ;;
            7) configure_logging ;;
            8) configure_firewall ;;
            9) configure_system_enhancement ;;
            10) add_admin_users ;;
            11) configure_zabbix ;;
            12) install_qingteng ;;
            13) install_uniprobe ;;
            14) install_pp_monitor ;;
            A|a)
                configure_yum_repo
                install_basic_tools
                configure_system_basic
                configure_system_security
                configure_user_security
                configure_ssh_security
                configure_logging
                configure_firewall
                configure_system_enhancement
                add_admin_users
                configure_zabbix
                install_qingteng
                break
                ;;
            Q|q)
                log $LOG_LEVEL_INFO "用户退出脚本"
                exit $EXIST_CODE_NORMAL
                ;;
            *)
                log $LOG_LEVEL_ERROR "无效的选项: $choice"
                ;;
        esac
    done
    log $LOG_LEVEL_INFO "安全加固执行完成!"
}
# ------------------------------
# Main entry point
# ------------------------------
main() {
    local user_input
    # Check for command-line arguments
    if [ $# -gt 0 ]; then
        # Use the command-line arguments as the selection
        user_input="$*"
        log $LOG_LEVEL_INFO "检测到命令行参数: $user_input"
    else
        # Interactive mode: show the menu and read the selection
        show_menu
        echo -n "请输入选项: "
        read -r user_input
        # Trim surplus whitespace
        user_input=$(echo "$user_input" | xargs)
    fi
    # Validate the input
    if [ -z "$user_input" ]; then
        log $LOG_LEVEL_ERROR "未输入任何选项!"
        exit $EXIST_CODE_OTHER
    fi
    # Run the selected modules
    execute_modules "$user_input"
    echo ""
    log $LOG_LEVEL_INFO "所有操作已完成,请检查日志确认执行结果"
    echo ""
}
# Run main (passing along all command-line arguments)
main "$@"
exit $EXIST_CODE_NORMAL