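#!/usr/bin/env bash
# Baseline OS hardening: pwquality, faillock, su restriction, password aging,
# unneeded accounts, session timeout, rsyslog, set-id bits, login banners, sshd.
# Targets an authselect-based (RHEL/CentOS 8+ style) host and must run as root.
# Every edit is idempotent, so the script can be re-run after a review without
# duplicating lines or leaving temporary copies behind.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }
warn() { printf 'warn: %s\n' "$*" >&2; }

#######################################
# Set "key = value" in a key/value config file (pwquality.conf, faillock.conf).
# Replaces every existing line for the key, commented or not, so the value is
# not shadowed by a later active entry (the last entry wins in these files;
# prepending lines, as the first version did, does not guarantee they apply).
# Appends the line when the key is absent.
# Arguments: $1 - file, $2 - key (plain identifier), $3 - value
#######################################
set_kv() {
  local file=$1 key=$2 value=$3
  if grep -Eq -e "^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=" -- "$file"; then
    sed -i -E "s|^[[:space:]]*#?[[:space:]]*${key}[[:space:]]*=.*|${key} = ${value}|" -- "$file"
  else
    printf '%s = %s\n' "$key" "$value" >> "$file"
  fi
}

#######################################
# Set "KEY value" in /etc/login.defs whatever the current value is (matching
# only the stock defaults silently skips a file that was edited before).
# Appends the line when the key is absent.
# Arguments: $1 - key, $2 - value
#######################################
set_login_def() {
  local key=$1 value=$2
  local file=/etc/login.defs
  if grep -Eq -e "^${key}[[:space:]]+" -- "$file"; then
    sed -i -E "s|^${key}[[:space:]]+.*|${key} ${value}|" -- "$file"
  else
    printf '%s %s\n' "$key" "$value" >> "$file"
  fi
}

#######################################
# Append a line to a file unless that exact line is already present.
# Arguments: $1 - file, $2 - line
#######################################
ensure_line() {
  local file=$1 line=$2
  grep -Fqx -e "$line" -- "$file" || printf '%s\n' "$line" >> "$file"
}

# 1. pwquality: minimum length 8, at least one digit/upper/lower/other char.
configure_pwquality() {
  local conf=/etc/security/pwquality.conf
  set_kv "$conf" minlen 8
  set_kv "$conf" dcredit -1
  set_kv "$conf" ucredit -1
  set_kv "$conf" lcredit -1
  set_kv "$conf" ocredit -1
}

# 2. faillock: lock the account for 10 minutes after 10 failed logins.
configure_faillock() {
  # --force replaces the active authselect profile, discarding manual edits
  # under /etc/pam.d and nsswitch.conf; confirm sssd is the intended profile.
  authselect select sssd --force
  authselect enable-feature with-faillock
  set_kv /etc/security/faillock.conf deny 10
  # The lock duration was previously left to the pam_faillock default; state
  # it explicitly so the intended 10 minutes is enforced regardless of defaults.
  set_kv /etc/security/faillock.conf unlock_time 600
}

# 3. Only wheel members may su to root, and the su binary is group-restricted.
restrict_su() {
  sed -i 's/^#auth\s\+required\s\+pam_wheel.so\s\+use_uid/auth required pam_wheel.so use_uid/' /etc/pam.d/su
  chgrp wheel /usr/bin/su
  chmod 4750 /usr/bin/su
}

# 4. Password aging: max 90 days, min 1 day, minimum length 8.
configure_password_aging() {
  set_login_def PASS_MAX_DAYS 90
  set_login_def PASS_MIN_DAYS 1
  set_login_def PASS_MIN_LEN 8
}

# 5. Remove unneeded accounts. Accounts already gone are skipped instead of
# aborting under set -e. lp is the printing (cups) service account on
# RHEL-family hosts: confirm printing is not needed before running this.
remove_unneeded_accounts() {
  local user
  for user in lp ftp; do
    if id -u "$user" >/dev/null 2>&1; then
      userdel "$user"
    else
      warn "account $user does not exist, skipping"
    fi
  done
}

# 6. Idle session timeout of 10 minutes for login shells.
# NOTE: a user can still unset TMOUT in their own shell; marking it readonly
# would be the stricter setting (not done here, to keep the original behavior).
configure_session_timeout() {
  ensure_line /etc/profile "export TMOUT=600"
}

# 7. rsyslog configuration readable by root and its group only.
protect_rsyslog_conf() {
  chmod 640 /etc/rsyslog.conf
}

# 8. Drop set-uid/set-gid bits from helpers this baseline does not want.
# unix_chkpwd is the helper that lets unprivileged processes (screen lockers
# and similar) verify a user's password; stripping its set-id bit is expected
# to break that — confirm it is intended on this host. Missing files are
# skipped with a warning instead of aborting the run.
strip_setid_bits() {
  local path
  for path in /usr/bin/newgrp /sbin/unix_chkpwd /usr/bin/at; do
    if [[ -e "$path" ]]; then
      chmod -s -- "$path"
    else
      warn "$path not present, skipping"
    fi
  done
}

# 9. Login banners for console, ssh pre-auth, and post-login motd.
set_login_banners() {
  printf '%s\n' "Authorized users only." > /etc/issue
  printf '%s\n' "Authorized users only." > /etc/issue.net
  printf '%s\n' "All activities on this system are logged." > /etc/motd
  sed -i 's/^#Banner none/Banner \/etc\/issue.net/' /etc/ssh/sshd_config
  sed -i 's/^#PrintMotd/PrintMotd/' /etc/ssh/sshd_config
  # Validate before reloading; a broken sshd_config would otherwise make the
  # reload fail and leave the old settings in place without a clear message.
  sshd -t || die "sshd_config failed validation; not reloading sshd"
  systemctl reload sshd
}

# 10. Block ssh root login. Do this only after a regular user has been added to
# the wheel group, otherwise root access to the host is lost. Left disabled on
# purpose; run the three lines by hand once that user exists.
#usermod -aG wheel <username>
#sed -i 's/PermitRootLogin\s\+yes/PermitRootLogin no/' /etc/ssh/sshd_config
#systemctl reload sshd

main() {
  (( EUID == 0 )) || die "this script must be run as root"
  configure_pwquality
  configure_faillock
  restrict_su
  configure_password_aging
  remove_unneeded_accounts
  configure_session_timeout
  protect_rsyslog_conf
  strip_setid_bits
  set_login_banners
}
main "$@"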