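#!/usr/bin/env bash
#
# CentOS 7 account / password hardening.
#
# Steps, in the original checklist order:
#   1. pwquality minimum length and character-class rules
#   2. pam_faillock account lockout
#   3. restrict `su` to the wheel group (pam_wheel)
#   4. password ageing in /etc/login.defs
#   5. remove an unused account
#   6. shell idle timeout (TMOUT)
#   7. restrict permissions on /etc/rsyslog.conf
#   8. drop SUID/SGID from selected binaries
#   9. (manual, left commented) disable ssh root login
#
# Must be run as root. Every step is idempotent: re-running the script does
# not duplicate PAM, pwquality or /etc/profile lines.
set -euo pipefail

readonly FAILLOCK_OPTS='deny=10 unlock_time=600'
readonly LOGIN_DEFS=/etc/login.defs
readonly PWQUALITY=/etc/security/pwquality.conf

die() { printf '%s\n' "$*" >&2; exit 1; }
warn() { printf 'warn: %s\n' "$*" >&2; }

#######################################
# Append a line to a file unless that exact line is already present.
# Arguments: $1 - file, $2 - line
#######################################
ensure_line() {
  local file=$1 line=$2
  if ! grep -qxF -- "$line" "$file" 2>/dev/null; then
    printf '%s\n' "$line" >>"$file"
  fi
}

#######################################
# Insert a PAM line relative to an anchor line, once.
# Arguments: $1 - pam config file
#            $2 - 'a' (append after anchor) or 'i' (insert before anchor)
#            $3 - sed/grep BRE identifying the anchor line
#            $4 - line to insert
#            $5 - grep BRE that matches once the line is already present
# Outputs:   warning on stderr when the anchor is missing (nothing changed);
#            the original one-liners were silently a no-op in that case.
#######################################
pam_insert() {
  local file=$1 where=$2 anchor=$3 line=$4 marker=$5
  if grep -q -- "$marker" "$file"; then
    return 0
  fi
  if ! grep -q -- "$anchor" "$file"; then
    warn "$file: anchor /$anchor/ not found, '$line' not inserted"
    return 0
  fi
  sed -i "/${anchor}/${where} ${line}" "$file"
}

#######################################
# Force "KEY VALUE" in /etc/login.defs regardless of the current value.
# Replaces an existing uncommented line, or appends when the key is absent.
# Arguments: $1 - key, $2 - value
#######################################
set_login_def() {
  local key=$1 value=$2
  if grep -qE "^${key}[[:space:]]" "$LOGIN_DEFS"; then
    sed -i -E "s/^${key}[[:space:]].*/${key} ${value}/" "$LOGIN_DEFS"
  else
    printf '%s %s\n' "$key" "$value" >>"$LOGIN_DEFS"
  fi
}

#######################################
# Make our pwquality values authoritative: delete any active (uncommented)
# definition of the managed keys, then append ours. libpwquality keeps the
# last definition of a key it reads, so prepending (as the original did)
# would lose to an existing uncommented value further down the file.
# Globals:   PWQUALITY (file written; created if missing)
#######################################
configure_pwquality() {
  local -a settings=(
    'minlen = 8'
    'dcredit = -1'
    'ucredit = -1'
    'lcredit = -1'
    'ocredit = -1'
  )
  [[ -f $PWQUALITY ]] || : >"$PWQUALITY"
  sed -i -E '/^[[:space:]]*(minlen|dcredit|ucredit|lcredit|ocredit)[[:space:]]*=/d' "$PWQUALITY"
  printf '%s\n' "${settings[@]}" >>"$PWQUALITY"
}

#######################################
# Configure pam_faillock lockout in one PAM stack file, following the
# Red Hat 7 documented layout: preauth after pam_env, authfail after
# pam_unix, and the account module at the top of the account stack.
# Arguments: $1 - pam file (system-auth or password-auth)
# Globals:   FAILLOCK_OPTS (read)
#######################################
configure_faillock() {
  local file=$1
  pam_insert "$file" a 'auth\s\+required\s\+pam_env.so' \
    "auth required pam_faillock.so preauth silent audit ${FAILLOCK_OPTS}" \
    'pam_faillock\.so preauth'
  pam_insert "$file" a 'auth\s\+sufficient\s\+pam_unix.so\s\+nullok\s\+try_first_pass' \
    "auth [default=die] pam_faillock.so authfail audit ${FAILLOCK_OPTS}" \
    'pam_faillock\.so authfail'
  # The account entry must precede 'account sufficient pam_localuser.so': a
  # 'sufficient' module that succeeds ends the stack, so appending the line
  # after pam_permit.so (as the original did) left it unreached for local
  # users, and the failure counter was not cleared on a successful login.
  pam_insert "$file" i 'account\s\+required\s\+pam_unix.so' \
    'account required pam_faillock.so' \
    '^account\s\+required\s\+pam_faillock\.so'
}

main() {
  (( EUID == 0 )) || die 'must be run as root'
  local f

  # 1. pwquality
  configure_pwquality

  # 2. account lockout (CentOS 7). Both stacks: system-auth covers local
  # logins, password-auth covers sshd and other network services.
  # NOTE(review): on CentOS 7 these files are usually symlinks to *-ac;
  # GNU sed -i replaces the symlink with a regular file, which also stops
  # authconfig from overwriting the edits — confirm that is the intent.
  for f in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
    if [[ -f $f ]]; then
      configure_faillock "$f"
    else
      warn "$f not found, skipped"
    fi
  done

  # 3. only wheel members may su (uncomment the shipped pam_wheel line)
  sed -i -E 's/^#auth[[:space:]]+required[[:space:]]+pam_wheel\.so[[:space:]]+use_uid/auth required pam_wheel.so use_uid/' /etc/pam.d/su

  # 4. password ageing. Replace whatever value is present, not only the
  # distribution default, so the policy is enforced on customised hosts too.
  set_login_def PASS_MAX_DAYS 90
  set_login_def PASS_MIN_DAYS 1
  set_login_def PASS_MIN_LEN 8

  # 5. unused account (skip quietly if already gone)
  if id lp >/dev/null 2>&1; then
    userdel lp
  fi

  # 6. shell idle timeout
  ensure_line /etc/profile 'export TMOUT=600'

  # 7. rsyslog configuration readable only by root and its group
  if [[ -f /etc/rsyslog.conf ]]; then
    chmod 640 /etc/rsyslog.conf
  else
    warn '/etc/rsyslog.conf not found, skipped'
  fi

  # 8. strip SUID/SGID from binaries the checklist flags.
  # NOTE(review): /sbin/unix_chkpwd is normally SUID so that non-root
  # screen lockers can verify passwords — confirm losing that is acceptable.
  for f in /usr/bin/newgrp /sbin/unix_chkpwd /usr/bin/at; do
    if [[ -e $f ]]; then
      chmod -s -- "$f"
    else
      warn "$f not found, skipped"
    fi
  done

  # 9. block ssh root login. Manual step: add a normal user to wheel first,
  # otherwise you lock yourself out. The pattern below also matches the
  # commented default '#PermitRootLogin yes', which the original did not.
  #usermod -aG wheel <username>
  #sed -i -E 's/^#?PermitRootLogin[[:space:]]+.*/PermitRootLogin no/' /etc/ssh/sshd_config
  #sshd -t && systemctl reload sshd
}

main "$@"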