linux安全配置檢查腳本_v0.8

腳本環境：RHEL6.*

腳本說明：該腳本做用爲純執行檢測不涉及更改配置等操做，與直接上來就改安全配置等基線腳本相比相對安全一些。雖然如此，在你執行該腳本以前仍然建議你備份或快照一下目標系統。

代碼部分：

#! /bin/bash
cat <<EOF
*************************************************************************
linux安全配置掃描腳本:
1. 輸出結果也能夠在當前目錄的out.txt中查看
2. 檢查範圍：
 -》帳號策略檢查
 -》帳號註銷檢查
 -》GRUB密碼檢查
 -》LILO密碼檢查
 -》非root帳號但UID爲0的用戶檢查
 -》/etc/profile中umask默認值檢查
 -》/etc/csh.cshrc中umask默認值檢查
 -》/etc/bashrc中umask默認值檢查
 -》重要文件權限檢查
 -》內核文件dump配置檢查

*************************************************************************
EOF
rm -rf ./out.txt
echo -e "\n"
echo "[1] 帳號策略檢查中..."
passmax=`cat /etc/login.defs | grep PASS_MAX_DAYS | grep -v ^# | awk '{print $2}'`
passmin=`cat /etc/login.defs | grep PASS_MIN_DAYS | grep -v ^# | awk '{print $2}'`
passlen=`cat /etc/login.defs | grep PASS_MIN_LEN | grep -v ^# | awk '{print $2}'`
passage=`cat /etc/login.defs | grep PASS_WARN_AGE | grep -v ^# | awk '{print $2}'`
if [ $passmax -le 90 -a $passmax -gt 0 ];then
echo " [OK]口令生存週期爲${passmax}天，符合要求" >> out.txt
else
echo " [ X ] 口令生存週期爲${passmax}天，不符合要求,建議設置不大於90天" >> out.txt
fi
if [ $passmin -ge 6 ];then
echo " [OK]口令更改最小時間間隔爲${passmin}天，符合要求" >> out.txt
else
echo " [ X ] 口令更改最小時間間隔爲${passmin}天，不符合要求，建議設置大於等於6天" >> out.txt
fi
if [ $passlen -ge 8 ];then
echo " [OK]口令最小長度爲${passlen},符合要求" >> out.txt
else
echo " [ X ] 口令最小長度爲${passlen},不符合要求，建議設置最小長度大於等於8" >> out.txt
fi
if [ $passage -ge 30 -a $passage -lt $passmax ];then
echo " [OK]口令過時警告時間天數爲${passage},符合要求" >> out.txt
else
echo " [ X ] 口令過時警告時間天數爲${passage},不符合要求，建議設置大於等於30並小於口令生存週期" >> out.txt
fi
echo "..."
echo 'check over'
echo -e "\n"
echo "[2] 帳號註銷檢查中..."
TMOUT=`cat /etc/profile | grep TMOUT | awk -F[=] '{print $2}'`
if [ ! $TMOUT ];then
echo " [ X ] 帳號超時不存在自動註銷,不符合要求，建議設置小於600秒" >> out.txt
else
if [ $TMOUT -le 600 -a $TMOUT -ge 10 ] ; then
echo " [ √ ] 帳號超時時間${TMOUT}秒,符合要求" >> out.txt
else
echo " [ X ] 帳號超時時間$TMOUT秒,不符合要求，建議設置小於600秒" >> out.txt
fi
fi
echo "..."
echo 'check over'
echo -e "\n"
echo "[3] GRUB密碼檢查中..."
grup_pwd=`cat /etc/grub.conf | grep -v ^# | grep password 2> /dev/null`
if [ $? -eq 0 ];then
echo " [ √ ] 已設置grub密碼,符合要求" >> out.txt
else
echo " [ X ] 沒有設置grub密碼，不符合要求,建議設置grub密碼" >> out.txt
fi
echo "..."
echo "check over"
echo -e "\n"
echo "[4] LILO密碼檢查中..."
if [ ! -f /etc/lilo.conf ] ; then
echo " [ √ ] lilo.conf配置文件不存在，系統可能不是經過LILO引導" >> out.txt
else
lilo_pwd=`cat /etc/lilo.conf | grep -v ^# | grep password &> /dev/null`
if [ $? -eq 0 ];then
echo " [ √ ] 已設置lilo密碼,符合要求" >> out.txt
else
echo " [ X ] 沒有設置lilo密碼，不符合要求,建議設置lilo密碼(操做有風險，需慎重!)" >> out.txt
fi
fi
echo "..."
echo "check over"
echo -e "\n"

echo "[5] 非root帳號但UID爲0的用戶檢查中..."
UIDS=`awk -F[:] 'NR!=1{print $3}' /etc/passwd`
flag=0
for i in $UIDS
do
  if [ $i = 0 ];then
     flag=1
  fi
done
  if [ $flag != 1 ];then
    echo " [ √ ] 不存在root帳號外的UID爲0的異經常使用戶" >> out.txt
  else
    echo " [ X ] 存在非root但UID爲0的異經常使用戶，請馬上進行排查" >> out.txt
  fi
echo "..."
echo "check over"
echo -e "\n"

echo "[6] /etc/profile中umask默認值檢查中..."
umask1=`cat /etc/profile | grep umask | grep -v '^#' | awk '{print $2}'`
flags=0

for i in $umask1
do
  if [ $i = "027" ];then
    flags=1
  fi
done
if [ $flags = 1 ];then
  echo " [ √ ] /etc/profile文件中所設置的umask爲${i},符合要求" >> out.txt
else
  echo " [ X ] /etc/profile文件中所設置的umask爲${i},不符合要求" >> out.txt
  echo "      【理論上建議設置值爲027,但因系統重要程度不一樣請根據具體狀況慎重操做,如不肯定請暫忽略此項】" >> out.txt
fi
echo "..."
echo "check over"
echo -e "\n"


echo "[7] /etc/csh.cshrc中umask默認值檢查中..."
umask2=`cat /etc/csh.cshrc | grep umask | grep -v '^#' | awk '{print $2}'`
flags=0

for i in $umask2
do
  if [ $i = "027" ];then
    flags=1
  fi
done
if [ $flags = 1 ];then
  echo " [ √ ] /etc/csh.cshrc文件中所設置的umask爲${i},符合要求" >> out.txt
else
  echo " [ X ] /etc/csh.cshrc文件中所設置的umask爲${i},不符合要求" >> out.txt
  echo "      【理論上建議設置值爲027,但因系統重要程度不一樣請根據具體狀況慎重操做,如不肯定請暫忽略此項】" >> out.txt
fi
echo "..."
echo "check over"
echo -e "\n"


echo "[8] /etc/bashrc中umask默認值檢查中..."
umask3=`cat /etc/bashrc | grep umask | grep -v '^    #' | awk '{print $2}'`
flags=0

for i in $umask3
do
  if [ $i = "027" ];then
    flags=1
  fi
done
if [ $flags = 1 ];then
  echo " [ √ ] /etc/bashrc文件中所設置的umask爲${i},符合要求" >> out.txt
else
  echo " [ X ] /etc/bashrc文件中所設置的umask爲${i},不符合要求" >> out.txt
  echo "      【理論上建議設置值爲027,但因系統重要程度不一樣請根據具體狀況慎重操做,如不肯定請暫忽略此項】" >> out.txt
fi
echo "..."
echo "check over"
echo -e "\n"


echo "[9] 重要文件權限檢查中..."
file1=`ls -l /etc/passwd | awk '{print $1}'`
if [ $file1 = "-rw-r--r--." ];then
  echo " [ √ ] /etc/passwd文件權限爲644，符合要求" >> out.txt
else
  echo " [ X ] /etc/passwd文件權限爲[$file1.],不符合要求" >> out.txt
fi

file2=`ls -l /etc/shadow | awk '{print $1}'`
if [ $file2 = "-rw-r--r--." ] || [ $file2 = "----------." ];then
  echo " [ √ ] /etc/shadow文件權限爲400或000，符合要求" >> out.txt
else
  echo " [ X ] /etc/shadow文件權限爲${file2},不符合要求" >> out.txt
fi

file3=`ls -l /etc/group | awk '{print $1}'`
if [ $file3 = "-rw-r--r--." ];then
  echo " [ √ ] /etc/group文件權限爲644，符合要求" >> out.txt
else
  echo " [ X ] /etc/group文件權限爲$file3，不符合要求" >> out.txt
fi

file4=`ls -l /etc/securetty | awk '{print $1}'`
if [ $file4 = "-rw-------." ];then
  echo " [ √ ] /etc/security文件權限爲600，符合要求" >> out.txt
else
  echo " [ X ] /etc/security文件權限不爲600，不符合要求，建議設置權限爲600" >> out.txt
fi

file5=`ls -l /etc/services | awk '{print $1}'`
if [ $file5 = "-rw-r--r--." ];then
  echo " [ √ ] /etc/services文件權限爲644，符合要求" >> out.txt
else
  echo " [ X ] /etc/services文件權限不爲644，不符合要求，建議設置權限爲644" >> out.txt
fi

file6=`ls -l /etc/xinetd.conf | awk '{print $1}'`
if [ !-f $file6 ];then
  echo " [ √ ] /etc/xinetd.conf文件不存在,暫略此項" >> out.txt
else
  if [ $file6 = "-rw-------." ];then
    echo " [ √ ] /etc/xinetd.conf文件權限爲600，符合要求" >> out.txt
  else
    echo " [ X ] /etc/xinetd.conf文件權限不爲600，不符合要求，建議設置權限爲600" >> out.txt
  fi
fi

file7=`ls -l /etc/grub.conf | awk '{print $1}'`
if [ $file7 = "-rw-------." ];then
  echo " [ √ ] /etc/grub.conf文件權限爲600，符合要求" >> out.txt
else
  echo " [ X ] /etc/grub.conf文件權限爲$file7，不符合要求，建議設置權限爲600" >> out.txt
fi

file8=`ls -l /etc/lilo.conf | awk '{print $1}'`
if [ -f /etc/lilo.conf ];then
  if [ $file8 = "-rw-------" ];then
    echo " [ √ ] /etc/lilo.conf文件權限爲600，符合要求" >> out.txt
  else
    echo " [ X ] /etc/lilo.conf文件權限不爲600，不符合要求，建議設置權限爲600" >> out.txt
  fi
else
  echo " [ √ ] /etc/lilo.conf文件不存在,暫略此項" >> out.txt
fi
echo "..."
echo "check over"
echo -e "\n"


echo "[10] 內核文件dump配置檢查中..."
cat /etc/security/limits.conf | grep -v ^# | grep core
if [ $? = 0 ];then
  #soft=`cat /etc/security/limits.conf| grep -V ^# | grep core | awk {print $2}`
  soft=`cat /etc/security/limits.conf| grep -v '^#' | awk '{print $2}'` &> /dev/null
  for i in $soft
  do
    if [ $i = "soft" ];then
      echo -e " [ √ ] 內核文件dump配置檢查[*\tsoft\tcore\t0]已經設置" >> out.txt
    fi
    if [ $i = "hard" ];then
      echo -e " [ √ ] 內核文件dump配置檢查[*\thard\tcore\t0]已經設置" >> out.txt 
    fi
  done
else
  echo -e " [ X ] 沒有設置core，建議在/etc/security/limits.conf中添加[*\tsoft\tcore\t0]和[*\thard\tcore\t0]" >> out.txt
fi
echo "..."
echo "check over"
echo -e "\n"


echo "--------------------------------------------------------------------------"
echo ""
echo "掃描結果："
echo ""
cat ./out.txt
echo ""
echo "--------------------------------------------------------------------------"
echo ""

 執行結果：

[root@localhost ~]# ./linuxCheck.sh 
*************************************************************************
linux安全配置掃描腳本:
1. 輸出結果也能夠在當前目錄的out.txt中查看
2. 檢查範圍：
 -》帳號策略檢查
 -》帳號註銷檢查
 -》GRUB密碼檢查
 -》LILO密碼檢查
 -》非root帳號但UID爲0的用戶檢查
 -》/etc/profile中umask默認值檢查
 -》/etc/csh.cshrc中umask默認值檢查
 -》/etc/bashrc中umask默認值檢查
 -》重要文件權限檢查
 -》內核文件dump配置檢查

*************************************************************************


[1] 帳號策略檢查中...
...
check over


[2] 帳號註銷檢查中...
...
check over


[3] GRUB密碼檢查中...
...
check over


[4] LILO密碼檢查中...
...
check over


[5] 非root帳號但UID爲0的用戶檢查中...
...
check over


[6] /etc/profile中umask默認值檢查中...
...
check over


[7] /etc/csh.cshrc中umask默認值檢查中...
...
check over


[8] /etc/bashrc中umask默認值檢查中...
...
check over


[9] 重要文件權限檢查中...
ls: cannot access /etc/xinetd.conf: No such file or directory
ls: cannot access /etc/lilo.conf: No such file or directory
...
check over


[10] 內核文件dump配置檢查中...
* soft    core            0
...
check over


--------------------------------------------------------------------------

掃描結果：

 [ X ] 口令生存週期爲99999天，不符合要求,建議設置不大於90天
 [ X ] 口令更改最小時間間隔爲0天，不符合要求，建議設置大於等於6天
 [ X ] 口令最小長度爲5,不符合要求，建議設置最小長度大於等於8
 [ X ] 口令過時警告時間天數爲7,不符合要求，建議設置大於等於30並小於口令生存週期
 [ X ] 帳號超時不存在自動註銷,不符合要求，建議設置小於600秒
 [ √ ] 已設置grub密碼,符合要求
 [ √ ] lilo.conf配置文件不存在，系統可能不是經過LILO引導
 [ √ ] 不存在root帳號外的UID爲0的異經常使用戶
 [ X ] /etc/profile文件中所設置的umask爲022,不符合要求
      【理論上建議設置值爲027,但因系統重要程度不一樣請根據具體狀況慎重操做,如不肯定請暫忽略此項】
 [ X ] /etc/csh.cshrc文件中所設置的umask爲022,不符合要求
      【理論上建議設置值爲027,但因系統重要程度不一樣請根據具體狀況慎重操做,如不肯定請暫忽略此項】
 [ X ] /etc/bashrc文件中所設置的umask爲022,不符合要求
      【理論上建議設置值爲027,但因系統重要程度不一樣請根據具體狀況慎重操做,如不肯定請暫忽略此項】
 [ √ ] /etc/passwd文件權限爲644，符合要求
 [ √ ] /etc/shadow文件權限爲400或000，符合要求
 [ √ ] /etc/group文件權限爲644，符合要求
 [ √ ] /etc/security文件權限爲600，符合要求
 [ √ ] /etc/services文件權限爲644，符合要求
 [ √ ] /etc/xinetd.conf文件不存在,暫略此項
 [ X ] /etc/grub.conf文件權限爲lrwxrwxrwx.，不符合要求，建議設置權限爲600
 [ √ ] /etc/lilo.conf文件不存在,暫略此項
 [ √ ] 內核文件dump配置檢查[*    soft    core    0]已經設置
 [ √ ] 內核文件dump配置檢查[*    hard    core    0]已經設置

--------------------------------------------------------------------------