基於centos系統,系統基本檢查及鞏固

時間  2021-03-13
標籤 linux centos 安全 bash ssh spa 設計 日誌 code 欄目 CentOS 简体版
原文   原文鏈接

 

基於centos系統,系統基本檢查及鞏固linux

#!/bin/bash #version 1.0 #author by 網服務 cat <<EOF *************************************************************************************
***** linux基線檢查腳本 *****
*************************************************************************************
***** linux基線配置規範設計 *****
***** 輸出結果out.txt *****
************************************************************************************* EOF echo "***************************"
echo "帳號策略檢查中..."
echo "***************************" passmax=`cat /etc/login.defs | grep PASS_MAX_DAYS | grep -v ^# | awk '{print $2}'` passmin=`cat /etc/login.defs | grep PASS_MIN_DAYS | grep -v ^# | awk '{print $2}'` passlen=`cat /etc/login.defs | grep PASS_MIN_LEN | grep -v ^# | awk '{print $2}'` passage=`cat /etc/login.defs | grep PASS_WARN_AGE | grep -v ^# | awk '{print $2}'` if [ $passmax -le 90 -a $passmax -gt 0];then
  echo "口令生存週期爲${passmax}天,符合要求" >> out.txt else
  echo "口令生存週期爲${passmax}天,不符合要求,建議設置不大於90天" >> out.txt fi


if [ $passmin -ge 6 ];then
  echo "口令更改最小時間間隔爲${passmin}天,符合要求" >> out.txt else
  echo "口令更改最小時間間隔爲${passmin}天,不符合要求,建議設置大於等於6天" >> out.txt fi


if [ $passlen -ge 8 ];then
  echo "口令最小長度爲${passlen},符合要求" >> out.txt else
  echo "口令最小長度爲${passlen},不符合要求,建議設置最小長度大於等於8" >> out.txt fi


if [ $passage -ge 30 -a $passage -lt $passmax ];then
  echo "口令過時警告時間天數爲${passage},符合要求" >> out.txt else
  echo "口令過時警告時間天數爲${passage},不符合要求,建議設置大於等於30並小於口令生存週期" >> out.txt fi


echo "***************************"
echo "帳號是否會主動註銷檢查中..."
echo "***************************"
cat /etc/profile | grep TMOUT | awk -F[=] '{print $2}' 
if [ $? -eq 0 ];then TMOUT=`cat /etc/profile | grep TMOUT | awk -F[=] '{print $2}'` if [ $TMOUT -le 600 -a $TMOUT -ge 10 ];then
    echo "帳號超時時間${TMOUT}秒,符合要求" >> out.txt else
    echo "帳號超時時間${TMOUT}秒,不符合要求,建議設置小於600秒" >> out.txt fi
else
  echo "帳號超時不存在自動註銷,不符合要求,建議設置小於600秒" >> out.txt fi #grub和lilo密碼是否設置檢查 cat /etc/grub.conf | grep password 2> /dev/null
if [ $? -eq 0 ];then
  echo "已設置grub密碼,符合要求" >> out.txt else
  echo "沒有設置grub密碼,不符合要求,建議設置grub密碼" >> out.txt fi


cat /etc/lilo.conf | grep password 2> /dev/null
if [ $? -eq 0 ];then
  echo "已設置lilo密碼,符合要求" >> out.txt else
  echo "沒有設置lilo密碼,不符合要求,建議設置lilo密碼" >> out.txt fi #查找非root帳號UID爲0的帳號 UIDS=`awk -F[:] 'NR!=1{print $3}' /etc/passwd` flag=0
for i in $UIDS do
  if [ $i = 0 ];then
    echo "存在非root帳號的帳號UID爲0,不符合要求" >> out.txt else flag=1
  fi
done
if [ $flag = 1 ];then
  echo "不存在非root帳號的帳號UID爲0,符合要求" >> out.txt fi #檢查umask設置 umask1=`cat /etc/profile | grep umask | grep -v ^# | awk '{print $2}'` umask2=`cat /etc/csh.cshrc | grep umask | grep -v ^# | awk '{print $2}'` umask3=`cat /etc/bashrc | grep umask | grep -v ^# | awk 'NR!=1{print $2}'` flags=0
for i in $umask1 do
  if [ $i = "027" ];then
    echo "/etc/profile文件中所設置的umask爲${i},符合要求" >> out.txt else flags=1
  fi
done
if [ $flags = 1 ];then
  echo "/etc/profile文件中所所設置的umask爲${i},不符合要求,建議設置爲027" >> out.txt fi flags=0
for i in $umask2 do
  if [ $i = "027" ];then
    echo "/etc/csh.cshrc文件中所設置的umask爲${i},符合要求" >> out.txt else flags=1
  fi
done  
if [ $flags = 1 ];then
  echo "/etc/csh.cshrc文件中所所設置的umask爲${i},不符合要求,建議設置爲027" >> out.txt fi flags=0
for i in $umask3 do
  if [ $i = "027" ];then
    echo "/etc/bashrc文件中所設置的umask爲${i},符合要求" >> out.txt else flags=1
  fi
done
if [ $flags = 1 ];then
  echo "/etc/bashrc文件中所設置的umask爲${i},不符合要求,建議設置爲027" >> out.txt fi








echo "***************************"
echo "檢查重要文件權限中..."
echo "***************************" file1=`ls -l /etc/passwd | awk '{print $1}'` file2=`ls -l /etc/shadow | awk '{print $1}'` file3=`ls -l /etc/group | awk '{print $1}'` file4=`ls -l /etc/securetty | awk '{print $1}'` file5=`ls -l /etc/services | awk '{print $1}'` file6=`ls -l /etc/xinetd.conf | awk '{print $1}'` file7=`ls -l /etc/grub.conf | awk '{print $1}'` file8=`ls -l /etc/lilo.conf | awk '{print $1}'` if [ $file1 = "-rw-r--r--" ];then
  echo "/etc/passwd文件權限爲644,符合要求" >> out.txt else
  echo "/etc/passwd文件權限不爲644,不符合要求,建議設置權限爲644" >> out.txt fi


if [ $file2 = "-r--------" ];then
  echo "/etc/shadow文件權限爲400,符合要求" >> out.txt else
  echo "/etc/shadow文件權限不爲400,不符合要求,建議設置權限爲400" >> out.txt fi


if [ $file3 = "-rw-r--r--" ];then
  echo "/etc/group文件權限爲644,符合要求" >> out.txt else
  echo "/etc/group文件權限不爲644,不符合要求,建議設置權限爲644" >> out.txt fi


if [ $file4 = "-rw-------" ];then
  echo "/etc/security文件權限爲600,符合要求" >> out.txt else
  echo "/etc/security文件權限不爲600,不符合要求,建議設置權限爲600" >> out.txt fi


if [ $file5 = "-rw-r--r--" ];then
  echo "/etc/services文件權限爲644,符合要求" >> out.txt else
  echo "/etc/services文件權限不爲644,不符合要求,建議設置權限爲644" >> out.txt fi


if [ $file6 = "-rw-------" ];then
  echo "/etc/xinetd.conf文件權限爲600,符合要求" >> out.txt else
  echo "/etc/xinetd.conf文件權限不爲600,不符合要求,建議設置權限爲600" >> out.txt fi


if [ $file7 = "-rw-------" ];then
  echo "/etc/grub.conf文件權限爲600,符合要求" >> out.txt else
  echo "/etc/grub.conf文件權限不爲600,不符合要求,建議設置權限爲600" >> out.txt fi


if [ -f /etc/lilo.conf ];then
  if [ $file8 = "-rw-------" ];then
    echo "/etc/lilo.conf文件權限爲600,符合要求" >> out.txt else
    echo "/etc/lilo.conf文件權限不爲600,不符合要求,建議設置權限爲600" >> out.txt fi
  
else
  echo "/etc/lilo.conf文件夾不存在"
fi


cat /etc/security/limits.conf | grep -V ^# | grep core if [ $? -eq 0 ];then soft=`cat /etc/security/limits.conf | grep -V ^# | grep core | awk {print $2}` for i in $soft do
    if [ $i = "soft" ];then
      echo "* soft core 0 已經設置" >> out.txt fi
    if [ $i = "hard" ];then
      echo "* hard core 0 已經設置" >> out.txt fi
  done
else 
  echo "沒有設置core,建議在/etc/security/limits.conf中添加* soft core 0和* hard core 0" >> out.txt fi




echo "***************************"
echo "檢查ssh配置文件中..."
echo "***************************"
cat /etc/ssh/sshd_config | grep -v ^# |grep "PermitRootLogin no"
if [ $? -eq 0 ];then
  echo "已經設置遠程root不能登錄,符合要求" >> out.txt else
  echo "不已經設置遠程root不能登錄,不符合要求,建議/etc/ssh/sshd_config添加PermitRootLogin no" >> out.txt fi #檢查telnet是否開啓 telnetd=`cat /etc/xinetd.d/telnet | grep disable | awk '{print $3}'` if [ $telnetd = "yes" ];then
  echo "檢測到telnet服務開啓,不符合要求,建議關閉telnet" >> out.txt fi Protocol=`cat /etc/ssh/sshd_config | grep -v ^# | grep Protocol | awk '{print $2}'` if [ $Protocol = 2 ];then
  echo "openssh使用ssh2協議,符合要求" >> out.txt fi
if [ $Protocol = 1 ];then
  echo "openssh使用ssh1協議,不符合要求" >> out.txt fi #檢查保留歷時命令條數 HISTSIZE=`cat /etc/profile|grep HISTSIZE|head -1|awk -F[=] '{print $2}'` if [ $HISTSIZE -eq 5 ];then
  echo "保留歷時命令條數爲$HISTSIZE,符合要求" >> out.txt else
  echo "保留歷時命令條數爲$HISTSIZE,不符合要求,建議/etc/profile的HISTSIZE設置爲5" >> out.txt fi #檢查重要文件的屬性 flag=0
for ((x=1;x<=15;x++)) do apend=`lsattr /etc/passwd | cut -c $x` if [ $apend = "i" ];then
    echo "/etc/passwd文件存在i安全屬性" >> out.txt flag=1
  fi
  if [ $apend = "a" ];then
    echo "/etc/passwd文件存在a安全屬性" >> out.txt flag=1
  fi
done
if [ $flag = 0 ];then
  echo "/etc/passwd文件不存在相關安全屬性,建議使用chattr +i或chattr +a防止/etc/passwd被刪除或修改" >> out.txt fi flag=0
for ((x=1;x<=15;x++)) do apend=`lsattr /etc/shadow | cut -c $x` if [ $apend = "i" ];then
    echo "/etc/shadow文件存在i安全屬性" >> out.txt flag=1
  fi
  if [ $apend = "a" ];then
    echo "/etc/shadow文件存在a安全屬性" >> out.txt flag=1
  fi
done
if [ $flag = 0 ];then
  echo "/etc/shadow文件不存在相關安全屬性,建議使用chattr +i或chattr +a防止/etc/shadow被刪除或修改" >> out.txt fi flag=0
for ((x=1;x<=15;x++)) do apend=`lsattr /etc/gshadow | cut -c $x` if [ $apend = "i" ];then
    echo "/etc/gshadow文件存在i安全屬性" >> out.txt flag=1
  fi
  if [ $apend = "a" ];then
    echo "/etc/gshadow文件存在a安全屬性" >> out.txt flag=1
  fi
done
if [ $flag = 0 ];then
  echo "/etc/gshadow文件不存在相關安全屬性,建議使用chattr +i或chattr +a防止/etc/gshadow被刪除或修改" >> out.txt fi flag=0
for ((x=1;x<=15;x++)) do apend=`lsattr /etc/group | cut -c $x` if [ $apend = "i" ];then
    echo "/etc/group文件存在i安全屬性" >> out.txt flag=1
  fi
  if [ $apend = "a" ];then
    echo "/etc/group文件存在a安全屬性" >> out.txt flag=1
  fi
done
if [ $flag = 0 ];then
  echo "/etc/group文件不存在相關安全屬性,建議使用chattr +i或chattr +a防止/etc/group被刪除或修改" >> out.txt fi #檢查snmp默認團體口令public、private if [ -f /etc/snmp/snmpd.conf ];then public=`cat /etc/snmp/snmpd.conf | grep public | grep -v ^# | awk '{print $4}'` private=`cat /etc/snmp/snmpd.conf | grep private | grep -v ^# | awk '{print $4}'` if [ $public = "public" ];then
    echo "發現snmp服務存在默認團體名public,不符合要求" >> out.txt fi
  if [[ $private = "private" ]];then
    echo "發現snmp服務存在默認團體名private,不符合要求" >> out.txt fi
else
  echo "snmp服務配置文件不存在,可能沒有運行snmp服務" 
fi #檢查主機信任關係 rhosts=`find / -name .rhosts` rhosts2=`find / -name hosts.equiv` for i in $rhosts do
  if [ -f $i ];then
  echo "找到信任主機關係,請查看${i}文件,請自行判斷是否屬於正常業務需求,建議刪除信任IP" >> out.txt fi 
done #檢查日誌審覈功能是否開啓 service auditd status if [ $? = 0 ];then
  echo "系統日誌審覈功能已開啓,符合要求" >> out.txt fi
if [ $? = 3 ];then
  echo "系統日誌審覈功能已關閉,不符合要求,建議service auditd start開啓" >> out.txt fi #檢查磁盤動態空間,是否大於等於80% space=`df -h | awk -F "[ %]+" 'NR!=1{print $5}'` for i in $space do
  if [ $i -ge 80 ];then
    echo "警告!磁盤存儲容量大於80%,建議擴充磁盤容量或者刪除垃圾文件" >> out.txt fi
done


echo "***************************"
echo "*** 檢查完畢 ***"
echo "***************************"
相關文章
相關標籤/搜索
每日一句
    每一个你不满意的现在,都有一个你没有努力的曾经。
本站公眾號
   歡迎關注本站公眾號,獲取更多信息
聯繫我們 最近搜索 最新文章 沪ICP备13005482号-10 MyBatis教程 SQL 教程 MySQL教程 Java 教程 Thymeleaf 教程 Hibernate教程 Spring教程 Redis教程