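#!/bin/bash
#
# Linux baseline check for RHEL/CentOS 6 and 7 hosts.
#
# Runs a fixed list of host checks (pending updates, swap, required packages,
# time zone, empty passwords, extra UID-0 accounts, umask, immutable account
# files, sshd_config values, firewall/ntpd/auditd state, unneeded services,
# open-file limits) and appends one result line per check to $FILE_PATH.
# Several checks read root-only data (/etc/shadow, lsattr), so the script is
# meant to be run as root.

cat <<EOF
*************************************************************************************
***** linux基线查看脚本
*************************************************************************************
***** 输入后果/tmp/linux_security.txt
*************************************************************************************
EOF

FILE_PATH="/tmp/linux_security.txt"

#######################################
# Tell whether the host is an EL6 release (SysV init) rather than a
# systemd-based one.
# Returns: 0 when /etc/redhat-release contains "release 6".
#######################################
is_release_6() {
  grep -q 'release 6' /etc/redhat-release
}

#######################################
# Report whether a service is running, using the init script on EL6 and
# systemctl otherwise.
# Arguments: $1 - label printed in front of the result
#            $2 - init script name under /etc/init.d (EL6)
#            $3 - systemd unit name (other releases)
# Outputs:   appends "<label>状态是否通过:YES|NO" to $FILE_PATH
#######################################
report_service_state() {
  local label=$1 init_name=$2 unit=$3
  local state=NO
  if is_release_6; then
    "/etc/init.d/${init_name}" status >/dev/null && state=YES
  else
    systemctl status "${unit}" >/dev/null && state=YES
  fi
  echo -e "${label}状态是否通过:${state} \n" >>"$FILE_PATH"
}

#######################################
# Pending system updates.
# NOTE(review): only lines of `yum check-update` that mention "updates" are
# counted, and the check fails only above one such line - confirm this
# threshold covers packages coming from repositories with other names.
#######################################
system_update_check() {
  local num
  num=$(yum check-update | grep -c 'updates')
  if [ "$num" -gt 1 ]; then
    echo -e "零碎更新是否通过:NO \n" >>"$FILE_PATH"
  else
    echo -e "零碎更新是否通过:YES \n" >>"$FILE_PATH"
  fi
}

#######################################
# Swap size: reports a missing Swap line, a size under 1000 MiB, or a pass.
#######################################
swap_check() {
  local swap_sizes
  swap_sizes=$(free -m | awk '/Swap/ {print $2}')
  # Quoted so that an empty value is tested as empty instead of vanishing.
  if [ -z "$swap_sizes" ]; then
    echo -e "没有swap零碎分区 \n" >>"$FILE_PATH"
  elif [ "$swap_sizes" -lt 1000 ]; then
    echo -e "swap 分区设置过小 \n" >>"$FILE_PATH"
  else
    echo -e "swap 分区查看:YES \n" >>"$FILE_PATH"
  fi
}

#######################################
# Required packages: sysstat, man, wget, screen, ntp.
# Each name prefix is looked up on its own. Counting all matching lines
# together let several packages with one prefix (man-db, man-pages, ...)
# stand in for a package that is not installed at all.
#######################################
soft_install_check() {
  local installed pkg
  local missing=0
  installed=$(rpm -qa)
  for pkg in sysstat man wget screen ntp; do
    grep -q "^${pkg}-" <<<"$installed" || missing=$((missing + 1))
  done
  if [ "$missing" -gt 0 ]; then
    echo -e "sysstat,man,wget,screen,ntp装置是否通过:NO \n" >>"$FILE_PATH"
  else
    echo -e "sysstat,man,wget,screen,ntp装置是否通过:YES \n" >>"$FILE_PATH"
  fi
}

#######################################
# Time zone, taken from the 8th "/"-separated field of `ls -l /etc/localtime`.
# NOTE(review): that position depends on how deep the symlink target path is;
# confirm it matches the zoneinfo layout on the hosts being audited.
#######################################
clock_time_type() {
  local clock_type
  clock_type=$(ls -l /etc/localtime | awk -F"/" '{print $8}')
  if [ -n "$clock_type" ]; then
    echo -e "零碎时区为:$clock_type \n" >>"$FILE_PATH"
  else
    echo -e "请查看是否有设置时区 \n" >>"$FILE_PATH"
  fi
}

#######################################
# Accounts with an empty password field in /etc/shadow.
#######################################
passwd_check() {
  local num
  if ! num=$(awk -F":" '$2 == "" {n++} END {print n + 0}' /etc/shadow); then
    # An unreadable shadow file means nothing was verified; do not report
    # that as a pass.
    echo "passwd_check: cannot read /etc/shadow (run as root)" >&2
    num=1
  fi
  if [ "$num" -gt 0 ]; then
    echo -e "空口令账号检测是否通过:NO \n" >>"$FILE_PATH"
  else
    echo -e "空口令账号检测是否通过:YES \n" >>"$FILE_PATH"
  fi
}

#######################################
# Accounts other than root that carry UID 0.
#######################################
passwd_uid_check() {
  local num
  num=$(awk -F":" '$3 == "0" && $1 != "root" {n++} END {print n + 0}' /etc/passwd)
  if [ "$num" -gt 0 ]; then
    echo -e "非root账户UID检测是否通过:NO \n" >>"$FILE_PATH"
  else
    echo -e "非root账户UID检测是否通过:YES \n" >>"$FILE_PATH"
  fi
}

#######################################
# umask: passes only when the current shell's umask is 0022 and the value
# following the '$UID -gt 199' line in /etc/profile is 002.
# NOTE(review): a stricter setting such as 027 or 077 is reported as NO by
# this exact comparison - confirm that is what the baseline intends.
#######################################
user_umask_check() {
  local root_umask user_umask
  root_umask=$(umask)
  user_umask=$(grep -A 1 '\$UID -gt 199' /etc/profile | awk '/umask/ {print $2}')
  # Quoted: an empty user_umask must compare as unequal, not break the test.
  if [ "$root_umask" = "0022" ] && [ "$user_umask" = "002" ]; then
    echo -e "账户umask检测是否通过:YES \n" >>"$FILE_PATH"
  else
    echo -e "账户umask检测是否通过:NO \n" >>"$FILE_PATH"
  fi
}

#######################################
# Immutable attribute on /etc/passwd and /etc/shadow.
# The flag string is searched for "i" instead of being compared with one
# fixed layout, because the width of the lsattr column and the other flags
# shown (e.g. "e") vary with the filesystem and e2fsprogs version.
# No output from lsattr counts as a failure, so an error cannot show as YES.
#######################################
file_lsattr_check() {
  local num=0
  local file attr
  local files=(/etc/passwd /etc/shadow)
  for file in "${files[@]}"; do
    attr=$(lsattr "$file" | awk '{print $1}')
    case "$attr" in
      *i*) ;;
      *) num=$((num + 1)) ;;
    esac
  done
  if [ "$num" -eq 0 ]; then
    echo -e "重要文件设置是否通过:YES \n" >>"$FILE_PATH"
  else
    echo -e "重要文件设置是否通过:NO \n" >>"$FILE_PATH"
  fi
}

#######################################
# sshd_config: prints the configured value of each reviewed keyword next to
# the recommended one. Nothing is judged here; the reader compares the two.
# The keyword must be the first word of a line (compared case-insensitively),
# so comments and longer keywords containing the same text are not picked up.
# Only /etc/ssh/sshd_config itself is read; a keyword that is not set there
# prints an empty value, which means the sshd default is in effect.
#######################################
ssh_config_check() {
  echo -e "查看sshd_config配置文件: \n" >>"$FILE_PATH"
  # Keywords under review.
  local check_items=(ListenAddress Protocol StrictModes MaxAuthTries MaxSessions PubkeyAuthentication PasswordAuthentication PermitEmptyPasswords X11Forwarding)
  # Recommended value for the keyword at the same index.
  local proposal_value=("参考理论状况" 2 yes 5 5 yes no no no)
  local i value
  for i in "${!check_items[@]}"; do
    value=$(awk -v key="${check_items[$i]}" \
      'tolower($1) == tolower(key) {print $2}' /etc/ssh/sshd_config)
    echo "${check_items[$i]}:${value} 倡议值:${proposal_value[$i]}" >>"$FILE_PATH"
  done
}

#######################################
# Firewall service state (iptables on EL6, firewalld otherwise).
#######################################
firewall_check() {
  report_service_state "防火墙" iptables firewalld.service
}

#######################################
# ntpd service state.
#######################################
ntp_check() {
  report_service_state "ntp" ntpd ntpd.service
}

#######################################
# auditd service state.
#######################################
auditd_check() {
  report_service_state "auditd" auditd auditd.service
}

#######################################
# Unneeded services: YES is written when none of the listed services is
# enabled (runlevel 3 on EL6, "enabled" unit files otherwise), NO when at
# least one is.
#######################################
service_check() {
  local enabled
  echo "查看零碎多余服务,centos6:acpid|ip6tables|netfs|postfix|udev-post" >>"$FILE_PATH"
  echo "查看零碎多余服务,centos7:postfix.service tuned.service irqbalance.service" >>"$FILE_PATH"
  if is_release_6; then
    enabled=$(chkconfig --list | grep -E '3:on|3:启用' \
      | grep -cE 'acpid|ip6tables|netfs|postfix|udev-post')
  else
    enabled=$(systemctl list-unit-files --type=service | grep 'enabled' \
      | grep -cE 'postfix.service|tuned.service|irqbalance.service')
  fi
  if [ "$enabled" -eq 0 ]; then
    echo -e "零碎多余服务是否敞开:YES \n" >>"$FILE_PATH"
  else
    echo -e "零碎多余服务是否敞开:NO \n" >>"$FILE_PATH"
  fi
}

#######################################
# Open-file limits: system-wide maximum and the current shell's soft limit.
#######################################
file_check() {
  local system_file_limit user_file_limit
  system_file_limit=$(cat /proc/sys/fs/file-max)
  user_file_limit=$(ulimit -n)
  echo "零碎关上数限度:$system_file_limit" >>"$FILE_PATH"
  echo "用户过程关上数限度:$user_file_limit" >>"$FILE_PATH"
}

#######################################
# Create the report file, then run every check in order.
#######################################
main() {
  # The report lives at a fixed name in a world-writable directory and this
  # script runs as root. Drop whatever is at that path and create the file
  # with noclobber, so the shell refuses to write through a file or symlink
  # that another local user placed there. The 077 umask is confined to the
  # subshell: it keeps the findings unreadable to other users without
  # changing the umask that user_umask_check inspects.
  rm -f -- "$FILE_PATH"
  if ! (umask 077 && set -o noclobber && date +%Y%m%d >"$FILE_PATH"); then
    echo "cannot create $FILE_PATH safely; remove it and run again" >&2
    exit 1
  fi

  system_update_check
  swap_check
  soft_install_check
  clock_time_type
  passwd_check
  passwd_uid_check
  user_umask_check
  file_lsattr_check
  ssh_config_check
  firewall_check
  ntp_check
  auditd_check
  service_check
  file_check
}

main "$@"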