Linux-Security
Posted 芒果牛奶
tags:
篇首语:本文由小常识网(cha138.com)小编为大家整理,主要介绍了Linux-Security相关的知识,希望对你有一定的参考价值。
#!/bin/bash
cat <<EOF
*************************************************************************************
***** linux基线检查脚本
*************************************************************************************
***** 输出结果/tmp/linux_security.txt
*************************************************************************************
EOF
FILE_PATH="/tmp/linux_security.txt"
#########检查系统更新##################
system_update_check(){
num=`yum check-update|grep \'updates\'|wc -l`
if [ $num -gt 1 ];then
echo -e "系统更新是否通过:NO \\n">>$FILE_PATH
else
echo -e "系统更新是否通过:YES \\n">>$FILE_PATH
fi
}
#############检查swap分区##############
swap_check(){
swap_sizes=`free -m|grep \'Swap\'|awk \'{print $2}\'`
if [ -z $swap_sizes ];then
echo -e "没有swap系统分区 \\n">>$FILE_PATH
else
if [ $swap_sizes -lt 1000 ];then
echo -e "swap 分区设置过小 \\n">>$FILE_PATH
else
echo -e "swap 分区检查:YES \\n">>$FILE_PATH
fi
fi
}
#############检查必要软件#############
soft_install_check(){
num=`rpm -qa|egrep \'^sysstat-|^man-|^wget-|^screen-|^ntp-\'|wc -l`
if [ $num -lt 5 ];then
echo -e "sysstat,man,wget,screen,ntp安装是否通过:NO \\n">>$FILE_PATH
else
echo -e "sysstat,man,wget,screen,ntp安装是否通过:YES \\n">>$FILE_PATH
fi
}
############查看时钟时间#############
clock_time_type(){
clock_type=`ls -l /etc/localtime |awk -F"/" \'{print $8}\'`
if [ -n "$clock_type" ];then
echo -e "系统时区为:$clock_type \\n">>$FILE_PATH
else
echo -e "请检查是否有设置时区 \\n">>$FILE_PATH
fi
}
#####检查空密码########
passwd_check(){
num=`awk -F":" \'{if($2=="") print $1}\' /etc/shadow|wc -l`
if [ $num -gt 0 ];then
echo -e "空口令账号检测是否通过:NO \\n">>$FILE_PATH
else
echo -e "空口令账号检测是否通过:YES \\n">>$FILE_PATH
fi
}
#####检查用户uid是否为0########
passwd_uid_check(){
num=`awk -F":" \'{if($3=="0" && $1!="root") print $1}\' /etc/passwd|wc -l`
if [ $num -gt 0 ];then
echo -e "非root账户UID检测是否通过:NO \\n">>$FILE_PATH
else
echo -e "非root账户UID检测是否通过:YES \\n">>$FILE_PATH
fi
}
#########检查umask############
user_umask_check(){
root_umask=`umask`
user_umask=`grep -A 1 \'\\$UID -gt 199\' /etc/profile|grep \'umask\'|awk \'{print $2}\'`
if [ $root_umask == "0022" ] && [ $user_umask == "002" ];then
echo -e "账户umask检测是否通过:YES \\n">>$FILE_PATH
else
echo -e "账户umask检测是否通过:NO \\n">>$FILE_PATH
fi
}
########检查重要文件权限##########
file_lsattr_check(){
num=0
files=(/etc/passwd /etc/shadow)
for file in ${files[*]}
do
attr=`lsattr $file|awk \'{print $1}\'`
if [ $attr != "----i--------e-" ];then
num=$(($num+1))
fi
done
if [ $num -eq 0 ];then
echo -e "重要文件设置是否通过:YES \\n">>$FILE_PATH
else
echo -e "重要文件设置是否通过:NO \\n">>$FILE_PATH
fi
}
###########ssh 协议和密码认证################
ssh_config_check(){
echo -e "检查sshd_config配置文件: \\n">>$FILE_PATH
#####检查项######
check_items=(ListenAddress Protocol StrictModes MaxAuthTries MaxSessions PubkeyAuthentication PasswordAuthentication PermitEmptyPasswords X11Forwarding)
#######参考值#############
proposal_value=("参考实际情况" 2 yes 5 5 yes no no no)
i=0
for item in ${check_items[*]}
do
value=`grep $item /etc/ssh/sshd_config|grep -v \'^#\'|awk \'{print $2}\'`
echo "${check_items[$i]}:${value} 建议值:${proposal_value[$i]}">>$FILE_PATH
i=$(($i+1))
done
}
############防火墙服务状态####################
firewall_check(){
grep \'release 6\' /etc/redhat-release >>/dev/null
if [ $? -eq 0 ];then
/etc/init.d/iptables status>>/dev/null
if [ $? -eq 0 ];then
echo -e "防火墙状态是否通过:YES \\n">>$FILE_PATH
else
echo -e "防火墙状态是否通过:NO \\n">>$FILE_PATH
fi
else
systemctl status firewalld.service >>/dev/null
if [ $? -eq 0 ];then
echo -e "防火墙状态是否通过:YES \\n">>$FILE_PATH
else
echo -e "防火墙状态是否通过:NO \\n">>$FILE_PATH
fi
fi
}
############ntp服务状态####################
ntp_check(){
grep \'release 6\' /etc/redhat-release >>/dev/null
if [ $? -eq 0 ];then
/etc/init.d/ntpd status>>/dev/null
if [ $? -eq 0 ];then
echo -e "ntp状态是否通过:YES \\n">>$FILE_PATH
else
echo -e "ntp状态是否通过:NO \\n">>$FILE_PATH
fi
else
systemctl status ntpd.service >>/dev/null
if [ $? -eq 0 ];then
echo -e "ntp状态是否通过:YES \\n">>$FILE_PATH
else
echo -e "ntp状态是否通过:NO \\n">>$FILE_PATH
fi
fi
}
############auditd服务状态####################
auditd_check(){
grep \'release 6\' /etc/redhat-release >>/dev/null
if [ $? -eq 0 ];then
/etc/init.d/auditd status>>/dev/null
if [ $? -eq 0 ];then
echo -e "auditd状态是否通过:YES \\n">>$FILE_PATH
else
echo -e "auditd状态是否通过:NO \\n">>$FILE_PATH
fi
else
systemctl status auditd.service >>/dev/null
if [ $? -eq 0 ];then
echo -e "auditd状态是否通过:YES \\n">>$FILE_PATH
else
echo -e "auditd状态是否通过:NO \\n">>$FILE_PATH
fi
fi
}
#############检查不必要的服务###############
service_check(){
echo "检查系统多余服务,centos6:acpid|ip6tables|netfs|postfix|udev-post">>$FILE_PATH
echo "检查系统多余服务,centos7:postfix.service tuned.service irqbalance.service">>$FILE_PATH
grep \'release 6\' /etc/redhat-release >>/dev/null
if [ $? -eq 0 ];then
cent6_num=`chkconfig --list|egrep \'3:on|3:启用\'|egrep \'acpid|ip6tables|netfs|postfix|udev-post\'|wc -l`
if [ $cent6_num -eq 0 ];then
echo -e "系统多余服务是否关闭:YES \\n">>$FILE_PATH
else
echo -e "系统多余服务是否关闭:NO \\n">>$FILE_PATH
fi
else
cent7_num=`systemctl list-unit-files --type=service|grep \'enabled\'|egrep \'postfix.service|tuned.service|irqbalance.service\'|wc -l`
if [ $cent7_num -eq 0 ];then
echo -e "系统多余服务是否关闭:YES \\n">>$FILE_PATH
else
echo -e "系统多余服务是否关闭:NO \\n">>$FILE_PATH
fi
fi
}
############检查文件打开数情况##############
file_check(){
system_file_limit=`cat /proc/sys/fs/file-max`
#current_open_file=`lsof|wc -l`
user_file_limit=`ulimit -a|grep \'open files\'|awk \'{print $4}\'`
echo "系统打开数限制:$system_file_limit">>$FILE_PATH
echo "用户进程打开数限制:$user_file_limit">>$FILE_PATH
}
echo `date +%Y%m%d`>$FILE_PATH
system_update_check
swap_check
soft_install_check
clock_time_type
passwd_check
passwd_uid_check
user_umask_check
file_lsattr_check
ssh_config_check
firewall_check
ntp_check
auditd_check
service_check
file_check以上是关于Linux-Security的主要内容,如果未能解决你的问题,请参考以下文章