zoukankan      html  css  js  c++  java
  • linux各版本基线检查脚本(centos6、centos7、ubuntu系列)

    以下是centos7基线检查脚本:

      1 #!/bin/bash
      2 #version v1.0 by pensar
      3 #操作系统linux 配置规范--centos7
      4 cat <<EOF
      5 ***************************************************************
      6  linux安全配置检查脚本:
      7     1. 输出结果在/tmp/check/目录下查看
      8     2.检查范围及检查项(共计4大类,33项)
      9 *日志审计配置* 10     [1]检查Cron任务授权
     11     [2]检查是否对syslog登录事件记录
     12     [3]检查是否对rsyslog.conf配置审核
     13     [4]检查系统日志读写权限
     14     [5]检查是否对远程日志服务器配置    
     15 *系统文件管理* 16     [1]检查是否对登录超时时间配置
     17     [2]检查系统磁盘状态
     18     [3]检查是否禁止匿名FTP访问
     19     [4]检查是否修改FTP banner 信息
     20     [5]检查是否关闭不必要的服务
     21     [6]检查系统core dump状态
     22     [7]检查系统补丁    
     23 *用户账号配置* 24     [1]检查是否存在无用账号
     25     [2]检查不同用户是否共享账号
     26     [3]检查是否删除或锁定无用账号
     27     [4]检查是否存在无用用户组
     28     [5]检查是否指定用户组成员使用su命令
     29     [6]检查密码长度及复杂度策略
     30     [7]检查是否对用户远程登录进行限制
     31     [8]检查是否配置加密协议
     32     [9]检查是否配置密码的生存期
     33     [10]检查用户缺省访问权限
     34     [11]检查passwd group文件安全权限
     35     [12]检查是否存在除root之外UID为0的用户
     36     [13]检查是否配置环境变量
     37     [14]检查是否对远程连接的安全性进行配置
     38     [15]检查是否对用户的umask进行配置
     39     [16]检查是否对重要目录和文件的权限进行设置
     40     [17]检查是否存在未授权的suid/sgid文件
     41     [18]检查是否存在异常隐含文件    
     42 *网络通信配置* 43     [1]检查是否对基本网络服务进行配置
     44     [2]检查是否开启NFS服务
     45     [3]检查常规网络服务是否运行正常
     46 ***************************************************************
     47 EOF
     48 mkdir /tmp/check
     49 str1=`/sbin/ifconfig -a | grep inet | grep -v 127.0.0.1 | grep -v inet6 | awk '{print $2}' | tr -d "addr:" | head -n 1`
     50 str=`date +%Y%m%d%H%M`_"$str1"
     51 
     52 echo "----**日志审计配置**----" >> /tmp/check/${str}_out.txt 
     53 echo "[1] 检查Cron任务授权" >> /tmp/check/${str}_out.txt 
     54 if [ -e /etc/cron.deny ] && [ -e /etc/at.deny ];then
     55     CRON_DENY=`ls -l /etc/cron.deny | awk '{print $1}'`
     56     AT_DENY=`ls -l /etc/at.deny | awk '{print $1}'`
     57     echo "/etc/cron.deny文件授权情况为:${CRON_DENY:1:9}" >> /tmp/check/${str}_out.txt 
     58     echo "/etc/at.deny文件授权情况为:${AT_DENY:1:9}" >> /tmp/check/${str}_out.txt 
     59     echo "{'Check_point':'检查Cron任务授权','Check_result':{'/etc/cron.deny文件授权情况为':'${CRON_DENY:1:9}','/etc/at.deny文件授权情况为':'${AT_DENY:1:9}'}}" >> /tmp/check/${str}_dict.txt 
     60     CRON=`cat /etc/rsyslog.conf | grep "cron.*"`
     61     echo "/etc/rsyslog.conf的配置情况为:${CRON}" >> /tmp/check/${str}_out.txt 
     62 else
     63     echo "未找到/etc/cron.deny和/etc/at.deny配置文件" >> /tmp/check/${str}_out.txt 
     64 fi
     65 
     66 echo "----------------------------" >> /tmp/check/${str}_out.txt 
     67 echo "[2]检查是否对syslog登录事件记录" >> /tmp/check/${str}_out.txt 
     68 if [ -e /etc/syslog.conf ];then
     69     Clog=`cat /etc/syslog.conf | grep /var/log/secure | grep -E "authpriv.*"`
     70     echo "/etc/syslog.conf的配置为:${Clog}" >> /tmp/check/${str}_out.txt 
     71 else
     72     echo "未找到/etc/syslog.conf配置文件" >> /tmp/check/${str}_out.txt 
     73 fi
     74 
     75 echo "----------------------------" >> /tmp/check/${str}_out.txt 
     76 echo "[3]检查是否对rsyslog.conf配置审核" >> /tmp/check/${str}_out.txt 
     77 if [ -e /etc/rsyslog.conf ];then
     78     LOG=`cat /etc/rsyslog.conf | grep @loghost` 
     79     echo "rsyslog.conf文件的配置为${LOG}" >> /tmp/check/${str}_out.txt 
     80 else
     81     echo "未找到/etc/rsyslog.conf配置文件" >> /tmp/check/${str}_out.txt 
     82 fi
     83 
     84 echo "----------------------------" >> /tmp/check/${str}_out.txt 
     85 echo "[4]检查系统日志读写权限" >> /tmp/check/${str}_out.txt 
     86 if [ -e /var/log/messages ];then
     87     MESSAGES=`ls -l /var/log/messages | awk '{print $1}'`
     88     echo "/var/log/messages的文件权限为:${MESSAGES:1:9}" >> /tmp/check/${str}_out.txt 
     89 else
     90     echo "未找到/var/log/messages的文件" >> /tmp/check/${str}_out.txt 
     91 fi
     92 if [ -e /var/log/secure ];then
     93     SECURE=`ls -l /var/log/secure | awk '{print $1}'`
     94     echo "/var/log/secure 的文件权限为:${SECURE:1:9}" >> /tmp/check/${str}_out.txt 
     95 else
     96     echo "未找到/var/log/secure的文件" >> /tmp/check/${str}_out.txt 
     97 fi
     98 
     99 if [ -e /var/log/maillog ];then
    100     MAILLOG=`ls -l /var/log/maillog | awk '{print $1}'`
    101     echo "/var/log/maillog 的文件权限为:${MAILLOG:1:9}" >> /tmp/check/${str}_out.txt 
    102 else
    103     echo "未找到/var/log/maillog的文件" >> /tmp/check/${str}_out.txt 
    104 fi
    105 
    106 if [ -e /var/log/cron ];then
    107     CRON=`ls -l /var/log/cron | awk '{print $1}'`
    108     echo "/var/log/cron 的文件权限为:${CRON:1:9}" >> /tmp/check/${str}_out.txt 
    109 else
    110     echo "未找到/var/log/cron的文件" >> /tmp/check/${str}_out.txt 
    111 fi
    112 if [ -e /var/log/spooler ];then
    113     SPOOLER=`ls -l /var/log/spooler | awk '{print $1}'`
    114     echo "/var/log/spooler 的文件权限为:${SPOOLER:1:9}" >> /tmp/check/${str}_out.txt 
    115 else
    116     echo "未找到/var/log/spooler的文件" >> /tmp/check/${str}_out.txt 
    117 fi
    118 
    119 if [ -e /var/log/boot/log ];then
    120     LOG=`ls -l /var/log/boot/log | awk '{print $1}'`
    121     echo "/var/log/boot/log 的文件权限为:${LOG:1:9}" >> /tmp/check/${str}_out.txt 
    122 else
    123     echo "未找到/var/log/boot/log的文件" >> /tmp/check/${str}_out.txt 
    124 fi
    125 
    126 echo "----------------------------" >> /tmp/check/${str}_out.txt 
    127 echo "[5]检查是否对远程日志服务器配置" >> /tmp/check/${str}_out.txt 
    128 if [ -e /etc/rsyslog.conf ];then
    129     RSYS=`cat /etc/rsyslog.conf | grep "@${str1}" | grep $'	' | grep .*` 
    130     echo "远程日志服务器配置情况为:${RSYS}" >> /tmp/check/${str}_out.txt 
    131 else
    132     echo "未找到/etc/rsyslog.conf配置文件" >> /tmp/check/${str}_out.txt 
    133 fi
    134 echo "----------------------------" >> /tmp/check/${str}_out.txt
    135 echo ""
    136 echo "----**系统文件管理**----" >> /tmp/check/${str}_out.txt 
    137 echo "[1]检查是否对登录超时时间配置" >> /tmp/check/${str}_out.txt 
    138 if [ -e /etc/profile ] && [ -e /etc/bashrc ]; then
    139     TMOUT=`cat /etc/profile | grep HISTTIMEFORMAT | grep TMOUT`
    140     if [ -n ${TMOUT} ]; then
    141         echo "/etc/profile的超时时间设置情况为:${TMOUT}" >> /tmp/check/${str}_out.txt 
    142         FORMAT=`cat /etc/bashrc | grep export | grep HISTTIMEFORMAT`
    143         if [ -n ${FORMAT} ];then
    144             echo "/etc/bashrc的设置为${FORMAT}" >> /tmp/check/${str}_out.txt 
    145         else
    146             echo "/etc/bashrc不存在对应配置" >> /tmp/check/${str}_out.txt 
    147         fi
    148     else
    149         echo "/etc/profile文件不存在对应配置" >> /tmp/check/${str}_out.txt 
    150     fi
    151 else
    152     echo "不存在/etc/profile文件以及/etc/bashrc文件" >> /tmp/check/${str}_out.txt 
    153 fi
    154 
    155 
    156 echo "----------------------------" >> /tmp/check/${str}_out.txt 
    157 echo "[2]检查系统磁盘状态" >> /tmp/check/${str}_out.txt 
    158 DF=`df -h | awk 'NR!=1{print $5}' | awk -F[\%] '{print $1}'`
    159 for i in $DF
    160 do
    161     if [ $i -ge 80 ];then
    162         flag=1
    163     else
    164         flag=0
    165     fi
    166 done
    167 if [ $flag = 1 ];then
    168     echo "系统磁盘使用率大于80%" >> /tmp/check/${str}_out.txt 
    169 else [ $flag = 0 ]
    170     echo "系统磁盘状态小于80%" >> /tmp/check/${str}_out.txt 
    171 fi    
    172     
    173 echo "----------------------------" >> /tmp/check/${str}_out.txt     
    174 echo "[3]检查是否禁止匿名FTP访问" >> /tmp/check/${str}_out.txt 
    175 if [ -e /etc/vsftpd.conf ];then
    176     cat /etc/vsftpd.conf | grep "anonymous_enable=NO" 
    177     if [ $? -eq 0 ]; then
    178         echo "/etc/vsftpd.conf文件有设置:anonymous_enable=NO" >> /tmp/check/${str}_out.txt 
    179     else
    180         echo "不符合规范,需编辑/etc/vsftpd.conf文件,设置:anonymous_enable=NO" >> /tmp/check/${str}_out.txt 
    181     fi
    182 else
    183     echo "未找到/etc/vsftpd.conf文件" >> /tmp/check/${str}_out.txt 
    184 fi
    185 
    186 echo "----------------------------" >> /tmp/check/${str}_out.txt     
    187 echo "[4]检查是否修改FTP banner 信息" >> /tmp/check/${str}_out.txt 
    188 if [ -e /etc/vsftpd.d/vsftpd.conf ];then
    189     BANNER=`cat /etc/vsftpd.d/vsftpd.conf | grep ftpd_banner | grep -F[=] awk '{print $1}'`
    190     if [ -n ${BANNER} ];then
    191         echo "banner信息为${BANNER}" >> /tmp/check/${str}_out.txt 
    192     else
    193         echo "未设置banner信息" >> /tmp/check/${str}_out.txt 
    194     fi
    195 else
    196     echo "未找到/etc/vsftpd.d/vsftpd.conf文件" >> /tmp/check/${str}_out.txt 
    197 fi
    198 
    199 if [ -e /etc/ftpaccess ];then
    200     cat /etc/ftpaccess | grep "banner /path/to/ftpbanner"
    201     if [ -e -eq 0 ];then
    202         echo "/etc/ftpaccess文件中已经设置banner路径" >> /tmp/check/${str}_out.txt 
    203     else
    204         echo "/etc/ftpaccess文件中未设置banner路径" >> /tmp/check/${str}_out.txt 
    205     fi
    206 else
    207     echo "不存在/etc/ftpaccess文件" >> /tmp/check/${str}_out.txt 
    208 fi
    209 
    210 echo "----------------------------" >> /tmp/check/${str}_out.txt     
    211 echo "[5]检查是否关闭不必要的服务" >> /tmp/check/${str}_out.txt 
    212 SERVICE=`ps -ef`
    213 echo "系统服务情况为${SERVICE}" >> /tmp/check/${str}_out.txt 
    214 SER_LIST=`systemctl list-units -all --type=service`
    215 echo "服务有${SER_LIST}" >> /tmp/check/${str}_out.txt 
    216 if [ -e /etc/xinetd.conf ];then
    217     echo "在/etc/xinetd.conf文件中禁止不必要的基本网络服务" >> /tmp/check/${str}_out.txt 
    218 else
    219     echo "未找到/etc/xinetd.conf文件" >> /tmp/check/${str}_out.txt 
    220 fi
    221 
    222 
    223 echo "----------------------------" >> /tmp/check/${str}_out.txt 
    224 echo "[6]检查系统core dump状态" >> /tmp/check/${str}_out.txt 
    225 if [ -e /etc/security/limits.conf ];then
    226     cat /etc/security/limits.conf | grep * | grep soft | grep core  | grep 0
    227     if [ $? -eq 0 ];then
    228         cat /etc/security/limits.conf | grep * | grep hard | grep core  | grep 0
    229         if [ $? -eq 0 ];then
    230             echo "/etc/security/limits.conf符合安全配置" >> /tmp/check/${str}_out.txt 
    231         else
    232             echo "/etc/security/limits.conf未安装规范进行设置" >> /tmp/check/${str}_out.txt 
    233         fi
    234     else
    235         echo "/etc/security/limits.conf未安装规范进行设置" >> /tmp/check/${str}_out.txt 
    236     fi
    237 else
    238     echo "未找到/etc/security/limits.conf配置文件"  >> /tmp/check/${str}_out.txt 
    239 fi
    240 
    241 echo "----------------------------" >> /tmp/check/${str}_out.txt 
    242 echo "[7]检查系统补丁" >> /tmp/check/${str}_out.txt 
    243 OS=`uname -a`
    244 echo "系统版本情况为${OS}" >> /tmp/check/${str}_out.txt 
    245 
    246 
    247 
    248 echo "----**用户账号配置**----" >> /tmp/check/${str}_out.txt 
    249 echo "[1]检查是否存在无用账号" >> /tmp/check/${str}_out.txt 
    250 passwd=`ls -l /etc/passwd | awk '{print $1}'`
    251 if [ "${passwd:1:9}" = "rw-r--r--" ]; then
    252     echo "/etc/passwd文件权限为644,符合规范" >> /tmp/check/${str}_out.txt 
    253 else
    254     echo "/etc/passwd文件权限为${passwd:1:9},不符合规范" >> /tmp/check/${str}_out.txt 
    255 fi
    256 PASSWD_U=`cat /etc/passwd | awk -F[:] '{print $1}'`
    257 echo "查看是否存在无用账号:${PASSWD_U}" >> /tmp/check/${str}_out.txt 
    258 
    259     
    260 echo "----------------------------" >> /tmp/check/${str}_out.txt     
    261 echo "[2]检查不同用户是否共享账号" >> /tmp/check/${str}_out.txt     
    262 PASS=`cat /etc/passwd | awk -F[:] '{print $1}'`
    263 echo "cat /etc/passwd结果为${PASS}" >> /tmp/check/${str}_out.txt 
    264 #查看所有账号,与管理员确认是否有共享账号    
    265     
    266 echo "----------------------------" >> /tmp/check/${str}_out.txt 
    267 echo "[3]检查是否删除或锁定无用账号" >> /tmp/check/${str}_out.txt 
    268 NOlogin=`cat /etc/passwd | grep nologin | awk -F[:] '{print $1}'`
    269 echo "shell域中为nologin的账户有${NOlogin}" >> /tmp/check/${str}_out.txt 
    270 
    271     
    272 echo "----------------------------" >> /tmp/check/${str}_out.txt     
    273 echo "[4]检查是否存在无用用户组" >> /tmp/check/${str}_out.txt 
    274 GROUP=`ls -l /etc/group | awk '{print $1}'`
    275 echo "/etc/group文件权限为${GROUP}" >> /tmp/check/${str}_out.txt 
    276 GROUP_U=`cat /etc/group | awk -F[:] '{print $1}'`
    277 echo "/etc/group用户组有${GROUP}" >> /tmp/check/${str}_out.txt 
    278 
    279     
    280 echo "----------------------------" >> /tmp/check/${str}_out.txt     
    281 echo "[5]检查是否指定用户组成员使用su命令" >> /tmp/check/${str}_out.txt 
    282 if [ -e /etc/pam.d/su ];then
    283     SUFFI=`cat /etc/pam.d/su | grep auth | grep sufficient | grep pam_rootok.so`
    284     REQUIRED=`cat /etc/pam.d/su | grep auth | grep required | grep group=`
    285     echo "是否指定用户组成员情况为${SUFFI}
    ${REQUIRED}" >> /tmp/check/${str}_out.txt 
    286 else
    287     echo "未找到/etc/pam.d/su配置文件" >> /tmp/check/${str}_out.txt 
    288 fi
    289 
    290 
    291 
    292 echo "----------------------------" >> /tmp/check/${str}_out.txt     
    293 echo "[6]检查密码长度及复杂度策略" >> /tmp/check/${str}_out.txt 
    294 if [ -e /etc/pam.d/system-auth ];then
    295     passComplexity=`cat /etc/pam.d/system-auth | grep "pam_pwquality.so"`
    296     passucredit=`cat /etc/pam.d/system-auth | grep "pam_pwquality.so" | grep -e ucredit | awk '{print $4}'`
    297     passlcredit=`cat /etc/pam.d/system-auth | grep "pam_pwquality.so" | grep -e lcredit | awk '{print $5}'`
    298     passdcredit=`cat /etc/pam.d/system-auth | grep "pam_pwquality.so" | grep -e dcredit | awk '{print $6}'`
    299     passocredit=`cat /etc/pam.d/system-auth | grep "pam_pwquality.so" | grep -e ocredit | awk '{print $7}'`
    300     echo "密码复杂度策略为:${passComplexity}" >> /tmp/check/${str}_out.txt     
    301     echo "密码复杂度策略中设置的大写字母个数为:${passucredit}" >> /tmp/check/${str}_out.txt 
    302     echo "密码复杂度策略中设置的小写字母个数为:${passlcredit}" >> /tmp/check/${str}_out.txt 
    303     echo "密码复杂度策略中设置的数字个数为:${passdcredit}" >> /tmp/check/${str}_out.txt 
    304     echo "密码复杂度策略中设置的特殊字符个数为:${passocredit}" >> /tmp/check/${str}_out.txt 
    305 else
    306     ehco "不存在/etc/pam.d/system-auth文件" >> /tmp/check/${str}_out.txt 
    307 fi
    308     
    309 echo "----------------------------" >> /tmp/check/${str}_out.txt     
    310 echo "[7]检查是否对用户远程登录进行限制" >> /tmp/check/${str}_out.txt 
    311 cat /etc/securetty | grep "#" | grep tty
    312 if [ $? -eq 0 ];then
    313     echo "注释掉所有tty设备" >> /tmp/check/${str}_out.txt 
    314 else
    315     echo "未注释掉所有tty设备" >> /tmp/check/${str}_out.txt 
    316 fi
    317 
    318 RootLogin=`cat /etc/ssh/sshd_config | grep PermitRootLogin | awk '{print $2}'`
    319 if [ "${RootLogin}" == "yes" ];then
    320     echo "/etc/ssh/sshd_config中PermitRootLogin配置为yes" >> /tmp/check/${str}_out.txt 
    321 else [ "${RootLogin}" == "no" ]
    322     echo "/etc/ssh/sshd_config中PermitRootLogin配置为no" >> /tmp/check/${str}_out.txt 
    323 fi
    324 
    325 
    326 
    327 echo "----------------------------" >> /tmp/check/${str}_out.txt     
    328 echo "[8]检查是否配置加密协议" >> /tmp/check/${str}_out.txt 
    329 SSH=`ps -elf | grep ssh`
    330 echo "ssh服务状态为${SSH}"  >> /tmp/check/${str}_out.txt 
    331 if [ -e /etc/ssh/sshd_config ];then
    332     cat /etc/ssh/sshd_config | grep "Host*" | grep "Protocol 2"
    333     if [ $? -eq 0 ];then
    334         echo "/etc/ssh/sshd_config文件符合安全配置" >> /tmp/check/${str}_out.txt 
    335     else
    336         echo "/etc/ssh/sshd_config文件中未找到相应配置" >> /tmp/check/${str}_out.txt 
    337     fi
    338 else
    339     echo "未找到/etc/ssh/sshd_config文件" >> /tmp/check/${str}_out.txt 
    340 fi    
    341 
    342     
    343 echo "----------------------------" >> /tmp/check/${str}_out.txt     
    344 echo "[9]检查是否配置密码的生存期" >> /tmp/check/${str}_out.txt 
    345 if [ -e /etc/login.defs ];then
    346     passmax=`cat /etc/login.defs | grep PASS_MAX_DAYS | grep -v ^# | awk '{print $2}'`
    347     passmin=`cat /etc/login.defs | grep PASS_MIN_DAYS | grep -v ^# | awk '{print $2}'`
    348     passlen=`cat /etc/login.defs | grep PASS_MIN_LEN | grep -v ^# | awk '{print $2}'`
    349     passage=`cat /etc/login.defs | grep PASS_WARN_AGE | grep -v ^# | awk '{print $2}'`
    350     echo "口令生存周期天数为: ${passmax}" >> /tmp/check/${str}_out.txt 
    351     echo "口令更改最小时间间隔为天数为:${passmin}" >> /tmp/check/${str}_out.txt 
    352     echo "口令最小长度天数为:${passlen}" >> /tmp/check/${str}_out.txt 
    353     echo "口令过期告警时间天数为:${passage}" >> /tmp/check/${str}_out.txt 
    354 else
    355     echo "未找到/etc/login.defs配置文件" >> /tmp/check/${str}_out.txt 
    356 fi
    357 
    358 echo "----------------------------" >> /tmp/check/${str}_out.txt     
    359 echo "[10]检查用户缺省访问权限" >> /tmp/check/${str}_out.txt 
    360 fileumask=`cat /etc/login.defs | grep -i umask | awk '{print $2}'`
    361 if [ -n $fileumask ]; then    
    362     echo "/etc/login.defs文件的umask的值为:${fileumask}" >> /tmp/check/${str}_out.txt 
    363 else
    364     echo "/etc/login.defs文件未配置umask值" >> /tmp/check/${str}_out.txt 
    365 fi
    366 
    367 
    368 echo "----------------------------" >> /tmp/check/${str}_out.txt 
    369 echo "[11]检查passwd group文件安全权限" >> /tmp/check/${str}_out.txt 
    370 
    371 grep ^+: /etc/passwd /etc/shadow /etc/group
    372 if [ $? -eq 0 ];then
    373     echo "低于安全要求" >> /tmp/check/${str}_out.txt 
    374 else
    375     echo "符合安全要求" >> /tmp/check/${str}_out.txt 
    376 fi
    377 passwd=`ls -l /etc/passwd | awk '{print $1}'`
    378 echo "/etc/passwd文件权限为${passwd:1:9}" >> /tmp/check/${str}_out.txt 
    379 ETC_group=`ls -l /etc/group | awk '{print $1}'`
    380 echo "/etc/group文件权限为${passwd:1:9}" >> /tmp/check/${str}_out.txt 
    381 
    382 igroup=`lsattr /etc/group | grep i`
    383 if [ "$igroup" = "i" ]; then
    384     echo "/etc/group文件存在i属性文件" >> /tmp/check/${str}_out.txt 
    385 else
    386     echo "/etc/group文件不存在i文件属性" >> /tmp/check/${str}_out.txt 
    387 fi
    388 ipasswd=`lsattr /etc/passwd | grep i`
    389 if [ "$igshadow" = "i" ]; then
    390     echo "/etc/passwd存在i属性文件" >> /tmp/check/${str}_out.txt 
    391 else
    392     echo "/etc/passwd不存在i文件属性" >> /tmp/check/${str}_out.txt 
    393 fi
    394 
    395     
    396 echo "----------------------------" >> /tmp/check/${str}_out.txt     
    397 echo "[12]检查是否存在除root之外UID为0的用户" >> /tmp/check/${str}_out.txt 
    398 uids=`awk -F[:] 'NR!=1{print $3}' /etc/passwd`  #NR!=1意思的除了第一行不显示。1代表具体的行数
    399 flag=0
    400 for i in $uids
    401 do 
    402     if [ $i = 0 ]; then
    403         echo "存在非root账号的账号UID为0,不符合要求" >> /tmp/check/${str}_out.txt 
    404     else    
    405         flag=1
    406     fi
    407 done
    408 if [ $flag = 1 ]; then
    409    echo "不存在非root账号的UID为0,符合要求" >> /tmp/check/${str}_out.txt 
    410 fi
    411 
    412     
    413     
    414 echo "----------------------------" >> /tmp/check/${str}_out.txt     
    415 echo "[13]检查是否配置环境变量" >> /tmp/check/${str}_out.txt 
    416 echo $PATH | egrep '(^|:)(.|:|$)'
    417 if [ $? -eq 0 ];then
    418     echo "检查是否包含父目录,低于安全要求" >> /tmp/check/${str}_out.txt 
    419 else
    420     echo "检查是否包含父目录,符合安全要求" >> /tmp/check/${str}_out.txt 
    421 fi
    422 
    423 echo "----------------------------" >> /tmp/check/${str}_out.txt 
    424 echo "[14]检查是否对远程连接的安全性进行配置" >> /tmp/check/${str}_out.txt 
    425 filerhosts=`find / -maxdepth 3 -type f -name .rhosts 2>/dev/null`
    426 if [ -n "$filerhosts" ]; then
    427     echo "rhosts文件路径为:${filerhosts}" >> /tmp/check/${str}_out.txt 
    428 else
    429     echo "未找到.rhosts文件" >> /tmp/check/${str}_out.txt 
    430 fi
    431 
    432 fileequiv=`find / -maxdepth 2 -name hosts.equiv 2>/dev/null`
    433 if [ -n "$fileequiv" ]; then
    434     echo "hosts.equiv文件路径为:${fileequiv}" >> /tmp/check/${str}_out.txt 
    435 else
    436     echo "未找到hosts.equiv文件" >> /tmp/check/${str}_out.txt 
    437 fi
    438 filenetrc=`find / -maxdepth 3 -name .netrc 2>/dev/null`
    439 if [ -n "$filenetrc" ]; then
    440     echo "netrc文件路径为:${filenetrc}" >> /tmp/check/${str}_out.txt 
    441 else
    442     echo "未找到.netrc文件" >> /tmp/check/${str}_out.txt 
    443 fi
    444 
    445 echo "----------------------------" >> /tmp/check/${str}_out.txt 
    446 echo "[15]检查是否对用户的umask进行配置" >> /tmp/check/${str}_out.txt 
    447 if [ -e /etc/profile ];then
    448     PROFILE1=`cat /etc/profile | grep -i umask | grep -v '#' | head -n 1 | awk '{print $2}'`
    449     PROFILE2=`cat /etc/profile | grep -i umask | grep -v '#' | tail -1 | awk '{print $2}'`
    450     if [ -n "$PROFILE" ]; then
    451         echo "在/etc/profile文件中umask的值为:${PROFILE}和${PROFILE1}" >> /tmp/check/${str}_out.txt 
    452     else
    453         echo "在/etc/profile文件中未找到umask值" >> /tmp/check/${str}_out.txt 
    454     fi
    455 fi
    456 
    457 csh=`cat /etc/csh.login | grep -i umask`
    458 if [ -n "$csh" ]; then
    459     echo "在/etc/csh.login文件中umask的内容为:${csh}" >> /tmp/check/${str}_out.txt 
    460 else
    461     echo "在/etc/csh.login文件中未找到umask值" >> /tmp/check/${str}_out.txt 
    462 fi
    463 
    464 cshrc1=`cat /etc/csh.cshrc | grep -i umask | grep -v '#' | head -n 1 | awk '{print $2}'`
    465 cshrc2=`cat /etc/csh.cshrc | grep -i umask | grep -v '#' | tail -1 | awk '{print $2}'`
    466 if [ -n "$cshrc" ]; then
    467     echo "在/etc/csh.cshrc文件中umask的值为:${cshrc1}和${cshrc2}" >> /tmp/check/${str}_out.txt 
    468 else
    469     echo "在/etc/csh.login文件中未找到umask值" >> /tmp/check/${str}_out.txt 
    470 fi
    471 
    472 if [ -e /etc/bashrc ];then
    473     bashrc1=`cat /etc/bashrc | grep -i umask | grep -v '#' | head -n 1 | awk '{print $2}'`
    474     bashrc2=`cat /etc/bashrc | grep -i umask | grep -v '#' | tail -1 | awk '{print $2}'`
    475     if [ -n "$bashrc1" ] && [ -n "$bashrc2" ]; then
    476         echo "在/etc/bashrc文件中umask内容为:${bashrc1}和${bashrc2}" >> /tmp/check/${str}_out.txt 
    477     else
    478         echo "在/etc/bashrc文件中未找到umask值" >> /tmp/check/${str}_out.txt 
    479     fi
    480 fi
    481 
    482 echo "----------------------------" >> /tmp/check/${str}_out.txt 
    483 echo "[16]检查是否对重要目录和文件的权限进行设置" >> /tmp/check/${str}_out.txt 
    484 etc=`ls -l / | grep etc | awk '{print $1}'`
    485 if [ "${etc:1:9}" = "rwxr-x---" ]; then
    486     echo "/etc/权限为750,符合规范" >> /tmp/check/${str}_out.txt 
    487 else
    488     echo "/etc/文件权限为${etc:1:9},不符合规范" >> /tmp/check/${str}_out.txt 
    489 fi
    490 
    491 Shadow=`ls -l /etc/shadow | awk '{print $1}'`
    492 if [ "${shadow:1:9}" = "rw-------" ]; then
    493     echo "/etc/shadow文件权限为600,符合规范" >> /tmp/check/${str}_out.txt 
    494 else
    495     echo "/etc/shadow文件权限为${Shadow:1:9},不符合规范" >> /tmp/check/${str}_out.txt 
    496 fi
    497 
    498 Passwd=`ls -l /etc | grep passwd | awk '{print $1}'`
    499 if [ "${passwd:1:9}" = "rw-r--r--" ]; then
    500     echo "/etc/passwd文件权限为644,符合规范" >> /tmp/check/${str}_out.txt 
    501 else
    502     echo "/etc/passwd文件权限为${Passwd:1:9},不符合规范" >> /tmp/check/${str}_out.txt 
    503 fi
    504 
    505 Group=`ls -l /etc | grep group | awk '{print $1}'`
    506 if [ "${Group:1:9}" = "rw-r--r--" ]; then
    507     echo "/etc/passwd文件权限为644,符合规范" >> /tmp/check/${str}_out.txt 
    508 else
    509     echo "/etc/passwd文件权限为${Group:1:9},不符合规范" >> /tmp/check/${str}_out.txt 
    510 fi
    511 
    512 
    513 echo "----------------------------" >> /tmp/check/${str}_out.txt 
    514 echo "[17]检查是否存在未授权的suid/sgid文件" >> /tmp/check/${str}_out.txt 
    515 for PART in `grep -v ^# /etc/fstab | awk '($6 != "0") {print "/./"$2 }'`; do
    516     RESULT=`find $PART -type f -xdev ( -perm -04000 -o -perm -02000 ) -print`
    517         if [ -n $RESULT ];then
    518             flag=1
    519         else
    520             flag=0
    521         fi
    522 done
    523 if [ $flag -eq 0 ];then
    524     echo "返回值为空,符合规范" >> /tmp/check/${str}_out.txt 
    525 else [ $flag -eq 1 ]
    526     echo "返回值不为空,不符合规范" >> /tmp/check/${str}_out.txt 
    527 fi
    528 
    529 echo "----------------------------" >> /tmp/check/${str}_out.txt     
    530 echo "[18]检查是否存在异常隐含文件" >> /tmp/check/${str}_out.txt 
    531 find  / -name ".. *" -print
    532 HIDDEN=`find  / -name ".. *" -print; find  / -name "...*" -print | cat -v`
    533 if [ -n ${XINETD} ];then
    534     echo "隐藏文件有${HIDDEN}" >> /tmp/check/${str}_out.txt 
    535 else
    536     echo "没有隐藏文件" >> /tmp/check/${str}_out.txt 
    537 fi
    538 
    539 echo "----**网络通信配置**----" >> /tmp/check/${str}_out.txt 
    540 echo "[1]检查是否对基本网络服务进行配置" >> /tmp/check/${str}_out.txt 
    541 XINETD=`ls  -l  /etc/xinetd.d`
    542 echo "/etc/xinetd.d目录中的包含的基本的网络服务的配置文件为${XINETD}" >> /tmp/check/${str}_out.txt 
    543     
    544 echo "----------------------------" >> /tmp/check/${str}_out.txt     
    545 echo "[2]检查是否开启NFS服务" >> /tmp/check/${str}_out.txt 
    546 systemctl status nfs
    547 if [ $? -eq 0 ];then
    548     echo "已开启nfs服务" >> /tmp/check/${str}_out.txt 
    549 else [ $? -eq 3 ]
    550     echo "未开启nfs服务" >> /tmp/check/${str}_out.txt 
    551 fi
    552 
    553 echo "----------------------------" >> /tmp/check/${str}_out.txt 
    554 echo "[3]检查常规网络服务是否运行正常" >> /tmp/check/${str}_out.txt 
    555 #若无telnet命令
    556 telnet localhost 80
    557 if [ $? -eq 0 ];then
    558     echo "80服务正常运行" >> /tmp/check/${str}_out.txt 
    559     telnet localhost 25
    560     if [ $? -eq 0 ];then
    561         echo "25服务正常运行" >> /tmp/check/${str}_out.txt 
    562     fi
    563     telnet localhost 110
    564     if [ $? -eq 0 ];then
    565         echo "110服务正常运行" >> /tmp/check/${str}_out.txt 
    566     fi
    567     telnet localhost 143
    568     if [ $? -eq 0 ];then
    569         echo "143服务正常运行" >> /tmp/check/${str}_out.txt 
    570     fi
    571     telnet localhost 443
    572     if [ $? -eq 0 ];then
    573         echo "443服务正常运行" >> /tmp/check/${str}_out.txt 
    574     fi
    575     telnet localhost 21
    576     if [ $? -eq 0 ];then
    577         echo "21服务正常运行" >> /tmp/check/${str}_out.txt 
    578     fi
    579 else
    580     echo "系统未安装telnet命令" >> /tmp/check/${str}_out.txt 
    581 fi
    centos 7基线检查
  • 相关阅读:
    Webpack 入门指迷--转载(题叶)
    浏览器工作原理理解
    Knockout.js初体验
    node.js链接mysql
    2020年度春季学习总结--第二周
    Python 爬取 热词并进行分类数据分析-[安全性改造]
    以 CheatEngine 为例的六个质量属性
    2020年度春季学习总结--第一周
    软件架构师如何工作-个人见解
    Steam 游戏 《Crashlands(崩溃大陆)》修改器制作-[先使用CE写,之后有时间的话改用CheatMaker](2020年寒假小目标12)
  • 原文地址:https://www.cnblogs.com/pythonal/p/10025224.html
Copyright © 2011-2022 走看看