以下是 CentOS 7 基线检查脚本:
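#!/bin/bash
# version v1.0 by pensar
# 操作系统linux 配置规范--centos7
#
# CentOS 7 security baseline check.
#
# Usage:   bash <this script>   (run as root: /etc/shadow, lsattr and `find /`
#                                need it to be readable/complete)
# Env:     CHECK_DIR  report directory, default /tmp/check
# Outputs: ${CHECK_DIR}/<YYYYmmddHHMM>_<ipv4>_out.txt   human-readable report
#          ${CHECK_DIR}/<YYYYmmddHHMM>_<ipv4>_dict.txt  dict-style line(s)
#
# The script only reads configuration and appends findings to the report.
# Most items collect evidence for a human reviewer; only a few decide
# 符合/不符合 by themselves.

# -u catches the unset-variable typos the original checks suffered from.
# -e is deliberately NOT used: a non-matching grep is a normal outcome for
# almost every check here.
set -u

out_dir=${CHECK_DIR:-/tmp/check}

cat <<EOF
***************************************************************
linux安全配置检查脚本:
1. 输出结果在${out_dir}/目录下查看
2.检查范围及检查项(共计4大类,33项)
*日志审计配置*:
[1]检查Cron任务授权
[2]检查是否对syslog登录事件记录
[3]检查是否对rsyslog.conf配置审核
[4]检查系统日志读写权限
[5]检查是否对远程日志服务器配置
*系统文件管理*:
[1]检查是否对登录超时时间配置
[2]检查系统磁盘状态
[3]检查是否禁止匿名FTP访问
[4]检查是否修改FTP banner 信息
[5]检查是否关闭不必要的服务
[6]检查系统core dump状态
[7]检查系统补丁
*用户账号配置*:
[1]检查是否存在无用账号
[2]检查不同用户是否共享账号
[3]检查是否删除或锁定无用账号
[4]检查是否存在无用用户组
[5]检查是否指定用户组成员使用su命令
[6]检查密码长度及复杂度策略
[7]检查是否对用户远程登录进行限制
[8]检查是否配置加密协议
[9]检查是否配置密码的生存期
[10]检查用户缺省访问权限
[11]检查passwd group文件安全权限
[12]检查是否存在除root之外UID为0的用户
[13]检查是否配置环境变量
[14]检查是否对远程连接的安全性进行配置
[15]检查是否对用户的umask进行配置
[16]检查是否对重要目录和文件的权限进行设置
[17]检查是否存在未授权的suid/sgid文件
[18]检查是否存在异常隐含文件
*网络通信配置*:
[1]检查是否对基本网络服务进行配置
[2]检查是否开启NFS服务
[3]检查常规网络服务是否运行正常
***************************************************************
EOF

# /tmp is world-writable.  Create the directory 0700 and refuse to write into
# a symlink or a directory owned by someone else; otherwise another local
# user could pre-create /tmp/check and redirect root's report.
if ! mkdir -p -m 700 -- "$out_dir"; then
  printf 'cannot create %s\n' "$out_dir" >&2
  exit 1
fi
if [ -L "$out_dir" ] || [ ! -O "$out_dir" ]; then
  printf '%s is a symlink or not owned by uid %s, refusing to write there\n' \
    "$out_dir" "$(id -u)" >&2
  exit 1
fi

#######################################
# First non-loopback IPv4 address, used in the report file name.
# Tries ifconfig first (same command as before), then `ip`, because
# net-tools is not installed on a minimal CentOS 7.
# Outputs: the address, or an empty string if none was found.
#######################################
host_ip() {
  local ip=''
  if [ -x /sbin/ifconfig ]; then
    ip=$(/sbin/ifconfig -a | grep inet | grep -v 127.0.0.1 | grep -v inet6 \
      | awk '{print $2}' | tr -d 'addr:' | head -n 1)
  fi
  if [ -z "$ip" ] && command -v ip >/dev/null 2>&1; then
    ip=$(ip -4 -o addr show scope global 2>/dev/null \
      | awk '{print $4}' | cut -d/ -f1 | head -n 1)
  fi
  printf '%s\n' "$ip"
}

str1=$(host_ip)
str=$(date +%Y%m%d%H%M)_"$str1"
readonly out_file="$out_dir/${str}_out.txt"
readonly dict_file="$out_dir/${str}_dict.txt"

# log MSG...      append one line to the report
log() { printf '%s\n' "$*" >> "$out_file"; }
# sep             section separator in the report
sep() { log "----------------------------"; }
# perm_of PATH    the nine rwx characters of PATH's mode (what ${x:1:9} of
#                 `ls -l` gave), empty if PATH does not exist
perm_of() { stat -c %A -- "$1" 2>/dev/null | cut -c2-10; }
# active_lines FILE...   FILE(s) without comment and blank lines; missing
#                        files are silently skipped
active_lines() { grep -hvE '^[[:space:]]*(#|$)' -- "$@" 2>/dev/null; }
# login_def KEY   value of KEY in /etc/login.defs (uncommented lines only)
login_def() { awk -v k="$1" '$1 == k {print $2}' /etc/login.defs 2>/dev/null; }

#######################################
# check_perm PATH LABEL EXPECTED...
# Logs "<PATH>权限为<LABEL>,符合规范" when PATH's rwx string equals one of
# EXPECTED, otherwise the actual string and 不符合规范.
# Returns: 0 when conformant, 1 otherwise
#######################################
check_perm() {
  local path=$1 label=$2 actual want
  shift 2
  actual=$(perm_of "$path")
  for want in "$@"; do
    if [ "$actual" = "$want" ]; then
      log "${path}权限为${label},符合规范"
      return 0
    fi
  done
  log "${path}权限为${actual},不符合规范"
  return 1
}

#######################################
# port_open HOST PORT
# Returns 0 when a TCP connection to HOST:PORT succeeds (within 3s when
# coreutils `timeout` is available).  Uses bash's /dev/tcp instead of the
# interactive telnet client, whose exit status said nothing about the port.
#######################################
port_open() {
  if command -v timeout >/dev/null 2>&1; then
    timeout 3 bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
  else
    bash -c 'exec 3<>"/dev/tcp/$0/$1"' "$1" "$2" 2>/dev/null
  fi
}

#######################################
# 日志审计配置 (5 items)
#######################################
check_log_audit() {
  local cron_deny at_deny syslog_cfg f
  log "----**日志审计配置**----"

  log "[1] 检查Cron任务授权"
  if [ -e /etc/cron.deny ] && [ -e /etc/at.deny ]; then
    cron_deny=$(perm_of /etc/cron.deny)
    at_deny=$(perm_of /etc/at.deny)
    log "/etc/cron.deny文件授权情况为:${cron_deny}"
    log "/etc/at.deny文件授权情况为:${at_deny}"
    printf '%s\n' "{'Check_point':'检查Cron任务授权','Check_result':{'/etc/cron.deny文件授权情况为':'${cron_deny}','/etc/at.deny文件授权情况为':'${at_deny}'}}" >> "$dict_file"
    # "cron.*" in the original was a regex, i.e. any line containing "cron"
    log "/etc/rsyslog.conf的配置情况为:$(active_lines /etc/rsyslog.conf | grep cron)"
  else
    log "未找到/etc/cron.deny和/etc/at.deny配置文件"
  fi
  sep

  log "[2]检查是否对syslog登录事件记录"
  # CentOS 7 ships rsyslog, so /etc/syslog.conf normally does not exist;
  # the same authpriv -> /var/log/secure rule lives in rsyslog.conf
  syslog_cfg=''
  for f in /etc/syslog.conf /etc/rsyslog.conf; do
    if [ -e "$f" ]; then
      syslog_cfg=$f
      break
    fi
  done
  if [ -n "$syslog_cfg" ]; then
    log "${syslog_cfg}的配置为:$(active_lines "$syslog_cfg" | grep /var/log/secure | grep authpriv)"
  else
    log "未找到/etc/syslog.conf配置文件"
  fi
  sep

  log "[3]检查是否对rsyslog.conf配置审核"
  if [ -e /etc/rsyslog.conf ]; then
    log "rsyslog.conf文件的配置为$(active_lines /etc/rsyslog.conf | grep @loghost)"
  else
    log "未找到/etc/rsyslog.conf配置文件"
  fi
  sep

  log "[4]检查系统日志读写权限"
  # the original looked at /var/log/boot/log, which CentOS 7 does not use;
  # the boot log is /var/log/boot.log
  for f in /var/log/messages /var/log/secure /var/log/maillog /var/log/cron \
           /var/log/spooler /var/log/boot.log; do
    if [ -e "$f" ]; then
      log "${f}的文件权限为:$(perm_of "$f")"
    else
      log "未找到${f}的文件"
    fi
  done
  sep

  log "[5]检查是否对远程日志服务器配置"
  if [ -e /etc/rsyslog.conf ]; then
    # forwarding rules look like "*.* @host:514" (UDP) or "@@host" (TCP);
    # the original grepped for this host's own address, which never matches
    # a real remote-server line.  rsyslog.d drop-ins are included.
    log "远程日志服务器配置情况为:$(active_lines /etc/rsyslog.conf /etc/rsyslog.d/*.conf | grep -E '@@?[^[:space:]]')"
  else
    log "未找到/etc/rsyslog.conf配置文件"
  fi
  sep
}

#######################################
# 系统文件管理 (7 items)
#######################################
check_system_files() {
  local tmout fmt full f ftp_conf banner
  log "----**系统文件管理**----"

  log "[1]检查是否对登录超时时间配置"
  if [ -e /etc/profile ] && [ -e /etc/bashrc ]; then
    # the original required HISTTIMEFORMAT and TMOUT on the same line, which
    # never happens; the two settings are looked up independently
    tmout=$(active_lines /etc/profile | grep TMOUT)
    if [ -n "$tmout" ]; then
      log "/etc/profile的超时时间设置情况为:${tmout}"
    else
      log "/etc/profile文件不存在对应配置"
    fi
    fmt=$(active_lines /etc/bashrc | grep export | grep HISTTIMEFORMAT)
    if [ -n "$fmt" ]; then
      log "/etc/bashrc的设置为${fmt}"
    else
      log "/etc/bashrc不存在对应配置"
    fi
  else
    log "不存在/etc/profile文件以及/etc/bashrc文件"
  fi
  sep

  log "[2]检查系统磁盘状态"
  # -P keeps one filesystem per line (no wrapping on long device names);
  # $5+0 turns "85%" into 85 and "-" (pseudo filesystems) into 0.
  # The original kept only the status of the LAST filesystem.
  full=$(df -P | awk 'NR > 1 && $5 + 0 >= 80 {print $6 " " $5}')
  if [ -n "$full" ]; then
    log "系统磁盘使用率大于80%"
    log "$full"
  else
    log "系统磁盘状态小于80%"
  fi
  sep

  log "[3]检查是否禁止匿名FTP访问"
  # CentOS 7 vsftpd keeps its config under /etc/vsftpd/; the other two are
  # the paths the original script looked at
  ftp_conf=''
  for f in /etc/vsftpd.conf /etc/vsftpd/vsftpd.conf /etc/vsftpd.d/vsftpd.conf; do
    if [ -e "$f" ]; then
      ftp_conf=$f
      break
    fi
  done
  if [ -n "$ftp_conf" ]; then
    if active_lines "$ftp_conf" | grep -q 'anonymous_enable=NO'; then
      log "${ftp_conf}文件有设置:anonymous_enable=NO"
    else
      log "不符合规范,需编辑${ftp_conf}文件,设置:anonymous_enable=NO"
    fi
  else
    log "未找到/etc/vsftpd.conf文件"
  fi
  sep

  log "[4]检查是否修改FTP banner 信息"
  if [ -n "$ftp_conf" ]; then
    # value after "=" on an uncommented ftpd_banner line
    banner=$(active_lines "$ftp_conf" | grep ftpd_banner | awk -F= '{print $2}')
    if [ -n "$banner" ]; then
      log "banner信息为${banner}"
    else
      log "未设置banner信息"
    fi
  else
    log "未找到/etc/vsftpd.d/vsftpd.conf文件"
  fi
  if [ -e /etc/ftpaccess ]; then
    # wu-ftpd style "banner /path/to/file"; the original grepped for the
    # literal placeholder path
    if active_lines /etc/ftpaccess | grep -qE '^[[:space:]]*banner[[:space:]]+/'; then
      log "/etc/ftpaccess文件中已经设置banner路径"
    else
      log "/etc/ftpaccess文件中未设置banner路径"
    fi
  else
    log "不存在/etc/ftpaccess文件"
  fi
  sep

  log "[5]检查是否关闭不必要的服务"
  log "系统服务情况为$(ps -ef)"
  log "服务有$(systemctl list-units --all --type=service --no-pager 2>&1)"
  if [ -e /etc/xinetd.conf ]; then
    log "在/etc/xinetd.conf文件中禁止不必要的基本网络服务"
  else
    log "未找到/etc/xinetd.conf文件"
  fi
  sep

  log "[6]检查系统core dump状态"
  if [ -e /etc/security/limits.conf ]; then
    # wants both "* soft core 0" and "* hard core 0"; the unquoted `grep *`
    # in the original expanded to the files of the current directory.
    # limits.d drop-ins override limits.conf and are included.
    if active_lines /etc/security/limits.conf /etc/security/limits.d/*.conf \
         | grep -qE '^\*[[:space:]]+soft[[:space:]]+core[[:space:]]+0([[:space:]]|$)' \
       && active_lines /etc/security/limits.conf /etc/security/limits.d/*.conf \
         | grep -qE '^\*[[:space:]]+hard[[:space:]]+core[[:space:]]+0([[:space:]]|$)'; then
      log "/etc/security/limits.conf符合安全配置"
    else
      log "/etc/security/limits.conf未安装规范进行设置"
    fi
  else
    log "未找到/etc/security/limits.conf配置文件"
  fi
  sep

  log "[7]检查系统补丁"
  log "系统版本情况为$(uname -a)"
  [ -r /etc/redhat-release ] && log "发行版本为$(cat /etc/redhat-release)"
  sep
}

#######################################
# 用户账号配置 (18 items)
#######################################
check_user_accounts() {
  local perm suffi required pw root_login proto umask_def f attrs uid0 p
  local spec name depth found first last part
  local -a parts=()
  log "----**用户账号配置**----"

  log "[1]检查是否存在无用账号"
  check_perm /etc/passwd 644 "rw-r--r--"
  log "查看是否存在无用账号:$(awk -F: '{print $1}' /etc/passwd)"
  sep

  log "[2]检查不同用户是否共享账号"
  # 查看所有账号,与管理员确认是否有共享账号
  log "cat /etc/passwd结果为$(awk -F: '{print $1}' /etc/passwd)"
  sep

  log "[3]检查是否删除或锁定无用账号"
  # shell field ($7) only, so a user whose name contains "nologin" does not match
  log "shell域中为nologin的账户有$(awk -F: '$7 ~ /nologin/ {print $1}' /etc/passwd)"
  sep

  log "[4]检查是否存在无用用户组"
  log "/etc/group文件权限为$(perm_of /etc/group)"
  log "/etc/group用户组有$(awk -F: '{print $1}' /etc/group)"
  sep

  log "[5]检查是否指定用户组成员使用su命令"
  if [ -e /etc/pam.d/su ]; then
    # commented-out pam_wheel lines (the CentOS 7 default) must not count
    suffi=$(active_lines /etc/pam.d/su | grep auth | grep sufficient | grep pam_rootok.so)
    required=$(active_lines /etc/pam.d/su | grep auth | grep required | grep group=)
    log "是否指定用户组成员情况为${suffi} ${required}"
  else
    log "未找到/etc/pam.d/su配置文件"
  fi
  sep

  log "[6]检查密码长度及复杂度策略"
  if [ -e /etc/pam.d/system-auth ]; then
    pw=$(active_lines /etc/pam.d/system-auth | grep pam_pwquality.so)
    log "密码复杂度策略为:${pw}"
    # credits are extracted by name; the original printed fixed awk fields
    # ($4..$7), which on the stock line are unrelated options
    log "密码复杂度策略中设置的大写字母个数为:$(grep -oE 'ucredit=-?[0-9]+' <<<"$pw")"
    log "密码复杂度策略中设置的小写字母个数为:$(grep -oE 'lcredit=-?[0-9]+' <<<"$pw")"
    log "密码复杂度策略中设置的数字个数为:$(grep -oE 'dcredit=-?[0-9]+' <<<"$pw")"
    log "密码复杂度策略中设置的特殊字符个数为:$(grep -oE 'ocredit=-?[0-9]+' <<<"$pw")"
    # pam_pwquality also reads /etc/security/pwquality.conf when the
    # options are not on the pam line
    if [ -e /etc/security/pwquality.conf ]; then
      log "/etc/security/pwquality.conf的配置为:$(active_lines /etc/security/pwquality.conf)"
    fi
  else
    log "不存在/etc/pam.d/system-auth文件"
  fi
  sep

  log "[7]检查是否对用户远程登录进行限制"
  # all tty lines commented == no uncommented tty entry; the original only
  # tested whether SOME commented tty line existed
  if [ -e /etc/securetty ] && ! active_lines /etc/securetty | grep -q tty; then
    log "注释掉所有tty设备"
  else
    log "未注释掉所有tty设备"
  fi
  if [ -e /etc/ssh/sshd_config ]; then
    # sshd uses the FIRST occurrence of a keyword; keywords are case-insensitive
    root_login=$(active_lines /etc/ssh/sshd_config \
      | awk 'tolower($1) == "permitrootlogin" {print $2; exit}')
    if [ -n "$root_login" ]; then
      log "/etc/ssh/sshd_config中PermitRootLogin配置为${root_login}"
    else
      log "/etc/ssh/sshd_config中未显式配置PermitRootLogin"
    fi
  else
    log "未找到/etc/ssh/sshd_config文件"
  fi
  sep

  log "[8]检查是否配置加密协议"
  # "[s]sh" keeps the grep process itself out of the listing
  log "ssh服务状态为$(ps -elf | grep '[s]sh')"
  if [ -e /etc/ssh/sshd_config ]; then
    proto=$(active_lines /etc/ssh/sshd_config \
      | awk 'tolower($1) == "protocol" {print $2; exit}')
    # the original required "Host*" and "Protocol 2" on the same line
    if [ "$proto" = "2" ]; then
      log "/etc/ssh/sshd_config文件符合安全配置"
    else
      log "/etc/ssh/sshd_config文件中未找到相应配置"
    fi
  else
    log "未找到/etc/ssh/sshd_config文件"
  fi
  sep

  log "[9]检查是否配置密码的生存期"
  if [ -e /etc/login.defs ]; then
    log "口令生存周期天数为: $(login_def PASS_MAX_DAYS)"
    log "口令更改最小时间间隔为天数为:$(login_def PASS_MIN_DAYS)"
    log "口令最小长度天数为:$(login_def PASS_MIN_LEN)"
    log "口令过期告警时间天数为:$(login_def PASS_WARN_AGE)"
  else
    log "未找到/etc/login.defs配置文件"
  fi
  sep

  log "[10]检查用户缺省访问权限"
  umask_def=$(login_def UMASK)
  if [ -n "$umask_def" ]; then
    log "/etc/login.defs文件的umask的值为:${umask_def}"
  else
    log "/etc/login.defs文件未配置umask值"
  fi
  sep

  log "[11]检查passwd group文件安全权限"
  # a leading "+:" entry is a legacy NIS-compat include line
  if grep -q '^+:' /etc/passwd /etc/shadow /etc/group 2>/dev/null; then
    log "低于安全要求"
  else
    log "符合安全要求"
  fi
  log "/etc/passwd文件权限为$(perm_of /etc/passwd)"
  log "/etc/group文件权限为$(perm_of /etc/group)"
  for f in /etc/group /etc/passwd; do
    # lsattr prints the flag string first, e.g. "----i---------e--"
    attrs=$(lsattr -- "$f" 2>/dev/null | awk '{print $1}')
    if [[ $attrs == *i* ]]; then
      log "${f}文件存在i属性文件"
    else
      log "${f}文件不存在i文件属性"
    fi
  done
  sep

  log "[12]检查是否存在除root之外UID为0的用户"
  # the original skipped line 1 of /etc/passwd and assumed it was root
  uid0=$(awk -F: '$3 == 0 && $1 != "root" {print $1}' /etc/passwd)
  if [ -n "$uid0" ]; then
    log "存在非root账号的账号UID为0,不符合要求:${uid0}"
  else
    log "不存在非root账号的UID为0,符合要求"
  fi
  sep

  log "[13]检查是否配置环境变量"
  # an empty entry ("::", leading/trailing ":"), "." or ".." in PATH makes the
  # current directory searchable; the original regex matched every PATH
  p=":$PATH:"
  log "PATH为:${PATH}"
  if [[ $p == *::* || $p == *:.:* || $p == *:..:* ]]; then
    log "检查是否包含父目录,低于安全要求"
  else
    log "检查是否包含父目录,符合安全要求"
  fi
  sep

  log "[14]检查是否对远程连接的安全性进行配置"
  # name:maxdepth pairs, depths as in the original script
  for spec in .rhosts:3 hosts.equiv:2 .netrc:3; do
    name=${spec%%:*}
    depth=${spec##*:}
    found=$(find / -maxdepth "$depth" -name "$name" 2>/dev/null)
    if [ -n "$found" ]; then
      log "${name#.}文件路径为:${found}"
    else
      log "未找到${name}文件"
    fi
  done
  sep

  log "[15]检查是否对用户的umask进行配置"
  for f in /etc/profile /etc/csh.login /etc/csh.cshrc /etc/bashrc; do
    if [ ! -e "$f" ]; then
      log "未找到${f}文件"
      continue
    fi
    # first and last uncommented umask value (profile sets one per branch)
    first=$(active_lines "$f" | grep -i umask | head -n 1 | awk '{print $2}')
    last=$(active_lines "$f" | grep -i umask | tail -n 1 | awk '{print $2}')
    if [ -n "$first" ]; then
      log "在${f}文件中umask的值为:${first}和${last}"
    else
      log "在${f}文件中未找到umask值"
    fi
  done
  sep

  log "[16]检查是否对重要目录和文件的权限进行设置"
  # stat on the exact path replaces `ls -l /etc | grep passwd`, which also
  # matched passwd- and similar names
  check_perm /etc 750 "rwxr-x---"
  # CentOS 7 ships /etc/shadow as 0000, which is stricter than the 600 the
  # baseline asks for, so both are accepted
  check_perm /etc/shadow 600 "rw-------" "---------"
  check_perm /etc/passwd 644 "rw-r--r--"
  check_perm /etc/group 644 "rw-r--r--"
  sep

  log "[17]检查是否存在未授权的suid/sgid文件"
  # local filesystems = fstab entries with a non-zero fsck pass; each is
  # searched with -xdev so bind/network mounts are not crossed.
  # The original lost the parentheses around -perm (unescaped) and kept only
  # the result of the last partition.
  while read -r part; do
    parts+=("$part")
  done < <(grep -v '^#' /etc/fstab | awk 'NF >= 6 && $6 != "0" {print $2}')
  found=''
  if (( ${#parts[@]} > 0 )); then
    found=$(find "${parts[@]}" -xdev -type f \( -perm -04000 -o -perm -02000 \) -print 2>/dev/null)
  fi
  if [ -z "$found" ]; then
    log "返回值为空,符合规范"
  else
    log "返回值不为空,不符合规范"
    log "$found"
  fi
  sep

  log "[18]检查是否存在异常隐含文件"
  # names like ".. " or "..." hide a directory in a casual listing; /proc and
  # /sys are pruned because they hold no real files. The original tested an
  # unrelated variable and so always reported a finding.
  found=$(find / \( -path /proc -o -path /sys \) -prune -o \
            \( -name '.. *' -o -name '...*' \) -print 2>/dev/null | cat -v)
  if [ -n "$found" ]; then
    log "隐藏文件有${found}"
  else
    log "没有隐藏文件"
  fi
  sep
}

#######################################
# 网络通信配置 (3 items)
#######################################
check_network() {
  local port
  log "----**网络通信配置**----"

  log "[1]检查是否对基本网络服务进行配置"
  if [ -d /etc/xinetd.d ]; then
    log "/etc/xinetd.d目录中的包含的基本的网络服务的配置文件为$(ls -l /etc/xinetd.d)"
  else
    log "未找到/etc/xinetd.d目录"
  fi
  sep

  log "[2]检查是否开启NFS服务"
  # is-active exits 0 only while the unit is running (the original compared
  # $? twice, the second time against the status of the first test)
  if systemctl is-active nfs >/dev/null 2>&1; then
    log "已开启nfs服务"
  else
    log "未开启nfs服务"
  fi
  sep

  log "[3]检查常规网络服务是否运行正常"
  # the original only probed the other ports when 80 answered and reported
  # "telnet missing" otherwise
  for port in 80 25 110 143 443 21; do
    if port_open localhost "$port"; then
      log "${port}服务正常运行"
    else
      log "${port}端口未开放"
    fi
  done
  sep
}

main() {
  check_log_audit
  check_system_files
  check_user_accounts
  check_network
  printf '检查完成,结果见 %s\n' "$out_file"
}

main "$@"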