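#!/bin/bash
# File Name: system_safe_check.sh
# Version: V1.0
# Author: sanshi
# Organization: https://9133w.cn/sources/
# Created Time : 2022-04-08 20:59:53
# Description: Security-baseline checker for CentOS/RHEL hosts. Every check
#   prints one coloured line (green = compliant, yellow/red = not) to the
#   terminal and appends it to $result_file; tag_nice/tag_bad count the
#   outcomes and feed the health percentage printed at the end.
#   Must run as root: it reads /etc/shadow and the PAM configuration.
#################################################################
RED="\033[31m"        # FAIL
GREEN="\033[32m"      # PASS
YELLOW="\033[33m"     # WARN (counted like FAIL)
PURPLE="\033[35m"     # section headings and summary
COLOURLESS="\033[0m"  # reset
#################################################################
# Test the effective UID rather than $USER: $USER is often unset under cron or
# `su`, and `[ $USER != root ]` then errors out and lets the script continue
# without privileges. A failed precondition exits non-zero so callers notice.
if [ "$(id -u)" -ne 0 ]; then
  echo "root permit need." >&2
  exit 1
fi
# The original had a bare `set` here, which dumps every shell variable and
# function to stdout; it served no purpose and was removed.
tag_nice=0
tag_bad=0
# Report file. Writing a fixed, predictable /tmp path as root follows any
# symlink a local user pre-created there; mktemp gives a fresh root-owned,
# mode-0600 file instead (the report lists the host's weak spots, so it should
# not be world-readable). The summary prints the path, so it is easy to find.
result_file=$(mktemp /tmp/safety.XXXXXX) || { echo "cannot create report file in /tmp" >&2; exit 1; }

#######################################
# Print a message in the given colour and append it to $result_file.
# Arguments: $1 - ANSI colour sequence; $2.. - message words
# Globals:   COLOURLESS, result_file (read)
#######################################
colour_e() {
  local colour=$1
  shift
  printf '%b%s%b\n' "$colour" "$*" "$COLOURLESS" | tee -a "$result_file"
}

# red_e / yellow_e: non-compliant finding, counted in tag_bad.
# green_e: compliant finding, counted in tag_nice.
# purple_e: heading or summary text, not counted.
# Counters are bumped with an assignment rather than ((x++)): the latter
# returns 1 when the old value was 0, which made the first `cond && green_e
# || red_e` chain in the script run both branches.
red_e() {
  colour_e "$RED" "$@"
  tag_bad=$((tag_bad + 1))
}
green_e() {
  colour_e "$GREEN" "$@"
  tag_nice=$((tag_nice + 1))
}
yellow_e() {
  colour_e "$YELLOW" "$@"
  tag_bad=$((tag_bad + 1))
}
purple_e() {
  colour_e "$PURPLE" "$@"
}

#######################################
# 获取服务器系统类型 — detect distribution family and major version.
# Globals (written): os_type   - 'CentOS', 'RHEL', or '' when unrecognised
#                    systemnum - first digit of the release string (major version)
#                    arch      - "major.minor" captured from the release string
#                                (not used by the checks below; kept for compatibility)
# Only /etc/redhat-release is consulted, so on other distributions os_type
# stays empty and the version-specific checks fall back to their defaults.
# NOTE(review): the checks below only handle major versions 5-8.
#######################################
get_os_type() {
  os_type=''
  systemnum=''
  arch=''
  [ -f /etc/redhat-release ] || return 0
  grep -qi centos /etc/redhat-release && os_type='CentOS'
  # -q on the second grep: the original printed the matching line to stdout
  grep -i red /etc/redhat-release | grep -qi hat && os_type='RHEL'
  systemnum=$(grep -o '[0-9]' /etc/redhat-release | head -1)
  arch=$(sed 's/.*release \([0-9].[0-9]\).*/\1/g' /etc/redhat-release)
}
get_os_type
################################################################
# English locale so that the text parsed from stat/systemctl/etc. is stable.
export LANG="en_US.UTF-8"
day=$(date +%Y%m%d)   # not used by the checks; kept for compatibility
################################################################
# 密码安全策略 — password ageing policy from /etc/login.defs
purple_e "--密码安全策略--"
echo '--------------------'
de_1="密码最长使用天数............."
de_2="密码最短使用天数............."
de_3="密码设置最短长度............."
de_4="密码到期前警告天............."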
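#######################################
# Read the value of one key from /etc/login.defs.
# Arguments: $1 - key name, matched as the whole first field (the original
#                 substring grep also picked up commented lines and any other
#                 key containing the name, yielding several values at once)
# Outputs:   first value found, or nothing when the key is absent
#######################################
login_def() {
  awk -v key="$1" '$1 == key { print $2; exit }' /etc/login.defs 2>/dev/null
}

# 密码最长使用天数: <=90 good, 91..180 warn, >180 bad (shadow-utils default 99999).
PASS_MAX_DAYS=$(login_def PASS_MAX_DAYS)
: "${PASS_MAX_DAYS:=0}"
if [ "$PASS_MAX_DAYS" -le 90 ]; then
  green_e "$de_1:$PASS_MAX_DAYS"
elif [ "$PASS_MAX_DAYS" -le 180 ]; then
  yellow_e "$de_1:$PASS_MAX_DAYS"
else
  red_e "$de_1:$PASS_MAX_DAYS"
fi

# 密码最短使用天数: at least one day between password changes.
PASS_MIN_DAYS=$(login_def PASS_MIN_DAYS)
: "${PASS_MIN_DAYS:=0}"
if [ "$PASS_MIN_DAYS" -ge 1 ]; then
  green_e "$de_2:$PASS_MIN_DAYS"
else
  yellow_e "$de_2:$PASS_MIN_DAYS"
fi

# 密码设置最短长度: >= 8.
# NOTE(review): login.defs PASS_MIN_LEN is ignored when pam_cracklib or
# pam_pwquality handles passwords; the effective minimum is the minlen
# checked in the next section. Confirm which applies on the audited hosts.
PASS_MIN_LEN=$(login_def PASS_MIN_LEN)
: "${PASS_MIN_LEN:=0}"
if [ "$PASS_MIN_LEN" -ge 8 ]; then
  green_e "$de_3:$PASS_MIN_LEN"
else
  red_e "$de_3:$PASS_MIN_LEN"
fi

# 密码到期前警告天: >=7 good, 1..6 warn, 0 (no warning) bad.
PASS_WARN_AGE=$(login_def PASS_WARN_AGE)
: "${PASS_WARN_AGE:=0}"
if [ "$PASS_WARN_AGE" -ge 7 ]; then
  green_e "$de_4:$PASS_WARN_AGE"
elif [ "$PASS_WARN_AGE" -ge 1 ]; then
  yellow_e "$de_4:$PASS_WARN_AGE"
else
  red_e "$de_4:$PASS_WARN_AGE"
fi
#
## 密码复杂度策略 — password complexity (pam_cracklib / pam_pwquality)
echo
purple_e "--密码复杂度策略--"
echo '--------------------'
de_5="用户密码至少包含一个数字....."
de_6="用户密码至少包含一个小写....."
de_7="用户密码至少包含一个大写....."
de_8="用户密码至少包含一个特殊....."
de_9="用户密码最短长度不能超过....."
de_10="用户密码修改可尝试错误次....."
de_11="前后两次密码至少不同位数....."
de_12="用户密码是否适用root用户....."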
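#######################################
# Read one option of the active password-quality module from
# /etc/pam.d/system-auth, ignoring commented lines.
# Arguments: $1 - module file name (pam_cracklib.so or pam_pwquality.so)
#            $2 - option name
#            $3 - separator to split on; defaults to "$2=". The *credit options
#                 pass "$2=-": only a negative credit means "at least N
#                 characters of this class", so a positive value is no policy.
# Outputs:   the first whitespace-delimited token after the separator
#######################################
pam_pw_opt() {
  local module=$1 opt=$2 sep=${3:-"$2="}
  grep -Ev '^\s*#' /etc/pam.d/system-auth 2>/dev/null \
    | grep "$module" | grep "$opt" \
    | awk -F"$sep" '{print $2}' | awk '{print $1}'
}

pam_pwquality=''
pam_cracklib=''
pw_module=''
case $os_type in
  CentOS|RHEL)
    case $systemnum in
      5|6|7|8)
        # Uncommented "password" lines naming a quality module. The original
        # pattern "^(s*)#" lacked the backslash of \s, so indented comment
        # lines were still treated as active configuration.
        pam_pwquality=$(grep -Ev '^\s*#' /etc/pam.d/system-auth | grep password | grep pam_pwquality.so)
        pam_cracklib=$(grep -Ev '^\s*#' /etc/pam.d/system-auth | grep password | grep pam_cracklib.so)
        if [ -n "$pam_cracklib" ]; then
          pw_module=pam_cracklib.so
        elif [ -n "$pam_pwquality" ]; then
          pw_module=pam_pwquality.so
        fi
        ;;
    esac
    ;;
esac
if [ -n "$pw_module" ]; then
  dcredit=$(pam_pw_opt "$pw_module" dcredit 'dcredit=-')
  lcredit=$(pam_pw_opt "$pw_module" lcredit 'lcredit=-')
  ucredit=$(pam_pw_opt "$pw_module" ucredit 'ucredit=-')
  ocredit=$(pam_pw_opt "$pw_module" ocredit 'ocredit=-')
  retry=$(pam_pw_opt "$pw_module" retry)
  minlen=$(pam_pw_opt "$pw_module" minlen)
  difok=$(pam_pw_opt "$pw_module" difok)
  # -c: the original stored the whole matching line, and the later
  # `[ $enforce_for_root -eq 1 ]` failed with "integer expression expected",
  # so a host that *does* enforce the policy for root was reported red.
  enforce_for_root=$(grep -Ev '^\s*#' /etc/pam.d/system-auth | grep "$pw_module" | grep -c enforce_for_root)
fi
# NOTE(review): on RHEL/CentOS 7+ pam_pwquality normally takes its settings
# from /etc/security/pwquality.conf; only arguments on the system-auth line
# are read here, so values configured in that file show up as 0 below.
: "${dcredit:=0}"
: "${lcredit:=0}"
: "${ucredit:=0}"
: "${ocredit:=0}"
: "${retry:=0}"
: "${minlen:=0}"
: "${difok:=0}"
: "${enforce_for_root:=0}"
if [ "$dcredit" -ge 1 ] 2>/dev/null; then green_e "$de_5:$dcredit"; else red_e "$de_5:$dcredit"; fi
if [ "$lcredit" -ge 1 ] 2>/dev/null; then green_e "$de_6:$lcredit"; else red_e "$de_6:$lcredit"; fi
if [ "$ucredit" -ge 1 ] 2>/dev/null; then green_e "$de_7:$ucredit"; else red_e "$de_7:$ucredit"; fi
if [ "$ocredit" -ge 1 ] 2>/dev/null; then green_e "$de_8:$ocredit"; else red_e "$de_8:$ocredit"; fi
if [ "$minlen" -ge 8 ] 2>/dev/null; then green_e "$de_9:$minlen"; else red_e "$de_9:$minlen"; fi
if [ "$retry" -ge 3 ] 2>/dev/null; then green_e "$de_10:$retry"; else red_e "$de_10:$retry"; fi
if [ "$difok" -ge 3 ] 2>/dev/null; then green_e "$de_11:$difok"; else red_e "$de_11:$difok"; fi
if [ "$enforce_for_root" -eq 1 ] 2>/dev/null; then green_e "$de_12:$enforce_for_root"; else red_e "$de_12:$enforce_for_root"; fi
# 系统安全设置 — login lockout, su restriction, umask, banners, ...
echo
purple_e "--系统安全设置--"
echo '--------------------'
de_13="连续错误登陆的最大次数......."
de_14="普通用户锁定后解锁时间......."
de_15="root用户锁定后解锁时间......."
de_16="用户锁定是否也包括root......."
de_17="记..住..密..码..次..数......."
de_18="系统内是否有空口令账号......."
de_19="i.d为0的非root用户个数......."
de_20="配置wheel组用户.su切换......."
de_21="普通用户umask值.预设置......."
de_22="系统配置登录超时设置值......."
de_23="不要记录空用户登录信息......."
de_24="配置用户的密码尝试次数......."
de_25="记录用户上次登录的时间......."
de_35="系统已禁用ctrl+alt+del......."
de_36="禁止普通用户重起服务器......."
de_37="是否禁止.usb使用的权限......."
de_45="NTPD时间服务的当前状态......."
de_46="NTPD时间服务器地址配置......."
de_84="系统中是否存在异常用户......."
de_85="系统中是否存在异常组........."
de_86="有shell权限的非root用户......"
de_87="/etc/passwd等的ACL权限......."
de_88="字符界面登录界面告警信息....."
de_89="/etc/{issue,.net}是否存在...."
de_90="禁止系统生成tty3到tty6控制台."
de_91="grub界面超时时间设置........."
de_125="root用户TTY登录权限.........."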
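#######################################
# Emit one check result: green when the test "[ args ]" succeeds, otherwise
# the given severity. Test errors (non-numeric values such as "NULL" or
# "unlimited") count as failures instead of printing "integer expression
# expected" on the terminal.
# Arguments: $1 - severity on failure (red|yellow); $2 - message;
#            $3.. - arguments for the [ ] test
#######################################
verdict() {
  local sev=$1 msg=$2
  shift 2
  if [ "$@" ] 2>/dev/null; then
    green_e "$msg"
  else
    "${sev}_e" "$msg"
  fi
}

#######################################
# Return 0 when a service is running under this release's init system
# (SysV `service` on 5/6, systemd on 7/8); unknown release -> 1.
# Arguments: $1 - service name (without .service)
#######################################
svc_active() {
  case $systemnum in
    5|6) service "$1" status &>/dev/null ;;
    7|8) systemctl is-active --quiet "${1}.service" ;;
    *) return 1 ;;
  esac
}

#######################################
# Read a pam_tally2 option from an uncommented line of a PAM stack file.
# Arguments: $1 - file under /etc/pam.d; $2 - option name
# Outputs:   the first value found, or nothing.
# The option is matched at a whitespace boundary: the original split on
# "unlock_time=" and therefore returned root_unlock_time's value when that
# option came first on the line.
#######################################
tally_opt() {
  grep pam_tally2.so "/etc/pam.d/$1" 2>/dev/null | grep -Ev '^\s*#' \
    | grep -Eo "(^|[[:space:]])$2=[^[:space:]]+" | head -n 1 | awk -F= '{print $2}'
}

# 连续错误登陆 / 解锁时间 — pam_tally2 in system-auth, falling back to
# /etc/pam.d/login for deny and unlock_time, as in the original.
# NOTE(review): RHEL 8 ships pam_faillock instead of pam_tally2; hosts using
# faillock are reported as unconfigured (0) here.
deny_time=''
unlocktime=''
root_unlocktime=''
even_deny_root=''
case $os_type in
  CentOS|RHEL)
    case $systemnum in
      5|6|7|8)
        deny_time=$(tally_opt system-auth deny)
        unlocktime=$(tally_opt system-auth unlock_time)
        root_unlocktime=$(tally_opt system-auth root_unlock_time)
        even_deny_root=$(grep auth /etc/pam.d/system-auth | grep pam_tally2.so | grep -c even_deny_root)
        [ -n "$deny_time" ] || deny_time=$(tally_opt login deny)
        [ -n "$unlocktime" ] || unlocktime=$(tally_opt login unlock_time)
        ;;
    esac
    ;;
esac
: "${deny_time:=0}"
: "${unlocktime:=0}"
: "${root_unlocktime:=0}"
: "${even_deny_root:=0}"
verdict yellow "$de_13:$deny_time" "$deny_time" -eq 6
verdict yellow "$de_14:$unlocktime" "$unlocktime" -eq 300
verdict yellow "$de_15:$root_unlocktime" "$root_unlocktime" -eq 300
verdict yellow "$de_16:$even_deny_root" "$even_deny_root" -eq 1

# 检查密码次数设置 — pam_unix remember= (password history depth)
rem_time=''
case $os_type in
  CentOS|RHEL)
    case $systemnum in
      5|6|7|8)
        rem_time=$(grep -v '^#' /etc/pam.d/system-auth | grep password | grep pam_unix.so \
          | grep remember | awk -F'remember=' '{print $2}' | awk '{print $1}')
        ;;
    esac
    ;;
esac
: "${rem_time:=0}"
verdict yellow "$de_17:$rem_time" "$rem_time" -eq 5

# 检查是否存在空口令账号 — accounts whose shadow password field is empty.
# The original compared the field with "!!", which marks an account that is
# locked or never had a password set; such accounts cannot authenticate with
# a password at all. The dangerous case is an *empty* field: login with no
# password. Locked markers ("!", "!!", "*") are deliberately not counted.
emptypasswd=$(awk -F: '$2 == "" { print $1 }' /etc/shadow 2>/dev/null | wc -l)
verdict yellow "$de_18:$emptypasswd" "$emptypasswd" -eq 0

# 检查系统中是否存在其它id为0的用户 — exact name test; the original
# `grep -v root` also hid any UID-0 account whose line merely contains "root".
uid0=$(awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd | wc -l)
verdict red "$de_19:$uid0" "$uid0" -eq 0

# 使用PAM认证模块禁止wheel组之外的用户su到root
# NOTE(review): the baseline requires both use_uid and root_only on the
# pam_wheel line; the stricter "auth required pam_wheel.so use_uid" alone is
# reported red. Confirm that this is intended.
su_wheel=$(grep -v '^#' /etc/pam.d/su | grep auth | grep pam_wheel.so | grep use_uid | grep -c root_only)
verdict red "$de_20:$su_wheel" "$su_wheel" -eq 1

# 用户umask值设置 — first uncommented umask line in /etc/profile.
# The original default line read `: {$umask_v:=022}` (misplaced brace), so the
# fallback never applied and a missing value produced a test error.
umask_v=$(grep -Ev '^\s*#' /etc/profile | grep -i umask | sed -n '1p' | awk '{print $2}')
: "${umask_v:=022}"
# NOTE(review): 002 is the first umask in the stock CentOS /etc/profile (the
# UID>199 branch); it is looser than 022/027 and may deserve a second look.
verdict red "$de_21:$umask_v" "$umask_v" = "002"

# 远程连接的超时时间(s) — TMOUT in /etc/profile
tmout=$(grep -v '^#' /etc/profile | grep -i TMOUT | grep -Eo '[0-9].*' | head -n 1)
: "${tmout:=0}"
verdict yellow "$de_22:$tmout" "$tmout" -eq 300

# 系统登陆安全设置 — /etc/login.defs, key matched as the whole first field
LOG_UNKFAIL_ENAB=$(awk '$1 == "LOG_UNKFAIL_ENAB" { print $2; exit }' /etc/login.defs)
LOGIN_RETRIES=$(awk '$1 == "LOGIN_RETRIES" { print $2; exit }' /etc/login.defs)
LASTLOG_ENAB=$(awk '$1 == "LASTLOG_ENAB" { print $2; exit }' /etc/login.defs)
: "${LOG_UNKFAIL_ENAB:=NULL}"
: "${LOGIN_RETRIES:=0}"
: "${LASTLOG_ENAB:=NULL}"
verdict red "$de_23:$LOG_UNKFAIL_ENAB" "$LOG_UNKFAIL_ENAB" = "yes"
verdict red "$de_24:$LOGIN_RETRIES" "$LOGIN_RETRIES" -eq 6
verdict red "$de_25:$LASTLOG_ENAB" "$LASTLOG_ENAB" = "yes"

# 是否禁用ctrl+alt+del — 1 = key combination still active
CTRL_ALT_DEL=''
case $os_type in
  CentOS|RHEL)
    case $systemnum in
      6)
        ctrl_alt_del=$([ -f /etc/init/control-alt-delete.conf ] \
          && grep -v '^#' /etc/init/control-alt-delete.conf | grep 'control-alt-delete')
        if [ -n "$ctrl_alt_del" ]; then CTRL_ALT_DEL=1; else CTRL_ALT_DEL=0; fi
        ;;
      5)
        ctrl_alt_del=$(grep -v '^#' /etc/inittab | grep ctrlaltdel)
        if [ -n "$ctrl_alt_del" ]; then CTRL_ALT_DEL=1; else CTRL_ALT_DEL=0; fi
        ;;
      7|8)
        # The unit /usr/lib/systemd/system/ctrl-alt-del.target always exists, so
        # listing it (as the original did, with stderr sent to a misspelt
        # "/dev/nul") always reported the key as enabled. Disabling is done by
        # masking; `systemctl mask` links the unit in /etc to /dev/null.
        if [ "$(readlink /etc/systemd/system/ctrl-alt-del.target 2>/dev/null)" = "/dev/null" ]; then
          CTRL_ALT_DEL=0
        else
          CTRL_ALT_DEL=1
        fi
        ;;
    esac
    ;;
esac
: "${CTRL_ALT_DEL:=1}"
verdict yellow "$de_35:$CTRL_ALT_DEL" "$CTRL_ALT_DEL" -eq 0

# 是否禁用usb存储设备 — usb-storage neutralised via modprobe "install ... /bin/true".
# The original looked for "/bin/ture" (typo), so BAN_USB was always 0 and the
# check could never detect anything; it also scored 0 (no blacklist) as the
# compliant state. The label asks whether USB storage is forbidden, so a
# present blacklist (1) is compliant here.
BAN_USB=0
if [ -f /etc/modprobe.d/usb-storage.conf ] \
  && grep -Eq 'install[[:space:]]+usb-storage[[:space:]]+/bin/(true|false)' /etc/modprobe.d/usb-storage.conf; then
  BAN_USB=1
fi
verdict yellow "$de_37:$BAN_USB" "$BAN_USB" -eq 1

# 是否禁止普通用户重起服务器权限 — /usr/bin/consolehelper mode 744
# (0 = restricted, 1 = other mode, 2 = helper not present / unknown OS).
# NOTE(review): on systemd releases reboot rights are governed by polkit, which
# this check does not look at.
BAN_REBOOT=2
case $os_type in
  CentOS|RHEL)
    if [ -f /usr/bin/consolehelper ]; then
      permission_consolehelper=$(stat /usr/bin/consolehelper | grep 'Access' | head -n 1 | awk '{print $2}' | cut -c 3-5)
      if [ "$permission_consolehelper" = "744" ]; then BAN_REBOOT=0; else BAN_REBOOT=1; fi
    fi
    ;;
esac
verdict red "$de_36:$BAN_REBOOT" "$BAN_REBOOT" -eq 0

## 检查ntp服务是否正常 — ntpd (any release) or chronyd (7/8) running
NTPD_STATUS=0
if command -v ntpq >/dev/null 2>&1 && svc_active ntpd; then
  NTPD_STATUS=1
fi
if command -v chronyc >/dev/null 2>&1; then
  case $systemnum in
    7|8) systemctl is-active --quiet chronyd.service && NTPD_STATUS=1 ;;
  esac
fi
verdict yellow "$de_45:$NTPD_STATUS" "$NTPD_STATUS" -eq 1

# 检查ntpd服务器设置 — configured "server" lines, excluding the public pool
# and the local clock. chrony.conf is only read when ntp.conf is absent.
# NOTE(review): chrony "pool" directives are not counted.
ntp_conf=''
if [ -f /etc/ntp.conf ]; then
  ntp_conf=/etc/ntp.conf
elif [ -f /etc/chrony.conf ]; then
  ntp_conf=/etc/chrony.conf
fi
ntp_servers=''
if [ -n "$ntp_conf" ]; then
  ntp_servers=$(grep -Ev '^\s*#' "$ntp_conf" 2>/dev/null | grep -v '^$' | grep '^server' \
    | grep -Ev 'pool\.ntp\.org|127\.127\.1\.0' | awk '{print $2}' | tr '\n' ';' | sed 's/;$//')
fi
: "${ntp_servers:=null}"
verdict red "$de_46:$ntp_servers" "$ntp_servers" != "null"

# 检查是否有以下账号games、uucp、lp、ftp、news、rpcuser、mail — whole-name
# match (-x); the original substring match also counted e.g. "sftpuser".
user_check=$(grep -v '^#' /etc/passwd | awk -F: '{print $1}' | grep -Ecx 'games|uucp|lp|ftp|news|rpcuser|mail')
verdict red "$de_84:$user_check" "$user_check" -eq 0

# 检查是否有以下组lp、mail、news、uucp、games、ftp、floppy、mailnull
GROUP_CHECK=$(grep -v '^#' /etc/group | awk -F: '{print $1}' | grep -Ecx 'lp|mail|news|uucp|games|ftp|floppy|mailnull')
verdict red "$de_85:$GROUP_CHECK" "$GROUP_CHECK" -eq 0

# 检查包含shell权限的非root账号 — login-shell field of every account except root.
# The original `grep -v root` dropped any line containing "root" anywhere.
# NOTE(review): only bin/bash is counted, as before; other login shells are not.
bash_user=$(awk -F: '$1 != "root" && $7 ~ /bin\/bash/' /etc/passwd | wc -l)
verdict yellow "$de_86:$bash_user" "$bash_user" -eq 0

# 检查以下文件是否配置acl权限 — a "+" after the mode string means an ACL is set
user_acl=$(ls -l /etc/passwd /etc/group /etc/shadow 2>/dev/null | awk '$1 ~ /\+$/' | wc -l)
verdict red "$de_87:$user_acl" "$user_acl" -eq 0

# 用户字符界面登录后,系统显示业务使用警告信息 — /etc/motd mentions authorization and monitoring
if grep 'authorization' /etc/motd 2>/dev/null | grep -q 'monitor'; then
  WARN_MESG=1
else
  WARN_MESG=0
fi
verdict yellow "$de_88:$WARN_MESG" "$WARN_MESG" -eq 1

# 删除多余提示信息文件 /etc/issue和/etc/issue.net
if [ -f /etc/issue ] || [ -f /etc/issue.net ]; then DEL_MESG_FILE=1; else DEL_MESG_FILE=0; fi
verdict yellow "$de_89:$DEL_MESG_FILE" "$DEL_MESG_FILE" -eq 0

# 禁止系统生成tty3到tty6控制台 — running mingetty instances (CentOS 5/6).
# Pattern quoted: unquoted tty[3-6] was a glob that could expand against the
# current directory. NOTE(review): systemd releases spawn getty@ttyN instead,
# so this is always 0 there.
TTY_SET=$(ps aux | grep '/sbin/mingetty' | grep -v grep | grep -c 'tty[3-6]')
verdict red "$de_90:$TTY_SET" "$TTY_SET" -eq 0

# grub超时设置 — GRUB_TIMEOUT anchored so GRUB_TIMEOUT_STYLE is not also
# matched; quotes stripped so GRUB_TIMEOUT="5" still compares as a number.
grub_time=''
case $systemnum in
  5|6) grub_time=$(grep -v '^#' /etc/grub.conf 2>/dev/null | grep timeout | awk -F'=' '{print $2}') ;;
  7|8) grub_time=$(grep -i '^GRUB_TIMEOUT=' /etc/default/grub 2>/dev/null | awk -F= '{print $2}' | tr -d '"') ;;
esac
: "${grub_time:=0}"
verdict yellow "$de_91:$grub_time" "$grub_time" -eq 0

# 是否允许root登录tty — any tty listed in /etc/securetty
root_tty=$(grep -Ev '^\s*#' /etc/securetty 2>/dev/null | grep -v '^$' | grep tty)
if [ -n "$root_tty" ]; then ROOT_TTY=1; else ROOT_TTY=0; fi
verdict yellow "$de_125:$ROOT_TTY" "$ROOT_TTY" -eq 0

# 系统资源限制设置 — wildcard ("*") entries in /etc/security/limits.conf
echo
purple_e "--系统资源限制设置--"
echo '--------------------'
de_26="应用程序转储文件最大值(硬)..."
de_27="应用程序转储文件最大值(软)..."
de_28="单程序打开最大文件句柄数(硬)."
de_29="单程序打开最大文件句柄数(软)."
de_30="单个程序创建最大线程数(硬)..."
de_31="单个程序创建最大线程数(软)..."

#######################################
# Value of a "* <type> <item> <value>" line in /etc/security/limits.conf.
# Arguments: $1 - hard|soft; $2 - item (core, nofile, nproc)
# Outputs:   the last matching value (later lines override earlier ones), or
#            nothing. Comment lines start with "#" and never match "*".
#######################################
limit_value() {
  awk -v t="$1" -v i="$2" '$1 == "*" && $2 == t && $3 == i { v = $4 } END { if (v != "") print v }' \
    /etc/security/limits.conf 2>/dev/null
}
hard_core=$(limit_value hard core)
soft_core=$(limit_value soft core)
hard_nofile=$(limit_value hard nofile)
soft_nofile=$(limit_value soft nofile)
hard_nproc=$(limit_value hard nproc)
soft_nproc=$(limit_value soft nproc)
: "${hard_core:=0}"
: "${soft_core:=0}"
: "${hard_nofile:=0}"
: "${soft_nofile:=0}"
: "${hard_nproc:=0}"
: "${soft_nproc:=0}"
# "unlimited" is not numeric and therefore fails these tests, as before.
verdict yellow "$de_26:$hard_core" "$hard_core" -ge 102400
verdict yellow "$de_27:$soft_core" "$soft_core" -ge 102400 -a "$soft_core" -le "$hard_core"
verdict yellow "$de_28:$hard_nofile" "$hard_nofile" -ge 65535
verdict yellow "$de_29:$soft_nofile" "$soft_nofile" -ge 65535 -a "$soft_nofile" -le "$hard_nofile"
verdict yellow "$de_30:$hard_nproc" "$hard_nproc" -ge 4096
verdict yellow "$de_31:$soft_nproc" "$soft_nproc" -ge 4096 -a "$soft_nproc" -le "$hard_nproc"

# 历史命令设置 — shell history settings in /etc/profile
echo
purple_e "--历史命令设置--"
echo '--------------------'
de_32="历史命令输出记录数..........."
de_33="历史命令文件记录数..........."
de_34="历史命令时间戳设置..........."
# head -n 1: several matching lines used to yield a multi-word value that broke
# the numeric comparison.
HISTSIZE=$(grep -v '^#' /etc/profile | grep '^HISTSIZE=' | awk -F= '{print $2}' | head -n 1)
HISTFILESIZE=$(grep -v '^#' /etc/profile | grep 'HISTFILESIZE=' | awk -F= '{print $2}' | head -n 1)
HISTIMEFORMAT=$(grep -v '^#' /etc/profile | grep HISTTIMEFORMAT | grep 'export' | awk -F'"' '{print $2}' | head -n 1)
: "${HISTSIZE:=0}"
: "${HISTFILESIZE:=0}"
: "${HISTIMEFORMAT:=null}"
verdict yellow "$de_32:$HISTSIZE" "$HISTSIZE" -eq 1000
verdict yellow "$de_33:$HISTFILESIZE" "$HISTFILESIZE" -eq 5000
if [[ $HISTIMEFORMAT =~ "%F %T" ]]; then green_e "$de_34:$HISTIMEFORMAT"; else yellow_e "$de_34:$HISTIMEFORMAT"; fi

# 系统服务
echo
purple_e "--系统服务--"
echo '--------------------'
de_38="防火墙是否已开启............."
de_39="SELINUX.是否开启............."
de_40="是否禁止..telnet............."
de_41="r/syslog是否开启............."
de_92="服务状态检查:vsftpd.........."
de_93="服务状态检查:rlogin.........."
de_94="服务状态检查:rcp............."
de_95="服务状态检查:tftp............"
de_96="服务状态检查:imap............"
de_97="服务状态检查:cyrus..........."
de_98="服务状态检查:qpopper........."
de_99="服务状态检查:upower.........."
de_100="服务状态检查:avahi-daemon...."
de_101="服务状态检查:bluetooth......."
de_102="服务状态检查:cups............"
de_103="服务状态检查:cups-browsed...."
de_104="服务状态检查:dnsmasq........."
de_105="服务状态检查:firewalld......."
de_106="服务状态检查:ModemManager...."
de_107="服务状态检查:Sendmail........"
de_108="服务状态检查:postfix........."
de_109="服务状态检查:wpa_supplicant.."
de_110="服务状态检查:ypbind.........."
de_111="服务状态检查:xinetd.........."

# 防火墙使用情况 — iptables (5/6) or firewalld (7/8) running. Defaults to 0
# on an unrecognised release instead of leaving the variable unset.
# NOTE(review): a *stopped* host firewall is scored compliant here (0 = green).
# That fits a baseline where filtering is done by an external firewall, but
# is the opposite of CIS guidance; confirm the intended policy.
FIREWALL_STATUS=0
case $os_type in
  CentOS|RHEL)
    case $systemnum in
      5|6) service iptables status &>/dev/null && FIREWALL_STATUS=1 ;;
      7|8) systemctl is-active --quiet firewalld.service && FIREWALL_STATUS=1 ;;
    esac
    ;;
esac
verdict yellow "$de_38:$FIREWALL_STATUS" "$FIREWALL_STATUS" -eq 0

# SELINUX 是否已开启 — NOTE(review): as above, "Enforcing" is scored as a warning.
get_enforce=$(getenforce 2>/dev/null)
: "${get_enforce:=0}"
verdict yellow "$de_39:$get_enforce" "$get_enforce" != "Enforcing"

# 禁止telnet服务 — 1 = telnet reachable, 0 = present but disabled,
# 2 = not installed. 0 and 2 both mean telnet is not offered, so both are
# compliant (the original warned on 2, i.e. on every host without telnet-server).
TELNET_STATUS=2
case $os_type in
  CentOS|RHEL)
    case $systemnum in
      5|6)
        if chkconfig --list 2>/dev/null | grep -q telnet; then
          TELNET_STATUS=0
          # The original ran "service xinted status" (typo), which always
          # failed, so a telnet enabled through xinetd was reported as disabled.
          if service xinetd status &>/dev/null && [ -f /etc/xinetd.d/telnet ]; then
            disable=$(grep -v '^\s*#' /etc/xinetd.d/telnet | grep 'disable' | awk -F'=' '{print $2}' | sed 's/\s*//' 2>/dev/null)
            [ "$disable" = "no" ] && TELNET_STATUS=1
          fi
        fi
        ;;
      7|8)
        if systemctl list-unit-files --no-pager 2>/dev/null | grep -q telnet.socket; then
          if systemctl is-active --quiet telnet.socket; then TELNET_STATUS=1; else TELNET_STATUS=0; fi
        fi
        ;;
    esac
    ;;
esac
verdict yellow "$de_40:$TELNET_STATUS" "$TELNET_STATUS" -ne 1

# syslog/rsyslog是否开启 — syslog (5), rsyslog (6), systemd-journald (7/8).
# Defaults to 0 on an unrecognised release instead of leaving the variable unset.
SYSLOG_STATUS=0
case $systemnum in
  5)   service syslog status &>/dev/null && SYSLOG_STATUS=1 ;;
  6)   service rsyslog status &>/dev/null && SYSLOG_STATUS=1 ;;
  7|8) systemctl is-active --quiet systemd-journald.service && SYSLOG_STATUS=1 ;;
esac
verdict red "$de_41:$SYSLOG_STATUS" "$SYSLOG_STATUS" -eq 1

###############
#######################################
# Report whether an (unwanted) service is installed and running.
# Arguments: $1 - service name; $2 - label to print
# Globals:   systemnum (read)
# CHECK_SER is local: the original reused the global from the previous call,
# so a service that was merely absent inherited the "running" verdict of the
# service checked before it. Unit/service names are matched exactly instead
# of by substring (e.g. "cups" no longer matches cups-browsed).
#######################################
check_ser() {
  local ser_name=$1 tag_info=$2 CHECK_SER=0 listed=''
  case $systemnum in
    5|6) listed=$(chkconfig --list 2>/dev/null | awk -v s="$ser_name" '$1 == s') ;;
    7|8) listed=$(systemctl list-unit-files --no-pager 2>/dev/null | awk -v u="${ser_name}.service" '$1 == u') ;;
  esac
  if [ -n "$listed" ] && svc_active "$ser_name"; then
    CHECK_SER=1
  fi
  verdict yellow "$tag_info:$CHECK_SER" "$CHECK_SER" -eq 0
}
################
check_ser vsftpd "$de_92"
check_ser rlogin "$de_93"
check_ser rcp "$de_94"
check_ser tftp "$de_95"
check_ser imap "$de_96"
check_ser cyrus "$de_97"
check_ser qpopper "$de_98"
check_ser upower "$de_99"
check_ser avahi-daemon "$de_100"
check_ser bluetooth "$de_101"
check_ser cups "$de_102"
check_ser cups-browsed "$de_103"
check_ser dnsmasq "$de_104"
check_ser firewalld "$de_105"
check_ser ModemManager "$de_106"
check_ser Sendmail "$de_107"
check_ser postfix "$de_108"
check_ser wpa_supplicant "$de_109"
check_ser ypbind "$de_110"
check_ser xinetd "$de_111"

# 审计配置
echo
purple_e "--审计配置--"
echo '--------------------'
de_42="audit是否配置并开启.........."
de_43="log文件最大大小(MB).........."
de_44="audit.保持log的数量.........."
# audit是否配置并开启
AUDIT_STATUS=0
case $systemnum in
  7|8) systemctl is-active --quiet auditd.service && AUDIT_STATUS=1 ;;
  *)   service auditd status &>/dev/null && AUDIT_STATUS=1 ;;
esac
# auditd.conf holds "key = value"; keys are matched exactly so max_log_file
# does not also pick up max_log_file_action (the original relied on a
# trailing space in its grep pattern for that).
NUM_LOG=$(awk -F= '$1 ~ /^[[:space:]]*num_logs?[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' /etc/audit/auditd.conf 2>/dev/null)
MAX_LOG_FILE=$(awk -F= '$1 ~ /^[[:space:]]*max_log_file[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); print $2; exit }' /etc/audit/auditd.conf 2>/dev/null)
: "${MAX_LOG_FILE:=NULL}"
: "${NUM_LOG:=NULL}"
verdict red "$de_42:$AUDIT_STATUS" "$AUDIT_STATUS" -eq 1
verdict yellow "$de_44:$NUM_LOG" "$NUM_LOG" -ge 4
verdict yellow "$de_43:$MAX_LOG_FILE" "$MAX_LOG_FILE" -eq 50

# 重要文件权限
echo
purple_e "--重要文件权限--"
echo '--------------------'
de_47="/boot/grub/grub.conf........."
de_48="/etc/crontab................."
de_49="/etc/securetty..............."
de_50="/etc/hosts.allow............."
de_51="/etc/hosts.deny.............."
de_52="/etc/inittab................."
de_53="/etc/login.defs.............."
de_54="/etc/profile................."
de_55="/var/log/messages............"
de_56="/var/log/secure.............."
de_57="/var/log/maillog............."
de_58="/var/log/cron................"
de_59="/var/log/spooler............."
de_60="/var/log/boot.log............"
de_61="/etc/bashrc.................."
de_62="/etc/passwd.................."
de_112="SUID检查:/usr/bin/chage......"
de_113="SUID检查:/usr/bin/wall......."
de_114="SUID检查:/usr/bin/chfn......."
de_115="SUID检查:/usr/bin/chsh......."
de_116="SUID检查:/usr/bin/newgrp....."
de_117="SUID检查:/usr/bin/write......"
de_118="SUID检查:/bin/mount.........."
de_119="SUID检查:/bin/umount........."
de_120="SUID检查:/bin/ping..........."
de_121="/etc/init.d/目录下脚本......."
de_122="/etc/group..................."
de_123="/etc/shadow.................."
de_124="家目录下存在.netrc/.rhosts..."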
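## 检查重要文件权限
#######################################
# Permission bits of a path as three octal digits ("644"): the same digits the
# original cut out of "Access: (0644/-rw-r--r--)". stat -c is used so the
# result does not depend on the locale of stat's text output.
# Arguments: $1 - path
# Outputs:   the mode, or nothing (status 1) when the path does not exist
#######################################
file_mode() {
  local raw
  raw=$(stat -c '%a' -- "$1" 2>/dev/null) || return 1
  # %a omits leading zeros and includes set-id/sticky bits (e.g. 4755); keep
  # only the rwx digits, as the original did.
  printf '%03o' "$(( 0$raw & 0777 ))"
}

#######################################
# Compare a file's mode with its baseline value and report it.
# Arguments: $1 - label; $2 - path ('' when not applicable); $3 - expected mode
# A missing path is reported as 000, as before.
#######################################
check_mode() {
  local mode
  mode=$(file_mode "$2")
  : "${mode:=000}"
  if [ "$mode" = "$3" ]; then green_e "$1:$mode"; else red_e "$1:$mode"; fi
}

case $systemnum in
  5|6) grub_cfg=/boot/grub/grub.conf ;;
  7|8) grub_cfg=/boot/grub2/grub.cfg ;;
  *)   grub_cfg='' ;;
esac
# One table row per file replaces nineteen copies of the stat pipeline. The
# original /etc/shadow line printed $ETC_PASS (a copy-paste slip) on success.
# NOTE(review): stock RHEL/CentOS 7+ ships /etc/shadow as 000, which this
# baseline (600) marks red on an unmodified host; confirm the expected value.
check_mode "$de_47" "$grub_cfg" 600
check_mode "$de_48" /etc/crontab 400
check_mode "$de_49" /etc/securetty 400
check_mode "$de_51" /etc/hosts.deny 644
check_mode "$de_50" /etc/hosts.allow 644
check_mode "$de_52" /etc/inittab 600
check_mode "$de_53" /etc/login.defs 644
check_mode "$de_54" /etc/profile 644
check_mode "$de_55" /var/log/messages 600
check_mode "$de_56" /var/log/secure 600
check_mode "$de_57" /var/log/maillog 600
check_mode "$de_58" /var/log/cron 600
check_mode "$de_59" /var/log/spooler 600
check_mode "$de_60" /var/log/boot.log 600
check_mode "$de_62" /etc/passwd 644
check_mode "$de_122" /etc/group 644
check_mode "$de_123" /etc/shadow 600
check_mode "$de_61" /etc/bashrc 644
check_mode "$de_121" /etc/init.d/ 700
############
#######################################
# Report whether a binary carries a set-uid or set-gid bit (1 = yes -> red).
# Arguments: $1 - path; $2 - label
# The original grepped for an "s" in the ls -l mode string; -u/-g test the
# bits directly (and also catch a set-id bit without the execute bit).
#######################################
sudo_check() {
  local c_name=$1 info_n=$2 FILE_SUID=0
  if [ -f "$c_name" ] && { [ -u "$c_name" ] || [ -g "$c_name" ]; }; then
    FILE_SUID=1
  fi
  if [ "$FILE_SUID" -eq 0 ]; then green_e "$info_n:$FILE_SUID"; else red_e "$info_n:$FILE_SUID"; fi
}
############
sudo_check /usr/bin/chage "$de_112"
sudo_check /usr/bin/wall "$de_113"
sudo_check /usr/bin/chfn "$de_114"
sudo_check /usr/bin/chsh "$de_115"
sudo_check /usr/bin/newgrp "$de_116"
sudo_check /usr/bin/write "$de_117"
sudo_check /bin/mount "$de_118"
sudo_check /bin/umount "$de_119"
sudo_check /bin/ping "$de_120"
# 检查主目录下是否有以下文件.netrc和.rhosts — the name tests are grouped so
# -type f applies to both (without the parentheses "-o -name .rhosts" also
# matched directories of that name).
file_list=$(find /root/ /home/ -type f \( -name '.netrc' -o -name '.rhosts' \) 2>/dev/null)
if [ -n "$file_list" ]; then DEL_HOME_FILE=1; else DEL_HOME_FILE=0; fi
if [ "$DEL_HOME_FILE" -eq 0 ]; then green_e "$de_124:$DEL_HOME_FILE"; else red_e "$de_124:$DEL_HOME_FILE"; fi
# ssh配置
echo
purple_e "--ssh文件配置--"
echo '--------------------'
de_63="ssh端口是否22................"
de_64="ssh协议是否2................."
de_65="记录信息级别................."
de_66="最大重试次数................."
de_67="允许密码验证................."
de_68="RhostsRSAAuthentication功能.."
de_69="是否允许设置空密码..........."
de_70="登陆前检查用户文件和目录属性."
de_71="指定密码类型................."
de_72="指定MAC算法用于数据完整性保护"
de_73="是否对远程主机名反向解析....."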
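#######################################
# Value of an sshd_config keyword (first occurrence; keywords are compared
# case-insensitively, as sshd does). Commented lines never match because their
# first field starts with "#". The original grepped for the keyword anywhere
# on the line, so "Port" also returned GatewayPorts and "Protocol" could pick
# up several values, which broke the numeric tests below.
# NOTE(review): values inside "Match" blocks are not told apart from global ones.
# Arguments: $1 - keyword
#######################################
sshd_opt() {
  awk -v key="$1" 'tolower($1) == tolower(key) { print $2; exit }' /etc/ssh/sshd_config 2>/dev/null
}
ssh_Port=$(sshd_opt Port)
ssh_Protocol=$(sshd_opt Protocol)
ssh_loglevel=$(sshd_opt LogLevel)
ssh_maxauthtries=$(sshd_opt MaxAuthTries)
ssh_password=$(sshd_opt PasswordAuthentication)
ssh_rss=$(sshd_opt RhostsRSAAuthentication)
ssh_permitpwd=$(sshd_opt PermitEmptyPasswords)
ssh_strictmodes=$(sshd_opt StrictModes)
ssh_ciphers=$(sshd_opt Ciphers)
ssh_macs=$(sshd_opt MACs)
ssh_dns=$(sshd_opt UseDNS)
# Values assumed when a keyword is absent (as in the original).
: "${ssh_Port:=22}"
# NOTE(review): OpenSSH 7.4+ removed "Protocol" and only speaks SSH-2; an
# absent keyword is scored here as protocol 1 (a warning), which is a false
# alarm on those releases.
: "${ssh_Protocol:=1}"
: "${ssh_loglevel:=INFO}"
: "${ssh_maxauthtries:=6}"
: "${ssh_password:=no}"   # sshd's own default is yes; absent is scored as no (warning), as before
: "${ssh_rss:=no}"
: "${ssh_permitpwd:=no}"
: "${ssh_strictmodes:=yes}"
: "${ssh_ciphers:=any}"
: "${ssh_macs:=any}"
: "${ssh_dns:=yes}"
if [ "$ssh_Port" -ne 22 ] 2>/dev/null; then green_e "$de_63:$ssh_Port"; else yellow_e "$de_63:$ssh_Port"; fi
if [ "$ssh_Protocol" -eq 2 ] 2>/dev/null; then green_e "$de_64:$ssh_Protocol"; else yellow_e "$de_64:$ssh_Protocol"; fi
if [ "$ssh_loglevel" = "INFO" ]; then green_e "$de_65:$ssh_loglevel"; else yellow_e "$de_65:$ssh_loglevel"; fi
if [ "$ssh_maxauthtries" -eq 3 ] 2>/dev/null; then green_e "$de_66:$ssh_maxauthtries"; else yellow_e "$de_66:$ssh_maxauthtries"; fi
# NOTE(review): PasswordAuthentication=yes is scored compliant here; key-only
# authentication (no) is the usual hardening recommendation. Confirm the policy.
if [ "$ssh_password" = "yes" ]; then green_e "$de_67:$ssh_password"; else yellow_e "$de_67:$ssh_password"; fi
if [ "$ssh_rss" = "no" ]; then green_e "$de_68:$ssh_rss"; else yellow_e "$de_68:$ssh_rss"; fi
if [ "$ssh_permitpwd" = "no" ]; then green_e "$de_69:$ssh_permitpwd"; else yellow_e "$de_69:$ssh_permitpwd"; fi
if [ "$ssh_strictmodes" = "yes" ]; then green_e "$de_70:$ssh_strictmodes"; else yellow_e "$de_70:$ssh_strictmodes"; fi
# NOTE(review): the only cipher list accepted here is "3des-cbc", a legacy
# 64-bit-block CBC cipher that current OpenSSH disables by default; a modern
# list (aes*-gcm, chacha20-poly1305) is scored as a warning. Confirm the policy.
if [ "$ssh_ciphers" = "3des-cbc" ]; then green_e "$de_71:$ssh_ciphers"; else yellow_e "$de_71:$ssh_ciphers"; fi
if [ "$ssh_dns" = "no" ]; then green_e "$de_73:$ssh_dns"; else yellow_e "$de_73:$ssh_dns"; fi
# NOTE(review): requires both hmac-sha1 and hmac-md5 in MACs; hmac-md5 is a
# deprecated algorithm and a SHA-2 only list is scored as a warning here.
if [[ $ssh_macs =~ "hmac-sha1" && $ssh_macs =~ "hmac-md5" ]]; then green_e "$de_72:$ssh_macs"; else yellow_e "$de_72:$ssh_macs"; fi

# 内核参数配置 — live values from /proc/sys
echo
purple_e "--核参数配置--"
echo '--------------------'
de_74="主备IP地址切换控制机制......."
de_75="是否关闭路径MTU探测功能......"
de_76="是否接收重写过的数据包......."
de_77="默认是否接收重写过的数据包..."
de_78="允许发送重定向消息(router)."
de_79="只接受来自网关的重定向icmp包."
de_80="最大的syn包队列设置.........."
de_81="tcp.keepalive设置(时间:s)."
de_82="tcp.keepalive设置(次数)...."
de_83="tcp.keepalive设置(间隔:s)."

#######################################
# Current value of a /proc/sys key (path relative to /proc/sys), or nothing
# when the key does not exist on this kernel.
#######################################
sysctl_v() {
  cat "/proc/sys/$1" 2>/dev/null
}
#######################################
# Report a kernel parameter: green when it equals the expected value.
# Arguments: $1 - label; $2 - actual value; $3 - expected value
# A missing key (empty actual value) is reported as a warning instead of
# producing a test error on the terminal.
#######################################
kernel_check() {
  if [ -n "$2" ] && [ "$2" -eq "$3" ] 2>/dev/null; then green_e "$1:$2"; else yellow_e "$1:$2"; fi
}
promote_secondaries=$(sysctl_v net/ipv4/conf/all/promote_secondaries)
ip_no_pmtu_disc=$(sysctl_v net/ipv4/ip_no_pmtu_disc)
all_accept_redirects=$(sysctl_v net/ipv4/conf/all/accept_redirects)
default_accept_redirects=$(sysctl_v net/ipv4/conf/default/accept_redirects)
all_send_redirects=$(sysctl_v net/ipv4/conf/all/send_redirects)
all_secure_redirects=$(sysctl_v net/ipv4/conf/all/secure_redirects)
tcp_max_syn_backlog=$(sysctl_v net/ipv4/tcp_max_syn_backlog)
tcp_keepalive_time=$(sysctl_v net/ipv4/tcp_keepalive_time)
tcp_keepalive_probes=$(sysctl_v net/ipv4/tcp_keepalive_probes)
tcp_keepalive_intvl=$(sysctl_v net/ipv4/tcp_keepalive_intvl)
kernel_check "$de_74" "$promote_secondaries" 1
kernel_check "$de_75" "$ip_no_pmtu_disc" 1
kernel_check "$de_76" "$all_accept_redirects" 0
kernel_check "$de_77" "$default_accept_redirects" 0
kernel_check "$de_78" "$all_send_redirects" 0
kernel_check "$de_79" "$all_secure_redirects" 0
kernel_check "$de_80" "$tcp_max_syn_backlog" 4096
kernel_check "$de_81" "$tcp_keepalive_time" 150
kernel_check "$de_82" "$tcp_keepalive_probes" 5
kernel_check "$de_83" "$tcp_keepalive_intvl" 6

# Summary. The per-check lines are still in $result_file after the clear.
clear
sleep 1
echo | tee -a "$result_file"
echo '--------++--------安全基线-------++------------' | tee -a "$result_file"
echo | tee -a "$result_file"
# Health = compliant / total as a truncated integer percentage (the original
# computed a float with awk and chopped the decimals). Integer arithmetic
# removes the bc dependency and the divide-by-zero when nothing was counted.
total=$((tag_nice + tag_bad))
if [ "$total" -gt 0 ]; then
  health_per=$((tag_nice * 100 / total))
else
  health_per=0
fi
if [ "$health_per" -ge 80 ]; then
  purple_e "系统当前处于合格状态,健康度为: $health_per %."
elif [ "$health_per" -ge 50 ]; then
  purple_e "系统当前处于亚健康状态,健康度为: $health_per %,请注意关注."
else
  purple_e "系统当前处于危险状态,健康度低于: $health_per %,请抓紧优化."
fi
echo
purple_e "总检测指标数量为: $total"
purple_e "达标的指标数量为: $tag_nice"
purple_e "详细的结果请查看: $result_file "
echo | tee -a "$result_file"
echo '--------++--------安全基线-------++------------' | tee -a "$result_file"
echo
unset tag_nice tag_bad
# Exit status is always 0: findings are reported in the output and the report
# file, not signalled through the exit code.
exit 0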