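#!/bin/bash
#
# Linux baseline check for CentOS/RHEL 6 and 7 hosts.
#
# Runs a fixed list of read-only checks (pending updates, swap, required
# packages, timezone, empty passwords, extra UID 0 accounts, umask, immutable
# account files, sshd_config, firewall/ntpd/auditd state, unneeded services,
# open-file limits) and writes one line per result to $FILE_PATH.
#
# Run as root: /etc/shadow is not readable otherwise.
#
# `set -e` is deliberately not used: many probes (yum check-update, grep -c,
# service status) return non-zero as a normal answer.
set -u

cat <<'EOF'
******************************************************************************************
 linux基线查看脚本
******************************************************************************************
 输入后果/tmp/linux_security.txt
*************************************************************************************
EOF

readonly FILE_PATH="/tmp/linux_security.txt"

# Print a diagnostic on stderr and stop.
die() {
  printf '%s\n' "$*" >&2
  exit 1
}

# Append one line to the report.
report() {
  printf '%s\n' "$*" >>"$FILE_PATH"
}

# Append one line followed by an empty line (the layout `echo -e "... \n"` gave).
report_block() {
  printf '%s\n\n' "$*" >>"$FILE_PATH"
}

# Append "<label>:<YES|NO> " followed by an empty line.
#   $1 - label text, $2 - YES or NO
report_verdict() {
  report_block "$1:$2 "
}

# Create the report file and write the date stamp as its first line.
#
# The report has a fixed name in a world-writable directory and is written by
# root, so the path is never opened blindly: whatever sits there is removed
# (rm unlinks a symlink, it does not follow it) and the file is then created
# with noclobber, which makes the redirection fail rather than reuse a path
# that reappeared in between. umask 077 keeps the findings readable by the
# owner only; loosen it with chmod afterwards if other accounts must read it.
init_report() {
  rm -f -- "$FILE_PATH" || die "cannot remove existing $FILE_PATH"
  (
    umask 077
    set -o noclobber
    date +%Y%m%d >"$FILE_PATH"
  ) || die "cannot create $FILE_PATH safely, aborting"
}

# True when /etc/redhat-release names a release 6 system.
is_el6() {
  grep -q 'release 6' /etc/redhat-release
}

# Report whether a service is running.
#   $1 - report label
#   $2 - init script name under /etc/init.d (release 6)
#   $3 - systemd unit name (other releases)
service_status_check() {
  local label=$1 init_name=$2 unit=$3
  local running=NO
  if is_el6; then
    "/etc/init.d/${init_name}" status >/dev/null && running=YES
  else
    systemctl status "$unit" >/dev/null && running=YES
  fi
  report_verdict "$label" "$running"
}

# Pending system updates: more than one `yum check-update` line mentioning
# "updates" counts as a failure (same threshold as before).
system_update_check() {
  local num
  num=$(yum check-update | grep -c 'updates')
  if [ "$num" -gt 1 ]; then
    report_verdict "零碎更新是否通过" NO
  else
    report_verdict "零碎更新是否通过" YES
  fi
}

# Swap: missing, smaller than 1000 MB, or fine.
swap_check() {
  local swap_sizes
  swap_sizes=$(free -m | awk '/Swap/ {print $2}')
  if [[ -z "$swap_sizes" ]]; then
    report_block "没有swap零碎分区 "
  elif [ "$swap_sizes" -lt 1000 ]; then
    report_block "swap 分区设置过小 "
  else
    report_block "swap 分区查看:YES "
  fi
}

# Required packages. Each name prefix is checked on its own; counting the
# matches of one combined pattern let "man-db" plus "man-pages" stand in for a
# package that was actually missing.
soft_install_check() {
  local -a required=(sysstat man wget screen ntp)
  local installed pkg
  local missing=0
  installed=$(rpm -qa)
  for pkg in "${required[@]}"; do
    grep -q "^${pkg}-" <<<"$installed" || missing=$((missing + 1))
  done
  if [ "$missing" -gt 0 ]; then
    report_verdict "sysstat,man,wget,screen,ntp装置是否通过" NO
  else
    report_verdict "sysstat,man,wget,screen,ntp装置是否通过" YES
  fi
}

# Timezone, read from the /etc/localtime symlink target instead of a fixed
# column of `ls -l`, so one-component zones such as UTC are reported too.
# A regular-file /etc/localtime still yields the "please check" message.
clock_time_type() {
  local target
  local clock_type=""
  target=$(readlink /etc/localtime 2>/dev/null)
  if [[ "$target" == *zoneinfo/* ]]; then
    clock_type=${target##*zoneinfo/}
  fi
  if [[ -n "$clock_type" ]]; then
    report_block "零碎时区为:$clock_type "
  else
    report_block "请查看是否有设置时区 "
  fi
}

# Accounts with an empty password field in /etc/shadow.
# An unreadable shadow file is reported as NO: a check that could not run
# must not show up as passed.
passwd_check() {
  local num
  if [[ ! -r /etc/shadow ]]; then
    printf 'passwd_check: /etc/shadow is not readable, run as root\n' >&2
    report_verdict "空口令账号检测是否通过" NO
    return
  fi
  num=$(awk -F: '$2 == "" { n++ } END { print n + 0 }' /etc/shadow)
  if [ "$num" -gt 0 ]; then
    report_verdict "空口令账号检测是否通过" NO
  else
    report_verdict "空口令账号检测是否通过" YES
  fi
}

# Accounts other than root whose UID is 0 (also written as 00, 000, ...).
passwd_uid_check() {
  local num
  num=$(awk -F: '$3 ~ /^0+$/ && $1 != "root" { n++ } END { print n + 0 }' /etc/passwd)
  if [ "$num" -gt 0 ]; then
    report_verdict "非root账户UID检测是否通过" NO
  else
    report_verdict "非root账户UID检测是否通过" YES
  fi
}

# umask of the running shell and the one /etc/profile sets for UID > 199.
# NOTE(review): the pass values (0022 / 002) are kept as the script had them;
# hardening guides such as the CIS benchmarks ask for 027 or stricter, so
# confirm the target policy before relying on a YES here.
user_umask_check() {
  local root_umask user_umask
  root_umask=$(umask)
  user_umask=$(grep -A 1 '\$UID -gt 199' /etc/profile | awk '/umask/ {print $2}')
  if [[ "$root_umask" == "0022" && "$user_umask" == "002" ]]; then
    report_verdict "账户umask检测是否通过" YES
  else
    report_verdict "账户umask检测是否通过" NO
  fi
}

# /etc/passwd and /etc/shadow must carry the immutable attribute.
# Only the "i" flag is tested: the width and the other letters of lsattr
# output differ between filesystems and e2fsprogs versions, so comparing the
# whole string failed on hosts where the files were in fact immutable.
file_lsattr_check() {
  local -a files=(/etc/passwd /etc/shadow)
  local file attr
  local num=0
  for file in "${files[@]}"; do
    attr=$(lsattr "$file" 2>/dev/null | awk '{print $1}')
    if [[ "$attr" != *i* ]]; then
      num=$((num + 1))
    fi
  done
  if [ "$num" -eq 0 ]; then
    report_verdict "重要文件设置是否通过" YES
  else
    report_verdict "重要文件设置是否通过" NO
  fi
}

# sshd_config: print each checked keyword, the configured value(s) and the
# suggested value. The keyword is compared with the first word of the line,
# case-insensitively, so commented-out lines and longer keywords that merely
# contain the name are ignored; repeated keywords are joined with commas.
# Only explicit settings in this one file are shown (no Match/Include
# handling); `sshd -T` prints the effective configuration. Recent OpenSSH
# releases speak protocol 2 only, so an empty Protocol value is normal there.
ssh_config_check() {
  local -a check_items=(ListenAddress Protocol StrictModes MaxAuthTries MaxSessions PubkeyAuthentication PasswordAuthentication PermitEmptyPasswords X11Forwarding)
  local -a proposal_value=("参考理论状况" 2 yes 5 5 yes no no no)
  local i value
  report_block "查看sshd_config配置文件: "
  for i in "${!check_items[@]}"; do
    value=$(awk -v key="${check_items[i]}" '
      tolower($1) == tolower(key) { vals = (vals == "" ? $2 : vals "," $2) }
      END { print vals }
    ' /etc/ssh/sshd_config)
    report "${check_items[i]}:${value} 倡议值:${proposal_value[i]}"
  done
}

# Firewall service: iptables on release 6, firewalld otherwise.
firewall_check() {
  service_status_check "防火墙状态是否通过" iptables firewalld.service
}

# ntpd service. Hosts that keep time with chronyd are reported as NO.
ntp_check() {
  service_status_check "ntp状态是否通过" ntpd ntpd.service
}

# auditd service.
auditd_check() {
  service_status_check "auditd状态是否通过" auditd auditd.service
}

# Services that should not be enabled; YES means none of them is.
service_check() {
  local enabled_count
  report "查看零碎多余服务,centos6:acpid|ip6tables|netfs|postfix|udev-post"
  report "查看零碎多余服务,centos7:postfix.service tuned.service irqbalance.service"
  if is_el6; then
    enabled_count=$(chkconfig --list \
      | grep -E '3:on|3:启用' \
      | grep -Ec 'acpid|ip6tables|netfs|postfix|udev-post')
  else
    enabled_count=$(systemctl list-unit-files --type=service \
      | grep 'enabled' \
      | grep -Ec 'postfix.service|tuned.service|irqbalance.service')
  fi
  if [ "$enabled_count" -eq 0 ]; then
    report_verdict "零碎多余服务是否敞开" YES
  else
    report_verdict "零碎多余服务是否敞开" NO
  fi
}

# System-wide and per-process open-file limits (informational, no verdict).
file_check() {
  local system_file_limit user_file_limit
  system_file_limit=$(cat /proc/sys/fs/file-max)
  user_file_limit=$(ulimit -n)
  report "零碎关上数限度:$system_file_limit"
  report "用户过程关上数限度:$user_file_limit"
}

main() {
  init_report
  system_update_check
  swap_check
  soft_install_check
  clock_time_type
  passwd_check
  passwd_uid_check
  user_umask_check
  file_lsattr_check
  ssh_config_check
  firewall_check
  ntp_check
  auditd_check
  service_check
  file_check
}

main "$@"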