Linux-Security

芒果牛奶 2021-02-23 16:17:29


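#!/bin/bash
# Linux baseline check script: runs a series of host configuration checks and
# appends one result line per check to the report file named by FILE_PATH.
#
# The report path defaults to /tmp/linux_security.txt and can be overridden by
# exporting FILE_PATH before the script is started.
# NOTE(review): the default is a fixed name inside world-writable /tmp, and the
# checks read /etc/shadow, so the script is presumably run as root. A fixed
# /tmp name can be pre-created (as a file or a symlink) by any local user, and
# the report describes the host's security posture. Prefer pointing FILE_PATH
# at a directory that only root can write.
FILE_PATH="${FILE_PATH:-/tmp/linux_security.txt}"
cat <<EOF
*************************************************************************************
***** linux基线检查脚本
*************************************************************************************
***** 输出结果${FILE_PATH}
*************************************************************************************
EOF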
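#######################################
# Check whether package updates are pending.
# The verdict comes from the exit status of `yum check-update` rather than
# from counting output lines that contain "updates": 0 means nothing to
# update, 100 means updates are available, anything else means yum itself
# could not complete the check.
# Globals:   FILE_PATH (read) - report file
# Outputs:   appends one result line to FILE_PATH
#######################################
system_update_check(){
  local rc=0
  yum check-update >/dev/null 2>&1 || rc=$?
  case "$rc" in
    0)
      echo -e "系统更新是否通过:YES \n">>"$FILE_PATH"
      ;;
    100)
      echo -e "系统更新是否通过:NO \n">>"$FILE_PATH"
      ;;
    *)
      # yum failed (missing, locked, no repository access). Report the check
      # as not passed instead of letting a failed run look like a pass.
      echo -e "系统更新是否通过:NO (yum check-update 执行失败,返回码:$rc) \n">>"$FILE_PATH"
      ;;
  esac
}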
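#######################################
# Check that swap exists and is at least 1000 MB.
# `free -m` prints a Swap row even when no swap is configured (total 0), so a
# total of 0 is reported as "no swap" just like a missing row. LC_ALL=C keeps
# the row label in English so the match does not depend on the locale.
# Globals:   FILE_PATH (read) - report file
# Outputs:   appends one result line to FILE_PATH
#######################################
swap_check(){
  local swap_sizes
  swap_sizes=$(LC_ALL=C free -m | awk '/^Swap/ {print $2; exit}')
  case "$swap_sizes" in
    ''|*[!0-9]*)
      # No Swap row, or a value that is not a plain number: treat as no swap.
      swap_sizes=0
      ;;
  esac
  if [ "$swap_sizes" -eq 0 ]; then
    echo -e "没有swap系统分区 \n">>"$FILE_PATH"
  elif [ "$swap_sizes" -lt 1000 ]; then
    echo -e "swap 分区设置过小 \n">>"$FILE_PATH"
  else
    echo -e "swap 分区检查:YES \n">>"$FILE_PATH"
  fi
}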
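#######################################
# Check that sysstat, man, wget, screen and ntp are all installed.
# Each package is queried by name. Counting `rpm -qa` lines that start with
# "man-" etc. also counts man-pages and similar packages, so five matches did
# not prove that all five tools were present.
# Globals:   FILE_PATH (read) - report file
# Outputs:   appends one result line to FILE_PATH
#######################################
soft_install_check(){
  local pkg missing=0
  for pkg in sysstat man wget screen ntp; do
    if rpm -q "$pkg" >/dev/null 2>&1; then
      continue
    fi
    # On newer releases the man command is packaged as man-db.
    if [ "$pkg" = "man" ] && rpm -q man-db >/dev/null 2>&1; then
      continue
    fi
    missing=$((missing+1))
  done
  if [ "$missing" -gt 0 ]; then
    echo -e "sysstat,man,wget,screen,ntp安装是否通过:NO \n">>"$FILE_PATH"
  else
    echo -e "sysstat,man,wget,screen,ntp安装是否通过:YES \n">>"$FILE_PATH"
  fi
}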
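#######################################
# Report the configured time zone.
# The zone is taken from the target of the /etc/localtime symlink, with
# everything up to "zoneinfo/" removed. The full zone name is kept, so
# single-component zones such as UTC are reported and Asia/Shanghai is not
# shortened to its last component. When /etc/localtime is not a symlink the
# zone cannot be derived and the "please check" line is written.
# Globals:   FILE_PATH (read) - report file
# Outputs:   appends one result line to FILE_PATH
#######################################
clock_time_type(){
  local target clock_type
  target=$(readlink /etc/localtime 2>/dev/null)
  case "$target" in
    */zoneinfo/*) clock_type=${target##*/zoneinfo/} ;;
    *) clock_type=$target ;;
  esac
  if [ -n "$clock_type" ]; then
    echo -e "系统时区为:$clock_type \n">>"$FILE_PATH"
  else
    echo -e "请检查是否有设置时区 \n">>"$FILE_PATH"
  fi
}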
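#######################################
# Check for accounts whose password field in /etc/shadow is empty.
# When /etc/shadow cannot be read (for example the script is not running as
# root) the check is reported as not passed with the reason, because an
# unreadable file would otherwise count zero accounts and look like a pass.
# Globals:   FILE_PATH (read) - report file
# Outputs:   appends one result line to FILE_PATH
#######################################
passwd_check(){
  local num
  if [ ! -r /etc/shadow ]; then
    echo -e "空口令账号检测是否通过:NO (无法读取/etc/shadow,请以root运行) \n">>"$FILE_PATH"
    return
  fi
  # Count the lines whose second colon-separated field is empty.
  num=$(awk -F":" '$2=="" {n++} END {print n+0}' /etc/shadow)
  if [ "$num" -gt 0 ]; then
    echo -e "空口令账号检测是否通过:NO \n">>"$FILE_PATH"
  else
    echo -e "空口令账号检测是否通过:YES \n">>"$FILE_PATH"
  fi
}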
#######################################
# Check /etc/passwd for accounts other than root whose UID field is "0".
# Globals:   FILE_PATH (read) - report file
# Outputs:   appends one result line to FILE_PATH
#######################################
passwd_uid_check(){
  local num
  # One output line per offending account; grep -c '' counts those lines.
  num=$(awk -F":" '$3=="0" && $1!="root" {print $1}' /etc/passwd | grep -c '')
  if [ "$num" -le 0 ]; then
    echo -e "非root账户UID检测是否通过:YES \n">>"$FILE_PATH"
  else
    echo -e "非root账户UID检测是否通过:NO \n">>"$FILE_PATH"
  fi
}
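#######################################
# Check the umask of the running shell and the umask that /etc/profile sets
# in the line following its '$UID -gt 199' test.
# Passes only when the shell umask is 0022 and the profile value is 002.
# NOTE(review): 0022 / 002 are permissive distribution defaults; hardening
# baselines commonly ask for 027 or stricter. Confirm which policy this
# report is meant to enforce before relying on a YES here.
# Globals:   FILE_PATH (read) - report file
# Outputs:   appends one result line to FILE_PATH
#######################################
user_umask_check(){
  local root_umask user_umask
  root_umask=$(umask)
  user_umask=$(grep -A 1 '\$UID -gt 199' /etc/profile|grep 'umask'|awk '{print $2}')
  # Quoted operands: an empty or multi-line value now compares as "not equal"
  # instead of making the test command fail with a syntax error.
  if [ "$root_umask" = "0022" ] && [ "$user_umask" = "002" ]; then
    echo -e "账户umask检测是否通过:YES \n">>"$FILE_PATH"
  else
    echo -e "账户umask检测是否通过:NO \n">>"$FILE_PATH"
  fi
}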
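#######################################
# Check that /etc/passwd and /etc/shadow carry the immutable attribute.
# The flag column printed by lsattr is searched for "i" instead of being
# compared with one fixed string, because the width of that column and the
# other flags in it differ between e2fsprogs versions and filesystems.
# An empty result (lsattr missing, failing, or not permitted) counts as a
# failure; previously it broke the comparison and was reported as a pass.
# Globals:   FILE_PATH (read) - report file
# Outputs:   appends one result line to FILE_PATH
#######################################
file_lsattr_check(){
  local file attr num=0
  local files=(/etc/passwd /etc/shadow)
  for file in "${files[@]}"; do
    attr=$(lsattr "$file" | awk '{print $1}')
    case "$attr" in
      *i*) ;;                 # immutable flag present
      *) num=$((num+1)) ;;    # flag absent, or no usable lsattr output
    esac
  done
  if [ "$num" -eq 0 ]; then
    echo -e "重要文件设置是否通过:YES \n">>"$FILE_PATH"
  else
    echo -e "重要文件设置是否通过:NO \n">>"$FILE_PATH"
  fi
}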
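#######################################
# List selected sshd_config settings next to a recommended value.
# A setting is matched only when the first word of a line equals the keyword
# (case-insensitively). A plain substring grep also picked up indented
# comments and unrelated lines that merely mention the keyword.
# The file defaults to /etc/ssh/sshd_config; set SSHD_CONFIG to audit a copy.
# NOTE(review): this reads the file text only. Compiled-in defaults, Include
# files and Match blocks are not reflected, so an empty value means "not set
# in this file", not "disabled"; `sshd -T` reports the effective values.
# NOTE(review): current OpenSSH releases appear to ignore the Protocol
# keyword - confirm before treating a missing "Protocol 2" as a finding.
# Globals:   FILE_PATH (read)   - report file
#            SSHD_CONFIG (read) - optional path of the file to inspect
# Outputs:   appends a heading and one line per keyword to FILE_PATH
#######################################
ssh_config_check(){
  local config=${SSHD_CONFIG:-/etc/ssh/sshd_config}
  # Keywords to report.
  local check_items=(ListenAddress Protocol StrictModes MaxAuthTries MaxSessions PubkeyAuthentication PasswordAuthentication PermitEmptyPasswords X11Forwarding)
  # Recommended value for the keyword at the same index.
  local proposal_value=("参考实际情况" 2 yes 5 5 yes no no no)
  local i value
  echo -e "检查sshd_config配置文件: \n">>"$FILE_PATH"
  for i in "${!check_items[@]}"; do
    value=$(awk -v key="${check_items[$i]}" 'tolower($1) == tolower(key) {print $2}' "$config")
    echo "${check_items[$i]}:${value} 建议值:${proposal_value[$i]}">>"$FILE_PATH"
  done
}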
#######################################
# Report whether the firewall service is running.
# When /etc/redhat-release mentions "release 6" the iptables init script is
# queried, otherwise firewalld is queried through systemctl. A zero exit
# status from the status command is reported as YES.
# Globals:   FILE_PATH (read) - report file
# Outputs:   appends one result line to FILE_PATH
#######################################
firewall_check(){
  local status_rc
  if grep 'release 6' /etc/redhat-release >/dev/null; then
    /etc/init.d/iptables status >/dev/null
    status_rc=$?
  else
    systemctl status firewalld.service >/dev/null
    status_rc=$?
  fi
  if [ "$status_rc" -ne 0 ]; then
    echo -e "防火墙状态是否通过:NO \n">>"$FILE_PATH"
    return
  fi
  echo -e "防火墙状态是否通过:YES \n">>"$FILE_PATH"
}
#######################################
# Report whether the ntpd service is running.
# When /etc/redhat-release mentions "release 6" the ntpd init script is
# queried, otherwise ntpd.service is queried through systemctl. A zero exit
# status from the status command is reported as YES.
# NOTE(review): hosts that keep time with a different daemon will show NO
# here - confirm which time service the baseline expects.
# Globals:   FILE_PATH (read) - report file
# Outputs:   appends one result line to FILE_PATH
#######################################
ntp_check(){
  if grep 'release 6' /etc/redhat-release >/dev/null; then
    /etc/init.d/ntpd status >/dev/null
  else
    systemctl status ntpd.service >/dev/null
  fi
  # $? is the exit status of whichever status command ran above.
  case $? in
    0)
      echo -e "ntp状态是否通过:YES \n">>"$FILE_PATH"
      ;;
    *)
      echo -e "ntp状态是否通过:NO \n">>"$FILE_PATH"
      ;;
  esac
}
#######################################
# Report whether the auditd service is running.
# The status command is chosen from /etc/redhat-release: the auditd init
# script when the file mentions "release 6", systemctl otherwise. A zero exit
# status from that command is reported as YES.
# Globals:   FILE_PATH (read) - report file
# Outputs:   appends one result line to FILE_PATH
#######################################
auditd_check(){
  local probe
  if grep 'release 6' /etc/redhat-release >/dev/null; then
    probe=(/etc/init.d/auditd status)
  else
    probe=(systemctl status auditd.service)
  fi
  if "${probe[@]}" >/dev/null; then
    echo -e "auditd状态是否通过:YES \n">>"$FILE_PATH"
  else
    echo -e "auditd状态是否通过:NO \n">>"$FILE_PATH"
  fi
}
#######################################
# Check that a fixed list of services is not enabled.
# Writes the two lists being checked, then counts how many listed services
# are enabled: via chkconfig (runlevel 3) when /etc/redhat-release mentions
# "release 6", via systemctl list-unit-files otherwise. A count of zero is
# reported as YES.
# Globals:   FILE_PATH (read) - report file
# Outputs:   appends two heading lines and one result line to FILE_PATH
#######################################
service_check(){
  local enabled_count
  echo "检查系统多余服务,centos6:acpid|ip6tables|netfs|postfix|udev-post">>"$FILE_PATH"
  echo "检查系统多余服务,centos7:postfix.service tuned.service irqbalance.service">>"$FILE_PATH"
  if grep 'release 6' /etc/redhat-release >/dev/null; then
    enabled_count=$(chkconfig --list | grep -E '3:on|3:启用' | grep -E -c 'acpid|ip6tables|netfs|postfix|udev-post')
  else
    enabled_count=$(systemctl list-unit-files --type=service | grep 'enabled' | grep -E -c 'postfix.service|tuned.service|irqbalance.service')
  fi
  if [ "$enabled_count" -ne 0 ]; then
    echo -e "系统多余服务是否关闭:NO \n">>"$FILE_PATH"
  else
    echo -e "系统多余服务是否关闭:YES \n">>"$FILE_PATH"
  fi
}
#######################################
# Record the open-file limits: the system-wide value from
# /proc/sys/fs/file-max and the "open files" limit of the current shell.
# Informational only; no pass/fail verdict is written.
# Globals:   FILE_PATH (read) - report file
# Outputs:   appends two lines to FILE_PATH
#######################################
file_check(){
  local system_file_limit user_file_limit
  system_file_limit=$(</proc/sys/fs/file-max)
  # ulimit -n is the "open files" entry of ulimit -a.
  user_file_limit=$(ulimit -n)
  echo "系统打开数限制:$system_file_limit">>"$FILE_PATH"
  echo "用户进程打开数限制:$user_file_limit">>"$FILE_PATH"
}
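# Start a fresh report with today's date, then run every check in order.
#
# The report path is a fixed, predictable name, so whatever already sits
# there is removed and the file is created exclusively (noclobber) with
# owner-only permissions: a pre-planted symlink is not followed and the
# findings are not readable by other local users. The umask change is
# confined to a subshell because user_umask_check inspects this shell's umask.
rm -f -- "$FILE_PATH"
if ! ( umask 077; set -o noclobber; date +%Y%m%d >"$FILE_PATH" ); then
  echo "无法创建报告文件: $FILE_PATH" >&2
  exit 1
fi
system_update_check
swap_check
soft_install_check
clock_time_type
passwd_check
passwd_uid_check
user_umask_check
file_lsattr_check
ssh_config_check
firewall_check
ntp_check
auditd_check
service_check
file_check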
版权声明
本文为[芒果牛奶]所创,转载请带上原文链接,感谢
https://segmentfault.com/a/1190000039262959
