#!/bin/bash
# Banner shown on the terminal when the script starts. The quoted delimiter
# keeps the text literal; nothing in it needs expanding.
cat <<'EOF'
*************************************************************************************
***** linux Baseline check script
*************************************************************************************
***** Output results /tmp/linux_security.txt
*************************************************************************************
EOF
# Report file: every check appends its result lines here, and the entry point
# at the bottom of the script truncates it before the first check runs.
# NOTE(review): a fixed name under the world-writable /tmp is predictable, so
# the code that opens it should not follow a pre-existing symlink at this path.
FILE_PATH="/tmp/linux_security.txt"
######### Check for system updates ##################
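system_update_check(){
  # Appends one line to FILE_PATH saying whether pending package updates exist.
  # Uses the documented exit status of `yum check-update` (0 = nothing to
  # update, 100 = updates available, anything else = error) instead of counting
  # output lines that contain the word "updates": that count depended on the
  # repository *name*, so hosts whose update repo is called something else were
  # always reported as passing.
  local rc=0
  yum check-update >/dev/null 2>&1 || rc=$?
  case "$rc" in
    0)   printf '%s\n\n' ' Whether the system update passed :YES ' >>"$FILE_PATH" ;;
    100) printf '%s\n\n' ' Whether the system update passed :NO ' >>"$FILE_PATH" ;;
    # yum missing, no network, broken repo config: say so rather than
    # reporting a pass that was never checked.
    *)   printf '%s\n\n' " Whether the system update passed :UNKNOWN (yum check-update exit status $rc) " >>"$FILE_PATH" ;;
  esac
}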
############# Check swap Partition ##############
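swap_check(){
  # Appends one line to FILE_PATH describing the swap size reported by free(1).
  # swap_mib is the "total" column of the Swap line in MiB; it is empty when
  # free is unavailable or prints no Swap line. Variables are quoted so an
  # empty value is handled by the explicit branch rather than by accident of
  # how `[` parses a missing operand.
  local swap_mib
  swap_mib=$(free -m 2>/dev/null | awk '/^Swap:/ {print $2}')
  if [[ -z "$swap_mib" ]]; then
    printf '%s\n\n' ' No, swap System partition ' >>"$FILE_PATH"
  elif (( swap_mib < 1000 )); then
    # Threshold kept from the original policy (1000 MiB).
    printf '%s\n\n' 'swap The partition setting is too small ' >>"$FILE_PATH"
  else
    printf '%s\n\n' 'swap Partition check :YES ' >>"$FILE_PATH"
  fi
}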
############# Check the necessary software #############
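soft_install_check(){
  # Appends one line to FILE_PATH saying whether the five required packages
  # (matched by rpm name prefix) are all installed. Each prefix is counted at
  # most once, so two installed versions of one package can no longer mask a
  # missing package the way the old total line count could.
  local -a required=('^sysstat-' '^man-' '^wget-' '^screen-' '^ntp-')
  local installed found=0 pattern
  installed=$(rpm -qa 2>/dev/null)
  for pattern in "${required[@]}"; do
    if grep -q -- "$pattern" <<<"$installed"; then
      found=$((found + 1))
    fi
  done
  if (( found < ${#required[@]} )); then
    printf '%s\n\n' 'sysstat,man,wget,screen,ntp Whether the installation passed or not :NO ' >>"$FILE_PATH"
  else
    printf '%s\n\n' 'sysstat,man,wget,screen,ntp Whether the installation passed or not :YES ' >>"$FILE_PATH"
  fi
}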
############ Look at the clock time #############
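clock_time_type(){
  # Appends one line to FILE_PATH with the configured time zone.
  # /etc/localtime is normally a symlink into the zoneinfo tree, so the zone
  # name is the path relative to ".../zoneinfo/" (e.g. "Asia/Shanghai", "UTC").
  # The old code printed a fixed "/"-separated field of `ls -l`, which only
  # worked for two-level zone names and reported single-level ones like UTC as
  # "not set".
  local target zone=''
  target=$(readlink -f /etc/localtime 2>/dev/null)
  if [[ "$target" == */zoneinfo/* ]]; then
    zone=${target#*/zoneinfo/}
  fi
  if [[ -n "$zone" ]]; then
    printf '%s\n\n' " The system time zone is :$zone " >>"$FILE_PATH"
  else
    # Not a symlink into zoneinfo (copied file, or no /etc/localtime at all).
    printf '%s\n\n' ' Please check if the time zone is set ' >>"$FILE_PATH"
  fi
}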
##### Check the empty password ########
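passwd_check(){
  # Appends one line to FILE_PATH saying whether any account in /etc/shadow has
  # an empty password field (2nd field), i.e. can log in without a password.
  # /etc/shadow is root-only; when it cannot be read the old code counted zero
  # matches and reported YES, a false pass. Report that case explicitly.
  if [[ ! -r /etc/shadow ]]; then
    printf '%s\n\n' ' Check whether the empty password account passed :UNKNOWN (/etc/shadow is not readable, run as root) ' >>"$FILE_PATH"
    return
  fi
  local empty_count
  empty_count=$(awk -F':' '$2 == "" {print $1}' /etc/shadow | wc -l)
  if (( empty_count > 0 )); then
    printf '%s\n\n' ' Check whether the empty password account passed :NO ' >>"$FILE_PATH"
  else
    printf '%s\n\n' ' Check whether the empty password account passed :YES ' >>"$FILE_PATH"
  fi
}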
##### Check users uid Is it 0########
passwd_uid_check(){
  # Appends one line to FILE_PATH: NO when /etc/passwd lists an account other
  # than "root" whose UID field (3rd) is 0 (a second superuser), YES otherwise.
  local extra_root_count
  extra_root_count=$(awk -F':' '$3 == "0" && $1 != "root" {print $1}' /etc/passwd | wc -l)
  if (( extra_root_count > 0 )); then
    printf '%s\n\n' ' Not root Account UID Check whether it passes :NO ' >>"$FILE_PATH"
  else
    printf '%s\n\n' ' Not root Account UID Check whether it passes :YES ' >>"$FILE_PATH"
  fi
}
######### Check umask############
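user_umask_check(){
  # Appends one line to FILE_PATH saying whether the umask policy holds:
  # root_umask is the umask of this shell (the user running the check, expected
  # 0022); user_umask is the value on the line following the "$UID -gt 199"
  # test in /etc/profile, where the stock profile sets the umask for ordinary
  # users (expected 002). Both are compared quoted, so an empty grep result
  # gives NO instead of a "unary operator expected" error from `[`.
  local root_umask user_umask
  root_umask=$(umask)
  user_umask=$(grep -A 1 '\$UID -gt 199' /etc/profile 2>/dev/null | awk '$1 == "umask" {print $2}')
  if [[ "$root_umask" == "0022" && "$user_umask" == "002" ]]; then
    printf '%s\n\n' ' Account umask Check whether it passes :YES ' >>"$FILE_PATH"
  else
    printf '%s\n\n' ' Account umask Check whether it passes :NO ' >>"$FILE_PATH"
  fi
}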
######## Check important file permissions ##########
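file_lsattr_check(){
  # Appends one line to FILE_PATH: YES when every listed file carries the
  # immutable attribute ('i' in the lsattr flag field), NO otherwise.
  # The old code compared the whole flag string with "----i--------e-", which
  # also required that no other flag be set and stopped matching as soon as
  # e2fsprogs widened the field; only the 'i' flag is what the check is about.
  local -a files=(/etc/passwd /etc/shadow)
  local file attrs missing=0
  for file in "${files[@]}"; do
    attrs=$(lsattr "$file" 2>/dev/null | awk '{print $1}')
    # An empty result (lsattr absent, unsupported filesystem, unreadable file)
    # is counted as "not immutable" rather than silently passing.
    if [[ "$attrs" != *i* ]]; then
      missing=$((missing + 1))
    fi
  done
  if (( missing == 0 )); then
    printf '%s\n\n' ' Whether important file settings pass :YES ' >>"$FILE_PATH"
  else
    printf '%s\n\n' ' Whether important file settings pass :NO ' >>"$FILE_PATH"
  fi
}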
###########ssh Protocol and password authentication ################
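ssh_config_check(){
  # Appends to FILE_PATH one line per sshd_config keyword of interest, showing
  # the configured value next to the recommended one. Only the file is read;
  # `sshd -T` would show the effective configuration including defaults, but
  # needs root and a loadable config.
  printf '%s\n\n' ' Check sshd_config The configuration file : ' >>"$FILE_PATH"
  ##### Check the item ######
  local -a check_items=(ListenAddress Protocol StrictModes MaxAuthTries MaxSessions PubkeyAuthentication PasswordAuthentication PermitEmptyPasswords X11Forwarding)
  ####### reference value #############
  # Index-aligned with check_items. An empty Protocol value is expected on
  # OpenSSH builds that no longer support SSHv1 and have dropped the keyword.
  local -a proposal_value=(" Refer to the actual situation " 2 yes 5 5 yes no no no)
  local i item value
  for i in "${!check_items[@]}"; do
    item=${check_items[$i]}
    # Match the keyword as a whole word at the start of a (possibly indented)
    # line, case-insensitively as sshd does. The old unanchored `grep $item`
    # also hit mid-line comments and any longer keyword containing the item.
    # Several hits (e.g. repeated inside Match blocks) are joined with spaces.
    value=$(grep -iE "^[[:space:]]*${item}[[:space:]]" /etc/ssh/sshd_config 2>/dev/null \
      | awk '{printf "%s%s", sep, $2; sep = " "}')
    printf '%s:%s recommended value :%s\n' "$item" "$value" "${proposal_value[$i]}" >>"$FILE_PATH"
  done
}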
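############ Shared service status check ####################
service_active_check(){
  # Appends "<label>YES " or "<label>NO " to FILE_PATH depending on whether the
  # service is running. The three callers below were copies of the same logic
  # that differed only in the service name and the message.
  # Arguments: $1 - SysV init script name (used on "release 6" hosts)
  #            $2 - systemd unit name (used on every other host)
  #            $3 - message prefix written before the verdict
  local init_name=$1 unit_name=$2 label=$3
  local verdict=NO
  # "release 6" in /etc/redhat-release selects the SysV path; anything else,
  # including a missing file, goes through systemd, as in the original.
  if grep -q 'release 6' /etc/redhat-release 2>/dev/null; then
    if "/etc/init.d/${init_name}" status >/dev/null 2>&1; then
      verdict=YES
    fi
  elif systemctl is-active --quiet "$unit_name" 2>/dev/null; then
    # is-active succeeds only for a running unit; `systemctl status` printed a
    # page of log output and conflated "inactive" with other failures.
    verdict=YES
  fi
  printf '%s%s \n\n' "$label" "$verdict" >>"$FILE_PATH"
}
############ Firewall service status ####################
firewall_check(){
  # iptables on release 6, firewalld elsewhere.
  service_active_check iptables firewalld.service ' Whether the firewall status is passed :'
}
############ntp Service status ####################
ntp_check(){
  service_active_check ntpd ntpd.service 'ntp Whether the status is passed or not :'
}
############auditd Service status ####################
auditd_check(){
  service_active_check auditd auditd.service 'auditd Whether the status is passed or not :'
}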
############# Check for unnecessary services ###############
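service_check(){
  # Appends to FILE_PATH the list of services considered redundant and one line
  # saying whether all of them are disabled at boot.
  printf '%s\n' ' Check the system for redundant services ,centos6:acpid|ip6tables|netfs|postfix|udev-post' >>"$FILE_PATH"
  printf '%s\n' ' Check the system for redundant services ,centos7:postfix.service tuned.service irqbalance.service' >>"$FILE_PATH"
  local enabled_count
  if grep -q 'release 6' /etc/redhat-release 2>/dev/null; then
    # chkconfig prints "name   0:off 1:off 2:on 3:on ..."; the second
    # alternative keeps the original match for a localized "3: Enable " column.
    # The service name is anchored at line start so it cannot match as a
    # substring of another service's name.
    enabled_count=$(chkconfig --list 2>/dev/null | grep -E '3:on|3: Enable ' \
      | grep -Ec '^(acpid|ip6tables|netfs|postfix|udev-post)[[:space:]]')
  else
    # Anchor the unit names, escape the dots and require the state column to
    # be exactly "enabled": the old `grep 'enabled'` also matched
    # "enabled-runtime", and the unescaped dots matched any character.
    enabled_count=$(systemctl list-unit-files --type=service 2>/dev/null \
      | grep -Ec '^(postfix|tuned|irqbalance)\.service[[:space:]]+enabled([[:space:]]|$)')
  fi
  if (( enabled_count == 0 )); then
    printf '%s\n\n' ' Whether the redundant service of the system is shut down :YES ' >>"$FILE_PATH"
  else
    printf '%s\n\n' ' Whether the redundant service of the system is shut down :NO ' >>"$FILE_PATH"
  fi
}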
############ Check the number of open files ##############
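file_check(){
  # Appends two lines to FILE_PATH: the kernel-wide open-file limit
  # (/proc/sys/fs/file-max) and this process's soft per-process limit.
  # `ulimit -n` is the "open files" value that the old code scraped from the
  # localized text of `ulimit -a`. Counting currently open files with lsof
  # (commented out in the original) is intentionally not done.
  local system_file_limit user_file_limit
  system_file_limit=$(cat /proc/sys/fs/file-max 2>/dev/null)
  user_file_limit=$(ulimit -n)
  printf '%s\n' " System open limit :$system_file_limit" >>"$FILE_PATH"
  printf '%s\n' " User process open limit :$user_file_limit" >>"$FILE_PATH"
}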
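# Entry point. FILE_PATH is a fixed name in the world-writable /tmp, so refuse
# to write through a symlink there: a pre-planted link would make a root run
# truncate and append to whatever it points at. (The check-then-open still
# races; a per-run mktemp directory would close that gap completely.)
if [[ -L "$FILE_PATH" ]]; then
  printf '%s\n' "refusing to write through symlink: $FILE_PATH" >&2
  exit 1
fi
# First report line is the run date (YYYYMMDD); '>' discards the previous run.
date +%Y%m%d >"$FILE_PATH" || exit 1
system_update_check
swap_check
soft_install_check
clock_time_type
passwd_check
passwd_uid_check
user_umask_check
file_lsattr_check
ssh_config_check
firewall_check
ntp_check
auditd_check
service_check
file_check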