Linux-Security

#!/bin/bash
cat <>$FILE_PATH
else
echo -e "系统更新是否通过:YES \n">>$FILE_PATH
fi
}

#############检查swap分区##############

swap_check(){
swap_sizes=`free -m|grep 'Swap'|awk '{print $2}'`
if [ -z $swap_sizes ];then
echo -e "没有swap系统分区 \n">>$FILE_PATH
else
if [ $swap_sizes -lt 1000 ];then
echo -e "swap 分区设置过小 \n">>$FILE_PATH
else
echo -e "swap 分区检查:YES \n">>$FILE_PATH
fi
fi
}

#############检查必要软件#############

soft_install_check(){
num=`rpm -qa|egrep '^sysstat-|^man-|^wget-|^screen-|^ntp-'|wc -l`
if [ $num -lt 5 ];then
echo -e "sysstat,man,wget,screen,ntp安装是否通过:NO \n">>$FILE_PATH
else
echo -e "sysstat,man,wget,screen,ntp安装是否通过:YES \n">>$FILE_PATH
fi
}

############查看时钟时间#############

clock_time_type(){
clock_type=`ls -l /etc/localtime |awk -F"/" '{print $8}'`
if [ -n "$clock_type" ];then
echo -e "系统时区为:$clock_type \n">>$FILE_PATH
else
echo -e "请检查是否有设置时区 \n">>$FILE_PATH
fi
}


#####检查空密码########

passwd_check(){
num=`awk -F":" '{if($2=="") print $1}' /etc/shadow|wc -l`
if [ $num -gt 0 ];then
echo -e "空口令账号检测是否通过:NO \n">>$FILE_PATH
else
echo -e "空口令账号检测是否通过:YES \n">>$FILE_PATH
fi
}


#####检查用户uid是否为0########

passwd_uid_check(){
num=`awk -F":" '{if($3=="0" && $1!="root") print $1}' /etc/passwd|wc -l`
if [ $num -gt 0 ];then
echo -e "非root账户UID检测是否通过:NO \n">>$FILE_PATH
else
echo -e "非root账户UID检测是否通过:YES \n">>$FILE_PATH
fi
}

#########检查umask############

user_umask_check(){
root_umask=`umask`
user_umask=`grep -A 1 '\$UID -gt 199' /etc/profile|grep 'umask'|awk '{print $2}'`
if [ $root_umask == "0022" ] && [ $user_umask == "002" ];then
echo -e "账户umask检测是否通过:YES \n">>$FILE_PATH
else
echo -e "账户umask检测是否通过:NO \n">>$FILE_PATH
fi
}

########检查重要文件权限##########

file_lsattr_check(){
num=0
files=(/etc/passwd /etc/shadow)
for file in ${files[*]}
do
attr=`lsattr $file|awk '{print $1}'`
if [ $attr != "----i--------e-" ];then
num=$(($num+1))
fi
done
if [ $num -eq 0 ];then
echo -e "重要文件设置是否通过:YES \n">>$FILE_PATH
else
echo -e "重要文件设置是否通过:NO \n">>$FILE_PATH
fi
}


###########ssh 协议和密码认证################

ssh_config_check(){
echo -e "检查sshd_config配置文件: \n">>$FILE_PATH

#####检查项######

check_items=(ListenAddress Protocol StrictModes MaxAuthTries MaxSessions PubkeyAuthentication PasswordAuthentication PermitEmptyPasswords X11Forwarding)

#######参考值#############

proposal_value=("参考实际情况" 2 yes 5 5 yes no no no)
i=0
for item in ${check_items[*]}
do
value=`grep $item /etc/ssh/sshd_config|grep -v '^#'|awk '{print $2}'`
echo "${check_items[$i]}:${value} 建议值:${proposal_value[$i]}">>$FILE_PATH
i=$(($i+1))
done
}

############防火墙服务状态####################

firewall_check(){
grep 'release 6' /etc/redhat-release >>/dev/null
if [ $? -eq 0 ];then
/etc/init.d/iptables status>>/dev/null
if [ $? -eq 0 ];then
echo -e "防火墙状态是否通过:YES \n">>$FILE_PATH
else
echo -e "防火墙状态是否通过:NO \n">>$FILE_PATH
fi
else
systemctl status firewalld.service >>/dev/null
if [ $? -eq 0 ];then
echo -e "防火墙状态是否通过:YES \n">>$FILE_PATH
else
echo -e "防火墙状态是否通过:NO \n">>$FILE_PATH
fi
fi
}

############ntp服务状态####################

ntp_check(){
grep 'release 6' /etc/redhat-release >>/dev/null
if [ $? -eq 0 ];then
/etc/init.d/ntpd status>>/dev/null
if [ $? -eq 0 ];then
echo -e "ntp状态是否通过:YES \n">>$FILE_PATH
else
echo -e "ntp状态是否通过:NO \n">>$FILE_PATH
fi
else
systemctl status ntpd.service >>/dev/null
if [ $? -eq 0 ];then
echo -e "ntp状态是否通过:YES \n">>$FILE_PATH
else
echo -e "ntp状态是否通过:NO \n">>$FILE_PATH
fi
fi
}


############auditd服务状态####################

auditd_check(){
grep 'release 6' /etc/redhat-release >>/dev/null
if [ $? -eq 0 ];then
/etc/init.d/auditd status>>/dev/null
if [ $? -eq 0 ];then
echo -e "auditd状态是否通过:YES \n">>$FILE_PATH
else
echo -e "auditd状态是否通过:NO \n">>$FILE_PATH
fi
else
systemctl status auditd.service >>/dev/null
if [ $? -eq 0 ];then
echo -e "auditd状态是否通过:YES \n">>$FILE_PATH
else
echo -e "auditd状态是否通过:NO \n">>$FILE_PATH
fi
fi
}

#############检查不必要的服务###############

service_check(){
echo "检查系统多余服务,centos6:acpid|ip6tables|netfs|postfix|udev-post">>$FILE_PATH
echo "检查系统多余服务,centos7:postfix.service tuned.service irqbalance.service">>$FILE_PATH
grep 'release 6' /etc/redhat-release >>/dev/null
if [ $? -eq 0 ];then
cent6_num=`chkconfig --list|egrep '3:on|3:启用'|egrep 'acpid|ip6tables|netfs|postfix|udev-post'|wc -l`
if [ $cent6_num -eq 0 ];then
echo -e "系统多余服务是否关闭:YES \n">>$FILE_PATH
else
echo -e "系统多余服务是否关闭:NO \n">>$FILE_PATH
fi
else
cent7_num=`systemctl list-unit-files --type=service|grep 'enabled'|egrep 'postfix.service|tuned.service|irqbalance.service'|wc -l`
if [ $cent7_num -eq 0 ];then
echo -e "系统多余服务是否关闭:YES \n">>$FILE_PATH
else
echo -e "系统多余服务是否关闭:NO \n">>$FILE_PATH
fi
fi
}

############检查文件打开数情况##############

file_check(){
system_file_limit=`cat /proc/sys/fs/file-max`
#current_open_file=`lsof|wc -l`
user_file_limit=`ulimit -a|grep 'open files'|awk '{print $4}'`
echo "系统打开数限制:$system_file_limit">>$FILE_PATH
echo "用户进程打开数限制:$user_file_limit">>$FILE_PATH
}

echo `date +%Y%m%d`>$FILE_PATH
system_update_check
swap_check
soft_install_check
clock_time_type
passwd_check
passwd_uid_check
user_umask_check
file_lsattr_check
ssh_config_check
firewall_check
ntp_check
auditd_check
service_check
file_check

你可能感兴趣的:(linux)