安全巡检脚本(分模块)

安全巡检

版本以及IP信息

# ---- Module: IP addresses and version information ----
echo -------------IP及版本-------------------
echo -------------IP地址-------------------
echo "正在检查IP地址....."
# Every "inet" line ifconfig prints; the address is its second column.
ip=$(ifconfig -a | grep -w inet | awk '{print $2}')
if [ -z "$ip" ]; then
        echo "[!!!]本机未配置IP地址"
else
        echo "[*]本机IP地址信息:"
        echo "$ip"
fi
printf "\n"

# ---- Kernel version (full uname line) ----
echo -------------版本信息------------------
echo "正在检查系统内核版本....."
corever=$(uname -a)
if [ -z "$corever" ]; then
        echo "[!!!]未发现内核版本信息"
else
        echo "[*]系统内核版本信息:"
        echo "$corever"
fi
printf "\n"

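# ---- Distribution release ----
# /etc/redhat-release exists only on RHEL-family systems; reading it blindly
# printed a "No such file" error elsewhere.  Fall back to PRETTY_NAME from
# /etc/os-release so other distributions are reported instead of flagged.
echo "正在检查系统发行版本....."
systemver=""
if [ -r /etc/redhat-release ]; then
        systemver=$(cat /etc/redhat-release)
elif [ -r /etc/os-release ]; then
        systemver=$(awk -F= '$1=="PRETTY_NAME" {gsub(/"/, "", $2); print $2}' /etc/os-release)
fi
if [ -n "$systemver" ]; then
        echo "[*]系统发行版本:"
        echo "$systemver"
else
        echo "[!!!]未发现发行版本信息"
fi
printf "\n"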

ARP攻击查看

# ---- Module: ARP table dump ----
echo -------------ARP------------------
echo -------------ARP表项-------------
echo "正在查看ARP表项....."
# -n keeps addresses numeric (no reverse DNS delay).
arp=$(arp -a -n)
if [ -z "$arp" ]; then
        echo "[未发现arp表]"
else
        echo "[*]ARP表项如下:"
        echo "$arp"
fi
printf "\n"

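# ---- ARP spoofing heuristic ----
echo -------------ARP攻击-------------
echo "正在检测是否存在ARP攻击....."
# `arp -a -n` prints "? (IP) at MAC [ether] on IF"; $4 is the MAC.  One MAC
# answering for several IPs is the usual spoofing symptom.  Only complete
# entries ($3 == "at") are counted, so "<incomplete>" lines do not inflate
# the tally.  The original tested $2 inside END, a stale field of the last
# record, instead of the per-MAC counter, so it could not detect anything.
arpattack=$(arp -a -n | awk '$3=="at" {++S[$4]} END {for (a in S) if (S[a] > 1) print a, S[a]}')
if [ -n "$arpattack" ]; then
        { echo "[!!!]发现存在ARP攻击:"; echo "$arpattack"; } | tee -a "$danger_file"
else
        echo "[*]未发现ARP攻击"
fi
printf "\n"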

端口开放以及高危端口查看

端口开放脚本
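# ---- Module: open ports ----
echo ------------查看端口情况-----------------
echo -------------查看开放端口--------------
echo -------------查看TCP开放端口--------------
# A TCP/UDP port bound to 0.0.0.0, 127.0.0.1 or 192.168.1.1 only means the
# port is open; only a 0.0.0.0 (wildcard) bind is reachable from the LAN.
echo "正在检查TCP开放端口....."
# Column 4 is local address, column 7 is PID/program.  After ':' is turned
# into a space the port is the second-to-last field and PID/program the
# last; using $(NF-1),$NF (as the wildcard check below does) keeps IPv6
# binds like ":::22" correct, where the original $2,$3 picked the wrong
# fields because of the empty IPv6 address.
listenport=$(netstat -anltp | grep LISTEN | awk '{print $4,$7}' | sed 's/:/ /g' | awk '{print $(NF-1),$NF}' | sed 's/\// /g' | awk '{printf "%-20s%-10s\n",$1,$NF}' | sort -n | uniq)
if [ -n "$listenport" ]; then
        echo "[*]该服务器开放TCP端口以及对应的服务:"
        echo "$listenport"
else
        echo "[!!!]系统未开放TCP端口"
fi
printf "\n"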

# ---- TCP listeners bound to a wildcard address (reachable from outside) ----
# Only 0.0.0.0 / ::: binds pass the egrep; port and program are the last two
# fields once ':' and '/' are split.
accessport=$(netstat -anltp | grep LISTEN | awk  '{print $4,$7}' | egrep "(0.0.0.0|:::)" | sed 's/:/ /g' | awk '{print $(NF-1),$NF}' | sed 's/\// /g' | awk '{printf "%-20s%-10s\n",$1,$NF}' | sort -n | uniq)
if [ -z "$accessport" ]; then
        echo "[*]端口未面向局域网或互联网开放"
else
        echo "[!!!]以下TCP端口面向局域网或互联网开放,请注意!"
        echo "$accessport"
fi
printf "\n"

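echo -------------查看UDP开放端口--------------
echo "正在检查UDP开放端口....."
# Same field logic as the TCP listing: after ':' is split, port is the
# second-to-last field and PID/program the last.  $(NF-1),$NF keeps IPv6
# binds (":::123") correct where the original $2,$3 did not.
udpopen=$(netstat -anlup | awk '{print $4,$NF}' | grep : | sed 's/:/ /g' | awk '{print $(NF-1),$NF}' | sed 's/\// /g' | awk '{printf "%-20s%-10s\n",$1,$NF}' | sort -n | uniq)
if [ -n "$udpopen" ]; then
        echo "[*]该服务器开放UDP端口以及对应的服务:"
        echo "$udpopen"
else
        echo "[!!!]系统未开放UDP端口"
fi
printf "\n"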

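# ---- UDP ports bound to a wildcard address ----
# Only wildcard binds (0.0.0.0 / :::) are reachable from other hosts; the
# port is the last colon-separated field, which also works for IPv6.
udpports=$(netstat -anlup | awk '{print $4}' | grep -E '(0\.0\.0\.0|:::)' | awk -F: '{print $NF}' | sort -n | uniq)
if [ -n "$udpports" ]; then
        echo "[*]以下UDP端口面向局域网或互联网开放:"
        if command -v nc >/dev/null 2>&1; then
                for port in $udpports; do
                        # nc -uz probes the port; UDP normally reports "open"
                        # unless an ICMP unreachable comes back, so a hit is a
                        # hint, not proof.  Its chatter is silenced.
                        if nc -uz 127.0.0.1 "$port" >/dev/null 2>&1; then
                                echo "$port"
                        fi
                done
        else
                # nc is not installed everywhere; list the bound ports instead
                # of silently printing nothing.
                echo "$udpports"
        fi
else
        echo "[*]未发现在UDP端口面向局域网或互联网开放."
fi
printf "\n"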
高危端口列表
病毒木马

31:木马Master Paradise、HackersParadise
99:后门程序ncx99
121:木马BO jammerkillahV
135:DCOM服务,冲击波病毒利用,建议关闭
445:Microsoft-DS,为共享默认开放,震荡波病毒利用,一般应关闭
456:木马HACKERS PARADISE
555:木马PhAse1.0、Stealth Spy、IniKiller
666:木马Attack FTP、Satanz Backdoor
1001:木马Silencer,WebEx
1011:木马Doly
1024:动态端口的开始,木马yai
1025:inetinfo.exe(互联网信息服务)木马netspy
1070:木马Psyber Stream,Streaming Audio
1234:木马SubSeven2.0、Ultors Trojan
1243:木马SubSeven1.0/1.9
1245:木马Vodoo,GabanBus,NetBus,Vodoo
1492:木马FTP99CMP
1509:木马Psyber Streaming Server
1524:许多攻击脚本安装一个后门SHELL在这个端口
1524:FreeBSD (FBRK) Rootkit backdoor
1600:木马Shivka-Burka
1807:木马SpySender
1981:木马ShockRave
1984:Fuckit Rootkit
1999:木马BackDoor,yai
2000:木马GirlFriend 1.3、Millenium 1.0
2001:木马Millenium 1.0、Trojan Cow,黑洞2001
2006:CB Rootkit or w00tkit Rootkit SSH server
2023:木马Pass Ripper
2115:木马Bugs
2128:MRK
2140:木马Deep Throat 1.0/3.0,The Invasor
2565:木马Striker
2583:木马Wincrash 2.0
2801:木马Phineas Phucker
2847:诺顿反病毒服务
3024:木马WinCrash
3129:木马Master Paradise
3150:木马The Invasor,deep throat
3210:木马SchoolBus
3333:木马Prosiak
3700:木马Portal of Doom
3996:木马RemoteAnything
4060:木马RemoteAnything
4092:木马WinCrash
4590:木马ICQTrojan
4950:木马IcqTrojan
5000:木马blazer5,Sockets de Troie默认开放5000端口,一般应关闭
5001:木马Sockets de Troie
5321:木马Sockets de Troie
5400:木马Blade Runner
5401:木马Blade Runner
5402:木马Blade Runner
5550:木马xtcp
5569:木马Robo-Hack
5742:木马WinCrash1.03
6267:木马广外女生
6400:木马The tHing
6666:rogue IRC bot 
6667:rogue IRC bot 
6668:rogue IRC bot 
6669:rogue IRC bot 
6670:木马Deep Throat
6671:木马Deep Throat 3.0
6883:木马DeltaSource
6939:木马Indoctrination
6969:木马Gatecrasher、Priority
7000:木马Remote Grab
7000:Possible rogue IRC bot
7300:木马NetMonitor
7301:木马NetMonitor
7306:木马NetMonitor,NetSpy1.0
7307:木马NetMonitor
7308:木马NetMonitor
7511:木马聪明基因
7597:木马Quaz
7626:木马冰河
7676:木马Giscier
7789:木马ICKiller
8011:木马way2.4
8225:木马灰鸽子
8311:木马初恋情人
9400:木马Incommand 1.0
9401:木马Incommand 1.0
9402:木马Incommand 1.0
9872:木马Portal of Doom
9873:木马Portal of Doom
9874:木马Portal of Doom
9875:木马Portal of Doom
9899:木马InIkiller
9989:木马iNi-Killer
10067:木马iNi-Killer
10167:木马iNi-Killer
11000:木马SennaSpy
11233:木马Progenic trojan
12076:木马Telecommando
12223:木马Hack'99 KeyLogger
12345:木马NetBus1.60/1.70、GabanBus
12346:木马NetBus1.60/1.70、GabanBus
12361:木马Whack-a-mole
13000:Possible Universal Rootkit (URK) SSH server
14856:Optic Kit (Tux)
16959:木马Subseven
16969:木马Priority
19191:木马蓝色火焰
20000:木马Millennium
20001:木马Millennium
20034:木马NetBus Pro
21554:木马GirlFriend
22222:木马Prosiak
23444:木马网络公牛
23456:木马Evil FTP、Ugly FTP
25000:Possible Universal Rootkit (URK) component
26274:木马Delta
27374:木马Subseven 2.1
29812:FreeBSD (FBRK) Rootkit default backdoor port
30100:木马NetSphere
30129:木马Masters Paradise
30303:木马Socket23
30999:木马Kuang
31337:木马BO(Back Orifice)
31337:Historical backdoor port
31338:木马BO(Back Orifice),DeepBO
31339:木马NetSpy DK
31666:木马BOWhack
32982:Solaris Wanuk
33333:木马Prosiak
33369:Volc Rootkit SSH server (divine)
34324:木马Tiny Telnet Server、BigGluck、TN
40412:木马The Spy
40421:木马Masters Paradise
40422:木马Masters Paradise
40423:木马Masters Paradise
40426:木马Masters Paradise
43210:木马SchoolBus 1.0/2.0
44445:木马Happypig
47018:Possible Universal Rootkit (URK) component
47107:T0rn
47262:木马Delta
50505:木马Sockets de Troie
50766:木马Fore
53001:木马Remote Windows Shutdown
54320:木马bo2000
54321:木马SchoolBus 1.0/2.0
60922:zaRwT.KiT
61466:木马Telecommando
62883:Possible FreeBSD (FBRK) Rootkit default backdoor port
65000:木马Devil 1.03
65535:FreeBSD Rootkit (FBRK) telnet port

#挖矿矿池
#格式:端口号:相关挖矿类型描述:对应进程名
#X:代表未知进程
1111:挖矿木马:X
2222:挖矿木马:X
3333:挖矿木马:X
3367:ZCL挖矿木马(zclassic.f2pool.com):ZecMiner64
3377:ZEN挖矿木马(zencash.f2pool.com):ZecMiner64
3636:RVN挖矿木马(raven.f2pool.com):(sgminer|ccminer)
4444:挖矿木马:X
5555:挖矿木马:X
5730:DCR挖矿木马(dcr.f2pool.com):
5740:多功能挖矿木马([raven|xzc|dcr].f2pool.com):(ccminer|sgminer|cpuminer-avx2)
5750:PGN挖矿木马(pigeon.f2pool.com):(sgminer|ccminer)
6666:挖矿木马:X
6688:ETH挖矿木马(eth.f2pool.com):EthDcrMiner64
7777:ETH挖矿木马(eth.f2pool.com):EthDcrMiner64
8008:ETH挖矿木马(eth.f2pool.com):EthDcrMiner64
8118:ETC挖矿木马(etc.f2pool.com):EthDcrMiner64
8220:8220挖矿木马:X
8332:挖矿木马:X
8333:挖矿木马:X
8888:挖矿木马:X
9008:XVG挖矿木马(xvg-blake2s.f2pool.com):ccminer
9009:XVG挖矿木马(xvg-scrypt.f2pool.com):X
9010:XVG挖矿木马(xvg-x17.f2pool.com):sgminer
9011:XVG挖矿木马(xvg-groestl.f2pool.com):X
9012:XVG挖矿木马(xvg-lyra.f2pool.com):(sgminer|ccminer)
9221:BTM挖矿木马(btm.f2pool.com):(HSPMinerBTMiner_NebuTech)
9327:litecoin挖矿:X
9332:bitcoin挖矿:X
9501:BCD挖矿木马(bcd-pool.beepool.org):ccminer
9502:BTM挖矿木马(btm-pool.beepool.org):BTMinerNebuTech
9503:HC挖矿木马(hc-pool.beepool.org):X
9504:SUQA挖矿木马(suqa-pool.beepool.org):X
9505:AE挖矿木马(ae-pool.beepool.org):(bminer|qskg_ae|HSPMinerAE)
9507:BEAM挖矿木马(beam-pool.beepool.org):beam-cuda-miner
9509:DASH挖矿木马(dash-pool.beepool.org):X
9510:GRIN挖矿木马(grin-pool.beepool.org):miner
9518:ETC挖矿木马(etc-pool.beepool.org):EthDcrMiner64
9522:BCX挖矿木马(bcx-pool.beepool.org):ccminer
9530:ETH挖矿木马(eth-pool.beepool.org):EthDcrMiner64
9531:RVN挖矿木马(rvn-pool.beepool.org):ccminer
9540:MOAC挖矿木马(moac-pool.beepool.org):EthDcrMiner64
9568:DCR挖矿木马(dcr-pool.beepool.org):X
9999:挖矿木马:X
11110:DGB挖矿木马(dgb-sha256d.f2pool.com):X
11112:DGB挖矿木马(dgb-groestl.f2pool.com):X
11113:DGB挖矿木马(dgb-skein.f2pool.com):X
11114:DGB挖矿木马(dgb-qubit.f2pool.com):X
13333:ETN挖矿木马(etn.f2pool.com):(xmrig|NsCpuCNMiner64|xmrig-nvidia|ccminer-x64|xmrig-amd|NsGpuCNMiner)
13531:XMR挖矿木马(xmr.f2pool.com):(xmrig|NsCpuCNMiner64|NsGpuCNMiner|xmrig-nvidia|xmrig-amd)
13541:XMR挖矿木马(xmr-classic.f2pool.com):X
13654:XDAG挖矿木马(xdag.f2pool.com):DaggerGpuMiner
14433:挖矿木马:X
14444:挖矿木马:X
15555:PASC挖矿木马(pasc.f2pool.com):EthDcrMiner64
20012:GIN挖矿木马(gin.f2pool.com):ccminer-x64
20581:挖矿木马:X
20593:MONA挖矿木马(mona.f2pool.com):ccminer-x64
45560:XMR挖矿木马(xmr.pool.minergate.com):xmr-stak
45590:挖矿木马:X
45700:minergate.com挖矿木马:X
45790:挖矿木马:X
52137:WMAMiner挖矿蠕虫:X
55335:挖矿木马:X
65333:挖矿木马:X

#代理
1080:shadowsocks客户端

#其他
高危端口检查脚本
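# ---- TCP ports cross-checked against the high-risk list ----
echo -------------TCP高危端口--------------
echo "正在检查TCP高危端口....."
# Local TCP ports currently bound, one per line (header lines carry no digits).
tcpport=$(netstat -anlpt | awk '{print $4}' | awk -F: '{print $NF}' | sort | uniq | grep '[0-9]')
# Reference list: one "port:description:process" record per line.
# NOTE(review): /tmp is world-writable, so any local user can alter this
# list; a root-owned location is safer.
tcplist=/tmp/dangerstcpports
count=0
if [ ! -r "$tcplist" ]; then
        echo "[!!!]未找到高危端口列表文件:${tcplist}"
elif [ -n "$tcpport" ]; then
        for port in $tcpport; do
                # read with IFS=: keeps descriptions that contain spaces in one
                # field; the original `for i in $(cat ...)` word-split them.
                while IFS=: read -r dport desc process; do
                        if [ "$dport" = "$port" ]; then
                                echo "$dport,$desc,$process" | tee -a "$danger_file"
                                # The original "count=count+1" appended text
                                # instead of adding; use arithmetic expansion.
                                count=$((count + 1))
                        fi
                done < "$tcplist"
        done
fi
if [ "$count" -eq 0 ]; then
        echo "[*]未发现TCP危险端口"
else
        echo "[!!!]请人工对TCP危险端口进行关联分析与确认"
fi
printf "\n"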

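# ---- UDP ports cross-checked against the high-risk list ----
echo -------------UDP高危端口--------------
echo "正在检查UDP高危端口....."
# Local UDP ports currently bound, one per line.
udpport=$(netstat -anlpu | awk '{print $4}' | awk -F: '{print $NF}' | sort | uniq | grep '[0-9]')
# Reference list: one "port:description:process" record per line.
# NOTE(review): /tmp is world-writable, so any local user can alter this
# list; a root-owned location is safer.
udplist=/tmp/dangersudpports
count=0
if [ ! -r "$udplist" ]; then
        echo "[!!!]未找到高危端口列表文件:${udplist}"
elif [ -n "$udpport" ]; then
        for port in $udpport; do
                # read with IFS=: keeps descriptions that contain spaces in one
                # field; the original `for i in $(cat ...)` word-split them.
                while IFS=: read -r dport desc process; do
                        if [ "$dport" = "$port" ]; then
                                echo "$dport,$desc,$process" | tee -a "$danger_file"
                                # "count=count+1" was string concatenation.
                                count=$((count + 1))
                        fi
                done < "$udplist"
        done
fi
if [ "$count" -eq 0 ]; then
        echo "[*]未发现UDP危险端口"
else
        echo "[!!!]请人工对UDP危险端口进行关联分析与确认"
fi
printf "\n"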

网络连接情况

# ---- Module: established connections and a per-state tally ----
# $saveresult is the report sink defined by the caller (e.g. a tee command).
echo ------------网络连接---------------------
echo "正在检查网络连接情况....." | $saveresult
netstat=$(netstat -anlp | grep ESTABLISHED)
# Count TCP sockets by their state (last column of `netstat -n`).
netstatnum=$(netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}')
if [ -z "$netstat" ]; then
        echo "[*]未发现网络连接" | $saveresult
else
        { echo "[*]网络连接情况:"; echo "$netstat"; } | $saveresult
        if [ -n "$netstatnum" ]; then
                { echo "[*]各个状态的数量如下:"; echo "$netstatnum"; } | $saveresult
        fi
fi
printf "\n" | $saveresult

网卡模式

# ---- Module: interface flags ----
echo -------------网卡模式---------------------
echo "正在检查网卡模式....." | $saveresult
# Split each "flags" line on ':', '=', '<', '>' and spaces: $1 is the
# interface name, $5 the flag list.
ifconfigmode=$(ifconfig -a | grep flags | awk -F '[: = < >]' '{print "网卡:",$1,"模式:",$5}')
if [ -z "$ifconfigmode" ]; then
        echo "[*]未找到网卡模式相关信息,请人工分析" | $saveresult
else
        { echo "网卡工作模式如下:"; echo "$ifconfigmode"; } | $saveresult
fi
printf "\n" | $saveresult

# ---- Interfaces in promiscuous mode (PROMISC flag) ----
echo "正在分析是否有网卡处于混杂模式....." | $saveresult
# The interface name is the text before the first ':' on a PROMISC line.
Promisc=$(ifconfig | grep PROMISC | gawk -F: '{ print $1}')
if [ -z "$Promisc" ]; then
        echo "[*]未发现网卡处于混杂模式" | $saveresult
else
        { echo "[!!!]网卡处于混杂模式:"; echo "$Promisc"; } | tee -a "$danger_file" | $saveresult
fi
printf "\n" | $saveresult

# ---- Wireless interfaces in monitor mode ----
echo "正在分析是否有网卡处于监听模式....." | $saveresult
Monitor=$(ifconfig | grep -E "Mode:Monitor" | gawk -F: '{ print $1}')
if [ -z "$Monitor" ]; then
        echo "[*]未发现网卡处于监听模式" | $saveresult
else
        { echo "[!!!]网卡处于监听模式:"; echo "$Monitor"; } | tee -a "$danger_file" | $saveresult
fi
printf "\n" | $saveresult

启动项

# ---- Module: units enabled at boot ----
echo -------------系统自启动项-----------------------
echo "正在检查系统自启动项....." | $saveresult
systemchkconfig=$(systemctl list-unit-files | grep enabled | awk '{print $1}')
if [ -z "$systemchkconfig" ]; then
        echo "[*]未发现系统自启动项" | $saveresult
else
        { echo "[*]系统自启动项如下:"; echo "$systemchkconfig"; } | $saveresult
fi
printf "\n" | $saveresult

# ---- SysV services enabled at boot whose name looks like a script ----
echo -------------危险启动项-----------------------
echo "正在检查危险启动项....." | $saveresult
# chkconfig prints ":on" (English) or "启用" (Chinese locale) for enabled
# levels; keep only names ending in .sh/.per/.py.
dangerstarup=$(chkconfig --list | grep -E ":on|启用" | awk '{print $1}' | grep -E "\.(sh|per|py)$")
if [ -z "$dangerstarup" ]; then
        echo "[*]未发现危险启动项" | $saveresult
else
        { echo "[!!!]发现危险启动项:"; echo "$dangerstarup"; } | tee -a "$danger_file" | $saveresult
fi
printf "\n" | $saveresult

定时任务

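# ---- Module: system-wide crontab ----
echo ------------查看系统定时任务-------------------
echo "正在分析系统定时任务....." | $saveresult
# Active run-parts entries (the commented "# run-parts" example is skipped).
# `more` is an interactive pager and has no place in a script; read the
# file directly.  -s keeps a missing /etc/crontab from printing an error.
syscrontab=$(grep -s -v "# run-parts" /etc/crontab | grep run-parts)
if [ -n "$syscrontab" ]; then
        { echo "[!!!]发现存在系统定时任务:"; cat /etc/crontab; } | tee -a "$danger_file" | $saveresult
else
        echo "[*]未发现系统定时任务" | $saveresult
fi
printf "\n" | $saveresult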

# if [ $? -eq 0 ]表示上面命令执行成功;执行成功输出的是0;失败非0
#ifconfig  echo $? 返回0,表示执行成功
# if [ $? != 0 ]表示上面命令执行失败

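echo ------------分析系统可疑定时任务-------------------
echo "正在分析系统可疑任务....." | $saveresult
# Account/permission changes or script downloads inside any cron file.  The
# original pattern "(wget|curl)*\." made the download check "zero or more
# wget" and so matched any ".sh"/".py" path; ".*" is what the user-crontab
# check below uses.  /etc/crontab is added, -s silences unreadable entries.
dangersyscron=$(grep -E -s "((chmod|useradd|groupadd|chattr)|((wget|curl).*\.(sh|pl|py)))" /etc/crontab /etc/cron*/* /var/spool/cron/* 2>/dev/null)
if [ -n "$dangersyscron" ]; then
        { echo "[!!!]发现下面的定时任务可疑,请注意!!!"; echo "$dangersyscron"; } | tee -a "$danger_file" | $saveresult
else
        echo "[*]未发现可疑系统定时任务" | $saveresult
fi
printf "\n" | $saveresult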

# ---- Current user's crontab ----
echo ------------分析用户定时任务-------------------
echo ------------查看用户定时任务-------------------
echo "正在查看用户定时任务....." | $saveresult
# `crontab -l` exits non-zero when the user has no crontab.
if crontab=$(crontab -l); then
        { echo "[!!!]发现用户定时任务如下:"; echo "$crontab"; } | $saveresult
else
        echo "[*]未发现用户定时任务"  | $saveresult
fi
printf "\n" | $saveresult

# ---- Suspicious entries in the current user's crontab ----
echo ------------查看可疑用户定时任务-------------------
echo "正在分析可疑用户定时任务....." | $saveresult
# grep exits 0 only when at least one line matched.
if danger_crontab=$(crontab -l | egrep "((chmod|useradd|groupadd|chattr)|((wget|curl).*\.(sh|pl|py)))"); then
        { echo "[!!!]发现可疑定时任务,请注意!!!"; echo "$danger_crontab"; } | tee -a "$danger_file" | $saveresult
else
        echo "[*]未发现可疑定时任务" | $saveresult
fi
printf "\n" | $saveresult

路由表

# ---- Module: routing table ----
echo "正在检查路由表....." | $saveresult
route=$(route -n)
if [ -z "$route" ]; then
        echo "[*]未发现路由器表" | $saveresult
else
        { echo "[*]路由表如下:"; echo "$route"; } | $saveresult
fi
printf "\n" | $saveresult

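echo "正在分析是否开启转发功能....." | $saveresult
# /proc/sys/net/ipv4/ip_forward holds a single digit:
#   1: IP forwarding enabled
#   0: IP forwarding disabled
# Read it directly; piping `more` through gawk was a pager plus an extra
# process for a one-character file.
ip_forward=""
if [ -r /proc/sys/net/ipv4/ip_forward ]; then
        read -r ip_forward < /proc/sys/net/ipv4/ip_forward
fi
if [ "$ip_forward" = "1" ]; then
        echo "[!!!]该服务器开启路由转发,请注意!" | tee -a "$danger_file"  | $saveresult
else
        echo "[*]该服务器未开启路由转发" | $saveresult
fi
printf "\n" | $saveresult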

进程分析

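# ---- Module: process listing ----
echo ------------系统进程--------------------
echo "正在检查进程....." | $saveresult
# BSD-style "aux" takes no leading dash; "ps -aux" is interpreted as
# "-a -u x" by procps and prints a syntax warning or selects user "x".
ps=$(ps aux)
if [ -n "$ps" ]; then
        { echo "[*]系统进程如下:"; echo "$ps"; } | $saveresult
else
        echo "[*]未发现系统进程" | $saveresult
fi
printf "\n" | $saveresult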

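echo "[7.2]正在检查守护进程....." | $saveresult
# NOTE(review): only the xinetd rsync service definition is inspected here;
# other xinetd services and systemd-managed daemons are not covered.
if [ -e /etc/xinetd.d/rsync ]; then
        # Print the non-comment lines; `more` is a pager, not a file reader.
        { echo "[*]系统守护进程:"; grep -v "^#" /etc/xinetd.d/rsync; } | $saveresult
else
        echo "[*]未发现守护进程" | $saveresult
fi
printf "\n" | $saveresult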

文件检查

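# ---- Module: configuration files ----
echo ------------DNS文件检查-----------------
echo "正在检查DNS文件....." | $saveresult
# Last field of every "nameserver" line; -s keeps a missing resolv.conf
# from printing an error, and grep reads the file itself (no pager).
resolv=$(grep -s '^nameserver' /etc/resolv.conf | awk '{print $NF}')
if [ -n "$resolv" ]; then
        { echo "[*]该服务器使用以下DNS服务器:"; echo "$resolv"; } | $saveresult
else
        echo "[*]未发现DNS服务器" | $saveresult
fi
printf "\n" | $saveresult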

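echo ------------hosts文件检查-----------------
echo "正在检查hosts文件....." | $saveresult
# Read the file directly instead of through the `more` pager; an absent
# file yields an empty string rather than an error message.
hosts=""
if [ -r /etc/hosts ]; then
        hosts=$(cat /etc/hosts)
fi
if [ -n "$hosts" ]; then
        { echo "[*]hosts文件如下:"; echo "$hosts"; } | $saveresult
else
        echo "[*]未发现hosts文件" | $saveresult
fi
printf "\n" | $saveresult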

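echo ------------公钥文件检查-----------------
echo "正在检查公钥文件....." | $saveresult
# A glob inside "[ -e ... ]" fails with "too many arguments" when two or
# more files match and tests the literal pattern when none do.  Expand it in
# a loop and skip the unexpanded pattern.
pubkeys=""
for f in /root/.ssh/*.pub; do
        [ -e "$f" ] && pubkeys="${pubkeys}${f}
"
done
if [ -n "$pubkeys" ]; then
        echo "[!!!]发现公钥文件,请注意!"  | tee -a "$danger_file" | $saveresult
        printf '%s' "$pubkeys" | $saveresult
else
        echo "[*]未发现公钥文件" | $saveresult
fi
printf "\n" | $saveresult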

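echo ------------私钥文件检查-----------------
echo "正在检查私钥文件....." | $saveresult
# OpenSSH's default private-key names cover more than RSA; checking only
# id_rsa missed ed25519/ecdsa/dsa keys.
privkeys=""
for f in /root/.ssh/id_rsa /root/.ssh/id_dsa /root/.ssh/id_ecdsa /root/.ssh/id_ed25519; do
        [ -f "$f" ] && privkeys="${privkeys}${f}
"
done
if [ -n "$privkeys" ]; then
        echo "[!!!]发现私钥文件,请注意!" | tee -a "$danger_file" | $saveresult
        printf '%s' "$privkeys" | $saveresult
else
        echo "[*]未发现私钥文件" | $saveresult
fi
printf "\n" | $saveresult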

运行服务

# ---- Module: running systemd services ----
echo ------------运行服务----------------------
echo "正在检查运行服务....." | $saveresult
# Unit names (text before ".service") of every running service.
services=$(systemctl | grep -E "\.service.*running" | awk -F. '{print $1}')
if [ -z "$services" ]; then
        echo "[!!!]未发现正在运行的服务!" | $saveresult
else
        { echo "[*]以下服务正在运行:"; echo "$services"; } | $saveresult
fi
printf "\n" | $saveresult

用户检查

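# ---- Module: accounts ----
echo ------------超级用户---------------------
# UID 0 is the superuser; root has UID 0 by default.
echo "正在检查是否存在超级用户....." | $saveresult
# One awk pass over /etc/passwd replaces more|egrep|awk: skip root itself,
# comment lines and NIS "+" compat entries, keep every other UID-0 name.
Superuser=$(awk -F: '$1 !~ /^[#+]/ && $1!="root" && $3==0 {print $1}' /etc/passwd)
if [ -n "$Superuser" ]; then
        echo "[!!!]除root外发现超级用户:" | tee -a "$danger_file" | $saveresult
        for user in $Superuser; do
                printf '%s\n' "$user" | $saveresult
                if [ "${user}" = "toor" ]; then
                        echo "[!!!]BSD系统默认安装toor用户,其他系统默认未安装toor用户,若非BSD系统建议删除该账号" | $saveresult
                fi
        done
else
        echo "[*]未发现超级用户" | $saveresult
fi
printf "\n" | $saveresult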

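echo ------------克隆用户---------------------
# Two accounts sharing a UID are "cloned" users.
echo "正在检查是否存在克隆用户....." | $saveresult
uid=$(awk -F: '{a[$3]++} END {for (i in a) if (a[i] > 1) print i}' /etc/passwd)
if [ -n "$uid" ]; then
        echo "[!!!]发现下面用户的UID相同:" | tee -a "$danger_file" | $saveresult
        # Match the UID field exactly.  The original `grep $uid` matched the
        # digits anywhere on the line (GID, home dir, comment) and passed
        # several UIDs as separate grep arguments.
        for u in $uid; do
                awk -F: -v u="$u" '$3==u {print $1}' /etc/passwd | tee -a "$danger_file" | $saveresult
        done
else
        echo "[*]未发现相同UID的用户" | $saveresult
fi
printf "\n" | $saveresult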

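echo ------------可登录用户-------------------
echo "正在检查可登录的用户......" | $saveresult
# Accounts whose login shell ends in /bin/bash; awk reads the file itself
# (no cat|grep|awk chain).  NOTE(review): other interactive shells
# (/bin/sh, /bin/zsh, ...) are not matched -- confirm whether the baseline
# should cover every shell listed in /etc/shells.
loginuser=$(awk -F: '$7 ~ /\/bin\/bash$/ {print $1}' /etc/passwd)
if [ -n "$loginuser" ]; then
        echo "[!!!]以下用户可以登录:" | tee -a "$danger_file" | $saveresult
        for user in $loginuser; do
                printf '%s\n' "$user" | tee -a "$danger_file" | $saveresult
        done
else
        echo "[*]未发现可以登录的用户" | $saveresult
fi
printf "\n" | $saveresult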

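echo ------------非系统用户-----------------
echo "正在检查非系统本身自带用户" | $saveresult
if [ -f /etc/login.defs ]; then
        # UID_MIN is the first regular-user UID; login.defs(5) documents 1000
        # as its default, used here when the directive is absent so the
        # numeric comparison below never sees an empty string.
        uid=$(awk '$1=="UID_MIN" {print $2}' /etc/login.defs)
        : "${uid:=1000}"
        echo "系统最小UID为${uid}" | $saveresult
        # Pass the threshold with -v instead of splicing it into the awk
        # program text.  65534 is nobody.
        nosystemuser=$(awk -F: -v min="$uid" '$3>=min && $3!=65534 {print $1}' /etc/passwd)
        if [ -n "$nosystemuser" ]; then
                { echo "以下用户为非系统本身自带用户:"; echo "$nosystemuser"; } | tee -a "$danger_file" | $saveresult
        else
                echo "[*]未发现除系统本身外的其他用户" | $saveresult
        fi
fi
printf "\n" | $saveresult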

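echo ------------shadow文件-----------------
echo "正在检查shadow文件....." | $saveresult
# NOTE(review): this copies every password hash into the report, so anyone
# who can read the report gets the hashes.  Printing only the account name
# and lock state (field 2 starting with "!" or "*") would carry the same
# audit value without that exposure.  `more` replaced by cat (no pager).
{ echo "[*]shadow文件"; cat /etc/shadow; } | $saveresult
printf "\n" | $saveresult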

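echo ------------空口令用户-----------------
echo "正在检查空口令用户....." | $saveresult
# An empty second field in /etc/shadow means no password at all.  Plain
# awk is used: gawk is not installed by default on every distribution and
# nothing here needs a gawk extension.
nopasswd=$(awk -F: '$2=="" {print $1}' /etc/shadow)
if [ -n "$nopasswd" ]; then
        { echo "[!!!]以下用户口令为空:"; echo "$nopasswd"; } | $saveresult
else
        echo "[*]未发现空口令用户" | $saveresult
fi
printf "\n" | $saveresult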

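echo ------------空口令且可登录-----------------
echo "正在检查空口令且可登录的用户....." | $saveresult
# How an empty-password login comes about (for reference):
#   1. passwd -d username
#   2. PermitEmptyPasswords yes in /etc/ssh/sshd_config
#   3. sshd restarted
# aa: accounts with a bash login shell; bb: accounts with an empty shadow
# field; cc: sshd permits empty passwords (exact directive on its own line).
aa=$(awk -F: '$7 ~ /\/bin\/bash$/ {print $1}' /etc/passwd)
bb=$(awk -F: '$2=="" {print $1}' /etc/shadow)
cc=$(grep -w "^PermitEmptyPasswords yes" /etc/ssh/sshd_config)
flag=""
# The sshd check does not depend on the user, so it is evaluated once rather
# than inside the nested loop; the per-user test is a whole-line match of
# the name against the empty-password list.
if [ -n "$cc" ]; then
        for a in $aa; do
                if printf '%s\n' "$bb" | grep -qx -- "$a"; then
                        echo "[!!!]发现空口令且可登录用户:${a}" | $saveresult
                        flag=1
                fi
        done
fi
if [ -n "$flag" ]; then
        echo "请人工分析配置和账号" | $saveresult
else
        echo "[*]未发现空口令且可登录用户" | $saveresult
fi
printf "\n" | $saveresult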

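echo ------------口令未加密----------------
echo "正在检查口令加密用户....." | $saveresult
# "x" means the password lives in /etc/shadow.  "*", "!" and "!!" are lock
# markers, not passwords, so they are excluded too; the original flagged
# every locked account as "unencrypted".
noenypasswd=$(awk -F: '$2 !~ /^(x|\*|!+)$/ {print $1}' /etc/passwd)
if [ -n "$noenypasswd" ]; then
        { echo "[!!!]以下用户口令未加密:"; echo "$noenypasswd"; } | tee -a "$danger_file" | $saveresult
else
        echo "[*]未发现口令未加密的用户"  | $saveresult
fi
printf "\n" | $saveresult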

用户组检查

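# ---- Module: groups ----
echo ------------用户组信息------------ ----
echo "正在检查用户组信息....." | $saveresult
# The heading goes through $saveresult like every other line of this
# section (the original printed it to the terminal only); grep reads the
# file itself instead of via the `more` pager.
{ echo "[*]用户组信息如下:"; grep -v "^#" /etc/group; } | $saveresult
printf "\n" | $saveresult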

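echo ------------特权用户--------------------
echo "正在检查特权用户....." | $saveresult
# /etc/group fields are name:password:GID:members.  The users the message
# is about are the members (field 4) of any GID-0 group; the original
# printed the *names* of non-root GID-0 groups, which is not what its own
# message says.  root itself is dropped, duplicates collapsed.
roots=$(awk -F: '$1 !~ /^#/ && $3==0 && $4!="" {print $4}' /etc/group | tr ',' '\n' | grep -v '^root$' | sort -u)
if [ -n "$roots" ]; then
        echo "[!!!]除root用户外root组还有以下用户:" | tee -a "$danger_file" | $saveresult
        for user in $roots; do
                printf '%s\n' "$user" | tee -a "$danger_file" | $saveresult
        done
else
        echo "[*]除root用户外root组未发现其他用户" | $saveresult
fi
printf "\n" | $saveresult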

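echo ------------相同GID用户组--------------------
echo "正在检查相应GID用户组....." | $saveresult
# `uniq -d` only sees duplicates that are adjacent, so the GIDs must be
# sorted first; without the sort, two groups with the same GID that are not
# next to each other in /etc/group were missed.
groupuid=$(grep -v "^$" /etc/group | awk -F: '{print $3}' | sort | uniq -d)
if [ -n "$groupuid" ]; then
        { echo "[!!!]发现相同GID用户组:"; echo "$groupuid"; } | tee -a "$danger_file" | $saveresult
else
        echo "[*]未发现相同GID的用户组" | $saveresult
fi
printf "\n" | $saveresult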

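echo ------------相同用户组名--------------------
echo "正在检查相同用户组名....." | $saveresult
# Same fix as the GID check: sort before `uniq -d`, which only reports
# adjacent duplicates.
groupname=$(grep -v "^$" /etc/group | awk -F: '{print $1}' | sort | uniq -d)
if [ -n "$groupname" ]; then
        { echo "[!!!]发现相同用户组名:"; echo "$groupname"; } | tee -a "$danger_file" | $saveresult
else
        echo "[*]未发现相同用户组名" | $saveresult
fi
printf "\n" | $saveresult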

文件权限

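# ---- Module: file permissions ----
echo ------------etc文件权限--------------------
echo "正在检查etc文件权限....." | $saveresult
# stat's %A gives the 10-character mode string ("drwxr-x---"); the first
# character is the file type, so the permission bits are chars 1-9.  The
# original parsed `ls -l / | grep etc`, which matched any root entry whose
# name contains "etc".
etc=$(stat -c '%A' /etc)
# NOTE(review): distributions ship /etc as 755; 750 would stop unprivileged
# processes from reading files such as /etc/passwd -- confirm this baseline.
if [ "${etc:1:9}" = "rwxr-x---" ]; then
    echo "[*]/etc/权限为750,权限正常" | $saveresult
else
    echo "[!!!]/etc/文件权限为:""${etc:1:9}","权限不符合规划,权限应改为750" | $saveresult
fi
printf "\n" | $saveresult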

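echo ------------shadow文件权限--------------------
echo "正在检查shadow文件权限....." | $saveresult
# %A is the symbolic mode; chars 1-9 are the permission bits (no ls parsing).
# NOTE(review): RHEL-family systems ship /etc/shadow as 000 ("----------"),
# which this 600 baseline reports as non-compliant -- confirm the intent.
shadow=$(stat -c '%A' /etc/shadow)
if [ "${shadow:1:9}" = "rw-------" ]; then
    echo "[*]/etc/shadow文件权限为600,权限符合规范" | $saveresult
else
    echo "[!!!]/etc/shadow文件权限为:""${shadow:1:9}"",不符合规范,权限应改为600" | tee -a "$danger_file" | $saveresult
fi
printf "\n" | $saveresult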

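echo ------------passwd文件权限--------------------
echo "正在检查passwd文件权限....." | $saveresult
# %A is the symbolic mode; chars 1-9 are the permission bits (no ls parsing).
passwd=$(stat -c '%A' /etc/passwd)
if [ "${passwd:1:9}" = "rw-r--r--" ]; then
    echo "[*]/etc/passwd文件权限为644,符合规范" | $saveresult
else
    echo "[!!!]/etc/passwd文件权限为:""${passwd:1:9}"",权限不符合规范,建议改为644" | tee -a "$danger_file" | $saveresult
fi
printf "\n" | $saveresult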

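echo ------------group文件权限--------------------
echo "正在检查group文件权限....." | $saveresult
# %A is the symbolic mode; chars 1-9 are the permission bits (no ls parsing).
group=$(stat -c '%A' /etc/group)
if [ "${group:1:9}" = "rw-r--r--" ]; then
    echo "[*]/etc/group文件权限为644,符合规范" | $saveresult
else
    # Message used to say "/etc/goup".
    echo "[!!!]/etc/group文件权限为""${group:1:9}","不符合规范,权限应改为644" | tee -a "$danger_file" | $saveresult
fi
printf "\n" | $saveresult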

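echo ------------securetty文件权限--------------------
echo "正在检查securetty文件权限....." | $saveresult
# The original compared a 9-character slice with the 10-character string
# "-rw-------", which can never be equal, so every host was reported as
# non-compliant.  Compare against the 9 permission bits, and treat an
# absent file (newer distributions no longer ship securetty) separately.
if [ -f /etc/securetty ]; then
    securetty=$(stat -c '%A' /etc/securetty)
    if [ "${securetty:1:9}" = "rw-------" ]; then
        echo "[*]/etc/securetty文件权限为600,符合规范" | $saveresult
    else
        echo "[!!!]/etc/securetty文件权限为""${securetty:1:9}","不符合规范,权限应改为600" | tee -a "$danger_file" | $saveresult
    fi
else
    echo "[*]/etc/securetty文件不存在,不检查" | $saveresult
fi
printf "\n" | $saveresult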

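echo ------------services文件权限--------------------
echo "正在检查services文件权限....." | $saveresult
# Two bugs in the original: the 9-character slice was compared with the
# 10-character "-rw-r--r--" (never equal), and the message expansion was
# missing its opening brace ("$services:1:9}") so it printed garbage.
services=$(stat -c '%A' /etc/services)
if [ "${services:1:9}" = "rw-r--r--" ]; then
    echo "[*]/etc/services文件权限为644,符合规范" | $saveresult
else
    echo "[!!!]/etc/services文件权限为""${services:1:9}","不符合规范,权限应改为644" | tee -a "$danger_file" | $saveresult
fi
printf "\n" | $saveresult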

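echo ------------grub.conf文件权限--------------------
echo "正在检查grub.conf文件权限....." | $saveresult
# /etc/grub.conf is the legacy GRUB config and is absent on GRUB2 hosts;
# the original then compared an empty slice and flagged the host.  The
# comparison string was also 10 characters against a 9-character slice.
if [ -f /etc/grub.conf ]; then
    grubconf=$(stat -c '%A' /etc/grub.conf)
    if [ "${grubconf:1:9}" = "rw-------" ]; then
        echo "[*]/etc/grub.conf文件权限为600,符合规范" | $saveresult
    else
        echo "[!!!]/etc/grub.conf文件权限为""${grubconf:1:9}","不符合规范,权限应改为600" | tee -a "$danger_file" | $saveresult
    fi
else
    echo "[*]/etc/grub.conf文件不存在,不检查" | $saveresult
fi
printf "\n" | $saveresult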

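echo ------------lilo.conf文件权限--------------------
echo "正在检查lilo.conf文件权限....." | $saveresult
if [ -f /etc/lilo.conf ]; then
        # Chars 1-9 of the symbolic mode are the permission bits; the
        # original compared them with the 10-character "-rw-------".
        liloconf=$(stat -c '%A' /etc/lilo.conf)
        if [ "${liloconf:1:9}" = "rw-------" ]; then
                echo "/etc/lilo.conf文件权限为600,符合要求" | $saveresult
        else
                echo "/etc/lilo.conf文件权限不为600,不符合要求,建议设置权限为600" | $saveresult
        fi
else
        # lilo.conf is a file, not a directory; also routed to the report.
        echo "/etc/lilo.conf文件不存在,不检查,符合要求" | $saveresult
fi
printf "\n" | $saveresult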

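echo ------------limits.conf文件权限--------------------
echo "正在检查limits.conf文件权限....." | $saveresult
# limits.conf records are "<domain> <type> <item> <value>".  Keep the type
# and value of every non-comment "core" record.  The original only looked
# at the type (soft/hard) and reported "core 0 set" without checking that
# the value is 0; it also leaked grep's output to the terminal.
corelimits=$(awk '!/^[[:space:]]*#/ && $3=="core" {print $2, $4}' /etc/security/limits.conf 2>/dev/null)
if [ -n "$corelimits" ]; then
        printf '%s\n' "$corelimits" | while read -r type value; do
                if [ "$value" = "0" ]; then
                        echo "* $type core 0 已经设置,符合要求" | $saveresult
                else
                        echo "* $type core 为${value},建议设置为0" | $saveresult
                fi
        done
else
        echo "没有设置core,建议在/etc/security/limits.conf中添加* soft core 0和* hard core 0"  | $saveresult
fi
printf "\n" | $saveresult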

用户新增删除

# ---- Module: timestamps of the account-management binaries ----
echo "正在检查useradd时间属性....." | $saveresult
echo "[*]useradd时间属性:" | $saveresult
# Access/Modify/Change lines of stat; the "(0644/-rwxr-xr-x)" mode line
# also contains "Access" and is dropped by the '(' filter.
stat /usr/sbin/useradd | grep -E "Access|Modify|Change" | grep -v '(' | $saveresult
printf "\n" | $saveresult

echo "正在检查userdel时间属性....." | $saveresult
echo "[*]userdel时间属性:" | $saveresult
# Same three timestamp lines as for useradd; the mode line is filtered out.
stat /usr/sbin/userdel | grep -E "Access|Modify|Change" | grep -v '(' | $saveresult
printf "\n" | $saveresult

历史操作

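# ---- Module: shell history ----
echo ------------系统操作历史命令---------------
echo "正在检查操作系统历史命令....." | $saveresult
# Read root's saved history directly (the `more` pager is not for scripts);
# a missing file is reported instead of raising an error.
history=""
if [ -r /root/.bash_history ]; then
        history=$(cat /root/.bash_history)
fi
if [ -n "$history" ]; then
        { echo "[*]操作系统历史命令如下:"; echo "$history"; } | $saveresult
else
        echo "[!!!]未发现历史命令,请检查是否记录及已被清除" | $saveresult
fi
printf "\n" | $saveresult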

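echo ------------是否下载过脚本文件---------------
echo "正在检查是否下载过脚本文件....." | $saveresult
# wget/curl lines ending in a script extension.  grep reads the history
# file itself (-s: no error when absent); the trailing "grep -v grep" did
# nothing useful on file contents and is dropped.
scripts=$(grep -E -s "((wget|curl).*\.(sh|pl|py)$)" /root/.bash_history)
if [ -n "$scripts" ]; then
        { echo "[!!!]该服务器下载过脚本以下脚本:"; echo "$scripts"; } | tee -a "$danger_file" | $saveresult
else
        echo "[*]该服务器未下载过脚本文件" | $saveresult
fi
printf "\n" | $saveresult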

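echo ------------是否增加过账号---------------
echo "正在检查是否增加过账号....." | $saveresult
# The `history` builtin is empty in a non-interactive script (no history
# file is loaded), so the original could never find anything.  Read the
# saved history file instead, as the script-download check above does.
addusers=$(grep -E -s "(useradd|groupadd)" /root/.bash_history)
if [ -n "$addusers" ]; then
        { echo "[!!!]该服务器增加过以下账号:"; echo "$addusers"; } | tee -a "$danger_file" | $saveresult
else
        echo "[*]该服务器未增加过账号" | $saveresult
fi
printf "\n" | $saveresult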

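echo ------------是否删除过账号--------------
echo "正在检查是否删除过账号....." | $saveresult
# `history` is empty in a non-interactive script; read the saved file.
delusers=$(grep -E -s "(userdel|groupdel)" /root/.bash_history)
if [ -n "$delusers" ]; then
        { echo "[!!!]该服务器删除过以下账号:"; echo "$delusers"; } | tee -a "$danger_file" | $saveresult
else
        echo "[*]该服务器未删除过账号" | $saveresult
fi
printf "\n" | $saveresult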

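echo ------------可疑历史命令--------------
echo "正在检查历史可疑命令....." | $saveresult
# Tool names commonly seen during reconnaissance; `history` is empty in a
# non-interactive script, so the saved file is read instead.
danger_histroy=$(grep -E -s "(whois|sqlmap|nmap|beef|nikto|john|ettercap|backdoor|proxy|msfconsole|msf)" /root/.bash_history)
if [ -n "$danger_histroy" ]; then
        { echo "[!!!]发现可疑历史命令"; echo "$danger_histroy"; } | tee -a "$danger_file" | $saveresult
else
        echo "[*]未发现可疑历史命令" | $saveresult
fi
printf "\n" | $saveresult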

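echo ------------本地下载文件--------------
echo "正在检查历史日志中本地下载文件记录....." | $saveresult
# Lines that run sz (ZMODEM send, i.e. a file pulled to the operator's
# terminal).  `history` is empty in a script, so the saved file is read;
# its lines carry no history number, so the original "$3" would have
# printed the wrong word -- the whole command line is reported instead.
uploadfiles=$(grep -w -s sz /root/.bash_history)
if [ -n "$uploadfiles" ]; then
        { echo "[!!!]通过历史日志发现本地主机下载过以下文件:"; echo "$uploadfiles"; } | $saveresult
else
        echo "[*]通过历史日志未发现本地主机下载过文件" | $saveresult
fi
printf "\n" | $saveresult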

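echo ------------数据库操作历史命令---------------
echo "正在检查数据库操作历史命令....." | $saveresult
# Read the file directly (no `more` pager); an absent history file yields
# the "not found" branch rather than an error on stderr.
mysql_history=""
if [ -r /root/.mysql_history ]; then
        mysql_history=$(cat /root/.mysql_history)
fi
if [ -n "$mysql_history" ]; then
        { echo "[*]数据库操作历史命令如下:"; echo "$mysql_history"; } | $saveresult
else
        echo "[*]未发现数据库历史命令" | $saveresult
fi
printf "\n" | $saveresult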

防火墙策略

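# ---- Module: firewall ----
echo ------------防火墙策略-------------------
echo "正在检查防火墙策略....." | $saveresult
# `systemctl is-active` prints "active"/"inactive" and is locale-independent,
# unlike grepping the English "active (running)" out of `systemctl status`.
firewalledstatus=$(systemctl is-active firewalld 2>/dev/null)
# Rules that mention an IPv4 address; -n keeps addresses numeric so the
# regex is not defeated by reverse-DNS names.
# NOTE(review): on hosts where firewalld drives nftables, `iptables -L` may
# show no rules even though a policy exists -- confirm before acting on
# the "not configured" result.
firewalledpolicy=$(iptables -L -n 2>/dev/null | grep -E "([0-9]{1,3}\.){3}[0-9]{1,3}")
if [ "$firewalledstatus" = "active" ]; then
        # Routed through $saveresult like the rest of the section.
        echo "[*]该服务器防火墙已打开" | $saveresult
        if [ -n "$firewalledpolicy" ]; then
                { echo "[*]防火墙策略如下"; echo "$firewalledpolicy"; } | $saveresult
        else
                echo "[!!!]防火墙策略未配置,建议配置防火墙策略!" | tee -a "$danger_file" | $saveresult
        fi
else
        echo "[!!!]防火墙未开启,建议开启防火墙" | tee -a "$danger_file" | $saveresult
fi
printf "\n" | $saveresult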

远程策略

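# ---- Module: TCP wrappers ----
echo ------------远程允许策略-----------------
echo "正在检查远程允许策略....." | $saveresult
# Drop comment lines and blank lines only.  The original `grep -v '#'`
# discarded any rule that carried a trailing comment and kept blank lines,
# which made an empty file look like a configured one.
hostsallow=$(grep -E -s -v '^[[:space:]]*#|^[[:space:]]*$' /etc/hosts.allow)
if [ -n "$hostsallow" ]; then
        { echo "[!!!]允许以下IP远程访问:"; echo "$hostsallow"; } | tee -a "$danger_file" | $saveresult
else
        echo "[*]hosts.allow文件未发现允许远程访问地址" | $saveresult
fi
printf "\n" | $saveresult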

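echo ------------远程拒绝策略-----------------
echo "正在检查远程拒绝策略....." | $saveresult
# Comment and blank lines removed; rules with trailing comments are kept.
hostsdeny=$(grep -E -s -v '^[[:space:]]*#|^[[:space:]]*$' /etc/hosts.deny)
if [ -n "$hostsdeny" ]; then
        { echo "[!!!]拒绝以下IP远程访问:"; echo "$hostsdeny"; } | $saveresult
else
        echo "[*]hosts.deny文件未发现拒绝远程访问地址" | $saveresult
fi
printf "\n" | $saveresult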

密码策略

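# ---- Module: password policy ----
echo ------------密码有效期策略------------------------
echo "正在检查密码有效期策略....." | $saveresult
# Active PASS_* directives; grep reads the file itself (no `more` pager)
# and only whole comment lines are skipped.
{ echo "[*]密码有效期策略如下:"; grep -s -v '^[[:space:]]*#' /etc/login.defs | grep PASS; } | $saveresult
printf "\n" | $saveresult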

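echo "[*]正在进行具体项的基线检查......" | $saveresult
# Each value is the second field of the exact, uncommented directive.
# Missing directives fall back to the defaults login.defs(5) documents
# (PASS_MAX_DAYS 99999, PASS_MIN_DAYS 0, PASS_WARN_AGE 7); PASS_MIN_LEN has
# no default and is treated as 0.  The fallbacks stop the integer tests
# from failing on an empty string, as "[ -le ]" did in the original, and
# the deprecated "-a" test operator is replaced by "&&".
passmax=$(awk '$1=="PASS_MAX_DAYS" {print $2}' /etc/login.defs 2>/dev/null)
: "${passmax:=99999}"
if [ "$passmax" -le 90 ] && [ "$passmax" -gt 0 ]; then
        echo "[*]口令生存周期为${passmax}天,符合要求" | $saveresult
else
        echo "[!!!]口令生存周期为${passmax}天,不符合要求,建议设置为0-90天" | $saveresult
fi
passmin=$(awk '$1=="PASS_MIN_DAYS" {print $2}' /etc/login.defs 2>/dev/null)
: "${passmin:=0}"
if [ "$passmin" -ge 6 ]; then
        echo "[*]口令更改最小时间间隔为${passmin}天,符合要求" | $saveresult
else
        echo "[!!!]口令更改最小时间间隔为${passmin}天,不符合要求,建议设置不小于6天" | $saveresult
fi
passlen=$(awk '$1=="PASS_MIN_LEN" {print $2}' /etc/login.defs 2>/dev/null)
: "${passlen:=0}"
if [ "$passlen" -ge 8 ]; then
        echo "[*]口令最小长度为${passlen},符合要求" | $saveresult
else
        echo "[!!!]口令最小长度为${passlen},不符合要求,建议设置最小长度大于等于8" | $saveresult
fi
passage=$(awk '$1=="PASS_WARN_AGE" {print $2}' /etc/login.defs 2>/dev/null)
: "${passage:=7}"
if [ "$passage" -ge 30 ] && [ "$passage" -lt "$passmax" ]; then
        echo "[*]口令过期警告时间天数为${passage},符合要求" | $saveresult
else
        echo "[!!!]口令过期警告时间天数为${passage},不符合要求,建议设置大于等于30并小于口令生存周期" | $saveresult
fi
printf "\n" | $saveresult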
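echo ------------密码复杂度策略------------------------
echo "正在检查密码复杂度策略....." | $saveresult
# NOTE(review): /etc/pam.d/system-auth is the RHEL-family PAM stack; other
# distributions keep the password rules elsewhere (e.g. common-password).
# grep reads the file itself (-s: quiet when absent) instead of via `more`.
{ echo "[*]密码复杂度策略如下:"; grep -s -v "#" /etc/pam.d/system-auth; } | $saveresult
printf "\n" | $saveresult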
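echo ------------密码已过期用户---------------------------
echo "正在检查密码已过期用户....." | $saveresult
# Today as days since the epoch, the unit /etc/shadow uses.
NOW=$(date "+%s")
day=$((NOW / 86400))
# Field 3 is the last-change day, field 5 the maximum age; an account is
# expired when today is past their sum.  Locked ("!", "*") and shadowed
# ("x") entries are skipped.  The original exclusion was a BRE in which
# "(" and "?" are literal characters, so it never matched and every
# account went through to the awk test.
passwdexpired=$(awk -v today="$day" -F: '$2 !~ /^[!*x]/ && $5!="" && today > $3+$5 {print $1}' /etc/shadow)
if [ -n "$passwdexpired" ]; then
        { echo "[*]以下用户的密码已过期:"; echo "$passwdexpired"; }  | $saveresult
else
        echo "[*]未发现密码已过期用户" | $saveresult
fi
printf "\n" | $saveresult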

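echo ------------账号超时锁定策略---------------------------
echo "正在检查账号超时锁定策略....." | $saveresult
# Value of the last effective "TMOUT=" (optionally "export TMOUT=") line;
# commented lines are skipped and surrounding quotes/spaces removed.  The
# original `grep TMOUT` also matched comments and "export TMOUT" lines and
# could return several values, which broke the integer test.
account_timeout=$(grep -E -s '^[[:space:]]*(export[[:space:]]+)?TMOUT=' /etc/profile | tail -n 1 | awk -F= '{print $2}' | tr -d '"'"'"' ')
# Kept in its own variable: assigning TMOUT inside this script would put a
# read timeout on the script's own shell.
case "$account_timeout" in
        ''|*[!0-9]*)
                echo "[!!!]账号超时未锁定,不符合要求,建议设置小于600秒" | $saveresult
                ;;
        *)
                if [ "$account_timeout" -le 600 ] && [ "$account_timeout" -ge 10 ]; then
                        echo "[*]账号超时时间为${account_timeout}秒,符合要求" | $saveresult
                else
                        echo "[!!!]账号超时时间为${account_timeout}秒,不符合要求,建议设置小于600秒" | $saveresult
                fi
                ;;
esac
printf "\n" | $saveresult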
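echo ------------grub密码策略检查---------------------------
echo "正在检查grub密码策略....." | $saveresult
# Legacy GRUB keeps a "password" line in /etc/grub.conf; GRUB2 on RHEL-family
# hosts stores the hash set by grub2-setpassword as GRUB2_PASSWORD= in
# /boot/grub2/user.cfg.  The original only read /etc/grub.conf and errored
# where it does not exist.  NOTE(review): GRUB2 configs generated from
# /etc/grub.d are not inspected -- extend if those are in scope.
grubpass=""
if grep -q -s password /etc/grub.conf; then
        grubpass=/etc/grub.conf
elif grep -q -s '^GRUB2_PASSWORD=' /boot/grub2/user.cfg; then
        grubpass=/boot/grub2/user.cfg
fi
if [ -n "$grubpass" ]; then
        echo "[*]已设置grub密码,符合要求" | $saveresult
else
        echo "[!!!]未设置grub密码,不符合要求,建议设置grub密码" | $saveresult
fi
printf "\n" | $saveresult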

selinux策略

# ---- Module: SELinux configuration (non-comment, non-blank lines) ----
echo ------------selinux策略----------------------
echo "正在检查selinux策略....." | $saveresult
{ echo "selinux策略如下:"; grep -E -v '#|^$' /etc/sysconfig/selinux; } | $saveresult
printf "\n" | $saveresult

SSH策略

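# ---- Module: sshd ----
echo ------------sshd配置----------------------
echo "正在检查sshd配置....." | $saveresult
# Effective directives: whole comment lines and blank lines removed.  The
# original "#|^$" dropped any directive carrying a trailing comment; the
# file is read by grep itself rather than through the `more` pager.
sshdconfig=$(grep -E -s -v '^[[:space:]]*#|^[[:space:]]*$' /etc/ssh/sshd_config)
if [ -n "$sshdconfig" ]; then
        { echo "[*]sshd配置文件如下:"; echo "$sshdconfig"; } | $saveresult
else
        echo "[!]未发现sshd配置文件" | $saveresult
fi
printf "\n" | $saveresult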
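echo ------------空口令登录检查--------------------
echo "正在检查是否允许空口令登录....." | $saveresult
# sshd permits empty passwords only with an explicit "PermitEmptyPasswords
# yes"; grep reads the file itself (no cat pipe).
emptypasswd=$(grep -w -s "^PermitEmptyPasswords yes" /etc/ssh/sshd_config)
# Accounts whose shadow password field is empty.
nopasswd=$(awk -F: '$2=="" {print $1}' /etc/shadow)
if [ -n "$emptypasswd" ]; then
        # The finding is recorded in the danger file and the report; the
        # original printed it to the terminal only.
        echo "[!!!]允许空口令登录,请注意!!!" | tee -a "$danger_file" | $saveresult
        if [ -n "$nopasswd" ]; then
                { echo "[!!!]以下用户空口令:"; echo "$nopasswd"; } | tee -a "$danger_file" | $saveresult
        else
                echo "[*]但未发现空口令用户" | $saveresult
        fi
else
        echo "[*]不允许空口令用户登录" | $saveresult
fi
printf "\n" | $saveresult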
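echo ------------root远程登录--------------------
echo "正在检查是否允许root远程登录....." | $saveresult
# An active (uncommented) "PermitRootLogin no" directive.  -q keeps grep's
# match off the terminal; the original leaked it outside the report.
if grep -E -s -v '^[[:space:]]*#' /etc/ssh/sshd_config | grep -q -E '^[[:space:]]*PermitRootLogin[[:space:]]+no[[:space:]]*$'; then
        echo "[*]root不允许登陆,符合要求" | $saveresult
else
        echo "[!!!]允许root远程登陆,不符合要求,建议/etc/ssh/sshd_config添加PermitRootLogin no" | $saveresult
fi
printf "\n" | $saveresult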

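echo ------------ssh协议版本--------------------
echo "正在检查ssh协议版本....." | $saveresult
# Value of an uncommented "Protocol" directive.  The original also matched
# the commented "#Protocol 2" example and, with no directive at all, ran
# "[ '' -eq 2 ]", which is a test error.  Results now go to the report.
protocolver=$(grep -E -s -v '^[[:space:]]*#' /etc/ssh/sshd_config | awk '$1=="Protocol" {print $2}' | tail -n 1)
if [ -z "$protocolver" ]; then
        # No explicit directive; the effective protocol depends on the
        # OpenSSH version, which is left for the reviewer to confirm.
        echo "[*]sshd_config未显式配置Protocol,请人工确认openssh版本仅支持ssh2" | $saveresult
elif [ "$protocolver" = "2" ]; then
        echo "[*]openssh使用ssh2协议,符合要求" | $saveresult
else
        echo "[!!!]openssh未ssh2协议,不符合要求" | $saveresult
fi
printf "\n" | $saveresult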

Nginx配置

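# ---- Module: Nginx ----
echo ------------Nginx配置---------------------
echo "正在检查Nginx配置文件......" | $saveresult
# `whereis nginx` returns several space-separated paths, so the original
# "$nginx/conf/nginx.conf" never named a real file.  Ask the binary for its
# compiled-in --conf-path and fall back to the two conventional locations.
nginxconf=""
if command -v nginx >/dev/null 2>&1; then
        nginxconf=$(nginx -V 2>&1 | sed -n 's/.*--conf-path=\([^ ]*\).*/\1/p')
fi
for candidate in "$nginxconf" /etc/nginx/nginx.conf /usr/local/nginx/conf/nginx.conf; do
        if [ -n "$candidate" ] && [ -f "$candidate" ]; then
                nginxconf=$candidate
                break
        fi
done
if [ -n "$nginxconf" ] && [ -f "$nginxconf" ]; then
        { echo "[*]Nginx配置文件如下:"; cat "$nginxconf"; } | $saveresult
else
        echo "[*]未发现Nginx服务" | $saveresult
fi
printf "\n" | $saveresult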
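echo ------------Nginx端口转发分析-------------
echo "正在检查Nginx端口转发配置......" | $saveresult
# Locate nginx.conf the same way as the configuration dump: compiled-in
# --conf-path first, then the conventional locations.  The original
# `whereis`-derived path did not exist.
nginxconf=""
if command -v nginx >/dev/null 2>&1; then
        nginxconf=$(nginx -V 2>&1 | sed -n 's/.*--conf-path=\([^ ]*\).*/\1/p')
fi
for candidate in "$nginxconf" /etc/nginx/nginx.conf /usr/local/nginx/conf/nginx.conf; do
        if [ -n "$candidate" ] && [ -f "$candidate" ]; then
                nginxconf=$candidate
                break
        fi
done
# Directives that define listeners, upstreams and proxying, comments removed.
nginxportconf=""
if [ -n "$nginxconf" ] && [ -f "$nginxconf" ]; then
        nginxportconf=$(grep -E "listen|server |server_name |upstream|proxy_pass|location" "$nginxconf" | grep -v '#')
fi
if [ -n "$nginxportconf" ]; then
        { echo "[*]可能存在端口转发的情况,请人工分析:"; echo "$nginxportconf"; } | $saveresult
else
        echo "[*]未发现端口转发配置" | $saveresult
fi
printf "\n" | $saveresult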

SNMP配置

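# ---- Module: SNMP default community strings ----
echo ------------SNMP配置检查-------------
echo "正在检查SNMP配置......" | $saveresult
if [ -f /etc/snmp/snmpd.conf ]; then
        # Community strings appear in more than one directive form (e.g.
        # "com2sec ... public", "rocommunity public"), so look for the whole
        # word on any non-comment line instead of in a fixed column.  The
        # original compared strings with "-eq", an integer test that errors.
        snmpconf=$(grep -v '^[[:space:]]*#' /etc/snmp/snmpd.conf)
        if printf '%s\n' "$snmpconf" | grep -q -w public; then
                echo "发现snmp服务存在默认团体名public,不符合要求" | $saveresult
        fi
        if printf '%s\n' "$snmpconf" | grep -q -w private; then
                echo "发现snmp服务存在默认团体名private,不符合要求" | $saveresult
        fi
else
        echo "snmp服务配置文件不存在,可能没有运行snmp服务" | $saveresult
fi
printf "\n" | $saveresult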

可疑文件

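# ---- Module: suspicious files ----
echo ------------脚本文件------------------------
# /usr, /etc and /var are skipped (adjust to the engagement); /proc and
# /sys are pseudo-filesystems with nothing to scan.
echo "正在检查脚本文件....." | $saveresult
# Two bugs in the original: "find / *.*" expanded *.* as extra starting
# points, and "[ -n "scripts" ]" tested a literal string (always true), so
# the "found" branch always ran.  Prune the excluded trees instead of
# filtering their names as substrings.
scripts=$(find / \( -path /usr -o -path /etc -o -path /var -o -path /proc -o -path /sys \) -prune -o -type f \( -name '*.py' -o -name '*.sh' -o -name '*.per' -o -name '*.pl' \) -print 2>/dev/null)
if [ -n "$scripts" ]; then
        { echo "[!!!]发现以下脚本文件,请注意!!!"; echo "$scripts"; } | tee -a "$danger_file" | $saveresult
else
        echo "[*]未发现脚本文件" | $saveresult
fi
printf "\n" | $saveresult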
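echo ------------恶意文件---------------------
# Webshell detection is left to dedicated scanners; for kernel/system-level
# rootkits use a tool such as rkhunter (http://rkhunter.sourceforge.net).
echo ------------最近24小时内变动的文件---------------------
# Files with a script/web extension modified within the last 24 hours
# (-mtime 0).  mtime is trivially reset with touch, so when tampering is
# suspected repeat the search with -ctime 0, which an attacker cannot set
# without changing the clock.  Pseudo-filesystems are pruned and unreadable
# paths are silenced.
echo "正在检查最近24小时内变动的脚本文件....." | $saveresult
recent_files=$(find / \( -path /proc -o -path /sys -o -path /dev \) -prune -o -type f -mtime 0 -print 2>/dev/null | grep -E "\.(py|sh|per|pl|php|asp|jsp)$")
if [ -n "$recent_files" ];then
        (echo "[!!!]最近24小时内变动的脚本文件:" && echo "$recent_files") | tee -a $danger_file | $saveresult
else
        echo "[*]未发现最近24小时内变动的脚本文件" | $saveresult
fi
printf "\n" | $saveresult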
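echo ------------文件属性---------------------
#######################################
# Report whether a file carries the immutable (i) or append-only (a)
# extended attribute and record a finding when it has neither.
# Arguments: $1 - path to check
# Uses:      $saveresult, $danger_file (set elsewhere in the script)
# The first column of lsattr output is the flag string (letters and dashes
# only), so substring tests for "i" and "a" are unambiguous.  The original
# ran lsattr 15 times per file and did an unquoted "[ $x = i ]" that became a
# syntax error whenever lsattr printed nothing (unsupported filesystem).
# lsattr failing is reported as "unprotected", the safe default.
# Caveat: chattr +i on /etc/passwd or /etc/shadow also blocks useradd/passwd
# until the flag is removed, so apply the recommendation knowingly.
#######################################
check_file_attr() {
        local target=$1
        local flags
        local protected=0
        flags=$(lsattr -- "$target" 2>/dev/null | awk '{print $1}')
        case "$flags" in
                *i*)
                        echo "${target}文件存在i安全属性,符合要求" | $saveresult
                        protected=1 ;;
        esac
        case "$flags" in
                *a*)
                        echo "${target}文件存在a安全属性" | $saveresult
                        protected=1 ;;
        esac
        if [ "$protected" -eq 0 ];then
                echo "${target}文件不存在相关安全属性,建议使用chattr +i或chattr +a防止${target}被删除或修改" | tee -a $danger_file | $saveresult
        fi
}

echo ------------passwd文件属性---------------------
echo "正在检查passwd文件属性......" | $saveresult
check_file_attr /etc/passwd
printf "\n" | $saveresult

echo ------------shadow文件属性---------------------
echo "正在检查shadow文件属性......" | $saveresult
check_file_attr /etc/shadow
printf "\n" | $saveresult
echo ------------gshadow文件属性---------------------
echo "正在检查gshadow文件属性......" | $saveresult
check_file_attr /etc/gshadow
printf "\n" | $saveresult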

日志分析

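echo ------------查看日志配置----------------------
echo "正在查看日志配置....." | $saveresult
# Drop only whole-line comments and blank lines (a "#" inside a rule no longer
# discards the rule).  Drop-in files under /etc/rsyslog.d/ are read as well,
# since distributions commonly place the actual rules there.
logconf=$(cat /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>/dev/null | grep -Ev '^[[:space:]]*#|^[[:space:]]*$')
if [ -n "$logconf" ];then
        (echo "[*]日志配置如下:" && echo "$logconf") | $saveresult
else
        echo "[!!!]未发现日志配置文件" | tee -a $danger_file | $saveresult
fi
printf "\n" | $saveresult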
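echo ------------日志是否存在---------------
echo "正在分析日志文件是否存在....." | $saveresult
# "ls -l" always prints a "total N" line, so the old test could never fail.
# Require at least one regular file directly under /var/log instead; an empty
# directory is a strong hint that logs were wiped.
logs=$(find /var/log -maxdepth 1 -type f 2>/dev/null | head -n 1)
if [ -n "$logs" ];then
        echo "[*]日志文件存在" | $saveresult
else
        echo "[!!!]日志文件不存在,请分析是否被清除!" | tee -a $danger_file | $saveresult
fi
printf "\n" | $saveresult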
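echo ------------日志审核是否开启---------------
echo "正在分析日志审核是否开启....." | $saveresult
# Prefer systemd's answer; fall back to the SysV "service" status text for
# older hosts.  The probe's own output is not part of the report (the old
# version printed the raw status line to the terminal only).
if systemctl is-active --quiet auditd 2>/dev/null || service auditd status 2>/dev/null | grep -q running; then
        echo "[*]系统日志审核功能已开启,符合要求" | $saveresult
else
        echo "[!!!]系统日志审核功能已关闭,不符合要求,建议开启日志审核。可使用以下命令开启:service auditd start" | tee -a $danger_file | $saveresult
fi
printf "\n" | $saveresult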
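echo ------------打包日志---------------
echo "正在打包日志......" | $saveresult
# The archive holds authentication and audit data (secure, wtmp, btmp,
# audit/), so it is restricted to the owner right after creation.  zip's
# per-file progress output is suppressed to keep the report readable.
logzip="${log_file}system_log.zip"
if zip -rq "$logzip" /var/log/; then
        chmod 600 "$logzip"
        echo "[*]日志打包成功" | $saveresult
else
        echo "[!!!]日志打包失败,请人工导出日志" | tee -a $danger_file | $saveresult
fi
printf "\n" | $saveresult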

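echo ------------secure日志分析---------------
echo ------------成功登录--------------------
echo "正在检查日志中成功登录的情况....." | $saveresult
# sshd logs "Accepted <method> for <user> from <ip> port ..."; matching on
# "Accepted " covers password and publickey logins alike (the detail list
# previously caught only password logins while the per-IP summary counted
# both).  Counts are sorted by frequency.  Rotated *.gz files are not
# readable by grep; switch to zgrep if those must be covered.
loginsuccess=$(grep -h "Accepted " /var/log/secure* 2>/dev/null | awk '{print $1,$2,$3,$9,$11}')
if [ -n "$loginsuccess" ];then
        (echo "[*]日志中分析到以下用户成功登录:" && echo "$loginsuccess")  | $saveresult
        (echo "[*]登录成功的IP及次数如下:" && grep -h "Accepted " /var/log/secure* 2>/dev/null | awk '{print $11}' | sort | uniq -c | sort -rn)  | $saveresult
        (echo "[*]登录成功的用户及次数如下:" && grep -h "Accepted " /var/log/secure* 2>/dev/null | awk '{print $9}' | sort | uniq -c | sort -rn)  | $saveresult
else
        echo "[*]日志中未发现成功登录的情况" | $saveresult
fi
printf "\n" | $saveresult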
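echo ------------登录失败--------------------
echo "正在检查日志中登录失败的情况....." | $saveresult
# For unknown accounts sshd logs "Failed password for invalid user <u> from
# <ip>", which shifts the user and IP fields by two; the awk handles both
# shapes so brute-force attempts against non-existent users are attributed
# correctly instead of showing "invalid" as the user and the name as the IP.
loginfailed=$(grep -h "Failed password" /var/log/secure* 2>/dev/null | awk '{if ($9 == "invalid") print $1,$2,$3,$11,$13; else print $1,$2,$3,$9,$11}')
if [ -n "$loginfailed" ];then
        (echo "[!!!]日志中发现以下登录失败的情况:" && echo "$loginfailed") |  tee -a $danger_file  | $saveresult
        (echo "[!!!]登录失败的IP及次数如下:" && grep -h "Failed password" /var/log/secure* 2>/dev/null | awk '{print ($9 == "invalid") ? $13 : $11}' | sort | uniq -c | sort -rn)  | $saveresult
        (echo "[!!!]登录失败的用户及次数如下:" && grep -h "Failed password" /var/log/secure* 2>/dev/null | awk '{print ($9 == "invalid") ? $11 : $9}' | sort | uniq -c | sort -rn)  | $saveresult
else
        echo "[*]日志中未发现登录失败的情况" | $saveresult
fi
printf "\n" | $saveresult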
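echo ------------本机登录情况-----------------
echo "正在检查本机登录情况....." | $saveresult
# PAM session lines: "pam_unix(sshd:session): session opened for user <u> by
# (uid=N)"; $11 is the user name.  Only sshd sessions are counted here.
systemlogin=$(grep -hE "sshd:session.*session opened" /var/log/secure* 2>/dev/null | awk '{print $1,$2,$3,$11}')
if [ -n "$systemlogin" ];then
        (echo "[*]本机登录情况:" && echo "$systemlogin") | $saveresult
        (echo "[*]本机登录账号及次数如下:" && grep -hE "sshd:session.*session opened" /var/log/secure* 2>/dev/null | awk '{print $11}' | sort | uniq -c | sort -rn) | $saveresult
else
        echo "[!!!]未发现在本机登录退出情况,请注意!!!" | $saveresult
fi
printf "\n" | $saveresult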
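echo ------------新增用户-------------------
echo "正在检查新增用户....." | $saveresult
# useradd logs "new user: name=<u>, UID=..., ..."; the name is picked out by
# its "name=" key rather than by field position so the pipeline survives
# variations in the line layout.
newusers=$(grep -h "new user" /var/log/secure* 2>/dev/null | awk '{for (i = 1; i <= NF; i++) if ($i ~ /^name=/) {sub(/^name=/, "", $i); sub(/,$/, "", $i); print $1,$2,$3,$i}}')
if [ -n "$newusers" ];then
        (echo "[!!!]日志中发现新增用户:" && echo "$newusers") | tee -a $danger_file | $saveresult
        (echo "[*]新增用户账号及次数如下:" && echo "$newusers" | awk '{print $4}' | sort | uniq -c | sort -rn) | $saveresult
else
        echo "[*]日志中未发现新增加用户" | $saveresult
fi
printf "\n" | $saveresult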

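echo ------------新增用户组-----------------
echo "正在检查新增用户组....." | $saveresult
# groupadd logs "new group: name=<g>, GID=..."; same key-based extraction as
# for new users.
newgroups=$(grep -h "new group" /var/log/secure* 2>/dev/null | awk '{for (i = 1; i <= NF; i++) if ($i ~ /^name=/) {sub(/^name=/, "", $i); sub(/,$/, "", $i); print $1,$2,$3,$i}}')
if [ -n "$newgroups" ];then
        (echo "[!!!]日志中发现新增用户组:" && echo "$newgroups") | tee -a $danger_file | $saveresult
        (echo "[*]新增用户组及次数如下:" && echo "$newgroups" | awk '{print $4}' | sort | uniq -c | sort -rn) | $saveresult
else
        echo "[*]日志中未发现新增加用户组" | $saveresult
fi
printf "\n" | $saveresult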
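echo ------------message日志分析---------------
echo ------------传输文件--------------------
# The commented variant below prints transferred file names only, de-duplicated:
# more /var/log/message* | grep "ZMODEM:.*BPS" | awk -F '[]/]' '{print $0}' | sort | uniq
# ZMODEM (rz/sz) transfers are logged by lrzsz into messages; a missing file
# no longer produces an error on the terminal.
echo "[16.3.1]正在检查传输文件....." | $saveresult
zmodem=$(grep -h "ZMODEM:.*BPS" /var/log/message* 2>/dev/null)
if [ -n "$zmodem" ];then
        (echo "[!!!]传输文件情况:" && echo "$zmodem") | tee -a $danger_file | $saveresult
else
        echo "[*]日志中未发现传输文件" | $saveresult
fi
printf "\n" | $saveresult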
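echo ------------历史使用DNS服务器------------
echo "正在检查日志中使用DNS服务器的情况....." | $saveresult
# Resolvers are taken from "using nameserver <ip>#<port>" lines (dnsmasq /
# NetworkManager); the "#port" suffix is stripped.  An unexpected resolver can
# indicate DNS hijacking, hence the finding is also written to $danger_file.
dns_history=$(grep -h "using nameserver" /var/log/messages* 2>/dev/null | awk '{print $NF}' | awk -F# '{print $1}' | sort -u)
if [ -n "$dns_history" ];then
        (echo "[!!!]该服务器曾经使用以下DNS:" && echo "$dns_history") | tee -a $danger_file | $saveresult
else
        echo "[*]未发现使用DNS服务器" | $saveresult
fi
printf "\n" | $saveresult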
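echo ------------cron日志分析---------------
echo ------------定时下载-----------------
echo "正在分析定时下载....." | $saveresult
# In basic grep "|" is a literal character, so the old pattern "wget|curl"
# never matched anything; -E makes it an alternation.
cron_download=$(grep -hE "wget|curl" /var/log/cron* 2>/dev/null)
if [ -n "$cron_download" ];then
        (echo "[!!!]定时下载情况:" && echo "$cron_download") | tee -a $danger_file | $saveresult
else
        echo "[*]未发现定时下载情况" | $saveresult
fi
printf "\n" | $saveresult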

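echo ------------定时执行脚本-----------------
echo "正在分析定时执行脚本....." | $saveresult
# cron log lines end with a closing parenthesis, e.g. "CMD (/root/x.sh)", so
# a "$"-anchored extension never matched; a word boundary is used instead.
# The finding also printed $cron_download instead of the script list.
cron_shell=$(grep -hE "\.(py|sh|pl)\b" /var/log/cron* 2>/dev/null)
if [ -n "$cron_shell" ];then
        (echo "[!!!]发现定时执行脚本:" && echo "$cron_shell") | tee -a $danger_file | $saveresult
else
        echo "[*]未发现定时执行脚本" | $saveresult
fi
printf "\n" | $saveresult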
echo ------------yum日志分析----------------------
echo ------------下载软件情况-------------------
echo "正在分析使用yum下载软件情况....." | $saveresult
# Every "Installed:" line in the yum logs, reduced to the package NEVRA
# (last field) and de-duplicated.
yum_install=$(more /var/log/yum* | grep Installed | awk '{print $NF}' | sort -u)
if [ -z "$yum_install" ];then
        echo "[*]未使用yum下载过软件" | $saveresult
else
        { echo "[*]曾使用yum下载以下软件:"; echo "$yum_install"; } | $saveresult
fi
printf "\n" | $saveresult
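echo ------------下载脚本文件-------------------
echo "正在分析使用yum下载脚本文件....." | $saveresult
# The old pattern "(\.sh$\.py$|\.pl$)" could never match (two "$" anchors in
# one alternative).  Note the limited value of this check: yum installs
# packages, whose names end in an architecture suffix, so it rarely fires.
yum_installscripts=$(grep -h Installed /var/log/yum* 2>/dev/null | awk '{print $NF}' | grep -E "\.(sh|py|pl)(\.|-|$)" | sort -u)
if [ -n "$yum_installscripts" ];then
        (echo "[*]曾使用yum下载以下脚本文件:"  && echo "$yum_installscripts") | $saveresult
else
        echo "[*]未使用yum下载过脚本文件" | $saveresult
fi
printf "\n" | $saveresult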
echo ------------卸载软件情况-------------------
echo "正在检查使用yum卸载软件情况....." | $saveresult
# Raw "Erased:" lines from the yum logs, unchanged.
yum_erased=$(more /var/log/yum* | grep Erased)
if [ -z "$yum_erased" ];then
        echo "[*]未使用yum卸载过软件" | $saveresult
else
        { echo "[*]使用yum曾卸载以下软件:"; echo "$yum_erased"; } | $saveresult
fi
printf "\n" | $saveresult
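echo ------------可疑工具-----------------
echo "正在检查使用yum安装的可疑工具....." | $saveresult
# Package name = last field minus "-<version>-<release>.<arch>".  The old
# "awk -F:" split on the epoch colon as well (losing the name for packages
# like nmap-2:7.70-...) and left a leading space, so the "^nc" alternative
# never matched while "proxy" and "msf" matched as bare substrings.  Names
# are now anchored; expect manual review of hits such as "john" or "proxy".
hacker_tools=$(cat /var/log/yum* 2>/dev/null | awk '{print $NF}' | sed -E 's/-[^-]+-[^-]+$//' | sort -u | grep -E "^(ncat|nc|sqlmap|nmap|beef|nikto|john|ettercap|backdoor|proxy|msfconsole|msf)(-|$)")
if [ -n "$hacker_tools" ];then
        (echo "[!!!]发现使用yum下载过以下可疑软件:" && echo "$hacker_tools") | tee -a $danger_file | $saveresult
else
        echo "[*]未发现使用yum下载过可疑软件" | $saveresult
fi
printf "\n" | $saveresult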

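echo ------------dmesg日志分析----------------------
echo ------------内核自检日志---------------------
echo "正在查看内核自检日志....." | $saveresult
# The original ran "$dmesg" as a command, i.e. tried to execute the first
# word of the kernel log.  With kernel.dmesg_restrict=1 an unprivileged run
# gets nothing, which is reported via the else branch.
dmesg_out=$(dmesg 2>/dev/null)
if [ $? -eq 0 ] && [ -n "$dmesg_out" ];then
        (echo "[*]内核自检日志如下:" && echo "$dmesg_out") | $saveresult
else
        echo "[*]未发现内核自检日志" | $saveresult
fi
printf "\n" | $saveresult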
echo ------------btmp日志分析----------------------
echo ------------错误登录日志分析-----------------
echo "正在分析错误登录日志....." | $saveresult
# Failed logins from /var/log/btmp (lastb needs read access to btmp,
# normally root only).
failed_logins=$(lastb)
if [ -z "$failed_logins" ];then
        echo "[*]未发现错误登录日志" | $saveresult
else
        { echo "[*]错误登录日志如下:"; echo "$failed_logins"; } | $saveresult
fi
printf "\n" | $saveresult
echo ------------lastlog日志分析----------------------
echo ------------所有用户最后一次登录日志分析-----------------
echo "正在分析所有用户最后一次登录日志....." | $saveresult
# Most recent login per account, as recorded in /var/log/lastlog.
last_per_user=$(lastlog)
if [ -z "$last_per_user" ];then
        echo "[*]未发现所有用户最后一次登录日志" | $saveresult
else
        { echo "[*]所有用户最后一次登录日志如下:"; echo "$last_per_user"; } | $saveresult
fi
printf "\n" | $saveresult
echo ------------wtmp日志分析---------------
echo ------------所有登录用户分析-------
echo "正在检查历史上登录到本机的用户:" | $saveresult
# Pseudo-terminal sessions from wtmp, minus local X sessions (":0"); console
# tty logins are deliberately not listed.
remote_sessions=$(last | grep pts | grep -vw :0)
if [ -z "$remote_sessions" ];then
        echo "[*]未发现历史上登录到本机的用户信息" | $saveresult
else
        { echo "[*]历史上登录到本机的用户如下:"; echo "$remote_sessions"; } | $saveresult
fi
printf "\n" | $saveresult

内核信息

echo ------------内核情况-----------------
echo "正在检查内核信息......" | $saveresult
# Full list of loaded kernel modules.
loaded_modules=$(lsmod)
if [ -z "$loaded_modules" ];then
        echo "[*]未发现内核信息" | $saveresult
else
        { echo "[*]内核信息如下:"; echo "$loaded_modules"; } | $saveresult
fi
printf "\n" | $saveresult
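echo ------------可疑内核检查-----------------
echo "正在检查可疑内核....." | $saveresult
# Allow-list of module names; anything else is reported for manual review.
# The pattern is anchored to the module-name column: the original matched
# anywhere in the line, so a module whose name merely contained "sg", "drm",
# "tun", "ext4" ... (or that appeared in another line's "Used by" column) was
# silently accepted.  This is a heuristic only; a rootkit can hide itself
# from lsmod, so cross-check with /proc/modules, /sys/module and rkhunter.
danger_lsmod=$(lsmod | grep -Ev "^(ablk_helper|ac97_bus|acpi_power_meter|aesni_intel|ahci|ata_generic|ata_piix|auth_rpcgss|binfmt_misc|bluetooth|bnep|bnx2|bridge|cdrom|cirrus|coretemp|crc_t10dif|crc32_pclmul|crc32c_intel|crct10dif_common|crct10dif_generic|crct10dif_pclmul|cryptd|dca|dcdbas|dm_log|dm_mirror|dm_mod|dm_region_hash|drm|drm_kms_helper|drm_panel_orientation_quirks|e1000|ebtable_broute|ebtable_filter|ebtable_nat|ebtables|edac_core|ext4|fb_sys_fops|floppy|fuse|gf128mul|ghash_clmulni_intel|glue_helper|grace|i2c_algo_bit|i2c_core|i2c_piix4|i7core_edac|intel_powerclamp|ioatdma|ip_set|ip_tables|ip6_tables|ip6t_REJECT|ip6t_rpfilter|ip6table_filter|ip6table_mangle|ip6table_nat|ip6table_raw|ip6table_security|ipmi_devintf|ipmi_msghandler|ipmi_si|ipmi_ssif|ipt_MASQUERADE|ipt_REJECT|iptable_filter|iptable_mangle|iptable_nat|iptable_raw|iptable_security|iTCO_vendor_support|iTCO_wdt|jbd2|joydev|kvm|kvm_intel|libahci|libata|libcrc32c|llc|lockd|lpc_ich|lrw|mbcache|megaraid_sas|mfd_core|mgag200|Module|mptbase|mptscsih|mptspi|nf_conntrack|nf_conntrack_ipv4|nf_conntrack_ipv6|nf_defrag_ipv4|nf_defrag_ipv6|nf_nat|nf_nat_ipv4|nf_nat_ipv6|nf_nat_masquerade_ipv4|nfnetlink|nfnetlink_log|nfnetlink_queue|nfs_acl|nfsd|parport|parport_pc|pata_acpi|pcspkr|ppdev|rfkill|sch_fq_codel|scsi_transport_spi|sd_mod|serio_raw|sg|shpchp|snd|snd_ac97_codec|snd_ens1371|snd_page_alloc|snd_pcm|snd_rawmidi|snd_seq|snd_seq_device|snd_seq_midi|snd_seq_midi_event|snd_timer|soundcore|sr_mod|stp|sunrpc|syscopyarea|sysfillrect|sysimgblt|tcp_lp|ttm|tun|uvcvideo|videobuf2_core|videobuf2_memops|videobuf2_vmalloc|videodev|virtio|virtio_balloon|virtio_console|virtio_net|virtio_pci|virtio_ring|virtio_scsi|vmhgfs|vmw_balloon|vmw_vmci|vmw_vsock_vmci_transport|vmware_balloon|vmwgfx|vsock|xfs|xt_CHECKSUM|xt_conntrack|xt_state)[[:space:]]")
if [ -n "$danger_lsmod" ];then
        (echo "[!!!]发现可疑内核模块:" && echo "$danger_lsmod") | tee -a $danger_file | $saveresult
else
        echo "[*]未发现可疑内核模块" | $saveresult
fi
printf "\n" | $saveresult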

软件分析

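echo ------------安装软件及版本-----------------
echo "正在检查安装软件及版本情况....." | $saveresult
# Ask rpm for name and version directly.  Splitting the NEVRA on "-" (the old
# approach) mangled every package with a hyphen in its name, e.g.
# "python-libs-2.7.5" became "python libs".
software=$(rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 2>/dev/null | sort -u)
if [ -n "$software" ];then
        (echo "[*]系统安装与版本如下:" && echo "$software") | $saveresult
else
        echo "[*]系统未安装软件" | $saveresult
fi
printf "\n" | $saveresult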
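echo ------------可疑软件-----------------
echo "正在检查安装的可疑软件....." | $saveresult
# Match on the real package name (rpm --qf) so hyphenated names are handled;
# "(-|$)" lets "nmap-ncat" match "nmap" while still anchoring the name.
# Hits such as "john" or "proxy" can be legitimate and need a human decision.
danger_soft=$(rpm -qa --qf '%{NAME}\n' 2>/dev/null | sort -u | grep -E "^(ncat|nc|sqlmap|nmap|beef|nikto|john|ettercap|backdoor|proxy|msfconsole|msf)(-|$)")
if [ -n "$danger_soft" ];then
        (echo "[!!!]以下安装的软件可疑,需要人工分析:"  && echo "$danger_soft") | tee -a $danger_file | $saveresult
else
        echo "[*]未发现安装可疑软件" | $saveresult
fi
printf "\n" | $saveresult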

环境变量

echo ------------环境变量-----------------
echo "正在检查环境变量....." | $saveresult
# The whole environment of the invoking shell goes into the report.
# NOTE(review): it may carry credentials (e.g. *_PASSWORD or cloud API
# tokens exported in that shell); protect the result file or redact before
# sharing it.
env_dump=$(env)
if [ -z "$env_dump" ];then
        echo "[*]未发现环境变量" | $saveresult
else
        { echo "[*]环境变量:"; echo "$env_dump"; } | $saveresult
fi
printf "\n" | $saveresult

性能分析

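echo ------------性能分析-----------------
echo ------------磁盘分析-----------------
echo ------------磁盘使用-----------------
echo "正在检查磁盘使用....." | $saveresult
# Header and df output are grouped so both reach the report; previously only
# the df table went through $saveresult ("echo && df | $saveresult").
(echo "[*]磁盘使用情况如下:" && df -h) | $saveresult
printf "\n" | $saveresult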
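echo ------------检查磁盘使用过大-----------------
echo "正在检查磁盘使用是否过大....." | $saveresult
# Alert above disk_threshold percent.  -P forces the POSIX one-line format so
# long device names (LVM, NFS) are not wrapped onto a second line, which made
# the column arithmetic silently wrong.
disk_threshold=70
df=$(df -hP | awk -v limit="$disk_threshold" 'NR > 1 {use = $5; sub(/%/, "", use); if (use + 0 > limit) print $1, use}')
if [ -n "$df" ];then
        (echo "[!!!]硬盘空间使用过高,请注意!!!" && echo "$df" ) | tee -a $danger_file | $saveresult
else
        echo "[*]硬盘空间足够" | $saveresult
fi
printf "\n" | $saveresult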
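echo ------------CPU分析-----------------
echo ------------CPU情况-----------------
echo "正在检查CPU相关信息....." | $saveresult
# Hardware description from procfs, then all processes ordered by %CPU
# (column 3 of "ps aux").  Column 11 is the command; the old "$NF" printed
# the last argument instead, which for "bash /tmp/x.sh" is the script, not bash.
(echo "CPU硬件信息如下:" && cat /proc/cpuinfo) | $saveresult
(echo "CPU使用情况如下:" && ps -aux | sort -nr -k 3 | awk '{print $1,$2,$3,$11}') | $saveresult
printf "\n" | $saveresult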
echo ------------占用CPU前5进程-----------------
echo "正在检查占用CPU前5资源的进程....." | $saveresult
# Five busiest processes by the %CPU column of "ps aux".
{ echo "占用CPU资源前5进程:"; ps -aux | sort -nr -k 3 | head -n 5; } | $saveresult
printf "\n" | $saveresult
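echo ------------占用CPU较大进程-----------------
echo "正在检查占用CPU较大的进程....." | $saveresult
# Processes among the top five whose %CPU is at or above cpu_threshold.
# The column header now matches the "ps aux" layout that is printed (the old
# one was the "ps -ef" header) and goes through $saveresult together with the
# rows.  The stray "tee -a 20.2.3_pscpu.txt", which looked like a leftover
# from a numbered version of the script and dropped a file into the current
# directory, was removed; the finding is still recorded in $danger_file.
cpu_threshold=20
pscpu=$(ps -aux | sort -nr -k 3 | head -n 5 | awk -v limit="$cpu_threshold" '{if ($3 >= limit) print $0}')
if [ -n "$pscpu" ];then
        (echo "[!!!]以下进程占用的CPU超过${cpu_threshold}%:" && echo "USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND" && echo "$pscpu") | tee -a $danger_file | $saveresult
else
        echo "[*]未发现进程占用资源超过${cpu_threshold}%" | $saveresult
fi
printf "\n" | $saveresult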
echo ------------内存分析-----------------
echo ------------内存情况-----------------
echo "正在检查内存相关信息....." | $saveresult
# Raw memory accounting from procfs, then the free(1) summary in MiB.
{ echo "[*]内存信息如下:"; more /proc/meminfo; } | $saveresult
{ echo "[*]内存使用情况如下:"; free -m; } | $saveresult
printf "\n" | $saveresult

echo ------------占用内存前5进程-----------------
echo "正在检查占用内存前5资源的进程....." | $saveresult
# Five largest processes by the %MEM column of "ps aux".
{ echo "[*]占用内存资源前5进程:"; ps -aux | sort -nr -k 4 | head -n 5; } | $saveresult
printf "\n" | $saveresult
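echo ------------占用内存较多进程-----------------
echo "正在检查占用内存较多的进程....." | $saveresult
# Processes among the top five whose %MEM is at or above mem_threshold.  The
# code alerted at 2% while both messages claimed 20%; the threshold now lives
# in one variable and the messages are derived from it, keeping the original
# detection level (raise it here if 2% is too chatty).  Header fixed to the
# "ps aux" layout and written to the report with the rows.
mem_threshold=2
psmem=$(ps -aux | sort -nr -k 4 | head -n 5 | awk -v limit="$mem_threshold" '{if ($4 >= limit) print $0}')
if [ -n "$psmem" ];then
        (echo "[!!!]以下进程占用的内存超过${mem_threshold}%:" && echo "USER       PID %CPU %MEM    VSZ   RSS TTY      STAT START   TIME COMMAND" && echo "$psmem") | tee -a $danger_file | $saveresult
else
        echo "[*]未发现进程占用内存资源超过${mem_threshold}%" | $saveresult
fi
printf "\n" | $saveresult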
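echo ------------网络连接-----------------
echo "正在检查网络连接情况......" | $saveresult
# net-tools (netstat) is absent on many newer hosts; fall back to ss from
# iproute2.  -t restricts to TCP, the only family that reports ESTABLISHED.
# Process names (-p) for other users' sockets require root.
if command -v netstat >/dev/null 2>&1; then
        netstat=$(netstat -antp 2>/dev/null | grep ESTABLISHED)
        netstatnum=$(netstat -nt 2>/dev/null | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}')
else
        netstat=$(ss -antp 2>/dev/null | grep ESTAB)
        netstatnum=$(ss -ant 2>/dev/null | awk 'NR > 1 {++S[$1]} END {for(a in S) print a, S[a]}')
fi
if [ -n "$netstat" ];then
        (echo "[*]网络连接情况:" && echo "$netstat") | $saveresult
        if [ -n "$netstatnum" ];then
                (echo "[*]各个状态的数量如下:" && echo "$netstatnum")  | $saveresult
        fi
else
        echo "[*]未发现网络连接" | $saveresult
fi
printf "\n" | $saveresult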
