diff --git a/mychecks (1).sh b/mychecks (1).sh new file mode 100644 index 0000000..6de16ca --- /dev/null +++ b/mychecks (1).sh @@ -0,0 +1,212 @@ +#! /bin/bash +fail=0 +pass=0 +manual=0 +separator="------------------------------------------------------" +check_pass(){ +echo -e "\033[42;30m [++]PASS \033[0m" #成功打印绿底黑字 +let pass++ +} + +check_fail(){ +echo -e "\033[41;37m [++]FAIL \033[0m" #失败打印红底白字 +let fail++ +} + +check_manual(){ +echo -e "\033[43;30m [++]请手动检测该项或依据实际情况判断!! \033[0m" #未检测到文件或须手动确认打印黄底黑字 +let manual++ +} + +echo "NO.1-检查是否设置口令生存周期" +pass_max_day=`cat /etc/login.defs | grep PASS_MAX_DAYS | grep -v ^# | awk '{print $2}'` + +if [ "$pass_max_day" -lt "90" ]; then + check_pass +elif [ "$pass_max_day" -gt "90" ]; then + echo "口令生存周期:$pass_max_day" + check_fail +else + check_manual +fi +echo $separator + +echo "NO.2-检查是否设置口令最小长度" +pass_min_len=`cat /etc/login.defs | grep PASS_MIN_LEN | grep -v ^# | awk '{print $2}'` +if test -n "$pass_min_len"; then + if [ "$pass_min_len" -lt "8" ]; then + echo "口令最小长度:$pass_min_len" + check_fail + elif [ "$pass_min_len" -ge "8" ]; then + check_pass + else + check_manual + fi +else + check_manual +fi +echo $separator + +echo "NO.3-检查是否配置口令过期提醒" +pass_warn_age=`cat /etc/login.defs | grep PASS_WARN_AGE | grep -v ^# | awk '{print $2}'` +if test -n "$pass_warn_age"; then + if [ "$pass_warn_age" -lt 30 ]; then + echo "口令过期提醒天数:$pass_warn_age" + check_fail + elif [ "$pass_warn_age" -ge "30" ]; then + check_pass + else + check_manual + fi +else + check_manual +fi +echo $separator + +echo "NO.4-检查是否存在空口令账户" +empty_user=`cat /etc/shadow | awk -F : 'length($2)==0 {print $1}'` +if test -z "$empty_user"; then + check_pass + +elif test -n "$empty_user"; then + echo "请检查空口令账户:$empty_user" + check_fail +else + check_manual +fi +echo $separator + +echo "NO.5-检查是否存在特权账户" +root_account=`cat /etc/passwd | awk -F : '($3==0){print $1}'` +if [ $root_account=="root" ]; then + check_pass + +else + echo "请检查uid为0的账户: $root_account" + check_fail +fi +echo $separator + + +echo "NO.6-检查错误登录是否记录到日志" +FailLogin_log=`cat /etc/login.defs | grep FAILLOG_ENAB | grep -v ^# | awk '{print $2}'` +if [ $FailLogin_log=="yes" ]; then + check_pass +elif [ $FailLogin_log=="no" ]; then + check_fail +else + check_manual +fi +echo $separator + +echo "NO.7-检查口令复杂度" +min_class=`cat /etc/security/pwquality.conf | grep minclass | grep -v ^# | awk '{print $3}'` +if [ "$min_class" -lt "3" ]; then + echo "口令类型少于3种!" + check_fail +elif [ "$min_class" -ge "3" ]; then + check_pass +else +check_manual +fi +echo $separator + +echo "NO.8-检查重要文件的权限" +for i in /etc/shadow /etc/gshadow +do + tmppe=`stat -c %a ${i}` + if [ "$tmppe" -gt 400 ]; then + echo "${i} 权限为$tmppe" + check_fail + elif [ "$tmppe" -le 400 ]; then + echo "${i} 权限为$tmppe" + check_pass + else + check_manual + fi +done + +for i in /etc/passwd /etc/group /etc/services /etc/profile +do + tmppe=`stat -c %a ${i}` + + if [ "$tmppe" -gt 644 ]; then + echo "${i} 权限为$tmppe" + check_fail + elif [ "$tmppe" -le 644 ]; then + echo "${i} 权限为$tmppe" + check_pass + else + check_manual + fi +done + +tmppe=`stat -c %a /tmp` + +if [ "$tmppe" -gt 750 ]; then + echo "/tmp目录的权限为$tmppe" + check_fail +elif [ "$tmppe" -le 750 ]; then + check_pass +else + check_manual +fi +echo $separator + +echo "NO.9-检查日志服务状态" +service_status=`systemctl status rsyslog | grep Active | awk '{print $2}'` +if [ $service_status == "inactive" ]; then + echo "日志rsyslog服务状态为:$service_status" + check_fail +elif [ $service_status == "active" ]; then + check_pass +else + check_manual +fi +echo $separator + +echo "NO.10-检查常见日志文件是否非任意用户读写,建议非同组用户不可写" +for f in /var/log/cron /var/log/secure /var/log/httpd /var/log/auth.log /var/log/btmp +do + if [ -a ${f} ]; then + log_per=`stat -c %a ${f}` + if [ "$log_per" -ge 770 ]; then + echo "${f} 的权限为$log_per" + check_fail + else + echo "${f}的权限为$log_per" + check_pass + fi + else + echo "${f}文件不存在!" + check_manual + fi +done + +echo $separator + +echo "NO.11-检查FTP是否允许匿名登录" +ps_tmp=`ps -ef | grep ftp | grep -v grep` +if [ -z "$ps_tmp" ]; then + echo "ftp服务未开启" + check_pass +else + an_login=`cat /etc/vsftpd/vsftpd.conf | grep "anonymous_enable=NO" | grep -v ^#` + if [ -z "$an_login" ]; then + check_fail + else + echo "匿名登录:$an_login" + check_pass + fi +fi +echo $separator + +echo "NO.12-检查history命令显示的条数,建议设置5条" +echo "历史命令显示条数:`cat /etc/profile | grep "HISTSIZE" | awk -F "=" '{print $2}'`" +check_manual +echo $separator +echo " 共检测项:$((pass+fail+manual))" +echo -e "\033[32m 通过项:$pass \033[0m" +echo -e "\033[31m 失败项:$fail \033[0m" +echo -e "\033[33m 手动检查项:$manual \033[0m" +echo "已完成Linux安全基线检查"