上传文件至 /
This commit is contained in:
parent
2c622de0e9
commit
95f8f19736
212
mychecks (1).sh
Normal file
212
mychecks (1).sh
Normal file
@ -0,0 +1,212 @@
|
||||
#! /bin/bash
|
||||
fail=0
|
||||
pass=0
|
||||
manual=0
|
||||
separator="------------------------------------------------------"
|
||||
check_pass(){
|
||||
echo -e "\033[42;30m [++]PASS \033[0m" #成功打印绿底黑字
|
||||
let pass++
|
||||
}
|
||||
|
||||
check_fail(){
|
||||
echo -e "\033[41;37m [++]FAIL \033[0m" #失败打印红底白字
|
||||
let fail++
|
||||
}
|
||||
|
||||
check_manual(){
|
||||
echo -e "\033[43;30m [++]请手动检测该项或依据实际情况判断!! \033[0m" #未检测到文件或须手动确认打印黄底黑字
|
||||
let manual++
|
||||
}
|
||||
|
||||
echo "NO.1-检查是否设置口令生存周期"
|
||||
pass_max_day=`cat /etc/login.defs | grep PASS_MAX_DAYS | grep -v ^# | awk '{print $2}'`
|
||||
|
||||
if [ "$pass_max_day" -lt "90" ]; then
|
||||
check_pass
|
||||
elif [ "$pass_max_day" -gt "90" ]; then
|
||||
echo "口令生存周期:$pass_max_day"
|
||||
check_fail
|
||||
else
|
||||
check_manual
|
||||
fi
|
||||
echo $separator
|
||||
|
||||
echo "NO.2-检查是否设置口令最小长度"
|
||||
pass_min_len=`cat /etc/login.defs | grep PASS_MIN_LEN | grep -v ^# | awk '{print $2}'`
|
||||
if test -n "$pass_min_len"; then
|
||||
if [ "$pass_min_len" -lt "8" ]; then
|
||||
echo "口令最小长度:$pass_min_len"
|
||||
check_fail
|
||||
elif [ "$pass_min_len" -ge "8" ]; then
|
||||
check_pass
|
||||
else
|
||||
check_manual
|
||||
fi
|
||||
else
|
||||
check_manual
|
||||
fi
|
||||
echo $separator
|
||||
|
||||
echo "NO.3-检查是否配置口令过期提醒"
|
||||
pass_warn_age=`cat /etc/login.defs | grep PASS_WARN_AGE | grep -v ^# | awk '{print $2}'`
|
||||
if test -n "$pass_warn_age"; then
|
||||
if [ "$pass_warn_age" -lt 30 ]; then
|
||||
echo "口令过期提醒天数:$pass_warn_age"
|
||||
check_fail
|
||||
elif [ "$pass_warn_age" -ge "30" ]; then
|
||||
check_pass
|
||||
else
|
||||
check_manual
|
||||
fi
|
||||
else
|
||||
check_manual
|
||||
fi
|
||||
echo $separator
|
||||
|
||||
echo "NO.4-检查是否存在空口令账户"
|
||||
empty_user=`cat /etc/shadow | awk -F : 'length($2)==0 {print $1}'`
|
||||
if test -z "$empty_user"; then
|
||||
check_pass
|
||||
|
||||
elif test -n "$empty_user"; then
|
||||
echo "请检查空口令账户:$empty_user"
|
||||
check_fail
|
||||
else
|
||||
check_manual
|
||||
fi
|
||||
echo $separator
|
||||
|
||||
echo "NO.5-检查是否存在特权账户"
|
||||
root_account=`cat /etc/passwd | awk -F : '($3==0){print $1}'`
|
||||
if [ $root_account=="root" ]; then
|
||||
check_pass
|
||||
|
||||
else
|
||||
echo "请检查uid为0的账户: $root_account"
|
||||
check_fail
|
||||
fi
|
||||
echo $separator
|
||||
|
||||
|
||||
echo "NO.6-检查错误登录是否记录到日志"
|
||||
FailLogin_log=`cat /etc/login.defs | grep FAILLOG_ENAB | grep -v ^# | awk '{print $2}'`
|
||||
if [ $FailLogin_log=="yes" ]; then
|
||||
check_pass
|
||||
elif [ $FailLogin_log=="no" ]; then
|
||||
check_fail
|
||||
else
|
||||
check_manual
|
||||
fi
|
||||
echo $separator
|
||||
|
||||
echo "NO.7-检查口令复杂度"
|
||||
min_class=`cat /etc/security/pwquality.conf | grep minclass | grep -v ^# | awk '{print $3}'`
|
||||
if [ "$min_class" -lt "3" ]; then
|
||||
echo "口令类型少于3种!"
|
||||
check_fail
|
||||
elif [ "$min_class" -ge "3" ]; then
|
||||
check_pass
|
||||
else
|
||||
check_manual
|
||||
fi
|
||||
echo $separator
|
||||
|
||||
echo "NO.8-检查重要文件的权限"
|
||||
for i in /etc/shadow /etc/gshadow
|
||||
do
|
||||
tmppe=`stat -c %a ${i}`
|
||||
if [ "$tmppe" -gt 400 ]; then
|
||||
echo "${i} 权限为$tmppe"
|
||||
check_fail
|
||||
elif [ "$tmppe" -le 400 ]; then
|
||||
echo "${i} 权限为$tmppe"
|
||||
check_pass
|
||||
else
|
||||
check_manual
|
||||
fi
|
||||
done
|
||||
|
||||
for i in /etc/passwd /etc/group /etc/services /etc/profile
|
||||
do
|
||||
tmppe=`stat -c %a ${i}`
|
||||
|
||||
if [ "$tmppe" -gt 644 ]; then
|
||||
echo "${i} 权限为$tmppe"
|
||||
check_fail
|
||||
elif [ "$tmppe" -le 644 ]; then
|
||||
echo "${i} 权限为$tmppe"
|
||||
check_pass
|
||||
else
|
||||
check_manual
|
||||
fi
|
||||
done
|
||||
|
||||
tmppe=`stat -c %a /tmp`
|
||||
|
||||
if [ "$tmppe" -gt 750 ]; then
|
||||
echo "/tmp目录的权限为$tmppe"
|
||||
check_fail
|
||||
elif [ "$tmppe" -le 750 ]; then
|
||||
check_pass
|
||||
else
|
||||
check_manual
|
||||
fi
|
||||
echo $separator
|
||||
|
||||
echo "NO.9-检查日志服务状态"
|
||||
service_status=`systemctl status rsyslog | grep Active | awk '{print $2}'`
|
||||
if [ $service_status == "inactive" ]; then
|
||||
echo "日志rsyslog服务状态为:$service_status"
|
||||
check_fail
|
||||
elif [ $service_status == "active" ]; then
|
||||
check_pass
|
||||
else
|
||||
check_manual
|
||||
fi
|
||||
echo $separator
|
||||
|
||||
echo "NO.10-检查常见日志文件是否非任意用户读写,建议非同组用户不可写"
|
||||
for f in /var/log/cron /var/log/secure /var/log/httpd /var/log/auth.log /var/log/btmp
|
||||
do
|
||||
if [ -a ${f} ]; then
|
||||
log_per=`stat -c %a ${f}`
|
||||
if [ "$log_per" -ge 770 ]; then
|
||||
echo "${f} 的权限为$log_per"
|
||||
check_fail
|
||||
else
|
||||
echo "${f}的权限为$log_per"
|
||||
check_pass
|
||||
fi
|
||||
else
|
||||
echo "${f}文件不存在!"
|
||||
check_manual
|
||||
fi
|
||||
done
|
||||
|
||||
echo $separator
|
||||
|
||||
echo "NO.11-检查FTP是否允许匿名登录"
|
||||
ps_tmp=`ps -ef | grep ftp | grep -v grep`
|
||||
if [ -z "$ps_tmp" ]; then
|
||||
echo "ftp服务未开启"
|
||||
check_pass
|
||||
else
|
||||
an_login=`cat /etc/vsftpd/vsftpd.conf | grep "anonymous_enable=NO" | grep -v ^#`
|
||||
if [ -z "$an_login" ]; then
|
||||
check_fail
|
||||
else
|
||||
echo "匿名登录:$an_login"
|
||||
check_pass
|
||||
fi
|
||||
fi
|
||||
echo $separator
|
||||
|
||||
echo "NO.12-检查history命令显示的条数,建议设置5条"
|
||||
echo "历史命令显示条数:`cat /etc/profile | grep "HISTSIZE" | awk -F "=" '{print $2}'`"
|
||||
check_manual
|
||||
echo $separator
|
||||
echo " 共检测项:$((pass+fail+manual))"
|
||||
echo -e "\033[32m 通过项:$pass \033[0m"
|
||||
echo -e "\033[31m 失败项:$fail \033[0m"
|
||||
echo -e "\033[33m 手动检查项:$manual \033[0m"
|
||||
echo "已完成Linux安全基线检查"
|
||||
Loading…
Reference in New Issue
Block a user