#!/bin/bash
cat <<EOF
*************************************************************************************
***** linux基线检查脚本
*************************************************************************************
***** 输出结果/tmp/linux_security.txt
*************************************************************************************
EOF
FILE_PATH="/tmp/linux_security.txt"
#########检查系统更新##################
system_update_check(){
num=`yum check-update|grep 'updates'|wc -l`
if [ $num -gt 1 ];then
echo -e "系统更新是否通过:NO \n">>$FILE_PATH
else
echo -e "系统更新是否通过:YES \n">>$FILE_PATH
fi
}
#############检查swap分区##############
swap_check(){
swap_sizes=`free -m|grep 'Swap'|awk '{print $2}'`
if [ -z $swap_sizes ];then
echo -e "没有swap系统分区 \n">>$FILE_PATH
else
if [ $swap_sizes -lt 1000 ];then
echo -e "swap 分区设置过小 \n">>$FILE_PATH
else
echo -e "swap 分区检查:YES \n">>$FILE_PATH
fi
fi
}
#############检查必要软件#############
soft_install_check(){
num=`rpm -qa|egrep '^sysstat-|^man-|^wget-|^screen-|^ntp-'|wc -l`
if [ $num -lt 5 ];then
echo -e "sysstat,man,wget,screen,ntp安装是否通过:NO \n">>$FILE_PATH
else
echo -e "sysstat,man,wget,screen,ntp安装是否通过:YES \n">>$FILE_PATH
fi
}
############查看时钟时间#############
clock_time_type(){
clock_type=`ls -l /etc/localtime |awk -F"/" '{print $8}'`
if [ -n "$clock_type" ];then
echo -e "系统时区为:$clock_type \n">>$FILE_PATH
else
echo -e "请检查是否有设置时区 \n">>$FILE_PATH
fi
}
#####检查空密码########
passwd_check(){
num=`awk -F":" '{if($2=="") print $1}' /etc/shadow|wc -l`
if [ $num -gt 0 ];then
echo -e "空口令账号检测是否通过:NO \n">>$FILE_PATH
else
echo -e "空口令账号检测是否通过:YES \n">>$FILE_PATH
fi
}
#####检查用户uid是否为0########
passwd_uid_check(){
num=`awk -F":" '{if($3=="0" && $1!="root") print $1}' /etc/passwd|wc -l`
if [ $num -gt 0 ];then
echo -e "非root账户UID检测是否通过:NO \n">>$FILE_PATH
else
echo -e "非root账户UID检测是否通过:YES \n">>$FILE_PATH
fi
}
#########检查umask############
user_umask_check(){
root_umask=`umask`
user_umask=`grep -A 1 '\$UID -gt 199' /etc/profile|grep 'umask'|awk '{print $2}'`
if [ $root_umask == "0022" ] && [ $user_umask == "002" ];then
echo -e "账户umask检测是否通过:YES \n">>$FILE_PATH
else
echo -e "账户umask检测是否通过:NO \n">>$FILE_PATH
fi
}
########检查重要文件权限##########
file_lsattr_check(){
num=0
files=(/etc/passwd /etc/shadow)
for file in ${files[*]}
do
attr=`lsattr $file|awk '{print $1}'`
if [ $attr != "----i--------e-" ];then
num=$(($num+1))
fi
done
if [ $num -eq 0 ];then
echo -e "重要文件设置是否通过:YES \n">>$FILE_PATH
else
echo -e "重要文件设置是否通过:NO \n">>$FILE_PATH
fi
}
###########ssh 协议和密码认证################
ssh_config_check(){
echo -e "检查sshd_config配置文件: \n">>$FILE_PATH
#####检查项######
check_items=(ListenAddress Protocol StrictModes MaxAuthTries MaxSessions PubkeyAuthentication PasswordAuthentication PermitEmptyPasswords X11Forwarding)
#######参考值#############
proposal_value=("参考实际情况" 2 yes 5 5 yes no no no)
i=0
for item in ${check_items[*]}
do
value=`grep $item /etc/ssh/sshd_config|grep -v '^#'|awk '{print $2}'`
echo "${check_items[$i]}:${value} 建议值:${proposal_value[$i]}">>$FILE_PATH
i=$(($i+1))
done
}
############防火墙服务状态####################
firewall_check(){
grep 'release 6' /etc/redhat-release >>/dev/null
if [ $? -eq 0 ];then
/etc/init.d/iptables status>>/dev/null
if [ $? -eq 0 ];then
echo -e "防火墙状态是否通过:YES \n">>$FILE_PATH
else
echo -e "防火墙状态是否通过:NO \n">>$FILE_PATH
fi
else
systemctl status firewalld.service >>/dev/null
if [ $? -eq 0 ];then
echo -e "防火墙状态是否通过:YES \n">>$FILE_PATH
else
echo -e "防火墙状态是否通过:NO \n">>$FILE_PATH
fi
fi
}
############ntp服务状态####################
ntp_check(){
grep 'release 6' /etc/redhat-release >>/dev/null
if [ $? -eq 0 ];then
/etc/init.d/ntpd status>>/dev/null
if [ $? -eq 0 ];then
echo -e "ntp状态是否通过:YES \n">>$FILE_PATH
else
echo -e "ntp状态是否通过:NO \n">>$FILE_PATH
fi
else
systemctl status ntpd.service >>/dev/null
if [ $? -eq 0 ];then
echo -e "ntp状态是否通过:YES \n">>$FILE_PATH
else
echo -e "ntp状态是否通过:NO \n">>$FILE_PATH
fi
fi
}
############auditd服务状态####################
auditd_check(){
grep 'release 6' /etc/redhat-release >>/dev/null
if [ $? -eq 0 ];then
/etc/init.d/auditd status>>/dev/null
if [ $? -eq 0 ];then
echo -e "auditd状态是否通过:YES \n">>$FILE_PATH
else
echo -e "auditd状态是否通过:NO \n">>$FILE_PATH
fi
else
systemctl status auditd.service >>/dev/null
if [ $? -eq 0 ];then
echo -e "auditd状态是否通过:YES \n">>$FILE_PATH
else
echo -e "auditd状态是否通过:NO \n">>$FILE_PATH
fi
fi
}
#############检查不必要的服务###############
service_check(){
echo "检查系统多余服务,centos6:acpid|ip6tables|netfs|postfix|udev-post">>$FILE_PATH
echo "检查系统多余服务,centos7:postfix.service tuned.service irqbalance.service">>$FILE_PATH
grep 'release 6' /etc/redhat-release >>/dev/null
if [ $? -eq 0 ];then
cent6_num=`chkconfig --list|egrep '3:on|3:启用'|egrep 'acpid|ip6tables|netfs|postfix|udev-post'|wc -l`
if [ $cent6_num -eq 0 ];then
echo -e "系统多余服务是否关闭:YES \n">>$FILE_PATH
else
echo -e "系统多余服务是否关闭:NO \n">>$FILE_PATH
fi
else
cent7_num=`systemctl list-unit-files --type=service|grep 'enabled'|egrep 'postfix.service|tuned.service|irqbalance.service'|wc -l`
if [ $cent7_num -eq 0 ];then
echo -e "系统多余服务是否关闭:YES \n">>$FILE_PATH
else
echo -e "系统多余服务是否关闭:NO \n">>$FILE_PATH
fi
fi
}
############检查文件打开数情况##############
file_check(){
system_file_limit=`cat /proc/sys/fs/file-max`
#current_open_file=`lsof|wc -l`
user_file_limit=`ulimit -a|grep 'open files'|awk '{print $4}'`
echo "系统打开数限制:$system_file_limit">>$FILE_PATH
echo "用户进程打开数限制:$user_file_limit">>$FILE_PATH
}
echo `date +%Y%m%d`>$FILE_PATH
system_update_check
swap_check
soft_install_check
clock_time_type
passwd_check
passwd_uid_check
user_umask_check
file_lsattr_check
ssh_config_check
firewall_check
ntp_check
auditd_check
service_check
file_check
**粗体** _斜体_ [链接](http://example.com) `代码` - 列表 > 引用
。你还可以使用@
来通知其他用户。