linux安全配置檢查腳本_v0.8
阿新 • • 發佈:2017-11-29
忽略 過期 重要文件 shadow 基線 div grup roo director
腳本環境:RHEL6.*
腳本說明:該腳本作用為純執行檢測不涉及更改配置等操作,與直接上來就改安全配置等基線腳本相比相對安全一些。雖然如此,在你執行該腳本之前仍然建議你備份或快照一下目標系統。
代碼部分:
#! /bin/bash cat <<EOF ************************************************************************* linux安全配置掃描腳本: 1. 輸出結果也可以在當前目錄的out.txt中查看 2. 檢查範圍: -》賬號策略檢查 -》賬號註銷檢查 -》GRUB密碼檢查 -》LILO密碼檢查-》非root賬號但UID為0的用戶檢查 -》/etc/profile中umask默認值檢查 -》/etc/csh.cshrc中umask默認值檢查 -》/etc/bashrc中umask默認值檢查 -》重要文件權限檢查 -》內核文件dump配置檢查 ************************************************************************* EOF rm -rf ./out.txt echo -e "\n" echo "[1] 賬號策略檢查中..." passmax=`cat /etc/login.defs | grep PASS_MAX_DAYS | grep-v ^# | awk ‘{print $2}‘` passmin=`cat /etc/login.defs | grep PASS_MIN_DAYS | grep -v ^# | awk ‘{print $2}‘` passlen=`cat /etc/login.defs | grep PASS_MIN_LEN | grep -v ^# | awk ‘{print $2}‘` passage=`cat /etc/login.defs | grep PASS_WARN_AGE | grep -v ^# | awk ‘{print $2}‘` if [ $passmax -le 90 -a $passmax -gt 0];then echo " [OK]口令生存周期為${passmax}天,符合要求" >> out.txt else echo " [ X ] 口令生存周期為${passmax}天,不符合要求,建議設置不大於90天" >> out.txt fi if [ $passmin -ge 6 ];then echo " [OK]口令更改最小時間間隔為${passmin}天,符合要求" >> out.txt else echo " [ X ] 口令更改最小時間間隔為${passmin}天,不符合要求,建議設置大於等於6天" >> out.txt fi if [ $passlen -ge 8 ];then echo " [OK]口令最小長度為${passlen},符合要求" >> out.txt else echo " [ X ] 口令最小長度為${passlen},不符合要求,建議設置最小長度大於等於8" >> out.txt fi if [ $passage -ge 30 -a $passage -lt $passmax ];then echo " [OK]口令過期警告時間天數為${passage},符合要求" >> out.txt else echo " [ X ] 口令過期警告時間天數為${passage},不符合要求,建議設置大於等於30並小於口令生存周期" >> out.txt fi echo "..." echo ‘check over‘ echo -e "\n" echo "[2] 賬號註銷檢查中..." TMOUT=`cat /etc/profile | grep TMOUT | awk -F[=] ‘{print $2}‘` if [ ! $TMOUT ];then echo " [ X ] 賬號超時不存在自動註銷,不符合要求,建議設置小於600秒" >> out.txt else if [ $TMOUT -le 600 -a $TMOUT -ge 10 ] ; then echo " [ √ ] 賬號超時時間${TMOUT}秒,符合要求" >> out.txt else echo " [ X ] 賬號超時時間$TMOUT秒,不符合要求,建議設置小於600秒" >> out.txt fi fi echo "..." echo ‘check over‘ echo -e "\n" echo "[3] GRUB密碼檢查中..." grup_pwd=`cat /etc/grub.conf | grep -v ^# | grep password 2> /dev/null` if [ $? -eq 0 ];then echo " [ √ ] 已設置grub密碼,符合要求" >> out.txt else echo " [ X ] 沒有設置grub密碼,不符合要求,建議設置grub密碼" >> out.txt fi echo "..." echo "check over" echo -e "\n" echo "[4] LILO密碼檢查中..." if [ ! -f /etc/lilo.conf ] ; then echo " [ √ ] lilo.conf配置文件不存在,系統可能不是通過LILO引導" >> out.txt else lilo_pwd=`cat /etc/lilo.conf | grep -v ^# | grep password &> /dev/null` if [ $? -eq 0 ];then echo " [ √ ] 已設置lilo密碼,符合要求" >> out.txt else echo " [ X ] 沒有設置lilo密碼,不符合要求,建議設置lilo密碼(操作有風險,需慎重!)" >> out.txt fi fi echo "..." echo "check over" echo -e "\n" echo "[5] 非root賬號但UID為0的用戶檢查中..." UIDS=`awk -F[:] ‘NR!=1{print $3}‘ /etc/passwd` flag=0 for i in $UIDS do if [ $i = 0 ];then flag=1 fi done if [ $flag != 1 ];then echo " [ √ ] 不存在root賬號外的UID為0的異常用戶" >> out.txt else echo " [ X ] 存在非root但UID為0的異常用戶,請立刻進行排查" >> out.txt fi echo "..." echo "check over" echo -e "\n" echo "[6] /etc/profile中umask默認值檢查中..." umask1=`cat /etc/profile | grep umask | grep -v ‘^#‘ | awk ‘{print $2}‘` flags=0 for i in $umask1 do if [ $i = "027" ];then flags=1 fi done if [ $flags = 1 ];then echo " [ √ ] /etc/profile文件中所設置的umask為${i},符合要求" >> out.txt else echo " [ X ] /etc/profile文件中所設置的umask為${i},不符合要求" >> out.txt echo " 【理論上建議設置值為027,但因系統重要程度不同請根據具體情況慎重操作,如不確定請暫忽略此項】" >> out.txt fi echo "..." echo "check over" echo -e "\n" echo "[7] /etc/csh.cshrc中umask默認值檢查中..." umask2=`cat /etc/csh.cshrc | grep umask | grep -v ‘^#‘ | awk ‘{print $2}‘` flags=0 for i in $umask2 do if [ $i = "027" ];then flags=1 fi done if [ $flags = 1 ];then echo " [ √ ] /etc/csh.cshrc文件中所設置的umask為${i},符合要求" >> out.txt else echo " [ X ] /etc/csh.cshrc文件中所設置的umask為${i},不符合要求" >> out.txt echo " 【理論上建議設置值為027,但因系統重要程度不同請根據具體情況慎重操作,如不確定請暫忽略此項】" >> out.txt fi echo "..." echo "check over" echo -e "\n" echo "[8] /etc/bashrc中umask默認值檢查中..." umask3=`cat /etc/bashrc | grep umask | grep -v ‘^ #‘ | awk ‘{print $2}‘` flags=0 for i in $umask3 do if [ $i = "027" ];then flags=1 fi done if [ $flags = 1 ];then echo " [ √ ] /etc/bashrc文件中所設置的umask為${i},符合要求" >> out.txt else echo " [ X ] /etc/bashrc文件中所設置的umask為${i},不符合要求" >> out.txt echo " 【理論上建議設置值為027,但因系統重要程度不同請根據具體情況慎重操作,如不確定請暫忽略此項】" >> out.txt fi echo "..." echo "check over" echo -e "\n" echo "[9] 重要文件權限檢查中..." file1=`ls -l /etc/passwd | awk ‘{print $1}‘` if [ $file1 = "-rw-r--r--." ];then echo " [ √ ] /etc/passwd文件權限為644,符合要求" >> out.txt else echo " [ X ] /etc/passwd文件權限為[$file1.],不符合要求" >> out.txt fi file2=`ls -l /etc/shadow | awk ‘{print $1}‘` if [ $file2 = "-rw-r--r--." ] || [ $file2 = "----------." ];then echo " [ √ ] /etc/shadow文件權限為400或000,符合要求" >> out.txt else echo " [ X ] /etc/shadow文件權限為${file2},不符合要求" >> out.txt fi file3=`ls -l /etc/group | awk ‘{print $1}‘` if [ $file3 = "-rw-r--r--." ];then echo " [ √ ] /etc/group文件權限為644,符合要求" >> out.txt else echo " [ X ] /etc/group文件權限為$file3,不符合要求" >> out.txt fi file4=`ls -l /etc/securetty | awk ‘{print $1}‘` if [ $file4 = "-rw-------." ];then echo " [ √ ] /etc/security文件權限為600,符合要求" >> out.txt else echo " [ X ] /etc/security文件權限不為600,不符合要求,建議設置權限為600" >> out.txt fi file5=`ls -l /etc/services | awk ‘{print $1}‘` if [ $file5 = "-rw-r--r--." ];then echo " [ √ ] /etc/services文件權限為644,符合要求" >> out.txt else echo " [ X ] /etc/services文件權限不為644,不符合要求,建議設置權限為644" >> out.txt fi file6=`ls -l /etc/xinetd.conf | awk ‘{print $1}‘` if [ !-f $file6 ];then echo " [ √ ] /etc/xinetd.conf文件不存在,暫略此項" >> out.txt else if [ $file6 = "-rw-------." ];then echo " [ √ ] /etc/xinetd.conf文件權限為600,符合要求" >> out.txt else echo " [ X ] /etc/xinetd.conf文件權限不為600,不符合要求,建議設置權限為600" >> out.txt fi fi file7=`ls -l /etc/grub.conf | awk ‘{print $1}‘` if [ $file7 = "-rw-------." ];then echo " [ √ ] /etc/grub.conf文件權限為600,符合要求" >> out.txt else echo " [ X ] /etc/grub.conf文件權限為$file7,不符合要求,建議設置權限為600" >> out.txt fi file8=`ls -l /etc/lilo.conf | awk ‘{print $1}‘` if [ -f /etc/lilo.conf ];then if [ $file8 = "-rw-------" ];then echo " [ √ ] /etc/lilo.conf文件權限為600,符合要求" >> out.txt else echo " [ X ] /etc/lilo.conf文件權限不為600,不符合要求,建議設置權限為600" >> out.txt fi else echo " [ √ ] /etc/lilo.conf文件不存在,暫略此項" >> out.txt fi echo "..." echo "check over" echo -e "\n" echo "[10] 內核文件dump配置檢查中..." cat /etc/security/limits.conf | grep -v ^# | grep core if [ $? = 0 ];then #soft=`cat /etc/security/limits.conf| grep -V ^# | grep core | awk {print $2}` soft=`cat /etc/security/limits.conf| grep -v ‘^#‘ | awk ‘{print $2}‘` &> /dev/null for i in $soft do if [ $i = "soft" ];then echo -e " [ √ ] 內核文件dump配置檢查[*\tsoft\tcore\t0]已經設置" >> out.txt fi if [ $i = "hard" ];then echo -e " [ √ ] 內核文件dump配置檢查[*\thard\tcore\t0]已經設置" >> out.txt fi done else echo -e " [ X ] 沒有設置core,建議在/etc/security/limits.conf中添加[*\tsoft\tcore\t0]和[*\thard\tcore\t0]" >> out.txt fi echo "..." echo "check over" echo -e "\n" echo "--------------------------------------------------------------------------" echo "" echo "掃描結果:" echo "" cat ./out.txt echo "" echo "--------------------------------------------------------------------------" echo ""
執行結果:
[root@localhost ~]# ./linuxCheck.sh ************************************************************************* linux安全配置掃描腳本: 1. 輸出結果也可以在當前目錄的out.txt中查看 2. 檢查範圍: -》賬號策略檢查 -》賬號註銷檢查 -》GRUB密碼檢查 -》LILO密碼檢查 -》非root賬號但UID為0的用戶檢查 -》/etc/profile中umask默認值檢查 -》/etc/csh.cshrc中umask默認值檢查 -》/etc/bashrc中umask默認值檢查 -》重要文件權限檢查 -》內核文件dump配置檢查 ************************************************************************* [1] 賬號策略檢查中... ... check over [2] 賬號註銷檢查中... ... check over [3] GRUB密碼檢查中... ... check over [4] LILO密碼檢查中... ... check over [5] 非root賬號但UID為0的用戶檢查中... ... check over [6] /etc/profile中umask默認值檢查中... ... check over [7] /etc/csh.cshrc中umask默認值檢查中... ... check over [8] /etc/bashrc中umask默認值檢查中... ... check over [9] 重要文件權限檢查中... ls: cannot access /etc/xinetd.conf: No such file or directory ls: cannot access /etc/lilo.conf: No such file or directory ... check over [10] 內核文件dump配置檢查中... * soft core 0 ... check over -------------------------------------------------------------------------- 掃描結果: [ X ] 口令生存周期為99999天,不符合要求,建議設置不大於90天 [ X ] 口令更改最小時間間隔為0天,不符合要求,建議設置大於等於6天 [ X ] 口令最小長度為5,不符合要求,建議設置最小長度大於等於8 [ X ] 口令過期警告時間天數為7,不符合要求,建議設置大於等於30並小於口令生存周期 [ X ] 賬號超時不存在自動註銷,不符合要求,建議設置小於600秒 [ √ ] 已設置grub密碼,符合要求 [ √ ] lilo.conf配置文件不存在,系統可能不是通過LILO引導 [ √ ] 不存在root賬號外的UID為0的異常用戶 [ X ] /etc/profile文件中所設置的umask為022,不符合要求 【理論上建議設置值為027,但因系統重要程度不同請根據具體情況慎重操作,如不確定請暫忽略此項】 [ X ] /etc/csh.cshrc文件中所設置的umask為022,不符合要求 【理論上建議設置值為027,但因系統重要程度不同請根據具體情況慎重操作,如不確定請暫忽略此項】 [ X ] /etc/bashrc文件中所設置的umask為022,不符合要求 【理論上建議設置值為027,但因系統重要程度不同請根據具體情況慎重操作,如不確定請暫忽略此項】 [ √ ] /etc/passwd文件權限為644,符合要求 [ √ ] /etc/shadow文件權限為400或000,符合要求 [ √ ] /etc/group文件權限為644,符合要求 [ √ ] /etc/security文件權限為600,符合要求 [ √ ] /etc/services文件權限為644,符合要求 [ √ ] /etc/xinetd.conf文件不存在,暫略此項 [ X ] /etc/grub.conf文件權限為lrwxrwxrwx.,不符合要求,建議設置權限為600 [ √ ] /etc/lilo.conf文件不存在,暫略此項 [ √ ] 內核文件dump配置檢查[* soft core 0]已經設置 [ √ ] 內核文件dump配置檢查[* hard core 0]已經設置 --------------------------------------------------------------------------
linux安全配置檢查腳本_v0.8