#!/bin/bash
#  ---------------
# Safety Scripts
#  ---------------
# Pin a fixed search path so every tool used below resolves from system directories.
PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin

# Remote syslog collector address read by remotelog(); adjust per deployment.
IpAddr=203.0.113.10

# Name of the per-run log file (relative path, timestamped to the second).
result_file="Linux-$(date '+%Y%m%d_%H%M%S').sh.log"



#检查是否配置超时设置
function checktimeout(){
# ITEM_ID 1: pin three login-shell settings in /etc/profile -- TMOUT=300,
# umask 027 and a 5-entry Bash history -- logging each action.
# Reads the global result_file; overwrites the globals file, Var, num, time,
# num1, time1, umask, histsize, histfilesize and histfilesize1.
echo "Start to do ITEM_ID [1]."
echo "ITEM_ID=1">>${result_file}
file="/etc/profile"
# $? after the assignment is the status of the last grep: 1 means no
# non-comment, non-empty line of /etc/profile contains "TMOUT".
Var=`cat $file |grep -v "^[[:space:]]*#"|grep -v "^$"|grep "TMOUT"`
if [ $? = 1 ];then
    echo "export TMOUT=300 " >>/etc/profile
	# source only affects this script's own shell; new logins read the file themselves.
	source /etc/profile
	echo "timeout is not exists,In order to increase" >>${result_file}
else
    # Case 1: a line that starts with TMOUT (plain assignment, no "export").
    num=`cat $file |grep  ^TMOUT|awk -F '=' '{print $2}'|wc -l`
	time=`cat $file |grep  ^TMOUT|awk -F '=' '{print $2}'`
	if [[ $num -ne 0 ]];then	
	   if [[ "${time}" == 300 ]];then
	      echo "TMOUT=300 exists "  >>${result_file}
	   else 
	      # NOTE(review): the substitution is not limited to the TMOUT line; every
	      # occurrence of the old value anywhere in /etc/profile becomes 300, and an
	      # empty or multi-line ${time} makes the sed expression invalid.
	      sed -i "s@${time}@300@g" /etc/profile
		  source /etc/profile
		  echo "timeout exists,but is not 300,change to 300" >>${result_file}
	   fi
	fi 
	# Case 2: a line containing "export TMOUT=<value>".
	num1=`cat $file |grep "export TMOUT="|awk '{print $2}'|awk -F '=' '{print $2}'|wc -l`
	time1=`cat $file |grep "export TMOUT="|awk '{print $2}'|awk -F '=' '{print $2}'`
	if [[ $num1 -ne 0 ]];then	
	   if [[ "${time1}" == 300 ]];then
	      echo "export TMOUT=300 exists " >>${result_file}
	   else 
	      # NOTE(review): same file-wide replacement as above, keyed on the old value.
	      sed -i "s#${time1}#300#g" /etc/profile
		  source /etc/profile
		  echo "export TMOUT exists,but is not 300,change to 300" >>${result_file}
	   fi
	fi   
fi
# NOTE(review): TMOUT is written as an ordinary variable, so a user can unset it
# in their own session; consider marking it readonly if the timeout must hold.
echo "*********************************************************************">>${result_file}
file="/etc/profile"

# Default permission control for files and directories (umask).
# umask holds the second field of the first non-comment line that mentions umask.
umask=`cat /etc/profile |grep -v "^[[:space:]]*#"|grep umask|sed -n 1p|awk '{print $2}'`
# $? is the status of the trailing sed, not of the greps -- TODO confirm the
# "umask missing" branch is reachable as intended.
Var=`cat $file |grep umask|grep -v '^#'|sed -n 1p`
if [ $? = 1 ];then
    echo "umask 027" >> /etc/profile
	source /etc/profile
	# The redirect is commented out, so the three umask messages go to stdout,
	# not to the log file.
	echo "umask is not exists,In order to increase" #>>${result_file}
else
    if [ "$umask" != 027 ];then
		# Rewrites the umask on the line that follows any line containing "&&".
		# NOTE(review): presumably targets the stock if/else block in /etc/profile;
		# a umask line not preceded by such a line is left unchanged -- verify.
		sed -i '/&&/{n;s/umask.*/umask 027/}' /etc/profile
		source /etc/profile
		echo "umask exists,but is not 027,change to 027"  #>>${result_file}
	else
		echo "umask exists and is 027" #>>${result_file}
	fi
fi
echo "*********************************************************************">>${result_file}
# Set the number of history commands Bash retains.
# NOTE(review): a 5-entry history limits what is left in ~/.bash_history but
# also removes it as an audit source; rely on separate command auditing.
histsize=`cat $file|grep HISTSIZE=`
if [ $? = 1 ];then
   echo "HISTSIZE=5">> $file 
   echo "HISTSIZE= is  not exists,In order to increase" >>${result_file}
else
   # Rewrites the numeric value on every line containing HISTSIZE (comments included).
   sed -i "/HISTSIZE/s/HISTSIZE=[0-9]*/HISTSIZE=5/" $file
   echo "change to HISTSIZE=5"  >>${result_file}
fi
echo "*********************************************************************">>${result_file}
histfilesize=`cat $file |grep HISTFILESIZE=`
if [ $? = 1 ];then
	echo "HISTFILESIZE=5">> $file 
	echo "HISTFILESIZE= is  not exists,In order to increase" >>${result_file}
else
   sed -i "/HISTFILESIZE/s/HISTFILESIZE=[0-9]*/HISTFILESIZE=5/" $file
   echo "change to HISTFILESIZE=5"  >>${result_file}
fi
echo "*********************************************************************">>${result_file}
# Exported form is handled separately from the plain assignment above.
histfilesize1=`cat $file |grep "export HISTFILESIZE="`
        if [ $? = 1 ];then
           echo "export HISTFILESIZE=5">> $file
           echo "export HISTFILESIZE= is  not exists,In order to increase" >>${result_file}
        else
           sed -i "/^export HISTFILESIZE/s/^export HISTFILESIZE=[0-9]*/export HISTFILESIZE=5/" $file
           echo "change to export HISTFILESIZE=5"  >>${result_file}
        fi
echo "*********************************************************************">>${result_file}
}

#检查是否使用PAM认证模块禁止wheel组之外的用户su为root
function checksu(){
# ITEM_ID 2: restrict su to the wheel group. Creates the wheel group and the
# accounts listed in USERS when missing, puts those accounts in wheel, and
# makes sure /etc/pam.d/su carries the pam_rootok and pam_wheel auth lines.
# Every action is logged to ${result_file}.
echo "Start to do ITEM_ID [2]."
echo "ITEM_ID=2">>${result_file}
# $? is grep's status: 1 means no line of /etc/group contains "wheel".
# NOTE(review): substring match, so any group line containing "wheel" counts.
group=`cat /etc/group |grep wheel`
if [ $? = 1 ];then
    groupadd wheel
	echo "groupadd wheel"  >>${result_file}
else 
    echo "whell exists"  >>${result_file}
fi
# System Users  ''' If there are other users, add them in the same format to the USERS variable below  '''
USERS=(liu gnamd)
for user in ${USERS[*]}
do
    # NOTE(review): unanchored match -- any /etc/passwd line containing the name
    # (another account, a home path, a GECOS field) makes the user look present.
    Users=`grep ${user} /etc/passwd`
    if [[ -z ${Users} ]];then
	    useradd -G wheel ${user}
		# NOTE(review): a fixed initial password is embedded in the script, so
		# anyone who can read the script knows it. A name added to USERS without
		# a matching branch below keeps this password. Provision credentials from
		# a protected source and force a change at first login instead.
		echo "GreeNet"|passwd --stdin ${user}
		
		echo "user ${user} not in user,In order to increase" >>${result_file}
		# Password: swap the hash just set for a fixed, pre-computed hash.
		# NOTE(review): the hashes are hard-coded as well, and the old hash is used
		# as a sed pattern over the whole of /etc/shadow (regex metacharacters are
		# not escaped; grep -w can return more than one line). Editing
		# /etc/shadow with sed bypasses the locking the shadow tools provide.
		if [[ "${user}" == "liu" ]];then
		    Password_Old=`grep -w liu /etc/shadow|awk -F: '{print $2}'`
			Password_New='$6$pAoRKU68$fepuCboV1KKQP/qvcJwF.vwtqh7DNBwUOwX3hGg49bRdfOyJHCBPt0xJiIBu0GwabBYLrvOliR09iIngkzhS71'
			sed -i "s#${Password_Old}#${Password_New}#g" /etc/shadow
			
			echo "user ${user} not password,In order to increase" >>${result_file}
		elif [[ "${user}" == "gnamd" ]];then
			Password_Old=`grep -w gnamd /etc/shadow|awk -F: '{print $2}'`
		    Password_New='$6$oQq9WEKP$.ogY2rI3O6GCPmSjWVk.BgDE1Gp1VrGjAJF9shs8YsEC8XghyINbmUdWrCgM0RBrAPomJ1ujn3ABMH8XpQF3E/'
			sed -i "s#${Password_Old}#${Password_New}#g" /etc/shadow

			echo "user ${user} not password,In order to increase" >>${result_file}
		#else
		#    echo "user ${user} exists"  >>${result_file}
		fi
	else
        echo "user ${user} exists" >>${result_file}
	fi
	# Membership test: a group line containing both "wheel" and the user name.
	Grep_Users=`grep "wheel" /etc/group|grep ${user}`
    if [[ -z $Grep_Users ]];then
	    # NOTE(review): -G without -a replaces the account's supplementary groups
	    # with exactly "wheel"; use -aG to add wheel and keep existing groups.
	    usermod -G wheel ${user}
	    echo "user ${user} not in wheel,In order to increase" >>${result_file}
	else
	    echo "user ${user} in wheel" >>${result_file}
	fi
	# Check /etc/pam.d and /etc/pam.d/su.
	# The PAM steps below do not depend on ${user}; they repeat once per user.
    if [[ ! -d /etc/pam.d ]];then
        mkdir -p /etc/pam.d
		echo "user ${user} mkdir /etc/pam.d" >>${result_file}
		# Check the su file.
		if [[ ! -f /etc/pam.d/su ]];then
	        touch /etc/pam.d/su
	        echo "user ${user} touch su" >>${result_file}
	    else 
	        echo "user ${user} su exists" >>${result_file}
	    fi
    else
        echo "user ${user} /etc/pam.d exists" >>${result_file}
		if [[ ! -f /etc/pam.d/su ]];then
	        touch /etc/pam.d/su
	        echo "user ${user} touch su" >>${result_file}
	    else 
	        echo "user ${user} su exists" >>${result_file}
	    fi
    fi
	# PAM: keep exactly one active pam_rootok line, inserted before line 2.
	# When /etc/pam.d/su was just created empty there is no line 2, so the
	# "2i" insert adds nothing.
    PAM_auth=`cat /etc/pam.d/su|grep -v "^[[:space:]]*#"|grep -v "^$"|grep "auth[[:space:]]*sufficient[[:space:]]*pam_rootok.so"`
    if [ $? = 1 ];then
	sed -i '2iauth            sufficient      pam_rootok.so' /etc/pam.d/su
        echo "user ${user} auth		sufficient	pam_rootok.so is not exists,In order to increase" >>${result_file}
    else
	# Delete every matching line (commented ones too), then re-insert one copy.
	sed -i '\@auth[[:space:]]*sufficient[[:space:]]*pam_rootok.so@d' /etc/pam.d/su
	sed -i '2iauth            sufficient      pam_rootok.so' /etc/pam.d/su	
        echo "user ${user} auth		sufficient	pam_rootok.so  exists" >>${result_file}
    fi
    # pam_wheel is appended at the end of the file when no active line exists.
    # NOTE(review): position in the auth stack decides whether the wheel check is
    # reached; confirm the resulting order actually blocks non-wheel users.
    PAM_auth=`cat /etc/pam.d/su|grep -v "^[[:space:]]*#"|grep -v "^$"|grep "auth[[:space:]]*required[[:space:]]*pam_wheel.so group=wheel"`
    if [ $? = 1 ];then 	 
        echo "auth		required	pam_wheel.so group=wheel" >>/etc/pam.d/su
        echo "user ${user} auth		required	pam_wheel.so group=wheel is not exists,In order to increase" >>${result_file}
    else 
        echo "user ${user} auth		required	pam_wheel.so group=wheel  exists" >>${result_file}
    fi
done
	echo "*********************************************************************">>${result_file}	 
}

#口令生存期
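function passwdtime(){
# ITEM_ID 3: pin the password-aging defaults in /etc/login.defs
# (PASS_MAX_DAYS 90, PASS_MIN_DAYS 10, PASS_MIN_LEN 8, PASS_WARN_AGE >= 30)
# and the login UMASK (027), logging each action to ${result_file}.
# These are defaults for newly created accounts; existing accounts are not
# re-aged by this function.
# Fixes over the previous version: the PASS_WARN_AGE branch logged the wrong
# key name and failed on a non-numeric value; the UMASK step matched comment
# lines and did nothing when no UMASK line existed.
echo "Start to do ITEM_ID [3]."
echo "ITEM_ID=3">>"${result_file}"
file="/etc/login.defs"
# Maximum password age for new accounts: 90 days.
PASS_MAX_DAYS=$(cat "$file" |grep -v "^[[:space:]]*#"|grep ^PASS_MAX_DAYS|awk '{print $2}')
# The bare pipeline echoes the current line to the console and sets $?
# (1 = key absent).
cat "$file" |grep ^PASS_MAX_DAYS
if [ $? = 1 ];then
    echo "PASS_MAX_DAYS 90" >> "$file"
    echo "PASS_MAX_DAYS is not exists,In order to increase" >>"${result_file}"
else
    if [ "$PASS_MAX_DAYS" != 90 ];then
        sed -i "/^PASS_MAX_DAYS/s/[0-9]\+/90/" "$file"
        echo "PASS_MAX_DAYS exists,but is not 90,change to 90" >>"${result_file}"
    else
        echo "PASS_MAX_DAYS exists and is  90" >>"${result_file}"
    fi
fi
# Minimum days between password changes for new accounts: 10.
PASS_MIN_DAYS=$(cat "$file" |grep -v "^[[:space:]]*#"|grep ^PASS_MIN_DAYS|awk '{print $2}')
cat "$file" |grep ^PASS_MIN_DAYS
if [ $? = 1 ];then
    echo "PASS_MIN_DAYS 10" >> "$file"
    echo "PASS_MIN_DAYS is not exists,In order to increase" >>"${result_file}"
else
    if [ "$PASS_MIN_DAYS" != 10 ];then
        sed -i "/^PASS_MIN_DAYS/s/[0-9]\+/10/" "$file"
        echo "PASS_MIN_DAYS exists,but is not 10,change to 10" >>"${result_file}"
    else
        echo "PASS_MIN_DAYS exists and is 10" >>"${result_file}"
    fi
fi
# Minimum password length: 8.
# NOTE(review): on PAM-based systems the length is normally enforced by the
# password-quality module rather than by this key -- confirm which applies.
PASS_MIN_LEN=$(cat "$file" |grep -v "^[[:space:]]*#"|grep ^PASS_MIN_LEN|awk '{print $2}')
cat "$file" |grep ^PASS_MIN_LEN
if [ $? = 1 ];then
    echo "PASS_MIN_LEN 8" >> "$file"
    echo "PASS_MIN_LEN is not exists,In order to increase" >>"${result_file}"
else
    if [ "$PASS_MIN_LEN" != 8 ];then
        sed -i "/^PASS_MIN_LEN/s/[0-9]\+/8/" "$file"
        echo "PASS_MIN_LEN exists,but is not 8,change to 8" >>"${result_file}"
    else
        echo "PASS_MIN_LEN exists and is 8" >>"${result_file}"
    fi
fi

# Days of warning before a password expires: at least 30.
PASS_WARN_AGE=$(cat "$file" |grep -v "^[[:space:]]*#"|grep ^PASS_WARN_AGE|awk 'NR==1{print $2}')
cat "$file" |grep ^PASS_WARN_AGE
if [ $? = 1 ];then
    echo "PASS_WARN_AGE	30" >> "$file"
    echo "PASS_WARN_AGE is not exists,In order to increase" >>"${result_file}"
else
    # A missing or non-numeric value is treated as too low instead of letting
    # the integer test fail.
    if ! [[ "$PASS_WARN_AGE" =~ ^[0-9]+$ ]] || [ "$PASS_WARN_AGE" -lt 30 ];then
        sed -i "/^PASS_WARN_AGE/s/[0-9]\+/30/" "$file"
        echo "PASS_WARN_AGE exists,but is not 30,change to 30" >>"${result_file}"
    else
        echo "PASS_WARN_AGE exists and is $PASS_WARN_AGE" >>"${result_file}"
    fi
fi

# Default access permissions for user directories (login UMASK).
# Only the first active (non-comment) umask/UMASK line is inspected.
LOGIN_UMASK_VALUE_VAR=$(grep -E '^[[:space:]]*(umask|UMASK)[[:space:]]' /etc/login.defs | sed -n 1p)
LOGIN_UMASK_VAR=$(printf '%s\n' "${LOGIN_UMASK_VALUE_VAR}" | awk '{print $1}')
LOGIN_UMASK_VALUE=$(printf '%s\n' "${LOGIN_UMASK_VALUE_VAR}" | awk '{print $NF}')
# Keep the spelling the file already uses; default to upper case when absent.
if [[ ${LOGIN_UMASK_VAR} == "umask" ]];then
    UMASK_027="umask           027"
else
    UMASK_027="UMASK           027"
fi
if [[ -z ${LOGIN_UMASK_VALUE_VAR} ]];then
    echo "${UMASK_027}" >> /etc/login.defs
    echo "LOGIN_UMASK_VALUE is not exists,In order to increase" >>"${result_file}"
elif [[ ${LOGIN_UMASK_VALUE} != "027" ]];then
    sed -i "s#^[[:space:]]*${LOGIN_UMASK_VAR}[[:space:]].*#${UMASK_027}#" /etc/login.defs
    echo "LOGIN_UMASK_VALUE exists,but is not 027,change to 027" >>"${result_file}"
else
    echo "LOGIN_UMASK_VALUE exists" >>"${result_file}"
fi
echo "*********************************************************************">>"${result_file}"
}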

#检查是否禁止root之外的超级用户
function superuser(){
  # ITEM_ID 4: report every /etc/passwd account whose UID field is 0.
  # Report-only: nothing is locked or removed here, so any name other than
  # root in the log needs manual follow-up.
  echo "Start to do ITEM_ID [4]."
  echo "ITEM_ID=4" >>"${result_file}"
  file="/etc/passwd"
  # Third colon-separated field is the UID; print the login name of each match.
  superuser=$(awk -F ':' '$3 == 0 {print $1}' "$file")
  echo "$superuser is superuser" >>"${result_file}"
  echo "*********************************************************************" >>"${result_file}"
}

#口令复杂度
function passwdcomplex(){
# ITEM_ID 5: make sure /etc/pam.d/system-auth-ac carries the fixed
# pam_pwquality password-complexity line, logging the outcome.
# NOTE(review): there is no existence check on the file. If it is missing,
# both greps return nothing and the append below creates it with this single
# line. The file is commonly tool-managed (authconfig) -- confirm manual
# edits survive regeneration.
echo "Start to do ITEM_ID [5]."
echo "ITEM_ID=5">>${result_file}
    file="/etc/pam.d/system-auth-ac"	
	# Exact-text match, spacing included: the same options written with different
	# whitespace are treated as "not configured".
	ret=`cat $file | grep -v "^[[:space:]]*#"|grep 'password    requisite    pam_pwquality.so retry=3 difok=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1'`
	if [ -z "$ret" ];then
	    ret1=`cat $file |grep -v "^[[:space:]]*#" | grep 'pam_pwquality.so'`
		if [ -n "$ret1" ];then
			# Comment out the active pam_pwquality password line(s), then add the
			# policy line after each commented-out one.
			sed -i '/^password.*pam_pwquality/s/password/#password/' $file
			sed -i -e '/^#password.*pam_pwquality/a\password    requisite    pam_pwquality.so retry=3 difok=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1' $file # at least one uppercase, one lowercase, one digit
			echo "pam_pwquality.so exists,change to pam_pwquality.so retry=3..." >>${result_file}
	    else 
		    # No pam_pwquality line at all: append at the end of the file.
		    # NOTE(review): an appended line lands after the existing password
		    # stack; confirm it is still evaluated before pam_unix.
		    echo "password    requisite    pam_pwquality.so retry=3 difok=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1" >> $file
			echo "pam_pwquality.so is not exists,In order to increase" >>${result_file}		    
		fi	
	else
	    echo "password    requisite    pam_pwquality.so retry=3 difok=3 minlen=8 ucredit=-1 lcredit=-1 dcredit=-1  exists"  >>${result_file}	
	fi
	echo "*********************************************************************">>${result_file}
}	

#启用远程日志功能
function remotelog(){
# Enable remote logging: append a "*.* @<IpAddr>" forwarding rule to
# /etc/rsyslog.conf and /etc/syslog.conf (whichever exist) when no
# forwarding rule is found, logging the outcome to ${result_file}.
# NOTE(review): this function logs ITEM_ID 5, the same id passwdcomplex uses.
# NOTE(review): a single "@" selects UDP forwarding, which is unauthenticated
# and unencrypted; the syslog daemon is not restarted here, so an appended
# rule takes effect only after a separate restart.
echo "Start to do ITEM_ID [5]."
echo "ITEM_ID=5">>${result_file}
     file="/etc/rsyslog.conf"
	 file1="/etc/syslog.conf"
	 IP=${IpAddr}   # adjust to the actual collector address
	 if [ -f $file ];then
	    # $? = 1 means no active line has "*" followed later by whitespace and "@".
	    Var=`cat $file | grep -v "^[[:space:]]*#" | grep '*.*[[:space:]]@'`
		if [ $? = 1 ];then
           echo "*.* @$IP" >>$file	
		   echo "*.* @$IP is not exists,In order to increase" >>${result_file}
		else
		   # Any existing forwarding rule lands here, whatever its target, so
		   # the log line can name an address that is not actually configured.
		   echo "*.* @$IP exists" >>${result_file}
		fi
	 fi
	 if [ -f $file1 ];then
	    # Looser test than above: any active line with "@" surrounded by text.
	    Var=`cat $file1 | grep -v "^[[:space:]]*#" | grep -E '[[:space:]]*.+@.+'`
		if [ $? = 1 ];then
           echo "*.* @$IP" >>$file1	
		   echo "*.* @$IP is not exists,In order to increase" >>${result_file}
		else
		   echo "*.* @$IP exists" >>${result_file}
		fi
	 fi
	 echo "*********************************************************************">>${result_file}
}

#检查是否记录安全事件日志
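function lvmeng_safelog(){
# ITEM_ID 6: make sure security events (*.err, kern.debug, daemon.notice)
# are written to /var/adm/messages, and that the log file exists, is mode 640
# and append-only. Outcomes are logged to ${result_file}.
# Fixes over the previous version: the /etc/syslog.conf branch edited
# /etc/rsyslog.conf instead of /etc/syslog.conf, and the directory was created
# as /var/amd, so touching /var/adm/messages failed when /var/adm was missing.
# NOTE(review): the syslog daemon is not restarted here, and the append-only
# attribute stops log rotation from renaming or truncating the file --
# confirm the rotation policy accounts for that.
echo "Start to do ITEM_ID [6]."
echo "ITEM_ID=6">>"${result_file}"
    file="/etc/rsyslog.conf"
    file1="/etc/syslog.conf"
    local conf
    for conf in "$file" "$file1"; do
        [ -f "$conf" ] || continue
        # Count active, non-empty lines that already carry the rule.
        syslog=$(grep -v "^[[:space:]]*#" "$conf" | grep -v "^$" \
            | grep -c "*.err\;kern\.debug\;daemon\.notice[[:space:]]*/var/adm/messages")
        if [ "$syslog" -ge 1 ]; then
            echo "safelog check result:exists" >>"${result_file}"
        else
            # Drop any stale copy of the rule, then append the canonical one.
            sed -i "/^*.err;kern.debug;daemon.notice[[:space:]]*\/var\/adm\/messages/d" "$conf"
            echo "*.err;kern.debug;daemon.notice                     /var/adm/messages" >> "$conf"
            echo "safelog check result:is not exists,In order to increase" >>"${result_file}"
        fi
    done
    if [ ! -f /var/adm/messages ];then
        mkdir -p /var/adm
        touch /var/adm/messages
        chmod 640 /var/adm/messages
        chattr +a /var/adm/messages
        echo "touch and chmod /var/adm/messages" >>"${result_file}"
    else
        chattr +a /var/adm/messages
        echo "exists,chattr +a /var/adm/messages" >>"${result_file}"
    fi
    echo "*********************************************************************">>"${result_file}"
}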

#检查是否记录帐户登录日志
function loginlog(){
  # ITEM_ID 7: make sure account-login events (auth.info) are written to
  # /var/log/authlog by whichever of rsyslog.conf / syslog.conf exists, and
  # that the log file exists with mode 640. Outcomes go to ${result_file}.
  # The append-only attribute is set only when the file is newly created.
  local conf
  echo "Start to do ITEM_ID [7]."
  echo "ITEM_ID=7" >>"${result_file}"
  file="/etc/rsyslog.conf"
  file1="/etc/syslog.conf"
  for conf in "$file" "$file1"; do
    [ -f "$conf" ] || continue
    # Number of active lines that already route auth.info to the log.
    syslog=$(grep -v "^[[:space:]]*#" "$conf" | grep -c "auth.info[[:space:]]*/var/log/authlog")
    if [ "$syslog" -lt 1 ]; then
      echo "auth.info                                             /var/log/authlog" >>"$conf"
      echo "loginlog check result:is not exists,In order to increase" >>"${result_file}"
    else
      echo "loginlog check result:exists" >>"${result_file}"
    fi
  done
  if [ -f /var/log/authlog ]; then
    chmod 640 /var/log/authlog
    echo "exists,chmod 640 /var/log/authlog" >>"${result_file}"
  else
    touch /var/log/authlog
    chmod 640 /var/log/authlog
    chattr +a /var/log/authlog
    echo "touch and chmod /var/log/authlog" >>"${result_file}"
  fi
  echo "*********************************************************************" >>"${result_file}"
}

#检查是否配置su命令使用情况记录
function suinfo(){
  # ITEM_ID 8: make sure su usage (authpriv.*) is logged by whichever of
  # rsyslog.conf / syslog.conf exists, and create /var/log/secure (mode 640,
  # append-only) when it is missing. Outcomes go to ${result_file}.
  # An existing /var/log/secure is left as it is.
  local conf
  echo "Start to do ITEM_ID [8]."
  echo "ITEM_ID=8" >>"${result_file}"
  file="/etc/rsyslog.conf"
  file1="/etc/syslog.conf"
  for conf in "$file" "$file1"; do
    [ -f "$conf" ] || continue
    # Any active authpriv.* rule counts, whatever file it writes to.
    syslog=$(grep -v "^[[:space:]]*#" "$conf" | grep -c "authpriv\.\*[[:space:]]\/*")
    if [ "$syslog" -lt 1 ]; then
      echo "authpriv.*		                                    /var/log/secure" >>"$conf"
      echo "suinfo check result:is not exists,In order to increase" >>"${result_file}"
    else
      echo "suinfo check result:exists" >>"${result_file}"
    fi
  done
  if [ ! -f /var/log/secure ]; then
    touch /var/log/secure
    chmod 640 /var/log/secure
    chattr +a /var/log/secure
    echo "touch and chmod /var/log/secure" >>"${result_file}"
  fi
  echo "*********************************************************************" >>"${result_file}"
}

#记录cron行为日志
function cronlog(){
  # ITEM_ID 9: make sure cron activity (cron.*) is written to /var/log/cron by
  # whichever of rsyslog.conf / syslog.conf exists, and that the log file
  # exists with mode 640. Outcomes go to ${result_file}.
  # The append-only attribute is set only when the file is newly created.
  local conf
  echo "Start to do ITEM_ID [9]."
  echo "ITEM_ID=9" >>"${result_file}"
  file="/etc/rsyslog.conf"
  file1="/etc/syslog.conf"
  for conf in "$file" "$file1"; do
    [ -f "$conf" ] || continue
    # Number of active lines that already route cron messages to the log.
    syslog=$(grep -v "^[[:space:]]*#" "$conf" | grep -c "cron.*[[:space:]]*/var/log/cron")
    if [ "$syslog" -lt 1 ]; then
      echo "cron.*                                                  /var/log/cron" >>"$conf"
      echo "cronlog check result:is not exists,In order to increase" >>"${result_file}"
    else
      echo "cronlog check result:exists" >>"${result_file}"
    fi
  done
  if [ -f /var/log/cron ]; then
    chmod 640 /var/log/cron
    echo "exists,chmod 640 /var/log/cron" >>"${result_file}"
  else
    touch /var/log/cron
    chmod 640 /var/log/cron
    chattr +a /var/log/cron
    echo "touch and chmod /var/log/cron" >>"${result_file}"
  fi
  echo "*********************************************************************" >>"${result_file}"
}

#禁止掉ctrl-alt-del重启
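function  noreboot(){
# ITEM_ID 10: disable the Ctrl-Alt-Del reboot by moving the systemd
# ctrl-alt-del.target unit aside (kept as a .bak copy), logging the outcome.
# Fixes over the previous version: "file is not exists" was logged even right
# after the unit had been moved, and an unconditional rm -f followed the mv,
# which could delete the unit without a backup if the mv had failed.
# NOTE(review): a package update can restore a unit under /usr/lib; masking
# the target with systemctl is the persistent alternative.
echo "Start to do ITEM_ID [10]."
echo "ITEM_ID=10">>"${result_file}"
  file="/usr/lib/systemd/system/ctrl-alt-del.target"
  if [ -f "$file" ]; then
    mv -- "$file" "${file}.bak"
    init q
    echo "file exists,removed" >>"${result_file}"
  else
    echo "file is not exists" >>"${result_file}"
  fi
  echo "*********************************************************************">>"${result_file}"
}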

#检查是否修改系统banner
function systembanner(){
  # ITEM_ID 11: hide the system banners by renaming /etc/issue and
  # /etc/issue.net to *.bak, logging each rename (or absence) to ${result_file}.
  # The resulting /etc/issue.bak is what the "gnos" detection in the sshd
  # functions of this script reads.
  local banner
  echo "Start to do ITEM_ID [11]."
  echo "ITEM_ID=11" >>"${result_file}"
  file="/etc/issue"
  file1="/etc/issue.net"
  for banner in "$file" "$file1"; do
    if [ ! -f "$banner" ]; then
      echo "$banner is not exists" >>"${result_file}"
      continue
    fi
    mv "$banner" "${banner}.bak"
    echo "mv $banner ${banner}.bak" >>"${result_file}"
  done
  echo "*********************************************************************" >>"${result_file}"
}

#修改ssh端口
function changessh(){
# ITEM_ID 12: move sshd from port 22 to port 6802 in /etc/ssh/sshd_config and
# restart sshd, logging the outcome to ${result_file}.
# NOTE(review): the config is not validated before the restart and no
# firewall or SELinux port change is made here; keep the current session
# open and confirm a login on the new port before relying on it.
echo "Start to do ITEM_ID [12]."
echo "ITEM_ID=12">>${result_file}
  file="/etc/ssh/sshd_config"
  if [ -f "$file" ]; then
    # Second field of the active (non-comment) line(s) containing "Port ".
    port=`cat $file  |grep -v "^[[:space:]]*#"|grep "Port " |awk '{print $2}'`
	# Same pipeline again: prints the line to the console and sets $?
	# (1 = no active Port directive).
	cat $file  |grep -v "^[[:space:]]*#"|grep "Port "
	if [ $? = 1 ];then
	   # Turn the commented "#Port" line into "Port 6802". When no such line
	   # exists nothing changes, but the log and restart below still run.
	   sed -i '/^#Port/s/#Port.*/Port 6802/' $file
	   echo "#Port 22,change to Port 6802" >>${result_file}
	   # First run of digits in /etc/redhat-release. 2>&1 folds any error text
	   # into the captured value, and the unquoted test then fails into "else".
	   centos=`(cat /etc/redhat-release |egrep -o '[0-9]+'|awk 'NR==1') 2>& 1`
       if [ $centos = 6 ];then
	      echo "system is centos 6 " >>${result_file}
	      # The pipeline status is tee's, so a failed restart is not detected.
          service sshd restart |tee -a ${result_file}
       else
	      # Anything other than exactly "6" is treated as a systemd host.
	      echo "system is centos 7 " >>${result_file}
          systemctl restart  sshd.service |tee -a ${result_file}
       fi
	   # Major version taken from the third field of the first line of
	   # /etc/issue.bak (the file systembanner leaves behind).
	   gnos=`( cat /etc/issue.bak|awk 'NR==1{print $3}'|awk -F '.' '{print $1}') 2>& 1`
       if [ $gnos = 4 ];then
	       echo "system is gnos " >>${result_file}
           /etc/init.d/sshd restart |tee -a ${result_file}
       fi
	else
       # An active Port directive exists: only the value 22 is rewritten.
       if [ "$port" = "22" ];then
		  sed -i '/^Port/s/Port 22/Port 6802/' $file
		  echo "Port 22,change to Port 6802"   >>${result_file}
		  centos1=`(cat /etc/redhat-release |egrep -o '[0-9]+'|awk 'NR==1') 2>& 1`
		  if [ $centos1 = 6 ];then
		     echo "system is centos 6 " >>${result_file}
             service sshd restart |tee -a ${result_file}
          else
		     echo "system is centos 7 " >>${result_file}
             systemctl restart  sshd.service |tee -a ${result_file}
          fi
		  gnos=`( cat /etc/issue.bak|awk 'NR==1{print $3}'|awk -F '.' '{print $1}') 2>& 1`
          if [ $gnos = 4 ];then
	        echo "system is gnos " >>${result_file}
            /etc/init.d/sshd restart |tee -a ${result_file}
          fi
	   else
		   # Any other configured port is left alone and only reported.
		   echo "Port is $port" >>${result_file}
	   fi 
	fi
  fi
  echo "*********************************************************************">>${result_file}
}

#禁止掉root
function noroot(){
# ITEM_ID 13: disable direct root login over SSH by setting
# "PermitRootLogin no" in /etc/ssh/sshd_config and restarting sshd.
# Outcomes are logged to ${result_file}.
# NOTE(review): once this applies, access depends on a working non-root
# account that can su; verify that path before closing the current session.
echo "Start to do ITEM_ID [13]."
echo "ITEM_ID=13">>${result_file}
  file="/etc/ssh/sshd_config"
  if [ -f "$file" ]; then
	# Second field of the active (non-comment) PermitRootLogin line(s).
	rootlogin=`cat $file|grep -v "^[[:space:]]*#"|grep "PermitRootLogin"|awk '{print $2}'`
	# Same pipeline again: prints the line to the console and sets $?
	# (1 = no active directive).
	cat $file|grep -v "^[[:space:]]*#"|grep "PermitRootLogin"
	if [ $? = 1 ];then
        # Turn the commented directive into "PermitRootLogin no". When no
        # "#PermitRootLogin" line exists nothing changes, but the log and
        # restart below still run.
        sed -i '/^#PermitRootLogin/s/#PermitRootLogin.*/PermitRootLogin no/' $file
		echo "#PermitRootLogin yes ,change to PermitRootLogin no " >>${result_file}
		# First run of digits in /etc/redhat-release; 2>&1 folds any error text
		# into the captured value, which then fails the numeric test.
		centos=`(cat /etc/redhat-release |egrep -o '[0-9]+'|awk 'NR==1') 2>& 1`
        if [ $centos -eq 6 ];then
		  echo "system is centos 6 " >>${result_file}
		  # The pipeline status is tee's, so a failed restart is not detected.
          service sshd restart |tee -a ${result_file}
        else
		  # Anything other than 6 is treated as a systemd host.
		  echo "system is centos 7 " >>${result_file}
          systemctl restart  sshd.service |tee -a ${result_file}
        fi
		# Major version from the third field of the first line of /etc/issue.bak.
		gnos=`( cat /etc/issue.bak|awk 'NR==1{print $3}'|awk -F '.' '{print $1}') 2>& 1`
        if [ $gnos -eq 4 ];then
	        echo "system is gnos " >>${result_file}
            /etc/init.d/sshd restart |tee -a ${result_file}
        fi
	else 
	   # An active directive exists: only the literal value "yes" is rewritten.
	   if [ "$rootlogin" = "yes" ];then
		   sed -i '/^PermitRootLogin/s/PermitRootLogin yes/PermitRootLogin no/' $file
		   echo "PermitRootLogin yes,change to PermitRootLogin no "   >>${result_file}
		   centos=`(cat /etc/redhat-release |egrep -o '[0-9]+'|awk 'NR==1') 2>& 1`
           if [ $centos -eq 6 ];then
		      echo "system is centos 6 " >>${result_file}
              service sshd restart |tee -a ${result_file}
           else
		      echo "system is centos 7 " >>${result_file}
              systemctl restart  sshd.service |tee -a ${result_file}
           fi
		   gnos=`( cat /etc/issue.bak|awk 'NR==1{print $3}'|awk -F '.' '{print $1}') 2>& 1`
           if [ $gnos -eq 4 ];then
	         echo "system is gnos " >>${result_file}
             /etc/init.d/sshd restart |tee -a ${result_file}
           fi
	   else
		   # Any other value is left unchanged and only reported.
		   # NOTE(review): key-only root login settings therefore stay in place.
		   echo "PermitRootLogin is $rootlogin" >>${result_file}
	   fi
	fi
	    
  fi
  echo "*********************************************************************">>${result_file}
}

#禁止输入前面5次输入的密码
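function passwd5(){
# ITEM_ID 14: forbid reuse of the last 5 passwords by adding remember=5 to the
# pam_unix password line in /etc/pam.d/system-auth-ac, logging the outcome.
# Fixes over the previous version: the hash-type test was unquoted, so an
# empty or multi-line value fell through to the md5 branch, which could append
# a pam_unix md5 line to a file that had none. The function now acts only when
# the first active pam_unix line is sha512 or md5 and logs anything else.
# NOTE(review): the appended fallback line carries nullok (empty passwords
# accepted) and lands at the end of the file; the file is commonly
# tool-managed (authconfig) -- confirm both before relying on it.
echo "Start to do ITEM_ID [14]."
echo "ITEM_ID=14">>"${result_file}"
 file="/etc/pam.d/system-auth-ac"
 if [ -f "$file" ];then
  # Hash algorithm = fourth field of the first active pam_unix password line.
  zhi=$(grep -v '^#' "$file" \
    | grep 'password[[:space:]]*sufficient[[:space:]]*pam_unix.so' \
    | awk 'NR==1{print $4}')
  if [ "$zhi" = "sha512" ] || [ "$zhi" = "md5" ];then
    ret=$(grep -v '^#' "$file" | grep "password[[:space:]]*sufficient[[:space:]]*pam_unix.so[[:space:]]*${zhi}[[:space:]]*shadow[[:space:]]*nullok[[:space:]]*try_first_pass use_authtok[[:space:]]*remember=5")
    if [ -z "$ret" ];then
      ret=$(grep -v '^#' "$file" | grep "pam_unix.so ${zhi} shadow")
      if [ -n "$ret" ];then
        # Extend the existing line in place.
        sed -i "/^password.*${zhi} shadow/s/use_authtok/use_authtok remember=5/" "$file"
        echo "${zhi}...remember=5 is not exists,In order to increase" >>"${result_file}"
      else
        # The line exists but not in the single-space layout matched above.
        echo "password    sufficient    pam_unix.so ${zhi} shadow nullok try_first_pass use_authtok remember=5" >> "$file"
        echo "password...${zhi}...remember=5 is not exists,In order to increase" >>"${result_file}"
      fi
    else
      echo "password...${zhi}...remember=5 exists" >>"${result_file}"
    fi
  else
    echo "pam_unix.so password line not found or hash is not sha512/md5,no change" >>"${result_file}"
  fi
 fi
 echo "*********************************************************************">>"${result_file}"
}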

#修改日志记录时间
function logdate(){
# ITEM_ID 15: set the global logrotate schedule in /etc/logrotate.conf to
# monthly with 4 rotations kept, logging the outcome to ${result_file}.
echo "Start to do ITEM_ID [15]."
echo "ITEM_ID=15">>${result_file}
	file="/etc/logrotate.conf"
	if [ -f $file ];then
	   # ret counts the unindented daily/weekly/yearly lines; info holds their text.
	   ret=`cat $file | grep -v "^[[:space:]]*#"|egrep "^(daily|weekly|yearly)"|wc -l`
	   info=`cat $file | grep -v "^[[:space:]]*#"|egrep "^(daily|weekly|yearly)"`
	   if [ "$ret" != 0 ];then
	        # NOTE(review): when more than one line matches, info spans several
	        # lines and the sed expression is no longer valid.
	        sed -i "/^$info/s/$info/monthly/" $file
	        echo "$info change to monthly" >>${result_file}
	   else
	        # Logged whenever none of the three keywords is found; the presence
	        # of "monthly" itself is not checked.
	        echo "is monthly" >>${result_file}
	   fi
	   # Second field of the unindented "rotate N" line.
	   ret1=`cat $file | grep -v "^[[:space:]]*#"|grep ^rotate|awk '{print $2}'`
	   if [ "$ret1" != 4 ];then
	      # With no top-level rotate line ret1 is empty: the sed matches nothing,
	      # yet the change is still logged.
	      sed -i "/^rotate/s/rotate $ret1/rotate 4/" $file
		  echo "rotate is not 4,change to 4" >>${result_file}
	   else 
	      echo "rotate is 4" >>${result_file}
	   fi
	fi
    echo "*********************************************************************">>${result_file}
}

#修改SSH的Banner警告信息  
function sshbanner(){
# ITEM_ID 16: install an SSH pre-login warning banner (/etc/ssh_banner) and a
# message of the day (/etc/motd), restarting sshd when the banner is added.
# Outcomes are logged to ${result_file}.
echo "Start to do ITEM_ID [16]."
echo "ITEM_ID=16">>${result_file}
file="/etc/ssh_banner"
# Everything in this branch, including the Banner directive, happens only
# when the banner file is absent; an existing banner file with no Banner
# line in sshd_config is left as it is.
if [ ! -f $file ];then
   touch /etc/ssh_banner
   chown bin:bin /etc/ssh_banner
   chmod 644 /etc/ssh_banner
   echo "Authorized only. All activity will be monitored and reported" >> /etc/ssh_banner
   # NOTE(review): the directive is appended at the end of sshd_config; if the
   # file ends with a Match block the directive applies only inside it -- confirm.
   echo "Banner /etc/ssh_banner" >> /etc/ssh/sshd_config
   echo "banner info write $file" >>${result_file}
   # First run of digits in /etc/redhat-release; 2>&1 folds any error text
   # into the captured value, which then fails the numeric test.
   centos=`(cat /etc/redhat-release |egrep -o '[0-9]+'|awk 'NR==1') 2>& 1`
   if [ $centos -eq 6 ];then
	 echo "system is centos 6 " >>${result_file}
	 # The pipeline status is tee's, so a failed restart is not detected.
     service sshd restart |tee -a ${result_file}
   else
	 # Anything other than 6 is treated as a systemd host.
	 echo "system is centos 7 " >>${result_file}
     systemctl restart  sshd.service |tee -a ${result_file}
   fi
   # Major version from the third field of the first line of /etc/issue.bak.
   gnos=`( cat /etc/issue.bak|awk 'NR==1{print $3}'|awk -F '.' '{print $1}') 2>& 1`
   if [ $gnos -eq 4 ];then
	  echo "system is gnos " >>${result_file}
      /etc/init.d/sshd restart |tee -a ${result_file}
   fi
else
   echo "$file exists" >>${result_file}
fi
file1="/etc/motd"
if [ ! -f $file1 ];then
   touch /etc/motd
   echo "Authorized users only. All activity may be monitored and reported" >> /etc/motd
   echo "info write $file1 " >>${result_file}
else
   # An existing motd is filled only when it is empty; a non-empty motd is
   # left untouched and nothing is logged for it.
   Value=`cat /etc/motd`
   if [[ -z ${Value} ]];then
       echo "Authorized users only. All activity may be monitored and reported" >> /etc/motd
	   echo "$file1 exists, In order to increase" >>${result_file} 
   fi
fi
echo "*********************************************************************">>${result_file}
}

#修改用户密码有效期为无限期
function userpasswd(){
  # ITEM_ID 17: set the maximum password age to 99999 days (effectively no
  # expiry) for gnnetmg, liu and root when they appear in /etc/passwd, and log
  # each change that chage confirms.
  # NOTE(review): this exempts these accounts, root included, from the
  # 90-day maximum age that passwdtime writes to /etc/login.defs.
  local account
  echo "Start to do ITEM_ID [17]."
  echo "ITEM_ID=17" >>"${result_file}"
  for account in gnnetmg liu root; do
    # Whole-word match anywhere in the passwd line, not only the name field.
    user=$(grep -w "${account}" /etc/passwd)
    [[ $user ]] || continue
    chage -M 99999 "${account}"
    # Read the value back; the log line is written only when it took effect.
    zhi=$( (chage -l "${account}" | grep "Maximum number" | awk -F ': ' '{print $2}') 2>&1 )
    if [[ $zhi -eq 99999 ]]; then
      echo "chage -M 99999 ${account}  " >>"${result_file}"
    fi
  done
  echo "*********************************************************************" >>"${result_file}"
}
 
# 检查系统内核参数配置
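# Helper for banicmp: pin one net.ipv4.conf.all.* key to 0 in /etc/sysctl.conf
# and in the running kernel, logging the outcome to ${result_file}.
# Arguments: $1 - full sysctl key, e.g. net.ipv4.conf.all.accept_redirects
function _banicmp_pin_zero(){
  local key=$1
  local leaf=${key##*.}                      # last component, e.g. accept_redirects
  local proc_file="/proc/sys/${key//.//}"    # dots become path separators
  local active
  # Active (non-comment) lines written as "<key> = <value>".
  active=$(grep -v "^[[:space:]]*#" /etc/sysctl.conf | grep "${key} =")
  if [ -n "$active" ]; then
    # "Already 0" only when every active line carries the value 0.
    if printf '%s\n' "$active" | awk '$3 != 0 {rc=1} END {exit rc+0}'; then
      echo "${key} = 0" >>"${result_file}"
    else
      sed -i "/^${key}.*/s/${leaf} =.*/${leaf} = 0/" /etc/sysctl.conf
      echo "${key} have value,but is not 0,change to 0" >>"${result_file}"
    fi
  else
    echo "${key} = 0" >> /etc/sysctl.conf
    echo "${key} have not value,in order to increase" >>"${result_file}"
  fi
  # Runtime change: effective now, lost at reboot (sysctl.conf covers reboots).
  sysctl -w "${key}=0" >& /dev/null
  echo '0' > "$proc_file"
}

function banicmp(){
# ITEM_ID 18: kernel parameter check -- disable acceptance and sending of
# ICMP redirects (net.ipv4.conf.all.accept_redirects / send_redirects = 0),
# both persistently and in the running kernel.
# Fix over the previous version: one /proc write for send_redirects carried a
# second redirect to /dev/null, so the value was never written to /proc.
# NOTE(review): only the "all" keys are handled; net.ipv4.conf.default.* and
# per-interface values are not touched by this function.
echo "Start to do ITEM_ID [18]."
echo "ITEM_ID=18">>"${result_file}"
_banicmp_pin_zero net.ipv4.conf.all.accept_redirects

_banicmp_pin_zero net.ipv4.conf.all.send_redirects
echo "*********************************************************************" >> "${result_file}"
}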

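# Validate sshd_config and restart sshd with the init tool of the detected release.
# The restart is skipped (return 1) when `sshd -t` rejects the configuration, so
# a bad edit cannot take the daemon down and cut off remote access.
# Globals: result_file (appended to)
function _restart_sshd(){
  local major gnos
  if command -v sshd >/dev/null 2>&1 && ! sshd -t >>"${result_file}" 2>&1; then
    echo "sshd -t failed,sshd is not restarted" >>"${result_file}"
    return 1
  fi
  # First number in /etc/redhat-release; empty when the file is missing.
  major=$(grep -Eo '[0-9]+' /etc/redhat-release 2>/dev/null | head -n1)
  if [ "$major" = "6" ]; then
    echo "system is centos 6 " >>"${result_file}"
    service sshd restart | tee -a "${result_file}"
  else
    echo "system is centos 7 " >>"${result_file}"
    systemctl restart sshd.service | tee -a "${result_file}"
  fi
  # Major version taken from the third field of the first line of /etc/issue.bak.
  gnos=$(awk 'NR==1{print $3}' /etc/issue.bak 2>/dev/null | awk -F '.' '{print $1}')
  if [ "$gnos" = "4" ]; then
    echo "system is gnos " >>"${result_file}"
    /etc/init.d/sshd restart | tee -a "${result_file}"
  fi
}

# Check that sshd is pinned to protocol version 2 (ITEM_ID 19).
#
# - No active "Protocol" line but a "#Protocol" template: the template is
#   rewritten to "Protocol 2" and sshd is restarted.
# - No "Protocol" line at all: nothing is edited and that is logged (the
#   previous code logged a change and restarted sshd although sed matched nothing).
# - Active value other than "2": rewritten to "Protocol 2" and sshd restarted.
#
# NOTE(review): recent OpenSSH servers speak only protocol 2 and reportedly
# treat this keyword as deprecated; confirm it still matters on the target
# release before relying on this item.
# Globals: result_file (appended to)
function checksshversion(){
  local file="/etc/ssh/sshd_config"
  local active sshversion
  echo "Start to do ITEM_ID [19]."
  echo "ITEM_ID=19" >>"${result_file}"
  if [ -f "$file" ]; then
    active=$(grep -v "^[[:space:]]*#" "$file" | grep "Protocol")
    sshversion=$(printf '%s\n' "$active" | awk '{print $2}')
    if [ -z "$active" ]; then
      if grep -q '^#Protocol' "$file"; then
        sed -i '/^#Protocol/s/#Protocol.*/Protocol 2/' "$file"
        echo "#Protocol 2 ,change to Protocol 2 " >>"${result_file}"
        _restart_sshd
      else
        echo "Protocol is not set in $file,nothing changed" >>"${result_file}"
      fi
    elif [ "$sshversion" != "2" ]; then
      sed -i '/^Protocol/s/Protocol.*/Protocol 2/' "$file"
      echo "Protocol *,change to Protocol 2" >>"${result_file}"
      _restart_sshd
    else
      echo "Protocol is $sshversion" >>"${result_file}"
    fi
  fi
  echo "*********************************************************************" >>"${result_file}"
}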

# Account lockout after repeated failed logins (ITEM_ID 20).
#
# For /etc/pam.d/login, /etc/pam.d/sshd and /etc/pam.d/system-auth the function
# enforces the line
#   auth required pam_tally2.so deny=5 unlock_time=600 even_deny_root root_unlock_time=10
# For /etc/pam.d/su a matching line is deleted instead.
# Globals: result_file (appended to), file and Var (overwritten)
#
# NOTE(review): every grep below uses deny=[0-9], i.e. exactly one digit. An
# existing pam_tally2 line with a two-digit deny value, or with the options in
# another order, does not match, and a second line is then added next to it.
# NOTE(review): pam_tally2 is reportedly replaced by pam_faillock on newer
# distributions; confirm the module exists before applying this to a host.
function userlocking(){
echo "Start to do ITEM_ID [20]."
echo "ITEM_ID=20">>${result_file}
file="/etc/pam.d/login"
  if [ -f "$file" ]; then
      # $? below is the exit status of the grep that ends the pipeline.
      Var=`cat $file |grep 'auth[[:space:]]*required[[:space:]]*pam_tally2.so[[:space:]]*deny=[0-9][[:space:]]*unlock_time=[0-9]* even_deny_root root_unlock_time=10'`
      if [ $? = 0 ];then
          # Line present: normalise it to deny=5 unlock_time=600.
          sed -i "s@auth[[:space:]]*required[[:space:]]*pam_tally2.so[[:space:]]*deny=[0-9][[:space:]]*unlock_time=[0-9]* even_deny_root root_unlock_time=10@auth       required     pam_tally2.so   deny=5 unlock_time=600 even_deny_root root_unlock_time=10@g" $file
          echo "/etc/pam.d/login command exists"  >>${result_file}
      else
          # Line absent: insert it directly after the "#%PAM" header line.
          sed -i '/#%PAM/a\auth       required     pam_tally2.so   deny=5 unlock_time=600 even_deny_root root_unlock_time=10' $file
          echo "sed -i  command /etc/pam.d/login" >>${result_file}
      fi

  fi
file="/etc/pam.d/sshd"
  if [ -f "$file" ]; then
      # Same handling as /etc/pam.d/login above.
      Var=`cat $file |grep 'auth[[:space:]]*required[[:space:]]*pam_tally2.so[[:space:]]*deny=[0-9][[:space:]]*unlock_time=[0-9]* even_deny_root root_unlock_time=10'`
      if [ $? = 0 ];then
          sed -i "s@auth[[:space:]]*required[[:space:]]*pam_tally2.so[[:space:]]*deny=[0-9][[:space:]]*unlock_time=[0-9]* even_deny_root root_unlock_time=10@auth       required     pam_tally2.so   deny=5 unlock_time=600 even_deny_root root_unlock_time=10@g" $file
          echo "/etc/pam.d/sshd command exists"  >>${result_file}
      else
          sed -i '/#%PAM/a\auth       required     pam_tally2.so   deny=5 unlock_time=600 even_deny_root root_unlock_time=10' $file
          echo "sed -i  command /etc/pam.d/sshd" >>${result_file}
      fi
  fi
# Not configured: on CentOS 6 / CentOS 7 users could no longer log in after this
# was applied. The system only recognises "pam_tally2.so", while the security
# audit body checks for "pam_tally.so".
#file="/etc/pam.d/sshd"
#  if [ -f "$file" ]; then
#      cat ${file}|grep "auth[[:space:]]*required[[:space:]]*pam_tally.so[[:space:]]*deny=5[[:space:]]*unlock_time=[0-9]*"
#      if [ $? = 1 ];then
#          echo "auth required pam_tally.so deny=5 unlock_time=600 no_lock_time" >> $file
#          echo "sed -i  command /etc/pam.d/sshd"  >>${result_file}
#      else
#          echo "/etc/pam.d/sshd command exists"  >>${result_file}
#      fi
#  fi
#file="/etc/pam.d/sshd"
#  if [ -f "$file" ]; then
#      cat ${file}|grep "account[[:space:]]*required[[:space:]]*pam_tally.so"
#      if [ $? = 1 ];then
#          echo "account required pam_tally.so" >> $file
#          echo "sed -i  command /etc/pam.d/sshd"  >>${result_file}
#      else
#          echo "/etc/pam.d/sshd command exists"  >>${result_file}
#      fi
#  fi
file="/etc/pam.d/su"
  if [ -f "$file" ]; then
      Var=`cat $file |grep 'auth[[:space:]]*required[[:space:]]*pam_tally2.so[[:space:]]*deny=[0-9][[:space:]]*unlock_time=[0-9]*[[:space:]]*even_deny_root[[:space:]]*root_unlock_time=10'`
      if [ $? = 0 ];then
          # For su the lockout line is removed, not added.
          sed -i '/auth[[:space:]]*required[[:space:]]*pam_tally2.so[[:space:]]*deny=[0-9][[:space:]]*unlock_time=[0-9]*[[:space:]]*even_deny_root[[:space:]]*root_unlock_time=10/d' $file
          echo "sed -i -e command /etc/pam.d/su"  >>${result_file}
      else
          echo "/etc/pam.d/su command not exists"  >>${result_file}
      fi
  fi
file="/etc/pam.d/system-auth"
  if [ -f "$file" ]; then
      Var=`cat $file |grep 'auth[[:space:]]*required[[:space:]]*pam_tally2.so[[:space:]]*deny=[0-9][[:space:]]*unlock_time=[0-9]*[[:space:]]*even_deny_root*[[:space:]]*root_unlock_time=10'`
      if [ $? = 0 ];then
          sed -i "s@auth[[:space:]]*required[[:space:]]*pam_tally2.so[[:space:]]*deny=[0-9][[:space:]]*unlock_time=[0-9]*[[:space:]]*even_deny_root*[[:space:]]*root_unlock_time=10@auth       required     pam_tally2.so   deny=5 unlock_time=600 even_deny_root root_unlock_time=10@g" $file
          echo "/etc/pam.d/system-auth command exists"   >>${result_file}
      else
          # NOTE(review): appended at the end of the file, after every existing
          # auth line. PAM evaluates a stack in file order, so whether this line
          # is reached depends on the control flags of the earlier auth lines;
          # verify on the target image. The file may also be regenerated by the
          # distribution's auth configuration tool; confirm the edit persists.
          echo "auth       required     pam_tally2.so   deny=5 unlock_time=600 even_deny_root root_unlock_time=10" >> $file
          echo "sed -i  command /etc/pam.d/system-auth"  >>${result_file}
      fi
  fi
file="/etc/pam.d/system-auth"
  if [ -f "$file" ]; then
      # The matching account line is appended when it is missing.
      Var=`cat $file|grep 'account[[:space:]]*required[[:space:]]*pam_tally2.so'`
      if [ $? = 0 ];then
          #sed -i "s@account[[:space:]]*required[[:space:]]*pam_tally2.so@account[[:space:]]*required[[:space:]]*pam_tally2.so@g" $file
          echo "/etc/pam.d/system-auth command exists"   >>${result_file}
      else
          echo "account       required       pam_tally2.so" >> $file
          echo "sed -i  command /etc/pam.d/system-auth"  >>${result_file}
      fi
  fi
# Not configured: on CentOS 6 / CentOS 7 users could no longer log in after this
# was applied. The system only recognises "pam_tally2.so", while the security
# audit body checks for "pam_tally.so".
#file="/etc/pam.d/system-auth"
#  if [ -f "$file" ]; then
#      cat ${file}|grep "auth[[:space:]]*required[[:space:]]*pam_tally.so[[:space:]]*deny=5[[:space:]]*unlock_time=[0-9]*"
#      if [ $? = 1 ];then
#          echo "auth required pam_tally.so deny=5 unlock_time=600" >> $file
#          echo "sed -i  command /etc/pam.d/system-auth"  >>${result_file}
#      else
#          echo "/etc/pam.d/system-auth command exists"  >>${result_file}
#      fi
#  fi
#file="/etc/pam.d/system-auth"
#  if [ -f "$file" ]; then
#      cat ${file}|grep "account[[:space:]]*required[[:space:]]*pam_tally.so"
#      if [ $? = 1 ];then
#          echo "account required pam_tally.so" >> $file
#          echo "sed -i  command /etc/pam.d/system-auth"  >>${result_file}
#      else
#          echo "/etc/pam.d/system-auth command exists"  >>${result_file}
#      fi
#  fi
  echo "*********************************************************************">>${result_file}
}

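# Check that root cannot log in remotely over telnet (ITEM_ID 21).
#
# Ensures /etc/pam.d/login carries an active "auth required pam_securetty.so"
# line and appends one when it is missing. The match is anchored to the start of
# the line, so a commented-out "#auth required pam_securetty.so" no longer counts
# as present.
#
# NOTE(review): the line is appended at the end of the file, after every
# existing auth line; PAM evaluates the stack in file order, so verify on the
# target image that the module is actually reached.
# Globals: result_file (appended to)
function noroottel(){
  local file="/etc/pam.d/login"
  echo "Start to do ITEM_ID [21]."
  echo "ITEM_ID=21" >>"${result_file}"
  if [ -f "$file" ]; then
    if grep -Eq '^[[:space:]]*auth[[:space:]]+required[[:space:]]+pam_securetty\.so' "$file"; then
      echo "auth required pam_securetty.so exists" >>"${result_file}"
    else
      echo 'auth       required     pam_securetty.so' >>"$file"
      echo "auth required pam_securetty.so is not exists,in order to increase" >>"${result_file}"
    fi
  fi
  echo "*********************************************************************" >>"${result_file}"
}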

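# Check permissions of important directories and files (ITEM_ID 22).
#
# - /etc/xinetd.conf: created empty with mode 600 when it does not exist.
# - /etc/security: set to mode 600.
# - init script directories: set to mode 750 when present.
# - boot loader configs (grub.conf, lilo.conf): set to mode 600 when present.
#
# Fixes over the previous version: the "is not exists" log line now names the
# missing path (it printed an empty variable), the stray debug output "111" is
# gone, and existence is tested directly instead of parsing `ls -ld`.
# Globals: result_file (appended to)
function File_Permissions(){
  local Files
  local -a Etcx_File_Permissions=(/etc/rc.d/init.d /etc/rc0.d /etc/rc1.d /etc/rc2.d /etc/rc3.d /etc/rc4.d /etc/rc5.d /etc/rc6.d)
  local -a boot_confs=(/etc/grub.conf /boot/grub/grub.conf /etc/lilo.conf)
  echo "Start to do ITEM_ID [22]."
  echo "ITEM_ID=22" >>"${result_file}"

  # NOTE(review): an existing /etc/xinetd.conf is only reported, its mode is
  # not changed; confirm that is what the baseline expects.
  if [[ ! -f /etc/xinetd.conf ]]; then
    touch /etc/xinetd.conf
    chmod 600 /etc/xinetd.conf
    echo "/etc/xinetd.conf is not exists,in order to increase" >>"${result_file}"
  else
    echo "/etc/xinetd.conf exists" >>"${result_file}"
  fi

  # NOTE(review): 600 on a directory removes the search (x) bit, so only
  # processes that bypass permission checks can reach files below it; confirm
  # the baseline really asks for 600 and not 700 before rolling this out.
  if [[ -d /etc/security/ ]]; then
    chmod 600 /etc/security
    echo "/etc/security File_Permissions modify" >>"${result_file}"
  fi

  for Files in "${Etcx_File_Permissions[@]}"; do
    if [[ -e "${Files}" ]]; then
      chmod 750 "${Files}"
      echo "Etcx_File_Permissions modify" >>"${result_file}"
    else
      echo "${Files}  is not exists" >>"${result_file}"
    fi
  done

  for Files in "${boot_confs[@]}"; do
    if [[ -f "${Files}" ]]; then
      chmod 600 "${Files}"
    fi
  done
  echo "*********************************************************************" >>"${result_file}"
}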

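# Force the first active umask line of one shell start-up file to 077.
#
# Arguments: $1 - file to edit
#            $2 - indentation written in front of the new line
#            $3 - "yes" to append "umask 077" when the file has no umask line
# Globals:   result_file (appended to)
#
# NOTE(review): only the first matching line is used as the search text. A file
# that sets umask in several branches keeps its other values; review the result.
function _force_umask_077(){
  local target=$1 indent=$2 append_if_missing=${3:-no}
  local line keyword value pattern replacement
  if [[ ! -f "${target}" ]]; then
    echo "${target} is not exists" >>"${result_file}"
    return 0
  fi
  line=$(grep -E 'umask|UMASK' "${target}" | grep -v '#' | head -n1)
  if [[ -z "${line}" ]]; then
    # An empty search text would make sed fail with "no previous regular
    # expression", so this case is handled before sed is reached.
    if [[ "${append_if_missing}" == "yes" ]]; then
      echo "${indent}umask 077" >>"${target}"
      echo "${target} exists,but umask is not set,in order to increase" >>"${result_file}"
    else
      echo "${target} exists,but umask is not set,nothing changed" >>"${result_file}"
    fi
    return 0
  fi
  keyword=$(printf '%s\n' "${line}" | awk '{print $1}')
  value=$(printf '%s\n' "${line}" | awk '{print $NF}')
  if [[ "${value}" == "077" ]]; then
    echo "${target} exists" >>"${result_file}"
    return 0
  fi
  if [[ "${keyword}" == "UMASK" ]]; then
    replacement="${indent}UMASK 077"
  else
    replacement="${indent}umask 077"
  fi
  # The matched line is used as a regular expression; escape its metacharacters.
  pattern=$(printf '%s\n' "${line}" | sed 's/[][\\.*^$]/\\&/g')
  sed -i "s#${pattern}#${replacement}#g" "${target}"
  echo "${target} exists,but is not 077,change to 077" >>"${result_file}"
}

# Check the user umask setting (ITEM_ID 23).
#
# Sets umask 077 in /etc/csh.cshrc, /etc/csh.login and /etc/bashrc (or
# /etc/bash.bashrc when /etc/bashrc does not exist). /etc/profile is not touched
# here; its stanza was disabled, and checktimeout sets umask 027 in that file.
#
# Fixes over the previous version:
# - /etc/csh.login was run through sed without -i, so the file was printed to
#   stdout and left unchanged while the log claimed a change.
# - A file without any umask line produced an empty sed pattern.
# - The line appended to /etc/csh.login was "UMASK 077"; the shell builtin is
#   spelled "umask", so the lower-case form is written now.
# Globals: result_file (appended to)
function Users_Umask_config(){
  local Bashrc
  echo "Start to do ITEM_ID [23]."
  echo "ITEM_ID=23" >>"${result_file}"
  _force_umask_077 /etc/csh.cshrc "    "
  _force_umask_077 /etc/csh.login "    " yes
  if [[ -e /etc/bashrc ]]; then
    Bashrc="/etc/bashrc"
  else
    Bashrc="/etc/bash.bashrc"
  fi
  _force_umask_077 "${Bashrc}" "       "
  echo "*********************************************************************" >>"${result_file}"
}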

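# Check that the default SNMP community string was changed (ITEM_ID 24).
#
# When the first active com2sec line of snmpd.conf ends in "public", that line
# is replaced by Snmpd_VALUE.
#
# Fixes over the previous version: a missing snmpd.conf is reported instead of
# producing grep errors, the community is read from the same first line that is
# later replaced (several com2sec lines used to defeat the comparison), and the
# log message no longer states the change the wrong way round.
#
# NOTE(review): the replacement community is hard-coded in a script that is
# distributed in the clear, so it is not a secret. Treat it as a placeholder and
# set a per-site value; prefer SNMPv3 where the agent supports it.
# NOTE(review): the agent is not restarted or reloaded here.
# Globals: result_file (appended to)
function snmpd(){
  local Files="/etc/snmp/snmpd.conf"
  local Snmpd_VALUE="com2sec notConfigUser  default       GnNetworkRO"
  local Snmpd_VALUE_OLD Snmpd_VAR
  echo "Start to do ITEM_ID [24]."
  echo "ITEM_ID=24" >>"${result_file}"
  if [[ ! -f "${Files}" ]]; then
    echo "${Files} is not exists" >>"${result_file}"
  else
    Snmpd_VALUE_OLD=$(grep 'com2sec' "${Files}" | grep -v '#' | head -n1)
    Snmpd_VAR=$(printf '%s\n' "${Snmpd_VALUE_OLD}" | awk '{print $NF}')
    if [[ "${Snmpd_VAR}" == "public" ]]; then
      sed -i "s#${Snmpd_VALUE_OLD}#${Snmpd_VALUE}#g" "${Files}"
      echo "${Files} exists,but is public,change to GnNetworkRO" >>"${result_file}"
    else
      echo "${Files} exists" >>"${result_file}"
    fi
  fi
  echo "*********************************************************************" >>"${result_file}"
}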

# Check that unneeded services and ports are switched off (ITEM_ID 25).
#
# When the kernel release string contains "el6", nfslock is switched off with
# chkconfig; on any other release nothing is changed.
# NOTE(review): chkconfig presumably changes only the boot-time setting; a
# running nfslock instance is not stopped here. Confirm if that matters.
# Globals: result_file (appended to), system_version (written)
function stop_services(){
  echo "Start to do ITEM_ID [25]."
  echo "ITEM_ID=25" >>"${result_file}"
  system_version=$(uname -r | grep el6)
  [[ -z ${system_version} ]] || chkconfig nfslock off
  echo "*********************************************************************" >>"${result_file}"
}

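# Check the system core dump setting (ITEM_ID 26).
#
# Ensures /etc/security/limits.conf has "* hard core 0" and "* soft core 0",
# appending whichever is missing.
#
# Fixes over the previous version: the grep pattern was unquoted and therefore
# open to pathname expansion in the current directory; the "exists" log branch
# could never run; the separator line was written once per loop pass.
#
# NOTE(review): files under /etc/security/limits.d are not inspected and may
# override these values; core dumps of setuid programs are governed by a
# separate kernel setting that this function does not handle.
# Globals: result_file (appended to)
function core_dump(){
  local limits="/etc/security/limits.conf"
  local Var
  echo "Start to do ITEM_ID [26]."
  echo "ITEM_ID=26" >>"${result_file}"
  for Var in hard soft; do
    if grep -v "^[[:space:]]*#" "${limits}" 2>/dev/null \
      | grep -Eq "^[[:space:]]*\*[[:space:]]+${Var}[[:space:]]+core[[:space:]]+0[[:space:]]*$"; then
      echo "${Var} exists" >>"${result_file}"
    else
      printf '*               %s    core              0\n' "${Var}" >>"${limits}"
      echo "${Var} limits.conf is not exists,in order to increase" >>"${result_file}"
    fi
  done
  echo "*********************************************************************" >>"${result_file}"
}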

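# Check the mail alias files /etc/aliases and /etc/mail/aliases (ITEM_ID 27).
#
# Comments out the aliases listed in NAMES in both files.
#
# Fixes over the previous version: the substitution is anchored to the start of
# the line, so a second run no longer stacks another "#" on lines that are
# already commented out and no longer edits the name where it appears in the
# middle of a line; a missing /etc/aliases is skipped instead of making sed fail.
#
# NOTE(review): mail transfer agents usually read a compiled alias database;
# nothing here rebuilds it (e.g. with newaliases), so confirm that the edit
# takes effect on the target system.
# Globals: result_file (appended to)
function System_Aliases(){
  local Ali
  local -a NAMES=(games: ingres: system: toor: uucp: manager: dumper: operator: decode: root:)
  echo "Start to do ITEM_ID [27]."
  echo "ITEM_ID=27" >>"${result_file}"
  for Ali in "${NAMES[@]}"; do
    if [[ -f /etc/aliases ]]; then
      sed -i "s@^${Ali}@#${Ali}@" /etc/aliases
      echo "sed -i command /etc/aliases" >>"${result_file}"
    fi
    if [[ ! -f /etc/mail/aliases ]]; then
      echo "${Ali} not is exists(No need to create)" >>"${result_file}"
    else
      sed -i "s@^${Ali}@#${Ali}@" /etc/mail/aliases
      echo "sed -i command /etc/mail/aliases" >>"${result_file}"
    fi
  done
  echo "*********************************************************************" >>"${result_file}"
}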

# Check that unneeded services and ports are switched off (ITEM_ID 28).
#
# For every name in Services that has no script under /etc/rc.d/init.d, a
# one-line placeholder script is written, set to mode 750 and registered with
# chkconfig --add. Names that already have a script are left alone.
#
# NOTE(review): this creates placeholder entries; it does not stop or disable
# any service. The call to this function is commented out in the run list at
# the end of the script.
# Globals: result_file (appended to), Services and Sers (written)
function Services_off(){
  echo "Start to do ITEM_ID [28]."
  echo "ITEM_ID=28" >>"${result_file}"
  Services=(ident lpd kshell time time-udp ntalk sendmail klogin printer nfslock echo echo-udp discard discard-udp chargen chargen-udp bootps tftp nfs daytime ypbind ident)
  for Sers in "${Services[@]}"; do
    # Existing init scripts are never overwritten.
    [[ -f /etc/rc.d/init.d/${Sers} ]] && continue
    echo '# chkconfig: - 58 74' >"/etc/rc.d/init.d/${Sers}"
    chmod 750 "/etc/rc.d/init.d/${Sers}"
    chkconfig --add "${Sers}"
  done
  echo "*********************************************************************" >>"${result_file}"
}

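# Check the IP spoofing and multi-IP settings in /etc/host.conf (ITEM_ID 29).
#
# Ensures "multi on", "nospoof on" and an "order" line are present, creating
# the file when it does not exist.
#
# Fix over the previous version: an existing "multi off" or "nospoof off" line
# was rewritten to the bare word "on", which dropped the keyword and left an
# invalid line. The keyword is kept now. Commented-out lines are also no longer
# mistaken for active settings.
#
# NOTE(review): the item title speaks of switching multi-IP binding off, while
# this code enforces "multi on"; confirm the intended value against the baseline.
# NOTE(review): current C libraries reportedly ignore "nospoof"; confirm that
# the setting has any effect on the target release.
# Globals: result_file (appended to)
function Ip_Camouflage(){
  local Host_Conf="/etc/host.conf"
  local key
  echo "Start to do ITEM_ID [29]."
  echo "ITEM_ID=29" >>"${result_file}"
  [[ -f "${Host_Conf}" ]] || touch "${Host_Conf}"
  for key in multi nospoof; do
    if grep -Eq "^[[:space:]]*${key}[[:space:]]+off" "${Host_Conf}"; then
      sed -i -E "s#^([[:space:]]*${key}[[:space:]]+)off#\1on#" "${Host_Conf}"
      echo "${key} off,change to on" >>"${result_file}"
    elif ! grep -Eq "^[[:space:]]*${key}[[:space:]]" "${Host_Conf}"; then
      echo "${key} on" >>"${Host_Conf}"
      echo "${key} is not exists,in order to increase" >>"${result_file}"
    fi
  done
  if ! grep -Eq "^[[:space:]]*order[[:space:]]" "${Host_Conf}"; then
    echo "order hosts,bind" >>"${Host_Conf}"
  fi
  echo "*********************************************************************" >>"${result_file}"
}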

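# Check for the Heartbleed vulnerability (disabled: the whole function below is commented out).
# NOTE(review): the disabled body rewrites the version string inside the libcrypto file.
# That changes what a version check reports but leaves the library code unpatched;
# the fix is to upgrade the openssl package.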
#function Openssh_Version(){
#echo "Start to do ITEM_ID [30]."
#echo "ITEM_ID=30">>${result_file}
#Openssl_Val=`openssl version|egrep '1.0.0|1.0.1f|1.0.1e|1.0.1d|1.0.1c|1.0.1b|1.0.1|1.0.2-beta|1.0.2-beta1'`
#Openssl_version=`openssl version|egrep '1.0.0|1.0.1f|1.0.1e|1.0.1d|1.0.1c|1.0.1b|1.0.1|1.0.2-beta|1.0.2-beta1'|awk '{print $2}'| cut -d - -f 1`
#if [[ ${Openssl_Val} ]];then
#    Libcrypto=`ldd /usr/bin/openssl |grep 'libcrypto.so'|cut -d= -f 1|awk '{print $1}'`
#	Null=`ls -ld /usr/lib64/${Libcrypto} 2> /dev/null`
#	if [[ ${Null} ]];then
#	    cp /usr/lib64/${Libcrypto} /usr/lib64/${Libcrypto}.baks
#	    sed -i "s#${Openssl_version}#1.0.1u#g" /usr/lib64/${Libcrypto}
#		echo "sed -i command /usr/lib64/${Libcrypto} openssl version"  >>${result_file}
#	fi
#fi
#    echo "*********************************************************************">>${result_file}
#}

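# Check that IP forwarding is disabled (ITEM_ID 31).
#
# Ensures /etc/sysctl.conf carries net.ipv4.ip_forward=0 and reloads the file
# when the file was changed or the running value is not 0.
#
# Fixes over the previous version: an existing active line with another value
# is rewritten in place instead of a new line being appended on every run;
# commented-out lines no longer count as a setting; the backup copy is written
# only when an existing line is about to be modified.
#
# NOTE(review): hosts that route or run container networking need forwarding
# enabled; exclude them from this item. Files under /etc/sysctl.d are not
# inspected and may set a different value.
# Globals: result_file (appended to)
function Ip_Forward(){
  local conf="/etc/sysctl.conf"
  local key_re='^[[:space:]]*net\.ipv4\.ip_forward[[:space:]]*='
  local Value changed=0
  echo "Start to do ITEM_ID [31]."
  echo "ITEM_ID=31" >>"${result_file}"
  Value=$(sysctl -n net.ipv4.ip_forward 2>/dev/null)
  if ! grep -Eq "${key_re}" "${conf}" 2>/dev/null; then
    echo "net.ipv4.ip_forward=0" >>"${conf}"
    echo "net.ipv4.ip_forward=0 /etc/sysctl.conf is not exists,in order to increase" >>"${result_file}"
    changed=1
  elif grep -E "${key_re}" "${conf}" | grep -Eqv "=[[:space:]]*0[[:space:]]*$"; then
    cp -p "${conf}" "${conf}_bak"
    sed -i -E "s/${key_re}.*/net.ipv4.ip_forward=0/" "${conf}"
    echo "net.ipv4.ip_forward have value,but is not 0,change to 0" >>"${result_file}"
    changed=1
  else
    echo "net.ipv4.ip_forward = 0" >>"${result_file}"
  fi
  if [[ "${Value}" != 0 || ${changed} -eq 1 ]]; then
    # Reload the file so the running value follows the configuration.
    sysctl -p >/dev/null 2>&1
  fi
  echo "*********************************************************************" >>"${result_file}"
}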


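# Set one vsftpd umask option to 022.
#
# Arguments: $1 - option name (local_umask or anon_umask)
#            $2 - vsftpd configuration file
# As before, a file that contains a commented-out "#<option>=" line is left
# untouched; otherwise the option is appended or its value rewritten.
function _vsftpd_umask_022(){
  local key=$1 ftp=$2
  local Value="${key}=022"
  if grep -q "#${key}=[[:space:]]*[0-9]*" "${ftp}"; then
    return 0
  fi
  if ! grep -q "^${key}=" "${ftp}"; then
    echo "${Value}" >>"${ftp}"
  elif grep "^${key}=" "${ftp}" | grep -qv "^${key}=022[[:space:]]*$"; then
    sed -i "s#^${key}=.*#${Value}#" "${ftp}"
  fi
}

# Change the FTP banner and related vsftpd options (ITEM_ID 32).
#
# For each of /etc/vsftpd.conf and /etc/vsftpd/vsftpd.conf that exists:
# - banner: when the file has a commented "#ftpd_banner=" line, any active
#   ftpd_banner line is removed and the standard banner is appended;
# - ls_recurse_enable: unless exactly one active "ls_recurse_enable=YES" line
#   exists, active lines are commented out and "ls_recurse_enable=YES" appended;
# - local_umask and anon_umask are set to 022 (see _vsftpd_umask_022).
#
# Fixes over the previous version:
# - "echo "${Value}" ${ftp}" printed local_umask=022 to stdout instead of
#   appending it to the file;
# - "grep ... || awk ..." left awk reading standard input whenever the file had
#   no ls_recurse_enable line, which stalls the script; the branch is gone;
# - already commented ls_recurse_enable lines no longer gain another "#".
#
# NOTE(review): the vsftpd manual describes ls_recurse_enable as a minor
# security risk (recursive listings can consume a lot of resources) and lists
# 077 as the default for both umask options; the values enforced here are more
# permissive. Confirm that the baseline really asks for them.
# NOTE(review): vsftpd is not restarted here.
# Globals: result_file (appended to)
function  Ftp_Banner(){
  local ftp ENABLE
  local banner='ftpd_banner="Authorized users only. All activity may be monitored and reported."'
  echo "Start to do ITEM_ID [32]."
  echo "ITEM_ID=32" >>"${result_file}"
  for ftp in /etc/vsftpd.conf /etc/vsftpd/vsftpd.conf; do
    [[ -f "${ftp}" ]] || continue

    if grep -q "#ftpd_banner=[[:space:]]*" "${ftp}"; then
      sed -i "/^ftpd_banner=/d" "${ftp}"
      echo "${banner}" >>"${ftp}"
    fi

    ENABLE=$(grep -v "^[[:space:]]*#" "${ftp}" | grep -ci "ls_recurse_enable=YES")
    if [[ ${ENABLE} -eq 1 ]]; then
      echo "ls_recurse_enable exists" >>"${result_file}"
    else
      sed -i "s@^ls_recurse_enable@#ls_recurse_enable@" "${ftp}"
      echo "ls_recurse_enable=YES" >>"${ftp}"
    fi

    _vsftpd_umask_022 local_umask "${ftp}"
    _vsftpd_umask_022 anon_umask "${ftp}"
  done
  echo "*********************************************************************" >>"${result_file}"
}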


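# Restrict the directories FTP users can reach after login (ITEM_ID 33).
#
# For each of /etc/vsftpd.conf and /etc/vsftpd/vsftpd.conf that exists:
# - chroot_list_enable is set to YES;
# - a commented "#chroot_local_user" line is uncommented;
# - chroot_list_file is set to /etc/vsftpd/chroot_list, and that file is
#   created when missing and set to mode 750.
#
# Fixes over the previous version:
# - the test `!= "YES" || != "yes"` was always true;
# - a file without any chroot_list_enable line produced an empty sed pattern
#   and never got the option; it is appended now;
# - the two identical chroot_list_file branches are merged;
# - the directory of the list file is created before touch.
#
# NOTE(review): per the vsftpd manual, with chroot_local_user=YES the list file
# names the users that are NOT chrooted. An empty list therefore chroots every
# local user; any name added later is exempted.
# NOTE(review): recent vsftpd releases reportedly refuse a chroot into a
# writable home directory; test a login after applying this item.
# NOTE(review): vsftpd is not restarted here.
# Globals: result_file (appended to)
function  Ftp_Users(){
  local ftp
  local list_file="/etc/vsftpd/chroot_list"
  echo "Start to do ITEM_ID [33]."
  echo "ITEM_ID=33" >>"${result_file}"
  for ftp in /etc/vsftpd.conf /etc/vsftpd/vsftpd.conf; do
    [[ -f "${ftp}" ]] || continue

    if grep -q '#chroot_list_enable' "${ftp}" || ! grep -q '^chroot_list_enable=' "${ftp}"; then
      sed -i "/^chroot_list_enable=/d" "${ftp}"
      echo "chroot_list_enable=YES" >>"${ftp}"
    else
      sed -i "s#^chroot_list_enable=.*#chroot_list_enable=YES#" "${ftp}"
    fi

    if grep -q '#chroot_local_user' "${ftp}"; then
      sed -i "s@#chroot_local_user@chroot_local_user@g" "${ftp}"
    fi

    sed -i "/^chroot_list_file=/d" "${ftp}"
    echo "chroot_list_file=${list_file}" >>"${ftp}"
    if [[ -f "${list_file}" ]]; then
      echo "${list_file} exists" >>"${result_file}"
    else
      mkdir -p "${list_file%/*}"
      touch "${list_file}"
    fi
    chmod 750 "${list_file}"
  done
  echo "*********************************************************************" >>"${result_file}"
}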



# Check that remote login is restricted by source address (ITEM_ID 34).
#
# A rule is appended to /etc/hosts.allow and to /etc/hosts.deny only when the
# file exists and holds no line without a "#".
#
# NOTE(review): the deny rule names one single address. Under the usual
# hosts_access order (allow list, then deny list, otherwise access is granted)
# sources outside both rules stay allowed, so the allow list does not restrict
# anything by itself. Confirm the intended policy and the addresses; they are
# site-specific.
# NOTE(review): whether sshd consults these files, and whether the "/12" prefix
# form is accepted, depends on how the daemon and the wrapper library were
# built on the target release; verify before relying on this item.
# Globals: result_file (appended to), allow, deny and Null (written)
function  Hosts_allow_deny(){
  echo "Start to do ITEM_ID [34]."
  echo "ITEM_ID=34" >>"${result_file}"
  allow="/etc/hosts.allow"
  deny="/etc/hosts.deny"
  if [[ -f ${allow} ]]; then
    Null=$(grep -v '#' "${allow}")
    [[ -n ${Null} ]] || echo "sshd:10.,172.16.0.0/12,192.168.:allow" >>"${allow}"
  fi
  if [[ -f ${deny} ]]; then
    Null=$(grep -v '#' "${deny}")
    [[ -n ${Null} ]] || echo "sshd:10.10.1.1" >>"${deny}"
  fi
  echo "*********************************************************************" >>"${result_file}"
}


#    '''检查是否安装snmp服务'''  未操作	
#    '''检查文件/etc/csh.login中umask设置'''  未操作
#    '''检查重要文件属性设置'''  未操作
#    '''检查是否记录用户对设备的操作'''  未操作
#    '''检查是否限制远程登录IP范围'''  未操作

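# Run list: every hardening item is executed in this order. Entries prefixed
# with "#" are switched off.
checktimeout
checksu
passwdtime
superuser
passwdcomplex
remotelog
lvmeng_safelog
loginlog
suinfo
cronlog
noreboot
systembanner
#changessh
noroot
passwd5
logdate
sshbanner
userpasswd
banicmp
checksshversion
userlocking
noroottel
File_Permissions
Users_Umask_config
snmpd
stop_services
core_dump
System_Aliases
#Services_off
Ip_Camouflage
# Openssh_Version is commented out where it is defined, so calling it only
# produced "command not found"; the call is switched off to match.
#Openssh_Version
Ip_Forward
Ftp_Banner
Ftp_Users
Hosts_allow_deny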



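# Disable IP source routing on every interface (running kernel only; the
# setting is lost on reboot).
for f in /proc/sys/net/ipv4/conf/*/accept_source_route; do
  [[ -e "$f" ]] || continue
  echo 0 >"$f"
done

# Shell aliases for the invoking user. Each alias is inserted after the
# existing "alias mv" line of ~/.bashrc; nothing is added when that line is absent.
if ! grep -q "ls='ls -aol'" ~/.bashrc; then
  sed -i -e "/^alias mv/a\alias ls='ls -aol'" ~/.bashrc
fi
if ! grep -q "rm='rm -i'" ~/.bashrc; then
  sed -i -e "/^alias mv/a\alias rm='rm -i'" ~/.bashrc
fi

# vsftpd: switch anonymous login off. The file is read only after its
# existence has been checked.
FILES=/etc/vsftpd/vsftpd.conf
if [[ -f "$FILES" ]]; then
  zhi=$(grep -v "^[[:space:]]*#" "$FILES" | grep anonymous_enable | awk -F = '{print $NF}')
  if [[ "$zhi" == YES ]]; then
    sed -i "s/^anonymous_enable=YES/anonymous_enable=NO/" "$FILES"
  fi
fi

# Report accounts other than root that have UID 0. Nothing is changed, the
# finding is only logged. The previous test was inverted (-z) and logged only
# when no such account existed; the account name is now compared exactly
# instead of dropping every name that merely contains "root".
USERS_ID=$(awk -F: '($3 == 0 && $1 != "root") { print $1 }' /etc/passwd)
if [[ -n "${USERS_ID}" ]]; then
  echo "Non-root UID is 0,Users: ${USERS_ID} "
  echo "Non-root UID is 0,Users: ${USERS_ID} " >>"${result_file}"
fi

# Add the gnamd account to sudoers.
# NOTE(review): this grants a hard-coded account passwordless root through sudo
# and removes its password expiry, which runs against the rest of this script.
# Confirm the account is required on every host this is applied to.
# The entry is written only when the account exists, so the name is not
# pre-authorised for an account created later, and the file is checked with
# visudo afterwards because a syntax error in sudoers disables sudo entirely.
if id -u gnamd >/dev/null 2>&1; then
  chage -M 99999 gnamd
  if ! grep -q "gnamd[[:space:]]*ALL=(ALL)*[[:space:]]*NOPASSWD: ALL*" /etc/sudoers; then
    echo "gnamd          ALL=(ALL)       NOPASSWD: ALL" >>/etc/sudoers
    if ! visudo -c >>"${result_file}" 2>&1; then
      echo "visudo -c failed after editing /etc/sudoers" >>"${result_file}"
    fi
  fi
else
  echo "gnamd is not exists,sudoers is not changed" >>"${result_file}"
fi

# Change the telnet port in /etc/services.
# NOTE(review): this edits the name-to-port table only. It does not disable
# telnet, and a daemon that looks its port up by name presumably moves with it.
sed -i '/telnet[[:space:]]*23\//s/23/23000/' /etc/services
echo "sed -i telnet 23 to 23000" >>"${result_file}"

# When a telnet package is installed, make sure the xinetd entry is disabled.
# An existing "disable = ..." line is rewritten in place; the previous code
# appended a second line and left "disable = no" standing.
# NOTE(review): the appended line and the stub file are written outside any
# "service telnet { ... }" block; confirm xinetd honours them.
telnetrpm=$(rpm -qa | grep telnet)
files=/etc/xinetd.d/telnet
if [[ -n "$telnetrpm" ]]; then
  if [[ -f "$files" ]]; then
    if grep -q 'disable[[:space:]]*=[[:space:]]*yes' "$files"; then
      :
    elif grep -q 'disable[[:space:]]*=' "$files"; then
      sed -i 's/\(disable[[:space:]]*=[[:space:]]*\).*/\1yes/' "$files"
    else
      echo 'disable = yes' >>"$files"
    fi
  else
    mkdir -p /etc/xinetd.d
    echo 'disable = yes' >"$files"
  fi
fi

# Persist the source-route setting for lo across reboots through /etc/rc.local.
# NOTE(review): only lo is persisted; the other interfaces are covered by the
# loop at the top for the running kernel only.
if ! grep -qF 'echo 0 > /proc/sys/net/ipv4/conf/lo/accept_source_route' /etc/rc.local 2>/dev/null; then
  echo 'echo 0 > /proc/sys/net/ipv4/conf/lo/accept_source_route' >>/etc/rc.local
fi

# File modes for account databases and logs. For the optional files the chmod
# error text, if any, is recorded in the log line.
chmod 644 /etc/passwd
echo "chmod 644 /etc/passwd " >>"${result_file}"
chmod 400 /etc/shadow
echo "chmod 400 /etc/shadow  " >>"${result_file}"
chmod 644 /etc/group
echo "chmod 644 /etc/group  " >>"${result_file}"
limit=$(chmod 640 /etc/rsyslog.d/listen.conf 2>&1)
echo "$limit,chmod 640 /etc/rsyslog.d/listen.conf  " >>"${result_file}"
limit=$(chmod 640 /var/log/boot.log 2>&1)
echo "$limit,chmod 640 /var/log/boot.log  " >>"${result_file}"
limit=$(chmod 640 /var/lib/rsyslog/imjournal.state 2>&1)
echo "$limit,chmod 640 /var/lib/rsyslog/imjournal.state " >>"${result_file}"
limit=$(chmod 640 /var/log/authlog 2>&1)
echo "$limit,chmod 640 /var/log/authlog" >>"${result_file}"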
