#!/bin/bash
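###banner 1
# Banner 1: the shell idle timeout (TMOUT) set in /etc/profile must be 300.
#######################################
# Print the value of the last active "TMOUT=..." line of a profile file.
# Arguments: $1 - profile file
# Outputs:   the assigned value, or nothing when no such line exists
#######################################
tmout_plain_value() {
  grep -v "^[[:space:]]*#" -- "$1" | grep '^TMOUT' | awk -F = '{print $2}' | tail -n 1
}
#######################################
# Print the value of the last active "export TMOUT=..." line of a profile file.
# Arguments: $1 - profile file
# Outputs:   the assigned value, or nothing when no such line exists
#######################################
tmout_export_value() {
  grep -v "^[[:space:]]*#" -- "$1" | grep 'export TMOUT' | awk '{print $2}' | cut -d = -f 2 | tail -n 1
}
#######################################
# Warn when either TMOUT form is present but not 300.  Only the last
# assignment is considered, because that is the one that takes effect;
# the original compared all matching lines at once and mis-handled
# multiple assignments.
# Arguments: $1 - profile file (normally /etc/profile)
# Outputs:   No.1.1 / No.1.2 findings on stdout
#######################################
check_tmout() {
  local profile=$1 plain_value export_value
  plain_value=$(tmout_plain_value "$profile")
  export_value=$(tmout_export_value "$profile")
  if [[ -n "$plain_value" && "$plain_value" != 300 ]]; then
    echo -e "\e[31mNo.1.1请检查超时设置是否配置为300,不是请更改\n\e[0m"
  fi
  if [[ -n "$export_value" && "$export_value" != 300 ]]; then
    echo -e "\e[31mNo.1.2请检查超时设置是否配置为300,不是请更改\n\e[0m"
  fi
}
check_tmout /etc/profile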
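###banner 2
# Banner 2: su must be restricted through PAM - pam_rootok.so as the first
# active auth line, and pam_wheel.so required for group wheel.
#######################################
# Print the active (non-comment, non-blank) lines of a PAM file.
# Arguments: $1 - PAM configuration file
#######################################
pam_su_active_lines() {
  grep -v "^[[:space:]]*#" -- "$1" | grep -v "^$"
}
#######################################
# Warn No.2.1 when pam_rootok.so is not configured as 'auth sufficient',
# No.2.2 when it is present but not on the first active line, and No.2.3
# when pam_wheel.so is not required for group wheel.
# Arguments: $1 - PAM file for su (normally /etc/pam.d/su)
# Outputs:   No.2.x findings on stdout
#######################################
check_pam_su() {
  local pam_file=$1 rootok_line first_line wheel_line
  rootok_line=$(pam_su_active_lines "$pam_file" | grep "auth[[:space:]]*sufficient[[:space:]]*pam_rootok.so" | head -1)
  if [[ -z "$rootok_line" ]]; then
    echo -e "\e[31mNo.2.1请检查是否使用PAM认证模块禁止wheel组之外的用户su为root\n\e[0m"
  else
    # Blank lines are skipped here as well, so a leading empty line no
    # longer produces a false No.2.2 (the original kept blank lines).
    first_line=$(pam_su_active_lines "$pam_file" | head -1)
    if [[ "$first_line" != *rootok* ]]; then
      echo -e "\e[31mNo.2.2请检查pam_rootok.so顺序是否正确,不在首行请更改\n\e[0m"
    fi
  fi
  wheel_line=$(pam_su_active_lines "$pam_file" | grep "auth[[:space:]]*required[[:space:]]*pam_wheel.so group=wheel")
  if [[ -z "$wheel_line" ]]; then
    echo -e "\e[31mNo.2.3请检查是否使用PAM认证模块禁止wheel组之外的用户su为root,不是请更改\n\e[0m"
  fi
}
check_pam_su /etc/pam.d/su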
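###banner 3
# Banner 3: password ageing defaults for new accounts in /etc/login.defs.
#######################################
# Print the value of an active "KEY value" line in a login.defs style file.
# Only the last occurrence counts; an absent key prints nothing.
# Arguments: $1 - file, $2 - key (matched at the start of the line)
#######################################
login_defs_value() {
  grep -v "^[[:space:]]*#" -- "$1" | grep "^$2" | awk '{print $2}' | tail -n 1
}
#######################################
# Return 0 when a value is below a limit.  An empty or non-numeric value
# counts as 0, so a missing setting is reported instead of causing a
# [[ ... -lt ... ]] evaluation error.
# Arguments: $1 - value, $2 - limit
#######################################
login_defs_below() {
  local value=$1 limit=$2
  [[ "$value" =~ ^[0-9]+$ ]] || value=0
  (( value < limit ))
}
#######################################
# Warn when an ageing parameter is below the required minimum.
# Arguments: $1 - file (normally /etc/login.defs)
# Outputs:   No.3.1 - No.3.4 findings on stdout
#######################################
check_login_defs() {
  local defs=$1
  if login_defs_below "$(login_defs_value "$defs" PASS_MAX_DAYS)" 90; then
    echo -e "\e[31mNo.3.1请检查新建用户的密码最长使用天数是否大于90天,不是请更改\n\e[0m"
  fi
  if login_defs_below "$(login_defs_value "$defs" PASS_MIN_DAYS)" 10; then
    echo -e "\e[31mNo.3.2请检查新建用户的密码最短使用天数为10天,不是请更改\n\e[0m"
  fi
  if login_defs_below "$(login_defs_value "$defs" PASS_MIN_LEN)" 8; then
    echo -e "\e[31mNo.3.3请检查新建用户的密码最小长度是否为8,不是请更改\n\e[0m"
  fi
  if login_defs_below "$(login_defs_value "$defs" PASS_WARN_AGE)" 30; then
    echo -e "\e[31mNo.3.4请检查新建用户的密码到期提前提醒天数是否为30天,不是请更改\n\e[0m"
  fi
}
check_login_defs /etc/login.defs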
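###banner 4
# Banner 4: the UMASK value in /etc/login.defs must be 027.
#######################################
# Warn No.4 unless the last active umask/UMASK line of the file ends in 027.
# Arguments: $1 - file (normally /etc/login.defs)
# Outputs:   No.4 finding on stdout
#######################################
check_login_defs_umask() {
  local defs=$1 umask_value
  umask_value=$(grep -v "^[[:space:]]*#" -- "$defs" | grep -E 'umask|UMASK' | awk '{print $NF}' | tail -1)
  if [[ "$umask_value" != 027 ]]; then
    echo -e "\e[31mNo.4请检查用户目录缺省访问权限是否设置为027,不是请修改\n\e[0m"
  fi
}
check_login_defs_umask /etc/login.defs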
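###banner 5
# Banner 5: root must be the only account with UID 0.
#######################################
# Warn No.5 unless the list of UID-0 account names is exactly "root"
# (a second UID-0 account, or a missing root entry, both trigger it).
# Arguments: $1 - passwd file (normally /etc/passwd)
# Outputs:   No.5 finding on stdout
#######################################
check_uid0_accounts() {
  local passwd=$1 uid0_users
  uid0_users=$(awk -F ':' '$3 == 0 {print $1}' "$passwd")
  if [[ "$uid0_users" != 'root' ]]; then
    echo -e "\e[31mNo.5请检查是否禁止root之外的超级用户,若没特殊原因请整改\n\e[0m"
  fi
}
check_uid0_accounts /etc/passwd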
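###banner 6
# Banner 6: password complexity via pam_pwquality in system-auth.
#######################################
# Warn No.6 unless an active line carries the full pam_pwquality policy.
# The policy is matched as one literal sequence, so option order matters.
# Arguments: $1 - PAM file (normally /etc/pam.d/system-auth)
# Outputs:   No.6 finding on stdout
#######################################
check_pwquality() {
  local pam_file=$1
  if ! grep -v "^[[:space:]]*#" -- "$pam_file" | grep -q 'password[[:space:]]*requisite[[:space:]]*pam_pwquality.so[[:space:]]*retry=3[[:space:]]*difok=3[[:space:]]*minlen=8[[:space:]]*ucredit=-1[[:space:]]*lcredit=-1[[:space:]]*dcredit=-1'; then
    echo -e "\e[31mNo.6请设置口令复杂度\n\e[0m"
  fi
}
check_pwquality /etc/pam.d/system-auth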
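###banner 7
# Banners 7-11: syslog / rsyslog must forward logs to a remote host and
# record security events, account logins, su (authpriv) use and cron.
#######################################
# Print the active (non-comment, non-blank) lines of a syslog configuration.
# Arguments: $1 - configuration file
#######################################
syslog_active_lines() {
  grep -v "^[[:space:]]*#" -- "$1" | grep -v "^$"
}
#######################################
# Print a finding when a configuration file exists but none of its active
# lines matches a pattern.  A missing file is skipped silently, as before.
# Arguments: $1 - configuration file, $2 - grep (BRE) pattern,
#            $3 - message for echo -e
#######################################
syslog_require() {
  local conf=$1 pattern=$2 message=$3
  [[ -f "$conf" ]] || return 0
  if ! syslog_active_lines "$conf" | grep -q -e "$pattern"; then
    echo -e "$message"
  fi
}
#######################################
# Run the banner 7-11 checks against one rsyslog.conf and one syslog.conf.
# Patterns are the original ones; the stray backslashes before ';' and '/'
# (which newer grep warns about) were dropped without changing the match.
# Arguments: $1 - rsyslog.conf path, $2 - syslog.conf path
# Outputs:   No.7 - No.11 findings on stdout
#######################################
check_syslog_configs() {
  local rsyslog_conf=$1 syslog_conf=$2
  syslog_require "$rsyslog_conf" '*.*[[:space:]]@' "\e[33mNo.7请启用rsyslog远程日志功能,具体IP请与现场核对后填写\n\e[0m"
  if [[ -f "$syslog_conf" ]] && ! syslog_active_lines "$syslog_conf" | grep -q -E '[[:space:]]*.+@.+'; then
    echo -e "\e[31mNo.7请启用syslog远程日志功能,具体IP请与现场核对后填写\n\e[0m"
  fi
  ###banner 8
  syslog_require "$rsyslog_conf" '*.err;kern\.debug;daemon\.notice[[:space:]]*/var/adm/messages' "\e[31mNo.8请检查是否记录rsyslog安全事件日志,/var/adm/messages为绿盟版\n\e[0m"
  syslog_require "$syslog_conf" '*.err;kern\.debug;daemon\.notice[[:space:]]*/var/adm/messages' "\e[31mNo.8请检查是否记录syslog安全事件日志,/var/adm/messages为绿盟版\n\e[0m"
  ###banner 9
  syslog_require "$rsyslog_conf" 'auth.info[[:space:]]*/var/log/authlog' "\e[31mNo.9请检查是否记录rsyslog帐户登录日志,请检查是否有/var/log/authlog项目\n\e[0m"
  syslog_require "$syslog_conf" 'auth.info[[:space:]]*/var/log/authlog' "\e[31mNo.9.请检查是否记录syslog帐户登录日志,请检查是否有/var/log/authlog项目\n\e[0m"
  ###banner 10
  syslog_require "$rsyslog_conf" 'authpriv\.\*[[:space:]]/*' "\e[31mNo.10.请检查rsyslog是否配置su命令使用情况记录,没有请整改\n\e[0m"
  syslog_require "$syslog_conf" 'authpriv\.\*[[:space:]]/*' "\e[31mNo.10.请检查rsyslog是否配置su命令使用情况记录,没有请整改\n\e[0m"
  ###banner 11
  syslog_require "$rsyslog_conf" 'cron.*[[:space:]]*/var/log/cron' "\e[31mNo.11.请检查rsyslog是否记录cron行为日志,请检查是否有/var/log/cron\n\e[0m"
  syslog_require "$syslog_conf" 'cron.*[[:space:]]*/var/log/cron' "\e[31mNo.11.请检查syslog是否记录cron行为日志,请检查是否有/var/log/cron\n\e[0m"
}
check_syslog_configs /etc/rsyslog.conf /etc/syslog.conf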
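###banner 12
# Banner 12: the ctrl-alt-del target must not exist (reboot disabled).
#######################################
# Warn No.12 when the systemd ctrl-alt-del target file exists.
# Arguments: $1 - target unit path
# Outputs:   No.12 finding on stdout
#######################################
check_ctrl_alt_del() {
  local target=$1
  if [[ -f "$target" ]]; then
    echo -e "\e[31mNo.12.检查是否禁止掉ctrl-alt-del重启\n\e[0m"
  fi
}
check_ctrl_alt_del /usr/lib/systemd/system/ctrl-alt-del.target
###banner 13
# Banner 13: /etc/issue and /etc/issue.net must be reviewed (or removed).
#######################################
# Warn No.13 for each banner file that exists.
# Arguments: $1 - issue file, $2 - issue.net file
# Outputs:   No.13 findings on stdout
#######################################
check_issue_banners() {
  local issue=$1 issue_net=$2
  if [[ -f "$issue" ]]; then
    echo -e "\e[31mNo.13.请检查issue是否修改系统banner,没有请删除\n\e[0m"
  fi
  if [[ -f "$issue_net" ]]; then
    echo -e "\e[31mNo.13.请检issue.net是否修改系统banner,没有请删除\n\e[0m"
  fi
}
check_issue_banners /etc/issue /etc/issue.net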
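###banner 14
# Banners 14-15: sshd must not listen on port 22 and must refuse root logins.
#######################################
# Print the second field of every active sshd_config line matching a pattern.
# Arguments: $1 - sshd_config path, $2 - grep pattern for the keyword
#######################################
sshd_option_values() {
  grep -v "^[[:space:]]*#" -- "$1" | grep "$2" | awk '{print $2}'
}
#######################################
# Warn No.14 when sshd listens on 22 and No.15 unless PermitRootLogin is no.
# sshd listens on every Port directive, so any value of 22 is reported, and
# no Port directive at all means the default port 22.  For PermitRootLogin
# sshd uses the first value it reads, so the first active line is checked.
# Arguments: $1 - sshd_config path; a missing file is skipped
# Outputs:   No.14 / No.15 findings on stdout
#######################################
check_sshd_config() {
  local config=$1 ports root_login
  [[ -f "$config" ]] || return 0
  ports=$(sshd_option_values "$config" "Port ")
  if [[ -z "$ports" ]] || printf '%s\n' "$ports" | grep -qx 22; then
    echo -e "\e[31mNo.14.当前ssh端口为22,请修改ssh端口\n\e[0m"
  fi
  ###banner 15
  root_login=$(sshd_option_values "$config" "PermitRootLogin" | head -n 1)
  if [[ "$root_login" != 'no' ]]; then
    echo -e "\e[31mNo.15.当前root可ssh登录服务器,请禁止掉root通过ssh登录\n\e[0m"
  fi
}
check_sshd_config /etc/ssh/sshd_config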
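###banner 16
# Banner 16: with sha512 hashing, pam_unix must remember at least 5 old
# passwords.
#######################################
# Print the active "password sufficient pam_unix.so" lines of a PAM file.
# Arguments: $1 - PAM file
#######################################
pam_unix_password_lines() {
  grep -v '^[[:space:]]*#' -- "$1" | grep 'password[[:space:]]*sufficient[[:space:]]*pam_unix.so'
}
#######################################
# Warn No.16 when the sha512 pam_unix line has no remember=N, or N < 5.
# The original only looked at lines that literally said remember=5 and
# then tested that value for being below 5, so the finding could never
# fire; the value is now extracted from whatever remember= is present.
# Arguments: $1 - PAM file (normally /etc/pam.d/system-auth)
# Outputs:   No.16 finding on stdout
#######################################
check_pam_remember() {
  local pam_file=$1 hash_algo remember
  hash_algo=$(pam_unix_password_lines "$pam_file" | awk '{print $4}')
  if [[ "$hash_algo" = "sha512" ]]; then
    remember=$(pam_unix_password_lines "$pam_file" | grep -o 'remember=[0-9]*' | cut -d = -f 2 | tail -n 1)
    if [[ -z "$remember" ]] || (( remember < 5 )); then
      echo -e "\e[31mNo.16.请查看是否配置禁止输入前面5次输入的密码\n\e[0m"
    fi
  fi
}
check_pam_remember /etc/pam.d/system-auth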
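###banner 17
# Banner 17: logrotate.conf must not use daily/weekly/yearly and must keep
# 4 rotations.
#######################################
# Warn No.17 when an active daily/weekly/yearly line exists, and again when
# the active "rotate" value is not exactly 4.  A missing file is skipped.
# Arguments: $1 - logrotate.conf path
# Outputs:   No.17 findings on stdout
#######################################
check_logrotate() {
  local conf=$1 interval_count rotate_value
  [[ -f "$conf" ]] || return 0
  interval_count=$(grep -v "^[[:space:]]*#" -- "$conf" | grep -E -c "^(daily|weekly|yearly)")
  if [[ "$interval_count" != 0 ]]; then
    echo -e "\e[31mNo.17.请查看是否修改日志记录时间\n\e[0m"
  fi
  rotate_value=$(grep -v "^[[:space:]]*#" -- "$conf" | grep ^rotate | awk '{print $2}')
  if [[ "$rotate_value" != 4 ]]; then
    echo -e "\e[31mNo.17.请查看是否修改日志记录时间\n\e[0m"
  fi
}
check_logrotate /etc/logrotate.conf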
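###banner 18
# Banner 18: an SSH banner file and a motd must exist.  Only existence is
# checked; the expected banner text ("Authorized only. All activity will be
# monitored and reported") is not verified here.
#######################################
# Warn No.18.1 when the SSH banner file is missing, No.18.2 for the motd.
# Arguments: $1 - SSH banner file, $2 - motd file
# Outputs:   No.18.x findings on stdout
#######################################
check_banner_files() {
  local ssh_banner=$1 motd=$2
  if [[ ! -f "$ssh_banner" ]]; then
    echo -e "\e[31mNo.18.1请建立SSH的Banner警告信息\n\e[0m"
  fi
  if [[ ! -f "$motd" ]]; then
    echo -e "\e[31mNo.18.2请建立SSH的motd警告信息\n\e[0m"
  fi
}
check_banner_files /etc/ssh_banner /etc/motd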
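###banner 19
# Banner 19: the listed service accounts must have no password expiry.
#######################################
# For each account name present in the passwd file, warn No.19 unless chage
# reports a maximum password age of 99999.  The name is anchored on the
# first field so "liu" no longer matches "liuxiang"; chage runs under
# LC_ALL=C because the "Maximum number" label is matched in English.
# Arguments: $1 - passwd file, $2... - account names
# Outputs:   No.19 findings on stdout
#######################################
check_password_expiry() {
  local passwd=$1 account max_days
  shift
  for account in "$@"; do
    if grep -v "^[[:space:]]*#" -- "$passwd" | grep -q "^${account}:"; then
      max_days=$(LC_ALL=C chage -l "$account" | grep "Maximum number" | awk -F ': ' '{print $2}')
      if [[ "$max_days" != 99999 ]]; then
        echo -e "\e[31mNo.19.请修改${account}用户密码有效期为无限期\n\e[0m"
      fi
    fi
  done
}
check_password_expiry /etc/passwd liu root gpadmin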
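###banner 20
# Banner 20: kernel parameters - ICMP redirects must be disabled in sysctl.conf.
#######################################
# Print the last active "KEY = VALUE" line of a sysctl.conf for a key.
# Arguments: $1 - sysctl.conf path, $2 - key
#######################################
sysctl_conf_line() {
  grep -v "^[[:space:]]*#" -- "$1" | grep "$2[[:space:]]*=" | tail -n 1
}
#######################################
# Print the value part of a "KEY = VALUE" line with surrounding blanks removed.
# Arguments: $1 - the line
#######################################
sysctl_line_value() {
  printf '%s\n' "$1" | awk -F = '{print $2}' | tr -d '[:space:]'
}
#######################################
# Warn No.20.1 / No.20.3 when accept_redirects / send_redirects is set to
# something other than 0, No.20.2 / No.20.4 when the key is absent.
# Spacing around '=' no longer matters (the original required "key =").
# Arguments: $1 - sysctl.conf path
# Outputs:   No.20.x findings on stdout
#######################################
check_icmp_redirects() {
  local conf=$1 line
  line=$(sysctl_conf_line "$conf" "net.ipv4.conf.all.accept_redirects")
  if [[ -n "$line" ]]; then
    if [[ "$(sysctl_line_value "$line")" != 0 ]]; then
      echo -e "\e[31mNo.20.1请检查是否禁止icmp重定向(accept_redirects)\n\e[0m"
    fi
  else
    echo -e "\e[31mNo.20.2请检查是否禁止icmp重定向(accept_redirects)\n\e[0m"
  fi
  line=$(sysctl_conf_line "$conf" "net.ipv4.conf.all.send_redirects")
  if [[ -n "$line" ]]; then
    if [[ "$(sysctl_line_value "$line")" != 0 ]]; then
      echo -e "\e[31mNo.20.3请检查是否禁止icmp重定向(send_redirects)\n\e[0m"
    fi
  else
    echo -e "\e[31mNo.20.4请检查是否禁止icmp重定向(send_redirects)\n\e[0m"
  fi
}
check_icmp_redirects /etc/sysctl.conf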
###banner 21
#file="/etc/ssh/sshd_config"
#if [ -f "$file" ]; then
# sshversion=`cat $file|grep -v "^[[:space:]]*#"|grep "Protocol"|awk '{print $2}'`
# if [[ "$sshversion" != "2" ]];then
# echo -e "\e[31mNo.21.1请检查ssh协议是否使用版本2\n\e[0m"
# fi
#else echo -e "\e[31mNo.21.2请检查是否存在/etc/ssh/sshd_config文件\n\e[0m"
#fi
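###banner 22
# Banner 22: pam_tally2 login-failure lockout (deny=5, unlock_time=600) must
# be configured for login, sshd and system-auth, and must NOT be set for su.
#######################################
# Return 0 when an active line of a PAM file matches a grep (BRE) pattern.
# Arguments: $1 - PAM file, $2 - pattern
#######################################
pam_has_line() {
  grep -v "^[[:space:]]*#" -- "$1" | grep -q -e "$2"
}
# The lockout line required in login and sshd.
readonly TALLY2_AUTH_LINE='auth[[:space:]]*required[[:space:]]*pam_tally2.so[[:space:]]*deny=5[[:space:]]*unlock_time=600[[:space:]]*even_deny_root root_unlock_time=10'
#######################################
# Run the banner 22 checks.  A missing file yields its own finding.
# Arguments: $1 - /etc/pam.d/login, $2 - /etc/pam.d/sshd,
#            $3 - /etc/pam.d/su, $4 - /etc/pam.d/system-auth
# Outputs:   No.22.1 - No.22.9 findings on stdout
#######################################
check_pam_tally2() {
  local login=$1 sshd=$2 su=$3 system_auth=$4
  if [[ -f "$login" ]]; then
    if ! pam_has_line "$login" "$TALLY2_AUTH_LINE"; then
      echo -e "\e[31mNo.22.1请检查login文件是否设置用户登陆次数失败锁定策略(deny=5,time=600)\n\e[0m"
    fi
  else
    echo -e "\e[31mNo.22.2请检查是否存在/etc/pam.d/login文件\n\e[0m"
  fi
  if [[ -f "$sshd" ]]; then
    if ! pam_has_line "$sshd" "$TALLY2_AUTH_LINE"; then
      echo -e "\e[31mNo.22.3请检查sshd文件是否设置用户登陆次数失败锁定策略(deny=5,time=600)\n\e[0m"
    fi
  else
    echo -e "\e[31mNo.22.4请检查是否存在/etc/pam.d/sshd文件\n\e[0m"
  fi
  if [[ -f "$su" ]]; then
    # su must not lock accounts, so here a matching line IS the finding.
    if pam_has_line "$su" 'auth[[:space:]]*required[[:space:]]*pam_tally2.so[[:space:]]*deny=[0-9]*[[:space:]]*unlock_time=[0-9]*[[:space:]]*even_deny_root root_unlock_time=10'; then
      echo -e "\e[31mNo.22.5请将su文件取消掉用户登陆次数失败锁定策略\n\e[0m"
    fi
  else
    echo -e "\e[31mNo.22.6请检查是否存在/etc/pam.d/su文件\n\e[0m"
  fi
  if [[ -f "$system_auth" ]]; then
    # Either accepted auth line satisfies the check.  The original tested an
    # undefined variable ($var instead of $Var) and a wc -l count with -z,
    # so No.22.7 could never be printed.
    if ! pam_has_line "$system_auth" 'auth[[:space:]]*required[[:space:]]*pam_tally2.so[[:space:]]*deny=5[[:space:]]*unlock_time=600[[:space:]]* even_deny_root root_unlock_time=10' \
      && ! pam_has_line "$system_auth" 'auth[[:space:]]*required[[:space:]]*pam_tally2.so[[:space:]]*deny=5[[:space:]]*onerr=fail[[:space:]]*no_magic_root[[:space:]]*unlock_time=600'; then
      echo -e "\e[31mNo.22.7请检查system-auth文件是否设置用户登陆次数失败锁定策略(deny=5,time=600)\n\e[0m"
    fi
    if ! pam_has_line "$system_auth" 'account[[:space:]]*required[[:space:]]*pam_tally2.so\>'; then
      echo -e "\e[31mNo.22.8请检查system-auth文件是否设置用户登陆次数失败锁定略\n\e[0m"
    fi
  else
    echo -e "\e[31mNo.22.9请检查是否存在/etc/pam.d/system-auth文件\n\e[0m"
  fi
}
check_pam_tally2 /etc/pam.d/login /etc/pam.d/sshd /etc/pam.d/su /etc/pam.d/system-auth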
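###banner 23
# Banner 23: root must not log in over telnet - pam_securetty.so required
# in /etc/pam.d/login.
#######################################
# Warn No.23.1 unless an active pam_securetty.so auth line exists, No.23.2
# when the file is missing.
# Arguments: $1 - PAM login file
# Outputs:   No.23.x findings on stdout
#######################################
check_securetty() {
  local login=$1
  if [[ -f "$login" ]]; then
    if ! grep -v "^[[:space:]]*#" -- "$login" | grep -q 'auth[[:space:]]*required[[:space:]]*pam_securetty.so\>'; then
      echo -e "\e[31mNo.23.1请检查是否禁止root用户远程telnet登录\n\e[0m"
    fi
  else
    echo -e "\e[31mNo.23.2请检查是否存在/etc/pam.d/login文件\n\e[0m"
  fi
}
check_securetty /etc/pam.d/login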
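###banner 24
# Banner 24: permissions of important configuration files (600) and
# rc directories (750).
#######################################
# Print the octal mode of a path, following symlinks (the rc*.d entries are
# usually links); nothing when the path cannot be stat'ed.
# Arguments: $1 - path
#######################################
path_mode() {
  stat -L -c %a -- "$1" 2>/dev/null
}
#######################################
# Warn No.24.1 for every existing path whose mode is not 600.  The original
# guarded the check with [[ -z $Files ]], which is never true for a
# non-empty list element, so no file was ever examined.
# Arguments: $@ - paths; missing ones are skipped
# Outputs:   No.24.1 findings on stdout
#######################################
check_mode_600() {
  local path mode
  for path in "$@"; do
    [[ -e "$path" ]] || continue
    mode=$(path_mode "$path")
    if [[ "$mode" != 600 ]]; then
      echo -e "\e[31mNo.24.1请检查${path}重要目录或文件权限设置为600\n\e[0m"
    fi
  done
}
#######################################
# Warn No.24.2 for every existing path whose mode is not 750.  The original
# took the last column of `ls -ld`, which for a symlink is the (relative)
# link target and made stat fail.
# Arguments: $@ - paths; missing ones are skipped
# Outputs:   No.24.2 findings on stdout
#######################################
check_mode_750() {
  local path mode
  for path in "$@"; do
    [[ -e "$path" ]] || continue
    mode=$(path_mode "$path")
    if [[ "$mode" != 750 ]]; then
      echo -e "\e[31mNo.24.2请检查${path}重要目录或文件权限设置为750\n\e[0m"
    fi
  done
}
check_mode_600 /etc/xinetd.conf /etc/security /etc/grub.conf /boot/grub/grub.conf /etc/lilo.conf
check_mode_750 /etc/rc.d/init.d/ /etc/rc0.d/ /etc/rc1.d/ /etc/rc2.d/ /etc/rc3.d/ /etc/rc4.d/ /etc/rc5.d/ /etc/rc6.d/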
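###banner 25
# Banner 25: the user umask in the shell rc files must be 077.
#######################################
# Print the last field of the first umask/UMASK line that contains no '#'.
# Arguments: $1 - rc file
#######################################
umask_first_value() {
  grep -E 'umask|UMASK' -- "$1" | grep -v '#' | head -n1 | awk '{print $NF}'
}
#######################################
# Warn when an existing rc file does not set umask 077; optionally warn
# when the file is missing.  The original tested [ -n $Files ] (the
# variable, always true) instead of the file's existence.
# Arguments: $1 - rc file, $2 - message for a wrong umask,
#            $3 - optional message for a missing file
# Outputs:   the applicable message via echo -e
#######################################
check_user_umask() {
  local rc_file=$1 bad_msg=$2 missing_msg=${3-} umask_value
  if [[ -f "$rc_file" ]]; then
    umask_value=$(umask_first_value "$rc_file")
    if [[ "$umask_value" != "077" ]]; then
      echo -e "$bad_msg"
    fi
  elif [[ -n "$missing_msg" ]]; then
    echo -e "$missing_msg"
  fi
}
check_user_umask /etc/csh.cshrc "\e[31mNo.25.1请检查/etc/csh.cshrc用户umask设置\n\e[0m"
check_user_umask /etc/csh.login "\e[31mNo.25.2请检查/etc/csh.login用户umask设置\n\e[0m"
check_user_umask /etc/bashrc "\e[31mNo.25.3请检查/etc/bashrc文件用户umask设置\n\e[0m" "\e[31mNo.25.3请检查/etc/bashrc文件用户是否存在\n\e[0m"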
###banner 26
#Files="/etc/snmp/snmpd.conf"
#if [ -f $Files ];then
# Snmpd_VAR=`grep 'com2sec' ${Files} |grep -v '#'|awk '{print $NF}'`
# if [[ ${Snmpd_VAR} == "public" ]];then
# echo -e "\e[31mNo.26.1请检查是否修改snmp默认团体字\n\e[0m"
# elif [[ ${Snmpd_VAR} != "GnNetworkRO" ]];then
# echo -e "\e[31mNo.26.2snmp默认团体字为${Snmpd_VAR},是否要统一?\n\e[0m"
# fi
#else echo -e "\e[31mNo.26.3没有${Files}文件,请确认是否要添加?\n\e[0m"
#fi
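###banner 27
# Banner 27: unnecessary network services must not be enabled (EL7 only).
#######################################
# Filter `systemctl list-unit-files` output (stdin) down to the STATE of
# unit files whose name matches a known-unneeded service, keeping only
# those that are exactly "enabled".  Column 2 is used instead of the last
# column because newer systemd appends a "VENDOR PRESET" column, and the
# match is exact because a plain `grep enabled` also matched "disabled".
# The original's '^time/>' and '^time-udp' alternatives contained literal
# quote characters and could never match, so they are omitted.
#######################################
enabled_unneeded_units() {
  grep -E "kshell|ntalk|sendmail|klogin|printer|nfslock|echo|echo-udp|discard|chargen|bootps|tftp|nfs|daytime|ypbind|ident" | awk '{print $2}' | grep -x enabled
}
#######################################
# Warn No.27.2 when any unneeded unit listed on stdin is enabled.
# Outputs:   No.27.2 finding on stdout
#######################################
check_unneeded_services() {
  local state
  state=$(enabled_unneeded_units)
  if [[ -n "$state" ]]; then
    echo -e "\e[31mNo.27.2请检查是否关闭不必要的服务和端口\n\e[0m"
  fi
}
if [[ "$(uname -r)" == *el7* ]]; then
  systemctl list-unit-files | check_unneeded_services
fi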
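###banner 28
# Banner 28: core dumps must be disabled for all users (hard and soft).
#######################################
# Count the active "* <kind> core 0" lines of a limits.conf file.
# Arguments: $1 - limits.conf path, $2 - hard or soft
# Outputs:   the count on stdout
#######################################
core_limit_count() {
  grep -v "^[[:space:]]*#" -- "$1" | grep -c "\*[[:space:]]*$2[[:space:]]*core[[:space:]]*0"
}
#######################################
# Warn No.28.1 when a kind has no "core 0" line, No.28.2 when it has more
# than one, No.28.3 when the file is missing.  The original tested
# [ -n $Files ] (always true) instead of the file's existence, and the
# grep pattern was unquoted and therefore subject to globbing.
# Arguments: $1 - limits.conf path
# Outputs:   No.28.x findings on stdout
#######################################
check_core_dump_limits() {
  local limits=$1 kind count
  if [[ -f "$limits" ]]; then
    for kind in hard soft; do
      count=$(core_limit_count "$limits" "$kind")
      if [[ "$count" == 0 ]]; then
        echo -e "\e[31mNo.28.1请检查${limits}文件系统core dump设置中的${kind}部分\n\e[0m"
      fi
      if (( count > 1 )); then
        echo -e "\e[31mNo.28.2请检查${limits}文件系统core dump设置中的${kind}部分是否有重复项\n\e[0m"
      fi
    done
  else
    echo -e "\e[31mNo.28.3没有${limits}文件\n\e[0m"
  fi
}
check_core_dump_limits /etc/security/limits.conf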
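###banner 29
# Banner 29: well-known aliases must be removed from /etc/aliases
# (or /etc/mail/aliases).
#######################################
# Return 0 when a line of the file starts with the alias (name plus colon).
# Arguments: $1 - aliases file, $2 - alias name including the trailing ':'
#######################################
alias_defined() {
  grep -q -- "^$2" "$1" 2>/dev/null
}
#######################################
# Warn No.29.1 / No.29.2 for every listed alias still defined in an
# existing aliases file.  Each file is now searched on its own; the
# original reused the result from the first file for the second and
# tested [ -n $Files ] (always true) instead of the file's existence.
# Arguments: $1 - /etc/aliases path, $2 - /etc/mail/aliases path
# Outputs:   No.29.x findings on stdout
#######################################
check_mail_aliases() {
  local aliases=$1 mail_aliases=$2 alias_name
  for alias_name in games: ingres: system: toor: uucp: manager: dumper: operator: decode: root:; do
    if [[ -f "$aliases" ]] && alias_defined "$aliases" "$alias_name"; then
      echo -e "\e[31mNo.29.1请检查别名文件${aliases}中的 ${alias_name}是否修改\n\e[0m"
    fi
    if [[ -f "$mail_aliases" ]] && alias_defined "$mail_aliases" "$alias_name"; then
      echo -e "\e[31mNo.29.2请检查别名文件${mail_aliases}中的 ${alias_name}是否修改\n\e[0m"
    fi
  done
}
check_mail_aliases /etc/aliases /etc/mail/aliases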
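###banner 31
# Banner 31: IP spoofing protection and multi-homing in /etc/host.conf.
#######################################
# Print the last field of the last active line containing a directive.
# Commented lines are ignored (the original counted them as active).
# Arguments: $1 - host.conf path, $2 - directive name
#######################################
host_conf_value() {
  grep -v "^[[:space:]]*#" -- "$1" | grep "$2[[:space:]]*" | awk '{print $NF}' | tail -n 1
}
#######################################
# Warn No.31.1 for each of multi/nospoof that is not "on", No.31.2 when no
# order directive exists, and the (originally numbered) No.32.3 message
# when the file is missing.
# Arguments: $1 - host.conf path
# Outputs:   findings on stdout
#######################################
check_host_conf() {
  local host_conf=$1 directive value
  if [[ -f "$host_conf" ]]; then
    for directive in multi nospoof; do
      value=$(host_conf_value "$host_conf" "$directive")
      if [[ "$value" != "on" ]]; then
        echo -e "\e[31mNo.31.1请检查${host_conf}中${directive}是否配置正确\n\e[0m"
      fi
    done
    if ! grep -v "^[[:space:]]*#" -- "$host_conf" | grep -q 'order[[:space:]]*'; then
      echo -e "\e[31mNo.31.2请检查${host_conf}中是否绑定多IP功能\n\e[0m"
    fi
  else
    echo -e "\e[31mNo.32.3没有${host_conf}文件\n\e[0m"
  fi
}
check_host_conf /etc/host.conf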
###banner 32
#检查是否存在心血漏洞
#Openssl_version_Fact=`openssl version|awk '{print $2}'| cut -d - -f 1`
#if [[ $Openssl_version_Fact ]];then
# Openssl_version_Name=(1.0.0 1.0.1f 1.0.1e 1.0.1d 1.0.1c 1.0.1b 1.0.1 1.0.2-beta 1.0.2-beta1)
# for Var in ${Openssl_version_Name[*]}
# do
# if [[ ${Var} == ${Openssl_version_Fact} ]];then
# echo -e "\e[31mNo.32.1存在心血漏洞,openssl版本为${Var}\n\e[0m"
# fi
# done
#fi
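###banner 33
# Banner 33: IP forwarding must be disabled at runtime and in sysctl.conf
# (EL6 and EL7 only, which differ in the sysctl binary location).
#######################################
# Print the distinct configured net.ipv4.ip_forward value(s) of a sysctl.conf.
# Arguments: $1 - sysctl.conf path
#######################################
configured_ip_forward() {
  grep -v "^[[:space:]]*#" -- "$1" | grep 'net.ipv4.ip_forward' | awk -F = '{print $NF}' | awk '{print $NF}' | uniq
}
#######################################
# Compare the running value with the configured one and print the finding
# that applies.  The running value is passed in so the check is the same
# for EL6 and EL7 (the original duplicated the whole block).
# Arguments: $1 - running value (from sysctl -n), $2 - sysctl.conf path,
#            $3 - message when the file disagrees with a running value of 0,
#            $4 - message when the running value is not 0,
#            $5 - message when the file is missing
# Outputs:   the applicable message via echo -e
#######################################
check_ip_forward() {
  local running=$1 conf=$2 msg_file=$3 msg_running=$4 msg_missing=$5 configured
  if [[ -f "$conf" ]]; then
    configured=$(configured_ip_forward "$conf")
    if [[ "$running" = 0 ]]; then
      if [[ "$configured" != 0 ]]; then
        echo -e "$msg_file"
      fi
    else
      echo -e "$msg_running"
    fi
  else
    echo -e "$msg_missing"
  fi
}
kernel_release=$(uname -r)
if [[ "$kernel_release" == *el7* ]]; then
  check_ip_forward "$(/usr/sbin/sysctl -n net.ipv4.ip_forward)" /etc/sysctl.conf \
    "\e[31mNo.33.1请检查是否禁止ip路由转发\n\e[0m" \
    "\e[31mNo.33.2请检查是否禁止ip路由转发\n\e[0m" \
    "\e[31mNo.33.3没有/etc/sysctl.conf文件\n\e[0m"
fi
if [[ "$kernel_release" == *el6* ]]; then
  check_ip_forward "$(/sbin/sysctl -n net.ipv4.ip_forward)" /etc/sysctl.conf \
    "\e[31mNo.33.4请检查是否禁止ip路由转发\n\e[0m" \
    "\e[31mNo.33.5请检查是否禁止ip路由转发\n\e[0m" \
    "\e[31mNo.33.6没有/etc/sysctl.conf文件\n\e[0m"
fi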
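###banner 34
# Banner 34: vsftpd hardening - banner text, recursive listing, umasks,
# chroot and anonymous access.
#######################################
# Print the active (uncommented) lines of a vsftpd configuration file.
# Arguments: $1 - vsftpd.conf path
#######################################
vsftpd_active() {
  grep -v "^[[:space:]]*#" -- "$1"
}
#######################################
# Print the last value of OPTION=VALUE lines matching a pattern
# (case-insensitive match, value after the last '=').
# Arguments: $1 - vsftpd.conf path, $2 - grep pattern for the option line
#######################################
vsftpd_last_value() {
  vsftpd_active "$1" | grep -i -- "$2" | awk -F'=' '{print $NF}' | tail -n 1
}
#######################################
# Run every banner-34 check against one vsftpd.conf.  Boolean values are
# compared in upper case so "yes"/"no" behave like "YES"/"NO".
# Arguments: $1 - vsftpd.conf path (must exist)
# Outputs:   No.34.x findings on stdout
#######################################
check_vsftpd_conf() {
  local ftp=$1 Status banner_value expected_banner
  local recurse recurse_yes recurse_no local_umask anon_umask
  local chroot_list chroot_list_yes chroot_list_no anon_yes anon_no
  local chroot_local chroot_local_yes chroot_local_no
  # The service state is determined up front so every message can report it;
  # the original only computed it inside one branch and the No.34.1 message
  # printed a stale or empty value.
  if [[ -n "$(netstat -npl 2>/dev/null | grep vsftpd)" ]]; then
    Status="vsftpd服务处于开启"
  else
    Status="vsftpd服务处于关闭"
  fi
  banner_value=$(vsftpd_active "$ftp" | grep 'ftpd_banner=[[:space:]]*' | awk -F = '{print $NF}')
  expected_banner="\"Authorized users only. All activity may be monitored and reported.\""
  if [[ -n "$banner_value" ]]; then
    if [[ "$banner_value" != "$expected_banner" ]]; then
      echo -e "\e[31mNo.34.2请检查FTP Banner信息是否准确\n\e[0m"
    fi
  else
    echo -e "\e[31mNo.34.1请检查是否修改FTP Banner信息? ${Status}\n\e[0m"
  fi
  recurse=$(vsftpd_active "$ftp" | grep -i "ls_recurse_enable=")
  recurse_yes=$(vsftpd_last_value "$ftp" "ls_recurse_enable=YES")
  recurse_no=$(vsftpd_last_value "$ftp" "ls_recurse_enable=NO")
  if [[ -n "$recurse" ]]; then
    if [[ "${recurse_no^^}" = NO ]]; then
      if [[ "${recurse_yes^^}" = YES ]]; then
        echo -e "\e[35mNo.34.3请检查FTP中ls_recurse_enable是否有NO项?${Status}\n\e[0m"
      else
        echo -e "\e[35mNo.34.4请检查FTP中ls_recurse_enable是否配置正确?${Status}\n\e[0m"
      fi
    fi
  else
    echo -e "\e[35mNo.34.5请检查FTP中ls_recurse_enable是否配置?${Status}\n\e[0m"
  fi
  local_umask=$(vsftpd_active "$ftp" | grep "local_umask[[:space:]]*=[[:space:]]*022")
  if [[ -z "$local_umask" ]]; then
    echo -e "\e[31mNo.34.6请检查FTP中local_umask是否配置?${Status}\n\e[0m"
  fi
  anon_umask=$(vsftpd_active "$ftp" | grep "anon_umask[[:space:]]*=[[:space:]]*022")
  if [[ -z "$anon_umask" ]]; then
    echo -e "\e[31mNo.34.7请检查FTP中anon_umask是否配置?${Status}\n\e[0m"
  fi
  chroot_list=$(vsftpd_active "$ftp" | grep 'chroot_list_enable=')
  chroot_list_yes=$(vsftpd_last_value "$ftp" 'chroot_list_enable=YES')
  chroot_list_no=$(vsftpd_last_value "$ftp" 'chroot_list_enable=NO')
  if [[ -n "$chroot_list" ]]; then
    if [[ "${chroot_list_no^^}" = NO ]]; then
      if [[ "${chroot_list_yes^^}" = YES ]]; then
        echo -e "\e[35mNo.34.8请检查FTP中chroot_list是否有NO项?${Status}\n\e[0m"
      else
        echo -e "\e[35mNo.34.9请检查FTP中chroot_list是否配置正确?${Status}\n\e[0m"
      fi
    fi
  fi
  anon_yes=$(vsftpd_last_value "$ftp" 'anonymous_enable=YES')
  anon_no=$(vsftpd_last_value "$ftp" 'anonymous_enable=NO')
  if [[ "${anon_yes^^}" = YES ]]; then
    if [[ "${anon_no^^}" = NO ]]; then
      echo -e "\e[35mNo.34.11请检查FTP中anonymous_enable是否仍有YES项?${Status}\n\e[0m"
    else
      echo -e "\e[35mNo.34.12请检查FTP中anonymous是否配置为YES?${Status}\n\e[0m"
    fi
  fi
  chroot_local=$(vsftpd_active "$ftp" | grep 'chroot_local_user=')
  chroot_local_yes=$(vsftpd_active "$ftp" | grep -c -i 'chroot_local_user=YES')
  chroot_local_no=$(vsftpd_active "$ftp" | grep -c -i 'chroot_local_user=NO')
  if [[ -n "$chroot_local" ]]; then
    if [[ "$chroot_local_no" = 0 ]]; then
      if (( chroot_local_yes >= 1 )); then
        echo -e "\e[35mNo.34.13请检查FTP中chroot_local_user是否仍有YES项?${Status}\n\e[0m"
      else
        echo -e "\e[35mNo.34.14请检查FTP中chroot_local_user是否配置为NO,不是请整改!${Status}\n\e[0m"
      fi
    fi
  else
    echo -e "\e[35mNo.34.15请检查FTP中chroot_local_user是否配置?${Status}\n\e[0m"
  fi
}
for ftp_conf in /etc/vsftpd.conf /etc/vsftpd/vsftpd.conf; do
  if [[ -f "$ftp_conf" ]]; then
    check_vsftpd_conf "$ftp_conf"
  fi
done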
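###banner 36
# Banner 36: remote login sources must be restricted via hosts.allow/deny.
#######################################
# Warn No.36.1 for every existing access file with no active line containing
# "all", No.36.2 for each missing file.
# Arguments: $@ - access-control files
# Outputs:   No.36.x findings on stdout
#######################################
check_hosts_access() {
  local access_file
  for access_file in "$@"; do
    if [[ -f "$access_file" ]]; then
      if ! grep -v "^[[:space:]]*#" -- "$access_file" | grep -q all; then
        echo -e "\e[33mNo.36.1请检查${access_file}文件是否限制远程登录IP范围?是否配置all:all,该项配置有风险,请现场工程师确认allow文件没问题后再进行配置?\n\e[0m"
      fi
    else
      echo -e "\e[31mNo.36.2请检查${access_file}文件是否存在?\n\e[0m"
    fi
  done
}
check_hosts_access /etc/hosts.allow /etc/hosts.deny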
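###banner 37
# Banner 37: IP source routing must be disabled on every interface, and the
# lo setting must be re-applied from rc.local at boot.
#######################################
# Warn No.37.1 for every accept_source_route file whose content is not 0.
# Arguments: $@ - /proc/sys/net/ipv4/conf/*/accept_source_route paths
# Outputs:   No.37.1 findings on stdout
#######################################
check_source_route() {
  local route value
  for route in "$@"; do
    value=$(grep -v "^[[:space:]]*#" -- "$route")
    if [[ "$value" != 0 ]]; then
      echo -e "\e[31mNo.37.1请检查${route}文件是否禁止IP源路由?\n\e[0m"
    fi
  done
}
#######################################
# Warn unless rc.local contains the command that disables source routing
# on lo (a missing rc.local is reported as well).
# Arguments: $1 - rc.local path
# Outputs:   No.37.1 finding on stdout
#######################################
check_rc_local_source_route() {
  local rc_local=$1
  if ! grep -q 'echo 0 > /proc/sys/net/ipv4/conf/lo/accept_source_route' -- "$rc_local"; then
    echo -e "\e[31mNo.37.1请检查/etc/rc.local文件是否添加开机启动禁止lo的IP源路由项?\n\e[0m"
  fi
}
check_source_route /proc/sys/net/ipv4/conf/*/accept_source_route
check_rc_local_source_route /etc/rc.local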
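###banner 38
# Banner 38: the ls and rm aliases must be defined in the user's .bashrc.
#######################################
# Warn No.38.1 / No.38.2 when the ls / rm alias is not on an active line.
# Arguments: $1 - bashrc path
# Outputs:   No.38.x findings on stdout
#######################################
check_bash_aliases() {
  local rc_file=$1
  if ! grep -v "^[[:space:]]*#" -- "$rc_file" | grep -q "ls='ls -aol'"; then
    echo -e "\e[31mNo.38.1请检查${rc_file}文件中ls是否修改别名?\n\e[0m"
  fi
  if ! grep -v "^[[:space:]]*#" -- "$rc_file" | grep -q "rm='rm -i'"; then
    echo -e "\e[31mNo.38.2请检查${rc_file}文件中rm是否修改别名?\n\e[0m"
  fi
}
check_bash_aliases ~/.bashrc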
###banner 39(与banner 5重了)
# 检查root用户,除root用户外 Uid 为0 用户,不做操作 只记录 日志。
#USERS_ID=`awk -F: '($3 == 0) { print $1 }' /etc/passwd|grep -v root`
#if [[ -n ${USERS_ID} ]];then
# echo -e "\e[31mNo.39.1请检查除root用户外是否存在Uid为0的用户?\n\e[0m"
#fi
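###banner 40
# Banner 40: the gnamd account must have a NOPASSWD sudo entry.
#######################################
# Warn No.40.1 unless an active sudoers line grants gnamd NOPASSWD: ALL.
# Commented lines are ignored (the original matched them too).
# Arguments: $1 - sudoers path
# Outputs:   No.40.1 finding on stdout
#######################################
check_sudoers_gnamd() {
  local sudoers=$1
  if ! grep -v "^[[:space:]]*#" -- "$sudoers" | grep -q "gnamd[[:space:]]*ALL=(ALL)*[[:space:]]*NOPASSWD: ALL*"; then
    echo -e "\e[31mNo.40.1请检查visudo中是否存在gnamd用户?\n\e[0m"
  fi
}
check_sudoers_gnamd /etc/sudoers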
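###banner 41
# Banner 41: the telnet port in /etc/services must be moved from 23 to 23000.
#######################################
# Print the port number(s) of the telnet entries for one protocol.  The
# second field is used rather than the last one so a trailing comment
# ("telnet 23/tcp # Telnet") is not mistaken for the port.
# Arguments: $1 - services file, $2 - tcp or udp
#######################################
telnet_ports() {
  grep "^\<telnet\>" -- "$1" | grep "$2" | awk '{print $2}' | awk -F / '{print $1}'
}
#######################################
# Warn No.41.1 for each telnet port still 23, No.41.2 for any other port
# that is not 23000.
# Arguments: $1 - services file
# Outputs:   No.41.x findings on stdout
#######################################
check_telnet_port() {
  local services=$1 port
  # Word-splitting is intended: the values are bare port numbers.
  for port in $(telnet_ports "$services" tcp) $(telnet_ports "$services" udp); do
    if [[ "$port" = 23 ]]; then
      echo -e "\e[31mNo.41.1请检查${services}文件中telnet端口是否未更改?\n\e[0m"
    elif [[ "$port" != 23000 ]]; then
      echo -e "\e[31mNo.41.2请检查${services}文件中telnet端口是否为指定端口?\n\e[0m"
    fi
  done
}
check_telnet_port /etc/services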
###banner 42
#检查安全日志权限是否为640(启明会查)
files=`cat /etc/rsyslog.conf | grep -v "^[[:space:]]*#"|awk '(($2!~/@/) && ($2!~/*/) && ($2!~/-/)) {print $2}'`
zhi=`ls -l $files 2>/dev/null | grep -v 'total 4'|grep -v ""[r-][w-]-[r-]-----"" |awk '{print $9}'`
for filesname in ${zhi[*]}
do
echo -e "\e[31mNo.42请检查${filesname}权限是否大于640,大于请整改!\n\e[0m"
done
#输出检查命令的不合格文件(参考时可单独执行)
#ls -l `cat /etc/rsyslog.conf | grep -v ""^[[:space:]]*#""|awk '(($2!~/@/) && ($2!~/*/) && ($2!~/-/)) {print $2}'` 2>/dev/null|grep -v ""[r-][w-]-[r-]-----""|awk '{print $1"" ""$8"" ""$9}'
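###banner 43
# Banner 43: HISTSIZE and HISTFILESIZE in /etc/profile must be 5.
#######################################
# Print the distinct values assigned to a variable on active lines.
# Arguments: $1 - profile file, $2 - variable name
#######################################
profile_values() {
  grep -v "^[[:space:]]*#" -- "$1" | grep "$2=" | awk -F = '{print $NF}' | uniq
}
#######################################
# Warn No.43.1 unless HISTSIZE resolves to exactly one value of 5 (absent
# counts as wrong), and No.43.2 for every HISTFILESIZE value that is not 5.
# Arguments: $1 - profile file
# Outputs:   No.43.x findings on stdout
#######################################
check_history_size() {
  local profile=$1 histsize value
  histsize=$(profile_values "$profile" HISTSIZE)
  if [[ "$histsize" != 5 ]]; then
    echo -e "\e[31mNo.43.1请检查${profile}中的HISTSIZE大小值是否为5,不是请整改!\n\e[0m"
  fi
  for value in $(profile_values "$profile" HISTFILESIZE); do
    if [[ "$value" != 5 ]]; then
      echo -e "\e[31mNo.43.2请检查${profile}中的HISTFILESIZE大小值是否为5,不是请整改!\n\e[0m"
    fi
  done
}
check_history_size /etc/profile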
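###banner 44
# Banner 44: if a telnet package is installed, the xinetd telnet service
# must be disabled.
#######################################
# Warn No.44.1 when the xinetd telnet file does not disable the service,
# No.44.2 when the package is installed but the file is missing.  Nothing
# is reported when no telnet package is installed.
# Arguments: $1 - installed telnet package list (may be empty),
#            $2 - xinetd telnet service file
# Outputs:   No.44.x findings on stdout
#######################################
check_telnet_xinetd() {
  local telnet_rpm=$1 xinetd_file=$2
  [[ -n "$telnet_rpm" ]] || return 0
  if [[ -f "$xinetd_file" ]]; then
    if ! grep -q 'disable[[:space:]]*=[[:space:]]*yes' -- "$xinetd_file"; then
      echo -e "\e[31mNo.44.1请检查${xinetd_file}中的telnet是否为disable,不是请整改!\n\e[0m"
    fi
  else
    echo -e "\e[31mNo.44.2已安装telnet包,请添加${xinetd_file}文件!\n\e[0m"
  fi
}
check_telnet_xinetd "$(rpm -qa 2>/dev/null | grep telnet)" /etc/xinetd.d/telnet
echo "###THE END###"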