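├── README.md
└── check_system.sh

/README.md:
--------------------------------------------------------------------------------
# check_system
## 作者:火星小刘
### 服务器巡检脚本
#### 运作原理:
通过获取可执行文件的sha1sum值判断文件是否被修改,如若被修改,输出日志
#### 运行方法:
定时任务运行
可自定义添加监控目录
#### 进阶玩法
可结合本人的微信报警脚本,实现微信报警
见本人项目列表
--------------------------------------------------------------------------------
/check_system.sh:
--------------------------------------------------------------------------------
#!/bin/bash
#
# check_system.sh - periodic host integrity check, meant to run from cron.
#
# On the first run the script records baselines under $DIRECTORY: sha1 caches
# of monitored files/directories, and the list of process names, listening
# ports and chkconfig-enabled services.  Every later run compares the live
# state against those baselines and appends one line per finding to
# $LOGS/$HOSTNAME.log in the form "hostname|ip|date|event".
#
# A change is reported on every run for JIANCESHIJIAN minutes after it was
# first seen (marker files under $TMP record the first sighting).  Once it has
# persisted longer than that, the file / port / chkconfig baseline is refreshed
# silently.  The process baseline is never refreshed automatically: add a
# process name to $DIRECTORY/default_process by hand to accept it.
#
# Requires: GNU coreutils (sha1sum, touch -d, date), procps (ps, pgrep),
# netstat or ss, optionally chkconfig.  Run as root so every monitored path
# is readable.
#
# NOTE: 'set -e' is deliberately not used - grep/comm/diff exit codes are data
# here, not errors.  Critical steps are checked explicitly instead.
set -u

# Locations of logs, sha1 caches and per-run marker files.
DIRECTORY="/var/log/xunjian"
LOGS="$DIRECTORY/log"
SHA1CACHE="$DIRECTORY/sha1"
TMP="$DIRECTORY/tmp"
# Alert window in minutes (see the header comment).
JIANCESHIJIAN=5

# Process names that belong to this script's own pipelines or its known
# companions; they are added to the process baseline so they are never
# reported as unknown.  Edit to taste.
SELF_PROCESSES=(egrep xunjian_ansible anacron sh ps sort comm)

#######################################
# Primary IPv4 address of the host, used in the log prefix.
# Prefers iproute2 (skips loopback via "scope global"); falls back to ifconfig
# and accepts both the old "inet addr:1.2.3.4" and the new "inet 1.2.3.4"
# output formats.
# Outputs: the address, or an empty string, on stdout
#######################################
get_ip() {
  local addr=""
  if command -v ip >/dev/null 2>&1; then
    addr=$(ip -4 -o addr show scope global 2>/dev/null \
      | awk '{print $4}' | cut -d/ -f1 | head -n 1)
  fi
  if [ -z "$addr" ] && command -v ifconfig >/dev/null 2>&1; then
    addr=$(ifconfig 2>/dev/null \
      | awk '/inet /{sub(/^addr:/, "", $2); print $2; exit}')
  fi
  printf '%s\n' "$addr"
}

#######################################
# Append an event to the main log, prefixing every line of the message with
# "hostname|ip|date|" at write time (so earlier lines are never re-prefixed).
# Globals:   HOSTNAME, IP, DATE, LOGS (read)
# Arguments: $1 - message; may span several lines
#######################################
log_event() {
  local line
  while IFS= read -r line || [ -n "$line" ]; do
    printf '%s|%s|%s|%s\n' "$HOSTNAME" "$IP" "$DATE" "$line"
  done <<<"$1" >> "$LOGS/$HOSTNAME.log"
}

#######################################
# Debounce helper.  Creates the marker for $1 on first call ('touch -a' only
# updates atime, so the marker's mtime stays the time the change was first
# seen) and succeeds while that marker is younger than the reference file
# $TMP/time.tmp, i.e. while the change is still inside the alert window.
# Arguments: $1 - marker name (file/dir NAME, "process", "port", "chk")
# Returns:   0 inside the alert window, 1 once the change has persisted longer
#######################################
flagged_recently() {
  local marker="$TMP/${1}_time.tmp"
  touch -a -- "$marker"
  [ "$TMP/time.tmp" -ot "$marker" ]
}

#######################################
# Forget the first-sighting marker for $1 (see flagged_recently).
#######################################
clear_flag() {
  rm -f -- "$TMP/${1}_time.tmp"
}

#######################################
# Print a baseline file as a sorted, unique, one-entry-per-line list.
# Accepts both the current format (one entry per line) and the legacy
# single-line '"|a|b|c|"' egrep pattern written by older versions, so existing
# baselines keep working after an upgrade.
# Arguments: $1 - baseline file
#######################################
read_baseline() {
  tr -d '"' < "$1" | tr '|' '\n' | sed '/^$/d' | LC_ALL=C sort -u
}

#######################################
# Print the entries read from stdin that are not in the baseline file.
# Whole-line comparison: an unknown "evilsh" is no longer hidden by a
# baseline entry "sh", which a substring egrep -v would have matched.
# Arguments: $1 - baseline file
# Inputs:    current entries on stdin, any order
#######################################
new_entries() {
  LC_ALL=C sort -u | LC_ALL=C comm -13 <(read_baseline "$1") -
}

#######################################
# sha1sum of every regular file directly inside a directory, in glob order
# (same order and same file set as the original "sha1sum dir/*", minus the
# sub-directories that only produced error noise).
# Arguments: $1 - directory
#######################################
dir_sha1sums() {
  local f
  local -a files=()
  for f in "$1"/*; do
    [ -f "$f" ] && files+=("$f")
  done
  [ "${#files[@]}" -gt 0 ] || return 0
  sha1sum -- "${files[@]}"
}

########################文件修改监控#############################

#######################################
# Compare one file against its cached sha1 and report a change.
# Arguments: $1 - cache name (NAME_sha1 under $SHA1CACHE)
#            $2 - file to monitor
#######################################
CheckFileSha1() {
  local NAME=$1
  local FILE=$2
  local cache="$SHA1CACHE/${NAME}_sha1"
  local SHA1 LAST_SHA1

  if [ -f "$FILE" ]; then
    SHA1=$(sha1sum -- "$FILE" | awk '{print $1}')
  elif [ -f "$cache" ]; then
    # A monitored file that disappears is a change worth reporting.
    SHA1="missing"
  else
    # Never existed on this host (e.g. no /etc/rc.local): nothing to track.
    return 0
  fi

  # First sighting: record the baseline, nothing to compare against yet.
  if [ ! -f "$cache" ]; then
    printf '%s\n' "$SHA1" > "$cache"
    return 0
  fi

  LAST_SHA1=$(<"$cache")
  [ "$SHA1" != "$LAST_SHA1" ] || return 0

  if flagged_recently "$NAME"; then
    log_event "文件刚刚被修改:${FILE} "
  else
    # Change has persisted past the alert window: accept it as the new baseline.
    printf '%s\n' "$SHA1" > "$cache"
    clear_flag "$NAME"
  fi
}

CheckFileSha1 passwd "/etc/passwd"

CheckFileSha1 profile "/etc/profile"

CheckFileSha1 rc "/etc/rc.local"

########################目录下文件修改监控##########################

#######################################
# Compare every file in a directory against the cached sha1 list and report
# the paths that differ (changed, added or removed).
# Arguments: $1 - cache name (NAME_sha1 under $SHA1CACHE)
#            $2 - directory to monitor
#######################################
CheckDirSha1() {
  local NAME=$1
  local FILE=$2
  local cache="$SHA1CACHE/${NAME}_sha1"
  local current="$SHA1CACHE/${NAME}_sha1_new"
  local DIFF

  [ -d "$FILE" ] || return 0
  # Overwrite (not append) so a crashed earlier run cannot leave a stale list.
  dir_sha1sums "$FILE" > "$current"

  if [ ! -f "$cache" ]; then
    mv -f -- "$current" "$cache"
    return 0
  fi

  # Keep only the path of each changed/added/removed line; the sub() strips
  # the diff marker and the hash, so paths with spaces survive intact.
  DIFF=$(diff -- "$current" "$cache" \
    | awk '/^[<>]/ { sub(/^[<>] [0-9a-f]+ [ *]/, ""); print }' \
    | LC_ALL=C sort -u)

  if [ -n "$DIFF" ]; then
    if flagged_recently "$NAME"; then
      log_event "文件刚刚被修改:$DIFF"
    else
      # Persisted past the alert window: the current state becomes the baseline.
      mv -f -- "$current" "$cache"
      clear_flag "$NAME"
      return 0
    fi
  fi
  rm -f -- "$current"
}

#######################################
# Names of all running processes, one per line (the CMD column of "ps -A").
#######################################
current_processes() {
  ps -eo comm=
}

#######################################
# Write "ps" details for each newly seen process name to the -xiangxi log.
# Arguments: $1 - newline-separated process names
#######################################
log_process_details() {
  local name pids
  while IFS= read -r name; do
    [ -n "$name" ] || continue
    # -x: exact name match, so "sh" does not also pull in every "sshd".
    pids=$(pgrep -d, -x -- "$name") || continue
    ps -o pid,ppid,user,lstart,args -p "$pids" | sed 1d
  done <<<"$1" | LC_ALL=C sort -u >> "$LOGS/$HOSTNAME-xiangxi.log"
}

#######################################
# TCP ports in LISTEN state, one port number per line, IPv4 and IPv6 alike.
# Uses netstat when present, otherwise ss.
#######################################
listen_ports() {
  local addrs=""
  if command -v netstat >/dev/null 2>&1; then
    # -p (process column) is not needed and only adds warnings without root.
    addrs=$(netstat -ntul 2>/dev/null | grep LISTEN | awk '{print $4}')
  elif command -v ss >/dev/null 2>&1; then
    addrs=$(ss -Hntl 2>/dev/null | awk '{print $4}')
  fi
  # Strip everything up to the last ':' -> works for 0.0.0.0:22 and :::22.
  printf '%s\n' "$addrs" | sed 's/.*://' | sed '/^$/d' | LC_ALL=C sort -u
}

#######################################
# chkconfig services that are "on" in at least one runlevel, one per line.
#######################################
enabled_services() {
  chkconfig 2>/dev/null | grep ':on' | awk '{print $1}' | LC_ALL=C sort -u
}

########################### main flow ###########################

# The original only documented creating these directories; actually do it.
mkdir -p -- "$LOGS" "$SHA1CACHE" "$TMP" \
  || { printf 'cannot create %s\n' "$DIRECTORY" >&2; exit 1; }

HOSTNAME=$(hostname)
# Printed to stdout so a cron mail shows which host the run belongs to.
printf '%s\n' "$HOSTNAME"
IP=$(get_ip)
DATE=$(date '+%m月%d日-%H:%M:%S')

# Reference timestamp: anything newer than this file changed inside the window.
touch -d "$JIANCESHIJIAN minutes ago" -- "$TMP/time.tmp" \
  || { printf 'cannot create %s\n' "$TMP/time.tmp" >&2; exit 1; }

CheckDirSha1 profile_d "/etc/profile.d"

CheckDirSha1 sbin "/sbin"

CheckDirSha1 usr_bin "/usr/bin"

CheckDirSha1 usr_sbin "/usr/sbin"

CheckDirSha1 glassfish_bin "/usr/local/glassfish4/bin"

CheckDirSha1 jdk_bin "/usr/local/jdk/bin"

CheckDirSha1 crontab "/var/spool/cron"

#####.ssh################

# Every user's home directory from /etc/passwd (field 6); "/" and empty
# homes are skipped, as the original "grep -vw /" did.
while IFS=: read -r _ _ _ _ _ home _; do
  [ -n "$home" ] && [ "$home" != "/" ] || continue
  SSH_DIRECTORY="$home/.ssh"
  [ -d "$SSH_DIRECTORY" ] || continue
  # Entries under .ssh modified more recently than the reference file.
  SSH_CHANGE=$(find "$SSH_DIRECTORY" -newer "$TMP/time.tmp")
  if [ -n "$SSH_CHANGE" ]; then
    log_event "文件刚刚被修改:$SSH_CHANGE"
  fi
done < /etc/passwd

########################进程检测#################################

PROCESS_BASELINE="$DIRECTORY/default_process"
# First run: snapshot the process list (plus this script's own helpers).
if [ ! -f "$PROCESS_BASELINE" ]; then
  { current_processes; printf '%s\n' "${SELF_PROCESSES[@]}"; } \
    | LC_ALL=C sort -u > "$PROCESS_BASELINE"
fi

UNKNOWN_PROCESS=$(current_processes | new_entries "$PROCESS_BASELINE")

if [ -n "$UNKNOWN_PROCESS" ]; then
  if flagged_recently process; then
    log_event "有未知进程启动:$UNKNOWN_PROCESS"
    log_process_details "$UNKNOWN_PROCESS"
  else
    # Deliberately no baseline refresh (as in the original): an unknown
    # process is reported again every window until added to default_process.
    clear_flag process
  fi
fi

#########################新增端口监控############################

PORT_BASELINE="$DIRECTORY/default_port"
[ -f "$PORT_BASELINE" ] || listen_ports > "$PORT_BASELINE"

NEW_PORT=$(listen_ports | new_entries "$PORT_BASELINE")

if [ -n "$NEW_PORT" ]; then
  if flagged_recently port; then
    log_event "有新端口被监听:$NEW_PORT"
  else
    listen_ports > "$PORT_BASELINE"
    clear_flag port
  fi
fi

###############chkconfig##########

# Only meaningful on SysV-style hosts; silently skipped elsewhere.
if command -v chkconfig >/dev/null 2>&1; then
  CHKCONFIG_BASELINE="$DIRECTORY/default_chkconfig"
  [ -f "$CHKCONFIG_BASELINE" ] || enabled_services > "$CHKCONFIG_BASELINE"

  UNKNOWN_CHKCONFIG=$(enabled_services | new_entries "$CHKCONFIG_BASELINE")

  if [ -n "$UNKNOWN_CHKCONFIG" ]; then
    if flagged_recently chk; then
      log_event "新增chkconfig启动项:$UNKNOWN_CHKCONFIG"
    else
      enabled_services > "$CHKCONFIG_BASELINE"
      clear_flag chk
    fi
  fi
fi

# Log lines are prefixed by log_event as they are written, so the old
# whole-file "sed -i" pass (which re-prefixed previous runs' lines on every
# run) is no longer needed.
rm -f -- "$TMP/time.tmp"
--------------------------------------------------------------------------------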