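#!/bin/bash
#============================================================================
# Author: Li shichang
# Mail: sjm217@qq.com
# Date: 2019.9
# Version: v2.2
#
# Description:
# Security baseline configuration check script for classified-protection
# (等级保护) assessments; compatible with Red-Hat, CentOS, Oracle, Mysql,
# Postgresql.
# Usage:
# ./capos_for_linux.sh {parameter} >> filename.sh
#
# Conventions used throughout:
#  - The report is written to stdout so it can be appended to a file as in
#    the usage line above; progress messages are sent to stderr by the
#    callers (`LogMsg ... 1>&2`).
#  - The checks read root-only files (/etc/shadow, audit logs) and switch to
#    the oracle / postgres accounts with `su`, so the script is expected to
#    run as root.
#============================================================================

# Global variables (filled in by the get_* functions below)
DISTRO=              # 'CentOS' | 'RedHat' | 'Ubuntu' | 'unknow'
DISTRO_NUMBER=       # major release number, or 'unknow'

ORACLE=
ORACLE_NUMBER=

MYSQL=
MYSQL_NUMBER=

PGSQL=
PGSQL_NUMBER=

DBS=                 # one-line summary of every database found

WEBSERVER=
WEBSERVER_NUMBER=

# text colour set: ANSI escape sequences, written with printf '%b'
readonly SETCOLOR_SUCCESS='\033[1;32m'
readonly SETCOLOR_FAILURE='\033[1;31m'
readonly SETCOLOR_WARNING='\033[1;33m'
readonly SETCOLOR_NORMAL='\033[0;39m'

# Timestamp prefix shared by the log helpers, e.g. "[2019-09-01 12:00:00]".
time=$(date +'[%Y-%m-%d %H:%M:%S]')

# Log helpers.  They write to stdout (the report stream); callers that want
# the message on the terminal redirect with `1>&2`.  Each call resets the
# colour afterwards so the rest of the report stays uncoloured.
LogMsg()
{
  echo "$time INFO: $*"
  printf '%b' "$SETCOLOR_NORMAL"
}

LogWarnMsg()
{
  printf '%b' "$SETCOLOR_WARNING"
  echo "$time WARN: $*"
  printf '%b' "$SETCOLOR_NORMAL"
}

LogSucMsg()
{
  printf '%b' "$SETCOLOR_SUCCESS"
  echo "$time SUCCESS: $*"
  printf '%b' "$SETCOLOR_NORMAL"
}

LogErrorMsg()
{
  printf '%b' "$SETCOLOR_FAILURE"
  echo "$time ERROR: $*"
  printf '%b' "$SETCOLOR_NORMAL"
}

# Header written at the top of the report file.
output_file_banner()
{
  echo "# ============================================================================"
  printf '# Describe: \t\t This file about security baseline check output\n'
  printf '# Running time:\t\t %s\n' "$(date +'%Y-%m-%d %H:%M')"
  echo "# ============================================================================"
  echo
}

# Usage text.
# NOTE(review): the ASCII banner and the "view usage methods" line that the
# original printed before the option list (script lines 77-94) were lost when
# this copy was extracted; only the lines still visible are reproduced here.
print_logo()
{
  cat << EOF
${0} -l => show information collection.
${0} -o => oracle check.
${0} -m [password] => mysql check.
${0} -pgsql => postgresql check.
${0} -s => webserver check.
${0} -a => auto check.

EOF
}

#----------------------------------------------------------------------------
# Small helpers shared by the checks below
#----------------------------------------------------------------------------

# Print a report section header; every argument becomes one "# ..." line.
print_section()
{
  echo "#----------------------------------------------------------------------------"
  printf '# %s\n' "$@"
  echo "#----------------------------------------------------------------------------"
}

# Join all arguments with a comma: join_comma a b c -> "a,b,c" (empty line
# when called without arguments).
join_comma()
{
  local IFS=','
  printf '%s\n' "$*"
}

# Print the socket table (all TCP/UDP sockets, numeric, with owning process).
# netstat is used when present; `ss` takes the same flags and replaces it on
# distributions that no longer ship net-tools.
socket_table()
{
  if command -v netstat >/dev/null 2>&1; then
    netstat -pantu 2>/dev/null
  elif command -v ss >/dev/null 2>&1; then
    ss -pantu 2>/dev/null
  fi
}

# Print every non-loopback IPv4 address of this host, one per line.
local_ipv4_addrs()
{
  if command -v ip >/dev/null 2>&1; then
    ip -4 -o addr show 2>/dev/null \
      | awk '{ split($4, a, "/"); if (a[1] !~ /^127\./) print a[1] }'
  else
    # ifconfig prints "inet addr:1.2.3.4" on 6.x and "inet 1.2.3.4" on 7.x
    ifconfig 2>/dev/null \
      | awk '/inet / { a = $2; sub(/^addr:/, "", a); if (a !~ /^127\./) print a }'
  fi
}

# Extract the server version from `mysql -V` output, e.g.
#   "mysql  Ver 14.14 Distrib 5.7.30, for Linux (x86_64)" -> 5.7.30
#   "mysql  Ver 8.0.21 for Linux on x86_64 (...)"          -> 8.0.21
# Prints nothing when no version can be found.
parse_mysql_version()
{
  local banner=$1
  local re_distrib='Distrib ([0-9][^[:space:],]*)'
  local re_ver='Ver ([0-9][^[:space:],]*)'
  if [[ $banner =~ $re_distrib ]]; then
    printf '%s\n' "${BASH_REMATCH[1]}"
  elif [[ $banner =~ $re_ver ]]; then
    printf '%s\n' "${BASH_REMATCH[1]}"
  fi
}

# Run the mysql client as root.  $1 is the password, the remaining arguments
# are passed to the client.  The password travels in the MYSQL_PWD variable
# of the child's environment instead of "-p<password>" on argv, where every
# local user could read it from the process list.  Uses the MYSQL_BIN global.
mysql_root()
{
  local password=$1
  shift
  MYSQL_PWD="$password" "$MYSQL_BIN" -uroot "$@"
}

# One CPU sample from /proc/stat: prints "<idle jiffies> <total jiffies>".
cpu_sample()
{
  awk '/^cpu / { print $5, $2+$3+$4+$5+$6+$7+$8 }' /proc/stat
}

#----------------------------------------------------------------------------
# Gets the system version info
# Sets DISTRO and DISTRO_NUMBER.  /etc/os-release is preferred when present
# (it also covers 8.x / 9.x); the /etc/issue and /etc/*-release scan of the
# original is kept as a fallback for older systems.
#----------------------------------------------------------------------------
get_system_version()
{
  local os_id='' version_id='' major
  DISTRO_NUMBER=

  if [[ -r /etc/os-release ]]; then
    os_id=$(. /etc/os-release 2>/dev/null; printf '%s' "${ID:-}")
    version_id=$(. /etc/os-release 2>/dev/null; printf '%s' "${VERSION_ID:-}")
  fi

  case "$os_id" in
    centos) DISTRO='CentOS' ;;
    rhel)   DISTRO='RedHat' ;;
    ubuntu) DISTRO='Ubuntu' ;;
    *)
      if grep -Eqi "CentOS" /etc/issue 2>/dev/null || grep -Eq "CentOS" /etc/*-release 2>/dev/null; then
        DISTRO='CentOS'
      elif grep -Eqi "Red Hat Enterprise Linux" /etc/issue 2>/dev/null || grep -Eq "Red Hat Enterprise Linux" /etc/*-release 2>/dev/null; then
        DISTRO='RedHat'
      elif grep -Eqi "Ubuntu" /etc/issue 2>/dev/null || grep -Eq "Ubuntu" /etc/*-release 2>/dev/null; then
        DISTRO='Ubuntu'
      else
        DISTRO='unknow'
      fi
      ;;
  esac

  # Major release: "7", "8.4", "20.04" -> "7", "8", "20".
  if [[ $version_id =~ ^([0-9]+) ]]; then
    DISTRO_NUMBER=${BASH_REMATCH[1]}
  elif [[ $DISTRO == 'CentOS' || $DISTRO == 'RedHat' ]]; then
    # Anchor on "release N." so that e.g. 6.7 is not mistaken for 7.
    for major in 7 6 5 4; do
      if grep -Eq "release ${major}\." /etc/*-release 2>/dev/null; then
        DISTRO_NUMBER=$major
        break
      fi
    done
    [[ -n $DISTRO_NUMBER ]] || DISTRO_NUMBER='unknow'
  else
    DISTRO_NUMBER='unknow'
  fi
}

#----------------------------------------------------------------------------
# Gets the web server info
# Sets WEBSERVER / WEBSERVER_NUMBER; a later match overrides an earlier one.
#----------------------------------------------------------------------------
get_webserver_info()
{
  local sockets
  sockets=$(socket_table)

  if command -v nginx >/dev/null 2>&1; then
    WEBSERVER="nginx"
    # nginx prints "nginx version: nginx/1.14.0" on stderr, hence 2>&1
    WEBSERVER_NUMBER=$(nginx -v 2>&1 | awk -F/ '{print $2}')
  fi
  if id -u weblogic >/dev/null 2>&1 && grep -q ':7001[[:space:]]' <<<"$sockets"; then
    WEBSERVER="weblogic"
  fi
  if grep -q '^apache:' /etc/passwd && grep ':80[[:space:]]' <<<"$sockets" | grep -q 'httpd'; then
    WEBSERVER="apache"
    WEBSERVER_NUMBER=$(apachectl -v 2>/dev/null | awk -F/ '{print $2}' | grep -v '^$')
  fi
  return 0
}

#----------------------------------------------------------------------------
# Gets the database version info
# Sets ORACLE*, MYSQL*, PGSQL* and the DBS summary line.
#----------------------------------------------------------------------------
get_database_version()
{
  local sockets banner ver
  sockets=$(socket_table)

  if grep -q tnslsnr <<<"$sockets"; then
    ORACLE="Oracle"
    # sqlplus prints the "Oracle Database 11g ..." banner on connect
    banner=$(su - oracle << 'EOF'
sqlplus / as sysdba
exit
EOF
    )
    for ver in 11g 10g 12c; do
      [[ $banner == *"$ver"* ]] && ORACLE_NUMBER=$ver
    done
  fi

  if grep -q mysqld <<<"$sockets"; then
    MYSQL="Mysql"
    MYSQL_NUMBER=$(parse_mysql_version "$(mysql -V 2>/dev/null)")
  fi

  if grep -q postgres <<<"$sockets"; then
    PGSQL="PostgreSQL"
    # "PostgreSQL 9.6.1 on x86_64-..." -> 9.6.1
    PGSQL_NUMBER=$(su - postgres -c 'psql -d postgres -U postgres -At -c "select version();"' 2>/dev/null \
      | awk '{print $2}')
  fi

  DBS="${ORACLE} ${ORACLE_NUMBER} ${MYSQL} ${MYSQL_NUMBER} ${PGSQL} ${PGSQL_NUMBER}"

  grep -q 'redis' <<<"$sockets" && DBS="${DBS} Redis"
  # the daemon is named "mongod"; "mongodb" alone never matched it
  grep -Eq 'mongo(d|db)' <<<"$sockets" && DBS="${DBS} Mongodb"
  return 0
}

#----------------------------------------------------------------------------
# Information Collection
#----------------------------------------------------------------------------
information_collection()
{
  local hw cpu_model cpus cpu_type disks sys_version ipaddr
  get_system_version
  get_database_version
  get_webserver_info
  echo
  echo "-------------------------------- Information Collection start --------------------------------"
  echo

  # DMI line from the boot log; newer systems keep it in sysfs instead
  hw=$(grep 'DMI' /var/log/dmesg 2>/dev/null | awk -F'DMI:' '{print $2}')
  [[ -n $hw ]] || hw=$(cat /sys/class/dmi/id/sys_vendor /sys/class/dmi/id/product_name 2>/dev/null | tr '\n' ' ')
  cpu_model=$(grep 'model name' /proc/cpuinfo | cut -f2 -d: | uniq)
  cpus=$(grep -c '^processor' /proc/cpuinfo)
  cpu_type=$(awk '/vendor_id/ { v = $3 } END { print v }' /proc/cpuinfo)
  disks=$(fdisk -l 2>/dev/null | grep 'Disk' | awk -F, '{print $1}' | sed 's/Disk identifier.*//g' | sed '/^$/d')

  if [[ -r /etc/redhat-release ]]; then
    sys_version=$(cat /etc/redhat-release)
  elif [[ -r /etc/os-release ]]; then
    sys_version=$(. /etc/os-release 2>/dev/null; printf '%s' "${PRETTY_NAME:-}")
  fi
  ipaddr=$(local_ipv4_addrs)

  printf 'Hardware platform: \t%s\n' "$hw"
  printf 'CPU model: \t%s\n' "$cpu_model"
  printf 'CPUS: \t\t\t\t %s\n' "$cpus"
  printf 'CPU Type: \t\t\t %s\n' "$cpu_type"
  printf 'Disks info:\t\t\t %s\n' "$disks"
  printf 'System Version: \t %s\n' "$sys_version"
  printf 'Hostname: \t\t\t %s\n' "$(hostname)"
  printf 'IP Address: \t\t %s\n' "$ipaddr"
  printf 'Middleware or webserver:\t %s %s\n' "$WEBSERVER" "$WEBSERVER_NUMBER"
  printf 'DBS:\t\t\t\t %s\n' "$DBS"
  echo
  echo "-------------------------------- Information Collection end --------------------------------"
  echo
}

#----------------------------------------------------------------------------
# Red-Hat or CentOS check
#----------------------------------------------------------------------------
redhat_or_centos_ceping()
{
  local flag='' users found logfile newest f
  local -a names=()
  local interval=5 idle1 total1 idle2 total2

  LogMsg "Checking operating system......" 1>&2
  echo "-------------------------------- System checking start --------------------------------"
  echo
  print_section "Checking Empty password users"

  # Four independent indicators: empty hash in shadow, empty field in passwd,
  # a shadow hash of just "!" and a passwd field other than the shadow
  # marker "x".
  for users in \
    "$(awk -F: 'length($2)==0 {print $1}' /etc/shadow)" \
    "$(awk -F: 'length($2)==0 {print $1}' /etc/passwd)" \
    "$(awk -F: '$2=="!" {print $1}' /etc/shadow)" \
    "$(awk -F: '$2!="x" {print $1}' /etc/passwd)"; do
    if [[ -n $users ]]; then
      flag='y'
      printf '%s\n' "$users"
    fi
  done
  [[ -n $flag ]] || echo "[Y] This system no empty password users!"

  echo
  print_section "Checking UID=0 users"
  awk -F: '($3==0)' /etc/passwd
  echo

  echo
  print_section "Password time out users"
  mapfile -t names < <(awk -F: '$2=="!!" {print $1}' /etc/shadow)
  join_comma "${names[@]}"
  echo

  echo
  print_section "May be No need users"
  # match the whole account name; a substring match would also report e.g.
  # "lpadmin" for "lp"
  mapfile -t names < <(awk -F: '$1 ~ /^(uucp|nuucp|lp|adm|sync|halt|news|operator|gopher)$/ {print $1}' /etc/shadow)
  join_comma "${names[@]}"
  echo

  echo
  print_section "Policy of password Strength"
  grep PASS /etc/login.defs | grep -v '^#'
  echo
  found=$(grep -E 'pam_cracklib\.so|pam_pwquality\.so' /etc/pam.d/system-auth 2>/dev/null)
  if [[ -z $found ]]; then
    echo "[X] After check '/etc/pam.d/system-auth', no pam_cracklib.so/pam_pwquality.so config"
  else
    printf '%s\n' "$found"
  fi
  echo
  echo
  print_section "Policy of login failure"
  # pam_tally/pam_tally2 on 6.x/7.x, pam_faillock on newer releases; sshd
  # goes through password-auth, so both stacks are checked
  found=$(grep -E 'pam_tally|pam_faillock' /etc/pam.d/system-auth /etc/pam.d/password-auth 2>/dev/null)
  if [[ -n $found ]]; then
    printf '%s\n' "$found"
  else
    echo "[X] Warning: This system no login failure policy!"
  fi
  echo

  print_section "Policy of ssh login failure"
  found=$(grep -E '^[[:space:]]*MaxAuthTries' /etc/ssh/sshd_config 2>/dev/null)
  if [[ -z $found ]]; then
    echo "[X] Warning: Remote management of ssh not set MaxAuthTries(3~5)! "
  else
    printf 'ssh already set : %s.\n' "$found"
  fi
  echo

  echo
  print_section "Login timeout lock, ('suggest config parameter: TMOUT >= 600s')"
  # Kept in a local: assigning the grep output to TMOUT itself would change
  # the shell's own read timeout.
  found=$(grep -n "TMOUT" /etc/profile /etc/profile.d/*.sh /etc/bashrc 2>/dev/null)
  if [[ -n $found ]]; then
    printf '%s\n' "$found"
  else
    echo "[X] Warning: This system no set TMOUT!"
  fi
  echo

  echo
  print_section "Checking some files access permission"
  ls -l -- /etc/shadow /etc/passwd /etc/group /etc/gshadow /etc/profile \
    /etc/crontab /etc/securetty /etc/ssh/ssh_config /etc/ssh/sshd_config
  echo

  echo
  print_section "Checking telnet and ftp status"
  # The socket table is numeric, so match the well-known ports (ftp 21,
  # telnet 23, smtp 25) rather than service names that never appear.
  found=$(socket_table | grep -E ':(21|23|25)[[:space:]]')
  if [[ -n $found ]]; then
    printf '%s\n' "$found"
  else
    echo "[Y] This system no open 'telnet, ftp, smtp' server!"
  fi
  echo

  echo
  print_section "Checking MAC(Mandatory access control) status"
  grep -v '^#' /etc/selinux/config 2>/dev/null | grep "SELINUX="
  echo

  echo
  print_section "Syslog and audit status"
  if command -v systemctl >/dev/null 2>&1; then
    systemctl list-unit-files --type=service | grep -E 'rsyslog|auditd'
  else
    service --status-all 2>/dev/null | grep rsyslogd
    service auditd status
  fi
  echo

  echo
  echo "[Audit rules]:"
  auditctl -l 2>&1
  echo

  echo
  print_section "To see the last 10 rows of ‘/var/log/secure’"
  # newest of /var/log/secure and its rotated copies
  newest=
  for f in /var/log/secure*; do
    [[ -f $f ]] || continue
    [[ -z $newest || $f -nt $newest ]] && newest=$f
  done
  if [[ -n $newest ]]; then
    tail -n 10 -- "$newest"
  else
    echo "[X] No /var/log/secure* file found"
  fi
  echo

  print_section "Files permission for about syslog and audit"
  ls -l -- /var/log/messages /var/log/secure /var/log/audit/audit.log \
    /etc/rsyslog.conf /etc/audit/auditd.conf
  echo

  print_section "Configuration parameter of audit record" \
    "Note:Max_log_file=5(Log file capacity); Max_log_file_action=ROTATE(log size); num_logs=4"
  grep -E 'max_log_file|num_logs' /etc/audit/auditd.conf 2>/dev/null | grep -v '^#'
  echo

  print_section "Show all running service"
  if command -v systemctl >/dev/null 2>&1; then
    systemctl list-unit-files --type=service | grep enabled
  else
    service --status-all 2>/dev/null | grep running
  fi
  echo

  print_section "System patch info"
  rpm -qa --last | grep patch
  echo

  print_section "PermitRootLogin parameter status of ssh"
  grep -i 'PermitRootLogin' /etc/ssh/sshd_config
  echo

  print_section "IP address permit in hosts.allow and hosts.deny"
  echo "[more /etc/hosts.allow]:"
  grep -v '^#' /etc/hosts.allow
  echo "[more /etc/hosts.deny]:"
  grep -v '^#' /etc/hosts.deny
  echo

  print_section "Check /etc/securetty about tty login number"
  names=()
  [[ -r /etc/securetty ]] && mapfile -t names < /etc/securetty
  join_comma "${names[@]}"
  echo

  print_section "Checking iptables status"
  iptables -L -n
  echo

  print_section "System resource limit for single user"
  echo " "
  grep -v '^#' /etc/security/limits.conf
  echo

  print_section "System resource used status"
  echo "[disk info:]"
  df -h
  echo

  echo "[Memory info]:"
  free -m
  echo

  # Memory and cpu used rate, after "https://blog.51cto.com/10616534/2177671".
  # Kernels before 3.14 have no MemAvailable; it is approximated from
  # MemFree + Buffers + Cached so the rate does not read 100% there.
  awk '
    /^MemTotal/     { total = $2 }
    /^MemAvailable/ { avail = $2 }
    /^MemFree/      { mfree = $2 }
    /^Buffers/      { buf = $2 }
    /^Cached/       { cached = $2 }
    END {
      if (avail == 0) avail = mfree + buf + cached
      if (total > 0) printf "mem_used_rate:%.2f%%\n", (total - avail) / total * 100
    }' /proc/meminfo

  read -r idle1 total1 < <(cpu_sample)
  sleep "$interval"
  read -r idle2 total2 < <(cpu_sample)
  awk -v i1="$idle1" -v t1="$total1" -v i2="$idle2" -v t2="$total2" 'BEGIN {
      used = 0
      if (t2 - t1 > 0) used = 100 - (i2 - i1) / (t2 - t1) * 100
      printf "cpu_used_rate:%.2f%%\n", used
    }'
  echo

  print_section "MISC"
  echo "#[System lastlog info]:"
  lastlog
  echo
  echo "#[crontab info]:"
  crontab -l
  echo
  echo "#[Process and port state]:"
  socket_table
  echo
  echo "-------------------------------- System checking end --------------------------------"
  echo
}

#----------------------------------------------------------------------------
# Oracle database checking(compatible 10g 11g 12c)
#----------------------------------------------------------------------------
oracle_ceping()
{
  local sql_file oracle_home path
  local -a sqlnet_ora=()

  LogMsg "Checking Oracle database system......" 1>&2
  echo "-------------------------------- Oracle checking start --------------------------------"
  echo

  # Temporary SQL*Plus script.  mktemp gives an unpredictable name owned by
  # us (the former fixed /tmp/tmp_oracle.sql could be pre-created by any
  # local user); 0644 lets the oracle account read it while keeping it
  # non-writable by others, since it is executed as SYSDBA.
  sql_file=$(mktemp /tmp/tmp_oracle.XXXXXX) || { LogErrorMsg "mktemp failed" 1>&2; return 1; }
  chmod 644 "$sql_file"

  # The profile queries filter on resource_type='KERNEL' and the resource
  # name; SESSIONS_PER_USER / CPU_PER_SESSION are resource names, not types.
  cat > "$sql_file" << 'SQL'
set echo off feedb off timi off pau off trimsp on head on long 2000000 longchunksize 2000000
set linesize 150
set pagesize 80
col username format a22
col account_status format a20
col password format a20
col CREATED format a20
col USER_ID format a10
col profile format a20
col resource_name format a35
col limit format a10
col TYPE format a15
col VALUE format a20
col grantee format a25
col owner format a10
col table_name format a10
col grantor format a10
col privilege format a10
col AUDIT_OPTION format a30
col SUCCESS format a20
col FAILURE format a20
col any_path format a100
PROMPT #============================================================================#
PROMPT # Oracle version info
PROMPT #============================================================================#
select * from v$version;
PROMPT
PROMPT #============================================================================#
PROMPT # All database instances
PROMPT #============================================================================#
select name from v$database;
PROMPT
PROMPT #============================================================================#
PROMPT # Checking all user status(note sample account:scott,outln,ordsys)
PROMPT #============================================================================#
select username, CREATED, USER_ID, account_status, profile from dba_users;
PROMPT
PROMPT #============================================================================#
PROMPT # Policie Checking of password and attempt login failed
PROMPT #============================================================================#
select profile, resource_name, limit from dba_profiles where resource_type='PASSWORD';
PROMPT
PROMPT #============================================================================#
PROMPT # Show the default password account
PROMPT #============================================================================#
select * from dba_users_with_defpwd;
PROMPT
PROMPT #============================================================================#
PROMPT # Show all users about granted_role='DBA'
PROMPT #============================================================================#
select grantee from dba_role_privs where granted_role='DBA';
PROMPT
PROMPT #============================================================================#
PROMPT # Default users grantee roles about grantee='PUBLIC'
PROMPT #============================================================================#
select granted_role from dba_role_privs where grantee='PUBLIC';
PROMPT
PROMPT #============================================================================#
PROMPT # Checking access of data dictionary must boolean=FALSE
PROMPT #============================================================================#
show parameter O7_DICTIONARY_ACCESSIBILITY;
PROMPT
PROMPT #============================================================================#
PROMPT # Audit state
PROMPT #============================================================================#
show parameter audit;
PROMPT
PROMPT #============================================================================#
PROMPT # Important security events covered by audit
PROMPT #============================================================================#
select AUDIT_OPTION, SUCCESS, FAILURE from dba_stmt_audit_opts;
PROMPT
PROMPT #============================================================================#
PROMPT # Protecting audit records status
PROMPT #============================================================================#
select grantee, owner, table_name, grantor, privilege from dba_tab_privs where table_name='AUD$';
PROMPT
PROMPT #============================================================================#
PROMPT # Checking login 'IDLE_TIME' value
PROMPT #============================================================================#
select resource_name, limit from dba_profiles where profile='DEFAULT' and resource_type='KERNEL' and resource_name='IDLE_TIME';
PROMPT
PROMPT #============================================================================#
PROMPT # Checking single user resource limit status
PROMPT #============================================================================#
select resource_name, limit from dba_profiles where profile='DEFAULT' and resource_type='KERNEL' and resource_name='SESSIONS_PER_USER';
PROMPT
PROMPT #============================================================================#
PROMPT # Checking cpu time limit for a single session
PROMPT #============================================================================#
select resource_name, limit from dba_profiles where profile='DEFAULT' and resource_type='KERNEL' and resource_name='CPU_PER_SESSION';
PROMPT
PROMPT #============================================================================#
PROMPT # Show maximum number of connections
PROMPT #============================================================================#
show parameter processes;
PROMPT
PROMPT #============================================================================#
PROMPT # Access control function
PROMPT #============================================================================#
select any_path from resource_view where any_path like '/sys/acls/%.xml';
PROMPT
PROMPT #============================================================================#
PROMPT # Remote_os_authent
PROMPT #============================================================================#
select value from v$parameter where name='remote_os_authent';
PROMPT
PROMPT #============================================================================#
PROMPT # 'Oracle Label Security' install status
PROMPT #============================================================================#
select username, account_status, profile from dba_users where username='LBACSYS';
select object_type,count(*) from dba_objects where OWNER='LBACSYS' group by object_type;
PROMPT
exit
SQL

  # switch to the oracle user to execute the script, then come back to root
  su - oracle << EOF
sqlplus / as sysdba @${sql_file}
exit
EOF
  # delete the tmp sql file
  rm -f -- "$sql_file"

  # sqlnet.ora lives under $ORACLE_HOME/network/admin; fall back to the
  # (slow) filesystem search only when that is not set for the oracle user.
  oracle_home=$(su - oracle -c 'printf "%s" "$ORACLE_HOME"' 2>/dev/null)
  if [[ -n $oracle_home && -f $oracle_home/network/admin/sqlnet.ora ]]; then
    sqlnet_ora=("$oracle_home/network/admin/sqlnet.ora")
  else
    mapfile -t sqlnet_ora < <(find / -name "sqlnet.ora" 2>/dev/null | grep -v samples)
  fi
  echo
  echo "#============================================================================#"
  printf '# Checking Oracle configuration files(path:%s)\n' "${sqlnet_ora[*]}"
  echo "#============================================================================#"
  for path in "${sqlnet_ora[@]}"; do
    grep -Ev "^$|^[#;]" -- "$path"
  done
  echo
  echo "-------------------------------- Oracle checking end --------------------------------"
  echo
}

#----------------------------------------------------------------------------
# Mysql database checking
# $1 - root password (optional; asked for interactively when missing,
#      'q' skips the check).  Exits with status 1 when a supplied password
#      does not work.
#----------------------------------------------------------------------------
mysql_ceping()
{
  local mysql_pwd='' cnf
  local -a cnf_files=()

  LogMsg "Checking Mysql database system......" 1>&2
  echo
  echo "-------------------------------- Mysql checking start --------------------------------"
  echo
  MYSQL_BIN=$(command -v mysql) || { LogErrorMsg "mysql client not found in PATH" 1>&2; return 1; }

  if [[ -z $1 ]]; then
    # interactive: keep asking until the client can connect, or 'q' is given
    while :; do
      while [[ -z $mysql_pwd ]]; do
        read -r -s -p "Enter the mysql(user:root) password: " mysql_pwd
        echo 1>&2
        if [[ $mysql_pwd == "q" ]]; then
          LogMsg "Already skip Mysql check." 1>&2
          return
        fi
      done

      # the client's exit status says whether the login worked
      if mysql_root "$mysql_pwd" -e "exit" >/dev/null 2>&1; then
        break
      fi
      mysql_pwd=
      LogErrorMsg "Please confirm the password or check the configuration about mysql connect!" 1>&2
      LogMsg "Of course, you can ‘Ctrl + C’ exit or enter 'q' spin mysql checking." 1>&2
    done
  else
    mysql_pwd=$1
    if ! mysql_root "$mysql_pwd" -e "exit" >/dev/null 2>&1; then
      LogErrorMsg "Please confirm the password or check the configuration!" 1>&2
      exit 1
    fi
  fi

  print_section "Mysql checking"
  echo "# Mysql database status"
  mysql_root "$mysql_pwd" -e "\s"
  echo "# show databases;"
  mysql_root "$mysql_pwd" -e 'show databases;'
  echo "# select host, user, password from user;"
  # 5.7+ renamed the 'password' column to 'authentication_string'
  mysql_root "$mysql_pwd" -D mysql -e 'select host, user, password from user;' 2>/dev/null \
    || mysql_root "$mysql_pwd" -D mysql -e 'select host, user, authentication_string from user;'
  echo "# password policy( > v5.7 )"
  mysql_root "$mysql_pwd" -D mysql -e "show variables like 'validate_password%';"
  echo "# show tables;"
  mysql_root "$mysql_pwd" -D mysql -e 'show tables;'
  echo "# select user, Shutdown_priv, Grant_priv, File_priv from user;"
  mysql_root "$mysql_pwd" -D mysql -e 'select user, Shutdown_priv, Grant_priv, File_priv from user;'
  echo "# select * from db;"
  mysql_root "$mysql_pwd" -D mysql -e 'select * from db;'
  echo "# select * from tables_priv;"
  mysql_root "$mysql_pwd" -D mysql -e 'select * from tables_priv;'
  echo "# select * from columns_priv;"
  mysql_root "$mysql_pwd" -D mysql -e 'select * from columns_priv;'
  echo "# show variables like 'log_%';"
  mysql_root "$mysql_pwd" -D mysql -e "show variables like 'log_%';"
  echo "# show variables like 'log_bin';"
  mysql_root "$mysql_pwd" -D mysql -e "show variables like 'log_bin';"
  echo "# show variables like '%timeout%';"
  mysql_root "$mysql_pwd" -D mysql -e "show variables like '%timeout%';"

  # the client's documented default option files; search the disk only when
  # none of them exists
  for cnf in /etc/my.cnf /etc/mysql/my.cnf /usr/etc/my.cnf; do
    [[ -f $cnf ]] && cnf_files+=("$cnf")
  done
  (( ${#cnf_files[@]} > 0 )) || mapfile -t cnf_files < <(find / -name my.cnf 2>/dev/null)
  printf '# Checking Mysql configuration files(path:%s)\n' "${cnf_files[*]}"
  for cnf in "${cnf_files[@]}"; do
    grep -v '^$' -- "$cnf"
  done
  echo
  echo "-------------------------------- Mysql checking end --------------------------------"
  echo
}

# pgsql_ceping() follows; its definition continues beyond this excerpt.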
| { 764 | LogMsg "Checking PostgreSQL database system......" 1>&2 765 | echo 766 | echo "-------------------------------- PostgreSQL checking start --------------------------------" 767 | echo 768 | sqlFile=/tmp/tmp_postgres.sql 769 | PGDATA=`su - postgres << EOF 770 | cat ~/.bash_profile | grep PGDATA= 771 | exit 772 | EOF` 773 | PGDATA=`echo ${PGDATA} | awk -F'PGDATA=' '{print $2}'` 774 | 775 | echo "\echo #============================================================================#" >> ${sqlFile} 776 | echo "\echo # PostgreSQL version info" >> ${sqlFile} 777 | echo "\echo #============================================================================#" >> ${sqlFile} 778 | echo "select version();" >> ${sqlFile} 779 | 780 | echo "\echo #============================================================================#" >> ${sqlFile} 781 | echo "\echo # List of all instances" >> ${sqlFile} 782 | echo "\echo #============================================================================#" >> ${sqlFile} 783 | echo "\l" >> ${sqlFile} 784 | 785 | echo "\echo #============================================================================#" >> ${sqlFile} 786 | echo "\echo # List of all users info" >> ${sqlFile} 787 | echo "\echo #============================================================================#" >> ${sqlFile} 788 | echo "select * from pg_shadow;" >> ${sqlFile} 789 | 790 | echo "\echo #============================================================================#" >> ${sqlFile} 791 | echo "\echo # Access control function" >> ${sqlFile} 792 | echo "\echo #============================================================================#" >> ${sqlFile} 793 | echo "select * from pg_roles;" >> ${sqlFile} 794 | echo "select * from information_schema.table_privileges where grantee='cc';" >> ${sqlFile} 795 | 796 | echo "\echo #============================================================================#" >> ${sqlFile} 797 | echo "\echo # Log and audit" >> ${sqlFile} 798 | echo 
"\echo #============================================================================#" >> ${sqlFile} 799 | echo "show log_destination; show log_connections; show log_disconnections; show log_statement; show logging_collector; show log_rotation_size; show log_rotation_age;" >> ${sqlFile} 800 | 801 | echo "\echo #============================================================================#" >> ${sqlFile} 802 | echo "\echo # PostgreSQL MISC" >> ${sqlFile} 803 | echo "\echo #============================================================================#" >> ${sqlFile} 804 | echo "select name, setting from pg_settings where context = 'user' order by 1;" >> ${sqlFile} 805 | 806 | echo "\q" >> ${sqlFile} 807 | chmod 777 ${sqlFile} 808 | 809 | su - postgres << EOF 810 | psql -d postgres -U postgres -f ${sqlFile} 811 | exit 812 | EOF 813 | rm -f ${sqlFile} 814 | 815 | 816 | echo 817 | # 检查是否有密码复杂度模块 818 | echo "#----------------------------------------------------------------------------" 819 | echo "# Check password module for ‘libdir/passwordcheck’" 820 | echo "#----------------------------------------------------------------------------" 821 | grep "passwordcheck" $PGDATA/postgresql.conf 822 | echo 823 | 824 | echo 825 | # 检查地址限制 826 | echo "#----------------------------------------------------------------------------" 827 | echo "# Limit address" 828 | echo "#----------------------------------------------------------------------------" 829 | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' $PGDATA/postgresql.conf 830 | grep "listen_addresses" $PGDATA/postgresql.conf 831 | echo 832 | 833 | echo 834 | # 查看日志记录 835 | echo "#----------------------------------------------------------------------------" 836 | echo "# To see the first 10 rows of ‘$PGDATA/pg_log/’" 837 | echo "#----------------------------------------------------------------------------" 838 | pg_logfile=`ls $PGDATA/pg_log/ | grep -E 'postgresql-*' | tail -n 1` 839 | cat $PGDATA/pg_log/${pg_logfile} | 
tail -n 10 840 | echo 841 | 842 | echo 843 | # 登录超时 844 | echo "#----------------------------------------------------------------------------" 845 | echo "# Login timeout" 846 | echo "#----------------------------------------------------------------------------" 847 | grep 'tcp_keepalives' $PGDATA/postgresql.conf 848 | echo 849 | 850 | echo 851 | # 最大连接数 852 | echo "#----------------------------------------------------------------------------" 853 | echo "# Max_connections and Shared_buffers" 854 | echo "#----------------------------------------------------------------------------" 855 | cat $PGDATA/postgresql.conf | grep -E 'max_connections|shared_buffers' | grep -Ev "^$|^[#;]" 856 | echo 857 | echo "-------------------------------- PostgreSQL checking end --------------------------------" 858 | echo 859 | } 860 | 861 | redis_ceping() 862 | { 863 | echo 864 | #echo "-------------------------------- Redis checking start --------------------------------" 865 | echo 866 | redis-server -v 867 | redis_conf=`find / -name "redis.conf"` 868 | cp $redis_conf ./ 869 | echo 870 | #echo "-------------------------------- Redis checking end --------------------------------" 871 | echo 872 | } 873 | 874 | #---------------------------------------------------------------------------- 875 | # webserver check 876 | #---------------------------------------------------------------------------- 877 | webserver_ceping() 878 | { 879 | echo 880 | #echo "-------------------------------- Webserver checking start --------------------------------" 881 | echo 882 | case $WEBSERVER in 883 | "nginx") 884 | nginx_cfg=`find / -name "nginx.conf" | grep -v tmp` 885 | cp $nginx_cfg ./ ;; 886 | "weblogic") 887 | echo "weblogic ceping function wait edit" ;; 888 | "apache") 889 | httpd_conf=$(find / -name httpd.conf) 890 | cp $httpd_conf ./ ;; 891 | *) echo "Not found web server!" 
;; 892 | esac 893 | echo 894 | #echo "-------------------------------- Webserver checking end --------------------------------" 895 | echo 896 | } 897 | 898 | check_system() 899 | { 900 | [[ "CentOS"=="$DISTRO" ]] || [[ "RedHat"=="$DISTRO" ]] && redhat_or_centos_ceping 901 | [[ "Oracle" == "$ORACLE" ]] && oracle_ceping 902 | [[ "Mysql" == "$MYSQL" ]] && mysql_ceping 903 | [[ "PostgreSQL" == "$PGSQL" ]] && pgsql_ceping 904 | [[ $DBS == "redis" ]] && redis_ceping 905 | [[ -n "$WEBSERVER" ]] && webserver_ceping 906 | LogSucMsg "Checking completed!" 1>&2 907 | } 908 | 909 | main_ceping() 910 | { 911 | print_logo 912 | # check root privilege 913 | [ "`whoami`" != "root" ] && LogErrorMsg "Please use root user or sudo!" 1>&2 && exit 1 914 | case $1 in 915 | -h) 916 | helpinfo ;; 917 | -l) 918 | information_collection ;; 919 | -o) 920 | oracle_ceping ;; 921 | -m) 922 | mysql_ceping $2 ;; 923 | -pgsql) 924 | pgsql_ceping ;; 925 | -s) 926 | get_webserver_info 927 | webserver_ceping ;; 928 | -a) 929 | output_file_banner 930 | information_collection 931 | check_system ;; 932 | *) helpinfo ;; 933 | esac 934 | } 935 | 936 | main_ceping $1 $2 -------------------------------------------------------------------------------- /Linux/capos_for_linux_v2.6.2.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | #============================================================================ 3 | # 作者: 李世昌 4 | # 邮箱: lis912@163.com 5 | # 更新时间: 2020.11 6 | # 版本: v2.6.2 7 | # 8 | # 描述: 等级保护安全基线配置检查脚本,兼容Red-Hat、CentOS、EulerOS、Asianux、Ubuntu 16、Oracle、Mysql、Postgresql。 9 | # 10 | # 使用方法: 建议在root权限下将本脚本导入/tmp目录下执行,可通过 >> 重定向到其他文件后,导出查看。 11 | # sh capos_for_linux.sh_2.6.2.sh -a 自动核查; 12 | # sh capos_for_linux.sh_2.6.2.sh -l 信息收集; 13 | # sh capos_for_linux.sh_2.6.2.sh -o Oracle数据库核查; 14 | # sh capos_for_linux.sh_2.6.2.sh -pgsql Postgresql数据库核查; 15 | # sh capos_for_linux.sh_2.6.2.sh -m Mysql数据库核查,会提示输出root账户口令,输入后回车开始核查,也可以输入字母 q 退出Mysql数据库核查; 16 | # 
#   sh capos_for_linux.sh_2.6.2.sh -h       -h or any other wrong argument shows the help message.
#
#
# Changelog:
# v2.6.2
# 1) redhat_or_centos_ceping: added a check of the login-failure module in /etc/pam.d/sshd;
# 2) redhat_or_centos_ceping: added a check of the Red-Hat 7 password complexity file /etc/security/pwquality.conf;
# 3) comments: usage info and changelog updated, a short description added to each function.
#
#============================================================================

# Global variables
# OS distribution (set by get_system_version)
DISTRO=
# OS major version number
DISTRO_NUMBER=

# set to "Oracle" when an Oracle listener is found (get_database_version)
ORACLE=
# Oracle version
ORACLE_NUMBER=

# set to "Mysql" when mysqld is found
MYSQL=
# Mysql version
MYSQL_NUMBER=

# set to "PostgreSQL" when postgres is found
PGSQL=
# Postgresql version
PGSQL_NUMBER=

# space-joined summary of all detected databases
DBS=

# web server type (set by get_webserver_info)
WEBSERVER=
# web server version
WEBSERVER_NUMBER=

# colour presets for terminal messages; each is executed as a command below.
# NOTE(review): the shebang is /bin/sh but the script relies on 'echo -en',
# [[ ]], += and arrays; this works where /bin/sh is bash (RHEL/CentOS) --
# confirm on Ubuntu, where /bin/sh is dash.
SETCOLOR_SUCCESS="echo -en \\033[1;32m"
SETCOLOR_FAILURE="echo -en \\033[1;31m"
SETCOLOR_WARNING="echo -en \\033[1;33m"
SETCOLOR_NORMAL="echo -en \\033[0;39m"
# timestamp captured once at start-up and reused by every Log*Msg call
time=`date +['%Y-%m-%d %H:%M:%S']`
# plain info message: "<time> INFO: <args>" on stdout, then colour reset
LogMsg()
{
  echo "$time INFO: $*"
  $SETCOLOR_NORMAL
}
# warning message (yellow)
LogWarnMsg()
{
  $SETCOLOR_WARNING
  echo "$time WARN: $*"
  $SETCOLOR_NORMAL
}
# success message (green)
LogSucMsg()
{
  $SETCOLOR_SUCCESS
  echo "$time SUCCESS: $*"
  $SETCOLOR_NORMAL
}
# error message (red)
LogErrorMsg()
{
  $SETCOLOR_FAILURE
  echo "$time ERROR: $*"
  $SETCOLOR_NORMAL
}

#----------------------------------------------------------------------------
# Banner written at the top of the redirected output file (description and
# run time).
#----------------------------------------------------------------------------
output_file_banner()
{
  echo "# ============================================================================"
  echo -e "# Describe: \t\t This file about security baseline check output"
  echo -e "# Running time:\t\t "`date +'%Y-%m-%d %H:%M'`
  echo "# 
============================================================================" 99 | echo 100 | } 101 | 102 | #---------------------------------------------------------------------------- 103 | # LOGO输出,美化作用 104 | #---------------------------------------------------------------------------- 105 | print_logo() 106 | { 107 | cat < view usage methods. 129 | ${0} -l => show information collection. 130 | ${0} -o => oracle check. 131 | ${0} -m [password] => mysql check. 132 | ${0} -pgsql => postgresql check. 133 | ${0} -s => webserver check. 134 | ${0} -a => auto check. 135 | 136 | EOF 137 | } 138 | 139 | #---------------------------------------------------------------------------- 140 | # 获取操作系统版本信息: DISTRO->系统类型 ,DISTRO_NUMBER->版本号 141 | #---------------------------------------------------------------------------- 142 | get_system_version() 143 | { 144 | if grep -Eqii "CentOS" /etc/issue || grep -Eq "CentOS" /etc/*-release; then 145 | DISTRO='CentOS' 146 | if grep -Eq "7\." /etc/*-release; then 147 | DISTRO_NUMBER='7' 148 | elif grep -Eq "6\." /etc/*-release; then 149 | DISTRO_NUMBER='6' 150 | elif grep -Eq "5\." /etc/*-release; then 151 | DISTRO_NUMBER='5' 152 | elif grep -Eq "4\." /etc/*-release; then 153 | DISTRO_NUMBER='4' 154 | else 155 | DISTRO_NUMBER='unknow' 156 | fi 157 | elif grep -Eqi "Red Hat Enterprise Linux Server" /etc/issue || grep -Eq "Red Hat Enterprise Linux Server" /etc/*-release || grep -Eq "Asianux" /etc/*-release; then 158 | DISTRO='RedHat' 159 | if grep -Eq "7\." /etc/*-release; then 160 | DISTRO_NUMBER='7' 161 | elif grep -Eq "6\." /etc/*-release; then 162 | DISTRO_NUMBER='6' 163 | elif grep -Eq "5\." /etc/*-release; then 164 | DISTRO_NUMBER='5' 165 | elif grep -Eq "4\." 
/etc/*-release; then
    DISTRO_NUMBER='4'
  else
    DISTRO_NUMBER='unknow'
  fi
elif grep -Eq "EulerOS" /etc/*-release; then
  DISTRO='EulerOS'
  # EulerOS is handled like a 7.x Red Hat derivative
  DISTRO_NUMBER='7'
elif grep -Eqi "Ubuntu" /etc/issue || grep -Eq "Ubuntu" /etc/*-release; then
  # no DISTRO_NUMBER is derived for Ubuntu
  DISTRO='Ubuntu'
elif [[ -n `uname -a | grep AIX` ]]; then
  DISTRO='AIX'
  DISTRO_NUMBER=`oslevel`
else
  DISTRO='unknow'
fi
}

#----------------------------------------------------------------------------
# Detect the web server: WEBSERVER -> type, WEBSERVER_NUMBER -> version.
# Each probe is one chain; a later match overwrites an earlier one.
#----------------------------------------------------------------------------
get_webserver_info()
{
  # nginx: binary known to whereis. NOTE(review): 'nginx -v' writes its version
  # to stderr, so the pipe into awk is probably empty without 2>&1 -- confirm.
  [[ -n `whereis nginx | awk -F: '{print $2}'` ]] && WEBSERVER="nginx" && WEBSERVER_NUMBER=$(nginx -v | awk -F/ '{print $2}')
  # weblogic: a 'weblogic' login in lastlog plus a socket on :7001 (no version)
  [[ -n `lastlog | grep weblogic` ]] && [[ -n `netstat -pantu | grep ':7001'` ]] && WEBSERVER="weblogic"
  # apache: an 'apache' account plus an httpd socket whose address contains ':80'
  [[ -n `cat /etc/passwd | grep apache` ]] && [[ -n `netstat -pantu | grep ':80' | grep 'httpd'` ]] && WEBSERVER="apache" && WEBSERVER_NUMBER=$(apachectl -v | awk -F/ '{print $2}' | grep -v ^$)
}

#----------------------------------------------------------------------------
# Detect databases from the process/socket list; sets ORACLE/ORACLE_NUMBER,
# MYSQL/MYSQL_NUMBER, PGSQL/PGSQL_NUMBER and the DBS summary string.
#----------------------------------------------------------------------------
get_database_version()
{
  # Oracle: the TNS listener is running. The version is taken from the sqlplus
  # banner printed when logging in as the oracle OS user.
  if [[ -n `netstat -pantu | grep tnslsnr` ]]; then
    ORACLE="Oracle"
    banner=`su - oracle << EOF
sqlplus / as sysdba
exit
EOF`

    # a quoted right-hand side of =~ is a literal substring match
    [[ $banner =~ "11g" ]] && ORACLE_NUMBER="11g"
    [[ $banner =~ "10g" ]] && ORACLE_NUMBER="10g"
    [[ $banner =~ "12c" ]] && ORACLE_NUMBER="12c"
  fi

  # Mysql: 5th field of 'mysql -V' minus its last character (presumably the
  # ',' that follows the version number in that output)
  if [[ -n `netstat -pantu | grep mysqld` ]]; then
    MYSQL="Mysql"
    MYSQL_NUMBER=`mysql -V | awk '{print $5}'`
    MYSQL_NUMBER=${MYSQL_NUMBER%?}
  fi

  # PostgreSQL: version() queried as the postgres OS user.
  # NOTE(review): the heredoc delimiter is unquoted, so the $2 inside it is
  # expanded by this shell (empty when the function gets no arguments) before
  # it reaches awk; the second awk below does the actual field extraction.
  if [[ -n `netstat -pantu | grep postgres` ]]; then
    PGSQL="PostgreSQL"
    PGSQL_NUMBER=`su - postgres << EOF
psql -d postgres -U postgres -At -c "select version();" | awk '{print $2}'
exit
EOF`
    PGSQL_NUMBER=`echo ${PGSQL_NUMBER} | awk '{print $2}'`
  fi

  DBS="${ORACLE} ${ORACLE_NUMBER} ${MYSQL} ${MYSQL_NUMBER} ${PGSQL} ${PGSQL_NUMBER}"

  # redis / mongodb are only noted in the summary, no version is collected
  [[ -n `netstat -pantu | grep 'redis'` ]] && DBS="${DBS} Redis"
  [[ -n `netstat -pantu | grep mongodb` ]] && DBS="${DBS} Mongodb"
}

#----------------------------------------------------------------------------
# Red Hat family information collection: hardware, CPU, disks, release,
# IP addresses, plus the detected web server and databases.
# Globals read: WEBSERVER, WEBSERVER_NUMBER, DBS
#----------------------------------------------------------------------------
redhat_info_collection()
{
  echo
  echo "-------------------------------- Information Collection start --------------------------------"
  echo
  echo -e "Hardware platform: \t"`grep 'DMI' /var/log/dmesg | awk -F'DMI:' '{print $2}'`
  echo -e "CPU model: \t"`cat /proc/cpuinfo | grep name | cut -f2 -d: | uniq`
  echo -e "CPUS: \t\t\t\t" `cat /proc/cpuinfo | grep processor | wc -l | awk '{print $1}'`
  echo -e "CPU Type: \t\t\t" `cat /proc/cpuinfo | grep vendor_id | tail -n 1 | awk '{print $3}'`
  Disk=$(fdisk -l |grep 'Disk' |awk -F , '{print $1}' | sed 's/Disk identifier.*//g' | sed '/^$/d')
  # NOTE(review): Line is never assigned in the visible script, so it expands empty
  echo -e "Disks info:\t\t\t ${Disk}\n${Line}"
  echo -e "System Version: \t" `more /etc/redhat-release`
  # ifconfig prints "inet addr:x.x.x.x" on 6.x and "inet x.x.x.x" on 7.x;
  # the former needs the extra split on ':'
  check_ip_format=`ifconfig | grep "inet addr"`
  if [ ! -n "$check_ip_format" ]; then
    # 7.x
    Ipddr=`ifconfig | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -v 127 | awk '{print $2}'`
  else
    # 6.x
    Ipddr=`ifconfig | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -v 127 | awk '{print $2}' | awk -F: '{print $2}'`
  fi
  echo -e "Hostname: \t\t\t" `hostname`
  echo -e "IP Address: \t\t ${Ipddr}"
  echo -e "Middleware or webserver:\t ${WEBSERVER} ${WEBSERVER_NUMBER}"
  echo -e "DBS:\t\t\t\t ${DBS}"
  echo
  echo "-------------------------------- Information Collection end --------------------------------"
  echo
}

#----------------------------------------------------------------------------
# Ubuntu information collection: same report as redhat_info_collection, with
# lspci for the platform and /etc/lsb-release for the version.
# Globals read: WEBSERVER, WEBSERVER_NUMBER, DBS
#----------------------------------------------------------------------------
ubuntu_info_collection()
{
  echo
  echo "-------------------------------- Information Collection start --------------------------------"
  echo
  echo -e "Hardware platform: \t"`lspci |grep Host | head -1 | awk -F: '{print $3}'`
  echo -e "CPU model: \t"`cat /proc/cpuinfo | grep name | uniq | awk -F: '{print $2}'`
  echo -e "CPUS: \t\t\t\t" `cat /proc/cpuinfo | grep processor | wc -l | awk '{print $1}'`
  echo -e "CPU Type: \t\t\t" `cat /proc/cpuinfo | grep vendor_id | tail -n 1 | awk '{print $3}'`
  Disk=$(fdisk -l |grep 'Disk' |awk -F , '{print $1}' | sed 's/Disk identifier.*//g' | sed '/^$/d')
  # NOTE(review): Line is never assigned in the visible script, so it expands empty
  echo -e "Disks info:\t\t\t ${Disk}\n${Line}"
  echo -e "System Version: \t" `cat /etc/lsb-release | grep "DISTRIB_DESCRIPTION" | awk -F'=' '{print $2}'`
  # old ifconfig output ("inet addr:") needs the extra split on ':'
  check_ip_format=`ifconfig | grep "inet addr"`
  if [ !
-n "$check_ip_format" ]; then 280 | Ipddr=`ifconfig | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -v 127 | awk '{print $2}'` 281 | else 282 | Ipddr=`ifconfig | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -v 127 | awk '{print $2}' | awk -F: '{print $2}'` 283 | fi 284 | echo -e "Hostname: \t\t\t" `hostname` 285 | echo -e "IP Address: \t\t ${Ipddr}" 286 | echo -e "Middleware or webserver:\t ${WEBSERVER} ${WEBSERVER_NUMBER}" 287 | echo -e "DBS:\t\t\t\t ${DBS}" 288 | echo 289 | echo "-------------------------------- Information Collection end --------------------------------" 290 | echo 291 | } 292 | 293 | #---------------------------------------------------------------------------- 294 | # AIX小型机信息收集,未完善 295 | #---------------------------------------------------------------------------- 296 | AIX_info_collection() 297 | { 298 | prtconf | more 299 | Ipddr=`ifconfig | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -v 127 | awk '{print $2}'` 300 | echo -e "IP Address: \t\t ${Ipddr}" 301 | } 302 | 303 | 304 | #---------------------------------------------------------------------------- 305 | # 信息收集 -l 参数执行该方法 306 | #---------------------------------------------------------------------------- 307 | information_collection() 308 | { 309 | get_system_version 310 | get_database_version 311 | get_webserver_info 312 | case $DISTRO in 313 | CentOS) 314 | redhat_info_collection;; 315 | RedHat) 316 | redhat_info_collection;; 317 | EulerOS) 318 | redhat_info_collection;; 319 | Ubuntu) 320 | ubuntu_info_collection;; 321 | AIX) 322 | AIX_info_collection;; 323 | esac 324 | } 325 | 326 | #------------------------------------------------------------------------------------------- 327 | # 红帽系操作系统执行该方法,主要支持7.X,6.X版本。其中部分5.X 4.X 低版本,部分命令无法识别 328 | #------------------------------------------------------------------------------------------- 329 | redhat_or_centos_ceping() 330 | { 331 | LogMsg "Checking operating system......" 
1>&2 332 | echo "-------------------------------- System checking start --------------------------------" 333 | 334 | # --------------------------------------- 空口令用户核查 --------------------------------------- # 335 | echo 336 | echo "#----------------------------------------------------------------------------" 337 | echo "# Checking Empty password users" 338 | echo "#----------------------------------------------------------------------------" 339 | 340 | flag= 341 | null_password=`awk -F: 'length($2)==0 {print $1}' /etc/shadow` 342 | 343 | if [ -n "$null_password" ]; then 344 | flag='y' 345 | echo $null_password 346 | fi 347 | 348 | null_password=`awk -F: 'length($2)==0 {print $1}' /etc/passwd` 349 | if [ -n "$null_password" ]; then 350 | flag='y' 351 | echo $null_password 352 | fi 353 | 354 | null_password=`awk -F: '$2=="!" {print $1}' /etc/shadow` 355 | if [ -n "$null_password" ]; then 356 | flag='y' 357 | echo $null_password 358 | fi 359 | 360 | null_password=`awk -F: '$2!="x" {print $1}' /etc/passwd` 361 | if [ -n "$null_password" ]; then 362 | flag='y' 363 | echo $null_password 364 | fi 365 | 366 | [[ ! -n "$flag" ]] && echo "[Y] This system no empty password users!" 367 | 368 | 369 | 370 | # --------------------------------------- 特权账户数量核查 --------------------------------------- # 371 | echo 372 | echo "#----------------------------------------------------------------------------" 373 | echo "# Checking UID=0 users" 374 | echo "#----------------------------------------------------------------------------" 375 | awk -F: '($3==0)' /etc/passwd 376 | echo 377 | 378 | # --------------------------------------- 口令过期账户数量核查 --------------------------------------- # 379 | echo 380 | echo "#----------------------------------------------------------------------------" 381 | echo "# Password time out users" 382 | echo "#----------------------------------------------------------------------------" 383 | for timeout_usename in `awk -F: '$2=="!!" 
{print $1}' /etc/shadow`; do 384 | timeout_usenamelist+="$timeout_usename," 385 | done 386 | echo ${timeout_usenamelist%?} 387 | echo 388 | 389 | # --------------------------------------- 多余系统默认账户核查,仅参考,进一步核查是否login权限 --------------------------------------- # 390 | echo 391 | echo "#----------------------------------------------------------------------------" 392 | echo "# May be No need users" 393 | echo "#----------------------------------------------------------------------------" 394 | for no_need_usename in `cat /etc/shadow | grep -E 'uucp|nuucp|lp|adm|sync|halt|news|operator|gopher' | awk -F: '{print $1}'`; do 395 | no_need_usenamelist+="$no_need_usename," 396 | done 397 | echo ${no_need_usenamelist%?} 398 | echo 399 | 400 | # --------------------------------------- 口令策略核查 --------------------------------------- # 401 | echo 402 | echo "#----------------------------------------------------------------------------" 403 | echo "# Policy of password Strength" 404 | echo "#----------------------------------------------------------------------------" 405 | cat /etc/login.defs | grep PASS | grep -v ^# 406 | echo 407 | case $DISTRO_NUMBER in 408 | 7) 409 | passwordStrength=`cat /etc/security/pwquality.conf | grep -v ^# | grep -E 'difok | minlen | dcredit | ucredit | lcredit | ocredit | minclass | maxrepeat | maxclassrepeat | gecoscheck | dictpath'` 410 | if [ ! -n "$passwordStrength" ]; then 411 | echo "[X] After check '/etc/security/pwquality.conf', no pam_cracklib.so/pam_pwquality.so config" 412 | else 413 | echo $passwordStrength 414 | fi;; 415 | *) 416 | passwordStrength=`cat /etc/pam.d/system-auth | grep -E 'pam_cracklib.so | pam_pwquality.so'` 417 | if [ ! 
-n "$passwordStrength" ]; then 418 | echo "[X] After check '/etc/pam.d/system-auth', no pam_cracklib.so/pam_pwquality.so config" 419 | else 420 | echo $passwordStrength 421 | fi;; 422 | esac 423 | 424 | # --------------------------------------- 登录失败策略核查 --------------------------------------- # 425 | echo 426 | echo 427 | echo "#----------------------------------------------------------------------------" 428 | echo "# Policy of login failure" 429 | echo "#----------------------------------------------------------------------------" 430 | login_failure=`more /etc/pam.d/system-auth | grep tally` 431 | if [ -n "$login_failure" ]; then 432 | echo $login_failure 433 | else 434 | echo "[X] Warning: This system no login failure policy!" 435 | fi 436 | echo 437 | echo "#----------------------------------------------------------------------------" 438 | echo "# Policy of ssh login failure" 439 | echo "#----------------------------------------------------------------------------" 440 | ssh_login_failure=`cat /etc/ssh/sshd_config | grep -v ^# | grep MaxAuthTries` 441 | ssh_login_failure2=`cat /etc/pam.d/sshd | grep -v ^# | grep deny=` 442 | if [ -n "$ssh_login_failure" ]; then 443 | echo -e "ssh already set : ${ssh_login_failure}." 444 | elif [ -n "$ssh_login_failure2" ]; then 445 | echo -e "ssh already set : ${ssh_login_failure2}." 446 | else 447 | echo "[X] Warning: No login failure policy of ssh ! " 448 | fi 449 | echo 450 | 451 | # --------------------------------------- shell登录超时退出登录核查 --------------------------------------- # 452 | echo 453 | echo "#----------------------------------------------------------------------------" 454 | echo "# Login timeout lock, ('suggest config parameter: TMOUT >= 600s')" 455 | echo "#----------------------------------------------------------------------------" 456 | TMOUT=`cat /etc/profile | grep -n "TMOUT"` 457 | if [ -n "$TMOUT" ]; then 458 | echo $TMOUT 459 | else 460 | echo "[X] Warning: not set TMOUT!" 
461 | fi 462 | echo 463 | 464 | # --------------------------------------- 重要目录权限核查 --------------------------------------- # 465 | echo 466 | echo "#----------------------------------------------------------------------------" 467 | echo "# Checking some files access permission" 468 | echo "#----------------------------------------------------------------------------" 469 | ls -l /etc/shadow 470 | ls -l /etc/passwd 471 | ls -l /etc/group 472 | ls -l /etc/gshadow 473 | ls -l /etc/profile 474 | ls -l /etc/crontab 475 | ls -l /etc/securetty 476 | ls -l /etc/ssh/ssh_config 477 | ls -l /etc/ssh/sshd_config 478 | echo 479 | 480 | # --------------------------------------- 核查telnet、ftp、smtp是否开启 --------------------------------------- # 481 | echo 482 | echo "#----------------------------------------------------------------------------" 483 | echo "# Checking telnet and ftp status" 484 | echo "#----------------------------------------------------------------------------" 485 | telnet_or_ftp_status=`netstat -an | grep -E 'telnet | ftp | smtp'` 486 | if [ -n "$telnet_or_ftp_status" ]; then 487 | echo $telnet_or_ftp_status 488 | else 489 | echo "[Y] This system no open 'telnet, ftp, smtp' server!" 
490 | fi 491 | echo 492 | 493 | # --------------------------------------- 核查selinux是否开启 --------------------------------------- # 494 | echo 495 | echo "#----------------------------------------------------------------------------" 496 | echo "# Checking MAC(Mandatory access control) status" 497 | echo "#----------------------------------------------------------------------------" 498 | cat /etc/selinux/config | grep -v ^# | grep "SELINUX=" 499 | echo 500 | 501 | # ------- 核查rsyslog,auditd服务是否开启,日志是否外发,审计配置,审计策略 -------- # 502 | echo 503 | echo "#----------------------------------------------------------------------------" 504 | echo "# Syslog and audit status" 505 | echo "#----------------------------------------------------------------------------" 506 | case $DISTRO_NUMBER in 507 | 7) 508 | systemctl list-unit-files --type=service | grep "rsyslog" 509 | systemctl list-unit-files --type=service | grep "auditd";; 510 | *) 511 | service --status-all | grep rsyslogd 512 | service auditd status;; 513 | esac 514 | echo 515 | 516 | echo 517 | echo "[Sent to a central host]:" `grep "^*.*[^I][^I]*@" /etc/rsyslog.conf /etc/rsyslog.d/*.conf` 518 | echo "#----------------------------------------------------------------------------" 519 | echo "# Configuration parameter of audit record" 520 | echo "# Note:Max_log_file=5(Log file capacity); Max_log_file_action=ROTATE(log size); num_logs=4" 521 | echo "#----------------------------------------------------------------------------" 522 | cat /etc/audit/auditd.conf | grep max_log_file | grep -v ^# 523 | cat /etc/audit/auditd.conf | grep num_logs | grep -v ^# 524 | echo "[Audit rules]:" `auditd -l` 525 | echo 526 | 527 | # --------------------------------------- 核查最新日志的最后10行 --------------------------------------- # 528 | echo 529 | echo "#----------------------------------------------------------------------------" 530 | echo "# To see the first 10 rows of ‘/var/log/secure’" 531 | echo 
"#----------------------------------------------------------------------------" 532 | logfile=`ls /var/log/ | grep -E 'secure-.*'| tail -n 1` 533 | cat /var/log/${logfile} | tail -n 10 534 | echo 535 | 536 | # --------------------------------------- 核查日志审计相关文件权限 --------------------------------------- # 537 | echo "#----------------------------------------------------------------------------" 538 | echo "# Files permission for about syslog and audit" 539 | echo "#----------------------------------------------------------------------------" 540 | ls -l /var/log/messages 541 | ls -l /var/log/secure 542 | ls -l /var/log/audit/audit.log 543 | ls -l /etc/rsyslog.conf 544 | ls -l /etc/audit/auditd.conf 545 | echo 546 | 547 | # --------------------------------------- 显示所有开启的服务 --------------------------------------- # 548 | echo 549 | echo "#----------------------------------------------------------------------------" 550 | echo "# Show all running service" 551 | echo "#----------------------------------------------------------------------------" 552 | case $DISTRO_NUMBER in 553 | 7) 554 | systemctl list-unit-files --type=service | grep enabled;; 555 | *) 556 | service --status-all | grep running;; 557 | esac 558 | echo 559 | 560 | # --------------------------------------- 系统补丁信息 --------------------------------------- # 561 | echo "#----------------------------------------------------------------------------" 562 | echo "# System patch info" 563 | echo "#----------------------------------------------------------------------------" 564 | rpm -qa --last | grep patch 565 | echo 566 | 567 | # --------------------------------------- 核查是否允许root远程登录 --------------------------------------- # 568 | echo "#----------------------------------------------------------------------------" 569 | echo "# PermitRootLogin parameter status of ssh" 570 | echo "#----------------------------------------------------------------------------" 571 | cat /etc/ssh/sshd_config | grep Root 572 | echo 
573 | 574 | # --------------------------------------- 核查地址限制 --------------------------------------- # 575 | echo "#----------------------------------------------------------------------------" 576 | echo "# IP address permit in hosts.allow and hosts.deny" 577 | echo "#----------------------------------------------------------------------------" 578 | echo "[more /etc/hosts.allow]:" 579 | cat /etc/hosts.allow | grep -v ^# 580 | echo "[more /etc/hosts.deny]:" 581 | cat /etc/hosts.deny | grep -v ^# 582 | echo 583 | 584 | # --------------------------------------- 核查登录终端数量限制 --------------------------------------- # 585 | echo "#----------------------------------------------------------------------------" 586 | echo "# Check /etc/securetty about tty login number" 587 | echo "#----------------------------------------------------------------------------" 588 | for tty in `cat /etc/securetty `; do 589 | ttylist+="$tty," 590 | done 591 | echo ${ttylist%?} 592 | echo 593 | 594 | # --------------------------------------- 核查防火墙配置 --------------------------------------- # 595 | echo "#----------------------------------------------------------------------------" 596 | echo "# Checking iptables status" 597 | echo "#----------------------------------------------------------------------------" 598 | iptables -L -n 599 | echo 600 | 601 | # --------------------------------------- 核查资源限制 等保1.0遗留 --------------------------------------- # 602 | echo "#----------------------------------------------------------------------------" 603 | echo "# System resource limit for single user" 604 | echo "#----------------------------------------------------------------------------" 605 | echo " " 606 | cat /etc/security/limits.conf | grep -v ^# 607 | echo 608 | 609 | echo "#----------------------------------------------------------------------------" 610 | echo "# System resource used status" 611 | echo "#----------------------------------------------------------------------------" 612 | echo 
"[disk info:]" 613 | df -h 614 | echo 615 | 616 | echo "[Memory info]:" 617 | free -m 618 | echo 619 | 620 | # --------------------------------------- 核查硬件资源运行情况 等保1.0遗留 --------------------------------------- # 621 | mem_use_info=(`awk '/MemTotal/{memtotal=$2}/MemAvailable/{memavailable=$2}END{printf "%.2f %.2f %.2f",memtotal/1024/1024," "(memtotal-memavailable)/1024/1024," "(memtotal-memavailable)/memtotal*100}' /proc/meminfo`) 622 | echo mem_used_rate:${mem_use_info[2]}% 623 | 624 | TIME_INTERVAL=5 625 | LAST_CPU_INFO=$(cat /proc/stat | grep -w cpu | awk '{print $2,$3,$4,$5,$6,$7,$8}') 626 | LAST_SYS_IDLE=$(echo $LAST_CPU_INFO | awk '{print $4}') 627 | LAST_TOTAL_CPU_T=$(echo $LAST_CPU_INFO | awk '{print $1+$2+$3+$4+$5+$6+$7}') 628 | sleep ${TIME_INTERVAL} 629 | NEXT_CPU_INFO=$(cat /proc/stat | grep -w cpu | awk '{print $2,$3,$4,$5,$6,$7,$8}') 630 | NEXT_SYS_IDLE=$(echo $NEXT_CPU_INFO | awk '{print $4}') 631 | NEXT_TOTAL_CPU_T=$(echo $NEXT_CPU_INFO | awk '{print $1+$2+$3+$4+$5+$6+$7}') 632 | SYSTEM_IDLE=`echo ${NEXT_SYS_IDLE} ${LAST_SYS_IDLE} | awk '{print $1-$2}'` 633 | TOTAL_TIME=`echo ${NEXT_TOTAL_CPU_T} ${LAST_TOTAL_CPU_T} | awk '{print $1-$2}'` 634 | CPU_USAGE=`echo ${SYSTEM_IDLE} ${TOTAL_TIME} | awk '{printf "%.2f", 100-$1/$2*100}'` 635 | echo "cpu_used_rate:${CPU_USAGE}%" 636 | echo 637 | 638 | 639 | # --------------------------------------- 其他参考系统信息 --------------------------------------- # 640 | echo "#----------------------------------------------------------------------------" 641 | echo "# MISC" 642 | echo "#----------------------------------------------------------------------------" 643 | echo "#[System lastlog info]:" 644 | lastlog 645 | echo 646 | echo "#[crontab info]:" 647 | crontab -l 648 | echo 649 | echo "#[Process and port state]:" 650 | netstat -pantu 651 | echo 652 | echo "-------------------------------- System checking end --------------------------------" 653 | echo 654 | ps -ef 655 | } 656 | 657 | 
#------------------------------------------------------------------------------------------- 658 | # ubuntu操作核查系统执行该方法,主要支持16 18版本。 659 | #------------------------------------------------------------------------------------------- 660 | ubuntu_ceping() 661 | { 662 | LogMsg "Checking operating system......" 1>&2 663 | echo "-------------------------------- System checking start --------------------------------" 664 | echo 665 | echo "#----------------------------------------------------------------------------" 666 | echo "# Checking Empty password users" 667 | echo "#----------------------------------------------------------------------------" 668 | 669 | flag= 670 | null_password=`awk -F: 'length($2)==0 {print $1}' /etc/shadow` 671 | 672 | if [ -n "$null_password" ]; then 673 | flag='y' 674 | echo $null_password 675 | fi 676 | 677 | null_password=`awk -F: 'length($2)==0 {print $1}' /etc/passwd` 678 | if [ -n "$null_password" ]; then 679 | flag='y' 680 | echo $null_password 681 | fi 682 | 683 | null_password=`awk -F: '$2=="!" {print $1}' /etc/shadow` 684 | if [ -n "$null_password" ]; then 685 | flag='y' 686 | echo $null_password 687 | fi 688 | 689 | null_password=`awk -F: '$2!="x" {print $1}' /etc/passwd` 690 | if [ -n "$null_password" ]; then 691 | flag='y' 692 | echo $null_password 693 | fi 694 | 695 | [[ ! -n "$flag" ]] && echo "[Y] This system no empty password users!" 696 | 697 | echo 698 | echo "#----------------------------------------------------------------------------" 699 | echo "# Checking UID=0 users" 700 | echo "#----------------------------------------------------------------------------" 701 | awk -F: '($3==0)' /etc/passwd 702 | echo 703 | 704 | echo 705 | echo "#----------------------------------------------------------------------------" 706 | echo "# Password time out users" 707 | echo "#----------------------------------------------------------------------------" 708 | for timeout_usename in `awk -F: '$2=="!!" 
{print $1}' /etc/shadow`; do 709 | timeout_usenamelist+="$timeout_usename," 710 | done 711 | echo ${timeout_usenamelist%?} 712 | echo 713 | 714 | echo 715 | echo "#----------------------------------------------------------------------------" 716 | echo "# May be No need users" 717 | echo "#----------------------------------------------------------------------------" 718 | for no_need_usename in `cat /etc/shadow | grep -E 'uucp|nuucp|lp|adm|sync|halt|news|operator|gopher' | awk -F: '{print $1}'`; do 719 | no_need_usenamelist+="$no_need_usename," 720 | done 721 | echo ${no_need_usenamelist%?} 722 | echo 723 | 724 | echo 725 | echo "#----------------------------------------------------------------------------" 726 | echo "# Policy of password Strength" 727 | echo "#----------------------------------------------------------------------------" 728 | cat /etc/login.defs | grep PASS | grep -v ^# 729 | echo 730 | passwordStrength=`cat /etc/security/pwquality.conf` 731 | if [ ! -n "$passwordStrength" ]; then 732 | echo "[X] After check '/etc/security/pwquality.conf', no libpam-pwquality config,note:apt-get install libpam-pwquality" 733 | else 734 | echo $passwordStrength 735 | fi 736 | echo 737 | echo 738 | echo "#----------------------------------------------------------------------------" 739 | echo "# Policy of login failure" 740 | echo "#----------------------------------------------------------------------------" 741 | login_failure=`grep pam_pwquality.so /etc/pam.d/common-password` 742 | if [ -n "$login_failure" ]; then 743 | echo $login_failure 744 | else 745 | echo "[X] Warning: This system no login failure policy!" 746 | fi 747 | echo 748 | 749 | echo "#----------------------------------------------------------------------------" 750 | echo "# Policy of ssh login failure" 751 | echo "#----------------------------------------------------------------------------" 752 | ssh_login_failure=`cat /etc/ssh/sshd_config | grep -v ^# | grep MaxAuthTries` 753 | if [ ! 
-n "$ssh_login_failure" ]; then 754 | echo "[X] Warning: Remote management of ssh not set MaxAuthTries(3~5)! " 755 | else 756 | echo -e "ssh already set : ${ssh_login_failure}." 757 | fi 758 | echo 759 | 760 | echo "#----------------------------------------------------------------------------" 761 | echo "# IP address permit in hosts.allow and hosts.deny" 762 | echo "#----------------------------------------------------------------------------" 763 | echo "[more /etc/hosts.allow]:" 764 | cat /etc/hosts.allow | grep -v ^# 765 | echo "[more /etc/hosts.deny]:" 766 | cat /etc/hosts.deny | grep -v ^# 767 | echo 768 | 769 | echo 770 | echo "#----------------------------------------------------------------------------" 771 | echo "# Login timeout lock, ('suggest config parameter: TMOUT >= 600s')" 772 | echo "#----------------------------------------------------------------------------" 773 | TMOUT=`cat /etc/profile | grep -n "TMOUT"` 774 | if [ -n "$TMOUT" ]; then 775 | echo $TMOUT 776 | else 777 | echo "[X] Warning: This system no set TMOUT!" 
778 | fi 779 | echo 780 | 781 | echo 782 | echo "#----------------------------------------------------------------------------" 783 | echo "# Checking some files access permission" 784 | echo "#----------------------------------------------------------------------------" 785 | ls -l /etc/shadow 786 | ls -l /etc/passwd 787 | ls -l /etc/group 788 | ls -l /etc/gshadow 789 | ls -l /etc/profile 790 | ls -l /etc/crontab 791 | ls -l /etc/securetty 792 | ls -l /etc/ssh/ssh_config 793 | ls -l /etc/ssh/sshd_config 794 | echo 795 | 796 | echo 797 | echo "#----------------------------------------------------------------------------" 798 | echo "# Checking telnet and ftp status" 799 | echo "#----------------------------------------------------------------------------" 800 | telnet_or_ftp_status=`netstat -an | grep -E 'telnet | ftp | smtp'` 801 | if [ -n "$telnet_or_ftp_status" ]; then 802 | echo $telnet_or_ftp_status 803 | else 804 | echo "[Y] This system no open 'telnet, ftp, smtp' server!" 805 | fi 806 | echo 807 | 808 | echo 809 | echo "#----------------------------------------------------------------------------" 810 | echo "# Checking MAC(Mandatory access control) status" 811 | echo "#----------------------------------------------------------------------------" 812 | cat /etc/selinux/config | grep -v ^# | grep "SELINUX=" 813 | echo 814 | 815 | echo 816 | echo "#----------------------------------------------------------------------------" 817 | echo "# Syslog and audit status" 818 | echo "#----------------------------------------------------------------------------" 819 | systemctl list-unit-files --type=service | grep "rsyslog" 820 | systemctl list-unit-files --type=service | grep "auditd" 821 | echo 822 | 823 | echo 824 | echo "[Sent to a central host]:" `grep "^*.*[^I][^I]*@" /etc/rsyslog.conf /etc/rsyslog.d/*.conf` 825 | echo "[Audit config]:" `cat /etc/audit/auditd.conf | grep -v ^#` 826 | echo "[Audit rules]:" `auditd -l` 827 | echo 828 | 829 | echo 
"#----------------------------------------------------------------------------" 830 | echo "# Files permission for about syslog and audit" 831 | echo "#----------------------------------------------------------------------------" 832 | ls -l /var/log/auth.log 833 | ls -l /var/log/faillog 834 | ls -l /etc/rsyslog.conf 835 | ls -l /etc/audit/auditd.conf 836 | echo 837 | 838 | echo "#----------------------------------------------------------------------------" 839 | echo "# Configuration parameter of audit record" 840 | echo "# Note:Max_log_file=5(Log file capacity); Max_log_file_action=ROTATE(log size); num_logs=4" 841 | echo "#----------------------------------------------------------------------------" 842 | cat /etc/audit/auditd.conf | grep max_log_file | grep -v ^# 843 | cat /etc/audit/auditd.conf | grep max_log_file_action | grep -v ^# 844 | echo 845 | 846 | echo "#----------------------------------------------------------------------------" 847 | echo "# Show all running service" 848 | echo "#----------------------------------------------------------------------------" 849 | systemctl list-unit-files --type=service | grep enabled 850 | echo 851 | 852 | echo "#----------------------------------------------------------------------------" 853 | echo "# System patch info" 854 | echo "#----------------------------------------------------------------------------" 855 | echo 856 | 857 | echo "#----------------------------------------------------------------------------" 858 | echo "# PermitRootLogin parameter status of ssh" 859 | echo "#----------------------------------------------------------------------------" 860 | cat /etc/ssh/sshd_config | grep Root 861 | echo 862 | 863 | echo "#----------------------------------------------------------------------------" 864 | echo "# IP address permit in hosts.allow and hosts.deny" 865 | echo "#----------------------------------------------------------------------------" 866 | iptables --list 867 | echo 868 | 869 | echo 
"#----------------------------------------------------------------------------" 870 | echo "# System resource limit for single user" 871 | echo "#----------------------------------------------------------------------------" 872 | echo " " 873 | cat /etc/security/limits.conf | grep -v ^# 874 | echo 875 | 876 | echo "#----------------------------------------------------------------------------" 877 | echo "# System resource used status" 878 | echo "#----------------------------------------------------------------------------" 879 | echo "[disk info:]" 880 | df -h 881 | echo 882 | 883 | echo "[Memory info]:" 884 | free -m 885 | echo 886 | 887 | mem_use_info=(`awk '/MemTotal/{memtotal=$2}/MemAvailable/{memavailable=$2}END{printf "%.2f %.2f %.2f",memtotal/1024/1024," "(memtotal-memavailable)/1024/1024," "(memtotal-memavailable)/memtotal*100}' /proc/meminfo`) 888 | echo mem_used_rate:${mem_use_info[2]}% 889 | 890 | TIME_INTERVAL=5 891 | LAST_CPU_INFO=$(cat /proc/stat | grep -w cpu | awk '{print $2,$3,$4,$5,$6,$7,$8}') 892 | LAST_SYS_IDLE=$(echo $LAST_CPU_INFO | awk '{print $4}') 893 | LAST_TOTAL_CPU_T=$(echo $LAST_CPU_INFO | awk '{print $1+$2+$3+$4+$5+$6+$7}') 894 | sleep ${TIME_INTERVAL} 895 | NEXT_CPU_INFO=$(cat /proc/stat | grep -w cpu | awk '{print $2,$3,$4,$5,$6,$7,$8}') 896 | NEXT_SYS_IDLE=$(echo $NEXT_CPU_INFO | awk '{print $4}') 897 | NEXT_TOTAL_CPU_T=$(echo $NEXT_CPU_INFO | awk '{print $1+$2+$3+$4+$5+$6+$7}') 898 | SYSTEM_IDLE=`echo ${NEXT_SYS_IDLE} ${LAST_SYS_IDLE} | awk '{print $1-$2}'` 899 | TOTAL_TIME=`echo ${NEXT_TOTAL_CPU_T} ${LAST_TOTAL_CPU_T} | awk '{print $1-$2}'` 900 | CPU_USAGE=`echo ${SYSTEM_IDLE} ${TOTAL_TIME} | awk '{printf "%.2f", 100-$1/$2*100}'` 901 | echo "cpu_used_rate:${CPU_USAGE}%" 902 | echo 903 | echo "#----------------------------------------------------------------------------" 904 | echo "# MISC" 905 | echo "#----------------------------------------------------------------------------" 906 | echo "#[System lastlog info]:" 907 | lastlog 
908 | echo 909 | echo "#[crontab info]:" 910 | crontab -l 911 | echo 912 | echo "#[Process and port state]:" 913 | netstat -pantu 914 | echo 915 | echo "-------------------------------- System checking end --------------------------------" 916 | echo 917 | ps -ef 918 | } 919 | 920 | #------------------------------------------------------------------------------------------- 921 | # AIX操作核查系统执行该方法,未完善。 922 | #------------------------------------------------------------------------------------------- 923 | AIX_ceping() 924 | { 925 | LogMsg "Checking operating system......" 1>&2 926 | echo "-------------------------------- System checking start --------------------------------" 927 | echo 928 | echo "#----------------------------------------------------------------------------" 929 | echo "# Checking Empty password users" 930 | echo "#----------------------------------------------------------------------------" 931 | flag= 932 | null_password=`awk -F: 'length($2)==0 {print $1}' /etc/shadow` 933 | 934 | if [ -n "$null_password" ]; then 935 | flag='y' 936 | echo $null_password 937 | fi 938 | 939 | null_password=`awk -F: 'length($2)==0 {print $1}' /etc/passwd` 940 | if [ -n "$null_password" ]; then 941 | flag='y' 942 | echo $null_password 943 | fi 944 | 945 | null_password=`awk -F: '$2=="!" {print $1}' /etc/shadow` 946 | if [ -n "$null_password" ]; then 947 | flag='y' 948 | echo $null_password 949 | fi 950 | 951 | null_password=`awk -F: '$2!="x" {print $1}' /etc/passwd` 952 | if [ -n "$null_password" ]; then 953 | flag='y' 954 | echo $null_password 955 | fi 956 | 957 | [[ ! -n "$flag" ]] && echo "[Y] This system no empty password users!" 
958 | 959 | echo 960 | echo "#----------------------------------------------------------------------------" 961 | echo "# Checking UID=0 users" 962 | echo "#----------------------------------------------------------------------------" 963 | awk -F: '$3==0 {print $1}' /etc/passwd 964 | echo 965 | ps -ef 966 | } 967 | 968 | 969 | #---------------------------------------------------------------------------- 970 | # Oracle数据库核查,参数 -o 执行该方法,已测试兼容版本:10g 11g 12c 971 | #---------------------------------------------------------------------------- 972 | oracle_ceping() 973 | { 974 | [ ! -n "$ORACLE" ] && LogErrorMsg "Not found Oracle database,please run '${0} -l'" 1>&2 && exit 1 975 | LogMsg "Checking Oracle database system......" 1>&2 976 | echo "-------------------------------- Oracle checking start --------------------------------" 977 | echo 978 | # 临时SQL文件 979 | sqlFile=/tmp/tmp_oracle.sql 980 | # 写入SQL语句 981 | echo "set echo off feedb off timi off pau off trimsp on head on long 2000000 longchunksize 2000000" > ${sqlFile} 982 | echo "set linesize 150" >> ${sqlFile} 983 | echo "set pagesize 80" >> ${sqlFile} 984 | echo "col username format a22" >> ${sqlFile} 985 | echo "col account_status format a20" >> ${sqlFile} 986 | echo "col password format a20" >> ${sqlFile} 987 | echo "col CREATED format a20" >> ${sqlFile} 988 | echo "col USER_ID, format a10" >> ${sqlFile} 989 | echo "col profile format a20" >> ${sqlFile} 990 | echo "col resource_name format a35" >> ${sqlFile} 991 | echo "col limit format a10" >> ${sqlFile} 992 | echo "col TYPE format a15" >> ${sqlFile} 993 | echo "col VALUE format a20" >> ${sqlFile} 994 | 995 | echo "col grantee format a25" >> ${sqlFile} 996 | echo "col owner format a10" >> ${sqlFile} 997 | echo "col table_name format a10" >> ${sqlFile} 998 | echo "col grantor format a10" >> ${sqlFile} 999 | echo "col privilege format a10" >> ${sqlFile} 1000 | 1001 | echo "col AUDIT_OPTION format a30" >> ${sqlFile} 1002 | echo "col SUCCESS format a20" >> 
${sqlFile} 1003 | echo "col FAILURE format a20" >> ${sqlFile} 1004 | echo "col any_path format a100" >> ${sqlFile} 1005 | 1006 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1007 | echo "PROMPT # Oracle version info" >> ${sqlFile} 1008 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1009 | echo "select * from v\$version;" >> ${sqlFile} 1010 | echo "PROMPT" >> ${sqlFile} 1011 | 1012 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1013 | echo "PROMPT # All database instances" >> ${sqlFile} 1014 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1015 | echo "select name from v\$database;" >> ${sqlFile} 1016 | echo "PROMPT" >> ${sqlFile} 1017 | 1018 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1019 | echo "PROMPT # Checking all user status(note sample account:scott,outln,ordsys)" >> ${sqlFile} 1020 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1021 | echo "select username, CREATED, USER_ID, account_status, profile from dba_users;" >> ${sqlFile} 1022 | echo "PROMPT" >> ${sqlFile} 1023 | 1024 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1025 | echo "PROMPT # Policie Checking of password and attempt login failed" >> ${sqlFile} 1026 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1027 | echo "select profile, resource_name, limit from dba_profiles where resource_type='PASSWORD';" >> ${sqlFile} 1028 | echo "PROMPT" >> ${sqlFile} 1029 | 1030 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1031 | echo "PROMPT # Show the default 
password account" >> ${sqlFile} 1032 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1033 | echo "select * from dba_users_with_defpwd;" >> ${sqlFile} 1034 | echo "PROMPT" >> ${sqlFile} 1035 | 1036 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1037 | echo "PROMPT # Show all users about granted_role='DBA'" >> ${sqlFile} 1038 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1039 | echo "select grantee from dba_role_privs where granted_role='DBA';" >> ${sqlFile} 1040 | echo "PROMPT" >> ${sqlFile} 1041 | 1042 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1043 | echo "PROMPT # Default users grantee roles about grantee='PUBLIC'" >> ${sqlFile} 1044 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1045 | echo "select granted_role from dba_role_privs where grantee='PUBLIC';" >> ${sqlFile} 1046 | echo "PROMPT" >> ${sqlFile} 1047 | 1048 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1049 | echo "PROMPT # Checking access of data dictionary must boolean=FALSE" >> ${sqlFile} 1050 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1051 | echo "show parameter O7_DICTIONARY_ACCESSIBILITY;" >> ${sqlFile} 1052 | echo "PROMPT" >> ${sqlFile} 1053 | 1054 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1055 | echo "PROMPT # Audit state" >> ${sqlFile} 1056 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1057 | echo "show parameter audit;" >> ${sqlFile} 1058 | echo "PROMPT" >> ${sqlFile} 1059 | 1060 | echo "PROMPT 
#============================================================================#" >> ${sqlFile} 1061 | echo "PROMPT # Important security events covered by audit" >> ${sqlFile} 1062 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1063 | echo "select AUDIT_OPTION, SUCCESS, FAILURE from dba_stmt_audit_opts;" >> ${sqlFile} 1064 | echo "PROMPT" >> ${sqlFile} 1065 | 1066 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1067 | echo "PROMPT # Protecting audit records status" >> ${sqlFile} 1068 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1069 | echo "select grantee, owner, table_name, grantor, privilege from dba_tab_privs where table_name='AUD$';" >> ${sqlFile} 1070 | echo "PROMPT" >> ${sqlFile} 1071 | 1072 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1073 | echo "PROMPT # Checking login 'IDLE_TIME' value" >> ${sqlFile} 1074 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1075 | echo "select resource_name, limit from dba_profiles where profile='DEFAULT' and resource_type='KERNEL' and resource_name='IDLE_TIME';" >> ${sqlFile} 1076 | echo "PROMPT" >> ${sqlFile} 1077 | 1078 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1079 | echo "PROMPT # Checking single user resource limit status" >> ${sqlFile} 1080 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1081 | echo "select resource_name, limit from dba_profiles where profile='DEFAULT' and resource_type='SESSIONS_PER_USERS';" >> ${sqlFile} 1082 | echo "PROMPT" >> ${sqlFile} 1083 | 1084 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1085 | echo 
"PROMPT # Checking cpu time limit for a single session" >> ${sqlFile} 1086 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1087 | echo "select resource_name, limit from dba_profiles where profile='DEFAULT' and resource_type='CPU_PER_SESSION';" >> ${sqlFile} 1088 | echo "PROMPT" >> ${sqlFile} 1089 | 1090 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1091 | echo "PROMPT # Show maximum number of connections" >> ${sqlFile} 1092 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1093 | echo "show parameter processes;" >> ${sqlFile} 1094 | echo "PROMPT" >> ${sqlFile} 1095 | 1096 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1097 | echo "PROMPT # Access control function" >> ${sqlFile} 1098 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1099 | echo "select any_path from resource_view where any_path like '/sys/acls/%.xml';" >> ${sqlFile} 1100 | echo "PROMPT" >> ${sqlFile} 1101 | 1102 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1103 | echo "PROMPT # Remote_os_authent" >> ${sqlFile} 1104 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1105 | echo "select value from v\$parameter where name='remote_os_authent';" >> ${sqlFile} 1106 | echo "PROMPT" >> ${sqlFile} 1107 | 1108 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1109 | echo "PROMPT # 'Oracle Label Security' install status" >> ${sqlFile} 1110 | echo "PROMPT #============================================================================#" >> ${sqlFile} 1111 | echo "select username, account_status, profile from dba_users where 
username='LBACSYS';" >> ${sqlFile} 1112 | echo "select object_type,count(*) from dba_objects where OWNER='LBACSYS' group by object_type;" >> ${sqlFile} 1113 | echo "PROMPT" >> ${sqlFile} 1114 | echo "exit" >> ${sqlFile} 1115 | chmod 777 ${sqlFile} 1116 | 1117 | # 切换至oracle账户执行SQL语句,执行完毕后退回root账户 1118 | su - oracle << EOF 1119 | sqlplus / as sysdba @ ${sqlFile} 1120 | exit 1121 | EOF 1122 | # 删除临时SQL文件 1123 | rm $sqlFile -f 1124 | 1125 | # 查找sqlnet.ora文件 1126 | sqlnet_ora_path=`find / -name "sqlnet.ora" | grep -v samples` 1127 | echo 1128 | echo "#============================================================================#" 1129 | echo -e "# Checking Oracle configuration files(path:${sqlnet_ora_path})" 1130 | echo "#============================================================================#" 1131 | cat $sqlnet_ora_path | grep -Ev "^$|^[#;]" 1132 | echo 1133 | echo "-------------------------------- Oracle checking end --------------------------------" 1134 | echo 1135 | } 1136 | 1137 | #---------------------------------------------------------------------------- 1138 | # Mysql数据库核查,参数 -m 执行该方法。SQL语句未完善。 1139 | #---------------------------------------------------------------------------- 1140 | mysql_ceping() 1141 | { 1142 | [ ! -n "$MYSQL" ] && LogErrorMsg "Not found Mysql database,please run '${0} -l'" 1>&2 && exit 1 1143 | LogMsg "Checking Mysql database system......" 1>&2 1144 | echo 1145 | echo "-------------------------------- Mysql checking start --------------------------------" 1146 | echo 1147 | MYSQL_BIN=$(which mysql) 1148 | loginfotmp=/tmp/tmpinfo 1149 | 1150 | # 核查是否为空口令。 1151 | if [ ! -n "$1" ];then 1152 | while : 1153 | do 1154 | while [ ! -n "${mysql_pwd}" ] 1155 | do 1156 | read -p "Enter the mysql(user:root) password: " mysql_pwd 1157 | [[ "q" == $mysql_pwd ]] && LogMsg "Already skip Mysql check." 
1>&2 && return 1158 | done 1159 | 1160 | $MYSQL_BIN -uroot -p$mysql_pwd -e "exit" &> $loginfotmp 1161 | loginfo=`grep "ERROR" ${loginfotmp}` 1162 | rm -f $loginfotmp 1163 | if [ ! -n "$loginfo" ]; then 1164 | break 1165 | else 1166 | mysql_pwd= 1167 | LogErrorMsg "Please confirm the password or check the configuration about mysql connect!" 1>&2 1168 | LogMsg "Of course, you can ‘Ctrl + C’ exit or enter 'q' spin mysql checking." 1>&2 1169 | continue 1170 | fi 1171 | done 1172 | else 1173 | mysql_pwd=$1 1174 | $MYSQL_BIN -uroot -p$mysql_pwd -e "exit" &> $loginfotmp 1175 | loginfo=`grep "ERROR" ${loginfotmp}` 1176 | rm -f $loginfotmp 1177 | if [ -n "$loginfo" ]; then 1178 | LogErrorMsg "Please confirm the password or check the configuration!" 1>&2 1179 | exit 1 1180 | fi 1181 | 1182 | fi 1183 | 1184 | echo "#----------------------------------------------------------------------------" 1185 | echo "# Mysql checking" 1186 | echo "#----------------------------------------------------------------------------" 1187 | echo "# Mysql database status" 1188 | $MYSQL_BIN -uroot -p$mysql_pwd -e "\s" 1189 | echo "# show databases;" 1190 | $MYSQL_BIN -uroot -p$mysql_pwd -e 'show databases;' 1191 | echo "# select version();" 1192 | $MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e 'select host, user, password from user;' 1193 | echo "# password policy( > v5.7 )" 1194 | $MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e "show variables like 'validate_password%';" 1195 | echo "# show tables;" 1196 | $MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e 'show tables;' 1197 | echo "# select user, Shutdown_priv, Grant_priv, File_priv from user;" 1198 | $MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e 'select user, Shutdown_priv, Grant_priv, File_priv from user;' 1199 | echo "# select * from db;" 1200 | $MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e 'select * from db;' 1201 | echo "# select * from tables_priv;" 1202 | $MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e 'select * from tables_priv;' 1203 | echo "# select * from 
columns_priv;" 1204 | $MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e 'select * from columns_priv;' 1205 | echo "# show global variables like '%general%';" 1206 | $MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e "show global variables like '%general%';" 1207 | echo "# show variables like 'log_%';" 1208 | $MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e "show variables like 'log_%';" 1209 | echo "# show variables like 'log_bin';" 1210 | $MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e "show variables like 'log_bin';" 1211 | echo "# show variables like '%timeout%';" 1212 | $MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e "show variables like '%timeout%';" 1213 | mysql_cnf=`find / -name my.cnf ` 1214 | echo -e "# Checking Mysql configuration files(path:${mysql_cnf})" 1215 | cat $mysql_cnf | grep -v ^$ 1216 | echo 1217 | echo "-------------------------------- Mysql checking end --------------------------------" 1218 | echo 1219 | } 1220 | 1221 | #---------------------------------------------------------------------------- 1222 | # PostgreSQL数据库核查,参数 -pgsql 执行该方法。 1223 | #---------------------------------------------------------------------------- 1224 | pgsql_ceping() 1225 | { 1226 | [ ! -n "$PGSQL" ] && LogErrorMsg "Not found PostgreSQL database,please run '${0} -l'" 1>&2 && exit 1 1227 | LogMsg "Checking PostgreSQL database system......" 
1>&2 1228 | echo 1229 | echo "-------------------------------- PostgreSQL checking start --------------------------------" 1230 | echo 1231 | sqlFile=/tmp/tmp_postgres.sql 1232 | PGDATA=`su - postgres << EOF 1233 | cat ~/.bash_profile | grep PGDATA= 1234 | exit 1235 | EOF` 1236 | PGDATA=`echo ${PGDATA} | awk -F'PGDATA=' '{print $2}'` 1237 | 1238 | echo "\echo #============================================================================#" >> ${sqlFile} 1239 | echo "\echo # PostgreSQL version info" >> ${sqlFile} 1240 | echo "\echo #============================================================================#" >> ${sqlFile} 1241 | echo "select version();" >> ${sqlFile} 1242 | 1243 | echo "\echo #============================================================================#" >> ${sqlFile} 1244 | echo "\echo # List of all instances" >> ${sqlFile} 1245 | echo "\echo #============================================================================#" >> ${sqlFile} 1246 | echo "\l" >> ${sqlFile} 1247 | 1248 | echo "\echo #============================================================================#" >> ${sqlFile} 1249 | echo "\echo # List of all users info" >> ${sqlFile} 1250 | echo "\echo #============================================================================#" >> ${sqlFile} 1251 | echo "select * from pg_shadow;" >> ${sqlFile} 1252 | 1253 | echo "\echo #============================================================================#" >> ${sqlFile} 1254 | echo "\echo # Access control function" >> ${sqlFile} 1255 | echo "\echo #============================================================================#" >> ${sqlFile} 1256 | echo "select * from pg_roles;" >> ${sqlFile} 1257 | echo "select * from information_schema.table_privileges where grantee='cc';" >> ${sqlFile} 1258 | 1259 | echo "\echo #============================================================================#" >> ${sqlFile} 1260 | echo "\echo # Log and audit" >> ${sqlFile} 1261 | echo "\echo 
#============================================================================#" >> ${sqlFile} 1262 | echo "show log_destination; show log_connections; show log_disconnections; show log_statement; show logging_collector; show log_rotation_size; show log_rotation_age;" >> ${sqlFile} 1263 | 1264 | echo "\echo #============================================================================#" >> ${sqlFile} 1265 | echo "\echo # PostgreSQL MISC" >> ${sqlFile} 1266 | echo "\echo #============================================================================#" >> ${sqlFile} 1267 | echo "select name, setting from pg_settings where context = 'user' order by 1;" >> ${sqlFile} 1268 | 1269 | echo "\q" >> ${sqlFile} 1270 | chmod 777 ${sqlFile} 1271 | # 切换至postgres账户执行SQL语句,执行完毕后退回root账户 1272 | su - postgres << EOF 1273 | psql -d postgres -U postgres -f ${sqlFile} 1274 | exit 1275 | EOF 1276 | rm -f ${sqlFile} 1277 | 1278 | echo 1279 | echo "#----------------------------------------------------------------------------" 1280 | echo "# Check password module for ‘libdir/passwordcheck’" 1281 | echo "#----------------------------------------------------------------------------" 1282 | grep "passwordcheck" $PGDATA/postgresql.conf 1283 | echo 1284 | echo 1285 | echo "#----------------------------------------------------------------------------" 1286 | echo "# Limit address" 1287 | echo "#----------------------------------------------------------------------------" 1288 | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' $PGDATA/postgresql.conf 1289 | grep "listen_addresses" $PGDATA/postgresql.conf 1290 | echo 1291 | echo 1292 | echo "#----------------------------------------------------------------------------" 1293 | echo "# To see the first 10 rows of ‘$PGDATA/pg_log/’" 1294 | echo "#----------------------------------------------------------------------------" 1295 | pg_logfile=`ls $PGDATA/pg_log/ | grep -E 'postgresql-*' | tail -n 1` 1296 | cat $PGDATA/pg_log/${pg_logfile} | tail -n 
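10
  echo
  echo
  echo "#----------------------------------------------------------------------------"
  echo "# Login timeout"
  echo "#----------------------------------------------------------------------------"
  grep 'tcp_keepalives' "$PGDATA/postgresql.conf"
  echo
  echo
  echo "#----------------------------------------------------------------------------"
  echo "# Max_connections and Shared_buffers"
  echo "#----------------------------------------------------------------------------"
  # Drop blank lines and '#'/';' comment lines so only active settings are shown.
  grep -E 'max_connections|shared_buffers' "$PGDATA/postgresql.conf" | grep -Ev "^$|^[#;]"
  echo
  echo "-------------------------------- PostgreSQL checking end --------------------------------"
  echo
}

#----------------------------------------------------------------------------
# Redis check. The assessment items are not implemented yet; this only
# records the server version and collects every redis.conf on the box into
# the current directory.
# Globals:  none
# Outputs:  version banner and cp diagnostics on stdout/stderr
#----------------------------------------------------------------------------
redis_ceping()
{
  echo
  echo
  redis-server -v
  # -exec copies each hit on its own, so paths with spaces and multiple or
  # zero matches no longer break the unquoted `cp $redis_conf ./` this
  # replaces. A redis.conf can carry credentials (requirepass), so the
  # directory the evidence is written to should not be world-readable.
  find / -name "redis.conf" -exec cp -- {} ./ \;
  echo
  echo
}

#----------------------------------------------------------------------------
# Web container / middleware check. The assessment items are not
# implemented yet; this only copies the server's main config file into the
# current directory.
# Globals:  WEBSERVER (read) - "nginx", "weblogic" or "apache"
# Outputs:  a notice for unsupported/unknown servers
#----------------------------------------------------------------------------
webserver_ceping()
{
  echo
  echo
  case "$WEBSERVER" in
    "nginx")
      # Anything under a path containing "tmp" is skipped, as the original
      # `grep -v tmp` filter did.
      find / -name "nginx.conf" -not -path "*tmp*" -exec cp -- {} ./ \; ;;
    "weblogic")
      echo "weblogic ceping function wait edit" ;;
    "apache")
      find / -name httpd.conf -exec cp -- {} ./ \; ;;
    *)
      echo "Not found web server!" ;;
  esac
  echo
  echo
}

#----------------------------------------------------------------------------
# Entry point for the -a (automatic) check: dispatch on the detected
# distribution, then run every database / web-server check whose detection
# variable is set. An unrecognised DISTRO runs no OS check at all.
# Globals:  DISTRO, ORACLE, MYSQL, PGSQL, DBS, WEBSERVER (all read)
# Outputs:  the individual checks' reports; completion message on stderr
#----------------------------------------------------------------------------
check_system()
{
  case "$DISTRO" in
    CentOS|RedHat|EulerOS)
      redhat_or_centos_ceping ;;
    Ubuntu)
      ubuntu_ceping ;;
    AIX)
      AIX_ceping ;;
  esac

  [[ "Oracle" == "$ORACLE" ]] && oracle_ceping
  [[ "Mysql" == "$MYSQL" ]] && mysql_ceping
  [[ "PostgreSQL" == "$PGSQL" ]] && pgsql_ceping
  [[ "$DBS" == "redis" ]] && redis_ceping
  [[ -n "$WEBSERVER" ]] && webserver_ceping
  LogSucMsg "Checking completed!" 1>&2
}


#----------------------------------------------------------------------------
# main_ceping - script entry point.
# Arguments: $1 - option (-h, -l, -o, -m, -pgsql, -s, -a); anything else
#                 prints the help text
#            $2 - MySQL password, used only with -m
# Returns:   exits 1 when not run as root
#----------------------------------------------------------------------------
main_ceping()
{
  print_logo
  # The checks must run as root; warn and exit otherwise. id -u is checked
  # instead of the login name so any uid-0 account qualifies.
  if [ "$(id -u)" -ne 0 ]; then
    LogErrorMsg "Please use root user or sudo!" 1>&2
    exit 1
  fi
  case "$1" in
    -h)
      helpinfo ;;
    -l)
      information_collection ;;
    -o)
      oracle_ceping ;;
    -m)
      # NOTE(review): the password arrives on the command line (helpinfo:
      # "-m [password]"), so it is visible to other local users in the
      # process list; prompting for it would be safer. The argument is
      # passed only when non-empty, matching the original unquoted call.
      mysql_ceping ${2:+"$2"} ;;
    -pgsql)
      pgsql_ceping ;;
    -s)
      get_webserver_info
      webserver_ceping ;;
    -a)
      output_file_banner
      information_collection
      check_system ;;
    *)
      helpinfo ;;
  esac
}

# Hand all arguments to main_ceping (it uses $1 and $2).
main_ceping "$@"
--------------------------------------------------------------------------------
/Linux/secure_config.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# -----------------------------------------------------------
# Filename: secure_config.sh
# Describe: Security config Red-Hat system
# Usage:    chmod 700 secure_config.sh   (it edits /etc/login.defs,
#           /etc/pam.d/system-auth and /etc/profile with sed -i, so it is
#           run as root; do not leave it world-writable)
#           ./secure_config.sh -h
# v1.0 2018.8.25
# -----------------------------------------------------------

# Script settings
# this script's own name (for the help text)
selfname=$0
# backup directory for the original config files
backup_filemame=/home/xinyuan_config_files_backup
# config files that get modified (and backed up first)
login_defs=/etc/login.defs
system_auth=/etc/pam.d/system-auth
profile=/etc/profile

#########################################################
# Target values to be written to the system
# password ageing policy (login.defs)
PASS_MAX_DAYS=90
PASS_MIN_DAYS=2
PASS_MIN_LEN=8
PASS_WARN_AGE=7
# password complexity (pam_cracklib / pam_pwquality); an empty value means
# "do not set this option"
retry=5
difok=3
minlen=
ucredit=-1
lcredit=-1
dcredit=-1
ocredit=-1
remember=8
# login failure policy (pam_tally2)
deny=5
unlock_time=600
# y = add even_deny_root, n = do not add it
even_deny_root=y
root_unlock_time=1800
# login timeout (seconds)
TMOUT=600
#########################################################
# Current system values

#######################################
# Value of an uncommented KEY line in login.defs.
# Arguments: $1 - key, e.g. PASS_MAX_DAYS
# Outputs:   the second column of every matching line
#######################################
login_def() {
  grep -- "$1" "${login_defs}" | grep -v '^#' | awk '{print $2}'
}

#######################################
# Value of an "opt=value" option in system-auth.
# Same pipeline as the original per-option lines, quirks included: the
# grep is on the bare option name, so "deny" also matches lines carrying
# "even_deny_root" and "unlock_time" also matches "root_unlock_time".
# Arguments: $1 - option name
# Outputs:   the value following "$1=" on each matching line
#######################################
pam_opt() {
  grep -- "$1" "${system_auth}" | awk -F"$1=" '{print $2}' | awk '{print $1}'
}

# password ageing policy from login.defs
sys_PASS_MAX_DAYS=$(login_def PASS_MAX_DAYS)
sys_PASS_MIN_DAYS=$(login_def PASS_MIN_DAYS)
sys_PASS_MIN_LEN=$(login_def PASS_MIN_LEN)
sys_PASS_WARN_AGE=$(login_def PASS_WARN_AGE)
# password complexity from /etc/pam.d/system-auth
sys_retry=$(pam_opt retry)
sys_difok=$(pam_opt difok)
sys_minlen=$(pam_opt minlen)
sys_ucredit=$(pam_opt ucredit)
sys_lcredit=$(pam_opt lcredit)
sys_dcredit=$(pam_opt dcredit)
sys_ocredit=$(pam_opt ocredit)
sys_remember=$(pam_opt remember)
# login failure policy from /etc/pam.d/system-auth
sys_deny=$(pam_opt deny)
sys_unlock_time=$(pam_opt unlock_time)
sys_even_deny_root=$(pam_opt even_deny_root)
sys_root_unlock_time=$(pam_opt root_unlock_time)
# session timeout from /etc/profile (any line mentioning TMOUT, comments too)
sys_TMOUT=$(grep TMOUT "${profile}" | awk -F'TMOUT=' '{print $2}')
#########################################################

#######################################
# Print the usage text.
#######################################
h_help() {
  echo "=============================================================="
  echo "Description:"
  echo -e " This Script for configur some security files,"
  echo -e "and the system original configuration file will"
  echo -e "be backed up to \"${backup_filemame}\"."
  echo -e "if you have recovery it, please run \`${selfname} -b\`."
  echo
  echo "Usage:"
  echo -e "\t" "${selfname} -h view usage methods."
  echo -e "\t" "${selfname} -l show system config."
  echo -e "\t" "${selfname} -c config it and backup original files."
  echo -e "\t" "${selfname} -f enforcing config system files."
  echo -e "\t" "${selfname} -b recovery original security config."
  echo -e "\t" "${selfname} -s show myself parameter value."
  echo "=============================================================="
}

#######################################
# Show the values currently configured on the system (the sys_* globals
# read at start-up plus the raw pam_tally line).
#######################################
l_syscfg() {
  local login_failure
  echo
  echo "PASS_MAX_DAYS=${sys_PASS_MAX_DAYS}"
  echo "PASS_MIN_DAYS=${sys_PASS_MIN_DAYS}"
  echo "PASS_MIN_LEN=${sys_PASS_MIN_LEN}"
  echo "PASS_WARN_AGE=${sys_PASS_WARN_AGE}"
  echo
  echo "retry=${sys_retry}"
  echo "difok=${sys_difok}"
  echo "minlen=${sys_minlen}"
  echo "ucredit=${sys_ucredit}"
  echo "lcredit=${sys_lcredit}"
  echo "dcredit=${sys_dcredit}"
  echo "ocredit=${sys_ocredit}"
  echo "remember=${sys_remember}"
  echo
  # current login-failure policy line(s)
  login_failure=$(grep tally "${system_auth}")
  if [ -z "$login_failure" ]; then
    echo "No have login failure policy!"
  else
    echo "$login_failure"
  fi
  echo
  echo "TMOUT=${sys_TMOUT}"
  echo
}

#######################################
# Back up the three config files before they are modified. A pre-existing
# backup directory is taken to mean the configuration was already applied,
# so the script stops rather than overwriting the pristine copies.
# Globals:   backup_filemame, login_defs, system_auth, profile (read)
#######################################
sys_backup() {
  if [ -d "${backup_filemame}" ]; then
    printf '%s\n' "Warning: \"${backup_filemame}\" already exists!!! you has been finished the configuration."
    exit
  fi
  # Copies of PAM/login config are kept private to root.
  mkdir -p -m 700 -- "${backup_filemame}"
  cp -f -- "${login_defs}" "${system_auth}" "${profile}" "${backup_filemame}"
}

#######################################
# Write the pam_tally2 login-failure line into system-auth, built from the
# deny/unlock_time/root_unlock_time/even_deny_root settings above.
# Globals:   deny, unlock_time, root_unlock_time, even_deny_root,
#            system_auth (read)
#######################################
login_failure_policy() {
  local word="auth required pam_tally2.so"
  local keys=(deny unlock_time root_unlock_time)
  local vals=("$deny" "$unlock_time" "$root_unlock_time")
  local i

  if [ "y" = "${even_deny_root}" ]; then
    word+=" even_deny_root"
  fi
  for ((i = 0; i < ${#keys[@]}; i++)); do
    # empty value -> option not set
    [ -n "${vals[i]}" ] && word+=" ${keys[i]}=${vals[i]}"
  done

  if grep -q tally "${system_auth}"; then
    # Replace every existing pam_tally line with the new one. The original
    # used the matched line itself as an unescaped sed pattern, which fails
    # on regex metacharacters and on more than one matching line.
    sed -i "/tally/c\\${word}" "${system_auth}"
  else
    # NOTE(review): inserting at line 8 is the original, hard-coded
    # placement; the line only takes effect if it precedes the pam_unix.so
    # "auth" entry, so verify the position on the target file.
    sed -i "8i\\${word}" "${system_auth}"
  fi
}


#######################################
# Write the password-complexity line into system-auth. pam_cracklib.so is
# the default; pam_pwquality.so is used when that is what the file has.
# Globals:   retry, difok, minlen, ucredit, lcredit, dcredit, ocredit,
#            remember, system_auth (read)
# Returns:   exits 1 if neither module is present in system-auth
#######################################
pam_cracklib_version() {
  local word pam_version i
  pam_version=$(grep 'pam_cracklib' "${system_auth}")
  word="password requisite pam_cracklib.so try_first_pass"

  if [ -z "$pam_version" ]; then
    pam_version=$(grep 'pam_pwquality' "${system_auth}")
    word="password requisite pam_pwquality.so try_first_pass local_users_only"
    if [ -z "$pam_version" ]; then
      echo "not find 'pam_cracklib.so | pam_pwquality.so' pam_cracklib_version error!!!"
      exit 1
    fi
  fi

  local keys=(retry difok minlen ucredit lcredit dcredit ocredit remember)
  local vals=("$retry" "$difok" "$minlen" "$ucredit" "$lcredit" "$dcredit" "$ocredit" "$remember")
  for ((i = 0; i < ${#keys[@]}; i++)); do
    # empty value (e.g. minlen= above) -> option not set
    [ -n "${vals[i]}" ] && word+=" ${keys[i]}=${vals[i]}"
  done

  # Replace the whole "password requisite ..." line. The original grepped
  # for the single-space literal 'password requisite', which does not match
  # the column-aligned lines of a real system-auth and then ran sed with an
  # empty pattern; match on whitespace runs instead.
  sed -i -E "/^password[[:space:]]+requisite[[:space:]]/c\\${word}" "${system_auth}"
}

#######################################
# Append "export TMOUT=..." to /etc/profile when the file has no TMOUT yet.
# An existing value, however weak, is deliberately left untouched.
# Globals:   TMOUT, sys_TMOUT, profile (read)
#######################################
export_tmout() {
  local tmout="export TMOUT=${TMOUT}"
  if [ -z "$sys_TMOUT" ]; then
    printf '%s\n' "${tmout}" >> "${profile}"
    # NOTE(review): this executes /etc/profile inside the running script;
    # also, without a following "readonly TMOUT" a user can unset the
    # timeout in their own shell.
    source "${profile}"
  fi
}

#######################################
# Set KEY to VALUE on the first uncommented "KEY<ws>old" line of login.defs,
# whatever whitespace the file uses. (The original only matched a single
# TAB, so a space-separated login.defs was silently left unchanged.)
# Arguments: $1 - key, $2 - new value
#######################################
set_login_def() {
  sed -i -E "s/^(${1})[[:space:]]+[^[:space:]]+.*$/\1\t${2}/" "${login_defs}"
}

#######################################
# Apply all settings: login.defs ageing, PAM complexity, PAM login-failure
# policy and the profile timeout.
#######################################
sys_config() {
  set_login_def PASS_MAX_DAYS "${PASS_MAX_DAYS}"
  set_login_def PASS_MIN_DAYS "${PASS_MIN_DAYS}"
  set_login_def PASS_MIN_LEN "${PASS_MIN_LEN}"
  set_login_def PASS_WARN_AGE "${PASS_WARN_AGE}"

  pam_cracklib_version
  login_failure_policy
  export_tmout
}


# -c: back up, then configure.
c_config() {
  sys_backup
  sys_config
}

# -f: configure without (re-)backing up.
f_config() {
  sys_config
}

#######################################
# -b: restore the three files from the backup directory and remove it.
# Returns:   1 if there is no backup directory
#######################################
b_recovery() {
  if [ ! -d "${backup_filemame}" ]; then
    echo "Error: backup directory \"${backup_filemame}\" not found, nothing to recover." >&2
    return 1
  fi
  cp -f -- "${backup_filemame}/login.defs" "${login_defs}"
  cp -f -- "${backup_filemame}/system-auth" "${system_auth}"
  cp -f -- "${backup_filemame}/profile" "${profile}"

  # :? aborts instead of running "rm -rf --" on an empty path
  rm -rf -- "${backup_filemame:?}"
}

#######################################
# -s: print the target values this script would apply.
#######################################
s_mycfg() {
  echo
  echo "--> ${login_defs}"
  echo "PASS_MAX_DAYS=${PASS_MAX_DAYS}"
  echo "PASS_MIN_DAYS=${PASS_MIN_DAYS}"
  echo "PASS_MIN_LEN=${PASS_MIN_LEN}"
  echo "PASS_WARN_AGE=${PASS_WARN_AGE}"
  echo
  echo "--> ${system_auth}"
  echo "retry=${retry}"
  echo "difok=${difok}"
  echo "minlen=${minlen}"
  echo "ucredit=${ucredit}"
  echo "lcredit=${lcredit}"
  echo "dcredit=${dcredit}"
  echo "ocredit=${ocredit}"
  # was a duplicated "ocredit" line; remember is the value that was missing
  echo "remember=${remember}"
  echo
  echo "deny=${deny}"
  echo "unlock_time=${unlock_time}"
  # y = add even_deny_root, n = do not add it
  echo "even_deny_root=${even_deny_root}"
  echo "root_unlock_time=${root_unlock_time}"
  echo
  echo "--> ${profile}"
  echo "TMOUT=${TMOUT}"
  echo
}


#######################################
# Dispatch on the first argument; anything unknown prints the help.
#######################################
cfg_main() {
  case "$1" in
    -h) h_help ;;
    -l) l_syscfg ;;
    -s) s_mycfg ;;
    -c) c_config ;;
    -f) f_config ;;
    -b) b_recovery ;;
    *) h_help ;;
  esac
}

cfg_main "$1"
--------------------------------------------------------------------------------
/Linux/suse11.sh:
--------------------------------------------------------------------------------
#!/bin/bash

# -----------------------------------------------------------
# Filename: suse.sh
# Describe: Security check for release SUSE linux
# Usage:    chmod 700 suse.sh   (run as root; the report it writes contains
#           /etc/shadow hashes, so keep the output file private as well)
#           ./suse.sh &> filename.sh
# v1.0 2018.10
# -----------------------------------------------------------


echo "# ---------------------------------------------------------------------"
echo -e "# Describe: \t\t This file to check system security configuration"
# %H:%M - the original %H:%S printed hour:second
echo -e "# Running time:\t\t $(date +'%Y-%m-%d %H:%M')"
echo "# Project name:"
echo "# Server name:"
echo "# ---------------------------------------------------------------------"
echo


# Older net-tools print "inet addr:A.B.C.D", newer ones "inet A.B.C.D";
# pick the parser by probing for the old form. 127.* lines are dropped.
legacy_ifconfig=$(ifconfig | grep "inet addr")
if [ -z "$legacy_ifconfig" ]; then
  # newer ifconfig output
  ip_addr=$(ifconfig | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -v 127 | awk '{print $2}')
else
  # older ifconfig output
  ip_addr=$(ifconfig | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -v 127 | awk '{print $2}' | awk -F: '{print $2}')
fi


# Hardware / software summary
echo "********* [System Info:] *********"
echo -e "Server platform: \t$(grep 'DMI' /var/log/boot.msg)"
echo -e "CPU model: \t$(grep name /proc/cpuinfo | cut -f2 -d: | uniq)"
echo -e "CPU Type: \t\t\t" "$(grep vendor_id /proc/cpuinfo | tail -n 1 | awk '{print $3}')"
echo -e "CPUS: \t\t\t\t" "$(grep -c processor /proc/cpuinfo)"
disk=$(fdisk -l | grep 'Disk' | awk -F , '{print $1}' | sed 's/Disk identifier.*//g' | sed '/^$/d')
# trailing \n keeps the blank line the original printed via an unset variable
echo -e "Disks info:\t\t\t ${disk}\n"
echo -e "System Version: \t" "$(lsb_release -a | grep Description)"
echo -e "Hostname: \t\t\t" "$(hostname -s)"
echo -e "IP Address: \t\t ${ip_addr}"
echo
echo

# Password ageing policy
echo "********* [Password policy:]"
grep PASS /etc/login.defs | grep -v '^#'
echo
echo

# Password complexity and login-failure policy
grep -v '^#' /etc/pam.d/common-auth
echo
echo

# Session timeout: expected TMOUT >= 600s. Any line mentioning TMOUT is
# shown (line-numbered), commented ones included.
echo "********* [Login timeout lock, ('TMOUT >= 600s')]"
tmout_cfg=$(grep -n "TMOUT" /etc/profile)
if [ -z "$tmout_cfg" ]; then
  echo "[X] Warning: This system no set TMOUT!"
else
  echo "$tmout_cfg"
fi
echo
echo


# File permissions: 600 on shadow is the expected value
echo "********* [Checking shadow and passwd access permission:]"
ls -l /etc/shadow
ls -l /etc/passwd
echo
echo

# telnet / ftp sockets. netstat -an prints numeric ports, so the original
# pattern 'telnet | ftp' could never match; look for the well-known ports
# (21 ftp, 23 telnet) instead.
echo "********* [Checking telnet and ftp status:]"
telnet_status=$(netstat -an | grep -E ':(21|23)[[:space:]]')
if [ -n "$telnet_status" ]; then
  echo "$telnet_status"
fi
echo
echo

# Mandatory access control; the command errors out if SELinux is not installed
echo "********* [Mandatory access control:]"
sestatus -v
echo
echo

# syslog / audit daemons
echo "********* [Syslog and audit status:]"
service syslog status
service auditd status
echo
echo
# audit rules
echo "[audit rules:]" "$(auditctl -l)"
echo
echo

# Protection of the audit records
echo "********* [Files Permission for about syslog and audit:]"
ls -l /var/log/audit
echo
echo


# Installed patches
echo "********* [Patch information of the system:]"
rpm -qa --last | grep patch
echo
echo

# sshd: direct root login should be disabled
echo "********* [SSHD PermitRootLogin :]"
grep PermitRootLogin /etc/ssh/sshd_config
echo
echo

# Source-address restrictions
echo "********* [IP address permit in hosts.allow and hosts.deny :]"
echo "[more /etc/hosts.allow:]"
grep -v '^#' /etc/hosts.allow
echo
echo

echo "[more /etc/hosts.deny :]"
grep -v '^#' /etc/hosts.deny
echo
echo

# Per-user resource limits
echo "********* [Describes system resource limit for a user:]"
echo
echo " "
grep -v '^#' /etc/security/limits.conf
echo
echo

# Resource usage

echo "********* [System resource used rate:]"
echo
echo
# disk
echo "[disk info:]"
df -h
echo
echo

# memory
echo "[Memory info:]"
free -m
echo
echo

# memory usage (% of the "Mem:" row)
echo "mem_used_rate = " "$(free -m | awk 'NR==2 {print int($3*100/$2), "%"}')"
# CPU usage (user column of top's Cpu(s) line)
cpu_used=$(top -b -n 1 | head -n 4 | grep "^Cpu(s)" | awk '{print $2}' | cut -d 'u' -f 1)
echo "cpu_used_rate = " "$cpu_used"
echo
echo
echo "********* [Cat files: /etc/passwd:]"
cat /etc/passwd
echo
echo
# This puts every password hash into the report; protect the output file.
echo "********* [Cat files: /etc/shadow:]"
cat /etc/shadow
echo
echo
# Running services: look for anything unrelated to the host's role
echo "********* [Select all running service:]"
service --status-all | grep running
echo
echo

--------------------------------------------------------------------------------
/Mysql/mysql.sql:
--------------------------------------------------------------------------------
---------------------------------------------------
-- mysql 5.7
-- Method:
-- mysql > tee ./mylog.sql      -- start recording console output
-- mysql > source mys.sql
-- mysql > notee;               -- stop recording
--
-- Also export the server config file: my.cnf or my.ini
-- locate it with: find / -name my.cnf
---------------------------------------------------


-- current time
select now();
-- version
select version();


-- all databases
show databases;


-- empty passwords?
-- NOTE: mysql.user.password was removed in 5.7.6 (authentication_string
-- replaced it); on such servers drop the password column from the selects.
use mysql
show tables;

select user, password, authentication_string from user;
select * from db;


-- the host column shows whether logins are restricted by source address
select host, user, password from user;
select host, user from user;


-- some global privileges
select user, Shutdown_priv, Grant_priv, File_priv from user;
-- table-level grants (empty when none were added)
select * from tables_priv;
-- column-level grants
select * from columns_priv;


-- logging
show variables like 'log_%';
show variables like 'log_bin';


-- surplus accounts to remove (review the list)
select host, user from user;


-- timeouts / session lock:
show variables like '%timeout%';

--------------------------------------------------------------------------------
/Oracle/Oracle-审计开启指导书.sql:
--------------------------------------------------------------------------------
https://raw.githubusercontent.com/lis912/Evaluation_tools/e9ea2d378d67bc8c6750869f451a63977231fd06/Oracle/Oracle-审计开启指导书.sql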
-------------------------------------------------------------------------------- /Oracle/oracle_10g.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lis912/Evaluation_tools/e9ea2d378d67bc8c6750869f451a63977231fd06/Oracle/oracle_10g.sql -------------------------------------------------------------------------------- /Oracle/oracle_11g.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lis912/Evaluation_tools/e9ea2d378d67bc8c6750869f451a63977231fd06/Oracle/oracle_11g.sql -------------------------------------------------------------------------------- /Oracle/oracle_12c.sql: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lis912/Evaluation_tools/e9ea2d378d67bc8c6750869f451a63977231fd06/Oracle/oracle_12c.sql -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | ## 等级保护基线检查工具 2 | 3 | 4 | 5 | * Hp-Unix 6 | > * 笔记而已。 7 | * Linux 8 | > * capos_for_linux_v2.6.2.sh 红帽系linux版本测评使用,兼容Red-Hat、CentOS、EulerOS、Asianux、Ubuntu 16、Oracle、Mysql、Postgresql,做了一些小优化,比如添加了运行消息提示,添加了中文注释,Mysql口令输入的检测处理,详细大家看代码吧! 9 | > * suse11.sh Suse linux 11.X 版本测评使用。 10 | > * secure_config.sh 红帽系linux 口令策略,登录失败策略,登录超时整改脚本。 11 | * Windows 12 | > * 该小工具使用golang语言编写,包含多个版本,可生成 txt文档和word测评结果文档,可在测windows终端时使用,存在隐藏未解决的bug。项目源码:https://github.com/lis912/CapOS, 建议使用最新capos_for_windows_v1.4.1. 
13 | * Mysql 14 | > * mysql.sql 5.0以上版本适用,使用方法在该文件开头。 15 | * Oracle 16 | > * oracle_10g.sql…… 使用方法在文件开头有说明。 17 | * Sybase 18 | > * 笔记而已。 19 | 20 | -------------------------------------------------------------------------------- /Sybase/sybase-测评指导书.sql: -------------------------------------------------------------------------------- 1 | 2 | 3 | -- 在unix环境下切换 4 | su - sybase 5 | 6 | 7 | -- 登录:如果环境变量没有isql命令,需要进入相关的bin目录下,servername即主机名 -U 默认sa用户,-P口令 8 | isql -Usa -P -Sservername 9 | 10 | -- 0 查看版本: 11 | 1> select @@version 12 | 13 | -- 例如: 14 | Adaptive Server Enterprise/15.7.0/EBF 19805 SMP ESD#01 /P/x86_64/Enterprise Lin 15 | ux/aseasap/2918/64-bit/FBO/Wed Feb 8 07:50:28 2012 16 | 17 | -- 查看所有的库信息(系统库:master,model,sybsystemdb,sybsystemprocs,tempdb) 18 | 1> sp_helpdb 19 | 2> go 20 | 21 | 22 | -- 进入一个库 23 | use 库名 24 | 25 | -- 显示当前库下所有的表名 26 | select name from sysobjects where type='U' 27 | 或者 28 | sp_tables 29 | 30 | 31 | 32 | -- 1.查看账户状态 33 | 1> sp_helpuser 34 | 2> go 35 | 36 | Users_name ID_in_db Group_name Login_name 37 | --------- --------- --------- --------- 38 | dbo public 1 sa 39 | guest public 2 NULL 40 | probe public 3 probe 41 | 42 | 43 | -- 2.1 口令策略: systemwide password expiration(密码最大有效期天数=90,符合) 44 | 1> sp_configure "systemwide password expiration" 45 | 2> go 46 | 47 | Parameter Name Default Memory Used Config Value Run Value Unit Type 48 | ------------------ --------- --------- --------- --------- --------- --------- 49 | systemwide password expiration 0 0 0 0 days dynamic 50 | 51 | 52 | -- 2.2 口令策略: check password for digit(是否启用检查口令中至少有一位数字字符=1,符合) 53 | 1> sp_configure "check password for digit" 54 | 2> go 55 | 56 | Parameter Name Default Memory Used Config Value Run Value Unit Type 57 | ------------------ --------- --------- --------- --------- --------- --------- 58 | check password for digit 0 0 0 0 switch dynamic 59 | 60 | 61 | -- 2.3 口令策略: minimum password length(最小口令长度=8,符合) 62 | 1> sp_configure "minimum password length" 63 | 2> go 64 | 65 | 
Parameter Name Default Memory Used Config Value Run Value Unit Type 66 | ------------------ --------- --------- --------- --------- --------- --------- 67 | minimum password length 6 6 6 6 bytes dynamic 68 | 69 | 70 | 71 | 72 | -- 3. 登录失败策略: maximum failed logins(最大登录失败允许次数!= 0, 符合) 73 | 1> select name,value from master.dbo.sysconfigures where name='maximum failed logins' 74 | 2> go 75 | 76 | name value 77 | ------- ------- 78 | maximum failed logins 0 79 | 80 | 81 | -- 4. 远程加密设置,查看 status=net password encryption(启用RSA加密算法对网络连接进行加密,符合) 82 | 1> sp_helpserver 83 | 2> go 84 | 85 | 86 | 87 | -- 5.1 登录失败审计,log audit logon failure(登录失败审计=1,启用,符合) 88 | 1> sp_configure "log audit logon failure" 89 | 2> go 90 | 91 | 92 | -- 5.2 登录成功审计,log audit logon success(登录成功审计=1,启用,符合) 93 | 1> sp_configure "log audit logon success" 94 | 2> go 95 | 96 | 97 | -- 5.3 是否使能审计功能,auditing=1,启用,符合 98 | 1> use master 99 | 2> go 100 | 1> sp_configure "auditing" 101 | 2> go 102 | 103 | 104 | -- 5.4 审计配置策略,如果未开启审计,将不存在sybsecurity库,执行sql语句报错。 105 | 1> use sybsecurity 106 | 2> go 107 | -- 如果存在sybsecurity库,查看审计策略,查看是否开启Logins、create、delete、drop等动作行为的审计 108 | 1> sp_displayaudit 109 | 2> go 110 | 111 | 112 | 113 | -- 5.5 查看审计记录表信息,当然如果审计开启了的话,不存在报错。 114 | 1> select * from AuditTable 115 | 2> go 116 | 117 | 118 | -- 5.6 查询审计存储空间,audit queue size(审计内存队列大小>50,默认为100,大约42K) 119 | 1> sp_configure "audit queue size" 120 | 2> go 121 | 122 | 123 | 124 | -------------------------------------------------------------------------------- /windows/CapOSv1.3.1_compress.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lis912/Evaluation_tools/e9ea2d378d67bc8c6750869f451a63977231fd06/windows/CapOSv1.3.1_compress.exe -------------------------------------------------------------------------------- /windows/CapOSv1.3.1_compressx86.exe: -------------------------------------------------------------------------------- 
https://raw.githubusercontent.com/lis912/Evaluation_tools/e9ea2d378d67bc8c6750869f451a63977231fd06/windows/CapOSv1.3.1_compressx86.exe -------------------------------------------------------------------------------- /windows/CapOSv1.3.2_compress.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lis912/Evaluation_tools/e9ea2d378d67bc8c6750869f451a63977231fd06/windows/CapOSv1.3.2_compress.exe -------------------------------------------------------------------------------- /windows/CapOSv1.3.2_compressx86.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lis912/Evaluation_tools/e9ea2d378d67bc8c6750869f451a63977231fd06/windows/CapOSv1.3.2_compressx86.exe -------------------------------------------------------------------------------- /windows/capos_for_windows_64v1.4.1.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lis912/Evaluation_tools/e9ea2d378d67bc8c6750869f451a63977231fd06/windows/capos_for_windows_64v1.4.1.exe -------------------------------------------------------------------------------- /windows/capos_for_windows_v1.4.1.exe: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/lis912/Evaluation_tools/e9ea2d378d67bc8c6750869f451a63977231fd06/windows/capos_for_windows_v1.4.1.exe --------------------------------------------------------------------------------