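#!/bin/bash
# jixianhecha.sh - Linux security-baseline check (version 2.0)
#
# Audits, in this order: password ageing policy (/etc/login.defs), shell
# auto-logout (TMOUT), bootloader passwords (grub/lilo), extra UID-0
# accounts, umask in the shell start-up files, permissions and extended
# attributes of critical files, core-dump limits, sshd root login and
# protocol, telnet, HISTSIZE, default SNMP community names, rhosts trust
# files, auditd status and disk usage.  Every finding is appended to a
# report file; progress banners go to stdout.
#
# Usage:   jixianhecha.sh [ip-address]
# Output:  ${REPORT_FILE:-/tmp/<ip-address>_out.txt}  (mode 0600)
# Run as root: several checks read root-only data (sshd -T, grub.cfg,
# lsattr /etc/shadow) and silently degrade otherwise.
#
# NOTE(review): the head of the original script (its banner heredoc and the
# lines that derived ipadd/passmax/passmin/passlen/passage) was lost in the
# copy this revision was made from.  Those values are rebuilt below from
# the /etc/login.defs keys that match the check messages, and ipadd from
# the host's first address - confirm both against the original.

set -u

out=''   # report file being built; set by main, written by report()

# ------------------------------------------------------------------ helpers

# Append one finding to the report file.
report() {
  printf '%s\n' "$1" >> "$out"
}

# Print a progress banner on stdout.
banner() {
  printf '***************************\n%s\n***************************\n' "$1"
}

# Print the non-comment lines of every readable file given.  Missing or
# unreadable files contribute nothing and are not an error.
conf_lines() {
  local f
  for f in "$@"; do
    [[ -r $f ]] && grep -v '^[[:space:]]*#' -- "$f"
  done
  return 0
}

# True when $1 is a (possibly negative) decimal integer.
is_int() {
  [[ ${1:-} =~ ^-?[0-9]+$ ]]
}

# True when some line on stdin contains $1 as a whole whitespace-separated
# token (any column).
has_word() {
  awk -v w="$1" '{ for (i = 1; i <= NF; i++) if ($i == w) f = 1 } END { exit !f }'
}

# Value of the last active "KEY value" line for KEY in /etc/login.defs
# (empty if absent).
login_def() {
  conf_lines /etc/login.defs | awk -v k="$1" '$1 == k { v = $2 } END { print v }'
}

# Effective sshd option $1 (lower-case keyword), lower-cased.  Prefers
# `sshd -T`, which prints the daemon's resolved configuration; falls back to
# the last global (pre-Match) assignment in sshd_config.
sshd_opt() {
  local v
  v=$(sshd -T 2>/dev/null | awk -v k="$1" '$1 == k { print tolower($2); exit }')
  if [[ -z $v ]]; then
    v=$(conf_lines /etc/ssh/sshd_config \
      | awk -v k="$1" 'tolower($1) == "match" { exit }
                       tolower($1) == k { v = $2 }
                       END { print tolower(v) }')
  fi
  printf '%s\n' "$v"
}

# ------------------------------------------------------------------- checks

check_password_policy() {
  local passmax passmin passlen passage
  passmax=$(login_def PASS_MAX_DAYS)
  passmin=$(login_def PASS_MIN_DAYS)
  passlen=$(login_def PASS_MIN_LEN)
  passage=$(login_def PASS_WARN_AGE)

  # The compliant-branch wording for passmax was in the lost head of the
  # script; it follows the pattern of the other three checks.
  if ! is_int "$passmax"; then
    report "未在/etc/login.defs中读取到PASS_MAX_DAYS,不符合要求,建议设置不大于90天"
  elif (( passmax <= 90 )); then
    report "口令生存周期为${passmax}天,符合要求"
  else
    report "口令生存周期为${passmax}天,不符合要求,建议设置不大于90天"
  fi

  if is_int "$passmin" && (( passmin >= 6 )); then
    report "口令更改最小时间间隔为${passmin}天,符合要求"
  else
    report "口令更改最小时间间隔为${passmin:-未设置}天,不符合要求,建议设置大于等于6天"
  fi

  if is_int "$passlen" && (( passlen >= 8 )); then
    report "口令最小长度为${passlen},符合要求"
  else
    report "口令最小长度为${passlen:-未设置},不符合要求,建议设置最小长度大于等于8"
  fi

  # Warning age must be at least 30 days and shorter than the lifetime.
  if is_int "$passage" && is_int "$passmax" && (( passage >= 30 && passage < passmax )); then
    report "口令过期警告时间天数为${passage},符合要求"
  else
    report "口令过期警告时间天数为${passage:-未设置},不符合要求,建议设置大于等于30并小于口令生存周期"
  fi
}

check_tmout() {
  local tmout
  # Last TMOUT=<n> assignment in the login profile or its drop-ins.  The
  # script's own TMOUT variable is deliberately left alone - it is the
  # shell's idle-timeout knob, not a scratch variable.
  tmout=$(conf_lines /etc/profile /etc/profile.d/*.sh \
    | awk 'match($0, /TMOUT=[0-9]+/) { v = substr($0, RSTART + 6, RLENGTH - 6) }
           END { print v }')
  if is_int "$tmout"; then
    if (( tmout <= 600 && tmout >= 10 )); then
      report "账号超时时间${tmout}秒,符合要求"
    else
      report "账号超时时间${tmout}秒,不符合要求,建议设置小于600秒"
    fi
  else
    report "账号超时不存在自动注销,不符合要求,建议设置小于600秒"
  fi
}

check_bootloader() {
  # Legacy grub keeps its config in /etc/grub.conf; GRUB2 puts the
  # password(_pbkdf2) stanza in grub.cfg, user.cfg or /etc/grub.d/40_custom.
  # Comment lines are excluded so a commented-out example does not pass.
  if conf_lines /etc/grub.conf /boot/grub/grub.cfg /boot/grub2/grub.cfg \
                /boot/grub/user.cfg /boot/grub2/user.cfg /etc/grub.d/40_custom \
     | grep -q password; then
    report "已设置grub密码,符合要求"
  else
    report "没有设置grub密码,不符合要求,建议设置grub密码"
  fi

  # lilo is only judged where it is actually installed.
  if [[ -f /etc/lilo.conf ]]; then
    if conf_lines /etc/lilo.conf | grep -q password; then
      report "已设置lilo密码,符合要求"
    else
      report "没有设置lilo密码,不符合要求,建议设置lilo密码"
    fi
  fi
}

check_uid0() {
  local extra
  # Any account other than "root" with UID 0, wherever it sits in the file
  # (root is not necessarily the first line).
  extra=$(awk -F: '$3 == 0 && $1 != "root" { print $1 }' /etc/passwd)
  if [[ -n $extra ]]; then
    report "存在非root账号的账号UID为0,不符合要求:${extra//$'\n'/,}"
  else
    report "不存在非root账号的账号UID为0,符合要求"
  fi
}

# Every active "umask NNN" in FILE ($1) must be 027 (0027 accepted as the
# same value).  The offending values, not the last one seen, are reported.
check_umask() {
  local file=$1 values bad
  values=$(conf_lines "$file" \
    | awk '{ for (i = 1; i < NF; i++) if ($i == "umask") print $(i + 1) }')
  if [[ -z $values ]]; then
    report "${file}文件中未设置umask,不符合要求,建议设置为027"
    return
  fi
  bad=$(printf '%s\n' "$values" | grep -vx -e 027 -e 0027)
  if [[ -z $bad ]]; then
    report "${file}文件中所设置的umask为${values//$'\n'/,},符合要求"
  else
    report "${file}文件中所设置的umask为${bad//$'\n'/,},不符合要求,建议设置为027"
  fi
}

# FILE ($1) is compliant when its mode grants nothing beyond the octal
# REQUIRED mode ($2): a stricter mode passes, any extra bit - including
# setuid/setgid/sticky - fails.  Checked via stat so an ACL ("+") or SELinux
# (".") suffix in `ls -l` cannot break the comparison; ACL entries themselves
# are outside this check.
check_mode() {
  local file=$1 required=$2 mode
  if [[ ! -e $file ]]; then
    report "${file}文件不存在"
    return
  fi
  mode=$(stat -c %a -- "$file" 2>/dev/null) || return
  if (( (8#$mode & ~8#$required) == 0 )); then
    report "${file}文件权限为${mode},符合要求"
  else
    report "${file}文件权限为${mode},不符合要求,建议设置权限为${required}"
  fi
}

check_file_perms() {
  check_mode /etc/passwd 644
  check_mode /etc/shadow 400
  check_mode /etc/group 644
  check_mode /etc/securetty 600
  check_mode /etc/services 644
  check_mode /etc/xinetd.conf 600
  check_mode /etc/grub.conf 600
  check_mode /etc/lilo.conf 600
}

check_core() {
  local lines
  # limits.conf plus its drop-in directory, which overrides it.  Only a
  # "core" item whose limit is exactly 0 counts; "-" sets soft and hard.
  lines=$(conf_lines /etc/security/limits.conf /etc/security/limits.d/*.conf \
    | awk '$3 == "core"')
  if [[ -z $lines ]]; then
    report "没有设置core,建议在/etc/security/limits.conf中添加* soft core 0和* hard core 0"
    return
  fi
  if printf '%s\n' "$lines" | awk '($2 == "soft" || $2 == "-") && $4 == 0 { f = 1 } END { exit !f }'; then
    report "* soft core 0 已经设置"
  else
    report "* soft core 0 未设置,建议在/etc/security/limits.conf中添加* soft core 0"
  fi
  if printf '%s\n' "$lines" | awk '($2 == "hard" || $2 == "-") && $4 == 0 { f = 1 } END { exit !f }'; then
    report "* hard core 0 已经设置"
  else
    report "* hard core 0 未设置,建议在/etc/security/limits.conf中添加* hard core 0"
  fi
}

check_ssh() {
  local prl proto
  prl=$(sshd_opt permitrootlogin)
  if [[ $prl == no ]]; then
    report "已经设置远程root不能登陆,符合要求"
  else
    report "未设置远程root不能登陆,不符合要求,建议/etc/ssh/sshd_config添加PermitRootLogin no"
  fi

  # "Protocol 2,1" still offers ssh1, so anything mentioning 1 fails.  An
  # absent directive (newer OpenSSH has no Protocol option) reports nothing.
  proto=$(sshd_opt protocol)
  case $proto in
    2)   report "openssh使用ssh2协议,符合要求" ;;
    *1*) report "openssh使用ssh1协议,不符合要求" ;;
  esac
}

check_telnet() {
  local disabled
  if [[ -f /etc/xinetd.d/telnet ]]; then
    # In xinetd "disable = yes" means the service is OFF; only "no" is a
    # finding (the earlier version had this the wrong way round).
    disabled=$(conf_lines /etc/xinetd.d/telnet \
      | awk -F= '$1 ~ /^[[:space:]]*disable[[:space:]]*$/ { gsub(/[[:space:]]/, "", $2); v = $2 }
                 END { print tolower(v) }')
    if [[ $disabled == no ]]; then
      report "检测到telnet服务开启,不符合要求,建议关闭telnet"
    fi
  fi
  # Socket-activated telnet on systemd hosts has no xinetd file at all.
  if command -v systemctl >/dev/null 2>&1 \
     && systemctl is-active --quiet telnet.socket 2>/dev/null; then
    report "检测到telnet服务开启,不符合要求,建议关闭telnet"
  fi
}

check_histsize() {
  local hs
  # Last HISTSIZE=<n> in /etc/profile is the effective one.
  # NOTE(review): the required value 5 is the baseline's; it leaves almost
  # no command history for incident investigation.  Kept unchanged here.
  hs=$(conf_lines /etc/profile \
    | awk 'match($0, /HISTSIZE=[0-9]+/) { v = substr($0, RSTART + 9, RLENGTH - 9) }
           END { print v }')
  if is_int "$hs" && (( hs == 5 )); then
    report "保留历时命令条数为${hs},符合要求"
  else
    report "保留历时命令条数为${hs:-未设置},不符合要求,建议/etc/profile的HISTSIZE设置为5"
  fi
}

# Report whether FILE ($1) carries the immutable (i) or append-only (a)
# attribute.  Only the attribute field of lsattr is inspected, so letters in
# the path cannot match.  Filesystems without attribute support yield an
# empty field and are reported as unprotected, as before.
# NOTE(review): chattr +i on /etc/shadow or /etc/passwd blocks passwd(1),
# useradd(8) etc. for everyone; the recommendation text is the baseline's.
check_attrs() {
  local file=$1 attrs found=0
  [[ -e $file ]] || return
  attrs=$(lsattr "$file" 2>/dev/null | awk '{ print $1 }')
  if [[ $attrs == *i* ]]; then
    report "${file}文件存在i安全属性"
    found=1
  fi
  if [[ $attrs == *a* ]]; then
    report "${file}文件存在a安全属性"
    found=1
  fi
  if (( found == 0 )); then
    report "${file}文件不存在相关安全属性,建议使用chattr +i或chattr +a防止${file}被删除或修改"
  fi
}

check_snmp() {
  if [[ ! -f /etc/snmp/snmpd.conf ]]; then
    echo "snmp服务配置文件不存在,可能没有运行snmp服务"
    return
  fi
  # A community name is a whole token on an active directive, whatever the
  # column ("rocommunity public", "com2sec ... default public", ...).
  if conf_lines /etc/snmp/snmpd.conf | has_word public; then
    report "发现snmp服务存在默认团体名public,不符合要求"
  fi
  if conf_lines /etc/snmp/snmpd.conf | has_word private; then
    report "发现snmp服务存在默认团体名private,不符合要求"
  fi
}

check_rhosts() {
  local f
  # Both .rhosts and hosts.equiv are reported (the earlier version searched
  # for hosts.equiv but never used the result).  Pseudo-filesystems are
  # pruned so the walk stays on real disks; unreadable directories are not
  # findings.
  while IFS= read -r -d '' f; do
    report "找到信任主机关系,请查看${f}文件,请自行判断是否属于正常业务需求,建议删除信任IP"
  done < <(find / \( -path /proc -o -path /sys -o -path /dev -o -path /run \) -prune \
             -o \( -name .rhosts -o -name hosts.equiv \) -type f -print0 2>/dev/null)
}

check_auditd() {
  local rc
  # Status is captured immediately: $? is overwritten by the first test.
  service auditd status >/dev/null 2>&1
  rc=$?
  case $rc in
    0) report "系统日志审核功能已开启,符合要求" ;;
    3) report "系统日志审核功能已关闭,不符合要求,建议service auditd start开启" ;;
    *) report "无法确定系统日志审核功能状态(service auditd status返回${rc}),请人工确认" ;;
  esac
}

check_disk() {
  local mnt pct
  # -P keeps each filesystem on one line (long device names otherwise wrap);
  # -l skips network mounts, which could hang the whole run.  A non-numeric
  # Use% ("-") is ignored.  Threshold is >= 80%, as before.
  while read -r mnt pct; do
    report "警告!磁盘存储容量大于80%,建议扩充磁盘容量或者删除垃圾文件(${mnt} 已用${pct}%)"
  done < <(df -P -l 2>/dev/null \
    | awk 'NR > 1 && $5 ~ /^[0-9]+%$/ { p = $5; sub(/%/, "", p); if (p + 0 >= 80) print $6, p }')
}

# --------------------------------------------------------------------- main

main() {
  local ipadd report_file f

  if (( EUID != 0 )); then
    echo "警告: 未以root身份运行,部分检查结果可能不准确" >&2
  fi

  # Host identity used in the report name: first argument, else the
  # primary address, else the hostname.  Slashes are replaced so the value
  # can never point outside the report directory.
  ipadd=${1:-$(hostname -I 2>/dev/null | awk '{ print $1 }')}
  [[ -n $ipadd ]] || ipadd=$(hostname)
  ipadd=${ipadd//\//_}
  report_file=${REPORT_FILE:-/tmp/${ipadd}_out.txt}

  # The report is built in a private mktemp file (0600, unpredictable name,
  # same directory) and renamed into place at the end.  Appending straight
  # to the fixed /tmp/<ip>_out.txt, as before, let any local user plant a
  # symlink there and have a root run append into an arbitrary file.
  out=$(mktemp "${report_file}.XXXXXX") || { echo "无法创建报告文件 ${report_file}" >&2; exit 1; }
  trap 'rm -f -- "$out"' EXIT

  check_password_policy
  banner "账号是否会主动注销检查中..."
  check_tmout
  check_bootloader
  check_uid0
  for f in /etc/profile /etc/csh.cshrc /etc/bashrc; do
    check_umask "$f"
  done
  banner "检查重要文件权限中..."
  check_file_perms
  check_core
  banner "检查ssh配置文件中..."
  check_ssh
  check_telnet
  check_histsize
  for f in /etc/passwd /etc/shadow /etc/gshadow /etc/group; do
    check_attrs "$f"
  done
  check_snmp
  check_rhosts
  check_auditd
  check_disk
  banner "*** 检查完毕 ***"

  # -T makes mv treat the destination as a plain file, so a planted
  # symlink-to-directory is replaced rather than moved into.  rename(2)
  # replaces a symlink itself, never its target.
  if mv -fT -- "$out" "$report_file"; then
    echo "报告已写入 ${report_file}"
  else
    trap - EXIT
    echo "无法写入 ${report_file},报告保留在 ${out}" >&2
    exit 1
  fi
}

main "$@"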