首页 > 代码库 > 【信息安全系列】Linux主机安全检查
【信息安全系列】Linux主机安全检查
#!/bin/bash ################################################################# ## ## ## It was used for Linux OS Security configuration check ## ## ## ################################################################# ##检查Linux主机是否开启了不必要的服务等;## echo ‘###检查Linux主机是否开启了不必要的服务等;###‘ chkconfig --list|egrep "shell|login|exec|talk|ntalk|imap|pop-2|pop-3|finger|auth|Anancron|Cups|Gpm|Isdn|Kudzu|Pcmcia|Rhnsd|ipop2|ipop3"|grep -w "on" ##检查是否关闭R系列服务(rlogin、rsh、rexec等)## echo ‘###检查是否关闭R系列服务(rlogin、rsh、rexec等)###‘ chkconfig --list|egrep "rexec|rlogin|rsh"|grep -w "on" ##检查用户口令策略是否符合安全要求## echo ‘###检查用户口令策略是否符合安全要求###‘ function Calculate { CREDIT=`cat $FILE|egrep -v "^#|^$"|grep -w "credit"|sed ‘s/^.*credit=//g‘|sed ‘s/\s.*$//g‘` DCREDIT=`cat $FILE|egrep -v "^#|^$"|grep -w "dcredit"|sed ‘s/^.*dcredit=//g‘|sed ‘s/\s.*$//g‘` LCREDIT=`cat $FILE|egrep -v "^#|^$"|grep -w "lcredit"|sed ‘s/^.*lcredit=//g‘|sed ‘s/\s.*$//g‘` UCREDIT=`cat $FILE|egrep -v "^#|^$"|grep -w "ucredit"|sed ‘s/^.*ucredit=//g‘|sed ‘s/\s.*$//g‘` OCREDIT=`cat $FILE|egrep -v "^#|^$"|grep -w "ocredit"|sed ‘s/^.*ocredit=//g‘|sed ‘s/\s.*$//g‘` MINCLASS=`cat $FILE|egrep -v "^#|^$"|grep -w "minclass"|sed ‘s/^.*minclass=//g‘|sed ‘s/\s.*$//g‘` MINLEN=`cat $FILE|grep -v "^#|^$"|grep "minlen"|sed ‘s/^.*minlen=//g‘|sed ‘s/\s.*$//g‘` COUNT=0 for NO in $CREDIT $DCREDIT $LCREDIT $UCREDIT $OCREDIT do if ([[ $NO -lt 0 ]]); then COUNT=`expr $COUNT + 1` fi done if ([[ $MINCLASS -ge 2 ]] && [[ $MINLEN -ge 6 ]]); then echo "check reuslt:true" elif ([[ $COUNT -ge 2 ]] && [[ $MINLEN -ge 6 ]]); then echo "check reuslt:true" else echo "check reuslt:false" fi unset CREDIT DCREDIT LCREDIT UCREDIT OCREDIT MINCLASS MINLEN COUNT } if ([ -f /etc/redhat-release ] &&[ -f /etc/pam.d/system-auth ]); then FILE=/etc/pam.d/system-auth cat $FILE |sed ‘/^#/d‘|sed ‘/^$/d‘ Calculate elif ([ -f /etc/SuSE-release ] && [ -f /etc/pam.d/passwd ]); then FILE=/etc/pam.d/passwd cat $FILE|grep -v ‘^#‘|grep -v ‘^$‘ Calculate fi if [ -f /etc/pam.d/login ]; then cat /etc/pam.d/login |sed ‘/^#/d‘|sed ‘/^$/d‘; fi; if [ -f /etc/pam.d/sshd ]; then cat /etc/pam.d/sshd |sed ‘/^#/d‘|sed ‘/^$/d‘; fi ##检查FTP是否禁止匿名登录## echo ‘###检查FTP是否禁止匿名登录###‘ grep anonymous /etc/ftpusers|grep -v ‘#‘ grep anonymous /etc/vsftpd/vsftpd.conf|grep -v ‘#‘ ##检查SNMP是否修改默认通讯字符串## echo ‘###检查SNMP是否修改默认通讯字符串###‘ chkconfig --list snmpd cat /etc/snmp/snmpd.conf|egrep "public|private"|grep -v ‘#‘ ##检查操作系统帐号是否存在弱口令## echo ‘###检查操作系统帐号是否存在弱口令###‘ cat /etc/shadow ##检查Unix系统是否启用信任主机方式,配置文件是否配置妥当## echo ‘###检查Unix系统是否启用信任主机方式,配置文件是否配置妥当###‘ cat $HOME/.rhosts|grep "++" cat /etc/hosts.equiv|grep "++" ##设备安全事件审计## echo ‘###设备安全事件审计###‘ function Check_SYSLOGD { if [ -f /etc/syslog.conf ]; then SYSLOGCONF=/etc/syslog.conf; else SYSLOGCONF=/etc/rsyslog.conf; fi cat $SYSLOGCONF |sed ‘/^#/d‘|sed ‘/^$/d‘|awk ‘($2!~/*/) && ($2!~/-/) {print $1"\t"$2}‘ } function Check_SYSLOGNG { SYSLOGCONF=/etc/syslog-ng/syslog-ng.conf for FILTER in `cat $SYSLOGCONF |grep "^log"|grep filter|cut -d\; -f2|cut -d\( -f2|cut -d\) -f1|sort|uniq`;do cat $SYSLOGCONF|grep "^filter $FILTER" done for DESTINATION in `cat $SYSLOGCONF |grep "^log"|awk -F\; ‘{print $1"\n"$2"\n"$3}‘|grep destination|cut -d\( -f2|cut -d\) -f1|sort|uniq`;do cat $SYSLOGCONF|grep "^destination $DESTINATION " done cat $SYSLOGCONF |grep "^log" } if [[ `ps -ef|egrep ‘(syslogd|syslog-ng)‘|grep -v "grep"|wc -l` != 0 ]]; then if [[ `grep -sv "^#" /etc/sysconfig/syslog|grep SYSLOG_DAEMON|cut -d\" -f2` = "syslog-ng" ]]; then Check_SYSLOGNG; else Check_SYSLOGD; fi; else echo "syslog is not running"; fi ##检测特定系统自带的与设备运行、维护等工作无关的账号是否被删除或锁定## echo ‘###检测特定系统自带的与设备运行、维护等工作无关的账号是否被删除或锁定###‘ egrep -w "Adm|lp|sync|shutdown|halt|news|uucp|operator|games" /etc/shadow |awk -F: ‘($2!~"!") {print $1":"$2}‘ echo "result="`egrep -w "Adm|lp|sync|shutdown|halt|news|uucp|operator|games" /etc/shadow |awk -F: ‘($2!~"!") {print $1":"$2}‘|wc -l` ##限制密码文件的访问权限## echo ‘###限制密码文件的访问权限###‘ ls -l /etc/passwd /etc/shadow /etc/group | awk ‘{print $1":"$7":"$9}‘ ##检查root是否可以直接登录## echo ‘###检查root是否可以直接登录###‘ SSHSTATUS=`netstat -an |grep ":22\>"|wc -l` if [ x"$SSHSTATUS" != "x0" ]; then if [[ `grep "^PermitRootLogin no" /etc/ssh/sshd_config|wc -l` != 0 ]]; then grep "^PermitRootLogin no" /etc/ssh/sshd_config; echo "This device does not permit root to ssh login,check result:true"; else echo "This device permits root to ssh login,check result:false" ; fi else echo "The ssh service of device is not running,check result:true"; fi TELSTATUS=`netstat -an |grep ":23\>"|wc -l` if [ x"$TELSTATUS" != "x0" ]; then if ([ -f /etc/securetty ] && [ `grep -i "^pts" /etc/securetty|wc -l` = 0 ]); then echo "This device does not permit root to telnet login,check result:true"; else echo "This device permits root to telnet login,check result:false"; fi else echo "The telnet service of device is not running,check result:true" ; fi ##检查SSH安全配置## echo ‘###检查SSH安全配置###‘ grep Protocol /etc/ssh/sshd_config|grep -v ‘^#‘ ##检查终端超时退出时间## echo ‘###检查终端超时退出时间###‘ cat /etc/profile |sed ‘/^#/d‘|sed ‘/^$/d‘|grep -i TMOUT cat /etc/csh.cshrc |sed ‘/^#/d‘|sed ‘/^$/d‘|grep -i autologout ##检查补丁更新情况## echo ‘###检查补丁更新情况###‘ uname -a if [ -f /etc/SuSE-release ]; then cat /etc/SuSE-release; elif [ -f /etc/redhat-release ]; then cat /etc/redhat-release;echo " redhat patch check result:true"; fi
【信息安全系列】Linux主机安全检查
声明:以上内容来自用户投稿及互联网公开渠道收集整理发布,本网站不拥有所有权,未作人工编辑处理,也不承担相关法律责任,若内容有误或涉及侵权可进行投诉: 投诉/举报 工作人员会在5个工作日内联系你,一经查实,本站将立刻删除涉嫌侵权内容。