首页 > 代码库 > 【信息安全系列】Linux主机安全检查

【信息安全系列】Linux主机安全检查

#!/bin/bash

#################################################################
##                                                             ##
##    It was used for Linux OS Security configuration check    ##
##                                                             ##
#################################################################

##检查Linux主机是否开启了不必要的服务等;##    
echo ###检查Linux主机是否开启了不必要的服务等;###
chkconfig --list|egrep "shell|login|exec|talk|ntalk|imap|pop-2|pop-3|finger|auth|Anancron|Cups|Gpm|Isdn|Kudzu|Pcmcia|Rhnsd|ipop2|ipop3"|grep -w "on"
##检查是否关闭R系列服务(rlogin、rsh、rexec等)##    
echo ###检查是否关闭R系列服务(rlogin、rsh、rexec等)###
chkconfig --list|egrep "rexec|rlogin|rsh"|grep -w "on"
##检查用户口令策略是否符合安全要求##    
echo ###检查用户口令策略是否符合安全要求###
function Calculate
{
  CREDIT=`cat $FILE|egrep -v "^#|^$"|grep -w "credit"|sed s/^.*credit=//g|sed s/\s.*$//g`
  DCREDIT=`cat $FILE|egrep -v "^#|^$"|grep -w "dcredit"|sed s/^.*dcredit=//g|sed s/\s.*$//g`
  LCREDIT=`cat $FILE|egrep -v "^#|^$"|grep -w "lcredit"|sed s/^.*lcredit=//g|sed s/\s.*$//g`
  UCREDIT=`cat $FILE|egrep -v "^#|^$"|grep -w "ucredit"|sed s/^.*ucredit=//g|sed s/\s.*$//g`
  OCREDIT=`cat $FILE|egrep -v "^#|^$"|grep -w "ocredit"|sed s/^.*ocredit=//g|sed s/\s.*$//g`
  MINCLASS=`cat $FILE|egrep -v "^#|^$"|grep -w "minclass"|sed s/^.*minclass=//g|sed s/\s.*$//g`
  MINLEN=`cat $FILE|grep -v "^#|^$"|grep "minlen"|sed s/^.*minlen=//g|sed s/\s.*$//g`
  COUNT=0
  for NO in $CREDIT $DCREDIT $LCREDIT $UCREDIT $OCREDIT
  do
     if ([[ $NO -lt 0 ]]);
     then COUNT=`expr $COUNT + 1`
     fi
  done
  if ([[ $MINCLASS -ge 2 ]] && [[ $MINLEN -ge 6 ]]);
     then echo "check reuslt:true"
          elif ([[ $COUNT -ge 2 ]] && [[ $MINLEN -ge 6 ]]);
          then echo "check reuslt:true"
      else echo "check reuslt:false"
  fi
  unset CREDIT DCREDIT LCREDIT UCREDIT OCREDIT MINCLASS MINLEN COUNT
}
if ([ -f /etc/redhat-release ] &&[ -f /etc/pam.d/system-auth ]);
then FILE=/etc/pam.d/system-auth
     cat $FILE |sed /^#/d|sed /^$/d
     Calculate
elif ([ -f /etc/SuSE-release ] && [ -f /etc/pam.d/passwd ]);
then FILE=/etc/pam.d/passwd
     cat $FILE|grep -v ^#|grep -v ^$
     Calculate
fi
if [ -f /etc/pam.d/login ];
then cat /etc/pam.d/login |sed /^#/d|sed /^$/d;
fi;
if [ -f /etc/pam.d/sshd ];
then cat /etc/pam.d/sshd |sed /^#/d|sed /^$/d;
fi
##检查FTP是否禁止匿名登录##   
echo ###检查FTP是否禁止匿名登录###
grep anonymous /etc/ftpusers|grep -v #
grep anonymous /etc/vsftpd/vsftpd.conf|grep -v #
##检查SNMP是否修改默认通讯字符串## 
echo ###检查SNMP是否修改默认通讯字符串###
chkconfig  --list snmpd
cat /etc/snmp/snmpd.conf|egrep "public|private"|grep -v #
##检查操作系统帐号是否存在弱口令##       
echo ###检查操作系统帐号是否存在弱口令###
cat /etc/shadow
##检查Unix系统是否启用信任主机方式,配置文件是否配置妥当##     
echo ###检查Unix系统是否启用信任主机方式,配置文件是否配置妥当###
cat $HOME/.rhosts|grep "++"
cat /etc/hosts.equiv|grep "++"
##设备安全事件审计##    
echo ###设备安全事件审计###
function Check_SYSLOGD
{
if [ -f  /etc/syslog.conf ];
   then SYSLOGCONF=/etc/syslog.conf;
else SYSLOGCONF=/etc/rsyslog.conf;
fi
cat $SYSLOGCONF |sed /^#/d|sed /^$/d|awk ($2!~/*/) && ($2!~/-/) {print $1"\t"$2}
}
function Check_SYSLOGNG
{
SYSLOGCONF=/etc/syslog-ng/syslog-ng.conf
for FILTER in `cat $SYSLOGCONF |grep "^log"|grep filter|cut -d\; -f2|cut -d\( -f2|cut -d\) -f1|sort|uniq`;do
    cat $SYSLOGCONF|grep "^filter $FILTER"
done
for DESTINATION in `cat $SYSLOGCONF |grep "^log"|awk -F\; {print $1"\n"$2"\n"$3}|grep destination|cut -d\( -f2|cut -d\) -f1|sort|uniq`;do
    cat $SYSLOGCONF|grep "^destination $DESTINATION "
done
cat $SYSLOGCONF |grep "^log"
}
if [[ `ps -ef|egrep (syslogd|syslog-ng)|grep -v "grep"|wc -l` != 0 ]];
   then if [[ `grep -sv "^#" /etc/sysconfig/syslog|grep SYSLOG_DAEMON|cut -d\" -f2` = "syslog-ng" ]];
           then Check_SYSLOGNG;
           else Check_SYSLOGD;
        fi;
   else echo "syslog is not running";
fi      
##检测特定系统自带的与设备运行、维护等工作无关的账号是否被删除或锁定## 
echo ###检测特定系统自带的与设备运行、维护等工作无关的账号是否被删除或锁定###
egrep -w "Adm|lp|sync|shutdown|halt|news|uucp|operator|games" /etc/shadow |awk -F: ($2!~"!") {print $1":"$2}
echo "result="`egrep -w "Adm|lp|sync|shutdown|halt|news|uucp|operator|games" /etc/shadow |awk -F: ($2!~"!") {print $1":"$2}|wc -l`
##限制密码文件的访问权限##   
echo ###限制密码文件的访问权限###
        ls -l /etc/passwd /etc/shadow /etc/group | awk {print $1":"$7":"$9}
##检查root是否可以直接登录##  
echo ###检查root是否可以直接登录###
SSHSTATUS=`netstat -an |grep ":22\>"|wc -l`
if [ x"$SSHSTATUS" != "x0" ];
then  if [[ `grep "^PermitRootLogin no" /etc/ssh/sshd_config|wc -l` != 0 ]];
      then  grep "^PermitRootLogin no" /etc/ssh/sshd_config;
            echo "This device does not permit root to ssh login,check result:true";
      else  echo "This device permits root  to ssh login,check result:false" ;
      fi
else  echo "The ssh service of device is not running,check result:true";
fi
TELSTATUS=`netstat -an |grep ":23\>"|wc -l`
if [ x"$TELSTATUS" != "x0" ];
then  if ([ -f /etc/securetty ] && [ `grep -i "^pts" /etc/securetty|wc -l` = 0  ]);
       then  echo "This device does not permit root to telnet login,check result:true";
       else  echo "This device permits root to telnet login,check result:false";
      fi
else  echo "The telnet service of device is not running,check result:true" ;
fi
##检查SSH安全配置##       
echo ###检查SSH安全配置###
        grep Protocol /etc/ssh/sshd_config|grep -v ^#
##检查终端超时退出时间##      
echo ###检查终端超时退出时间###
cat /etc/profile |sed /^#/d|sed /^$/d|grep -i TMOUT
cat /etc/csh.cshrc |sed /^#/d|sed /^$/d|grep -i autologout
##检查补丁更新情况##    
echo ###检查补丁更新情况###
uname -a
if [ -f /etc/SuSE-release ];
    then cat /etc/SuSE-release;
       elif [ -f /etc/redhat-release ];
          then cat /etc/redhat-release;echo " redhat patch check result:true";
fi

【信息安全系列】Linux主机安全检查