-
Notifications
You must be signed in to change notification settings - Fork 0
/
baseline-check.sh
450 lines (377 loc) · 15.3 KB
/
baseline-check.sh
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
#!/bin/bash
#vesion 1.1
#author by Tkid3
time=`date +'%Y-%m-%d'`
ipadd=`ip a | grep /24 |awk {'print $2'}|sed 's/\/24//'`
Result=/tmp/${ipadd}_${time}_checkResult.txt
cat <<EOF
*************************************************************************************
*****
___ __ ___ ___ __ __ _ _ ___ __ _ _ ___ __ _ _
( ,) ( ) / __)( _)( ) ( )( \( )( _) / _)( )( )( _) / _)( ) )
) ,\ /__\ \__ \ ) _) )(__ )( ) ( ) _) ( (_ )__( ) _)( (_ ) \
(___/(_)(_)(___/(___)(____)(__)(_)\_)(___) \__)(_)(_)(___) \__)(_)\_)
***** Centos7基线检查脚本
***** Author(Tkid3)
*****
***** 输出结果: ${Result}
*************************************************************************************
EOF
echo "IP: ${ipadd}" >> ${Result}
user_id=`whoami`
echo "当前扫描用户:${user_id}" >> ${Result}
scanner_time=`date '+%Y-%m-%d %H:%M:%S'`
echo "当前扫描时间:${scanner_time}" >> ${Result}
uname=`uname -a`
echo "系统版本情况${uname}" >> ${Result}
echo "1.账号策略检查中..."
echo "***************************"
#项目:帐号与口令-用户口令设置
#合格:Y;不合格:N
passmax=`cat /etc/login.defs | grep PASS_MAX_DAYS | grep -v ^# | awk '{print $2}'`
passmin=`cat /etc/login.defs | grep PASS_MIN_DAYS | grep -v ^# | awk '{print $2}'`
passlen=`cat /etc/login.defs | grep PASS_MIN_LEN | grep -v ^# | awk '{print $2}'`
passage=`cat /etc/login.defs | grep PASS_WARN_AGE | grep -v ^# | awk '{print $2}'`
echo "1.账号策略检查:" >> ${Result}
if [ $passmax -le 90 -a $passmax -gt 0 ];then
echo "Y:口令生存周期为${passmax}天,符合要求" >> ${Result}
else
echo "N:口令生存周期为${passmax}天,不符合要求,建议设置不大于90天" >> ${Result}
fi
if [ $passmin -ge 6 ];then
echo "Y:口令更改最小时间间隔为${passmin}天,符合要求" >> ${Result}
else
echo "N:口令更改最小时间间隔为${passmin}天,不符合要求,建议设置大于等于6天" >> ${Result}
fi
if [ $passlen -ge 8 ];then
echo "Y:口令最小长度为${passlen},符合要求" >> ${Result}
else
echo "N:口令最小长度为${passlen},不符合要求,建议设置最小长度大于等于8" >> ${Result}
fi
if [ $passage -ge 30 -a $passage -lt $passmax ];then
echo "Y:口令过期警告时间天数为${passage},符合要求" >> ${Result}
else
echo "N:口令过期警告时间天数为${passage},不符合要求,建议设置大于等于30并小于口令生存周期" >> ${Result}
fi
echo "2.账号是否会主动注销检查中..."
echo "***************************"
echo "2.账号是否会主动注销检查:" >> ${Result}
profileTimeout=$(cat /etc/profile | grep TMOUT | awk -F[=] '{print $2}')
if [ ${user_id} = "root" ];then
user_file="/root"
else
user_file="/home/${user_id}"
fi
bashrcTimeout=$(cat ${user_file}/.bashrc | grep TMOUT | awk -F[=] '{print $2}' 2>/dev/null)
bash_profileTimeout=$(cat ${user_file}/.bash_profile | grep TMOUT | awk -F[=] '{print $2}' 2>/dev/null)
if [[ ${profileTimeout} -ne 0 ]] && [[ ${bashrcTimeout} -ne 0 ]] && [[ ${bash_profileTimeout} -ne 0 ]];then
TMOUT=`cat /etc/profile | grep TMOUT | awk -F[=] '{print $2}'`
if [ $TMOUT -le 600 -a $TMOUT -ge 10 ];then
echo "Y:账号超时时间${TMOUT}秒,符合要求" >> ${Result}
else
echo "N:账号超时时间${TMOUT}秒,不符合要求,建议设置小于600秒" >> ${Result}
fi
else
echo "N:账号超时不存在自动注销,不符合要求,建议设置小于600秒" >> ${Result}
fi
#项目:帐号与口令-root用户远程登录限制
#合格:Y;不合格:N
echo "3.ssh配置检查中..."
echo "***************************"
echo "3.ssh配置检查:" >> ${Result}
remoteLogin=`cat /etc/ssh/sshd_config | grep -v ^# |grep "PermitRootLogin no"`
if [ $? -eq 0 ];then
echo "Y:已经设置远程root不能登陆,符合要求" >> ${Result}
else
echo "N:已经设置远程root能登陆,不符合要求,建议/etc/ssh/sshd_config添加PermitRootLogin no" >> ${Result}
fi
alivetime=`cat /etc/ssh/sshd_config | grep -v ^# | grep ClientAliveInterval`
if [ $? -eq 0 ];then
echo "Y:已经设置闲置会话自动断开,符合要求" >> ${Result}
else
echo "N:未设置客户端闲置会话自动断开,不符合要求,建议/etc/ssh/sshd_config添加ClientAliveInterval 600" >> ${Result}
fi
Protocol2=`cat /etc/ssh/sshd_config | grep -v ^# | grep "Protocol 2"`
if [ $? -eq 0 ];then
echo "Y:仅支持SSH-2协议,符合要求" >> ${Result}
else
echo "N:支持SSH-1协议,不符合要求。建议/etc/ssh/sshd_config添加Protocol 2" >> ${Result}
fi
alivecountMax=`cat /etc/ssh/sshd_config | grep -v ^# | grep ClientAliveCountMax`
if [ $? -eq 0 ];then
echo "Y:已经设置最大连接数,符合要求" >> ${Result}
else
echo "N:未设置最大连接数,不符合要求,建议/etc/ssh/sshd_config添加ClientAliveCountMax 3" >> ${Result}
fi
#项目:帐号与口令-检查是否存在除root之外UID为0的用户
#合格:Y;不合格:N
#查找非root账号UID为0的账号
echo "4.是否存在除root之外UID为0的用户..."
echo "***************************"
echo "4.是否存在除root之外UID为0的用户:" >> ${Result}
UIDS=`awk -F[:] 'NR!=1{print $3}' /etc/passwd`
flag=0
for i in $UIDS
do
if [ $i = 0 ];then
echo "N:存在非root账号的账号UID为0,不符合要求" >> ${Result}
else
flag=1
fi
done
if [ $flag = 1 ];then
echo "Y:不存在非root账号的账号UID为0,符合要求" >> ${Result}
fi
#项目:帐号与口令-检查telnet服务是否开启
#合格:Y;不合格:N
#检查telnet是否开启
echo "5.检查telnet服务是否开启..."
echo "***************************"
echo "5.检查telnet服务是否开启:" >> ${Result}
telnetd=`ps -ef|grep telnet|grep -v grep`
if [ $telnetd ]; then
echo "N:检测到telnet服务开启,不符合要求,建议关闭telnet" >> ${Result}
else
echo "Y:检测到telnet服务未开启,符合要求" >> ${Result}
fi
#项目:帐号与口令-root用户环境变量的安全性
#合格:Y;不合格:N
#检查目录权限是否为777
echo "6.root用户环境变量的安全性..."
echo "***************************"
echo "6.root用户环境变量的安全性:" >> ${Result}
dirPri=$(find $(echo $PATH | tr ':' ' ') -type d \( -perm -0777 \) 2> /dev/null)
if [ -z "$dirPri" ]
then
echo "Y:目录权限无777的,符合要求" >> ${Result}
else
echo "N:文件${dirPri}目录权限为777的,不符合要求。" >> ${Result}
fi
#项目:帐号与口令-远程连接的安全性配置
#合格:Y;不合格:N
echo "7.远程连接的安全性配置..."
echo "***************************"
echo "7.远程连接的安全性配置:" >> ${Result}
fileNetrc=`find /home /root -xdev -mount -name .netrc -print 2> /dev/null`
if [ -z "${fileNetrc}" ];then
echo "Y:不存在.netrc文件,符合要求" >> ${Result}
else
echo "N:存在.netrc文件,不符合要求" >> ${Result}
fi
fileRhosts=`find /home /root -xdev -mount -name .rhosts -print 2> /dev/null`
if [ -z "$fileRhosts" ];then
echo "Y:不存在.rhosts文件,符合要求" >> ${Result}
else
echo "N:存在.rhosts文件,不符合要求" >> ${Result}
fi
#项目:帐号与口令-用户的umask安全配置
#合格:Y;不合格:N
#检查umask设置
echo "8.用户的umask安全配置..."
echo "***************************"
echo "8.用户的umask安全配置:" >> ${Result}
umask1=`cat /etc/profile | grep umask | grep -v ^# | awk '{print $2}'`
umask2=`cat /etc/csh.cshrc | grep umask | grep -v ^# | awk '{print $2}'`
umask3=`cat /etc/bashrc | grep umask | grep -v ^# | awk 'NR!=1{print $2}'`
flags=0
for i in $umask1
do
if [ $i != "027" ];then
echo "N:/etc/profile文件中所所设置的umask为${i},不符合要求,建议设置为027" >> ${Result}
flags=1
break
fi
done
if [ $flags == 0 ];then
echo "Y:/etc/profile文件中所设置的umask为${i},符合要求" >> ${Result}
fi
flags=0
for i in $umask2
do
if [ $i != "027" ];then
echo "N:/etc/csh.cshrc文件中所所设置的umask为${i},不符合要求,建议设置为027" >> ${Result}
flags=1
break
fi
done
if [ $flags == 0 ];then
echo "Y:/etc/csh.cshrc文件中所设置的umask为${i},符合要求" >> ${Result}
fi
flags=0
for i in $umask3
do
if [ $i != "027" ];then
echo "N:/etc/bashrc文件中所设置的umask为${i},不符合要求,建议设置为027" >> ${Result}
flags=1
break
fi
done
if [ $flags == 0 ];then
echo "Y:/etc/bashrc文件中所设置的umask为${i},符合要求" >> ${Result}
fi
#项目:文件系统-重要目录和文件的权限设置
#合格:Y;不合格:N
echo "9.重要目录和文件的权限设置:" >> ${Result}
echo "9.检查重要文件权限中..."
echo "***************************"
file1=`ls -l /etc/passwd | awk '{print $1}'`
file2=`ls -l /etc/shadow | awk '{print $1}'`
file3=`ls -l /etc/group | awk '{print $1}'`
file4=`ls -l /etc/securetty | awk '{print $1}'`
file5=`ls -l /etc/services | awk '{print $1}'`
#检测文件权限为400的文件
if [ $file2 = "-r--------" ];then
echo "Y:/etc/shadow文件权限为400,符合要求" >> ${Result}
else
echo "N:/etc/shadow文件权限不为400,不符合要求,建议设置权限为400" >> ${Result}
fi
#检测文件权限为600的文件
if [ $file4 = "-rw-------" ];then
echo "Y:/etc/security文件权限为600,符合要求" >> ${Result}
else
echo "N:/etc/security文件权限不为600,不符合要求,建议设置权限为600" >> ${Result}
fi
#检测文件权限为644的文件
if [ $file1 = "-rw-r--r--" ];then
echo "Y:/etc/passwd文件权限为644,符合要求" >> ${Result}
else
echo "N:/etc/passwd文件权限不为644,不符合要求,建议设置权限为644" >> ${Result}
fi
if [ $file5 = "-rw-r--r--" ];then
echo "Y:/etc/services文件权限为644,符合要求" >> ${Result}
else
echo "N:/etc/services文件权限不为644,不符合要求,建议设置权限为644" >> ${Result}
fi
if [ $file3 = "-rw-r--r--" ];then
echo "Y:/etc/group文件权限为644,符合要求" >> ${Result}
else
echo "N:/etc/group文件权限不为644,不符合要求,建议设置权限为644" >> ${Result}
fi
#项目:文件系统-查找未授权的SUID/SGID文件
#合格:Y;不合格:N
echo "10.查找未授权的SUID/SGID文件中..."
echo "***************************"
echo "10.查找未授权的SUID/SGID文件:" >> ${Result}
unauthorizedfile=`find /usr /var \( -perm -04000 -o -perm -02000 \) -type f 2>/dev/null`
echo "C:文件${unauthorizedfile}设置了SUID/SGID,请检查是否授权" >> ${Result}
#项目:文件系统-检查任何人都有写权限的目录
#合格:Y;不合格:N;检查:C
echo "11.检查任何人都有写权限的目录中..."
echo "***************************"
echo "11.检查任何人都有写权限的目录:" >> ${Result}
checkWriteDre=$(find /usr /var -xdev -mount -type d \( -perm -0002 -a ! -perm -1000 \) 2> /dev/null)
if [ -z "${checkWriteDre}" ];then
echo "Y:不存在任何人都有写权限的目录,符合要求" >> ${Result}
else
echo "N:${checkWriteDre}目录任何人都可以写,不符合要求" >> ${Result}
fi
#项目:文件系统-检查任何人都有写权限的文件
#合格:Y;不合格:N;检查:C
echo "12.检查任何人都有写权限的文件..."
echo "***************************"
echo "12.检查任何人都有写权限的文件:" >> ${Result}
checkWriteFile=$(find /usr /var /home /root -xdev -mount -type f \( -perm -0002 -a ! -perm -1000 \) 2> /dev/null)
if [ -z "${checkWriteFile}" ];then
echo "Y:不存在任何人都有写权限的文件,符合要求" >> ${Result}
else
echo "N:${checkWriteFile}文件任何人都可以写,不符合要求" >> ${Result}
fi
#项目:文件系统-检查异常隐含文件
#合格:Y;不合格:N;检查:C
echo "13.检查异常隐含文件中..."
echo "***************************"
echo "13.检查异常隐含文件:" >> ${Result}
hideFile=$(find /usr /var -xdev -mount \( -name "..*" -o -name "...*" \) 2> /dev/null)
if [ -z "${hideFile}" ];then
echo "Y:不存在异常文件,符合要求" >> ${Result}
else
echo "N:${hideFile}是异常文件,建议审视" >> ${Result}
fi
#项目:日志审计-syslog登录事件记录
#合格:Y;不合格:N;检查:C
echo "14.syslog登录事件记录中..."
echo "***************************"
echo "14.syslog登录事件记录:" >> ${Result}
if [ -e /etc/syslog.conf ];then
logFile=$(cat /etc/syslog.conf | grep -V ^# | grep authpriv.*)
if [ ! -z "${logFile}" ];then
echo "Y:存在保存authpirv的日志文件" >> ${Result}
else
echo "N:不存在保存authpirv的日志文件" >> ${Result}
fi
else
echo "N:不存在/etc/syslog.conf文件,建议对所有登录事件都记录" >> ${Result}
fi
#项目:系统文件-检查日志审核功能是否开启
#合格:Y;不合格:N;检查:C
echo "15.检查日志审核功能是否开启中..."
echo "***************************"
echo "15.检查日志审核功能是否开启:" >> ${Result}
auditdStatus=$(service auditd status 2> /dev/null)
if [ $? = 0 ];then
echo "Y:系统日志审核功能已开启,符合要求" >> ${Result}
fi
if [ $? = 3 ];then
echo "N:系统日志审核功能已关闭,不符合要求,建议service auditd start开启" >> ${Result}
fi
#项目:系统文件-系统core dump状态
#合格:Y;不合格:N;检查:C
echo "16.检查系统core dump状态中..."
echo "***************************"
echo "16.系统core dump状态:" >> ${Result}
limitsFile=$(cat /etc/security/limits.conf | grep -V ^# | grep core)
if [ $? -eq 0 ];then
soft=`cat /etc/security/limits.conf | grep -V ^# | grep core | awk {print $2}`
for i in $soft
do
if [ "$i"x = "soft"x ];then
echo "Y:* soft core 0 已经设置" >> ${Result}
fi
if [ "$i"x = "hard"x ];then
echo "Y:* hard core 0 已经设置" >> ${Result}
fi
done
else
echo "N:没有设置core,建议在/etc/security/limits.conf中添加* soft core 0和* hard core 0" >> ${Result}
fi
echo "17.检查系统日志读写权限中..."
echo "***************************"
#项目:系统文件-日志文件权限
#合格:Y;不合格:N;检查:C
echo "17.检查系统日志读写权限:" >> ${Result}
if [ -e /var/log/messages ];then
MESSAGES=`ls -l /var/log/messages | awk '{print $1}'`
echo "C:/var/log/messages的文件权限为:${MESSAGES:1:9}" >> ${Result}
else
echo "未找到/var/log/messages的文件" >> ${Result}
fi
if [ -e /var/log/secure ];then
SECURE=`ls -l /var/log/secure | awk '{print $1}'`
echo "C:/var/log/secure 的文件权限为:${SECURE:1:9}" >> ${Result}
else
echo "未找到/var/log/secure的文件" >> ${Result}
fi
if [ -e /var/log/maillog ];then
MAILLOG=`ls -l /var/log/maillog | awk '{print $1}'`
echo "C:/var/log/maillog 的文件权限为:${MAILLOG:1:9}" >> ${Result}
else
echo "未找到/var/log/maillog的文件" >> ${Result}
fi
if [ -e /var/log/cron ];then
CRON=`ls -l /var/log/cron | awk '{print $1}'`
echo "C:/var/log/cron 的文件权限为:${CRON:1:9}" >> ${Result}
else
echo "未找到/var/log/cron的文件" >> ${Result}
fi
if [ -e /var/log/spooler ];then
SPOOLER=`ls -l /var/log/spooler | awk '{print $1}'`
echo "C:/var/log/spooler 的文件权限为:${SPOOLER:1:9}" >> ${Result}
else
echo "未找到/var/log/spooler的文件" >> ${Result}
fi
if [ -e /var/log/boot/log ];then
LOG=`ls -l /var/log/boot/log | awk '{print $1}'`
echo "C:/var/log/boot/log 的文件权限为:${LOG:1:9}" >> ${Result}
else
echo "未找到/var/log/boot/log的文件" >> ${Result}
fi