对linux系统进行安全检查的方法
1、充分利用Linux和Unix系统中内置的检查命令来检测系统。例如,下面的几个命令在
Linux和Unix系统中就很有用处:
-who,查看谁登陆到系统中;
-w,查看谁登陆到系统中,且在做什么操作;
-last,显示系统曾经被登陆的用户和TTYS;
-history,显示系统过去被运行的命令;
-netstat,可以查看现在的网络状态;
-top,动态实时察看系统的进程;
-finger,查看所有的登陆用户。
2、定期检查系统中的日志、文件、时间和进程信息。如:
-检查/var/log/messages日志文件查看外部用户的登陆状况;
-检查用户目录下/home/username下的登陆历史文件(如:.history 文件);
-检查用户目录下/home/username的.rhosts、.forward远程登陆文件;
-用“find / -ctime -2 -ctime +1 -ls”命令来查看不到两天以内修改的一些文件;
-用“ls -lac”命令去查看文件真正的修改时间;
-用“cmp file1 file2”命令来比较文件大小的变化;
3,CPU 查看方式
//查看系统cpu使用情况
top
//查看所有cpu核信息
mpstat -P ALL 1
//查看cpu使用情况以及平均负载
vmstat 1
//进程cpu的统计信息
pidstat -u 1 -p pid
//跟踪进程内部函数级cpu使用情况
perf top -p pid -e cpu-clock
4,MEM 查看方式
//查看系统内存使用情况
free -m
//虚拟内存统计信息
vmstat 1
//查看系统内存情况
top
//1s采集周期,获取内存的统计信息
pidstat -p pid -r 1
//查看进程的内存映像信息
pmap -d pid
//检测程序内存问题
valgrind --tool=memcheck --leak-check=full --log-file=./log.txt ./程序名
5,磁盘方式
//查看系统io信息
iotop
//统计io详细信息
iostat -d -x -k 1 10
//查看进程级io的信息
pidstat -d 1 -p pid
//查看系统IO的请求,比如可以在发现系统IO异常时,可以使用该命令进行调查,就能指定到底是什么原因导致的IO异常
perf record -e block:block_rq_issue -ag
^C
perf report
6,网络方式
//显示网络统计信息
netstat -s
//显示当前UDP连接状况
netstat -nu
//显示UDP端口号的使用情况
netstat -apu
//统计机器中网络连接各个状态个数
netstat -a | awk \\'/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}\\'
7,系统负载方式
//查看负载情况
uptime
top
vmstat
//统计系统调用耗时情况
strace -c -p pid
//跟踪指定的系统操作例如epoll_wait
strace -T -e epoll_wait -p pid
//查看内核日志信息
dmesg
//显示TCP连接
ss -t -a
//显示sockets摘要信息
ss -s
//显示所有udp sockets
ss -u -a
//tcp,etcp状态
sar -n TCP,ETCP 1
//查看网络IO
sar -n DEV 1
//抓包以包为单位进行输出
tcpdump -i eth1 host 192.168.1.1 and port 80
//抓包以流为单位显示数据内容
tcpflow -cp host 192.168.1.1
8,分析系统
TOP
perf top -p pid
检查脚本.sh
#!/bin/bash
echo "Version:1.3"
echo "Author:飞鸟"
echo "Mail:[email protected]"
cat ${danger_file}
mkdir $check_file
echo "" >> $danger_file
mkdir $log_file
cd $check_file
if [ $(whoami) != "root" ];then
echo "安全检查必须使用root账号,否则某些项无法检查"
exit 1
fi
saveresult="tee -a checkresult.txt"
echo "[0.1]正在检查IP地址....." && "$saveresult"
echo -------------0.IP及版本-------------------
echo -------------0.1IP地址-------------------
echo "[0.1]正在检查IP地址....." | $saveresult
ip=$(ifconfig -a | grep -w inet | awk '{print $2}')
if [ -n "$ip" ];then
(echo "[*]本机IP地址信息:" && echo "$ip") | $saveresult
else
echo "[!!!]本机未配置IP地址" | $saveresult
fi
printf "\n" | $saveresult
echo -------------0.2版本信息------------------
echo "[0.2.1]正在检查系统内核版本....." | $saveresult
corever=$(uname -a)
if [ -n "$corever" ];then
(echo "[*]系统内核版本信息:" && echo "$corever") | $saveresult
else
echo "[!!!]未发现内核版本信息" | $saveresult
fi
printf "\n" | $saveresult
echo "[0.2.2]正在检查系统发行版本....." | $saveresult
systemver=$(cat /etc/redhat-release)
if [ -n "$systemver" ];then
(echo "[*]系统发行版本:" && echo "$systemver") | $saveresult
else
echo "[!!!]未发现发行版本信息" | $saveresult
fi
printf "\n" | $saveresult
echo -------------0.3 ARP------------------
echo -------------0.3.1 ARP表项-------------
echo "[0.3.1]正在查看ARP表项....." | $saveresult
arp=$(arp -a -n)
if [ -n "$arp" ];then
(echo "[*]ARP表项如下:" && echo "$arp") | $saveresult
else
echo "[未发现arp表]" | $saveresult
fi
printf "\n" | $saveresult
echo -------------0.3.2 ARP攻击-------------
echo "[0.3.2]正在检测是否存在ARP攻击....." | $saveresult
arpattack=$(arp -a -n | awk '{++S[$4]} END {for(a in S) {if($2>1) print $2,a,S[a]}}')
if [ -n "$arpattack" ];then
(echo "[!!!]发现存在ARP攻击:" && echo "$arpattack") | tee -a $danger_file | $saveresult
else
echo "[*]未发现ARP攻击" | $saveresult
fi
printf "\n" | $saveresult
echo ------------1.查看端口情况-----------------
echo -------------1.1 查看开放端口--------------
echo -------------1.1.1 查看TCP开放端口--------------
#TCP或UDP端口绑定在0.0.0.0、127.0.0.1、192.168.1.1这种IP上只表示这些端口开放
#只有绑定在0.0.0.0上局域网才可以访问
echo "[1.1.1]正在检查TCP开放端口....." | $saveresult
listenport=$(netstat -anltp | grep LISTEN | awk '{print $4,$7}' | sed 's/:/ /g' | awk '{print $2,$3}' | sed 's/\// /g' | awk '{printf "%-20s%-10s\n",$1,$NF}' | sort -n | uniq)
if [ -n "$listenport" ];then
(echo "[*]该服务器开放TCP端口以及对应的服务:" && echo "$listenport") | $saveresult
else
echo "[!!!]系统未开放TCP端口" | $saveresult
fi
printf "\n" | $saveresult
accessport=$(netstat -anltp | grep LISTEN | awk '{print $4,$7}' | egrep "(0.0.0.0|:::)" | sed 's/:/ /g' | awk '{print $(NF-1),$NF}' | sed 's/\// /g' | awk '{printf "%-20s%-10s\n",$1,$NF}' | sort -n | uniq)
if [ -n "$accessport" ];then
(echo "[!!!]以下TCP端口面向局域网或互联网开放,请注意!" && echo "$accessport") | $saveresult
else
echo "[*]端口未面向局域网或互联网开放" | $saveresult
fi
printf "\n" | $saveresult
echo -------------1.1.2 查看UDP开放端口--------------
echo "[1.1.2]正在检查UDP开放端口....." | $saveresult
udpopen=$(netstat -anlup | awk '{print $4,$NF}' | grep : | sed 's/:/ /g' | awk '{print $2,$3}' | sed 's/\// /g' | awk '{printf "%-20s%-10s\n",$1,$NF}' | sort -n | uniq)
if [ -n "$udpopen" ];then
(echo "[*]该服务器开放UDP端口以及对应的服务:" && echo "$udpopen") | $saveresult
else
echo "[!!!]系统未开放UDP端口" | $saveresult
fi
printf "\n" | $saveresult
udpports=$(netstat -anlup | awk '{print $4}' | egrep "(0.0.0.0|:::)" | awk -F: '{print $NF}' | sort -n | uniq)
if [ -n "$udpports" ];then
echo "[*]以下UDP端口面向局域网或互联网开放:" | $saveresult
for port in $udpports
do
nc -uz 127.0.0.1 $port
if [ $? -eq 0 ];then
echo $port | $saveresult
fi
done
else
echo "[*]未发现在UDP端口面向局域网或互联网开放." | $saveresult
fi
printf "\n" | $saveresult
echo -------------1.2 TCP高危端口--------------
echo "[1.2]正在检查TCP高危端口....." | $saveresult
tcpport=`netstat -anlpt | awk '{print $4}' | awk -F: '{print $NF}' | sort | uniq | grep '[0-9].*'`
count=0
if [ -n "$tcpport" ];then
for port in $tcpport
do
for i in `cat /tmp/dangerstcpports.dat`
do
tcpport=`echo $i | awk -F "[:]" '{print $1}'`
desc=`echo $i | awk -F "[:]" '{print $2}'`
process=`echo $i | awk -F "[:]" '{print $3}'`
if [ $tcpport == $port ];then
echo "$tcpport,$desc,$process" | tee -a $danger_file | $saveresult
count=count+1
fi
done
done
fi
if [ $count = 0 ];then
echo "[*]未发现TCP危险端口" | $saveresult
else
echo "[!!!]请人工对TCP危险端口进行关联分析与确认" | $saveresult
fi
printf "\n" | $saveresult
echo -------------1.3 UDP高危端口--------------
echo "[1.3]正在检查UDP高危端口....."
udpport=`netstat -anlpu | awk '{print $4}' | awk -F: '{print $NF}' | sort | uniq | grep '[0-9].*'`
count=0
if [ -n "$udpport" ];then
for port in $udpport
do
for i in `cat /tmp/dangersudpports.dat`
do
udpport=`echo $i | awk -F "[:]" '{print $1}'`
desc=`echo $i | awk -F "[:]" '{print $2}'`
process=`echo $i | awk -F "[:]" '{print $3}'`
if [ $udpport == $port ];then
echo "$udpport,$desc,$process" | tee -a $danger_file | $saveresult
count=count+1
fi
done
done
fi
if [ $count = 0 ];then
echo "[*]未发现UDP危险端口" | $saveresult
else
echo "[!!!]请人工对UDP危险端口进行关联分析与确认"
fi
printf "\n" | $saveresult
echo ------------2.网络连接---------------------
echo "[2.1]正在检查网络连接情况....." | $saveresult
netstat=$(netstat -anlp | grep ESTABLISHED)
netstatnum=$(netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}')
if [ -n "$netstat" ];then
(echo "[*]网络连接情况:" && echo "$netstat") | $saveresult
if [ -n "$netstatnum" ];then
(echo "[*]各个状态的数量如下:" && echo "$netstatnum") | $saveresult
fi
else
echo "[*]未发现网络连接" | $saveresult
fi
printf "\n" | $saveresult
echo -------------3.网卡模式---------------------
echo "[3.1]正在检查网卡模式....." | $saveresult
ifconfigmode=$(ifconfig -a | grep flags | awk -F '[: = ]' '{print "网卡:",$1,"模式:",$5}')
if [ -n "$ifconfigmode" ];then
(echo "网卡工作模式如下:" && echo "$ifconfigmode") | $saveresult
else
echo "[*]未找到网卡模式相关信息,请人工分析" | $saveresult
fi
printf "\n" | $saveresult
echo "[3.2]正在分析是否有网卡处于混杂模式....." | $saveresult
Promisc=`ifconfig | grep PROMISC | gawk -F: '{ print $1}'`
if [ -n "$Promisc" ];then
(echo "[!!!]网卡处于混杂模式:" && echo "$Promisc") | tee -a $danger_file | $saveresult
else
echo "[*]未发现网卡处于混杂模式" | $saveresult
fi
printf "\n" | $saveresult
echo "[3.3]正在分析是否有网卡处于监听模式....." | $saveresult
Monitor=`ifconfig | grep -E "Mode:Monitor" | gawk -F: '{ print $1}'`
if [ -n "$Monitor" ];then
(echo "[!!!]网卡处于监听模式:" && echo "$Monitor") | tee -a $danger_file | $saveresult
else
echo "[*]未发现网卡处于监听模式" | $saveresult
fi
printf "\n" | $saveresult
echo -------------4.启动项-----------------------
echo -------------4.1 用户自定义启动项-----------------------
echo "[4.1]正在检查用户自定义启动项....." | $saveresult
chkconfig=$(chkconfig --list | grep -E ":on|启用" | awk '{print $1}')
if [ -n "$chkconfig" ];then
(echo "[*]用户自定义启动项:" && echo "$chkconfig") | $saveresult
else
echo "[!!!]未发现用户自定义启动项" | $saveresult
fi
printf "\n" | $saveresult
echo -------------4.2 系统自启动项-----------------------
echo "[4.2]正在检查系统自启动项....." | $saveresult
systemchkconfig=$(systemctl list-unit-files | grep enabled | awk '{print $1}')
if [ -n "$systemchkconfig" ];then
(echo "[*]系统自启动项如下:" && echo "$systemchkconfig") | $saveresult
else
echo "[*]未发现系统自启动项" | $saveresult
fi
printf "\n" | $saveresult
echo -------------4.3 危险启动项-----------------------
echo "[4.3]正在检查危险启动项....." | $saveresult
dangerstarup=$(chkconfig --list | grep -E ":on|启用" | awk '{print $1}' | grep -E "\.(sh|per|py)$")
if [ -n "$dangerstarup" ];then
(echo "[!!!]发现危险启动项:" && echo "$dangerstarup") | tee -a $danger_file | $saveresult
else
echo "[*]未发现危险启动项" | $saveresult
fi
printf "\n" | $saveresult
echo ------------5.查看定时任务-------------------
echo ------------5.1系统定时任务分析-------------------
echo ------------5.1.1查看系统定时任务-------------------
echo "[5.1.1]正在分析系统定时任务....." | $saveresult
syscrontab=$(more /etc/crontab | grep -v "# run-parts" | grep run-parts)
if [ -n "$syscrontab" ];then
(echo "[!!!]发现存在系统定时任务:" && more /etc/crontab ) | tee -a $danger_file | $saveresult
else
echo "[*]未发现系统定时任务" | $saveresult
fi
printf "\n" | $saveresult
# if [ $? -eq 0 ]表示上面命令执行成功;执行成功输出的是0;失败非0
#ifconfig echo $? 返回0,表示执行成功
# if [ $? != 0 ]表示上面命令执行失败
echo ------------5.1.2分析系统可疑定时任务-------------------
echo "[5.1.2]正在分析系统可疑任务....." | $saveresult
dangersyscron=$(egrep "((chmod|useradd|groupadd|chattr)|((wget|curl)*\.(sh|pl|py)$))" /etc/cron*/* /var/spool/cron/*)
if [ $? -eq 0 ];then
(echo "[!!!]发现下面的定时任务可疑,请注意!!!" && echo "$dangersyscron") | tee -a $danger_file | $saveresult
else
echo "[*]未发现可疑系统定时任务" | $saveresult
fi
printf "\n" | $saveresult
echo ------------5.2分析用户定时任务-------------------
echo ------------5.2.1查看用户定时任务-------------------
echo "[5.2.1]正在查看用户定时任务....." | $saveresult
crontab=$(crontab -l)
if [ $? -eq 0 ];then
(echo "[!!!]发现用户定时任务如下:" && echo "$crontab") | $saveresult
else
echo "[*]未发现用户定时任务" | $saveresult
fi
printf "\n" | $saveresult
echo ------------5.2.2查看可疑用户定时任务-------------------
echo "[5.2.2]正在分析可疑用户定时任务....." | $saveresult
danger_crontab=$(crontab -l | egrep "((chmod|useradd|groupadd|chattr)|((wget|curl).*\.(sh|pl|py)))")
if [ $? -eq 0 ];then
(echo "[!!!]发现可疑定时任务,请注意!!!" && echo "$danger_crontab") | tee -a $danger_file | $saveresult
else
echo "[*]未发现可疑定时任务" | $saveresult
fi
printf "\n" | $saveresult
echo -------------6.路由与路由转发----------------
echo "[6.1]正在检查路由表....." | $saveresult
route=$(route -n)
if [ -n "$route" ];then
(echo "[*]路由表如下:" && echo "$route") | $saveresult
else
echo "[*]未发现路由器表" | $saveresult
fi
printf "\n" | $saveresult
echo "[6.2]正在分析是否开启转发功能....." | $saveresult
#数值分析
#1:开启路由转发
#0:未开启路由转发
ip_forward=`more /proc/sys/net/ipv4/ip_forward | gawk -F: '{if ($1==1) print "1"}'`
if [ -n "$ip_forward" ];then
echo "[!!!]该服务器开启路由转发,请注意!" | tee -a $danger_file | $saveresult
else
echo "[*]该服务器未开启路由转发" | $saveresult
fi
printf "\n" | $saveresult
echo ------------7.进程分析--------------------
echo ------------7.1系统进程--------------------
echo "[7.1]正在检查进程....." | $saveresult
ps=$(ps -aux)
if [ -n "$ps" ];then
(echo "[*]系统进程如下:" && echo "$ps") | $saveresult
else
echo "[*]未发现系统进程" | $saveresult
fi
printf "\n" | $saveresult
echo "[7.2]正在检查守护进程....." | $saveresult
if [ -e /etc/xinetd.d/rsync ];then
(echo "[*]系统守护进程:" && more /etc/xinetd.d/rsync | grep -v "^#") | $saveresult
else
echo "[*]未发现守护进程" | $saveresult
fi
printf "\n" | $saveresult
echo ------------8.关键文件检查-----------------
echo ------------8.1DNS文件检查-----------------
echo "[8.1]正在检查DNS文件....." | $saveresult
resolv=$(more /etc/resolv.conf | grep ^nameserver | awk '{print $NF}')
if [ -n "$resolv" ];then
(echo "[*]该服务器使用以下DNS服务器:" && echo "$resolv") | $saveresult
else
echo "[*]未发现DNS服务器" | $saveresult
fi
printf "\n" | $saveresult
echo ------------8.2hosts文件检查-----------------
echo "[8.2]正在检查hosts文件....." | $saveresult
hosts=$(more /etc/hosts)
if [ -n "$hosts" ];then
(echo "[*]hosts文件如下:" && echo "$hosts") | $saveresult
else
echo "[*]未发现hosts文件" | $saveresult
fi
printf "\n" | $saveresult
echo ------------8.3公钥文件检查-----------------
echo "[8.3]正在检查公钥文件....." | $saveresult
if [ -e /root/.ssh/*.pub ];then
echo "[!!!]发现公钥文件,请注意!" | tee -a $danger_file | $saveresult
else
echo "[*]未发现公钥文件" | $saveresult
fi
printf "\n" | $saveresult
echo ------------8.4私钥文件检查-----------------
echo "[8.4]正在检查私钥文件....." | $saveresult
if [ -e /root/.ssh/id_rsa ];then
echo "[!!!]发现私钥文件,请注意!" | tee -a $danger_file | $saveresult
else
echo "[*]未发现私钥文件" | $saveresult
fi
printf "\n" | $saveresult
echo ------------9.运行服务----------------------
echo "[9.1]正在检查运行服务....." | $saveresult
services=$(systemctl | grep -E "\.service.*running" | awk -F. '{print $1}')
if [ -n "$services" ];then
(echo "[*]以下服务正在运行:" && echo "$services") | $saveresult
else
echo "[!!!]未发现正在运行的服务!" | $saveresult
fi
printf "\n" | $saveresult
echo ------------10.查看登录用户------------------
echo "[10.1]正在检查正在登录的用户....." | $saveresult
(echo "[*]系统登录用户:" && who ) | $saveresult
printf "\n" | $saveresult
echo ------------11.查看用户信息------------------
echo "[11]正在查看用户信息....." | $saveresult
echo "[*]用户名:口令:用户标识号:组标识号:注释性描述:主目录:登录Shell" | $saveresult
more /etc/passwd | $saveresult
printf "\n" | $saveresult
echo ------------11.1超级用户---------------------
#UID=0的为超级用户,系统默认root的UID为0
echo "[11.1]正在检查是否存在超级用户....." | $saveresult
Superuser=`more /etc/passwd | egrep -v '^root|^#|^(\+:\*)?:0:0:::' | awk -F: '{if($3==0) print $1}'`
if [ -n "$Superuser" ];then
echo "[!!!]除root外发现超级用户:" | tee -a $danger_file | $saveresult
for user in $Superuser
do
echo $user | $saveresult
if [ "${user}" = "toor" ];then
echo "[!!!]BSD系统默认安装toor用户,其他系统默认未安装toor用户,若非BSD系统建议删除该账号" | $saveresult
fi
done
else
echo "[*]未发现超级用户" | $saveresult
fi
printf "\n" | $saveresult
echo ------------11.2克隆用户---------------------
#相同的UID为克隆用户
echo "[11.2]正在检查是否存在克隆用户....." | $saveresult
uid=`awk -F: '{a[$3]++}END{for(i in a)if(a[i]>1)print i}' /etc/passwd`
if [ -n "$uid" ];then
echo "[!!!]发现下面用户的UID相同:" | tee -a $danger_file | $saveresult
(more /etc/passwd | grep $uid | awk -F: '{print $1}') | tee -a $danger_file | $saveresult
else
echo "[*]未发现相同UID的用户" | $saveresult
fi
printf "\n" | $saveresult
echo ------------11.3可登录用户-------------------
echo "[11.3]正在检查可登录的用户......" | $saveresult
loginuser=`cat /etc/passwd | grep -E "/bin/bash$" | awk -F: '{print $1}'`
if [ -n "$loginuser" ];then
echo "[!!!]以下用户可以登录:" | tee -a $danger_file | $saveresult
for user in $loginuser
do
echo $user | tee -a $danger_file | $saveresult
done
else
echo "[*]未发现可以登录的用户" | $saveresult
fi
printf "\n" | $saveresult
echo ------------11.4非系统用户-----------------
echo "[11.4]正在检查非系统本身自带用户" | $saveresult
if [ -f /etc/login.defs ];then
uid=$(grep "^UID_MIN" /etc/login.defs | awk '{print $2}')
(echo "系统最小UID为"$uid) | $saveresult
nosystemuser=`gawk -F: '{if ($3>='$uid' && $3!=65534) {print $1}}' /etc/passwd`
if [ -n "$nosystemuser" ];then
(echo "以下用户为非系统本身自带用户:" && echo "$nosystemuser") | tee -a $danger_file | $saveresult
else
echo "[*]未发现除系统本身外的其他用户" | $saveresult
fi
fi
printf "\n" | $saveresult
echo ------------11.5shadow文件-----------------
echo "[11.5]正在检查shadow文件....." | $saveresult
(echo "[*]shadow文件" && more /etc/shadow ) | $saveresult
printf "\n" | $saveresult
echo ------------11.6空口令用户-----------------
echo "[11.6]正在检查空口令用户....." | $saveresult
nopasswd=`gawk -F: '($2=="") {print $1}' /etc/shadow`
if [ -n "$nopasswd" ];then
(echo "[!!!]以下用户口令为空:" && echo "$nopasswd") | $saveresult
else
echo "[*]未发现空口令用户" | $saveresult
fi
printf "\n" | $saveresult
echo ------------11.7空口令且可登录-----------------
echo "[11.7]正在检查空口令且可登录的用户....." | $saveresult
#允许空口令用户登录方法
#1.passwd -d username
#2.echo "PermitEmptyPasswords yes" >>/etc/ssh/sshd_config
#3.service sshd restart
aa=$(cat /etc/passwd | grep -E "/bin/bash$" | awk -F: '{print $1}')
bb=$(gawk -F: '($2=="") {print $1}' /etc/shadow)
cc=$(cat /etc/ssh/sshd_config | grep -w "^PermitEmptyPasswords yes")
flag=""
for a in $aa
do
for b in $bb
do
if [ "$a" = "$b" ] && [ -n "$cc" ];then
echo "[!!!]发现空口令且可登录用户:"$a | $saveresult
flag=1
fi
done
done
if [ -n "$flag" ];then
echo "请人工分析配置和账号" | $saveresult
else
echo "[*]未发现空口令且可登录用户" | $saveresult
fi
printf "\n" | $saveresult
echo ------------11.8口令未加密----------------
echo "[11.8]正在检查口令加密用户....." | $saveresult
noenypasswd=$(awk -F: '{if($2!="x") {print $1}}' /etc/passwd)
if [ -n "$noenypasswd" ];then
(echo "[!!!]以下用户口令未加密:" && echo "$noenypasswd") | tee -a $danger_file | $saveresult
else
echo "[*]未发现口令未加密的用户" | $saveresult
fi
printf "\n" | $saveresult
echo ------------11.9用户组分析-----------------------
echo ------------11.9.1 用户组信息------------ ----
echo "[11.9.1]正在检查用户组信息....." | $saveresult
echo "[*]用户组信息如下:"
(more /etc/group | grep -v "^#") | $saveresult
printf "\n" | $saveresult
echo ------------11.9.2 特权用户--------------------
echo "[11.9.2]正在检查特权用户....." | $saveresult
roots=$(more /etc/group | grep -v '^#' | gawk -F: '{if ($1!="root"&&$3==0) print $1}')
if [ -n "$roots" ];then
echo "[!!!]除root用户外root组还有以下用户:" | tee -a $danger_file | $saveresult
for user in $roots
do
echo $user | tee -a $danger_file | $saveresult
done
else
echo "[*]除root用户外root组未发现其他用户" | $saveresult
fi
printf "\n" | $saveresult
echo ------------11.9.3 相同GID用户组--------------------
echo "[11.9.3]正在检查相应GID用户组....." | $saveresult
groupuid=$(more /etc/group | grep -v "^$" | awk -F: '{print $3}' | uniq -d)
if [ -n "$groupuid" ];then
(echo "[!!!]发现相同GID用户组:" && echo "$groupuid") | tee -a $danger_file | $saveresult
else
echo "[*]未发现相同GID的用户组" | $saveresult
fi
printf "\n" | $saveresult
echo ------------11.9.4 相同用户组名--------------------
echo "[11.9.4]正在检查相同用户组名....." | $saveresult
groupname=$(more /etc/group | grep -v "^$" | awk -F: '{print $1}' | uniq -d)
if [ -n "$groupname" ];then
(echo "[!!!]发现相同用户组名:" && echo "$groupname") | tee -a $danger_file | $saveresult
else
echo "[*]未发现相同用户组名" | $saveresult
fi
printf "\n" | $saveresult
echo ------------11.10 文件权限--------------------
echo ------------11.10.1 etc文件权限--------------------
echo "[11.10.1]正在检查etc文件权限....." | $saveresult
etc=$(ls -l / | grep etc | awk '{print $1}')
if [ "${etc:1:9}" = "rwxr-x---" ]; then
echo "[*]/etc/权限为750,权限正常" | $saveresult
else
echo "[!!!]/etc/文件权限为:""${etc:1:9}","权限不符合规划,权限应改为750" | $saveresult
fi
printf "\n" | $saveresult
echo ------------11.10.2 shadow文件权限--------------------
echo "[11.10.2]正在检查shadow文件权限....." | $saveresult
shadow=$(ls -l /etc/shadow | awk '{print $1}')
if [ "${shadow:1:9}" = "rw-------" ]; then
echo "[*]/etc/shadow文件权限为600,权限符合规范" | $saveresult
else
echo "[!!!]/etc/shadow文件权限为:""${shadow:1:9}"",不符合规范,权限应改为600" | tee -a $danger_file | $saveresult
fi
printf "\n" | $saveresult
echo ------------11.10.3 passwd文件权限--------------------
echo "[11.10.3]正在检查passwd文件权限....." | $saveresult
passwd=$(ls -l /etc/passwd | awk '{print $1}')
if [ "${passwd:1:9}" = "rw-r--r--" ]; then
echo "[*]/etc/passwd文件权限为644,符合规范" | $saveresult
else
echo "[!!!]/etc/passwd文件权限为:""${passwd:1:9}"",权限不符合规范,建议改为644" | tee -a $danger_file | $saveresult
fi
printf "\n" | $saveresult
echo ------------11.10.4 group文件权限--------------------
echo "[11.10.4]正在检查group文件权限....." | $saveresult
group=$(ls -l /etc/group | awk '{print $1}')
if [ "${group:1:9}" = "rw-r--r--" ]; then
echo "[*]/etc/group文件权限为644,符合规范" | $saveresult
else
echo "[!!!]/etc/goup文件权限为""${group:1:9}","不符合规范,权限应改为644" | tee -a $danger_file | $saveresult
fi
printf "\n" | $saveresult
echo ------------11.10.5 securetty文件权限--------------------
echo "[11.10.5]正在检查securetty文件权限....." | $saveresult
securetty=$(ls -l /etc/securetty | awk '{print $1}')
if [ "${securetty:1:9}" = "-rw-------" ]; then
echo "[*]/etc/securetty文件权限为600,符合规范" | $saveresult
else
echo "[!!!]/etc/securetty文件权限为""${securetty:1:9}","不符合规范,权限应改为600" | tee -a $danger_file | $saveresult
fi
printf "\n" | $saveresult
echo ------------11.10.6 services文件权限--------------------
echo "[11.10.6]正在检查services文件权限....." | $saveresult
services=$(ls -l /etc/services | awk '{print $1}')
if [ "${services:1:9}" = "-rw-r--r--" ]; then
echo "[*]/etc/services文件权限为644,符合规范" | $saveresult
else
echo "[!!!]/etc/services文件权限为""$services:1:9}","不符合规范,权限应改为644" | tee -a $danger_file | $saveresult
fi
printf "\n" | $saveresult
echo ------------11.10.7 grub.conf文件权限--------------------
echo "[11.10.7]正在检查grub.conf文件权限....." | $saveresult
grubconf=$(ls -l /etc/grub.conf | awk '{print $1}')
if [ "${grubconf:1:9}" = "-rw-------" ]; then
echo "[*]/etc/grub.conf文件权限为600,符合规范" | $saveresult
else
echo "[!!!]/etc/grub.conf文件权限为""${grubconf:1:9}","不符合规范,权限应改为600" | tee -a $danger_file | $saveresult
fi
printf "\n" | $saveresult
echo ------------11.10.8 xinetd.conf文件权限--------------------
echo "[11.10.8]正在检查xinetd.conf文件权限....." | $saveresult
xinetdconf=$(ls -l /etc/xinetd.conf | awk '{print $1}')
if [ "${xinetdconf:1:9}" = "-rw-------" ]; then
echo "[*]/etc/xinetd.conf文件权限为600,符合规范" | $saveresult
else
echo "[!!!]/etc/xinetd.conf文件权限为""${xinetdconf:1:9}","不符合规范,权限应改为600" | tee -a $danger_file | $saveresult
fi
printf "\n" | $saveresult
echo ------------11.10.9 lilo.conf文件权限--------------------
echo "[11.10.9]正在检查lilo.conf文件权限....." | $saveresult
if [ -f /etc/lilo.conf ];then
liloconf=$(ls -l /etc/lilo.conf | awk '{print $1}')
if [ "${liloconf:1:9}" = "-rw-------" ];then
echo "/etc/lilo.conf文件权限为600,符合要求" | $saveresult
else
echo "/etc/lilo.conf文件权限不为600,不符合要求,建议设置权限为600" | $saveresult
fi
else
echo "/etc/lilo.conf文件夹不存在,不检查,符合要求"
fi
printf "\n" | $saveresult
echo ------------11.10.10 limits.conf文件权限--------------------
echo "[11.10.10]正在检查limits.conf文件权限....." | $saveresult
cat /etc/security/limits.conf | grep -v ^# | grep core
if [ $? -eq 0 ];then
soft=`cat /etc/security/limits.conf | grep -v ^# | grep core | awk -F ' ' '{print $2}'`
for i in $soft
do
if [ $i = "soft" ];then
echo "* soft core 0 已经设置,符合要求" | $saveresult
fi
if [ $i = "hard" ];then
echo "* hard core 0 已经设置,符合要求" | $saveresult
fi
done
else
echo "没有设置core,建议在/etc/security/limits.conf中添加* soft core 0和* hard core 0" | $saveresult
fi
echo ------------11.11其他--------------------
###############################################
#Access:访问时间,每次访问文件时都会更新这个时间,如使用more、cat
#Modify:修改时间,文件内容改变会导致该时间更新
#Change:改变时间,文件属性变化会导致该时间更新,当文件修改时也会导致该时间更新;但是改变文件的属性,如读写权限时只会导致该时间更新,不会导致修改时间更新
###############################################
echo "[11.11]正在检查useradd时间属性....." | $saveresult
echo "[*]useradd时间属性:" | $saveresult
stat /usr/sbin/useradd | egrep "Access|Modify|Change" | grep -v '(' | $saveresult
printf "\n" | $saveresult
echo "[11.11]正在检查userdel时间属性....." | $saveresult
echo "[*]userdel时间属性:" | $saveresult
stat /usr/sbin/userdel | egrep "Access|Modify|Change" | grep -v '(' | $saveresult
printf "\n" | $saveresult
echo ------------12历史命令--------------------------
echo ------------12.1系统操作历史命令---------------
echo ------------12.1.1系统操作历史命令---------------
echo "[12.1.1]正在检查操作系统历史命令....." | $saveresult
history=$(more /root/.bash_history)
if [ -n "$history" ];then
(echo "[*]操作系统历史命令如下:" && echo "$history") | $saveresult
else
echo "[!!!]未发现历史命令,请检查是否记录及已被清除" | $saveresult
fi
printf "\n" | $saveresult
echo ------------12.1.2是否下载过脚本文件---------------
echo "[12.1.2]正在检查是否下载过脚本文件....." | $saveresult
scripts=$(more /root/.bash_history | grep -E "((wget|curl).*\.(sh|pl|py)$)" | grep -v grep)
if [ -n "$scripts" ];then
(echo "[!!!]该服务器下载过脚本以下脚本:" && echo "$scripts") | tee -a $danger_file | $saveresult
else
echo "[*]该服务器未下载过脚本文件" | $saveresult
fi
printf "\n" | $saveresult
echo ------------12.1.3是否增加过账号---------------
echo "[12.1.3]正在检查是否增加过账号....." | $saveresult
addusers=$(history | egrep "(useradd|groupadd)" | grep -v grep)
if [ -n "$addusers" ];then
(echo "[!!!]该服务器增加过以下账号:" && echo "$addusers") | tee -a $danger_file | $saveresult
else
echo "[*]该服务器未增加过账号" | $saveresult
fi
printf "\n" | $saveresult
echo ------------12.1.4是否删除过账号--------------
echo "[12.1.4]正在检查是否删除过账号....." | $saveresult
delusers=$(history | egrep "(userdel|groupdel)" | grep -v grep)
if [ -n "$delusers" ];then
(echo "[!!!]该服务器删除过以下账号:" && echo "$delusers") | tee -a $danger_file | $saveresult
else
echo "[*]该服务器未删除过账号" | $saveresult
fi
printf "\n" | $saveresult
echo ------------12.1.5可疑历史命令--------------
echo "[12.1.5]正在检查历史可疑命令....." | $saveresult
danger_histroy=$(history | grep -E "(whois|sqlmap|nmap|beef|nikto|john|ettercap|backdoor|proxy|msfconsole|msf)" | grep -v grep)
if [ -n "$danger_histroy" ];then
(echo "[!!!]发现可疑历史命令" && echo "$danger_histroy") | tee -a $danger_file | $saveresult
else
echo "[*]未发现可疑历史命令" | $saveresult
fi
printf "\n" | $saveresult
echo ------------12.1.6本地下载文件--------------
echo "[12.1.6]正在检查历史日志中本地下载文件记录....." | $saveresult
uploadfiles=$(history | grep sz | grep -v grep | awk '{print $3}')
if [ -n "$uploadfiles" ];then
(echo "[!!!]通过历史日志发现本地主机下载过以下文件:" && echo "$uploadfiles") | $saveresult
else
echo "[*]通过历史日志未发现本地主机下载过文件" | $saveresult
fi
printf "\n" | $saveresult
echo ------------12.2数据库操作历史命令---------------
echo "[12.2]正在检查数据库操作历史命令....." | $saveresult
mysql_history=$(more /root/.mysql_history)
if [ -n "$mysql_history" ];then
(echo "[*]数据库操作历史命令如下:" && echo "$mysql_history") | $saveresult
else
echo "[*]未发现数据库历史命令" | $saveresult
fi
printf "\n" | $saveresult
echo ------------13.策略情况---------------------
echo ------------13.1防火墙策略-------------------
echo "[13.1]正在检查防火墙策略....." | $saveresult
firewalledstatus=$(systemctl status firewalld | grep "active (running)")
firewalledpolicy=$(iptables -L | grep "\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}")
if [ -n "$firewalledstatus" ];then
echo "[*]该服务器防火墙已打开"
if [ -n "$firewalledpolicy" ];then
(echo "[*]防火墙策略如下" && echo "$firewalledpolicy") | $saveresult
else
echo "[!!!]防火墙策略未配置,建议配置防火墙策略!" | tee -a $danger_file | $saveresult
fi
else
echo "[!!!]防火墙未开启,建议开启防火墙" | tee -a $danger_file | $saveresult
fi
printf "\n" | $saveresult
echo ------------13.2远程访问策略-----------------
echo ------------13.2.1远程允许策略-----------------
echo "[13.2.1]正在检查远程允许策略....." | $saveresult
hostsallow=$(more /etc/hosts.allow | grep -v '#')
if [ -n "$hostsallow" ];then
(echo "[!!!]允许以下IP远程访问:" && echo "$hostsallow") | tee -a $danger_file | $saveresult
else
echo "[*]hosts.allow文件未发现允许远程访问地址" | $saveresult
fi
printf "\n" | $saveresult
echo ------------13.2.2远程拒绝策略-----------------
echo "[13.2.2]正在检查远程拒绝策略....." | $saveresult
hostsdeny=$(more /etc/hosts.deny | grep -v '#')
if [ -n "$hostsdeny" ];then
(echo "[!!!]拒绝以下IP远程访问:" && echo "$hostsdeny") | $saveresult
else
echo "[*]hosts.deny文件未发现拒绝远程访问地址" | $saveresult
fi
printf "\n" | $saveresult
echo ------------13.3密码策略------------------------
echo ------------13.3.1密码有效期策略------------------------
echo "[13.3.1]正在检查密码有效期策略....." | $saveresult
(echo "[*]密码有效期策略如下:" && more /etc/login.defs | grep -v "#" | grep PASS ) | $saveresult
printf "\n" | $saveresult
echo "[*]正在进行具体项的基线检查......" | $saveresult
passmax=$(cat /etc/login.defs | grep PASS_MAX_DAYS | grep -v ^# | awk '{print $2}')
if [ $passmax -le 90 -a $passmax -gt 0 ];then
echo "[*]口令生存周期为${passmax}天,符合要求" | $saveresult
else
echo "[!!!]口令生存周期为${passmax}天,不符合要求,建议设置为0-90天" | $saveresult
fi
passmin=$(cat /etc/login.defs | grep PASS_MIN_DAYS | grep -v ^# | awk '{print $2}')
if [ $passmin -ge 6 ];then
echo "[*]口令更改最小时间间隔为${passmin}天,符合要求" | $saveresult
else
echo "[!!!]口令更改最小时间间隔为${passmin}天,不符合要求,建议设置不小于6天" | $saveresult
fi
passlen=$(cat /etc/login.defs | grep PASS_MIN_LEN | grep -v ^# | awk '{print $2}')
if [ $passlen -ge 8 ];then
echo "[*]口令最小长度为${passlen},符合要求" | $saveresult
else
echo "[!!!]口令最小长度为${passlen},不符合要求,建议设置最小长度大于等于8" | $saveresult
fi
passage=$(cat /etc/login.defs | grep PASS_WARN_AGE | grep -v ^# | awk '{print $2}')
if [ $passage -ge 30 -a $passage -lt $passmax ];then
echo "[*]口令过期警告时间天数为${passage},符合要求" | $saveresult
else
echo "[!!!]口令过期警告时间天数为${passage},不符合要求,建议设置大于等于30并小于口令生存周期" | $saveresult
fi
printf "\n" | $saveresult
echo ------------13.3.2密码复杂度策略------------------------
echo "[13.3.1]正在检查密码复杂度策略....." | $saveresult
(echo "[*]密码复杂度策略如下:" && more /etc/pam.d/system-auth | grep -v "#") | $saveresult
printf "\n" | $saveresult
echo ------------13.3.3 密码已过期用户---------------------------
echo "[13.3.3]正在检查密码已过期用户....." | $saveresult
NOW=$(date "+%s")
day=$((${NOW}/86400))
passwdexpired=$(grep -v ":[\!\*x]([\*\!])?:" /etc/shadow | awk -v today=${day} -F: '{ if (($5!="") && (today>$3+$5)) { print $1 }}')
if [ -n "$passwdexpired" ];then
(echo "[*]以下用户的密码已过期:" && echo "$passwdexpired") | $saveresult
else
echo "[*]未发现密码已过期用户" | $saveresult
fi
printf "\n" | $saveresult
echo ------------13.3.4 账号超时锁定策略---------------------------
echo "[13.3.4]正在检查账号超时锁定策略....." | $saveresult
account_timeout=`cat /etc/profile | grep TMOUT | awk -F[=] '{print $2}'`
if [ "$account_timeout" != "" ];then
TMOUT=`cat /etc/profile | grep TMOUT | awk -F[=] '{print $2}'`
if [ $TMOUT -le 600 -a $TMOUT -ge 10 ];then
echo "[*]账号超时时间为${TMOUT}秒,符合要求" | $saveresult
else
echo "[!!!]账号超时时间为${TMOUT}秒,不符合要求,建议设置小于600秒" | $saveresult
fi
else
echo "[!!!]账号超时未锁定,不符合要求,建议设置小于600秒" | $saveresult
fi
printf "\n" | $saveresult
echo ------------13.3.5 grub密码策略检查---------------------------
echo "[13.3.5]正在检查grub密码策略....." | $saveresult
grubpass=$(cat /etc/grub.conf | grep password)
if [ $? -eq 0 ];then
echo "[*]已设置grub密码,符合要求" | $saveresult
else
echo "[!!!]未设置grub密码,不符合要求,建议设置grub密码" | $saveresult
fi
printf "\n" | $saveresult
echo ------------13.3.6 lilo密码策略检查---------------------------
echo "[13.3.6]正在检查lilo密码策略....." | $saveresult
if [ -f /etc/lilo.conf ];then
lilopass=$(cat /etc/lilo.conf | grep password 2> /dev/null)
if [ $? -eq 0 ];then
echo "[*]已设置lilo密码,符合要求" | $saveresult
else
echo "[!!!]未设置lilo密码,不符合要求,建议设置lilo密码" | $saveresult
fi
else
echo "[*]未发现/etc/lilo.conf文件" | $saveresult
fi
echo ------------13.4selinux策略----------------------
echo "[13.4]正在检查selinux策略....." | $saveresult
(echo "selinux策略如下:" && egrep -v '#|^$' /etc/sysconfig/selinux ) | $saveresult
printf "\n" | $saveresult
echo ------------13.5sshd配置文件--------------------
echo ------------13.5.1sshd配置----------------------
echo "[13.5.1]正在检查sshd配置....." | $saveresult
sshdconfig=$(more /etc/ssh/sshd_config | egrep -v "#|^$")
if [ -n "$sshdconfig" ];then
(echo "[*]sshd配置文件如下:" && echo "$sshdconfig") | $saveresult
else
echo "[!]未发现sshd配置文件" | $saveresult
fi
printf "\n" | $saveresult
echo ------------13.5.2空口令登录检查--------------------
echo "[13.5.2]正在检查是否允许空口令登录....." | $saveresult
emptypasswd=$(cat /etc/ssh/sshd_config | grep -w "^PermitEmptyPasswords yes")
nopasswd=`gawk -F: '($2=="") {print $1}' /etc/shadow`
if [ -n "$emptypasswd" ];then
echo "[!!!]允许空口令登录,请注意!!!"
if [ -n "$nopasswd" ];then
(echo "[!!!]以下用户空口令:" && echo "$nopasswd") | tee -a $danger_file | $saveresult
else
echo "[*]但未发现空口令用户" | $saveresult
fi
else
echo "[*]不允许空口令用户登录" | $saveresult
fi
printf "\n" | $saveresult
echo ------------13.5.3 root远程登录--------------------
echo "[13.5.3]正在检查是否允许root远程登录....." | $saveresult
cat /etc/ssh/sshd_config | grep -v ^# |grep "PermitRootLogin no"
if [ $? -eq 0 ];then
echo "[*]root不允许登陆,符合要求" | $saveresult
else
echo "[!!!]允许root远程登陆,不符合要求,建议/etc/ssh/sshd_config添加PermitRootLogin no" | $saveresult
fi
printf "\n" | $saveresult
echo ------------13.5.4 ssh协议版本--------------------
echo "[13.5.4]正在检查ssh协议版本....." | $saveresult
protocolver=$(more /etc/ssh/sshd_config | grep -v ^$ | grep Protocol | awk '{print $2}')
if [ "$protocolver" -eq "2" ];then
echo "[*]openssh使用ssh2协议,符合要求"
else
echo "[!!!]openssh未ssh2协议,不符合要求"
fi
echo ------------13.6 NIS 配置文件--------------------
echo "[13.6]正在检查nis配置....." | $saveresult
nisconfig=$(more /etc/nsswitch.conf | egrep -v '#|^$')
if [ -n "$nisconfig" ];then
(echo "[*]NIS服务配置如下:" && echo "$nisconfig") | $saveresult
else
echo "[*]未发现NIS服务配置" | $saveresult
fi
printf "\n" | $saveresult
echo ------------13.7 Nginx配置----------------------
echo ------------13.7.1 Nginx配置---------------------
echo "[13.7.1]正在检查Nginx配置文件......" | $saveresult
nginx=$(whereis nginx | awk -F: '{print $2}')
if [ -n "$nginx" ];then
(echo "[*]Nginx配置文件如下:" && more $nginx/conf/nginx.conf) | $saveresult
else
echo "[*]未发现Nginx服务" | $saveresult
fi
printf "\n" | $saveresult
echo ------------13.7.2 Nginx端口转发分析-------------
echo "[13.7.2]正在检查Nginx端口转发配置......" | $saveresult
nginx=$(whereis nginx | awk -F: '{print $2}')
nginxportconf=$(more $nginx/conf/nginx.conf | egrep "listen|server |server_name
