这个脚本主要用于检查Linux系统的一些基础配置是否存在危险,能够快速地发现问题、定位问题。目前功能还不够全面,后面会慢慢完善。
喜欢安全的朋友可以微信关注Gamma安全实验室公众号,里面有很多高质量文章以及免费的学习资料。
#! /bin/bash
######################################
# Linux主机安全基线检查
# Date:2020-12-23
# 使用前请给文件执行权限:chmod u+x check.sh
# 如提示找不到文件 在vi编辑模式下 set ff=unix
# by Gamma安全实验室
######################################
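# Per-run timestamp; it becomes part of the log file name so runs do not overwrite each other.
scanner_time=$(date '+%Y-%m-%d_%H:%M:%S')
# The report enumerates weak settings on this host, so the directory is created
# owner-only. -p keeps a second run from failing on the existing directory;
# -m only applies when the directory is actually created.
# NOTE(review): the path is relative to the current working directory and the
# script runs as root -- start it from a directory that only root can write to.
mkdir -p -m 700 Check_log
scanner_log="./Check_log/checkResult_${scanner_time}.log"
# Human-readable "up for ..." portion of the uptime output.
uptime=$(uptime | sed 's/.*up \([^,]*\), .*/\1/')
# Load the init-script helper library when the distribution ships it
# (bk_safe calls `action`, presumably defined there -- confirm on hosts without this file).
[ -f /etc/init.d/functions ] && source /etc/init.d/functions
# Pin PATH to the system directories so the checks do not pick up binaries from
# an inherited, possibly user-controlled PATH.
# NOTE(review): /etc/profile is sourced afterwards and may change PATH again.
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
source /etc/profile
# Require root to run this script.
[ "$(id -u)" -gt 0 ] && echo "请用root用户执行此脚本!" && exit 1
# Create the result log up front and restrict it to the owner.
[ -f "${scanner_log}" ] || touch "${scanner_log}"
chmod 600 "${scanner_log}"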
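#######################################
# Print a short identification summary of the host (OS, release, kernel,
# hostname, SELinux state, locale, scan time, last boot, uptime).
# Globals:   LANG (temporarily set to en_US.UTF-8, then set to default_LANG);
#            default_LANG, Release, Kernel, OS, Hostname, SELinux, LastReboot,
#            uptime (written; left global because code outside this view may read them)
# Arguments: none
# Outputs:   the summary on stdout (the caller redirects it into the log)
#######################################
function getSystemStatus(){
  echo ""
  # Remember the configured locale so it can be reported and put back afterwards.
  if [ -e /etc/sysconfig/i18n ];then
    default_LANG="$(grep "LANG=" /etc/sysconfig/i18n | grep -v "^#" | awk -F '"' '{print $2}')"
  else
    default_LANG=$LANG
  fi
  # An unquoted LANG= entry yields nothing from the awk split on '"'; fall back
  # to the current value instead of exporting an empty LANG at the end.
  [ -n "$default_LANG" ] || default_LANG=$LANG
  # Force English tool output while the values below are parsed.
  export LANG="en_US.UTF-8"
  Release=$(cat /etc/redhat-release 2>/dev/null)
  # Hosts without /etc/redhat-release would otherwise report an empty release.
  if [ -z "$Release" ] && [ -r /etc/os-release ]; then
    Release=$(awk -F= '$1 == "PRETTY_NAME" { gsub(/"/, "", $2); print $2 }' /etc/os-release)
  fi
  Kernel=$(uname -r)
  OS=$(uname -o)
  Hostname=$(uname -n)
  # A blank SELinux line in a baseline report is ambiguous, so a missing or
  # silent sestatus is reported explicitly rather than left empty.
  if [ -x /usr/sbin/sestatus ]; then
    SELinux=$(/usr/sbin/sestatus 2>/dev/null | grep "SELinux status: " | awk '{print $3}')
  else
    SELinux=""
  fi
  [ -n "$SELinux" ] || SELinux="未知(无法从 /usr/sbin/sestatus 获取状态)"
  LastReboot=$(who -b | awk '{print $3,$4}')
  uptime=$(uptime | sed 's/.*up \([^,]*\), .*/\1/')
  echo " 系统:$OS"
  echo " 发行版本:$Release"
  echo " 内核:$Kernel"
  echo " 主机名:$Hostname"
  echo " SELinux:$SELinux"
  echo "语言/编码:$default_LANG"
  echo " 扫描时间:$(date +'%F %T')"
  echo " 最后启动:$LastReboot"
  echo " 运行时间:$uptime"
  export LANG="$default_LANG"
}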
bk_safe(){
echo ""
echo -e "\033[33m********************************Linux主机安全基线检查***********************************\033[0m"
echo "" >> ${scanner_log}
echo "***********************`hostname -s` 主机安全检查结果********************************" >> ${scanner_log}
getSystemStatus >> ${scanner_log}
echo "" >> ${scanner_log}
echo "****************************************************" >> ${scanner_log}
echo "`hostname -s`账号策略检查结果" >> ${scanner_log}
echo "****************************************************" >> ${scanner_log}
action "[1] 账号策略检查中..." /bin/true
passmax=`cat /etc/login.defs | grep PASS_MAX_DAYS | grep -v ^# | awk '{print $2}'`
passmin=`cat /etc/login.defs | grep PASS_MIN_DAYS | grep -v ^# | awk '{print $2}'`
passlen=`cat /etc/login.defs | grep PASS_MIN_LEN | grep -v ^# | awk '{print $2}'`
passage=`cat /etc/login.defs | grep PASS_WARN_AGE | grep -v ^# | awk '{print $2}'`
if [ $passmax -le 90 -a $passmax -gt 0 ];then
echo "[Y] 口令生存周期为${passmax}天,符合要求" >> ${scanner_log}
else
echo "[N] 口令生存周期为${passmax}天,不符合要求,建议设置不大于90天" >> ${scanner_log}
fi
if [ $passmin -ge 6 ];then
echo "[Y] 口令更改最小时间间隔为${passmin}天,符合要求" >> ${scanner_log}
else
echo "[N] 口