服务器初始化脚本
#!/bin/bash
function check_sshd_config(){
##1. check PasswordAuthentication
if [ `grep PasswordAuthentication /etc/ssh/sshd_config 2> /dev/null | grep -v "#" | grep -i no | wc -l` -gt 0 ];then
echo "#ssh_password_authentication=1"
else
echo "#ssh_password_authentication=0"
fi
##2. check PermitRootLogin
if [ `grep PermitRootLogin /etc/ssh/sshd_config 2> /dev/null | grep -v "#" | grep -iE "no|prohibit-password" | wc -l` -gt 0 ];then
echo "#ssh_permit_root_login=1"
else
echo "#ssh_permit_root_login=0"
fi
##3.check ssh_host_rsa_key permission
if [ `stat /etc/ssh/ssh_host_rsa_key | grep Uid | grep -vE "600|100|200|300|400|500|600|700" | wc -l` -gt 0 ];then
echo "#ssh_ssh_host_rsa_key=1"
else
echo "#ssh_ssh_host_rsa_key=0"
fi
##4. check /var/empty/sshd permission
if [ -d /var/empty/sshd ];then
if [ `stat /var/empty/sshd | grep Uid | grep 777 |wc -l` -gt 0 ];then
echo "#ssh_var_empty_sshd=1"
else
echo "#ssh_var_empty_sshd=0"
fi
fi
##5. check /etc/hosts.deny
if [ -f /etc/hosts.deny ];then
if [ `grep -v "#" /etc/hosts.deny | grep -v "http-rman" | grep -v "^$" | wc -l` -gt 0 ];then
echo "#ssh_hosts_deny=1"
else
echo "#ssh_hosts_deny=0"
fi
fi
##6. check ssh shell
sh=`cat /etc/passwd | grep -E "^root" | awk -F ":" '{print $NF}'`
if [[ ! -n "$sh" || ! -f "$sh" ]];then
echo "#ssh_shell=1"
else
echo "#ssh_shell=0"
fi
##7. check /var/log/btmp /var/log/wtmp file size
if [ -f /var/log/wtmp ] && [ -f /var/log/btmp ];then
w_size=`ls -al /var/log/wtmp | awk -F " " '{print $5}'`
b_size=`ls -al /var/log/btmp | awk -F " " '{print $5}'`
if [[ $w_size -gt 1024*1024*500 || $b_size -gt 1024*1024*500 ]];then
echo "#ssh_wtmp_btmp_too_large=1"
else
echo "#ssh_wtmp_btmp_too_large=0"
fi
fi
##8. check sshd ldd
check_result=`ldd /usr/sbin/sshd /bin/sshd /sbin/sshd /usr/bin/sshd 2>/dev/null | grep -i "not found"`
if [ -n "$check_result" ];then
echo "#ssh_ldd=1"
else
echo "#ssh_ldd=0"
fi
##9. /etc/profile call /etc/profile
if [ `grep "/etc/profile " /etc/profile | grep -v "#" | grep -v "profile.d" |wc -l` -gt 0 ];then
echo "#ssh_etc_profile_call_etc_profile=1"
else
echo "#ssh_etc_profile_call_etc_profile=0"
fi
##10. sshd process exist
if [ `ps aux | grep sshd | grep -v grep |wc -l` -gt 0 ];then
echo "#sshd_process_exist=0"
else
echo "#sshd_process_exist=1"
fi
}
function check_net(){
##1. check tw recycle
if [ `sysctl -a 2>/dev/null | grep "tcp_tw_recycle = 1" | wc -l` -gt 0 ];then
echo "#net_tcp_tw_recycle=1"
else
echo "#net_tcp_tw_recycle=0"
fi
##2. check eth queues
eth_combined=`ethtool -l eth0 2>/dev/null | grep Combined`
eth_combined_preset=`echo $eth_combined |head -n 1 | awk -F ":" '{print $2}'`
eth_combined_current=`echo $eth_combined | tail -n1 | awk -F ":" '{print $2}'`
if [ "$eth_combined_preset"X != "$eth_combined_current"X ];then
echo "#net_eth_channels=1"
else
echo "#net_eth_channels=0"
fi
}
function check_limits(){
no_file_limits=`grep nofile /etc/security/limits.conf | grep -v "#" | grep soft | grep nofile |tail -n 1 | awk -F " " '{print $NF}'`
nr_open=`sysctl -a 2>/dev/null | grep nr_open |awk -F "=" '{print $2}'`
if [ ! -n $no_file_limits ] && [ ! -n $nr_open ] && [ $no_file_limits -gt $nr_open ];then
echo "#limits_no_file=1"
else
echo "#limits_no_file=0"
fi
}
function check_oom(){
if [ `dmesg | grep "invoked oom-killer" | wc -l` -gt 0 ];then
echo "#oom=1"
else
echo "#oom=0"
fi
}
function check_selinux(){
if [ `cat /etc/selinux/config 2>/dev/null | grep "SELINUX=" | grep -v "#" | grep -v permissive | grep -v disable | wc -l` -gt 0 ];then
echo "#selinux=1"
else
echo "#selinux=0"
fi
}
function check_pid_useup(){
if [ -n `which bc 2>/dev/null` ];then
echo "#pid_useup=0"
return
fi
pid_num=`cat /proc/loadavg | awk '{print $4}' | awk -F "/" '{print $2}'`
pid_max=`sysctl -a 2>/dev/null | grep pid_max | awk -F "=" '{print $2}'`
if [ `echo "$pid_max * 0.9 < $pid_num"|bc` -eq 1 ];then
echo "#pid_useup=1"
else
echo "#pid_useup=0"
fi
}
function check_cloud_init(){
if [ -n `which cloud-init 2>/dev/null` ];then
echo "#cloud-init=0"
return
fi
cloud-init -v > /dev/null 2>&1
cloud_init_ret=$?
/usr/local/bin/cloud-init -v > /dev/null 2>&1
usr_local_cloud_init_ret=$?
if [ $cloud_init_ret -ne 0 -a $usr_local_cloud_init_ret -ne 0 ];then
echo "#cloud_init=1"
else
echo "#cloud_init=0"
fi
}
function check_soft_link(){
if [ `cat /etc/redhat-release 2>/dev/null | grep "release 7" | wc -l` -gt 0 ] ||
[ `cat /etc/redhat-release 2>/dev/null | grep "release 8" | wc -l` -gt 0 ] ||
[ `cat /etc/os-release | grep -i "ubuntu 20" | wc -l` -gt 0 ];then
if [ `ls -al /bin /sbin /lib /lib64 |wc -l` -lt 4 ];then
echo "#soft_link=1"
return
fi
fi
echo "#soft_link=0"
}
function check_hugepage(){
if [ `grep nr_hugepages /etc/sysctl.conf | grep -v "#" ` ];then
echo "#hugepage=1"
else
echo "#hugepage=0"
fi
}
function check_ld_so_preload(){
if [ `cat /etc/ld.so.preload 2>/dev/null| grep -v libonion.so` ];then
echo "#ld_so_preload=1"
else
echo "#ld_so_preload=0"
fi
}
function check_cpu_high_usage(){
if [ -n `which bc 2>/dev/null` ];then
echo "#cpu_high_usage=0"
return
fi
##top, /proc/stat
top_cpu=`top -b -n 1 | grep "%Cpu(s):"`
cpu_idle=`echo $top_cpu | awk -F "," '{print $4}' | awk -F "id" '{print $1}'`
cpu_wa=`echo $top_cpu | awk -F "," '{print $5}' | awk -F "wa" '{print $1}'`
if [ `echo "100-$cpu_idle-$cpu_wa>90"|bc` -eq 1 ];then
echo "#cpu_high_usage=1"
else
echo "#cpu_high_usage=0"
fi
}
function check_mem_high_usage(){
if [ -n `which bc 2>/dev/null` ];then
echo "#mem_high_usage=0"
return
fi
cat /proc/meminfo > /tmp/diagnos_meminfo
MemTotal=`cat /tmp/diagnos_meminfo | grep MemTotal | awk '{print $2}'`
Free=`cat /tmp/diagnos_meminfo | grep MemFree | awk '{print $2}'`
Buffer=`cat /tmp/diagnos_meminfo | grep Buffer | awk '{print $2}'`
Cached=`cat /tmp/diagnos_meminfo | grep Cached | grep -iv swap | awk '{print $2}'`
SReclaimable=`cat /tmp/diagnos_meminfo | grep SReclaimable | awk '{print $2}'`
Shmem=`cat /tmp/diagnos_meminfo | grep "Shmem:" | awk '{print $2}'`
if [ `echo "($MemTotal-$Free-$Buffer-$Cached-$SReclaimable+$Shmem)*100.0/$MemTotal>90"|bc` -eq 1 ];then
echo "#mem_high_usage=1"
else
echo "#mem_high_usage=0"
fi
}
function check_disk_high_usage(){
for value in `df -h | grep -v sr0 | grep -v tmp | sed '1d' | awk '{print $(NF-1)}' | awk -F "%" '{print $1}'`;do
if [ $value -gt 95 ];then
echo "#disk_high_usage=1"
return
fi
done
echo "#disk_high_usage=0"
}
function check_inode_high_useage(){
for value in `df -i | grep -v sr0 | grep -v tmp | grep -v boot | sed '1d' | awk '{print $(NF-1)}' | awk -F "%" '{print $1}'`;do
if [ $value -gt 95 ];then
echo "#inode_high_usage=1"
return
fi
done
echo "#inode_high_usage=0"
}
function check_iptables_input_policy(){
if [ `iptables -nvL | grep -i "policy DROP" | grep INPUT` ];then
echo "#iptables_input_policy=1"
else
echo "#iptables_input_policy=0"
fi
}
function check_etc_fstab(){
if [ ! -f /etc/fstab ];then
echo "#etc_fstab=1"
return
fi
for dev in `cat /etc/fstab | grep -vE "^#" | awk '{print $1}'`;do
if [[ $dev =~ "=" ]];then
dev_uuid=`echo $dev | awk -F "=" '{print $2}'`
if [[ ! -n `blkid | grep $dev_uuid` ]];then
echo "#etc_fstab=1"
return
fi
fi
if [[ $dev =~ "/" ]];then
if [[ ! -n `blkid | grep $dev:` ]];then
##lvm /dev/vg/lv is link
if [ ! -L $dev ];then
echo "#etc_fstab=1"
return
fi
fi
fi
done
echo "#etc_fstab=0"
}
function main(){
##check start
echo "###sshd_config"
check_sshd_config
##check net sysctl
echo "###net"
check_net
##check limits
echo "###limits"
check_limits
##check oom
echo "###oom"
check_oom
##check selinux
echo "###selinux"
check_selinux
##check pid
echo "###pid"
check_pid_useup
##check cloud-init
echo "###cloud-init"
check_cloud_init
##check softlink
echo "###soft_link"
check_soft_link
##check hugepage
echo "###hugepage"
check_hugepage
##check ld_so_preload
echo "###ld_so_preload"
check_ld_so_preload
##check cpu usage
echo "###cpu_usage"
check_cpu_high_usage
##check mem usage
echo "###mem_usage"
check_mem_high_usage
##check disk_usage
echo "###disk_usage"
check_disk_high_usage
##check_inode_usage
echo "###inode_usage"
check_inode_high_useage
##check iptables
echo "###iptables"
check_iptables_input_policy
##check fstab
echo "###fstab"
check_etc_fstab
}
main "$@"
217
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
