2025-01-17 update. From: SLTechnology News&Howtos > Network Security
Shulou (Shulou.com) 06/01 Report
```bash
#!/bin/bash
# version 1.1 20190505
# author by (jxwpx)
# Linux security baseline check; every verdict is appended to /tmp/<ip>_checkResult.txt
# (legacy ifconfig output is assumed for the "Bcast" line; the host name is the fallback)
ipadd=$(ifconfig -a 2>/dev/null | grep Bcast | awk -F "[ :]+" '{print $4}' | tr "\n" "_")
[ -z "$ipadd" ] && ipadd=$(hostname)
result="/tmp/${ipadd}_checkResult.txt"
user_id=$(whoami)
echo "current scan user: ${user_id}" > "$result"
scanner_time=$(date '+%Y-%m-%d %H:%M:%S')
echo "current scan time: ${scanner_time}" >> "$result"
echo ""
echo "account policy checking..."
echo ""
# No.: GOOANN-Linux-02-01-01
# Item: account and password - user password settings
# qualified: Y; unqualified: N
# non-conforming places:
passmax=$(grep PASS_MAX_DAYS /etc/login.defs | grep -v '^#' | awk '{print $2}')
passmin=$(grep PASS_MIN_DAYS /etc/login.defs | grep -v '^#' | awk '{print $2}')
passlen=$(grep PASS_MIN_LEN /etc/login.defs | grep -v '^#' | awk '{print $2}')
passage=$(grep PASS_WARN_AGE /etc/login.defs | grep -v '^#' | awk '{print $2}')
# a missing setting is treated as 0 so the numeric tests below never see an empty string
passmax=${passmax:-0}; passmin=${passmin:-0}; passlen=${passlen:-0}; passage=${passage:-0}
echo "GOOANN-Linux-02-01-01:" >> "$result"
if [ "$passmax" -le 90 -a "$passmax" -gt 0 ]; then
    echo "Y: password lifetime is ${passmax} days, which meets the requirements" >> "$result"
else
    echo "N: password lifetime is ${passmax} days, which does not meet the requirement. It is recommended to set it to less than 90 days" >> "$result"
fi
if [ "$passmin" -ge 6 ]; then
    echo "Y: the minimum interval between password changes is ${passmin} days, which meets the requirements" >> "$result"
else
    echo "N: the minimum interval between password changes is ${passmin} days, which does not meet the requirement. It is recommended to set it to 6 days or more" >> "$result"
fi
if [ "$passlen" -ge 8 ]; then
    echo "Y: the minimum password length is ${passlen}, which meets the requirements" >> "$result"
else
    echo "N: the minimum password length is ${passlen}, which does not meet the requirement. It is recommended to set it to 8 or more" >> "$result"
fi
if [ "$passage" -ge 30 -a "$passage" -lt "$passmax" ]; then
    echo "Y: the password expiration warning period is ${passage} days, which meets the requirements" >> "$result"
else
    echo "N: the password expiration warning period is ${passage} days, which does not meet the requirements. It is recommended to set a value of 30 or more and less than the password lifetime" >> "$result"
fi
echo ""
echo "checking whether idle accounts are logged out automatically..."
echo ""
# $? after "var=$(... | awk ...)" is awk's exit status (always 0), so the value itself is tested
checkTimeout=$(grep -v '^#' /etc/profile | grep 'TMOUT=' | awk -F '=' '{print $2}' | head -n 1)
if [ -n "$checkTimeout" ]; then
    tmout=$checkTimeout
    if [ "$tmout" -le 600 -a "$tmout" -ge 10 ]; then
        echo "Y: account timeout is ${tmout} seconds, which meets the requirements" >> "$result"
    else
        echo "N: account timeout is ${tmout} seconds, which does not meet the requirements. It is recommended to set it to 600s or less" >> "$result"
    fi
else
    echo "N: no automatic logout timeout is set for accounts, which does not meet the requirements. It is recommended to set TMOUT to 600s or less" >> "$result"
fi
# No.: GOOANN-Linux-02-01-02
# Item: account and password - remote login restriction for the root user
# qualified: Y; unqualified: N
# non-conforming places:
echo ""
echo "checking whether root can log in remotely..."
echo ""
echo "GOOANN-Linux-02-01-02:" >> "$result"
remoteLogin=$(grep -v '^#' /etc/ssh/sshd_config 2>/dev/null | grep -E '^[[:space:]]*PermitRootLogin[[:space:]]+no')
if [ -n "$remoteLogin" ]; then
    echo "Y: remote root login has been disabled, which meets the requirements" >> "$result"
else
    echo "N: remote root login is allowed, which does not meet the requirements. It is recommended to add PermitRootLogin no to /etc/ssh/sshd_config" >> "$result"
fi
# No.: GOOANN-Linux-02-01-03
# Item: account and password - check for users other than root with UID 0
# qualified: Y; unqualified: N
# non-conforming places:
# list non-root accounts whose UID is 0 (the original loop reported Y whenever any non-zero UID existed)
echo "GOOANN-Linux-02-01-03:" >> "$result"
uid0=$(awk -F ':' '$1 != "root" && $3 == 0 {print $1}' /etc/passwd)
if [ -n "$uid0" ]; then
    echo "N: non-root account(s) with UID 0 exist: ${uid0}, which does not meet the requirements" >> "$result"
else
    echo "Y: no non-root account has UID 0, which meets the requirements" >> "$result"
fi
# No.: GOOANN-Linux-02-01-04
# Item: account and password - check whether the telnet service is enabled
# qualified: Y; unqualified: N
# non-conforming places:
# xinetd records "disable = yes" when telnet is switched off
echo "GOOANN-Linux-02-01-04:" >> "$result"
if [ -f /etc/xinetd.d/telnet ]; then
    telnetd=$(grep disable /etc/xinetd.d/telnet | awk '{print $3}')
    if [ "$telnetd"x = "yes"x ]; then
        echo "Y: telnet service is disabled, which meets the requirements" >> "$result"
    else
        echo "N: telnet service is enabled, which does not meet the requirements. It is recommended to disable telnet" >> "$result"
    fi
else
    echo "Y: no telnet service is configured under xinetd, which meets the requirements" >> "$result"
fi
# No.: GOOANN-Linux-02-01-05
# Item: account and password - security of the root user's environment variables
# qualified: Y; unqualified: N
# non-conforming places:
# check whether any directory under PATH has permission 777
echo "GOOANN-Linux-02-01-05:" >> "$result"
dirPri=$(find $(echo "$PATH" | tr ':' ' ') -type d \( -perm -0777 \) 2>/dev/null)
if [ -z "$dirPri" ]; then
    echo "Y: no directory under PATH has permission 777, which meets the requirements" >> "$result"
else
    echo "N: directory ${dirPri} has permission 777, which does not meet the requirements" >> "$result"
fi
# No.: GOOANN-Linux-02-01-06
# Item: account and password - security configuration of remote connections
# qualified: Y; unqualified: N
# non-conforming places:
echo "GOOANN-Linux-02-01-06:" >> "$result"
fileNetrc=$(find / -xdev -mount -name .netrc -print 2>/dev/null)
if [ -z "${fileNetrc}" ]; then
    echo "Y: no .netrc file exists, which meets the requirements" >> "$result"
else
    echo "N: .netrc file(s) exist: ${fileNetrc}, which does not meet the requirements" >> "$result"
fi
fileRhosts=$(find / -xdev -mount -name .rhosts -print 2>/dev/null)
if [ -z "$fileRhosts" ]; then
    echo "Y: no .rhosts file exists, which meets the requirements" >> "$result"
else
    echo "N: .rhosts file(s) exist: ${fileRhosts}, which does not meet the requirements" >> "$result"
fi
# No.: GOOANN-Linux-02-01-07
# Item: account and password - security configuration of the user umask
# qualified: Y; unqualified: N
# non-conforming places:
# check umask settings; the same test is applied to each shell start-up file
echo "GOOANN-Linux-02-01-07:" >> "$result"
check_umask() {
    # $1 = file inspected, $2 = umask values found in it (whitespace separated)
    local file=$1 values=$2 i flags=0
    if [ -z "$values" ]; then
        echo "N: no umask is set in ${file}, which does not meet the requirements. It is recommended to set it to 027" >> "$result"
        return
    fi
    for i in $values
    do
        if [ "$i" != "027" ]; then
            echo "N: the umask set in ${file} is ${i}, which does not meet the requirements. It is recommended to set it to 027" >> "$result"
            flags=1
            break
        fi
    done
    if [ "$flags" -eq 0 ]; then
        echo "Y: the umask set in ${file} is ${i}, which meets the requirements" >> "$result"
    fi
}
umask1=$(grep umask /etc/profile 2>/dev/null | grep -v '^#' | awk '{print $2}')
umask2=$(grep umask /etc/csh.cshrc 2>/dev/null | grep -v '^#' | awk '{print $2}')
# as in the original script, the first umask line of /etc/bashrc is skipped
umask3=$(grep umask /etc/bashrc 2>/dev/null | grep -v '^#' | awk 'NR!=1 {print $2}')
check_umask /etc/profile "$umask1"
check_umask /etc/csh.cshrc "$umask2"
check_umask /etc/bashrc "$umask3"
# No.: GOOANN-Linux-02-01-08
# Item: account and password - check whether the grub and lilo passwords are set
# qualified: Y; unqualified: N
# non-conforming places:
echo "GOOANN-Linux-02-01-08:" >> "$result"
grubfile=$(grep password /etc/grub.conf 2>/dev/null)
if [ -n "$grubfile" ]; then
    echo "Y: a grub password has been set, which meets the requirements" >> "$result"
else
    echo "N: no grub password is set, which does not meet the requirements. It is recommended to set a grub password" >> "$result"
fi
lilo=$(grep password /etc/lilo.conf 2>/dev/null)
if [ -n "$lilo" ]; then
    echo "Y: a lilo password has been set, which meets the requirements" >> "$result"
else
    echo "N: no lilo password is set, which does not meet the requirements. It is recommended to set a lilo password" >> "$result"
fi
# No.: GOOANN-Linux-02-02-01
# Item: file system - permission settings for important directories and files
# qualified: Y; unqualified: N
# non-conforming places:
echo "GOOANN-Linux-02-02-01:" >> "$result"
echo ""
echo "checking important file permissions..."
echo ""
# octal mode of a file, empty when it does not exist; stat avoids the SELinux "." that ls -l appends
perm_of() { stat -c '%a' "$1" 2>/dev/null; }
file1=$(perm_of /etc/passwd)
file2=$(perm_of /etc/shadow)
file3=$(perm_of /etc/group)
file4=$(perm_of /etc/securetty)
file5=$(perm_of /etc/services)
file6=$(perm_of /etc/xinetd.conf)
file7=$(perm_of /etc/grub.conf)
file8=$(perm_of /etc/lilo.conf)
# files whose permission must be 400
if [ "$file2" = "400" ]; then
    echo "Y: /etc/shadow permission is 400, which meets the requirements" >> "$result"
else
    echo "N: /etc/shadow permission is ${file2:-unset}, which does not meet the requirement. It is recommended to set it to 400" >> "$result"
fi
# files whose permission must be 600
if [ "$file4" = "600" ]; then
    echo "Y: /etc/securetty permission is 600, which meets the requirements" >> "$result"
else
    echo "N: /etc/securetty permission is ${file4:-unset}, which does not meet the requirement. It is recommended to set it to 600" >> "$result"
fi
if [ "$file6" = "600" ]; then
    echo "Y: /etc/xinetd.conf permission is 600, which meets the requirements" >> "$result"
else
    echo "N: /etc/xinetd.conf permission is ${file6:-unset}, which does not meet the requirement. It is recommended to set it to 600" >> "$result"
fi
if [ "$file7" = "600" ]; then
    echo "Y: /etc/grub.conf permission is 600, which meets the requirements" >> "$result"
else
    echo "N: /etc/grub.conf permission is ${file7:-unset}, which does not meet the requirement. It is recommended to set it to 600" >> "$result"
fi
if [ -f /etc/lilo.conf ]; then
    if [ "$file8" = "600" ]; then
        echo "Y: /etc/lilo.conf permission is 600, which meets the requirements" >> "$result"
    else
        echo "N: /etc/lilo.conf permission is ${file8}, which does not meet the requirement. It is recommended to set it to 600" >> "$result"
    fi
else
    echo "N: /etc/lilo.conf does not exist" >> "$result"
fi
# files whose permission must be 644
if [ "$file1" = "644" ]; then
    echo "Y: /etc/passwd permission is 644, which meets the requirements" >> "$result"
else
    echo "N: /etc/passwd permission is ${file1:-unset}, not 644, which does not meet the requirements. It is recommended to set it to 644" >> "$result"
fi
if [ "$file5" = "644" ]; then
    echo "Y: /etc/services permission is 644, which meets the requirements" >> "$result"
else
    echo "N: /etc/services permission is ${file5:-unset}, not 644, which does not meet the requirements. It is recommended to set it to 644" >> "$result"
fi
if [ "$file3" = "644" ]; then
    echo "Y: /etc/group permission is 644, which meets the requirements" >> "$result"
else
    echo "N: /etc/group permission is ${file3:-unset}, not 644, which does not meet the requirements. It is recommended to set it to 644" >> "$result"
fi
# No.: GOOANN-Linux-02-02-02
# Item: file system - find unauthorized SUID/SGID files
# qualified: Y; unqualified: N; check: C
# non-conforming places:
echo "GOOANN-Linux-02-02-02:" >> "$result"
unauthorizedfile=$(find / \( -perm -04000 -o -perm -02000 \) -type f 2>/dev/null)
echo "C: the following files have SUID/SGID set, please check whether they are authorized: ${unauthorizedfile}" >> "$result"
# No.: GOOANN-Linux-02-02-03
# Item: file system - check for directories that anyone can write to
# qualified: Y; unqualified: N; check: C
# non-conforming places:
echo "GOOANN-Linux-02-02-03:" >> "$result"
checkWriteDre=$(find / -xdev -mount -type d \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null)
if [ -z "${checkWriteDre}" ]; then
    echo "Y: there is no directory that anyone can write to, which meets the requirements" >> "$result"
else
    echo "N: the directory ${checkWriteDre} can be written to by anyone, which does not meet the requirements" >> "$result"
fi
# No.: GOOANN-Linux-02-02-04
# Item: file system - check for files that anyone can write to
# qualified: Y; unqualified: N; check: C
# non-conforming places:
echo "GOOANN-Linux-02-02-04:" >> "$result"
checkWriteFile=$(find / -xdev -mount -type f \( -perm -0002 -a ! -perm -1000 \) 2>/dev/null)
if [ -z "${checkWriteFile}" ]; then
    echo "Y: there is no file that anyone can write to, which meets the requirements" >> "$result"
else
    echo "N: the file ${checkWriteFile} can be written to by anyone, which does not meet the requirements" >> "$result"
fi
# No.: GOOANN-Linux-02-02-05
# Item: file system - check for abnormal hidden files
# qualified: Y; unqualified: N; check: C
# non-conforming places:
# names made only of dots are a common way to hide a directory in a listing
echo "GOOANN-Linux-02-02-05:" >> "$result"
hideFile=$(find / -xdev -mount \( -name ".." -o -name "..." \) 2>/dev/null)
if [ -z "${hideFile}" ]; then
    echo "Y: no abnormal hidden files exist, which meets the requirements" >> "$result"
else
    echo "N: ${hideFile} is a hidden file. It is recommended to review it" >> "$result"
fi
# No.: GOOANN-Linux-03-01-01
# Item: log audit - syslog login event records
# qualified: Y; unqualified: N; check: C
# non-conforming places:
echo "GOOANN-Linux-03-01-01:" >> "$result"
recodeFile=$(cat /etc/syslog.conf 2>/dev/null)
if [ -n "${recodeFile}" ]; then
    logFile=$(grep -v '^#' /etc/syslog.conf | grep 'authpriv\.')
    if [ -n "${logFile}" ]; then
        echo "Y: a log file is configured for authpriv messages, which meets the requirements" >> "$result"
    else
        echo "N: no log file is configured for authpriv messages, which does not meet the requirements" >> "$result"
    fi
else
    echo "N: /etc/syslog.conf does not exist, which does not meet the requirements. It is recommended to log all login events" >> "$result"
fi
# No.: GOOANN-Linux-03-01-02
# Item: system files - check whether log auditing is enabled
# qualified: Y; unqualified: N; check: C
echo "GOOANN-Linux-03-01-02:" >> "$result"
auditdStatus=$(service auditd status 2>/dev/null)
# save the exit status before any test overwrites $?
rc=$?
if [ "$rc" -eq 0 ]; then
    echo "Y: the auditd audit function is enabled, which meets the requirements" >> "$result"
elif [ "$rc" -eq 3 ]; then
    echo "N: the auditd audit function is stopped, which does not meet the requirements. It is recommended to enable it with: service auditd start" >> "$result"
else
    echo "N: the auditd status could not be determined (exit code ${rc}), which does not meet the requirements" >> "$result"
fi
# No.: GOOANN-Linux-04-01-01
# Item: system files - system core dump status
# qualified: Y; unqualified: N; check: C
echo "GOOANN-Linux-04-01-01:" >> "$result"
limitsFile=$(grep -v '^#' /etc/security/limits.conf 2>/dev/null | grep core)
if [ -n "$limitsFile" ]; then
    # one "<type>:<value>" entry per core line, e.g. "soft:0"
    soft=$(grep -v '^#' /etc/security/limits.conf | awk '$3 == "core" {print $2 ":" $4}')
    for i in $soft
    do
        case "$i" in
            soft:0) echo "Y: soft core 0 has been set" >> "$result" ;;
            hard:0) echo "Y: hard core 0 has been set" >> "$result" ;;
            *)      echo "N: ${i%%:*} core is set to ${i#*:} instead of 0" >> "$result" ;;
        esac
    done
else
    echo "N: core is not set. It is recommended to add \"* soft core 0\" and \"* hard core 0\" to /etc/security/limits.conf" >> "$result"
fi
# No.: GOOANN-Linux-04-01-02
# Item: system files - check for disk usage of 80% or more
# qualified: Y; unqualified: N; check: C
#
echo "GOOANN-Linux-04-01-02:" >> "$result"
# -P keeps each file system on one line; "<use%>:<mount point>" per line
space=$(df -P | awk -F "[ %]+" 'NR!=1 {print $5 ":" $6}')
for i in $space
do
    pct=${i%%:*}
    # skip entries whose usage is not a number (for example "-" on pseudo file systems)
    case "$pct" in ''|*[!0-9]*) continue ;; esac
    if [ "$pct" -ge 80 ]; then
        echo "C: warning! disk usage of ${i#*:} is ${pct}%, 80% or more. It is recommended to expand disk capacity or delete junk files" >> "$result"
    fi
done
```
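The password-policy check (GOOANN-Linux-02-01-01) is the part of the script most likely to misbehave on a host whose login.defs differs from the author's, so here it is rewritten as shell functions that take the path of a login.defs-style file. This is an added example, not code from the original script: `login_defs_value`, `check_pass_policy`, `pass_policy_failures`, `SAMPLE_OK` and `SAMPLE_BAD` are names chosen here, and the two excerpts are constructed so the functions can be exercised without reading the live /etc/login.defs. It also shows how to avoid two pitfalls in the original: testing `$?` after an assignment from a pipeline that ends in awk (always 0), and handing an empty string to `-le`.

```shell
#!/bin/sh
# Added example (not part of the original script): the GOOANN-Linux-02-01-01
# password-policy rules as functions over a login.defs-style file.

# Read one key from a login.defs-style file: comment lines are skipped, the
# second whitespace-separated field of the first match is returned, and an
# absent key yields 0 so callers never compare an empty string numerically.
login_defs_value() {
    local file=$1 key=$2 val
    val=$(grep -v '^[[:space:]]*#' "$file" 2>/dev/null \
          | awk -v k="$key" '$1 == k { print $2; exit }')
    printf '%s\n' "${val:-0}"
}

# Print one "Y:"/"N:" verdict line per rule, using the script's thresholds.
check_pass_policy() {
    local file=$1 passmax passmin passlen passage
    passmax=$(login_defs_value "$file" PASS_MAX_DAYS)
    passmin=$(login_defs_value "$file" PASS_MIN_DAYS)
    passlen=$(login_defs_value "$file" PASS_MIN_LEN)
    passage=$(login_defs_value "$file" PASS_WARN_AGE)

    if [ "$passmax" -le 90 ] && [ "$passmax" -gt 0 ]; then
        echo "Y: PASS_MAX_DAYS=$passmax"
    else
        echo "N: PASS_MAX_DAYS=$passmax (expected 1..90)"
    fi
    if [ "$passmin" -ge 6 ]; then
        echo "Y: PASS_MIN_DAYS=$passmin"
    else
        echo "N: PASS_MIN_DAYS=$passmin (expected >= 6)"
    fi
    if [ "$passlen" -ge 8 ]; then
        echo "Y: PASS_MIN_LEN=$passlen"
    else
        echo "N: PASS_MIN_LEN=$passlen (expected >= 8)"
    fi
    if [ "$passage" -ge 30 ] && [ "$passage" -lt "$passmax" ]; then
        echo "Y: PASS_WARN_AGE=$passage"
    else
        echo "N: PASS_WARN_AGE=$passage (expected >= 30 and < PASS_MAX_DAYS)"
    fi
}

# Number of failing rules (0 means the file is compliant); awk is used for the
# count because "grep -c" exits non-zero when it counts nothing.
pass_policy_failures() {
    check_pass_policy "$1" | awk '/^N:/ { n++ } END { print n + 0 }'
}

# Constructed sample inputs (not real system files).
SAMPLE_OK=$(mktemp)
SAMPLE_BAD=$(mktemp)
trap 'rm -f "$SAMPLE_OK" "$SAMPLE_BAD"' EXIT
cat > "$SAMPLE_OK" <<'EOF'
# constructed login.defs excerpt: compliant with the baseline
PASS_MAX_DAYS   90
PASS_MIN_DAYS   7
PASS_MIN_LEN    8
PASS_WARN_AGE   30
EOF
cat > "$SAMPLE_BAD" <<'EOF'
# constructed login.defs excerpt: typical distribution defaults
#PASS_MAX_DAYS  90
PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_MIN_LEN    5
EOF

echo "== compliant sample =="
check_pass_policy "$SAMPLE_OK"
echo "== default sample: $(pass_policy_failures "$SAMPLE_BAD") failing rule(s) =="
check_pass_policy "$SAMPLE_BAD"
```

Pointing `check_pass_policy` at `/etc/login.defs` reproduces the verdicts the audit script writes; the commented `#PASS_MAX_DAYS` line in the second sample is there to show that the comment filter runs before the key match, which is why the original's `grep -v '^#'` matters.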
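The result file the script appends to has a regular shape: a header line such as `GOOANN-Linux-02-01-02:` introduces each control, and the lines that follow start with `Y:`, `N:` or `C:`. When the script is run across many hosts, the first thing a reviewer wants is a per-control tally and the list of failing controls, so here is an awk-based summariser for that format. This is an added example, not part of the original script: `verdict_counts`, `failing_controls` and `SAMPLE_REPORT` are names chosen here, and the embedded report is constructed in the script's output format rather than captured from a real host.

```shell
#!/bin/sh
# Added example (not part of the original script): summarise a checkResult.txt
# written by the audit script. Lines before the first "GOOANN-...:" header
# (scan user, scan time) carry no verdict and are ignored.

# Constructed sample report in the audit script's output format.
SAMPLE_REPORT=$(mktemp)
trap 'rm -f "$SAMPLE_REPORT"' EXIT
cat > "$SAMPLE_REPORT" <<'EOF'
current scan user: root
current scan time: 2019-05-05 10:00:00
GOOANN-Linux-02-01-01:
Y: password lifetime is 90 days, which meets the requirements
N: the minimum interval between password changes is 0 days, which does not meet the requirement
GOOANN-Linux-02-01-02:
Y: remote root login has been disabled, which meets the requirements
GOOANN-Linux-02-02-02:
C: the following files have SUID/SGID set, please check whether they are authorized: /usr/bin/passwd
EOF

# Print "control<TAB>Y<TAB>N<TAB>C" (verdict counts) for every control, in the
# order the controls first appear in the report.
verdict_counts() {
    awk '
        /^GOOANN-[A-Za-z0-9-]+:$/ {
            id = substr($0, 1, length($0) - 1)      # strip the trailing colon
            if (!(id in seen)) { seen[id] = 1; order[++n] = id }
            next
        }
        id != "" && /^[YNC]:/ { count[id, substr($0, 1, 1)]++ }
        END {
            for (i = 1; i <= n; i++) {
                c = order[i]
                printf "%s\t%d\t%d\t%d\n", c, count[c, "Y"], count[c, "N"], count[c, "C"]
            }
        }' "$1"
}

# Print only the ids of controls that recorded at least one "N:" verdict.
failing_controls() {
    verdict_counts "$1" | awk -F '\t' '$3 > 0 { print $1 }'
}

echo "control                 Y  N  C"
verdict_counts "$SAMPLE_REPORT"
echo "failing controls:"
failing_controls "$SAMPLE_REPORT"
```

Because `verdict_counts` keys on the header line the script itself writes, it works unchanged on real `/tmp/<ip>_checkResult.txt` files; the `C:` column separates items that need a human decision (such as the SUID/SGID list) from outright failures.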