#!/bin/bash
# -*- coding:utf-8 -*-
# @Time : 2021/11/25 10:24
# @Author: CharieSng
# @File : check.sh
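# Base directory holding the configuration files inspected below.
DIR="/etc"
# Major release number taken from the text after "release " in redhat-release
# (e.g. "7" from "release 7.9.2009"). Splitting on the first dot or space
# instead of keeping a single character keeps two-digit majors intact.
OS_V=$(awk -F 'release ' '{split($2, v, /[. ]/); print v[1]; exit}' "$DIR/redhat-release")
# Word size reported by getconf; not referenced again in the visible script.
OS_B=$(getconf LONG_BIT)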
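echo "################################################################################"
echo "正在查看/etc/login.defs..."
sleep 3

# Password-aging defaults from login.defs.
# NOTE(review): these are defaults for newly created accounts; the aging
# fields of existing accounts live in /etc/shadow and are not inspected
# here — confirm whether per-account values also need auditing.

#######################################
# Print the second field of every login.defs line whose first field is
# exactly the given key. Commented-out lines never match because their
# first field starts with '#'.
# Globals:   DIR (read)
# Arguments: $1 - key name, e.g. PASS_MAX_DAYS
# Outputs:   matching value(s), one per line, on stdout
#######################################
login_defs_value() {
  awk -v key="$1" '$1 == key {print $2}' "$DIR/login.defs"
}

#######################################
# Succeed only when the argument is one non-empty run of decimal digits.
# Empty, negative, non-numeric and multi-line values all fail, so a check
# built on this reports a finding instead of silently passing when the
# value cannot be compared.
# Arguments: $1 - candidate value
# Returns:   0 if $1 is an unsigned integer, 1 otherwise
#######################################
is_uint() {
  case $1 in
    '' | *[!0-9]*) return 1 ;;
    *) return 0 ;;
  esac
}

##PASS_MAX_DAYS
max=$(login_defs_value PASS_MAX_DAYS)
echo -n "最大期限:$max天"
# A value of -1 disables expiry, and duplicate or malformed entries cannot be
# compared; anything that is not a single integer <= 90 is reported.
if ! { is_uint "$max" && [ "$max" -le 90 ]; }; then
  echo -e ",建议小于等于\033[31m90\033[0m天\c"
fi
echo ""

##PASS_MIN_DAYS
min=$(login_defs_value PASS_MIN_DAYS)
echo -n "最小期限:$min天"
# NOTE(review): the author's baseline expects 0 here. A minimum age of 0 lets
# a user change passwords repeatedly in one sitting, which can defeat
# password-history rules — confirm this threshold against the baseline in use.
if ! { is_uint "$min" && [ "$min" -eq 0 ]; }; then
  echo -e ",建议等于\033[31m0\033[0m天\c"
fi
echo ""

##PASS_MIN_LEN
len=$(login_defs_value PASS_MIN_LEN)
echo -n "口令长度:$len位"
# NOTE(review): on PAM-based systems the enforced minimum length usually comes
# from the password-quality module (minlen) rather than PASS_MIN_LEN — confirm.
if ! { is_uint "$len" && [ "$len" -ge 8 ]; }; then
  echo -e ",建议大于等于\033[31m8\033[0m位\c"
fi
echo ""

##PASS_WARN_AGE
warn=$(login_defs_value PASS_WARN_AGE)
echo -n "警告天数:$warn天"
if ! { is_uint "$warn" && [ "$warn" -eq 7 ]; }; then
  echo -e ",建议等于\033[31m7\033[0m天\c"
fi
echo ""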
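echo "----------------------------------------"
echo "正在查看/etc/pam.d/system-auth..."
sleep 3

# Password-quality options read from the PAM stack.
# Comment lines are dropped first: a commented-out "minclass=3" or "retry=3"
# is not in effect and must not satisfy the check.
# NOTE(review): only options written on the system-auth lines are seen here.
# pam_pwquality can also take these settings from
# /etc/security/pwquality.conf, which this script does not read — confirm
# where the audited hosts keep them.

##minclass
class=$(grep -v '^[[:space:]]*#' "$DIR/pam.d/system-auth" \
  | grep minclass \
  | awk -F 'minclass=' '{print $2}' \
  | awk '{print $1}')
echo -n "密码复杂度:$class种"
# Pass only on a single integer >= 3; empty, duplicated or malformed values
# are reported rather than silently skipped.
class_ok=no
case $class in
  '' | *[!0-9]*) ;;
  *) [ "$class" -ge 3 ] && class_ok=yes ;;
esac
if [ "$class_ok" != yes ]; then
  echo -e ",建议大于等于\033[31m3\033[0m种\c"
fi
echo ""

##retry
try=$(grep -v '^[[:space:]]*#' "$DIR/pam.d/system-auth" \
  | grep retry \
  | awk -F 'retry=' '{print $2}' \
  | awk '{print $1}')
echo -n "密码重试次数:$try次"
# Pass only on a single integer <= 3.
try_ok=no
case $try in
  '' | *[!0-9]*) ;;
  *) [ "$try" -le 3 ] && try_ok=yes ;;
esac
if [ "$try_ok" != yes ]; then
  echo -e ",建议小于等于\033[31m3\033[0m次\c"
fi
echo ""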
echo "----------------------------------------"
echo "正在查看系统补丁..."
sleep 3

##patch
# Collect the second dash-separated field of every installed package whose
# name begins with "patch".
# NOTE(review): this reports the version of the package(s) named patch*, i.e.
# whether that package is installed. It does not show whether pending
# security updates have been applied to the host — confirm what this item is
# meant to audit before relying on its result.
patch=$(rpm -qa | grep '^patch' | awk -F '-' '{print $2}')
if [ -n "$patch" ]; then
  echo -n "系统补丁版本:$patch"
else
  echo -e "\033[31m未\033[0m安装系统补丁\c"
fi
echo ""
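echo "----------------------------------------"
echo "正在查看用户/etc/shadow..."
sleep 3

##shadow
# List accounts whose password field in shadow is empty (no password needed).
# The file is normally readable by root only. If it cannot be read, awk
# yields nothing, which would otherwise be reported as "no empty-password
# users"; report the unreadable file instead so the check cannot pass by
# accident.
if [ ! -r "$DIR/shadow" ]; then
  user=""
  echo -e "\033[31m无法\033[0m读取$DIR/shadow,请以root权限运行\c"
else
  user=$(awk -F: '($2 == "") {print $1}' "$DIR/shadow")
  if [ -n "$user" ]; then
    echo -e "存在\033[31m空\033[0m密码用户:"
    echo -n "$user"
  else
    echo -n "不存在空密码用户"
  fi
fi
echo ""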
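echo "----------------------------------------"
echo "正在查看用户/etc/passwd..."
sleep 3

##passwd
# List every UID-0 account other than root itself.
# The exclusion is an exact match on the login name. Filtering the result
# with a substring match on "root" would also hide any other UID-0 account
# whose name merely contains that text, which is exactly what this check is
# meant to surface.
pass=$(awk -F: '($3 == 0 && $1 != "root") { print $1 }' "$DIR/passwd")
if [ -n "$pass" ]; then
  echo -e "存在具有\033[31mroot\033[0m权限帐号:"
  echo -n "$pass"
else
  echo -n "不存在具有root权限帐号"
fi
echo ""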
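echo "----------------------------------------"
echo "正在查看文件共享..."
sleep 3

##samba
# Decide from rpm's exit status whether the samba package is installed.
# Matching the English text "not installed" breaks under a non-English
# locale, where the message is translated and an absent package would be
# reported as present.
# NOTE(review): an installed package does not show that the service is
# running or enabled; the messages below speak of sharing being on/off —
# confirm whether service state should be checked as well.
if samba=$(rpm -q samba 2>/dev/null); then
  echo -e "建议\033[31m关闭\033[0msamba文件共享\c"
else
  # Keep the variable empty when the package is absent, as before.
  samba=""
  echo -n "未开启samba文件共享"
fi
echo ""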
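echo "----------------------------------------"
echo "正在查看服务..."
sleep 3

##systemctl
# Collect the running services into $service; the audit and log checks that
# follow search this text.
# String comparison avoids a test error when OS_V is empty or non-numeric;
# in that case the systemd branch is used, as before.
if [ "$OS_V" = "6" ]; then
  # SysV status text is localized, so accept the English wording as well as
  # the Chinese one; otherwise no service is seen on an English-locale host.
  service=$(service --status-all | grep -E "正在运行|is running")
else
  service=$(systemctl list-units | grep "running")
fi
echo -n "$service"
echo ""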
echo "----------------------------------------"
echo "正在查看审计服务..."
sleep 3

##auditd
# Search the running-service list gathered earlier ($service) for auditd.
# NOTE(review): this is a substring match on the listing text, so any running
# line that mentions "auditd" counts as the audit service being on.
audit=$(grep auditd <<<"$service")
if [ -n "$audit" ]; then
  echo -n "审计服务已开启"
else
  echo -e "审计服务已\033[31m关闭\033[0m\c"
fi
echo ""
echo "----------------------------------------"
echo "正在查看日志服务..."
sleep 3

##rsyslog
# Search the running-service list gathered earlier ($service) for rsyslog.
# NOTE(review): substring match on the listing text; any running line that
# mentions "rsyslog" counts as the log service being on.
syslog=$(grep rsyslog <<<"$service")
if [ -n "$syslog" ]; then
  echo -n "日志服务已开启"
else
  echo -e "日志服务已\033[31m关闭\033[0m\c"
fi
echo ""
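echo "----------------------------------------"
echo "正在查看日志策略/etc/logrotate.conf..."
sleep 3

##logrotate
# Rotation period: the line following the comment that contains
# "rotate log files". Backup count: second field of the line following the
# comment that contains "backlogs".
# NOTE(review): both lookups depend on those comments being present in
# logrotate.conf, and per-log overrides elsewhere in the configuration are
# not evaluated.
logrotate=$(awk '/rotate log files/{getline;print}' "$DIR/logrotate.conf")
backlog=$(awk '/backlogs/{getline;print $2}' "$DIR/logrotate.conf")

# Map the period keyword to a display unit and a length in days. day stays
# empty for anything unrecognized so the failure is reported below.
day=""
case $logrotate in
  daily)
    logrotate='天'
    day=1
    ;;
  weekly)
    logrotate='周'
    day=7
    ;;
  monthly)
    logrotate='月'
    day=30
    ;;
  yearly)
    logrotate='年'
    day=365
    ;;
esac

# The backup count must be a plain unsigned integer before it is used in
# arithmetic.
backlog_ok=yes
case $backlog in
  '' | *[!0-9]*) backlog_ok=no ;;
esac

if [ -n "$day" ] && [ "$backlog_ok" = yes ]; then
  # 10# forces base 10 so a count written with a leading zero is not read
  # as octal.
  keep_days=$((day * 10#$backlog))
  echo "日志按$logrotate转储,保留$backlog个备份,保存${keep_days}天"
  if [ "$keep_days" -lt 180 ]; then
    echo -e "建议大于等于\033[31m180\033[0m天\c"
  fi
else
  # Previously an unparsed value made the arithmetic fail and the retention
  # warning was skipped; report it as needing manual review instead.
  echo -e "\033[31m无法\033[0m解析$DIR/logrotate.conf中的转储周期或备份数量,请人工检查\c"
fi
echo ""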
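echo "----------------------------------------"
echo "正在查看日志权限..."
sleep 3

##permission
#######################################
# Succeed when at least one regular file with exactly the given name exists
# under /var/log/ and every such file has mode 600.
# Matching on the exact file name keeps rotated copies (different names) from
# satisfying the check on behalf of the live log, and reading the mode from
# find avoids parsing ls output.
# Arguments: $1 - file name to look for, e.g. messages
# Returns:   0 if found and all matches are mode 600, 1 otherwise
#######################################
log_mode_is_600() {
  local modes
  # -printf '%m' prints the permission bits in octal, one file per line.
  modes=$(find /var/log/ -type f -name "$1" -printf '%m\n')
  # Fail when nothing was found, or when any line is not exactly "600".
  [ -n "$modes" ] && ! grep -qvx '600' <<<"$modes"
}

if log_mode_is_600 messages; then
  echo -n "messages日志权限为600"
else
  echo -e "messages日志权限\033[31m非\033[0m600\c"
fi
echo ""
if log_mode_is_600 secure; then
  echo -n "secure日志权限为600"
else
  echo -e "secure日志权限\033[31m非\033[0m600\c"
fi
echo ""
if log_mode_is_600 audit.log; then
  echo -n "audit日志权限为600"
else
  echo -e "audit日志权限\033[31m非\033[0m600\c"
fi
echo ""
echo "################################################################################"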