I saw some Linux baseline check scripts shared online, but some of the check items do not fit my needs, or the checks are not thorough enough,
so I plan to rewrite one according to my own requirements; the script's check coverage is still being extended.
Script contents:
#!/bin/bash
# Linux security baseline check: each finding is appended to ./out.txt and the file is printed at the end.
cat <<EOF
*************************************************************************
linux安全配置檢查腳本:
1. 輸出結果也可以在當前目錄的out.txt中查看
2. 檢查范圍:
   -》賬號策略檢查
   -》賬號注銷檢查
   -》GRUB密碼檢查
   -》LILO密碼檢查
*************************************************************************
EOF

rm -f ./out.txt

echo -e "\n"
echo "[1] 賬號策略檢查中..."
# Password-ageing settings from /etc/login.defs: commented lines are skipped and the last
# definition of a key wins. A missing key falls back to the shadow-suite default so that
# the numeric tests below never see an empty string.
passmax=$(awk '$1=="PASS_MAX_DAYS" {v=$2} END {print v}' /etc/login.defs)
passmin=$(awk '$1=="PASS_MIN_DAYS" {v=$2} END {print v}' /etc/login.defs)
passlen=$(awk '$1=="PASS_MIN_LEN"  {v=$2} END {print v}' /etc/login.defs)
passage=$(awk '$1=="PASS_WARN_AGE" {v=$2} END {print v}' /etc/login.defs)
passmax=${passmax:-99999}
passmin=${passmin:-0}
passlen=${passlen:-5}
passage=${passage:-7}
if [ "$passmax" -le 90 ] && [ "$passmax" -gt 0 ]; then
    echo " [ √ ] 口令生存周期為${passmax}天,符合要求" >> out.txt
else
    echo " [ X ] 口令生存周期為${passmax}天,不符合要求,建議設置不大於90天" >> out.txt
fi
if [ "$passmin" -ge 6 ]; then
    echo " [ √ ] 口令更改最小時間間隔為${passmin}天,符合要求" >> out.txt
else
    echo " [ X ] 口令更改最小時間間隔為${passmin}天,不符合要求,建議設置大於等於6天" >> out.txt
fi
if [ "$passlen" -ge 8 ]; then
    echo " [ √ ] 口令最小長度為${passlen},符合要求" >> out.txt
else
    echo " [ X ] 口令最小長度為${passlen},不符合要求,建議設置最小長度大於等於8" >> out.txt
fi
if [ "$passage" -ge 30 ] && [ "$passage" -lt "$passmax" ]; then
    echo " [ √ ] 口令過期警告時間天數為${passage},符合要求" >> out.txt
else
    echo " [ X ] 口令過期警告時間天數為${passage},不符合要求,建議設置大於等於30並小於口令生存周期" >> out.txt
fi
echo "..."
echo 'check over'

echo -e "\n"
echo "[2] 賬號注銷檢查中..."
# Idle-logout timeout from /etc/profile: commented-out lines are ignored, an optional
# "export " prefix is accepted, trailing text such as "; export TMOUT" is dropped and the
# last definition wins. The value is kept in a lowercase variable because TMOUT itself is
# special to bash.
tmout=$(sed -nE 's/^[[:space:]]*(export[[:space:]]+)?TMOUT=([0-9]+).*/\2/p' /etc/profile | tail -n 1)
if [ -z "$tmout" ]; then
    echo " [ X ] 賬號超時不存在自動注銷,不符合要求,建議設置小於600秒" >> out.txt
elif [ "$tmout" -le 600 ] && [ "$tmout" -ge 10 ]; then
    echo " [ √ ] 賬號超時時間${tmout}秒,符合要求" >> out.txt
else
    echo " [ X ] 賬號超時時間${tmout}秒,不符合要求,建議設置小於600秒" >> out.txt
fi
echo "..."
echo 'check over'

echo -e "\n"
echo "[3] GRUB密碼檢查中..."
# Legacy GRUB: look for an uncommented "password" line in /etc/grub.conf. The error from a
# missing file is silenced (the original redirect only covered grep), and a missing file is
# still reported as "no grub password", as before.
if grep -v '^#' /etc/grub.conf 2>/dev/null | grep -q password; then
    echo " [ √ ] 已設置grub密碼,符合要求" >> out.txt
else
    echo " [ X ] 沒有設置grub密碼,不符合要求,建議設置grub密碼" >> out.txt
fi
echo "..."
echo "check over"

echo -e "\n"
echo "[4] LILO密碼檢查中..."
if [ ! -f /etc/lilo.conf ]; then
    echo " [ √ ] lilo.conf配置文件不存在,系統可能不是通過LILO引導" >> out.txt
elif grep -v '^#' /etc/lilo.conf | grep -q password; then
    echo " [ √ ] 已設置lilo密碼,符合要求" >> out.txt
else
    echo " [ X ] 沒有設置lilo密碼,不符合要求,建議設置lilo密碼" >> out.txt
fi
echo "..."
echo "check over"
echo -e ""

## detailed filtering checks: still to be added ##

echo -e "\n"
echo "--------------------------------------------------------------------------"
echo ""
echo "檢查結果:"
echo ""
cat ./out.txt
echo ""
echo "--------------------------------------------------------------------------"
echo ""
Execution result:
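The parsing the script relies on is the fragile part: a plain `grep KEY` picks up commented-out lines, a key defined twice yields two values, and `export TMOUT=...` or a bare `readonly TMOUT` confuse an `awk -F=` split. The following is an added example, not part of the original post, that reads the same settings with those cases handled; the two sample files are constructed stand-ins for /etc/login.defs and /etc/profile, and the thresholds match the script's.

```shell
#!/bin/bash
# Added example: robust extraction of the values the baseline script checks.
# Sample files below are constructed, not taken from a real system.

# Effective value of a login.defs key: comments skipped, last definition wins.
login_defs_value() {   # $1=key  $2=file
    awk -v k="$1" '$1 == k { v = $2 } END { print v }' "$2"
}
# Effective TMOUT from a profile-style file; prints nothing when it is not set.
# Accepts an optional "export " prefix and ignores trailing text like "; export TMOUT".
profile_tmout() {      # $1=file
    sed -nE 's/^[[:space:]]*(export[[:space:]]+)?TMOUT=([0-9]+).*/\2/p' "$1" | tail -n 1
}
# Verdict for a value that must lie in [min, max]; an empty value fails cleanly
# instead of breaking the "[" test the way an unquoted empty variable would.
judge() {              # $1=value  $2=min  $3=max
    if [ -n "$1" ] && [ "$1" -ge "$2" ] && [ "$1" -le "$3" ]; then echo OK; else echo FAIL; fi
}

SAMPLE_LOGIN_DEFS=$(mktemp); SAMPLE_PROFILE=$(mktemp)
trap 'rm -f "$SAMPLE_LOGIN_DEFS" "$SAMPLE_PROFILE"' EXIT
cat > "$SAMPLE_LOGIN_DEFS" <<'EOF'
# PASS_MAX_DAYS 99999      <- commented out, must be ignored
PASS_MAX_DAYS   99999
PASS_MAX_DAYS   60
PASS_MIN_DAYS   7
PASS_MIN_LEN    8
PASS_WARN_AGE   14
EOF
cat > "$SAMPLE_PROFILE" <<'EOF'
# TMOUT=60
TMOUT=300; export TMOUT
readonly TMOUT
EOF

# Same thresholds as the check script; one "<key> <verdict> <value>" line per item.
run_baseline() {       # $1=login.defs  $2=profile
    local pmax pmin plen page tmout
    pmax=$(login_defs_value PASS_MAX_DAYS "$1"); pmin=$(login_defs_value PASS_MIN_DAYS "$1")
    plen=$(login_defs_value PASS_MIN_LEN "$1");  page=$(login_defs_value PASS_WARN_AGE "$1")
    tmout=$(profile_tmout "$2")
    echo "PASS_MAX_DAYS $(judge "$pmax" 1 90) $pmax"
    echo "PASS_MIN_DAYS $(judge "$pmin" 6 99999) $pmin"
    echo "PASS_MIN_LEN  $(judge "$plen" 8 99999) $plen"
    echo "PASS_WARN_AGE $(judge "$page" 30 "$((pmax - 1))") $page"   # must stay below PASS_MAX_DAYS
    echo "TMOUT         $(judge "$tmout" 10 600) $tmout"
}
run_baseline "$SAMPLE_LOGIN_DEFS" "$SAMPLE_PROFILE"
```

On the sample input only PASS_WARN_AGE fails (14 days is below the 30-day minimum); every other line reports OK because the commented-out and duplicate definitions are correctly ignored.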