linux各版本基線檢查腳本(centos6、centos7、ubuntu系列)

以下是centos7基線檢查腳本：

#!/bin/bash
#version v1.0 by pensar
#操作系統linux 配置規范--centos7
cat <<EOF
***************************************************************
 linux安全配置檢查腳本:
    1. 輸出結果在/tmp/check/目錄下查看
    2.檢查范圍及檢查項(共計4大類，33項)
*日志審計配置*：
    [1]檢查Cron任務授權
    [2]檢查是否對syslog登錄事件記錄
    [3]檢查是否對rsyslog.conf配置審核
    [4]檢查系統日志讀寫權限
    [5]檢查是否對遠程日志服務器配置    
*系統文件管理*：
    [1]檢查是否對登錄超時時間配置
    [2]檢查系統磁盤狀態
    [3]檢查是否禁止匿名FTP訪問
    [4]檢查是否修改FTP banner 信息
    [5]檢查是否關閉不必要的服務
    [6]檢查系統core dump狀態
    [7]檢查系統補丁    
*用戶賬號配置*：
    [1]檢查是否存在無用賬號
    [2]檢查不同用戶是否共享賬號
    [3]檢查是否刪除或鎖定無用賬號
    [4]檢查是否存在無用用戶組
    [5]檢查是否指定用戶組成員使用su命令
    [6]檢查密碼長度及復雜度策略
    [7]檢查是否對用戶遠程登錄進行限制
    [8]檢查是否配置加密協議
    [9]檢查是否配置密碼的生存期
    [10]檢查用戶缺省訪問權限
    [11]檢查passwd group文件安全權限
    [12]檢查是否存在除root之外UID為0的用戶
    [13]檢查是否配置環境變量
    [14]檢查是否對遠程連接的安全性進行配置
    [15]檢查是否對用戶的umask進行配置
    [16]檢查是否對重要目錄和文件的權限進行設置
    [17]檢查是否存在未授權的suid/sgid文件
    [18]檢查是否存在異常隱含文件    
*網絡通信配置*：
    [1]檢查是否對基本網絡服務進行配置
    [2]檢查是否開啟NFS服務
    [3]檢查常規網絡服務是否運行正常
***************************************************************
EOF
mkdir /tmp/check
str1=`/sbin/ifconfig -a | grep inet | grep -v 127.0.0.1 | grep -v inet6 | awk '{print $2}' | tr -d "addr:" | head -n 1`
str=`date +%Y%m%d%H%M`_"$str1"

echo "----**日志審計配置**----" >> /tmp/check/${str}_out.txt 
echo "[1] 檢查Cron任務授權" >> /tmp/check/${str}_out.txt 
if [ -e /etc/cron.deny ] && [ -e /etc/at.deny ];then
    CRON_DENY=`ls -l /etc/cron.deny | awk '{print $1}'`
    AT_DENY=`ls -l /etc/at.deny | awk '{print $1}'`
    echo "/etc/cron.deny文件授權情況為：${CRON_DENY:1:9}" >> /tmp/check/${str}_out.txt 
    echo "/etc/at.deny文件授權情況為：${AT_DENY:1:9}" >> /tmp/check/${str}_out.txt 
    echo "{'Check_point':'檢查Cron任務授權','Check_result':{'/etc/cron.deny文件授權情況為':'${CRON_DENY:1:9}','/etc/at.deny文件授權情況為':'${AT_DENY:1:9}'}}" >> /tmp/check/${str}_dict.txt 
    CRON=`cat /etc/rsyslog.conf | grep "cron.\*"`
    echo "/etc/rsyslog.conf的配置情況為：${CRON}" >> /tmp/check/${str}_out.txt 
else
    echo "未找到/etc/cron.deny和/etc/at.deny配置文件" >> /tmp/check/${str}_out.txt 
fi

echo "----------------------------" >> /tmp/check/${str}_out.txt 
echo "[2]檢查是否對syslog登錄事件記錄" >> /tmp/check/${str}_out.txt 
if [ -e /etc/syslog.conf ];then
    Clog=`cat /etc/syslog.conf | grep /var/log/secure | grep -E "authpriv\.\*"`
    echo "/etc/syslog.conf的配置為：${Clog}" >> /tmp/check/${str}_out.txt 
else
    echo "未找到/etc/syslog.conf配置文件" >> /tmp/check/${str}_out.txt 
fi

echo "----------------------------" >> /tmp/check/${str}_out.txt 
echo "[3]檢查是否對rsyslog.conf配置審核" >> /tmp/check/${str}_out.txt 
if [ -e /etc/rsyslog.conf ];then
    LOG=`cat /etc/rsyslog.conf | grep @loghost` 
    echo "rsyslog.conf文件的配置為${LOG}" >> /tmp/check/${str}_out.txt 
else
    echo "未找到/etc/rsyslog.conf配置文件" >> /tmp/check/${str}_out.txt 
fi

echo "----------------------------" >> /tmp/check/${str}_out.txt 
echo "[4]檢查系統日志讀寫權限" >> /tmp/check/${str}_out.txt 
if [ -e /var/log/messages ];then
    MESSAGES=`ls -l /var/log/messages | awk '{print $1}'`
    echo "/var/log/messages的文件權限為：${MESSAGES:1:9}" >> /tmp/check/${str}_out.txt 
else
    echo "未找到/var/log/messages的文件" >> /tmp/check/${str}_out.txt 
fi
if [ -e /var/log/secure ];then
    SECURE=`ls -l /var/log/secure | awk '{print $1}'`
    echo "/var/log/secure 的文件權限為：${SECURE:1:9}" >> /tmp/check/${str}_out.txt 
else
    echo "未找到/var/log/secure的文件" >> /tmp/check/${str}_out.txt 
fi

if [ -e /var/log/maillog ];then
    MAILLOG=`ls -l /var/log/maillog | awk '{print $1}'`
    echo "/var/log/maillog 的文件權限為：${MAILLOG:1:9}" >> /tmp/check/${str}_out.txt 
else
    echo "未找到/var/log/maillog的文件" >> /tmp/check/${str}_out.txt 
fi

if [ -e /var/log/cron ];then
    CRON=`ls -l /var/log/cron | awk '{print $1}'`
    echo "/var/log/cron 的文件權限為：${CRON:1:9}" >> /tmp/check/${str}_out.txt 
else
    echo "未找到/var/log/cron的文件" >> /tmp/check/${str}_out.txt 
fi
if [ -e /var/log/spooler ];then
    SPOOLER=`ls -l /var/log/spooler | awk '{print $1}'`
    echo "/var/log/spooler 的文件權限為：${SPOOLER:1:9}" >> /tmp/check/${str}_out.txt 
else
    echo "未找到/var/log/spooler的文件" >> /tmp/check/${str}_out.txt 
fi

if [ -e /var/log/boot/log ];then
    LOG=`ls -l /var/log/boot/log | awk '{print $1}'`
    echo "/var/log/boot/log 的文件權限為：${LOG:1:9}" >> /tmp/check/${str}_out.txt 
else
    echo "未找到/var/log/boot/log的文件" >> /tmp/check/${str}_out.txt 
fi

echo "----------------------------" >> /tmp/check/${str}_out.txt 
echo "[5]檢查是否對遠程日志服務器配置" >> /tmp/check/${str}_out.txt 
if [ -e /etc/rsyslog.conf ];then
    RSYS=`cat /etc/rsyslog.conf | grep "@${str1}" | grep $'\t' | grep \.\*` 
    echo "遠程日志服務器配置情況為：${RSYS}" >> /tmp/check/${str}_out.txt 
else
    echo "未找到/etc/rsyslog.conf配置文件" >> /tmp/check/${str}_out.txt 
fi
echo "----------------------------" >> /tmp/check/${str}_out.txt
echo ""
echo "----**系統文件管理**----" >> /tmp/check/${str}_out.txt 
echo "[1]檢查是否對登錄超時時間配置" >> /tmp/check/${str}_out.txt 
if [ -e /etc/profile ] && [ -e /etc/bashrc ]; then
    TMOUT=`cat /etc/profile | grep HISTTIMEFORMAT | grep TMOUT`
    if [ -n ${TMOUT} ]; then
        echo "/etc/profile的超時時間設置情況為：${TMOUT}" >> /tmp/check/${str}_out.txt 
        FORMAT=`cat /etc/bashrc | grep export | grep HISTTIMEFORMAT`
        if [ -n ${FORMAT} ];then
            echo "/etc/bashrc的設置為${FORMAT}" >> /tmp/check/${str}_out.txt 
        else
            echo "/etc/bashrc不存在對應配置" >> /tmp/check/${str}_out.txt 
        fi
    else
        echo "/etc/profile文件不存在對應配置" >> /tmp/check/${str}_out.txt 
    fi
else
    echo "不存在/etc/profile文件以及/etc/bashrc文件" >> /tmp/check/${str}_out.txt 
fi


echo "----------------------------" >> /tmp/check/${str}_out.txt 
echo "[2]檢查系統磁盤狀態" >> /tmp/check/${str}_out.txt 
DF=`df -h | awk 'NR!=1{print $5}' | awk -F[\%] '{print $1}'`
for i in $DF
do
    if [ $i -ge 80 ];then
        flag=1
    else
        flag=0
    fi
done
if [ $flag = 1 ];then
    echo "系統磁盤使用率大於80%" >> /tmp/check/${str}_out.txt 
else [ $flag = 0 ]
    echo "系統磁盤狀態小於80%" >> /tmp/check/${str}_out.txt 
fi    
    
echo "----------------------------" >> /tmp/check/${str}_out.txt     
echo "[3]檢查是否禁止匿名FTP訪問" >> /tmp/check/${str}_out.txt 
if [ -e /etc/vsftpd.conf ];then
    cat /etc/vsftpd.conf | grep "anonymous_enable=NO" 
    if [ $? -eq 0 ]; then
        echo "/etc/vsftpd.conf文件有設置：anonymous_enable=NO" >> /tmp/check/${str}_out.txt 
    else
        echo "不符合規范，需編輯/etc/vsftpd.conf文件，設置：anonymous_enable=NO" >> /tmp/check/${str}_out.txt 
    fi
else
    echo "未找到/etc/vsftpd.conf文件" >> /tmp/check/${str}_out.txt 
fi

echo "----------------------------" >> /tmp/check/${str}_out.txt     
echo "[4]檢查是否修改FTP banner 信息" >> /tmp/check/${str}_out.txt 
if [ -e /etc/vsftpd.d/vsftpd.conf ];then
    BANNER=`cat /etc/vsftpd.d/vsftpd.conf | grep ftpd_banner | grep -F[=] awk '{print $1}'`
    if [ -n ${BANNER} ];then
        echo "banner信息為${BANNER}" >> /tmp/check/${str}_out.txt 
    else
        echo "未設置banner信息" >> /tmp/check/${str}_out.txt 
    fi
else
    echo "未找到/etc/vsftpd.d/vsftpd.conf文件" >> /tmp/check/${str}_out.txt 
fi

if [ -e /etc/ftpaccess ];then
    cat /etc/ftpaccess | grep "banner /path/to/ftpbanner"
    if [ -e -eq 0 ];then
        echo "/etc/ftpaccess文件中已經設置banner路徑" >> /tmp/check/${str}_out.txt 
    else
        echo "/etc/ftpaccess文件中未設置banner路徑" >> /tmp/check/${str}_out.txt 
    fi
else
    echo "不存在/etc/ftpaccess文件" >> /tmp/check/${str}_out.txt 
fi

echo "----------------------------" >> /tmp/check/${str}_out.txt     
echo "[5]檢查是否關閉不必要的服務" >> /tmp/check/${str}_out.txt 
SERVICE=`ps -ef`
echo "系統服務情況為${SERVICE}" >> /tmp/check/${str}_out.txt 
SER_LIST=`systemctl list-units -all --type=service`
echo "服務有${SER_LIST}" >> /tmp/check/${str}_out.txt 
if [ -e /etc/xinetd.conf ];then
    echo "在/etc/xinetd.conf文件中禁止不必要的基本網絡服務" >> /tmp/check/${str}_out.txt 
else
    echo "未找到/etc/xinetd.conf文件" >> /tmp/check/${str}_out.txt 
fi


echo "----------------------------" >> /tmp/check/${str}_out.txt 
echo "[6]檢查系統core dump狀態" >> /tmp/check/${str}_out.txt 
if [ -e /etc/security/limits.conf ];then
    cat /etc/security/limits.conf | grep \* | grep soft | grep core  | grep 0
    if [ $? -eq 0 ];then
        cat /etc/security/limits.conf | grep \* | grep hard | grep core  | grep 0
        if [ $? -eq 0 ];then
            echo "/etc/security/limits.conf符合安全配置" >> /tmp/check/${str}_out.txt 
        else
            echo "/etc/security/limits.conf未安裝規范進行設置" >> /tmp/check/${str}_out.txt 
        fi
    else
        echo "/etc/security/limits.conf未安裝規范進行設置" >> /tmp/check/${str}_out.txt 
    fi
else
    echo "未找到/etc/security/limits.conf配置文件"  >> /tmp/check/${str}_out.txt 
fi

echo "----------------------------" >> /tmp/check/${str}_out.txt 
echo "[7]檢查系統補丁" >> /tmp/check/${str}_out.txt 
OS=`uname -a`
echo "系統版本情況為${OS}" >> /tmp/check/${str}_out.txt 



echo "----**用戶賬號配置**----" >> /tmp/check/${str}_out.txt 
echo "[1]檢查是否存在無用賬號" >> /tmp/check/${str}_out.txt 
passwd=`ls -l /etc/passwd | awk '{print $1}'`
if [ "${passwd:1:9}" = "rw-r--r--" ]; then
    echo "/etc/passwd文件權限為644，符合規范" >> /tmp/check/${str}_out.txt 
else
    echo "/etc/passwd文件權限為${passwd:1:9}，不符合規范" >> /tmp/check/${str}_out.txt 
fi
PASSWD_U=`cat /etc/passwd | awk -F[:] '{print $1}'`
echo "查看是否存在無用賬號：${PASSWD_U}" >> /tmp/check/${str}_out.txt 

    
echo "----------------------------" >> /tmp/check/${str}_out.txt     
echo "[2]檢查不同用戶是否共享賬號" >> /tmp/check/${str}_out.txt     
PASS=`cat /etc/passwd | awk -F[:] '{print $1}'`
echo "cat /etc/passwd結果為${PASS}" >> /tmp/check/${str}_out.txt 
#查看所有賬號，與管理員確認是否有共享賬號    
    
echo "----------------------------" >> /tmp/check/${str}_out.txt 
echo "[3]檢查是否刪除或鎖定無用賬號" >> /tmp/check/${str}_out.txt 
NOlogin=`cat /etc/passwd | grep nologin | awk -F[:] '{print $1}'`
echo "shell域中為nologin的賬戶有${NOlogin}" >> /tmp/check/${str}_out.txt 

    
echo "----------------------------" >> /tmp/check/${str}_out.txt     
echo "[4]檢查是否存在無用用戶組" >> /tmp/check/${str}_out.txt 
GROUP=`ls -l /etc/group | awk '{print $1}'`
echo "/etc/group文件權限為${GROUP}" >> /tmp/check/${str}_out.txt 
GROUP_U=`cat /etc/group | awk -F[:] '{print $1}'`
echo "/etc/group用戶組有${GROUP}" >> /tmp/check/${str}_out.txt 

    
echo "----------------------------" >> /tmp/check/${str}_out.txt     
echo "[5]檢查是否指定用戶組成員使用su命令" >> /tmp/check/${str}_out.txt 
if [ -e /etc/pam.d/su ];then
    SUFFI=`cat /etc/pam.d/su | grep auth | grep sufficient | grep pam_rootok.so`
    REQUIRED=`cat /etc/pam.d/su | grep auth | grep required | grep group=`
    echo "是否指定用戶組成員情況為${SUFFI}\n${REQUIRED}" >> /tmp/check/${str}_out.txt 
else
    echo "未找到/etc/pam.d/su配置文件" >> /tmp/check/${str}_out.txt 
fi



echo "----------------------------" >> /tmp/check/${str}_out.txt     
echo "[6]檢查密碼長度及復雜度策略" >> /tmp/check/${str}_out.txt 
if [ -e /etc/pam.d/system-auth ];then
    passComplexity=`cat /etc/pam.d/system-auth | grep "pam_pwquality.so"`
    passucredit=`cat /etc/pam.d/system-auth | grep "pam_pwquality.so" | grep -e ucredit | awk '{print $4}'`
    passlcredit=`cat /etc/pam.d/system-auth | grep "pam_pwquality.so" | grep -e lcredit | awk '{print $5}'`
    passdcredit=`cat /etc/pam.d/system-auth | grep "pam_pwquality.so" | grep -e dcredit | awk '{print $6}'`
    passocredit=`cat /etc/pam.d/system-auth | grep "pam_pwquality.so" | grep -e ocredit | awk '{print $7}'`
    echo "密碼復雜度策略為：${passComplexity}" >> /tmp/check/${str}_out.txt     
    echo "密碼復雜度策略中設置的大寫字母個數為：${passucredit}" >> /tmp/check/${str}_out.txt 
    echo "密碼復雜度策略中設置的小寫字母個數為：${passlcredit}" >> /tmp/check/${str}_out.txt 
    echo "密碼復雜度策略中設置的數字個數為：${passdcredit}" >> /tmp/check/${str}_out.txt 
    echo "密碼復雜度策略中設置的特殊字符個數為：${passocredit}" >> /tmp/check/${str}_out.txt 
else
    ehco "不存在/etc/pam.d/system-auth文件" >> /tmp/check/${str}_out.txt 
fi
    
echo "----------------------------" >> /tmp/check/${str}_out.txt     
echo "[7]檢查是否對用戶遠程登錄進行限制" >> /tmp/check/${str}_out.txt 
cat /etc/securetty | grep "#" | grep tty
if [ $? -eq 0 ];then
    echo "注釋掉所有tty設備" >> /tmp/check/${str}_out.txt 
else
    echo "未注釋掉所有tty設備" >> /tmp/check/${str}_out.txt 
fi

RootLogin=`cat /etc/ssh/sshd_config | grep PermitRootLogin | awk '{print $2}'`
if [ "${RootLogin}" == "yes" ];then
    echo "/etc/ssh/sshd_config中PermitRootLogin配置為yes" >> /tmp/check/${str}_out.txt 
else [ "${RootLogin}" == "no" ]
    echo "/etc/ssh/sshd_config中PermitRootLogin配置為no" >> /tmp/check/${str}_out.txt 
fi



echo "----------------------------" >> /tmp/check/${str}_out.txt     
echo "[8]檢查是否配置加密協議" >> /tmp/check/${str}_out.txt 
SSH=`ps -elf | grep ssh`
echo "ssh服務狀態為${SSH}"  >> /tmp/check/${str}_out.txt 
if [ -e /etc/ssh/sshd_config ];then
    cat /etc/ssh/sshd_config | grep "Host*" | grep "Protocol 2"
    if [ $? -eq 0 ];then
        echo "/etc/ssh/sshd_config文件符合安全配置" >> /tmp/check/${str}_out.txt 
    else
        echo "/etc/ssh/sshd_config文件中未找到相應配置" >> /tmp/check/${str}_out.txt 
    fi
else
    echo "未找到/etc/ssh/sshd_config文件" >> /tmp/check/${str}_out.txt 
fi    

    
echo "----------------------------" >> /tmp/check/${str}_out.txt     
echo "[9]檢查是否配置密碼的生存期" >> /tmp/check/${str}_out.txt 
if [ -e /etc/login.defs ];then
    passmax=`cat /etc/login.defs | grep PASS_MAX_DAYS | grep -v ^# | awk '{print $2}'`
    passmin=`cat /etc/login.defs | grep PASS_MIN_DAYS | grep -v ^# | awk '{print $2}'`
    passlen=`cat /etc/login.defs | grep PASS_MIN_LEN | grep -v ^# | awk '{print $2}'`
    passage=`cat /etc/login.defs | grep PASS_WARN_AGE | grep -v ^# | awk '{print $2}'`
    echo "口令生存周期天數為： ${passmax}" >> /tmp/check/${str}_out.txt 
    echo "口令更改最小時間間隔為天數為：${passmin}" >> /tmp/check/${str}_out.txt 
    echo "口令最小長度天數為：${passlen}" >> /tmp/check/${str}_out.txt 
    echo "口令過期告警時間天數為：${passage}" >> /tmp/check/${str}_out.txt 
else
    echo "未找到/etc/login.defs配置文件" >> /tmp/check/${str}_out.txt 
fi

echo "----------------------------" >> /tmp/check/${str}_out.txt     
echo "[10]檢查用戶缺省訪問權限" >> /tmp/check/${str}_out.txt 
fileumask=`cat /etc/login.defs | grep -i umask | awk '{print $2}'`
if [ -n $fileumask ]; then    
    echo "/etc/login.defs文件的umask的值為：${fileumask}" >> /tmp/check/${str}_out.txt 
else
    echo "/etc/login.defs文件未配置umask值" >> /tmp/check/${str}_out.txt 
fi


echo "----------------------------" >> /tmp/check/${str}_out.txt 
echo "[11]檢查passwd group文件安全權限" >> /tmp/check/${str}_out.txt 

grep ^+: /etc/passwd /etc/shadow /etc/group
if [ $? -eq 0 ];then
    echo "低於安全要求" >> /tmp/check/${str}_out.txt 
else
    echo "符合安全要求" >> /tmp/check/${str}_out.txt 
fi
passwd=`ls -l /etc/passwd | awk '{print $1}'`
echo "/etc/passwd文件權限為${passwd:1:9}" >> /tmp/check/${str}_out.txt 
ETC_group=`ls -l /etc/group | awk '{print $1}'`
echo "/etc/group文件權限為${passwd:1:9}" >> /tmp/check/${str}_out.txt 

igroup=`lsattr /etc/group | grep i`
if [ "$igroup" = "i" ]; then
    echo "/etc/group文件存在i屬性文件" >> /tmp/check/${str}_out.txt 
else
    echo "/etc/group文件不存在i文件屬性" >> /tmp/check/${str}_out.txt 
fi
ipasswd=`lsattr /etc/passwd | grep i`
if [ "$igshadow" = "i" ]; then
    echo "/etc/passwd存在i屬性文件" >> /tmp/check/${str}_out.txt 
else
    echo "/etc/passwd不存在i文件屬性" >> /tmp/check/${str}_out.txt 
fi

    
echo "----------------------------" >> /tmp/check/${str}_out.txt     
echo "[12]檢查是否存在除root之外UID為0的用戶" >> /tmp/check/${str}_out.txt 
uids=`awk -F[:] 'NR!=1{print $3}' /etc/passwd`  #NR!=1意思的除了第一行不顯示。1代表具體的行數
flag=0
for i in $uids
do 
    if [ $i = 0 ]; then
        echo "存在非root賬號的賬號UID為0，不符合要求" >> /tmp/check/${str}_out.txt 
    else    
        flag=1
    fi
done
if [ $flag = 1 ]; then
   echo "不存在非root賬號的UID為0，符合要求" >> /tmp/check/${str}_out.txt 
fi

    
    
echo "----------------------------" >> /tmp/check/${str}_out.txt     
echo "[13]檢查是否配置環境變量" >> /tmp/check/${str}_out.txt 
echo $PATH | egrep '(^|:)(\.|:|$)'
if [ $? -eq 0 ];then
    echo "檢查是否包含父目錄，低於安全要求" >> /tmp/check/${str}_out.txt 
else
    echo "檢查是否包含父目錄，符合安全要求" >> /tmp/check/${str}_out.txt 
fi

echo "----------------------------" >> /tmp/check/${str}_out.txt 
echo "[14]檢查是否對遠程連接的安全性進行配置" >> /tmp/check/${str}_out.txt 
filerhosts=`find / -maxdepth 3 -type f -name .rhosts 2>/dev/null`
if [ -n "$filerhosts" ]; then
    echo "rhosts文件路徑為：${filerhosts}" >> /tmp/check/${str}_out.txt 
else
    echo "未找到.rhosts文件" >> /tmp/check/${str}_out.txt 
fi

fileequiv=`find / -maxdepth 2 -name hosts.equiv 2>/dev/null`
if [ -n "$fileequiv" ]; then
    echo "hosts.equiv文件路徑為：${fileequiv}" >> /tmp/check/${str}_out.txt 
else
    echo "未找到hosts.equiv文件" >> /tmp/check/${str}_out.txt 
fi
filenetrc=`find / -maxdepth 3 -name .netrc 2>/dev/null`
if [ -n "$filenetrc" ]; then
    echo "netrc文件路徑為：${filenetrc}" >> /tmp/check/${str}_out.txt 
else
    echo "未找到.netrc文件" >> /tmp/check/${str}_out.txt 
fi

echo "----------------------------" >> /tmp/check/${str}_out.txt 
echo "[15]檢查是否對用戶的umask進行配置" >> /tmp/check/${str}_out.txt 
if [ -e /etc/profile ];then
    PROFILE1=`cat /etc/profile | grep -i umask | grep -v '#' | head -n 1 | awk '{print $2}'`
    PROFILE2=`cat /etc/profile | grep -i umask | grep -v '#' | tail -1 | awk '{print $2}'`
    if [ -n "$PROFILE" ]; then
        echo "在/etc/profile文件中umask的值為：${PROFILE}和${PROFILE1}" >> /tmp/check/${str}_out.txt 
    else
        echo "在/etc/profile文件中未找到umask值" >> /tmp/check/${str}_out.txt 
    fi
fi

csh=`cat /etc/csh.login | grep -i umask`
if [ -n "$csh" ]; then
    echo "在/etc/csh.login文件中umask的內容為：${csh}" >> /tmp/check/${str}_out.txt 
else
    echo "在/etc/csh.login文件中未找到umask值" >> /tmp/check/${str}_out.txt 
fi

cshrc1=`cat /etc/csh.cshrc | grep -i umask | grep -v '#' | head -n 1 | awk '{print $2}'`
cshrc2=`cat /etc/csh.cshrc | grep -i umask | grep -v '#' | tail -1 | awk '{print $2}'`
if [ -n "$cshrc" ]; then
    echo "在/etc/csh.cshrc文件中umask的值為：${cshrc1}和${cshrc2}" >> /tmp/check/${str}_out.txt 
else
    echo "在/etc/csh.login文件中未找到umask值" >> /tmp/check/${str}_out.txt 
fi

if [ -e /etc/bashrc ];then
    bashrc1=`cat /etc/bashrc | grep -i umask | grep -v '#' | head -n 1 | awk '{print $2}'`
    bashrc2=`cat /etc/bashrc | grep -i umask | grep -v '#' | tail -1 | awk '{print $2}'`
    if [ -n "$bashrc1" ] && [ -n "$bashrc2" ]; then
        echo "在/etc/bashrc文件中umask內容為：${bashrc1}和${bashrc2}" >> /tmp/check/${str}_out.txt 
    else
        echo "在/etc/bashrc文件中未找到umask值" >> /tmp/check/${str}_out.txt 
    fi
fi

echo "----------------------------" >> /tmp/check/${str}_out.txt 
echo "[16]檢查是否對重要目錄和文件的權限進行設置" >> /tmp/check/${str}_out.txt 
etc=`ls -l / | grep etc | awk '{print $1}'`
if [ "${etc:1:9}" = "rwxr-x---" ]; then
    echo "/etc/權限為750，符合規范" >> /tmp/check/${str}_out.txt 
else
    echo "/etc/文件權限為${etc:1:9}，不符合規范" >> /tmp/check/${str}_out.txt 
fi

Shadow=`ls -l /etc/shadow | awk '{print $1}'`
if [ "${shadow:1:9}" = "rw-------" ]; then
    echo "/etc/shadow文件權限為600，符合規范" >> /tmp/check/${str}_out.txt 
else
    echo "/etc/shadow文件權限為${Shadow:1:9}，不符合規范" >> /tmp/check/${str}_out.txt 
fi

Passwd=`ls -l /etc | grep passwd | awk '{print $1}'`
if [ "${passwd:1:9}" = "rw-r--r--" ]; then
    echo "/etc/passwd文件權限為644，符合規范" >> /tmp/check/${str}_out.txt 
else
    echo "/etc/passwd文件權限為${Passwd:1:9}，不符合規范" >> /tmp/check/${str}_out.txt 
fi

Group=`ls -l /etc | grep group | awk '{print $1}'`
if [ "${Group:1:9}" = "rw-r--r--" ]; then
    echo "/etc/passwd文件權限為644，符合規范" >> /tmp/check/${str}_out.txt 
else
    echo "/etc/passwd文件權限為${Group:1:9}，不符合規范" >> /tmp/check/${str}_out.txt 
fi


echo "----------------------------" >> /tmp/check/${str}_out.txt 
echo "[17]檢查是否存在未授權的suid/sgid文件" >> /tmp/check/${str}_out.txt 
for PART in `grep -v ^# /etc/fstab | awk '($6 != "0") {print "/./"$2 }'`; do
    RESULT=`find $PART -type f -xdev \( -perm -04000 -o -perm -02000 \) -print`
        if [ -n $RESULT ];then
            flag=1
        else
            flag=0
        fi
done
if [ $flag -eq 0 ];then
    echo "返回值為空，符合規范" >> /tmp/check/${str}_out.txt 
else [ $flag -eq 1 ]
    echo "返回值不為空，不符合規范" >> /tmp/check/${str}_out.txt 
fi

echo "----------------------------" >> /tmp/check/${str}_out.txt     
echo "[18]檢查是否存在異常隱含文件" >> /tmp/check/${str}_out.txt 
find  / -name ".. *" -print
HIDDEN=`find  / -name ".. *" -print; find  / -name "...*" -print | cat -v`
if [ -n ${XINETD} ];then
    echo "隱藏文件有${HIDDEN}" >> /tmp/check/${str}_out.txt 
else
    echo "沒有隱藏文件" >> /tmp/check/${str}_out.txt 
fi

echo "----**網絡通信配置**----" >> /tmp/check/${str}_out.txt 
echo "[1]檢查是否對基本網絡服務進行配置" >> /tmp/check/${str}_out.txt 
XINETD=`ls  -l  /etc/xinetd.d`
echo "/etc/xinetd.d目錄中的包含的基本的網絡服務的配置文件為${XINETD}" >> /tmp/check/${str}_out.txt 
    
echo "----------------------------" >> /tmp/check/${str}_out.txt     
echo "[2]檢查是否開啟NFS服務" >> /tmp/check/${str}_out.txt 
systemctl status nfs
if [ $? -eq 0 ];then
    echo "已開啟nfs服務" >> /tmp/check/${str}_out.txt 
else [ $? -eq 3 ]
    echo "未開啟nfs服務" >> /tmp/check/${str}_out.txt 
fi

echo "----------------------------" >> /tmp/check/${str}_out.txt 
echo "[3]檢查常規網絡服務是否運行正常" >> /tmp/check/${str}_out.txt 
#若無telnet命令
telnet localhost 80
if [ $? -eq 0 ];then
    echo "80服務正常運行" >> /tmp/check/${str}_out.txt 
    telnet localhost 25
    if [ $? -eq 0 ];then
        echo "25服務正常運行" >> /tmp/check/${str}_out.txt 
    fi
    telnet localhost 110
    if [ $? -eq 0 ];then
        echo "110服務正常運行" >> /tmp/check/${str}_out.txt 
    fi
    telnet localhost 143
    if [ $? -eq 0 ];then
        echo "143服務正常運行" >> /tmp/check/${str}_out.txt 
    fi
    telnet localhost 443
    if [ $? -eq 0 ];then
        echo "443服務正常運行" >> /tmp/check/${str}_out.txt 
    fi
    telnet localhost 21
    if [ $? -eq 0 ];then
        echo "21服務正常運行" >> /tmp/check/${str}_out.txt 
    fi
else
    echo "系統未安裝telnet命令" >> /tmp/check/${str}_out.txt 
fi