#!/bin/bash

###banner 1
#检查超时设置是否配置为300
TMOUT1=`cat /etc/profile |grep -v "^[[:space:]]*#" | grep ^TMOUT |awk -F = '{print $2}'| cut -d = -f 2`
TMOUT2=`cat /etc/profile |grep -v "^[[:space:]]*#" | grep 'export TMOUT' |awk '{print $2}'| cut -d = -f 2`
if [ $TMOUT1 ];then
        if [[ $TMOUT1 != 300 ]];then
                echo -e "\e[31mNo.1.1请检查超时设置是否配置为300,不是请更改\n\e[0m"
        fi
fi
if [ $TMOUT2 ];then
        if [[ $TMOUT2 != 300 ]];then
                echo -e "\e[31mNo.1.2请检查超时设置是否配置为300,不是请更改\n\e[0m"
        fi
fi

###banner 2
PAM_auth=`cat /etc/pam.d/su|grep -v "^[[:space:]]*#"|grep -v "^$"|grep "auth[[:space:]]*sufficient[[:space:]]*pam_rootok.so"|head -1`
if [[ $? = 1 ]];then
	echo -e "\e[31mNo.2.1请检查是否使用PAM认证模块禁止wheel组之外的用户su为root\n\e[0m"
else
        ROOTOK=`cat /etc/pam.d/su |grep -v "#"|head -1|grep rootok`
        if [[ $? = 1 ]];then
                echo -e "\e[31mNo.2.2请检查pam_rootok.so顺序是否正确,不在首行请更改\n\e[0m"
        fi
fi

PAM_auth=`cat /etc/pam.d/su|grep -v "^[[:space:]]*#"|grep -v "^$"|grep "auth[[:space:]]*required[[:space:]]*pam_wheel.so group=wheel"`
if [ $? = 1 ];then
	echo -e "\e[31mNo.2.3请检查是否使用PAM认证模块禁止wheel组之外的用户su为root,不是请更改\n\e[0m" 
fi

###banner 3
file="/etc/login.defs"
PASS_MAX_DAYS=`cat $file |grep -v "^[[:space:]]*#"|grep ^PASS_MAX_DAYS|awk '{print $2}'`
if [[ $PASS_MAX_DAYS -lt 90 ]];then
	echo -e "\e[31mNo.3.1请检查新建用户的密码最长使用天数是否大于90天,不是请更改\n\e[0m" 
fi

PASS_MIN_DAYS=`cat $file |grep -v "^[[:space:]]*#"|grep ^PASS_MIN_DAYS|awk '{print $2}'`
if [[ $PASS_MIN_DAYS -lt 10 ]];then
	echo -e "\e[31mNo.3.2请检查新建用户的密码最短使用天数为10天,不是请更改\n\e[0m"
fi

PASS_MIN_LEN=`cat $file |grep -v "^[[:space:]]*#"|grep ^PASS_MIN_LEN|awk '{print $2}'`
if [[ $PASS_MIN_LEN -lt 8 ]];then
	echo -e "\e[31mNo.3.3请检查新建用户的密码最小长度是否为8,不是请更改\n\e[0m"
fi

PASS_WARN_AGE=`cat $file |grep -v "^[[:space:]]*#"|grep ^PASS_WARN_AGE|awk '{print $2}'`
if [[ $PASS_WARN_AGE -lt 30 ]];then
	echo -e "\e[31mNo.3.4请检查新建用户的密码到期提前提醒天数是否为30天,不是请更改\n\e[0m"
fi

###banner 4
#/etc/login.defs的umask值为027
LOGIN_UMASK_VALUE=`cat /etc/login.defs |grep -v "^[[:space:]]*#" | egrep 'umask|UMASK' |awk '{print $NF}'|tail -1`
if [[ $LOGIN_UMASK_VALUE != 027 ]];then
	echo -e "\e[31mNo.4请检查用户目录缺省访问权限是否设置为027,不是请修改\n\e[0m"
fi

###banner 5
file="/etc/passwd"
superuser=`cat $file |awk -F ':' '{if($3==0){print $0}}'|awk -F ':' '{print $1}'`
if [[ $superuser != 'root' ]];then
	echo -e "\e[31mNo.5请检查是否禁止root之外的超级用户,若没特殊原因请整改\n\e[0m"
fi

###banner 6
file="/etc/pam.d/system-auth"
ret=`cat $file | grep -v "^[[:space:]]*#"|grep 'password[[:space:]]*requisite[[:space:]]*pam_pwquality.so[[:space:]]*retry=3[[:space:]]*difok=3[[:space:]]*minlen=8[[:space:]]*ucredit=-1[[:space:]]*lcredit=-1[[:space:]]*dcredit=-1'`
if [[ $? = 1 ]];then
	echo -e "\e[31mNo.6请设置口令复杂度\n\e[0m"
fi

###banner 7
file="/etc/rsyslog.conf"
file1="/etc/syslog.conf"
if [ -f $file ];then
        Var=`cat $file | grep -v "^[[:space:]]*#" | grep '*.*[[:space:]]@'`
        if [ $? = 1 ];then
		echo -e "\e[33mNo.7请启用rsyslog远程日志功能,具体IP请与现场核对后填写\n\e[0m"
        fi
fi
if [ -f $file1 ];then
        Var=`cat $file1 | grep -v "^[[:space:]]*#" | grep -E '[[:space:]]*.+@.+'`
        if [ $? = 1 ];then
                echo -e "\e[31mNo.7请启用syslog远程日志功能,具体IP请与现场核对后填写\n\e[0m" 
        fi
fi

###banner 8
if [ -f $file ];then
        syslog=`cat /etc/rsyslog.conf | grep -v "^[[:space:]]*#" |grep -v "^$"|grep "*.err\;kern\.debug\;daemon\.notice[[:space:]]*/var/adm/messages"`
        if [ $? = 1 ];then
                echo -e "\e[31mNo.8请检查是否记录rsyslog安全事件日志,/var/adm/messages为绿盟版\n\e[0m"
        fi
fi
if [ -f $file1 ];then
        syslog=`cat /etc/syslog.conf | grep -v "^[[:space:]]*#" |grep -v "^$"|grep "*.err\;kern\.debug\;daemon\.notice[[:space:]]*/var/adm/messages"`
        if [ $? = 1 ];then
                echo -e "\e[31mNo.8请检查是否记录syslog安全事件日志,/var/adm/messages为绿盟版\n\e[0m" 
        fi
fi

###banner 9
if [ -f $file ];then
        syslog=`cat /etc/rsyslog.conf | grep -v "^[[:space:]]*#"|grep "auth.info[[:space:]]*/var/log/authlog"`
        if [ $? = 1 ];then
                echo -e "\e[31mNo.9请检查是否记录rsyslog帐户登录日志,请检查是否有/var/log/authlog项目\n\e[0m"
        fi
fi
if [ -f $file1 ];then
        syslog=`cat /etc/syslog.conf | grep -v "^[[:space:]]*#"|grep "auth.info[[:space:]]*/var/log/authlog"`
        if [ $? = 1 ];then
                echo -e "\e[31mNo.9.请检查是否记录syslog帐户登录日志,请检查是否有/var/log/authlog项目\n\e[0m" 
        fi
fi

###banner 10
if [ -f $file ];then
        syslog=`cat /etc/rsyslog.conf | grep -v "^[[:space:]]*#" | grep "authpriv\.\*[[:space:]]\/*"`
        if [ $? = 1 ];then
                echo -e "\e[31mNo.10.请检查rsyslog是否配置su命令使用情况记录,没有请整改\n\e[0m"
        fi
fi
if [ -f $file1 ];then
        syslog=`cat /etc/syslog.conf | grep -v "^[[:space:]]*#" | grep "authpriv\.\*[[:space:]]\/*"`
        if [ $? = 1 ];then
                echo -e "\e[31mNo.10.请检查rsyslog是否配置su命令使用情况记录,没有请整改\n\e[0m" 
        fi
fi

###banner 11
if [ -f $file ];then
        syslog=`cat /etc/rsyslog.conf | grep -v "^[[:space:]]*#" | grep "cron.*[[:space:]]*/var/log/cron"`
        if [ $? = 1 ];then
                echo -e "\e[31mNo.11.请检查rsyslog是否记录cron行为日志,请检查是否有/var/log/cron\n\e[0m"
        fi
fi
if [ -f $file1 ];then
        syslog=`cat /etc/syslog.conf | grep -v "^[[:space:]]*#" | grep "cron.*[[:space:]]*/var/log/cron"`
        if [ $? = 1 ];then
                echo -e "\e[31mNo.11.请检查syslog是否记录cron行为日志,请检查是否有/var/log/cron\n\e[0m" 
        fi
fi

###banner 12
file="/usr/lib/systemd/system/ctrl-alt-del.target"
if [ -f "$file" ];then
        echo -e "\e[31mNo.12.检查是否禁止掉ctrl-alt-del重启\n\e[0m"
fi

###banner 13
file="/etc/issue"
file1="/etc/issue.net"
if [ -f $file ];then
        echo -e "\e[31mNo.13.请检查issue是否修改系统banner,没有请删除\n\e[0m"
fi
if [ -f $file1 ];then
        echo -e "\e[31mNo.13.请检issue.net是否修改系统banner,没有请删除\n\e[0m"
fi

###banner 14
file="/etc/ssh/sshd_config"
if [ -f "$file" ];then
        port=`cat $file  |grep -v "^[[:space:]]*#"|grep "Port " |awk '{print $2}'`
        if [[ $port == 22 ]];then
                echo -e "\e[31mNo.14.当前ssh端口为22,请修改ssh端口\n\e[0m"
        fi
fi

###banner 15
if [ -f "$file" ];then
        rootlogin=`cat $file|grep -v "^[[:space:]]*#"|grep "PermitRootLogin"|awk '{print $2}' | tail -n 1`
        if [[ $rootlogin != 'no' ]];then
                echo -e "\e[31mNo.15.当前root可ssh登录服务器,请禁止掉root通过ssh登录\n\e[0m"
        fi
fi

###banner 16
file="/etc/pam.d/system-auth"
zhi=`cat $file|grep 'password[[:space:]]*sufficient[[:space:]]*pam_unix.so'|awk '{print $4}'`
if [[ $zhi = "sha512" ]];then
        ret=`cat $file |grep -v '^[[:space:]]*#' | grep 'password[[:space:]]*sufficient[[:space:]]*pam_unix.so[[:space:]]*sha512[[:space:]]*shadow[[:space:]]*nullok[[:space:]]*try_first_pass use_authtok[[:space:]]*remember=5'`
        if [[ -n $ret ]];then
                ret=`cat $file |grep -v '^[[:space:]]*#' | grep 'password[[:space:]]*sufficient[[:space:]]*pam_unix.so[[:space:]]*sha512[[:space:]]*shadow[[:space:]]*nullok[[:space:]]*try_first_pass use_authtok[[:space:]]*remember=' | awk -F = '{print $2}'`
                if [[ $ret -lt 5 ]];then
                        echo -e "\e[31mNo.16.请查看是否配置禁止输入前面5次输入的密码\n\e[0m"
                fi
        fi
fi

###banner 17
file="/etc/logrotate.conf"
if [ -f $file ];then
        ret=`cat $file | grep -v "^[[:space:]]*#"|egrep "^(daily|weekly|yearly)"|wc -l`
        info=`cat $file | grep -v "^[[:space:]]*#"|egrep "^(daily|weekly|yearly)"`
        if [ "$ret" != 0 ];then
                echo -e "\e[31mNo.17.请查看是否修改日志记录时间\n\e[0m"
        fi
        ret1=`cat $file | grep -v "^[[:space:]]*#"|grep ^rotate|awk '{print $2}'`
                if [ "$ret1" != 4 ];then
                echo -e "\e[31mNo.17.请查看是否修改日志记录时间\n\e[0m"
        fi
fi

###banner 18
file="/etc/ssh_banner"
#zhi1=`cat $file | grep "^Authorized only. All activity will be monitored and reported\>" | wc -l`
if [ ! -f $file ];then
        echo -e "\e[31mNo.18.1请建立SSH的Banner警告信息\n\e[0m"
#       if [[ "$zhi1" != 1 ]];then
#               echo -e "\e[31mNo.18.请更改SSH的Banner警告信息\n\e[0m"
#       fi
fi
file1="/etc/motd"
if [ ! -f $file1 ];then
        echo -e "\e[31mNo.18.2请建立SSH的motd警告信息\n\e[0m"
fi

###banner 19
NAME=(liu root gpadmin)
for CHAGE_NAME in ${NAME[*]}
do
        USER_IF=`cat /etc/passwd | grep -v "^[[:space:]]*#" | grep $CHAGE_NAME`
        if [[ -n $USER_IF ]];then
                CHAGE_USER=`chage -l ${CHAGE_NAME} | grep "Maximum number"|awk -F ': ' '{print $2}'`
                if [[ $CHAGE_USER != 99999 ]];then
                        echo -e "\e[31mNo.19.请修改${CHAGE_NAME}用户密码有效期为无限期\n\e[0m"
                fi
        fi
done

###banner 20
#检查系统内核参数配置
zhi=`cat /etc/sysctl.conf |grep -v "^[[:space:]]*#" |grep "net.ipv4.conf.all.accept_redirects ="|awk '{print $3}'`
pan=`cat /etc/sysctl.conf |grep -v "^[[:space:]]*#" |grep "net.ipv4.conf.all.accept_redirects ="`
if [ "$pan" ];then
	if [ $zhi != 0 ];then
		echo  -e "\e[31mNo.20.1请检查是否禁止icmp重定向(accept_redirects)\n\e[0m"
	fi
else echo  -e "\e[31mNo.20.2请检查是否禁止icmp重定向(accept_redirects)\n\e[0m"
fi
zhi=`cat /etc/sysctl.conf |grep -v "^[[:space:]]*#" |grep "net.ipv4.conf.all.send_redirects ="|awk '{print $3}'`
pan=`cat /etc/sysctl.conf |grep -v "^[[:space:]]*#" |grep "net.ipv4.conf.all.send_redirects ="`
if [ "$pan" ];then
	if [ $zhi != 0 ];then
		 echo  -e "\e[31mNo.20.3请检查是否禁止icmp重定向(send_redirects)\n\e[0m"
	fi
else echo  -e "\e[31mNo.20.4请检查是否禁止icmp重定向(send_redirects)\n\e[0m"
fi

###banner 21
#file="/etc/ssh/sshd_config"
#if [ -f "$file" ]; then
#	sshversion=`cat $file|grep -v "^[[:space:]]*#"|grep "Protocol"|awk '{print $2}'`
#	if [[ "$sshversion" != "2" ]];then
#		echo  -e "\e[31mNo.21.1请检查ssh协议是否使用版本2\n\e[0m"
#	fi
#else echo -e "\e[31mNo.21.2请检查是否存在/etc/ssh/sshd_config文件\n\e[0m"
#fi

###banner 22
file="/etc/pam.d/login"
if [ -f "$file" ]; then
	Var=`cat $file |grep -v "^[[:space:]]*#" |grep 'auth[[:space:]]*required[[:space:]]*pam_tally2.so[[:space:]]*deny=5[[:space:]]*unlock_time=600[[:space:]]*even_deny_root root_unlock_time=10'`
	if [ $? != 0 ];then
		echo  -e "\e[31mNo.22.1请检查login文件是否设置用户登陆次数失败锁定策略(deny=5,time=600)\n\e[0m"
	fi
else echo  -e "\e[31mNo.22.2请检查是否存在/etc/pam.d/login文件\n\e[0m"
fi

file="/etc/pam.d/sshd"
if [ -f "$file" ]; then
        Var=`cat $file |grep -v "^[[:space:]]*#" |grep 'auth[[:space:]]*required[[:space:]]*pam_tally2.so[[:space:]]*deny=5[[:space:]]*unlock_time=600[[:space:]]*even_deny_root root_unlock_time=10'`
        if [ $? != 0 ];then
                echo -e "\e[31mNo.22.3请检查sshd文件是否设置用户登陆次数失败锁定策略(deny=5,time=600)\n\e[0m"
        fi
else echo -e "\e[31mNo.22.4请检查是否存在/etc/pam.d/sshd文件\n\e[0m"
fi

file="/etc/pam.d/su"
if [ -f "$file" ]; then
        Var=`cat $file |grep -v "^[[:space:]]*#" |grep 'auth[[:space:]]*required[[:space:]]*pam_tally2.so[[:space:]]*deny=[0-9]*[[:space:]]*unlock_time=[0-9]*[[:space:]]*even_deny_root root_unlock_time=10'`
        if [ $? = 0 ];then
                echo -e "\e[31mNo.22.5请将su文件取消掉用户登陆次数失败锁定策略\n\e[0m"
        fi
else echo -e "\e[31mNo.22.6请检查是否存在/etc/pam.d/su文件\n\e[0m"
fi

file="/etc/pam.d/system-auth"
if [ -f "$file" ]; then
	Var=`cat $file |grep -v "^[[:space:]]*#" |grep 'auth[[:space:]]*required[[:space:]]*pam_tally2.so[[:space:]]*deny=5[[:space:]]*unlock_time=600[[:space:]]* even_deny_root root_unlock_time=10' | wc -l`
	var1=`cat $file |grep -v "^[[:space:]]*#" |grep 'auth[[:space:]]*required[[:space:]]*pam_tally2.so[[:space:]]*deny=5[[:space:]]*onerr=fail[[:space:]]*no_magic_root[[:space:]]*unlock_time=600' | wc -l`
        if [ -z $var ];then
		if [ -z $var1 ];then
                	echo -e "\e[31mNo.22.7请检查system-auth文件是否设置用户登陆次数失败锁定策略(deny=5,time=600)\n\e[0m"
		fi
	fi
	Var=`cat $file|grep -v "^[[:space:]]*#" |grep 'account[[:space:]]*required[[:space:]]*pam_tally2.so\>'`
	if [ $? != 0 ];then
		echo  -e "\e[31mNo.22.8请检查system-auth文件是否设置用户登陆次数失败锁定略\n\e[0m"
	fi
else echo  -e "\e[31mNo.22.9请检查是否存在/etc/pam.d/system-auth文件\n\e[0m"
fi


###banner 23
#检查是否禁止root用户远程telnet登录
file="/etc/pam.d/login"
if [ -f "$file" ]; then
	Var=`cat $file |grep -v "^[[:space:]]*#" |grep 'auth[[:space:]]*required[[:space:]]*pam_securetty.so\>'`
	if [ $? != 0 ];then
		echo -e "\e[31mNo.23.1请检查是否禁止root用户远程telnet登录\n\e[0m"
	fi
else echo -e "\e[31mNo.23.2请检查是否存在/etc/pam.d/login文件\n\e[0m"
fi

###banner 24
#检查重要目录或文件权限设置
#chmod 600?
Etcx_File_Permissions=(/etc/xinetd.conf /etc/security /etc/grub.conf /boot/grub/grub.conf /etc/lilo.conf)
for Files in ${Etcx_File_Permissions[*]}
do
	if [[ -z ${Files} ]];then
                zhi=`stat -c %a ${Files} 2> /dev/null`
                if [[ $zhi != 600 ]];then
                        echo -e "\e[31mNo.24.1请检查${Files}重要目录或文件权限设置为600\n\e[0m"
                fi
#        else echo -e "\e[31mNo.24.2请检查是否有${Files}存在\n\e[0m"
        fi
done

#chmod 750?
Etcx_File_Permissions=(/etc/rc.d/init.d/ /etc/rc0.d/ /etc/rc1.d/ /etc/rc2.d/ /etc/rc3.d/ /etc/rc4.d/ /etc/rc5.d/ /etc/rc6.d/)
for Files in ${Etcx_File_Permissions[*]}
do
	ETC_Files=`ls -ld ${Files} 2> /dev/null|awk '{print $NF}'`
	if [[ -n ${ETC_Files} ]];then
		zhi=`stat -c %a ${ETC_Files} 2> /dev/null`
		if [[ $zhi != 750 ]];then
			echo -e "\e[31mNo.24.2请检查${ETC_Files}重要目录或文件权限设置为750\n\e[0m"
		fi
#	else echo -e "\e[31mNo.24.4请检查是否有${ETC_Files}存在\n\e[0m"
	fi
done

###banner 25
#检查用户umask设置
Files="/etc/csh.cshrc"
LOGIN_UMASK_VALUE=`egrep 'umask|UMASK' ${Files} |grep -v '#'|head -n1|awk '{print $NF}'`
if [ -n $Files ];then	
	if [[ ${LOGIN_UMASK_VALUE} != "077" ]];then
		echo -e "\e[31mNo.25.1请检查${Files}用户umask设置\n\e[0m"
	fi
#else echo -e "\e[31mNo.25.2请检查${Files}用户是否存在\n\e[0m"
fi

Files="/etc/csh.login"
LOGIN_UMASK_VALUE=`egrep 'umask|UMASK' ${Files} |grep -v '#'|head -n1|awk '{print $NF}'`
if [ -n $Files ];then
        if [[ ${LOGIN_UMASK_VALUE} != "077" ]];then
                echo -e "\e[31mNo.25.2请检查${Files}用户umask设置\n\e[0m"
        fi
fi

Files="/etc/bashrc"
LOGIN_UMASK_VALUE=`egrep 'umask|UMASK' ${Files} |grep -v '#'|head -n1|awk '{print $NF}'`
if [ -n $Files ];then
        if [[ ${LOGIN_UMASK_VALUE} != "077" ]];then
                echo -e "\e[31mNo.25.3请检查${Files}文件用户umask设置\n\e[0m"
        fi
else echo -e "\e[31mNo.25.3请检查${Files}文件用户是否存在\n\e[0m"
fi

###banner 26
#Files="/etc/snmp/snmpd.conf"
#if [ -f $Files ];then
#	Snmpd_VAR=`grep 'com2sec'  ${Files} |grep -v '#'|awk '{print $NF}'`
#	if [[ ${Snmpd_VAR} == "public" ]];then
#		echo -e "\e[31mNo.26.1请检查是否修改snmp默认团体字\n\e[0m"
#	elif [[ ${Snmpd_VAR} != "GnNetworkRO" ]];then
#		echo -e "\e[31mNo.26.2snmp默认团体字为${Snmpd_VAR},是否要统一?\n\e[0m"
#	fi
#else echo -e "\e[31mNo.26.3没有${Files}文件,请确认是否要添加?\n\e[0m"
#fi

###banner 27
#检查是否关闭不必要的服务和端口
system_version=`uname -r|grep el7`
if [[ -n ${system_version}  ]];then
	state=`systemctl list-unit-files |egrep "kshell|'^time/>'|'^time-udp'|ntalk|sendmail|klogin|printer|nfslock|echo|echo-udp|discard|chargen|bootps|tftp|nfs|daytime|ypbind|ident"|awk '{print $NF}'| grep enabled`
        if [[ -n $state ]];then
		echo -e "\e[31mNo.27.2请检查是否关闭不必要的服务和端口\n\e[0m"
        fi
fi

###banner 28
#检查系统core dump设置
Value=(hard soft)
Files="/etc/security/limits.conf"
zhi=`cat $Files |grep -v "^[[:space:]]*#" | grep \*[[:space:]]*$Value[[:space:]]*core[[:space:]]*0 |wc -l`
if [ -n $Files ];then
        for Var in ${Value[*]}
        do
        zhi=`cat $Files |grep -v "^[[:space:]]*#" | grep \*[[:space:]]*$Var[[:space:]]*core[[:space:]]*0 |wc -l`
                if [[ $zhi == 0 ]];then
                        echo -e "\e[31mNo.28.1请检查${Files}文件系统core dump设置中的${Var}部分\n\e[0m"
                fi
                if [[ $zhi -gt 1 ]];then
                        echo -e "\e[31mNo.28.2请检查${Files}文件系统core dump设置中的${Var}部分是否有重复项\n\e[0m"
                fi
        done
else echo -e "\e[31mNo.28.3没有${Files}文件\n\e[0m"
fi


###banner 29
#检查别名文件/etc/aliases(或/etc/mail/aliases)配置
Files=/etc/aliases
Files2=/etc/mail/aliases
NAMES=(games: ingres: system: toor: uucp: manager: dumper: operator: decode: root:)
for Ali in ${NAMES[*]}
do
	zhi=`cat $Files | grep ${Ali} |awk -F : '{print $1}'`
	if [ -n $Files ];then
		if [[ "$zhi:" == $Ali ]];then
			echo -e "\e[31mNo.29.1请检查别名文件${Files}中的 ${Ali}是否修改\n\e[0m"
		fi
	fi
	if [[ -f $Files2 ]];then
		if [[ "$zhi:" == $Ali ]];then
                        echo -e "\e[31mNo.29.2请检查别名文件${Files2}中的 ${Ali}是否修改\n\e[0m"
		fi
	fi
done


###banner 31
#检查是否关闭IP伪装和绑定多IP功能
Host_Conf="/etc/host.conf"
if [[ -f ${Host_Conf} ]];then
	CONFIG=(multi nospoof)
	for Var in ${CONFIG[*]}
        do
		zhi=`grep "${Var}[[:space:]]*" ${Host_Conf}|awk '{print $NF}'`
		if [[ $zhi != "on" ]];then
			echo -e "\e[31mNo.31.1请检查${Host_Conf}中${Var}是否配置正确\n\e[0m"
		fi 
	done
	ORDER=`grep 'order[[:space:]]*' ${Host_Conf}`
	if [[ -z ${ORDER} ]];then
		echo -e "\e[31mNo.31.2请检查${Host_Conf}中是否绑定多IP功能\n\e[0m"
	fi
else echo -e "\e[31mNo.32.3没有${Host_Conf}文件\n\e[0m"
fi

###banner 32
#检查是否存在心血漏洞
#Openssl_version_Fact=`openssl version|awk '{print $2}'| cut -d - -f 1`
#if [[ $Openssl_version_Fact ]];then
#	Openssl_version_Name=(1.0.0 1.0.1f 1.0.1e 1.0.1d 1.0.1c 1.0.1b 1.0.1 1.0.2-beta 1.0.2-beta1)
#	for Var in ${Openssl_version_Name[*]}
#	do
#		if [[ ${Var} == ${Openssl_version_Fact} ]];then
#			echo -e "\e[31mNo.32.1存在心血漏洞,openssl版本为${Var}\n\e[0m" 
#		fi
#	done
#fi

###banner 33
#检查是否禁止ip路由转发
files=/etc/sysctl.conf
system_version=`uname -r|grep el7`
if [[ -n ${system_version}  ]];then
        Value=`/usr/sbin/sysctl -n net.ipv4.ip_forward`
        Values=`cat ${files} | grep -v "^[[:space:]]*#"| grep 'net.ipv4.ip_forward' | awk -F = '{print $NF}'|awk '{print $NF}'|uniq`
        if [ -f $files ];then
                if [[ ${Value} = 0 ]];then
                        if [[ $Values != 0 ]];then
                                echo -e "\e[31mNo.33.1请检查是否禁止ip路由转发\n\e[0m"
                        fi
                else echo -e "\e[31mNo.33.2请检查是否禁止ip路由转发\n\e[0m"
                fi
        else echo -e "\e[31mNo.33.3没有${files}文件\n\e[0m"
        fi
fi

system_version=`uname -r|grep el6`
if [[ -n ${system_version}  ]];then
        Value=`/sbin/sysctl -n net.ipv4.ip_forward`
        Values=`cat ${files} | grep -v "^[[:space:]]*#"| grep 'net.ipv4.ip_forward'| awk -F = '{print $NF}'|awk '{print $NF}'|uniq`
        if [ -f $files ];then
                if [[ ${Value} = 0 ]];then
                        if [[ $Values != 0 ]];then
                                echo -e "\e[31mNo.33.4请检查是否禁止ip路由转发\n\e[0m"
                        fi
                else echo -e "\e[31mNo.33.5请检查是否禁止ip路由转发\n\e[0m"
                fi
        else echo -e "\e[31mNo.33.6没有${files}文件\n\e[0m"
        fi
fi

###banner 34
#修改FTP 相关配置信息
Ftp_Dir=(/etc/vsftpd.conf /etc/vsftpd/vsftpd.conf)
for ftp in ${Ftp_Dir[*]}
do
	if [[ -f ${ftp} ]];then
		Value=`cat ${ftp} | grep -v "^[[:space:]]*#" | grep 'ftpd_banner=[[:space:]]*' | awk -F = '{print $NF}'`
		if [[ ${Value} ]];then
			Netstat=`netstat -npl | grep vsftpd`
			zhi="\"Authorized users only. All activity may be monitored and reported.\""
			if [[ "${Value}" != ${zhi} ]];then
				echo -e "\e[31mNo.34.2请检查FTP Banner信息是否准确\n\e[0m"
			fi
			if [[ $Netstat ]];then
				Status="vsftpd服务处于开启"
			else Status="vsftpd服务处于关闭"
			fi
		else echo -e "\e[31mNo.34.1请检查是否修改FTP Banner信息? ${Status}\n\e[0m"
		fi

		LS_RECURSE_ENABLE=`cat ${ftp}|grep -v "^[[:space:]]*#"|grep -i "ls_recurse_enable="`
		LS_RECURSE_ENABLE_YES=`cat ${ftp}|grep -v "^[[:space:]]*#"|grep -i "ls_recurse_enable=YES" |awk -F'=' '{print $NF}'| tail -n 1`
		LS_RECURSE_ENABLE_NO=`cat ${ftp}|grep -v "^[[:space:]]*#"|grep -i "ls_recurse_enable=NO" |awk -F'=' '{print $NF}'| tail -n 1`
		if [[ -n $LS_RECURSE_ENABLE ]];then
                        if [[ $LS_RECURSE_ENABLE_NO = NO ]];then
                                if [[ $LS_RECURSE_ENABLE_YES = YES ]];then
                                	echo -e "\e[35mNo.34.3请检查FTP中ls_recurse_enable是否有NO项?${Status}\n\e[0m"
                        	else echo -e "\e[35mNo.34.4请检查FTP中ls_recurse_enable是否配置正确?${Status}\n\e[0m"
				fi
                        fi
                else echo -e "\e[35mNo.34.5请检查FTP中ls_recurse_enable是否配置?${Status}\n\e[0m"
                fi

		LOCAL_UMASK=`cat ${ftp} |grep -v "^[[:space:]]*#" |grep "local_umask[[:space:]]*=[[:space:]]*022"`
		if [[ -z $LOCAL_UMASK ]];then
                        echo -e "\e[31mNo.34.6请检查FTP中local_umask是否配置?${Status}\n\e[0m"
                fi

		ANON_UMASK=`cat ${ftp} |grep -v "^[[:space:]]*#" | grep "anon_umask[[:space:]]*=[[:space:]]*022"  |awk -F'=' '{print $NF}'`
		if [[ -z $ANON_UMASK ]];then
			echo -e "\e[31mNo.34.7请检查FTP中anon_umask是否配置?${Status}\n\e[0m"
		fi

		CHROOT_LIST=`cat ${ftp} |grep -v "^[[:space:]]*#" |grep 'chroot_list_enable='`
		CHROOT_LIST_YES=`cat ${ftp} |grep -v "^[[:space:]]*#" |grep 'chroot_list_enable=YES' |awk -F'=' '{print $NF}'| tail -n 1`
		CHROOT_LIST_NO=`cat ${ftp} |grep -v "^[[:space:]]*#" |grep 'chroot_list_enable=NO' |awk -F'=' '{print $NF}' | tail -n 1`
		if [[ -n $CHROOT_LIST ]];then
			if [[ $CHROOT_LIST_NO = NO ]];then
				if [[ $CHROOT_LIST_YES = YES ]];then		
                        		echo -e "\e[35mNo.34.8请检查FTP中chroot_list是否有NO项?${Status}\n\e[0m"
				else echo -e "\e[35mNo.34.9请检查FTP中chroot_list是否配置正确?${Status}\n\e[0m"
				fi
			fi
		fi

		ANONYMOUS_YES=`cat ${ftp} |grep -v "^[[:space:]]*#" |grep 'anonymous_enable=YES' |awk -F'=' '{print $NF}'| tail -n 1`
		ANONYMOUS_NO=`cat ${ftp} |grep -v "^[[:space:]]*#" |grep 'anonymous_enable=NO' |awk -F'=' '{print $NF}' | tail -n 1`
		if [[ $ANONYMOUS_YES = YES ]];then
			if [[ $ANONYMOUS_NO = NO ]];then
				echo -e "\e[35mNo.34.11请检查FTP中anonymous_enable是否仍有YES项?${Status}\n\e[0m"
			else echo -e "\e[35mNo.34.12请检查FTP中anonymous是否配置为YES?${Status}\n\e[0m"
			fi
                fi

                CHROOT_LOCAL=`cat ${ftp} |grep -v "^[[:space:]]*#" |grep 'chroot_local_user='`
                CHROOT_LOCAL_YES=`cat ${ftp} |grep -v "^[[:space:]]*#" |grep 'chroot_local_user=YES'| uniq |wc -l`
                CHROOT_LOCAL_NO=`cat ${ftp} |grep -v "^[[:space:]]*#" |grep 'chroot_local_user=NO' |uniq |wc -l`
                if [[ -n $CHROOT_LOCAL ]];then
                        if [[ $CHROOT_LOCAL_NO = 0 ]];then
                                if [[ $CHROOT_LOCAL_YES -ge 1 ]];then
                                        echo -e "\e[35mNo.34.13请检查FTP中chroot_local_user是否仍有YES项?${Status}\n\e[0m"
                                else echo -e "\e[35mNo.34.14请检查FTP中chroot_local_user是否配置为NO,不是请整改!${Status}\n\e[0m"
                                fi
                        fi
                else echo -e "\e[35mNo.34.15请检查FTP中chroot_local_user是否配置?${Status}\n\e[0m"
                fi
	fi
done

###banner 36
#检查是否限制远程登录IP范围
HOSTS_FILES=(/etc/hosts.allow /etc/hosts.deny)
for var in ${HOSTS_FILES[*]}
do
        if [[ -f $var ]];then
                zhi=`cat $var | grep -v "^[[:space:]]*#" |grep all`
                if [[ -z $zhi ]];then
			echo -e "\e[33mNo.36.1请检查${var}文件是否限制远程登录IP范围?是否配置all:all,该项配置有风险,请现场工程师确认allow文件没问题后再进行配置?\n\e[0m"
                fi
        else echo -e "\e[31mNo.36.2请检查${var}文件是否存在?\n\e[0m"
        fi
done

###banner 37
# 禁止IP源路由
files=/proc/sys/net/ipv4/conf/*/accept_source_route
for route in $files
do
	ROUTE=`cat $route |grep -v "^[[:space:]]*#"`
	if [ $ROUTE != 0 ];then
		echo -e "\e[31mNo.37.1请检查${route}文件是否禁止IP源路由?\n\e[0m"
	fi
done
zhi=`cat /etc/rc.local | grep 'echo 0 > /proc/sys/net/ipv4/conf/lo/accept_source_route' |wc -l`
if [[ $zhi == 0 ]];then
	echo -e "\e[31mNo.37.1请检查/etc/rc.local文件是否添加开机启动禁止lo的IP源路由项?\n\e[0m"
fi

###banner 38
#别名修改
files=~/.bashrc
BASHA=`cat $files | grep -v "^[[:space:]]*#" | grep "ls='ls -aol'"`
BASHB=`cat $files | grep -v "^[[:space:]]*#" | grep "rm='rm -i'"`
if [[ -z $BASHA ]];then
	echo -e "\e[31mNo.38.1请检查${files}文件中ls是否修改别名?\n\e[0m"
fi
if [[ -z $BASHB ]];then	
	echo -e "\e[31mNo.38.2请检查${files}文件中rm是否修改别名?\n\e[0m"
fi

###banner 39(与banner 5重了)
# 检查root用户,除root用户外 Uid 为0 用户,不做操作 只记录 日志。
#USERS_ID=`awk -F: '($3 == 0) { print $1 }' /etc/passwd|grep -v root`
#if [[ -n ${USERS_ID} ]];then
#        echo -e "\e[31mNo.39.1请检查除root用户外是否存在Uid为0的用户?\n\e[0m"
#fi

###banner 40
# 将gnamd 用户添加到visudo中
Value=`grep "gnamd[[:space:]]*ALL=(ALL)*[[:space:]]*NOPASSWD: ALL*" /etc/sudoers`
if [[ -z ${Value}  ]];then
        echo -e "\e[31mNo.40.1请检查visudo中是否存在gnamd用户?\n\e[0m"
fi

###banner 41
#更改telnet端口
FILES=/etc/services
TELNET_TCP=`cat $FILES | grep "^\<telnet\>" |grep tcp |awk '{print $NF}' | awk -F / '{print $1}'`
TELNET_UDP=`cat $FILES | grep "^\<telnet\>" |grep udp |awk '{print $NF}' | awk -F / '{print $1}'`
VAR=($TELNET_TCP $TELNET_UDP)
for zhi in ${VAR[*]}
do
	if [[ $zhi = 23  ]];then
		echo -e "\e[31mNo.41.1请检查${FILES}文件中telnet端口是否未更改?\n\e[0m"
	elif [[ $zhi != 23000 ]];then
		echo -e "\e[31mNo.41.2请检查${FILES}文件中telnet端口是否为指定端口?\n\e[0m"
	fi
done

###banner 42
#检查安全日志权限是否为640(启明会查)
files=`cat /etc/rsyslog.conf | grep -v "^[[:space:]]*#"|awk '(($2!~/@/) && ($2!~/*/) && ($2!~/-/)) {print $2}'`
zhi=`ls -l $files 2>/dev/null | grep -v 'total 4'|grep -v ""[r-][w-]-[r-]-----"" |awk '{print $9}'`
for filesname in ${zhi[*]}
do
	echo -e "\e[31mNo.42请检查${filesname}权限是否大于640,大于请整改!\n\e[0m"
done
#输出检查命令的不合格文件(参考时可单独执行)
#ls -l `cat /etc/rsyslog.conf | grep -v ""^[[:space:]]*#""|awk '(($2!~/@/) && ($2!~/*/) && ($2!~/-/)) {print $2}'` 2>/dev/null|grep -v ""[r-][w-]-[r-]-----""|awk '{print $1"" ""$8"" ""$9}'

###banner 43
#检查历史大小条数
file=/etc/profile
histsize=`cat $file |grep -v "^[[:space:]]*#" |grep HISTSIZE= | awk -F = '{print $NF}' |uniq -c|awk '{print $2}'`
histfilesize=`cat $file |grep -v "^[[:space:]]*#" |grep HISTFILESIZE= | awk -F = '{print $NF}' |uniq -c|awk '{print $2}'`
if [[ $histsize != 5 ]];then
	echo -e "\e[31mNo.43.1请检查$file中的HISTSIZE大小值是否为5,不是请整改!\n\e[0m"
fi
for zhi in ${histfilesize[*]}
do
	if [[ $zhi != 5 ]];then
		echo -e "\e[31mNo.43.2请检查$file中的HISTFILESIZE大小值是否为5,不是请整改!\n\e[0m"
	fi
done

###banner 44
#检查telnet服务是否存在
telnetrpm=`rpm -qa | grep telnet`
files=/etc/xinetd.d/telnet
if [[ -n $telnetrpm ]];then
	if [[ -f $files ]];then
		zhi=`cat /etc/xinetd.d/telnet |grep 'disable[[:space:]]*=[[:space:]]*yes'` 
		if [[ -z $zhi ]];then
			echo -e "\e[31mNo.44.1请检查$files中的telnet是否为disable,不是请整改!\n\e[0m"
		fi
	else
		echo -e "\e[31mNo.44.2已安装telnet包,请添加$files文件!\n\e[0m"
	fi
fi
		
echo "###THE END###"

发表评论

您的电子邮箱地址不会被公开。 必填项已用*标注

此站点使用Akismet来减少垃圾评论。了解我们如何处理您的评论数据

open