Security inspection script (split into modules)
Security inspection
Version and IP information

echo -------------IP and version-------------------
echo -------------IP address-------------------
echo "Checking IP addresses....."
# "ip -o addr" is the modern equivalent; ifconfig is kept because the rest of the script uses it
ip=$(ifconfig -a | grep -w inet | awk '{print $2}')
if [ -n "$ip" ];then
    (echo "[*]IP addresses of this host:" && echo "$ip")
else
    echo "[!!!]No IP address is configured on this host"
fi
printf "\n"
echo -------------Version information------------------
echo "Checking the kernel version....."
corever=$(uname -a)
if [ -n "$corever" ];then
    (echo "[*]Kernel version:" && echo "$corever")
else
    echo "[!!!]No kernel version information found"
fi
printf "\n"
echo "Checking the distribution release....."
# /etc/redhat-release only exists on RHEL-family systems; fall back to /etc/os-release elsewhere
systemver=$(cat /etc/redhat-release 2>/dev/null || grep ^PRETTY_NAME /etc/os-release 2>/dev/null)
if [ -n "$systemver" ];then
    (echo "[*]Distribution release:" && echo "$systemver")
else
    echo "[!!!]No release information found"
fi
printf "\n"

ARP attack check
echo -------------ARP------------------
echo -------------ARP table-------------
echo "Listing the ARP table....."
arp=$(arp -a -n)
if [ -n "$arp" ];then
    (echo "[*]ARP table:" && echo "$arp")
else
    echo "[No ARP table found]"
fi
printf "\n"
echo -------------ARP attack-------------
echo "Checking for ARP spoofing....."
# One MAC address answering for several IPs is the usual spoofing symptom. $4 of "arp -a -n"
# is the MAC and $2 the "(IP)". The original tested $2 inside END, where it only holds the
# last line's IP, so the IPs are now collected per MAC and printed with the count.
# $danger_file (the findings file) is defined in the header of the full script, which this page omits.
arpattack=$(arp -a -n | awk '$3=="at" {ip=$2; gsub(/[()]/,"",ip); ++S[$4]; IP[$4]=IP[$4]" "ip} END {for(a in S) if(S[a]>1) print a,S[a] IP[a]}')
if [ -n "$arpattack" ];then
    (echo "[!!!]Possible ARP spoofing (MAC, count, IPs):" && echo "$arpattack") | tee -a $danger_file
else
    echo "[*]No ARP spoofing detected"
fi
printf "\n"
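The ARP check keys on one MAC claiming several IPs. The following is an added example, not part of the original script: it applies the same heuristic to `arp -a -n` output read from stdin, collects the IPs per MAC, skips `<incomplete>` entries and prints only MACs seen more than once. The ARP table in the block is constructed for the demo; the `arp_check_live` wrapper and its messages are my additions. Legitimate duplicates exist (a router carrying several addresses on one interface, VRRP/HSRP virtual IPs), so a hit is a prompt to compare the MAC with the known gateway, not a verdict.

```shell
#!/bin/sh
# Added example, not from the original script: ARP-spoofing heuristic over "arp -a -n".
# Constructed sample table: 00:11:22:33:44:55 answers for two different IPs.
SAMPLE_ARP='? (192.168.1.1) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.10) at aa:bb:cc:dd:ee:01 [ether] on eth0
? (192.168.1.20) at 00:11:22:33:44:55 [ether] on eth0
? (192.168.1.30) at <incomplete> on eth0'

# Reads "arp -a -n" lines on stdin. Prints "MAC count ip1 ip2 ..." for every MAC that
# answers for more than one IP. Lines without a resolved MAC (<incomplete>) are skipped.
arp_duplicates() {
    awk '$3 == "at" && $4 ~ /^[0-9a-fA-F:]+$/ && length($4) == 17 {
            ip = $2; gsub(/[()]/, "", ip)          # "(192.168.1.1)" -> "192.168.1.1"
            mac = tolower($4)
            n[mac]++; ips[mac] = ips[mac] " " ip
         }
         END { for (m in n) if (n[m] > 1) print m, n[m] ips[m] }'
}

# Same heuristic against the live table of this host; returns 1 when a duplicate MAC is seen.
arp_check_live() {
    dup=$(arp -a -n 2>/dev/null | arp_duplicates)
    if [ -n "$dup" ]; then
        echo "[!!!]Possible ARP spoofing (MAC, count, IPs):"
        echo "$dup"
        return 1
    fi
    echo "[*]No MAC answers for more than one IP"
    return 0
}

# Demo on the constructed table
printf '%s\n' "$SAMPLE_ARP" | arp_duplicates
```

On a host with the `ip` tool only, `ip -4 neigh` prints `IP dev IFACE lladdr MAC STATE`; the same awk works after swapping the field numbers ($1 for the IP, $5 for the MAC).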
Open ports and high-risk ports

Open port script
echo ------------Port status-----------------
echo -------------Open ports--------------
echo -------------Open TCP ports--------------
# A port bound to 127.0.0.1 is reachable only from this host. A port bound to 0.0.0.0 or ::
# (all interfaces) or to a specific interface address such as 192.168.1.1 is reachable from
# the network; the check below singles out the all-interfaces case as the original did.
# netstat needs root to fill in the PID/Program column; "ss -lntp" is the modern replacement.
echo "Checking open TCP ports....."
# Take the port after the last ":" of the local address so IPv6 ":::22" parses like "0.0.0.0:22",
# and the program name after the "/" of the PID/Program column.
listenport=$(netstat -anltp 2>/dev/null | grep LISTEN | awk '{n=split($4,a,":"); split($7,p,"/"); printf "%-20s%-10s\n",a[n],p[2]}' | sort -n | uniq)
if [ -n "$listenport" ];then
    (echo "[*]Open TCP ports and their services:" && echo "$listenport")
else
    echo "[!!!]No TCP ports are open"
fi
printf "\n"
accessport=$(netstat -anltp 2>/dev/null | grep LISTEN | awk '$4 ~ /^(0\.0\.0\.0|::):[0-9]+$/ {n=split($4,a,":"); split($7,p,"/"); printf "%-20s%-10s\n",a[n],p[2]}' | sort -n | uniq)
if [ -n "$accessport" ];then
    (echo "[!!!]The following TCP ports are open to the LAN or the Internet, check them!" && echo "$accessport")
else
    echo "[*]No TCP port is open to the LAN or the Internet"
fi
printf "\n"
echo -------------Open UDP ports--------------
echo "Checking open UDP ports....."
# UDP sockets have no State column, so the PID/Program field is $NF
udpopen=$(netstat -anlup 2>/dev/null | awk '$4 ~ /:[0-9]+$/ {n=split($4,a,":"); split($NF,p,"/"); printf "%-20s%-10s\n",a[n],p[2]}' | sort -n | uniq)
if [ -n "$udpopen" ];then
    (echo "[*]Open UDP ports and their services:" && echo "$udpopen")
else
    echo "[!!!]No UDP ports are open"
fi
printf "\n"
udpports=$(netstat -anlup 2>/dev/null | awk '$4 ~ /^(0\.0\.0\.0|::):[0-9]+$/ {n=split($4,a,":"); print a[n]}' | sort -n | uniq)
if [ -n "$udpports" ];then
    # The original probed each port with "nc -uz 127.0.0.1 $port". UDP has no handshake, so nc
    # reports success unless an ICMP port-unreachable comes back; the probe adds nothing to the
    # bind-address test above and is left out.
    echo "[*]The following UDP ports are bound to all interfaces:"
    echo "$udpports"
else
    echo "[*]No UDP port is bound to all interfaces."
fi
printf "\n"

High-risk port list
The check script in the next module reads this list from /tmp/dangerstcpports (TCP) and /tmp/dangersudpports (UDP), one port:description[:process] entry per line. Most entries are historical Windows-era Trojan ports plus mining-pool ports, so a match is a lead to investigate, not proof of compromise.

#Viruses and Trojans
31:Trojan Master Paradise, HackersParadise
99:backdoor ncx99
121:Trojan BO jammerkillahV
135:DCOM service, exploited by the Blaster worm, recommended to close
445:Microsoft-DS, open by default for file sharing, exploited by the Sasser worm, should normally be closed
456:Trojan HACKERS PARADISE
555:Trojan PhAse1.0, Stealth Spy, IniKiller
666:Trojan Attack FTP, Satanz Backdoor
1001:Trojan Silencer, WebEx
1011:Trojan Doly
1024:start of the dynamic port range, Trojan yai
1025:inetinfo.exe (Internet Information Services), Trojan netspy
1070:Trojan Psyber Stream, Streaming Audio
1234:Trojan SubSeven2.0, Ultors Trojan
1243:Trojan SubSeven1.0/1.9
1245:Trojan Vodoo, GabanBus, NetBus, Vodoo
1492:Trojan FTP99CMP
1509:Trojan Psyber Streaming Server
1524:many attack scripts install a backdoor shell on this port
1524:FreeBSD (FBRK) Rootkit backdoor
1600:Trojan Shivka-Burka
1807:Trojan SpySender
1981:Trojan ShockRave
1984:Fuckit Rootkit
1999:Trojan BackDoor, yai
2000:Trojan GirlFriend 1.3, Millenium 1.0
2001:Trojan Millenium 1.0, Trojan Cow, 黑洞2001 (Black Hole 2001)
2006:CB Rootkit or w00tkit Rootkit SSH server
2023:Trojan Pass Ripper
2115:Trojan Bugs
2128:MRK
2140:Trojan Deep Throat 1.0/3.0, The Invasor
2565:Trojan Striker
2583:Trojan Wincrash 2.0
2801:Trojan Phineas Phucker
2847:Norton antivirus service
3024:Trojan WinCrash
3129:Trojan Master Paradise
3150:Trojan The Invasor, deep throat
3210:Trojan SchoolBus
3333:Trojan Prosiak
3700:Trojan Portal of Doom
3996:Trojan RemoteAnything
4060:Trojan RemoteAnything
4092:Trojan WinCrash
4590:Trojan ICQTrojan
4950:Trojan IcqTrojan
5000:Trojan blazer5, Sockets de Troie opens port 5000 by default, should normally be closed
5001:Trojan Sockets de Troie
5321:Trojan Sockets de Troie
5400:Trojan Blade Runner
5401:Trojan Blade Runner
5402:Trojan Blade Runner
5550:Trojan xtcp
5569:Trojan Robo-Hack
5742:Trojan WinCrash1.03
6267:Trojan 廣外女生 (Guangwai Girl)
6400:Trojan The tHing
6666:rogue IRC bot
6667:rogue IRC bot
6668:rogue IRC bot
6669:rogue IRC bot
6670:Trojan Deep Throat
6671:Trojan Deep Throat 3.0
6883:Trojan DeltaSource
6939:Trojan Indoctrination
6969:Trojan Gatecrasher, Priority
7000:Trojan Remote Grab
7000:Possible rogue IRC bot
7300:Trojan NetMonitor
7301:Trojan NetMonitor
7306:Trojan NetMonitor, NetSpy1.0
7307:Trojan NetMonitor
7308:Trojan NetMonitor
7511:Trojan 聰明基因 (Smart Gene)
7597:Trojan Quaz
7626:Trojan 冰河 (Glacier)
7676:Trojan Giscier
7789:Trojan ICKiller
8011:Trojan way2.4
8225:Trojan 灰鴿子 (Gray Pigeon)
8311:Trojan 初戀情人 (First Love)
9400:Trojan Incommand 1.0
9401:Trojan Incommand 1.0
9402:Trojan Incommand 1.0
9872:Trojan Portal of Doom
9873:Trojan Portal of Doom
9874:Trojan Portal of Doom
9875:Trojan Portal of Doom
9899:Trojan InIkiller
9989:Trojan iNi-Killer
10067:Trojan iNi-Killer
10167:Trojan iNi-Killer
11000:Trojan SennaSpy
11233:Trojan Progenic trojan
12076:Trojan Telecommando
12223:Trojan Hack'99 KeyLogger
12345:Trojan NetBus1.60/1.70, GabanBus
12346:Trojan NetBus1.60/1.70, GabanBus
12361:Trojan Whack-a-mole
13000:Possible Universal Rootkit (URK) SSH server
14856:Optic Kit (Tux)
16959:Trojan Subseven
16969:Trojan Priority
19191:Trojan 藍色火焰 (Blue Flame)
20000:Trojan Millennium
20001:Trojan Millennium
20034:Trojan NetBus Pro
21554:Trojan GirlFriend
22222:Trojan Prosiak
23444:Trojan 網絡公牛 (NetBull)
23456:Trojan Evil FTP, Ugly FTP
25000:Possible Universal Rootkit (URK) component
26274:Trojan Delta
27374:Trojan Subseven 2.1
29812:FreeBSD (FBRK) Rootkit default backdoor port
30100:Trojan NetSphere
30129:Trojan Masters Paradise
30303:Trojan Socket23
30999:Trojan Kuang
31337:Trojan BO (Back Orifice)
31337:Historical backdoor port
31338:Trojan BO (Back Orifice), DeepBO
31339:Trojan NetSpy DK
31666:Trojan BOWhack
32982:Solaris Wanuk
33333:Trojan Prosiak
33369:Volc Rootkit SSH server (divine)
34324:Trojan Tiny Telnet Server, BigGluck, TN
40412:Trojan The Spy
40421:Trojan Masters Paradise
40422:Trojan Masters Paradise
40423:Trojan Masters Paradise
40426:Trojan Masters Paradise
43210:Trojan SchoolBus 1.0/2.0
44445:Trojan Happypig
47018:Possible Universal Rootkit (URK) component
47107:T0rn
47262:Trojan Delta
50505:Trojan Sockets de Troie
50766:Trojan Fore
53001:Trojan Remote Windows Shutdown
54320:Trojan bo2000
54321:Trojan SchoolBus 1.0/2.0
60922:zaRwT.KiT
61466:Trojan Telecommando
62883:Possible FreeBSD (FBRK) Rootkit default backdoor port
65000:Trojan Devil 1.03
65535:FreeBSD Rootkit (FBRK) telnet port
#Mining pools
#Format: port:mining type description:process name
#X means the process name is unknown
1111:mining Trojan:X
2222:mining Trojan:X
3333:mining Trojan:X
3367:ZCL mining Trojan (zclassic.f2pool.com):ZecMiner64
3377:ZEN mining Trojan (zencash.f2pool.com):ZecMiner64
3636:RVN mining Trojan (raven.f2pool.com):(sgminer|ccminer)
4444:mining Trojan:X
5555:mining Trojan:X
5730:DCR mining Trojan (dcr.f2pool.com):
5740:multi-coin mining Trojan ([raven|xzc|dcr].f2pool.com):(ccminer|sgminer|cpuminer-avx2)
5750:PGN mining Trojan (pigeon.f2pool.com):(sgminer|ccminer)
6666:mining Trojan:X
6688:ETH mining Trojan (eth.f2pool.com):EthDcrMiner64
7777:ETH mining Trojan (eth.f2pool.com):EthDcrMiner64
8008:ETH mining Trojan (eth.f2pool.com):EthDcrMiner64
8118:ETC mining Trojan (etc.f2pool.com):EthDcrMiner64
8220:8220 mining Trojan:X
8332:mining Trojan:X
8333:mining Trojan:X
8888:mining Trojan:X
9008:XVG mining Trojan (xvg-blake2s.f2pool.com):ccminer
9009:XVG mining Trojan (xvg-scrypt.f2pool.com):X
9010:XVG mining Trojan (xvg-x17.f2pool.com):sgminer
9011:XVG mining Trojan (xvg-groestl.f2pool.com):X
9012:XVG mining Trojan (xvg-lyra.f2pool.com):(sgminer|ccminer)
9221:BTM mining Trojan (btm.f2pool.com):(HSPMinerBTMiner_NebuTech)
9327:litecoin mining:X
9332:bitcoin mining:X
9501:BCD mining Trojan (bcd-pool.beepool.org):ccminer
9502:BTM mining Trojan (btm-pool.beepool.org):BTMinerNebuTech
9503:HC mining Trojan (hc-pool.beepool.org):X
9504:SUQA mining Trojan (suqa-pool.beepool.org):X
9505:AE mining Trojan (ae-pool.beepool.org):(bminer|qskg_ae|HSPMinerAE)
9507:BEAM mining Trojan (beam-pool.beepool.org):beam-cuda-miner
9509:DASH mining Trojan (dash-pool.beepool.org):X
9510:GRIN mining Trojan (grin-pool.beepool.org):miner
9518:ETC mining Trojan (etc-pool.beepool.org):EthDcrMiner64
9522:BCX mining Trojan (bcx-pool.beepool.org):ccminer
9530:ETH mining Trojan (eth-pool.beepool.org):EthDcrMiner64
9531:RVN mining Trojan (rvn-pool.beepool.org):ccminer
9540:MOAC mining Trojan (moac-pool.beepool.org):EthDcrMiner64
9568:DCR mining Trojan (dcr-pool.beepool.org):X
9999:mining Trojan:X
11110:DGB mining Trojan (dgb-sha256d.f2pool.com):X
11112:DGB mining Trojan (dgb-groestl.f2pool.com):X
11113:DGB mining Trojan (dgb-skein.f2pool.com):X
11114:DGB mining Trojan (dgb-qubit.f2pool.com):X
13333:ETN mining Trojan (etn.f2pool.com):(xmrig|NsCpuCNMiner64|xmrig-nvidia|ccminer-x64|xmrig-amd|NsGpuCNMiner)
13531:XMR mining Trojan (xmr.f2pool.com):(xmrig|NsCpuCNMiner64|NsGpuCNMiner|xmrig-nvidia|xmrig-amd)
13541:XMR mining Trojan (xmr-classic.f2pool.com):X
13654:XDAG mining Trojan (xdag.f2pool.com):DaggerGpuMiner
14433:mining Trojan:X
14444:mining Trojan:X
15555:PASC mining Trojan (pasc.f2pool.com):EthDcrMiner64
20012:GIN mining Trojan (gin.f2pool.com):ccminer-x64
20581:mining Trojan:X
20593:MONA mining Trojan (mona.f2pool.com):ccminer-x64
45560:XMR mining Trojan (xmr.pool.minergate.com):xmr-stak
45590:mining Trojan:X
45700:minergate.com mining Trojan:X
45790:mining Trojan:X
52137:WMAMiner mining worm:X
55335:mining Trojan:X
65333:mining Trojan:X
#Proxy
1080:shadowsocks client
#Other

High-risk port check script
echo -------------High-risk TCP ports--------------
echo "Checking high-risk TCP ports....."
# The port list above is expected in /tmp/dangerstcpports (TCP) and /tmp/dangersudpports (UDP),
# one "port:description[:process]" entry per line. A hit means "investigate", not "infected".
tcpport=$(netstat -anlpt 2>/dev/null | awk '{print $4}' | awk -F: '{print $NF}' | grep -E '^[0-9]+$' | sort -n | uniq)
count=0
if [ -n "$tcpport" ];then
    for port in $tcpport
    do
        # anchored lookup of the port instead of the original's nested loop over every list entry
        hit=$(grep "^${port}:" /tmp/dangerstcpports 2>/dev/null)
        if [ -n "$hit" ];then
            echo "$hit" | awk -F: '{print $1","$2","$3}' | tee -a $danger_file
            count=$((count+1))    # the original's count=count+1 stored the literal string "count+1"
        fi
    done
fi
if [ $count -eq 0 ];then
    echo "[*]No high-risk TCP ports found"
else
    echo "[!!!]High-risk TCP ports found, correlate and confirm them manually"
fi
printf "\n"
echo -------------High-risk UDP ports--------------
echo "Checking high-risk UDP ports....."
udpport=$(netstat -anlpu 2>/dev/null | awk '{print $4}' | awk -F: '{print $NF}' | grep -E '^[0-9]+$' | sort -n | uniq)
count=0
if [ -n "$udpport" ];then
    for port in $udpport
    do
        hit=$(grep "^${port}:" /tmp/dangersudpports 2>/dev/null)
        if [ -n "$hit" ];then
            echo "$hit" | awk -F: '{print $1","$2","$3}' | tee -a $danger_file
            count=$((count+1))
        fi
    done
fi
if [ $count -eq 0 ];then
    echo "[*]No high-risk UDP ports found"
else
    echo "[!!!]High-risk UDP ports found, correlate and confirm them manually"
fi
printf "\n"
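The port check above re-reads the whole list for every listening port and matches on the port number alone. The block below is an added example, not code from the original script: it loads a `port:description[:process]` list once into awk, parses `netstat -anltp` lines so that IPv4 and IPv6 binds both yield the port and bind address, and appends "(unexpected process)" when the list names a process pattern and the listener's program differs (`:X` or an empty process field accepts anything, as in the list's own convention). The risk list excerpt and the netstat lines are constructed samples with neutral program names; `risky_listeners_demo` is my wrapper.

```shell
#!/bin/sh
# Added example, not from the original script: one-pass join of listening sockets
# against a port:description[:process] risk list. Both inputs are constructed samples.
RISK_LIST='#Constructed excerpt of the high-risk port list
31337:Trojan BO (Back Orifice):X
13531:XMR mining Trojan (xmr.f2pool.com):(xmrig|NsCpuCNMiner64)
3333:mining Trojan:X
5730:DCR mining Trojan (dcr.f2pool.com):'

# Constructed "netstat -anltp" output (the PID/Program column needs root on a real host)
SAMPLE_NETSTAT='Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN      812/sshd
tcp        0      0 127.0.0.1:13531         0.0.0.0:*               LISTEN      2417/python3
tcp6       0      0 :::31337                :::*                    LISTEN      2990/nc
tcp6       0      0 :::8080                 :::*                    LISTEN      1001/java'

# $1 = risk list file; stdin = netstat -anltp output.
# Prints "port,description,expected_process,actual_process,bind_address" per hit and
# appends " (unexpected process)" when the list's process pattern does not match.
risky_listeners() {
    awk -v list="$1" '
        BEGIN {
            while ((getline line < list) > 0) {
                n = split(line, f, ":")
                if (n < 2 || f[1] !~ /^[0-9]+$/) continue        # skip comments and blank lines
                desc[f[1]] = f[2]
                proc[f[1]] = (n >= 3 && f[3] != "") ? f[3] : "X"
            }
            close(list)
        }
        $6 == "LISTEN" {
            np = split($4, a, ":"); port = a[np]                 # last ":" field: 0.0.0.0:22 and :::22 alike
            bind = substr($4, 1, length($4) - length(port) - 1)
            split($7, p, "/"); pname = (p[2] == "") ? "-" : p[2]
            if (port in desc) {
                note = (proc[port] == "X" || pname ~ ("^(" proc[port] ")$")) ? "" : " (unexpected process)"
                print port "," desc[port] "," proc[port] "," pname "," bind note
            }
        }'
}

# Live use on a host (needs root for the program column):
#   netstat -anltp 2>/dev/null | risky_listeners /tmp/dangerstcpports
risky_listeners_demo() {
    tmp=$(mktemp)
    printf '%s\n' "$RISK_LIST" > "$tmp"
    printf '%s\n' "$SAMPLE_NETSTAT" | risky_listeners "$tmp"
    rm -f "$tmp"
}

risky_listeners_demo
```

The process pattern is applied as a regex, which is how the list's `(sgminer|ccminer)` entries are meant to be read; a plain name such as `xmrig` matches itself. Note that the miner in the sample listens on 127.0.0.1 only, which the "open to the LAN" check earlier would not flag, so the two checks complement each other.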
Network connections

echo ------------Network connections---------------------
# $saveresult is the report sink used from here on, e.g. saveresult="tee -a checkresult.txt";
# it and $danger_file are defined in the header of the full script, which this page does not include.
echo "Checking network connections....." | $saveresult
netstat=$(netstat -anlp 2>/dev/null | grep ESTABLISHED)
netstatnum=$(netstat -n 2>/dev/null | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}')
if [ -n "$netstat" ];then
    (echo "[*]Established connections:" && echo "$netstat") | $saveresult
    if [ -n "$netstatnum" ];then
        (echo "[*]Connection count per state:" && echo "$netstatnum") | $saveresult
    fi
else
    echo "[*]No network connections found" | $saveresult
fi
printf "\n" | $saveresult

NIC mode
echo -------------NIC mode---------------------
echo "Checking NIC modes....." | $saveresult
ifconfigmode=$(ifconfig -a | grep flags | awk -F '[: = < >]' '{print "NIC:",$1,"mode:",$5}')
if [ -n "$ifconfigmode" ];then
    (echo "NIC working modes:" && echo "$ifconfigmode") | $saveresult
else
    echo "[*]No NIC mode information found, analyse manually" | $saveresult
fi
printf "\n" | $saveresult
echo "Checking for NICs in promiscuous mode....." | $saveresult
# PROMISC usually means a sniffer, although bridges and some virtualisation stacks set it too
Promisc=$(ifconfig | grep PROMISC | gawk -F: '{ print $1}')
if [ -n "$Promisc" ];then
    (echo "[!!!]NIC in promiscuous mode:" && echo "$Promisc") | tee -a $danger_file | $saveresult
else
    echo "[*]No NIC in promiscuous mode" | $saveresult
fi
printf "\n" | $saveresult
echo "Checking for NICs in monitor mode....." | $saveresult
# "Mode:Monitor" is printed by iwconfig (wireless), on the line after the interface name,
# not by ifconfig as the original grepped
Monitor=$(iwconfig 2>/dev/null | awk '/^[a-zA-Z0-9]/ {iface=$1} /Mode:Monitor/ {print iface}')
if [ -n "$Monitor" ];then
    (echo "[!!!]NIC in monitor mode:" && echo "$Monitor") | tee -a $danger_file | $saveresult
else
    echo "[*]No NIC in monitor mode" | $saveresult
fi
printf "\n" | $saveresult

Startup items
echo -------------System startup items-----------------------
echo "Checking system startup items....." | $saveresult
systemchkconfig=$(systemctl list-unit-files 2>/dev/null | grep enabled | awk '{print $1}')
if [ -n "$systemchkconfig" ];then
    (echo "[*]Enabled units:" && echo "$systemchkconfig") | $saveresult
else
    echo "[*]No enabled startup items found" | $saveresult
fi
printf "\n" | $saveresult
echo -------------Dangerous startup items-----------------------
echo "Checking dangerous startup items....." | $saveresult
# A bare script (.sh/.py/.pl) registered as a SysV service deserves a look; chkconfig prints
# "on" or the localized "啟用" for enabled run levels. rc.local is the other classic drop point.
dangerstartup=$(chkconfig --list 2>/dev/null | grep -E ":on|啟用" | awk '{print $1}' | grep -E "\.(sh|per|py|pl)$")
rclocal=$(grep -Ev '^[[:space:]]*(#|$)' /etc/rc.local /etc/rc.d/rc.local 2>/dev/null | grep -E '\.(sh|py|pl)')
if [ -n "$dangerstartup" ] || [ -n "$rclocal" ];then
    (echo "[!!!]Dangerous startup items found:" && echo "$dangerstartup" "$rclocal") | tee -a $danger_file | $saveresult
else
    echo "[*]No dangerous startup items found" | $saveresult
fi
printf "\n" | $saveresult

Cron jobs
echo ------------System cron jobs-------------------
echo "Analysing system cron jobs....." | $saveresult
syscrontab=$(grep -v "# run-parts" /etc/crontab 2>/dev/null | grep run-parts)
if [ -n "$syscrontab" ];then
    (echo "[!!!]System cron jobs exist:" && cat /etc/crontab ) | tee -a $danger_file | $saveresult
else
    echo "[*]No system cron jobs found" | $saveresult
fi
printf "\n" | $saveresult
# if [ $? -eq 0 ] means the previous command succeeded: exit status 0 is success, non-zero is failure
# e.g. "ifconfig; echo $?" prints 0 after a successful run
# if [ $? != 0 ] means the previous command failed
echo ------------Suspicious system cron jobs-------------------
echo "Analysing suspicious system cron jobs....." | $saveresult
# Flags permission/account changes and script downloads. The original pattern had
# "(wget|curl)*\." which makes the command optional; ".*" is what was meant.
dangersyscron=$(grep -E "((chmod|useradd|groupadd|chattr)|((wget|curl).*\.(sh|pl|py)))" /etc/cron*/* /var/spool/cron/* 2>/dev/null)
if [ -n "$dangersyscron" ];then
    (echo "[!!!]The following cron jobs look suspicious, check them!!!" && echo "$dangersyscron") | tee -a $danger_file | $saveresult
else
    echo "[*]No suspicious system cron jobs found" | $saveresult
fi
printf "\n" | $saveresult
echo ------------User cron jobs-------------------
echo "Listing user cron jobs....." | $saveresult
# crontab -l only shows the current user; /var/spool/cron/* above covers everyone (needs root)
crontab=$(crontab -l 2>/dev/null)
if [ -n "$crontab" ];then
    (echo "[!!!]User cron jobs:" && echo "$crontab") | $saveresult
else
    echo "[*]No user cron jobs found" | $saveresult
fi
printf "\n" | $saveresult
echo ------------Suspicious user cron jobs-------------------
echo "Analysing suspicious user cron jobs....." | $saveresult
danger_crontab=$(crontab -l 2>/dev/null | grep -E "((chmod|useradd|groupadd|chattr)|((wget|curl).*\.(sh|pl|py)))")
if [ -n "$danger_crontab" ];then
    (echo "[!!!]Suspicious user cron jobs found, check them!!!" && echo "$danger_crontab") | tee -a $danger_file | $saveresult
else
    echo "[*]No suspicious user cron jobs found" | $saveresult
fi
printf "\n" | $saveresult

Routing table
echo "Checking the routing table....." | $saveresult
route=$(route -n 2>/dev/null || ip route)
if [ -n "$route" ];then
    (echo "[*]Routing table:" && echo "$route") | $saveresult
else
    echo "[*]No routing table found" | $saveresult
fi
printf "\n" | $saveresult
echo "Checking whether IP forwarding is enabled....." | $saveresult
# /proc/sys/net/ipv4/ip_forward: 1 = forwarding enabled, 0 = disabled
ip_forward=$(cat /proc/sys/net/ipv4/ip_forward)
if [ "$ip_forward" = "1" ];then
    echo "[!!!]IP forwarding is enabled on this server, check it!" | tee -a $danger_file | $saveresult
else
    echo "[*]IP forwarding is disabled on this server" | $saveresult
fi
printf "\n" | $saveresult

Process analysis
echo ------------System processes--------------------
echo "Checking processes....." | $saveresult
ps=$(ps aux)
if [ -n "$ps" ];then
    (echo "[*]System processes:" && echo "$ps") | $saveresult
else
    echo "[*]No processes found" | $saveresult
fi
printf "\n" | $saveresult
echo "Checking xinetd daemons....." | $saveresult
# The original only looked at /etc/xinetd.d/rsync; every xinetd service file is relevant
if [ -d /etc/xinetd.d ];then
    (echo "[*]xinetd services:" && grep -v "^#" /etc/xinetd.d/* 2>/dev/null) | $saveresult
else
    echo "[*]No xinetd services found" | $saveresult
fi
printf "\n" | $saveresult

File checks
echo ------------DNS file check-----------------
echo "Checking the DNS configuration....." | $saveresult
resolv=$(grep ^nameserver /etc/resolv.conf 2>/dev/null | awk '{print $NF}')
if [ -n "$resolv" ];then
    (echo "[*]This server uses the following DNS servers:" && echo "$resolv") | $saveresult
else
    echo "[*]No DNS servers found" | $saveresult
fi
printf "\n" | $saveresult
echo ------------hosts file check-----------------
echo "Checking the hosts file....." | $saveresult
hosts=$(cat /etc/hosts 2>/dev/null)
if [ -n "$hosts" ];then
    (echo "[*]hosts file:" && echo "$hosts") | $saveresult
else
    echo "[*]No hosts file found" | $saveresult
fi
printf "\n" | $saveresult
echo ------------Public key file check-----------------
echo "Checking public key files....." | $saveresult
# A glob inside [ -e ] breaks with more than one match; let ls expand it.
# authorized_keys is what an SSH persistence backdoor usually plants, so list it as well.
if ls /root/.ssh/*.pub >/dev/null 2>&1;then
    echo "[!!!]Public key files found, check them!" | tee -a $danger_file | $saveresult
else
    echo "[*]No public key files found" | $saveresult
fi
if [ -s /root/.ssh/authorized_keys ];then
    (echo "[!!!]authorized_keys entries for root (type and comment):" && awk '{print $1, $NF}' /root/.ssh/authorized_keys) | tee -a $danger_file | $saveresult
fi
printf "\n" | $saveresult
echo ------------Private key file check-----------------
echo "Checking private key files....." | $saveresult
# id_rsa is not the only name: id_ed25519, id_ecdsa and id_dsa are just as common
if ls /root/.ssh/id_* 2>/dev/null | grep -qv '\.pub$';then
    echo "[!!!]Private key files found, check them!" | tee -a $danger_file | $saveresult
else
    echo "[*]No private key files found" | $saveresult
fi
printf "\n" | $saveresult

Running services
echo ------------Running services----------------------
echo "Checking running services....." | $saveresult
services=$(systemctl list-units --type=service --state=running --no-legend 2>/dev/null | awk '{print $1}' | sed 's/\.service$//')
if [ -n "$services" ];then
    (echo "[*]The following services are running:" && echo "$services") | $saveresult
else
    echo "[!!!]No running services found!" | $saveresult
fi
printf "\n" | $saveresult

User checks
echo ------------Superusers---------------------
# UID 0 is the superuser; root is UID 0 by default
echo "Checking for extra superusers....." | $saveresult
Superuser=$(awk -F: '$3==0 && $1!="root" {print $1}' /etc/passwd)
if [ -n "$Superuser" ];then
    echo "[!!!]Superusers other than root found:" | tee -a $danger_file | $saveresult
    for user in $Superuser
    do
        echo $user | $saveresult
        if [ "${user}" = "toor" ];then
            echo "[!!!]BSD installs the toor account by default; other systems do not, so delete it unless this is BSD" | $saveresult
        fi
    done
else
    echo "[*]No extra superusers found" | $saveresult
fi
printf "\n" | $saveresult
echo ------------Cloned users---------------------
# Accounts that share a UID are clones of each other
echo "Checking for cloned users....." | $saveresult
uid=$(awk -F: '{a[$3]++}END{for(i in a)if(a[i]>1)print i}' /etc/passwd)
if [ -n "$uid" ];then
    echo "[!!!]The following users share a UID:" | tee -a $danger_file | $saveresult
    # match the UID field exactly; the original's "grep $uid" matched the number anywhere on the line
    for u in $uid
    do
        awk -F: -v u="$u" '$3==u {print $3": "$1}' /etc/passwd | tee -a $danger_file | $saveresult
    done
else
    echo "[*]No users share a UID" | $saveresult
fi
printf "\n" | $saveresult
echo ------------Users that can log in-------------------
echo "Checking users that can log in......" | $saveresult
# any shell other than nologin/false allows a login, not only /bin/bash
loginuser=$(awk -F: '$7 !~ /(nologin|false)$/ {print $1}' /etc/passwd)
if [ -n "$loginuser" ];then
    echo "[!!!]The following users can log in:" | tee -a $danger_file | $saveresult
    for user in $loginuser
    do
        echo $user | tee -a $danger_file | $saveresult
    done
else
    echo "[*]No users can log in" | $saveresult
fi
printf "\n" | $saveresult
echo ------------Non-system users-----------------
echo "Checking users that are not part of the base system" | $saveresult
if [ -f /etc/login.defs ];then
    uid=$(grep "^UID_MIN" /etc/login.defs | awk '{print $2}')
    (echo "Minimum regular UID on this system: "$uid) | $saveresult
    nosystemuser=$(gawk -F: -v min="$uid" '$3>=min && $3!=65534 {print $1}' /etc/passwd)
    if [ -n "$nosystemuser" ];then
        (echo "The following users are not part of the base system:" && echo "$nosystemuser") | tee -a $danger_file | $saveresult
    else
        echo "[*]No users beyond the base system found" | $saveresult
    fi
fi
printf "\n" | $saveresult
echo ------------shadow file-----------------
echo "Checking the shadow file....." | $saveresult
# This copies every password hash into the report; protect the report file accordingly
(echo "[*]shadow file" && cat /etc/shadow ) | $saveresult
printf "\n" | $saveresult
echo ------------Empty password users-----------------
echo "Checking for users with an empty password....." | $saveresult
nopasswd=$(gawk -F: '($2=="") {print $1}' /etc/shadow)
if [ -n "$nopasswd" ];then
    (echo "[!!!]The following users have an empty password:" && echo "$nopasswd") | $saveresult
else
    echo "[*]No users with an empty password found" | $saveresult
fi
printf "\n" | $saveresult
echo ------------Empty password and able to log in-----------------
echo "Checking for users with an empty password who can log in....." | $saveresult
# How an empty-password login comes about:
# 1. passwd -d username
# 2. echo "PermitEmptyPasswords yes" >>/etc/ssh/sshd_config
# 3. service sshd restart
# The sshd setting only gates SSH; an empty password still works on the console and for su.
aa=$(awk -F: '$7 !~ /(nologin|false)$/ {print $1}' /etc/passwd)
bb=$(gawk -F: '($2=="") {print $1}' /etc/shadow)
cc=$(grep -w "^PermitEmptyPasswords yes" /etc/ssh/sshd_config)
flag=""
for a in $aa
do
    for b in $bb
    do
        if [ "$a" = "$b" ] && [ -n "$cc" ];then
            echo "[!!!]User with an empty password who can log in: "$a | $saveresult
            flag=1
        fi
    done
done
if [ -n "$flag" ];then
    echo "Analyse the configuration and the accounts manually" | $saveresult
else
    echo "[*]No user with an empty password can log in" | $saveresult
fi
printf "\n" | $saveresult
echo ------------Password not shadowed----------------
echo "Checking for passwords stored outside shadow....." | $saveresult
# anything but "x" in the passwd password field means the hash (or nothing) sits in world-readable /etc/passwd
noenypasswd=$(awk -F: '{if($2!="x") {print $1}}' /etc/passwd)
if [ -n "$noenypasswd" ];then
    (echo "[!!!]The following users have a password field outside shadow:" && echo "$noenypasswd") | tee -a $danger_file | $saveresult
else
    echo "[*]All password fields are shadowed" | $saveresult
fi
printf "\n" | $saveresult
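Two of the account checks above are fragile: the clone check greps the shared UID as a bare number, so UID 100 also matches 1000 and 1100, and the login check keys on `/bin/bash`, missing zsh or sh logins. The following is an added example, not code from the original script. The functions take the passwd and shadow files as arguments, so they run against the constructed samples embedded here or against `/etc/passwd` and `/etc/shadow` as root. The sample accounts and `account_demo` are made up for the demo.

```shell
#!/bin/sh
# Added example, not from the original script. Constructed /etc/passwd and /etc/shadow
# samples: toor shares UID 0, alice and bob share UID 1000, alice and svc have empty hashes.
SAMPLE_PASSWD='root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
toor:x:0:0::/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1000:1001::/home/bob:/bin/zsh
svc:x:1001:1001::/var/svc:/sbin/nologin'
SAMPLE_SHADOW='root:$6$salt$hash:19000:0:99999:7:::
bin:*:18000:0:99999:7:::
toor:!!:19000:0:99999:7:::
alice::19000:0:99999:7:::
bob:$6$salt$hash:19000:0:99999:7:::
svc::19000:0:99999:7:::'

# $1 = passwd file. Accounts other than root whose UID is 0.
extra_uid0() {
    awk -F: '$3 == 0 && $1 != "root" { print $1 }' "$1"
}

# $1 = passwd file. One line "uid user1 user2 ..." per UID held by more than one account.
# Comparing the UID field avoids the substring problem of grepping the number.
shared_uids() {
    awk -F: '{ n[$3]++; u[$3] = u[$3] " " $1 }
             END { for (i in n) if (n[i] > 1) print i u[i] }' "$1"
}

# $1 = passwd file, $2 = shadow file. Accounts whose shadow hash is empty AND whose shell
# is not nologin/false: they log in with no password at all (console, su, and ssh if
# PermitEmptyPasswords is on). Shells are matched by name rather than by the /bin/bash path.
empty_password_logins() {
    awk -F: 'NR == FNR { if ($2 == "") empty[$1] = 1; next }
             ($1 in empty) && $7 !~ /(nologin|false)$/ { print $1 }' "$2" "$1"
}

# Demo on the samples; on a live host call the functions with /etc/passwd /etc/shadow
account_demo() {
    p=$(mktemp); s=$(mktemp)
    printf '%s\n' "$SAMPLE_PASSWD" > "$p"
    printf '%s\n' "$SAMPLE_SHADOW" > "$s"
    echo "extra UID 0 accounts:";          extra_uid0 "$p"
    echo "shared UIDs:";                   shared_uids "$p"
    echo "empty password + login shell:";  empty_password_logins "$p" "$s"
    rm -f "$p" "$s"
}

account_demo
```

The shadow file is read first (`NR == FNR`) so that the passwd pass can consult the set of empty hashes; locked accounts (`!`, `!!`, `*`) are not empty and are left alone here.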
Group checks

echo ------------Group information--------------------
echo "Checking group information....." | $saveresult
echo "[*]Groups:"
(grep -v "^#" /etc/group) | $saveresult
printf "\n" | $saveresult
echo ------------Privileged users--------------------
echo "Checking privileged users....." | $saveresult
# Members listed in the root group's fourth field, plus any other group carrying GID 0.
# The original only looked for GID-0 groups, which is not what its message claimed.
roots=$(awk -F: '$1=="root" && $4!="" {n=split($4,m,","); for(i=1;i<=n;i++) print m[i]} $1!="root" && $3==0 {print "group "$1" (GID 0)"}' /etc/group)
if [ -n "$roots" ];then
    echo "[!!!]Besides root, the root group (or GID 0) includes:" | tee -a $danger_file | $saveresult
    for user in $roots
    do
        echo $user | tee -a $danger_file | $saveresult
    done
else
    echo "[*]No users besides root in the root group" | $saveresult
fi
printf "\n" | $saveresult
echo ------------Duplicate GIDs--------------------
echo "Checking for duplicate GIDs....." | $saveresult
# uniq -d only works on sorted input
groupuid=$(grep -v "^$" /etc/group | awk -F: '{print $3}' | sort | uniq -d)
if [ -n "$groupuid" ];then
    (echo "[!!!]Duplicate GIDs found:" && echo "$groupuid") | tee -a $danger_file | $saveresult
else
    echo "[*]No duplicate GIDs found" | $saveresult
fi
printf "\n" | $saveresult
echo ------------Duplicate group names--------------------
echo "Checking for duplicate group names....." | $saveresult
groupname=$(grep -v "^$" /etc/group | awk -F: '{print $1}' | sort | uniq -d)
if [ -n "$groupname" ];then
    (echo "[!!!]Duplicate group names found:" && echo "$groupname") | tee -a $danger_file | $saveresult
else
    echo "[*]No duplicate group names found" | $saveresult
fi
printf "\n" | $saveresult

File permissions
echo ------------/etc permissions--------------------
echo "Checking /etc permissions....." | $saveresult
# stat gives the octal mode directly; slicing "ls -l / | grep etc" can match several entries.
# The baseline asks for 750 as the original did, but /etc normally needs 755: unprivileged
# processes must be able to read /etc/passwd, resolv.conf, ld.so.cache and so on.
etc=$(stat -c %a /etc)
if [ "$etc" = "750" ]; then
    echo "[*]/etc mode is 750, as the baseline requires" | $saveresult
else
    echo "[!!!]/etc mode is $etc; the baseline asks for 750 (755 is the usual working value)" | $saveresult
fi
printf "\n" | $saveresult
echo ------------shadow permissions--------------------
echo "Checking /etc/shadow permissions....." | $saveresult
# 600 is the generic baseline; RHEL 6/7 ship 000 (stat prints 0) and Debian ships 640 root:shadow
shadow=$(stat -c %a /etc/shadow)
if [ "$shadow" = "600" ] || [ "$shadow" = "0" ]; then
    echo "[*]/etc/shadow mode is $shadow, compliant" | $saveresult
else
    echo "[!!!]/etc/shadow mode is $shadow, not compliant, set it to 600" | tee -a $danger_file | $saveresult
fi
printf "\n" | $saveresult
echo ------------passwd permissions--------------------
echo "Checking /etc/passwd permissions....." | $saveresult
passwd=$(stat -c %a /etc/passwd)
if [ "$passwd" = "644" ]; then
    echo "[*]/etc/passwd mode is 644, compliant" | $saveresult
else
    echo "[!!!]/etc/passwd mode is $passwd, not compliant, set it to 644" | tee -a $danger_file | $saveresult
fi
printf "\n" | $saveresult
echo ------------group permissions--------------------
echo "Checking /etc/group permissions....." | $saveresult
group=$(stat -c %a /etc/group)
if [ "$group" = "644" ]; then
    echo "[*]/etc/group mode is 644, compliant" | $saveresult
else
    echo "[!!!]/etc/group mode is $group, not compliant, set it to 644" | tee -a $danger_file | $saveresult
fi
printf "\n" | $saveresult
echo ------------securetty permissions--------------------
echo "Checking /etc/securetty permissions....." | $saveresult
# The original compared a 9-character slice of "ls -l" with the 10-character string "-rw-------",
# which can never be equal; the same bug affected services, grub.conf and lilo.conf below.
if [ -f /etc/securetty ]; then
    securetty=$(stat -c %a /etc/securetty)
    if [ "$securetty" = "600" ]; then
        echo "[*]/etc/securetty mode is 600, compliant" | $saveresult
    else
        echo "[!!!]/etc/securetty mode is $securetty, not compliant, set it to 600" | tee -a $danger_file | $saveresult
    fi
else
    echo "/etc/securetty does not exist (recent distributions no longer ship it), skipped" | $saveresult
fi
printf "\n" | $saveresult
echo ------------services permissions--------------------
echo "Checking /etc/services permissions....." | $saveresult
services=$(stat -c %a /etc/services)
if [ "$services" = "644" ]; then
    echo "[*]/etc/services mode is 644, compliant" | $saveresult
else
    echo "[!!!]/etc/services mode is $services, not compliant, set it to 644" | tee -a $danger_file | $saveresult
fi
printf "\n" | $saveresult
echo ------------grub.conf permissions--------------------
echo "Checking grub.conf permissions....." | $saveresult
# /etc/grub.conf belongs to GRUB legacy; GRUB2 systems keep /boot/grub2/grub.cfg (600 by default on RHEL)
for grubconf in /etc/grub.conf /boot/grub2/grub.cfg /boot/grub/grub.cfg
do
    if [ -f "$grubconf" ]; then
        mode=$(stat -c %a "$grubconf")
        if [ "$mode" = "600" ]; then
            echo "[*]$grubconf mode is 600, compliant" | $saveresult
        else
            echo "[!!!]$grubconf mode is $mode, not compliant, set it to 600" | tee -a $danger_file | $saveresult
        fi
    fi
done
printf "\n" | $saveresult
echo ------------lilo.conf permissions--------------------
echo "Checking lilo.conf permissions....." | $saveresult
if [ -f /etc/lilo.conf ];then
    liloconf=$(stat -c %a /etc/lilo.conf)
    if [ "$liloconf" = "600" ];then
        echo "/etc/lilo.conf mode is 600, compliant" | $saveresult
    else
        echo "/etc/lilo.conf mode is $liloconf, not compliant, set it to 600" | $saveresult
    fi
else
    echo "/etc/lilo.conf does not exist, not checked, compliant" | $saveresult
fi
printf "\n" | $saveresult
echo ------------limits.conf core dump limits--------------------
echo "Checking core dump limits in limits.conf....." | $saveresult
# Core dumps of privileged processes can leak memory contents; the baseline wants "* soft core 0"
# and "* hard core 0". The original only tested that a "core" line exists, not its value.
corelimits=$(grep -v ^# /etc/security/limits.conf | awk '$3=="core" {print $2":"$4}')
if [ -n "$corelimits" ];then
    for i in $corelimits
    do
        case $i in
            soft:0) echo "* soft core 0 is set, compliant" | $saveresult ;;
            hard:0) echo "* hard core 0 is set, compliant" | $saveresult ;;
            *)      echo "core limit ${i%%:*} is ${i##*:}, expected 0" | $saveresult ;;
        esac
    done
else
    echo "No core limit set; add * soft core 0 and * hard core 0 to /etc/security/limits.conf" | $saveresult
fi
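Several of the original permission checks compare a nine-character slice of `ls -l` output with the ten-character string `-rw-------`, which is never equal, so they report a violation on every host. The block below is an added example, not part of the original script: `check_mode` asks `stat` for the octal mode and compares numbers, and `baseline_check` drives it from a path/mode table. The baseline values are the ones the script uses; the caveats in the comments are mine, as are the function names and the temporary file created in the demo.

```shell
#!/bin/sh
# Added example, not from the original script: octal-mode comparison via stat.

# $1 = path, $2 = expected octal mode (e.g. 600). Prints one report line and returns
# 0 = matches, 1 = differs, 2 = file missing. GNU stat first, BSD stat as fallback.
check_mode() {
    if [ ! -e "$1" ]; then
        echo "[-]$1 does not exist, skipped"
        return 2
    fi
    have=$(stat -c %a "$1" 2>/dev/null || stat -f %Lp "$1")
    if [ "$have" = "$2" ]; then
        echo "[*]$1 mode is $have, compliant"
        return 0
    fi
    echo "[!!!]$1 mode is $have, expected $2"
    return 1
}

# Baseline as used by the inspection script. Caveats worth knowing before acting on a hit:
# - /etc needs world execute (755) or unprivileged processes cannot read passwd, resolv.conf, ...
# - /etc/shadow is 000 on RHEL 6/7 and 640 root:shadow on Debian/Ubuntu; 600 is the generic value
# - /etc/securetty and /etc/grub.conf are absent on newer systems; missing is reported, not failed
BASELINE='/etc/passwd 644
/etc/group 644
/etc/shadow 600
/etc/services 644
/etc/securetty 600
/etc/grub.conf 600'

# $1 = baseline text ("path mode" per line). Prints a line per entry and returns the
# number of violations; missing files do not count.
baseline_check() {
    out=$(printf '%s\n' "$1" | while read -r path mode; do
              check_mode "$path" "$mode" || true
          done)
    printf '%s\n' "$out"
    n=$(printf '%s\n' "$out" | grep -c '^\[!!!\]' || true)
    return "$n"
}

baseline_check "$BASELINE" || echo "violations: $?"
```

Because the violation count travels in the return status, `baseline_check "$BASELINE" | tee -a report.txt` still gives a pass/fail signal through `$?` of the function when run without the pipe, and the report text through stdout; the original script's `| $saveresult` convention needs exactly that split.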
User add/delete

echo "Checking useradd timestamps....." | $saveresult
echo "[*]useradd timestamps:" | $saveresult
# a Modify/Change time newer than the shadow-utils package install date suggests the binary was replaced
stat /usr/sbin/useradd | grep -E "Access|Modify|Change" | grep -v '(' | $saveresult
printf "\n" | $saveresult
echo "Checking userdel timestamps....." | $saveresult
echo "[*]userdel timestamps:" | $saveresult
stat /usr/sbin/userdel | grep -E "Access|Modify|Change" | grep -v '(' | $saveresult
printf "\n" | $saveresult

History
echo ------------Shell command history---------------
echo "Checking the shell command history....." | $saveresult
# "history" is a shell builtin and is empty inside a non-interactive script, so every check
# below reads the history file directly (the original mixed the two). Only root's file is
# covered here; /home/*/.bash_history deserves the same treatment. An attacker can edit or
# clear this file, so an empty history is itself a finding.
histfile=/root/.bash_history
history=$(cat $histfile 2>/dev/null)
if [ -n "$history" ];then
    (echo "[*]Shell command history:" && echo "$history") | $saveresult
else
    echo "[!!!]No command history found; check whether history is recorded or was cleared" | $saveresult
fi
printf "\n" | $saveresult
echo ------------Downloaded script files---------------
echo "Checking whether script files were downloaded....." | $saveresult
# a "$" right after the extension misses commands with options after the URL
scripts=$(grep -E "(wget|curl).*\.(sh|pl|py)( |$)" $histfile 2>/dev/null)
if [ -n "$scripts" ];then
    (echo "[!!!]The following scripts were downloaded on this server:" && echo "$scripts") | tee -a $danger_file | $saveresult
else
    echo "[*]No script downloads found on this server" | $saveresult
fi
printf "\n" | $saveresult
echo ------------Accounts added---------------
echo "Checking whether accounts were added....." | $saveresult
addusers=$(grep -E "(useradd|groupadd)" $histfile 2>/dev/null)
if [ -n "$addusers" ];then
    (echo "[!!!]The following accounts were added on this server:" && echo "$addusers") | tee -a $danger_file | $saveresult
else
    echo "[*]No accounts were added on this server" | $saveresult
fi
printf "\n" | $saveresult
echo ------------Accounts deleted--------------
echo "Checking whether accounts were deleted....." | $saveresult
delusers=$(grep -E "(userdel|groupdel)" $histfile 2>/dev/null)
if [ -n "$delusers" ];then
    (echo "[!!!]The following accounts were deleted on this server:" && echo "$delusers") | tee -a $danger_file | $saveresult
else
    echo "[*]No accounts were deleted on this server" | $saveresult
fi
printf "\n" | $saveresult
echo ------------Suspicious history commands--------------
echo "Checking the history for suspicious commands....." | $saveresult
danger_history=$(grep -E "(whois|sqlmap|nmap|beef|nikto|john|ettercap|backdoor|proxy|msfconsole|msf)" $histfile 2>/dev/null)
if [ -n "$danger_history" ];then
    (echo "[!!!]Suspicious commands found in the history:" && echo "$danger_history") | tee -a $danger_file | $saveresult
else
    echo "[*]No suspicious commands found in the history" | $saveresult
fi
printf "\n" | $saveresult
echo ------------Files sent to the local machine--------------
echo "Checking the history for files sent to the local machine....." | $saveresult
# "sz" is the ZMODEM send command: files pushed from this server to the operator's terminal.
# Reading the file directly, the file name is $2 (the original's $3 allowed for the number
# column printed by "history").
uploadfiles=$(grep -w sz $histfile 2>/dev/null | awk '{print $2}')
if [ -n "$uploadfiles" ];then
    (echo "[!!!]The history shows the following files were sent to the local machine:" && echo "$uploadfiles") | $saveresult
else
    echo "[*]The history shows no files sent to the local machine" | $saveresult
fi
printf "\n" | $saveresult
echo ------------Database command history---------------
echo "Checking the database command history....." | $saveresult
mysql_history=$(cat /root/.mysql_history 2>/dev/null)
if [ -n "$mysql_history" ];then
    (echo "[*]Database command history:" && echo "$mysql_history") | $saveresult
else
    echo "[*]No database command history found" | $saveresult
fi
printf "\n" | $saveresult

Firewall policy
echo ------------Firewall policy-------------------
echo "Checking the firewall policy....." | $saveresult
firewalledstatus=$(systemctl status firewalld 2>/dev/null | grep "active (running)")
# -n keeps addresses numeric so the IP regex matches; nftables-only hosts need "nft list ruleset" instead
firewalledpolicy=$(iptables -nL 2>/dev/null | grep "\([0-9]\{1,3\}\.\)\{3\}[0-9]\{1,3\}")
if [ -n "$firewalledstatus" ];then
    echo "[*]firewalld is running on this server"
    if [ -n "$firewalledpolicy" ];then
        (echo "[*]Firewall rules:" && echo "$firewalledpolicy") | $saveresult
    else
        echo "[!!!]No firewall rules with addresses are configured, configure a policy!" | tee -a $danger_file | $saveresult
    fi
else
    echo "[!!!]firewalld is not running, enable the firewall" | tee -a $danger_file | $saveresult
fi
printf "\n" | $saveresult

Remote access policy
echo ------------Remote allow policy-----------------
echo "Checking hosts.allow....." | $saveresult
# TCP wrappers: only daemons linked against libwrap honour these files. OpenSSH dropped libwrap
# support in 6.7, so sshd obeys them only where the distribution patches it back in.
hostsallow=$(grep -v '#' /etc/hosts.allow 2>/dev/null)
if [ -n "$hostsallow" ];then
    (echo "[!!!]Remote access is allowed from:" && echo "$hostsallow") | tee -a $danger_file | $saveresult
else
    echo "[*]No allowed remote addresses in hosts.allow" | $saveresult
fi
printf "\n" | $saveresult
echo ------------Remote deny policy-----------------
echo "Checking hosts.deny....." | $saveresult
hostsdeny=$(grep -v '#' /etc/hosts.deny 2>/dev/null)
if [ -n "$hostsdeny" ];then
    (echo "[!!!]Remote access is denied from:" && echo "$hostsdeny") | $saveresult
else
    echo "[*]No denied remote addresses in hosts.deny" | $saveresult
fi
printf "\n" | $saveresult

Password policy
echo ------------Password ageing policy------------------------
echo "Checking the password ageing policy....." | $saveresult
(echo "[*]Password ageing policy:" && grep -v "#" /etc/login.defs | grep PASS ) | $saveresult
printf "\n" | $saveresult
echo "[*]Running the baseline checks for the individual items......" | $saveresult
# login.defs values apply to accounts created afterwards; "chage -l user" shows what existing accounts have
passmax=$(grep ^PASS_MAX_DAYS /etc/login.defs | awk '{print $2}')
if [ -n "$passmax" ] && [ $passmax -le 90 -a $passmax -gt 0 ];then
    echo "[*]Password lifetime is ${passmax} days, compliant" | $saveresult
else
    echo "[!!!]Password lifetime is ${passmax:-unset} days, not compliant, set it to 1-90 days" | $saveresult
fi
passmin=$(grep ^PASS_MIN_DAYS /etc/login.defs | awk '{print $2}')
if [ -n "$passmin" ] && [ $passmin -ge 6 ];then
    echo "[*]Minimum interval between password changes is ${passmin} days, compliant" | $saveresult
else
    echo "[!!!]Minimum interval between password changes is ${passmin:-unset} days, not compliant, set it to at least 6 days" | $saveresult
fi
# PASS_MIN_LEN is ignored once pam_pwquality/pam_cracklib is in use; minlen in /etc/security/pwquality.conf counts then
passlen=$(grep ^PASS_MIN_LEN /etc/login.defs | awk '{print $2}')
if [ -n "$passlen" ] && [ $passlen -ge 8 ];then
    echo "[*]Minimum password length is ${passlen}, compliant" | $saveresult
else
    echo "[!!!]Minimum password length is ${passlen:-unset}, not compliant, set it to at least 8" | $saveresult
fi
passage=$(grep ^PASS_WARN_AGE /etc/login.defs | awk '{print $2}')
if [ -n "$passage" ] && [ -n "$passmax" ] && [ $passage -ge 30 -a $passage -lt $passmax ];then
    echo "[*]Password expiry warning is ${passage} days, compliant" | $saveresult
else
    echo "[!!!]Password expiry warning is ${passage:-unset} days, not compliant, set it to at least 30 and below the password lifetime" | $saveresult
fi
printf "\n" | $saveresult
echo ------------Password complexity policy------------------------
echo "Checking the password complexity policy....." | $saveresult
(echo "[*]Password complexity policy:" && grep -v "#" /etc/pam.d/system-auth) | $saveresult
printf "\n" | $saveresult
echo ------------Users with an expired password---------------------------
echo "Checking for users with an expired password....." | $saveresult
NOW=$(date "+%s")
day=$((${NOW}/86400))
# Skip locked (!) and passwordless (*) accounts and the 99999 "never" value. The original's
# grep pattern was an extended regex run as a basic one, so "(", ")" and "?" were literal
# and nothing was excluded.
passwdexpired=$(awk -v today=${day} -F: '$2 !~ /^[!*]/ && $2 != "" && $5 != "" && $5 != 99999 && today > $3+$5 {print $1}' /etc/shadow)
if [ -n "$passwdexpired" ];then
    (echo "[*]The following users have an expired password:" && echo "$passwdexpired") | $saveresult
else
    echo "[*]No users with an expired password found" | $saveresult
fi
printf "\n" | $saveresult
echo ------------Account idle timeout policy---------------------------
echo "Checking the account idle timeout policy....." | $saveresult
# TMOUT in /etc/profile only affects interactive shells that source it; take the first definition
account_timeout=$(grep -E '^[[:space:]]*(export[[:space:]]+)?TMOUT=' /etc/profile | head -1 | awk -F= '{print $2}')
if [ -n "$account_timeout" ];then
    if [ $account_timeout -le 600 -a $account_timeout -ge 10 ];then
        echo "[*]Idle timeout is ${account_timeout} seconds, compliant" | $saveresult
    else
        echo "[!!!]Idle timeout is ${account_timeout} seconds, not compliant, set it below 600 seconds" | $saveresult
    fi
else
    echo "[!!!]No idle timeout is set, not compliant, set TMOUT below 600 seconds" | $saveresult
fi
printf "\n" | $saveresult
echo ------------GRUB password check---------------------------
echo "Checking the GRUB password....." | $saveresult
# /etc/grub.conf is GRUB legacy; GRUB2 keeps password_pbkdf2 in /boot/grub2/grub.cfg or /etc/grub.d/*
grubpass=$(grep -hE "password_pbkdf2|^password" /etc/grub.conf /boot/grub2/grub.cfg /boot/grub/grub.cfg /etc/grub.d/* 2>/dev/null)
if [ -n "$grubpass" ];then
    echo "[*]A GRUB password is set, compliant" | $saveresult
else
    echo "[!!!]No GRUB password is set, not compliant, set one" | $saveresult
fi
printf "\n" | $saveresult
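The expired-password check is the one place in this module where a wrong answer is quiet rather than loud: with locked and passwordless accounts not filtered out, a `*` entry with a 90-day maximum is listed as expired, and an account whose password never expires is never mentioned at all. The block below is an added example, not code from the original script. It does the date arithmetic in awk over a shadow file and a fixed "today" so the result is testable, skipping locked (`!`), passwordless (`*`), empty and never-expiring (99999) entries, and adds the opposite query for passwords with no maximum age, which a 0-90 day baseline also has to flag. The shadow lines and `expiry_demo` are constructed; `chage -l user` remains the authoritative per-account view.

```shell
#!/bin/sh
# Added example, not from the original script: password-age checks over /etc/shadow.
# Constructed sample; day numbers are days since the epoch, as in shadow field 3.
SAMPLE_SHADOW='root:$6$salt$hash:19000:0:90:7:::
alice:$6$salt$hash:19450:0:90:7:::
bob:!$6$salt$hash:18000:0:90:7:::
svc:*:18000:0:99999:7:::
carol:$6$salt$hash:19000:0:99999:7:::
dave::19000:0:90:7:::
erin:$6$salt$hash::0:90:7:::'

# $1 = shadow file, $2 = today in days since the epoch (defaults to now).
# Prints "user days_overdue" for each usable password older than its max age.
# Field 3 = last change, field 5 = max days. Skipped: hashes starting with ! or *
# (locked / no password), empty hashes (empty password, reported by another check),
# empty last-change (ageing disabled) and max empty or 99999 (never expires).
expired_passwords() {
    today=${2:-$(( $(date +%s) / 86400 ))}
    awk -F: -v today="$today" '
        $2 ~ /^[!*]/ || $2 == ""      { next }
        $3 == ""                      { next }
        $5 == "" || $5 == 99999       { next }
        today > $3 + $5               { print $1, today - ($3 + $5) }' "$1"
}

# $1 = shadow file. Usable passwords with no maximum age at all.
never_expiring_passwords() {
    awk -F: '$2 !~ /^[!*]/ && $2 != "" && ($5 == "" || $5 == 99999) { print $1 }' "$1"
}

expiry_demo() {
    s=$(mktemp); printf '%s\n' "$SAMPLE_SHADOW" > "$s"
    echo "expired as of day 19500:"; expired_passwords "$s" 19500
    echo "never expiring:";          never_expiring_passwords "$s"
    rm -f "$s"
}

expiry_demo
```

On a live host call `expired_passwords /etc/shadow` as root without the second argument; the day number then comes from `date +%s`, which is what the original computes into `$day`.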
SELinux policy

echo ------------SELinux policy----------------------
echo "Checking the SELinux policy....." | $saveresult
# the config file is the boot-time setting; getenforce shows the mode in force right now
(echo "SELinux policy:" && grep -Ev '#|^$' /etc/sysconfig/selinux 2>/dev/null && echo "current mode: $(getenforce 2>/dev/null)") | $saveresult
printf "\n" | $saveresult

SSH policy
echo ------------sshd configuration----------------------
echo "Checking the sshd configuration....." | $saveresult
sshdconfig=$(grep -Ev "#|^$" /etc/ssh/sshd_config 2>/dev/null)
if [ -n "$sshdconfig" ];then
    (echo "[*]sshd configuration:" && echo "$sshdconfig") | $saveresult
else
    echo "[!]No sshd configuration file found" | $saveresult
fi
printf "\n" | $saveresult
echo ------------Empty password login check--------------------
echo "Checking whether empty-password logins are allowed....." | $saveresult
emptypasswd=$(grep -w "^PermitEmptyPasswords yes" /etc/ssh/sshd_config 2>/dev/null)
nopasswd=$(gawk -F: '($2=="") {print $1}' /etc/shadow)
if [ -n "$emptypasswd" ];then
    echo "[!!!]Empty-password logins are allowed, check this!!!"
    if [ -n "$nopasswd" ];then
        (echo "[!!!]The following users have an empty password:" && echo "$nopasswd") | tee -a $danger_file | $saveresult
    else
        echo "[*]but no users with an empty password were found" | $saveresult
    fi
else
    echo "[*]Empty-password logins are not allowed" | $saveresult
fi
printf "\n" | $saveresult
echo ------------root remote login--------------------
echo "Checking whether root may log in remotely....." | $saveresult
# sshd uses the first value it meets for a keyword, and the default since OpenSSH 7.0 is
# prohibit-password, so grepping for "PermitRootLogin no" is only a hint; "sshd -T" prints
# the effective value and is used when available.
effective=$(sshd -T 2>/dev/null | awk '$1=="permitrootlogin" {print $2}')
[ -z "$effective" ] && effective=$(grep -v ^# /etc/ssh/sshd_config 2>/dev/null | awk 'tolower($1)=="permitrootlogin" {print $2; exit}')
if [ "$effective" = "no" ];then
    echo "[*]root may not log in over ssh, compliant" | $saveresult
else
    echo "[!!!]PermitRootLogin is ${effective:-unset (default prohibit-password)}, not compliant, add PermitRootLogin no to /etc/ssh/sshd_config" | $saveresult
fi
printf "\n" | $saveresult
echo ------------ssh protocol version--------------------
echo "Checking the ssh protocol version....." | $saveresult
protocolver=$(grep -v ^# /etc/ssh/sshd_config 2>/dev/null | awk '$1=="Protocol" {print $2}')
# OpenSSH 7.4 and later only speak protocol 2 and ignore this directive, so an absent line is fine there
if [ "$protocolver" = "2" ];then
    echo "[*]openssh uses protocol 2, compliant"
elif [ -z "$protocolver" ];then
    echo "[*]No Protocol directive; OpenSSH 7.4+ only supports protocol 2, confirm the version with ssh -V"
else
    echo "[!!!]openssh is not restricted to protocol 2 (Protocol $protocolver), not compliant"
fi
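Two details decide whether an sshd_config grep tells the truth: sshd takes the first value it finds for a keyword (sshd_config(5)), so a `PermitRootLogin no` appended at the bottom loses to an earlier `PermitRootLogin yes`, and an absent directive means the compiled-in default, which has been `prohibit-password` for PermitRootLogin since OpenSSH 7.0 and is `no` for PermitEmptyPasswords. The block below is an added example, not code from the original script: `sshd_effective` resolves a keyword the way sshd does for the global section, stopping at the first `Match` block and accepting the `Keyword=value` spelling, and `sshd_audit` applies the defaults. The config text and both function names are mine; on a live host `sshd -T` prints the effective values and should be preferred.

```shell
#!/bin/sh
# Added example, not from the original script: first-value-wins lookup in sshd_config.
# Constructed config: the early "PermitRootLogin yes" is the one sshd honours.
SAMPLE_SSHD_CONFIG='# constructed sample
Port 22
PermitRootLogin yes
PasswordAuthentication yes
#PermitEmptyPasswords no
PermitRootLogin no
Match User backup
    PermitRootLogin no'

# $1 = config file, $2 = keyword (case-insensitive), $3 = default printed if absent.
# Reads only the global section (up to the first Match block), ignores comments and
# blank lines, and prints the first value found, as sshd does.
sshd_effective() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" -v def="$3" '
        /^[[:space:]]*(#|$)/     { next }
        tolower($1) == "match"   { exit }             # conditional blocks are not global
        {
            if ($1 ~ /=/) sub(/=/, " ")               # "Keyword=value" -> "Keyword value"
            if (tolower($1) == key) { found = 1; print $2; exit }
        }
        END { if (!found) print def }' "$1"
}

# Applies the OpenSSH defaults (PermitRootLogin prohibit-password since 7.0,
# PermitEmptyPasswords no) and prints one finding per item. Returns the number of
# non-compliant items.
sshd_audit() {
    bad=0
    rootlogin=$(sshd_effective "$1" PermitRootLogin prohibit-password)
    if [ "$rootlogin" = "no" ]; then
        echo "[*]PermitRootLogin $rootlogin, compliant"
    else
        echo "[!!!]PermitRootLogin $rootlogin (effective value), not compliant"; bad=$((bad+1))
    fi
    empty=$(sshd_effective "$1" PermitEmptyPasswords no)
    if [ "$empty" = "no" ]; then
        echo "[*]PermitEmptyPasswords $empty, compliant"
    else
        echo "[!!!]PermitEmptyPasswords $empty, not compliant"; bad=$((bad+1))
    fi
    return "$bad"
}

# On a live host prefer the daemon's own view:
#   sshd -T 2>/dev/null | grep -E '^(permitrootlogin|permitemptypasswords) '
sshd_demo() {
    c=$(mktemp); printf '%s\n' "$SAMPLE_SSHD_CONFIG" > "$c"
    sshd_audit "$c" || echo "non-compliant items: $?"
    rm -f "$c"
}

sshd_demo
```

Stopping at `Match` is deliberate: values inside a Match block apply only to the matching users, hosts or addresses, so a `PermitRootLogin no` there says nothing about root logging in from elsewhere.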
Nginx configuration

echo ------------Nginx configuration---------------------
echo "Checking the Nginx configuration file......" | $saveresult
# "whereis nginx" returns several paths (binary, /etc/nginx, man page), so $nginx/conf/nginx.conf
# never resolved; ask the binary for its compiled-in config path and fall back to the package default
nginxconf=$(nginx -V 2>&1 | sed -n 's/.*--conf-path=\([^ ]*\).*/\1/p')
[ -z "$nginxconf" ] && [ -f /etc/nginx/nginx.conf ] && nginxconf=/etc/nginx/nginx.conf
if [ -n "$nginxconf" ] && [ -f "$nginxconf" ];then
    (echo "[*]Nginx configuration file ($nginxconf):" && cat "$nginxconf") | $saveresult
else
    echo "[*]No Nginx service found" | $saveresult
fi
printf "\n" | $saveresult
echo ------------Nginx port forwarding analysis-------------
echo "Checking the Nginx proxy/forwarding configuration......" | $saveresult
# include files (conf.d/, sites-enabled/) carry most server blocks, so search the whole config directory
nginxportconf=""
if [ -n "$nginxconf" ] && [ -f "$nginxconf" ];then
    nginxportconf=$(grep -rE "listen|server |server_name |upstream|proxy_pass|location" "$(dirname "$nginxconf")" 2>/dev/null | grep -v \#)
fi
if [ -n "$nginxportconf" ];then
    (echo "[*]Possible port forwarding, analyse manually:" && echo "$nginxportconf") | $saveresult
else
    echo "[*]No port forwarding configuration found" | $saveresult
fi
printf "\n" | $saveresult

SNMP configuration
echo ------------SNMP配置檢查-------------
echo "正在檢查SNMP配置......" | $saveresult
if [ -f /etc/snmp/snmpd.conf ];then
    # Default community names on uncommented lines (string test; -eq is for integers and always failed here)
    public=$(grep -v ^# /etc/snmp/snmpd.conf | grep -w public)
    private=$(grep -v ^# /etc/snmp/snmpd.conf | grep -w private)
    if [ -n "$public" ];then
        echo "發現snmp服務存在默認團體名public,不符合要求" | tee -a $danger_file | $saveresult
    fi
    if [ -n "$private" ];then
        echo "發現snmp服務存在默認團體名private,不符合要求" | tee -a $danger_file | $saveresult
    fi
else
    echo "snmp服務配置文件不存在,可能沒有運行snmp服務" | $saveresult
fi
printf "\n" | $saveresult

Suspicious files
echo ------------腳本文件------------------------
# The find below skips /usr, /etc and /var; adjust the exclusions as needed
echo "正在檢查腳本文件....." | $saveresult
scripts=$(find / -type f 2>/dev/null | egrep "\.(py|sh|per|pl)$" | egrep -v "/usr|/etc|/var")
if [ -n "$scripts" ];then
    (echo "[!!!]發現以下腳本文件,請注意!!!" && echo "$scripts") | tee -a $danger_file | $saveresult
else
    echo "[*]未發現腳本文件" | $saveresult
fi
printf "\n" | $saveresult

echo ------------惡意文件---------------------
# Webshell detection is technically demanding and dedicated tools exist; use a specialised scanner for it
# For OS-level malware use a rootkit scanner such as rkhunter: http://rkhunter.sourceforge.net
echo ------------最近24小時內變動的文件---------------------
# Files modified within the last 24 hours
(find / -type f -mtime 0 2>/dev/null | grep -E "\.(py|sh|per|pl|php|asp|jsp)$") | tee -a $danger_file | $saveresult
printf "\n" | $saveresult

echo ------------文件屬性---------------------
echo ------------passwd文件屬性---------------------
echo "正在檢查passwd文件屬性......" | $saveresult
# The first column of lsattr is the attribute string, e.g. ----i--------e--
flag=0
attr=$(lsattr /etc/passwd 2>/dev/null | awk '{print $1}')
case "$attr" in *i*)
    echo "/etc/passwd文件存在i安全屬性,符合要求" | $saveresult
    flag=1;;
esac
case "$attr" in *a*)
    echo "/etc/passwd文件存在a安全屬性" | $saveresult
    flag=1;;
esac
if [ $flag = 0 ];then
    echo "/etc/passwd文件不存在相關安全屬性,建議使用chattr +i或chattr +a防止/etc/passwd被刪除或修改" | tee -a $danger_file | $saveresult
fi
printf "\n" | $saveresult

echo ------------shadow文件屬性---------------------
echo "正在檢查shadow文件屬性......" | $saveresult
flag=0
attr=$(lsattr /etc/shadow 2>/dev/null | awk '{print $1}')
case "$attr" in *i*)
    echo "/etc/shadow文件存在i安全屬性,符合要求" | $saveresult
    flag=1;;
esac
case "$attr" in *a*)
    echo "/etc/shadow文件存在a安全屬性" | $saveresult
    flag=1;;
esac
if [ $flag = 0 ];then
    echo "/etc/shadow文件不存在相關安全屬性,建議使用chattr +i或chattr +a防止/etc/shadow被刪除或修改" | tee -a $danger_file | $saveresult
fi
printf "\n" | $saveresult

echo ------------gshadow文件屬性---------------------
echo "正在檢查gshadow文件屬性......" \
| $saveresult
flag=0
attr=$(lsattr /etc/gshadow 2>/dev/null | awk '{print $1}')
case "$attr" in *i*)
    echo "/etc/gshadow文件存在i安全屬性,符合要求" | $saveresult
    flag=1;;
esac
case "$attr" in *a*)
    echo "/etc/gshadow文件存在a安全屬性" | $saveresult
    flag=1;;
esac
if [ $flag = 0 ];then
    echo "/etc/gshadow文件不存在相關安全屬性,建議使用chattr +i或chattr +a防止/etc/gshadow被刪除或修改" | tee -a $danger_file | $saveresult
fi
printf "\n" | $saveresult

Log analysis
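The secure-log checks in this section pull the user and source address out of sshd lines by fixed field number ($9 and $11), which shifts on "Failed password for invalid user NAME from IP" lines and so undercounts guessing attempts against non-existent accounts. The following keyword-anchored counters are an added example, not part of the original script; the function names and the sample log lines are constructed for this illustration.

```shell
#!/bin/sh
# Constructed sample lines in /var/log/secure (sshd) format; not from a real host.
SAMPLE_SECURE='Mar  1 10:00:01 host sshd[1001]: Failed password for root from 10.0.0.5 port 50001 ssh2
Mar  1 10:00:03 host sshd[1002]: Failed password for invalid user admin from 10.0.0.5 port 50002 ssh2
Mar  1 10:00:07 host sshd[1003]: Failed password for invalid user test from 10.0.0.9 port 50003 ssh2
Mar  1 10:01:00 host sshd[1004]: Accepted password for alice from 10.0.0.7 port 50004 ssh2
Mar  1 10:02:11 host sshd[1005]: Failed password for root from 10.0.0.5 port 50005 ssh2'

# Print "<count> <ip>" for every source address with failed password attempts,
# most frequent first. "from" is always followed by the peer address, whatever
# sits in front of it, so no fixed field number is needed.
failed_by_ip() {
    printf '%s\n' "$1" | awk '/Failed password/ {
        for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
    } END { for (a in n) print n[a], a }' | sort -rn
}

# Print "<count> <user>" for failed attempts. With "invalid user NAME" the
# name sits two fields further right than for an existing account, which is
# exactly where a fixed $9 goes wrong.
failed_by_user() {
    printf '%s\n' "$1" | awk '/Failed password/ {
        for (i = 1; i <= NF; i++) if ($i == "for") {
            u = ($(i+1) == "invalid" && $(i+2) == "user") ? $(i+3) : $(i+1)
            n[u]++; break
        }
    } END { for (a in n) print n[a], a }' | sort -rn
}

# Print only the addresses whose failure count reaches the threshold in $2,
# i.e. the candidates worth writing to the danger file.
flag_bruteforce() {
    failed_by_ip "$1" | awk -v t="$2" '$1 >= t { print $2 }'
}
```

On a real host the functions take the log text as their first argument, for example `failed_by_ip "$(cat /var/log/secure*)"`.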
echo ------------查看日志配置----------------------
echo "正在查看日志配置....." | $saveresult
logconf=$(more /etc/rsyslog.conf | egrep -v "#|^$")
if [ -n "$logconf" ];then
    (echo "[*]日志配置如下:" && echo "$logconf") | $saveresult
else
    echo "[!!!]未發現日志配置文件" | tee -a $danger_file | $saveresult
fi
printf "\n" | $saveresult

echo ------------日志是否存在---------------
echo "正在分析日志文件是否存在....." | $saveresult
logs=$(ls -l /var/log/)
if [ -n "$logs" ];then
    echo "[*]日志文件存在" | $saveresult
else
    echo "[!!!]日志文件不存在,請分析是否被清除!" | tee -a $danger_file | $saveresult
fi
printf "\n" | $saveresult

echo ------------日志審核是否開啟---------------
echo "正在分析日志審核是否開啟....." | $saveresult
# SysV-style check; on systemd hosts "systemctl is-active auditd" is the equivalent
service auditd status | grep -q running
if [ $? -eq 0 ];then
    echo "[*]系統日志審核功能已開啟,符合要求" | $saveresult
else
    echo "[!!!]系統日志審核功能已關閉,不符合要求,建議開啟日志審核。可使用以下命令開啟:service auditd start" | tee -a $danger_file | $saveresult
fi
printf "\n" | $saveresult

echo ------------打包日志---------------
echo "正在打包日志......" | $saveresult
zip -r ${log_file}system_log.zip /var/log/
if [ $? -eq 0 ];then
    echo "[*]日志打包成功" | $saveresult
else
    echo "[!!!]日志打包失敗,請人工導出日志" | tee -a $danger_file | $saveresult
fi
printf "\n" | $saveresult

echo ------------secure日志分析---------------
echo ------------成功登錄--------------------
echo "正在檢查日志中成功登錄的情況....." | $saveresult
# "Accepted password for USER from IP port N ssh2": $9 is the user, $11 the source IP
loginsuccess=$(more /var/log/secure* | grep "Accepted password" | awk '{print $1,$2,$3,$9,$11}')
if [ -n "$loginsuccess" ];then
    (echo "[*]日志中分析到以下用戶成功登錄:" && echo "$loginsuccess") | $saveresult
    (echo "[*]登錄成功的IP及次數如下:" && grep "Accepted " /var/log/secure* | awk '{print $11}' | sort | uniq -c | sort -nr) | $saveresult
    (echo "[*]登錄成功的用戶及次數如下:" && grep "Accepted" /var/log/secure* | awk '{print $9}' | sort | uniq -c | sort -nr) | $saveresult
else
    echo "[*]日志中未發現成功登錄的情況" | $saveresult
fi
printf "\n" | $saveresult

echo ------------登錄失敗--------------------
echo "正在檢查日志中登錄失敗的情況....." \
| $saveresult
# "Failed password for invalid user NAME from IP" shifts the user to $11 and the IP to $13,
# so these counts are exact only for attempts against existing accounts
loginfailed=$(more /var/log/secure* | grep "Failed password" | awk '{print $1,$2,$3,$9,$11}')
if [ -n "$loginfailed" ];then
    (echo "[!!!]日志中發現以下登錄失敗的情況:" && echo "$loginfailed") | tee -a $danger_file | $saveresult
    (echo "[!!!]登錄失敗的IP及次數如下:" && grep "Failed password" /var/log/secure* | awk '{print $11}' | sort | uniq -c | sort -nr) | $saveresult
    (echo "[!!!]登錄失敗的用戶及次數如下:" && grep "Failed password" /var/log/secure* | awk '{print $9}' | sort | uniq -c | sort -nr) | $saveresult
else
    echo "[*]日志中未發現登錄失敗的情況" | $saveresult
fi
printf "\n" | $saveresult

echo ------------本機登錄情況-----------------
echo "正在檢查本機登錄情況....." | $saveresult
# pam_unix(sshd:session): session opened for user NAME ... : $11 is the user
systemlogin=$(more /var/log/secure* | grep -E "sshd:session.*session opened" | awk '{print $1,$2,$3,$11}')
if [ -n "$systemlogin" ];then
    (echo "[*]本機登錄情況:" && echo "$systemlogin") | $saveresult
    (echo "[*]本機登錄賬號及次數如下:" && more /var/log/secure* | grep -E "sshd:session.*session opened" | awk '{print $11}' | sort | uniq -c | sort -nr) | $saveresult
else
    echo "[!!!]未發現本機登錄退出情況,請注意!!!" | $saveresult
fi
printf "\n" | $saveresult

echo ------------新增用戶-------------------
echo "正在檢查新增用戶....." | $saveresult
# useradd logs "new user: name=NAME, UID=..., ..."; splitting on = and , pulls the name out
newusers=$(more /var/log/secure* | grep "new user" | awk -F '[=,]' '{print $1,$2}' | awk '{print $1,$2,$3,$9}')
if [ -n "$newusers" ];then
    (echo "[!!!]日志中發現新增用戶:" && echo "$newusers") | tee -a $danger_file | $saveresult
    (echo "[*]新增用戶賬號及次數如下:" && more /var/log/secure* | grep "new user" | awk '{print $8}' | awk -F '[=,]' '{print $2}' | sort | uniq -c) | $saveresult
else
    echo "[*]日志中未發現新增加用戶" | $saveresult
fi
printf "\n" | $saveresult

echo ------------新增用戶組-----------------
echo "正在檢查新增用戶組....." \
| $saveresult
newgroup=$(more /var/log/secure* | grep "new group" | awk -F '[=,]' '{print $1,$2}' | awk '{print $1,$2,$3,$9}')
if [ -n "$newgroup" ];then
    (echo "[!!!]日志中發現新增用戶組:" && echo "$newgroup") | tee -a $danger_file | $saveresult
    (echo "[*]新增用戶組及次數如下:" && more /var/log/secure* | grep "new group" | awk '{print $8}' | awk -F '[=,]' '{print $2}' | sort | uniq -c) | $saveresult
else
    echo "[*]日志中未發現新增加用戶組" | $saveresult
fi
printf "\n" | $saveresult

echo ------------message日志分析---------------
echo ------------傳輸文件--------------------
# The command below would list only the transferred file names, deduplicated
#more /var/log/message* | grep "ZMODEM:.*BPS" | awk -F '[]/]' '{print $0}' | sort | uniq
echo "正在檢查傳輸文件....." | $saveresult
zmodem=$(more /var/log/message* | grep "ZMODEM:.*BPS")
if [ -n "$zmodem" ];then
    (echo "[!!!]傳輸文件情況:" && echo "$zmodem") | tee -a $danger_file | $saveresult
else
    echo "[*]日志中未發現傳輸文件" | $saveresult
fi
printf "\n" | $saveresult

echo ------------歷史使用DNS服務器------------
echo "正在檢查日志中使用DNS服務器的情況....." | $saveresult
dns_history=$(more /var/log/messages* | grep "using nameserver" | awk '{print $NF}' | awk -F# '{print $1}' | sort | uniq)
if [ -n "$dns_history" ];then
    (echo "[!!!]該服務器曾經使用以下DNS:" && echo "$dns_history") | tee -a $danger_file | $saveresult
else
    echo "[*]未發現使用DNS服務器" | $saveresult
fi
printf "\n" | $saveresult

echo ------------cron日志分析---------------
echo ------------定時下載-----------------
echo "正在分析定時下載....." | $saveresult
# -E is needed for the alternation; plain grep would look for the literal string "wget|curl"
cron_download=$(more /var/log/cron* | grep -E "wget|curl")
if [ -n "$cron_download" ];then
    (echo "[!!!]定時下載情況:" && echo "$cron_download") | tee -a $danger_file | $saveresult
else
    echo "[*]未發現定時下載情況" | $saveresult
fi
printf "\n" | $saveresult

echo ------------定時執行腳本-----------------
echo "正在分析定時執行腳本....." \
| $saveresult
# cron logs the command inside parentheses, e.g. "(root) CMD (/root/x.sh)", so the
# extension is followed by ")" or an argument rather than sitting at end of line
cron_shell=$(more /var/log/cron* | grep -E "\.(py|sh|pl)([ )]|$)")
if [ -n "$cron_shell" ];then
    (echo "[!!!]發現定時執行腳本:" && echo "$cron_shell") | tee -a $danger_file | $saveresult
else
    echo "[*]未發現定時執行腳本" | $saveresult
fi
printf "\n" | $saveresult

echo ------------yum日志分析----------------------
echo ------------下載軟件情況-------------------
echo "正在分析使用yum下載軟件情況....." | $saveresult
yum_install=$(more /var/log/yum* | grep Installed | awk '{print $NF}' | sort | uniq)
if [ -n "$yum_install" ];then
    (echo "[*]曾使用yum下載以下軟件:" && echo "$yum_install") | $saveresult
else
    echo "[*]未使用yum下載過軟件" | $saveresult
fi
printf "\n" | $saveresult

echo ------------下載腳本文件-------------------
echo "正在分析使用yum下載腳本文件....." | $saveresult
yum_installscripts=$(more /var/log/yum* | grep Installed | grep -E "\.(sh|py|pl)$" | awk '{print $NF}' | sort | uniq)
if [ -n "$yum_installscripts" ];then
    (echo "[*]曾使用yum下載以下腳本文件:" && echo "$yum_installscripts") | $saveresult
else
    echo "[*]未使用yum下載過腳本文件" | $saveresult
fi
printf "\n" | $saveresult

echo ------------卸載軟件情況-------------------
echo "正在檢查使用yum卸載軟件情況....." | $saveresult
yum_erased=$(more /var/log/yum* | grep Erased)
if [ -n "$yum_erased" ];then
    (echo "[*]使用yum曾卸載以下軟件:" && echo "$yum_erased") | $saveresult
else
    echo "[*]未使用yum卸載過軟件" | $saveresult
fi
printf "\n" | $saveresult

echo ------------可疑工具-----------------
echo "正在檢查使用yum安裝的可疑工具....." | $saveresult
# Reduce "nmap-2:6.40-7.el7.x86_64" to the bare package name before matching;
# splitting on ":" breaks as soon as the package carries an epoch
hacker_tools=$(more /var/log/yum* | awk '{print $NF}' | sed 's/-[0-9:].*//' | sort | uniq | grep -E "(^nc|sqlmap|nmap|beef|nikto|john|ettercap|backdoor|proxy|msfconsole|msf)")
if [ -n "$hacker_tools" ];then
    (echo "[!!!]發現使用yum下載過以下可疑軟件:" && echo "$hacker_tools") | tee -a $danger_file | $saveresult
else
    echo "[*]未發現使用yum下載過可疑軟件" | $saveresult
fi
printf "\n" | $saveresult

echo ------------dmesg日志分析----------------------
echo ------------內核自檢日志---------------------
echo "正在查看內核自檢日志....." | $saveresult
# dmesg may be refused for non-root users when kernel.dmesg_restrict is set
dmesg=$(dmesg 2>/dev/null)
if [ $? \
-eq 0 ];then
    (echo "[*]內核自檢日志如下:" && echo "$dmesg") | $saveresult
else
    echo "[*]未發現內核自檢日志" | $saveresult
fi
printf "\n" | $saveresult

echo ------------btmp日志分析----------------------
echo ------------錯誤登錄日志分析-----------------
echo "正在分析錯誤登錄日志....." | $saveresult
lastb=$(lastb)
if [ -n "$lastb" ];then
    (echo "[*]錯誤登錄日志如下:" && echo "$lastb") | $saveresult
else
    echo "[*]未發現錯誤登錄日志" | $saveresult
fi
printf "\n" | $saveresult

echo ------------lastlog日志分析----------------------
echo ------------所有用戶最后一次登錄日志分析-----------------
echo "正在分析所有用戶最后一次登錄日志....." | $saveresult
lastlog=$(lastlog)
if [ -n "$lastlog" ];then
    (echo "[*]所有用戶最后一次登錄日志如下:" && echo "$lastlog") | $saveresult
else
    echo "[*]未發現所有用戶最后一次登錄日志" | $saveresult
fi
printf "\n" | $saveresult

echo ------------wtmp日志分析---------------
echo ------------所有登錄用戶分析-------
echo "正在檢查歷史上登錄到本機的用戶:" | $saveresult
# Remote pseudo-terminal sessions only; local X sessions (:0) are skipped
lasts=$(last | grep pts | grep -vw :0)
if [ -n "$lasts" ];then
    (echo "[*]歷史上登錄到本機的用戶如下:" && echo "$lasts") | $saveresult
else
    echo "[*]未發現歷史上登錄到本機的用戶信息" | $saveresult
fi
printf "\n" | $saveresult

Kernel information
echo ------------內核情況-----------------
echo "正在檢查內核信息......" | $saveresult
lsmod=$(lsmod)
if [ -n "$lsmod" ];then
    (echo "[*]內核信息如下:" && echo "$lsmod") | $saveresult
else
    echo "[*]未發現內核信息" | $saveresult
fi
printf "\n" | $saveresult

echo ------------可疑內核檢查-----------------
echo "正在檢查可疑內核....." | $saveresult
# Allow-list of modules normally seen on CentOS/VMware hosts ("Module" drops the lsmod
# header); anything not on the list is reported for manual review
danger_lsmod=$(lsmod | grep -Ev "ablk_helper|ac97_bus|acpi_power_meter|aesni_intel|ahci|ata_generic|ata_piix|auth_rpcgss|binfmt_misc|bluetooth|bnep|bnx2|bridge|cdrom|cirrus|coretemp|crc_t10dif|crc32_pclmul|crc32c_intel|crct10dif_common|crct10dif_generic|crct10dif_pclmul|cryptd|dca|dcdbas|dm_log|dm_mirror|dm_mod|dm_region_hash|drm|drm_kms_helper|drm_panel_orientation_quirks|e1000|ebtable_broute|ebtable_filter|ebtable_nat|ebtables|edac_core|ext4|fb_sys_fops|floppy|fuse|gf128mul|ghash_clmulni_intel|glue_helper|grace|i2c_algo_bit|i2c_core|i2c_piix4|i7core_edac|intel_powerclamp|ioatdma|ip_set|ip_tables|ip6_tables|ip6t_REJECT|ip6t_rpfilter|ip6table_filter|ip6table_mangle|ip6table_nat|ip6table_raw|ip6table_security|ipmi_devintf|ipmi_msghandler|ipmi_si|ipmi_ssif|ipt_MASQUERADE|ipt_REJECT|iptable_filter|iptable_mangle|iptable_nat|iptable_raw|iptable_security|iTCO_vendor_support|iTCO_wdt|jbd2|joydev|kvm|kvm_intel|libahci|libata|libcrc32c|llc|lockd|lpc_ich|lrw|mbcache|megaraid_sas|mfd_core|mgag200|Module|mptbase|mptscsih|mptspi|nf_conntrack|nf_conntrack_ipv4|nf_conntrack_ipv6|nf_defrag_ipv4|nf_defrag_ipv6|nf_nat|nf_nat_ipv4|nf_nat_ipv6|nf_nat_masquerade_ipv4|nfnetlink|nfnetlink_log|nfnetlink_queue|nfs_acl|nfsd|parport|parport_pc|pata_acpi|pcspkr|ppdev|rfkill|sch_fq_codel|scsi_transport_spi|sd_mod|serio_raw|sg|shpchp|snd|snd_ac97_codec|snd_ens1371|snd_page_alloc|snd_pcm|snd_rawmidi|snd_seq|snd_seq_device|snd_seq_midi|snd_seq_midi_event|snd_timer|soundcore|sr_mod|stp|sunrpc|syscopyarea|sysfillrect|sysimgblt|tcp_lp|ttm|tun|uvcvideo|videobuf2_core|videobuf2_memops|videobuf2_vmalloc|videodev|virtio|virtio_balloon|virtio_console|virtio_net|virtio_pci|virtio_ring|virtio_scsi|vmhgfs|vm\
w_balloon|vmw_vmci|vmw_vsock_vmci_transport|vmware_balloon|vmwgfx|vsock|xfs|xt_CHECKSUM|xt_conntrack|xt_state")
if [ -n "$danger_lsmod" ];then
    (echo "[!!!]發現可疑內核模塊:" && echo "$danger_lsmod") | tee -a $danger_file | $saveresult
else
    echo "[*]未發現可疑內核模塊" | $saveresult
fi
printf "\n" | $saveresult

Software analysis
echo ------------安裝軟件及版本-----------------
echo "正在檢查安裝軟件及版本情況....." | $saveresult
# Ask rpm for name and version directly instead of splitting the package file name on "-"
software=$(rpm -qa --queryformat '%{NAME} %{VERSION}\n' | sort | uniq)
if [ -n "$software" ];then
    (echo "[*]系統安裝與版本如下:" && echo "$software") | $saveresult
else
    echo "[*]系統未安裝軟件" | $saveresult
fi
printf "\n" | $saveresult

echo ------------可疑軟件-----------------
echo "正在檢查安裝的可疑軟件....." | $saveresult
danger_soft=$(rpm -qa --queryformat '%{NAME}\n' | sort | uniq | grep -E "^(ncat|sqlmap|nmap|beef|nikto|john|ettercap|backdoor|proxy|msfconsole|msf)$")
if [ -n "$danger_soft" ];then
    (echo "[!!!]以下安裝的軟件可疑,需要人工分析:" && echo "$danger_soft") | tee -a $danger_file | $saveresult
else
    echo "[*]未發現安裝可疑軟件" | $saveresult
fi
printf "\n" | $saveresult

Environment variables
echo ------------環境變量-----------------
echo "正在檢查環境變量....." | $saveresult
env=$(env)
if [ -n "$env" ];then
    (echo "[*]環境變量:" && echo "$env") | $saveresult
else
    echo "[*]未發現環境變量" | $saveresult
fi
printf "\n" | $saveresult

Performance analysis
echo ------------性能分析-----------------
echo ------------磁盤分析-----------------
echo ------------磁盤使用-----------------
echo "正在檢查磁盤使用....." | $saveresult
(echo "[*]磁盤使用情況如下:" && df -h) | $saveresult
printf "\n" | $saveresult

echo ------------檢查磁盤使用過大-----------------
echo "正在檢查磁盤使用是否過大....." | $saveresult
# Alert when a filesystem is more than 70% full
df=$(df -h | awk 'NR!=1{print $1,$5}' | awk -F% '{print $1}' | awk '{if ($2>70) print $1,$2}')
if [ -n "$df" ];then
    (echo "[!!!]硬盤空間使用過高,請注意!!!" && echo "$df") | tee -a $danger_file | $saveresult
else
    echo "[*]硬盤空間足夠" | $saveresult
fi
printf "\n" | $saveresult

echo ------------CPU分析-----------------
echo ------------CPU情況-----------------
echo "正在檢查CPU相關信息....." | $saveresult
(echo "CPU硬件信息如下:" && more /proc/cpuinfo) | $saveresult
(echo "CPU使用情況如下:" && ps -aux | sort -nr -k 3 | awk '{print $1,$2,$3,$NF}') | $saveresult
printf "\n" | $saveresult

echo ------------占用CPU前5進程-----------------
echo "正在檢查占用CPU前5資源的進程....." | $saveresult
(echo "占用CPU資源前5進程:" && ps -aux | sort -nr -k 3 | head -5) | $saveresult
printf "\n" | $saveresult

echo ------------占用CPU較大進程-----------------
echo "正在檢查占用CPU較大的進程....." | $saveresult
pscpu=$(ps -aux | sort -nr -k 3 | head -5 | awk '{if($3>=20) print $0}')
if [ -n "$pscpu" ];then
    # Column header matching ps aux output
    (echo "[!!!]以下進程占用的CPU超過20%:" && echo "USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND" && echo "$pscpu") | tee -a $danger_file | $saveresult
else
    echo "[*]未發現進程占用資源超過20%" | $saveresult
fi
printf "\n" | $saveresult

echo ------------內存分析-----------------
echo ------------內存情況-----------------
echo "正在檢查內存相關信息....." | $saveresult
(echo "[*]內存信息如下:" && more /proc/meminfo) | $saveresult
(echo "[*]內存使用情況如下:" && free -m) | $saveresult
printf "\n" | $saveresult

echo ------------占用內存前5進程-----------------
echo "正在檢查占用內存前5資源的進程....." | $saveresult
(echo "[*]占用內存資源前5進程:" && ps -aux | sort -nr -k 4 | head -5) | $saveresult
printf "\n" | $saveresult

echo ------------占用內存較多進程-----------------
echo "正在檢查占用內存較多的進程....." \
| $saveresult
# 20% threshold, matching the message below (the CPU check above uses the same cut-off)
psmem=$(ps -aux | sort -nr -k 4 | head -5 | awk '{if($4>=20) print $0}')
if [ -n "$psmem" ];then
    (echo "[!!!]以下進程占用的內存超過20%:" && echo "USER PID %CPU %MEM VSZ RSS TTY STAT START TIME COMMAND" && echo "$psmem") | tee -a $danger_file | $saveresult
else
    echo "[*]未發現進程占用內存資源超過20%" | $saveresult
fi
printf "\n" | $saveresult

echo ------------網絡連接-----------------
echo "正在檢查網絡連接情況......" | $saveresult
netstat=$(netstat -anlp | grep ESTABLISHED)
netstatnum=$(netstat -n | awk '/^tcp/ {++S[$NF]} END {for(a in S) print a, S[a]}')
if [ -n "$netstat" ];then
    (echo "[*]網絡連接情況:" && echo "$netstat") | $saveresult
    if [ -n "$netstatnum" ];then
        (echo "[*]各個狀態的數量如下:" && echo "$netstatnum") | $saveresult
    fi
else
    echo "[*]未發現網絡連接" | $saveresult
fi
printf "\n" | $saveresult