• linux安全配置检查脚本_v0.5


    看到网上有人分享了一些linux系统的基线检查脚本,但有些检查项未必适合自己,或者说检查得不够完善,

    计划按照自己的需求重新写一份,脚本的检查范围会不断更新。

    脚本内容:

    [root@localhost ~]# cat check.sh 
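    #! /bin/bash
    # Linux security baseline check. Prints a banner, then starts a fresh
    # report file (./out.txt) that the individual checks below append to.
    cat <<EOF
    *************************************************************************
     linux安全配置检查脚本:
        1. 输出结果也可以在当前目录的out.txt中查看
        2. 检查范围:
           -》账号策略检查
           -》账号注销检查
           -》GRUB密码检查
           -》LILO密码检查
    
    *************************************************************************
    EOF
    
    # The report lists this host's configuration weaknesses, so create it
    # readable by the invoking user only.
    umask 077
    # Remove the previous report. -r is dropped on purpose: a directory that
    # happens to be named out.txt must never be deleted recursively.
    # The report path is fixed and relative, so run the script from a directory
    # that only the invoking user can write to.
    rm -f -- ./out.txt
    echo -e  "
    "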
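    echo "[1] 账号策略检查中..."
    
    # Print the value (second field) of KEY from a login.defs-style file.
    #   $1 - key name, compared exactly with the first field, so commented
    #        lines never match, whether or not the '#' is at column 0
    #   $2 - file to read (default: /etc/login.defs)
    # When KEY occurs more than once the last entry is printed; nothing is
    # printed when the key or the file is missing.
    login_defs_value() {
      awk -v key="$1" '$1 == key { val = $2 } END { if (val != "") print val }' \
        "${2:-/etc/login.defs}" 2>/dev/null
    }
    
    # Succeed only when $1 is a non-empty string of decimal digits, so the
    # numeric tests below never receive an empty or malformed operand.
    is_uint() {
      case "$1" in
        '' | *[!0-9]*) return 1 ;;
        *) return 0 ;;
      esac
    }
    
    # NOTE: login.defs holds the defaults applied when an account is created.
    # Aging values of existing accounts live in /etc/shadow (see `chage -l`)
    # and are not inspected by this check.
    passmax=$(login_defs_value PASS_MAX_DAYS)
    passmin=$(login_defs_value PASS_MIN_DAYS)
    passlen=$(login_defs_value PASS_MIN_LEN)
    passage=$(login_defs_value PASS_WARN_AGE)
    
    # Maximum password age: 1..90 days. A missing or non-numeric value
    # (for example -1) is reported as non-compliant.
    if is_uint "$passmax" && [ "$passmax" -gt 0 ] && [ "$passmax" -le 90 ]; then
      echo "  [OK]口令生存周期为${passmax}天,符合要求" >> out.txt
    else
      echo "  [ X ] 口令生存周期为${passmax}天,不符合要求,建议设置不大于90天" >> out.txt
    fi
    
    # Minimum days between password changes: at least 6.
    if is_uint "$passmin" && [ "$passmin" -ge 6 ]; then
      echo "  [OK]口令更改最小时间间隔为${passmin}天,符合要求" >> out.txt
    else
      echo "  [ X ] 口令更改最小时间间隔为${passmin}天,不符合要求,建议设置大于等于6天" >> out.txt
    fi
    
    # Minimum password length: at least 8.
    # NOTE(review): on PAM-based systems the length is usually enforced by the
    # PAM password-quality module rather than PASS_MIN_LEN; confirm which one
    # applies on the target host before trusting this result.
    if is_uint "$passlen" && [ "$passlen" -ge 8 ]; then
      echo "  [OK]口令最小长度为${passlen},符合要求" >> out.txt
    else
      echo "  [ X ] 口令最小长度为${passlen},不符合要求,建议设置最小长度大于等于8" >> out.txt
    fi
    
    # Expiry warning: at least 30 days and shorter than the maximum age.
    if is_uint "$passage" && is_uint "$passmax" \
      && [ "$passage" -ge 30 ] && [ "$passage" -lt "$passmax" ]; then
      echo "  [OK]口令过期警告时间天数为${passage},符合要求" >> out.txt
    else
      echo "  [ X ] 口令过期警告时间天数为${passage},不符合要求,建议设置大于等于30并小于口令生存周期" >> out.txt
    fi
    echo "..."
    echo 'check over'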
    
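    echo -e "
    "
    echo "[2] 账号注销检查中..."
    
    # Print the numeric value of the last uncommented TMOUT=<n> assignment in
    # a profile-style file.
    #   $1 - file to read (default: /etc/profile)
    # Comment lines and lines that only mention TMOUT (e.g. "readonly TMOUT")
    # are ignored; nothing is printed when no assignment is found.
    profile_tmout() {
      awk '
        /^[ \t]*#/ { next }
        match($0, /(^|[ \t;])TMOUT="?[0-9]+/) {
          val = substr($0, RSTART, RLENGTH)
          sub(/^.*=/, "", val)
          gsub(/"/, "", val)
        }
        END { if (val != "") print val }
      ' "${1:-/etc/profile}" 2>/dev/null
    }
    
    # The result is kept in its own variable: assigning to TMOUT would change
    # bash's own timeout setting for this shell.
    # Only /etc/profile is inspected; a TMOUT set in /etc/profile.d/*.sh,
    # /etc/bashrc or a per-user file is not seen by this check.
    tmout_value=$(profile_tmout)
    
    if [ -z "$tmout_value" ]; then
      echo "  [ X ] 账号超时不存在自动注销,不符合要求,建议设置小于600秒" >> out.txt
    elif [ "$tmout_value" -le 600 ] && [ "$tmout_value" -ge 10 ]; then
      echo "  [ √ ] 账号超时时间${tmout_value}秒,符合要求" >> out.txt
    else
      echo "  [ X ] 账号超时时间${tmout_value}秒,不符合要求,建议设置小于600秒" >> out.txt
    fi
    echo "..."
    echo 'check over'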
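    echo -e "
    "
    echo "[3] GRUB密码检查中..."
    
    # Succeed when the given GRUB (legacy) config file has an uncommented
    # "password" directive at the start of a line.
    #   $1 - config file to inspect
    # Anchoring the match keeps indented comments ("  #password ...") and
    # lines that merely contain the word (e.g. a title) from counting as set.
    grub_conf_has_password() {
      grep -Eq '^[[:space:]]*password([[:space:]=]|$)' -- "$1" 2>/dev/null
    }
    
    grub_conf=/etc/grub.conf
    
    # A missing file is reported separately instead of as "no password":
    # the host may boot through a different loader or config path, which this
    # check does not cover.
    # Limitation: whether the configured password is stored hashed is not
    # checked here.
    if [ ! -f "$grub_conf" ]; then
      echo "  [ ! ] ${grub_conf}不存在,未能检查grub密码(若系统使用GRUB2,需另行检查其配置)" >> out.txt
    elif grub_conf_has_password "$grub_conf"; then
      echo "  [ √ ] 已设置grub密码,符合要求" >> out.txt
    else
      echo "  [ X ] 没有设置grub密码,不符合要求,建议设置grub密码" >> out.txt
    fi
    
    echo "..."
    echo "check over"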
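    echo -e "
    "
    echo "[4] LILO密码检查中..."
    
    # Succeed when the given LILO config file has an uncommented
    # "password=" setting at the start of a line.
    #   $1 - config file to inspect
    # Anchoring the match keeps indented comments ("  # password=...") and
    # values that merely contain the word (e.g. label=password-reset) from
    # counting as a configured password.
    lilo_conf_has_password() {
      grep -Eq '^[[:space:]]*password[[:space:]]*=' -- "$1" 2>/dev/null
    }
    
    lilo_conf=/etc/lilo.conf
    
    # NOTE(review): a password= line may hold the password in clear text, so
    # the file's permissions are worth reviewing too; that is not done here.
    if [ ! -f "$lilo_conf" ]; then
      echo "  [ √ ] lilo.conf配置文件不存在,系统可能不是通过LILO引导" >> out.txt
    elif lilo_conf_has_password "$lilo_conf"; then
      echo "  [ √ ] 已设置lilo密码,符合要求" >> out.txt
    else
      echo "  [ X ] 没有设置lilo密码,不符合要求,建议设置lilo密码" >> out.txt
    fi
    echo "..."
    echo "check over"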
    # Blank line after the last check.
    printf '\n'
    
    
    ## Detailed filtering checks: to be added ##
    
    
    echo -e "
    "
    # Show the collected findings between two rulers, with blank lines
    # around the heading and the report body.
    ruler="--------------------------------------------------------------------------"
    printf '%s\n' "$ruler" "" "检查结果:" ""
    cat ./out.txt
    printf '%s\n' "" "$ruler" ""
    [root@localhost ~]# 

    执行效果:

     from

  • 原文地址:https://www.cnblogs.com/tdcqma/p/6724300.html