#!/usr/bin/env bash


#网络检查依赖NetworkManager Service,需先开启该服务
# OS hardening baseline check script. Run it as root: it starts/stops
# NetworkManager for the bond0 check and reads /etc/sudoers and the PAM files,
# which normally need root. Each item prints its own verdict. Apart from the
# NetworkManager start/stop and the history directory created in get_profile
# nothing on the host is modified.

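start_nms(){
    # The bond0 check (2.6) reads its data through nmcli, which needs
    # NetworkManager running. Start it here; the caller stops it again
    # (item 2.7 of this baseline expects the service disabled at boot).
    # Both streams are discarded: the original "2>&1 >/dev/null" order only
    # silenced stdout and let systemctl's stderr leak into the report.
    if ! systemctl start NetworkManager.service >/dev/null 2>&1; then
        echo "NetworkManager Service启动失败,影响2.6网络绑定设定检查"
    fi
}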
#网络检查依赖NetworkManager Service,检查后关闭该服务
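stop_nms(){
    # Counterpart of start_nms: stop NetworkManager once the bond0 check is
    # done. Only call this if the service was not running before the audit,
    # otherwise the check script takes down a host whose network it manages.
    # Both streams discarded (the original order leaked stderr to the report).
    if ! systemctl stop NetworkManager.service >/dev/null 2>&1; then
        echo "NetworkManager Service关闭失败,请手工关闭。"
    fi
}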
#获取主机名
get_hostname(){
    # 2.5 hostname: there is no automatic expectation, so the current name is
    # printed for a human to verify.
    local current_name
    current_name=$(hostname)
    printf '###2.5主机名设定###\n'
    printf '\t当前主机名为:%s,请人工检查\n' "${current_name}"
    printf '\n\n'
}

#2.6网络绑定设定
#判断是否有bond0网卡,如有并输出相关信息;
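get_bond0(){
    # 2.6 network bonding: show the bond0 NetworkManager connection for manual
    # review. Needs NetworkManager running (see start_nms); nothing is judged
    # automatically beyond "does a bond0 connection exist".
    # Fix: "2>&1 >/dev/null" only silenced stdout and let nmcli's stderr leak
    # into the report; both streams are now discarded for the existence probe.
    local summary details
    echo "###2.6网络绑定设定###"
    if nmcli connection show bond0 >/dev/null 2>&1; then
        summary=$(nmcli connection show | grep bond0)
        echo "${summary}"
        # Only the IPv4 addressing keys are relevant to the reviewer.
        details=$(nmcli connection show bond0 | grep -E "ipv4.addresses:|ipv4.gateway:|ipv4.dns:|ipv4.method:")
        echo "${details}"
        echo "bond0网卡信息请人工检查"
    else
        echo -e "\tError:bond0网卡不存在"
    fi
    echo -e "\n"
}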

#2.7Disable NetworkManager Service
get_nms(){
    # 2.7: NetworkManager must not be enabled at boot ("disabled" from
    # systemctl is-enabled). Any other answer — enabled, masked, static or an
    # error — is reported as a failure together with the raw state string.
    local boot_state
    echo "###2.7Disable NetworkManager Service###"
    boot_state=$(systemctl is-enabled NetworkManager)
    case "${boot_state}" in
        disabled)
            echo -e "\t2.7Disable NetworkManager Service检查通过。"
            ;;
        *)
            echo -e "\t2.7Disable NetworkManager Service当前状态为${boot_state}。检查未通过"
            ;;
    esac
    echo -e "\n"
}

#2.8禁用IPV6 Disable IPV6
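get_ipv6(){
    # 2.8 IPv6: require "<key> = 1" as an active (uncommented) line.
    # $1 sysctl key, e.g. net.ipv6.conf.all.disable_ipv6
    # $2 optional config file (default /etc/sysctl.conf)
    # Fix: the original pattern was anchored at neither end, so a commented
    # "#net...disable_ipv6 = 1" or a value of "10" counted as a pass. Both ends
    # are now anchored and the dots in the key are escaped.
    # NOTE: only this one file is read. /etc/sysctl.d/*.conf and the live value
    # ("sysctl -n <key>") are not consulted, so a pass is a config-file pass only.
    local item=$1
    local conf=${2:-/etc/sysctl.conf}
    local escaped=${item//./\\.}
    local v6res
    echo "###2.8禁用IPV6 Disable IPV6###"
    v6res=$(grep -E "^[[:space:]]*${escaped}[[:space:]]*=[[:space:]]*1[[:space:]]*"'$' "${conf}" 2>/dev/null)
    if [ -n "${v6res}" ]; then
        echo -e "\t${v6res}"
        echo -e "\t${item}  检查通过"
    else
        echo -e "\t${item}检查未通过"
    fi
    echo -e "\n"
}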

#2.9DNS设置
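get_dns(){
    # 2.9 DNS: DNS1/DNS2 in the bond0 ifcfg file must be the site resolvers.
    # $1 optional ifcfg file (default /etc/sysconfig/network-scripts/ifcfg-bond0)
    # $2 optional expected DNS1 (default 10.32.54.10)
    # $3 optional expected DNS2 (default 10.32.54.11)
    # Bug fixed: the original echoed the grep result unquoted, which joined
    # every DNS line into one string before the awk split, so DNS1 was read as
    # "10.32.54.10 DNS2" and both comparisons always failed. A DNS1 failure was
    # also reported under the DNS2 label. Keys are now matched exactly
    # ("^DNS1=") and surrounding quotes are stripped from the value.
    local ifcfg=${1:-/etc/sysconfig/network-scripts/ifcfg-bond0}
    local want1=${2:-10.32.54.10}
    local want2=${3:-10.32.54.11}
    local dns dns1 dns2
    echo "###2.9DNS设置###"
    dns=$(grep DNS "${ifcfg}" 2>/dev/null)
    echo "${dns}"
    dns1=$(printf '%s\n' "${dns}" | grep -E '^DNS1=' | head -n1 | cut -d= -f2- | tr -d "\"'")
    dns2=$(printf '%s\n' "${dns}" | grep -E '^DNS2=' | head -n1 | cut -d= -f2- | tr -d "\"'")
    if [ "${dns1}" = "${want1}" ]; then
        echo -e "\tDNS1配置正确,检查通过。"
    else
        echo -e "\tDNS1配置不正确,检查未通过"
    fi

    if [ "${dns2}" = "${want2}" ]; then
        echo -e "\tDNS2配置正确,检查通过。"
    else
        echo -e "\tDNS2配置不正确,检查未通过"
    fi
    echo -e "\n"
}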

#2.10Zabbix-agent的配置
#依据现场安装手册编写和检查

#2.11Syslog的配置(北京待定)
get_rsyslog(){
    # 2.11 syslog: rsyslog must be enabled at boot and currently active.
    # Forwarding configuration (item 1 in the original notes) is still
    # undecided for the Beijing site and is not checked here.
    local boot_state run_state
    echo "###2.11Syslog的配置(北京待定)###"
    boot_state=$(systemctl is-enabled rsyslog.service)
    run_state=$(systemctl is-active rsyslog.service)
    case "${boot_state}" in
        enabled) echo -e "\trsyslog服务已配置开机自启动,检查通过" ;;
        *)       echo -e "\trsyslog服务未配置开机自启动,检查未通过" ;;
    esac

    case "${run_state}" in
        active) echo -e "\trsyslog服务已运行,检查通过" ;;
        *)      echo -e "\trsyslog服务未运行,检查未通过" ;;
    esac
    echo -e "\n"
}

#2.12用户配置
get_user(){
    # 2.12 users: the expected sa.k00572 / sa.k00382 account details were never
    # supplied, so this item only prints a placeholder.
    printf '%s\n' "###2.12用户配置###"
    printf '%s\n' "sa.k00572,sa.k00382用户无添加的信息信息,待定"
    printf '\n\n'
}

#2.13User Profile配置
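get_profile(){
    # 2.13 user profile: the check logic is still undecided; for now this only
    # prepares the shell-history archive directory.
    # $1 optional directory (default /var/log/history_old/)
    # Fix: the directory was created mode 777. World-writable without the
    # sticky bit means any local user can delete or replace other users'
    # archived history, which defeats keeping it at all. 1777 keeps "everyone
    # may write" (the apparent intent) while only a file's owner can remove it.
    # TODO(review): confirm who actually writes here; if only root does,
    # tighten further (e.g. 0750).
    local dir=${1:-/var/log/history_old/}
    echo "###2.13User Profile配置###"
    echo "待确定逻辑"
    mkdir -p -- "${dir}"
    chmod 1777 -- "${dir}"
    echo -e "\n"
}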
#2.14用户安全策略相关配置
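get_secret(){
    # 2.14 password quality: compare one pwquality key against the baseline.
    # $1 key name (minlen, minclass, maxrepeat, maxclassrepeat, lcredit,
    #    ucredit, dcredit, ocredit); other keys just print the matched line
    # $2 optional config file (default /etc/security/pwquality.conf)
    # Fixes: the ucredit branch printed "\r" instead of "\t"; a missing key left
    # "[ -eq N ]" with an empty operand (a shell error on the report); the
    # expected values now live in one table instead of eight elif branches.
    # NOTE: only the main file is read; /etc/security/pwquality.conf.d is not.
    local sitem=$1
    local conf=${2:-/etc/security/pwquality.conf}
    local expected tmp sres
    case "${sitem}" in
        minlen)                           expected=8 ;;
        minclass)                         expected=3 ;;
        maxrepeat|maxclassrepeat)         expected=0 ;;
        lcredit|ucredit|dcredit|ocredit)  expected=1 ;;
        *)                                expected= ;;
    esac
    # Active (uncommented) "key = value" line; value = first token after '='.
    tmp=$(grep -E "^${sitem}[[:space:]]*=[[:space:]]*" "${conf}" 2>/dev/null)
    sres=$(printf '%s\n' "${tmp}" | head -n1 | cut -d= -f2- | awk '{print $1}')
    echo -e "\t${tmp}"
    if [ -z "${expected}" ]; then
        : # unknown key: nothing to compare against, same as the original
    elif [[ "${sres}" =~ ^-?[0-9]+$ ]] && [ "${sres}" -eq "${expected}" ]; then
        echo -e "\t${sitem}检查通过"
    else
        echo -e "\t${sitem}应设置为${expected},检查未通过"
    fi
    echo -e "\n"
}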

#密码错误3次锁定5分钟
#文档有误
# NOTE(review): the heading says 3 failed attempts, but the check below compares
# deny=5; the original author flagged the source document as wrong. Confirm the
# required value with the baseline owner before relying on this item.
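get_pd_err(){
    # Account lockout: the pam_tally2 line(s) in the PAM auth file must log to
    # /var/log/tallylog, with deny=N and unlock_time=300.
    # $1 optional PAM file (default /etc/pam.d/password-auth-ac)
    # $2 optional expected deny count (default 5 — the value the original
    #    compared against; its heading and message said 3 and the author noted
    #    the document was wrong. Pass the confirmed value here.)
    # $3 optional expected unlock_time in seconds (default 300)
    # Fixes: deny was parsed with "[0-9]" (single digit, so deny=10 read as 1);
    # the heading and failure message now report the value actually expected;
    # the file is read directly instead of through "cat -n".
    # NOTE: only this one file is inspected. system-auth(-ac) carries the same
    # pam_tally2 lines and is not checked; on releases that ship pam_faillock
    # instead of pam_tally2 this check does not apply.
    local pamfile=${1:-/etc/pam.d/password-auth-ac}
    local want_deny=${2:-5}
    local want_unlock=${3:-300}
    local ptmp file deny unlock_time
    echo "###密码错误${want_deny}次锁定5分钟###"
    ptmp=$(grep pam_tally2.so "${pamfile}" 2>/dev/null)
    echo "${ptmp}"
    # First occurrence of each option across the matched lines.
    file=$(printf '%s\n' "${ptmp}" | grep -oE 'file=[^[:space:]]+' | head -n1 | cut -d= -f2)
    deny=$(printf '%s\n' "${ptmp}" | grep -oE 'deny=[0-9]+' | head -n1 | cut -d= -f2)
    unlock_time=$(printf '%s\n' "${ptmp}" | grep -oE 'unlock_time=[0-9]+' | head -n1 | cut -d= -f2)
    if [ "${file}" = "/var/log/tallylog" ]; then
        echo -e "\t密码认证日志配置正确,检查通过"
    else
        echo -e "\t密码认证日志应配置为/var/log/tallylog,检查未通过"
    fi

    if [ "${deny}" = "${want_deny}" ]; then
        echo -e "\t密码错误次数配置正确,检查通过"
    else
        echo -e "\t密码错误次数应配置为${want_deny},检查未通过"
    fi

    if [ "${unlock_time}" = "${want_unlock}" ]; then
        echo -e "\t密码错误锁定时长配置正确,检查通过"
    else
        echo -e "\t密码错误锁定时长应配置为${want_unlock},检查未通过"
    fi
    echo -e "\n"
}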
#密码周期策略
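get_login_defs(){
    # Password ageing: one /etc/login.defs key against the baseline table.
    # $1 key (PASS_MAX_DAYS, PASS_MIN_DAYS, PASS_MIN_LEN, PASS_WARN_AGE);
    #    other keys just print the matched line
    # $2 optional file (default /etc/login.defs)
    # Fixes: an absent key left "[ -eq N ]" with an empty operand (shell error);
    # the key is matched as a whole word followed by whitespace, so it cannot
    # pick up another key that merely starts with the same letters.
    # NOTE: login.defs only applies to accounts created afterwards; existing
    # users keep what is in /etc/shadow ("chage -l"), which is not checked.
    local litem=$1
    local defs=${2:-/etc/login.defs}
    local expected ltmp litem_set
    case "${litem}" in
        PASS_MAX_DAYS) expected=90 ;;
        PASS_MIN_DAYS) expected=0 ;;
        PASS_MIN_LEN)  expected=8 ;;
        PASS_WARN_AGE) expected=7 ;;
        *)             expected= ;;
    esac
    echo "###${litem}配置检查###"
    ltmp=$(grep -E "^${litem}[[:space:]]" "${defs}" 2>/dev/null)
    echo -e "\t${ltmp}"
    litem_set=$(printf '%s\n' "${ltmp}" | head -n1 | awk '{print $2}')
    if [ -z "${expected}" ]; then
        : # unknown key: nothing to compare against, same as the original
    elif [[ "${litem_set}" =~ ^-?[0-9]+$ ]] && [ "${litem_set}" -eq "${expected}" ]; then
        echo -e "\t${litem}检查通过"
    else
        echo -e "\t${litem}应设置为${expected},检查未通过"
    fi
    echo -e "\n"
}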
#禁止root远程登录
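get_sshd_config(){
    # Root SSH login must be off: the first active PermitRootLogin directive
    # must say "no" (sshd honours the first occurrence of a keyword).
    # $1 optional sshd_config (default /etc/ssh/sshd_config)
    # Fix: the original pattern was unanchored, so a commented-out
    # "#PermitRootLogin no" counted as a pass, and a "PermitRootLogin yes"
    # placed before a later "no" also passed. Keywords are case-insensitive.
    # NOTE: Match blocks and Include'd files are not evaluated here;
    # "sshd -T | grep -i permitrootlogin" (as root) shows the effective value.
    local conf=${1:-/etc/ssh/sshd_config}
    local permit
    permit=$(grep -iE '^[[:space:]]*PermitRootLogin[[:space:]]+' "${conf}" 2>/dev/null | head -n1)
    echo "${permit}"
    if printf '%s\n' "${permit}" | grep -qiE '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)'; then
        echo -e "\t禁止root远程登录,检查通过"
    else
        echo -e "\t禁止root远程登录,检查未通过"
    fi
}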
#禁止svc.adm远程登录
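get_svc_adm(){
    # svc.adm must be denied SSH access via an active "DenyGroups" directive.
    # $1 optional sshd_config (default /etc/ssh/sshd_config)
    # Fix: the original pattern was unanchored and used "." as a wildcard, so a
    # commented "#DenyGroups svc.adm" passed and so would "svcXadm". It also
    # only matched when svc.adm was the first group; DenyGroups takes a list,
    # so the group is now accepted anywhere on the line.
    # NOTE: Match blocks and Include'd files are not evaluated; "sshd -T" (as
    # root) shows the effective setting.
    local conf=${1:-/etc/ssh/sshd_config}
    local permit
    permit=$(grep -iE '^[[:space:]]*DenyGroups[[:space:]]+' "${conf}" 2>/dev/null \
        | grep -E '[[:space:]]svc\.adm([[:space:]]|$)')
    echo "${permit}"
    if [ -n "${permit}" ]; then
        echo -e "\t禁止svc.adm远程登录,检查通过"
    else
        echo -e "\t禁止svc.adm远程登录,检查未通过"
    fi
    echo -e "\n"
}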
#配置/etc/motd文件
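get_motd(){
    # /etc/motd: content is shown for manual review; the file must carry the
    # immutable attribute (chattr +i) so it cannot be edited in place.
    # $1 optional path (default /etc/motd)
    # Fix: the original searched lsattr's output for the literal "-i-", which
    # misses the bit whenever a neighbouring flag (e.g. "a") is also set. The
    # flag field is now isolated and tested for an "i" anywhere in it.
    local motd=${1:-/etc/motd}
    local attr flags
    echo "###配置/etc/motd文件###"
    cat "${motd}"
    echo -e "\t文件内容请人工检查"
    echo "###/etc/motd文件i权限检查###"
    attr=$(lsattr "${motd}" 2>/dev/null)
    echo -e "\t${attr}"
    flags=${attr%% *}
    if [[ "${flags}" == *i* ]]; then
        echo -e "\t/etc/motd文件i权限检查,检查通过"
    else
        echo -e "\t/etc/motd文件i权限检查,检查未通过"
    fi
    echo -e "\n"
}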
#2.15sudo log功能 Enable sudo log
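get_sudo(){
    # sudo logging: all three Defaults lines must be active in sudoers.
    # $1 optional sudoers file (default /etc/sudoers)
    # Fix: the original grep was unanchored and literal, so a commented-out
    # "#Defaults logfile=..." passed while "Defaults<tab>logfile=..." failed.
    # Each directive is now required as an uncommented "Defaults" line.
    # NOTE: only the main file is read; the same Defaults may legitimately live
    # in /etc/sudoers.d/*, which would show here as a failure.
    local sudoers=${1:-/etc/sudoers}
    local r1 r2 r3
    echo "####2.14sudo log功能 Enable sudo log###"
    r1=$(grep -E '^[[:space:]]*Defaults[[:space:]]+logfile=/var/log/sudo\.log' "${sudoers}" 2>/dev/null)
    r2=$(grep -E '^[[:space:]]*Defaults[[:space:]]+loglinelen=0' "${sudoers}" 2>/dev/null)
    r3=$(grep -E '^[[:space:]]*Defaults[[:space:]]+!syslog' "${sudoers}" 2>/dev/null)
    echo "${r1}"
    echo "${r2}"
    echo "${r3}"
    if [ -n "${r1}" ] && [ -n "${r2}" ] && [ -n "${r3}" ]; then
        echo -e "\t2.14sudo log功能 Enable sudo log,检查通过"
    else
        echo -e "\t2.14sudo log功能 Enable sudo log,检查未通过"
    fi
    echo
}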

#2.16关闭防火墙
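get_firewall(){
    # 2.16 firewall: this baseline wants firewalld off — not enabled at boot,
    # not running, and masked so nothing can start it.
    # Fixes: the mask verdict referenced an undefined ${fireall_mask}; and a
    # masked unit answers "masked" (not "disabled") to "systemctl is-enabled",
    # so a correctly masked firewalld failed the first check while passing the
    # third. "masked" is now accepted for the boot-time check and is also the
    # mask evidence, instead of parsing "ls -l" of the unit symlink.
    # NOTE: with firewalld off, packet filtering has to come from elsewhere
    # (network ACLs or another host firewall); this script cannot verify that.
    local firewall_auto fireall_active
    firewall_auto=$(systemctl is-enabled firewalld 2>/dev/null)
    fireall_active=$(systemctl is-active firewalld 2>/dev/null)
    case "${firewall_auto}" in
        disabled|masked|masked-runtime)
            echo -e "\t2.15关闭防火墙,防火墙开机自启为${firewall_auto},检查通过。" ;;
        *)
            echo -e "\t2.15关闭防火墙,防火墙开机自启为${firewall_auto}。检查未通过" ;;
    esac
    if [ "${fireall_active}" = "inactive" ]; then
        echo -e "\t2.15关闭防火墙,防火墙运行状态为${fireall_active},检查通过。"
    else
        echo -e "\t2.15关闭防火墙,防火墙运行状态为${fireall_active},检查未通过。"
    fi
    case "${firewall_auto}" in
        masked|masked-runtime)
            echo -e "\t2.15关闭防火墙,防火墙已标记为${firewall_auto},检查通过。" ;;
        *)
            echo -e "\t2.15关闭防火墙,防火墙未标记为mask,检查未通过。" ;;
    esac

}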
#2.17关闭Selinux
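get_selinux(){
    # 2.17 SELinux: this baseline wants SELINUX=disabled in the config file.
    # $1 optional config file (default /etc/selinux/config)
    # Fix: the original pattern was unanchored, so a commented
    # "#SELINUX=disabled" passed; an active line with exactly that value is
    # now required.
    # NOTE: the file only sets the state for the next boot; the running state
    # ("getenforce") is not consulted here.
    local conf=${1:-/etc/selinux/config}
    local selinux_result
    selinux_result=$(grep -E '^[[:space:]]*SELINUX=disabled[[:space:]]*$' "${conf}" 2>/dev/null)
    if [ -n "${selinux_result}" ]; then
        echo -e "\t#2.16关闭Selinux检查通过"
    else
        echo -e "\t\t#2.16关闭Selinux检查未通过"
    fi
}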
#2.18YUM 配置,备份可能不对
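get_yum(){
    # 2.18 YUM: one of the two expected site repo files must exist.
    # $1 optional repo directory (default /etc/yum.repos.d)
    # NOTE: presence is all that is verified — baseurl and gpgcheck=1 inside
    # the file are not inspected, so a pass does not prove packages are signed.
    local repodir=${1:-/etc/yum.repos.d}
    if [ -f "${repodir}/Redhat7_9.repo" ] || [ -f "${repodir}/CentOS7_9.repo" ]; then
        echo -e "\t2.17YUM 配置,检查通过"
    else
        echo -e "\t2.17YUM 配置,检查未通过"
    fi
}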
#2.19NTP 配置
#需确定地址
get_ntp(){
    # 2.19 NTP: the server address has not been decided, so this only emits a
    # blank line to keep the report layout.
    printf '\n'
}
#2.20安全相关配置
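get_secret_check(){
    # 2.20 security-related files: list file permissions under /var/log for
    # manual review. $1 optional directory (default /var/log).
    # Fix: "files=(find ...)" built a bash array holding the words of the
    # command, so the report printed the word "find" and nothing else; it is
    # now a command substitution. "-exec ... +" batches the ls calls.
    # The /etc/cron* permission check is still unimplemented (message kept).
    local dir=${1:-/var/log}
    local files
    files=$(find "${dir}" -type f -exec ls -l {} + 2>/dev/null)
    echo "${files}"
    echo -e "\t检查目录${dir},请人工检查以上文件权限"
    echo "检查目录/etc/cron*,未写"

}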

#2.20Kdump 配置验证
#2.21配置crashkernel size(DB Server only)


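main(){
    # Runs the checks in report order.
    # NetworkManager is only needed for the bond0 query (2.6): it is started
    # for that one check and stopped again afterwards ONLY if it was not already
    # running, so the audit does not take down a host whose networking
    # NetworkManager currently manages (the original stopped it unconditionally).
    # Checks that were defined but never called (PAM lockout, firewall, SELinux,
    # YUM, /var/log permissions) are now part of the run.
    local nm_was_active
    get_hostname
    nm_was_active=$(systemctl is-active NetworkManager.service 2>/dev/null)
    start_nms
    get_bond0
    if [ "${nm_was_active}" != "active" ]; then
        stop_nms
    fi
    get_nms
    get_ipv6 net.ipv6.conf.all.disable_ipv6
    get_ipv6 net.ipv6.conf.default.disable_ipv6
    get_ipv6 net.ipv6.conf.lo.disable_ipv6
    get_dns
    get_rsyslog
    get_user
    echo "###2.13用户安全策略相关配置###"
    get_secret minlen
    get_secret minclass
    get_secret maxrepeat
    get_secret maxclassrepeat
    get_secret lcredit
    get_secret ucredit
    get_secret dcredit
    get_secret ocredit
    get_login_defs PASS_MAX_DAYS
    get_login_defs PASS_MIN_DAYS
    get_login_defs PASS_MIN_LEN
    get_login_defs PASS_WARN_AGE
    get_pd_err
    get_sshd_config
    get_svc_adm
    get_motd
    get_sudo
    get_firewall
    get_selinux
    get_yum
    get_secret_check

}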

# Entry point: run the whole report (main ignores its arguments).
main "$@"