capos_for_linux_v4.1.0.sh
#!/bin/sh
#
# ******************************************************************
# 作者: 利刃信安攻防实验室
# 微信: Mannix6
# 更新: 2024.6.14
# 版本: v4.1.0
#
# 描述: 网络安全等级保护安全基线配置核查脚本,兼容Red-Hat、CentOS、EulerOS、Asianux、Ubuntu 16、Oracle、MySQL、PostgreSQL。
#
# 使用方法: 建议在root权限下将本脚本导入/tmp目录下执行,可通过 > 重定向到其他文件后,导出查看。
# sudo sh capos_for_linux_v4.1.0.sh -a > Check_`hostname`.txt 自动核查;
# sudo sh capos_for_linux_v4.1.0.sh -l > Check_`hostname`.txt 信息收集;
# sudo sh capos_for_linux_v4.1.0.sh -o > Check_`hostname`.txt Oracle数据库核查;
# sudo sh capos_for_linux_v4.1.0.sh -pgsql > Check_`hostname`.txt PostgreSQL数据库核查;
# sudo sh capos_for_linux_v4.1.0.sh -m > Check_`hostname`.txt MySQL数据库核查,会提示输出root账户口令
# 输入后回车开始核查,也可以输入字母 q 退出MySQL数据库核查;
# sudo sh capos_for_linux_v4.1.0.sh -h -h 或其他错误参数显示帮助提示信息。
#
# 更新记录:
#v4.1.0
#1) redhat_or_centos_ceping方法中增加了对 /etc/pam.d/sshd 中登录失败模块的核查;
# 2) redhat_or_centos_ceping方法中增加了对Red-Hat7版本 /etc/security/pwquality.conf 口令复杂度配置文件的核查;
#3) 注释中修改并添加了用法信息,更新记录,并对功能方法简单介绍;
#4) 考虑到部分服务器最小化权限安装,ifconfig 修改为 ip a,netstat 修改为 ss。
#
# ******************************************************************
#!/bin/sh
#
# ******************************************************************
# 作者: 利刃信安攻防实验室
# 微信: Mannix6
# 更新: 2024.6.14
# 版本: v4.1.0
#
# 描述: 网络安全等级保护安全基线配置核查脚本,兼容Red-Hat、CentOS、EulerOS、Asianux、Ubuntu 16、Oracle、MySQL、PostgreSQL。
#
# 使用方法: 建议在root权限下将本脚本导入/tmp目录下执行,可通过 > 重定向到其他文件后,导出查看。
# sudo sh capos_for_linux_v4.1.0.sh -a > Check_`hostname`.txt 自动核查;
# sudo sh capos_for_linux_v4.1.0.sh -l > Check_`hostname`.txt 信息收集;
# sudo sh capos_for_linux_v4.1.0.sh -o > Check_`hostname`.txt Oracle数据库核查;
# sudo sh capos_for_linux_v4.1.0.sh -pgsql > Check_`hostname`.txt PostgreSQL数据库核查;
# sudo sh capos_for_linux_v4.1.0.sh -m > Check_`hostname`.txt MySQL数据库核查,会提示输出root账户口令
# 输入后回车开始核查,也可以输入字母 q 退出MySQL数据库核查;
# sudo sh capos_for_linux_v4.1.0.sh -h -h 或其他错误参数显示帮助提示信息。
#
# 更新记录:
# v4.1.0
# 1) redhat_or_centos_ceping方法中增加了对 /etc/pam.d/sshd 中登录失败模块的核查;
# 2) redhat_or_centos_ceping方法中增加了对Red-Hat7版本 /etc/security/pwquality.conf 口令复杂度配置文件的核查;
# 3) 注释中修改并添加了用法信息,更新记录,并对功能方法简单介绍;
# 4) 考虑到部分服务器最小化权限安装,ifconfig 修改为 ip a,netstat 修改为 ss。
#
# ******************************************************************
# 全局变量
# 系统版本
DISTRO=
# 系统版本号
DISTRO_NUMBER=
# 是否运行有Oracle数据
ORACLE=
# Orcle版本号
ORACLE_NUMBER=
# 是否运行有MySQL数据
MYSQL=
# MySQL版本号
MYSQL_NUMBER=
# 是否运行有PostgreSQL数据
PGSQL=
# PostgreSQL版本号
PGSQL_NUMBER=
# 数据库种类汇总
DBS=
# Web容器版本
WEBSERVER=
# Web容器版本
WEBSERVER_NUMBER=
# 提示信息颜色预设变量
SETCOLOR_SUCCESS="echo -en \\033[1;32m"
SETCOLOR_FAILURE="echo -en \\033[1;31m"
SETCOLOR_WARNING="echo -en \\033[1;33m"
SETCOLOR_NORMAL="echo -en \\033[0;39m"
time=`date +['%Y-%m-%d %H:%M:%S']`
# 普通信息
LogMsg()
{
echo -e "$time 信息: $*"
$SETCOLOR_NORMAL
}
# 告警信息
LogWarnMsg()
{
$SETCOLOR_WARNING
echo -e "$time 警告: $*"
$SETCOLOR_NORMAL
}
# 成功信息
LogSucMsg()
{
$SETCOLOR_SUCCESS
echo -e "$time 成功: $*"
$SETCOLOR_NORMAL
}
# 错误信息
LogErrorMsg()
{
$SETCOLOR_FAILURE
echo -e "$time 错误: $*"
$SETCOLOR_NORMAL
}
# ******************************************************************
# 重定向文件头部文件描述信息
# ******************************************************************
output_file_banner()
{
echo -e "******************************************************************"
echo -e "描述:\t本脚本适用于 Linux 服务器、数据库和 Linux 运维终端网络安全等级保护测评核查"
echo -e "运行时间:\t"`date +'%Y-%m-%d %H:%M'`
echo -e "******************************************************************"
echo -e
}
# ******************************************************************
# LOGO输出,美化作用
# ******************************************************************
print_logo()
{
cat <<EOF
******************************************************************
██████╗ █████╗ ██████╗ ██████╗ ███████╗{Mannix v4.1.0 2024.6.14}
██╔════╝██╔══██╗██╔══██╗██╔═══██╗██╔════╝
██║ ███████║██████╔╝██║ ██║███████╗
██║ ██╔══██║██╔═══╝ ██║ ██║╚════██║
╚██████╗██║ ██║██║ ╚██████╔╝███████║
╚═════╝╚═╝ ╚═╝╚═╝ ╚═════╝ ╚══════╝
******************************************************************
EOF
}
# ******************************************************************
# 脚本帮助提示信息
# ******************************************************************
helpinfo()
{
cat <<EOF
"使用方法: $0 [OPTION] [PARAMETER]"
${0} -h => 查看使用方法
${0} -l => 显示信息收集
${0} -o => Oracle数据库
${0} -m
=> MySQL数据库
${0} -pgsql => PostgreSQL数据库
${0} -s => 网站服务
${0} -a => 自动核查
EOF
}
# ******************************************************************
# 获取操作系统版本信息: DISTRO->系统类型 ,DISTRO_NUMBER->版本号
# ******************************************************************
get_system_version()
{
if grep -Eqii "CentOS" /etc/issue || grep -Eq "CentOS" /etc/*-release; then
DISTRO='CentOS'
if grep -Eq "9\." /etc/*-release; then
DISTRO_NUMBER='9'
elif grep -Eq "8\." /etc/*-release; then
DISTRO_NUMBER='8'
elif grep -Eq "7\." /etc/*-release; then
DISTRO_NUMBER='7'
elif grep -Eq "6\." /etc/*-release; then
DISTRO_NUMBER='6'
elif grep -Eq "5\." /etc/*-release; then
DISTRO_NUMBER='5'
elif grep -Eq "4\." /etc/*-release; then
DISTRO_NUMBER='4'
else
DISTRO_NUMBER='不支持的版本'
fi
elif grep -Eqi "Red Hat Enterprise Linux Server" /etc/issue || grep -Eq "Red Hat Enterprise Linux Server" /etc/*-release || grep -Eq "Asianux" /etc/*-release; then
DISTRO='RedHat'
if grep -Eq "9\." /etc/*-release; then
DISTRO_NUMBER='9'
elif grep -Eq "8\." /etc/*-release; then
DISTRO_NUMBER='8'
elif grep -Eq "7\." /etc/*-release; then
DISTRO_NUMBER='7'
elif grep -Eq "6\." /etc/*-release; then
DISTRO_NUMBER='6'
elif grep -Eq "5\." /etc/*-release; then
DISTRO_NUMBER='5'
elif grep -Eq "4\." /etc/*-release; then
DISTRO_NUMBER='4'
else
DISTRO_NUMBER='不支持的版本'
fi
elif grep -Eq "EulerOS" /etc/*-release; then
DISTRO='EulerOS'
DISTRO_NUMBER='7'
elif grep -Eqi "Ubuntu" /etc/issue || grep -Eq "Ubuntu" /etc/*-release; then
DISTRO='Ubuntu'
elif [[ -n `uname -a | grep AIX` ]]; then
DISTRO='AIX'
DISTRO_NUMBER=`oslevel`
else
DISTRO='不支持的版本'
fi
}
# ******************************************************************
# 获取Web容器版本信息:WEBSERVER->类型, WEBSERVER_NUMBER->版本号
# ******************************************************************
get_webserver_info()
{
[[ -n `whereis nginx | awk -F: '{print $2}'` ]] && WEBSERVER="nginx" && WEBSERVER_NUMBER=$(nginx -v | awk -F/ '{print $2}')
[[ -n `lastlog | grep weblogic` ]] && [[ -n `ss -pantu | grep ':7001'` ]] && WEBSERVER="weblogic"
[[ -n `cat /etc/passwd | grep apache` ]] && [[ -n `ss -pantu | grep ':80' | grep 'httpd'` ]] && WEBSERVER="apache" && WEBSERVER_NUMBER=$(apachectl -v | awk -F/ '{print $2}' | grep -v ^$)
}
# ******************************************************************
# 获取数据库类型和版本信息:识别后所属全局变量 ORACLE MYSQL PGSQL 会进行赋值
# ******************************************************************
get_database_version()
{
if [[ -n `ss -pantu | grep tnslsnr` ]]; then
ORACLE="Oracle"
banner=`su - oracle << EOF
sqlplus / as sysdba
exit
EOF`
[[ $banner =~ "11g" ]] && ORACLE_NUMBER="11g"
[[ $banner =~ "10g" ]] && ORACLE_NUMBER="10g"
[[ $banner =~ "12c" ]] && ORACLE_NUMBER="12c"
fi
if [[ -n `ss -pantu | grep mysqld` ]]; then
MYSQL="MySQL"
MYSQL_NUMBER=`mysql -V | awk '{print $5}'`
MYSQL_NUMBER=${MYSQL_NUMBER%?}
fi
if [[ -n `ss -pantu | grep postgres` ]]; then
PGSQL="PostgreSQL"
PGSQL_NUMBER=`su - postgres << EOF
psql -d postgres -U postgres -At -c "select version();" | awk '{print $2}'
exit
EOF`
PGSQL_NUMBER=`echo -e ${PGSQL_NUMBER} | awk '{print $2}'`
fi
DBS="${ORACLE} ${ORACLE_NUMBER} ${MYSQL} ${MYSQL_NUMBER} ${PGSQL} ${PGSQL_NUMBER}"
[[ -n `ss -pantu | grep 'redis'` ]] && DBS="${DBS} Redis"
[[ -n `ss -pantu | grep mongodb` ]] && DBS="${DBS} Mongodb"
}
# ******************************************************************
# Redhat系列操作系统信息收集
# ******************************************************************
redhat_info_collection()
{
echo -e "******************************** 1.信息收集 ********************************"
echo -e
echo -e "******************************** 信息收集开始 ********************************"
echo -e
echo -e "硬件平台:\t"`grep 'DMI' /var/log/dmesg | awk -F'DMI:' '{print $2}'`
echo -e "CPU 型号:\t"`cat /proc/cpuinfo | grep name | cut -f2 -d: | uniq`
echo -e "CPU 个数:\t"`cat /proc/cpuinfo | grep processor | wc -l | awk '{print $1}'`
echo -e "CPU 类型:\t"`cat /proc/cpuinfo | grep vendor_id | tail -n 1 | awk '{print $3}'`
Disk=$(fdisk -l |grep '磁盘' |awk -F , '{print $1}' | sed 's/Disk identifier.*//g' | sed '/^$/d')
echo -e "磁盘信息:\n${Disk}\n${Line}"
echo -e "内核信息:\t"`uname -a`
echo -e "系统版本:\t"`cat /etc/redhat-release`
check_ip_format=`ip a | grep "inet addr"`
if [ ! -n "$check_ip_format" ]; then
# 8.x 7.x
Ipddr=`ip a | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -v 127 | awk '{print $2}'`
else
# 6.x
Ipddr=`ip a | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -v 127 | awk '{print $2}' | awk -F: '{print $2}'`
fi
echo -e "主机名:\t"`hostname`
echo -e "语言:"$LANG
echo -e "Ip地址:\t${Ipddr}"
echo -e "中间件或网站服务:\t${WEBSERVER} ${WEBSERVER_NUMBER}"
echo -e "数据库:\t${DBS}"
echo -e
echo -e "******************************** 信息收集结束 ********************************"
echo -e
}
# ******************************************************************
# Ubuntu操作系统信息收集
# ******************************************************************
ubuntu_info_collection()
{
echo -e "******************************** 1.信息收集 ********************************"
echo -e
echo -e "******************************** 信息收集开始 ********************************"
echo -e
echo -e "硬件平台:\t"`lspci |grep Host | head -1 | awk -F: '{print $3}'`
echo -e "CPU 型号:\t"`cat /proc/cpuinfo | grep name | uniq | awk -F: '{print $2}'`
echo -e "CPU 个数:\t"`cat /proc/cpuinfo | grep processor | wc -l | awk '{print $1}'`
echo -e "CPU 类型:\t"`cat /proc/cpuinfo | grep vendor_id | tail -n 1 | awk '{print $3}'`
Disk=$(fdisk -l |grep '磁盘' |awk -F , '{print $1}' | sed 's/Disk identifier.*//g' | sed '/^$/d')
echo -e "磁盘信息:\t${Disk}\n${Line}"
echo -e "内核信息:\t`uname -a`"
echo -e "系统版本:\t"`cat /etc/lsb-release | grep "DISTRIB_DESCRIPTION" | awk -F'=' '{print $2}'`
check_ip_format=`ip a | grep "inet addr"`
if [ ! -n "$check_ip_format" ]; then
Ipddr=`ip a | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -v 127 | awk '{print $2}'`
else
Ipddr=`ip a | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -v 127 | awk '{print $2}' | awk -F: '{print $2}'`
fi
echo -e "主机名:\t"`hostname`
echo -e "语言:" $LANG
echo -e "Ip地址:\t${Ipddr}"
echo -e "中间件或网站服务:\t${WEBSERVER} ${WEBSERVER_NUMBER}"
echo -e "数据库:\t${DBS}"
echo -e
echo -e "******************************** 信息收集结束 ********************************"
echo -e
}
# ******************************************************************
# AIX小型机信息收集,暂不支持
# ******************************************************************
AIX_info_collection()
{
prtconf | cat
Ipddr=`ip a | grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' | grep -v 127 | awk '{print $2}'`
echo -e "Ip地址:\t${Ipddr}"
}
# ******************************************************************
# 信息收集 -l 参数执行该方法
# ******************************************************************
information_collection()
{
get_system_version
get_database_version
get_webserver_info
case $DISTRO in
CentOS)
redhat_info_collection;;
RedHat)
redhat_info_collection;;
EulerOS)
redhat_info_collection;;
Ubuntu)
ubuntu_info_collection;;
AIX)
AIX_info_collection ;;
esac
}
# ***************************************************************************
# 红帽系列操作系统执行该方法,主要支持 8.X 7.X 6.X 版本
# ***************************************************************************
redhat_or_centos_ceping()
{
LogMsg "操作系统核查启动 ......" 1>&2
echo -e "******************************** 系统核查开始 ********************************"
echo -e
echo -e "******************************** 2.身份鉴别 ********************************"
echo -e
echo -e "a)应对登录的用户进行身份标识和鉴别,身份标识具有唯一性,身份鉴别信息具有复杂度要求并定期更换"
echo -e
echo -e "查看UID的配置"
echo -e
grep -i id /etc/login.defs | grep -e 'UID_M*'
echo -e
echo -e "查看GID的配置"
echo -e
grep -i id /etc/login.defs | grep -e 'GID_M*'
echo -e
echo -e "查看允许登录的用户"
echo -e
cat /etc/passwd | grep -v 'nologin' | grep -v '/bin/false'
echo -e
echo -e "查看设置密码的用户"
echo -e
cat /etc/shadow | grep -v "*" | grep -v '!'
echo -e
echo -e "查看密码有效期"
echo -e
grep -i pass /etc/login.defs | grep -v '#'
echo -e
echo -e "密码复杂度及历史记忆次数"
echo -e
grep -i password /etc/pam.d/system-auth
echo -e
# ******************************** 空口令用户核查 ******************************** #
echo -e "******************************************************************"
echo -e "空口令用户"
echo -e "******************************************************************"
echo -e
flag=
null_password=`awk -F: 'length($2)==0 {print $1}' /etc/shadow`
if [ -n "$null_password" ]; then
flag='y'
echo -e $null_password
fi
null_password=`awk -F: 'length($2)==0 {print $1}' /etc/passwd`
if [ -n "$null_password" ]; then
flag='y'
echo -e $null_password
fi
null_password=`awk -F: '$2=="!" {print $1}' /etc/shadow`
if [ -n "$null_password" ]; then
flag='y'
echo -e $null_password
fi
null_password=`awk -F: '$2!="x" {print $1}' /etc/passwd`
if [ -n "$null_password" ]; then
flag='y'
echo -e $null_password
fi
[[ ! -n "$flag" ]] && echo -e "[是] 本系统不存在空口令用户!"
echo -e
# ******************************** 特权账户数量核查 ******************************** #
echo -e "******************************************************************"
echo -e "管理员用户"
echo -e "******************************************************************"
echo -e
awk -F: '($3==0)' /etc/passwd
echo -e
# ******************************** 口令策略核查 ******************************** #
echo -e "******************************************************************"
echo -e "密码复杂度要求"
echo -e "******************************************************************"
echo -e
cat /etc/login.defs | grep PASS | grep -v ^#
echo -e
echo -e "******************************************************************"
echo -e "在system-auth文件中 pam_pwquality.so后添加minlen=8 dcredit=-2 ucredit=-1 lcredit=-1 ocredit=-1"
echo -e "参数含义:密码长度最小为8位,数字出现的最少次数为2次,大写字母出现最少1次,小写字母出现最少1次,特殊字符出现最少1次"
echo -e "限制root用户 在system-auth文件中pam_pwquality.so行添加enforce_for_root"
echo -e "******************************************************************"
echo -e
cat /etc/pam.d/system-auth | grep password
echo -e
cat /etc/security/pwquality.conf | grep -E "difok|minlen|dcredit|ucredit|lcredit|ocredit|minclass|maxrepeat|maxclassrepeat|gecoscheck|dictpath"
echo -e
case $DISTRO_NUMBER in
7)
passwordStrength=`cat /etc/security/pwquality.conf | grep -v ^# | grep -E 'difok|minlen|dcredit|ucredit|lcredit|ocredit|minclass|maxrepeat|maxclassrepeat|gecoscheck|dictpath'`
if [ ! -n "$passwordStrength" ]; then
echo -e "[X]核查后 '/etc/security/pwquality.conf', 不存在 pam_cracklib.so 或 pam_pwquality.so 配置"
else
echo -e $passwordStrength
fi;;
*)
passwordStrength=`cat /etc/pam.d/system-auth | grep -E 'pam_cracklib.so | pam_pwquality.so'`
if [ ! -n "$passwordStrength" ]; then
echo -e "[X]核查后 '/etc/pam.d/system-auth', 不存在 pam_cracklib.so 或 pam_pwquality.so 配置"
else
echo -e $passwordStrength
fi;;
esac
echo -e
echo -e "b)应具有登录失败处理功能,应配置并启用结束会话、限制非法登录次数和当登录连接超时自动退出等相关措施"
echo -e
echo -e "登录锁定"
echo -e
grep -i auth /etc/pam.d/system-auth
echo -e
echo -e "超时退出"
echo -e
grep -i tmout /etc/profile
echo -e
# ******************************** 登录失败策略核查 ******************************** #
echo -e "******************************************************************"
echo -e "登录失败处理策略"
echo -e "******************************************************************"
echo -e
login_failure=`cat /etc/pam.d/system-auth | grep tally`
if [ -n "$login_failure" ]; then
echo -e "密码登录失败处理策略设置:${login_failure}。"
else
echo -e "[X]警告:本系统未设置登录失败处理策略!"
fi
echo -e
echo -e "******************************************************************"
echo -e "SSH 密码登录失败处理策略"
echo -e "******************************************************************"
echo -e
ssh_login_failure=`cat /etc/ssh/sshd_config | grep -v ^# | grep MaxAuthTries`
ssh_login_failure2=`cat /etc/pam.d/sshd | grep -v ^# | grep deny=`
if [ -n "$ssh_login_failure" ]; then
echo -e "SSH 密码登录失败处理策略设置:${ssh_login_failure}。"
elif [ -n "$ssh_login_failure2" ]; then
echo -e "SSH 密码登录失败处理策略设置:${ssh_login_failure2}。"
else
echo -e "[X] 警告: SSH 远程管理未设置登录失败处理策略(建议3~5次)"
fi
echo -e
# ******************************** Shell登录超时退出登录核查 ******************************** #
echo -e "******************************************************************"
echo -e "登录超时锁定(建议配置登录超时时间 >= 600秒)"
echo -e "******************************************************************"
echo -e
TMOUT=`cat /etc/profile | grep -n "TMOUT"`
if [ -n "$TMOUT" ]; then
echo -e $TMOUT
else
echo -e "[X]警告: 本系统未设置登录超时锁定!"
fi
echo -e
echo -e "******************************************************************"
echo -e "SSH 登录超时锁定(建议配置登录超时时间 >= 600秒)"
echo -e "******************************************************************"
echo -e
cat /etc/ssh/sshd_config | grep -E "ClientAliveInterval|ClientAliveCountMax"
echo -e
echo -e "c)当进行远程管理时,应采取必要措施、防止鉴别信息在网络传输过程中被窃听"
echo -e
echo -e "判断sshd是否启用和telnet是否禁用"
echo -e
ps -aux | grep -e sshd | grep -v '+'
echo -e
ps -aux | grep -e telnet | grep -v '+'
echo -e
echo -e "获取sshd的端口和路径"
echo -e
systemctl status sshd.service | grep -oE 'port [0-9]*' | uniq
echo -e
ps -aux |grep sshd | grep -v 'grep'| grep -oE '(/[a-z]*)*' | uniq
echo -e
ps -aux | grep -e sshd | grep -v 'grep'
echo -e
# ******************************** 核查telnet、ftp、smtp是否开启 ******************************** #
echo -e "******************************************************************"
echo -e "Telnet Ftp SMTP 状态"
echo -e "******************************************************************"
echo -e
telnet_or_ftp_status=`ss -an | grep -E 'telnet|ftp|smtp'`
if [ -n "$telnet_or_ftp_status" ]; then
echo -e $telnet_or_ftp_status
else
echo -e "[是]本系统未开启 'telnet, ftp, smtp' 服务!"
fi
echo -e
echo -e "d)应采用口令、密码技术、生物技术等两种或两种以上组合的鉴别技术对用户进行身份鉴别,且其中一种鉴别技术至少应使用密码技术来实现"
echo -e
echo -e "*******************************************************************"
echo -e "双因素认证人工核查"
echo -e "*******************************************************************"
echo -e
echo -e "**************************** 2.访问控制 ****************************"
echo -e
echo -e "a)应对登录的用户分配账户和权限"
echo -e
ls -l /etc/passwd /etc/shadow /etc/group
echo -e
# ******************************** 重要目录权限核查 ******************************** #
echo -e "******************************************************************"
echo -e "文件访问权限"
echo -e "******************************************************************"
echo -e
ls -l /etc/shadow
ls -l /etc/passwd
ls -l /etc/group
ls -l /etc/gshadow
ls -l /etc/profile
ls -l /etc/crontab
ls -l /etc/securetty
ls -l /etc/ssh/ssh_config
ls -l /etc/ssh/sshd_config
echo -e
echo -e "b)应重命名或删除默认账户,修改默认账户的默认口令"
echo -e
# 所有用户
echo -e "******************************************************************"
echo -e "用户列表"
echo -e "******************************************************************"
echo -e
cat /etc/passwd | cut -d ":" -f1
echo -e
# ******************************** 核查是否允许root远程登录 ******************************** #
echo -e "******************************************************************"
echo -e "SSH 远程管理 PermitRootLogin 状态"
echo -e "******************************************************************"
echo -e
cat /etc/ssh/sshd_config | grep Root
echo -e
echo -e "c)应及时删除或停用多余的、过期的账户,避免共享账户的存在"
echo -e
# ******************************** 口令过期账户数量核查 ******************************** #
echo -e "******************************************************************"
echo -e "口令过期账户"
echo -e "******************************************************************"
echo -e
for timeout_usename in `awk -F: '$2=="!!" {print $1}' /etc/shadow`; do
timeout_usenamelist+="$timeout_usename,"
done
echo -e ${timeout_usenamelist%?}
echo -e
# ******************************** 多余系统默认账户核查,仅参考,进一步核查是否login权限 ******************************** #
echo -e "******************************************************************"
echo -e "可能不需要账户"
echo -e "******************************************************************"
echo -e
for no_need_usename in `cat /etc/shadow | grep -E 'adm|lp|sync|shutdown|halt|mail|uucp|operator|games|gopher|ftp|nuucp|news' | awk -F: '{print $1}'`; do
no_need_usenamelist+="$no_need_usename,"
done
echo -e ${no_need_usenamelist%?}
echo -e
echo -e "d)应授予管理用户所需的最小权限,实现管理用户的权限分离"
echo -e
# 严格意义上要去看下/etc/sudo*文件中的对特权用户的定义,查看对应配置的用户组和用户
echo -e "e)应由授权主体配置访问控制策略,访问控制策略规定主体对客体的访问规则"
echo -e
# 随机性太大,人工访谈后验证
echo -e "f)访问控制的粒度应达到主体为用户级或进程级,客体为文件、数据库表级"
echo -e
ls -l /etc/passwd /etc/shadow /etc/group
echo -e
# 查看profile中umask的值是否为022
grep -i umask /etc/profile /etc/csh.login /etc/csh.cshrc /etc/bashrc -A1 -B1
echo -e
echo -e "g)应对重要主体和客体设置安全标记,并控制主体对有安全标记信息资源的访问"
echo -e
# ******************************** 核查SeLinux是否开启 ******************************** #
echo -e
echo -e "******************************************************************"
echo -e "MAC(Mandatory access control) 状态"
echo -e "******************************************************************"
echo -e
cat /etc/selinux/config | grep -v ^# | grep "SELINUX="
echo -e
echo -e "**************************** 3.安全审计 ****************************"
echo -e
echo -e "a)应启用安全审计功能,审计覆盖到每个用户,对重要的用户行为和重要安全事件进行审计"
echo -e
# 日志审计服务状态
ps -aux |grep auditd| grep -v 'grep'
echo -e
# ******* 核查Rsyslog,Auditd服务是否开启,日志是否外发,审计配置,审计策略 ******** #
echo -e "******************************************************************"
echo -e "日志审计服务状态"
echo -e "******************************************************************"
echo -e
case $DISTRO_NUMBER in
7)
systemctl list-unit-files --type=service | grep "rsyslog"
systemctl list-unit-files --type=service | grep "auditd";;
*)
service --status-all | grep rsyslogd
systemctl status auditd.service;;
esac
echo -e
# 查看审计规则
cat /etc/audit/audit.rules
echo -e
echo -e "b)审计记录应包括事件的日期和时间,用户、事件类型,事件是否成功及其他与审计相关的信息"
echo -e
sed -n '1,10p' /var/log/messages
echo -e
sed -n '1,10p' /var/log/audit/audit.log
echo -e
echo -e "[审计规则]:\n"`auditctl -l`
echo -e
echo -e "[审计规则]:\n"`cat /etc/audit/audit.rules`
echo -e
# ******************************** 核查最新日志的最后10行 ******************************** #
echo -e "******************************************************************"
echo -e "核查最新日志的最后10行"
echo -e "******************************************************************"
echo -e
cat /var/log/audit/audit.log | tail -n 10
echo -e
ausearch -ts today | tail -n 10
echo -e
echo -e "c)应对审计记录进行保护,定期备份,避免受到未预期的删除、修改或覆盖等"
echo -e
# 查看日志转存的时间
grep -i weekly /etc/logrotate.conf -A4
echo -e
echo -e "d)应对审计进程进行保护,防止未经授权的中断"
echo -e
echo -e "日志服务端口:"`grep -i port /etc/rsyslog.conf |grep -v '#'|grep -oE '[0-9]*'`
echo -e "日志服务器ip:"`grep -i @ /etc/rsyslog.conf |grep -v '#'|grep -oE '@ ([0-9]{1,3}.){4}*'|grep -oE '([0-9]{1,3}.){4}*'`
echo -e
# ******************************** 核查日志审计相关文件权限 ******************************** #
echo -e "******************************************************************"
echo -e "审计日志文件权限"
echo -e "******************************************************************"
echo -e
ls -l /var/log/messages
ls -l /var/log/secure
ls -l /var/log/audit/audit.log
ls -l /etc/rsyslog.conf
ls -l /etc/audit/auditd.conf
ls -l /etc/audit/audit.rules
echo -e
echo -e "[日志转发到日志服务器]:"`grep "^*.*[^I][^I]*@" /etc/rsyslog.conf /etc/rsyslog.d/*.conf`
echo -e
echo -e "******************************************************************"
echo -e "审计规则配置"
echo -e "注意:Max_log_file=5(Log file capacity); Max_log_file_action=ROTATE(log size); num_logs=4"
echo -e "******************************************************************"
echo -e
cat /etc/audit/auditd.conf | grep max_log_file | grep -v ^#
echo -e
cat /etc/audit/auditd.conf | grep num_logs | grep -v ^#
echo -e
echo -e "[审计规则]:"`auditd -l`
echo -e
echo -e "**************************** 4.入侵防范 ****************************"
echo -e
echo -e "a)应遵循最小安装的原则仅安装需要的组件和应用程序"
echo -e
# ******************************** 系统补丁信息 ******************************** #
echo -e "******************************************************************"
echo -e "系统补丁信息"
echo -e "******************************************************************"
echo -e
rpm -qa --last | grep patch
echo -e
yum list installed
echo -e
echo -e "b)应关闭不需要的系统服务、默认共享和高危端口"
echo -e
ss -antp
echo -e
# ******************************** 显示所有开启的服务 ******************************** #
echo -e "******************************************************************"
echo -e "运行中的服务"
echo -e "******************************************************************"
echo -e
case $DISTRO_NUMBER in
7)
systemctl list-unit-files --type=service | grep enabled;;
*)
service --status-all | grep running;;
esac
echo -e
ss -ntlp
echo -e
echo -e "c)应通过设定终端接入方式或网络地址范围对通过网络进行管理的管理终端进行限制"
echo -e
# ******************************** 核查地址限制 ******************************** #
echo -e "******************************************************************"
echo -e "Hosts.allow Hosts.deny 终端限制"
echo -e "******************************************************************"
echo -e
echo -e "[查看 /etc/hosts.allow]:"
echo -e
cat /etc/hosts.allow | grep -v ^#
echo -e
echo -e "[查看 /etc/hosts.deny]:"
echo -e
cat /etc/hosts.deny | grep -v ^#
echo -e
# ******************************** 核查登录终端数量限制 ******************************** #
echo -e "******************************************************************"
echo -e "终端登录列表"
echo -e "******************************************************************"
echo -e
for tty in `cat /etc/securetty `; do
ttylist+="$tty,"
done
echo -e ${ttylist%?}
echo -e
cat /var/log/secure | grep refused
echo -e
echo -e "d)应能发现可能存在的已知漏洞,并在经过充分测试评估后,及时修补漏洞"
echo -e
systemctl status iptables.service
echo -e
# ******************************** 核查防火墙配置 ******************************** #
echo -e "******************************************************************"
echo -e "防火墙状态"
echo -e "******************************************************************"
echo -e
iptables -L -n
echo -e
cat /var/log/secure | grep refused
echo -e
# ******************************** 核查资源限制 等保1.0遗留 ******************************** #
echo -e "******************************************************************"
echo -e "单用户访问资源限制"
echo -e "******************************************************************"
echo -e
echo -e "<domain> <type> <item> <value>"
echo -e
cat /etc/security/limits.conf | grep -v ^#
echo -e
echo -e "******************************************************************"
echo -e "系统资源使用情况"
echo -e "******************************************************************"
echo -e "[磁盘信息]:"
echo -e
df -h
echo -e
echo -e "[内存信息]:"
echo -e
free -m
echo -e
# ******************************** 核查硬件资源运行情况 等保1.0遗留 ******************************** #
# mem_use_info=(`awk '/MemTotal/{memtotal=$2}/MemAvailable/{memavailable=$2}END{printf "%.2f %.2f %.2f",memtotal/1024/1024," "(memtotal-memavailable)/1024/1024," "(memtotal-memavailable)/memtotal*100}' /proc/meminfo`)
# echo -e "内存使用百分比:${mem_use_info[2]}%"
# echo -e
TIME_INTERVAL=5
LAST_CPU_INFO=$(cat /proc/stat | grep -w cpu | awk '{print $2,$3,$4,$5,$6,$7,$8}')
LAST_SYS_IDLE=$(echo -e $LAST_CPU_INFO | awk '{print $4}')
LAST_TOTAL_CPU_T=$(echo -e $LAST_CPU_INFO | awk '{print $1+$2+$3+$4+$5+$6+$7}')
sleep ${TIME_INTERVAL}
NEXT_CPU_INFO=$(cat /proc/stat | grep -w cpu | awk '{print $2,$3,$4,$5,$6,$7,$8}')
NEXT_SYS_IDLE=$(echo -e $NEXT_CPU_INFO | awk '{print $4}')
NEXT_TOTAL_CPU_T=$(echo -e $NEXT_CPU_INFO | awk '{print $1+$2+$3+$4+$5+$6+$7}')
SYSTEM_IDLE=`echo -e ${NEXT_SYS_IDLE} ${LAST_SYS_IDLE} | awk '{print $1-$2}'`
TOTAL_TIME=`echo -e ${NEXT_TOTAL_CPU_T} ${LAST_TOTAL_CPU_T} | awk '{print $1-$2}'`
CPU_USAGE=`echo -e ${SYSTEM_IDLE} ${TOTAL_TIME} | awk '{printf "%.2f", 100-$1/$2*100}'`
echo -e "CPU 使用百分比:${CPU_USAGE}%"
echo -e
echo -e "e)应能够检测到对重要节点进行入侵的行为,并在发生严重入侵事件时提供报警"
echo -e
# 确认iptables的状态,查看网络的IDS
# ******************************** 其他参考系统信息 ******************************** #
echo -e "******************************************************************"
echo -e "MISC"
echo -e "******************************************************************"
echo -e
echo -e "[系统最后登录信息]:"
echo -e
lastlog
echo -e
echo -e "[计划任务信息]:"
echo -e
crontab -l
echo -e
echo -e "[进程和端口状态]:"
echo -e
ss -pantu
echo -e
ps -ef
echo -e
echo -e "******************************** 系统核查结束 ********************************"
}
# ***************************************************************************
# ubuntu操作核查系统执行该方法,主要支持16 18版本。
# ***************************************************************************
ubuntu_ceping()
{
LogMsg "操作系统核查启动 ......" 1>&2
echo -e "******************************** 系统核查开始 ********************************"
echo -e
echo -e "******************************** 2.身份鉴别 ********************************"
echo -e
echo -e "a)应对登录的用户进行身份标识和鉴别,身份标识具有唯一性,身份鉴别信息具有复杂度要求并定期更换"
echo -e
echo -e "查看UID的配置"
echo -e
grep -i id /etc/login.defs | grep -e 'UID_M*'
echo -e
echo -e "查看GID的配置"
echo -e
grep -i id /etc/login.defs | grep -e 'GID_M*'
echo -e
echo -e "查看允许登录的用户"
echo -e
cat /etc/passwd | grep -v 'nologin' | grep -v '/bin/false'
echo -e
echo -e "查看设置密码的用户"
echo -e
cat /etc/shadow | grep -v "*" | grep -v '!'
echo -e
echo -e "查看密码有效期"
echo -e
grep -i pass /etc/login.defs | grep -v '#'
echo -e
echo -e "密码复杂度及历史记忆次数"
echo -e
echo -e "******************************************************************"
echo -e "空口令用户"
echo -e "******************************************************************"
echo -e
flag=
null_password=`awk -F: 'length($2)==0 {print $1}' /etc/shadow`
if [ -n "$null_password" ]; then
flag='y'
echo -e $null_password
fi
null_password=`awk -F: 'length($2)==0 {print $1}' /etc/passwd`
if [ -n "$null_password" ]; then
flag='y'
echo -e $null_password
fi
null_password=`awk -F: '$2=="!" {print $1}' /etc/shadow`
if [ -n "$null_password" ]; then
flag='y'
echo -e $null_password
fi
null_password=`awk -F: '$2!="x" {print $1}' /etc/passwd`
if [ -n "$null_password" ]; then
flag='y'
echo -e $null_password
fi
[[ ! -n "$flag" ]] && echo -e "[是] 本系统不存在空口令用户!"
echo -e
echo -e "******************************************************************"
echo -e "管理员用户"
echo -e "******************************************************************"
echo -e
awk -F: '($3==0)' /etc/passwd
echo -e
echo -e
echo -e "******************************************************************"
echo -e "密码复杂度要求"
echo -e "******************************************************************"
echo -e
cat /etc/login.defs | grep PASS | grep -v ^#
echo -e
cat /etc/security/pwquality.conf | grep -E "difok|minlen|dcredit|ucredit|lcredit|ocredit|minclass|maxrepeat|maxclassrepeat|gecoscheck|dictpath"
echo -e
passwordStrength=`cat /etc/security/pwquality.conf`
if [ ! -n "$passwordStrength" ]; then
echo -e "[X]核查后 '/etc/security/pwquality.conf', 不存在 libpam-pwquality 配置,注意:apt-get install libpam-pwquality"
else
echo -e $passwordStrength
fi
echo -e
echo -e "b)应具有登录失败处理功能,应配置并启用结束会话、限制非法登录次数和当登录连接超时自动退出等相关措施"
echo -e
echo -e "超时退出"
grep -i tmout /etc/profile
echo -e
echo -e "******************************************************************"
echo -e "登录失败处理策略"
echo -e "******************************************************************"
echo -e
login_failure=`grep pam_pwquality.so /etc/pam.d/common-password`
if [ -n "$login_failure" ]; then
echo -e "密码登录失败处理策略设置:${login_failure}。"
else
echo -e "[X]警告:本系统未设置登录失败处理策略!"
fi
echo -e
echo -e "******************************************************************"
echo -e "SSH 密码登录失败处理策略"
echo -e "******************************************************************"
echo -e
ssh_login_failure=`cat /etc/ssh/sshd_config | grep -v ^# | grep MaxAuthTries`
if [ -n "$ssh_login_failure" ]; then
echo -e "SSH 密码登录失败处理策略设置:${ssh_login_failure}。"
else
echo -e "[X] 警告: SSH 远程管理未设置登录失败处理策略(建议3~5次)"
fi
echo -e
echo -e "******************************************************************"
echo -e "登录超时锁定(建议配置登录超时时间 >= 600秒)"
echo -e "******************************************************************"
echo -e
TMOUT=`cat /etc/profile | grep -n "TMOUT"`
if [ -n "$TMOUT" ]; then
echo -e $TMOUT
else
echo -e "[X]警告: 本系统未设置登录超时锁定!"
fi
echo -e
echo -e "c)当进行远程管理时,应采取必要措施、防止鉴别信息在网络传输过程中被窃听"
echo -e
echo -e "判断sshd是否启用和telnet是否禁用"
echo -e
ps -aux | grep -e sshd | grep -v '+'
echo -e
ps -aux | grep -e telnet | grep -v '+'
echo -e
echo -e "获取sshd的端口和路径"
echo -e
systemctl status sshd.service | grep -oE 'port [0-9]*' | uniq
echo -e
ps -aux |grep sshd | grep -v 'grep'| grep -oE '(/[a-z]*)*' | uniq
echo -e
ps -aux | grep -e sshd | grep -v 'grep'
echo -e
echo -e "******************************************************************"
echo -e "Telnet Ftp SMTP 状态"
echo -e "******************************************************************"
echo -e
telnet_or_ftp_status=`ss -an | grep -E 'telnet|ftp|smtp'`
if [ -n "$telnet_or_ftp_status" ]; then
echo -e $telnet_or_ftp_status
else
echo -e "[是]本系统未开启 'telnet, ftp, smtp' 服务!"
fi
echo -e
echo -e "d)应采用口令、密码技术、生物技术等两种或两种以上组合的鉴别技术对用户进行身份鉴别,且其中一种鉴别技术至少应使用密码技术来实现"
echo -e
echo -e "*******************************************************************"
echo -e "双因素认证人工核查"
echo -e "*******************************************************************"
echo -e
echo -e "**************************** 2.访问控制 ****************************"
echo -e
echo -e "a)应对登录的用户分配账户和权限"
echo -e
ls -l /etc/passwd /etc/shadow /etc/group
echo -e
echo -e "******************************************************************"
echo -e "文件访问权限"
echo -e "******************************************************************"
echo -e
ls -l /etc/shadow
ls -l /etc/passwd
ls -l /etc/group
ls -l /etc/gshadow
ls -l /etc/profile
ls -l /etc/crontab
ls -l /etc/securetty
ls -l /etc/ssh/ssh_config
ls -l /etc/ssh/sshd_config
echo -e
echo -e "b)应重命名或删除默认账户,修改默认账户的默认口令"
echo -e
# 所有用户
echo -e "******************************************************************"
echo -e "用户列表"
echo -e "******************************************************************"
echo -e
cat /etc/passwd | cut -d ":" -f1
echo -e
echo -e "******************************************************************"
echo -e "SSH 远程管理 PermitRootLogin 状态"
echo -e "******************************************************************"
echo -e
cat /etc/ssh/sshd_config | grep Root
echo -e
echo -e "c)应及时删除或停用多余的、过期的账户,避免共享账户的存在"
echo -e
echo -e "******************************************************************"
echo -e "口令过期账户"
echo -e "******************************************************************"
echo -e
for timeout_usename in `awk -F: '$2=="!!" {print $1}' /etc/shadow`; do
timeout_usenamelist+="$timeout_usename,"
done
echo -e ${timeout_usenamelist%?}
echo -e
echo -e "******************************************************************"
echo -e "可能不需要账户"
echo -e "******************************************************************"
echo -e
for no_need_usename in `cat /etc/shadow | grep -E 'adm|lp|sync|shutdown|halt|mail|uucp|operator|games|gopher|ftp|nuucp|news' | awk -F: '{print $1}'`; do
no_need_usenamelist+="$no_need_usename,"
done
echo -e ${no_need_usenamelist%?}
echo -e
echo -e "d)应授予管理用户所需的最小权限,实现管理用户的权限分离"
echo -e
# 严格意义上要去看下/etc/sudo*文件中的对特权用户的定义,查看对应配置的用户组和用户
echo -e "e)应由授权主体配置访问控制策略,访问控制策略规定主体对客体的访问规则"
echo -e
# 随机性太大,人工访谈后验证
echo -e "f)访问控制的粒度应达到主体为用户级或进程级,客体为文件、数据库表级"
echo -e
ls -l /etc/passwd /etc/shadow /etc/group
echo -e
# 查看profile中umask的值是否为022
grep -i umask /etc/profile /etc/csh.login /etc/csh.cshrc /etc/bashrc -A1 -B1
echo -e
echo -e "g)应对重要主体和客体设置安全标记,并控制主体对有安全标记信息资源的访问"
echo -e
echo -e "******************************************************************"
echo -e "MAC(Mandatory access control) 状态"
echo -e "******************************************************************"
echo -e
cat /etc/selinux/config | grep -v ^# | grep "SELINUX="
echo -e
echo -e "**************************** 3.安全审计 ****************************"
echo -e
echo -e "a)应启用安全审计功能,审计覆盖到每个用户,对重要的用户行为和重要安全事件进行审计"
echo -e
# 日志审计服务状态
ps -aux |grep auditd| grep -v 'grep'
echo -e
echo -e "******************************************************************"
echo -e "日志审计服务状态"
echo -e "******************************************************************"
echo -e
systemctl list-unit-files --type=service | grep "rsyslog"
systemctl list-unit-files --type=service | grep "auditd"
echo -e
# 查看审计规则
cat /etc/audit/audit.rules
echo -e
echo -e "b)审计记录应包括事件的日期和时间,用户、事件类型,事件是否成功及其他与审计相关的信息"
echo -e
sed -n '1,10p' /var/log/messages
echo -e
sed -n '1,10p' /var/log/audit/audit.log
echo -e
echo -e "[审计规则]:"`auditctl -l`
echo -e
echo -e "[审计规则]:"`cat /etc/audit/audit.rules`
echo -e
echo -e "******************************************************************"
echo -e "核查最新日志的最后10行"
echo -e "******************************************************************"
echo -e
cat /var/log/audit/audit.log | tail -n 10
echo -e
ausearch -ts today | tail -n 10
echo -e
echo -e "c)应对审计记录进行保护,定期备份,避免受到未预期的删除、修改或覆盖等"
echo -e
# 查看日志转存的时间
grep -i weekly /etc/logrotate.conf -A4
echo -e
echo -e "d)应对审计进程进行保护,防止未经授权的中断"
echo -e
echo -e "日志服务端口:"`grep -i port /etc/rsyslog.conf |grep -v '#'|grep -oE '[0-9]*'`
echo -e "日志服务器ip:"`grep -i @ /etc/rsyslog.conf |grep -v '#'|grep -oE '@ ([0-9]{1,3}.){4}*'|grep -oE '([0-9]{1,3}.){4}*'`
echo -e
echo -e "******************************************************************"
echo -e "审计日志文件权限"
echo -e "******************************************************************"
echo -e
ls -l /var/log/auth.log
ls -l /var/log/faillog
ls -l /etc/rsyslog.conf
ls -l /etc/audit/auditd.conf
ls -l /etc/audit/audit.rules
echo -e
echo -e "[日志转发到日志服务器]:"`grep "^*.*[^I][^I]*@" /etc/rsyslog.conf /etc/rsyslog.d/*.conf`
echo -e
echo -e "[审计规则配置]:"`cat /etc/audit/auditd.conf | grep -v ^#`
echo -e
echo -e "[审计规则]:"`auditd -l`
echo -e
echo -e "******************************************************************"
echo -e "审计规则配置"
echo -e "注意:Max_log_file=5(Log file capacity); Max_log_file_action=ROTATE(log size); num_logs=4"
echo -e "******************************************************************"
echo -e
cat /etc/audit/auditd.conf | grep max_log_file | grep -v ^#
cat /etc/audit/auditd.conf | grep max_log_file_action | grep -v ^#
echo -e
echo -e "**************************** 4.入侵防范 ****************************"
echo -e
echo -e "a)应遵循最小安装的原则仅安装需要的组件和应用程序"
echo -e
echo -e "******************************************************************"
echo -e "系统补丁信息"
echo -e "******************************************************************"
echo -e
echo -e "b)应关闭不需要的系统服务、默认共享和高危端口"
echo -e
ss -antp
echo -e
echo -e "******************************************************************"
echo -e "运行中的服务"
echo -e "******************************************************************"
echo -e
systemctl list-unit-files --type=service | grep enabled
echo -e
ss -ntlp
echo -e
echo -e "c)应通过设定终端接入方式或网络地址范围对通过网络进行管理的管理终端进行限制"
echo -e
echo -e "******************************************************************"
echo -e "Hosts.allow Hosts.deny 终端限制"
echo -e "******************************************************************"
echo -e
echo -e "[查看 /etc/hosts.allow]:"
echo -e
cat /etc/hosts.allow | grep -v ^#
echo -e
echo -e "[查看 /etc/hosts.deny]:"
echo -e
cat /etc/hosts.deny | grep -v ^#
echo -e
cat /var/log/secure | grep refused
echo -e
echo -e "d)应能发现可能存在的已知漏洞,并在经过充分测试评估后,及时修补漏洞"
echo -e
systemctl status iptables.service
echo -e
echo -e "******************************************************************"
echo -e "防火墙状态"
echo -e "******************************************************************"
echo -e
iptables --list
echo -e
cat /var/log/secure | grep refused
echo -e
echo -e "******************************************************************"
echo -e "单用户访问资源限制"
echo -e "******************************************************************"
echo -e
echo -e "<domain> <type> <item> <value>"
echo -e
cat /etc/security/limits.conf | grep -v ^#
echo -e
echo -e "******************************************************************"
echo -e "系统资源使用情况"
echo -e "******************************************************************"
echo -e
echo -e "[磁盘信息]:"
echo -e
df -h
echo -e
echo -e "[内存信息]:"
echo -e
free -m
echo -e
# mem_use_info=(`awk '/MemTotal/{memtotal=$2}/MemAvailable/{memavailable=$2}END{printf "%.2f %.2f %.2f",memtotal/1024/1024," "(memtotal-memavailable)/1024/1024," "(memtotal-memavailable)/memtotal*100}' /proc/meminfo`)
# echo -e "内存使用百分比:${mem_use_info[2]}%"
# echo -e
TIME_INTERVAL=5
LAST_CPU_INFO=$(cat /proc/stat | grep -w cpu | awk '{print $2,$3,$4,$5,$6,$7,$8}')
LAST_SYS_IDLE=$(echo -e $LAST_CPU_INFO | awk '{print $4}')
LAST_TOTAL_CPU_T=$(echo -e $LAST_CPU_INFO | awk '{print $1+$2+$3+$4+$5+$6+$7}')
sleep ${TIME_INTERVAL}
NEXT_CPU_INFO=$(cat /proc/stat | grep -w cpu | awk '{print $2,$3,$4,$5,$6,$7,$8}')
NEXT_SYS_IDLE=$(echo -e $NEXT_CPU_INFO | awk '{print $4}')
NEXT_TOTAL_CPU_T=$(echo -e $NEXT_CPU_INFO | awk '{print $1+$2+$3+$4+$5+$6+$7}')
SYSTEM_IDLE=`echo -e ${NEXT_SYS_IDLE} ${LAST_SYS_IDLE} | awk '{print $1-$2}'`
TOTAL_TIME=`echo -e ${NEXT_TOTAL_CPU_T} ${LAST_TOTAL_CPU_T} | awk '{print $1-$2}'`
CPU_USAGE=`echo -e ${SYSTEM_IDLE} ${TOTAL_TIME} | awk '{printf "%.2f", 100-$1/$2*100}'`
echo -e "CPU 使用百分比:${CPU_USAGE}%"
echo -e
echo -e "******************************************************************"
echo -e "MISC"
echo -e "******************************************************************"
echo -e
echo -e "#[系统最后登录信息]:"
echo -e
lastlog
echo -e
echo -e "#[计划任务信息]:"
echo -e
crontab -l
echo -e
echo -e "#[进程和端口状态]:"
echo -e
ss -pantu
echo -e
ps -ef
echo -e
echo -e "******************************** 系统核查结束 ********************************"
}
# ***************************************************************************
# AIX操作核查系统执行该方法,暂不支持。
# ***************************************************************************
AIX_ceping()
{
LogMsg "Checking operating system......" 1>&2
echo -e "******************************** System checking start ********************************"
echo -e
echo -e "******************************************************************"
echo -e "Checking Empty password users"
echo -e "******************************************************************"
flag=
null_password=`awk -F: 'length($2)==0 {print $1}' /etc/shadow`
if [ -n "$null_password" ]; then
flag='y'
echo -e $null_password
fi
null_password=`awk -F: 'length($2)==0 {print $1}' /etc/passwd`
if [ -n "$null_password" ]; then
flag='y'
echo -e $null_password
fi
null_password=`awk -F: '$2=="!" {print $1}' /etc/shadow`
if [ -n "$null_password" ]; then
flag='y'
echo -e $null_password
fi
null_password=`awk -F: '$2!="x" {print $1}' /etc/passwd`
if [ -n "$null_password" ]; then
flag='y'
echo -e $null_password
fi
[[ ! -n "$flag" ]] && echo -e "[是] This system no empty password users!"
echo -e
echo -e "******************************************************************"
echo -e "Checking UID=0 users"
echo -e "******************************************************************"
awk -F: '$3==0 {print $1}' /etc/passwd
echo -e
ps -ef
}
# ******************************************************************
# Oracle数据库核查,参数 -o 执行该方法,已测试兼容版本:10g 11g 12c
# ******************************************************************
oracle_ceping()
{
[ ! -n "$ORACLE" ] && LogErrorMsg "Not found Oracle database,please run '${0} -l'" 1>&2 && exit 1
LogMsg "Checking Oracle database system......" 1>&2
echo -e "******************************** Oracle checking start ********************************"
echo -e
# 临时SQL文件
sqlFile=/tmp/tmp_oracle.sql
# 写入SQL语句
echo -e "set echo -e off feedb off timi off pau off trimsp on head on long 2000000 longchunksize 2000000" > ${sqlFile}
echo -e "set linesize 150" > ${sqlFile}
echo -e "set pagesize 80" > ${sqlFile}
echo -e "col username format a22" > ${sqlFile}
echo -e "col account_status format a20" > ${sqlFile}
echo -e "col password format a20" > ${sqlFile}
echo -e "col CREATED format a20" > ${sqlFile}
echo -e "col USER_ID, format a10" > ${sqlFile}
echo -e "col profile format a20" > ${sqlFile}
echo -e "col resource_name format a35" > ${sqlFile}
echo -e "col limit format a10" > ${sqlFile}
echo -e "col TYPE format a15" > ${sqlFile}
echo -e "col VALUE format a20" > ${sqlFile}
echo -e "col grantee format a25" > ${sqlFile}
echo -e "col owner format a10" > ${sqlFile}
echo -e "col table_name format a10" > ${sqlFile}
echo -e "col grantor format a10" > ${sqlFile}
echo -e "col privilege format a10" > ${sqlFile}
echo -e "col AUDIT_OPTION format a30" > ${sqlFile}
echo -e "col SUCCESS format a20" > ${sqlFile}
echo -e "col FAILURE format a20" > ${sqlFile}
echo -e "col any_path format a100" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "PROMPT # Oracle version info" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "select * from v\$version;" > ${sqlFile}
echo -e "PROMPT" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "PROMPT # All database instances" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "select name from v\$database;" > ${sqlFile}
echo -e "PROMPT" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "PROMPT # Checking all user status(note sample account:scott,outln,ordsys)" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "select username, CREATED, USER_ID, account_status, profile from dba_users;" > ${sqlFile}
echo -e "PROMPT" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "PROMPT # Policie Checking of password and attempt login failed" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "select profile, resource_name, limit from dba_profiles where resource_type='PASSWORD';" > ${sqlFile}
echo -e "PROMPT" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "PROMPT # Show the default password account" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "select * from dba_users_with_defpwd;" > ${sqlFile}
echo -e "PROMPT" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "PROMPT # Show all users about granted_role='DBA'" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "select grantee from dba_role_privs where granted_role='DBA';" > ${sqlFile}
echo -e "PROMPT" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "PROMPT # Default users grantee roles about grantee='PUBLIC'" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "select granted_role from dba_role_privs where grantee='PUBLIC';" > ${sqlFile}
echo -e "PROMPT" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "PROMPT # Checking access of data dictionary must boolean=FALSE" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "show parameter O7_DICTIONARY_ACCESSIBILITY;" > ${sqlFile}
echo -e "PROMPT" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "PROMPT # Audit state" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "show parameter audit;" > ${sqlFile}
echo -e "PROMPT" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "PROMPT # Important security events covered by audit" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "select AUDIT_OPTION, SUCCESS, FAILURE from dba_stmt_audit_opts;" > ${sqlFile}
echo -e "PROMPT" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "PROMPT # Protecting audit records status" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "select grantee, owner, table_name, grantor, privilege from dba_tab_privs where table_name='AUD$';" > ${sqlFile}
echo -e "PROMPT" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "PROMPT # Checking login 'IDLE_TIME' value" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "select resource_name, limit from dba_profiles where profile='DEFAULT' and resource_type='KERNEL' and resource_name='IDLE_TIME';" > ${sqlFile}
echo -e "PROMPT" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "PROMPT # Checking single user resource limit status" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "select resource_name, limit from dba_profiles where profile='DEFAULT' and resource_type='SESSIONS_PER_USERS';" > ${sqlFile}
echo -e "PROMPT" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "PROMPT # Checking cpu time limit for a single session" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "select resource_name, limit from dba_profiles where profile='DEFAULT' and resource_type='CPU_PER_SESSION';" > ${sqlFile}
echo -e "PROMPT" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "PROMPT # Show maximum number of connections" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "show parameter processes;" > ${sqlFile}
echo -e "PROMPT" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "PROMPT # Access control function" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "select any_path from resource_view where any_path like '/sys/acls/%.xml';" > ${sqlFile}
echo -e "PROMPT" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "PROMPT # Remote_os_authent" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "select value from v\$parameter where name='remote_os_authent';" > ${sqlFile}
echo -e "PROMPT" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "PROMPT # 'Oracle Label Security' install status" > ${sqlFile}
echo -e "PROMPT # ******************************************************************#" > ${sqlFile}
echo -e "select username, account_status, profile from dba_users where username='LBACSYS';" > ${sqlFile}
echo -e "select object_type,count(*) from dba_objects where OWNER='LBACSYS' group by object_type;" > ${sqlFile}
echo -e "PROMPT" > ${sqlFile}
echo -e "exit" > ${sqlFile}
chmod 777 ${sqlFile}
# 切换至oracle账户执行SQL语句,执行完毕后退回root账户
su - oracle << EOF
sqlplus / as sysdba @ ${sqlFile}
exit
EOF
# 删除临时SQL文件
rm $sqlFile -f
# 查找sqlnet.ora文件
sqlnet_ora_path=`find / -name "sqlnet.ora" | grep -v samples`
echo -e
echo -e "******************************************************************#"
echo -e "Checking Oracle configuration files(path:${sqlnet_ora_path})"
echo -e "******************************************************************#"
cat $sqlnet_ora_path | grep -Ev "^$|^[#;]"
echo -e
echo -e "******************************** Oracle checking end ********************************"
echo -e
}
# ******************************************************************
# Mysql数据库核查,参数 -m 执行该方法。SQL语句暂不支持。
# ******************************************************************
mysql_ceping()
{
[ ! -n "$MYSQL" ] && LogErrorMsg "Not found Mysql database,please run '${0} -l'" 1>&2 && exit 1
LogMsg "Checking Mysql database system......" 1>&2
echo -e
echo -e "******************************** Mysql checking start ********************************"
echo -e
MYSQL_BIN=$(which mysql)
loginfotmp=/tmp/tmpinfo
# 核查是否为空口令。
if [ ! -n "$1" ];then
while :
do
while [ ! -n "${mysql_pwd}" ]
do
read -p "Enter the mysql(user:root) password: " mysql_pwd
[[ "q" == $mysql_pwd ]] && LogMsg "Already skip Mysql check." 1>&2 && return
done
$MYSQL_BIN -uroot -p$mysql_pwd -e "exit" &> $loginfotmp
loginfo=`grep "ERROR" ${loginfotmp}`
rm -f $loginfotmp
if [ ! -n "$loginfo" ]; then
break
else
mysql_pwd=
LogErrorMsg "Please confirm the password or check the configuration about mysql connect!" 1>&2
LogMsg "Of course, you can ‘Ctrl + C’ exit or enter 'q' spin mysql checking." 1>&2
continue
fi
done
else
mysql_pwd=$1
$MYSQL_BIN -uroot -p$mysql_pwd -e "exit" &> $loginfotmp
loginfo=`grep "ERROR" ${loginfotmp}`
rm -f $loginfotmp
if [ -n "$loginfo" ]; then
LogErrorMsg "Please confirm the password or check the configuration!" 1>&2
exit 1
fi
fi
echo -e "******************************************************************"
echo -e "Mysql checking"
echo -e "******************************************************************"
echo -e "Mysql database status"
echo -e
$MYSQL_BIN -uroot -p$mysql_pwd -e "\s"
echo -e
echo -e "show databases;"
echo -e
$MYSQL_BIN -uroot -p$mysql_pwd -e 'show databases;'
echo -e
echo -e "select version();"
echo -e
$MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e 'select host, user, password from user;'
echo -e
echo -e "password policy( > v5.7 )"
echo -e
$MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e "show variables like 'validate_password%';"
echo -e
echo -e "show tables;"
echo -e
$MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e 'show tables;'
echo -e
echo -e "select user, Shutdown_priv, Grant_priv, File_priv from user;"
echo -e
$MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e 'select user, Shutdown_priv, Grant_priv, File_priv from user;'
echo -e
echo -e "select * from db;"
echo -e
$MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e 'select * from db;'
echo -e
echo -e "select * from tables_priv;"
echo -e
$MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e 'select * from tables_priv;'
echo -e
echo -e "select * from columns_priv;"
echo -e
$MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e 'select * from columns_priv;'
echo -e
echo -e "show global variables like '%general_log%';"
echo -e
$MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e "show global variables like '%general_log%';"
echo -e
echo -e "show variables like 'log_%';"
echo -e
$MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e "show variables like 'log_%';"
echo -e
echo -e "show variables like 'log_bin';"
echo -e
$MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e "show variables like 'log_bin';"
echo -e
echo -e "show variables like '%timeout%';"
echo -e
$MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e "show variables like '%timeout%';"
echo -e
mysql_cnf=`find / -name my.cnf `
echo -e
echo -e "Checking Mysql configuration files(path:${mysql_cnf})"
echo -e
cat $mysql_cnf | grep -v ^$
echo -e
$MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e "select user,host FROM mysql.user;"
echo -e
$MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e "select * from mysql.user where length(authentication_string) = 0 or authentication_string is null;"
echo -e
$MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e "show variables like 'validate%';"
echo -e
$MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e "show VARIABLES like '%password%';"
echo -e
$MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e "show variables like '%max_connect_errors%';"
echo -e
$MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e "show variables like '%have_ssl%';"
echo -e
$MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e "show grants for 'root'@'localhost';"
echo -e
echo -e "select * from mysql.user where user = 'root';"
echo -e
$MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e "select * from mysql.user where user = 'root';"
echo -e
$MYSQL_BIN -uroot -p$mysql_pwd -D mysql -e "show variables where variable_name like 'version';"
echo -e
echo -e "******************************** Mysql checking end ********************************"
echo -e
}
# ******************************************************************
# PostgreSQL数据库核查,参数 -pgsql 执行该方法。
# ******************************************************************
pgsql_ceping()
{
[ ! -n "$PGSQL" ] && LogErrorMsg "Not found PostgreSQL database,please run '${0} -l'" 1>&2 && exit 1
LogMsg "Checking PostgreSQL database system......" 1>&2
echo -e
echo -e "******************************** PostgreSQL checking start ********************************"
echo -e
sqlFile=/tmp/tmp_postgres.sql
PGDATA=`su - postgres << EOF
cat ~/.bash_profile | grep PGDATA=
exit
EOF`
PGDATA=`echo -e ${PGDATA} | awk -F'PGDATA=' '{print $2}'`
echo -e "\echo -e # ******************************************************************#" > ${sqlFile}
echo -e "\echo -e # PostgreSQL version info" > ${sqlFile}
echo -e "\echo -e # ******************************************************************#" > ${sqlFile}
echo -e "select version();" > ${sqlFile}
echo -e "\echo -e # ******************************************************************#" > ${sqlFile}
echo -e "\echo -e # List of all instances" > ${sqlFile}
echo -e "\echo -e # ******************************************************************#" > ${sqlFile}
echo -e "\l" > ${sqlFile}
echo -e "\echo -e # ******************************************************************#" > ${sqlFile}
echo -e "\echo -e # List of all users info" > ${sqlFile}
echo -e "\echo -e # ******************************************************************#" > ${sqlFile}
echo -e "select * from pg_shadow;" > ${sqlFile}
echo -e "\echo -e # ******************************************************************#" > ${sqlFile}
echo -e "\echo -e # Access control function" > ${sqlFile}
echo -e "\echo -e # ******************************************************************#" > ${sqlFile}
echo -e "select * from pg_roles;" > ${sqlFile}
echo -e "select * from information_schema.table_privileges where grantee='cc';" > ${sqlFile}
echo -e "\echo -e # ******************************************************************#" > ${sqlFile}
echo -e "\echo -e # Log and audit" > ${sqlFile}
echo -e "\echo -e # ******************************************************************#" > ${sqlFile}
echo -e "show log_destination; show log_connections; show log_disconnections; show log_statement; show logging_collector; show log_rotation_size; show log_rotation_age;" > ${sqlFile}
echo -e "\echo -e # ******************************************************************#" > ${sqlFile}
echo -e "\echo -e # PostgreSQL MISC" > ${sqlFile}
echo -e "\echo -e # ******************************************************************#" > ${sqlFile}
echo -e "select name, setting from pg_settings where context = 'user' order by 1;" > ${sqlFile}
echo -e "\q" > ${sqlFile}
chmod 777 ${sqlFile}
# 切换至postgres账户执行SQL语句,执行完毕后退回root账户
su - postgres << EOF
psql -d postgres -U postgres -f ${sqlFile}
exit
EOF
rm -f ${sqlFile}
echo -e
echo -e "******************************************************************"
echo -e "Check password module for ‘libdir/passwordcheck’"
echo -e "******************************************************************"
grep "passwordcheck" $PGDATA/postgresql.conf
echo -e
echo -e
echo -e "******************************************************************"
echo -e "Limit address"
echo -e "******************************************************************"
grep -E '[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}\.[0-9]{1,3}' $PGDATA/postgresql.conf
grep "listen_addresses" $PGDATA/postgresql.conf
echo -e
echo -e
echo -e "******************************************************************"
echo -e "To see the first 10 rows of ‘$PGDATA/pg_log/’"
echo -e "******************************************************************"
pg_logfile=`ls $PGDATA/pg_log/ | grep -E 'postgresql-*' | tail -n 1`
cat $PGDATA/pg_log/${pg_logfile} | tail -n 10
echo -e
echo -e
echo -e "******************************************************************"
echo -e "Login timeout"
echo -e "******************************************************************"
grep 'tcp_keepalives' $PGDATA/postgresql.conf
echo -e
echo -e
echo -e "******************************************************************"
echo -e "Max_connections and Shared_buffers"
echo -e "******************************************************************"
cat $PGDATA/postgresql.conf | grep -E 'max_connections|shared_buffers' | grep -Ev "^$|^[#;]"
echo -e
echo -e "******************************** PostgreSQL checking end ********************************"
echo -e
}
# ******************************************************************
# Redis缓存数据库核查,测评内容暂未实现。
# ******************************************************************
redis_ceping()
{
echo -e
echo -e
redis-server -v
redis_conf=`find / -name "redis.conf"`
cp $redis_conf ./
echo -e
echo -e
}
# ******************************************************************
# WEB容器或中间件核查,测评内容暂未实现。
# ******************************************************************
webserver_ceping()
{
echo -e
echo -e
case $WEBSERVER in
"nginx")
nginx_cfg=`find / -name "nginx.conf" | grep -v tmp`
cp $nginx_cfg ./ ;;
"weblogic")
echo -e "weblogic ceping function wait edit";;
"apache")
httpd_conf=$(find / -name httpd.conf)
cp $httpd_conf ./;;
*) echo -e "Not found web server!";;
esac
echo -e
echo -e
}
# ******************************************************************
# 参数 -a 自动核查入口
# ******************************************************************
check_system()
{
case $DISTRO in
CentOS)
redhat_or_centos_ceping;;
RedHat)
redhat_or_centos_ceping;;
EulerOS)
redhat_or_centos_ceping;;
Ubuntu)
ubuntu_ceping;;
AIX)
AIX_ceping;;
esac
[[ "Oracle" == "$ORACLE" ]] && oracle_ceping
[[ "MySQL" == "$MYSQL" ]] && mysql_ceping
[[ "PostgreSQL" == "$PGSQL" ]] && pgsql_ceping
[[ $DBS == "Redis" ]] && redis_ceping
[[ -n "$WEBSERVER" ]] && webserver_ceping
LogSucMsg "Checking completed!" 1>&2
}
# ******************************************************************
# main_ceping 方法,脚本执行入口
# ******************************************************************
main_ceping()
{
print_logo
# root账户执行核查,非root账户告警退出
[ "`whoami`" != "root" ] && LogErrorMsg "Please use root user or sudo!" 1>&2 && exit 1
case $1 in
-h)
helpinfo ;;
-l)
information_collection ;;
-o)
oracle_ceping ;;
-m)
mysql_ceping $2 ;;
-pgsql)
pgsql_ceping ;;
-s)
get_webserver_info
webserver_ceping ;;
-a)
output_file_banner
information_collection
check_system ;;
*) helpinfo ;;
esac
}
# main_ceping方法接收参数
main_ceping $1 $2
原文始发于微信公众号(利刃信安):【等保测评】capos_for_linux_v4.1.0.sh
- 左青龙
- 微信扫一扫
-
- 右白虎
- 微信扫一扫
-
评论