#!/bin/bashcat<>$FILE_PATHelseecho-e"系统更新是否通过:YES\n">>$FILE_PATHfi}##############检查交换分区##############swap_check(){swap_sizes=`free-m|grep'Swap'|awk'{print$2}'`if[-z$swap_sizes];thenecho-e"Noswapsystempartition\n">>$FILE_PATHelseif[$swap_sizes-lt1000];thenecho-e"swap分区设置太小\n">>$FILE_PATHelseecho-e"swap分区检查:YES\n">>$FILE_PATHfifi}#############检查必要的软件##############soft_install_check(){num=`rpm-qa|egrep'^sysstat-|^man-|^wget-|^screen-|^ntp-'|wc-l`if[$num-lt5];thenecho-e"Sysstat,man,wget,screen,ntp安装已通过:否\n">>$FILE_PATHelseecho-e"sysstat,man,wget,screen,ntp安装是否通过:YES\n">>$FILE_PATHfi}#############检查时钟时间############clock_time_type(){clock_type=`ls-l/etc/localtime|awk-F"/"'{print$8}'`if[-n"$clock_type"];thenecho-e"system时区为:$clock_type\n">>$FILE_PATHelseecho-e"请检查是否设置了时区\n">>$FILE_PATHfi}#####检查空密码########passwd_check(){num=`awk-F":"'{if($2=="")打印$1}'/etc/shadow|wc-l`if[$num-gt0];thenecho-e"空密码账户检查是否通过:NO\n">>$FILE_PATHelseecho-e"空密码账户检查是否通过:YES\n">>$FILE_PATHfi}#####检查用户uid是否为0########passwd_uid_check(){num=`awk-F":"'{if($3=="0"&&$1!="root")打印$1}'/etc/passwd|wc-l`if[$num-gt0];thenecho-e"非root账号的UID检测是否通过:NO\n">>$FILE_PATHelseecho-e"非root账号的UID检测是否通过:YES\n">>$FILE_PATHfi}#########检查umask#############user_umask_check(){root_umask=`umask`user_umask=`grep-A1'\$UID-gt199'/etc/profile|grep'umask'|awk'{print$2}'`if[$root_umask=="0022"]&&[$user_umask=="002"];thenecho-e"账户umask测试是否通过:YES\n">>$FILE_PATHelseecho-e"账户umask测试是否通过:NO\n">>$FILE_PATHfi}########重要检查文件权限##########file_lsattr_check(){num=0files=(/etc/passwd/etc/shadow)forfilein${files[*]}doattr=`lsattr$file|awk'{print$1}'`if[$attr!="----i-------e-"];thennum=$(($num+1))fidoneif[$num-eq0];thenecho-e"重要文件设置已通过:是\n">>$FILE_PATHelseecho-e"重要文件设置已通过:否\n">>$FILE_PATHfi}###########ssh协议和密码认证################ssh_config_check(){echo-e"检查sshd_config配置文件:\n">>$FILE_PATH#####检查项目######check_items=(ListenAddressProtocolStrictModesMaxAuthTriesMaxSessionsPubkeyAuthenticationPasswordAuthenticationPermitEmptyPasswordsX11Forwarding)#######参考值##############proposal_value=("参考实际情况"2yes55yesnonono)i=0foritemin${check_items[*]}dovalue=`grep$item/etc/ssh/sshd_config|grep-v'^#'|awk'{print$2}'`echo"${check_items[$i]}:${value}建议值:${proposal_value[$i]}">>$FILE_PATHi=$(($i+1))done}############防火墙服务状态#####################firewall_check(){grep'release6'/etc/redhat-release>>/dev/nullif[$?-eq0];然后/etc/init.d/iptablesstatus>>/dev/nullif[$?-eq0];thenecho-e"防火墙状态是否通过:YES\n">>$FILE_PATHelseecho-e"防火墙状态是否通过:NO\n">>$FILE_PATHfielsesystemctlstatusfirewalld.service>>/dev/nullif[$?-eq0];thenecho-e"防火墙状态是否通过:YES\n">>$FILE_PATHelseecho-e"防火墙状态是否通过:NO\n">>$FILE_PATHfifi}#############ntp服务状态######################ntp_check(){grep'release6'/etc/redhat-release>>/dev/无效[$?-eq0];then/etc/init.d/ntpdstatus>>/dev/nullif[$?-eq0];thenecho-e"ntp状态是否通过:是\n">>$FILE_PATHelseecho-e"ntp状态通过:否\n">>$FILE_PATHfieldsystemctlstatusntpd.service>>/dev/nullif[$?-eq0];thenecho-e"ntp状态是否通过:YES\n">>$FILE_PATHelseecho-e"ntp状态是否通过:NO\n">>$FILE_PATHfifi}#############auditd服务状态####################auditd_check(){grep'release6'/etc/redhat-release>>/dev/nullif[$?-eq0];then/etc/init.d/auditdstatus>>/dev/nullif[$?-eq0];thenecho-e"Auditdstatuspassed:YES\n">>$FILE_PATHelseecho-e"auditdstatuspassed:NO\n">>$FILE_PATHfielsesystemctlstatusauditd.service>>/dev/nullif[$?-eq0];thenecho-e"Auditdstatuspassed:YES\n">>$FILE_PATHelseecho-e"auditdstatuspassed:NO\n">>$FILE_PATHfifi}#############检查不需要的服务################service_check(){echo"检查系统中多余的服务,centos6:acpid|ip6tables|netfs|postfix|udev-post">>$FILE_PATHecho"检查系统中的冗余服务,centos7:postfix.servicetuned.serviceirqbalance.service">>$FILE_PATHgrep'release6'/etc/redhat-release>>/dev/nullif[$?-eq0];thencent6_num=`chkconfig--list|egrep'3:on|3:enable'|egrep'acpid|ip6tables|netfs|postfix|udev-post'|wc-l`if[$cent6_num-eq0];thenecho-e"系统冗余服务是否关闭:YES\n">>$FILE_PATHelseecho-e"系统冗余服务是否关闭:NO\n">>$FILE_PATHfielsecent7_num=`systemctllist-unit-files--type=service|grep'enabled'|egrep'postfix.service|tuned.service|irqbalance.service'|wc-l`if[$cent7_num-eq0];thenecho-e"系统是否冗余服务isclosed:YES\n">>$FILE_PATHelseecho-e"isredundantsystemserviceclosed:NO\n">>$FILE_PATHfifi}#############查看打开文件数##############file_check(){system_file_limit=`cat/proc/sys/fs/file-max`#current_open_file=`lsof|wc-l`user_file_limit=`ulimit-a|grep'打开文件'|awk'{print$4}'`echo"系统打开数据限制:$system_file_limit">>$FILE_PATHecho"用用户进程打开数据限制:$user_file_limit">>$FILE_PATH}echo`date+%Y%m%d`>$FILE_PATHsystem_update_checkswap_checksoft_install_checkclock_time_typepasswd_checkpasswd_uid_checkuser_umask_checkfile_lsattr_checkssh_config_checkfirewall_checkntp_checkauditd_checkservice_checkfile_check
