蓝队应急基本内容排查

检查脚本：
serity-scan.sh:

#! /bin/bash

file='/tmp/security_file';
if [ -f "$file" ];then
	echo ""
else
	touch $file;
fi
savefile='tee -a /tmp/security_file';
echo "用户角度筛查：" | $savefile ;
echo "用户信息：" |$savefile ;
echo "1.1：passwd:" |$savefile ;
cat /etc/passwd|$savefile;
echo -e '\n'|$savefile;
echo "1.2：影子文件："|$savefile;
cat /etc/shadow|$savefile;
echo -e '\n'|$savefile;

echo "1.3：特权账户列表："|$savefile;
awk -F: '$3==0{print $1}' /etc/passwd |$savefile;
echo -e '\n' |$savefile;
cat /etc/passwd |grep x:0 |$savefile;
echo -e '\n'|$savefile;

echo "1.4：当前登录用户(tty本地 pts远程)："|$savefile;
who |$savefile;
echo -e '\n'|$savefile;
w|$savefile;
echo -e '\n'|$savefile;
uptime|$savefile;
echo -e '\n' |$savefile;

echo "1.5：可以登录的用户："|$savefile;
cat /etc/passwd|grep -v nologin |grep -v false |$savefile;


echo "2：基于历史命令的角度排查(所有用户)："|$savefile;
echo "root用户："|$savefile;
cat /root/.bash_history|$savefile;
echo -e "\n"|$savefile;
for username in `ls /home/`;
do
echo "$username 用户:"|$savefile 
cat /home/$username/.bash_history |$savefile
echo -e '\n'|$savefile;
done;

echo "3：基于网络端口排查："|$savefile;
netstat -antp |$savefile;
echo -e '\n'|$savefile;

echo "4：基于进程排查："|$savefile;
echo "4.1：所有进程："|$savefile;
ps -aux |$savefile;
echo -e '\n' |$savefile;
echo "4.2：cpu占用前十的进程："|$savefile;
ps aux --sort=pcpu |head -10|$savefile;
echo -e "\n" |$savefile;
echo "4.3:内存占用前十的进程："|$savefile;
ps -aux --sort=-%mem |head -n 10 |$savefile;
echo -e "\n" |$savefile;

echo "5：基于开机启动项排查："|$savefile;
echo "/etc/rc.local:" |$savefile;
cat /etc/rc.local | $savefile;
echo -e "\n" |$savefile;
for runlevel in {0..6};do
	echo "/etc/rc.d/rc${runlevel}.d/:"
	ls -al /etc/rc.d/rc${runlevel}.d/
	echo -e "\n" |$savefile;
done

echo "6：基于定时任务排查："|$savefile;
for usercrontab in `ls /var/spool/cron/`;do
	echo "${usercrontab}的定时任务："|$savefile
	cat /var/spool/cron/${usercrontab}|$savefile
	echo -e "\n"|$savefile;
done

for usercrontab in `ls /etc/cron.d/`;do
	echo "/etc/cron.d/${usercrontab} :"|$savefile
	cat /etc/cron.d/${usercrontab} |$savefile
	echo -e "\n" |$savefile;
done

echo "7：基于服务的排查："|$savefile;
echo "7.1:开机自启动："|$savefile;
chkconfig --list |$savefile;
echo -e "\n"|$savefile;
echo "7.2：systemctl自启动服务:"|$savefile;
systemctl list-unit-files |grep enabled|$savefile;
echo -e "\n"|$savefile;



echo "8：排查host文件："|$savefile;
cat /etc/hosts|$savefile;
echo -e '\n'|$savefile;

echo '9：日志分析排查：'|$savefile;
echo "9.1：root账户爆破登录情况："|$savefile;
grep "Failed password for root" /var/log/secure |awk '{print $11}'|sort |uniq -c |sort -nr|$savefile;
echo -e "\n" |$savefile;
echo "9.2：root账户成功登录的相关信息："|$savefile;
grep "Accepted" /var/log/secure |awk '{print $1,$2,$3,$9,$11}'| sort |uniq -c|sort -nr |$savefile;

echo "排查脚本执行完毕"|$savefile;
./security_func.sh;

功能脚本：
security_func.sh：

while true
	do
	echo "linux应急排查：";
	echo "0:退出";
	echo "1:删除用户";
	echo "2:查看与可疑IP连接下对应的pid";
	echo "3:监控指定进程/应用下线程数(输入pid/应用名称如:sshd)";
	echo "4:监控某端口网络客户连接数";
	echo "5:查看文件的相关信息";
	read -p "输入数字：" func_name
	case "${func_name}" in
		"0")
		exit 0
		;;
		"1")
		read -p "输入用户名：" username
		passwd -d ${username}
		echo "键入回车"
		read
		;;
		"2")
		read -p "输入可疑连接IP：" ip_addr
		netstat -antlp | grep ${ip_addr} |awk '{print $7}'|cut -f1 -d"/"
		echo "键入回车"
		read
		;;
		"3")
		read -p "输入应用名称或pid：" monitor_name
		if [[ ${monitor_name} =~ ^[0-9]+$ ]]; then
			top -p ${monitor_name}
		else 
			ps -eLf |grep ${monitor_name}|wc -l
		fi
		echo "键入回车"
		read
		;;
		"4")
		read -p "输入端口号：" monitor_port
		echo "tcp:"
		netstat -n |grep tcp |grep ${monitor_port} |wc -l 
		echo "udp:"
		netstat -n |grep udp |grep ${monitor_port} |wc -l
		echo "键入回车"
		read
		;;
		"5")
		read -p "输入文件路径：" monitor_path
		stat ${monitor_path}
		echo "键入回车"
		read
		;;
		*)
		echo "请输入0-5之间的数字"
		;;
	esac
done