蓝队应急基本内容排查

检查脚本:
serity-scan.sh:


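#!/bin/bash
# serity-scan.sh - collect a baseline triage snapshot of a Linux host
# (accounts, shell history, sockets, processes, autostart entries, cron,
# services, hosts file, auth log) and append every section to one report.
#
# The report contains /etc/shadow hashes and every user's shell history, so
# it is created with mode 0600 under a root-only directory rather than at a
# predictable, world-writable path in /tmp (a pre-planted symlink there would
# redirect the append, and the default umask would make the file readable
# by every local user).  Override the location with REPORT_FILE=/path.
#
# Nearly every collector below needs root (shadow, other users' history,
# PID column of netstat).

set -u   # catch misspelled variables; no -e, a missing tool must not abort the sweep

if [ "$(id -u)" -ne 0 ]; then
	echo "请以root运行(需要读取/etc/shadow、各用户的历史命令等)" >&2
	exit 1
fi

umask 077
report_dir='/root/security_check'
mkdir -p "$report_dir"
# One file per run so "when was this captured" is never ambiguous.
file="${REPORT_FILE:-${report_dir}/security_file_$(date +%Y%m%d_%H%M%S)}"
if [ -L "$file" ]; then
	echo "报告文件 $file 是符号链接，拒绝写入" >&2
	exit 1
fi
: > "$file"        # create/truncate; umask 077 yields 0600
chmod 600 "$file"

# Every collector pipes through savefile (tee keeps the output on screen too).
# A function avoids the word-splitting surprises of keeping the command in a string.
savefile() { tee -a "$file"; }
# Blank separator line between sections.
sep() { echo | savefile; }
# Run a command if it exists, otherwise record that it is missing (chkconfig,
# netstat and systemctl are not present on every distribution).
run() {
	if command -v "$1" >/dev/null 2>&1; then
		"$@" 2>&1 | savefile
	else
		echo "(未找到命令: $1)" | savefile
	fi
}

echo "用户角度筛查:" | savefile
echo "用户信息:" | savefile
echo "1.1:passwd:" | savefile
cat /etc/passwd | savefile
sep
echo "1.2:影子文件:" | savefile
cat /etc/shadow | savefile
sep

echo "1.3:特权账户列表:" | savefile
# Any UID 0 account other than root is the classic backdoor.
awk -F: '$3==0{print $1}' /etc/passwd | savefile
sep
# The original `grep x:0` also matched uid 10, 100 ... (x:10:); compare the
# uid/gid fields exactly and include GID 0 members.
awk -F: '$3==0 || $4==0' /etc/passwd | savefile
sep

echo "1.4:当前登录用户(tty本地 pts远程):" | savefile
run who
sep
run w
sep
run uptime
sep

echo "1.5:可以登录的用户:" | savefile
# Accounts whose login shell is a real shell; anchor on the shell field so a
# user *named* "false" is not dropped by accident.
grep -vE '(nologin|false)$' /etc/passwd | savefile
sep
echo "1.6:空口令账户:" | savefile
# Empty hash field in shadow = login without a password.
awk -F: '$2==""{print $1}' /etc/shadow | savefile
sep

echo "2:基于历史命令的角度排查(所有用户):" | savefile
# Dump one user's .bash_history.  A history that is missing, emptied or
# symlinked to /dev/null is itself a finding (attackers commonly wipe it),
# so say so instead of silently printing nothing.
dump_history() {
	local user=$1 home=$2 hist="$2/.bash_history"
	echo "$user 用户:" | savefile
	if [ -L "$hist" ]; then
		echo "(警告: $hist 是符号链接 -> $(readlink "$hist"))" | savefile
	fi
	if [ -f "$hist" ]; then
		cat "$hist" | savefile
	else
		echo "(无 $hist 或已被清空)" | savefile
	fi
	sep
}
# Walk home directories from /etc/passwd instead of `ls /home`: that missed
# users homed elsewhere (root included) and broke on names with spaces.
# Only accounts with a real login shell are worth reading.
awk -F: '$7 !~ /(nologin|false)$/ {print $1 ":" $6}' /etc/passwd |
while IFS=: read -r user home; do
	[ -d "$home" ] && dump_history "$user" "$home"
done

echo "3:基于网络端口排查:" | savefile
# netstat is deprecated and absent on newer distros; fall back to ss.
if command -v netstat >/dev/null 2>&1; then
	netstat -antp 2>&1 | savefile
else
	ss -antp 2>&1 | savefile
fi
sep

echo "4:基于进程排查:" | savefile
echo "4.1:所有进程:" | savefile
ps aux | savefile
sep
echo "4.2:cpu占用前十的进程:" | savefile
# The original --sort=pcpu sorted ascending, i.e. listed the ten *least* busy
# processes; the leading '-' sorts descending.  head -n 11 = header + 10 rows.
ps aux --sort=-pcpu | head -n 11 | savefile
sep
echo "4.3:内存占用前十的进程:" | savefile
ps aux --sort=-%mem | head -n 11 | savefile
sep
echo "4.4:可执行文件已被删除但仍在运行的进程:" | savefile
# A running process whose binary is gone from disk is a common sign of a
# dropper that removed itself after starting.
ls -l /proc/[0-9]*/exe 2>/dev/null | grep '(deleted)' | savefile
sep

echo "5:基于开机启动项排查:" | savefile
echo "/etc/rc.local:" | savefile
if [ -f /etc/rc.local ]; then
	cat /etc/rc.local | savefile
else
	echo "(不存在)" | savefile
fi
sep
# In the original this loop's echo/ls went only to the terminal, not the report.
for runlevel in {0..6}; do
	dir="/etc/rc.d/rc${runlevel}.d"
	[ -d "$dir" ] || dir="/etc/rc${runlevel}.d"   # Debian layout
	echo "${dir}/:" | savefile
	ls -al "$dir/" 2>&1 | savefile
	sep
done

echo "6:基于定时任务排查:" | savefile
# Per-user crontabs: /var/spool/cron (RHEL) or /var/spool/cron/crontabs (Debian).
for spool in /var/spool/cron /var/spool/cron/crontabs; do
	[ -d "$spool" ] || continue
	for tab in "$spool"/*; do
		[ -f "$tab" ] || continue
		echo "$(basename "$tab")的定时任务:" | savefile
		cat "$tab" | savefile
		sep
	done
done

for tab in /etc/cron.d/*; do
	[ -f "$tab" ] || continue
	echo "${tab} :" | savefile
	cat "$tab" | savefile
	sep
done

echo "/etc/cron.* :" | savefile
ls -la /etc/cron.* 2>&1 | savefile
sep
# systemd timers are the modern equivalent of cron entries and are easy to miss.
echo "systemd timers:" | savefile
run systemctl list-timers --all
sep

echo "7:基于服务的排查:" | savefile
echo "7.1:开机自启动:" | savefile
run chkconfig --list
sep
echo "7.2:systemctl自启动服务:" | savefile
if command -v systemctl >/dev/null 2>&1; then
	systemctl list-unit-files 2>&1 | grep enabled | savefile
else
	echo "(未找到命令: systemctl)" | savefile
fi
sep

echo "8:排查host文件:" | savefile
cat /etc/hosts | savefile
sep

echo '9:日志分析排查:' | savefile
# RHEL/CentOS log sshd auth events to /var/log/secure, Debian/Ubuntu to
# /var/log/auth.log; the original only knew the first.
authlog=/var/log/secure
[ -f "$authlog" ] || authlog=/var/log/auth.log
if [ -f "$authlog" ]; then
	echo "(日志文件: $authlog)" | savefile
	echo "9.1:root账户爆破登录情况:" | savefile
	# Take the word after "from" rather than a fixed column: the column shifts
	# for "invalid user" lines and with the hostname format.
	grep "Failed password for root" "$authlog" | awk '{for(i=1;i<=NF;i++) if($i=="from") print $(i+1)}' | sort | uniq -c | sort -nr | savefile
	sep
	echo "9.2:root账户成功登录的相关信息:" | savefile
	grep "Accepted" "$authlog" | awk '{print $1,$2,$3,$9,$11}' | sort | uniq -c | sort -nr | savefile
else
	echo "(未找到 /var/log/secure 或 /var/log/auth.log，可改用 journalctl 查看sshd日志)" | savefile
fi
sep

echo "排查脚本执行完毕" | savefile
echo "报告已保存到: $file"
# Hand off to the interactive helper next to this script; the original
# relative ./security_func.sh only worked when run from that directory.
script_dir=$(cd "$(dirname "$0")" && pwd)
if [ -x "$script_dir/security_func.sh" ]; then
	"$script_dir/security_func.sh"
else
	echo "未找到 $script_dir/security_func.sh" >&2
fi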

功能脚本:
security_func.sh:

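#!/bin/bash
# security_func.sh - interactive helpers used after the triage report has been
# collected: lock an account, map a suspicious peer IP to PIDs, count threads
# of a process, count connections on a port, inspect a file.
#
# All operator input is quoted and, where the tool accepts it, passed after
# `--`, so a value beginning with '-' cannot become an option and spaces or
# glob characters are not expanded.  Needs root for usermod and for the PID
# column of netstat/ss.

# Keep the output on screen until the operator presses Enter.
pause() {
	echo "键入回车"
	read -r _
}

# Count sockets of protocol $1 (tcp|udp) whose *local* port is $2.
# The original grep'd the whole line, so asking for 80 also counted 8080,
# 8000... and any remote port.  Field 4 of netstat -n / ss -n is Local Address.
count_port() {
	if command -v netstat >/dev/null 2>&1; then
		netstat -n 2>/dev/null | awk -v proto="^$1" -v p=":$2\$" '$1 ~ proto && $4 ~ p' | wc -l
	else
		ss "-n${1:0:1}" 2>/dev/null | awk -v p=":$2\$" 'NR>1 && $4 ~ p' | wc -l
	fi
}

while true; do
	echo "linux应急排查:"
	echo "0:退出"
	echo "1:锁定用户(禁止登录)"
	echo "2:查看与可疑IP连接下对应的pid"
	echo "3:监控指定进程/应用下线程数(输入pid/应用名称如:sshd)"
	echo "4:监控某端口网络客户连接数"
	echo "5:查看文件的相关信息"
	read -r -p "输入数字:" func_name
	case "${func_name}" in
		"0")
			exit 0
			;;
		"1")
			read -r -p "输入用户名:" username
			# The original ran `passwd -d`, which REMOVES the password and leaves
			# the account open to passwordless login - the opposite of containment.
			# Lock the password instead; userdel would also destroy the uid-to-name
			# mapping that later file-ownership evidence depends on.
			if ! [[ ${username} =~ ^[A-Za-z0-9_][A-Za-z0-9_.-]*$ ]]; then
				echo "无效的用户名: ${username}"
			elif ! id "${username}" >/dev/null 2>&1; then
				echo "用户不存在: ${username}"
			else
				usermod -L "${username}" && echo "已锁定 ${username} (解锁: usermod -U)"
			fi
			pause
			;;
		"2")
			read -r -p "输入可疑连接IP:" ip_addr
			if [ -z "${ip_addr}" ]; then
				echo "IP不能为空"
			elif command -v netstat >/dev/null 2>&1; then
				# Column 7 of netstat -p is "PID/Program name"; -F keeps the dots
				# in the IP literal instead of regex wildcards.
				netstat -antlp 2>/dev/null | grep -F -- "${ip_addr}" | awk '{print $7}' | cut -f1 -d"/" | sort -u
			else
				# ss prints users:(("name",pid=N,fd=M)); extract the pid= values.
				ss -antp 2>/dev/null | grep -F -- "${ip_addr}" | grep -o 'pid=[0-9]*' | cut -d= -f2 | sort -u
			fi
			pause
			;;
		"3")
			read -r -p "输入应用名称或pid:" monitor_name
			if [[ ${monitor_name} =~ ^[0-9]+$ ]]; then
				# -H: one row per thread of the given pid.
				top -H -p "${monitor_name}"
			elif [ -n "${monitor_name}" ]; then
				# ps -L lists one line per thread; drop the grep process itself so
				# the count is not off by one.
				ps -eLf | grep -F -- "${monitor_name}" | grep -v -F -- "grep -F" | wc -l
			else
				echo "输入不能为空"
			fi
			pause
			;;
		"4")
			read -r -p "输入端口号:" monitor_port
			if [[ ${monitor_port} =~ ^[0-9]+$ ]]; then
				echo "tcp:"
				count_port tcp "${monitor_port}"
				echo "udp:"
				count_port udp "${monitor_port}"
			else
				echo "端口号必须是数字"
			fi
			pause
			;;
		"5")
			read -r -p "输入文件路径:" monitor_path
			if [ -e "${monitor_path}" ]; then
				# atime/mtime can be set freely with touch; a Change time well after
				# Modify is worth a second look when back-dating is suspected.
				stat -- "${monitor_path}"
			else
				echo "文件不存在: ${monitor_path}"
			fi
			pause
			;;
		*)
			echo "请输入0-5之间的数字"
			;;
	esac
done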