蓝队应急基本内容排查
检查脚本:
security-scan.sh（需以 root 运行；报告会写入 /etc/shadow 的内容，注意保护输出文件 /tmp/security_file）:
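#!/bin/bash
# Blue-team triage collector: appends a plain-text report covering accounts,
# shell history, network, processes, autostart, cron, services, /etc/hosts
# and the auth log. Must run as root (it reads /etc/shadow).
#
# Deliberately no `set -e`: a missing file or tool (chkconfig, /var/log/secure,
# a user without .bash_history, ...) must not abort the rest of the report.
#
# The report path can be overridden so output can go to mounted evidence media
# instead of the world-writable /tmp (default kept for compatibility).
file="${SECURITY_REPORT:-/tmp/security_file}"

# The report will contain /etc/shadow hashes, so:
#  - umask 077 makes anything this script creates owner-readable only;
#  - refuse a symlink or non-regular file at $file: `tee -a` running as root
#    on an attacker-planted symlink in /tmp would append the report to an
#    arbitrary file (classic /tmp symlink attack). This check is still racy
#    (TOCTOU); a private output directory is the real fix.
umask 077
if [[ -L "$file" || ( -e "$file" && ! -f "$file" ) ]]; then
  printf 'refusing to write report: %s exists and is not a regular file\n' "$file" >&2
  exit 1
fi
if [[ ! -f "$file" ]]; then
  touch -- "$file" || exit 1
fi
# An earlier run may have created the file with a looser mode; tighten it.
chmod 600 -- "$file" || exit 1

# Every section pipes into `$savefile`. It is kept as an unquoted command
# string (not a function) because the sections expand it as `| $savefile`;
# consequently $file must not contain whitespace.
savefile="tee -a $file"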
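# ---- 1. Accounts ----------------------------------------------------------
# Headings are part of the report format and stay in the original language.
echo "用户角度筛查:" | $savefile
echo "用户信息:" | $savefile
echo "1.1:passwd:" | $savefile
$savefile < /etc/passwd
printf '\n\n' | $savefile
echo "1.2:影子文件:" | $savefile
# Requires root; without it the redirect fails on stderr and the section is empty.
$savefile < /etc/shadow
printf '\n\n' | $savefile
echo "1.3:特权账户列表:" | $savefile
# Any UID-0 account is root-equivalent regardless of its name.
awk -F: '$3==0{print $1}' /etc/passwd | $savefile
printf '\n\n' | $savefile
# Full passwd lines for those accounts. Replaces the original `grep x:0`,
# a loose substring match that also depended on the password field being "x".
awk -F: '$3==0' /etc/passwd | $savefile
printf '\n\n' | $savefile
echo "1.4:当前登录用户(tty本地 pts远程):" | $savefile
who | $savefile
printf '\n\n' | $savefile
w | $savefile
printf '\n\n' | $savefile
uptime | $savefile
printf '\n\n' | $savefile
echo "1.5:可以登录的用户:" | $savefile
# Test only the shell field, so an account whose name or GECOS happens to
# contain "false"/"nologin" is not dropped by accident.
awk -F: '$7 !~ /(nologin|false)$/' /etc/passwd | $savefile
printf '\n\n' | $savefile
# Empty second field in shadow = passwordless account; a common backdoor and
# a must-check for any account that also has a login shell above.
echo "1.6:空口令账户(shadow第二字段为空):" | $savefile
awk -F: '$2==""{print $1}' /etc/shadow | $savefile
printf '\n\n' | $savefile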
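# ---- 2. Shell history -----------------------------------------------------
echo "2:基于历史命令的角度排查(所有用户):" | $savefile
echo "root用户:" | $savefile
# Caveat: bash only writes history on shell exit, and an attacker clears it
# trivially (`history -c`, `unset HISTFILE`, `ln -sf /dev/null`). An empty or
# missing file is itself a finding, not proof of inactivity.
[[ -f /root/.bash_history ]] && $savefile < /root/.bash_history
printf '\n\n' | $savefile
# Walk home directories from /etc/passwd instead of `ls /home`, so service or
# attacker-created accounts homed elsewhere (/var/lib/*, /opt/*, /) are
# covered too. Root is handled above and skipped here.
while IFS=: read -r username _ _ _ _ homedir _; do
  [[ -n "$homedir" && "$homedir" != /root ]] || continue
  histfile="$homedir/.bash_history"
  if [[ -f "$histfile" ]]; then
    echo "$username 用户:" | $savefile
    $savefile < "$histfile"
    printf '\n\n' | $savefile
  elif [[ -d "$homedir" && "$homedir" == /home/* ]]; then
    # The original listed every /home entry; keep that visibility and make
    # the absence explicit since it may indicate deliberate cleanup.
    echo "$username 用户: (无 .bash_history 文件)" | $savefile
    printf '\n\n' | $savefile
  fi
done < /etc/passwd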
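# ---- 3/4. Network and processes -------------------------------------------
echo "3:基于网络端口排查:" | $savefile
# netstat is absent on minimal modern installs; `ss -antp` prints the same
# information (all TCP sockets, numeric, owning process).
if command -v netstat >/dev/null 2>&1; then
  netstat -antp | $savefile
else
  ss -antp | $savefile
fi
printf '\n\n' | $savefile
echo "4:基于进程排查:" | $savefile
echo "4.1:所有进程:" | $savefile
# Caveat: a userland rootkit (LD_PRELOAD, trojaned procps) can hide entries
# from ps/netstat; when in doubt cross-check against `ls /proc` and `ss`.
ps aux | $savefile
printf '\n\n' | $savefile
echo "4.2:cpu占用前十的进程:" | $savefile
# `--sort=-pcpu` sorts descending. The original used `--sort=pcpu`
# (ascending), so the "top ten" were actually the idlest processes.
# head -n 11 keeps the header line plus ten entries.
ps aux --sort=-pcpu | head -n 11 | $savefile
printf '\n\n' | $savefile
echo "4.3:内存占用前十的进程:" | $savefile
ps aux --sort=-%mem | head -n 11 | $savefile
printf '\n\n' | $savefile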
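# ---- 5. Boot-time autostart -----------------------------------------------
echo "5:基于开机启动项排查:" | $savefile
echo "/etc/rc.local:" | $savefile
[[ -f /etc/rc.local ]] && $savefile < /etc/rc.local
printf '\n\n' | $savefile
# Bug fix: the per-runlevel heading and `ls` were written to stdout only and
# never reached the report. RHEL-style hosts keep the directories under
# /etc/rc.d (with /etc/rcN.d symlinks, skipped to avoid duplicates);
# Debian-style hosts have real /etc/rcN.d directories.
for runlevel in {0..6}; do
  for rcdir in "/etc/rc.d/rc${runlevel}.d" "/etc/rc${runlevel}.d"; do
    [[ -d "$rcdir" && ! -L "$rcdir" ]] || continue
    echo "$rcdir/:" | $savefile
    ls -al -- "$rcdir"/ | $savefile
    printf '\n\n' | $savefile
  done
done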
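# ---- 6. Scheduled tasks ---------------------------------------------------
echo "6:基于定时任务排查:" | $savefile
# Per-user crontabs live in /var/spool/cron/<user> on RHEL-style systems and
# /var/spool/cron/crontabs/<user> on Debian-style systems. Globbing (instead
# of parsing `ls`) also tolerates odd file names.
for spool in /var/spool/cron /var/spool/cron/crontabs; do
  [[ -d "$spool" ]] || continue
  for usercrontab in "$spool"/*; do
    [[ -f "$usercrontab" ]] || continue
    echo "${usercrontab##*/}的定时任务:" | $savefile
    $savefile < "$usercrontab"
    printf '\n\n' | $savefile
  done
done
# System cron drop-ins. /etc/crontab and /etc/anacrontab are common
# persistence spots that the original listing skipped.
for cronfile in /etc/cron.d/* /etc/crontab /etc/anacrontab; do
  [[ -f "$cronfile" ]] || continue
  echo "$cronfile :" | $savefile
  $savefile < "$cronfile"
  printf '\n\n' | $savefile
done
echo "/etc/cron.* :" | $savefile
ls -la /etc/cron.* | $savefile
printf '\n\n' | $savefile
# systemd timers are the cron equivalent on systemd hosts and are easy to miss.
if command -v systemctl >/dev/null 2>&1; then
  echo "systemd timers:" | $savefile
  systemctl list-timers --all 2>&1 | $savefile
  printf '\n\n' | $savefile
fi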
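# ---- 7/8. Services and hosts ---------------------------------------------
echo "7:基于服务的排查:" | $savefile
echo "7.1:开机自启动:" | $savefile
# chkconfig exists only on SysV-init hosts; without this guard its
# "command not found" went to stderr and the section was silently empty.
if command -v chkconfig >/dev/null 2>&1; then
  chkconfig --list 2>&1 | $savefile
else
  echo "(chkconfig 不存在，见 7.2)" | $savefile
fi
printf '\n\n' | $savefile
echo "7.2:systemctl自启动服务:" | $savefile
# --state=enabled filters on the state column exactly, rather than grepping
# the word anywhere in the line (unit names, "enabled-runtime", ...).
if command -v systemctl >/dev/null 2>&1; then
  systemctl list-unit-files --state=enabled 2>&1 | $savefile
else
  echo "(systemctl 不存在)" | $savefile
fi
printf '\n\n' | $savefile
echo "8:排查host文件:" | $savefile
# A hosts entry is a cheap way to redirect update/C2/security-vendor domains;
# scrutinise anything that is not the stock localhost lines.
$savefile < /etc/hosts
printf '\n\n' | $savefile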
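# ---- 9. Auth log ----------------------------------------------------------
echo '9:日志分析排查:' | $savefile
# /var/log/secure is RHEL-style; Debian/Ubuntu write the same sshd lines to
# /var/log/auth.log. Only the current file is read: rotated logs
# (secure-YYYYMMDD, auth.log.1) and journald-only hosts (`journalctl -u sshd`)
# need manual follow-up when the incident window is older than this file.
authlog=""
for candidate in /var/log/secure /var/log/auth.log; do
  if [[ -r "$candidate" ]]; then
    authlog="$candidate"
    break
  fi
done
if [[ -z "$authlog" ]]; then
  echo "(未找到可读的认证日志: /var/log/secure 或 /var/log/auth.log)" | $savefile
fi
echo "9.1:root账户爆破登录情况:" | $savefile
# Field positions assume the classic syslog prefix:
#   "Mon DD HH:MM:SS host sshd[pid]: Failed password for root from IP port N ssh2"
# so $11 is the source IP. Hosts logging RFC-3339 timestamps shift every field
# by one; adjust the awk if the counts come out empty. Including " from" in the
# pattern keeps the field layout consistent and excludes other usernames.
if [[ -n "$authlog" ]]; then
  grep "Failed password for root from" "$authlog" \
    | awk '{print $11}' | sort | uniq -c | sort -nr | $savefile
fi
printf '\n\n' | $savefile
echo "9.2:root账户成功登录的相关信息:" | $savefile
# Despite the heading this lists successful logins for every user
# ($9 = user, $11 = source IP), which is what triage wants: an attacker
# rarely lands directly on root.
if [[ -n "$authlog" ]]; then
  grep "Accepted" "$authlog" \
    | awk '{print $1,$2,$3,$9,$11}' | sort | uniq -c | sort -nr | $savefile
fi
echo "排查脚本执行完毕" | $savefile
# Hand off to the interactive helper that sits next to this script (not in the
# caller's CWD), via bash explicitly since it may lack a shebang/exec bit.
bash "$(dirname -- "$0")/security_func.sh"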
功能脚本:
security_func.sh（交互式，由检查脚本在结束时自动调用）:
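#!/bin/bash
# Interactive triage menu launched at the end of the collector script.
# Every option is read-only except option 1, which locks an account.
#
# Fixes relative to the original:
#  - Option 1 ran `passwd -d`, which DELETES the account's password rather
#    than the user. On hosts whose PAM config allows empty passwords that
#    opens the account instead of closing it. It now locks the account with
#    `passwd -l`, which keeps the user, UID ownership and home directory
#    (evidence) intact while blocking password logins. Key-based SSH logins
#    bypass the lock: review ~/.ssh/authorized_keys separately.
#  - User input was interpolated unquoted into grep, so values like ".*" or
#    "-v" changed the meaning of the check; inputs are validated and passed
#    as fixed strings.
#  - Option 4 matched the port as a bare substring, so "22" also counted
#    2222/8022 and any IP octet containing 22; it now anchors on ":PORT" in
#    the local-address column.
#  - `read` without a failure branch spun forever on EOF (closed stdin).
while true; do
  echo "linux应急排查:"
  echo "0:退出"
  echo "1:锁定用户(禁止口令登录)"
  echo "2:查看与可疑IP连接下对应的pid"
  echo "3:监控指定进程/应用下线程数(输入pid/应用名称如:sshd)"
  echo "4:监控某端口网络客户连接数"
  echo "5:查看文件的相关信息"
  read -r -p "输入数字:" func_name || exit 0
  case "${func_name}" in
    "0")
      exit 0
      ;;
    "1")
      read -r -p "输入用户名:" username || exit 0
      # Plain account name only: rejects option-looking input ("-d") and root.
      if [[ "$username" =~ ^[a-z_][a-z0-9_-]*$ && "$username" != root ]]; then
        passwd -l "$username"
      else
        echo "无效用户名或不允许锁定 root: ${username}" >&2
      fi
      echo "键入回车"
      read -r
      ;;
    "2")
      read -r -p "输入可疑连接IP:" ip_addr || exit 0
      # -F: literal match. Column 7 is "pid/program", or "-" when not root.
      netstat -antlp 2>/dev/null | grep -F -- "$ip_addr" | awk '{print $7}' | cut -f1 -d"/"
      echo "键入回车"
      read -r
      ;;
    "3")
      read -r -p "输入应用名称或pid:" monitor_name || exit 0
      if [[ "$monitor_name" =~ ^[0-9]+$ ]]; then
        top -p "$monitor_name"
      else
        # Thread count over every process whose command line contains the
        # name; the second grep drops our own grep, which the original counted.
        ps -eLf | grep -F -- "$monitor_name" | grep -v -F -- "grep -F -- $monitor_name" | wc -l
      fi
      echo "键入回车"
      read -r
      ;;
    "4")
      read -r -p "输入端口号:" monitor_port || exit 0
      if [[ "$monitor_port" =~ ^[0-9]+$ ]]; then
        # $1 is the protocol (tcp/tcp6/udp/udp6), $4 the local address
        # "addr:port"; anchoring on ":PORT$" avoids substring false matches.
        echo "tcp:"
        netstat -tn 2>/dev/null | awk -v p="$monitor_port" '$1 ~ /^tcp/ && $4 ~ (":" p "$")' | wc -l
        echo "udp:"
        netstat -un 2>/dev/null | awk -v p="$monitor_port" '$1 ~ /^udp/ && $4 ~ (":" p "$")' | wc -l
      else
        echo "端口必须是数字: ${monitor_port}" >&2
      fi
      echo "键入回车"
      read -r
      ;;
    "5")
      read -r -p "输入文件路径:" monitor_path || exit 0
      # `--` so a path beginning with "-" is not parsed as an option.
      stat -- "$monitor_path"
      echo "键入回车"
      read -r
      ;;
    *)
      echo "请输入0-5之间的数字"
      ;;
  esac
done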