#!/bin/bash

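# Host facts gathered once at start-up; os_name, os_version, startDate and
# ipaddr go into the report header, and $os selects which checks are reported.
# NOTE(review): ipv4/ipv6 parse the legacy net-tools "inet addr" layout of a
# hard-coded eth0 and are not referenced anywhere else in the visible script.
ipv4=$(ifconfig eth0 | grep 'inet addr' | awk -F ":" '{print $2}' | awk '{print$1}')
ipv6=$(ifconfig eth0 | grep 'inet6 addr' | awk -F "/" '{print $1}')

# Probe diagnostics are appended to ./error in the current directory.
# uname.bak is only a fallback: it must be chained with ||, like the other
# probes below. With ';' it ran on every host, logged "command not found"
# to ./error, and would have been appended to os_name wherever it exists.
os_name=$(uname -s 2>> error || uname.bak -s 2>> error)
# First source that answers wins: lsb_release, then the release/issue files,
# then uname.
os_version=$(lsb_release -a 2>> error \
  || cat /etc/issue 2>> error \
  || cat /etc/redhat-release 2>> error \
  || cat /etc/redhat-release.bak 2>> error \
  || uname -a 2>> error \
  || uname.bak -a 2>> error)
startDate=$(date "+%Y-%m-%d %H:%M:%S")
# First command-line argument: written to <ip> and used as the report file
# name prefix. It is taken as supplied; nothing here validates it.
ipaddr="$1"

os_result=$(uname -a 2>> error || uname.bak -a 2>> error)
# Drop everything from the last '-' onwards, collapse whitespace (the
# expansion is deliberately unquoted), then keep the last word. For a
# "uname -a" line whose only '-' sits inside the kernel release this leaves
# the base kernel version, e.g. 3.10.0 - TODO confirm on hosts whose
# hostname or build string contains a later '-'.
# shellcheck disable=SC2086,SC2116
result=$(echo ${os_result%-*})
os=${result##* }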

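# Check 1: account lockout after failed logins (the PAM "deny=" threshold).
# The embedded script defines one probe per distribution family and picks
# one from the release files it finds:
#   linux7        - /etc/pam.d/system-auth with pam_tally.so / pam_tally2.so
#   linux8        - system-auth and password-auth with pam_faillock.so
#   suse          - /etc/pam.d/common-auth (plus common-account for pam_tally2)
#   ubuntu_debian - /etc/pam.d/common-auth with pam_tally.so / pam_tally2.so
# A probe prints the configured threshold as "result=<n>", or
# "result=false" / "result=pam_tally not found" when none is configured.
# '%' stands for a backtick; the driver loop substitutes it just before the
# text is run, so command substitutions are not expanded at assignment time.
# In ubuntu_debian the config file is read by absolute path, and the
# pam_tally2 branch tests the variable \$DENY_result2 rather than the literal
# word: a literal is never empty, so a host without any deny= setting could
# not reach "result=false".
# NOTE(review): the pam_tally branch of ubuntu_debian prints "result1="
# while every other branch prints "result=" - confirm which key the report
# consumer parses.
# NOTE(review): Script_Support[0] does not list 4.18.0, which the other
# checks do; the driver only reports a check whose list matches the running
# kernel, so confirm that the linux8 probe is reachable where intended.
Script_ID[0]=1
Script_Value[0]="function linux7() {
ls -l /lib*/security/pam_tally.so 2>/dev/null
echo \"---------------system-auth-------------------\"
cat /etc/pam.d/system-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'
if [[ -n %ls -l /lib*/security/pam_tally.so 2>/dev/null% ]];then
if [[ -n %cat /etc/pam.d/system-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|egrep \"auth[[:space:]]*required[[:space:]]*\\S*pam_tally.so\"% ]];then
if [[ -n %cat /etc/pam.d/system-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|egrep \"auth[[:space:]]*required[[:space:]]*\\S*pam_tally.so\"|egrep \"deny=\\w+\"% ]];then
echo \"result=\"%cat /etc/pam.d/system-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|egrep \"auth[[:space:]]*required[[:space:]]*\\S*pam_tally.so\"|awk -F\"deny=\" '{print\$2}'|awk '{print\$1}'%
else
echo \"result=false\"
fi
else
echo \"result=false\"
fi
elif [[ -n %ls -l /lib*/security/pam_tally2.so 2>/dev/null% ]];then
cat /etc/pam.d/system-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|egrep \"auth[[:space:]]*required[[:space:]]*\\S*pam_tally2.so\"
if [[ -n %cat /etc/pam.d/system-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|egrep \"auth[[:space:]]*required[[:space:]]*\\S*pam_tally2.so\"% ]];then
if [[ -n %cat /etc/pam.d/system-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|egrep \"auth[[:space:]]*required[[:space:]]*\\S*pam_tally2.so\"|egrep \"deny=\\w+\"% ]];then
echo \"result=\"%cat /etc/pam.d/system-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|egrep \"auth[[:space:]]*required[[:space:]]*\\S*pam_tally2.so\"|awk -F\"deny=\" '{print\$2}'|awk '{print\$1}'%
else
echo \"result=false\"
fi
else
echo \"result=false\"
fi
else
echo \"result=pam_tally not found\"
fi
}
function linux8() {
ls -l /etc/pam.d/system-auth /etc/pam.d/password-auth 2>/dev/null
if [ -f /etc/pam.d/system-auth ]&&[ -f /etc/pam.d/password-auth ];then
for FILE in /etc/pam.d/system-auth /etc/pam.d/password-auth
do
echo \$FILE
cat \$FILE|sed '/^\\s*#/d'|sed '/^\\s*\$/d'
venus1=\$(cat \$FILE|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|egrep \"auth\\s+required\\s+pam_faillock.so\\s+preauth\"|egrep \"deny=\\w\")
venus2=\$(cat \$FILE|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|egrep \"auth\\s+\\[default=die\\]\\s+pam_faillock.so\\s+authfail\"|egrep \"deny=\\w\")
venus3=\$(cat \$FILE|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|egrep \"account\\s+required\\s+pam_faillock.so\")
if [[ -n \$venus1 ]]&&[[ -n \$venus2 ]]&&[[ -n \$venus3 ]];then
echo \"result=\"\$(echo \$venus1|sed 's/.*\\sdeny=\\(\\w*\\)\\s.*/\\1/')
echo \"result=\"\$(echo \$venus2|sed 's/.*\\sdeny=\\(\\w*\\)\\s.*/\\1/')
else
echo \"result=false\"
fi
done
unset FILE venus1 venus2 venus3
else
echo \"result=false\"
fi
}
function ubuntu_debian() {
ls /lib/x86_64-linux-gnu/security/pam_tally*.so 2>/dev/null
cat /etc/pam.d/common-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'
if [ -f /lib/x86_64-linux-gnu/security/pam_tally.so ] || [ -f /lib/x86_64-linux-gnu/security/pam_tally2.so ];then
DENY_result1=%cat /etc/pam.d/common-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|sed -rn '/auth/s/auth\\s*required\\s*pam_tally.so.*(deny=[[:digit:]]+).*/\\1/p'%
DENY_result2=%cat /etc/pam.d/common-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|sed -rn '/auth/s/auth\\s*required\\s*pam_tally2.so.*(deny=[[:digit:]]+).*/\\1/p'%
if [ -n \"\$DENY_result1\" ];then
echo \"result1=\"%cat /etc/pam.d/common-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|sed -rn '/auth/s/auth\\s*required\\s*pam_tally.so.*(deny=[[:digit:]]+).*/\\1/p'|awk -F= '{print\$2}'%
elif [ -n \"\$DENY_result2\" ];then
echo \"result=\"%cat /etc/pam.d/common-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|sed -rn '/auth/s/auth\\s*required\\s*pam_tally2.so.*(deny=[[:digit:]]+).*/\\1/p'|awk -F= '{print\$2}'%
else
echo \"result=false\"
fi
unset DENY_result1 DENY_result2
else
echo \"result=pam_tally not found\"
fi
}
function suse() {
ls -l /lib*/security/pam_tally.so 2>/dev/null
echo \"----------------common-auth------------------\"
cat /etc/pam.d/common-auth|sed '/^\\s*#/d'|sed '/^\\s*\$/d' 2>/dev/null
echo \"----------------common-account------------------\"
cat /etc/pam.d/common-account|sed '/^\\s*#/d'|sed '/^\\s*\$/d' 2>/dev/null
echo \"----------------------------------\"
if [[ -n %ls -l /lib*/security/pam_tally.so 2>/dev/null% ]];then
if [[ -n %cat /etc/pam.d/common-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|sed -rn '/auth/s/auth\\s*required\\s*pam_tally.so.*(deny=[[:digit:]]+).*/\\1/p'% ]];then
echo \"result=\"%cat /etc/pam.d/common-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|sed -rn '/auth/s/auth\\s*required\\s*pam_tally.so.*(deny=[[:digit:]]+).*/\\1/p'|awk -F= '{print\$2}'%
else
echo \"result=false\"
fi
elif [[ -n %ls -l /lib*/security/pam_tally2.so 2>/dev/null% ]];then
if [[ -n %cat /etc/pam.d/common-account 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|sed -n '/account\\s*required\\s*pam_tally2.so/p'% ]];then
if [[ -n %cat /etc/pam.d/common-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|sed -rn '/auth/s/auth\\s*required\\s*pam_tally2.so.*(deny=[[:digit:]]+).*/\\1/p'% ]];then
echo \"result=\"%cat /etc/pam.d/common-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|sed -rn '/auth/s/auth\\s*required\\s*pam_tally2.so.*(deny=[[:digit:]]+).*/\\1/p'|awk -F= '{print\$2}'%
else
echo \"result=false\"
fi
else
echo \"result=false\"
fi
else
echo \"result=pam_tally not found\"
fi
}
if [ -f /etc/redhat-release ];then
linux_version=\$(cat /etc/redhat-release|awk -F\"release\" '{print\$2}'|awk '{print\$1}'|cut -d\\. -f1)
if [ \$linux_version -ge 8 ];then
cat /etc/redhat-release
linux8
else
cat /etc/redhat-release
linux7
fi
elif [ -f /etc/SuSE-release ];then
cat /etc/SuSE-release
suse
elif [[ -n \$(cat /etc/os-release 2>/dev/null |grep -w \"ID\"|egrep -wi \"ubuntu|debian\") ]];then
cat /etc/os-release
ubuntu_debian
else
echo \"result=Operating system judgment failed\"
fi
"
Script_Support[0]="3.10.0 2.6.32 2.6.18 2.6.9 2.4.21 2.4.9"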

# Check 2: SSH daemon settings. The embedded script filters out comment
# lines of /etc/ssh/sshd_config, then greps for "PermitRootLogin no"
# (case-insensitive) and for a line starting with "Protocol 2" or
# "protocol 2". The matching lines are printed, each followed by a
# "check result:true" or "check result:false" verdict.
# NOTE(review): the PermitRootLogin pattern contains a single literal space
# and is not anchored, so a tab-separated or multi-space setting is reported
# as false - confirm whether that is acceptable.
# NOTE(review): recent OpenSSH releases speak only protocol 2 and normally
# carry no Protocol line, so this part reports false there - confirm how the
# report consumer treats that case.
# Script_Support lists the kernel versions for which the driver loop writes
# this check into the report.
Script_ID[1]=2
Script_Value[1]="if grep -v \"^[[:space:]]*#\" /etc/ssh/sshd_config|grep -i \"PermitRootLogin no\"
then echo \"This device does not permit root to ssh login,check result:true\";
else
echo \"This device permits root to ssh login,check result:false\";
fi
if grep  -v \"^[[:space:]]*#\" /etc/ssh/sshd_config|egrep \"^protocol[[:space:]]*2|^Protocol[[:space:]]*2\"
then echo \"SSH protocol version is 2,check result:true\"
else
echo \"SSH protocol version is not 2,check result:false\"
fi
"
Script_Support[1]="4.18.0 2.6.32 2.6.18 2.6.9 2.4.21 2.4.9"

# Check 3: remote-login services. When byte 22 or byte 41 of
# /etc/redhat-release compares >= 7, telnet_status is the number of
# systemctl output lines containing both "telnet" and "active"; otherwise it
# is the number of chkconfig --list lines matching telnet and "on".
# ssh_status is the number of ps -ef lines containing "sshd" in either case.
# '%' stands for a backtick; the driver loop substitutes it before running
# the text.
# NOTE(review): "inactive" also contains "active", so a stopped telnet unit
# is counted too - confirm against real systemctl output.
# NOTE(review): reading the major release from a fixed byte offset depends
# on the exact release-string layout - verify on each supported distribution.
# NOTE(review): the final unset names variables this text never assigns.
Script_ID[2]=3
Script_Value[2]="export LANG=en_US.UTF-8
if [[ %cat /etc/redhat-release 2>/dev/null|cut -b 22% -ge 7 ]] || [[ %cat /etc/redhat-release 2>/dev/null|cut -b 41% -ge 7 ]];then
echo \"telnet_status=\"%systemctl|grep telnet|grep active|wc -l%
echo \"ssh_status=\"%ps -ef|grep \"sshd\"|grep -v \"grep\"|wc -l%
else
echo \"telnet_status=\"%chkconfig --list |egrep \"*.telnet\"|egrep -i \"on\"|wc -l%
echo \"ssh_status=\"%ps -ef|grep \"sshd\"|grep -v \"grep\"|wc -l%
fi
unset telnet_status ssh_status
"
Script_Support[2]="4.18.0 3.10.0 2.6.18 2.6.9 2.4.21 2.4.9"

# Check 4: permissions of the account databases. Lists /etc/passwd,
# /etc/shadow and /etc/group (-L follows symlinks), then prints one counter
# per file. The counter is 1 when the ls line does not match the allowed
# mode shape (passwd and group: rw-r--r-- or tighter; shadow: rw------- or
# tighter) and 0 when it does, or when ls printed nothing.
# '%' stands for a backtick; the driver loop substitutes it before running
# the text.
# NOTE(review): only the mode string is examined; owner and group of the
# files are listed but not evaluated by this text.
Script_ID[3]=4
Script_Value[3]="ls -alL /etc/passwd /etc/shadow /etc/group
echo \"passwd_total=\"%ls -alL /etc/passwd 2>/dev/null|grep -v  \"[r-][w-]-[r-]--[r-]--\"|grep \"[r-][w-][x-][r-][w-][x-][r-][w-][x-]\"|wc -l%
echo \"shadow_total=\"%ls -alL /etc/shadow 2>/dev/null|grep -v  \"[r-][w-]-------\"|grep \"[r-][w-][x-][r-][w-][x-][r-][w-][x-]\"|wc -l%
echo \"group_total=\"%ls -alL /etc/group 2>/dev/null|grep -v  \"[r-][w-]-[r-]--[r-]--\"|grep \"[r-][w-][x-][r-][w-][x-][r-][w-][x-]\"|wc -l%
"
Script_Support[3]="4.18.0 3.10.0 2.6.32 2.6.9 2.4.21 2.4.9"

# Check 5: password complexity settings. Calculate() takes a file path and
# prints DCREDIT, LCREDIT, UCREDIT and OCREDIT (the text after the '-' of
# the matching *credit value) plus MINCLASS (read from the minlen setting).
# File selection: on Red Hat with /etc/pam.d/system-auth present and a
# release digit >= 7, /etc/security/pwquality.conf is used when
# /etc/pam.d/passwd has a "password required pam_pwquality.so" line, else
# /etc/pam.d/system-auth; on SuSE with /etc/pam.d/common-password present,
# that file is used. Any other host produces no output from this text.
# '%' stands for a backtick; the driver loop substitutes it before running
# the text.
# NOTE(review): MINCLASS is filled from "minlen", not "minclass" - confirm
# which value the report consumer expects under that key.
# NOTE(review): the comment filter is unanchored, so any line containing '#'
# is dropped, and tr -d ' ' removes every space before the awk split, so
# several options on one PAM line are not separated - verify the output
# against a real system-auth / common-password file.
Script_ID[4]=5
Script_Value[4]="Calculate (){
echo \"DCREDIT=\"%cat \$1|egrep -v \"[[:space:]]*#\"|tr -d ' '|awk 'BEGIN{RS=\" \"}{print \$0}'|awk -F\"=\" '/dcredit/{print\$2}'|awk '{print\$1}'|awk -F\"-\" '{print\$2}'%
echo \"LCREDIT=\"%cat \$1|egrep -v \"[[:space:]]*#\"|tr -d ' '|awk 'BEGIN{RS=\" \"}{print \$0}'|awk -F\"=\" '/lcredit/{print\$2}'|awk '{print\$1}'|awk -F\"-\" '{print\$2}'%
echo \"UCREDIT=\"%cat \$1|egrep -v \"[[:space:]]*#\"|tr -d ' '|awk 'BEGIN{RS=\" \"}{print \$0}'|awk -F\"=\" '/ucredit/{print\$2}'|awk '{print\$1}'|awk -F\"-\" '{print\$2}'%
echo \"OCREDIT=\"%cat \$1|egrep -v \"[[:space:]]*#\"|tr -d ' '|awk 'BEGIN{RS=\" \"}{print \$0}'|awk -F\"=\" '/ocredit/{print\$2}'|awk '{print\$1}'|awk -F\"-\" '{print\$2}'%
echo \"MINCLASS=\"%cat \$1|egrep -v \"[[:space:]]*#\"|tr -d ' '|awk 'BEGIN{RS=\" \"}{print \$0}'|awk -F\"=\" '/minlen/{print\$2}'|awk '{print\$1}'%
}
if ([ -f /etc/redhat-release ] && [ -f /etc/pam.d/system-auth ]);then
if [[ %cat /etc/redhat-release|grep -aPo '(?<=release\\s)\\d'% -ge \"7\" ]];then
if [[ -n %cat /etc/pam.d/passwd|egrep -v \"[[:space:]]*#\"|egrep \"password[[:space:]]+required[[:space:]]+pam_pwquality.so\"% ]];then
echo \"result0=Found pam_pwquality.so module\"
FILE=/etc/security/pwquality.conf;
Calculate \"\$FILE\";
unset FILE
else
FILE=/etc/pam.d/system-auth;
Calculate \"\$FILE\";
unset FILE
fi
fi
elif ([ -f /etc/SuSE-release ] && [ -f /etc/pam.d/common-password ]);then
FILE=/etc/pam.d/common-password
Calculate \"\$FILE\";
unset FILE
fi
"
Script_Support[4]="4.18.0 3.10.0 2.6.32 2.6.18 2.4.21 2.4.9"

# Check 6: root login over telnet. telnet_status counts systemctl lines
# matching "telnet.socket" (when byte 22 or byte 41 of /etc/redhat-release
# compares >= 7) or chkconfig --list lines matching telnet with the word
# "on". If the count is at least 1, pts_count is the number of non-comment
# /etc/securetty lines containing "pts"; otherwise the text reports that
# telnet is not open.
# '%' stands for a backtick; the driver loop substitutes it before running
# the text.
# NOTE(review): the systemctl branch counts any listed telnet.socket line
# regardless of its state column - confirm that is the intended meaning of
# "open".
Script_ID[5]=6
Script_Value[5]="export LANG=en_US.UTF-8
if [[ %cat /etc/redhat-release 2>/dev/null|cut -b 22% -ge 7 ]] || [[ %cat /etc/redhat-release 2>/dev/null|cut -b 41% -ge 7 ]];then
telnet_status=%systemctl|grep \"telnet.socket\"|wc -l%
else
telnet_status=%chkconfig --list|egrep \"telnet.*\"|grep -w \"on\"|wc -l%
fi
if [ \$telnet_status -ge 1 ];then
echo \"pts_count=\"%cat /etc/securetty 2>/dev/null|grep -v \"^[[:space:]]*#\"|grep \"pts/*\"|wc -l%
else
echo \"Telnet process is not open\"
fi
unset telnet_status
"
Script_Support[5]="4.18.0 3.10.0 2.6.32 2.6.18 2.6.9 2.4.9"

# Check 7: forwarding of logs to a remote server. For /etc/syslog.conf and
# /etc/rsyslog.conf the text prints the non-comment lines that contain an
# '@' with characters on both sides. For a non-empty
# /etc/syslog-ng/syslog-ng.conf it takes the second field of the line
# containing "port(514)" and prints "Set the log server:true" when a
# "destination(<that field>)" reference exists, "not Set the log
# server:false" when it does not.
# '%' stands for a backtick; the driver loop substitutes it before running
# the text.
# NOTE(review): when syslog-ng.conf has no port(514) line nothing is printed
# for syslog-ng, and the syslog/rsyslog branches print matches without a
# true/false verdict - confirm how the report consumer reads an empty result.
Script_ID[6]=7
Script_Value[6]="if [ -f /etc/syslog.conf ];
then
cat /etc/syslog.conf | grep -v \"^[[:space:]]*#\" | grep -E '[[:space:]]*.+@.+';
fi;
if [ -s /etc/syslog-ng/syslog-ng.conf ];
then
ret_1=%cat /etc/syslog-ng/syslog-ng.conf | grep -v \"^[[:space:]]*#\" | grep \"port(514)\"|awk '{print \$2}'%;
if [ -n \"\$ret_1\" ];
then
ret_2=%cat /etc/syslog-ng/syslog-ng.conf | grep -v \"^[[:space:]]*#\" | grep \"destination(\$ret_1)\"%;
if [ -n \"\$ret_2\" ];
then
echo \"Set the log server:true\";
else
echo \"not Set the log server:false\";
fi;
fi;
fi;
if [ -f /etc/rsyslog.conf ];
then cat /etc/rsyslog.conf | grep -v \"^[[:space:]]*#\" | grep -E '[[:space:]]*.+@.+';
fi
"
Script_Support[6]="4.18.0 3.10.0 2.6.32 2.6.18 2.6.9 2.4.21"

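# Report writer: runs the checks whose Script_Support list matches the
# running kernel and stores their text and output in <arg1>_linux_chk.xml in
# the current directory.
# NOTE(review): $1 is used as a file name prefix exactly as supplied; an
# argument containing '/' places the report in another directory.
file="${1}_linux_chk.xml"

# Everything written inside <![CDATA[ ... ]]> comes from the audited host
# (release files, PAM and syslog configuration, command output). A literal
# "]]>" in that data would end the section early and let the remainder be
# parsed as markup, so it is split across two CDATA sections. Values are
# emitted with printf '%s' rather than echo -e, so backslash sequences in
# the data (for example the \r and \m of /etc/issue) stay literal.
cdata_end=']]>'
cdata_split=']]]]><![CDATA[>'

{
  # The attribute quotes have to reach the file; inside an unescaped
  # double-quoted echo they were consumed by the shell and the declaration
  # came out as version=1.0, which is not well-formed XML.
  printf '%s\n' '<?xml version="1.0" encoding="UTF-8"?>' '<result>'
  printf '<osName><![CDATA[%s]]></osName>\n' "${os_name//"$cdata_end"/$cdata_split}"
  printf '<version><![CDATA[%s]]></version>\n' "${os_version//"$cdata_end"/$cdata_split}"
  printf '<ip><![CDATA[%s]]></ip>\n' "${ipaddr//"$cdata_end"/$cdata_split}"
  printf '%s\n' '<type><![CDATA[/server/Linux]]></type>'
  printf '<startTime><![CDATA[%s]]></startTime>\n' "$startDate"
  printf '%s\n' '<pId><![CDATA[0]]></pId>'
  printf '\t<scripts>\n'
} > "$file"

echo "核查开始"
total=${#Script_ID[@]}
for ((i = 0; i < total; i++)); do
  [ -n "${Script_ID[$i]}" ] || continue

  index=$((i + 1))
  echo "正在核查第${index}/${total}项"
  contain=${Script_Support[$i]}
  # The check text carries '%' where a backtick is meant, so the assignment
  # above could not expand the commands; restore the backticks here. Any
  # literal '%' in a check text would be converted as well.
  value=${Script_Value[$i]}
  value=${value//%/\`}
  # $os is used as a regular expression against the space-separated list.
  # NOTE(review): an empty $os matches every list - confirm that is wanted.
  if [[ $contain =~ $os ]]; then
    # Run the check only when it is going to be reported; the text is one of
    # the fixed Script_Value entries and is executed by a child bash.
    script_result=$(printf '%s\n' "$value" | bash)
    {
      printf '\t\t<script>\n'
      printf '\t\t\t<id>%s</id>\n' "${Script_ID[$i]}"
      printf '\t\t\t<value><![CDATA[%s\n%s]]></value>\n' \
        "${value//"$cdata_end"/$cdata_split}" \
        "${script_result//"$cdata_end"/$cdata_split}"
      printf '\t\t</script>\n'
    } >> "$file"
  else
    echo "第${index}/${total}项不兼容此系统"
  fi
  echo "第${index}/${total}项核查完毕"
done

endDate=$(date "+%Y-%m-%d %H:%M:%S")
{
  printf '\t</scripts>\n'
  printf '<endTime><![CDATA[%s]]></endTime>\n' "$endDate"
  printf '%s\n' '</result>'
} >> "$file"
path=$PWD
echo "write result to $path/$file"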

因为脚本会预先处理(执行)字符串中的 `命令`,所以先由上层把 ` 替换为 %,再在脚本中把 % 替换回 `,这样就可以在其他地方同时输出 value 本身以及它的执行结果;否则,脚本会用命令的执行结果替换掉 value 中原来 `命令` 处的命令。
