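#!/bin/bash
#
# Linux baseline compliance collector.
#
# Usage: bash <this-script> <ip-address>
#
# Runs a fixed table of audit snippets (PAM login-failure lockout, sshd
# settings, telnet/sshd service state, passwd/shadow/group permissions,
# password-quality settings, securetty, remote log server) on the local
# host and writes each snippet's source text plus its output into
# "<ip-address>_linux_chk.xml" in the current directory.
#
# Conventions:
#   * Snippets live in Script_Value[] as double-quoted strings. Bash would
#     run `...` command substitutions while such a string is assigned, so
#     every backtick inside a snippet is written as '%' and swapped back to
#     '`' just before execution; the report can therefore carry the snippet
#     source verbatim next to its output.
#   * Script_Support[] lists the kernel version prefixes (e.g. 3.10.0) a
#     snippet was written for; snippets not listed for this kernel are
#     skipped without being executed.
#   * The IP written to the report is the one passed on the command line;
#     nothing is parsed from the network interfaces.
#   * stderr of the host-detection commands is appended to ./error.
#
# 'set -e' is deliberately not used: the snippets rely on grep/ls
# returning non-zero when a setting is absent, and one failing check must
# not abort the whole report.

# Host identification. Each command falls back to the next one; "uname.bak"
# and "redhat-release.bak" look like site-specific backups of the originals
# and are kept as fallbacks.
os_name=$(uname -s 2>>error || uname.bak -s 2>>error)
os_version=$(lsb_release -a 2>>error || cat /etc/issue 2>>error || cat /etc/redhat-release 2>>error || cat /etc/redhat-release.bak 2>>error || uname -a 2>>error || uname.bak -a 2>>error)
startDate=$(date "+%Y-%m-%d %H:%M:%S")
ipaddr="$1"

# Kernel version prefix used for the Script_Support[] lookup: the release
# string up to its first '-' ("3.10.0-1160.el7.x86_64" -> "3.10.0").
kernel_release=$(uname -r 2>>error || uname.bak -r 2>>error)
os=${kernel_release%%-*}

# ---------------------------------------------------------------------------
# Check table. Remember: '%' inside a snippet means a backtick.
# ---------------------------------------------------------------------------

# Check 1: PAM login-failure lockout. Prints the "deny=" value configured for
# pam_tally / pam_tally2 / pam_faillock, choosing the PAM file layout by
# distribution family (RHEL <8, RHEL >=8, SUSE, Ubuntu/Debian).
Script_ID[0]=1
Script_Value[0]="function linux7() {
  ls -l /lib*/security/pam_tally.so 2>/dev/null
  echo \"---------------system-auth-------------------\"
  cat /etc/pam.d/system-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'
  if [[ -n %ls -l /lib*/security/pam_tally.so 2>/dev/null% ]];then
    if [[ -n %cat /etc/pam.d/system-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|egrep \"auth[[:space:]]*required[[:space:]]*\\S*pam_tally.so\"% ]];then
      if [[ -n %cat /etc/pam.d/system-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|egrep \"auth[[:space:]]*required[[:space:]]*\\S*pam_tally.so\"|egrep \"deny=\\w+\"% ]];then
        echo \"result=\"%cat /etc/pam.d/system-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|egrep \"auth[[:space:]]*required[[:space:]]*\\S*pam_tally.so\"|awk -F\"deny=\" '{print\$2}'|awk '{print\$1}'%
      else
        echo \"result=false\"
      fi
    else
      echo \"result=false\"
    fi
  elif [[ -n %ls -l /lib*/security/pam_tally2.so 2>/dev/null% ]];then
    cat /etc/pam.d/system-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|egrep \"auth[[:space:]]*required[[:space:]]*\\S*pam_tally2.so\"
    if [[ -n %cat /etc/pam.d/system-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|egrep \"auth[[:space:]]*required[[:space:]]*\\S*pam_tally2.so\"% ]];then
      if [[ -n %cat /etc/pam.d/system-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|egrep \"auth[[:space:]]*required[[:space:]]*\\S*pam_tally2.so\"|egrep \"deny=\\w+\"% ]];then
        echo \"result=\"%cat /etc/pam.d/system-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|egrep \"auth[[:space:]]*required[[:space:]]*\\S*pam_tally2.so\"|awk -F\"deny=\" '{print\$2}'|awk '{print\$1}'%
      else
        echo \"result=false\"
      fi
    else
      echo \"result=false\"
    fi
  else
    echo \"result=pam_tally not found\"
  fi
}
function linux8() {
  ls -l /etc/pam.d/system-auth /etc/pam.d/password-auth 2>/dev/null
  if [ -f /etc/pam.d/system-auth ]&&[ -f /etc/pam.d/password-auth ];then
    for FILE in /etc/pam.d/system-auth /etc/pam.d/password-auth
    do
      echo \$FILE
      cat \$FILE|sed '/^\\s*#/d'|sed '/^\\s*\$/d'
      venus1=\$(cat \$FILE|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|egrep \"auth\\s+required\\s+pam_faillock.so\\s+preauth\"|egrep \"deny=\\w\")
      venus2=\$(cat \$FILE|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|egrep \"auth\\s+\\[default=die\\]\\s+pam_faillock.so\\s+authfail\"|egrep \"deny=\\w\")
      venus3=\$(cat \$FILE|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|egrep \"account\\s+required\\s+pam_faillock.so\")
      if [[ -n \$venus1 ]]&&[[ -n \$venus2 ]]&&[[ -n \$venus3 ]];then
        echo \"result=\"\$(echo \$venus1|sed 's/.*\\sdeny=\\(\\w*\\)\\s.*/\\1/')
        echo \"result=\"\$(echo \$venus2|sed 's/.*\\sdeny=\\(\\w*\\)\\s.*/\\1/')
      else
        echo \"result=false\"
      fi
    done
    unset FILE venus1 venus2 venus3
  else
    echo \"result=false\"
  fi
}
function ubuntu_debian() {
  ls /lib/x86_64-linux-gnu/security/pam_tally*.so 2>/dev/null
  cat /etc/pam.d/common-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'
  if [ -f /lib/x86_64-linux-gnu/security/pam_tally.so ] || [ -f /lib/x86_64-linux-gnu/security/pam_tally2.so ];then
    DENY_result1=%cat /etc/pam.d/common-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|sed -rn '/auth/s/auth\\s*required\\s*pam_tally.so.*(deny=[[:digit:]]+).*/\\1/p'%
    DENY_result2=%cat /etc/pam.d/common-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|sed -rn '/auth/s/auth\\s*required\\s*pam_tally2.so.*(deny=[[:digit:]]+).*/\\1/p'%
    if [ -n \"\$DENY_result1\" ];then
      echo \"result1=\"%cat /etc/pam.d/common-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|sed -rn '/auth/s/auth\\s*required\\s*pam_tally.so.*(deny=[[:digit:]]+).*/\\1/p'|awk -F= '{print\$2}'%
    elif [ -n \"\$DENY_result2\" ];then
      echo \"result=\"%cat /etc/pam.d/common-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|sed -rn '/auth/s/auth\\s*required\\s*pam_tally2.so.*(deny=[[:digit:]]+).*/\\1/p'|awk -F= '{print\$2}'%
    else
      echo \"result=false\"
    fi
    unset DENY_result1 DENY_result2
  else
    echo \"result=pam_tally not found\"
  fi
}
function suse() {
  ls -l /lib*/security/pam_tally.so 2>/dev/null
  echo \"----------------common-auth------------------\"
  cat /etc/pam.d/common-auth|sed '/^\\s*#/d'|sed '/^\\s*\$/d' 2>/dev/null
  echo \"----------------common-account------------------\"
  cat /etc/pam.d/common-account|sed '/^\\s*#/d'|sed '/^\\s*\$/d' 2>/dev/null
  echo \"----------------------------------\"
  if [[ -n %ls -l /lib*/security/pam_tally.so 2>/dev/null% ]];then
    if [[ -n %cat /etc/pam.d/common-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|sed -rn '/auth/s/auth\\s*required\\s*pam_tally.so.*(deny=[[:digit:]]+).*/\\1/p'% ]];then
      echo \"result=\"%cat /etc/pam.d/common-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|sed -rn '/auth/s/auth\\s*required\\s*pam_tally.so.*(deny=[[:digit:]]+).*/\\1/p'|awk -F= '{print\$2}'%
    else
      echo \"result=false\"
    fi
  elif [[ -n %ls -l /lib*/security/pam_tally2.so 2>/dev/null% ]];then
    if [[ -n %cat /etc/pam.d/common-account 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|sed -n '/account\\s*required\\s*pam_tally2.so/p'% ]];then
      if [[ -n %cat /etc/pam.d/common-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|sed -rn '/auth/s/auth\\s*required\\s*pam_tally2.so.*(deny=[[:digit:]]+).*/\\1/p'% ]];then
        echo \"result=\"%cat /etc/pam.d/common-auth 2>/dev/null|sed '/^\\s*#/d'|sed '/^\\s*\$/d'|sed -rn '/auth/s/auth\\s*required\\s*pam_tally2.so.*(deny=[[:digit:]]+).*/\\1/p'|awk -F= '{print\$2}'%
      else
        echo \"result=false\"
      fi
    else
      echo \"result=false\"
    fi
  else
    echo \"result=pam_tally not found\"
  fi
}
if [ -f /etc/redhat-release ];then
  linux_version=\$(cat /etc/redhat-release|awk -F\"release\" '{print\$2}'|awk '{print\$1}'|cut -d\\. -f1)
  if [ \$linux_version -ge 8 ];then
    cat /etc/redhat-release
    linux8
  else
    cat /etc/redhat-release
    linux7
  fi
elif [ -f /etc/SuSE-release ];then
  cat /etc/SuSE-release
  suse
elif [[ -n \$(cat /etc/os-release 2>/dev/null |grep -w \"ID\"|egrep -wi \"ubuntu|debian\") ]];then
  cat /etc/os-release
  ubuntu_debian
else
  echo \"result=Operating system judgment failed\"
fi
"
Script_Support[0]="3.10.0 2.6.32 2.6.18 2.6.9 2.4.21 2.4.9"

# Check 2: sshd hardening. Reports whether an uncommented "PermitRootLogin no"
# and "Protocol 2" exist in /etc/ssh/sshd_config (a commented-out default is
# reported as absent).
Script_ID[1]=2
Script_Value[1]="if grep -v \"^[[:space:]]*#\" /etc/ssh/sshd_config|grep -i \"PermitRootLogin no\"
then
  echo \"This device does not permit root to ssh login,check result:true\";
else
  echo \"This device permits root to ssh login,check result:false\";
fi
if grep -v \"^[[:space:]]*#\" /etc/ssh/sshd_config|egrep \"^protocol[[:space:]]*2|^Protocol[[:space:]]*2\"
then
  echo \"SSH protocol version is 2,check result:true\"
else
  echo \"SSH protocol version is not 2,check result:false\"
fi
"
Script_Support[1]="4.18.0 2.6.32 2.6.18 2.6.9 2.4.21 2.4.9"

# Check 3: telnet service state (systemd on RHEL >=7, chkconfig otherwise) and
# number of running sshd processes. The RHEL major version is read from a
# fixed byte offset of /etc/redhat-release, which only holds for the two
# release-string layouts it was written against.
Script_ID[2]=3
Script_Value[2]="export LANG=en_US.UTF-8
if [[ %cat /etc/redhat-release 2>/dev/null|cut -b 22% -ge 7 ]] || [[ %cat /etc/redhat-release 2>/dev/null|cut -b 41% -ge 7 ]];then
  echo \"telnet_status=\"%systemctl|grep telnet|grep active|wc -l%
  echo \"ssh_status=\"%ps -ef|grep \"sshd\"|grep -v \"grep\"|wc -l%
else
  echo \"telnet_status=\"%chkconfig --list |egrep \"*.telnet\"|egrep -i \"on\"|wc -l%
  echo \"ssh_status=\"%ps -ef|grep \"sshd\"|grep -v \"grep\"|wc -l%
fi
unset telnet_status ssh_status
"
Script_Support[2]="4.18.0 3.10.0 2.6.18 2.6.9 2.4.21 2.4.9"

# Check 4: permission bits of /etc/passwd, /etc/shadow and /etc/group. Each
# *_total counts entries whose mode does not match the expected pattern, so
# 0 is the compliant value.
Script_ID[3]=4
Script_Value[3]="ls -alL /etc/passwd /etc/shadow /etc/group
echo \"passwd_total=\"%ls -alL /etc/passwd 2>/dev/null|grep -v \"[r-][w-]-[r-]--[r-]--\"|grep \"[r-][w-][x-][r-][w-][x-][r-][w-][x-]\"|wc -l%
echo \"shadow_total=\"%ls -alL /etc/shadow 2>/dev/null|grep -v \"[r-][w-]-------\"|grep \"[r-][w-][x-][r-][w-][x-][r-][w-][x-]\"|wc -l%
echo \"group_total=\"%ls -alL /etc/group 2>/dev/null|grep -v \"[r-][w-]-[r-]--[r-]--\"|grep \"[r-][w-][x-][r-][w-][x-][r-][w-][x-]\"|wc -l%
"
Script_Support[3]="4.18.0 3.10.0 2.6.32 2.6.9 2.4.21 2.4.9"

# Check 5: password-quality credits (dcredit/lcredit/ucredit/ocredit and the
# value labelled MINCLASS, which is read from the "minlen" key) taken from
# pwquality.conf when pam_pwquality is in use, else from the PAM file.
# Prints nothing on RHEL releases below 7.
Script_ID[4]=5
Script_Value[4]="Calculate (){
  echo \"DCREDIT=\"%cat \$1|egrep -v \"[[:space:]]*#\"|tr -d ' '|awk 'BEGIN{RS=\" \"}{print \$0}'|awk -F\"=\" '/dcredit/{print\$2}'|awk '{print\$1}'|awk -F\"-\" '{print\$2}'%
  echo \"LCREDIT=\"%cat \$1|egrep -v \"[[:space:]]*#\"|tr -d ' '|awk 'BEGIN{RS=\" \"}{print \$0}'|awk -F\"=\" '/lcredit/{print\$2}'|awk '{print\$1}'|awk -F\"-\" '{print\$2}'%
  echo \"UCREDIT=\"%cat \$1|egrep -v \"[[:space:]]*#\"|tr -d ' '|awk 'BEGIN{RS=\" \"}{print \$0}'|awk -F\"=\" '/ucredit/{print\$2}'|awk '{print\$1}'|awk -F\"-\" '{print\$2}'%
  echo \"OCREDIT=\"%cat \$1|egrep -v \"[[:space:]]*#\"|tr -d ' '|awk 'BEGIN{RS=\" \"}{print \$0}'|awk -F\"=\" '/ocredit/{print\$2}'|awk '{print\$1}'|awk -F\"-\" '{print\$2}'%
  echo \"MINCLASS=\"%cat \$1|egrep -v \"[[:space:]]*#\"|tr -d ' '|awk 'BEGIN{RS=\" \"}{print \$0}'|awk -F\"=\" '/minlen/{print\$2}'|awk '{print\$1}'%
}
if ([ -f /etc/redhat-release ] && [ -f /etc/pam.d/system-auth ]);then
  if [[ %cat /etc/redhat-release|grep -aPo '(?<=release\\s)\\d'% -ge \"7\" ]];then
    if [[ -n %cat /etc/pam.d/passwd|egrep -v \"[[:space:]]*#\"|egrep \"password[[:space:]]+required[[:space:]]+pam_pwquality.so\"% ]];then
      echo \"result0=Found pam_pwquality.so module\"
      FILE=/etc/security/pwquality.conf; Calculate \"\$FILE\"; unset FILE
    else
      FILE=/etc/pam.d/system-auth; Calculate \"\$FILE\"; unset FILE
    fi
  fi
elif ([ -f /etc/SuSE-release ] && [ -f /etc/pam.d/common-password ]);then
  FILE=/etc/pam.d/common-password
  Calculate \"\$FILE\"; unset FILE
fi
"
Script_Support[4]="4.18.0 3.10.0 2.6.32 2.6.18 2.4.21 2.4.9"

# Check 6: when telnet is enabled, count the pts entries in /etc/securetty
# (terminals from which root may log in).
Script_ID[5]=6
Script_Value[5]="export LANG=en_US.UTF-8
if [[ %cat /etc/redhat-release 2>/dev/null|cut -b 22% -ge 7 ]] || [[ %cat /etc/redhat-release 2>/dev/null|cut -b 41% -ge 7 ]];then
  telnet_status=%systemctl|grep \"telnet.socket\"|wc -l%
else
  telnet_status=%chkconfig --list|egrep \"telnet.*\"|grep -w \"on\"|wc -l%
fi
if [ \$telnet_status -ge 1 ];then
  echo \"pts_count=\"%cat /etc/securetty 2>/dev/null|grep -v \"^[[:space:]]*#\"|grep \"pts/*\"|wc -l%
else
  echo \"Telnet process is not open\"
fi
unset telnet_status
"
Script_Support[5]="4.18.0 3.10.0 2.6.32 2.6.18 2.6.9 2.4.9"

# Check 7: remote log server. Lists "@host" forwarding rules from syslog.conf
# and rsyslog.conf and, for syslog-ng, whether a port(514) destination is
# referenced.
Script_ID[6]=7
Script_Value[6]="if [ -f /etc/syslog.conf ]; then cat /etc/syslog.conf | grep -v \"^[[:space:]]*#\" | grep -E '[[:space:]]*.+@.+'; fi;
if [ -s /etc/syslog-ng/syslog-ng.conf ]; then
  ret_1=%cat /etc/syslog-ng/syslog-ng.conf | grep -v \"^[[:space:]]*#\" | grep \"port(514)\"|awk '{print \$2}'%;
  if [ -n \"\$ret_1\" ]; then
    ret_2=%cat /etc/syslog-ng/syslog-ng.conf | grep -v \"^[[:space:]]*#\" | grep \"destination(\$ret_1)\"%;
    if [ -n \"\$ret_2\" ]; then echo \"Set the log server:true\"; else echo \"not Set the log server:false\"; fi;
  fi;
fi;
if [ -f /etc/rsyslog.conf ]; then cat /etc/rsyslog.conf | grep -v \"^[[:space:]]*#\" | grep -E '[[:space:]]*.+@.+'; fi
"
Script_Support[6]="4.18.0 3.10.0 2.6.32 2.6.18 2.6.9 2.4.21"

#######################################
# Wrap text in an XML CDATA section. Any "]]>" inside the text is split so
# the content cannot terminate the section early.
# Arguments: $1 - raw text
# Outputs:   the CDATA section on stdout, without a trailing newline
#######################################
xml_cdata() {
  local text=$1
  printf '<![CDATA[%s]]>' "${text//]]>/]]]]><![CDATA[>}"
}

#######################################
# Decide whether a check applies to this kernel.
# Arguments: $1 - kernel version prefix (e.g. 3.10.0)
#            $2 - space-separated list of supported version prefixes
# Returns:   0 if $1 is one of the listed versions; also 0 when $1 is empty,
#            so an undetectable kernel runs every check instead of producing
#            an empty report; 1 otherwise
#######################################
supports_kernel() {
  local kernel=$1 supported=$2 candidate
  [[ -z "$kernel" ]] && return 0
  # Word-splitting of $supported is intended: it is a space-separated list.
  for candidate in $supported; do
    [[ "$candidate" == "$kernel" ]] && return 0
  done
  return 1
}

#######################################
# Run the check table and write the XML report.
# Globals:   ipaddr, os, os_name, os_version, startDate (read);
#            Script_ID, Script_Value, Script_Support (read)
# Outputs:   progress messages on stdout; report in ./<ipaddr>_linux_chk.xml
#######################################
main() {
  local file="${ipaddr}_linux_chk.xml"
  local total=${#Script_ID[@]}
  local i index value script_result endDate

  if [[ -z "$ipaddr" ]]; then
    printf 'warning: no IP address given on the command line; writing %s\n' "$file" >&2
  fi

  {
    printf '<?xml version="1.0" encoding="UTF-8"?>\n<result>\n'
    printf '<osName>%s</osName>\n' "$(xml_cdata "$os_name")"
    printf '<version>%s</version>\n' "$(xml_cdata "$os_version")"
    printf '<ip>%s</ip>\n' "$(xml_cdata "$ipaddr")"
    printf '<type><![CDATA[/server/Linux]]></type>\n'
    printf '<startTime>%s</startTime>\n' "$(xml_cdata "$startDate")"
    printf '<pId><![CDATA[0]]></pId>\n'
    printf '\t<scripts>\n'
  } > "$file"

  echo "核查开始"
  for ((i = 0; i < total; i++)); do
    [[ -n "${Script_ID[$i]}" ]] || continue
    index=$((i + 1))
    echo "正在核查第${index}/${total}项"
    if supports_kernel "$os" "${Script_Support[$i]}"; then
      # Restore the backticks hidden as '%' (see the header comment). The
      # snippet text comes from this file's own constant table only; nothing
      # from argv or the environment is spliced into it.
      value=${Script_Value[$i]//%/\`}
      script_result=$(printf '%s\n' "$value" | bash)
      {
        printf '\t\t<script>\n'
        printf '\t\t\t<id>%s</id>\n' "${Script_ID[$i]}"
        printf '\t\t\t<value>%s</value>\n' "$(xml_cdata "$value"$'\n'"$script_result")"
        printf '\t\t</script>\n'
      } >> "$file"
    else
      echo "第${index}/${total}项不兼容此系统"
    fi
    echo "第${index}/${total}项核查完毕"
  done

  endDate=$(date "+%Y-%m-%d %H:%M:%S")
  {
    printf '\t</scripts>\n'
    printf '<endTime>%s</endTime>\n' "$(xml_cdata "$endDate")"
    printf '</result>\n'
  } >> "$file"
  echo "write result to $PWD/$file"
}

main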
因为 shell 在给变量赋值时就会执行 `命令` 形式的反引号命令替换，所以在上层先把反引号 ` 替换为 %，再在脚本执行前替换回 `，这样就可以在其他地方同时输出 value 本身及其执行结果；否则脚本会把 value 中命令的执行结果替换掉原来的 `命令` 文本。