


국정원기반 서버 취약점 점검 스크립트 -HPUX

 

아래 스크립트는 필자가 만든 스크립트입니다.

국정원이나 산자부 보안점검 대비 OS를 체크하기 위한 스크립트로

매우 주관적으로 만든 것이니 참고만 하시기 바랍니다.

 

 

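#!/sbin/sh
# NISK(National Intelligence Service Korea) Base Security Check Script
# Edit by Guppy in 2020
#
# Collects HP-UX configuration evidence for a security inspection and applies
# a number of in-place remediations (account removal, file modes, sshd and
# syslog settings; see the section headers below).  Must be run as root.
# The report is written to ./<hostname>_<timestamp>.txt.

DATE=$(date +%Y%m%d%H%M)        # timestamp used in the report file name
#DAY=`date +%D`
DAY=$(date +%m/%d/%Y)           # date printed on the first line of the report
LOGFILE=$(hostname)_$DATE.txt   # report file, created in the current directory
OS=$(uname -s)
VER=$(uname -r)                 # HP-UX release (B.11.xx); selects the swlist bundle names later
CURR="HP-UX"

# Every check below relies on HP-UX paths and tools (swlist, ndd, /tcb, ...),
# so refuse to run anywhere else.  Exit non-zero so a wrapper can notice.
if [ "$OS" != "$CURR" ] ; then
  echo " This Version $OS is Not RUN !! " >&2
  exit 1
fi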

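#echo $DATE > $LOGFILE
echo "$DAY" > "$LOGFILE"
# Later sections copy /etc/passwd, trusted-mode auth entries, RADIUS and SNMP
# configuration into this file, so make it root-only regardless of the
# caller's umask.
chmod 600 "$LOGFILE"
{
  echo
  echo
  echo "#####################################################"
  echo "#######  OTP Config Check          ##################"
  echo "#####################################################"
  echo
  # active (uncommented) pam.conf entries that load the RADIUS module
  grep -v '^#' /etc/pam.conf | grep libpam_radius.so.1
  echo
} >> "$LOGFILE"
if [ -f /etc/pam_radius_auth.conf ] ; then
  # order matters: stderr must be redirected after stdout so that error
  # text also lands in the report instead of on the terminal
  ls -la /etc/pam_radius_auth.conf >> "$LOGFILE" 2>&1
  echo >> "$LOGFILE"
  # NOTE: this file commonly holds the RADIUS shared secret; it is copied into
  # the (root-only) report
  cat /etc/pam_radius_auth.conf >> "$LOGFILE" 2>&1
  echo >> "$LOGFILE"
fi
echo >> "$LOGFILE"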

# ---- ftp / telnet: running processes, inetd entries and the recent transfer log
{
  echo
  echo
  echo "#####################################################"
  echo "#######  ftp, telnet check         ##################"
  echo "#####################################################"
  echo "##Process Check"
  ps -ef | grep ftp | grep -v grep
  echo
  echo "##inetd.conf # Check"
  grep ftp /etc/inetd.conf
  grep telnet /etc/inetd.conf
  echo
  echo "##xferlog 20 Line Check"
  tail -n 20 /var/adm/xferlog 2>&1
  echo
} >> "$LOGFILE"

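SSHD_CONFIG=/opt/ssh/etc/sshd_config
{
  echo "#####################################################"
  echo "####### ssh port 2222            ##################"
  echo "#####################################################"
  echo "##Port Check"
  grep '^Port' "$SSHD_CONFIG"
  echo
  echo "##PermitRootLogin no Check"
  grep PermitRootLogin "$SSHD_CONFIG"
  echo
  echo "##2222 port Listen Check"
  netstat -na | grep 2222
  echo
} >> "$LOGFILE"

# /etc/securetty: a "console" entry restricts root logins to the console.
if [ -f /etc/securetty ] ; then
  if grep -q console /etc/securetty ; then
    echo "##/etc/securetty set ok " >> "$LOGFILE"
  else
    echo "console" >> /etc/securetty
    echo "##/etc/securetty reconfigure ok " >> "$LOGFILE"
  fi
else
  # write the literal word ("cat console" would try to read a file of that name)
  echo "console" > /etc/securetty
  echo "##/etc/securetty create and reconfigure ok " >> "$LOGFILE"
fi
echo ""  >> "$LOGFILE"
echo ""  >> "$LOGFILE"

# sshd honours the FIRST PermitRootLogin directive it reads, so appending
# "PermitRootLogin no" below an existing "PermitRootLogin yes" has no effect.
# Check the first active directive; when it is not "no", prepend the hardened
# setting (a copy of the file is kept first).  Prepending also keeps the line
# outside any trailing Match block, although a PermitRootLogin inside a later
# Match block still overrides it for the connections that block matches.
first_prl=$(grep -v '^[[:space:]]*#' "$SSHD_CONFIG" | grep -i '^[[:space:]]*PermitRootLogin' | head -n 1 | awk '{ print $2 }')
if [ "$first_prl" = "no" ] ; then
  echo "##sshd_config PermitRootLogin no set ok" >> "$LOGFILE"
else
  if cp -p "$SSHD_CONFIG" "$SSHD_CONFIG.$DATE.bak" ; then
    # rewrite in place so ownership and mode of sshd_config are preserved
    { echo "PermitRootLogin no"; cat "$SSHD_CONFIG.$DATE.bak"; } > "$SSHD_CONFIG"
    /sbin/init.d/secsh stop >> "$LOGFILE"
    /sbin/init.d/secsh start >> "$LOGFILE"
    echo "##sshd_config PermitRootLogin no set reconfigured" >> "$LOGFILE"
  else
    # never touch the live config without a backup
    echo "##sshd_config backup failed, PermitRootLogin NOT changed" >> "$LOGFILE"
  fi
fi
echo ""  >> "$LOGFILE"
echo ""  >> "$LOGFILE"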

# ---- ntp: cron-driven sync and its log
{
  echo "#####################################################"
  echo "####### ntp check                  ##################"
  echo "#####################################################"
  echo "##crontab Check"
  crontab -l | grep ntp
  echo
  echo "##ntp log Check"
  # NOTE(review): /tmp is world-writable, so any local user could replace this
  # log; treat its contents as informational only
  tail -n 20 /tmp/time/ntpdate.log
  echo
} >> "$LOGFILE"

# print the active (non-comment, non-blank) lines of the given file
active_lines() {
  grep -v '^#' "$1" | grep -v '^$'
}

# ---- ACL: tcp-wrapper style allow/deny lists and inetd.sec
{
  echo "#####################################################"
  echo "####### ACL check                  ##################"
  echo "#####################################################"
  echo "##allow Check"
  active_lines /etc/hosts.allow
  echo
  echo
  echo "##deny Check"
  active_lines /etc/hosts.deny
  echo
  echo
  echo "##inetd.sec Check"
  active_lines /var/adm/inetd.sec
  echo
  #ipfstat -io
  echo
} >> "$LOGFILE"

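{
  echo "   #####################################################"
  echo "1. #######UID, GID 0-99  Head 20 Line  ##################"
  echo "   #####################################################"
  head -n 20 /etc/passwd
  echo
  echo
  echo "##passwd Check"
  # presumably a site convention tagging accounts with a year in the comment
  # field; quoted so the shell never treats "~2019" as a home-directory expansion
  grep '~2019' /etc/passwd
  grep '~2018' /etc/passwd
  grep '~2017' /etc/passwd
  echo
  echo "####### group check               ##################"
  echo "##group id 1000 Check"
  grep '^user' /etc/group
  echo
  echo "##delete group Check"
} >> "$LOGFILE"

# Default groups the site removes.  groupdel's own messages go to the report,
# and the "delete" line is only written when groupdel actually succeeded
# (e.g. it fails while the group is still some account's primary group).
Def_group="tty uucp smbnull tftp"
for check in $Def_group
do
  if grep -q "^$check:" /etc/group ; then
    echo "## Default group exist : $check" >> "$LOGFILE"
    if groupdel "$check" >> "$LOGFILE" 2>&1 ; then
      echo "##group $check delete " >> "$LOGFILE"
    else
      echo "##group $check delete FAILED" >> "$LOGFILE"
    fi
  fi
done

{
  echo
  echo "##group id 20 Check"
  grep ':20:' /etc/passwd
  echo
  echo
  echo
} >> "$LOGFILE"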

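{
  echo "   #####################################################"
  echo "2. #######UID, GID 0   -> Only root   ##################"
  echo "   #####################################################"
  grep ':0:' /etc/passwd
  echo
  echo "##Default ID check           ##################"
} >> "$LOGFILE"

# Default/vendor accounts the site removes.  userdel failures (account in
# use, missing, protected) are recorded instead of being reported as deleted.
Def_ID="adm lp uucp nuucp sync shutdown halt news operator games gopher nfsnobody squid hpdb smbnull iwww owww tftp "
for check in $Def_ID
do
  if grep -q "^$check:" /etc/passwd ; then
    echo "## Default ID exist : $check" >> "$LOGFILE"
    if userdel "$check" >> "$LOGFILE" 2>&1 ; then
      echo "##user $check delete " >> "$LOGFILE"
    else
      echo "##user $check delete FAILED" >> "$LOGFILE"
    fi
  fi
done

{
  echo
  echo "##test id Check"
  grep test /etc/passwd
  echo
  echo
  echo "##Shell nologin, false Check "
  # accounts whose shell is neither nologin nor false; the three user* names
  # are presumably site accounts that are expected to keep a login shell
  grep -v /sbin/nologin /etc/passwd | grep -v /bin/false | grep -v userid | grep -v userdev | grep -v usermaster
  echo
  echo "##change /sbin/nologin"
} >> "$LOGFILE"

# Service accounts that must not keep an interactive shell.
Def_nologin="opc_op cimsrvr sfmdb hpsmh"
for check in $Def_nologin
do
  if grep -v /sbin/nologin /etc/passwd | grep -v /bin/false | grep -q "^$check:" ; then
    echo "## Default user login exist : $check" >> "$LOGFILE"
    if usermod -s /sbin/nologin "$check" >> "$LOGFILE" 2>&1 ; then
      echo "##user  $check nologin configured" >> "$LOGFILE"
    else
      echo "##user  $check nologin FAILED" >> "$LOGFILE"
    fi
  fi
done

{
  echo
  echo
  echo
} >> "$LOGFILE"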

# ---- 4: login failure limits (/etc/default/security and trusted-mode u_maxtries)
{
  echo "   #####################################################"
  echo "4. ####### login fail count            ##################"
  echo "   #####################################################"
  echo "##/etc/default/security Check"
  grep -v '^#' /etc/default/security | grep -v '^$'
  echo
  echo "##trustmode u_maxtries#5 Check"
  cat /tcb/files/auth/system/default 2>&1
  echo
} >> "$LOGFILE"
if [ -f /tcb/files/auth/system/default ] ; then
  # 4th and 5th colon-separated fields of the u_maxtries line(s)
  grep -i u_maxtries /tcb/files/auth/system/default | awk -F: '{print $4}' >> "$LOGFILE"
  grep -i u_maxtries /tcb/files/auth/system/default | awk -F: '{print $5}' >> "$LOGFILE"
else
  echo "## No Trusted Mode. ">> "$LOGFILE"
fi
echo >> "$LOGFILE"
echo >> "$LOGFILE"
echo >> "$LOGFILE"
# ---- 5: /etc/hosts must be root-owned and not group/world writable
{
  echo "   #####################################################"
  echo "5. ####### hosts perm 644(444),root || 600 check      ##################"
  echo "   #####################################################"
  ls -la /etc/hosts
  echo
} >> "$LOGFILE"
if [ -f /etc/hosts ] ; then
  # "...-.--.--" matches an ls mode of rw-r--r-- or r--r--r--
  if [ "$(ls -alL /etc/hosts | grep -c '...-.--.--.*.*')" -eq 1 ] ; then
    echo "##/etc/hosts perm ok " >> "$LOGFILE"
  else
    echo "##/etc/hosts perm reset " >> "$LOGFILE"
    chmod 644 /etc/hosts >> "$LOGFILE"
  fi
  # third ls column is the owner
  if [ "$(ls -ld /etc/hosts | awk '{ print $3 }')" = "root" ] ; then
    echo "##/etc/hosts root ok " >> "$LOGFILE"
  else
    echo "##/etc/hosts root reset " >> "$LOGFILE"
    chown root /etc/hosts >> "$LOGFILE"
  fi
else
  echo "##/etc/hosts NOT Found" >> "$LOGFILE"
fi
echo >> "$LOGFILE"

 

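{
  echo "####### syslog.conf perm 644(444),root   ##################"
  ls -la /etc/syslog.conf
  echo
} >> "$LOGFILE"
if [ -f /etc/syslog.conf ] ; then
  # expected mode rw-r--r-- or r--r--r-- (no execute, no group/other write)
  if [ "$(ls -alL /etc/syslog.conf | grep -c '...-.--.--')" -eq 1 ] ; then
    echo "##/etc/syslog.conf perm ok" >> "$LOGFILE"
  else
    echo "##/etc/syslog.conf perm reset" >> "$LOGFILE"
    # chmod, not chown: "chown 644" would hand the file to UID 644 and leave
    # the mode untouched, so the check would fail again on every run
    chmod 644 /etc/syslog.conf >> "$LOGFILE" 2>&1
  fi
  if [ "$(ls -ld /etc/syslog.conf | awk '{ print $3 }')" = "root" ] ; then
    echo "##/etc/syslog.conf root ok " >> "$LOGFILE"
  else
    echo "##/etc/syslog.conf root reset " >> "$LOGFILE"
    chown root /etc/syslog.conf >> "$LOGFILE" 2>&1
  fi
else
  echo "##/etc/syslog.conf Not Found" >> "$LOGFILE"
fi
echo >> "$LOGFILE"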


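{
  echo "####### services perm 644,root            ##################"
  ls -la /etc/services
  echo
} >> "$LOGFILE"
if [ -f /etc/services ] ; then
  # expected mode rw-r--r-- or r--r--r--
  if [ "$(ls -alL /etc/services | grep -c '...-.--.--')" -eq 1 ] ; then
    echo "##/etc/services perm ok" >> "$LOGFILE"
  else
    echo "##/etc/services perm reset" >> "$LOGFILE"
    # chmod, not chown: "chown 644" would hand the file to UID 644
    chmod 644 /etc/services >> "$LOGFILE" 2>&1
  fi
  if [ "$(ls -ld /etc/services | awk '{ print $3 }')" = "root" ] ; then
    echo "##/etc/services root ok " >> "$LOGFILE"
  else
    echo "##/etc/services root reset " >> "$LOGFILE"
    chown root /etc/services >> "$LOGFILE" 2>&1
  fi
else
  echo "##/etc/services Not Found" >> "$LOGFILE"
fi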

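{
  echo
  echo
  echo
  echo "   #####################################################"
  echo "6. ####### sulog   , su 4750 , root.wheel    ##################"
  echo "   #####################################################"
  echo "##sulog file 20 Line check"
  tail -n 30 /var/adm/sulog
  echo
  echo "##su perm "
  ls -la /usr/bin/su
  echo
} >> "$LOGFILE"
if [ -f /usr/bin/su ] ; then
  # expected: -rwsr-x--- owned by root, group wheel
  if [ "$(ls -alL /usr/bin/su | grep -c '.rwsr-x---.*root.*wheel*')" -eq 1 ] ; then
    echo "##/usr/bin/su perm ok" >> "$LOGFILE"
  else
    echo "##/usr/bin/su perm reset" >> "$LOGFILE"
    # capture failures in the report too (e.g. chgrp when no "wheel" group
    # exists on this host), otherwise the reset is reported as done
    chmod 4750 /usr/bin/su >> "$LOGFILE" 2>&1
    chown root /usr/bin/su >> "$LOGFILE" 2>&1
    chgrp wheel /usr/bin/su >> "$LOGFILE" 2>&1
  fi
else
  echo "##/usr/bin/su Not Found" >> "$LOGFILE"
fi
echo >> "$LOGFILE"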

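{
  echo "##syslog.conf check"
  grep auth /etc/syslog.conf 2>&1
  echo
} >> "$LOGFILE"

# Is there at least one active (uncommented) auth rule?  Counting comment
# lines, or requiring more than one rule, would re-append the rule on a host
# that already has exactly one.
if [ "$(grep -v '^#' /etc/syslog.conf | grep -c auth)" -ge 1 ] ; then
  echo " syslog auth setting ok " >> "$LOGFILE"
  echo "" >> "$LOGFILE"
  grep auth /etc/syslog.conf >> "$LOGFILE"
else
  if [ ! -d /var/log/sulog ] ; then
    mkdir -p /var/log/sulog
    echo "/var/log/sulog directory create" >> "$LOGFILE"
  fi
  echo "" >> "$LOGFILE"
  # classic syslogd does not create a missing destination file; harmless if
  # it already exists
  touch /var/log/sulog/syslog.log
  # syslog.conf separates selector and action with a tab, not spaces
  printf 'auth.notice\t/var/log/sulog/syslog.log\n' >> /etc/syslog.conf
  echo "" >> "$LOGFILE"
  /sbin/init.d/syslogd stop >> "$LOGFILE"
  /sbin/init.d/syslogd start >> "$LOGFILE"
  echo " notice syslog reconfigured " >> "$LOGFILE"
fi

echo "" >> "$LOGFILE"
echo "" >> "$LOGFILE"
echo "" >> "$LOGFILE"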
# ---- 7: network daemon start scripts must not be group/world writable
{
  echo "   #####################################################"
  echo "7. #######  network daemon 644(555) g-w, o-w ##################"
  echo "   #####################################################"
  echo
  ls -la /sbin/init.d/*
  echo
} >> "$LOGFILE"
# nothing under /sbin/init.d/ may be writable by group or others
if [ "$(find /sbin/init.d/ \( -perm -g+w -o -perm -o+w \) -print | grep -c .)" -eq 0 ] ; then
  echo "##Network Daemon Perm 755 ok " >> "$LOGFILE"
else
  echo "##Network Daemon Perm reset  " >> "$LOGFILE"
  find /sbin/init.d/ \( -perm -g+w -o -perm -o+w \) -print >> "$LOGFILE"
  find /sbin/init.d/ \( -perm -g+w -o -perm -o+w \) -exec chmod 755 {} \; >> "$LOGFILE"
fi
{
  echo ""
  echo ""
  echo ""
  echo ""
} >> "$LOGFILE"

 

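{
  echo "   #####################################################"
  echo "8. #######  Password  check (OTP or Not)) ##################"
  echo "   #####################################################"
  echo
  echo
  echo
  echo "   #####################################################"
  echo "9., 10. #######  passwd 644,root shadow 400,root ##################"
  echo "   #####################################################"
  echo
  ls -la /etc/passwd
} >> "$LOGFILE"
if [ -f /etc/passwd ] ; then
  # expected mode rw-r--r-- or r--r--r--
  if [ "$(ls -alL /etc/passwd | grep -c '...-.--.--')" -eq 1 ] ; then
    echo "##/etc/passwd perm ok" >> "$LOGFILE"
  else
    echo "##/etc/passwd perm reset" >> "$LOGFILE"
    # chmod, not chown: "chown 644" would hand the file to UID 644
    chmod 644 /etc/passwd >> "$LOGFILE" 2>&1
  fi
  if [ "$(ls -ld /etc/passwd | awk '{ print $3 }')" = "root" ] ; then
    echo "##/etc/passwd root ok " >> "$LOGFILE"
  else
    echo "##/etc/passwd root reset " >> "$LOGFILE"
    chown root /etc/passwd >> "$LOGFILE" 2>&1
  fi
else
  echo "##/etc/passwd Not Found" >> "$LOGFILE"
fi
echo >> "$LOGFILE"
ls -la /etc/shadow >> "$LOGFILE" 2>&1
if [ -f /etc/shadow ] ; then
  # expected mode r-------- : at most owner read, nothing for group/others
  if [ "$(ls -alL /etc/shadow | grep -c '..--------')" -eq 1 ] ; then
    echo "##/etc/shadow perm ok" >> "$LOGFILE"
  else
    echo "##/etc/shadow perm reset" >> "$LOGFILE"
    # chmod, not chown: "chown 400" would hand the file to UID 400
    chmod 400 /etc/shadow >> "$LOGFILE" 2>&1
  fi
  if [ "$(ls -ld /etc/shadow | awk '{ print $3 }')" = "root" ] ; then
    echo "##/etc/shadow root ok " >> "$LOGFILE"
  else
    echo "##/etc/shadow root reset " >> "$LOGFILE"
    chown root /etc/shadow >> "$LOGFILE" 2>&1
  fi
else
  echo "##/etc/shadow Not Found" >> "$LOGFILE"
fi
{
  echo
  echo
  echo "##trustmode auth directory 400 check"
  ls -la /tcb/files/ 2>&1
  echo
  echo "#######  trustmode  root check                 ##################"
  # root's protected-password entry, which carries the password hash: another
  # reason the report file must stay readable by root only
  ls -la /tcb/files/auth/r/root 2>&1
  cat /tcb/files/auth/r/root 2>&1
  /usr/lbin/getprdef -r 2>&1
  echo
} >> "$LOGFILE"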

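{
  echo "    #####################################################"
  echo "11. #######  remote shell check            #################"
  echo "    #####################################################"
  echo
  echo "##inetd.conf # check"
  grep rlogind /etc/inetd.conf
  echo
  echo "##hosts.equiv exist check"
  ls -la /etc/hosts.equiv 2>&1
} >> "$LOGFILE"
if [ -f /etc/hosts.equiv ] ; then
  # expected: root-owned, no access for group/others (e.g. -r-------- or -rw-------)
  if [ "$(ls -alL /etc/hosts.equiv | grep -c '.r.-------.*root.*')" -eq 1 ] ; then
    echo "##/etc/hosts.equiv perm ok" >> "$LOGFILE"
  else
    echo "##/etc/hosts.equiv perm reset" >> "$LOGFILE"
    chown root:root /etc/hosts.equiv >> "$LOGFILE" 2>&1
    chmod 400 /etc/hosts.equiv >> "$LOGFILE" 2>&1
  fi
else
  echo "##/etc/hosts.equiv file Not Found is ok" >> "$LOGFILE"
fi
{
  echo
  echo "##/home at .rhosts exist check"
  ls -la /home/*/.rhosts 2>&1
} >> "$LOGFILE"

# Remove r-command / ftp trust files from every home directory listed in
# /etc/passwd.  Paths are quoted, and "rm -f" is enough because the -f test
# already guarantees a regular file; rm's errors are kept in the report.
HOMEDIRS=$(awk -F":" 'length($6) > 0 {print $6}' /etc/passwd | sort -u)
for dir in $HOMEDIRS
do
  for trustfile in .rhosts .netrc
  do
    if [ -f "$dir/$trustfile" ] ; then
      ls -la "$dir/$trustfile" >> "$LOGFILE"
      echo "## Delete file $dir/$trustfile " >> "$LOGFILE"
      rm -f "$dir/$trustfile" >> "$LOGFILE" 2>&1
    fi
  done
done

{
  echo
  echo "##remshd # check"
  grep remshd /etc/inetd.conf
  echo
  echo
  echo
  echo
} >> "$LOGFILE"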

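{
  echo "    #####################################################"
  echo "12. ####### inetd 600,root  rpc stop      ##################"
  echo "    #####################################################"
  echo
  ls -la /etc/inetd.conf
} >> "$LOGFILE"
if [ -f /etc/inetd.conf ] ; then
  # expected mode rw------- (nothing for group/others)
  if [ "$(ls -alL /etc/inetd.conf | grep -c '...-------')" -eq 1 ] ; then
    echo "##/etc/inetd.conf  perm ok" >> "$LOGFILE"
  else
    echo "##/etc/inetd.conf  perm reset" >> "$LOGFILE"
    # chmod, not chown: "chown 600" would hand the file to UID 600
    chmod 600 /etc/inetd.conf >> "$LOGFILE" 2>&1
  fi
  if [ "$(ls -ld /etc/inetd.conf | awk '{ print $3 }')" = "root" ] ; then
    echo "##/etc/inetd.conf  root ok " >> "$LOGFILE"
  else
    echo "##/etc/inetd.conf  root reset " >> "$LOGFILE"
    chown root /etc/inetd.conf >> "$LOGFILE" 2>&1
  fi
else
  echo "##/etc/inetd.conf  Not Found">> "$LOGFILE"
fi
{
  echo
  echo "##inetd.conf rpc config set check"
  grep -v '^#' /etc/inetd.conf | grep -v '^$'
  echo
  echo "##rpcinfo check"
  rpcinfo -p 127.0.0.1 2>&1
  echo
  # r-service listeners (exec/login/shell); the dot is escaped so that
  # e.g. a listener on port 1512 does not satisfy the 512 check
  netstat -na | grep LISTEN | grep '\.512 '
  netstat -na | grep LISTEN | grep '\.513 '
  netstat -na | grep LISTEN | grep '\.514 '
} >> "$LOGFILE"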

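{
  echo "    #####################################################"
  echo "13. ####### ftp, telnet check                ##################"
  echo "    #####################################################"
  echo
  grep telnet /etc/inetd.conf
  echo
  echo "##telnet Listen is .. "
  # dots escaped so ".23 " cannot match e.g. port 1023
  netstat -na | grep '\.23 '
  netstat -na | grep '\.22 '
  netstat -na | grep '\.2222 '
  echo
  grep ftp /etc/inetd.conf
  echo
  echo "## ftp Listen is .. "
  netstat -na | grep '\.2929 '
  netstat -na | grep '\.21 '
  echo
  echo
  echo
  echo
  echo "    #####################################################"
  echo "14. ## Anonymous FTP check   ############################"
  echo "    #####################################################"
} >> "$LOGFILE"
if [ -f /etc/ftpd/ftpaccess ] ; then
  # any active (uncommented) "anonymous" directive counts as a finding
  if [ "$(grep -v '^#' /etc/ftpd/ftpaccess | grep -c anonymous)" -eq 0 ] ; then
    echo "14. ## Anonymous FTP NO Setting" >> "$LOGFILE"
  else
    echo "14. ## Setting requiore Anonymous FTP Delete at /etc/ftpd/ftpaccess " >> "$LOGFILE"
    echo "## mv /etc/ftpd/ftpaccess /etc/ftpd/ftpaccess.org " >> "$LOGFILE"
    # NOTE(review): moving the whole file also drops every other ftpaccess
    # rule (classes, limits, deny entries); removing only the anonymous
    # directives would be the narrower fix
    mv /etc/ftpd/ftpaccess /etc/ftpd/ftpaccess.org >> "$LOGFILE" 2>&1
  fi
else
  echo "14. /etc/ftpd/ftpaccess file not found "  >> "$LOGFILE"
fi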


# ---- 15-17: stray .netrc files, inetd presence, recent logins
{
  echo "    #####################################################"
  echo "15. ####### find /home .netrc            ##################"
  echo "    #####################################################"
  find /home -name .netrc
  echo
  echo
  echo
  echo
  echo "    #####################################################"
  echo "16. ####### inetd running     ##################"
  echo "    #####################################################"
  ps -ef | grep inetd | grep -v grep
  echo
  echo
  echo
  echo
  echo "    #####################################################"
  echo "17. ####### last  20  Line                      ##################"
  echo "    #####################################################"
  last -R | head -n 20
  echo
  echo
  echo
  echo
} >> "$LOGFILE"

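{
  echo "    #####################################################"
  echo "18. ####### Cron 640,root                 ##################"
  echo "    #####################################################"
  #ls -laR /var/spool/cron
  echo
  ls -la /var/adm/cron/*.allow 2>&1
  ls -la /var/adm/cron/*.deny 2>&1
  echo
  cat /var/adm/cron/*.allow 2>&1
  cat /var/adm/cron/*.deny 2>&1
  echo
} >> "$LOGFILE"
# Both cron access lists must be root-owned with mode 640 (rw-r-----) or
# stricter; the same check and reset is applied to each.
for cronfile in /var/adm/cron/cron.allow /var/adm/cron/cron.deny
do
  if [ -f "$cronfile" ] ; then
    if [ "$(ls -alL "$cronfile" | grep -c '...-.-----')" -eq 1 ] ; then
      echo "##$cronfile  perm ok" >> "$LOGFILE"
    else
      echo "##$cronfile  perm reset" >> "$LOGFILE"
      # chmod, not chown: "chown 640" would hand the file to UID 640
      chmod 640 "$cronfile" >> "$LOGFILE" 2>&1
    fi
    if [ "$(ls -ld "$cronfile" | awk '{ print $3 }')" = "root" ] ; then
      echo "##$cronfile  root ok " >> "$LOGFILE"
    else
      echo "##$cronfile  root reset " >> "$LOGFILE"
      chown root "$cronfile" >> "$LOGFILE" 2>&1
    fi
  else
    echo "##$cronfile  Not Found" >> "$LOGFILE"
  fi
  echo >> "$LOGFILE"
done
echo >> "$LOGFILE"
echo >> "$LOGFILE"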

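{
  echo "    #####################################################"
  echo "19. ####### Snmp                          ##################"
  echo "    #####################################################"
  echo
  echo "##Process check"
  ps -ef | grep snmp | grep -v grep
  echo
  echo "##start shell check"
  # *_START= settings across all SNMP rc.config.d files, comments excluded
  cat /etc/rc.config.d/Snmp* | grep _START= | grep -v '^#'
  echo
  echo "##community check"
  # NOTE: community strings are copied into the (root-only) report
  grep community-name: /etc/SnmpAgent.d/snmpd.conf | grep -v '^#'
  echo
  echo "##Listen check"
  # escaped dot plus trailing blank: port 161 only, not 1161 or 1610
  netstat -na | grep '\.161 '
  echo
} >> "$LOGFILE"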

# ---- 20: installed Secure Shell bundle (bundle name depends on the release)
{
  echo "    #####################################################"
  echo "20. ####### ssh version                   ##################"
  echo "    #####################################################"
  echo
} >> "$LOGFILE"
case "$VER" in
  B.11.31)
    swlist SecureShell >> "$LOGFILE"
    swlist Secure_Shell >> "$LOGFILE"
    ;;
  B.11.23|B.11.11)
    swlist T1471AA >> "$LOGFILE"
    ;;
esac
{
  echo
  openssl version 2>&1
  echo
  echo
  ls -la /etc/hosts 2>&1
  echo
} >> "$LOGFILE"
# ---- 21/22: IP stack tunables via ndd, then the persisted nddconf
{
  echo "    #####################################################"
  echo "21. 22. ####### ndd check                    ##################"
  echo "    #####################################################"
} >> "$LOGFILE"
for tunable in ip_forwarding ip_forward_src_routed ip_respond_to_echo_broadcast ip_forward_directed_broadcasts
do
  echo "##$tunable check" >> "$LOGFILE"
  ndd -get /dev/ip "$tunable" >> "$LOGFILE"
  echo >> "$LOGFILE"
done
{
  echo
  echo "##nddconf all show check"
  grep -v '^#' /etc/rc.config.d/nddconf
  echo
  echo
  echo
} >> "$LOGFILE"

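{
  echo "############################################"
  echo "####### etc1 system check  ##################"
  echo "############################################"
  echo "#######/home .profile perm g-w, o-w                 ##################"
  echo
} >> "$LOGFILE"
# Shell start-up files in home directories must not be group/world writable
# or executable: list every offender first, then reset them all to 644.
# The ".*rc" pattern is quoted so the shell does not expand it against the
# current directory before find sees it.
for dotfile in .profile .bash_profile '.*rc' .login
do
  find /home/*/ -name "$dotfile" \( -perm -g+w -o -perm -o+w -o -perm -g+x -o -perm -o+x \) -type f -print >> "$LOGFILE" 2>&1
done
for dotfile in .profile .bash_profile '.*rc' .login
do
  find /home/*/ -name "$dotfile" \( -perm -g+w -o -perm -o+w -o -perm -g+x -o -perm -o+x \) -type f -exec chmod 644 {} \; >> "$LOGFILE" 2>&1
done
{
  echo
  echo
  echo
} >> "$LOGFILE"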

# ---- login banner and automounter state
{
  echo "####### Warm Message (/etc/motd)    ##################"
  cat /etc/motd
  echo
  echo
  echo
  echo
  echo "####### automount stop                   ##################"
  ps -ef | grep automount | grep -v grep
  echo
  grep AUTOFS= /etc/rc.config.d/nfsconf
  echo
  echo
  echo
  echo
} >> "$LOGFILE"

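{
  echo "####### hosts.lpd 600,root                 ##################"
  ls -la /etc/hosts.lpd 2>&1
  echo
} >> "$LOGFILE"
if [ -f /etc/hosts.lpd ] ; then
  # expected mode rw------- ; results go to the report like every other check
  if [ "$(ls -alL /etc/hosts.lpd | grep -c '...-------')" -eq 1 ] ; then
    echo "##/etc/hosts.lpd  perm ok" >> "$LOGFILE"
  else
    echo "##/etc/hosts.lpd  perm reset" >> "$LOGFILE"
    # chmod, not chown: "chown 600" would hand the file to UID 600
    chmod 600 /etc/hosts.lpd >> "$LOGFILE" 2>&1
  fi
  if [ "$(ls -ld /etc/hosts.lpd | awk '{ print $3 }')" = "root" ] ; then
    echo "##/etc/hosts.lpd  root ok " >> "$LOGFILE"
  else
    echo "##/etc/hosts.lpd  root reset " >> "$LOGFILE"
    chown root /etc/hosts.lpd >> "$LOGFILE" 2>&1
  fi
else
  echo "##/etc/hosts.lpd  Not Found"   >> "$LOGFILE"
fi
{
  echo
  echo
  echo
  echo
} >> "$LOGFILE"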

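{
  echo "####### TMOUT 600, umask (0)022     ##################"
  echo "##/etc/profile check"
  echo
  echo "##TMOUT at profile"
  grep TMOUT /etc/profile
  echo
  echo "##UMASK at profile"
  grep UMASK /etc/profile
  echo
  echo "##umask config"
  grep umask /etc/profile
  echo "##umask setting"
  umask
} >> "$LOGFILE"
# The check is on this shell's own umask, i.e. the environment the script was
# started from (not necessarily what /etc/profile sets).  Accept 022 or
# anything stricter: the last two digits (group, other) must each mask the
# write bit, so each must be 2, 3, 6 or 7.  Accepting only "022" itself would
# flag a stricter 027/077 as a failure and then append a looser setting.
case "$(umask)" in
  *[2367][2367])
    echo "## UMASK set ok " >> "$LOGFILE"
    ;;
  *)
    # append the defaults once only, so repeated runs do not duplicate them
    grep -q 'umask 022' /etc/profile || echo " umask 022" >> /etc/profile
    grep -q '^UMASK=0022' /etc/default/security || echo "UMASK=0022" >> /etc/default/security
    echo "## UMASK 0022 Set" >> "$LOGFILE"
    ;;
esac
{
  echo
  echo
  echo
  echo
} >> "$LOGFILE"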
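{
  echo "##/home at -nouser -o -nogroup check autorun chgrp user, chown root"
  #find /home \( -nouser -o -nogroup \) -xdev -exec ls -la {} \; 2> /dev/null
  #find /home \( -nouser -o -nogroup \) -xdev -exec chown root:root {} \; 2> /dev/null
  # orphaned files (owner or group no longer in passwd/group): list, then reassign
  find /home -nouser -xdev -exec ls -la {} \; 2> /dev/null
  find /home -nouser -xdev -exec chown root {} \; 2> /dev/null
  find /home -nogroup -xdev -exec ls -la {} \; 2> /dev/null
  find /home -nogroup -xdev -exec chgrp user {} \; 2> /dev/null
  echo
  echo
  echo
  echo "##/home at setuid , getgid check if exist require delete file"
  echo "##/home at perm -04000 -o -perm -02000 check"
  # report only: setuid/setgid files under /home are listed, not removed
  find /home -type f \( -perm -04000 -o -perm -02000 \) -exec ls -la {} \; 2> /dev/null
  echo
  echo
  echo
  echo
  echo
  echo
  echo "##/home at world write file check autorun chmod o-w"
  # "-perm -o+w" selects any world-writable file; an exact "-perm 2" would
  # only match files whose whole mode is 0002
  find /home -type f -perm -o+w -exec ls -la {} \; 2> /dev/null
  find /home -type f -perm -o+w -exec chmod o-w {} \; 2> /dev/null
  echo
  echo
  echo
  echo
  echo
  echo
  echo
  # exact mode 777 only (a directory carrying the sticky bit, 1777, is not matched)
  find /home -type d -perm 777 -exec ls -la {} \; 2> /dev/null
  find /home -type d -perm 777 -exec chmod o-w {} \; 2> /dev/null
  echo
  echo
  echo
  echo
  echo
  echo
  echo "##/dev at device file check if exist require delete file"
  # regular files under /dev should not exist; the type test is "-type f"
  find /dev -type f -exec ls -la {} \; 2> /dev/null
  echo
  echo
  echo
} >> "$LOGFILE"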

 

# ---- general system inventory appended at the end of the report
{
  echo "############################################"
  echo "####### system info   ##################"
  echo "############################################"
  echo "##nwmgr "
  nwmgr 2>&1
  echo
  echo
  echo
  echo "##netstat -in "
  netstat -in
  echo
  echo
  echo
  echo "##netstat -rn "
  netstat -rn
  echo
  echo
  echo
  echo "##bdf "
  bdf 2>&1
  echo
  echo
  echo
  echo "##netstat -na "
  netstat -na
  echo
  echo
  echo
  echo "##ps -ef "
  ps -ef
  echo
  echo
  echo
} >> "$LOGFILE"

 

 
