국정원기반 서버 취약점 점검 스크립트 -HPUX
아래 스크립트는 필자가 만든 스크립트입니다.
국정원이나 산자부 보안점검 대비 OS를 체크하기 위한 스크립트로
매우 주관적으로 만든 것이니 참고만 하시기 바랍니다.
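#!/sbin/sh
# NISK(National Intelligence Service Korea) Base Security Check Script
# Edit by Guppy in 2020
#
# Collects HP-UX hardening evidence into a report file in the current
# directory.
#
# NOTE: this is not a read-only audit. Later sections change the system: they
# delete default accounts and groups, remove users' .rhosts/.netrc files,
# reset file modes and ownership, move /etc/ftpd/ftpaccess aside, append to
# /etc/securetty, sshd_config, /etc/syslog.conf, /etc/profile and
# /etc/default/security, and restart the secsh and syslogd services.
# Review each section before running it on a production host.
#
# The report also captures sensitive material (/etc/pam_radius_auth.conf,
# SNMP community names, the trusted-mode entry for root), so it is created
# owner-only below and should be handled like a credential file.

DATE=$(date +%Y%m%d%H%M)        # timestamp used in the report file name
DAY=$(date +%m/%d/%Y)           # first line of the report
LOGFILE="$(hostname)_$DATE.txt"
OS=$(uname -s)
VER=$(uname -r)                 # read by the SSH package check near the end
CURR="HP-UX"

# Refuse to run anywhere but HP-UX: paths and commands below are HP-UX specific.
if [ "$OS" != "$CURR" ] ; then
  echo " This Version $OS is Not RUN !! "
  exit 1
fi

# Create (or truncate) the report with mode 600. The subshell keeps the
# restrictive umask out of the main shell, whose umask is inspected later.
( umask 077 && : > "$LOGFILE" ) || exit 1
chmod 600 "$LOGFILE"

echo "$DAY" >> "$LOGFILE"
echo >> "$LOGFILE"
echo >> "$LOGFILE"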
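# --- OTP (RADIUS PAM) configuration ------------------------------------------
# Records the active libpam_radius entries from /etc/pam.conf and, when the
# file exists, the listing and contents of /etc/pam_radius_auth.conf.
# NOTE(review): pam_radius_auth.conf normally carries the RADIUS shared
# secret, so the report inherits that file's sensitivity.
{
  echo "#####################################################"
  echo "####### OTP Config Check ##################"
  echo "#####################################################"
  echo
  grep -v '^#' /etc/pam.conf | grep libpam_radius.so.1
  echo
} >> "$LOGFILE"

if [ -f /etc/pam_radius_auth.conf ] ; then
  # stdout must be redirected before stderr is duplicated onto it; the
  # previous "2>&1 >> file" order left error messages on the terminal.
  ls -la /etc/pam_radius_auth.conf >> "$LOGFILE" 2>&1
  echo >> "$LOGFILE"
  cat /etc/pam_radius_auth.conf >> "$LOGFILE" 2>&1
  echo >> "$LOGFILE"
fi
echo >> "$LOGFILE"
echo >> "$LOGFILE"
echo >> "$LOGFILE"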
# --- FTP / telnet exposure (report only) -------------------------------------
# Running ftp processes, ftp/telnet lines in inetd.conf, and the last 20
# entries of the transfer log.
{
  echo "#####################################################"
  echo "####### ftp, telnet check ##################"
  echo "#####################################################"

  echo "##Process Check"
  ps -ef | grep ftp | grep -v grep
  echo

  echo "##inetd.conf # Check"
  for svc in ftp telnet
  do
    grep "$svc" /etc/inetd.conf
  done
  echo

  echo "##xferlog 20 Line Check"
  tail -n 20 /var/adm/xferlog 2>&1    # a missing log is recorded as well
  echo
} >> "$LOGFILE"
# --- SSH daemon: port and root-login settings (report only) ------------------
# Copies the Port and PermitRootLogin lines from sshd_config and every
# netstat line containing 2222 into the report.
sshd_cfg=/opt/ssh/etc/sshd_config
{
  echo "#####################################################"
  echo "####### ssh port 2222 ##################"
  echo "#####################################################"

  echo "##Port Check"
  grep ^Port "$sshd_cfg"
  echo

  echo "##PermitRootLogin no Check"
  grep PermitRootLogin "$sshd_cfg"
  echo

  echo "##2222 port Listen Check"
  # NOTE(review): "2222" is matched anywhere on the line, so other ports or
  # addresses containing those digits are listed too.
  netstat -na | grep 2222
  echo
} >> "$LOGFILE"
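# --- /etc/securetty: restrict direct root login to the console ---------------
# Ensures /etc/securetty has a "console" line, creating the file if needed,
# and records what was done.
if [ -f /etc/securetty ] ; then
  # Count exact "console" lines so that comments or longer device names do
  # not satisfy the check, and several matching lines still count as set.
  if [ "$(grep -c '^console$' /etc/securetty)" -ge 1 ] ; then
    echo "##/etc/securetty set ok " >> "$LOGFILE"
  else
    echo "console" >> /etc/securetty
    echo "##/etc/securetty reconfigure ok " >> "$LOGFILE"
  fi
else
  # Write the literal entry. The previous cat "console" tried to read a file
  # named console and left /etc/securetty empty while reporting success.
  echo "console" > /etc/securetty
  echo "##/etc/securetty create and reconfigure ok " >> "$LOGFILE"
fi
echo "" >> "$LOGFILE"
echo "" >> "$LOGFILE"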
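# --- sshd: enforce "PermitRootLogin no" ---------------------------------------
# Checks the effective PermitRootLogin value in sshd_config; when it is not
# "no", rewrites the file so that it is and restarts the secsh service.
SSHD_CONFIG=/opt/ssh/etc/sshd_config

# sshd keeps the first value it reads for a keyword, so inspect the first
# active (uncommented) PermitRootLogin line instead of counting matches.
root_login=$(awk 'tolower($1) == "permitrootlogin" { print tolower($2); exit }' "$SSHD_CONFIG")

if [ "$root_login" = "no" ]
then
  echo "##sshd_config PermitRootLogin no set ok" >> "$LOGFILE"
else
  # Appending "PermitRootLogin no" has no effect while an earlier active line
  # sets another value. Keep a dated copy, comment out every active
  # PermitRootLogin line and put the directive first in the file.
  sshd_backup="$SSHD_CONFIG.$DATE"
  if cp -p "$SSHD_CONFIG" "$sshd_backup" >> "$LOGFILE" 2>&1
  then
    awk 'BEGIN { print "PermitRootLogin no" }
         tolower($1) == "permitrootlogin" { print "#" $0; next }
         { print }' "$sshd_backup" > "$SSHD_CONFIG"
    # NOTE(review): the daemon is restarted without a syntax check of the new
    # file; keep an existing privileged session open while this runs.
    /sbin/init.d/secsh stop >> "$LOGFILE"
    /sbin/init.d/secsh start >> "$LOGFILE"
    echo "##sshd_config PermitRootLogin no set reconfigured" >> "$LOGFILE"
  else
    echo "##sshd_config backup failed, PermitRootLogin not changed" >> "$LOGFILE"
  fi
fi
echo "" >> "$LOGFILE"
echo "" >> "$LOGFILE"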
# --- NTP (report only) --------------------------------------------------------
# ntp entries in the invoking user's crontab and the tail of the ntpdate log.
# NOTE(review): the log is read from under /tmp; confirm that directory is
# not writable by unprivileged users before trusting its contents.
{
  echo "#####################################################"
  echo "####### ntp check ##################"
  echo "#####################################################"

  echo "##crontab Check"
  crontab -l | grep ntp
  echo

  echo "##ntp log Check"
  tail -n 20 /tmp/time/ntpdate.log
  echo
} >> "$LOGFILE"
# --- Host access control lists (report only) ---------------------------------
# Prints the non-comment, non-empty lines of hosts.allow, hosts.deny and
# inetd.sec, each under its own label.
{
  echo "#####################################################"
  echo "####### ACL check ##################"
  echo "#####################################################"

  for acl_entry in "allow:/etc/hosts.allow" "deny:/etc/hosts.deny" "inetd.sec:/var/adm/inetd.sec"
  do
    acl_label=${acl_entry%%:*}
    acl_file=${acl_entry#*:}
    echo "##$acl_label Check"
    cat "$acl_file" | grep -v '^#' | grep -v '^$'
    echo
    echo
  done
} >> "$LOGFILE"
# --- 1. First 20 passwd entries and dated accounts (report only) -------------
# Lists the head of /etc/passwd, then entries containing ~2019, ~2018 or
# ~2017.
# NOTE(review): the ~YYYY strings look like a site-specific tag in the
# passwd entries; confirm the convention.
{
  echo " #####################################################"
  echo "1. #######UID, GID 0-99 Head 20 Line ##################"
  echo " #####################################################"
  head -n20 /etc/passwd
  echo
  echo

  echo "##passwd Check"
  for tag_year in 2019 2018 2017
  do
    grep "~$tag_year" /etc/passwd
  done
  echo
} >> "$LOGFILE"
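# --- Group checks; removes the listed default groups --------------------------
# Reports groups whose name starts with "user", deletes each group named in
# Def_group that exists, then lists passwd entries containing ":20:".
{
  echo "####### group check ##################"
  echo "##group id 1000 Check"
  grep ^user /etc/group
  echo
  echo "##delete group Check"
} >> "$LOGFILE"

Def_group="tty uucp smbnull tftp"
for check in $Def_group
do
  if grep "^$check:" /etc/group > /dev/null
  then
    echo "## Default group exist : $check" >> "$LOGFILE"
    # Report the real outcome: groupdel can fail, and the report should not
    # claim a deletion that did not happen.
    if groupdel "$check" >> "$LOGFILE" 2>&1
    then
      echo "##group $check delete " >> "$LOGFILE"
    else
      echo "##group $check delete FAILED" >> "$LOGFILE"
    fi
  fi
done

{
  echo
  echo "##group id 20 Check"
  grep :20: /etc/passwd
  echo
  echo
  echo
} >> "$LOGFILE"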
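# --- 2. UID/GID 0 accounts; removes the listed default accounts ---------------
# Lists passwd entries containing ":0:", deletes every account named in
# Def_ID that exists, then lists entries containing "test".
{
  echo " #####################################################"
  echo "2. #######UID, GID 0 -> Only root ##################"
  echo " #####################################################"
  grep :0: /etc/passwd
  echo
  echo "##Default ID check ##################"
} >> "$LOGFILE"

Def_ID="adm lp uucp nuucp sync shutdown halt news operator games gopher nfsnobody squid hpdb smbnull iwww owww tftp "
for check in $Def_ID
do
  if grep "^$check:" /etc/passwd > /dev/null
  then
    echo "## Default ID exist : $check" >> "$LOGFILE"
    # Report the real outcome: userdel can fail (for example when the account
    # owns running processes), and the report should say so.
    if userdel "$check" >> "$LOGFILE" 2>&1
    then
      echo "##user $check delete " >> "$LOGFILE"
    else
      echo "##user $check delete FAILED" >> "$LOGFILE"
    fi
  fi
done

{
  echo
  echo "##test id Check"
  grep test /etc/passwd
  echo
  echo
} >> "$LOGFILE"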
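# --- Login shells; sets /sbin/nologin on the listed service accounts ----------
# Lists accounts whose shell is neither /sbin/nologin nor /bin/false (minus
# the site accounts filtered out by name), then switches each account in
# Def_nologin that still has a login shell to /sbin/nologin.
{
  echo "##Shell nologin, false Check "
  grep -v /sbin/nologin /etc/passwd | grep -v /bin/false | grep -v userid | grep -v userdev | grep -v usermaster
  echo
  echo "##change /sbin/nologin"
} >> "$LOGFILE"

Def_nologin="opc_op cimsrvr sfmdb hpsmh"
for check in $Def_nologin
do
  # The pipeline succeeds only when the account exists and its entry names
  # neither /sbin/nologin nor /bin/false.
  if grep "^$check:" /etc/passwd | grep -v /sbin/nologin | grep -v /bin/false > /dev/null
  then
    echo "## Default user login exist : $check" >> "$LOGFILE"
    # Record success only when usermod actually changed the shell.
    if usermod -s /sbin/nologin "$check" >> "$LOGFILE" 2>&1
    then
      echo "##user $check nologin configured" >> "$LOGFILE"
    else
      echo "##user $check nologin change FAILED" >> "$LOGFILE"
    fi
  fi
done
echo >> "$LOGFILE"
echo >> "$LOGFILE"
echo >> "$LOGFILE"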
# --- 4. Login failure limit (report only) -------------------------------------
# Dumps the active lines of /etc/default/security and the trusted-mode system
# defaults, then prints colon-separated fields 4 and 5 of the u_maxtries
# line when the trusted-mode file exists.
tcb_default=/tcb/files/auth/system/default
{
  echo " #####################################################"
  echo "4. ####### login fail count ##################"
  echo " #####################################################"

  echo "##/etc/default/security Check"
  grep -v '^#' /etc/default/security | grep -v '^$'
  echo

  echo "##trustmode u_maxtries#5 Check"
  cat "$tcb_default" 2>&1
  echo

  if [ ! -f "$tcb_default" ] ; then
    echo "## No Trusted Mode. "
  else
    for field_no in 4 5
    do
      grep -i u_maxtries "$tcb_default" | awk -F: -v n="$field_no" '{print $n}'
    done
  fi
  echo
  echo
  echo
} >> "$LOGFILE"
# --- 5. /etc/hosts: mode 644 or stricter, owner root --------------------------
# Logs the listing, resets the mode to 644 when owner-execute or any group /
# other write or execute bit is set, and resets the owner to root if needed.
hosts_file=/etc/hosts
{
  echo " #####################################################"
  echo "5. ####### hosts perm 644(444),root || 600 check ##################"
  echo " #####################################################"
  ls -la "$hosts_file"
  echo
} >> "$LOGFILE"

if [ ! -f "$hosts_file" ]
then
  echo "##/etc/hosts NOT Found" >> "$LOGFILE"
else
  if ls -alL "$hosts_file" | grep "...-.--.--.*.*" > /dev/null
  then
    echo "##/etc/hosts perm ok " >> "$LOGFILE"
  else
    echo "##/etc/hosts perm reset " >> "$LOGFILE"
    chmod 644 "$hosts_file" >> "$LOGFILE"
  fi

  hosts_owner=$(ls -ld "$hosts_file" | awk '{ print $3 }')
  case "$hosts_owner" in
    root)
      echo "##/etc/hosts root ok " >> "$LOGFILE"
      ;;
    *)
      echo "##/etc/hosts root reset " >> "$LOGFILE"
      chown root "$hosts_file" >> "$LOGFILE"
      ;;
  esac
fi
echo >> "$LOGFILE"
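# --- /etc/syslog.conf: mode 644 or stricter, owner root -----------------------
# Logs the listing, resets the mode when it is too permissive and resets the
# owner to root if needed.
echo "####### syslog.conf perm 644(444),root ##################" >> "$LOGFILE"
ls -la /etc/syslog.conf >> "$LOGFILE"
echo >> "$LOGFILE"
if [ -f /etc/syslog.conf ]
then
  # The pattern accepts modes without owner-execute and without group/other
  # write or execute bits.
  if ls -alL /etc/syslog.conf | grep "...-.--.--" > /dev/null
  then
    echo "##/etc/syslog.conf perm ok" >> "$LOGFILE"
  else
    echo "##/etc/syslog.conf perm reset" >> "$LOGFILE"
    # chmod, not chown: "chown 644" hands the file to UID 644 and leaves the
    # mode untouched.
    chmod 644 /etc/syslog.conf >> "$LOGFILE" 2>&1
  fi
  if [ "$(ls -ld /etc/syslog.conf | awk '{ print $3 }')" = "root" ]
  then
    echo "##/etc/syslog.conf root ok " >> "$LOGFILE"
  else
    echo "##/etc/syslog.conf root reset " >> "$LOGFILE"
    chown root /etc/syslog.conf >> "$LOGFILE" 2>&1
  fi
else
  echo "##/etc/syslog.conf Not Found" >> "$LOGFILE"
fi
echo >> "$LOGFILE"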
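# --- /etc/services: mode 644 or stricter, owner root --------------------------
# Logs the listing, resets the mode when it is too permissive and resets the
# owner to root if needed.
echo "####### services perm 644,root ##################" >> "$LOGFILE"
ls -la /etc/services >> "$LOGFILE"
echo >> "$LOGFILE"
if [ -f /etc/services ]
then
  if ls -alL /etc/services | grep "...-.--.--" > /dev/null
  then
    echo "##/etc/services perm ok" >> "$LOGFILE"
  else
    echo "##/etc/services perm reset" >> "$LOGFILE"
    # chmod, not chown: "chown 644" hands the file to UID 644 and leaves the
    # mode untouched.
    chmod 644 /etc/services >> "$LOGFILE" 2>&1
  fi
  if [ "$(ls -ld /etc/services | awk '{ print $3 }')" = "root" ]
  then
    echo "##/etc/services root ok " >> "$LOGFILE"
  else
    echo "##/etc/services root reset " >> "$LOGFILE"
    chown root /etc/services >> "$LOGFILE" 2>&1
  fi
else
  echo "##/etc/services Not Found" >> "$LOGFILE"
fi
echo >> "$LOGFILE"
echo >> "$LOGFILE"
echo >> "$LOGFILE"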
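# --- 6. su log and /usr/bin/su: mode 4750, root:wheel -------------------------
# Logs the tail of sulog and the su listing, then restricts su to root:wheel
# with mode 4750 when the listing does not already show that.
{
  echo " #####################################################"
  echo "6. ####### sulog , su 4750 , root.wheel ##################"
  echo " #####################################################"
  echo "##sulog file 20 Line check"
  # NOTE(review): the label says 20 lines but 30 are collected.
  tail -n 30 /var/adm/sulog
  echo
  echo "##su perm "
  ls -la /usr/bin/su
  echo
} >> "$LOGFILE"

if [ -f /usr/bin/su ]
then
  if ls -alL /usr/bin/su | grep ".rwsr-x---.*root.*wheel*" > /dev/null
  then
    echo "##/usr/bin/su perm ok" >> "$LOGFILE"
  else
    echo "##/usr/bin/su perm reset" >> "$LOGFILE"
    # Owner and group go first: a chown/chgrp may clear the setuid bit, so the
    # mode is applied last. Mode 4750 is applied only when the group change
    # succeeded; otherwise su would be limited to whatever group it had.
    if chown root /usr/bin/su >> "$LOGFILE" 2>&1 &&
       chgrp wheel /usr/bin/su >> "$LOGFILE" 2>&1
    then
      chmod 4750 /usr/bin/su >> "$LOGFILE" 2>&1
    else
      echo "##/usr/bin/su owner/group change failed, mode left unchanged" >> "$LOGFILE"
    fi
  fi
else
  echo "##/usr/bin/su Not Found" >> "$LOGFILE"
fi
echo >> "$LOGFILE"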
# --- syslog auth logging; appends an auth.notice rule when missing ------------
# Logs the auth lines of /etc/syslog.conf. When more than one such line
# exists the setting is accepted; otherwise /var/log/sulog is created if
# needed, an auth.notice rule is appended and syslogd is restarted.
# NOTE(review): a file with exactly one auth line is treated as not
# configured ("-gt 1"); confirm that threshold is intended.
# NOTE(review): syslog.conf parsers commonly expect a TAB between selector
# and action; the appended rule is written as shown here - confirm.
syslog_cfg=/etc/syslog.conf
{
  echo "##syslog.conf check"
  grep auth "$syslog_cfg" 2>&1
  echo
} >> "$LOGFILE"

auth_line_count=$(cat "$syslog_cfg" | grep auth | wc -l)
if [ $auth_line_count -gt 1 ] ; then
  {
    echo " syslog auth setting ok "
    echo ""
    cat "$syslog_cfg" | grep auth
  } >> "$LOGFILE"
else
  if [ ! -d /var/log/sulog ] ; then
    mkdir -p /var/log/sulog
    echo "/var/log/sulog directory create" >> "$LOGFILE"
  fi
  echo "" >> "$LOGFILE"
  echo "auth.notice /var/log/sulog/syslog.log" >> "$syslog_cfg"
  {
    echo ""
    /sbin/init.d/syslogd stop
    /sbin/init.d/syslogd start
    echo " notice syslog reconfigured "
  } >> "$LOGFILE"
fi
echo "" >> "$LOGFILE"
echo "" >> "$LOGFILE"
echo "" >> "$LOGFILE"
# --- 7. Start-up scripts must not be group/world writable ---------------------
# Lists /sbin/init.d, then resets to 755 every entry under it that has the
# group-write or other-write bit set.
{
  echo " #####################################################"
  echo "7. ####### network daemon 644(555) g-w, o-w ##################"
  echo " #####################################################"
  echo
  ls -la /sbin/init.d/*
  echo
} >> "$LOGFILE"

loose_initd=$(find /sbin/init.d/ \( -perm -g+w -o -perm -o+w \) -print)
if [ -z "$loose_initd" ]
then
  echo "##Network Daemon Perm 755 ok " >> "$LOGFILE"
else
  echo "##Network Daemon Perm reset " >> "$LOGFILE"
  printf '%s\n' "$loose_initd" >> "$LOGFILE"
  find /sbin/init.d/ \( -perm -g+w -o -perm -o+w \) -exec chmod 755 {} \; >> "$LOGFILE"
fi
echo "" >> "$LOGFILE"
echo "" >> "$LOGFILE"
echo "" >> "$LOGFILE"
echo "" >> "$LOGFILE"
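# --- 8. Password check (banner only) and 9./10. /etc/passwd permissions ------
# Section 8 writes its banner and nothing else. Section 9/10 logs the passwd
# listing, resets the mode to 644 when it is too permissive and resets the
# owner to root if needed.
{
  echo " #####################################################"
  echo "8. ####### Password check (OTP or Not)) ##################"
  echo " #####################################################"
  echo
  echo
  echo
  echo " #####################################################"
  echo "9., 10. ####### passwd 644,root shadow 400,root ##################"
  echo " #####################################################"
  echo
  ls -la /etc/passwd
} >> "$LOGFILE"

if [ -f /etc/passwd ]
then
  if ls -alL /etc/passwd | grep "...-.--.--" > /dev/null
  then
    echo "##/etc/passwd perm ok" >> "$LOGFILE"
  else
    echo "##/etc/passwd perm reset" >> "$LOGFILE"
    # chmod, not chown: "chown 644" hands the file to UID 644 and leaves the
    # mode untouched.
    chmod 644 /etc/passwd >> "$LOGFILE" 2>&1
  fi
  if [ "$(ls -ld /etc/passwd | awk '{ print $3 }')" = "root" ]
  then
    echo "##/etc/passwd root ok " >> "$LOGFILE"
  else
    echo "##/etc/passwd root reset " >> "$LOGFILE"
    chown root /etc/passwd >> "$LOGFILE" 2>&1
  fi
else
  echo "##/etc/passwd Not Found" >> "$LOGFILE"
fi
echo >> "$LOGFILE"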
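# --- /etc/shadow: mode 400, owner root ----------------------------------------
# Logs the listing, resets the mode to 400 when any bit beyond the owner's
# read bit is set, and resets the owner to root if needed.
ls -la /etc/shadow >> "$LOGFILE" 2>&1
if [ -f /etc/shadow ]
then
  if ls -alL /etc/shadow | grep "..--------" > /dev/null
  then
    echo "##/etc/shadow perm ok" >> "$LOGFILE"
  else
    echo "##/etc/shadow perm reset" >> "$LOGFILE"
    # chmod, not chown: "chown 400" hands the password hashes to UID 400 and
    # leaves the mode untouched.
    chmod 400 /etc/shadow >> "$LOGFILE" 2>&1
  fi
  if [ "$(ls -ld /etc/shadow | awk '{ print $3 }')" = "root" ]
  then
    echo "##/etc/shadow root ok " >> "$LOGFILE"
  else
    echo "##/etc/shadow root reset " >> "$LOGFILE"
    chown root /etc/shadow >> "$LOGFILE" 2>&1
  fi
else
  echo "##/etc/shadow Not Found" >> "$LOGFILE"
fi
echo >> "$LOGFILE"
echo >> "$LOGFILE"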
# --- Trusted-mode database (report only) --------------------------------------
# Lists /tcb/files, then the listing and contents of root's trusted-mode
# entry and the getprdef output; command errors go to the report as well.
# NOTE(review): root's entry is copied verbatim and presumably includes the
# stored password field - treat the report accordingly.
{
  echo "##trustmode auth directory 400 check"
  ls -la /tcb/files/
  echo
  echo "####### trustmode root check ##################"
  ls -la /tcb/files/auth/r/root
  cat /tcb/files/auth/r/root
  /usr/lbin/getprdef -r
  echo
} >> "$LOGFILE" 2>&1
# --- 11. Remote shell: rlogind entry and /etc/hosts.equiv ---------------------
# Logs the rlogind lines of inetd.conf and the hosts.equiv listing. When
# hosts.equiv exists and is not an owner-read-only file showing root, its
# ownership is set to root:root and its mode to 400.
equiv_file=/etc/hosts.equiv
{
  echo " #####################################################"
  echo "11. ####### remote shell check #################"
  echo " #####################################################"
  echo
  echo "##inetd.conf # check"
  grep rlogind /etc/inetd.conf
  echo
  echo "##hosts.equiv exist check"
  ls -la "$equiv_file" 2>&1
} >> "$LOGFILE"

if [ ! -f "$equiv_file" ]
then
  echo "##/etc/hosts.equiv file Not Found is ok" >> "$LOGFILE"
elif ls -alL "$equiv_file" | grep ".r.-------.*root.*" > /dev/null
then
  echo "##/etc/hosts.equiv perm ok" >> "$LOGFILE"
else
  echo "##/etc/hosts.equiv perm reset" >> "$LOGFILE"
  chown root:root "$equiv_file" >> "$LOGFILE"
  chmod 400 "$equiv_file" >> "$LOGFILE"
fi
echo >> "$LOGFILE"
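# --- Removes .rhosts and .netrc from every home directory ---------------------
# Logs any /home/*/.rhosts, then walks the distinct home directories listed
# in /etc/passwd and deletes .rhosts and .netrc where they exist as regular
# files. Finally logs the remshd lines of inetd.conf.
# NOTE(review): .netrc files hold users' stored credentials and are removed
# without a backup.
echo "##/home at .rhosts exist check" >> "$LOGFILE"
ls -la /home/*/.rhosts >> "$LOGFILE" 2>&1

HOMEDIRS=$(awk -F":" 'length($6) > 0 {print $6}' /etc/passwd | sort -u)
# Read one directory per line and quote every path so that a home directory
# containing whitespace cannot split into several unrelated arguments.
printf '%s\n' "$HOMEDIRS" | while IFS= read -r dir
do
  [ -n "$dir" ] || continue
  for trust_file in .rhosts .netrc
  do
    if [ -f "$dir/$trust_file" ]
    then
      ls -la "$dir/$trust_file" >> "$LOGFILE"
      echo "## Delete file $dir/$trust_file " >> "$LOGFILE"
      # The target was tested as a regular file, so no recursive delete.
      rm -f "$dir/$trust_file" >> "$LOGFILE" 2>&1 ||
        echo "## Delete FAILED $dir/$trust_file " >> "$LOGFILE"
    fi
  done
done

{
  echo
  echo "##remshd # check"
  grep remshd /etc/inetd.conf
  echo
  echo
  echo
  echo
} >> "$LOGFILE"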
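# --- 12. /etc/inetd.conf: mode 600, owner root --------------------------------
# Logs the listing, resets the mode to 600 when owner-execute or any group /
# other bit is set, and resets the owner to root if needed.
{
  echo " #####################################################"
  echo "12. ####### inetd 600,root rpc stop ##################"
  echo " #####################################################"
  echo
  ls -la /etc/inetd.conf
} >> "$LOGFILE"

if [ -f /etc/inetd.conf ]
then
  if ls -alL /etc/inetd.conf | grep "...-------" > /dev/null
  then
    echo "##/etc/inetd.conf perm ok" >> "$LOGFILE"
  else
    echo "##/etc/inetd.conf perm reset" >> "$LOGFILE"
    # chmod, not chown: "chown 600" hands the file to UID 600 and leaves the
    # mode untouched.
    chmod 600 /etc/inetd.conf >> "$LOGFILE" 2>&1
  fi
  if [ "$(ls -ld /etc/inetd.conf | awk '{ print $3 }')" = "root" ]
  then
    echo "##/etc/inetd.conf root ok " >> "$LOGFILE"
  else
    echo "##/etc/inetd.conf root reset " >> "$LOGFILE"
    chown root /etc/inetd.conf >> "$LOGFILE" 2>&1
  fi
else
  echo "##/etc/inetd.conf Not Found" >> "$LOGFILE"
fi
echo >> "$LOGFILE"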
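# --- Active inetd services, RPC registrations, r-service listeners ------------
# Report only: active inetd.conf lines, the local rpcinfo table, and
# listening sockets on ports 512, 513 and 514.
{
  echo "##inetd.conf rpc config set check"
  grep -v '^#' /etc/inetd.conf | grep -v '^$'
  echo
  echo "##rpcinfo check"
  rpcinfo -p 127.0.0.1 2>&1
  echo
  # Escape the dot so only the address.port separator matches; an unescaped
  # "." also matches the digit before it (".512 " would match port 1512).
  for rsvc_port in 512 513 514
  do
    netstat -na | grep LISTEN | grep "\.$rsvc_port "
  done
} >> "$LOGFILE"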
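# --- 13. telnet / ssh / ftp: inetd entries and listening ports ----------------
# Report only: telnet and ftp lines of inetd.conf plus netstat lines for
# ports 23, 22, 2222, 2929 and 21.
{
  echo " #####################################################"
  echo "13. ####### ftp, telnet check ##################"
  echo " #####################################################"
  echo
  grep telnet /etc/inetd.conf
  echo
  echo "##telnet Listen is .. "
  # Dots are escaped so that ".23 " cannot match ports such as 1023; only
  # the address.port separator followed by the exact port is reported.
  netstat -na | grep '\.23 '
  netstat -na | grep '\.22 '
  netstat -na | grep '\.2222 '
  echo
  grep ftp /etc/inetd.conf
  echo
  echo "## ftp Listen is .. "
  netstat -na | grep '\.2929 '
  netstat -na | grep '\.21 '
  echo
  echo
  echo
  echo
} >> "$LOGFILE"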
# --- 14. Anonymous FTP ----------------------------------------------------------
# When an uncommented line of /etc/ftpd/ftpaccess mentions "anonymous", the
# whole file is renamed to ftpaccess.org; otherwise the result is only logged.
# NOTE(review): the rename replaces any earlier ftpaccess.org and takes every
# other ftpaccess setting out of service along with the anonymous one.
ftpaccess=/etc/ftpd/ftpaccess
{
  echo " #####################################################"
  echo "14. ## Anonymous FTP check ############################"
  echo " #####################################################"
} >> "$LOGFILE"

if [ ! -f "$ftpaccess" ] ; then
  echo "14. /etc/ftpd/ftpaccess file not found " >> "$LOGFILE"
elif cat "$ftpaccess" | grep -v '^#' | grep anonymous > /dev/null
then
  echo "14. ## Setting requiore Anonymous FTP Delete at /etc/ftpd/ftpaccess " >> "$LOGFILE"
  echo "## mv /etc/ftpd/ftpaccess /etc/ftpd/ftpaccess.org " >> "$LOGFILE"
  mv "$ftpaccess" /etc/ftpd/ftpaccess.org >> "$LOGFILE"
else
  echo "14. ## Anonymous FTP NO Setting" >> "$LOGFILE"
fi
echo >> "$LOGFILE"
echo >> "$LOGFILE"
echo >> "$LOGFILE"
# --- 15.-17. .netrc files, inetd process, recent logins (report only) --------
# Each section writes its banner, one command's output and four blank lines.
{
  echo " #####################################################"
  echo "15. ####### find /home .netrc ##################"
  echo " #####################################################"
  find /home -name .netrc
  echo; echo; echo; echo

  echo " #####################################################"
  echo "16. ####### inetd running ##################"
  echo " #####################################################"
  ps -ef | grep inetd | grep -v grep
  echo; echo; echo; echo

  echo " #####################################################"
  echo "17. ####### last 20 Line ##################"
  echo " #####################################################"
  last -R | head -n 20
  echo; echo; echo; echo
} >> "$LOGFILE"
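# --- 18. cron.allow / cron.deny: mode 640 or stricter, owner root -------------
# Logs the listings and contents of the cron access files, then for
# cron.allow and cron.deny resets the mode to 640 when it is too permissive
# and resets the owner to root if needed.
{
  echo " #####################################################"
  echo "18. ####### Cron 640,root ##################"
  echo " #####################################################"
  echo
  ls -la /var/adm/cron/*.allow 2>&1
  ls -la /var/adm/cron/*.deny 2>&1
  echo
  cat /var/adm/cron/*.allow 2>&1
  cat /var/adm/cron/*.deny 2>&1
  echo
} >> "$LOGFILE"

for cron_acl in /var/adm/cron/cron.allow /var/adm/cron/cron.deny
do
  if [ -f "$cron_acl" ]
  then
    # Accepts modes without owner-execute, without group write/execute and
    # without any bit for others.
    if ls -alL "$cron_acl" | grep "...-.-----" > /dev/null
    then
      echo "##$cron_acl perm ok" >> "$LOGFILE"
    else
      echo "##$cron_acl perm reset" >> "$LOGFILE"
      # chmod, not chown: "chown 640" hands the file to UID 640 and leaves
      # the mode untouched.
      chmod 640 "$cron_acl" >> "$LOGFILE" 2>&1
    fi
    if [ "$(ls -ld "$cron_acl" | awk '{ print $3 }')" = "root" ]
    then
      echo "##$cron_acl root ok " >> "$LOGFILE"
    else
      echo "##$cron_acl root reset " >> "$LOGFILE"
      chown root "$cron_acl" >> "$LOGFILE" 2>&1
    fi
  else
    echo "##$cron_acl Not Found" >> "$LOGFILE"
  fi
  echo >> "$LOGFILE"
done
echo >> "$LOGFILE"
echo >> "$LOGFILE"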
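# --- 19. SNMP (report only) ----------------------------------------------------
# Running snmp processes, the active *_START= settings of the Snmp* rc
# config files, the active community-name lines of snmpd.conf, and sockets
# on port 161.
# NOTE(review): community names act as passwords; they are written to the
# report in clear text.
{
  echo " #####################################################"
  echo "19. ####### Snmp ##################"
  echo " #####################################################"
  echo
  echo "##Process check"
  ps -ef | grep snmp | grep -v grep
  echo
  echo "##start shell check"
  cat /etc/rc.config.d/Snmp* | grep _START= | grep -v '^#'
  echo
  echo "##community check"
  grep community-name: /etc/SnmpAgent.d/snmpd.conf | grep -v '^#'
  echo
  echo "##Listen check"
  # Match the address.port separator and the whole port number; a bare ".161"
  # matches any character followed by 161 anywhere on the line.
  netstat -na | grep '\.161 '
  echo
} >> "$LOGFILE"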
# --- 20. Secure Shell package and OpenSSL version (report only) ---------------
# Queries swlist for the SSH product that matches the OS release held in VER,
# then logs the openssl version and the /etc/hosts listing.
{
  echo " #####################################################"
  echo "20. ####### ssh version ##################"
  echo " #####################################################"
  echo
} >> "$LOGFILE"

case "$VER" in
  B.11.31)
    swlist SecureShell >> "$LOGFILE"
    swlist Secure_Shell >> "$LOGFILE"
    ;;
  B.11.23 | B.11.11)
    swlist T1471AA >> "$LOGFILE"
    ;;
esac

{
  echo
  openssl version 2>&1
  echo
  echo
  ls -la /etc/hosts 2>&1
  echo
} >> "$LOGFILE"
# --- 21./22. IP stack tunables (report only) ----------------------------------
# Prints the current value of each listed /dev/ip parameter, then the active
# lines of the persistent nddconf file.
{
  echo " #####################################################"
  echo "21. 22. ####### ndd check ##################"
  echo " #####################################################"

  for ip_param in ip_forwarding ip_forward_src_routed ip_respond_to_echo_broadcast ip_forward_directed_broadcasts
  do
    echo "##$ip_param check"
    ndd -get /dev/ip "$ip_param"
    echo
  done
  echo

  echo "##nddconf all show check"
  cat /etc/rc.config.d/nddconf | grep -v '^#'
  echo
  echo
  echo
} >> "$LOGFILE"
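# --- Shell start-up files under /home: no group/other write or execute --------
# Lists every .profile, .bash_profile, .*rc and .login below /home/*/ that has
# a group/other write or execute bit set, then resets those files to 644.
{
  echo "############################################"
  echo "####### etc1 system check ##################"
  echo "############################################"
  echo "#######/home .profile perm g-w, o-w ##################"
  echo
} >> "$LOGFILE"

# The names are quoted so that '.*rc' reaches find as a pattern; unquoted, the
# shell expands it against the current directory before find runs.
for rc_name in .profile .bash_profile '.*rc' .login
do
  find /home/*/ -name "$rc_name" \( -perm -g+w -o -perm -o+w -o -perm -g+x -o -perm -o+x \) -type f -print >> "$LOGFILE" 2>&1
done
for rc_name in .profile .bash_profile '.*rc' .login
do
  find /home/*/ -name "$rc_name" \( -perm -g+w -o -perm -o+w -o -perm -g+x -o -perm -o+x \) -type f -exec chmod 644 {} \; >> "$LOGFILE" 2>&1
done
echo >> "$LOGFILE"
echo >> "$LOGFILE"
echo >> "$LOGFILE"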
# --- Login banner and automounter (report only) --------------------------------
# Copies /etc/motd into the report, then lists automount processes and the
# AUTOFS= setting from nfsconf.
{
  echo "####### Warm Message (/etc/motd) ##################"
  cat /etc/motd
  echo; echo; echo; echo

  echo "####### automount stop ##################"
  ps -ef | grep automount | grep -v grep
  echo
  grep AUTOFS= /etc/rc.config.d/nfsconf
  echo; echo; echo; echo
} >> "$LOGFILE"
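# --- /etc/hosts.lpd: mode 600, owner root --------------------------------------
# Logs the listing, resets the mode to 600 when owner-execute or any group /
# other bit is set, and resets the owner to root if needed.
echo "####### hosts.lpd 600,root ##################" >> "$LOGFILE"
ls -la /etc/hosts.lpd >> "$LOGFILE" 2>&1
echo >> "$LOGFILE"
if [ -f /etc/hosts.lpd ]
then
  # Results go to the report like every other section; they were previously
  # printed to the terminal only.
  if ls -alL /etc/hosts.lpd | grep "...-------" > /dev/null
  then
    echo "##/etc/hosts.lpd perm ok" >> "$LOGFILE"
  else
    echo "##/etc/hosts.lpd perm reset" >> "$LOGFILE"
    # chmod, not chown: "chown 600" hands the file to UID 600 and leaves the
    # mode untouched.
    chmod 600 /etc/hosts.lpd >> "$LOGFILE" 2>&1
  fi
  if [ "$(ls -ld /etc/hosts.lpd | awk '{ print $3 }')" = "root" ]
  then
    echo "##/etc/hosts.lpd root ok " >> "$LOGFILE"
  else
    echo "##/etc/hosts.lpd root reset " >> "$LOGFILE"
    chown root /etc/hosts.lpd >> "$LOGFILE" 2>&1
  fi
else
  echo "##/etc/hosts.lpd Not Found" >> "$LOGFILE"
fi
echo >> "$LOGFILE"
echo >> "$LOGFILE"
echo >> "$LOGFILE"
echo >> "$LOGFILE"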
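# --- Session timeout and umask ---------------------------------------------------
# Logs the TMOUT/UMASK/umask lines of /etc/profile and the umask of the
# running shell. When that umask does not mask group and other write, a
# "umask 022" line is appended to /etc/profile and UMASK=0022 to
# /etc/default/security.
# NOTE(review): the decision is based on the invoking shell's umask, not on
# what the two files already contain, so a repeated run from a permissive
# session appends the same lines again.
{
  echo "####### TMOUT 600, umask (0)022 ##################"
  echo "##/etc/profile check"
  echo
  echo "##TMOUT at profile"
  grep TMOUT /etc/profile
  echo
  echo "##UMASK at profile"
  grep UMASK /etc/profile
  echo
  echo "##umask config"
  grep umask /etc/profile
  echo "##umask setting"
  umask
} >> "$LOGFILE"

# Accept 022 and anything stricter (027, 077, ...): the last two octal digits
# must both include the write bit, i.e. be one of 2, 3, 6 or 7. An exact
# comparison with 022 would flag a stricter mask and loosen the defaults.
case "$(umask)" in
  *[2367][2367])
    echo "## UMASK set ok " >> "$LOGFILE"
    ;;
  *)
    echo " umask 022" >> /etc/profile
    echo "UMASK=0022" >> /etc/default/security
    echo "## UMASK 0022 Set" >> "$LOGFILE"
    ;;
esac
echo >> "$LOGFILE"
echo >> "$LOGFILE"
echo >> "$LOGFILE"
echo >> "$LOGFILE"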
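# --- Orphaned files under /home: adopt by root / group "user" -----------------
# Lists files whose owner or group no longer exists, then assigns unowned
# files to root and group-less files to group "user".
echo "##/home at -nouser -o -nogroup check autorun chgrp user, chown root" >> "$LOGFILE"
find /home -nouser -xdev -exec ls -la {} \; 2> /dev/null >> "$LOGFILE"
# Drop setuid/setgid from unowned regular files before root adopts them, so
# an orphaned setuid program cannot end up as a setuid-root program.
find /home -nouser -xdev -type f \( -perm -4000 -o -perm -2000 \) -exec chmod ug-s {} \; 2> /dev/null >> "$LOGFILE"
# -h changes a symbolic link itself rather than the file it points to, which
# may live outside /home.
find /home -nouser -xdev -exec chown -h root {} \; 2> /dev/null >> "$LOGFILE"
find /home -nogroup -xdev -exec ls -la {} \; 2> /dev/null >> "$LOGFILE"
find /home -nogroup -xdev -exec chgrp -h user {} \; 2> /dev/null >> "$LOGFILE"
echo >> "$LOGFILE"
echo >> "$LOGFILE"
echo >> "$LOGFILE"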
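# --- /home: setuid/setgid files, world-writable files, mode-777 directories ---
# Lists setuid/setgid regular files (report only), lists world-writable
# regular files and removes their other-write bit, then does the same for
# directories whose mode is exactly 777.
{
  echo "##/home at setuid , getgid check if exist require delete file"
  echo "##/home at perm -04000 -o -perm -02000 check"
  find /home -type f \( -perm -04000 -o -perm -02000 \) -exec ls -la {} \; 2> /dev/null
  echo; echo; echo; echo; echo; echo

  echo "##/home at world write file check autorun chmod o-w"
  # "-perm -0002" matches every file with the other-write bit set. The
  # previous "-perm 2" matched only files whose mode is exactly 0002, so
  # ordinary world-writable files (666, 777, ...) were never found.
  find /home -type f -perm -0002 -exec ls -la {} \; 2> /dev/null
  find /home -type f -perm -0002 -exec chmod o-w {} \; 2> /dev/null
  echo; echo; echo; echo; echo; echo; echo

  # Exact 777 only, which leaves sticky-bit directories (1777) alone.
  find /home -type d -perm 777 -exec ls -la {} \; 2> /dev/null
  find /home -type d -perm 777 -exec chmod o-w {} \; 2> /dev/null
  echo; echo; echo; echo; echo; echo
} >> "$LOGFILE"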
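# --- Regular files under /dev (report only) -------------------------------------
# /dev should hold device nodes; regular files found there are listed for
# manual review.
echo "##/dev at device file check if exist require delete file" >> "$LOGFILE"
# "-type f": the previous "-type -f" is not a valid find expression, and with
# stderr discarded the check silently reported nothing.
find /dev -type f -exec ls -la {} \; 2> /dev/null >> "$LOGFILE"
echo >> "$LOGFILE"
echo >> "$LOGFILE"
echo >> "$LOGFILE"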
# --- General system inventory (report only) ------------------------------------
# Network interfaces, routes, file systems, sockets and the process table,
# each under its own label and followed by three blank lines.
# NOTE(review): "ps -ef" records full command lines, which may include
# credentials passed as arguments.
three_blank_lines() {
  echo
  echo
  echo
}

{
  echo "############################################"
  echo "####### system info ##################"
  echo "############################################"

  echo "##nwmgr "
  nwmgr 2>&1
  three_blank_lines

  echo "##netstat -in "
  netstat -in
  three_blank_lines

  echo "##netstat -rn "
  netstat -rn
  three_blank_lines

  echo "##bdf "
  bdf 2>&1
  three_blank_lines

  echo "##netstat -na "
  netstat -na
  three_blank_lines

  echo "##ps -ef "
  ps -ef
  three_blank_lines
} >> "$LOGFILE"