국정원기반 서버 취약점 점검 스크립트 -Linux
아래 스크립트는 필자가 만든 스크립트입니다.
국정원이나 산자부 보안점검 대비 OS를 체크하기 위한 스크립트로
매우 주관적으로 만든 것이니 참고만 하시기 바랍니다.
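#!/bin/sh
# NISK(National Intelligence Service Korea) Base Security Check Script for KookJung
# Edit by Guppy in 2020
# for Linux
#
# Audits a Linux host against a NIS/MOTIE-style server checklist and appends
# every finding to <hostname>_<YYYYmmddHHMM>.txt in the current directory.
# Several checks auto-remediate: they edit /etc/ssh/sshd_config,
# /etc/securetty, /etc/rsyslog.conf, /etc/syslog.conf, /etc/login.defs and
# /etc/profile, reset file modes/owners, delete default users and groups, and
# remove ~/.rhosts and ~/.netrc. Run as root, and read the log afterwards.
#
# No `set -e`: most steps are probes that are expected to fail on a host
# where the feature is absent, and the script must keep going.
LANG=C
export LANG
DATE=$(date +%Y%m%d%H%M)
DAY=$(date +%m/%d/%Y)
LOGFILE="$(hostname)_$DATE.txt"
# First six characters of the kernel release (e.g. "3.10.0"); logged only.
Kernel=$(uname -r | awk '{ print substr($0,1,6); }')
OS=$(uname -s)
CURR="Linux"
# Groups and accounts the checklist treats as removable defaults.
Def_group="tty uucp smbnull tftp"
Def_ID="adm lp uucp nuucp sync shutdown halt news operator games gopher nfsnobody squid hpdb smbnull iwww owww tftp"
Def_nologin="mysql ssh"

#######################################
# Write one line to stdout (main() redirects all section output to the log).
#######################################
log() {
  printf '%s\n' "$*"
}

#######################################
# Section banner in the original three-line style.
#######################################
banner() {
  log
  log "############################################"
  log "####### $1 ##################"
  log "############################################"
}

#######################################
# True when systemd is the running init (sd_booted() convention); replaces
# the hard-coded kernel-version tests of the original.
#######################################
has_systemd() {
  command -v systemctl >/dev/null 2>&1 && [ -d /run/systemd/system ]
}

#######################################
# Restart a service with whichever service manager the host has.
# Arguments: $1 - service name
#######################################
restart_service() {
  if has_systemd; then
    systemctl restart "$1"
  elif [ -x "/etc/init.d/$1" ]; then
    "/etc/init.d/$1" restart
  else
    service "$1" restart
  fi
}

#######################################
# Stop a service now and keep it from starting at boot.
# Arguments: $1 - service name
#######################################
stop_and_disable_service() {
  if has_systemd; then
    systemctl stop "$1"
    systemctl disable "$1"
  else
    [ -x "/etc/init.d/$1" ] && "/etc/init.d/$1" stop
    chkconfig --level 345 "$1" off
  fi
}

#######################################
# List service/unit entries whose name contains a keyword.
# Arguments: $1 - keyword passed to grep
#######################################
list_services() {
  if has_systemd; then
    systemctl list-unit-files 2>&1 | grep -- "$1"
  else
    chkconfig --list 2>&1 | grep -- "$1"
  fi
}

#######################################
# Socket table: netstat where present, ss on hosts that no longer ship it.
#######################################
sockets() {
  if command -v netstat >/dev/null 2>&1; then
    netstat -na 2>/dev/null
  else
    ss -tuna 2>/dev/null
  fi
}

#######################################
# Owner user name of a path, taken from ls(1) as the original did.
#######################################
owner_of() {
  ls -ld "$1" | awk '{ print $3 }'
}

#######################################
# Check a file's mode against an ls(1) pattern and its owner against root,
# correcting both when they differ.
# Arguments: $1 - path
#            $2 - grep pattern applied to `ls -lL` output
#            $3 - mode to apply when the pattern does not match
# Returns:   1 when the file does not exist
#######################################
check_file_perm_owner() {
  _f=$1
  _pat=$2
  _mode=$3
  if [ ! -f "$_f" ]; then
    log "##$_f Not Found"
    return 1
  fi
  ls -la "$_f"
  if ls -lL "$_f" | grep -q -- "$_pat"; then
    log "##$_f perm ok"
  else
    log "##$_f perm reset"
    # the original ran `chown <mode>` here, which never changes a mode
    chmod "$_mode" "$_f"
  fi
  if [ "$(owner_of "$_f")" = "root" ]; then
    log "##$_f root ok "
  else
    log "##$_f root reset "
    chown root "$_f"
  fi
}

#######################################
# Put "PermitRootLogin no" at the TOP of sshd_config: sshd honours the first
# occurrence of a keyword, so a line appended behind an earlier "yes", an
# Include, or inside a Match block (as the original did) is ignored.
# The file is backed up and restored if sshd rejects the result, so a bad
# edit cannot lock out remote access on restart.
#######################################
set_permit_root_login_no() {
  _cfg=/etc/ssh/sshd_config
  _bak="$_cfg.bak.$DATE"
  cp -p "$_cfg" "$_bak" || return 1
  { echo "PermitRootLogin no"; cat "$_bak"; } > "$_cfg"
  if command -v sshd >/dev/null 2>&1 && ! sshd -t; then
    log "##sshd_config test failed, restoring $_bak"
    cat "$_bak" > "$_cfg"
    return 1
  fi
  restart_service sshd
  log "##sshd_config PermitRootLogin no set reconfigured"
}

#######################################
# Report whether anonymous FTP is disabled in vsftpd.conf. An absent
# anonymous_enable directive is reported on its own because vsftpd documents
# YES as its default, so "no directive" must not be read as "disabled".
#######################################
check_vsftpd_anonymous() {
  _cfg=/etc/vsftpd/vsftpd.conf
  if [ ! -f "$_cfg" ]; then
    log "## /etc/vsftpd/vsftpd.conf file Not Found "
    return
  fi
  _anon=$(grep -v '^#' "$_cfg" | grep anonymous)
  if [ -z "$_anon" ]; then
    log "## anonymous_enable not set in $_cfg (vsftpd default is YES): set anonymous_enable=NO"
  elif printf '%s\n' "$_anon" | grep -Eqv 'no|NO'; then
    log "## Setting require Anonymous FTP Delete at /etc/vsftpd/vsftpd.conf "
  else
    log "## Anonymous FTP NO Setting"
  fi
}

section_otp() {
  banner "OTP Setting check"
  log
  grep /etc/pam_radius_auth.conf /etc/pam.d/su
  log
  grep /etc/pam_radius_auth.conf /etc/pam.d/sshd
  log
  cat /etc/pam_radius_auth.conf
  log
  grep -v '^#' /etc/ssh/sshd_config | grep PAM
  log; log; log
}

section_ftp_telnet() {
  banner "ftp, telnet check"
  log "##Process Check"
  # "[f]tp" matches ftp processes but not this grep's own command line
  ps -ef | grep '[f]tp'
  log
  log "##xinetd daemon Check"
  grep ftp /etc/xinetd.d/*
  log
  grep telnet /etc/xinetd.d/*
  log
  log "##xferlog Check"
  tail -n 20 /var/log/xferlog
  log
  list_services ftp
  log
  list_services telnet
}

section_ssh() {
  banner "ssh port 2222"
  log "##Port Check"
  grep Port /etc/ssh/sshd_config
  log "##PermitRootLogin no Check"
  grep PermitRootLogin /etc/ssh/sshd_config
  log
  log "##2222 port Check"
  sockets | grep 2222
  log
  if [ -f /etc/securetty ]; then
    if grep -q pts /etc/securetty; then
      # pts entries are reported, not removed; tty1 is appended as before
      echo "tty1" >> /etc/securetty
      log "##/etc/securetty reconfigure require "
    else
      log "##/etc/securetty set ok "
    fi
  else
    # the original ran `cat "tty1"` here and left the new file empty
    echo "tty1" > /etc/securetty
    log "##/etc/securetty create and reconfigure ok "
  fi
  log; log
  if grep -v '#' /etc/ssh/sshd_config |
     grep -Eq '^[[:space:]]*PermitRootLogin[[:space:]]+no([[:space:]]|$)'; then
    log "##sshd_config PermitRootLogin no set ok"
  else
    set_permit_root_login_no
  fi
  log; log
}

section_ntp() {
  banner "ntp check"
  log "##crontab Check"
  crontab -l | grep ntp
  log
  log "##ntp log Check"
  tail -n 20 /tmp/zws/ntpdate.log
  log
}

section_acl() {
  banner "ACL check"
  log "##allow Check"
  grep -Ev '^(#|$)' /etc/hosts.allow
  log; log
  log "##deny Check"
  grep -Ev '^(#|$)' /etc/hosts.deny
  log
}

section_accounts() {
  banner "UID, GID 0-99"
  head -n 30 /etc/passwd
  log; log; log
  log "##passwd Check"
  grep -- '~2018' /etc/passwd
  log
  grep -- '~2017' /etc/passwd
  log
  log "####### group check ##################"
  log "##group id 100 Check"
  grep '^user' /etc/group
  log
  log "##delete group Check"
  for _g in $Def_group; do
    if grep -q "^$_g:" /etc/group; then
      log "## Default group exist : $_g"
      groupdel "$_g"
      log "##group $_g delete "
    fi
  done
  log
  log "##users 20 Check"
  grep ':20:' /etc/passwd
  log
  banner "UID, GID 0"
  grep ':0:' /etc/passwd
  log
  banner "Default ID check"
  for _u in $Def_ID; do
    if grep -q "^$_u:" /etc/passwd; then
      log "## Default ID exist : $_u"
      # no -r: the home directory is left in place, as in the original
      userdel "$_u"
      log "##user $_u delete "
    fi
  done
  log
  for _u in $Def_nologin; do
    if grep "^$_u:" /etc/passwd | grep -v /sbin/nologin | grep -qv /bin/false; then
      log "## Default user login exist : $_u"
      usermod -s /bin/false "$_u"
      log "##user $_u nologin configured"
    fi
  done
  log "##Shell nologin, false Check"
  grep -v /sbin/nologin /etc/passwd | grep -v /bin/false | grep -Ev 'userid|userdev|usermaster'
  log
  log "##test id Check"
  grep test /etc/passwd
  log
}

section_login_fail() {
  banner "login fail count"
  log "##/etc/pam.d Check"
  # pam_faillock replaces pam_tally2 on newer PAM releases
  grep -E 'pam_tally|pam_faillock' /etc/pam.d/*
  ls -la /sbin/pam_tally* /lib/security/pam_tally*.so /lib64/security/pam_tally*.so
  log
}

section_file_perms() {
  banner "hosts file perm 644(444),root"
  check_file_perm_owner /etc/hosts '...-.--.--' 644
  log
  log "####### syslog.conf 644(444),root ##################"
  ls -la /etc/*syslog.conf
  log
  check_file_perm_owner /etc/syslog.conf '...-.--.--' 644
  log "####### services 644,root ##################"
  check_file_perm_owner /etc/services '...-.--.--' 644
}

section_su() {
  banner "sulog , su 4750 ,root.wheel"
  log "##sulog check"
  grep sulog /etc/*syslog.conf
  log
  # last field is the log path whether or not grep prefixed a file name;
  # a leading "-" is rsyslog's async marker, not part of the path
  _sulogs=$(grep -h sulog /etc/*syslog.conf 2>/dev/null | awk '{ print $NF }')
  for _l in $_sulogs; do
    tail -n 10 "${_l#-}"
  done
  log "##syslog.conf auth check"
  grep auth /etc/*syslog.conf
  if [ ! -d /var/log/sulogd ]; then
    mkdir -p /var/log/sulogd
    touch /var/log/sulogd/sulog.log
    log "## /var/log/sulogd directory create"
  fi
  if [ -f /etc/login.defs ] && ! grep -q SULOG /etc/login.defs; then
    echo "SULOG_FILE /var/log/sulogd/sulog.log" >> /etc/login.defs
  fi
  # commented-out selectors no longer count as "set"
  if [ -f /etc/rsyslog.conf ]; then
    if grep -v '^#' /etc/rsyslog.conf | grep -Fq 'authpriv.'; then
      log "##syslog authpriv.notice setting ok "
      log
    else
      log "##authpriv.notice syslog reconfigured "
      log
      echo "authpriv.* /var/log/sulogd/sulog.log " >> /etc/rsyslog.conf
      restart_service rsyslog
    fi
  fi
  if [ -f /etc/syslog.conf ]; then
    if grep -v '^#' /etc/syslog.conf | grep -Fq 'auth.'; then
      log " syslog auth.notice setting ok "
      log
    else
      log " auth.notice syslog reconfigured "
      log
      echo "auth.* /var/log/sulogd/sulog.log " >> /etc/syslog.conf
      restart_service syslog
    fi
  fi
  log
  for _su in /usr/bin/su /bin/su; do
    [ -f "$_su" ] || continue
    ls -la "$_su"
    if ls -lL "$_su" | grep -q '.rwsr-x---.*root.*wheel'; then
      log "##$_su perm ok"
    else
      log "##$_su perm reset"
      chown root:wheel "$_su"
      chmod 4750 "$_su"
    fi
  done
  log; log; log
}

section_initd_perms() {
  banner "network daemon 644(555) g-w, o-w"
  ls -la /etc/init.d/*
  log
  if [ "$(find /etc/init.d/ \( -perm -g+w -o -perm -o+w \) -type f | wc -l)" -eq 0 ]; then
    log "##Network Daemon Perm 755 ok "
  else
    log "##Network Daemon Perm reset "
    find /etc/init.d/ \( -perm -g+w -o -perm -o+w \) -type f -exec ls -la {} \;
    # strip only the write bits: the original's chmod 644 also removed the
    # execute bit that init scripts need, breaking service start-up
    find /etc/init.d/ \( -perm -g+w -o -perm -o+w \) -type f -exec chmod g-w,o-w {} \;
  fi
  log; log; log
}

section_passwd_shadow() {
  banner "Password OTP or Not"
  log; log; log
  banner "passwd 644,root shadow 400,root"
  check_file_perm_owner /etc/passwd '...-.--.--' 644
  # pattern accepts 400 and 000; distributions that ship shadow as
  # root:shadow 640 are reset to 400 by this policy
  check_file_perm_owner /etc/shadow '..--------' 400
  log; log; log
}

section_rhosts() {
  banner "remote shell check"
  log "##xinetd.conf check"
  ls -la /etc/xinetd.d/*login*
  log
  ls -la /etc/xinetd.d/*rsh*
  log
  ls -la /etc/xinetd.d/*rexec*
  log
  find /home -name .rhosts
  log
  # one home directory per line, so a name containing spaces stays intact
  awk -F: 'length($6) > 0 { print $6 }' /etc/passwd | sort -u |
  while IFS= read -r _dir; do
    for _dot in .rhosts .netrc; do
      if [ -f "$_dir/$_dot" ]; then
        ls -la "$_dir/$_dot"
        log "## Delete file $_dir/$_dot "
        rm -f -- "$_dir/$_dot"
      fi
    done
  done
  log "##hosts.equiv check"
  ls -la /etc/hosts.equiv
  if [ -f /etc/hosts.equiv ]; then
    if ls -lL /etc/hosts.equiv | grep -q '.r.-------.*root.*'; then
      log "##/etc/hosts.equiv perm ok"
    else
      log "##/etc/hosts.equiv perm reset"
      chown root:root /etc/hosts.equiv
      chmod 400 /etc/hosts.equiv
    fi
  else
    log "##/etc/hosts.equiv file Not Found is ok"
  fi
  log; log; log
}

section_inetd() {
  banner "inetd 600,root rpc stop"
  runlevel
  log
  if has_systemd; then
    systemctl list-unit-files | grep -v disabled
  else
    _rl=$(runlevel | awk '{ print $2 }')
    chkconfig --list | grep -v "$_rl:off"
  fi
  log
  if [ -f /etc/xinetd.conf ]; then
    check_file_perm_owner /etc/xinetd.conf '...-------' 600
    ls -la /etc/xinetd.d/*
    log
    log "##xinetd.conf rpc config set check"
    grep -Ev '^(#|$)' /etc/xinetd.conf
    log
  else
    log "##/etc/xinetd.conf Not Found"
  fi
  log
  sockets | grep LISTEN | grep -E ':51[234] '
  log; log; log
}

section_ftp_telnet_detail() {
  banner "ftp, telnet check"
  systemctl 2>&1 | grep ftp
  systemctl 2>&1 | grep telnet
  list_services telnet
  grep telnet /etc/init.d/*
  log
  log "##telnet Listen is .. "
  sockets | grep -E ':(23|22|2222) '
  list_services ftp
  ls /etc/init.d/*ftp*
  log "## ftp Listen is .. "
  sockets | grep -E ':(3333|21) '
  log
  check_vsftpd_anonymous
}

section_misc_files() {
  banner ".netrc"
  find /home -name .netrc
  log; log; log
  banner "last"
  last | head -n 20
  log; log; log
}

section_cron() {
  banner "Cron 640,root g-x, o-x, o-r"
  log
  ls -la /etc/cron*
  log
  check_file_perm_owner /etc/cron.allow '...-.-----' 640
  check_file_perm_owner /etc/cron.deny '...-.-----' 640
}

section_snmp() {
  banner "Snmp"
  log "##Process check"
  ps -ef | grep '[s]nmp'
  log
  log "##start shell check"
  ls /etc/init.d/*snmp*
  log
  log "##community check"
  grep community /etc/snmp/snmpd.conf
  log
  log "##Listen check"
  sockets | grep ':161 '
  log
  systemctl 2>&1 | grep snmp
  log
  ls -la /etc/hosts
  log
}

section_ssh_version() {
  banner "ssh version"
  log
  # query both rpm names instead of picking one by kernel version
  if command -v rpm >/dev/null 2>&1; then
    rpm -qi openssh openssh-server
  elif command -v dpkg >/dev/null 2>&1; then
    dpkg -s openssh-server
  fi
  log
  openssl version
  log
  ps -ef | grep '[s]sh'
  log
  ls -la /etc/hosts
  log
}

section_sysctl() {
  banner "sysctl check"
  log
  for _key in net.ipv4.ip_forward net.ipv4.conf.default.accept_source_route; do
    sysctl "$_key"
    if [ "$(sysctl -n "$_key" 2>/dev/null)" = "0" ]; then
      log "## $_key set ok "
    else
      # runtime value only: /etc/sysctl.conf is listed below, not edited
      sysctl -w "$_key=0" >/dev/null
      log "## $_key set configured "
    fi
    log
  done
  log "## sysctl.conf show check "
  grep -Ev '^(#|$)' /etc/sysctl.conf
  log; log; log; log
}

section_etc() {
  banner "Etc System Check"
  log; log
  log "####### /home .profile perm g-w, o-w ##################"
  log
  # '.*rc' is quoted so the shell cannot expand it against the current directory
  find /home/*/ \( -name .profile -o -name .bash_profile -o -name '.*rc' -o -name .login \) \
    -type f \( -perm -g+w -o -perm -o+w -o -perm -g+x -o -perm -o+x \) -exec ls -la {} \;
  find /home/*/ \( -name .profile -o -name .bash_profile -o -name '.*rc' -o -name .login \) \
    -type f \( -perm -g+w -o -perm -o+w -o -perm -g+x -o -perm -o+x \) -exec chmod 644 {} \;
  log "####### /home World Writable file autorun chmod o-w ##################"
  find /home \( -type f -o -type d \) -perm -2 -ls
  find /home -type f -perm -2 -exec chmod o-w {} \;
  # directories: exact 777 only, as in the original (1777 sticky dirs are left alone)
  find /home -type d -perm 777 -exec chmod o-w {} \;
  log
  log "####### Warm Message (/etc/motd) ##################"
  cat /etc/motd
  log
  log "####### automount stop ##################"
  ps -ef | grep '[a]utomount'
  log
  if ps -ef | grep -q '[a]utomount'; then
    stop_and_disable_service autofs
    log "## stoped autofs "
  fi
  log "####### hosts.lpd 600,root ##################"
  check_file_perm_owner /etc/hosts.lpd '...-------' 600
  log "####### TMOUT 600, umask (0)022 ##################"
  log "##/etc/profile check"
  log
  log "##TMOUT at profile"
  grep TMOUT /etc/profile
  log
  log "##UMASK at profile"
  grep UMASK /etc/profile
  log
  log "##umask config"
  grep umask /etc/profile
  log "##umask setting"
  umask
  # this is the umask inherited by the script's own shell, not a parsed value
  if [ "$(umask)" -eq 0022 ]; then
    log "## UMASK set ok "
  else
    echo " umask 0022" >> /etc/profile
    log "## UMASK 0022 Set"
  fi
  log
  log "##/home at -nouser -o -nogroup check autorun chmod root, chgrp root"
  log
  find /home \( -nouser -o -nogroup \) -exec ls -la {} \;
  find /home -nouser -exec chown root {} \;
  find /home -nogroup -exec chgrp root {} \;
  log; log; log; log
  log "##/home at perm -04000 -o -perm -02000 check if exist delete file"
  find /home -user root -type f \( -perm -04000 -o -perm -02000 \) -exec ls -la {} \;
  log; log; log; log
  log "##/dev device file check if exist delete file"
  # the original's "-exec -ls -l" is not a valid find expression; -ls is a find action
  find /dev -type f -ls 2>/dev/null
  log; log
}

section_sysinfo() {
  banner "system info"
  if command -v netstat >/dev/null 2>&1; then
    netstat -natp
    log
    netstat -naup
    log
  else
    ss -natp
    log
    ss -naup
    log
  fi
  ps -ef
  log
  df -HT
  log
  if command -v ifconfig >/dev/null 2>&1; then
    ifconfig
  else
    ip addr
  fi
  log
  if command -v netstat >/dev/null 2>&1; then
    netstat -in
    log
    netstat -rn
  else
    ip -s link
    log
    ip route
  fi
  log
  free -m
  log
  uname -a
  log
}

#######################################
# Entry point: refuse non-Linux, create the log, run every section with all
# output (stdout and stderr) appended to the log.
# Globals: OS, CURR, LOGFILE, DAY, Kernel
# Returns: 1 when the OS is not Linux
#######################################
main() {
  if [ "$OS" != "$CURR" ]; then
    echo " This Version OS is Not RUN !! " >&2
    exit 1
  fi
  if [ "$(id -u)" -ne 0 ]; then
    echo "warning: not running as root; checks that read /etc/shadow or change files will fail" >&2
  fi
  : > "$LOGFILE"
  # the log holds account lists, ACLs and su activity: keep it owner-only
  chmod 600 "$LOGFILE"
  {
    echo "$DAY"
    echo "$Kernel"
    log; log
    section_otp
    section_ftp_telnet
    section_ssh
    section_ntp
    section_acl
    section_accounts
    section_login_fail
    section_file_perms
    section_su
    section_initd_perms
    section_passwd_shadow
    section_rhosts
    section_inetd
    section_ftp_telnet_detail
    section_misc_files
    section_cron
    section_snmp
    section_ssh_version
    section_sysctl
    section_etc
    section_sysinfo
  } >> "$LOGFILE" 2>&1
}

main "$@"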