

기술문서 보안점검 툴

2017.08.25 18:21

gupy1004 조회 수:456

공공기업에서 보안점검에 대비하여 많은 서버에 일일이 직접 접속하여

보안조치를 취하는 것이 어렵기 때문에, 아래와 같은 스크립트를 작성하여

손쉽게 조치를 할 수 있습니다.

 

적용 서버는 HPUX 11.31, 11.23,

                Linux

 

그외 OS 는 테스트 해보지 않았지만 비슷할거 같네요

직접 만들어 보시기 바랍니다.

 

아래 압축 파일을 해제하면 여러 개의 파일이 나옵니다.

 

대략 보시면 뭘 수행해야 될지 감이 잡히실 겁니다.

 

 

 

#!/bin/sh
# HP-UX System weekpoint check
#edit by guppy
#
# Hardening checklist for HP-UX 11.23/11.31 (Linux variants ship
# alongside). Runs as root and edits system files in place; $1 appears
# to be the directory holding the replacement syslogd init script used
# further down.

# step 1: /etc/passwd is only printed here, the review is manual.
cat <<'EOF'
########################
######## step 1 ########
########################

cat /etc/passwd

## Visual Check ##


EOF
cat /etc/passwd
echo ""
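echo "########################"
echo "######## step 2 ########"
echo "########################"
echo ""
# step 2: any account with UID 0 is a full root equivalent; only the
# account literally named "root" is expected to have it.
# The UID field (field 3) is compared exactly. The old "grep -v root"
# dropped every line merely containing the word root, and "grep :0:"
# also matched GID 0 and printed the same lines once per hit.
EXTRA_ROOT=$(awk -F: '$3 == 0 && $1 != "root" {print $0}' /etc/passwd)
if [ -n "$EXTRA_ROOT" ]
then
        echo " passwd file check root roll "
        printf '%s\n' "$EXTRA_ROOT"
fi
echo ""
echo "Empty is OK"
echo ""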
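echo "########################"
echo "######## step 3 ########"
echo "########################"
echo ""
# step 3: remove vendor default accounts that are not needed.
# Each name is compared against the whole login field. The previous
# "grep ^$check" was a prefix match, so checking "adm" would also have
# deleted "admin" and "lp" would have deleted "lpd".
Def_ID="adm lp uucp nuucp hpdb smbnull iwww owww tftp "
for check in $Def_ID
do
        if awk -F: -v u="$check" '$1 == u { found = 1 } END { exit !found }' /etc/passwd
        then
                echo " Default ID exist : $check"
                # userdel is irreversible; report failure instead of claiming success.
                if userdel "$check"
                then
                        echo " $check delete "
                else
                        echo " $check delete FAILED" >&2
                fi
        fi
done
echo ""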
echo "########################"
echo "######## step 4 ########"
echo "########################"
echo "Securv TOS"
echo "########################"
echo "######## step 5 ########"
echo "########################"
echo ""
# step 5: /etc/hosts must not be writable or executable by group/other.
# The mode comes from ls -lL (HP-UX has no stat(1); -L follows a symlink);
# the pattern mirrors the old grep: owner rw?, group r--/---, other r--/---.
if [ ! -f /etc/hosts ]
then
        echo "/etc/hosts NOT Found"
else
        HOSTS_LINE=$(ls -alL /etc/hosts)
        case "$HOSTS_LINE" in
        ???-?--?--*)
                echo "/etc/hosts perm ok "
                ;;
        *)
                echo "/etc/hosts perm reset "
                chmod 644 /etc/hosts
                ;;
        esac
fi
echo ""
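echo "########################"
echo "######## step 6 ########"
echo "########################"
echo ""
# step 6: /etc/syslog.conf must not be writable by group/other.
# The remediation was "chown 644", which chown takes as a numeric UID and
# so handed the file to user 644 while leaving the mode untouched;
# chmod is what was meant.
if [ -f /etc/syslog.conf ]
then
        if ls -alL /etc/syslog.conf | grep "...-.--.--" >/dev/null
        then
                echo "/etc/syslog.conf perm ok"
        else
                echo "/etc/syslog.conf perm reset"
                chmod 644 /etc/syslog.conf
        fi
else
        echo "/etc/syslog.conf Not Found"
fi
echo ""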
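# step 6 (cont.): replace the stock syslogd init script with one that
# rotates /var/adm/syslog. The rotating version is recognised by a line
# containing both "MV" and "date". $1 is the directory holding the
# replacement script syslogd11.23; without it the old code copied from
# "/syslogd11.23" AFTER the live script had already been moved away,
# leaving the system with no syslogd init script at all.
SYSLOGD_INIT=/sbin/init.d/syslogd
SYSLOGD_NEW="${1:-.}/syslogd11.23"
if grep MV "$SYSLOGD_INIT" 2>/dev/null | grep date >/dev/null
then
        echo " syslog rotate ok (6Month) "
elif [ ! -f "$SYSLOGD_NEW" ]
then
        # The replacement must exist before the live script is touched.
        echo " syslog rotate NOT configured : $SYSLOGD_NEW not found (pass the script directory as \$1)" >&2
else
        if [ -f "$SYSLOGD_INIT.org" ] ; then
                mv "$SYSLOGD_INIT.org" "$SYSLOGD_INIT.bak"
        fi
        mv "$SYSLOGD_INIT" "$SYSLOGD_INIT.org"
        cp "$SYSLOGD_NEW" "$SYSLOGD_INIT"
        chmod 555 "$SYSLOGD_INIT"
        chown bin:bin "$SYSLOGD_INIT"
        echo " syslog rotate configured "
        "$SYSLOGD_INIT" stop
        "$SYSLOGD_INIT" start
        echo ""
        echo ""
        ls -la /var/adm/syslog
fi
echo ""
echo ""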


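# step 6 (cont.): *.notice messages must be routed to
# /var/adm/sulogd/syslog.log. grep's exit status replaces
# "wc -l ... -eq 1": with two existing notice lines the old test failed
# and appended a third one on every run.
if grep notice /etc/syslog.conf >/dev/null 2>&1 ; then
        echo " syslog notice setting ok "
        echo ""
        grep notice /etc/syslog.conf
else
        if [ ! -d /var/adm/sulogd ] ; then
                mkdir -p /var/adm/sulogd
        fi
        echo ""
        # NOTE(review): selector and action are separated by spaces here;
        # confirm the target syslogd accepts spaces rather than tabs.
        echo "*.notice                 /var/adm/sulogd/syslog.log" >> /etc/syslog.conf
        echo ""
        /sbin/init.d/syslogd stop
        /sbin/init.d/syslogd start
        echo " notice syslog reconfigured "
fi
echo ""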
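echo "########################"
echo "######## step 7 ########"
echo "########################"
echo ""
# step 7: nothing under /sbin/init.d may be group- or world-writable.
# The mode string is taken from ls (HP-UX has no stat): column 6 is the
# group write bit, column 9 the other write bit. The old pattern
# ".....w..w." required BOTH bits, so a world-writable-only script
# passed the check.
WRITABLE_INIT=$(ls -la /sbin/init.d/* | awk 'substr($1, 6, 1) == "w" || substr($1, 9, 1) == "w"')
if [ -z "$WRITABLE_INIT" ]
then
        echo " Network Daemon Perm 555 ok "
else
        echo " Network Daemon Perm reset  "
        printf '%s\n' "$WRITABLE_INIT"
        # Same remediation as before: every entry is reset to 555.
        chmod 555 /sbin/init.d/*
fi
echo ""
echo "########################"
echo "######## step 8 ########"
echo "########################"
echo ""
echo "OTP"
echo ""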
# step 9: ownership and mode of the account databases.
# ls -lL supplies the mode string (HP-UX has no stat(1)); each case
# pattern mirrors the old grep expression (? = one char, * = anything).
PASSWD_LINE=$(ls -alL /etc/passwd)
case "$PASSWD_LINE" in
???-?--?--*root*)
        echo "passwd file perm ok"
        ;;
*)
        chmod 444 /etc/passwd
        chown root:sys /etc/passwd
        echo "passwd file perm 444 set"
        ;;
esac

GROUP_LINE=$(ls -alL /etc/group)
case "$GROUP_LINE" in
???-?--?--*)
        echo "group file perm ok"
        ;;
*)
        chmod 444 /etc/group
        echo "group file perm 444 set"
        ;;
esac

if [ ! -f /etc/shadow ]
then
        echo "/etc/shadow file not found"
else
        SHADOW_LINE=$(ls -alL /etc/shadow)
        case "$SHADOW_LINE" in
        ?r?-------*root*)
                echo "/etc/shadow perm ok "
                ;;
        *)
                echo "/etc/shadow perm reset"
                chmod 400 /etc/shadow
                chown root:sys /etc/shadow
                ;;
        esac
fi

echo ""
# step 10: the resulting listings are shown for manual review.
cat <<'EOF'
########################
######## step 10 #######
########################


## Visual Check ##

EOF
ls -la /etc/passwd
ls -la /etc/shadow
echo ""
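echo "########################"
echo "######## step 11 #######"
echo "########################"
echo ""
# step 11: r-service trust files. /etc/hosts.equiv, when present, must be
# root-owned and mode 400; per-user .rhosts and .netrc files are removed.
# NOTE(review): hosts.equiv is chowned root:root while passwd/shadow above
# use root:sys — confirm which group is intended.
if [ -f /etc/hosts.equiv ]
then
        if ls -alL /etc/hosts.equiv | grep '.r.-------.*root.*' >/dev/null
        then
                echo "/etc/hosts.equiv perm ok"
        else
                echo "/etc/hosts.equiv perm reset"
                chown root:root /etc/hosts.equiv
                chmod 400 /etc/hosts.equiv
        fi
else
        echo "/etc/hosts.equiv file Not Found is ok"
fi

# Home directories are read one per line so a path containing spaces
# stays intact (the old "for dir in $HOMEDIRS" split on whitespace), and
# every path is quoted before it reaches rm. rm -f is sufficient for a
# regular file; -r was unnecessary.
awk -F: 'length($6) > 0 {print $6}' /etc/passwd | sort -u |
while IFS= read -r dir
do
        for dotfile in .rhosts .netrc
        do
                if [ -f "$dir/$dotfile" ]
                then
                        ls -la "$dir/$dotfile"
                        echo " Delete file $dir/$dotfile "
                        rm -f "$dir/$dotfile"
                fi
        done
done
echo ""
echo "r-service Listen is ..."
echo ""
# exec/login/shell (tcp 512/513/514): anything printed is still listening.
for port in 512 513 514
do
        netstat -na | grep LISTEN | grep "\.$port "
done
echo " "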
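SERVICE_INETD="rsh|rlogin|rexec"

# step 12: r-services must not be enabled in inetd. The old version only
# spoke when nothing was found, so an enabled rsh/rlogin/rexec entry went
# by in silence; active entries are now printed.
if [ -f /etc/inetd.conf ]
then
        FOUND_INETD=$(grep -v '^ *#' /etc/inetd.conf | egrep "$SERVICE_INETD")
        if [ -z "$FOUND_INETD" ]; then
                echo " rsh|rlogin|rexec Not Found "
        else
                echo " rsh|rlogin|rexec Found : disable them in /etc/inetd.conf "
                printf '%s\n' "$FOUND_INETD"
        fi
else
        echo "/etc/inetd.conf file NOT Found"
fi
echo " "
echo ""
echo "rpcinfo is ..."
rpcinfo -p 127.0.0.1 2>&1

echo ""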
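echo "########################"
echo "######## step 13 #######"
echo "########################"
# step 13: /etc/services mode, then the telnet/ftp definitions and listeners.
if [ -f /etc/services ]
then
        if ls -alL /etc/services | grep '...-.--.--.*.*' >/dev/null
        then
                echo "/etc/services file perm ok"
        else
                echo "/etc/services file perm reset"
                chmod 444 /etc/services
        fi
else
        # Reported on stdout like every other finding; the old
        # ">> $HOSTNAME.txt" wrote to a file named after a variable that is
        # often unset, i.e. ".txt" in the current directory.
        echo "/etc/services not found"
fi

echo " "
echo "telnet services is .. "
grep telnet /etc/services
echo " "
echo "telnet Listen is .. "
# The patterns are quoted: an unquoted *.23 is a shell glob, and this
# script ships next to a file named syslogd11.23, so the old "grep *.23"
# became "grep syslogd11.23" and never showed the telnet listener.
netstat -na | grep '\*\.23 '
echo " "
echo "ftp services is .. "
grep ^ftp /etc/services
echo " "
echo "ftp Listen is .. "
# Only port 21 belongs here; the old copy repeated the telnet line.
netstat -na | grep '\*\.21 '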
echo "########################"
echo "######## step 14 #######"
echo "########################"
echo " "
# step 14: anonymous FTP. Show the ftp accounts (tftp excluded), then
# look for an uncommented "anonymous" entry in ftpaccess. Removing that
# configuration is left to the operator; the mv stays commented out.
grep ftp /etc/passwd | grep -v tftp
echo " "
if [ ! -f /etc/ftpd/ftpaccess ] ; then
        echo " /etc/ftpd/ftpaccess file not found "
elif grep -v '^#' /etc/ftpd/ftpaccess | grep anonymous >/dev/null ; then
        echo " Setting requiore Anonymous FTP Delete at /etc/ftpd/ftpaccess "
        echo " #mv /etc/ftpd/ftpaccess /etc/ftpd/ftpaccess.org "
        #mv /etc/ftpd/ftpaccess /etc/ftpd/ftpaccess.org
else
        echo " Anonymous FTP NO Setting"
fi
echo " "
# step 15 repeats step 11 (r-services); step 16 lists the inetd services
# that are not commented out.
printf '%s\n' "########################" "######## step 15 #######" "########################"
echo " "
echo " step 11 same"
echo " "
printf '%s\n' "########################" "######## step 16 #######" "########################"
echo " "
echo " inetd service is ... "
grep -v '^#' /etc/inetd.conf
echo " "
printf '%s\n' "########################" "######## step 17 #######" "########################"
echo " "
echo ""
echo "## Visual Check ##"
echo " "
echo " "
# step 17: print the active (uncommented) lines of each access-control
# file for manual review; nothing is changed.
for secfile in /var/adm/inetd.sec /etc/hosts.allow /etc/hosts.deny
do
        if [ -f "$secfile" ]
        then
                echo "#ls -la $secfile"
                grep -v '^#' "$secfile"
        else
                echo "$secfile net found"
        fi
        echo " "
done
printf '%s\n' "########################" "######## step 18 #######" "########################"
echo " "
# step 18: show the crontab spool listing and cron.allow for manual
# review; nothing is changed here.
echo " ## cron file perm check "
ls -la /var/spool/cron/crontabs

echo " "
echo " ## cron file roll check "
cat /var/adm/cron/cron.allow

echo " "
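echo "########################"
echo "######## step 19 #######"
echo "########################"
echo " "
# step 19: SNMP. The rc.config.d flags are read with comment and export
# lines stripped; any remaining "...=1" means a daemon is enabled.
if cat /etc/rc.config.d/Snmp* 2>/dev/null | grep -v '^#' | grep -v export | grep '=1' >/dev/null ; then
        echo " Snmp started setting "
        echo " Require stop setting "
else
        echo " Snmp stoped setting is ok"
fi

echo " "
echo "Snmp service is ... "
ps -ef | grep snmp | grep -v grep
echo " "
if [ -f /etc/snmpd.conf ] ; then
        # Only an active (uncommented) "community-name: public" counts. The
        # old check also matched commented lines, so a commented-out sample
        # entry would have moved a perfectly good snmpd.conf out of the way.
        if grep -v '^ *#' /etc/snmpd.conf | grep community-name | grep public >/dev/null ; then
                echo " Snmpd.conf community-name: public Found and renamed Snmpd.conf.org"
                mv /etc/snmpd.conf /etc/snmpd.conf.org
        else
                echo " Snmpd.conf community-name: public Not Found is ok"
        fi
else
        echo " /etc/snmpd.conf file not found "
fi
echo " "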
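echo "########################"
echo "######## step 20 #######"
echo "########################"
echo " "

# step 20: finger must be disabled in inetd and nothing should listen on tcp/79.
if grep finger /etc/inetd.conf | grep -v "^#" >/dev/null
then
        grep finger /etc/inetd.conf
        echo "Require finger service delete it "
else
        echo "finger service not used  "
fi
echo " "
echo " Finger Listen is ..."
# Match the port field rather than any "79" in the line: the old
# "grep 79" also hit ports such as 1790 or 8079 and addresses containing 79.
netstat -na | grep tcp | grep '\.79 ' | grep LISTEN

echo " "
echo " "
echo " "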
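echo "########################"
echo "####### bye bye ########"
echo "########################"
echo " "
echo " "
echo " "
echo "#########################"
echo "#  root remote access check"
echo "#########################"
echo ""
# Restrict direct root login to the console. The old code ran
# `cat "console"`, which tries to read a file named console and writes
# nothing into /etc/securetty; the word has to be echoed. grep's exit
# status replaces "-eq 1" so an entry listed more than once is not re-added.
if [ -f /etc/securetty ] ; then
        if grep console /etc/securetty >/dev/null ; then
                echo "/etc/securetty set ok "
        else
                echo console >> /etc/securetty
                echo "/etc/securetty console added "
        fi
else
        echo console > /etc/securetty
        echo "/etc/securetty create ok "
fi
echo ""
echo ""
# PermitRootLogin: only uncommented "yes" lines count (the old "grep -v \#"
# also discarded a live directive that merely had a trailing comment).
# When the directive is absent the file is reported ok, yet sshd then
# uses its compiled-in default — NOTE(review): confirm that default on
# the installed sshd.
SSHD_CONFIG=/opt/ssh/etc/sshd_config
if [ ! -f "$SSHD_CONFIG" ] ; then
        echo "$SSHD_CONFIG not found"
elif grep "PermitRootLogin" "$SSHD_CONFIG" | grep -v '^ *#' | grep yes >/dev/null
then
        echo "sshd_config NO PermitRootLogin set require and sshd restart"
else
        echo "sshd_config NO PermitRootLogin set ok"
fi
echo ""
echo ""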
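echo "#########################"
echo "# umask check"
echo "#########################"

umask
# A umask is acceptable when it clears the write bit for group AND other,
# i.e. its last two octal digits are each one of 2, 3, 6, 7 (022, 027,
# 077, ...). The old test accepted exactly 022, so a stricter 027 was
# "fixed" down to 022 and the profile lines were appended again on every
# run. NOTE(review): this inspects the umask inherited by this script,
# not what a login shell ends up with — verify on a fresh login too.
case "$(umask)" in
*[2367][2367])
        echo " UMASK set ok "
        ;;
*)
        # Append each default only once so repeated runs stay idempotent.
        grep '^umask 022' /etc/profile >/dev/null 2>&1 || echo "umask 022" >> /etc/profile
        grep '^UMASK=0022' /etc/default/security >/dev/null 2>&1 || echo "UMASK=0022" >> /etc/default/security
        echo " UMASK 0022 Set"
        ;;
esac

echo ""
echo ""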

echo "#########################"
echo "# SUID SGID check "
echo "#########################"

# List every root-owned setuid/setgid regular file on local filesystems
# (-xdev stops at mount points) for manual review; nothing is changed.
find / -user root -type f \( -perm -04000 -o -perm -02000 \) -xdev -exec ls -al {} \;

# The fixed list below was the earlier approach and is kept for reference.
#FILECHECK="/opt/perf/bin/glance /usr/dt/bin/dtprintinfo /usr/sbin/swreg /opt/perf/bin/gpm /usr/sbin/arp /usr/sbin/swremove /opt/video/lbin/camServer /usr/sbin/lanadmin /usr/contrib/bin/traceroute /usr/bin/at /usr/sbin/landiag /usr/dt/bin/dtappgather /usr/bin/lpalt /usr/sbin/lpsched /usr/sbin/swmodify /usr/bin/mediainit /usr/sbin/swacl /usr/sbin/swpackage /usr/bin/newgrp /usr/sbin/swconfig /usr/bin/rdist /usr/sbin/swinstall"
#
#for check in $FILECHECK
#do
#        if [ -f "$check" ]
#        then
#                ls -la "$check"
#        else
#                echo "$check no exist"
#        fi
#done

echo ""
echo ""
echo "#########################"
echo "# NFS service check"
echo "#########################"

echo " "
echo " IF Not USED NFS service stop AND mountd daemon stop "
echo " "
# Show the running NFS-related processes; the trailing "grep -v grep"
# drops the grep command itself from the ps listing.
for daemon in mountd nfs
do
        ps -ef | grep "$daemon" | grep -v grep
done


echo "#########################"
echo "# automountd service check"
echo "#########################"

echo " "
echo " Must Be stop automount daemon ..."

echo " "
ps -ef | grep automount | grep -v grep
echo " "
echo " "
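echo "#########################"
echo "# PATH secure check "
echo "#########################"


# Show where PATH is set for root and for all users, then actually test
# the PATH this script runs with for a current-directory entry: ".",
# a "./"-relative entry, or an empty component (leading, trailing or
# doubled colon). The old version only printed the assignments and left
# the "." search to the reader.
# NOTE(review): this is the PATH inherited by the script, which may
# differ from what /etc/profile gives a login shell.
grep PATH= /.profile
grep PATH= /etc/profile

echo " ## . findout . delete "
case ":$PATH:" in
*:.:*|*::*|*:./*)
        echo " PATH contains the current directory (. or empty entry) : $PATH"
        ;;
*)
        echo " PATH has no current directory entry "
        ;;
esac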
 
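echo "#########################"
echo "# netstat -na"
echo "#########################"
# Listening sockets show a "*." wildcard address on HP-UX. The pattern is
# quoted so the shell cannot expand "*." as a glob against the current
# directory before grep sees it.
netstat -na | grep '\*\.'

# Self-cleanup: the check scripts and the archive they came from are
# removed relative to the current directory, so this must be run from
# the extracted script directory. These are plain files; -r is not needed.
rm -f hpux.sh linux2632.sh runme.sh syslogd11.23 hpux.sh11.23 linux269.sh syslogd ../script*.tar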

 
