January 14, 2005

System Security Check

Below is the script I use for security checks on my servers. It lives in /etc/cron.daily and runs once a day.

security.check.sh
#!/bin/bash
CHECKDAY=$(date +%Y-%m-%d)
LOGDAY=$(date -d "1 day ago" +%Y%m%d)
EMAIL=root@your.domain.com

# Fresh scratch directory for every run. Fixed file names in /tmp are a
# symlink/race target for local users when root is the one writing, so
# use mktemp instead and clean up on exit.
TMP=$(mktemp -d /tmp/security.check.XXXXXX) || exit 1
trap 'rm -rf "$TMP"' EXIT

# Check Gentoo security advisories (requires app-portage/gentoolkit).
# glsa-check -l marks each GLSA as [A] applied, [U] affected and not yet
# applied, or [N] not affected. The brackets must be escaped: an unescaped
# "[N]" is a character class that matches any line containing an N.
/usr/bin/glsa-check -l | grep '\[U\]' > "$TMP/security.check"

if [ -s "$TMP/security.check" ]; then
    /bin/mailx -s "$CHECKDAY GLSA Security Check List" "$EMAIL" < "$TMP/security.check"
fi

# Check for rootkits. Drop the "not infected" / "not found" / "nothing
# found" lines so only hits and warnings remain.
/usr/sbin/chkrootkit | grep -v "not" | grep -v "packlist" > "$TMP/chkrootkit.log"
/bin/mailx -s "$CHECKDAY Rootkit Check List" "$EMAIL" < "$TMP/chkrootkit.log"

# Check for files with special ext2/ext3 attributes (immutable, append-only,
# ...) in the binary directories. Lines whose attribute field is all dashes
# are ordinary files and are filtered out.
for dir in /sbin /bin /usr/bin /usr/sbin; do
    /bin/lsattr "$dir" | /bin/grep -v '^-------------'
done > "$TMP/lsattr.lst"

/bin/mailx -s "$CHECKDAY lsattr check list" "$EMAIL" < "$TMP/lsattr.lst"

# Check sshd login status and failures recorded in /var/log/messages.
# The logs on this box are split into one YYYYMMDD.log file per day.
/bin/grep "failure" "/var/log/sshd/$LOGDAY.log" > "$TMP/sshd.check"
/bin/grep "failure" "/var/log/messages/$LOGDAY.log" >> "$TMP/sshd.check"
/bin/mailx -s "$CHECKDAY sshd login status" "$EMAIL" < "$TMP/sshd.check"
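The sshd check above mails raw grep output, which gets long on an Internet-facing host. The following is an added example, not code from the original page: a small report that counts failed logins per source address and lists the accepted logins for the day, so the mail shows who is hammering the box and who actually got in. It assumes standard OpenSSH syslog lines ("sshd[PID]: Failed password for ... from A.B.C.D ..." and "sshd[PID]: Accepted <method> for <user> from A.B.C.D ..."); the sample log lines are constructed. One caveat it also illustrates: the word "failure" appears only in PAM's "authentication failure" line, not in sshd's own "Failed password" lines, so a grep for "failure" sees nothing unless PAM is logging too.

```shell
#!/bin/sh
# Added example, not part of the original security.check.sh: summarise one
# day's sshd log instead of mailing raw "grep failure" output.  Assumes the
# usual OpenSSH syslog lines ("... sshd[PID]: Failed password for ... from
# A.B.C.D ..." / "... sshd[PID]: Accepted <method> for <user> from A.B.C.D").

# Sources that produced at least $1 sshd "Failed ..." lines (default 1),
# printed as "count address", busiest first.  Log lines come in on stdin.
failed_logins_by_source() {
    min=${1:-1}
    awk -v min="$min" '
        /sshd\[[0-9]+\]: Failed / {
            for (i = 1; i <= NF; i++) if ($i == "from") { src[$(i + 1)]++; break }
        }
        END { for (ip in src) if (src[ip] >= min) print src[ip], ip }
    ' | sort -rn
}

# Successful logins as "user method address", one per line, in log order.
accepted_logins() {
    awk '
        /sshd\[[0-9]+\]: Accepted / {
            for (i = 1; i <= NF; i++) {
                if ($i == "Accepted") method = $(i + 1)
                else if ($i == "for") user = $(i + 1)
                else if ($i == "from") { print user, method, $(i + 1); break }
            }
        }
    '
}

# Daily report for one log file: $1 = path, $2 = failure threshold (default 5).
# Cron usage: sshd_report /var/log/sshd/$LOGDAY.log 5 | mailx -s "..." root
sshd_report() {
    printf '== sources with at least %s failed logins ==\n' "${2:-5}"
    failed_logins_by_source "${2:-5}" < "$1"
    printf '\n== accepted logins ==\n'
    accepted_logins < "$1"
}

# Constructed sample of one day's log (RFC 5737 test addresses).  Note that
# only the PAM line contains the word "failure"; sshd's own lines say "Failed".
sample_log() {
    cat <<'EOF'
Jan 13 03:12:44 srv sshd[12345]: Failed password for invalid user admin from 203.0.113.5 port 41122 ssh2
Jan 13 03:12:44 srv sshd(pam_unix)[12345]: authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=203.0.113.5 user=admin
Jan 13 03:12:47 srv sshd[12346]: Failed password for root from 203.0.113.5 port 41130 ssh2
Jan 13 03:15:01 srv sshd[12350]: Accepted publickey for deploy from 198.51.100.7 port 50211 ssh2
Jan 13 03:16:10 srv sshd[12351]: Failed password for invalid user test from 198.51.100.20 port 3312 ssh2
Jan 13 04:00:02 srv sshd[12360]: Failed password for root from 203.0.113.5 port 41300 ssh2
EOF
}

# Demonstration run against the constructed sample with a threshold of 2.
demo() {
    f=$(mktemp) || return 1
    sample_log > "$f"
    sshd_report "$f" 2
    rm -f "$f"
}
demo
```

In the cron script, replace the two grep lines with `sshd_report "/var/log/sshd/$LOGDAY.log" 5 > "$TMP/sshd.check"` and keep the mailx line; the PAM lines in /var/log/messages describe the same attempts and can be dropped from the report.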

Gentoo also packages the rkhunter scanner. Run emerge rkhunter first, then edit /etc/cron.daily/rkhunter so its configuration block reads as follows:

/etc/cron.daily/rkhunter
########################## Begin Configuration ###############################

# Default options - more options may be added depending on the
# configuration variables you set below
RKHUNTER_OPTS="-c --cronjob --skip-keypress"

# Set this to 'yes' to enable ; this script does nothing otherwise
ENABLE=yes

# Automatically update rkhunter's dat files prior to running?
UPDATE=yes

# Set this to 'yes' if you wish the output to be mailed to you
SEND_EMAIL=yes

# NOTE: the following EMAIL_* variables are only relevant if you set the
# SEND_EMAIL variable to 'yes'
EMAIL_SUBJECT="${HOSTNAME}: rkhunter output"
EMAIL_RECIPIENT=root
EMAIL_CMD="|mail -s "${EMAIL_SUBJECT}" ${EMAIL_RECIPIENT}"

# Log rkhunter output?
LOG=yes

# The default log location is /var/log/rkhunter.log. Set this variable if
# you'd like to use an alternate location.
#LOGFILE=""

# By default, the log file created by rkhunter is world-readable (0644). If
# you'd like to modify the permissions afterwards, set this variable. The
# value of this variable must be a valid chmod argument such as '0600' or
# 'u+rw,go-rwx'. See the chmod(1) manual page for more information.
LOGFILE_PERMS="0600"

# By default, rkhunter overwrites the previous log. Set this variable
# to 'yes' if you'd like the log output appended to the logfile, instead
# of overwriting it.
SAVE_OLD_LOGS=no

# Set to 1 to receive only warnings & errors
# Set to 2 to receive ALL rkhunter output
# Set to 3 to receive rkhunter report
VERBOSITY=1

########################### End Configuration ################################