系統安全檢查

以下是個人用在 Server 上進行安全性檢查的 Script, 放在 /etc/cron.daily 中每日執行乙次！

security.check.sh

#!/bin/bash
CHECKDAY=$(date +%Y-%m-%d)
LOGDAY=$(date -d"1 day ago" +%Y%m%d)
[email protected]
# 檢查 Gentoo 安全公告
# 做此項檢查必須安裝 app-portage/gentoolkit
/usr/bin/glsa-check -l | grep "[N]" > /tmp/security.check
if [ -s /tmp/security.check ]
then
  /bin/mailx -s "$CHECKDAY GLSA Security Check List" $EMAIL < /tmp/security.check
fi
# 檢查 rootkit 木馬
/usr/sbin/chkrootkit | grep -v "not" | grep -v "packlist" > /tmp/chkrootkit.log
/bin/mailx -s "$CHECKDAY Rootkit Check List" $EMAIL < /tmp/chkrootkit.log
# 檢查檔案特殊屬性
/bin/lsattr /sbin | /bin/grep -v ^------------- > /tmp/lsattr.lst
/bin/lsattr /bin | /bin/grep -v ^------------- >> /tmp/lsattr.lst
/bin/lsattr /usr/bin  | /bin/grep -v ^------------- >> /tmp/lsattr.lst
/bin/lsattr /usr/sbin | /bin/grep -v ^------------- >> /tmp/lsattr.lst
/bin/mailx -s "$CHECKDAY lsattr check list" $EMAIL < /tmp/lsattr.lst
# 檢查 sshd 登入狀態 及 /var/log/messes 中的錯誤記錄
/bin/grep "failure" /var/log/sshd/$LOGDAY.log > /tmp/sshd.check
/bin/grep "failure" /var/log/messages/$LOGDAY.log >> /tmp/sshd.check
/bin/mailx -s "$CHECKDAY sshd login status" $EMAIL < /tmp/sshd.check

另外 gentoo 也包了 rkhunter 檢查工具，請先 emerge rkhunter 後，修改 /etc/cron.daily/rkhunter 內容：

/etc/cron.daily/rkhunter

########################## Begin Configuration ###############################
# Default options - more options may be added depending on the
# configuration variables you set below
RKHUNTER_OPTS="-c --cronjob --skip-keypress"
# Set this to 'yes' to enable ; this script does nothing otherwise
ENABLE=yes
# Automatically update rkhunter's dat files prior to running?
UPDATE=yes
# Set this to 'yes' if you wish the output to be mailed to you
SEND_EMAIL=yes
# NOTE: the following EMAIL_* variables are only relevant if you set the
# SEND_EMAIL variable to 'yes'
EMAIL_SUBJECT="${HOSTNAME}: rkhunter output"
EMAIL_RECIPIENT=root
EMAIL_CMD="|mail -s "${EMAIL_SUBJECT}" ${EMAIL_RECIPIENT}"
# Log rkhunter output?
LOG=yes
# The default log location is /var/log/rkhunter.log. Set this variable if
# you'd like to use an alternate location.
#LOGFILE=""
# By default, the log file created by rkhunter is world-readable (0644). If
# you'd like to modify the permissions afterwards, set this variable.  The 
# value of this variable, must be a valid chmod argument such as '0600' or 
# 'u+rw,go-rwx'.  See the chmod(1) manual page for more information.
LOGFILE_PERMS="0600"
# By default, rkhunter overwrites the previous log.  Set this variable
# to 'yes' if you'd like the log output appended to the logfile, instead
# of overwriting it.
SAVE_OLD_LOGS=no
# Set to 1 to recieve only warnings & errors
# Set to 2 to recieve ALL rkhunter output
# Set to 3 to recieve rkhunter report
VERBOSITY=1
########################### End Configuration ################################