很多时候我们需要进行服务器巡查,但是每台服务器都逐台手工检查费时费力。下面是一个一键巡检脚本(需以root运行,报告写入本机),直接看脚本即可。



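#!/bin/bash
# Host inspection script. Collects system, resource, network, user, password,
# sudo, firewall, SSH, syslog, SNMP, NTP and package information and writes a
# per-host report under $LOGPATH. Must run as root (it reads /etc/shadow and
# the per-user crontabs).
#参数定义
date=$(date +"%Y-%m-%d-%H:%M:%S")
# Release string such as "7.9.2009"; the other sections compare it with 7.
# The first number in /etc/redhat-release is taken instead of the
# second-to-last word: for "CentOS Stream release 9" that word is "release".
# VERSION_ID from /etc/os-release is the fallback for hosts without the file.
centosVersion=$(grep -oE '[0-9]+(\.[0-9]+)*' /etc/redhat-release 2>/dev/null | head -n1)
[ -n "$centosVersion" ] || centosVersion=$(. /etc/os-release 2>/dev/null && printf '%s' "${VERSION_ID:-}")
VERSION=$(date +%F)
#root用户执行脚本
[ "$(id -u)" -gt 0 ] && echo "请用root用户执行此脚本!" && exit 1
#日志相关
# The report lists sudo rules, authorized_keys comments, listening sockets and
# account details, so other local users must not be able to read it or to
# plant its path. /tmp is world-writable: refuse a pre-existing $LOGPATH that
# is a symlink or not owned by root, create it mode 700, and write files 0600.
umask 077
LOGPATH="/tmp/awr"
if [ -L "$LOGPATH" ] || { [ -e "$LOGPATH" ] && [ ! -O "$LOGPATH" ]; };then
echo "日志目录 $LOGPATH 是符号链接或不属于root,拒绝写入,请检查后删除!" >&2
exit 1
fi
[ -d "$LOGPATH" ] || mkdir -p -m 700 "$LOGPATH" || exit 1
RESULTFILE="$LOGPATH/HostCheck-$(hostname)-$(date +%Y%m%d).txt"
#调用函数库
[ -f /etc/init.d/functions ] && source /etc/init.d/functions
export PATH=/usr/local/sbin:/usr/local/bin:/sbin:/bin:/usr/sbin:/usr/bin:/root/bin
# NOTE(review): sourcing /etc/profile executes every /etc/profile.d/*.sh as
# root. On a host that is being inspected because it may be compromised, that
# is itself a code-execution path; PATH is already set above, so consider
# removing this line.
source /etc/profile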
function version(){
# Report header: two blank lines, then the start timestamp (global $date,
# set at script start) and the short hostname.
printf '\n\n'
printf '[%s] >>> %s 主机巡检\n' "${date}" "$(hostname -s)"
}
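function getSystemStatus(){
# System section: release, kernel, hostname, SELinux state, locale, clock and
# uptime. Runs under LANG=en_US.UTF-8 so the parsed command output is stable,
# then restores the locale that was in effect before.
local saved_lang release kernel os host selinux last_reboot up
echo ""
echo -e "\033[33m*************************************************系统检查*************************************************\033[0m"
if [ -e /etc/sysconfig/i18n ];then
saved_lang="$(grep "LANG=" /etc/sysconfig/i18n | grep -v "^#" | awk -F '"' '{print $2}')"
else
saved_lang=$LANG
fi
export LANG="en_US.UTF-8"
release=$(cat /etc/redhat-release 2>/dev/null)
kernel=$(uname -r)
os=$(uname -o)
host=$(uname -n)
# sestatus (policycoreutils) may be absent; fall back to getenforce instead of
# writing "command not found" into the report. Note the vocabularies differ:
# sestatus reports enabled/disabled, getenforce Enforcing/Permissive/Disabled.
if command -v sestatus >/dev/null 2>&1;then
selinux=$(sestatus | grep "SELinux status: " | awk '{print $3}')
elif command -v getenforce >/dev/null 2>&1;then
selinux=$(getenforce 2>/dev/null)
else
selinux="unknown"
fi
last_reboot=$(who -b 2>/dev/null | awk '{print $3,$4}')
up=$(uptime | sed 's/.*up \([^,]*\), .*/\1/')
echo " 系统:$os"
echo " 发行版本:$release"
echo " 内核:$kernel"
echo " 主机名:$host"
echo " SELinux:$selinux"
echo "语言/编码:$saved_lang"
echo " 当前时间:$(date +'%F %T')"
echo " 最后启动:$last_reboot"
echo " 运行时间:$up"
export LANG="$saved_lang"
}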
function getCpuStatus(){
# CPU section; every value comes from /proc/cpuinfo or uname -m.
local sockets logical cores_per_socket model arch
echo ""
echo -e "\033[33m*************************************************CPU检查***********************************************\033[0m"
sockets=$(grep "physical id" /proc/cpuinfo | sort | uniq | wc -l)
logical=$(grep -c "processor" /proc/cpuinfo)
cores_per_socket=$(grep "cores" /proc/cpuinfo | uniq | awk -F ': ' '{print $2}')
model=$(grep "model name" /proc/cpuinfo | awk -F ': ' '{print $2}' | sort | uniq)
arch=$(uname -m)
printf '%s\n' "物理CPU个数:$sockets" "逻辑CPU个数:$logical" "每CPU核心数:$cores_per_socket" " CPU型号:$model" " CPU架构:$arch"
}
function getMemStatus(){
# Memory section: prints the free(1) table, then fills the report variables
# from /proc/meminfo (KB). MemUsed is total minus MemFree, i.e. buffers and
# page cache count as used here.
echo ""
echo -e "\033[33m********************************************内存检查**************************************************\033[0m"
# "free -o" (no buffers/cache line) only exists in the old procps shipped before 7
if [[ $centosVersion < 7 ]];then free -mo; else free -h; fi
#报表信息
MemTotal=$(awk '/MemTotal/{print $2}' /proc/meminfo)
MemFree=$(awk '/MemFree/{print $2}' /proc/meminfo)
MemUsed=$((MemTotal-MemFree))
MemPercent=$(awk -v t="$MemTotal" -v u="$MemUsed" 'BEGIN {if(t==0){printf 100}else{printf "%.2f",u*100/t}}')
}
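function getDiskStatus(){
# Disk section: one joined table of space (df -hTP) and inode (df -hiP) usage,
# then report totals in KB with tmpfs excluded.
# The two df outputs are joined through process substitution rather than via
# fixed-name files /tmp/disk and /tmp/inode: this script runs as root, and a
# fixed name under world-writable /tmp can be pre-created or symlinked by any
# local user, so root would follow it and overwrite whatever it points at.
echo ""
echo -e "\033[33m***********************************************磁盘检查***************************************************\033[0m"
join <(df -hTP | sed 's/Mounted on/Mounted/') <(df -hiP | sed 's/Mounted on/Mounted/') \
| awk '{print $1,$2,"|",$3,$4,$5,$6,"|",$8,$9,$10,$11,"|",$12}' | column -t
#报表信息
diskdata=$(df -TP | sed '1d' | awk '$2!="tmpfs"{print}') #KB
disktotal=$(echo "$diskdata" | awk '{total+=$3}END{print total+0}') #KB
diskused=$(echo "$diskdata" | awk '{total+=$4}END{print total+0}') #KB
diskfree=$((disktotal-diskused)) #KB
diskusedpercent=$(awk -v t="$disktotal" -v u="$diskused" 'BEGIN{if(t==0){printf 100}else{printf "%.2f",u*100/t}}')
inodedata=$(df -iTP | sed '1d' | awk '$2!="tmpfs"{print}')
inodetotal=$(echo "$inodedata" | awk '{total+=$3}END{print total+0}')
inodeused=$(echo "$inodedata" | awk '{total+=$4}END{print total+0}')
inodefree=$((inodetotal-inodeused))
inodeusedpercent=$(awk -v t="$inodetotal" -v u="$inodeused" 'BEGIN{if(t==0){printf 100}else{printf "%.2f",u*100/t}}')
}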
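function get_resource(){
# Resource section: average NIC throughput over five 2-second samples, CPU
# user+system over five 1-second vmstat samples, disk usage, memory usage.
# Fixes relative to the original:
#  - the NIC name was grepped inside single quotes ('${nic[$i]}'), so the
#    pattern was the literal text and every counter read as empty;
#  - the sample counter was never reset, so only the first NIC got sampled;
#  - per-sample results were appended to the fixed path /tmp/network.txt by
#    root (symlink-able by any local user) and read back by grepping the
#    minute; everything is now summed in memory;
#  - ifconfig is not installed on minimal CentOS 7+; /proc/net/dev is used;
#  - the disk warning compared "86%" as a string, which missed 100%;
#  - the memory formula used an undefined $free and free(1) column numbers
#    that changed in procps-ng 3.3.10 ("buff/cache"/"available").
echo ""
echo -e "\033[33m***********************************************资源消耗统计********************************************\033[0m"
echo -e "\033[36m*******带宽资源消耗统计**********\033[0m"
local nics nic sample rx0 tx0 rx1 tx1 rx_sum tx_sum In_Speed Out_Speed
nics=$(awk -F: 'NR>2{gsub(/ /,"",$1); print $1}' /proc/net/dev | grep -vE '^(lo|docker0)$')
for nic in $nics;do
rx_sum=0; tx_sum=0
# Five samples so a single burst does not dominate. The name is matched as a
# whole field, otherwise "eth1" would also match "eth10".
for sample in 1 2 3 4 5;do
read -r rx0 tx0 < <(awk -v n="$nic" -F'[: ]+' '$2==n{print $3,$11}' /proc/net/dev)
sleep 2
read -r rx1 tx1 < <(awk -v n="$nic" -F'[: ]+' '$2==n{print $3,$11}' /proc/net/dev)
# bytes over 2 s -> Mbit/s; integer arithmetic, as in the original
rx_sum=$((rx_sum + (${rx1:-0}-${rx0:-0})/1024/1024/2*8))
tx_sum=$((tx_sum + (${tx1:-0}-${tx0:-0})/1024/1024/2*8))
done
In_Speed=$(awk -v s="$rx_sum" 'BEGIN{printf "%.2f", s/5}')
Out_Speed=$(awk -v s="$tx_sum" 'BEGIN{printf "%.2f", s/5}')
echo -e "\033[32m $nic In_Speed_average: $In_Speed Mbps Out_Speed_average: $Out_Speed Mbps! \033[0m"
done
echo -e "\033[36m**********CPU资源消耗统计*******\033[0m"
# vmstat 1 6: drop the two header lines and the first sample (averages since
# boot), leaving five 1-second samples of us+sy (columns 13 and 14).
local cpu_average
cpu_average=$(vmstat 1 6 | awk 'NR>3{x+=$13+$14;n++}END{if(n==0)n=1;printf "%.2f",x/n}')
if awk -v c="$cpu_average" 'BEGIN{exit !(c>70)}';then
echo -e "\033[31m Total CPU is already use: ${cpu_average}%,请及时处理!\033[0m"
else
echo -e "\033[32m Total CPU is already use: ${cpu_average}%! \033[0m"
fi
echo -e "\033[36m*******磁盘资源消耗统计*******\033[0m"
local disk_used disk_total disk_percent disk_warning
# -P keeps each filesystem on one line (long device names otherwise wrap)
disk_used=$(df -mP | awk 'NR>1{u+=$3}END{print u+0}')
disk_total=$(df -mP | awk 'NR>1{t+=$2}END{print t+0}')
disk_percent=$(awk -v u="$disk_used" -v t="$disk_total" 'BEGIN{if(t==0){printf "0.00"}else{printf "%.2f",u*100/t}}')
# strip the % before comparing, so 100% and 9% are handled numerically
disk_warning=$(df -mP | awk 'NR>1{p=$5;sub(/%/,"",p);if(p+0>85)print $6 "目录使用率:" $5}')
echo -e "\033[32m Total disk has used: $disk_percent% \033[0m"
if [ -n "$disk_warning" ];then
echo -e "\033[31m${disk_warning} \n [Error]以上目录使用率超过85%,请及时处理!\033[0m"
fi
echo -e "\033[36m*******内存资源消耗统计*******\033[0m"
local mem_total mem_free buffers cached mem_used actual_used sys_percent actual_percent
# /proc/meminfo (KB -> MB) instead of free(1) column positions.
read -r mem_total mem_free buffers cached < <(awk '/^MemTotal:/{t=$2}/^MemFree:/{f=$2}/^Buffers:/{b=$2}/^Cached:/{c=$2}END{printf "%d %d %d %d",t/1024,f/1024,b/1024,c/1024}' /proc/meminfo)
mem_used=$((mem_total-mem_free))
# "actual" use excludes buffers and page cache, which the kernel reclaims on demand
actual_used=$((mem_used-buffers-cached))
sys_percent=$(awk -v u="$mem_used" -v t="$mem_total" 'BEGIN{if(t==0){printf "0.00"}else{printf "%.2f",u*100/t}}')
actual_percent=$(awk -v u="$actual_used" -v t="$mem_total" 'BEGIN{if(t==0){printf "0.00"}else{printf "%.2f",u*100/t}}')
echo -e "\033[32m system memery is already use: $sys_percent% \033[0m"
echo -e "\033[32m actual memery is already use: $actual_percent% \033[0m"
echo -e "\033[32m buffer is already used : $buffers M \033[0m"
echo -e "\033[32m cache is already used : $cached M \033[0m"
}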
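function getServiceStatus(){
# Service section: enabled units and running services. systemd is used when
# the major release is 7 or newer, chkconfig/service otherwise. The major
# number is compared numerically: the original string test
# [[ $centosVersion > 7 ]] is false for a bare "7" and only worked because a
# minor version happened to be appended.
local major conf process
major=${centosVersion%%.*}
echo ""
echo -e "\033[33m*******************************************服务检查*************************************************\033[0m"
echo ""
if [[ $major =~ ^[0-9]+$ ]] && (( major >= 7 ));then
conf=$(systemctl list-unit-files --type=service --state=enabled --no-pager | grep "enabled")
process=$(systemctl list-units --type=service --state=running --no-pager | grep ".service")
else
conf=$(/sbin/chkconfig 2>/dev/null | grep -E ":on|:启用")
process=$(/sbin/service --status-all 2>/dev/null | grep -E "is running|正在运行")
fi
echo -e "\033[36m************服务配置************\033[0m"
echo "$conf" | column -t
echo ""
echo -e "\033[36m********正在运行的服务**********\033[0m"
echo "$process"
}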
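function getAutoStartStatus(){
# Startup-command section: the non-comment lines of rc.local.
# On systemd hosts rc-local.service runs the file only when it is executable,
# so the mode is reported as well: a non-executable rc.local is inert, an
# executable one is a classic persistence location worth reading closely.
local rc_file conf
echo ""
echo -e "\033[33m*****************************************自启动检查*************************************************\033[0m"
echo -e "\033[36m**********自启动命令***********\033[0m"
for rc_file in /etc/rc.d/rc.local /etc/rc.local;do
[ -f "$rc_file" ] || continue
# /etc/rc.local is usually a symlink to /etc/rc.d/rc.local; list it once
[ "$rc_file" = /etc/rc.local ] && [ /etc/rc.local -ef /etc/rc.d/rc.local ] && continue
if [ -x "$rc_file" ];then echo "$rc_file (可执行)";else echo "$rc_file (不可执行,开机不会运行)";fi
conf=$(grep -v "^#" -- "$rc_file" | sed '/^$/d')
echo "$conf"
done
}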
function getLoginStatus(){
# Login section: the ten newest wtmp entries as printed by last(1).
echo ""
echo -e "\033[33m******************************************登录检查**************************************************\033[0m"
last | head -n 10
}
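function getNetworkStatus(){
# Network section: addresses per interface, default gateway, resolvers and an
# egress probe. The original's pre-7 branch was corrupted into "grep -v i"
# followed by a bare line "net6": that dropped every line containing the
# letter i and then tried to run a command named net6. The intent, dropping
# inet6 lines, is restored.
local major iface gateway dns
major=${centosVersion%%.*}
echo ""
echo -e "\033[33m******************************************网络检查**************************************************\033[0m"
if [[ $major =~ ^[0-9]+$ ]] && (( major < 7 ));then
/sbin/ifconfig -a | grep -v packets | grep -v collisions | grep -v inet6
else
#ip a
# "ip -o link" gives one line per interface; "@lower" suffixes (vlan/veth)
# are stripped so "ip addr show" accepts the name.
for iface in $(ip -o link | awk -F': ' '{print $2}' | sed 's/@.*//' | grep -v '^lo$');do
ip addr show "$iface" | grep -E "BROADCAST|global" | awk '{print $2}' | tr '\n' ' '
echo ""
done
fi
gateway=$(ip route | awk '/^default/{print $3}')
dns=$(grep nameserver /etc/resolv.conf 2>/dev/null | grep -v "#" | awk '{print $2}' | tr '\n' ',' | sed 's/,$//')
echo ""
echo "网关:$gateway "
echo "DNS:$dns"
#报表信息
IP=$(ip -f inet addr | grep -v 127.0.0.1 | grep inet | awk '{print $NF,$2}' | tr '\n' ',' | sed 's/,$//')
MAC=$(ip link | grep -v "LOOPBACK\|loopback" | awk '{print $2}' | sed 'N;s/\n//' | tr '\n' ',' | sed 's/,$//')
echo ""
# Egress probe. NOTE(review): this sends ICMP to a public host from every
# audited machine; on networks that forbid direct internet access a probe to
# an internal gateway or package mirror is the better target. -W bounds the
# wait so an unreachable host does not stall the report.
if ping -c 4 -W 2 www.baidu.com >/dev/null 2>&1;then
echo ""
echo -e "\033[32m网络连接:正常!\033[0m"
else
echo ""
echo -e "\033[31m网络连接:异常!\033[0m"
fi
}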
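function getListenStatus(){
# Listening-socket section. -p adds the owning PID/program name (the script
# already requires root, so this is available for every socket): a listener
# list without the process behind it is of little use when looking for an
# unexpected bind.
echo ""
echo -e "\033[33m*****************************************监听检查**************************************************\033[0m"
ss -ntulp 2>/dev/null | column -t
}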
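function getCronStatus(){
# Scheduled-task section. Per-user crontabs are read from the spool directory
# instead of being enumerated via /etc/shells: cron runs a job for any account
# that has a spool file, including accounts whose shell is nologin or is not
# listed in /etc/shells, which is exactly where a planted job hides. The
# system-wide locations (/etc/crontab, /etc/cron.d, the cron.* run-parts
# directories, anacron) are listed as well. Files are shown verbatim, comments
# included, so nothing is filtered out of a forensic view.
local spool f user
echo ""
echo -e "\033[33m****************************************计划任务检查************************************************\033[0m"
Crontab=0
for spool in /var/spool/cron /var/spool/cron/crontabs;do
[ -d "$spool" ] || continue
for f in "$spool"/*;do
[ -f "$f" ] || continue
user=${f##*/}
echo -e "\033[36m******$user用户的定时任务***********\033[0m"
cat -- "$f"
Crontab=$((Crontab + $(wc -l < "$f")))
echo ""
done
done
echo -e "\033[36m******系统计划任务文件***********\033[0m"
for f in /etc/crontab /etc/anacrontab /etc/cron.d/* /etc/cron.hourly/* /etc/cron.daily/* /etc/cron.weekly/* /etc/cron.monthly/*;do
[ -f "$f" ] || continue
ls -l -- "$f"
Crontab=$((Crontab+1))
done
}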
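function getHowLongAgo(){
# Print how long ago a timestamp was, as "<days> 天 <hours> 小时前".
# Argument: a date string accepted by GNU "date -d" (all arguments joined).
# Returns 1 and prints nothing for an empty or unparsable argument; the
# original printed a stat(1) line for an empty argument and then went on to
# measure from today's midnight.
# Days and hours are integer division of the elapsed seconds. The original's
# subtraction loops stopped while "remaining - 86400 > 1", so an elapsed time
# of exactly one day was reported as "0 天 23 小时前".
local datetime ts now diff days hours
datetime="$*"
[ -z "$datetime" ] && return 1
ts=$(date +%s -d "$datetime" 2>/dev/null) || return 1
now=$(date +%s)
diff=$((now-ts))
(( diff < 0 )) && diff=0
days=$((diff/86400))
hours=$(((diff%86400)/3600))
echo "$days 天 $hours 小时前"
}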
function getUserLastLogin(){
# Print the most recent login time of user $1 (default: the current user) with
# the year, as "YYYY-MM-DD HH:MM:SS", or "从未登录过" when wtmp has no entry.
# last(1) does not print the year, and "last -t YYYYMMDDHHMMSS" only lists
# logins before a given instant. So the number of logins before now is
# compared with the number before 1 January of a candidate year: when they
# differ, the newest login happened in that year, and that year is appended
# to last's date text before it is normalised with date -d.
# The search starts at the current year and walks back to the year of the
# oldest wtmp record (final field of the last line of "last" output).
# NOTE(review): "last $username | grep $username" also counts other accounts
# whose names contain $username as a substring; use grep -w if that matters.
username=$1
: ${username:="`whoami`"}
thisYear=$(date +%Y)
oldesYear=$(last | tail -n1 | awk '{print $NF}')
while(( $thisYear >= $oldesYear));do
loginBeforeToday=$(last $username | grep $username | wc -l)
loginBeforeNewYearsDayOfThisYear=$(last $username -t $thisYear"0101000000" | grep $username | wc -l)
if [ $loginBeforeToday -eq 0 ];then
echo "从未登录过"
break
elif [ $loginBeforeToday -gt $loginBeforeNewYearsDayOfThisYear ];then
# fields 4..NF-3 of the newest line are last's date text (e.g. "Mon Jan 1 10:00")
lastDateTime=$(last -i $username | head -n1 | awk '{for(i=4;i<(NF-2);i++)printf"%s ",$i}')" $thisYear"
lastDateTime=$(date "+%Y-%m-%d %H:%M:%S" -d "$lastDateTime")
echo "$lastDateTime"
break
else
thisYear=$((thisYear-1))
fi
done
}
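function getUserStatus(){
# User section: age of /etc/passwd, UID-0 accounts, a table of interactive
# accounts with their last login, empty-password accounts, duplicate UIDs.
# Interactive accounts are those whose shell is not nologin/false, instead of
# those whose shell appears in /etc/shells: a backdoor account can be given
# any login shell (e.g. /usr/bin/python) without it being listed there.
local pwdfile Modify user username uid gid home shell userLastLogin r
echo ""
echo -e "\033[33m**********************************************用户检查*************************************************\033[0m"
#/etc/passwd 最后修改时间
pwdfile="$(cat /etc/passwd)"
Modify=$(stat /etc/passwd | grep Modify | tr '.' ' ' | awk '{print $2,$3}')
echo "/etc/passwd: $Modify ($(getHowLongAgo "$Modify"))"
echo ""
echo -e "\033[36m************特权用户************\033[0m"
RootUser=""
# UID 0 straight from the passwd field: id(1) consults NSS and can be fooled
# by a malformed line, and a second UID-0 entry is the classic passwd backdoor.
for user in $(echo "$pwdfile" | awk -F: '$3==0{print $1}');do
echo "$user"
RootUser="$RootUser,$user"
done
echo ""
echo -e "\033[36m************用户列表************\033[0m"
echo "$(
echo "用户名 UID GID HOME SHELL 最后一次登录"
while IFS=: read -r username _ uid gid _ home shell;do
case "$shell" in *nologin|*/false|"") continue;; esac
userLastLogin="$(getUserLastLogin "$username" | tr ' ' '_')"
echo "$username $uid $gid $home $shell $userLastLogin"
done <<<"$pwdfile"
)" | column -t
# counted outside the $( ) above; the original incremented inside the
# subshell, so USERs always stayed 0
USERs=$(echo "$pwdfile" | awk -F: '$7!~/nologin$|\/false$/ && $7!=""' | wc -l)
echo ""
echo -e "\033[36m************空密码用户**********\033[0m"
USEREmptyPassword=""
# An empty second field in /etc/shadow means login without a password. "!!"
# (what the original matched) marks a LOCKED password, the opposite condition.
# Every account is checked regardless of shell: su, ftp and PAM-backed
# services do not care about /etc/shells.
for user in $(awk -F: '$2==""{print $1}' /etc/shadow 2>/dev/null);do
echo "$user"
USEREmptyPassword="$USEREmptyPassword,$user"
done
echo ""
echo -e "\033[36m***********相同ID用户***********\033[0m"
USERTheSameUID=""
for uid in $(cut -d: -f3 /etc/passwd | sort | uniq -c | awk '$1>1{print $2}');do
r=$(awk -F: -v u="$uid" 'ORS="";$3==u{print ":",$1}' /etc/passwd)
echo "$uid$r"
USERTheSameUID="$USERTheSameUID$uid $r,"
done
}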
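function getPasswordStatus {
# Password section: expiry per interactive account, then the aging policy.
# chage is run with LC_ALL=C because its "Password expires" label is
# localized: getSystemStatus restores the host locale, so on a zh_CN host the
# grep matched nothing and every account fell into "date -d ''".
# Accounts are those whose shell is not nologin/false (see getUserStatus).
local pwdfile user expiry expiry_ts now_ts DAYS result
echo ""
echo -e "\033[33m*******************************************密码检查*************************************************\033[0m"
pwdfile="$(cat /etc/passwd)"
echo ""
echo -e "\033[36m**********密码过期检查*************\033[0m"
result=""
for user in $(echo "$pwdfile" | awk -F: '$7!~/nologin$|\/false$/ && $7!="" {print $1}');do
expiry=$(LC_ALL=C /usr/bin/chage -l "$user" 2>/dev/null | awk -F: '/Password expires/{sub(/^[[:space:]]+/,"",$2);print $2}')
if [ -z "$expiry" ];then
printf "%-15s 无法读取(chage失败)\n" "$user"
result="$result,$user:unknown"
elif [ "$expiry" = "never" ];then
printf "%-15s 永不过期\n" "$user"
result="$result,$user:never"
elif expiry_ts=$(date -d "$expiry" "+%s" 2>/dev/null);then
now_ts=$(date "+%s")
DAYS=$(( (expiry_ts-now_ts)/(60*60*24) ))
printf "%-15s %s天后过期\n" "$user" "$DAYS"
result="$result,$user:$DAYS days"
else
# chage prints text such as "password must be changed" once the password
# has already expired; that is not a date, so report it as expired
printf "%-15s 已过期(%s)\n" "$user" "$expiry"
result="$result,$user:expired"
fi
done
report_PasswordExpiry=$(echo "$result" | sed 's/^,//')
echo ""
echo -e "\033[36m*************密码策略检查**********\033[0m"
# only active directives: commented PASS_* lines in login.defs are inert
grep -E "^(PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_MIN_LEN|PASS_WARN_AGE)" /etc/login.defs 2>/dev/null
}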
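function getSudoersStatus(){
# Sudoers section: active (non-comment, non-Defaults) rules from /etc/sudoers
# and from every drop-in under /etc/sudoers.d. The original only read
# /etc/sudoers, and its "#includedir" line is filtered as a comment, so the
# drop-in directory, the usual place for both legitimate grants and planted
# NOPASSWD rules, was invisible. Each file is labelled so a rule's origin is
# clear.
local f conf
echo ""
echo -e "\033[33m****************************************Sudoers检查*************************************************\033[0m"
for f in /etc/sudoers /etc/sudoers.d/*;do
[ -f "$f" ] || continue
conf=$(grep -v "^#" -- "$f" 2>/dev/null | grep -v "^Defaults" | sed '/^$/d')
[ -n "$conf" ] || continue
echo "## $f"
echo "$conf"
done
echo ""
}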
function getInstalledStatus(){
# Software section: the ten most recently installed RPM packages.
echo ""
echo -e "\033[33m*******************************************软件检查*************************************************\033[0m"
rpm -qa --last | head -n 10 | column -t
}
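function getProcessStatus(){
# Process section: zombies, then the top 10 processes by CPU and by memory.
# ps --sort replaces "ps aux | sort -k3rn": the old pipeline sorted the header
# line together with the data (it could land inside the top 10 on a lightly
# loaded host), and "grep defunct" matched any command line containing the
# word, including unrelated ones.
echo ""
echo -e "\033[33m*******************************************进程检查*************************************************\033[0m"
if [ "$(ps -eo stat= | grep -c '^Z')" -ge 1 ];then
echo ""
echo -e "\033[36m*********僵尸进程*********\033[0m"
ps -eo user,pid,ppid,stat,comm | awk 'NR==1 || $4 ~ /^Z/'
fi
echo ""
echo -e "\033[36m******CPU占用TOP 10进程*******\033[0m"
{ echo "用户 进程ID %CPU 命令"; ps -eo user,pid,%cpu,comm --sort=-%cpu --no-headers | head -n 10; } | column -t
echo ""
echo -e "\033[36m******内存占用TOP 10进程*******\033[0m"
{ echo "用户 进程ID %MEM 虚拟内存 常驻内存 命令"; ps -eo user,pid,%mem,vsz,rss,comm --sort=-%mem --no-headers | head -n 10; } | column -t
# A per-process swap table built from /proc/PID/smaps was sketched here in
# the original but never worked (it referenced PIDs that had already exited);
# it is left out.
}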
function getSyslogStatus(){
# Syslog section: rsyslog unit state (via getState) and its active
# directives. Legacy "$..." global directives are dropped, as before.
echo ""
echo -e "\033[33m*****************************************syslog检查*************************************************\033[0m"
echo "SYSLOG服务状态:$(getState rsyslog)"
echo ""
echo -e "\033[36m*********rsyslog配置************\033[0m"
grep -v "^#" /etc/rsyslog.conf 2>/dev/null | grep -v '^\$' | sed '/^$/d' | column -t
}
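function getFirewallStatus(){
# Firewall section. The original tested [[ $centosVersion = 7 ]], which never
# matches the "7.9.2009" form this script derives, so every CentOS 7 host fell
# through to the SysV iptables probe; the major number is compared instead.
# The loaded ruleset is printed as well: /etc/sysconfig/firewalld only holds
# daemon options, not a single rule, so a "firewall active" line alone says
# nothing about what is actually permitted.
local major status s
major=${centosVersion%%.*}
echo ""
echo -e "\033[33m*****************************************防火墙检查*************************************************\033[0m"
echo -e "\033[36m**********防火墙状态************\033[0m"
if [[ $major =~ ^[0-9]+$ ]] && (( major >= 7 ));then
systemctl status firewalld >/dev/null 2>&1
status=$?
# LSB/systemctl status codes: 0 running, 3 not running, 4 status unknown
# (typically: no such unit). The original labelled 4 "permission denied".
case $status in
0) s="active";;
3) s="inactive";;
4) s="unknown (unit not found)";;
*) s="unknown";;
esac
echo "firewalld: $s"
echo ""
echo -e "\033[36m**********防火墙配置************\033[0m"
cat /etc/sysconfig/firewalld 2>/dev/null
if [ "$s" = "active" ];then
firewall-cmd --list-all 2>/dev/null
else
# firewalld is not running: show whatever netfilter rules are loaded, if any
iptables -S 2>/dev/null
fi
else
s="$(getState iptables)"
echo "iptables: $s"
echo ""
echo -e "\033[36m**********防火墙配置************\033[0m"
iptables -S 2>/dev/null
fi
}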
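function getSNMPStatus(){
# SNMP section: snmpd state and its active configuration. Community strings
# equal to the well-known defaults ("public"/"private") are flagged: a
# readable default community hands interfaces, routes, processes and
# accounts to anyone who can reach UDP/161 (baseline item 1.6.3).
local status conf
echo ""
echo -e "\033[33m*****************************************SNMP检查***************************************************\033[0m"
status="$(getState snmpd)"
echo "SNMP服务状态:$status"
echo ""
if [ -e /etc/snmp/snmpd.conf ];then
echo "/etc/snmp/snmpd.conf"
echo "--------------------"
conf=$(grep -v "^#" /etc/snmp/snmpd.conf 2>/dev/null | sed '/^$/d')
echo "$conf"
# rocommunity/rwcommunity and com2sec lines carry the community string
if echo "$conf" | grep -Ei '^[[:space:]]*(ro|rw)community|^[[:space:]]*com2sec' | grep -Eiqw 'public|private';then
echo -e "\033[31m[警告] 使用了默认SNMP团体字(public/private),请修改!\033[0m"
fi
fi
}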
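function getState(){
# Print the state of service $1.
# SysV hosts (major release < 7, or no numeric release and no systemctl):
# "active" when "/etc/init.d/$1 status" reports running, "inactive"
# otherwise, "unknown" when there is no init script.
# Otherwise: the raw output of "systemctl is-active $1".
# The major number is compared numerically rather than with the string test
# [[ $centosVersion < 7 ]] so a two-digit major or a bare "7" behaves.
local svc major r
svc=$1
major=${centosVersion%%.*}
if { [[ $major =~ ^[0-9]+$ ]] && (( major < 7 )); } || { [[ ! $major =~ ^[0-9]+$ ]] && ! command -v systemctl >/dev/null 2>&1; };then
if [ -e "/etc/init.d/$svc" ];then
if "/etc/init.d/$svc" status 2>/dev/null | grep -Eq "is running|正在运行";then
r="active"
else
r="inactive"
fi
else
r="unknown"
fi
else
#CentOS 7+
r="$(systemctl is-active "$svc" 2>&1)"
fi
echo "$r"
}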
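function getSSHStatus(){
# SSH section: sshd state, protocol version, authorized_keys per account,
# root-login policy and the active sshd_config directives.
# When "sshd -T" is available the EFFECTIVE settings are used: they include
# compiled-in defaults and Include files (Match blocks are evaluated for the
# default connection context). Grepping the file, as the original did, cannot:
# an absent PermitRootLogin line means the compiled default, which has been
# prohibit-password since OpenSSH 7.0, not "yes"; and the original grep also
# matched commented lines, so the value could come from "#PermitRootLogin yes".
local effective pwdfile user home keyfile keys comments Protocol_Version PermitRootLogin
echo ""
echo -e "\033[33m******************************************SSH检查***************************************************\033[0m"
pwdfile="$(cat /etc/passwd)"
echo "SSH服务状态:$(getState sshd)"
effective=$(sshd -T 2>/dev/null)
if [ -n "$effective" ];then
Protocol_Version=$(echo "$effective" | awk '$1=="protocol"{print $2}')
PermitRootLogin=$(echo "$effective" | awk '$1=="permitrootlogin"{print $2}')
else
Protocol_Version=$(awk 'tolower($1)=="protocol"{print $2}' /etc/ssh/sshd_config 2>/dev/null | tail -n1)
PermitRootLogin=$(awk 'tolower($1)=="permitrootlogin"{print $2}' /etc/ssh/sshd_config 2>/dev/null | tail -n1)
fi
# OpenSSH >= 7.4 removed the Protocol option (only 2 remains); report the
# defaults explicitly instead of an empty field.
[ -n "$Protocol_Version" ] || Protocol_Version="2 (默认)"
[ -n "$PermitRootLogin" ] || PermitRootLogin="未设置(OpenSSH>=7.0默认prohibit-password,更早版本默认yes)"
echo "SSH协议版本:$Protocol_Version"
echo ""
echo -e "\033[36m**********信任主机************\033[0m"
authorized=0
# Every account with a home directory is checked, not only /bin/bash users:
# key login works with any shell. The third field of a key line is a free-form
# comment written by whoever added the key, not a verified host; with an
# options prefix (from="..." ssh-rsa ...) the fields shift. NOTE(review): a
# custom AuthorizedKeysFile in sshd_config is not followed here.
while IFS=: read -r user _ _ _ _ home _;do
[ -n "$home" ] && [ -d "$home" ] || continue
for keyfile in "$home/.ssh/authorized_keys" "$home/.ssh/authorized_keys2";do
[ -f "$keyfile" ] || continue
keys=$(grep -Ev '^[[:space:]]*(#|$)' -- "$keyfile" 2>/dev/null)
[ -n "$keys" ] || continue
comments=$(echo "$keys" | awk '{print $3}' | tr '\n' ',' | sed 's/,$//')
echo "$user 授权 \"$comments\" 无密码访问 ($keyfile)"
authorized=$((authorized + $(echo "$keys" | wc -l)))
done
done <<<"$pwdfile"
echo ""
echo -e "\033[36m*是否允许ROOT远程登录*********\033[0m"
echo "PermitRootLogin $PermitRootLogin"
echo ""
echo -e "\033[36m*******ssh服务配置************\033[0m"
grep -v "^#" /etc/ssh/sshd_config 2>/dev/null | sed '/^$/d'
}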
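function getNTPStatus(){
# Time-sync section. CentOS 7+ ships chrony instead of ntpd, so the original,
# which only looked at /etc/ntp.conf, printed nothing on those hosts even
# though an unsynchronised clock breaks log correlation and Kerberos/TLS
# validity checks. Both daemons are reported when their config exists.
echo ""
echo -e "\033[33m*****************************************NTP检查****************************************************\033[0m"
if [ -e /etc/ntp.conf ];then
echo "NTP服务状态:$(getState ntpd)"
echo ""
echo -e "\033[36m*******NTP服务配置***************\033[0m"
grep -v "^#" /etc/ntp.conf 2>/dev/null | sed '/^$/d'
fi
if [ -e /etc/chrony.conf ];then
echo "chronyd服务状态:$(getState chronyd)"
echo ""
echo -e "\033[36m*******chrony服务配置************\033[0m"
grep -v "^#" /etc/chrony.conf 2>/dev/null | sed '/^$/d'
fi
if [ ! -e /etc/ntp.conf ] && [ ! -e /etc/chrony.conf ];then
echo "未找到ntp.conf或chrony.conf,时间同步未配置!"
fi
}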
function check(){
# Run every report section in order; output goes wherever the caller
# redirects stdout.
local section
for section in version getSystemStatus get_resource getCpuStatus getMemStatus \
getDiskStatus getNetworkStatus getListenStatus getProcessStatus \
getServiceStatus getAutoStartStatus getLoginStatus getCronStatus \
getUserStatus getPasswordStatus getSudoersStatus getFirewallStatus \
getSSHStatus getSyslogStatus getSNMPStatus getNTPStatus getInstalledStatus;do
"$section"
done
}
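#执行检查并保存检查结果
# The report holds sudo rules, key comments, listening sockets and account
# data; keep it root-readable only regardless of the umask in effect.
check > "$RESULTFILE"
chmod 600 "$RESULTFILE" 2>/dev/null
echo -e "\033[44;37m 主机巡检结果存放在:$RESULTFILE \033[0m"
#上传检查结果的文件
#curl -F "filename=@$RESULTFILE" "$uploadHostDailyCheckApi" 2>/dev/null
cat "$RESULTFILE"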
Linux检测系统是否被入侵
入侵者在入侵成功后,往往会留下后门以便再次访问被入侵的系统,而创建系统账号是一种比较常见的后门方式。在做入侵排查的时候,用户配置文件/etc/passwd和密码配置文件/etc/shadow是需要去重点关注的地方。
检测系统是否被入侵
查询特权用户特权用户(uid 为0)
awk -F: '$3==0{print $1}' /etc/passwd
查找设置了口令哈希的账户(即可以用口令登录的账户;第二栏为空表示无口令,以 ! 或 * 开头表示锁定)
awk -F: '$2 ~ /^\$(1|5|6|2y|y)\$/{print $1}' /etc/shadow
- $1:MD5(长度 22个字符)
- $5:SHA-256(长度 43 个字符)
- $6:SHA-512(长度86 个字符)
- $2y / $y:较新系统使用的 bcrypt / yescrypt,只匹配 $1/$5/$6 会漏掉这些账户
检查sudo权限
grep -v "^#\|^$" /etc/sudoers /etc/sudoers.d/* 2>/dev/null | grep -E "ALL=\(ALL|NOPASSWD"
(/etc/sudoers.d/ 下的文件同样生效,是常见的后门放置位置;NOPASSWD 规则尤其需要关注)
删除或锁定账号
通过上面的步骤可以找到可疑的账号
usermod -L rooot   #锁定帐号,无法用口令登录,/etc/shadow第二栏变为!开头(已授权的SSH密钥仍可登录,需一并检查authorized_keys)
userdel rooot      #删除rooot用户
userdel -r rooot   #删除rooot用户,并把/home目录下该用户的主目录一并删除
查看当前登录系统的信息
who      #查看当前登录用户(tty本地登录 pts远程登录)
w        #查看系统信息及每个登录用户正在执行的命令
uptime   #查看运行多久、多少用户登录、系统负载
检查异常端口
使用netstat 网络连接命令,分析可疑端口、IP、PID等信息。
netstat -tunlp | less
抓包分析
tcpdump -c 10 -q //精简模式显示 10个包
使用ps命令检查可疑的进程
ps -ef
查超系统中占用资源最高的资源
top
发现异常进一步检查
ps eho command -p $PID          #查看该进程启动的完整命令行
readlink /proc/$PID/cwd         #查看该进程启动时所在的目录
ls -l /proc/$PID/exe            #查看该PID对应的可执行文件路径(显示 (deleted) 说明文件已被删除,这是恶意进程的常见特征)
tr '\0' '\n' < /proc/$PID/environ   #查看该进程启动时的完整环境变量
lsof -p $PID                    #列出该进程打开的所有文件
检查系统服务
Linux系统服务管理,CentOS7使用systemd控制 CentOS6之前使用chkconfig控制。
检查开机自启的服务
# systemd(CentOS 7 及以后):查看开机自启的服务
systemctl list-unit-files --type=service | grep "enabled"
# chkconfig(CentOS 6 及以前):查看服务自启动状态
chkconfig --list | grep "3:on\|5:on"
检查启动项脚本
命令查看下开机启动项中是否有异常的启动服务。
cat /etc/rc.local
检查计划任务
利用计划任务进行权限维持,可作为一种持久性机制被入侵者利用。检查异常的计划任务,需要重点关注以下目录中是否存在恶意脚本。
/var/spool/cron/*
/etc/crontab
/etc/cron.d/*
/etc/cron.daily/*
/etc/cron.hourly/*
/etc/cron.monthly/*
/etc/cron.weekly/
/etc/anacrontab
/var/spool/anacron/*
检查系统的异常文件
查看敏感目录,如/tmp目录下的文件,同时注意隐藏文件夹,以.为名的文件夹具有隐藏属性
ls -al
查找1天以内被访问过的文件
find /opt -iname "*" -atime -1 -type f
# -iname 不区分大小写;-atime -1 表示最近一次访问时间在1天以内(不带负号的 -atime 1 表示访问时间在1~2天之间,并不是1天以内);-type f 只找普通文件
检查历史命令
查看被入侵后,在系统上执行过哪些命令,使用root用户登录系统,检查/home目录下的用户主目录的.bash_history文件
默认情况下,系统可以保存1000条的历史命令,并不记录命令执行的时间,根据需要进行安全加固。
设置保存1万条命令:
sed -i 's/HISTSIZE=1000/HISTSIZE=10000/g' /etc/profile
history加固:编辑 /etc/profile(vim /etc/profile),加入以下内容,为每条历史命令记录时间、来源IP和用户
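# Tag each history entry with the time, the client IP (from the login tty)
# and the user. The emptiness test needs spaces around the operator:
# `[ "$USER_IP"=="" ]` is a single non-empty word, which is always true, so
# the original replaced USER_IP with the hostname unconditionally. A trailing
# space separates the tag from the command text.
# This is a deterrent only: any user can unset HISTFILE or set HISTSIZE=0;
# reliable command auditing needs auditd (execve rules) or similar.
USER_IP=$(who -u am i 2>/dev/null | awk '{print $NF}' | sed -e 's/[()]//g')
if [ -z "$USER_IP" ]
then
USER_IP=$(hostname)
fi
export HISTTIMEFORMAT="%F %T $USER_IP $(whoami) "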
为防止会话退出时覆盖其他会话写到HISTFILE的内容
shopt -s histappend
export PROMPT_COMMAND="history -a"
# 使配置生效
source /etc/profile
PROMPT_COMMAND是什么
PS1-PS4介绍了一些用于提示信息控制的环境变量,而在此之前可以进行回调的一个环境变量就是PROMPT_COMMAND,这个环境变量中设定的内容将在交互式脚本的提示(PS1)出现之前被执行。
检查系统日志
在Linux上一般跟系统相关的日志默认都会放到/var/log下面,若是一旦出现问题,用户就可以通过查看日志来迅速定位,及时解决问题。常用日志文件如下:
/var/log/btmp
记录错误登录日志,这个文件是二进制文件,不能用vi直接查看,可以用lastb看
/var/log/lastlog
记录系统中所有用户最后一次成功登录系统的时间,这是一个二进制文件,不能用vi查看,可以用lastlog查看
/var/log/wtmp
永久记录所有用户的登录、注销信息,同时记录系统的启动、重启、关机事件。同样这个文件也是一个二进制文件,不能直接vi,而需要使用last命令来查看。
/var/log/utmp
记录当前已经登录的用户信息,这个文件会随着用户的登录和注销不断变化,只记录当前登录用户的信息。同样这个文件不能直接vi,而要使用w,who,users等命令来查询。
/var/log/secure
记录验证和授权方面的信息,只要涉及账号和密码的程序都会记录,比如SSH登录,su切换用户,sudo授权,甚至添加用户和修改用户密码都会记录在这个日志文件中
查找登录失败次数最多的20个账号:
lastb | awk '{print $1}' | sort | uniq -c | sort -nr | head -n 20
定位有多少IP在爆破主机的root帐号(按来源IP聚合,直接对整行 uniq 会因时间戳不同而无法合并):
grep "Failed password for root" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more
查看所有重启日志信息:
last reboot
查看系统本次启动的时间:
uptime -s
查看哪些IP在爆破(uniq 只合并相邻的重复行,所以要先 sort):
grep "Failed password" /var/log/secure | grep -E -o "(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)\.(25[0-5]|2[0-4][0-9]|[01]?[0-9][0-9]?)" | sort | uniq -c | sort -nr
查看哪些IP登录成功了:
grep "Accepted" /var/log/secure | awk '{print $11}' | sort | uniq -c | sort -nr | more
登录成功的日期、用户名、IP:
grep "Accepted" /var/log/secure | awk '{print $1,$2,$3,$9,$11}'
希望本文对你有所帮助~~如果对软件测试、接口测试、自动化测试、性能测试、面试经验交流感兴趣可以私聊我
Linux安全基线检查与自动化
目前企业中对安全看得非常的重要,这也是我们为什么要做安全相关的动作,这是一个保证企业的业务能够免受其非法分子的侵害,在安全角度来看,也从个人角度来看,随时保证自身的服务器安全,也是我们应该做的事情。
检查确认点
1.1 帐号管理
1.1.1 检查root是否为唯一的UID为0用户
1.1.2 检查是否按用户分配账号
1.1.3 检查是否删除与设备运行、维护等工作无关的账号
1.1.4 检查是否设置不同的用户组
1.1.5 检查GID是否唯一
1.2 口令策略
1.2.1 检查是否设置口令生存周期
1.2.2 检查是否设置口令更改最小间隔天数
1.2.3 检查设备密码复杂度策略
1.2.4 检查是否设置口令过期前警告天数
1.2.5 检查是否存在空口令账号
1.2.6 检查密码重复使用次数限制
1.2.7 检查账户认证失败次数限制
1.3 认证授权
1.3.1 检查用户目录缺省访问权限设置
1.3.2 检查是否设置SSH登录前警告Banner
1.4 日志审计
1.4.1 检查是否对登录进行日志记录
1.4.2 检查是否启用cron行为日志功能
1.4.3 检查是否配置远程日志功能
1.4.4 检查是否配置su命令使用情况记录
1.4.5 检查日志文件权限设置
1.4.6 检查安全事件日志配置
10.79.3.10
1.5 文件权限
1.5.1 检查FTP用户上传的文件所具有的权限
1.5.2 检查重要目录或文件权限设置
1.6 网络通信
1.6.1 检查是否禁止root用户远程登录
1.6.2 检查使用IP协议远程维护的设备是否配置SSH协议,禁用Telnet协议
1.6.3 检查是否修改SNMP默认团体字
1.6.4 检查是否禁止root用户登录FTP
1.6.5 检查是否使用PAM认证模块禁止wheel组之外的用户su为root
1.7 其他配置
1.7.1 检查是否禁止匿名用户登录FTP
1.7.2 检查是否删除了潜在危险文件
1.7.3 检查是否设置命令行界面超时退出
1.7.4 检查系统是否禁用Ctrl+Alt+Delete组合键
1.7.5 检查root用户的path环境变量
1.7.6 检查历史命令设置
1.7.7 检查是否设置SSH成功登录后Banner
1.7.8 检查是否限制FTP用户登录后能访问的目录
1.7.9 检查是否关闭数据包转发功能
1.7.10 检查别名文件/etc/aliases
1.7.11 检查是否使用NTP(网络时间协议)保持时间同步
1.7.12 检查是否限制远程登录IP范围
1.7.13 检查NFS(网络文件系统)服务配置
1.7.14 检查是否配置定时自动屏幕锁定
1.7.15 检查是否安装chkrootkit进行系统监测
1.7.16 检查是否安装OS补丁
1.7.17 检查FTP banner设置
1.7.18 检查Telnet banner设置
1.7.19 检查系统内核参数配置
1.7.20 检查系统openssh安全配置
1.7.21 检查系统coredump设置
1.7.22 检查是否关闭不必要的服务和端口
1.7.23 检查磁盘空间占用率
#!/usr/bin/env bash
#
# CIS-LBK CIS Debian Family Linux Benchmark v1.0.0 Build Kit script
# ~/CIS-LBK/DEBIAN_FAMILY_LBK.sh
#
# Name Date Description
# ------------------------------------------------------------------------------------------------
# Eric Pinnell 12/01/20 Build Kit "CIS Debian Family Linux Benchmark v1.0.0"
#
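if [ ! "$BASH_VERSION" ] ; then
exec /bin/bash "$0" "$@"
fi
# Set global variables
BDIR="$(dirname "$(readlink -f "$0")")"
FDIR="$BDIR/functions"
RECDIR="$FDIR/recommendations"
GDIR="$FDIR/general"
LDIR="$BDIR/logs"
RDIR="$BDIR/backup"
DTG=$(date +%m_%d_%Y_%H%M)
# Log and backup directories: -p so logs/ and backup/ need not pre-exist, and
# a failed mkdir aborts. The original calls were unchecked, so every later
# redirect into $LOGDIR would fail silently and the backups the remediations
# depend on would be lost. Both hold copies of system configuration and a
# record of what was changed, so they are restricted to the owner.
mkdir -p "$LDIR/$DTG" || { echo "cannot create log directory $LDIR/$DTG" >&2; exit 1; }
mkdir -p "$RDIR/$DTG" || { echo "cannot create backup directory $RDIR/$DTG" >&2; exit 1; }
chmod 700 "$LDIR/$DTG" "$RDIR/$DTG"
LOGDIR="$LDIR/$DTG"
BKDIR="$RDIR/$DTG"
LOG="$LOGDIR/CIS-LBK_verbose.log"
SLOG="$LOGDIR/CIS-LBK.log"
ELOG="$LOGDIR/CIS-LBK_error.log"
FRLOG="$LOGDIR/CIS-LBK_failed.log"
MANLOG="$LOGDIR/CIS-LBK_manual.log"
passed_recommendations="0"
failed_recommendations="0"
remediated_recommendations="0"
not_applicable_recommendations="0"
excluded_recommendations="0"
manual_recommendations="0"
skipped_recommendations="0"
total_recommendations="0"
# Load functions (Order matters).
# Everything under functions/general and functions/recommendations is sourced
# here and later executed as root, so a world-writable function directory is
# arbitrary root code execution for any local user: refuse to continue in
# that case, and warn when the directory is not owned by root.
for d in "$GDIR" "$RECDIR"; do
[ -d "$d" ] || { echo "missing function directory $d" >&2; exit 1; }
if [ -n "$(find "$d" -maxdepth 1 -perm -o+w -print -quit 2>/dev/null)" ]; then
echo "refusing to source from $d: directory or a file in it is world-writable" >&2
exit 1
fi
[ "$(stat -c %u "$d" 2>/dev/null)" = "0" ] || echo "warning: $d is not owned by root; its scripts will run as root" >&2
done
for func in "$GDIR"/*.sh; do
[ -e "$func" ] || break
. "$func"
done
for func in "$RECDIR"/*.sh; do
[ -e "$func" ] || break
. "$func"
done
#Clear the screen for output
clear
# Display the build kit banner
BANR
# Ensure script is being run as root
ROOTUSRCK
# Display the terms of use
# terms_of_use
# Display CIS Linux Build Kit warning banner
WARBNR
#run_profile=L2S # Uncomment this line to provide profile to be run manually
# Profile Options:
# L1S - For Level 1 Server
# L1W - For Level 1 Workstation
# L2S - For Level 2 Server
# L2W - For Level 2 Workstation
# Have user select profile to run
select_profile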
# Recommendations: this is where the benchmark-specific part of the script begins.
# Generated for specific Benchmark
#
# 1 Initial Setup
#
#
# 1.1 Filesystem Configuration
#
#
# 1.1.1 Disable unused filesystems
#
RN="1.1.1.1"
RNA="Ensure mounting of cramfs filesystems is disabled"
profile="L1S L1W"
REC="cramfs_filesystem_disabled"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.1.2"
RNA="Ensure mounting of freevxfs filesystems is disabled"
profile="L1S L1W"
REC="freevxfs_filesystem_disabled"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.1.3"
RNA="Ensure mounting of jffs2 filesystems is disabled"
profile="L1S L1W"
REC="jffs2_filesystem_disabled"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.1.4"
RNA="Ensure mounting of hfs filesystems is disabled"
profile="L1S L1W"
REC="hfs_filesystem_disabled"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.1.5"
RNA="Ensure mounting of hfsplus filesystems is disabled"
profile="L1S L1W"
REC="hfsplus_filesystem_disabled"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.1.6"
RNA="Ensure mounting of squashfs filesystems is disabled"
profile="L1S L1W"
REC="squashfs_filesystem_disabled"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.1.7"
RNA="Ensure mounting of udf filesystems is disabled"
profile="L1S L1W"
REC="udf_filesystem_disabled"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.2"
RNA="Ensure /tmp is configured"
profile="L1S L1W"
REC="ensure_tmp_configured"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.3"
RNA="Ensure nodev option set on /tmp partition"
profile="L1S L1W"
REC="ensure_nodev_tmp"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.4"
RNA="Ensure nosuid option set on /tmp partition"
profile="L1S L1W"
REC="ensure_nosuid_tmp"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.5"
RNA="Ensure noexec option set on /tmp partition"
profile="L1S L1W"
REC="ensure_noexec_tmp"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.6"
RNA="Ensure separate partition exists for /var"
profile="L2S L2W"
REC="var_partition_exists"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.7"
RNA="Ensure separate partition exists for /var/tmp"
profile="L2S L2W"
REC="var_tmp_partition_exists"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.8"
RNA="Ensure nodev option set on /var/tmp partition"
profile="L1S L1W"
REC="ensure_nodev_var_tmp"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.9"
RNA="Ensure nosuid option set on /var/tmp partition"
profile="L1S L1W"
REC="ensure_nosuid_var_tmp"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.10"
RNA="Ensure noexec option set on /var/tmp partition"
profile="L1S L1W"
REC="ensure_noexec_var_tmp"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.11"
RNA="Ensure separate partition exists for /var/log"
profile="L2S L2W"
REC="var_log_partition_exists"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.12"
RNA="Ensure separate partition exists for /var/log/audit"
profile="L2S L2W"
REC="var_log_audit_partition_exists"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.13"
RNA="Ensure separate partition exists for /home"
profile="L2S L2W"
REC="home_partition_exists"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.14"
RNA="Ensure nodev option set on /home partition"
profile="L1S L1W"
REC="ensure_nodev_home"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.15"
RNA="Ensure nodev option set on /dev/shm partition"
profile="L1S L1W"
REC="ensure_nodev_dev_shm"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.16"
RNA="Ensure nosuid option set on /dev/shm partition"
profile="L1S L1W"
REC="ensure_nosuid_dev_shm"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.17"
RNA="Ensure noexec option set on /dev/shm partition"
profile="L1S L1W"
REC="ensure_noexec_dev_shm"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.18"
RNA="Ensure nodev option set on removable media partitions"
profile="L1S L1W"
REC="ensure_nodev_removable_media"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.19"
RNA="Ensure nosuid option set on removable media partitions"
profile="L1S L1W"
REC="ensure_nosuid_removable_media"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.20"
RNA="Ensure noexec option set on removable media partitions"
profile="L1S L1W"
REC="ensure_noexec_removable_media"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.21"
RNA="Ensure sticky bit is set on all world-writable directories"
profile="L1S L1W"
REC="ensure_stickybit_world_writable_directories"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.22"
RNA="Disable Automounting"
profile="L1S L2W"
REC="disable_automounting"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.1.23"
RNA="Disable USB Storage"
profile="L1S L2W"
REC="disable_usb_storage"
total_recommendations=$((total_recommendations+1))
runrec
#
# 1.2 Configure Software Updates
#
RN="1.2.1"
RNA="Ensure package manager repositories are configured"
profile="L1S L1W"
REC="ensure_package_manager_repositories_configured"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.2.2"
RNA="Ensure GPG keys are configured"
profile="L1S L1W"
REC="ensure_gpg_keys_configured"
total_recommendations=$((total_recommendations+1))
runrec
#
# 1.3 Configure sudo
#
RN="1.3.1"
RNA="Ensure sudo is installed"
profile="L1S L1W"
REC="ensure_sudo_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.3.2"
RNA="Ensure sudo commands use pty"
profile="L1S L1W"
REC="ensure_sudo_commands_pty"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.3.3"
RNA="Ensure sudo log file exists"
profile="L1S L1W"
REC="ensure_sudo_logfile_exists"
total_recommendations=$((total_recommendations+1))
runrec
#
# 1.4 Filesystem Integrity Checking
#
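RN="1.4.1"
RNA="Ensure AIDE is installed"
# Trailing space removed from the profile list so it matches the "L1S L1W"
# form used by every other recommendation (an exact-string match on the
# profile would otherwise never select this check).
profile="L1S L1W"
REC="ensure_aide_installed"
total_recommendations=$((total_recommendations+1))
runrec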
RN="1.4.2"
RNA="Ensure filesystem integrity is regularly checked"
profile="L1S L1W"
REC="deb_ensure_filesystem_integrity_checked"
total_recommendations=$((total_recommendations+1))
runrec
#
# 1.5 Secure Boot Settings
#
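# The titles of 1.5.1 and 1.5.2 were swapped relative to the REC functions they
# run (bootloader password vs. bootloader config permissions), so the logs
# reported each result under the other check's name. REC values are unchanged.
RN="1.5.1"
RNA="Ensure bootloader password is set"
profile="L1S L1W"
REC="deb_ensure_bootloader_password_set"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.5.2"
RNA="Ensure permissions on bootloader config are configured"
profile="L1S L1W"
REC="ensure_permissions_bootloader_configured"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.5.3"
RNA="Ensure authentication required for single user mode"
profile="L1S L1W"
REC="deb_ensure_authentication_required_single_user_mode"
total_recommendations=$((total_recommendations+1))
runrec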
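#
# 1.6 Additional Process Hardening
#
# Section heading only. It was previously assigned to RN/RNA with an empty
# profile and REC and passed to runrec, which added a non-existent
# recommendation to total_recommendations and produced a bogus log entry;
# every other section heading in this script is a comment block like this one.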
RN="1.6.1"
RNA="Ensure XD/NX support is enabled"
profile="L1S L1W"
REC="ensure_XD_NX_support_enabled"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.6.2"
RNA="Ensure address space layout randomization (ASLR) is enabled"
profile="L1S L1W"
REC="ensure_aslr_enabled"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.6.3"
RNA="Ensure prelink is disabled"
profile="L1S L1W"
REC="ensure_prelink_disabled"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.6.4"
RNA="Ensure core dumps are restricted"
profile="L1S L1W"
REC="core_dumps_restricted"
total_recommendations=$((total_recommendations+1))
runrec
#
# 1.7 Mandatory Access Control
#
#
# 1.7.1 Configure AppArmor
#
RN="1.7.1.1"
RNA="Ensure AppArmor is installed"
profile="L1S L1W"
REC="deb_ensure_apparmor_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.7.1.2"
RNA="Ensure AppArmor is enabled in the bootloader configuration"
profile="L1S L1W"
REC="deb_ensure_apparmor_enabled_bootloader_configuration"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.7.1.3"
RNA="Ensure all AppArmor Profiles are in enforce or complain mode"
profile="L1S L1W"
REC="deb_ensure_apparmor_profiles_in_enforce_or_complain_mode"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.7.1.4"
RNA="Ensure all AppArmor Profiles are enforcing"
profile="L2S L2W"
REC="deb_ensure_apparmor_profiles_are_enforcing"
total_recommendations=$((total_recommendations+1))
runrec
#
# 1.8 Warning Banners
#
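# Titles of 1.8.2/1.8.3 and 1.8.5/1.8.6 did not match the REC functions they
# run (local vs. remote banner content; /etc/issue vs. /etc/issue.net
# permissions), so results were logged under the wrong check. The titles now
# follow the REC functions; REC values are unchanged.
RN="1.8.1"
RNA="Ensure message of the day is configured properly"
profile="L1S L1W"
REC="nix_ensure_motd_configured"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.8.2"
RNA="Ensure local login warning banner is configured properly"
profile="L1S L1W"
REC="nix_ensure_local_login_warning_banner_configured_fct"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.8.3"
RNA="Ensure remote login warning banner is configured properly"
profile="L1S L1W"
REC="nix_ensure_remote_login_warning_banner_configured_fct"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.8.4"
RNA="Ensure permissions on /etc/motd are configured"
profile="L1S L1W"
REC="nix_ensure_permissions_motd_configured_fct"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.8.5"
RNA="Ensure permissions on /etc/issue are configured"
profile="L1S L1W"
REC="nix_ensure_permissions_issue_configured_fct"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.8.6"
RNA="Ensure permissions on /etc/issue.net are configured"
profile="L1S L1W"
REC="nix_ensure_permissions_issue_net_configured_fct"
total_recommendations=$((total_recommendations+1))
runrec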
RN="1.9"
RNA="Ensure GDM is removed or login is configured"
profile="L1S L1W"
REC="deb_ensure_gdm_login_banner_configured"
total_recommendations=$((total_recommendations+1))
runrec
RN="1.10"
RNA="Ensure updates patches and additional security software are installed"
profile="L1S L1W"
REC="deb_ensure_updates_patches_additional_security_software_installed"
total_recommendations=$((total_recommendations+1))
runrec
#
# 2 Services
#
#
# 2.1 Special Purpose Services
#
#
# 2.1.1 Time Synchronization
#
RN="2.1.1.1"
RNA="Ensure time synchronization is in use"
profile="L1S L1W"
REC="deb_ensure_time_synchronization_in_use"
total_recommendations=$((total_recommendations+1))
runrec
RN="2.1.1.2"
RNA="Ensure systemd-timesyncd is configured"
profile="L1S L1W"
REC="deb_ensure_systemd-timesyncd_configured"
total_recommendations=$((total_recommendations+1))
runrec
RN="2.1.1.3"
RNA="Ensure chrony is configured"
profile="L1S L1W"
REC="deb_chrony_configured"
total_recommendations=$((total_recommendations+1))
runrec
RN="2.1.1.4"
RNA="Ensure ntp is configured"
profile="L1S L1W"
REC="deb_ensure_ntp_configured"
total_recommendations=$((total_recommendations+1))
runrec
RN="2.1.2"
RNA="Ensure X Window System is not installed"
profile="L1S"
REC="deb_ensure_xwindows_system_not_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="2.1.3"
RNA="Ensure Avahi Server is not installed"
profile="L1S L1W"
REC="deb_ensure_avahi_server_not_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="2.1.4"
RNA="Ensure CUPS is not installed"
profile="L1S L2W"
REC="ensure_cups_not_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="2.1.5"
RNA="Ensure DHCP Server is not installed"
profile="L1S L1W"
REC="deb_ensure_dhcp_server_not_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="2.1.6"
RNA="Ensure LDAP server is not installed"
profile="L1S L1W"
REC="deb_ensure_ldap_server_not_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="2.1.7"
RNA="Ensure NFS is not installed"
profile="L1S L1W"
REC="deb_ensure_nfs_not_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="2.1.8"
RNA="Ensure DNS Server is not installed"
profile="L1S L1W"
REC="deb_ensure_dns_server_not_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="2.1.9"
RNA="Ensure FTP Server is not installed"
profile="L1S L1W"
REC="ensure_ftp_server_not_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="2.1.10"
RNA="Ensure HTTP server is not installed"
profile="L1S L1W"
REC="deb_ensure_http_server_not_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="2.1.11"
RNA="Ensure IMAP and POP3 server are not installed"
profile="L1S L1W"
REC="deb_ensure_imap_pop3_server_not_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="2.1.12"
RNA="Ensure Samba is not installed"
profile="L1S L1W"
REC="ensure_samba_not_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="2.1.13"
RNA="Ensure HTTP Proxy Server is not installed"
profile="L1S L1W"
REC="ensure_http_proxy_server_not_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="2.1.14"
RNA="Ensure SNMP Server is not installed"
profile="L1S L1W"
REC="deb_ensure_snmp_server_not_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="2.1.15"
RNA="Ensure mail transfer agent is configured for local-only mode"
profile="L1S L1W"
REC="ensure_mail_transfer_agent_configured_local_only"
total_recommendations=$((total_recommendations+1))
runrec
RN="2.1.16"
RNA="Ensure rsync service is not installed"
profile="L1S L1W"
REC="deb_ensure_rsync_service_not_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="2.1.17"
RNA="Ensure NIS Server is not installed"
profile="L1S L1W"
REC="deb_ensure_nis_server_not_installed"
total_recommendations=$((total_recommendations+1))
runrec
#
# 2.2 Service Clients
#
RN="2.2.1"
RNA="Ensure NIS Client is not installed"
profile="L1S L1W"
REC="deb_ensure_nis_client_not_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="2.2.2"
RNA="Ensure rsh client is not installed"
profile="L1S L1W"
REC="deb_ensure_rsh_client_not_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="2.2.3"
RNA="Ensure talk client is not installed"
profile="L1S L1W"
REC="ensure_talk_client_not_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="2.2.4"
RNA="Ensure telnet client is not installed"
profile="L1S L1W"
REC="ensure_telnet_client_not_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="2.2.5"
RNA="Ensure LDAP client is not installed"
profile="L1S L1W"
REC="deb_ensure_ldap_client_not_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="2.2.6"
RNA="Ensure RPC is not installed"
profile="L1S L1W"
REC="deb_ensure_rpc_not_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="2.3"
RNA="Ensure nonessential services are removed or masked"
profile="L1S L1W"
REC="ensure_nonessential_services_removed_or_masked"
total_recommendations=$((total_recommendations+1))
runrec
#
# 3 Network Configuration
#
#
# 3.1 Disable unused network protocols and devices
#
RN="3.1.1"
RNA="Disable IPv6"
profile="L2S L2W"
REC="disable_ipv6"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.1.2"
RNA="Ensure wireless interfaces are disabled"
profile="L1S L1W"
REC="ensure_wireless_interfaces_disabled"
total_recommendations=$((total_recommendations+1))
runrec
#
# 3.2 Network Parameters (Host Only)
#
RN="3.2.1"
RNA="Ensure packet redirect sending is disabled"
profile="L1S L1W"
REC="packet_redirect_sending_disabled"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.2.2"
RNA="Ensure IP forwarding is disabled"
profile="L1S L1W"
REC="ip_forwarding_disabled"
total_recommendations=$((total_recommendations+1))
runrec
#
# 3.3 Network Parameters (Host and Router)
#
RN="3.3.1"
RNA="Ensure source routed packets are not accepted"
profile="L1S L1W"
REC="ensure_source_routed_packets_not_accepted"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.3.2"
RNA="Ensure ICMP redirects are not accepted"
profile="L1S L1W"
REC="ensure_icmp_redirects_not_accepted"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.3.3"
RNA="Ensure secure ICMP redirects are not accepted"
profile="L1S L1W"
REC="ensure_secure_icmp_redirects_not_accepted"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.3.4"
RNA="Ensure suspicious packets are logged"
profile="L1S L1W"
REC="ensure_suspicious_packets_logged"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.3.5"
RNA="Ensure broadcast ICMP requests are ignored"
profile="L1S L1W"
REC="ensure_broadcast_icmp_requests_ignored"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.3.6"
RNA="Ensure bogus ICMP responses are ignored"
profile="L1S L1W"
REC="nix_ensure_bogus_icmp_responses_ignored"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.3.7"
RNA="Ensure Reverse Path Filtering is enabled"
profile="L1S L1W"
REC="ensure_reverse_path_filtering_enabled"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.3.8"
RNA="Ensure TCP SYN Cookies is enabled"
profile="L1S L1W"
REC="ensure_tcp_syn_cookies_enabled"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.3.9"
RNA="Ensure IPv6 router advertisements are not accepted"
profile="L1S L1W"
REC="ensure_ipv6_router_advertisements_not_accepted"
total_recommendations=$((total_recommendations+1))
runrec
#
# 3.5 Uncommon Network Protocols
#
RN="3.5.1"
RNA="Ensure DCCP is disabled"
profile="L2S L2W"
REC="ensure_dccp_disabled"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.5.2"
RNA="Ensure SCTP is disabled"
profile="L2S L2W"
REC="ensure_sctp_disabled"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.5.3"
RNA="Ensure RDS is disabled"
profile="L2S L2W"
REC="ensure_rds_disabled"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.5.4"
RNA="Ensure TIPC is disabled"
profile="L2S L2W"
REC="ensure_tipc_disabled"
total_recommendations=$((total_recommendations+1))
runrec
#
# 3.6 Firewall Configuration
#
#
# 3.6.1 Configure UncomplicatedFirewall
#
RN="3.6.1.1"
RNA="Ensure Uncomplicated Firewall is installed"
profile="L1S L1W"
REC="deb_ensure_uncomplicated_firewall_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.6.1.2"
RNA="Ensure iptables-persistent is not installed"
profile="L1S L1W"
REC="deb_ensure_iptables_persistent_not_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.6.1.3"
RNA="Ensure ufw service is enabled"
profile="L1S L1W"
REC="deb_ensure_ufw_service_enabled"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.6.1.4"
RNA="Ensure loopback traffic is configured"
profile="L1S L1W"
REC="deb_ensure_ufw_loopback_traffic_configured"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.6.1.5"
RNA="Ensure outbound connections are configured"
profile="L1S L1W"
REC="deb_ensure_outbound_connections_configured"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.6.1.6"
RNA="Ensure firewall rules exist for all open ports"
profile="L1S L1W"
REC="deb_ensure_firewall_rules_exist_all_open_ports"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.6.1.7"
RNA="Ensure default deny firewall policy"
profile="L1S L1W"
REC="deb_ensure_default_deny_firewall_policy"
total_recommendations=$((total_recommendations+1))
runrec
#
# 3.6.2 Configure nftables
#
RN="3.6.2.1"
RNA="Ensure nftables is installed"
profile="L1S L1W"
REC="deb_ensure_nftables_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.6.2.2"
RNA="Ensure Uncomplicated Firewall is not installed or disabled"
profile="L1S L1W"
REC="deb_ensure_ufw_not_installed_or_disabled"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.6.2.3"
RNA="Ensure iptables are flushed"
profile="L1S L1W"
REC="deb_ensure_iptables_flushed"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.6.2.4"
RNA="Ensure a table exists"
profile="L1S L1W"
REC="deb_ensure_table_exists"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.6.2.5"
RNA="Ensure base chains exist"
profile="L1S L1W"
REC="deb_ensure_base_chains_exists"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.6.2.6"
RNA="Ensure loopback traffic is configured"
profile="L1S L1W"
REC="deb_nft_ensure_loopback_traffic_configured"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.6.2.7"
RNA="Ensure outbound and established connections are configured"
profile="L1S L1W"
REC="deb_nft_ensure_outbound_established_connections_configured"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.6.2.8"
RNA="Ensure default deny firewall policy"
profile="L1S L1W"
REC="deb_nft_ensure_default_deny_firewall_policy"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.6.2.9"
RNA="Ensure nftables service is enabled"
profile="L1S L1W"
REC="deb_ensure_nftables_service_enabled"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.6.2.10"
RNA="Ensure nftables rules are permanent"
profile="L1S L1W"
REC="deb_ensure_nftables_rules_permanent"
total_recommendations=$((total_recommendations+1))
runrec
#
# 3.6.3 Configure iptables
#
#
# 3.6.3.1 Configure software
#
RN="3.6.3.1.1"
RNA="Ensure iptables packages are installed"
profile="L1S L1W"
REC="deb_ensure_iptables_packages_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.6.3.1.2"
RNA="Ensure nftables is not installed"
profile="L1S L1W"
REC="deb_ensure_nftables_not_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.6.3.1.3"
RNA="Ensure Uncomplicated Firewall is not installed or disabled"
profile="L1S L1W"
REC="deb_ensure_ufw_not_installed_or_disabled"
total_recommendations=$((total_recommendations+1))
runrec
#
# 3.6.3.2 Configure IPv4 iptables
#
RN="3.6.3.2.1"
RNA="Ensure default deny firewall policy"
profile="L1S L1W"
REC="deb_ensure_ipv4_default_deny_firewall_policy"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.6.3.2.2"
RNA="Ensure loopback traffic is configured"
profile="L1S L1W"
REC="deb_ensure_ipv4_loopback_traffic_configured"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.6.3.2.3"
RNA="Ensure outbound and established connections are configured"
profile="L1S L1W"
REC="deb_ensure_ipv4_outbound_and_established_connections_configured"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.6.3.2.4"
RNA="Ensure firewall rules exist for all open ports"
profile="L1S L1W"
REC="deb_ensure_ipv4_firewall_rules_exist_all_open_ports"
total_recommendations=$((total_recommendations+1))
runrec
#
# 3.6.3.3 Configure IPv6 ip6tables
#
RN="3.6.3.3.1"
RNA="Ensure IPv6 default deny firewall policy"
profile="L1S L1W"
REC="deb_ensure_ipv6_default_deny_firewall_policy"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.6.3.3.2"
RNA="Ensure IPv6 loopback traffic is configured"
profile="L1S L1W"
REC="deb_ensure_ipv6_loopback_traffic_configured"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.6.3.3.3"
RNA="Ensure IPv6 outbound and established connections are configured"
profile="L1S L1W"
REC="deb_ensure_ipv6_outbound_and_established_connections_configured"
total_recommendations=$((total_recommendations+1))
runrec
RN="3.6.3.3.4"
RNA="Ensure IPv6 firewall rules exist for all open ports"
profile="L1S L1W"
REC="deb_ensure_ipv6_firewall_rules_exist_all_open_ports"
total_recommendations=$((total_recommendations+1))
runrec
#
# 4 Logging and Auditing
#
#
# 4.1 Configure System Accounting (auditd)
#
#
# 4.1.1 Ensure auditing is enabled
#
RN="4.1.1.1"
RNA="Ensure auditd is installed"
profile="L2S L2W"
REC="deb_ensure_auditd_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="4.1.1.2"
RNA="Ensure auditd service is enabled"
profile="L2S L2W"
REC="ensure_auditd_service_enabled"
total_recommendations=$((total_recommendations+1))
runrec
RN="4.1.1.3"
RNA="Ensure auditing for processes that start prior to auditd is enabled"
profile="L2S L2W"
REC="ensure_auditing_processes_start_prior_auditd_enabled"
total_recommendations=$((total_recommendations+1))
runrec
RN="4.1.1.4"
RNA="Ensure audit_backlog_limit is sufficient"
profile="L2S L2W"
REC="ensure_audit_backlog_limit_sufficient"
total_recommendations=$((total_recommendations+1))
runrec
#
# 4.1.2 Configure Data Retention
#
RN="4.1.2.1"
RNA="Ensure audit log storage size is configured"
profile="L2S L2W"
REC="ensure_audit_log_storage_size_configured"
total_recommendations=$((total_recommendations+1))
runrec
RN="4.1.2.2"
RNA="Ensure audit logs are not automatically deleted"
profile="L2S L2W"
REC="ensure_audit_logs_not_automatically_deleted"
total_recommendations=$((total_recommendations+1))
runrec
RN="4.1.2.3"
RNA="Ensure system is disabled when audit logs are full"
profile="L2S L2W"
REC="ensure_system_disabled_audit_logs_full"
total_recommendations=$((total_recommendations+1))
runrec
RN="4.1.3"
RNA="Ensure events that modify date and time information are collected"
profile="L2S L2W"
REC="ensure_events_modify_date_time_information_collected"
total_recommendations=$((total_recommendations+1))
runrec
RN="4.1.4"
RNA="Ensure events that modify user/group information are collected"
profile="L2S L2W"
REC="ensure_events_modify_user_group_information_collected"
total_recommendations=$((total_recommendations+1))
runrec
RN="4.1.5"
RNA="Ensure events that modify the systems network environment are collected"
profile="L2S L2W"
REC="ensure_events_modify_systems_network_environment_collected"
total_recommendations=$((total_recommendations+1))
runrec
RN="4.1.6"
RNA="Ensure events that modify the systems Mandatory Access Controls are collected"
profile="L2S L2W"
REC="deb_ensure_events_modify_systems_mac_collected"
total_recommendations=$((total_recommendations+1))
runrec
RN="4.1.7"
RNA="Ensure login and logout events are collected"
profile="L2S L2W"
REC="deb_ensure_login_logout_events_collected"
total_recommendations=$((total_recommendations+1))
runrec
RN="4.1.8"
RNA="Ensure session initiation information is collected"
profile="L2S L2W"
REC="ensure_session_initiation_information_collected"
total_recommendations=$((total_recommendations+1))
runrec
RN="4.1.9"
RNA="Ensure discretionary access control permission modification events are collected"
profile="L2S L2W"
REC="ensure_dac_permission_modification_events_collected"
total_recommendations=$((total_recommendations+1))
runrec
RN="4.1.10"
RNA="Ensure unsuccessful unauthorized file access attempts are collected"
profile="L2S L2W"
REC="ensure_unsuccessful_unauthorized_file_access_attempts_collected"
total_recommendations=$((total_recommendations+1))
runrec
RN="4.1.11"
RNA="Ensure use of privileged commands is collected"
profile="L2S L2W"
REC="ensure_use_privileged_commands_collected"
total_recommendations=$((total_recommendations+1))
runrec
RN="4.1.12"
RNA="Ensure successful file system mounts are collected"
profile="L2S L2W"
REC="ensure_successful_file_system_mounts_collected"
total_recommendations=$((total_recommendations+1))
runrec
RN="4.1.13"
RNA="Ensure file deletion events by users are collected"
profile="L2S L2W"
REC="ensure_file_deletion_events_by_users_collected"
total_recommendations=$((total_recommendations+1))
runrec
RN="4.1.14"
RNA="Ensure changes to system administration scope (sudoers) is collected"
profile="L2S L2W"
REC="ensure_changes_sudoers_collected"
total_recommendations=$((total_recommendations+1))
runrec
RN="4.1.15"
RNA="Ensure system administrator command executions (sudo) are collected"
profile="L2S L2W"
REC="ensure_system_administrator_command_executions_collected"
total_recommendations=$((total_recommendations+1))
runrec
RN="4.1.16"
RNA="Ensure kernel module loading and unloading is collected"
profile="L2S L2W"
REC="ensure_kernel_module_loading_unloading_collected"
total_recommendations=$((total_recommendations+1))
runrec
RN="4.1.17"
RNA="Ensure the audit configuration is immutable"
profile="L2S L2W"
REC="ensure_audit_configuration_immutable"
total_recommendations=$((total_recommendations+1))
runrec
#
# 4.2 Configure Logging
#
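#
# 4.2.1 Configure rsyslog
#
# Section heading only. It was previously assigned to RN/RNA with an empty
# profile and REC and passed to runrec, which added a non-existent
# recommendation to total_recommendations and produced a bogus log entry;
# the 4.2.1.x checks that follow are the actual recommendations.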
RN="4.2.1.1"
RNA="Ensure rsyslog is installed"
profile="L1S L1W"
REC="ensure_rsyslog_installed"
total_recommendations=$((total_recommendations+1))
runrec
RN="4.2.1.2"
RNA="Ensure rsyslog Service is enabled"
profile="L1S L1W"
REC="ensure_rsyslog_service_enabled_running"
total_recommendations=$((total_recommendations+1))
runrec
RN="4.2.1.3"
RNA="Ensure logging is configured"
profile="L1S L1W"
REC="ensure_logging_configured"
total_recommendations=$((total_recommendations+1))
runrec
RN="4.2.1.4"
RNA="Ensure rsyslog default file permissions configured"
profile="L1S L1W"
REC="ensure_rsyslog_default_file_permissions_configured"
total_recommendations=$((total_recommendations+1))
runrec
RN="4.2.1.5"
RNA="Ensure rsyslog is configured to send logs to a remote log host"
profile="L1S L1W"
REC="ensure_rsyslog_configured_send_logs_remote_host"
total_recommendations=$((total_recommendations+1))
runrec
RN="4.2.1.6"
RNA="Ensure remote rsyslog messages are only accepted on designated log hosts."
profile="L1S L1W"
REC="ensure_remote_rsyslog_messages_only_accepted_designated_host"
total_recommendations=$((total_recommendations+1))
runrec
#
# 4.2.2 Configure journald
#
RN="4.2.2.1"
RNA="Ensure journald is configured to send logs to rsyslog"
profile="L1S L1W"
REC="ensure_journald_configured_send_logs_rsyslog"
total_recommendations=$((total_recommendations+1))
runrec
RN="4.2.2.2"
RNA="Ensure journald is configured to compress large log files"
profile="L1S L1W"
REC="ensure_journald_configured_compress_large_files"
total_recommendations=$((total_recommendations+1))
runrec
RN="4.2.2.3"
RNA="Ensure journald is configured to write logfiles to persistent disk"
profile="L1S L1W"
REC="ensure_journald_configured_write_logfiles_disk"
total_recommendations=$((total_recommendations+1))
runrec
# Remaining benchmark recommendations, one per row, as "RN|RNA|profile|REC":
#   RN      - CIS recommendation number
#   RNA     - recommendation title, as printed in the report
#   profile - applicable profiles (Server/Workstation level, e.g. "L1S L1W")
#   REC     - name of the check function that runrec dispatches to
# Rows are split on '|' only, so the space inside the profile field survives.
# Section headers from the benchmark are kept as comments for orientation.
remaining_recommendations=(
  '4.2.3|Ensure permissions on all logfiles are configured|L1S L1W|ensure_permissions_on_logfiles_configured'
  '4.3|Ensure logrotate is configured|L1S L1W|ensure_logrotate_configured'
  '4.4|Ensure logrotate assigns appropriate permissions|L1S L1W|ensure_logrotate_assigns_appropriate_permissions'
  #
  # 5 Access Authentication and Authorization
  #
  #
  # 5.1 Configure time-based job schedulers
  #
  '5.1.1|Ensure cron daemon is enabled and running|L1S L1W|deb_ensure_cron_daemon_enabled'
  '5.1.2|Ensure permissions on /etc/crontab are configured|L1S L1W|ensure_permissions_crontab_configured'
  '5.1.3|Ensure permissions on /etc/cron.hourly are configured|L1S L1W|ensure_permissions_cron_hourly_configured'
  '5.1.4|Ensure permissions on /etc/cron.daily are configured|L1S L1W|ensure_permissions_cron_daily_configured'
  '5.1.5|Ensure permissions on /etc/cron.weekly are configured|L1S L1W|ensure_permissions_cron_weekly_configured'
  '5.1.6|Ensure permissions on /etc/cron.monthly are configured|L1S L1W|ensure_permissions_cron_monthly_configured'
  '5.1.7|Ensure permissions on /etc/cron.d are configured|L1S L1W|ensure_permissions_cron_d_configured'
  '5.1.8|Ensure cron is restricted to authorized users|L1S L1W|ensure_cron_restricted_authorized_users'
  '5.1.9|Ensure at is restricted to authorized users|L1S L1W|ensure_at_restricted_authorized_users'
  #
  # 5.2 Configure SSH Server
  #
  '5.2.1|Ensure permissions on /etc/ssh/sshd_config are configured|L1S L1W|ensure_permissions_sshd_config_configured'
  '5.2.2|Ensure permissions on SSH private host key files are configured|L1S L1W|ensure_permissions_ssh_private_hostkey_files_configured'
  '5.2.3|Ensure permissions on SSH public host key files are configured|L1S L1W|ensure_permissions_ssh_public_hostkey_files_configured'
  '5.2.4|Ensure SSH LogLevel is appropriate|L1S L1W|ensure_ssh_loglevel_appropriate'
  # 5.2.5 is Level 2 on servers but Level 1 on workstations.
  '5.2.5|Ensure SSH X11 forwarding is disabled|L2S L1W|ensure_ssh_x11_forwarding_disabled'
  '5.2.6|Ensure SSH MaxAuthTries is set to 4 or less|L1S L1W|ensure_ssh_maxauthtries_4_or_less'
  '5.2.7|Ensure SSH IgnoreRhosts is enabled|L1S L1W|ensure_ssh_ignorerhosts_enabled'
  '5.2.8|Ensure SSH HostbasedAuthentication is disabled|L1S L1W|ensure_ssh_hostbasedauthentication_disabled'
  '5.2.9|Ensure SSH root login is disabled|L1S L1W|ensure_ssh_root_login_disabled'
  '5.2.10|Ensure SSH PermitEmptyPasswords is disabled|L1S L1W|ensure_ssh_permitemptypasswords_disabled'
  '5.2.11|Ensure SSH PermitUserEnvironment is disabled|L1S L1W|ensure_ssh_permituserenvironment_disabled'
  '5.2.12|Ensure only strong Ciphers are used|L1S L1W|ssh7_ensure_strong_ciphers_used'
  '5.2.13|Ensure only strong MAC algorithms are used|L1S L1W|ssh7_ensure_strong_mac_algorithms_used'
  '5.2.14|Ensure only strong Key Exchange algorithms are used|L1S L1W|ssh7_ensure_strong_key_exchange_algorithms_used'
  '5.2.15|Ensure SSH Idle Timeout Interval is configured|L1S L1W|fed28_ensure_ssh_idle_timeout_interval_configured'
  '5.2.16|Ensure SSH LoginGraceTime is set to one minute or less|L1S L1W|ensure_ssh_logingracetime_one_minute_or_less'
  '5.2.17|Ensure SSH access is limited|L1S L1W|ensure_ssh_access_limited'
  '5.2.18|Ensure SSH warning banner is configured|L1S L1W|ensure_ssh_warning_banner_configured'
  '5.2.19|Ensure SSH PAM is enabled|L1S L1W|ensure_ssh_pam_enabled'
  '5.2.20|Ensure SSH AllowTcpForwarding is disabled|L1S L1W|ensure_ssh_allowtcpforwarding_disabled'
  # NOTE(review): the 5.2.21 function name carries "warning" like the banner
  # check above; presumably a copy-paste artefact — confirm the function exists.
  '5.2.21|Ensure SSH MaxStartups is configured|L1S L1W|ensure_ssh_warning_maxstartups_configured'
  '5.2.22|Ensure SSH MaxSessions is limited|L1S L1W|ensure_ssh_maxsessions_limited'
  #
  # 5.3 Configure PAM
  #
  '5.3.1|Ensure password creation requirements are configured|L1S L1W|deb_ensure_password_creation_requirements_configured'
  '5.3.2|Ensure lockout for failed password attempts is configured|L1S L1W|deb_ensure_lockout_failed_password_attempts_configured'
  '5.3.3|Ensure password reuse is limited|L1S L1W|deb_ensure_password_reuse_limited'
  '5.3.4|Ensure password hashing algorithm is SHA-512|L1S L1W|deb_ensure_password_hashing_algorithm_sha512'
  #
  # 5.4 User Accounts and Environment
  #
  #
  # 5.4.1 Set Shadow Password Suite Parameters
  #
  '5.4.1.1|Ensure password expiration is 365 days or less|L1S L1W|password_expiration_365_days_less'
  '5.4.1.2|Ensure minimum days between password changes is configured|L1S L1W|ensure_minimum_days_between_password_changes_configured'
  '5.4.1.3|Ensure password expiration warning days is 7 or more|L1S L1W|ensure_expiration_warning_days_7_more'
  '5.4.1.4|Ensure inactive password lock is 30 days or less|L1S L1W|ensure_inactive_password_lock_30_days_less'
  '5.4.1.5|Ensure all users last password change date is in the past|L1S L1W|ensure_all_users_last_password_change_in_past'
  '5.4.2|Ensure system accounts are secured|L1S L1W|ensure_system_accounts_secured'
  '5.4.3|Ensure default group for the root account is GID 0|L1S L1W|ensure_default_group_for_root_gid_0'
  '5.4.4|Ensure default user umask is 027 or more restrictive|L1S L1W|ensure_default_user_umask_027_more_restrictive_v2'
  '5.4.5|Ensure default user shell timeout is 900 seconds or less|L1S L1W|ensure_default_user_shell_timeout_configured'
  '5.5|Ensure root login is restricted to system console|L1S L1W|ensure_root_login_restricted_system_console'
  '5.6|Ensure access to the su command is restricted|L1S L1W|deb_ensure_access_su_command_restricted'
  #
  # 6 System Maintenance
  #
  #
  # 6.1 System File Permissions
  #
  '6.1.1|Audit system file permissions|L2S L2W|audit_system_file_permissions'
  '6.1.2|Ensure permissions on /etc/passwd are configured|L1S L1W|ensure_perms_etc_passwd_fct'
  '6.1.3|Ensure permissions on /etc/passwd- are configured|L1S L1W|ensure_perms_etc_passwd_dash_fct'
  '6.1.4|Ensure permissions on /etc/group are configured|L1S L1W|ensure_perms_etc_group_fct'
  '6.1.5|Ensure permissions on /etc/group- are configured|L1S L1W|ensure_perms_etc_group_dash_fct'
  '6.1.6|Ensure permissions on /etc/shadow are configured|L1S L1W|ensure_perms_etc_shadow_fct'
  '6.1.7|Ensure permissions on /etc/shadow- are configured|L1S L1W|ensure_perms_etc_shadow_dash_fct'
  '6.1.8|Ensure permissions on /etc/gshadow are configured|L1S L1W|ensure_perms_etc_gshadow_fct'
  '6.1.9|Ensure permissions on /etc/gshadow- are configured|L1S L1W|ensure_perms_etc_gshadow_dash_fct'
  '6.1.10|Ensure no world writable files exist|L1S L1W|no_world_writable_files_fct'
  # NOTE(review): 6.1.11 (unowned files) is wired to the same function as
  # 6.1.12 (ungrouped files), so the ungrouped check runs twice and a
  # no-owner check never runs — confirm which function was intended here.
  '6.1.11|Ensure no unowned files or directories exist|L1S L1W|no_ungrouped_files_dirs_fct'
  '6.1.12|Ensure no ungrouped files or directories exist|L1S L1W|no_ungrouped_files_dirs_fct'
  '6.1.13|Audit SUID executables|L1S L1W|audit_suid_fct'
  '6.1.14|Audit SGID executables|L1S L1W|audit_sgid_fct'
  #
  # 6.2 User and Group Settings
  #
  '6.2.1|Ensure accounts in /etc/passwd use shadowed passwords|L1S L1W|ensure_accounts_in_etc_passwd_use_shadowed_passwords'
  '6.2.2|Ensure password fields are not empty|L1S L1W|nonempty_pw_fields_fct'
  '6.2.3|Ensure all users home directories exist|L1S L1W|ensure_users_home_directories_exist'
  '6.2.4|Ensure users own their home directories|L1S L1W|ensure_users_own_their_home_directories'
  '6.2.5|Ensure users home directories permissions are 750 or more restrictive|L1S L1W|restrictive_home_dir_check_fct'
  '6.2.6|Ensure users dot files are not group or world writable|L1S L1W|ensure_users_dot_files_not_group_world_writable'
  '6.2.7|Ensure no users have .netrc files|L1S L1W|ensure_no_users_have_dot_netrc_files'
  '6.2.8|Ensure no users have .forward files|L1S L1W|ensure_no_users_have_dot_forward_files'
  '6.2.9|Ensure no users have .rhosts files|L1S L1W|ensure_no_users_have_dot_rhosts_files'
  '6.2.10|Ensure root is the only UID 0 account|L1S L1W|root_only_uid_0_fct'
  '6.2.11|Ensure root PATH Integrity|L1S L1W|root_path_integrity_fct'
  '6.2.12|Ensure all groups in /etc/passwd exist in /etc/group|L1S L1W|ensure_all_groups_etc_passwd_exist_etc_group'
  '6.2.13|Ensure no duplicate UIDs exist|L1S L1W|ensure_no_duplicate_uid_exist'
  '6.2.14|Ensure no duplicate GIDs exist|L1S L1W|ensure_no_duplicate_gid_exist'
  '6.2.15|Ensure no duplicate user names exist|L1S L1W|ensure_no_duplicate_user_names_exist'
  '6.2.16|Ensure no duplicate group names exist|L1S L1W|ensure_no_duplicate_group_names_exist'
  '6.2.17|Ensure shadow group is empty|L1S L1W|ensure_shadow_group_empty'
)

# Replay each row exactly as the per-recommendation boilerplate did: publish
# RN/RNA/profile/REC as globals for runrec, bump the counter, then dispatch.
# The IFS override is scoped to the read builtin and does not leak.
for rec_row in "${remaining_recommendations[@]}"; do
  IFS='|' read -r RN RNA profile REC <<<"$rec_row"
  total_recommendations=$((total_recommendations+1))
  runrec
done
# Drop the table and loop variable so only the original globals remain set.
unset rec_row remaining_recommendations
# End of generation for specific Benchmark
#End of recommendations
# Update grub.cfg permissions (again): the boot loader config may contain a
# boot password hash, so it stays readable by root only.
[ -e /boot/grub/grub.cfg ] && chmod og-rwx /boot/grub/grub.cfg
[ -e /boot/grub2/grub.cfg ] && chmod og-rwx /boot/grub2/grub.cfg
# Provide summery report
summery_report
完整脚本下载链接: https://caiyun.139.com/m/i?165CkqBibG1y8 提取码:wbq7