linux系统健康度巡检:shell脚本送上
#!/bin/bash
# File Name: system_safe_check.sh
# Version: V1.0
# Author: sanshi
# Organization: 暂无
# Created Time : 2022-04-08 20:59:53
# Description:
#################################################################
# ANSI colour prefixes used by the *_e reporting helpers below.  Single
# quotes keep the backslash literal; `echo -e` in the helpers interprets it.
RED='\033[31m'        # failed item (counted in tag_bad)
GREEN='\033[32m'      # compliant item (counted in tag_nice)
YELLOW='\033[33m'     # item needing attention (counted in tag_bad)
PURPLE='\033[35m'     # section headers and summary lines
COLOURLESS='\033[0m'  # reset to the terminal default
#################################################################
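# Root only: /etc/shadow and the PAM / audit configuration read below are
# not readable otherwise.  The effective UID is checked instead of $USER,
# which may be unset (the original unquoted test then became a syntax
# error).  Exit non-zero so a wrapper notices the refusal.
if [ "$(id -u)" -ne 0 ]; then
  echo "root permit need." >&2
  exit 1
fi
# Pass/fail counters that feed the health percentage printed at the end;
# green_e bumps tag_nice, red_e and yellow_e bump tag_bad.  (The original
# `set tag_nice=0 tag_bad=0` assigned the positional parameters, not these.)
tag_nice=0
tag_bad=0
# Report file.  A unique mktemp name instead of a fixed /tmp path, so a
# root-run report never follows a pre-planted symlink; the path is printed
# in the summary at the end of the run.
result_file=$(mktemp /tmp/safy.XXXXXX) || { echo "cannot create result file" >&2; exit 1; }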
red_e() {
echo -e "${RED}$@$COLOURLESS" | tee -a $result_file
((tag_bad++))
}
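#######################################
# Print a green (compliant) report line and append it to the result file.
# Globals:   GREEN, COLOURLESS, result_file (read); tag_nice (incremented)
# Arguments: message words, joined with single spaces
# Returns:   0 — the original ended with ((tag_nice++)), whose status is 1
#            on the first call, so `[ ok ] && green_e || red_e` also ran
#            red_e for the first passing item.
#######################################
green_e() {
  echo -e "${GREEN}$*${COLOURLESS}" | tee -a "$result_file"
  tag_nice=$((tag_nice + 1))
}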
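#######################################
# Print a yellow (needs attention) report line and append it to the result
# file.  Yellow counts as a failed item, like red.
# Globals:   YELLOW, COLOURLESS, result_file (read); tag_bad (incremented)
# Arguments: message words, joined with single spaces
# Returns:   0 (see red_e for why the ((…++)) status mattered)
#######################################
yellow_e() {
  echo -e "${YELLOW}$*${COLOURLESS}" | tee -a "$result_file"
  tag_bad=$((tag_bad + 1))
}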
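#######################################
# Print a purple header/summary line and append it to the result file.
# Does not touch the pass/fail counters.
# Globals:   PURPLE, COLOURLESS, result_file (read)
# Arguments: message words, joined with single spaces
#######################################
purple_e() {
  echo -e "${PURPLE}$*${COLOURLESS}" | tee -a "$result_file"
}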
#获取服务器系统类型
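#######################################
# Detect the distribution family and major version from /etc/redhat-release.
# Globals (written):
#   os_type   'CentOS', 'RHEL', or '' when not recognised
#   systemnum first digit of the release string (the major version)
#   arch      the "major.minor" release number — despite its name this is
#             NOT the CPU architecture
# Only Red Hat–family systems are recognised; elsewhere all three stay
# empty and the version-gated checks below fall through to their defaults.
# Uses grep -q throughout: the original printed the matched RHEL line.
#######################################
get_os_type() {
  local release=/etc/redhat-release
  os_type=''
  systemnum=''
  arch=''
  [ -f "$release" ] || return 0
  grep -qi centos "$release" && os_type='CentOS'
  grep -i red "$release" | grep -qi hat && os_type='RHEL'
  systemnum=$(grep -o '[0-9]' "$release" | head -n 1)
  # Accept multi-digit minors (e.g. 7.10); the original pattern cut them.
  arch=$(sed 's/.*release \([0-9][0-9]*\.[0-9][0-9]*\).*/\1/' "$release")
  return 0
}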
get_os_type
################################################################
# Force an English locale: several checks below parse the text labels in
# tool output (e.g. the "Access" line of `stat`).
export LANG="en_US.UTF-8"
day=$(date +%Y%m%d)
################################################################
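#密码安全策略
purple_e "--密码安全策略--"
echo '--------------------'
de_1="密码最长使用天数............."
de_2="密码最短使用天数............."
de_3="密码设置最短长度............."
de_4="密码到期前警告天............."
# Value of one active PASS_* directive in /etc/login.defs; prints nothing
# when it is absent.  Anchoring on the keyword avoids the original's hits
# on commented-out or unrelated lines and takes the first match only.
login_defs_value() {
  grep -E "^[[:space:]]*$1[[:space:]]+" /etc/login.defs 2>/dev/null | awk '{print $2}' | head -n 1
}
PASS_MAX_DAYS=$(login_defs_value PASS_MAX_DAYS)
: "${PASS_MAX_DAYS:=0}"
# <=90 compliant, 91–180 warning, >180 failed.
if [ "$PASS_MAX_DAYS" -le 90 ]; then
  green_e "$de_1:$PASS_MAX_DAYS"
elif [ "$PASS_MAX_DAYS" -le 180 ]; then
  yellow_e "$de_1:$PASS_MAX_DAYS"
else
  red_e "$de_1:$PASS_MAX_DAYS"
fi
PASS_MIN_DAYS=$(login_defs_value PASS_MIN_DAYS)
: "${PASS_MIN_DAYS:=0}"
if [ "$PASS_MIN_DAYS" -ge 1 ]; then
  green_e "$de_2:$PASS_MIN_DAYS"
else
  yellow_e "$de_2:$PASS_MIN_DAYS"
fi
PASS_MIN_LEN=$(login_defs_value PASS_MIN_LEN)
: "${PASS_MIN_LEN:=0}"
if [ "$PASS_MIN_LEN" -ge 8 ]; then
  green_e "$de_3:$PASS_MIN_LEN"
else
  red_e "$de_3:$PASS_MIN_LEN"
fi
PASS_WARN_AGE=$(login_defs_value PASS_WARN_AGE)
: "${PASS_WARN_AGE:=0}"
# >=7 compliant, 1–6 warning, 0 failed.
if [ "$PASS_WARN_AGE" -ge 7 ]; then
  green_e "$de_4:$PASS_WARN_AGE"
elif [ "$PASS_WARN_AGE" -ge 1 ]; then
  yellow_e "$de_4:$PASS_WARN_AGE"
else
  red_e "$de_4:$PASS_WARN_AGE"
fi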
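#
##密码复杂度策略
echo
purple_e "--密码复杂度策略--"
echo '--------------------'
de_5="用户密码至少包含一个数字....."
de_6="用户密码至少包含一个小写....."
de_7="用户密码至少包含一个大写....."
de_8="用户密码至少包含一个特殊....."
de_9="用户密码最短长度不能超过....."
de_10="用户密码修改可尝试错误次....."
de_11="前后两次密码至少不同位数....."
de_12="用户密码是否适用root用户....."
# Find the password-quality module on an active "password" line of
# system-auth.  pam_cracklib (el5/6) wins over pam_pwquality (el7) when both
# appear, as in the original.  The original comment filter "^(s*)#" lacked
# the backslash and so did not skip indented comments.
pam_auth_file=/etc/pam.d/system-auth
pam_pw_module=''
case $os_type in
  CentOS|RHEL)
    case $systemnum in
      5|6|7)
        if [ -f "$pam_auth_file" ]; then
          pam_pw_lines=$(grep -Ev '^[[:space:]]*#' "$pam_auth_file" | grep password)
          if printf '%s\n' "$pam_pw_lines" | grep -q pam_cracklib.so; then
            pam_pw_module=pam_cracklib.so
          elif printf '%s\n' "$pam_pw_lines" | grep -q pam_pwquality.so; then
            pam_pw_module=pam_pwquality.so
          fi
        fi
        ;;
    esac
    ;;
  esac
# Value of "<opt>=<n>" on the module's line(s); first match wins.  With a
# second argument of "neg" only a negative value is accepted and its sign is
# dropped — for the *credit options a negative number is a required minimum,
# while a positive one is a credit cap and reads as 0 (not enforced), which
# is what the original awk -F'<opt>=-' split produced.
pam_pw_option() {
  local pat="$1=[0-9]+"
  [ "${2:-}" = neg ] && pat="$1=-[0-9]+"
  [ -n "$pam_pw_module" ] || return 0
  grep "$pam_pw_module" "$pam_auth_file" 2>/dev/null \
    | grep -oE "(^|[[:space:]])$pat" | head -n 1 | sed 's/^.*=//; s/^-//'
}
dcredit=$(pam_pw_option dcredit neg)
lcredit=$(pam_pw_option lcredit neg)
ucredit=$(pam_pw_option ucredit neg)
ocredit=$(pam_pw_option ocredit neg)
retry=$(pam_pw_option retry)
minlen=$(pam_pw_option minlen)
difok=$(pam_pw_option difok)
# Count occurrences: the original stored the whole matching line and then
# compared it with -eq, which always failed.
enforce_for_root=''
if [ -n "$pam_pw_module" ]; then
  enforce_for_root=$(grep "$pam_pw_module" "$pam_auth_file" 2>/dev/null | grep -c enforce_for_root)
fi
: "${dcredit:=0}"
: "${lcredit:=0}"
: "${ucredit:=0}"
: "${ocredit:=0}"
: "${retry:=0}"
: "${minlen:=0}"
: "${difok:=0}"
: "${enforce_for_root:=0}"
if [ "$dcredit" -ge 1 ]; then green_e "$de_5:$dcredit"; else red_e "$de_5:$dcredit"; fi
if [ "$lcredit" -ge 1 ]; then green_e "$de_6:$lcredit"; else red_e "$de_6:$lcredit"; fi
if [ "$ucredit" -ge 1 ]; then green_e "$de_7:$ucredit"; else red_e "$de_7:$ucredit"; fi
if [ "$ocredit" -ge 1 ]; then green_e "$de_8:$ocredit"; else red_e "$de_8:$ocredit"; fi
if [ "$minlen" -ge 8 ]; then green_e "$de_9:$minlen"; else red_e "$de_9:$minlen"; fi
if [ "$retry" -ge 3 ]; then green_e "$de_10:$retry"; else red_e "$de_10:$retry"; fi
if [ "$difok" -ge 3 ]; then green_e "$de_11:$difok"; else red_e "$de_11:$difok"; fi
if [ "$enforce_for_root" -ge 1 ]; then green_e "$de_12:$enforce_for_root"; else red_e "$de_12:$enforce_for_root"; fi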
#系统安全设置
printf '\n'
purple_e "--系统安全设置--"
printf '%s\n' '--------------------'
# Report labels for this section; the numbers are the original check ids
# and are not contiguous.
de_13='连续错误登陆的最大次数.......'
de_14='普通用户锁定后解锁时间.......'
de_15='root用户锁定后解锁时间.......'
de_16='用户锁定是否也包括root.......'
de_17='记..住..密..码..次..数.......'
de_18='系统内是否有空口令账号.......'
de_19='i.d为0的非root用户个数.......'
de_20='配置wheel组用户.su切换.......'
de_21='普通用户umask值.预设置.......'
de_22='系统配置登录超时设置值.......'
de_23='不要记录空用户登录信息.......'
de_24='配置用户的密码尝试次数.......'
de_25='记录用户上次登录的时间.......'
de_35='系统已禁用ctrl+alt+del.......'
de_36='禁止普通用户重起服务器.......'
de_37='是否禁止.usb使用的权限.......'
de_45='NTPD时间服务的当前状态.......'
de_84='系统中是否存在异常用户.......'
de_85='系统中是否存在异常组.........'
de_86='有shell权限的非root用户......'
de_87='/etc/passwd等的ACL权限.......'
de_88='字符界面登录界面告警信息.....'
de_89='/etc/{issue,.net}是否存在....'
de_90='禁止系统生成tty3到tty6控制台.'
de_91='grub界面超时时间设置.........'
de_125='root用户TTY登录权限..........'
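# Account lockout policy (pam_tally2).  Each option is read from
# system-auth first and, when absent there, from /etc/pam.d/login; the
# original repeated the whole os/version case statement per fallback.
# NOTE(review): pam_faillock (used on newer releases) is not parsed here,
# so those hosts report 0 for every value.
pam_tally_option() {
  local f val
  for f in /etc/pam.d/system-auth /etc/pam.d/login; do
    [ -f "$f" ] || continue
    # Word-anchored so "unlock_time=" is not matched inside
    # "root_unlock_time=".
    val=$(grep pam_tally2.so "$f" | grep -oE "(^|[[:space:]])$1=[0-9]+" | head -n 1 | sed 's/.*=//')
    if [ -n "$val" ]; then
      printf '%s\n' "$val"
      return 0
    fi
  done
  return 0
}
deny_time=$(pam_tally_option deny)
unlocktime=$(pam_tally_option unlock_time)
root_unlocktime=$(pam_tally_option root_unlock_time)
even_deny_root=''
if [ -f /etc/pam.d/system-auth ]; then
  even_deny_root=$(grep auth /etc/pam.d/system-auth | grep pam_tally2.so | grep -c even_deny_root)
fi
: "${deny_time:=0}"
: "${unlocktime:=0}"
: "${root_unlocktime:=0}"
: "${even_deny_root:=0}"
if [ "$deny_time" -eq 6 ]; then green_e "$de_13:$deny_time"; else yellow_e "$de_13:$deny_time"; fi
if [ "$unlocktime" -eq 300 ]; then green_e "$de_14:$unlocktime"; else yellow_e "$de_14:$unlocktime"; fi
if [ "$root_unlocktime" -eq 300 ]; then green_e "$de_15:$root_unlocktime"; else yellow_e "$de_15:$root_unlocktime"; fi
if [ "$even_deny_root" -ge 1 ]; then green_e "$de_16:$even_deny_root"; else yellow_e "$de_16:$even_deny_root"; fi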
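#检查密码次数设置
# remember=N on the pam_unix password line of system-auth.
rem_time=''
if [ -f /etc/pam.d/system-auth ]; then
  rem_time=$(grep -v '^#' /etc/pam.d/system-auth | grep password | grep pam_unix.so \
    | grep -oE '(^|[[:space:]])remember=[0-9]+' | head -n 1 | sed 's/.*=//')
fi
: "${rem_time:=0}"
if [ "$rem_time" -eq 5 ]; then green_e "$de_17:$rem_time"; else yellow_e "$de_17:$rem_time"; fi
#检查是否存在空口令账号
# An empty second field means the account logs in with no password at all.
# The original matched "!!", which marks a *locked* account that never had a
# password — the opposite of an empty-password account.
emptypasswd=$(awk -F: '($2 == "") { print $1 }' /etc/shadow 2>/dev/null | wc -l)
: "${emptypasswd:=0}"
if [ "$emptypasswd" -eq 0 ]; then green_e "$de_18:$emptypasswd"; else yellow_e "$de_18:$emptypasswd"; fi
#检查系统中是否存在其它id为0的用户
# Compare the name exactly: `grep -v root` also hid any other UID-0 account
# whose name merely contains "root".
uid0=$(awk -F: '($3 == 0 && $1 != "root") { print $1 }' /etc/passwd | wc -l)
: "${uid0:=0}"
if [ "$uid0" -eq 0 ]; then green_e "$de_19:$uid0"; else red_e "$de_19:$uid0"; fi
#使用PAM认证模块禁止wheel组之外的用户su到root
su_wheel=$(grep -v '^#' /etc/pam.d/su 2>/dev/null | grep auth | grep pam_wheel.so | grep use_uid | grep -c root_only)
: "${su_wheel:=0}"
if [ "$su_wheel" -eq 1 ]; then green_e "$de_20:$su_wheel"; else red_e "$de_20:$su_wheel"; fi
#用户umask值设置
umask_v=$(grep -Ev '^[[:space:]]*#' /etc/profile 2>/dev/null | grep -i umask | sed -n '1p' | awk '{print $2}')
# The original `: {$umask_v:=022}` was a typo that assigned nothing.
: "${umask_v:=022}"
# NOTE(review): this baseline expects the first umask in /etc/profile to be
# 002; confirm that is the intended value for the environment.
if [ "$umask_v" = "002" ]; then green_e "$de_21:$umask_v"; else red_e "$de_21:$umask_v"; fi
#远程连接的超时时间(s)
# First number on the first active TMOUT line; a second TMOUT line (e.g.
# "readonly TMOUT") made the original compare a two-line value.
tmout=$(grep -v '^#' /etc/profile 2>/dev/null | grep -i TMOUT | grep -oE '[0-9]+' | head -n 1)
: "${tmout:=0}"
if [ "$tmout" -eq 300 ]; then green_e "$de_22:$tmout"; else yellow_e "$de_22:$tmout"; fi
#系统登陆安全设置
# Value of one active directive in /etc/login.defs (first match).
login_defs_value() {
  grep -E "^[[:space:]]*$1[[:space:]]+" /etc/login.defs 2>/dev/null | awk '{print $2}' | head -n 1
}
LOG_UNKFAIL_ENAB=$(login_defs_value LOG_UNKFAIL_ENAB)
LOGIN_RETRIES=$(login_defs_value LOGIN_RETRIES)
LASTLOG_ENAB=$(login_defs_value LASTLOG_ENAB)
: "${LOG_UNKFAIL_ENAB:=NULL}"
: "${LOGIN_RETRIES:=0}"
: "${LASTLOG_ENAB:=NULL}"
if [ "$LOG_UNKFAIL_ENAB" = "yes" ]; then green_e "$de_23:$LOG_UNKFAIL_ENAB"; else red_e "$de_23:$LOG_UNKFAIL_ENAB"; fi
if [ "$LOGIN_RETRIES" -eq 6 ]; then green_e "$de_24:$LOGIN_RETRIES"; else red_e "$de_24:$LOGIN_RETRIES"; fi
if [ "$LASTLOG_ENAB" = "yes" ]; then green_e "$de_25:$LASTLOG_ENAB"; else red_e "$de_25:$LASTLOG_ENAB"; fi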
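#是否禁用ctrl+alt+del
# CTRL_ALT_DEL: 0 = the key combination is disabled (compliant), 1 = still
# active.  Unknown platforms report 1 (the original left the variable unset
# and the numeric test errored into the yellow branch).
CTRL_ALT_DEL=1
case $os_type in
  CentOS|RHEL)
    case $systemnum in
      6)
        # Upstart: an active "control-alt-delete" stanza means enabled.
        if [ -f /etc/init/control-alt-delete.conf ] \
           && grep -v '^#' /etc/init/control-alt-delete.conf | grep -q 'control-alt-delete'; then
          CTRL_ALT_DEL=1
        else
          CTRL_ALT_DEL=0
        fi
        ;;
      5)
        # SysV: an active ca::ctrlaltdel line in inittab means enabled.
        if grep -v '^#' /etc/inittab 2>/dev/null | grep -q ctrlaltdel; then
          CTRL_ALT_DEL=1
        else
          CTRL_ALT_DEL=0
        fi
        ;;
      7)
        # systemd: the target unit file always exists, so its presence (what
        # the original tested, with a "2>/dev/nul" typo that created a file
        # named /dev/nul) says nothing.  Disabled means the target is masked.
        if [ "$(readlink -f /etc/systemd/system/ctrl-alt-del.target 2>/dev/null)" = /dev/null ] \
           || [ "$(systemctl is-enabled ctrl-alt-del.target 2>/dev/null)" = masked ]; then
          CTRL_ALT_DEL=0
        else
          CTRL_ALT_DEL=1
        fi
        ;;
    esac
    ;;
esac
if [ "$CTRL_ALT_DEL" -eq 0 ]; then green_e "$de_35:$CTRL_ALT_DEL"; else yellow_e "$de_35:$CTRL_ALT_DEL"; fi
#是否禁用usb存储设备
# BAN_USB: 1 when a modprobe rule stops usb-storage from loading (the usual
# "install usb-storage /bin/true" form; /bin/false accepted too), else 0.
# The original grepped for the misspelling "/bin/ture" and then reported
# the *absence* of the rule as compliant, which contradicts the label.
# NOTE(review): a "blacklist usb-storage" line is not recognised here.
BAN_USB=0
if [ -f /etc/modprobe.d/usb-storage.conf ] \
   && grep -Eq '^[[:space:]]*install[[:space:]]+usb-storage[[:space:]]+/bin/(true|false)' /etc/modprobe.d/usb-storage.conf; then
  BAN_USB=1
fi
if [ "$BAN_USB" -eq 1 ]; then green_e "$de_37:$BAN_USB"; else yellow_e "$de_37:$BAN_USB"; fi
#是否禁止普通用户重起服务器权限
# Three-digit owner/group/other permission bits of a file (e.g. 644), or
# 000 when it cannot be stat'ed.  Special bits are dropped, matching the
# original "cut -c 3-5" on stat's "(0644/-rw-r--r--)" field.
perm_bits() {
  local mode
  mode=$(stat -c '%a' -- "$1" 2>/dev/null) || mode=''
  mode="000$mode"
  printf '%s\n' "${mode: -3}"
}
# BAN_REBOOT: 0 = /usr/bin/consolehelper is mode 744 (root only), 1 = wider
# permissions, 2 = helper not installed / non-RH platform.  Only 0 is
# reported as compliant, as in the original.
BAN_REBOOT=2
case $os_type in
  CentOS|RHEL)
    if [ -f /usr/bin/consolehelper ]; then
      permission_consolehelper=$(perm_bits /usr/bin/consolehelper)
      if [ "$permission_consolehelper" = "744" ]; then
        BAN_REBOOT=0
      else
        BAN_REBOOT=1
      fi
    fi
    ;;
esac
if [ "$BAN_REBOOT" -eq 0 ]; then green_e "$de_36:$BAN_REBOOT"; else red_e "$de_36:$BAN_REBOOT"; fi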
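##检查ntp服务是否正常
# NTPD_STATUS: 1 when a time daemon (ntpd or chronyd) is running on this
# release, 0 otherwise.  `command -v` replaces `which`, and the unit state
# is asked for directly instead of parsing `status` output.
NTPD_STATUS=0
if command -v ntpq >/dev/null 2>&1; then
  case $systemnum in
    5|6) service ntpd status >/dev/null 2>&1 && NTPD_STATUS=1 ;;
    7) systemctl is-active --quiet ntpd.service 2>/dev/null && NTPD_STATUS=1 ;;
  esac
fi
if command -v chronyc >/dev/null 2>&1; then
  case $systemnum in
    7) systemctl is-active --quiet chronyd.service 2>/dev/null && NTPD_STATUS=1 ;;
  esac
fi
if [ "$NTPD_STATUS" -eq 1 ]; then green_e "$de_45:$NTPD_STATUS"; else yellow_e "$de_45:$NTPD_STATUS"; fi
#检查ntpd服务器设置
# This label was referenced but never defined in the original.
de_46="配置的NTP时间服务器地址......"
# Upstream servers configured in ntp.conf (preferred) or chrony.conf,
# joined with ';'.  Public pool entries and the local clock are ignored.
# chrony's "pool" directive is accepted alongside "server".
ntp_conf=''
if [ -f /etc/ntp.conf ]; then
  ntp_conf=/etc/ntp.conf
elif [ -f /etc/chrony.conf ]; then
  ntp_conf=/etc/chrony.conf
fi
ntp_servers=''
if [ -n "$ntp_conf" ]; then
  ntp_servers=$(grep -Ev '^[[:space:]]*#' "$ntp_conf" | grep -v '^$' \
    | grep -E '^(server|pool)[[:space:]]' | grep -Ev 'pool\.ntp\.org|127\.127\.1\.0' \
    | awk '{print $2}' | paste -sd ';')
fi
: "${ntp_servers:=null}"
if [ "$ntp_servers" != "null" ]; then green_e "$de_46:$ntp_servers"; else red_e "$de_46:$ntp_servers"; fi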
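#检查是否有以下账号games、uucp、lp、ftp、news、rpcuser、mail
# Exact user-name match: the original's unanchored egrep also counted any
# account whose name merely contained one of these strings.
user_check=$(awk -F: '$1 ~ /^(games|uucp|lp|ftp|news|rpcuser|mail)$/' /etc/passwd | wc -l)
: "${user_check:=0}"
if [ "$user_check" -eq 0 ]; then green_e "$de_84:$user_check"; else red_e "$de_84:$user_check"; fi
#检查是否有以下组lp、mail、news、uucp、games、ftp、floppy、mailnull
GROUP_CHECK=$(awk -F: '$1 ~ /^(lp|mail|news|uucp|games|ftp|floppy|mailnull)$/' /etc/group | wc -l)
: "${GROUP_CHECK:=0}"
if [ "$GROUP_CHECK" -eq 0 ]; then green_e "$de_85:$GROUP_CHECK"; else red_e "$de_85:$GROUP_CHECK"; fi
#检查包含shell权限的非root账号
# Non-root accounts whose login shell is bash (other shells are not
# counted, as in the original).  The name is compared exactly instead of
# dropping every line that contains "root".
bash_user=$(awk -F: '$1 != "root" && $7 ~ /\/bin\/bash$/' /etc/passwd | wc -l)
: "${bash_user:=0}"
if [ "$bash_user" -eq 0 ]; then green_e "$de_86:$bash_user"; else yellow_e "$de_86:$bash_user"; fi
#检查以下文件是否配置acl权限:/etc/passwd,/etc/group,/etc/shadow
# An ACL shows as a trailing '+' on the mode column of ls -l.
user_acl=$(ls -l /etc/passwd /etc/group /etc/shadow 2>/dev/null | awk '$1 ~ /\+$/' | wc -l)
: "${user_acl:=0}"
if [ "$user_acl" -eq 0 ]; then green_e "$de_87:$user_acl"; else red_e "$de_87:$user_acl"; fi
#用户字符界面登录后,系统显示业务使用警告信息
WARN_MESG=0
if [ -f /etc/motd ] && grep 'authorization' /etc/motd | grep -q 'monitor'; then
  WARN_MESG=1
fi
if [ "$WARN_MESG" -eq 1 ]; then green_e "$de_88:$WARN_MESG"; else yellow_e "$de_88:$WARN_MESG"; fi
#删除多余提示信息文件 /etc/issue和/etc/issue.net
DEL_MESG_FILE=0
if [ -f /etc/issue ] || [ -f /etc/issue.net ]; then
  DEL_MESG_FILE=1
fi
if [ "$DEL_MESG_FILE" -eq 0 ]; then green_e "$de_89:$DEL_MESG_FILE"; else yellow_e "$de_89:$DEL_MESG_FILE"; fi
#禁止系统生成tty3到tty6控制台
# getty processes on tty3–tty6.  The pattern cannot match its own grep
# command line (the literal text has "(" after /sbin/), so no "grep -v grep"
# is needed; agetty covers the systemd-era getty.
TTY_SET=$(ps aux | grep -cE '/sbin/(mingetty|agetty).*tty[3-6]')
: "${TTY_SET:=0}"
if [ "$TTY_SET" -eq 0 ]; then green_e "$de_90:$TTY_SET"; else red_e "$de_90:$TTY_SET"; fi
#grub超时设置
# Anchored keys: the original's "grep -i GRUB_TIMEOUT" also matched
# GRUB_TIMEOUT_STYLE and produced a two-line value.  (It also listed a
# version "12", which the single-digit systemnum can never equal.)
grub_time=''
case $systemnum in
  5|6)
    if [ -f /etc/grub.conf ]; then
      grub_time=$(grep -v '^#' /etc/grub.conf | grep -E '^[[:space:]]*timeout[[:space:]]*=' \
        | head -n 1 | awk -F= '{print $2}' | tr -d '[:space:]')
    fi
    ;;
  7)
    if [ -f /etc/default/grub ]; then
      grub_time=$(grep -E '^GRUB_TIMEOUT=' /etc/default/grub | head -n 1 | awk -F= '{print $2}' | tr -d '"')
    fi
    ;;
esac
: "${grub_time:=0}"
if [ "$grub_time" -eq 0 ] 2>/dev/null; then green_e "$de_91:$grub_time"; else yellow_e "$de_91:$grub_time"; fi
#是否允许root登录tty
# ROOT_TTY: 1 when /etc/securetty lists any tty (root may log in on it).
ROOT_TTY=0
if [ -f /etc/securetty ] \
   && grep -Ev '^[[:space:]]*#' /etc/securetty | grep -v '^$' | grep -q tty; then
  ROOT_TTY=1
fi
if [ "$ROOT_TTY" -eq 0 ]; then green_e "$de_125:$ROOT_TTY"; else yellow_e "$de_125:$ROOT_TTY"; fi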
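#系统资源限制设置
echo
purple_e "--系统资源限制设置--"
echo '--------------------'
de_26="应用程序转储文件最大值(硬)..."
de_27="应用程序转储文件最大值(软)..."
de_28="单程序打开最大文件句柄数(硬)."
de_29="单程序打开最大文件句柄数(软)."
de_30="单个程序创建最大线程数(硬)..."
de_31="单个程序创建最大线程数(软)..."
# Value of the "*" (all users) entry for <type> <item> in limits.conf,
# e.g. `limits_value hard nofile`.  Exact field matches replace the
# original chain of substring greps; the first matching line wins.
limits_value() {
  grep -v '^#' /etc/security/limits.conf 2>/dev/null \
    | awk -v t="$1" -v i="$2" '$1 == "*" && $2 == t && $3 == i { print $4; exit }'
}
# "unlimited" is a legal value; map it to a large integer so the numeric
# comparisons below do not abort with "integer expression expected".
limit_num() {
  case $1 in
    unlimited) printf '%s\n' 4294967295 ;;
    *) printf '%s\n' "$1" ;;
  esac
}
hard_core=$(limits_value hard core)
soft_core=$(limits_value soft core)
hard_nofile=$(limits_value hard nofile)
soft_nofile=$(limits_value soft nofile)
hard_nproc=$(limits_value hard nproc)
soft_nproc=$(limits_value soft nproc)
: "${hard_core:=0}"
: "${soft_core:=0}"
: "${hard_nofile:=0}"
: "${soft_nofile:=0}"
: "${hard_nproc:=0}"
: "${soft_nproc:=0}"
hard_core_n=$(limit_num "$hard_core")
soft_core_n=$(limit_num "$soft_core")
hard_nofile_n=$(limit_num "$hard_nofile")
soft_nofile_n=$(limit_num "$soft_nofile")
hard_nproc_n=$(limit_num "$hard_nproc")
soft_nproc_n=$(limit_num "$soft_nproc")
# Hard limits must meet the floor; soft limits must meet it and not exceed
# the hard limit.
if [ "$hard_core_n" -ge 102400 ]; then green_e "$de_26:$hard_core"; else yellow_e "$de_26:$hard_core"; fi
if [ "$soft_core_n" -ge 102400 ] && [ "$soft_core_n" -le "$hard_core_n" ]; then green_e "$de_27:$soft_core"; else yellow_e "$de_27:$soft_core"; fi
if [ "$hard_nofile_n" -ge 65535 ]; then green_e "$de_28:$hard_nofile"; else yellow_e "$de_28:$hard_nofile"; fi
if [ "$soft_nofile_n" -ge 65535 ] && [ "$soft_nofile_n" -le "$hard_nofile_n" ]; then green_e "$de_29:$soft_nofile"; else yellow_e "$de_29:$soft_nofile"; fi
if [ "$hard_nproc_n" -ge 4096 ]; then green_e "$de_30:$hard_nproc"; else yellow_e "$de_30:$hard_nproc"; fi
if [ "$soft_nproc_n" -ge 4096 ] && [ "$soft_nproc_n" -le "$hard_nproc_n" ]; then green_e "$de_31:$soft_nproc"; else yellow_e "$de_31:$soft_nproc"; fi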
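#历史命令设置
echo
purple_e "--历史命令设置--"
echo '--------------------'
de_32="历史命令输出记录数..........."
de_33="历史命令文件记录数..........."
de_34="历史命令时间戳设置..........."
# Value of NAME=... (optionally "export NAME=...") on the first active line
# of /etc/profile, with surrounding double quotes removed.  Anchored so
# HISTSIZE= does not also pick up HISTFILESIZE=.
profile_setting() {
  grep -v '^#' /etc/profile 2>/dev/null | grep -E "^(export[[:space:]]+)?$1=" \
    | head -n 1 | awk -F= '{print $2}' | tr -d '"'
}
# Local names instead of HISTSIZE/HISTFILESIZE, which are bash's own
# history variables.
hist_size=$(profile_setting HISTSIZE)
hist_file_size=$(profile_setting HISTFILESIZE)
hist_time_format=$(grep -v '^#' /etc/profile 2>/dev/null | grep HISTTIMEFORMAT | grep export \
  | head -n 1 | awk -F '"' '{print $2}')
: "${hist_size:=0}"
: "${hist_file_size:=0}"
: "${hist_time_format:=null}"
if [ "$hist_size" -eq 1000 ] 2>/dev/null; then green_e "$de_32:$hist_size"; else yellow_e "$de_32:$hist_size"; fi
if [ "$hist_file_size" -eq 5000 ] 2>/dev/null; then green_e "$de_33:$hist_file_size"; else yellow_e "$de_33:$hist_file_size"; fi
# The format must contain the literal "%F %T" (date and time).
case $hist_time_format in
  *"%F %T"*) green_e "$de_34:$hist_time_format" ;;
  *) yellow_e "$de_34:$hist_time_format" ;;
esac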
#系统服务
printf '\n'
purple_e "--系统服务--"
printf '%s\n' '--------------------'
# Section labels.  de_92..de_111 are consumed by the check_ser calls further
# down; the baseline expects each of those services to be off.
de_38='防火墙是否已开启.............'
de_39='SELINUX.是否开启.............'
de_40='是否禁止..telnet.............'
de_41='r/syslog是否开启.............'
de_92='服务状态检查:vsftpd..........'
de_93='服务状态检查:rlogin..........'
de_94='服务状态检查:rcp.............'
de_95='服务状态检查:tftp............'
de_96='服务状态检查:imap............'
de_97='服务状态检查:cyrus...........'
de_98='服务状态检查:qpopper.........'
de_99='服务状态检查:upower..........'
de_100='服务状态检查:avahi-daemon....'
de_101='服务状态检查:bluetooth.......'
de_102='服务状态检查:cups............'
de_103='服务状态检查:cups-browsed....'
de_104='服务状态检查:dnsmasq.........'
de_105='服务状态检查:firewalld.......'
de_106='服务状态检查:ModemManager....'
de_107='服务状态检查:Sendmail........'
de_108='服务状态检查:postfix.........'
de_109='服务状态检查:wpa_supplicant..'
de_110='服务状态检查:ypbind..........'
de_111='服务状态检查:xinetd..........'
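#防火墙使用情况
# FIREWALL_STATUS: 1 = host firewall service running, 0 = stopped or
# unknown platform (the original left it unset off the RH branch).
# NOTE(review): this baseline reports a *stopped* host firewall as
# compliant (green); confirm that matches the deployment's policy.
FIREWALL_STATUS=0
case $os_type in
  CentOS|RHEL)
    case $systemnum in
      5|6) service iptables status >/dev/null 2>&1 && FIREWALL_STATUS=1 ;;
      7) systemctl is-active --quiet firewalld.service 2>/dev/null && FIREWALL_STATUS=1 ;;
    esac
    ;;
esac
if [ "$FIREWALL_STATUS" -eq 0 ]; then green_e "$de_38:$FIREWALL_STATUS"; else yellow_e "$de_38:$FIREWALL_STATUS"; fi
#SELINUX 是否已开启
# getenforce prints Enforcing / Permissive / Disabled; "0" stands in when
# the tool is missing.
# NOTE(review): likewise, SELinux *not* enforcing is reported as compliant.
get_enforce=$(getenforce 2>/dev/null)
: "${get_enforce:=0}"
if [ "$get_enforce" != "Enforcing" ]; then green_e "$de_39:$get_enforce"; else yellow_e "$de_39:$get_enforce"; fi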
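#禁止telnet服务
# TELNET_STATUS: 1 = telnet is installed and its service/socket is active,
# 0 = installed but disabled, 2 = not installed.  Only 1 is a finding: the
# original reported "not installed" as yellow, and its `service xinted`
# typo meant an active xinetd-based telnet was never detected.
TELNET_STATUS=2
case $os_type in
  CentOS|RHEL)
    case $systemnum in
      5|6)
        if chkconfig --list 2>/dev/null | grep -q telnet; then
          TELNET_STATUS=0
          if service xinetd status >/dev/null 2>&1 && [ -f /etc/xinetd.d/telnet ]; then
            disable=$(grep -v '^[[:space:]]*#' /etc/xinetd.d/telnet | grep 'disable' \
              | awk -F'=' '{print $2}' | tr -d '[:space:]')
            [ "$disable" = 'no' ] && TELNET_STATUS=1
          fi
        fi
        ;;
      7)
        if systemctl list-unit-files --no-pager 2>/dev/null | grep -Fq 'telnet.socket'; then
          TELNET_STATUS=0
          systemctl is-active --quiet telnet.socket 2>/dev/null && TELNET_STATUS=1
        fi
        ;;
    esac
    ;;
esac
if [ "$TELNET_STATUS" -ne 1 ]; then green_e "$de_40:$TELNET_STATUS"; else yellow_e "$de_40:$TELNET_STATUS"; fi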
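#syslog/rsyslog是否开启
# SYSLOG_STATUS: 1 when the release's logging service is running (syslog on
# el5, rsyslog on el6, systemd-journald on el7), 0 otherwise — including an
# unknown release, where the original left it unset and errored.
SYSLOG_STATUS=0
case $systemnum in
  5) service syslog status >/dev/null 2>&1 && SYSLOG_STATUS=1 ;;
  6) service rsyslog status >/dev/null 2>&1 && SYSLOG_STATUS=1 ;;
  7) systemctl is-active --quiet systemd-journald.service 2>/dev/null && SYSLOG_STATUS=1 ;;
esac
if [ "$SYSLOG_STATUS" -eq 1 ]; then green_e "$de_41:$SYSLOG_STATUS"; else red_e "$de_41:$SYSLOG_STATUS"; fi
###############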
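#######################################
# Report whether a service is running.  The baseline expects the listed
# services to be off, so "not installed" and "stopped" are green and
# "running" is yellow.
# Globals:   systemnum (read); CHECK_SER (written: 1 running, 0 otherwise)
# Arguments: $1 - service name (init script / systemd unit without .service)
#            $2 - label for the report line
#######################################
check_ser() {
  local ser_name=$1
  local tag_info=$2
  # Reset on every call.  The original only defaulted the variable when it
  # was *unset*, so a service absent from this host inherited the previous
  # call's result.
  CHECK_SER=0
  case $systemnum in
    5|6)
      # Anchor on the name so e.g. "cups" does not also match "cups-browsed".
      if chkconfig --list 2>/dev/null | grep -q "^${ser_name}[[:space:]]"; then
        service "$ser_name" status >/dev/null 2>&1 && CHECK_SER=1
      fi
      ;;
    7)
      if systemctl list-unit-files --no-pager 2>/dev/null | grep -Fq "${ser_name}.service"; then
        systemctl is-active --quiet "${ser_name}.service" 2>/dev/null && CHECK_SER=1
      fi
      ;;
  esac
  if [ "$CHECK_SER" -eq 0 ]; then
    green_e "$tag_info:$CHECK_SER"
  else
    yellow_e "$tag_info:$CHECK_SER"
  fi
}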
################
# Services the baseline expects to be disabled, one "<service> <label var>"
# pair per line; check_ser reports each.  The label is looked up by name.
while read -r svc_name svc_label; do
  [ -n "$svc_name" ] || continue
  check_ser "$svc_name" "${!svc_label}"
done <<'EOF'
vsftpd de_92
rlogin de_93
rcp de_94
tftp de_95
imap de_96
cyrus de_97
qpopper de_98
upower de_99
avahi-daemon de_100
bluetooth de_101
cups de_102
cups-browsed de_103
dnsmasq de_104
firewalld de_105
ModemManager de_106
Sendmail de_107
postfix de_108
wpa_supplicant de_109
ypbind de_110
xinetd de_111
EOF
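#审计配置
echo
purple_e "--审计配置--"
echo '--------------------'
de_42="audit是否配置并开启.........."
de_43="log文件最大大小(MB).........."
de_44="audit.保持log的数量.........."
#audit是否配置并开启
# AUDIT_STATUS: 1 when auditd is running.
AUDIT_STATUS=0
case $systemnum in
  7) systemctl is-active --quiet auditd.service 2>/dev/null && AUDIT_STATUS=1 ;;
  *) service auditd status >/dev/null 2>&1 && AUDIT_STATUS=1 ;;
esac
# Value of one auditd.conf key.  Anchored on the key so "max_log_file" does
# not also match "max_log_file_action"; the real key names are num_logs and
# max_log_file.
auditd_value() {
  grep -v '^#' /etc/audit/auditd.conf 2>/dev/null | grep -E "^[[:space:]]*$1[[:space:]]*=" \
    | head -n 1 | awk -F= '{print $2}' | tr -d '[:space:]'
}
NUM_LOG=$(auditd_value num_logs)
MAX_LOG_FILE=$(auditd_value max_log_file)
# Default to 0 rather than the original "NULL": the numeric tests below
# would otherwise fail with "integer expression expected".
: "${NUM_LOG:=0}"
: "${MAX_LOG_FILE:=0}"
if [ "$AUDIT_STATUS" -eq 1 ]; then green_e "$de_42:$AUDIT_STATUS"; else red_e "$de_42:$AUDIT_STATUS"; fi
if [ "$NUM_LOG" -ge 4 ] 2>/dev/null; then green_e "$de_44:$NUM_LOG"; else yellow_e "$de_44:$NUM_LOG"; fi
if [ "$MAX_LOG_FILE" -eq 50 ] 2>/dev/null; then green_e "$de_43:$MAX_LOG_FILE"; else yellow_e "$de_43:$MAX_LOG_FILE"; fi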
#重要文件权限
printf '\n'
purple_e "--重要文件权限--"
printf '%s\n' '--------------------'
# Labels: de_47..de_62 and de_121..de_123 are file-permission checks,
# de_112..de_120 are the SUID checks, de_124 the home-directory scan.
de_47='/boot/grub/grub.conf.........'
de_48='/etc/crontab.................'
de_49='/etc/securetty...............'
de_50='/etc/hosts.allow.............'
de_51='/etc/hosts.deny..............'
de_52='/etc/inittab.................'
de_53='/etc/login.defs..............'
de_54='/etc/profile.................'
de_55='/var/log/messages............'
de_56='/var/log/secure..............'
de_57='/var/log/maillog.............'
de_58='/var/log/cron................'
de_59='/var/log/spooler.............'
de_60='/var/log/boot.log............'
de_61='/etc/bashrc..................'
de_62='/etc/passwd..................'
de_112='SUID检查:/usr/bin/chage......'
de_113='SUID检查:/usr/bin/wall.......'
de_114='SUID检查:/usr/bin/chfn.......'
de_115='SUID检查:/usr/bin/chsh.......'
de_116='SUID检查:/usr/bin/newgrp.....'
de_117='SUID检查:/usr/bin/write......'
de_118='SUID检查:/bin/mount..........'
de_119='SUID检查:/bin/umount.........'
de_120='SUID检查:/bin/ping...........'
de_121='/etc/init.d/目录下脚本.......'
de_122='/etc/group...................'
de_123='/etc/shadow..................'
de_124='家目录下存在.netrc/.rhosts...'
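##检查重要文件权限
# Three-digit owner/group/other permission bits of a file (e.g. 644), or
# 000 when it cannot be stat'ed — the original's "cut -c 3-5" on stat's
# "(0644/-rw-r--r--)" field gave the same digits and an empty string on
# error.  Special bits (setuid etc.) are dropped.
perm_bits() {
  local mode
  mode=$(stat -c '%a' -- "$1" 2>/dev/null) || mode=''
  mode="000$mode"
  printf '%s\n' "${mode: -3}"
}
# grub's configuration lives in a version-specific place; an unknown
# release reports 000, as the original did.
case $systemnum in
  5|6) grub_cfg=/boot/grub/grub.conf ;;
  7) grub_cfg=/boot/grub2/grub.cfg ;;
  *) grub_cfg='' ;;
esac
GRUB_CONF=$(perm_bits "$grub_cfg")
if [ "$GRUB_CONF" = "600" ]; then green_e "$de_47:$GRUB_CONF"; else red_e "$de_47:$GRUB_CONF"; fi
# Remaining files as "<path> <expected mode> <label>", in the original
# report order.  (The /etc/shadow line previously printed the /etc/passwd
# mode in its green branch.)
while read -r f_path f_want f_label; do
  [ -n "$f_path" ] || continue
  f_mode=$(perm_bits "$f_path")
  if [ "$f_mode" = "$f_want" ]; then
    green_e "$f_label:$f_mode"
  else
    red_e "$f_label:$f_mode"
  fi
done <<EOF
/etc/crontab 400 $de_48
/etc/securetty 400 $de_49
/etc/hosts.deny 644 $de_51
/etc/hosts.allow 644 $de_50
/etc/inittab 600 $de_52
/etc/login.defs 644 $de_53
/etc/profile 644 $de_54
/var/log/messages 600 $de_55
/var/log/secure 600 $de_56
/var/log/maillog 600 $de_57
/var/log/cron 600 $de_58
/var/log/spooler 600 $de_59
/var/log/boot.log 600 $de_60
/etc/passwd 644 $de_62
/etc/group 644 $de_122
/etc/shadow 600 $de_123
/etc/bashrc 644 $de_61
/etc/init.d/ 700 $de_121
EOF
############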
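#######################################
# Report whether a file carries the setuid bit (despite the name this is a
# SUID check, not a sudo check).
# Globals:   FILE_SUID (written: 1 = setuid set, 0 = not set or file absent)
# Arguments: $1 - path to check
#            $2 - label for the report line
# Uses `test -u` instead of grepping an 's' out of `ls -l`, which also fired
# on a setgid bit and missed an uppercase 'S' (setuid without execute).
#######################################
sudo_check() {
  local c_name=$1
  local info_n=$2
  FILE_SUID=0
  if [ -f "$c_name" ] && [ -u "$c_name" ]; then
    FILE_SUID=1
  fi
  if [ "$FILE_SUID" -eq 0 ]; then
    green_e "$info_n:$FILE_SUID"
  else
    red_e "$info_n:$FILE_SUID"
  fi
}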
############
# Binaries that must not be setuid, one "<path> <label var>" pair per line;
# sudo_check reports each.  The label is looked up by name.
while read -r suid_path suid_label; do
  [ -n "$suid_path" ] || continue
  sudo_check "$suid_path" "${!suid_label}"
done <<'EOF'
/usr/bin/chage de_112
/usr/bin/wall de_113
/usr/bin/chfn de_114
/usr/bin/chsh de_115
/usr/bin/newgrp de_116
/usr/bin/write de_117
/bin/mount de_118
/bin/umount de_119
/bin/ping de_120
EOF
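#检查主目录下是否有以下文件.netrc和.rhosts
# The original find had no grouping, so "-type f" applied only to .netrc
# and a .rhosts of any type was counted; the parentheses fix the
# precedence.  Permission errors on odd home directories are silenced.
file_list=$(find /root/ /home/ -type f \( -name '.netrc' -o -name '.rhosts' \) 2>/dev/null)
DEL_HOME_FILE=0
if [ -n "$file_list" ]; then
  DEL_HOME_FILE=1
fi
if [ "$DEL_HOME_FILE" -eq 0 ]; then green_e "$de_124:$DEL_HOME_FILE"; else red_e "$de_124:$DEL_HOME_FILE"; fi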
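#ssh配置
echo
purple_e "--ssh文件配置--"
echo '--------------------'
de_63="ssh端口是否22................"
de_64="ssh协议是否2................."
de_65="记录信息级别................."
de_66="最大重试次数................."
de_67="允许密码验证................."
de_68="RhostsRSAAuthentication功能.."
de_69="是否允许设置空密码..........."
de_70="登陆前检查用户文件和目录属性."
de_71="指定密码类型................."
de_72="指定MAC算法用于数据完整性保护"
de_73="是否对远程主机名反向解析....."
# First value of an sshd_config keyword.  Anchored and case-insensitive like
# sshd itself: the original's unanchored "grep Port" also matched
# GatewayPorts, and so on.  Match blocks are not distinguished.
sshd_option() {
  grep -iE "^[[:space:]]*$1[[:space:]]+" /etc/ssh/sshd_config 2>/dev/null | head -n 1 | awk '{print $2}'
}
# The original assigned ssh_Port but tested ssh_port, so the default 22
# always won.
ssh_port=$(sshd_option Port)
ssh_Protocol=$(sshd_option Protocol)
ssh_loglevel=$(sshd_option LogLevel)
ssh_maxauthtries=$(sshd_option MaxAuthTries)
ssh_password=$(sshd_option PasswordAuthentication)
ssh_rss=$(sshd_option RhostsRSAAuthentication)
ssh_permitpwd=$(sshd_option PermitEmptyPasswords)
ssh_strictmodes=$(sshd_option StrictModes)
ssh_ciphers=$(sshd_option Ciphers)
ssh_macs=$(sshd_option MACs)
ssh_dns=$(sshd_option UseDNS)
: "${ssh_port:=22}"
: "${ssh_Protocol:=1}"
: "${ssh_loglevel:=INFO}"
: "${ssh_maxauthtries:=6}"
: "${ssh_password:=no}"
: "${ssh_rss:=no}"
: "${ssh_permitpwd:=no}"
: "${ssh_strictmodes:=yes}"
: "${ssh_ciphers:=any}"
: "${ssh_macs:=any}"
: "${ssh_dns:=yes}"
if [ "$ssh_port" -ne 22 ] 2>/dev/null; then green_e "$de_63:$ssh_port"; else yellow_e "$de_63:$ssh_port"; fi
if [ "$ssh_Protocol" -eq 2 ] 2>/dev/null; then green_e "$de_64:$ssh_Protocol"; else yellow_e "$de_64:$ssh_Protocol"; fi
if [ "$ssh_loglevel" = "INFO" ]; then green_e "$de_65:$ssh_loglevel"; else yellow_e "$de_65:$ssh_loglevel"; fi
if [ "$ssh_maxauthtries" -eq 3 ] 2>/dev/null; then green_e "$de_66:$ssh_maxauthtries"; else yellow_e "$de_66:$ssh_maxauthtries"; fi
if [ "$ssh_password" = "yes" ]; then green_e "$de_67:$ssh_password"; else yellow_e "$de_67:$ssh_password"; fi
if [ "$ssh_rss" = "no" ]; then green_e "$de_68:$ssh_rss"; else yellow_e "$de_68:$ssh_rss"; fi
if [ "$ssh_permitpwd" = "no" ]; then green_e "$de_69:$ssh_permitpwd"; else yellow_e "$de_69:$ssh_permitpwd"; fi
if [ "$ssh_strictmodes" = "yes" ]; then green_e "$de_70:$ssh_strictmodes"; else yellow_e "$de_70:$ssh_strictmodes"; fi
# NOTE(review): the expectations below (Ciphers exactly 3des-cbc, MACs
# including hmac-sha1 and hmac-md5) are legacy algorithms; they are kept
# as the author's baseline but should be reviewed against current guidance.
if [ "$ssh_ciphers" = "3des-cbc" ]; then green_e "$de_71:$ssh_ciphers"; else yellow_e "$de_71:$ssh_ciphers"; fi
if [ "$ssh_dns" = "no" ]; then green_e "$de_73:$ssh_dns"; else yellow_e "$de_73:$ssh_dns"; fi
if [[ $ssh_macs == *hmac-sha1* && $ssh_macs == *hmac-md5* ]]; then green_e "$de_72:$ssh_macs"; else yellow_e "$de_72:$ssh_macs"; fi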
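#内核参数配置
echo
purple_e "--核参数配置--"
echo '--------------------'
# de_74 was referenced but never defined in the original.
de_74="promote_secondaries是否开启.."
de_75="是否关闭路径MTU探测功能......"
de_76="是否接收重写过的数据包......."
de_77="默认是否接收重写过的数据包..."
de_78="允许发送重定向消息(router)."
de_79="只接受来自网关的重定向icmp包."
de_80="最大的syn包队列设置.........."
de_81="tcp.keepalive设置(时间:s)."
de_82="tcp.keepalive设置(次数)...."
de_83="tcp.keepalive设置(间隔:s)."
# One /proc/sys value; empty when the key does not exist on this kernel.
sysctl_value() {
  cat "/proc/sys/$1" 2>/dev/null
}
# $1 label, $2 observed value, $3 expected value.  A missing key is shown
# as "n/a" and counted as non-compliant instead of aborting the test.
kernel_check() {
  if [ -n "$2" ] && [ "$2" -eq "$3" ] 2>/dev/null; then
    green_e "$1:$2"
  else
    yellow_e "$1:${2:-n/a}"
  fi
}
promote_secondaries=$(sysctl_value net/ipv4/conf/all/promote_secondaries)
ip_no_pmtu_disc=$(sysctl_value net/ipv4/ip_no_pmtu_disc)
all_accept_redirects=$(sysctl_value net/ipv4/conf/all/accept_redirects)
default_accept_redirects=$(sysctl_value net/ipv4/conf/default/accept_redirects)
all_send_redirects=$(sysctl_value net/ipv4/conf/all/send_redirects)
all_secure_redirects=$(sysctl_value net/ipv4/conf/all/secure_redirects)
tcp_max_syn_backlog=$(sysctl_value net/ipv4/tcp_max_syn_backlog)
tcp_keepalive_time=$(sysctl_value net/ipv4/tcp_keepalive_time)
tcp_keepalive_probes=$(sysctl_value net/ipv4/tcp_keepalive_probes)
tcp_keepalive_intvl=$(sysctl_value net/ipv4/tcp_keepalive_intvl)
kernel_check "$de_74" "$promote_secondaries" 1
kernel_check "$de_75" "$ip_no_pmtu_disc" 1
kernel_check "$de_76" "$all_accept_redirects" 0
kernel_check "$de_77" "$default_accept_redirects" 0
kernel_check "$de_78" "$all_send_redirects" 0
kernel_check "$de_79" "$all_secure_redirects" 0
kernel_check "$de_80" "$tcp_max_syn_backlog" 4096
kernel_check "$de_81" "$tcp_keepalive_time" 150
kernel_check "$de_82" "$tcp_keepalive_probes" 5
kernel_check "$de_83" "$tcp_keepalive_intvl" 6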
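clear 2>/dev/null
sleep 1
echo | tee -a "$result_file"
echo '--------++--------安全基线-------++------------' | tee -a "$result_file"
echo | tee -a "$result_file"
# Integer percentage of passed checks, in shell arithmetic: the original
# needed awk and bc (not always installed) and divided by zero when no
# check had run.  Integer division truncates exactly like the original's
# ${health_base%.*}.
tag_total=$((tag_nice + tag_bad))
if [ "$tag_total" -gt 0 ]; then
  health_per=$((tag_nice * 100 / tag_total))
else
  health_per=0
fi
if [ "$health_per" -ge 80 ]; then
  purple_e "系统当前处于合格状态,健康度为: $health_per %."
elif [ "$health_per" -ge 50 ]; then
  purple_e "系统当前处于亚健康状态,健康度为: $health_per %,请注意关注."
else
  purple_e "系统当前处于危险状态,健康度低于: $health_per %,请抓紧优化."
fi
echo
purple_e "总检测指标数量为: $tag_total"
purple_e "达标的指标数量为: $tag_nice"
purple_e "详细的结果请查看: $result_file "
echo | tee -a "$result_file"
echo '--------++--------安全基线-------++------------' | tee -a "$result_file"
echo
unset tag_nice tag_bad
exit 0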