diff --git a/roles/security_check/files/rocky.sh b/roles/security_check/files/rocky.sh
index 05d80d3..9104b7b 100644
--- a/roles/security_check/files/rocky.sh
+++ b/roles/security_check/files/rocky.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
-resultfile="/tmp/$(hostname).txt"
+resultfile="Results_$(date '+%F_%H:%M:%S').txt"
 U_01() {
 echo "" >> $resultfile 2>&1
@@ -13,7 +13,7 @@ U_01() {
 telnet_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="telnet" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#telnet_port[@]}; i++))
 do
- netstat_telnet_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${telnet_port[$i]} " | wc -l`
+ netstat_telnet_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${telnet_port[$i]} " | wc -l`
 if [ $netstat_telnet_count -gt 0 ]; then
 if [ -f /etc/pam.d/login ]; then
 pam_securetty_so_count=`grep -vE '^#|^\s#' /etc/pam.d/login | grep -i 'pam_securetty.so' | wc -l`
@@ -86,7 +86,7 @@ U_01() {
 ssh_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="ssh" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#ssh_port[@]}; i++))
 do
- netstat_sshd_enable_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${ssh_port[$i]} " | wc -l`
+ netstat_sshd_enable_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${ssh_port[$i]} " | wc -l`
 if [ $netstat_sshd_enable_count -gt 0 ]; then
 if [ ${#sshd_config_file[@]} -eq 0 ]; then
 echo "※ U-01 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
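Review bot: The new `resultfile` in the `@@ -1,6` hunk is a relative path, so the report is written into whatever directory the script is started from, and it is created with the caller's default umask although it lists every failed hardening check on the host. Dropping `$(hostname)` from the name also means reports gathered from several hosts can no longer be told apart by file name, and the `:` characters in the timestamp are awkward for `host:path` style copy tools. Consider `umask 077` before the first write and an absolute, root-owned directory, for example `resultfile="${result_dir}/Results_$(hostname)_$(date '+%F_%H%M%S').txt"`, where `result_dir` is a placeholder for that directory.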
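Review bot: The state filter added on the `netstat_telnet_count` line (`@@ -13,7` hunk of U_01) still matches `:${telnet_port[$i]} ` against the whole netstat line, so the foreign-address column counts too; with `established` and `syn_sent` allowed, an outbound connection from this host to a remote telnet/ssh/smtp/ftp port is reported as the local service running. In the `@@ -2935,7` hunk of U_60 the count is tested with `-eq 0`, so there an outbound SSH session would hide a disabled sshd. Linux net-tools prints `SYN_RECV`, so the `syn_received` alternative looks like it never matches. Restricting the test to listening sockets and the local-address field states the intent directly, e.g. `netstat -lnt 2>/dev/null | awk -v p="${telnet_port[$i]}" '$4 ~ ":" p "$"' | wc -l`, and the same applies to every other netstat hunk in rocky.sh (U_01, U_19, U_30, U_31, U_32, U_60, U_61, U_64, U_68, U_70). U_01's body starts and ends outside the hunk.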
@@ -115,7 +115,7 @@ U_01() {
 ssh_port=(`grep -vE '^#|^\s#' ${sshd_config_file[$i]} | grep -i 'port' | awk '{print $2}'`)
 for ((j=0; j<${#ssh_port[@]}; j++))
 do
- netstat_sshd_enable_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${ssh_port[$j]} " | wc -l`
+ netstat_sshd_enable_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${ssh_port[$j]} " | wc -l`
 if [ $netstat_sshd_enable_count -gt 0 ]; then
 for ((k=0; k<${#sshd_config_file[@]}; k++))
 do
@@ -1179,7 +1179,7 @@ U_19() {
 finger_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="finger" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#finger_port[@]}; i++))
 do
- netstat_finger_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${finger_port[$i]} " | wc -l`
+ netstat_finger_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${finger_port[$i]} " | wc -l`
 if [ $netstat_finger_count -gt 0 ]; then
 echo "※ U-19 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
 echo " finger 서비스가 실행 중입니다." >> $resultfile 2>&1
@@ -1566,7 +1566,7 @@ U_30() {
 smtp_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="smtp" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#smtp_port[@]}; i++))
 do
- netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${smtp_port[$i]} " | wc -l`
+ netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${smtp_port[$i]} " | wc -l`
 if [ $netstat_smtp_count -gt 0 ]; then
 rpm_smtp_version=`rpm -qa 2>/dev/null | grep 'sendmail' | awk -F 'sendmail-' '{print $2}'`
 dnf_smtp_version=`dnf list installed sendmail 2>/dev/null | grep -v 'Installed Packages' | awk '{print $2}'`
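Review bot: In the `@@ -1179,7` hunk of U_19 the rewritten count still discards netstat's stderr, so on a host where net-tools is not installed (it is not part of a minimal Rocky install, as far as I know) the pipeline yields 0 and finger is treated as not running instead of the check failing. Every other netstat hunk in this commit behaves the same way, and in U_60's SSH test, which flags `-eq 0`, the result would instead flip to a false Vulnerable. A single guard near the top of the script, `command -v netstat >/dev/null 2>&1 || { echo "netstat not found" >&2; exit 1; }`, would turn a silent wrong verdict into a visible error. U_19's body starts and ends outside the hunk.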
@@ -1603,7 +1603,7 @@ U_31() {
 smtp_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="smtp" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#smtp_port[@]}; i++))
 do
- netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${smtp_port[$i]} " | wc -l`
+ netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${smtp_port[$i]} " | wc -l`
 if [ $netstat_smtp_count -gt 0 ]; then
 sendmailcf_exists_count=`find / -name 'sendmail.cf' -type f 2>/dev/null | wc -l`
 if [ $sendmailcf_exists_count -gt 0 ]; then
@@ -1656,7 +1656,7 @@ U_32() {
 smtp_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="smtp" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#smtp_port[@]}; i++))
 do
- netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${smtp_port[$i]} " | wc -l`
+ netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${smtp_port[$i]} " | wc -l`
 if [ $netstat_smtp_count -gt 0 ]; then
 sendmailcf_exists_count=`find / -name 'sendmail.cf' -type f 2>/dev/null | wc -l`
 if [ $sendmailcf_exists_count -gt 0 ]; then
@@ -2850,7 +2850,7 @@ U_60() {
 telent_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="telnet" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#telent_port[@]}; i++))
 do
- netstat_telnet_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${telent_port[$i]} " | wc -l`
+ netstat_telnet_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${telent_port[$i]} " | wc -l`
 if [ $netstat_telnet_count -gt 0 ]; then
 echo "※ U-60 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
 echo " Telnet 서비스가 실행 중입니다." >> $resultfile 2>&1
@@ -2863,7 +2863,7 @@ U_60() {
 ftp_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="ftp" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#ftp_port[@]}; i++))
 do
- netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${ftp_port[$i]} " | wc -l`
+ netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${ftp_port[$i]} " | wc -l`
 if [ $netstat_ftp_count -gt 0 ]; then
 echo "※ U-60 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
 echo " ftp 서비스가 실행 중입니다." >> $resultfile 2>&1
@@ -2883,7 +2883,7 @@ U_60() {
 telent_port=(`grep -vE '^#|^\s#' ${vsftpdconf_files[$i]} | grep 'listen_port' | awk -F = '{gsub(" ", "", $0); print $2}'`)
 for ((j=0; j<${#telent_port[@]}; j++))
 do
- if [ `netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${telent_port[$j]} " | wc -l` -gt 0 ]; then
+ if [ `netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${telent_port[$j]} " | wc -l` -gt 0 ]; then
 echo "※ U-60 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
 echo " ftp 서비스가 실행 중입니다." >> $resultfile 2>&1
 return 0
@@ -2903,7 +2903,7 @@ U_60() {
 telent_port=(`grep -vE '^#|^\s#' ${proftpdconf_files[$i]} | grep 'Port' | awk '{print $2}'`)
 for ((j=0; j<${#telent_port[@]}; j++))
 do
- if [ `netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${telent_port[$j]} " | wc -l` -gt 0 ]; then
+ if [ `netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${telent_port[$j]} " | wc -l` -gt 0 ]; then
 echo "※ U-60 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
 echo " ftp 서비스가 실행 중입니다." >> $resultfile 2>&1
 return 0
@@ -2935,7 +2935,7 @@ U_60() {
 ssh_port=(`grep -vE '^#|^\s#' ${sshdconfig_files[$i]} | grep -i 'Port' | awk '{print $2}'`)
 for ((j=0; j<${#ssh_port[@]}; j++))
 do
- netstat_ssh_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${ssh_port[$j]} " | wc -l`
+ netstat_ssh_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${ssh_port[$j]} " | wc -l`
 if [ $netstat_ssh_count -eq 0 ]; then
 echo "※ U-60 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
 echo " SSH 서비스가 비활성화 상태입니다." >> $resultfile 2>&1
@@ -2976,7 +2976,7 @@ U_61() {
 ftp_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="ftp" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#ftp_port[@]}; i++))
 do
- netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${ftp_port[$i]} " | wc -l`
+ netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${ftp_port[$i]} " | wc -l`
 if [ $netstat_ftp_count -gt 0 ]; then
 echo "※ U-61 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
 echo " ftp 서비스가 실행 중입니다." >> $resultfile 2>&1
@@ -2996,7 +2996,7 @@ U_61() {
 ftp_port=(`grep -vE '^#|^\s#' ${vsftpdconf_files[$i]} | grep 'listen_port' | awk -F = '{gsub(" ", "", $0); print $2}'`)
 for ((j=0; j<${#ftp_port[@]}; j++))
 do
- netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${ftp_port[$j]} " | wc -l`
+ netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${ftp_port[$j]} " | wc -l`
 if [ $netstat_ftp_count -gt 0 ]; then
 echo "※ U-61 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
 echo " ftp 서비스가 실행 중입니다." >> $resultfile 2>&1
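Review bot: In the `@@ -2935,7` hunk of U_60, `ssh_port` is filled by `grep -i 'Port' | awk '{print $2}'`, which also picks up directives such as `GatewayPorts no`, so a non-numeric value can reach the changed `grep ":${ssh_port[$j]} "` line, give a count of 0 and be written to the report as SSH disabled. Selecting on the directive name, e.g. `awk 'tolower($1)=="port" {print $2}'`, keeps only real port numbers. The `@@ -115,7` hunk in U_01 builds its list the same way, although there a spurious entry only produces a count that never exceeds 0. U_60's body continues outside the hunk.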
@@ -3018,7 +3018,7 @@ U_61() {
 ftp_port=(`grep -vE '^#|^\s#' ${proftpdconf_files[$i]} | grep 'Port' | awk '{print $2}'`)
 for ((j=0; j<${#ftp_port[@]}; j++))
 do
- netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${ftp_port[$j]} " | wc -l`
+ netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${ftp_port[$j]} " | wc -l`
 if [ $netstat_ftp_count -gt 0 ]; then
 echo "※ U-61 결과 : 취약(Vulnerable)" >> $resultfile 2>&1
 echo " ftp 서비스가 실행 중입니다." >> $resultfile 2>&1
@@ -3123,7 +3123,7 @@ U_64() {
 ftp_port=(`grep -vE '^#|^\s#' /etc/services | awk -F " " 'tolower($1)=="ftp" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#ftp_port[@]}; i++))
 do
- netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${ftp_port[$i]} " | wc -l`
+ netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${ftp_port[$i]} " | wc -l`
 if [ $netstat_ftp_count -gt 0 ]; then
 ((ftp_running_count++))
 for ((j=0; j<${#ftpusers_files[@]}; j++))
@@ -3351,7 +3351,7 @@ U_68() {
 telnet_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="telnet" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#telnet_port[@]}; i++))
 do
- netstat_telnet_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${telnet_port[$i]} " | wc -l`
+ netstat_telnet_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${telnet_port[$i]} " | wc -l`
 if [ $netstat_telnet_count -gt 0 ]; then
 if [ -f /etc/issue.net ]; then
 if [ `grep -vE '^ *#|^$' /etc/issue.net | wc -l` -eq 0 ]; then
@@ -3388,7 +3388,7 @@ U_68() {
 ftp_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="ftp" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#ftp_port[@]}; i++))
 do
- netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${ftp_port[$i]} " | wc -l`
+ netstat_ftp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${ftp_port[$i]} " | wc -l`
 if [ $netstat_ftp_count -gt 0 ]; then
 ftpdconf_file_exists_count=0
 if [ -f /etc/vsftpd.conf ]; then
@@ -3470,7 +3470,7 @@ U_68() {
 smtp_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="smtp" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#smtp_port[@]}; i++))
 do
- netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${smtp_port[$i]} " | wc -l`
+ netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${smtp_port[$i]} " | wc -l`
 if [ $netstat_smtp_count -gt 0 ]; then
 find_sendmailcf_count=`find / -name 'sendmail.cf' -type f 2>/dev/null | wc -l`
 if [ $find_sendmailcf_count -gt 0 ]; then
@@ -3576,7 +3576,7 @@ U_70() {
 smtp_port=(`grep -vE '^#|^\s#' /etc/services | awk 'tolower($1)=="smtp" {print $2}' | awk -F / 'tolower($2)=="tcp" {print $1}'`)
 for ((i=0; i<${#smtp_port[@]}; i++))
 do
- netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep ":${smtp_port[$i]} " | wc -l`
+ netstat_smtp_count=`netstat -nat 2>/dev/null | grep -w 'tcp' | grep -Ei 'listen|established|syn_sent|syn_received' | grep ":${smtp_port[$i]} " | wc -l`
 if [ $netstat_smtp_count -gt 0 ]; then
 find_sendmailcf_count=`find / -name 'sendmail.cf' -type f 2>/dev/null | wc -l`
 if [ $find_sendmailcf_count -gt 0 ]; then
@@ -3678,7 +3678,7 @@ echo "" > $resultfile 2>&1
 echo " 점검일 : `date +'%F %H:%M:%S'`" >> $resultfile 2>&1
 echo "##############################################################################" >> $resultfile 2>&1
 echo "# #" >> $resultfile 2>&1
-echo "# Rocky vulnerability assessment results Version 1.1.1 #" >> $resultfile 2>&1
+echo "# Rocky vulnerability assessment results Version 1.1.3 #" >> $resultfile 2>&1
 echo "# Copyright (c) 2023 Kim Jei #" >> $resultfile 2>&1
 echo "# #" >> $resultfile 2>&1
 echo "##############################################################################" >> $resultfile 2>&1
diff --git a/roles/security_check/files/ubuntu.sh b/roles/security_check/files/ubuntu.sh
index 41530f1..2b538f4 100644
--- a/roles/security_check/files/ubuntu.sh
+++ b/roles/security_check/files/ubuntu.sh
@@ -3616,78 +3616,78 @@ echo "# Copyright (c) 2023 Kim Jei
 echo "# #" >> $resultfile 2>&1
 echo "##############################################################################" >> $resultfile 2>&1
-#U_01
-#U_02
-#U_03
+U_01
+U_02
+U_03
 U_04
 U_05
-#U_06
-#U_07
-#U_08
-#U_09
-#U_10
-#U_11
-#U_12
-#U_13
-#U_14
-#U_15
-#U_16
-#U_17
-#U_18
-#U_19
-#U_20
-#U_21
-#U_22
-#U_23
-#U_24
-#U_25
-#U_26
-#U_27
-#U_28
-#U_29
-#U_30
-#U_31
-#U_32
-#U_33
-#U_34
-#U_35
-#U_36
-#U_37
-#U_38
-#U_39
-#U_40
-#U_41
-#U_42
-#U_43
-#U_44
-#U_45
-#U_46
-#U_47
-#U_48
-#U_49
-#U_50
-#U_51
-#U_52
-#U_53
-#U_54
-#U_55
-#U_56
-#U_57
-#U_58
-#U_59
-#U_60
-#U_61
-#U_62
-#U_63
-#U_64
-#U_65
-#U_66
-#U_67
-#U_68
-#U_69
-#U_70
-#U_71
-#U_72
+U_06
+U_07
+U_08
+U_09
+U_10
+U_11
+U_12
+U_13
+U_14
+U_15
+U_16
+U_17
+U_18
+U_19
+U_20
+U_21
+U_22
+U_23
+U_24
+U_25
+U_26
+U_27
+U_28
+U_29
+U_30
+U_31
+U_32
+U_33
+U_34
+U_35
+U_36
+U_37
+U_38
+U_39
+U_40
+U_41
+U_42
+U_43
+U_44
+U_45
+U_46
+U_47
+U_48
+U_49
+U_50
+U_51
+U_52
+U_53
+U_54
+U_55
+U_56
+U_57
+U_58
+U_59
+U_60
+U_61
+U_62
+U_63
+U_64
+U_65
+U_66
+U_67
+U_68
+U_69
+U_70
+U_71
+U_72
 echo "" >> $resultfile 2>&1
 echo "================================ 진단 결과 요약 ================================" >> $resultfile 2>&1
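Review bot: The U_01 to U_72 call list in ubuntu.sh is maintained by hand, and the removed lines show that only U_04 and U_05 were being run while the report header and the summary section were still written, so a reader of the report had no sign that 70 checks were skipped. Driving the calls from a loop, `for n in $(seq -w 1 72); do "U_${n}"; done`, removes the per-line toggles that made that state possible. It would also help to compare the number of recorded `결과` lines with the expected count before the summary is printed, so a partial run is visible in the output.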