核查与访谈(yum)
部分内容如日志备份情况(包括其上运行的中间件如 nginx 等)须手动确认,防病毒软件版本号和特征库信息也需要手动确认,其他可执行以下脚本采集:
curl -fsSL https://www.nat.ac.cn/shell/collect_system_info.collect_system_centos.sh | sudo env INSTALL_DEPS=0 INSTALL_AIDE=0 bash -s
注意:上面的写法把远程脚本直接交给 `sudo bash` 执行,是典型的 "curl | sudo bash" 风险模式(传输或服务端被篡改时会以 root 执行任意内容)。建议改为两步:先 `curl -fsSLo collect_system_centos.sh <URL>` 下载,人工审阅(或与发布方提供的哈希核对)后再 `sudo env INSTALL_DEPS=0 INSTALL_SELINUX=0 bash collect_system_centos.sh` 运行。脚本生成的报告会包含 /etc/shadow 口令哈希、sudoers、authorized_keys、审计规则等敏感信息,采集完毕请妥善保管并及时删除。另外,命令里传入的 INSTALL_AIDE 在下文所列脚本中并未被读取(该脚本只识别 INSTALL_DEPS 与 INSTALL_SELINUX,两者默认均为 0,即不安装任何软件包);若线上脚本版本不同,请以实际脚本为准。
以下为脚本完整内容:
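#!/bin/bash
# CentOS host inspection collector: runs a fixed list of read-only checks
# and appends their output to a single report file under $HOME.
# Strict mode is deliberately left off: run_command tolerates missing tools
# and failing commands on purpose, and `set -e` would abort the whole sweep
# at the first absent command.
#set -euo pipefail
if [[ "$(uname)" != "Linux" ]]; then
  echo "仅支持在 Linux 上运行"; exit 1
fi
# Progress heartbeat on stdout so a long sweep does not look hung; the EXIT
# trap reaps it on every exit path.
heartbeat() { while true; do echo "[heartbeat] $(date '+%F %T') 正在巡检..."; sleep 5; done; }
heartbeat & HEARTBEAT_PID=$!
cleanup() { kill "$HEARTBEAT_PID" 2>/dev/null || true; }
trap cleanup EXIT
# First non-loopback IPv4 address; used only to name the report file.
SYSTEM_IP=$(ip addr show | grep -w inet | grep -v 127.0.0.1 | awk '{print $2}' | cut -d/ -f1 | head -n1)
[[ -z "$SYSTEM_IP" ]] && SYSTEM_IP="unknown"
# Report path: <ip>_<timestamp>.txt in $HOME.
# NOTE(review): when invoked as `sudo ... bash -s`, $HOME is usually root's
# home directory — confirm where the report lands before collecting it.
TIMESTAMP=$(date +%Y%m%d%H%M%S)
OUTPUT_FILE="$HOME/${SYSTEM_IP}_${TIMESTAMP}.txt"
# The report will hold /etc/shadow hashes, sudoers, authorized_keys and audit
# rules. Create it owner-only (0600) instead of inheriting the caller's umask:
# a plain `touch` under the default 022 umask would leave it world-readable.
# Failing to create the report makes the rest of the sweep pointless, so stop.
( umask 077 && : > "$OUTPUT_FILE" ) || { echo "无法创建输出文件: $OUTPUT_FILE" >&2; exit 1; }
chmod 600 "$OUTPUT_FILE" 2>/dev/null || true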
# run_command CMD DESC
#   Prints DESC to the terminal, then appends to $OUTPUT_FILE: a blank line,
#   an `echo "DESC"` line, an `echo "Running: CMD"` line, the literal CMD,
#   CMD's combined stdout/stderr, and a dashed separator. A non-zero exit
#   (including "command not found") appends a fixed failure marker instead
#   of aborting, so one missing tool never stops the sweep.
#   Reads $OUTPUT_FILE from the enclosing script.
#   SECURITY: CMD is handed to eval. It must only ever be a string literal
#   written in this script — never anything derived from user or host input.
run_command() {
  local cmd="$1"
  local desc="$2"
  echo "$desc"
  {
    printf '\n'
    printf 'echo "%s"\n' "$desc"
    printf 'echo "Running: %s"\n' "$cmd"
    printf '%s\n' "$cmd"
    if ! eval "$cmd" 2>&1; then
      echo "命令缺失或执行失败"
    fi
    printf -- '----------------------------------------\n\n'
  } >> "$OUTPUT_FILE"
}
# Report header. This truncates the file created earlier.
{
  echo "开始采集..."
  echo "输出文件: $OUTPUT_FILE"
  echo "采集时间: $(date)"
  printf -- '----------------------------------------\n\n'
} > "$OUTPUT_FILE"
# Optional package installs, both OFF by default. Installing packages changes
# the very host being inspected, so only enable these knowingly.
INSTALL_DEPS="${INSTALL_DEPS:-0}"       # sudo/util-linux/audit/libpwquality/google-authenticator
INSTALL_SELINUX="${INSTALL_SELINUX:-0}" # SELinux userland tools only
# Package manager: dnf (CentOS 8+) when present, otherwise yum. yum is also
# the fallback when neither exists, so an install attempt fails visibly.
PKG_MGR="yum"
command -v dnf >/dev/null 2>&1 && PKG_MGR="dnf"
if [[ "$INSTALL_DEPS" == "1" || "$INSTALL_SELINUX" == "1" ]]; then
  run_command "$PKG_MGR makecache || true" "更新软件源缓存(失败忽略)"
fi
if [[ "$INSTALL_DEPS" == "1" ]]; then
  run_command "$PKG_MGR install -y sudo util-linux audit libpwquality google-authenticator || true" "可选安装巡检相关包(失败忽略)"
fi
if [[ "$INSTALL_SELINUX" == "1" ]]; then
  run_command "$PKG_MGR install -y policycoreutils policycoreutils-python-utils selinux-policy selinux-policy-targeted || true" "可选安装 SELinux 工具(失败忽略)"
fi
# Prefix for privileged reads; empty when sudo is absent, in which case the
# script itself must run as root to read shadow/sudoers/audit configuration.
SUDO=""
command -v sudo >/dev/null 2>&1 && SUDO="sudo"
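############ 基础信息 ############
# Host identity and platform facts that frame the rest of the report.
run_command "hostnamectl" "主机名与操作系统信息"
run_command "timedatectl" "时间/时区同步状态"
run_command "ip addr show" "IP 配置"
run_command "uname -a" "内核与架构"
run_command "cat /etc/redhat-release 2>/dev/null || cat /etc/os-release" "发行版信息"
############ 账号与鉴别 ############
# Account inventory. /etc/shadow needs root (via $SUDO); its hashes end up in
# the report, which is why the report file must stay owner-only.
run_command "cat /etc/passwd" "本地账户"
run_command "cat /etc/group" "本地用户组"
run_command "${SUDO} cat /etc/shadow" "口令哈希(需 root)"
# A second UID-0 account or an empty password field is a finding on its own;
# list them explicitly instead of leaving the reader to scan the raw files.
run_command "awk -F: '\$3 == 0 {print \$1}' /etc/passwd" "UID 为 0 的账户(应仅有 root)"
run_command "${SUDO} awk -F: '\$2 == \"\" {print \$1}' /etc/shadow" "口令字段为空的账户(应为空)"
# `grep -v ^#` would also hide the `#include` / `#includedir` directives, which
# are real sudoers syntax; drop only plain comments and blank lines.
run_command "${SUDO} grep -vE '^(#([^i]|\$)|\$)' /etc/sudoers && ${SUDO} ls -l /etc/sudoers.d" "sudo 配置"
run_command "w" "当前登录会话"
run_command "who" "在线用户"
run_command "last | head" "近期登录记录(缺命令请安装 util-linux 或补 /var/log/wtmp)"
run_command "lastlog | head" "账户最近登录"
run_command "${SUDO} grep -v ^# /etc/login.defs" "登录/口令周期策略"
# NOTE(review): under `sudo ... bash -s` whoami is root, so this reports root's
# password ageing rather than the invoking user's.
run_command "chage -l \$(whoami)" "当前用户口令有效期"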
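############ 口令复杂度/PAM ############
# PAM stacks that gate local logins and password changes. pwquality only
# takes effect if it is both installed and referenced by these stacks.
run_command "${SUDO} grep -v ^# /etc/pam.d/system-auth" "PAM 系统认证策略"
run_command "${SUDO} grep -v ^# /etc/pam.d/password-auth" "PAM 口令认证策略"
run_command "${SUDO} grep pam_pwquality /etc/pam.d/system-auth /etc/pam.d/password-auth" "是否启用 pwquality"
run_command "${SUDO} grep -v '^#' /etc/security/pwquality.conf" "pwquality 主配置"
run_command "${SUDO} grep -v '^#' /etc/security/pwquality.conf.d/*.conf 2>/dev/null" "pwquality 追加配置"
# Use the detected package manager rather than a hard-coded yum so the
# fallback query also works on dnf-only hosts.
run_command "rpm -qa | grep libpwquality || $PKG_MGR list installed 2>/dev/null | grep libpwquality" "pwquality 模块是否安装"
# Lockout after repeated failures belongs to the same control family; report
# whichever module (faillock on newer releases, tally2 on older) is wired in.
run_command "${SUDO} grep -E 'pam_(faillock|tally2)' /etc/pam.d/system-auth /etc/pam.d/password-auth" "登录失败锁定(faillock/tally2)"
run_command "${SUDO} grep -H 'pam_google_authenticator.so' /etc/pam.d/sshd /etc/pam.d/system-auth /etc/pam.d/password-auth 2>/dev/null" "PAM 是否启用 Google Authenticator(二次认证)"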
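############ SSH 访问控制 ############
# Literal sshd_config lines for the settings that matter most.
run_command "${SUDO} grep -E '^(Protocol|PermitRootLogin|PasswordAuthentication|PermitEmptyPasswords|ChallengeResponseAuthentication|AuthenticationMethods|ClientAliveInterval|ClientAliveCountMax)' /etc/ssh/sshd_config" "SSH 核心配置"
# The grep above cannot see values set inside Match blocks, in Include'd files
# (sshd_config.d on newer releases) or compiled-in defaults when a line is
# simply absent. `sshd -T` prints the effective configuration (needs root).
run_command "${SUDO} sshd -T 2>/dev/null | grep -iE '^(permitrootlogin|passwordauthentication|permitemptypasswords|challengeresponseauthentication|kbdinteractiveauthentication|authenticationmethods|clientaliveinterval|clientalivecountmax) '" "SSH 生效配置(sshd -T)"
run_command "cat \$HOME/.ssh/authorized_keys" "当前用户公钥授权"
############ 会话与最小权限 ############
run_command "${SUDO} grep -v ^# /etc/pam.d/su" "su 限制"
run_command "${SUDO} grep -v ^# /etc/pam.d/sudo" "sudo PAM 限制"
# Idle timeout: the current shell's TMOUT plus the system-wide files where it
# is normally set; /etc/profile.d/*.sh is the usual location on CentOS.
run_command "echo \${TMOUT:-unset}; ${SUDO} grep TMOUT /etc/profile /etc/bashrc /etc/profile.d/*.sh 2>/dev/null" "会话超时(bash)"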
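############ 审计与日志 ############
# '[a]uditd' stops the grep from matching its own command line, which would
# otherwise make a stopped auditd look present in the report.
run_command "ps -eo user,pid,cmd | grep '[a]uditd'" "审计进程"
run_command "${SUDO} systemctl status auditd" "审计服务状态"
run_command "${SUDO} auditctl -l" "审计规则加载情况"
run_command "${SUDO} cat /etc/audit/audit.rules 2>/dev/null" "审计规则文件"
run_command "${SUDO} grep -v ^# /etc/audit/rules.d/*.rules 2>/dev/null" "审计规则片段"
# Syslog daemon state belongs with the log evidence, next to auditd.
run_command "${SUDO} systemctl status rsyslog" "rsyslog 服务状态"
run_command "ls -ltr /var/log | tail" "日志目录概览"
# File modes matter as much as content: auth and audit logs should not be
# readable by unprivileged users.
run_command "${SUDO} ls -l /var/log/messages /var/log/secure /var/log/audit/audit.log 2>/dev/null" "关键日志文件权限"
run_command "${SUDO} head -n 20 /var/log/messages" "系统日志片段"
run_command "${SUDO} head -n 20 /var/log/secure" "认证日志片段"
run_command "${SUDO} grep -v ^# /etc/logrotate.conf" "日志轮转主配置"
run_command "ls -l /etc/logrotate.d" "日志轮转子配置"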
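############ 网络与边界 ############
run_command "ss -lntp" "监听 TCP 端口及进程"
# UDP listeners (DNS, SNMP, NTP, ...) are exposure too and are not covered by -t.
run_command "ss -lnup" "监听 UDP 端口及进程"
run_command "ip route" "路由表"
run_command "ip neigh" "ARP 表"
run_command "${SUDO} firewall-cmd --list-all 2>/dev/null || echo 'firewalld 未安装或未启用'" "firewalld 防火墙配置"
run_command "${SUDO} systemctl status firewalld" "firewalld 服务状态"
run_command "${SUDO} iptables -L -n -v" "iptables 规则列表"
# On CentOS 8+ firewalld/iptables sit on nftables, so the nft ruleset is the
# authoritative view there; the fallback keeps the report readable on CentOS 7.
run_command "${SUDO} nft list ruleset 2>/dev/null || echo 'nft 未安装'" "nftables 规则集"
############ 服务与自启 ############
run_command "systemctl list-unit-files --type=service --state=enabled" "开机自启服务"
# Identity the log and audit daemons run as.
run_command "systemctl show rsyslog.service -p User,Group,UID,GID" "rsyslog 运行身份"
run_command "systemctl show auditd.service -p User,Group,UID,GID" "auditd 运行身份"
run_command "ps -eo user,pid,cmd --sort=pid | head -n 30" "进程基线前 30 条"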
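############ SELinux 安全增强(可选) ############
# Only meaningful when the SELinux userland is present and the policy is not
# disabled; otherwise record that in the report and move on.
if command -v getenforce >/dev/null 2>&1 && [[ "$(getenforce 2>/dev/null)" != "Disabled" ]]; then
  run_command "getenforce" "SELinux 当前状态"
  run_command "${SUDO} sestatus" "SELinux 详细状态"
  run_command "${SUDO} cat /etc/selinux/config" "SELinux 配置文件"
  run_command "${SUDO} semodule -l | head -n 20" "SELinux 已加载模块(前20)"
  run_command "${SUDO} getsebool -a | head -n 30" "SELinux 布尔值配置(前30)"
  run_command "${SUDO} ls -Z /etc/passwd /etc/shadow /etc/group 2>/dev/null" "关键文件 SELinux 上下文"
  run_command "${SUDO} ps -eZ | head -n 20" "进程 SELinux 上下文(前20)"
  # The fallback has to be attached to ausearch itself, not to `head`: in a
  # plain `ausearch | head || echo` the `||` only sees head's (always zero)
  # status, so the "no records / not installed" message could never appear.
  run_command "{ ${SUDO} ausearch -m avc -ts recent 2>/dev/null || echo 'audit 日志无 AVC 拒绝记录或 ausearch 未安装'; } | head -n 20" "SELinux 最近拒绝记录"
else
  echo "SELinux 未安装或已禁用,跳过 SELinux 检查" | tee -a "$OUTPUT_FILE"
fi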
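############ 加固与内核参数(选查) ############
# `sysctl -a` emits permission errors for some keys; silence those, and also
# report the `default` interface settings that new interfaces inherit, plus
# ip_forward, alongside the per-interface `all` values.
run_command "${SUDO} sysctl -a 2>/dev/null | grep -E 'net.ipv4.(ip_forward|conf.(all|default).(accept_source_route|accept_redirects|send_redirects|rp_filter|log_martians|forwarding))'" "关键内核网络安全参数"
run_command "sysctl kernel.randomize_va_space" "ASLR(kernel.randomize_va_space)"
run_command "mount | grep -E 'noexec|nodev|nosuid'" "挂载安全选项"
# The report holds password hashes and access-control data; it was created
# 0600 above — keep it that way when copying it off the host.
echo "采集完成,结果已保存到 $OUTPUT_FILE"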