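#!/bin/bash
# Saikyo OS Server Security Audit Tool
# Copyright (c) 2025-2026 OOO "SAIKO"
# License: GPL-3.0
#
# Runs a set of read-only checks (SSH hardening, firewall, AppArmor,
# Fail2ban, auditd, unattended upgrades, password policy, integrity
# tooling), prints PASS/FAIL/WARN lines and writes a short report.
# Most checks read privileged state (sshd -T, auditctl, fail2ban-client);
# run as root for accurate results.
#
# Usage: saikyo-security-audit.sh [-h|--help] [-v|--version]

set -e

VERSION="1.0.0"
SCRIPT_NAME=$(basename "$0")

# Colors
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'

# Result counters, maintained by check_passed/check_failed/check_warning
# and written to the report summary.  Incremented with $(( )) rather
# than (( x++ )) because the latter returns 1 when x was 0 and trips set -e.
PASS_COUNT=0
FAIL_COUNT=0
WARN_COUNT=0

print_header() {
  echo -e "${BLUE}================================================${NC}"
  echo -e "${BLUE} Saikyo OS Server - Security Audit Tool v${VERSION}${NC}"
  echo -e "${BLUE} Разработка: ООО «САЙКО»${NC}"
  echo -e "${BLUE} https://saikyo-server.ru${NC}"
  echo -e "${BLUE}================================================${NC}"
  echo ""
}

# Print a PASS line for "$1" and count it.
check_passed() {
  PASS_COUNT=$((PASS_COUNT + 1))
  echo -e "[${GREEN}PASS${NC}] $1"
}

# Print a FAIL line for "$1" and count it.
check_failed() {
  FAIL_COUNT=$((FAIL_COUNT + 1))
  echo -e "[${RED}FAIL${NC}] $1"
}

# Print a WARN line for "$1" and count it.
check_warning() {
  WARN_COUNT=$((WARN_COUNT + 1))
  echo -e "[${YELLOW}WARN${NC}] $1"
}

# Print an informational line for "$1"; not counted.
check_info() {
  echo -e "[${BLUE}INFO${NC}] $1"
}

# Returns 0 if systemd reports the unit "$1" as active; non-zero when
# the unit is inactive/missing or systemctl itself is unavailable.
service_active() {
  command -v systemctl &>/dev/null && systemctl is-active --quiet "$1"
}

#######################################
# Print the first value for an sshd_config keyword found in the given
# files (keyword match is case-insensitive, commented lines are skipped).
# sshd honours the first occurrence of a keyword, so scanning stops at
# the first match.  Prints nothing if the keyword is not set.
# Arguments: $1 - keyword (e.g. PermitRootLogin); $2.. - config files
# Outputs:   the value on stdout
#######################################
sshd_config_value() {
  local key=$1
  shift
  # NOTE: the "Key=Value" spelling sshd also accepts is not recognised here.
  cat -- "$@" 2>/dev/null \
    | awk -v k="${key,,}" '$1 !~ /^#/ && tolower($1) == k { print $2; exit }'
}

#######################################
# Print the effective value of an sshd option, lower-cased.
# Prefers `sshd -T` (the effective configuration, which honours Include
# and built-in defaults); that needs root, so when it yields nothing the
# config files are scanned directly.  Prints nothing if undeterminable.
# Arguments: $1 - keyword (e.g. PermitRootLogin)
# Outputs:   the value on stdout
#######################################
sshd_option() {
  local key=$1 value="" files
  if command -v sshd &>/dev/null; then
    value=$(sshd -T 2>/dev/null | awk -v k="${key,,}" 'tolower($1) == k { print $2; exit }')
  fi
  if [ -z "$value" ]; then
    files=(/etc/ssh/sshd_config)
    # Debian-style configs Include sshd_config.d/*.conf before their own
    # directives, so those files take precedence when an Include is present.
    if grep -qi '^[[:space:]]*Include[[:space:]]' /etc/ssh/sshd_config 2>/dev/null; then
      files=(/etc/ssh/sshd_config.d/*.conf "${files[@]}")
    fi
    value=$(sshd_config_value "$key" "${files[@]}")
  fi
  printf '%s\n' "${value,,}"
}

audit_ssh() {
  echo -e "\n${BLUE}=== Проверка SSH ===${NC}"
  local root_login pass_auth pubkey_auth
  root_login=$(sshd_option PermitRootLogin)
  pass_auth=$(sshd_option PasswordAuthentication)
  pubkey_auth=$(sshd_option PubkeyAuthentication)

  case "$root_login" in
    no)
      check_passed "Root-логин через SSH отключён" ;;
    prohibit-password|without-password)
      # Root can still log in with a key; weaker than "no" but not open.
      check_warning "Root-логин через SSH разрешён только по ключу (${root_login})" ;;
    *)
      check_failed "Root-логин через SSH разрешён" ;;
  esac

  # sshd's built-in default is "yes", so anything but an explicit "no" warns.
  if [ "$pass_auth" = "no" ]; then
    check_passed "Аутентификация по паролю отключена"
  else
    check_warning "Аутентификация по паролю включена"
  fi

  # sshd's built-in default is "yes": an unset keyword means enabled.
  if [ "$pubkey_auth" != "no" ]; then
    check_passed "Аутентификация по ключам включена"
  else
    check_failed "Аутентификация по ключам отключена"
  fi
}

audit_firewall() {
  echo -e "\n${BLUE}=== Проверка Firewall ===${NC}"
  if service_active firewalld; then
    check_passed "Firewalld активен"
  elif service_active ufw; then
    check_passed "UFW активен"
  elif service_active nftables; then
    check_passed "nftables активен"
  else
    check_failed "Firewall не активен"
  fi
}

audit_apparmor() {
  echo -e "\n${BLUE}=== Проверка AppArmor ===${NC}"
  local profiles
  if service_active apparmor; then
    check_passed "AppArmor активен"
    if command -v aa-status &>/dev/null; then
      profiles=$(aa-status --profiled 2>/dev/null || echo "0")
      check_info "Загружено профилей: ${profiles}"
    fi
  else
    check_failed "AppArmor не активен"
  fi
}

audit_fail2ban() {
  echo -e "\n${BLUE}=== Проверка Fail2ban ===${NC}"
  local jails
  if service_active fail2ban; then
    check_passed "Fail2ban активен"
    if command -v fail2ban-client &>/dev/null; then
      # "Jail list:" is followed by a tab, so strip all whitespace, not just spaces.
      jails=$(fail2ban-client status 2>/dev/null | grep "Jail list" | cut -d: -f2 | tr -d '[:space:]')
      check_info "Активные jail: ${jails:-нет}"
    fi
  else
    check_warning "Fail2ban не активен"
  fi
}

audit_auditd() {
  echo -e "\n${BLUE}=== Проверка Auditd ===${NC}"
  local rules
  if service_active auditd; then
    check_passed "Auditd активен"
    # `auditctl -l` prints "No rules" when the rule set is empty; do not
    # count that line.  grep -c exits 1 on a zero count, hence "|| true".
    rules=$(auditctl -l 2>/dev/null | grep -vc '^No rules' || true)
    check_info "Загружено правил аудита: ${rules}"
  else
    check_warning "Auditd не активен"
  fi
}

audit_updates() {
  echo -e "\n${BLUE}=== Проверка обновлений ===${NC}"
  # Query the package state directly: `dpkg -l | grep` also matches
  # removed-but-not-purged packages and any name containing the substring.
  if dpkg-query -W -f='${Status}' unattended-upgrades 2>/dev/null | grep -q 'install ok installed'; then
    check_passed "unattended-upgrades установлен"
  else
    check_warning "unattended-upgrades не установлен"
  fi
  if service_active unattended-upgrades; then
    check_passed "Автообновления активны"
  else
    check_warning "Автообновления не активны"
  fi
}

audit_passwords() {
  echo -e "\n${BLUE}=== Проверка политики паролей ===${NC}"
  local minlen
  if [ -f /etc/security/pwquality.conf ]; then
    check_passed "pwquality.conf настроен"
    # Only uncommented "minlen = N" lines count; the shipped file carries
    # a commented example that must not be reported as the setting.
    # Later lines override earlier ones here (assumed to match pwquality; verify).
    minlen=$(awk -F= '/^[[:space:]]*minlen[[:space:]]*=/ { gsub(/[[:space:]]/, "", $2); v = $2 } END { print v }' \
      /etc/security/pwquality.conf)
    check_info "Минимальная длина пароля: ${minlen:-не задана}"
  else
    check_warning "pwquality.conf не найден"
  fi
}

audit_integrity() {
  echo -e "\n${BLUE}=== Проверка контроля целостности ===${NC}"
  if command -v aide &>/dev/null; then
    check_passed "AIDE установлен"
  else
    check_warning "AIDE не установлен"
  fi
  if command -v rkhunter &>/dev/null; then
    check_passed "rkhunter установлен"
  else
    check_warning "rkhunter не установлен"
  fi
}

#######################################
# Write the report to /var/log, falling back to a mktemp-created file
# when /var/log is not writable.  Sets the global REPORT_FILE.
# Globals:   REPORT_FILE (written), PASS_COUNT/FAIL_COUNT/WARN_COUNT (read)
#######################################
generate_report() {
  echo -e "\n${BLUE}=== Генерация отчёта ===${NC}"
  local stamp os_name
  stamp=$(date +%Y%m%d-%H%M%S)
  os_name=$(grep '^PRETTY_NAME=' /etc/os-release 2>/dev/null | cut -d= -f2- | tr -d '"')

  REPORT_FILE="/var/log/saikyo-security-audit-${stamp}.log"
  if ! { : > "$REPORT_FILE"; } 2>/dev/null; then
    # Not root (or /var/log read-only): a fixed, guessable name under /tmp
    # could be pre-created by another user, so let mktemp pick a fresh one.
    REPORT_FILE=$(mktemp "/tmp/saikyo-security-audit-${stamp}-XXXXXX") || {
      check_failed "Не удалось создать файл отчёта"
      return 0
    }
  fi

  {
    echo "Saikyo OS Server Security Audit Report"
    echo "Date: $(date)"
    echo "Hostname: $(hostname 2>/dev/null || echo unknown)"
    echo "OS: ${os_name:-unknown}"
    echo ""
    echo "=== Summary ==="
    echo "PASS: ${PASS_COUNT}"
    echo "FAIL: ${FAIL_COUNT}"
    echo "WARN: ${WARN_COUNT}"
  } > "$REPORT_FILE"
  check_info "Отчёт сохранён: ${REPORT_FILE}"
}

main() {
  print_header
  check_info "Начало аудита безопасности..."
  check_info "Хост: $(hostname 2>/dev/null || echo unknown)"
  check_info "Дата: $(date)"
  if [ "$(id -u)" -ne 0 ]; then
    check_warning "Запущено без прав root: часть проверок может быть неточной"
  fi

  audit_ssh
  audit_firewall
  audit_apparmor
  audit_fail2ban
  audit_auditd
  audit_updates
  audit_passwords
  audit_integrity
  generate_report

  echo -e "\n${GREEN}Аудит завершён.${NC}"
  check_info "Итого: PASS=${PASS_COUNT} FAIL=${FAIL_COUNT} WARN=${WARN_COUNT}"
}

case "${1:-}" in
  --version|-v)
    echo "$SCRIPT_NAME version $VERSION"
    echo "Copyright (c) 2025-2026 OOO SAIKO"
    ;;
  --help|-h)
    echo "Usage: $SCRIPT_NAME [OPTIONS]"
    echo ""
    echo "Saikyo OS Server Security Audit Tool"
    echo ""
    echo "Options:"
    echo " -h, --help Show this help"
    echo " -v, --version Show version"
    echo ""
    echo "Website: https://saikyo-server.ru"
    echo "Support: support@saikyo-os.ru"
    ;;
  *)
    main
    ;;
esac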