#!/bin/bash
# Saikyo OS Server Security Audit Tool
# Copyright (c) 2025-2026 OOO "SAIKO"
# License: GPL-3.0
# Stop at the first command that fails outside a conditional context.
set -e

# Tool identity, shown in the banner and by --version / --help.
VERSION="1.0.0"
SCRIPT_NAME="$(basename "$0")"

# ANSI colour sequences. They are kept as literal backslash escapes and are
# only turned into control characters when a message is printed.
RED='\033[0;31m'    # failures
GREEN='\033[0;32m'  # passed checks
YELLOW='\033[1;33m' # warnings
BLUE='\033[0;34m'   # headings and informational lines
NC='\033[0m'        # reset to the terminal default
#######################################
# Print the coloured start-up banner followed by one empty line.
# Globals:   BLUE, NC, VERSION (read)
# Arguments: none
# Outputs:   five banner lines and a blank line on stdout
#######################################
print_header() {
  local rule="================================================"
  local line

  for line in \
    "${rule}" \
    " Saikyo OS Server - Security Audit Tool v${VERSION}" \
    " Разработка: ООО «САЙКО»" \
    " https://saikyo-server.ru" \
    "${rule}"; do
    echo -e "${BLUE}${line}${NC}"
  done
  echo ""
}
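#######################################
# Print a green PASS line for a check that succeeded.
# Globals:   GREEN, NC (read)
# Arguments: $1 - message text, printed verbatim
# Outputs:   "[PASS] <message>" on stdout
#######################################
check_passed() {
  # Only the colour variables go through %b. The message is printed with %s
  # so that a backslash sequence inside it is shown literally instead of
  # being turned into a control character on the operator's terminal.
  printf '[%b%s%b] %s\n' "${GREEN}" "PASS" "${NC}" "${1-}"
}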
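#######################################
# Print a red FAIL line for a check that did not pass.
# Globals:   RED, NC (read)
# Arguments: $1 - message text, printed verbatim
# Outputs:   "[FAIL] <message>" on stdout
#######################################
check_failed() {
  # Only the colour variables go through %b. The message is printed with %s
  # so that a backslash sequence inside it is shown literally instead of
  # being turned into a control character on the operator's terminal.
  printf '[%b%s%b] %s\n' "${RED}" "FAIL" "${NC}" "${1-}"
}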
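#######################################
# Print a yellow WARN line for a finding that needs attention.
# Globals:   YELLOW, NC (read)
# Arguments: $1 - message text, printed verbatim
# Outputs:   "[WARN] <message>" on stdout
#######################################
check_warning() {
  # Only the colour variables go through %b. The message is printed with %s
  # so that a backslash sequence inside it is shown literally instead of
  # being turned into a control character on the operator's terminal.
  printf '[%b%s%b] %s\n' "${YELLOW}" "WARN" "${NC}" "${1-}"
}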
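#######################################
# Print a blue INFO line.
# Globals:   BLUE, NC (read)
# Arguments: $1 - message text, printed verbatim
# Outputs:   "[INFO] <message>" on stdout
#######################################
check_info() {
  # Callers in this script pass values read from config files and from
  # command output. Only the colour variables go through %b; the message is
  # printed with %s so that backslash sequences in such values are shown
  # literally instead of becoming control characters on the terminal.
  printf '[%b%s%b] %s\n' "${BLUE}" "INFO" "${NC}" "${1-}"
}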
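# Print the lower-cased value of the first occurrence of an sshd_config
# keyword ($1) in the global section of the config file ($2).
# Prints nothing when the keyword is not set there.
_sshd_config_value() {
  awk -F '[ \t=]+' -v key="$1" '
    { sub(/^[ \t]+/, "") }            # tolerate indented directives
    $1 ~ /^#/ { next }                # commented-out lines are not settings
    tolower($1) == "match" { exit }   # what follows is conditional, not global
    tolower($1) == tolower(key) {
      v = tolower($2)
      gsub(/"/, "", v)
      print v
      exit                            # first occurrence only
    }
  ' "$2" 2>/dev/null
}

#######################################
# Audit the SSH daemon settings for root login, password authentication
# and public-key authentication.
#
# Keywords are matched case-insensitively with any whitespace (or "=")
# before the value, and only the first occurrence of a keyword is used.
# A keyword that is not set falls back to the upstream OpenSSH default
# (PermitRootLogin prohibit-password, PasswordAuthentication yes,
# PubkeyAuthentication yes), so an untouched default is no longer
# reported as "key authentication disabled".
#
# Only the named file is parsed: Include'd drop-in files and Match blocks
# are not evaluated. `sshd -T` (run as root) prints the effective
# configuration and is the authoritative cross-check.
#
# Globals:   BLUE, NC (read)
# Arguments: $1 - config file to audit (optional,
#                 default /etc/ssh/sshd_config)
# Outputs:   section heading and one result line per setting on stdout
#######################################
audit_ssh() {
  local config=${1:-/etc/ssh/sshd_config}
  local root_login password_auth pubkey_auth

  echo -e "\n${BLUE}=== Проверка SSH ===${NC}"

  # An unreadable file must not be turned into verdicts about its content.
  if [[ ! -r "${config}" ]]; then
    check_warning "Не удалось прочитать ${config}, проверка SSH пропущена"
    return 0
  fi

  # "|| var=" keeps a failing awk from aborting the script under set -e.
  root_login=$(_sshd_config_value PermitRootLogin "${config}") || root_login=""
  password_auth=$(_sshd_config_value PasswordAuthentication "${config}") || password_auth=""
  pubkey_auth=$(_sshd_config_value PubkeyAuthentication "${config}") || pubkey_auth=""

  # Anything other than an explicit "no" still lets root log in somehow
  # (prohibit-password, for example, allows key-based root login).
  if [[ "${root_login:-prohibit-password}" == "no" ]]; then
    check_passed "Root-логин через SSH отключён"
  else
    check_failed "Root-логин через SSH разрешён"
  fi

  if [[ "${password_auth:-yes}" == "no" ]]; then
    check_passed "Аутентификация по паролю отключена"
  else
    check_warning "Аутентификация по паролю включена"
  fi

  if [[ "${pubkey_auth:-yes}" == "yes" ]]; then
    check_passed "Аутентификация по ключам включена"
  else
    check_failed "Аутентификация по ключам отключена"
  fi
}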
#######################################
# Report which firewall service is running, trying firewalld, ufw and
# nftables in that order and stopping at the first active one.
# Only the systemd unit state is checked; the loaded ruleset itself is
# not inspected.
# Globals:   BLUE, NC (read)
# Arguments: none
# Outputs:   section heading and one result line on stdout
#######################################
audit_firewall() {
  local unit label

  echo -e "\n${BLUE}=== Проверка Firewall ===${NC}"

  for unit in firewalld ufw nftables; do
    if systemctl is-active --quiet "${unit}"; then
      # Display name used in the result line for this unit.
      case "${unit}" in
        firewalld) label="Firewalld" ;;
        ufw) label="UFW" ;;
        *) label="nftables" ;;
      esac
      check_passed "${label} активен"
      return
    fi
  done

  check_failed "Firewall не активен"
}
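#######################################
# Check that the apparmor service is active and, when aa-status is
# available, report how many profiles are loaded.
#
# A failing aa-status is reported as a warning instead of "0" profiles, so
# that a run that simply could not read the state is not mistaken for a
# host with no profiles.
# The figure is the number of loaded profiles. Profiles in complain mode
# log but do not block, so `aa-status --enforced` is the stricter number
# to compare against.
#
# Globals:   BLUE, NC (read)
# Arguments: none
# Outputs:   section heading and result lines on stdout
#######################################
audit_apparmor() {
  local profiles

  echo -e "\n${BLUE}=== Проверка AppArmor ===${NC}"

  if ! systemctl is-active --quiet apparmor; then
    check_failed "AppArmor не активен"
    return 0
  fi
  check_passed "AppArmor активен"

  if command -v aa-status &>/dev/null; then
    # Assignment inside the condition: a non-zero exit is handled here and
    # does not abort the script under set -e.
    if profiles=$(aa-status --profiled 2>/dev/null); then
      check_info "Загружено профилей: ${profiles}"
    else
      check_warning "Не удалось получить число профилей AppArmor (нужны права root?)"
    fi
  fi
}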
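#######################################
# Check that the fail2ban service is active and list its jails.
#
# The jail list is taken from the "Jail list" line of
# `fail2ban-client status`; all whitespace (tabs included) is stripped
# from the value. The client's stderr is discarded, so an empty list is
# also what a failed query looks like (presumably the case without root;
# confirm on the target host).
#
# Globals:   BLUE, NC (read)
# Arguments: none
# Outputs:   section heading and result lines on stdout
#######################################
audit_fail2ban() {
  local jails

  echo -e "\n${BLUE}=== Проверка Fail2ban ===${NC}"

  if ! systemctl is-active --quiet fail2ban; then
    check_warning "Fail2ban не активен"
    return 0
  fi
  check_passed "Fail2ban активен"

  if command -v fail2ban-client &>/dev/null; then
    jails=$(fail2ban-client status 2>/dev/null |
      awk -F: '/Jail list/ { gsub(/[[:space:]]/, "", $2); print $2 }')
    check_info "Активные jail: ${jails:-нет}"
  fi
}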
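#######################################
# Check that auditd is active and report the number of loaded audit rules.
#
# The count skips empty lines and the "No rules" placeholder that
# `auditctl -l` prints for an empty ruleset, so an empty ruleset is
# reported as 0 and not as 1. auditctl's stderr is discarded, so a failed
# query (missing tool, insufficient privileges) also shows up as 0.
#
# Globals:   BLUE, NC (read)
# Arguments: none
# Outputs:   section heading and result lines on stdout
#######################################
audit_auditd() {
  local rules

  echo -e "\n${BLUE}=== Проверка Auditd ===${NC}"

  if ! systemctl is-active --quiet auditd; then
    check_warning "Auditd не активен"
    return 0
  fi
  check_passed "Auditd активен"

  rules=$(auditctl -l 2>/dev/null |
    awk 'NF && $0 != "No rules" { n++ } END { print n + 0 }')
  check_info "Загружено правил аудита: ${rules}"
}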
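#######################################
# Check that unattended-upgrades is installed and that its service is
# active.
#
# The package state is read with dpkg-query and must be exactly
# "install ok installed". Searching the `dpkg -l` listing for the name
# also matches packages that were removed but not purged, and any other
# line that happens to contain the string.
#
# Globals:   BLUE, NC (read)
# Arguments: none
# Outputs:   section heading and two result lines on stdout
#######################################
audit_updates() {
  local pkg_state

  echo -e "\n${BLUE}=== Проверка обновлений ===${NC}"

  # "|| pkg_state=" keeps an unknown package (non-zero exit) from aborting
  # the script under set -e.
  pkg_state=$(dpkg-query -W -f='${Status}' unattended-upgrades 2>/dev/null) ||
    pkg_state=""
  if [[ "${pkg_state}" == "install ok installed" ]]; then
    check_passed "unattended-upgrades установлен"
  else
    check_warning "unattended-upgrades не установлен"
  fi

  # NOTE(review): an active unattended-upgrades.service does not by itself
  # show that periodic upgrades are enabled; on Debian-family systems that
  # is normally controlled by the APT::Periodic settings and the apt timers.
  # Confirm for this distribution.
  if systemctl is-active --quiet unattended-upgrades; then
    check_passed "Автообновления активны"
  else
    check_warning "Автообновления не активны"
  fi
}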
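#######################################
# Check that a pwquality configuration file exists and report the
# configured minimum password length.
#
# Only real assignments ("minlen = N", optionally indented) are read, so
# a commented-out line, including an indented one, is not reported as the
# active value. If the key is assigned more than once, the last assignment
# is reported (presumably the one that takes effect; confirm against
# libpwquality). The value is only displayed, not judged.
#
# Globals:   BLUE, NC (read)
# Arguments: $1 - config file to audit (optional,
#                 default /etc/security/pwquality.conf)
# Outputs:   section heading and result lines on stdout
#######################################
audit_passwords() {
  local config=${1:-/etc/security/pwquality.conf}
  local minlen

  echo -e "\n${BLUE}=== Проверка политики паролей ===${NC}"

  if [[ ! -f "${config}" ]]; then
    check_warning "pwquality.conf не найден"
    return 0
  fi
  check_passed "pwquality.conf настроен"

  # The info line is printed whenever the file mentions minlen at all,
  # commented out or not.
  if grep -q "minlen" "${config}"; then
    minlen=$(awk -F= '
      /^[[:space:]]*minlen[[:space:]]*=/ {
        v = $2
        gsub(/[[:space:]]/, "", v)
        last = v
      }
      END { if (last != "") print last }
    ' "${config}" 2>/dev/null) || minlen=""
    check_info "Минимальная длина пароля: ${minlen:-не задана}"
  fi
}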
#######################################
# Report whether the integrity tools AIDE and rkhunter are on PATH.
# Presence of the command is all that is checked; whether a baseline
# database exists or scans are scheduled is not examined.
# Globals:   BLUE, NC (read)
# Arguments: none
# Outputs:   section heading and one result line per tool on stdout
#######################################
audit_integrity() {
  local tool label

  echo -e "\n${BLUE}=== Проверка контроля целостности ===${NC}"

  for tool in aide rkhunter; do
    # AIDE is shown in upper case, rkhunter under its command name.
    if [[ "${tool}" == "aide" ]]; then
      label="AIDE"
    else
      label="${tool}"
    fi

    if command -v "${tool}" &>/dev/null; then
      check_passed "${label} установлен"
    else
      check_warning "${label} не установлен"
    fi
  done
}
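# Write the report header (title, date, host, OS name, empty summary
# heading) to stdout.
_report_header() {
  local os_name
  os_name=$(grep -m1 '^PRETTY_NAME=' /etc/os-release 2>/dev/null |
    cut -d= -f2 | tr -d '"')
  printf '%s\n' \
    "Saikyo OS Server Security Audit Report" \
    "Date: $(date)" \
    "Hostname: $(hostname)" \
    "OS: ${os_name}" \
    "" \
    "=== Summary ==="
}

#######################################
# Create the audit report file and print its location.
#
# The report goes to /var/log when that is writable. Otherwise the file
# is created under /tmp with mktemp: a fixed, guessable name in a
# world-writable directory can be pre-created or symlinked by another
# local user, and a plain ">" redirect would follow it.
# The file is created with umask 077, since audit findings should not be
# readable by every local account.
# Only the header is written here; the individual check results printed
# by the audit functions are not copied into the file.
#
# Globals:   BLUE, NC (read); REPORT_FILE (written)
# Arguments: none
# Outputs:   section heading and the report path on stdout
# Returns:   non-zero when no report file could be created
#######################################
generate_report() {
  local stamp

  echo -e "\n${BLUE}=== Генерация отчёта ===${NC}"

  stamp=$(date +%Y%m%d-%H%M%S)
  REPORT_FILE="/var/log/saikyo-security-audit-${stamp}.log"

  # Subshell: the umask change stays local, and a failed redirect (for
  # example "permission denied") is caught here with its message discarded.
  if ! (umask 077 && _report_header > "${REPORT_FILE}") 2>/dev/null; then
    # mktemp creates the file itself, with an unpredictable suffix and
    # owner-only permissions.
    if ! REPORT_FILE=$(mktemp "/tmp/saikyo-security-audit-${stamp}.XXXXXX"); then
      check_failed "Не удалось создать файл отчёта"
      return 1
    fi
    _report_header > "${REPORT_FILE}"
  fi

  check_info "Отчёт сохранён: ${REPORT_FILE}"
}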
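#######################################
# Run the full audit: banner, host information, every audit section in
# order, then the report.
#
# A warning is printed when the script is not run as root. Several
# sections call tools with their stderr discarded (auditctl, aa-status,
# fail2ban-client); without root those calls typically fail, and the
# section would otherwise quietly show an empty or zero result.
#
# Globals:   GREEN, NC (read)
# Arguments: none
# Outputs:   the complete audit output on stdout
#######################################
main() {
  local step

  print_header

  check_info "Начало аудита безопасности..."
  check_info "Хост: $(hostname)"
  check_info "Дата: $(date)"

  if [[ "${EUID}" -ne 0 ]]; then
    check_warning "Запуск без прав root: часть проверок может дать неполный результат"
  fi

  # Sections run in a fixed order; under set -e a section that returns
  # non-zero ends the run.
  for step in \
    audit_ssh \
    audit_firewall \
    audit_apparmor \
    audit_fail2ban \
    audit_auditd \
    audit_updates \
    audit_passwords \
    audit_integrity; do
    "${step}"
  done

  generate_report

  echo -e "\n${GREEN}Аудит завершён.${NC}"
}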
# Command-line dispatch: --version/-v and --help/-h print text and stop;
# any other first argument, or none at all, runs the audit.
if [[ "$1" == "--version" || "$1" == "-v" ]]; then
  printf '%s\n' \
    "$SCRIPT_NAME version $VERSION" \
    "Copyright (c) 2025-2026 OOO SAIKO"
elif [[ "$1" == "--help" || "$1" == "-h" ]]; then
  printf '%s\n' \
    "Usage: $SCRIPT_NAME [OPTIONS]" \
    "" \
    "Saikyo OS Server Security Audit Tool" \
    "" \
    "Options:" \
    " -h, --help Show this help" \
    " -v, --version Show version" \
    "" \
    "Website: https://saikyo-server.ru" \
    "Support: support@saikyo-os.ru"
else
  main
fi