def run(config_content):
    """Print the result of the shell-history check to the console.

    Builds ``CommandHistoryInfo(config_content)`` and, for every entry in its
    ``history_status['evil_content']`` list, prints one alert line (level 3);
    an empty list yields a single "normal" line (level 1).  Levels 0 and 4
    are used for the heading and the separator, as elsewhere in this file.
    """
    info = CommandHistoryInfo(config_content)
    flagged = info.history_status['evil_content']

    console(4)
    console(0, "开始历史命令安全检查")
    if not flagged:
        console(1, "命令历史正常")
    else:
        for entry in flagged:
            # History lines may still carry their trailing newline; drop it so
            # each finding stays on one console line.
            cleaned = entry.replace('\n', '')
            console(3, f"存在恶意命令:{cleaned}")
    console(4)
    del info
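def check(config_content):
    """Run every enabled check section in a worker pool and report completion.

    Args:
        config_content: parsed configuration; each of the sections System,
            Account, File, CommandHistory, Process, NetWork and Backdoor is
            dispatched to that module's ``run`` when ``section['enable'] == 1``.
            ``SysInfo.run()`` always runs first, in the calling process.

    Fix: the original discarded the objects returned by ``apply_async``, so an
    exception raised inside a worker was lost and the run still ended with
    "检查完毕".  The results are now kept and any failure is printed at level 3
    before the closing banner.
    """
    SysInfo.run()

    # Section name -> entry point, in the original dispatch order.
    section_runners = (
        ('System', System.run),
        ('Account', Account.run),
        ('File', File.run),
        ('CommandHistory', CommandHistory.run),
        ('Process', Process.run),
        ('NetWork', NetWork.run),
        ('Backdoor', Backdoor.run),
    )

    pool = Pool(4)
    # Assumes multiprocessing.Pool semantics: apply_async returns an AsyncResult
    # whose get() re-raises whatever escaped the worker.
    pending = {
        name: pool.apply_async(runner, (config_content[name],))
        for name, runner in section_runners
        if config_content[name]['enable'] == 1
    }
    pool.close()
    pool.join()

    # After join() every result is ready, so get() does not block; it only
    # surfaces a worker failure that would otherwise vanish silently.
    for name, result in pending.items():
        try:
            result.get()
        except Exception as exc:  # boundary: report the failed section, keep going
            console(3, f"{name} 检查执行出错:{exc}")

    console(4)
    console(0, "检查完毕")
    console(4)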
def _file_report_findings(status, ok_message, alert_prefix, alert_suffix=""):
    """Print one level-3 line per path in ``status['evil_file']``, else *ok_message*.

    The alert text is ``alert_prefix + path + alert_suffix``; the all-clear
    line goes out at level 1, matching the rest of this module.
    """
    flagged = status['evil_file']
    if not flagged:
        console(1, ok_message)
        return
    for path in flagged:
        console(3, f"{alert_prefix}{path}{alert_suffix}")


def run(config_content):
    """Report the file checks collected by ``FileInfo(config_content)``.

    Sections, in order: files added or modified in the configured window,
    hash verification of important executables, then signature scans of
    system files, the temp directory, user directories and hidden files.
    """
    info = FileInfo(config_content)
    console(4)
    console(0, "开始文件安全检查")

    console(0, "指定时间内主机上所有增加或改动过的文件:")
    moved = info.moved_files
    for path in moved['moved_files']:
        console(2, "此文件被添加或修改过:" + path)
    console(1, f"指定时间内一共 {moved['file_count']} 处文件被增加或改动")

    console(0, "检查系统重要可执行文件Hash值:")
    hashes = info.command_status
    if 'error_message' in hashes:
        console(3, "出现错误:" + hashes['error_message'])
    elif not hashes['unexist_command'] and not hashes['unsafe_command']:
        # NOTE(review): prelink_command entries are only printed when some
        # other command is missing or mismatched, so an all-clear hides them;
        # confirm that is intended.
        console(1, "命令哈希值全部正常")
    else:
        for command in hashes['prelink_command']:
            console(2, f" {command} 由prelink服务更新过 请手动检查")
        for command in hashes['unexist_command']:
            console(2, f" {command} 命令不存在 请手动修改配置文件")
        for command in hashes['unsafe_command']:
            console(3, f" {command} 命令哈希值不正确 可能存在被替换的风险 请手动排查或更新数据配置")

    console(0, "检查系统上可能存在的恶意文件:")
    _file_report_findings(info.system_integrity, "未检测出关键文件存在恶意特征", "存在恶意文件:", " . ")
    console(0, "检查系统临时文件目录:")
    _file_report_findings(info.tmp_file_status, "未检测出关键文件存在恶意特征", "存在恶意文件:", " . ")
    console(0, "检查系统各用户目录:")
    _file_report_findings(info.user_file_status, "未检测出关键文件存在恶意特征", "存在恶意文件:", " . ")
    console(0, "检查系统可疑隐藏文件:")
    _file_report_findings(info.hide_files_status, "未发现可疑隐藏文件", "存在可疑隐藏文件:")

    console(4)
    del info
def run(config_content):
    """Report the system-initialisation (alias) check from ``System(config_content)``.

    Any collected error messages are printed at level 2 first; then each
    suspicious alias is printed at level 3 with its owning file and command,
    or a single level-1 all-clear line when none were found.
    """
    info = System(config_content)
    aliases = info.alias_status

    console(4)
    console(0, "开始系统初始化项检查")
    console(0, "开始检查系统Alias:")
    for problem in aliases['error_message']:
        console(2, problem)

    suspicious = aliases['evil_alias']
    if not suspicious:
        console(1, "未发现异常Alias")
    else:
        for hit in suspicious:
            console(3, f"发现异常Alias 所属文件 : {hit.belongfile} . 命令为 : {hit.content}")
    console(4)
    del info
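def _process_report_hot(rows, resource):
    """Print rows that exceed the *resource* ("CPU" or "内存") threshold.

    Each row is read as user=row[0], pid=row[1], usage=row[2], command=row[4];
    what index 3 holds is not visible in this module.  An empty *rows* prints
    the level-1 all-clear line instead.
    """
    if not rows:
        console(1, f"进程使用{resource}正常")
        return
    for row in rows:
        console(3, f"存在超过{resource}阈值的进程。所属用户为 {row[0]} . 进程号为 {row[1]} . 占用{resource}率为 {row[2]} . 对应命令为 {row[4]} .")


def run(config_content):
    """Report the process checks collected by ``ProcessInfo(config_content)``.

    Sections: high-CPU processes, high-memory processes, hidden processes,
    reverse-shell candidates and processes whose executable matched a
    malicious pattern.

    Fix: the memory section previously reused the CPU wording ("进程使用CPU正常",
    "存在超过CPU阈值的进程"), so a memory finding was reported as a CPU one; the
    messages now name the resource actually checked.
    """
    info = ProcessInfo(config_content)
    console(4)
    console(0, "开始进程安全检测")

    console(0, "开始分析占用CPU高的进程:")
    _process_report_hot(info.cpu_status, "CPU")

    console(0, "开始分析占用内存高的进程:")
    _process_report_hot(info.memory_status, "内存")

    console(0, "开始隐藏进程检查:")
    if not info.hidden_processes:
        console(1, "未发现隐藏进程")
    else:
        for pid in info.hidden_processes:
            console(3, f"发现隐藏进程 进程号为 {pid} . 建议人工检查 /proc/{pid}/ .")

    console(0, "开始检查是否存在反弹Shell进程")
    if not info.reverse_shell_status:
        console(1, "未发现反弹Shell进程")
    else:
        # value[0] is printed as the pid and value[1] as the matched content.
        for path, detail in info.reverse_shell_status.items():
            console(3, f"发现反弹Shell进程 进程路径 {path} . 进程号为 {detail[0]} . 内容为 {detail[1]}")

    console(0, "开始分析进程的执行文件:")
    if not info.exe_file_status:
        console(1, "未发现进程恶意执行文件")
    else:
        for name, detail in info.exe_file_status.items():
            console(3, f"发现进程恶意执行文件 进程名: {name} . 内容为 : {detail}")

    console(4)
    del info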
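def _account_report_special_accounts(special):
    """Report UID-0 non-root users and empty-password users held in *special*."""
    if special["evil_users"]:
        console(3, "检测到UID为0的非root账户:")
        for user in special["evil_users"]:
            console(3, f"{user} 为存在于主机上的UID为0的用户")
    else:
        console(1, "不存在UID为0的非root账户")

    # As in the original, the error flag only gates the empty-password part;
    # the UID-0 list above is printed regardless.
    if special['status'] == 0:
        console(3, f"出现错误:{special['exception']}")
    elif special["empty_users"]:
        console(3, "检测存在空口令账户:")
        for user in special["empty_users"]:
            console(3, f"{user} 为存在于主机上的空口令账户")
    else:
        console(1, "不存在空口令账户")


def _account_report_policy_item(actual, expected, compliant, ok_template, bad_template):
    """Print one password-policy line.

    Level 1 when *actual* is set and ``compliant(int(actual), int(expected))``
    holds, level 2 otherwise.  Templates take ``{actual}`` and ``{expected}``;
    ``int(expected)`` is only evaluated when *actual* is truthy, as before.
    """
    if actual and compliant(int(actual), int(expected)):
        console(1, ok_template.format(actual=actual, expected=expected))
    else:
        console(2, bad_template.format(actual=actual, expected=expected))


def _account_report_password_policy(policy, config_content):
    """Compare the host's password ageing/length settings with ``config_content['policy']``."""
    if policy['status'] == 0:
        console(2, f"未检测到存在口令策略 {policy['filepath']} 存在")
        return
    expected = config_content['policy']
    _account_report_policy_item(
        policy['pass_max'], expected['pass_max'], lambda a, e: a <= e,
        "口令最大生存周期符合要求 现周期为:{actual}",
        "口令最大生存周期不符合要求,建议小于等于{expected}天 现周期为:{actual}",
    )
    _account_report_policy_item(
        policy['pass_min'], expected['pass_min'], lambda a, e: a >= e,
        "口令最小更改时间符合要求 现周期为:{actual}",
        "口令最小更改时间不符合要求,建议大于等于{expected}天 现周期为:{actual}",
    )
    # Fix: minimum length is compliant when the host value is at least the
    # configured minimum.  The original used <=, which passed short minimums
    # and contradicted its own "建议大于等于" failure text.
    _account_report_policy_item(
        policy['pass_len'], expected['pass_len'], lambda a, e: a >= e,
        "口令最小长度符合要求 现周期为:{actual}",
        "口令最小长度不符合要求,建议大于等于{expected}天 现周期为:{actual}",
    )
    # NOTE(review): this passes when actual >= expected, yet the failure text
    # recommends "小于等于"; kept as-is — confirm which direction is intended.
    _account_report_policy_item(
        policy['pass_age'], expected['pass_age'], lambda a, e: a >= e,
        "口令过期警告时间符合要求 现周期为:{actual}",
        "口令过期警告时间不符合要求,建议小于等于{expected}天并小于口令最大生存周期 现周期为:{actual}",
    )


def _account_report_tmout(tmout, config_content):
    """Report the shell auto-logout (TMOUT) value against ``config_content['TMOUT']['timeout']``."""
    if tmout['status'] == 0:
        console(2, f"未检测到存在口令策略 {tmout['filepath']} 存在")
    elif not tmout['TMOUT_Time']:
        console(2, "未设置TMOUT账号自动注销")
    elif int(tmout['TMOUT_Time']) < int(config_content['TMOUT']['timeout']):
        console(1, f"账号自动注销设置符合要求,时间为{tmout['TMOUT_Time']}")
    else:
        console(2, f"账号自动注销设置不符合要求,时间为{tmout['TMOUT_Time']}")


def _account_report_logged_in(current):
    """List currently logged-in users with login time and origin."""
    if current['status'] == 0:
        console(1, '当前没有登陆的用户')
        return
    # Fix: the original iterated the status dict itself and then read
    # ``current_user[...]``, an undefined name, so this branch always raised.
    # Reading ``['data']`` assumes the same {'status', 'data'} layout as
    # sudo_status — confirm against AccountInfo.
    for userinfo in current['data']:
        console(2, f"当前登陆的用户为:{userinfo['current_user']} . 登陆时间为 {userinfo['login_time']} . 登陆来源为: {userinfo['remote_ip']} .")


def _account_report_entries(status, ok_message, describe):
    """Print *ok_message* (level 1) or one level-2 line per ``status['data']`` value.

    *describe* renders a single entry (a dict with 'file' and 'content') to text.
    """
    if status['status'] == 0:
        console(1, ok_message)
        return
    # The original sudo loop used .items(); the authorized_keys and passwd
    # loops iterated the dict directly, which cannot unpack into (key, value)
    # for string keys.  All three now use the same .values() iteration.
    for entry in status['data'].values():
        console(2, describe(entry))


def run(config_content):
    """Report the account checks collected by ``AccountInfo(config_content)``.

    Sections: special accounts (UID 0 / empty password), password policy,
    TMOUT auto-logout, logged-in users, sudo users, authorized_keys entries
    and password-file permissions.
    """
    info = AccountInfo(config_content)
    console(4)
    console(0, '开始检查账户安全')

    console(0, "检查账户安全:")
    _account_report_special_accounts(info.special_accounts)

    console(0, '检查口令策略相关信息:')
    _account_report_password_policy(info.password_policy, config_content)

    console(0, '检查账号自动注销设置:')
    _account_report_tmout(info.TMOUT, config_content)

    console(0, "检查当前登陆的用户:")
    _account_report_logged_in(info.current_user)

    console(0, "检查当前sudo用户")
    _account_report_entries(
        info.sudo_status, "未发现sudo权限用户",
        lambda entry: f"发现sudo权限用户 文件 {entry['file']} . 用户 {entry['content']} ",
    )

    console(0, "开始检查免密登录公钥情况")
    _account_report_entries(
        info.authorized_keys_status, "免密登录公钥情况正常",
        lambda entry: f"发现免密登陆证书 路径:{entry['file']} . 客户端 {entry['content']} ",
    )

    console(0, "开始检查密码文件权限情况")
    _account_report_entries(
        info.passwd_file_status, "密码文件权限情况正常",
        lambda entry: f"{entry['file']}文件权限情况不正常 权限为 {entry['content']}",
    )

    console(4)
    del info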
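def _backdoor_report_entries(status, ok_message, describe):
    """Print *ok_message* (level 1) when ``status['status'] == 0``, else one
    level-3 line per value of ``status['data']`` rendered by *describe*."""
    if status['status'] == 0:
        console(1, ok_message)
        return
    for entry in status['data'].values():
        console(3, describe(entry))


def run(config_content):
    """Report the persistence checks collected by ``BackdoorInfo(config_content)``.

    Sections: PATH/environment entries, ld.so.preload, cron jobs, an SSH
    server wrapper, init/startup items and SUID binaries.

    Changes: ``type(x) == dict`` became ``isinstance(x, dict)`` so dict
    subclasses are not silently skipped, and the unused loop keys were
    dropped in favour of ``.values()``.
    """
    info = BackdoorInfo(config_content)
    console(4)
    console(0, "开始后门检测")

    console(0, "检测环境变量")
    if info.PATHBackdoor['status'] == 0:
        console(1, "未发现环境变量后门")
    else:
        for group in info.PATHBackdoor['data'].values():
            # Each group mixes a 'tag' string with dicts of findings; only the
            # dict members carry 'file' / 'content'.
            for member in group.values():
                if not isinstance(member, dict):
                    continue
                for finding in member.values():
                    console(3, f"发现环境变量后门 后门类型 {group['tag']} . 文件 {finding['file']} . 内容 {finding['content']} . 请人工检查")

    console(0, "开始检测ld.so.preload后门:")
    _backdoor_report_entries(
        info.ld_so_preload, "未发现ld.so.preload后门",
        lambda entry: f"发现ld.so.preload后门 文件位置 {entry['file']} . 内容 {entry['content']}",
    )

    console(0, "开始检测定时任务后门")
    _backdoor_report_entries(
        info.cron_status, "未发现定时任务后门",
        lambda entry: f"发现定时任务后门 文件位置 {entry['file']} . 内容 {entry['content']}",
    )

    console(0, "开始检测SSH Server wrapper后门")
    if info.ssh_wrapper['status'] == 0:
        console(1, "未检测到SSH Server wrapper后门")
    else:
        console(3, "检测到SSH Server wrapper后门 。文件位于 /usr/sbin/sshd")

    console(0, "开始检测系统启动项")
    _backdoor_report_entries(
        info.init_status, "未发现异常系统启动项",
        lambda entry: f"发现异常系统启动项 文件 {entry['file']} . 内容 {entry['content']} .",
    )

    console(0, "开始检测SUID提权后门")
    # 'suid_stauts' (sic) is the attribute name BackdoorInfo exposes; it cannot
    # be renamed here.
    _backdoor_report_entries(
        info.suid_stauts, "未检测到SUID提权后门",
        lambda entry: f"检测到SUID提权后门 内容为 {entry['content']}",
    )

    console(4)
    del info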
def run(config_content):
    """Report the network checks collected by ``NetWorkInfo(config_content)``.

    Every remote connection in ``network_link['data']`` is printed at level 3;
    when geo-lookup succeeded (``IP_Information['status'] == 1``) the country,
    city and ISP are appended, and an ``Overseas`` hit gets the urgent headline.
    A promiscuous-mode interface is reported at level 2.
    """
    info = NetWorkInfo(config_content)
    console(4)
    console(0, "开始网络分析:")

    console(0, "开始网络链接检测")
    links = info.network_link
    if links['status'] == 0:
        console(1, "未发现建立远程通信的链接")
    else:
        for link in links['data'].values():
            geo = link['IP_Information']
            headline = "发现远程通信链接"
            geo_text = ""
            if geo['status'] == 1:
                if geo['Overseas'] == 1:
                    headline = "紧急!!!发现境外远程通信链接"
                geo_text = f" 详细IP信息为 国家 {geo['Country']} 城市 {geo['City']} 所属运营商 {geo['ISP']}"
            console(
                3,
                f"{headline} 链接方式为 {link['LinkMethod']} IP和端口为 {link['IP']}:{link['Port']} 进程PID为 {link['PID']}{geo_text}",
            )

    console(0, "开始网卡是否开启混杂模式检测")
    if info.network_promisc['status'] == 1:
        console(2, "检测到网卡开启混杂模式")
    else:
        console(1, "网卡未开启混杂模式")

    console(4)
    del info
def run():
    """Print the host summary gathered by ``sysinfo()``.

    Hostname, kernel, distribution and architecture are printed at level 1.
    ``remote_ip`` equal to the sentinel ``"NETWORKERROR"`` means the public IP
    lookup failed and is reported at level 3 instead.
    """
    info = sysinfo()
    console(4)
    console(0, "系统信息:")

    # String concatenation (not f-strings) is kept so a non-str attribute still
    # raises TypeError exactly as before.
    labelled = (
        ("主机名 : ", info.hostname),
        ("内核版本 : ", info.sys_version),
        ("系统版本 : ", info.host_version),
        ("系统架构 : ", info.arch),
    )
    for label, value in labelled:
        console(1, label + value)

    if info.remote_ip == "NETWORKERROR":
        console(3, "公网IP: 未联网或网络不通畅,无法显示公网IP")
    else:
        console(1, "公网IP:" + info.remote_ip)

    console(4)
    del info