This document by Fengge introduces the basic compliance-check commands to run after installing RHEL LINUX 10, covering system information checks, security configuration checks, service configuration checks and related items. It follows the Security Guide in the official Red Hat Enterprise Linux 10 documentation and is meant for Linux administrators to use in study and test environments; verify everything yourself before applying it in production.
Reference: the System administration chapter of the official Red Hat Enterprise Linux 10 documentation
Part01-Basic Concepts and Theory
1.1 What a system compliance check is
A system compliance check verifies a system's configuration, security settings, service state and related items against a specific security standard, industry regulation or internal policy. It confirms that the system meets its security requirements, reduces risk and produces the evidence auditors ask for. The usual areas are:
- System configuration: OS version, kernel parameters, file system layout
- Security settings: user privileges, password policy, SELinux configuration
- Service configuration: running services, open ports, network configuration
- Logging and audit: log configuration, audit rules, event records
- Patch management: software updates, security patches, version control
1.2 Compliance standards and frameworks
Commonly used compliance standards include:
1. CIS Benchmark
- Benchmarks published by the Center for Internet Security
- Detailed, prescriptive hardening configuration guidance
- Cover operating systems, databases, network devices and more
2. NIST Cybersecurity Framework
- Framework from the US National Institute of Standards and Technology
- Cybersecurity best practices
- Organized around five core functions: Identify, Protect, Detect, Respond, Recover (CSF 2.0 adds a sixth, Govern)
3. ISO 27001
- International standard for information security management systems
- Specifies information security control requirements
- Applicable to organizations of any kind
4. PCI DSS
- Payment Card Industry Data Security Standard
- Applies to organizations that store, process or transmit payment card data
- Built around 12 core requirements
5. Multi-Level Protection Scheme (等级保护)
- China's classified protection scheme for cybersecurity
- Five protection levels
- Covers both technical and management requirements
# RHEL LINUX 10 compliance tools
- OpenSCAP: scanner implementing the Security Content Automation Protocol
- Red Hat Insights: Red Hat's hosted analysis service (hosts connect with insights-client / rhc)
- Ansible: automated compliance configuration and remediation
- Audit (auditd): the kernel audit subsystem and its daemon
1.3 Why compliance checks matter
Compliance checks matter to enterprise IT systems for several reasons:
- Lower security risk: find and fix weak configurations and missing patches promptly
- Audit readiness: satisfy internal and external audit requirements
- Regulatory compliance: meet industry regulations and standards
- Best practice: keep systems configured according to recognized baselines
- Continuous improvement: establish an ongoing security improvement process
Part02-Production Planning and Recommendations
2.1 Compliance check planning
In production, compliance checks need a detailed plan:
1. Define the scope
- Decide which systems are in scope
- Identify critical systems and sensitive data
- Set check priorities
2. Choose the standards
- Select the applicable compliance standards
- Tailor internal check standards where needed
- Update the standards regularly
3. Plan the check frequency
- Daily: basic security items
- Weekly: service configuration items
- Monthly: full compliance check
- Quarterly: in-depth security audit
4. Deploy the tooling
- Deploy automated check tools
- Configure report generation
- Set up issue tracking
2.2 Compliance tool selection
RHEL LINUX 10 provides several compliance check tools:
# dnf search scap
Last metadata expiration check: 0:00:00 ago on Thu Apr 2 14:00:00 2026.
======================== Name Exactly Matched: scap =========================
scap-security-guide.noarch : Security guidance and baselines in SCAP formats
scap-workbench.x86_64 : GUI tool for SCAP scanners
openscap-scanner.x86_64 : OpenSCAP scanner
openscap-utils.x86_64 : OpenSCAP utilities
openscap.x86_64 : Set of open source libraries enabling SCAP
# Install the OpenSCAP scanner and the SCAP Security Guide content
# dnf install -y openscap-scanner scap-security-guide
Dependencies resolved.
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
openscap-scanner x86_64 1.3.6-3.el10 rhel-baseos 125 k
scap-security-guide noarch 0.1.63-1.el10 rhel-appstream 8.5 M
Installing dependencies:
openscap x86_64 1.3.6-3.el10 rhel-baseos 2.1 M
libxml2 x86_64 2.9.13-2.el10 rhel-baseos 345 k
libxslt x86_64 1.1.34-5.el10 rhel-baseos 180 k
Transaction Summary
================================================================================
Install 5 Packages
Total download size: 11 M
Installed size: 45 M
Downloading Packages:
(1/5): openscap-scanner-1.3.6-3.el10.x86_64.rpm 125 kB/s | 125 kB 00:01
(2/5): scap-security-guide-0.1.63-1.el10.noarch 5.2 MB/s | 8.5 MB 00:01
(3/5): openscap-1.3.6-3.el10.x86_64.rpm 1.3 MB/s | 2.1 MB 00:01
(4/5): libxml2-2.9.13-2.el10.x86_64.rpm 2.1 MB/s | 345 kB 00:00
(5/5): libxslt-1.1.34-5.el10.x86_64.rpm 1.8 MB/s | 180 kB 00:00
--------------------------------------------------------------------------------
Total 6.7 MB/s | 11 MB 00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : libxml2-2.9.13-2.el10.x86_64 1/5
Installing : libxslt-1.1.34-5.el10.x86_64 2/5
Installing : openscap-1.3.6-3.el10.x86_64 3/5
Installing : openscap-scanner-1.3.6-3.el10.x86_64 4/5
Installing : scap-security-guide-0.1.63-1.el10.noarch 5/5
Verifying : scap-security-guide-0.1.63-1.el10.noarch 1/5
Verifying : openscap-scanner-1.3.6-3.el10.x86_64 2/5
Verifying : openscap-1.3.6-3.el10.x86_64 3/5
Verifying : libxslt-1.1.34-5.el10.x86_64 4/5
Verifying : libxml2-2.9.13-2.el10.x86_64 5/5
Installed:
openscap-1.3.6-3.el10.x86_64
openscap-scanner-1.3.6-3.el10.x86_64
scap-security-guide-0.1.63-1.el10.noarch
libxml2-2.9.13-2.el10.x86_64
libxslt-1.1.34-5.el10.x86_64
Complete!
# List the SCAP content shipped by scap-security-guide
# ls /usr/share/xml/scap/ssg/content/
ssg-rhel10-ds.xml
ssg-rhel10-ocil.xml
ssg-rhel10-xccdf.xml
ssg-rhel10-cpe-dictionary.xml
ssg-rhel10-oval.xml
2.3 Compliance check workflow
A standard compliance check workflow:
1. Preparation
- Define the scope and the standards
- Prepare the tools and scripts
- Notify the people involved
2. Execution
- Collect system information
- Run the check commands
- Record the results
3. Analysis
- Analyse the results
- Identify non-compliant items
- Rate the risk of each finding
4. Remediation
- Draw up a remediation plan
- Carry out the remediation
- Verify the result
5. Reporting
- Generate the compliance report
- Submit it for management sign-off
- Archive the check records
6. Continuous improvement
- Re-check periodically
- Update the check standards
- Refine the process
Part03-Production Implementation
3.1 Basic system information checks
Check basic system information to confirm that the version and configuration meet requirements:
# cat /etc/redhat-release
Red Hat Enterprise Linux release 10.0 (Coughlan)
# Check the kernel version
# uname -r
6.12.0-55.el10.x86_64
# Check the CPU architecture
# uname -m
x86_64
# Check the uptime
# uptime
14:00:01 up 1 day, 4:00, 2 users, load average: 0.00, 0.01, 0.05
# Check the hostname
# hostnamectl
Static hostname: rhel10-server
Icon name: computer-vm
Chassis: vm
Machine ID: 1234567890abcdef1234567890abcdef
Boot ID: abcdef1234567890abcdef1234567890
Virtualization: kvm
Operating System: Red Hat Enterprise Linux 10.0 (Coughlan)
CPE OS Name: cpe:/o:redhat:enterprise_linux:10::baseos
Kernel: Linux 6.12.0-55.el10.x86_64
Architecture: x86-64
# Check the installation date (basesystem is installed together with the OS)
# rpm -qi basesystem | grep "Install Date"
Install Date: Thu 02 Apr 2026 10:00:00 AM CST
# Check the locale
# localectl
System Locale: LANG=en_US.UTF-8
VC Keymap: us
X11 Layout: us
# Check the time zone and clock synchronization
# timedatectl
Local time: Thu 2026-04-02 14:00:01 CST
Universal time: Thu 2026-04-02 06:00:01 UTC
RTC time: Thu 2026-04-02 06:00:01
Time zone: Asia/Shanghai (CST, +0800)
System clock synchronized: yes
NTP service: active
RTC in local TZ: no
# Check memory
# free -h
total used free shared buff/cache available
Mem: 7.6Gi 1.2Gi 5.8Gi 128Mi 640Mi 6.0Gi
Swap: 2.0Gi 0B 2.0Gi
# Check disk usage and the partition layout (the separate-partition rules in the CIS profile are evaluated against this)
# df -h
Filesystem Size Used Avail Use% Mounted on
devtmpfs 4.0M 0 4.0M 0% /dev
tmpfs 3.9G 0 3.9G 0% /dev/shm
tmpfs 1.6G 9.5M 1.6G 1% /run
/dev/mapper/rhel-root 50G 3.5G 47G 7% /
/dev/sda1 1014M 256M 759M 26% /boot
/dev/mapper/rhel-home 50G 512M 50G 1% /home
# Check CPU information
# lscpu
Architecture: x86_64
CPU op-mode(s): 32-bit, 64-bit
Address sizes: 45 bits physical, 48 bits virtual
Byte Order: Little Endian
CPU(s): 4
On-line CPU(s) list: 0-3
Vendor ID: GenuineIntel
Model name: Intel(R) Core(TM) i7-10700K CPU @ 3.80GHz
CPU family: 6
Model: 158
Thread(s) per core: 2
Core(s) per socket: 2
Socket(s): 1
Stepping: 13
BogoMIPS: 7603.00
3.2 Security configuration checks
Check the security configuration against the baseline requirements:
# getenforce
Enforcing
# Check the persistent SELinux configuration
# cat /etc/selinux/config
# This file controls the state of SELinux on the system.
# SELINUX= can take one of these three values:
# enforcing - SELinux security policy is enforced.
# permissive - SELinux prints warnings instead of enforcing.
# disabled - No SELinux policy is loaded.
SELINUX=enforcing
# SELINUXTYPE= can take one of these three values:
# targeted - Targeted processes are protected,
# minimum - Modification of targeted policy. Only selected processes are protected.
# mls - Multi Level Security protection.
SELINUXTYPE=targeted
# Check the firewall status
# systemctl status firewalld
● firewalld.service - firewalld - dynamic firewall daemon
Loaded: loaded (/usr/lib/systemd/system/firewalld.service; enabled; preset: enabled)
Active: active (running) since Thu 2026-04-02 10:00:00 CST; 4h ago
Docs: man:firewalld(1)
Main PID: 1234 (firewalld)
Tasks: 2 (limit: 23456)
Memory: 32.5M
CPU: 1.234s
CGroup: /system.slice/firewalld.service
└─1234 /usr/bin/python3 -Es /usr/sbin/firewalld --nofork --nopid
Apr 02 10:00:00 rhel10-server systemd[1]: Starting firewalld - dynamic firewall daemon...
Apr 02 10:00:00 rhel10-server systemd[1]: Started firewalld - dynamic firewall daemon.
# Check the firewall rules of the active zone
# firewall-cmd --list-all
public (active)
target: default
icmp-block-inversion: no
interfaces: enp0s3
sources:
services: cockpit dhcpv6-client ssh
ports:
protocols:
forward: no
masquerade: no
forward-ports:
source-ports:
icmp-blocks:
rich rules:
# Check the SSH server configuration. Note: on RHEL 10 the main file starts with "Include /etc/ssh/sshd_config.d/*.conf", so values set in drop-in files (such as 50-redhat.conf) do not appear in this listing; sshd -T prints the effective configuration and is what a compliance check should read.
# cat /etc/ssh/sshd_config | grep -v "^#" | grep -v "^$"
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
PermitRootLogin no
PasswordAuthentication yes
ChallengeResponseAuthentication no
GSSAPIAuthentication yes
GSSAPICleanupCredentials no
UsePAM yes
X11Forwarding yes
PrintMotd no
AcceptEnv LANG LC_CTYPE LC_NUMERIC LC_TIME LC_COLLATE LC_MONETARY LC_MESSAGES
AcceptEnv LC_PAPER LC_NAME LC_ADDRESS LC_TELEPHONE LC_MEASUREMENT
AcceptEnv LC_IDENTIFICATION LC_ALL LANGUAGE
AcceptEnv XMODIFIERS
Subsystem sftp /usr/libexec/openssh/sftp-server
# Check the password quality policy (pam_pwquality)
# cat /etc/security/pwquality.conf | grep -v "^#" | grep -v "^$"
minlen = 8
minclass = 4
maxrepeat = 3
maxclassrepeat = 4
lcredit = -1
ucredit = -1
dcredit = -1
ocredit = -1
# Check the login-failure lockout policy. faillock.conf is only enforced when pam_faillock is in the PAM stack; on RHEL that is switched on through authselect (authselect current should list the with-faillock feature).
# cat /etc/security/faillock.conf | grep -v "^#" | grep -v "^$"
dir = /var/log/faillock
audit
silent
deny = 5
fail_interval = 900
unlock_time = 1800
# Check the password aging defaults (these login.defs values apply only to accounts created after they are set)
# cat /etc/login.defs | grep -E "PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_MIN_LEN|PASS_WARN_AGE"
PASS_MAX_DAYS 90
PASS_MIN_DAYS 0
PASS_MIN_LEN 8
PASS_WARN_AGE 7
# Check the root account's password aging
# chage -l root
Last password change : Apr 02, 2026
Password expires : Jul 01, 2026
Password inactive : never
Account expires : never
Minimum number of days between password change : 0
Maximum number of days between password change : 90
Number of days of warning before password expires : 7
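chage -l shows one account at a time, and the login.defs defaults above do not change accounts that already exist, so a real check has to read the aging fields of every entry in /etc/shadow. The script below is an added example (not from the RHEL documentation): it reports accounts with a password that is empty, never ages, has no maximum or exceeds the allowed maximum, and skips locked accounts. The shadow file it runs on when called without arguments is a constructed sample with placeholder hashes and invented user names (alice, bob, carol, svc-backup); on a real host point it at /etc/shadow and fix findings with chage -M.

```shell
#!/bin/bash
# Password-aging audit across all accounts in a shadow file.
# Added example, not from the RHEL documentation. PASS_MAX_DAYS in
# /etc/login.defs only affects accounts created after it is set; existing
# accounts keep the aging values stored in /etc/shadow, so a compliance check
# has to read /etc/shadow itself (fixes go through chage -M).
#
# shadow(5) fields: name:hash:lastchg:min:max:warn:inactive:expire:reserved
# An empty lastchg disables aging entirely; an empty max means no maximum.

# Print "<user> <reason>" for every account outside the policy.
#   $1 = shadow file, $2 = maximum allowed password age in days (default 90)
audit_password_aging() {
    awk -F: -v max="${2:-90}" '
        /^#/ || NF < 5 { next }                 # comments / malformed lines
        $2 == "" { print $1, "empty-password"; next }
        $2 ~ /^[!*]/ { next }                   # locked or no password: !, !!, *
        $3 == "" { print $1, "aging-disabled"; next }
        $5 == "" { print $1, "max-days=unset"; next }
        $5 + 0 > max + 0 { print $1, "max-days=" $5 }
    ' "$1"
}

# Number of violations, usable as a pass/fail gate (0 = compliant).
count_password_aging_violations() {
    audit_password_aging "$@" | wc -l | tr -d ' '
}

# Constructed sample shadow file (hashes are placeholders, names are invented).
write_sample_shadow() {
    cat > "$1" <<'EOF'
root:$6$salt$hash:20545:0:90:7:::
alice:$6$salt$hash:20545:0:99999:7:::
bob:$6$salt$hash::0:90:7:::
carol::20545:0:90:7:::
svc-backup:$6$salt$hash:20545:0::7:::
bin:*:20000:0:99999:7:::
sync:!!:20000:0:99999:7:::
EOF
}

# Demo: audit the file given as $1, or the constructed sample when run bare.
# On a real host: audit_password_aging /etc/shadow 90
if [ -n "$1" ]; then
    target=$1
else
    target=$(mktemp)
    write_sample_shadow "$target"
fi
echo "Password aging violations in $target:"
audit_password_aging "$target" 90
echo "total: $(count_password_aging_violations "$target" 90)"
if [ -z "$1" ]; then rm -f "$target"; fi
```

The sample produces four findings: alice (max 99999 days), bob (aging disabled), carol (empty password field, which PAM treats as no password) and svc-backup (no maximum set); root and the locked system accounts pass. An empty password field is the one result that should be treated as critical rather than as an aging issue.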
3.3 Service configuration checks
Check the service configuration so that only the services actually needed are running:
# systemctl list-unit-files --type=service --state=enabled
UNIT FILE STATE PRESET
auditd.service enabled enabled
crond.service enabled enabled
firewalld.service enabled enabled
getty@tty1.service enabled enabled
irqbalance.service enabled enabled
kdump.service enabled enabled
NetworkManager.service enabled enabled
rsyslog.service enabled enabled
sshd.service enabled enabled
systemd-resolved.service enabled enabled
tuned.service enabled enabled
11 unit files listed.
# Check the running services
# systemctl list-units --type=service --state=running
UNIT LOAD ACTIVE SUB DESCRIPTION
auditd.service loaded active running Security Auditing Service
crond.service loaded active running Command Scheduler
dbus-broker.service loaded active running D-Bus System Message Bus
firewalld.service loaded active running firewalld – dynamic firewall daemon
getty@tty1.service loaded active running Getty on tty1
NetworkManager.service loaded active running Network Manager
polkit.service loaded active running Authorization Manager
rsyslog.service loaded active running System Logging Service
sshd.service loaded active running OpenSSH server daemon
systemd-journald.service loaded active running Journal Service
systemd-logind.service loaded active running Login Service
systemd-resolved.service loaded active running Network Name Resolution manager
systemd-udevd.service loaded active running Rule-based Manager for Device Events and Files
tuned.service loaded active running Dynamic System Tuning Daemon
LOAD = Reflects whether the unit definition was properly loaded.
ACTIVE = The high-level unit activation state, i.e. generalization of SUB.
SUB = The low-level unit activation state, values depend on unit type.
14 loaded units listed. Pass --all to see loaded but inactive units, too.
To show all installed unit files use 'systemctl list-unit-files'.
# Check listening sockets (here only sshd on port 22 and chronyd on the loopback port 323)
# ss -tuln
Netid State Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp UNCONN 0 0 127.0.0.1:323 0.0.0.0:*
udp UNCONN 0 0 [::1]:323 [::]:*
tcp LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
tcp LISTEN 0 128 [::]:22 [::]:*
# Check ports opened explicitly in the firewall (empty output: no port rules in the active zone)
# firewall-cmd --list-ports
# Check services allowed by the firewall
# firewall-cmd --list-services
cockpit dhcpv6-client ssh
# Check the audit service status
# systemctl status auditd
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: enabled)
Active: active (running) since Thu 2026-04-02 10:00:00 CST; 4h ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
Main PID: 5678 (auditd)
Tasks: 2 (limit: 23456)
Memory: 2.5M
CPU: 123ms
CGroup: /system.slice/auditd.service
└─5678 /sbin/auditd
Apr 02 10:00:00 rhel10-server augenrules[5678]: No rules
Apr 02 10:00:00 rhel10-server augenrules[5678]: enabled 1
Apr 02 10:00:00 rhel10-server augenrules[5678]: flag 1
Apr 02 10:00:00 rhel10-server augenrules[5678]: pid 5678
Apr 02 10:00:00 rhel10-server augenrules[5678]: rate_limit 0
Apr 02 10:00:00 rhel10-server augenrules[5678]: backlog_limit 8192
Apr 02 10:00:00 rhel10-server augenrules[5678]: lost 0
Apr 02 10:00:00 rhel10-server augenrules[5678]: backlog 0
Apr 02 10:00:00 rhel10-server systemd[1]: Started Security Auditing Service.
# Check the loaded audit rules. "No rules" is a finding, not a pass: with no rules auditd records only the user-space events that PAM and login programs send on their own (USER_LOGIN, USER_AUTH and similar), and the CIS and STIG profiles require a rule set under /etc/audit/rules.d/.
# auditctl -l
No rules
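An auditd that is active but has no rules is the state most freshly installed systems are in. The block below is an added example (not from the RHEL documentation or the CIS benchmark text): the first function emits a small baseline rule set covering the usual themes, the second reads an auditctl -l listing and reports which expected keys are absent, so it can be run after augenrules --load to confirm the rules took effect. The target file name /etc/audit/rules.d/10-baseline.rules is an assumed name, and the listing the demo checks is a constructed sample of a host that loaded only two rules.

```shell
#!/bin/bash
# Baseline audit rule set and a check that it is really loaded.
# Added example, not from the RHEL documentation or the CIS benchmark; the
# rules cover the usual baseline themes (identity files, sudoers, SELinux
# policy, time changes, kernel modules, privilege escalation, login records).
# The target path /etc/audit/rules.d/10-baseline.rules is an assumed name.

# Emit the rule set on stdout. augenrules(8) merges /etc/audit/rules.d/*.rules
# in lexical order; a final "-e 2" (lock the configuration until reboot) belongs
# in a separately numbered file such as 99-finalize.rules so that it sorts last.
baseline_audit_rules() {
    cat <<'EOF'
-D
-b 8192
-f 1
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/sudoers -p wa -k scope
-w /etc/sudoers.d/ -p wa -k scope
-w /etc/selinux/ -p wa -k MAC-policy
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k time-change
-a always,exit -F arch=b64 -S init_module,finit_module,delete_module -k modules
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -k setuid
-w /var/log/faillock/ -p wa -k logins
EOF
}

# Read an "auditctl -l" listing on stdin and report which expected keys are
# absent. auditctl prints watch keys as "-k KEY" and syscall-rule keys as
# "-F key=KEY", so both spellings are accepted. Returns 1 if anything is missing.
check_audit_keys() {
    required="identity scope MAC-policy time-change modules setuid logins"
    loaded=$(grep -oE -- '(-k |-F key=)[^ ]+' | sed -E 's/^(-k |-F key=)//' | sort -u)
    missing=0
    for key in $required; do
        if ! printf '%s\n' "$loaded" | grep -qx -- "$key"; then
            echo "missing audit key: $key"
            missing=1
        fi
    done
    return $missing
}

# Demo against a constructed listing of a host that loaded only two rules.
# On a real host:
#   baseline_audit_rules > /etc/audit/rules.d/10-baseline.rules
#   augenrules --load && auditctl -l | check_audit_keys
sample_listing='-w /etc/passwd -p wa -k identity
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -F key=time-change'
printf '%s\n' "$sample_listing" | check_audit_keys \
    && echo "all baseline keys loaded" \
    || echo "baseline audit rules incomplete"
```

Checking by key rather than by exact rule text is deliberate: auditctl -l normalizes rules (syscall lists are reordered and keys on -a rules are printed as -F key=), so a literal diff against the rules file reports spurious differences.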
# Check the logging service status
# systemctl status rsyslog
● rsyslog.service - System Logging Service
Loaded: loaded (/usr/lib/systemd/system/rsyslog.service; enabled; preset: enabled)
Active: active (running) since Thu 2026-04-02 10:00:00 CST; 4h ago
Docs: man:rsyslogd(8)
https://www.rsyslog.com/doc/
Main PID: 9012 (rsyslogd)
Tasks: 3 (limit: 23456)
Memory: 1.5M
CPU: 234ms
CGroup: /system.slice/rsyslog.service
└─9012 /usr/sbin/rsyslogd -n
Apr 02 10:00:00 rhel10-server systemd[1]: Starting System Logging Service...
Apr 02 10:00:00 rhel10-server rsyslogd[9012]: [origin software="rsyslogd" swVersion="8.2204.0" x-pid="9012" x-info="https://www.rsyslog.com"] start
Apr 02 10:00:00 rhel10-server systemd[1]: Started System Logging Service.
Part04-Production Cases and Hands-on Walkthroughs
4.1 Enterprise compliance check case
Case: an enterprise compliance check with OpenSCAP.
# oscap info /usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
Document type: Source Data Stream
Imported: 2026-01-01T00:00:00
Stream: scap_org.open-scap_datastream_from_xccdf_ssg-rhel10-xccdf.xml
Generated: (empty)
Version: 1.3
Checklists:
Ref-Id: scap_org.open-scap_cref_ssg-rhel10-xccdf.xml
Status: draft
Generated: 2026-01-01
Resolved: true
Profiles:
Title: Standard System Security Profile for Red Hat Enterprise Linux 10
Id: xccdf_org.ssgproject.content_profile_standard
Title: ANSSI-BP-028 (enhanced)
Id: xccdf_org.ssgproject.content_profile_anssi_bp28_enhanced
Title: ANSSI-BP-028 (high)
Id: xccdf_org.ssgproject.content_profile_anssi_bp28_high
Title: ANSSI-BP-028 (intermediary)
Id: xccdf_org.ssgproject.content_profile_anssi_bp28_intermediary
Title: ANSSI-BP-028 (minimal)
Id: xccdf_org.ssgproject.content_profile_anssi_bp28_minimal
Title: CIS Red Hat Enterprise Linux 10 Benchmark for Level 2 – Workstation
Id: xccdf_org.ssgproject.content_profile_cis_workstation_l2
Title: CIS Red Hat Enterprise Linux 10 Benchmark for Level 1 – Workstation
Id: xccdf_org.ssgproject.content_profile_cis_workstation_l1
Title: CIS Red Hat Enterprise Linux 10 Benchmark for Level 2 – Server
Id: xccdf_org.ssgproject.content_profile_cis_server_l2
Title: CIS Red Hat Enterprise Linux 10 Benchmark for Level 1 – Server
Id: xccdf_org.ssgproject.content_profile_cis_server_l1
# Run the CIS Level 1 Server profile. The exit status is 0 when every rule passes, 2 when at least one rule fails and 1 on an error, so the command can drive automation directly.
# oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis_server_l1 \
--results /tmp/cis-results.xml \
--report /tmp/cis-report.html \
/usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
Title
Ensure /tmp Located On Separate Partition
Rule xccdf_org.ssgproject.content_rule_partition_for_tmp
Ident CCE-86220-5
Result fail
Title
Ensure /var Located On Separate Partition
Rule xccdf_org.ssgproject.content_rule_partition_for_var
Ident CCE-86221-3
Result fail
Title
Ensure /var/log Located On Separate Partition
Rule xccdf_org.ssgproject.content_rule_partition_for_var_log
Ident CCE-86222-1
Result fail
Title
Ensure /var/log/audit Located On Separate Partition
Rule xccdf_org.ssgproject.content_rule_partition_for_var_log_audit
Ident CCE-86223-9
Result fail
Title
Ensure /home Located On Separate Partition
Rule xccdf_org.ssgproject.content_rule_partition_for_home
Ident CCE-86224-7
Result pass
# View the HTML report
# firefox /tmp/cis-report.html
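The HTML report is for people; for tracking findings across many hosts the results XML is the better input. The block below is an added example (not part of OpenSCAP or the RHEL documentation) that summarizes a results file written by oscap xccdf eval --results: totals per result class and the failing rules ordered by severity. It relies on the pretty-printed layout oscap writes (each rule-result start tag and each result element on its own line); the file it runs on when called without arguments is a constructed sample whose rule identifiers follow the SSG naming seen above but whose results are invented.

```shell
#!/bin/bash
# Summarize an XCCDF results file produced by "oscap xccdf eval --results".
# Added example, not part of OpenSCAP or the RHEL documentation. It relies on
# the layout oscap writes: each <rule-result ...> start tag and each
# <result>...</result> element on its own line. For anything stricter, use
# xmllint --xpath on the file instead of awk.

# Print "rule_id severity result" for every rule-result in the file.
xccdf_rule_results() {
    awk '
        /<rule-result / {
            id = ""; sev = "unknown"
            if (match($0, /idref="[^"]*"/))    id  = substr($0, RSTART + 7, RLENGTH - 8)
            if (match($0, /severity="[^"]*"/)) sev = substr($0, RSTART + 10, RLENGTH - 11)
        }
        /<result>/ && id != "" {
            r = $0
            sub(/.*<result>/, "", r); sub(/<\/result>.*/, "", r)
            print id, sev, r
            id = ""
        }
    ' "$1"
}

# Totals per result class on one line: pass=N fail=N notapplicable=N other=N
xccdf_summary() {
    xccdf_rule_results "$1" | awk '
        { n[$3]++ }
        END {
            other = NR - n["pass"] - n["fail"] - n["notapplicable"]
            printf "pass=%d fail=%d notapplicable=%d other=%d\n",
                   n["pass"], n["fail"], n["notapplicable"], other
        }'
}

# Failing rules only, highest severity first ("rule_id severity").
xccdf_failures() {
    xccdf_rule_results "$1" | awk '
        BEGIN { rank["high"] = 0; rank["medium"] = 1; rank["low"] = 2 }
        $3 == "fail" { print (($2 in rank) ? rank[$2] : 3), $1, $2 }
    ' | sort -n -k1,1 | cut -d' ' -f2-
}

# Constructed sample in the shape oscap writes, trimmed to the relevant elements.
write_sample_results() {
    cat > "$1" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<TestResult xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_org.open-scap_testresult_sample">
  <rule-result idref="xccdf_org.ssgproject.content_rule_partition_for_tmp" role="full" severity="low" weight="1.000000">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_sshd_disable_root_login" role="full" severity="medium" weight="1.000000">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_audit_rules_login_events" role="full" severity="medium" weight="1.000000">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_selinux_state" role="full" severity="high" weight="1.000000">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_org.ssgproject.content_rule_grub2_uefi_password" role="full" severity="unknown" weight="1.000000">
    <result>notapplicable</result>
  </rule-result>
</TestResult>
EOF
}

# Demo: summarize the file given as $1 (e.g. /tmp/cis-results.xml) or the sample.
if [ -n "$1" ]; then
    results=$1
else
    results=$(mktemp)
    write_sample_results "$results"
fi
xccdf_summary "$results"
xccdf_failures "$results"
if [ -z "$1" ]; then rm -f "$results"; fi
```

Rules reported as notapplicable (for example UEFI rules on a BIOS host) are counted separately so that they neither inflate the pass count nor hide among the failures; an "other" count greater than zero usually means error or unknown results from checks that could not run and deserves a look at the report.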
# Generate a remediation script. Review it before running it: it changes system configuration in place, and some rules (the separate-partition checks above, for example) cannot be fixed by a script at all. Test it on a non-production system first; the same applies to oscap xccdf eval --remediate, which applies fixes during the scan.
# oscap xccdf generate fix --profile xccdf_org.ssgproject.content_profile_cis_server_l1 \
--output /tmp/cis-remediation.sh \
/usr/share/xml/scap/ssg/content/ssg-rhel10-ds.xml
# Inspect the remediation script
# head -50 /tmp/cis-remediation.sh
#!/bin/bash
# OpenSCAP remediation role for profile xccdf_org.ssgproject.content_profile_cis_server_l1
# Profile Title: CIS Red Hat Enterprise Linux 10 Benchmark for Level 1 - Server
# Profile Description:
# This profile defines a baseline that aligns to the Center for Internet Security
# Red Hat Enterprise Linux 10 Benchmark, Level 1.
# …
4.2 Security baseline check case
Case: run a security baseline check script. The script reads the effective sshd configuration with sshd -T, because drop-in files under /etc/ssh/sshd_config.d/ are included there, and checks the socket units that provide the legacy services on RHEL.
# cat > /tmp/security_baseline_check.sh << 'EOF'
#!/bin/bash
# Basic security baseline check; run as root.
echo "========================================="
echo "System Security Baseline Check Report"
echo "Check time: $(date)"
echo "========================================="
echo ""
echo "1. SELinux status"
SELINUX_STATUS=$(getenforce)
if [ "$SELINUX_STATUS" == "Enforcing" ]; then
    echo "  [PASS] SELinux status: $SELINUX_STATUS"
else
    echo "  [FAIL] SELinux status: $SELINUX_STATUS (should be Enforcing)"
fi
echo ""
echo "2. Firewall status"
FIREWALL_STATUS=$(systemctl is-active firewalld)
if [ "$FIREWALL_STATUS" == "active" ]; then
    echo "  [PASS] Firewall status: $FIREWALL_STATUS"
else
    echo "  [FAIL] Firewall status: $FIREWALL_STATUS (should be active)"
fi
echo ""
echo "3. SSH configuration"
# sshd -T prints the effective configuration, including /etc/ssh/sshd_config.d/*.conf
SSH_ROOT_LOGIN=$(sshd -T 2>/dev/null | awk '$1 == "permitrootlogin" {print $2}')
if [ "$SSH_ROOT_LOGIN" == "no" ]; then
    echo "  [PASS] SSH root login: PermitRootLogin $SSH_ROOT_LOGIN"
else
    echo "  [FAIL] SSH root login: PermitRootLogin ${SSH_ROOT_LOGIN:-unknown} (should be no)"
fi
echo ""
echo "4. Password policy"
PASS_MAX_DAYS=$(awk '$1 == "PASS_MAX_DAYS" {print $2}' /etc/login.defs)
if [ -n "$PASS_MAX_DAYS" ] && [ "$PASS_MAX_DAYS" -le 90 ]; then
    echo "  [PASS] Password max age: $PASS_MAX_DAYS days"
else
    echo "  [FAIL] Password max age: ${PASS_MAX_DAYS:-unset} days (should be 90 or less)"
fi
echo ""
echo "5. Audit service"
AUDIT_STATUS=$(systemctl is-active auditd)
if [ "$AUDIT_STATUS" == "active" ]; then
    echo "  [PASS] Audit service status: $AUDIT_STATUS"
else
    echo "  [FAIL] Audit service status: $AUDIT_STATUS (should be active)"
fi
echo ""
echo "6. Unnecessary services"
# On RHEL these legacy services are provided by socket-activated units
UNNECESSARY_UNITS="telnet.socket rsh.socket rlogin.socket rexec.socket"
for unit in $UNNECESSARY_UNITS; do
    if systemctl is-enabled "$unit" >/dev/null 2>&1; then
        echo "  [FAIL] Unnecessary unit enabled: $unit"
    else
        echo "  [PASS] Unnecessary unit not enabled: $unit"
    fi
done
echo ""
echo "7. Default accounts"
DEFAULT_ACCOUNTS="games gopher ftp news uucp"
for account in $DEFAULT_ACCOUNTS; do
    if id "$account" >/dev/null 2>&1; then
        echo "  [WARN] Default account exists: $account"
    else
        echo "  [PASS] Default account absent: $account"
    fi
done
echo ""
echo "8. File permissions"
# Expected octal mode per file (RHEL default: /etc/shadow and /etc/gshadow are mode 0)
for entry in /etc/passwd:644 /etc/shadow:0 /etc/gshadow:0 /etc/group:644; do
    file=${entry%%:*}
    expected=${entry##*:}
    PERMS=$(stat -c "%a" "$file")
    if [ "$PERMS" == "$expected" ]; then
        echo "  [PASS] $file mode: $PERMS"
    else
        echo "  [FAIL] $file mode: $PERMS (expected $expected)"
    fi
done
echo ""
echo "========================================="
echo "Check complete"
echo "========================================="
EOF
# Run the check script
# chmod +x /tmp/security_baseline_check.sh
# /tmp/security_baseline_check.sh
=========================================
System Security Baseline Check Report
Check time: Thu Apr 2 14:00:00 CST 2026
=========================================
1. SELinux status
  [PASS] SELinux status: Enforcing
2. Firewall status
  [PASS] Firewall status: active
3. SSH configuration
  [PASS] SSH root login: PermitRootLogin no
4. Password policy
  [PASS] Password max age: 90 days
5. Audit service
  [PASS] Audit service status: active
6. Unnecessary services
  [PASS] Unnecessary unit not enabled: telnet.socket
  [PASS] Unnecessary unit not enabled: rsh.socket
  [PASS] Unnecessary unit not enabled: rlogin.socket
  [PASS] Unnecessary unit not enabled: rexec.socket
7. Default accounts
  [PASS] Default account absent: games
  [PASS] Default account absent: gopher
  [PASS] Default account absent: ftp
  [PASS] Default account absent: news
  [PASS] Default account absent: uucp
8. File permissions
  [PASS] /etc/passwd mode: 644
  [PASS] /etc/shadow mode: 0
  [PASS] /etc/gshadow mode: 0
  [PASS] /etc/group mode: 644
=========================================
Check complete
=========================================
4.3 Automated compliance check case
Case: automated compliance checks and remediation with Ansible. On RHEL 10 the package in AppStream is ansible-core (the community ansible bundle is not shipped in the RHEL repositories); it contains the ansible.builtin modules the playbook below uses.
# dnf install -y ansible-core
Dependencies resolved.
================================================================================
Package Arch Version Repository Size
================================================================================
Installing:
ansible-core noarch 2.14.2-1.el10 rhel-appstream 25 M
Transaction Summary
================================================================================
Install 1 Package
Total download size: 25 M
Installed size: 150 M
Downloading Packages:
ansible-core-2.14.2-1.el10.noarch.rpm 15 MB/s | 25 MB 00:01
--------------------------------------------------------------------------------
Total 15 MB/s | 25 MB 00:01
Running transaction check
Transaction check succeeded.
Running transaction test
Transaction test succeeded.
Running transaction
Preparing : 1/1
Installing : ansible-core-2.14.2-1.el10.noarch 1/1
Verifying : ansible-core-2.14.2-1.el10.noarch 1/1
Installed:
ansible-core-2.14.2-1.el10.noarch
Complete!
# Create the Ansible compliance check playbook. The SSH check reads sshd -T rather than grepping sshd_config, since RHEL 10 includes /etc/ssh/sshd_config.d/*.conf, and the password check compares the PASS_MAX_DAYS value numerically instead of matching the exact line text, which differs between tab and space separated files.
# cat > /tmp/compliance_check.yml << 'EOF'
---
- name: System Compliance Check
  hosts: localhost
  gather_facts: true
  tasks:
    - name: Check SELinux status
      ansible.builtin.command: getenforce
      register: selinux_status
      changed_when: false

    - name: Display SELinux status
      ansible.builtin.debug:
        msg: "SELinux status: {{ selinux_status.stdout }}"

    - name: Check firewall status
      ansible.builtin.systemd:
        name: firewalld
      register: firewall_status
      changed_when: false

    - name: Display firewall status
      ansible.builtin.debug:
        msg: "Firewall status: {{ firewall_status.status.ActiveState }}"

    # Effective sshd configuration, including /etc/ssh/sshd_config.d/*.conf
    - name: Check SSH configuration
      ansible.builtin.command: sshd -T
      register: sshd_effective
      changed_when: false

    - name: Extract effective PermitRootLogin value
      ansible.builtin.set_fact:
        permit_root_login: >-
          {{ sshd_effective.stdout_lines
             | select('match', '^permitrootlogin ')
             | first
             | regex_replace('^permitrootlogin ', '') }}

    - name: Display SSH config status
      ansible.builtin.debug:
        msg: "SSH root login: {{ 'already disabled' if permit_root_login == 'no' else 'needs to be disabled (currently ' ~ permit_root_login ~ ')' }}"

    - name: Check password policy
      ansible.builtin.command:
        argv:
          - awk
          - '$1 == "PASS_MAX_DAYS" {print $2}'
          - /etc/login.defs
      register: pass_max_days
      changed_when: false

    - name: Display password policy status
      ansible.builtin.debug:
        msg: "Password max days: {{ pass_max_days.stdout }} ({{ 'OK' if (pass_max_days.stdout | int(default=99999)) <= 90 else 'needs fix, should be 90 or less' }})"

    - name: Generate compliance report
      ansible.builtin.copy:
        content: |
          Compliance Check Report
          =======================
          Date: {{ ansible_date_time.iso8601 }}
          Hostname: {{ ansible_hostname }}
          Results:
          - SELinux: {{ selinux_status.stdout }}
          - Firewall: {{ firewall_status.status.ActiveState }}
          - SSH Root Login: {{ 'OK' if permit_root_login == 'no' else 'needs fix' }}
          - Password Policy: {{ 'OK' if (pass_max_days.stdout | int(default=99999)) <= 90 else 'needs fix' }}
        dest: /tmp/compliance_report.txt
        mode: "0600"
EOF
# Run the compliance check
# ansible-playbook /tmp/compliance_check.yml
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
PLAY [System Compliance Check] **************************************************
TASK [Gathering Facts] *********************************************************
ok: [localhost]
TASK [Check SELinux status] ****************************************************
ok: [localhost]
TASK [Display SELinux status] **************************************************
ok: [localhost] => {
    "msg": "SELinux status: Enforcing"
}
TASK [Check firewall status] ***************************************************
ok: [localhost]
TASK [Display firewall status] *************************************************
ok: [localhost] => {
    "msg": "Firewall status: active"
}
TASK [Check SSH configuration] *************************************************
ok: [localhost]
TASK [Extract effective PermitRootLogin value] *********************************
ok: [localhost]
TASK [Display SSH config status] ***********************************************
ok: [localhost] => {
    "msg": "SSH root login: already disabled"
}
TASK [Check password policy] ***************************************************
ok: [localhost]
TASK [Display password policy status] ******************************************
ok: [localhost] => {
    "msg": "Password max days: 90 (OK)"
}
TASK [Generate compliance report] **********************************************
changed: [localhost]
PLAY RECAP *********************************************************************
localhost : ok=11 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0
# View the compliance report
# cat /tmp/compliance_report.txt
Compliance Check Report
=======================
Date: 2026-04-02T14:00:00Z
Hostname: rhel10-server
Results:
- SELinux: Enforcing
- Firewall: active
- SSH Root Login: OK
- Password Policy: OK
Part05-Fengge's Experience Summary
5.1 Compliance check best practices
Best practices drawn from years of operations experience:
1. Establish a check mechanism
- Schedule regular checks
- Automate the check process
- Configure report notifications
2. Standardize the check content
- Follow industry standards
- Adapt them to the organization's reality
- Update the check items regularly
3. Issue handling process
- Record issues as soon as they are found
- Rate the risk
- Draw up a remediation plan
- Verify the remediation
4. Continuous improvement
- Review check results regularly
- Refine the check process
- Update the check standards
- Train the people involved
# Common check command combinations
# Quick security check (sshd -T gives the effective value including drop-ins; dnf check-update exits 100 when updates are pending and 0 when none are)
echo "=== SELinux ===" && getenforce
echo "=== Firewall ===" && systemctl is-active firewalld
echo "=== SSH ===" && sshd -T | grep -i "^permitrootlogin"
echo "=== Audit ===" && systemctl is-active auditd
echo "=== Updates ===" && dnf check-update --security
5.2 Compliance checklist
A complete compliance checklist:
□ 1. System version
cat /etc/redhat-release
uname -r
□ 2. SELinux
getenforce
cat /etc/selinux/config
□ 3. Firewall
systemctl status firewalld
firewall-cmd --list-all
□ 4. SSH configuration (effective values, including drop-ins)
sshd -T | grep -iE "^(permitrootlogin|passwordauthentication) "
□ 5. Password policy
cat /etc/login.defs | grep PASS
cat /etc/security/pwquality.conf
□ 6. User accounts
cat /etc/passwd
lastlog
□ 7. Services
systemctl list-unit-files --type=service --state=enabled
ss -tuln
□ 8. Audit
systemctl status auditd
auditctl -l
□ 9. Logging
systemctl status rsyslog
ls -la /var/log/
□ 10. Patches
dnf check-update --security
□ 11. File permissions
ls -la /etc/passwd /etc/shadow /etc/group /etc/gshadow
□ 12. Kernel parameters
sysctl -a | grep -E "net.ipv4.conf.all.rp_filter|net.ipv4.conf.all.accept_source_route"
□ 13. Time synchronization
timedatectl status
systemctl status chronyd
□ 14. Backups
ls -la /backup/ (the backup location varies by site)
Review the backup policy
□ 15. Monitoring
systemctl status <monitoring agent service>
Review the alerting configuration
5.3 Recommended compliance tools
Recommended compliance check tools:
1. OpenSCAP
- Open-source compliance scanner
- Supports multiple security standards through SCAP content
- Generates remediation scripts and playbooks
2. Red Hat Insights
- Red Hat's hosted analysis platform
- Continuous monitoring and alerting
- Suggests remediation
3. Ansible
- Automated configuration management
- Compliance checks and remediation
- Runs across many hosts at once
4. Lynis
- Open-source security auditing tool
- Broad system checks
- Detailed report
5. Tiger
- Security auditing tool
- Checks system configuration
- Produces a security report
# Install Lynis. It is not in the RHEL repositories; enable EPEL first or use the upstream tarball.
# dnf install -y lynis
# Run a Lynis audit
# lynis audit system
[+] Initializing program
------------------------------------
- Detecting OS... [ DONE ]
- Checking profiles... [ DONE ]
[+] System Tools
------------------------------------
- Scanning available tools...
- Checking system file permissions... [ DONE ]
- Checking password file... [ DONE ]
- Checking group file... [ DONE ]
[+] Plugins (phase 1)
------------------------------------
- Plugin: compliance [ ENABLED ]
- Plugin: control-panels [ ENABLED ]
- Plugin: crypto [ ENABLED ]
[+] Kernel
------------------------------------
- Checking default run level... [ RUNLEVEL 5 ]
- Checking CPU support (PAE/NX)
- PAE (Physical Address Extension) [ FOUND ]
- NX (No-Execute) [ FOUND ]
[+] Users, Groups and Authentication
------------------------------------
- Checking administrator accounts... [ OK ]
- Checking unique group IDs... [ OK ]
- Checking unique user IDs... [ OK ]
Compiled and published by Fengge Tutorials for learning and testing only. When reposting, cite the source: http://www.fgedu.net.cn/10327.html
