内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。
风哥提示:
本文档详细介绍Linux安全基线的配置和检查方法。
Part01-安全基线标准
1.1 CIS基线标准
1. 文件系统安全
– 分区配置
– 文件权限
– 特殊权限
2. 系统服务安全
– 服务最小化
– 服务配置
– 服务访问控制
3. 网络配置安全
– 网络参数
– 防火墙配置
– 网络服务
4. 用户账户安全
– 密码策略
– 账户锁定
– 权限管理
5. 日志审计安全
– 日志配置
– 审计规则
– 日志保护
# 安装CIS基线检查工具
$ sudo dnf install -y scap-security-guide
# 执行CIS基线检查
$ sudo oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis \
--report /tmp/cis-report.html \
/usr/share/xml/scap/ssg/content/ssg-rhel9-ds.xml
# 查看检查结果
$ firefox /tmp/cis-report.html
Part02-系统加固脚本
2.1 自动化加固脚本
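$ cat > /usr/local/bin/system-hardening.sh << 'EOF'
#!/bin/bash
# system-hardening.sh - apply a basic security baseline: password aging and
# complexity, sshd, firewalld, SELinux enforcing, legacy remote-login
# services off, auditd rules. Must run as root. Every file that is changed is
# backed up first (backup_file) and every step is appended to LOG_FILE.
set -o pipefail

LOG_FILE="/var/log/hardening.log"
# Path of the most recent backup written by backup_file ("" if none).
LAST_BACKUP=""

if [ "$(id -u)" -ne 0 ]; then
  echo "system-hardening.sh must be run as root" >&2
  exit 1
fi

# log MESSAGE - timestamped line to stdout and LOG_FILE.
log() {
  printf '%s: %s\n' "$(date)" "$1" | tee -a "$LOG_FILE"
}

# backup_file PATH - copy PATH to PATH.bak.<timestamp> and record the copy in
# LAST_BACKUP. -p keeps mode/owner (a backup of sshd_config stays 0600); the
# seconds in the suffix stop a second run on the same day from overwriting
# the first backup. No-op when PATH does not exist.
backup_file() {
  LAST_BACKUP=""
  if [ -f "$1" ]; then
    LAST_BACKUP="$1.bak.$(date +%Y%m%d%H%M%S)"
    cp -p -- "$1" "$LAST_BACKUP"
    log "Backed up $1 to $LAST_BACKUP"
  fi
}

# set_option FILE KEY VALUE [SEP] - set "KEY<SEP>VALUE" in FILE: an existing
# uncommented KEY line is rewritten in place, otherwise the line is appended.
# SEP defaults to one space (login.defs, sshd_config); pass " = " for
# pwquality.conf. Editing in place instead of overwriting the whole file keeps
# every setting the baseline does not mention (UID_MIN/UMASK in login.defs,
# HostKey/Subsystem/UsePAM in sshd_config) intact.
# KEY and VALUE are fixed strings from this script, never external input.
set_option() {
  local file=$1 key=$2 value=$3 sep=${4:- }
  if grep -qiE "^[[:space:]]*${key}[[:space:]=]" "$file" 2>/dev/null; then
    sed -i -E "s|^[[:space:]]*${key}[[:space:]=].*|${key}${sep}${value}|I" "$file"
  else
    printf '%s%s%s\n' "$key" "$sep" "$value" >> "$file"
  fi
}

# configure_password_policy - password aging in login.defs and complexity in
# pwquality.conf. login.defs PASS_* values apply to accounts created
# afterwards; existing accounts keep their chage settings.
configure_password_policy() {
  log "Configuring password policy..."
  backup_file /etc/login.defs
  set_option /etc/login.defs PASS_MAX_DAYS 90
  set_option /etc/login.defs PASS_MIN_DAYS 7
  set_option /etc/login.defs PASS_MIN_LEN 12
  set_option /etc/login.defs PASS_WARN_AGE 14

  backup_file /etc/security/pwquality.conf
  local key value
  while read -r key value; do
    [ -n "$key" ] && set_option /etc/security/pwquality.conf "$key" "$value" " = "
  done << 'POLICY'
minlen 12
minclass 4
dcredit -1
ucredit -1
lcredit -1
ocredit -1
maxrepeat 3
POLICY
}

# configure_ssh - apply the sshd baseline in place, then validate with
# `sshd -t` before restarting; on a validation failure the backup is
# restored and sshd is left running on the old config so remote access is
# not lost. PasswordAuthentication no requires a working authorized key
# for the admin account before this runs.
# NOTE: on systems whose sshd_config has an Include of drop-in files, an
# option set in a drop-in is obtained first and wins over a line appended
# here; confirm the effective values with `sshd -T`.
configure_ssh() {
  log "Configuring SSH..."
  backup_file /etc/ssh/sshd_config
  local backup=$LAST_BACKUP
  local key value
  while read -r key value; do
    [ -n "$key" ] && set_option /etc/ssh/sshd_config "$key" "$value"
  done << 'SSHCONFIG'
Port 22
Protocol 2
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
MaxAuthTries 3
MaxSessions 5
ClientAliveInterval 300
ClientAliveCountMax 2
X11Forwarding no
SSHCONFIG
  # "Protocol 2" is kept from the original baseline; current OpenSSH only
  # speaks protocol 2 and reports the keyword as deprecated.
  if sshd -t; then
    systemctl restart sshd
  else
    log "sshd_config failed validation; backup restored, sshd NOT restarted"
    [ -n "$backup" ] && cp -p -- "$backup" /etc/ssh/sshd_config
    return 1
  fi
}

# configure_firewall - enable firewalld and allow ssh/http/https.
configure_firewall() {
  log "Configuring firewall..."
  systemctl enable --now firewalld
  firewall-cmd --permanent --add-service=ssh
  # http/https are part of the original baseline; remove them on hosts that
  # do not serve web traffic so the exposed surface stays minimal.
  firewall-cmd --permanent --add-service=http
  firewall-cmd --permanent --add-service=https
  firewall-cmd --reload
}

# configure_selinux - enforcing at boot (config file) and now (setenforce).
configure_selinux() {
  log "Configuring SELinux..."
  backup_file /etc/selinux/config
  # Anchored on ^SELINUX= so the "# SELINUX= can take ..." comment line in the
  # stock file is not rewritten.
  sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
  # setenforce cannot switch from disabled to enforcing at runtime.
  if ! setenforce 1 2>/dev/null; then
    log "setenforce 1 failed (SELinux disabled?); enforcing applies after reboot"
  fi
}

# disable_services - stop and disable telnet and the r-services. These are
# typically socket-activated, so the .socket unit is handled as well; units
# that are not installed simply fail quietly.
disable_services() {
  log "Disabling unnecessary services..."
  local service
  for service in telnet rsh rlogin rexec; do
    systemctl disable --now "$service" 2>/dev/null
    systemctl disable --now "$service.socket" 2>/dev/null
  done
}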
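# configure_audit - watch identity files, sudoers and the login log, then
# load the rules. Rules dropped into rules.d are only compiled into
# audit.rules and activated by augenrules (or at the next auditd start), so
# without `augenrules --load` they would stay inactive until reboot.
configure_audit() {
  log "Configuring audit..."
  backup_file /etc/audit/rules.d/hardening.rules
  cat > /etc/audit/rules.d/hardening.rules << 'AUDIT'
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
-w /var/log/secure -p wa -k logins
AUDIT
  systemctl enable --now auditd
  augenrules --load
}

# main - run every hardening step in order. A failing step (e.g. sshd_config
# validation) is logged and the remaining steps still run.
main() {
  log "Starting system hardening..."
  configure_password_policy
  configure_ssh
  configure_firewall
  configure_selinux
  disable_services
  configure_audit
  log "System hardening completed!"
}
main "$@"
EOF
chmod +x /usr/local/bin/system-hardening.sh
# 执行加固脚本
$ sudo /usr/local/bin/system-hardening.sh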
Part03-基线检查脚本
3.1 安全检查脚本
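$ cat > /usr/local/bin/security-check.sh << 'EOF'
#!/bin/bash
# security-check.sh - check the host against the baseline that
# system-hardening.sh applies and write an OK/FAIL report. Run as root.
set -o pipefail

# The report is created with mktemp (unique name, mode 0600) instead of a
# fixed, predictable /tmp path: a root process that opens a predictable name
# in a world-writable directory can be redirected by a pre-placed symlink.
REPORT_FILE=$(mktemp --suffix=.txt "/tmp/security-report-$(date +%Y%m%d).XXXXXX") || exit 1
{
  echo "Security Baseline Check Report"
  echo "Date: $(date)"
  echo "================================"
} > "$REPORT_FILE"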
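# check_password_policy - PASS_MAX_DAYS <= 90, PASS_MIN_DAYS >= 7,
# PASS_MIN_LEN >= 12. Reads LOGIN_DEFS (default /etc/login.defs) and
# appends one line per setting to REPORT_FILE.
check_password_policy() {
  local defs=${LOGIN_DEFS:-/etc/login.defs}
  printf '\n[Password Policy]\n' >> "$REPORT_FILE"
  _check_login_def "$defs" PASS_MAX_DAYS -le 90 "<= 90"
  _check_login_def "$defs" PASS_MIN_DAYS -ge 7 ">= 7"
  _check_login_def "$defs" PASS_MIN_LEN -ge 12 ">= 12"
}

# _check_login_def FILE KEY OP BOUND TEXT - write "KEY: value - OK" when the
# first uncommented KEY line in FILE satisfies "value OP BOUND", else a FAIL
# line quoting TEXT. A missing or non-numeric value is a FAIL rather than a
# test(1) "integer expression expected" error.
_check_login_def() {
  local file=$1 key=$2 op=$3 bound=$4 text=$5
  local value
  value=$(awk -v k="$key" '$1 == k {print $2; exit}' "$file" 2>/dev/null)
  if [[ "$value" =~ ^[0-9]+$ ]] && [ "$value" "$op" "$bound" ]; then
    echo "$key: $value - OK" >> "$REPORT_FILE"
  else
    echo "$key: ${value:-not set} - FAIL (should be $text)" >> "$REPORT_FILE"
  fi
}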
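# check_ssh - PermitRootLogin and PasswordAuthentication must both be "no".
# The effective value from `sshd -T` is preferred (it honours Include
# drop-ins, case-insensitive keywords and built-in defaults); when sshd -T
# is unavailable the function falls back to parsing SSHD_CONFIG (default
# /etc/ssh/sshd_config). Appends to REPORT_FILE.
check_ssh() {
  local cfg=${SSHD_CONFIG:-/etc/ssh/sshd_config}
  printf '\n[SSH Configuration]\n' >> "$REPORT_FILE"
  _check_sshd_no "$cfg" PermitRootLogin
  _check_sshd_no "$cfg" PasswordAuthentication
}

# _check_sshd_no FILE KEY - OK line when KEY's effective value is "no",
# otherwise FAIL (a missing value is reported as "not set").
_check_sshd_no() {
  local file=$1 key=$2
  local value
  # sshd -T prints keywords lowercased; it needs root and a valid config.
  value=$(sshd -T 2>/dev/null | awk -v k="${key,,}" '$1 == k {print $2; exit}')
  if [ -z "$value" ]; then
    value=$(awk -v k="${key,,}" 'tolower($1) == k {print $2; exit}' "$file" 2>/dev/null)
  fi
  if [ "${value,,}" == "no" ]; then
    echo "$key: $value - OK" >> "$REPORT_FILE"
  else
    echo "$key: ${value:-not set} - FAIL (should be no)" >> "$REPORT_FILE"
  fi
}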
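# check_selinux - getenforce must report "Enforcing". Appends to REPORT_FILE.
check_selinux() {
  printf '\n[SELinux]\n' >> "$REPORT_FILE"
  local status
  # Empty when the tool is missing; reported as "unknown" then.
  status=$(getenforce 2>/dev/null)
  if [ "$status" == "Enforcing" ]; then
    echo "SELinux Status: $status - OK" >> "$REPORT_FILE"
  else
    echo "SELinux Status: ${status:-unknown} - FAIL (should be Enforcing)" >> "$REPORT_FILE"
  fi
}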
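# check_firewall - firewalld must be running. Appends to REPORT_FILE.
check_firewall() {
  printf '\n[Firewall]\n' >> "$REPORT_FILE"
  local status
  if command -v firewall-cmd >/dev/null 2>&1; then
    # When firewalld is stopped, firewall-cmd reports "not running" on
    # stderr with a non-zero exit, so both streams are captured.
    status=$(firewall-cmd --state 2>&1)
  else
    status="not installed"
  fi
  if [ "$status" == "running" ]; then
    echo "Firewall Status: $status - OK" >> "$REPORT_FILE"
  else
    echo "Firewall Status: $status - FAIL (should be running)" >> "$REPORT_FILE"
  fi
}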
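# check_services - telnet and the r-services must be neither enabled nor
# running. These are usually socket-activated, so the .socket unit is
# inspected alongside the .service unit. Appends to REPORT_FILE.
check_services() {
  printf '\n[Services]\n' >> "$REPORT_FILE"
  local service
  for service in telnet rsh rlogin rexec; do
    if _unit_is_on "$service" || _unit_is_on "$service.socket"; then
      echo "$service: Enabled - FAIL (should be disabled)" >> "$REPORT_FILE"
    else
      echo "$service: Disabled - OK" >> "$REPORT_FILE"
    fi
  done
}

# _unit_is_on UNIT - true when systemd reports UNIT enabled or active.
# Unknown units make both queries fail, which counts as "off".
_unit_is_on() {
  systemctl is-enabled "$1" &>/dev/null || systemctl is-active "$1" &>/dev/null
}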
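# check_file_permissions - /etc/passwd must be 644 and /etc/shadow 000.
# Appends to REPORT_FILE.
check_file_permissions() {
  printf '\n[File Permissions]\n' >> "$REPORT_FILE"
  _check_mode /etc/passwd 644
  _check_mode /etc/shadow 000
}

# _check_mode PATH MODE - OK line when stat reports MODE (octal), else FAIL.
# `stat -c %a` prints mode 000 as "0", so a string comparison against "000"
# can never pass; the two octal values are compared numerically instead.
_check_mode() {
  local path=$1 expected=$2
  local mode
  mode=$(stat -c %a -- "$path" 2>/dev/null)
  if [[ "$mode" =~ ^[0-7]+$ ]] && (( 8#$mode == 8#$expected )); then
    echo "$path permissions: $mode - OK" >> "$REPORT_FILE"
  else
    echo "$path permissions: ${mode:-unreadable} - FAIL (should be $expected)" >> "$REPORT_FILE"
  fi
}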
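# main - run every check, then print where the report is and its contents.
main() {
  check_password_policy
  check_ssh
  check_selinux
  check_firewall
  check_services
  check_file_permissions
  printf '\nReport saved to: %s\n' "$REPORT_FILE"
  cat -- "$REPORT_FILE"
}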
# Entry point; main takes no arguments, so the forwarded "$@" is unused.
main "$@"
EOF
chmod +x -- /usr/local/bin/security-check.sh
# 执行检查脚本
$ sudo /usr/local/bin/security-check.sh
1. 遵循CIS或STIG标准
2. 定期执行基线检查
3. 自动化加固流程
4. 记录配置变更
5. 定期审核基线
本文由风哥教程整理发布,仅用于学习测试使用,转载注明出处:http://www.fgedu.net.cn/10327.html
