内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。
本文介绍 Linux 安全合规管理的常见标准,并给出自动化合规检查脚本、HTML 报告生成脚本以及通过 cron 定期执行并邮件分发报告的示例。
Part01-合规标准
1.1 常见合规标准
1. ISO 27001
– 信息安全管理体系
– 风险评估
– 安全控制措施
2. PCI DSS
– 支付卡行业数据安全标准
– 网络安全要求
– 数据保护要求
3. HIPAA
– 医疗信息保护
– 数据隐私要求
– 安全控制措施
4. SOX
– 萨班斯-奥克斯利法案(Sarbanes-Oxley Act)
– 财务报告控制
– IT控制要求
5. GDPR
– 通用数据保护条例
– 数据主体权利
– 数据处理要求
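# Compliance checklist: a plain-text reference of the control areas the
# check script below reports on. /etc/security is root-owned, so run as root.
# (The original path had unrelated text spliced into the file name.)
cat > /etc/security/compliance-checklist.txt << 'EOF'
[访问控制]
- 用户账户管理
- 权限分配
- 密码策略
- 账户锁定
[网络安全]
- 防火墙配置
- 入侵检测
- 网络隔离
- 加密通信
[数据保护]
- 数据分类
- 访问控制
- 加密存储
- 备份恢复
[日志审计]
- 日志记录
- 日志保护
- 日志分析
- 审计报告
[变更管理]
- 变更审批
- 变更记录
- 变更测试
- 变更回滚
[应急响应]
- 应急预案
- 响应流程
- 演练记录
- 事件报告
EOF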
Part02-合规检查
2.1 自动化合规检查
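# Automated compliance check. Installs a script that runs a fixed set of
# baseline checks and writes a PASS/FAIL text report.
# (The listing as published used typographic quotes and an en dash in
# "firewall-cmd –state", which bash does not accept; all fixed below.)
cat > /usr/local/bin/compliance-check.sh << 'EOF'
#!/bin/bash
# compliance-check.sh - baseline compliance checks for one host.
#
# Output: a text report at $REPORT_FILE (default
# /tmp/compliance-report-YYYYMMDD.txt, the path the monthly cron job mails).
# Override with REPORT_FILE=/abs/path in the environment.
# Each check appends exactly one "<name>: PASS (...)" or "<name>: FAIL (...)"
# line; generate_summary counts those markers, so keep that format.
# Run as root: sshd -T, lsblk and the config files need it to be meaningful.
set -u
umask 077   # the report lists the host's unmet controls - owner-readable only

REPORT_FILE="${REPORT_FILE:-/tmp/compliance-report-$(date +%Y%m%d).txt}"

# Build the report in a private temp file next to the final path and rename
# it into place at the end. Writing straight to a predictable name in /tmp as
# root would follow a symlink planted there by any local user.
WORK=$(mktemp "${REPORT_FILE%/*}/.compliance-report.XXXXXX") || exit 1
trap 'rm -f -- "$WORK"' EXIT

{
  printf 'Compliance Check Report\n'
  printf 'Date: %s\n' "$(date)"
  printf '========================\n'
} > "$WORK"

# Append one result line in the format generate_summary counts.
# $1 - check name, $2 - PASS|FAIL, $3 - detail shown in parentheses
result() {
  printf '%s: %s (%s)\n' "$1" "$2" "$3" >> "$WORK"
}

check_access_control() {
  printf '\n[Access Control]\n' >> "$WORK"

  # Last PASS_MAX_DAYS wins, as in login.defs; a missing or non-numeric value
  # is reported as FAIL instead of breaking the numeric comparison.
  local pass_max
  pass_max=$(awk '$1 == "PASS_MAX_DAYS" {v = $2} END {print v}' /etc/login.defs 2>/dev/null)
  if [[ "$pass_max" =~ ^[0-9]+$ ]] && (( pass_max <= 90 )); then
    result 'Password expiration' PASS "max $pass_max days"
  else
    result 'Password expiration' FAIL "max ${pass_max:-unset} days, should be <= 90"
  fi

  # Prefer the effective value from sshd -T (resolves Include files and
  # defaults); fall back to the raw file when that is unavailable. No
  # directive at all means OpenSSH's built-in default applies (yes or
  # prohibit-password depending on release), which is still not "no".
  local root_login
  root_login=$(sshd -T 2>/dev/null | awk '$1 == "permitrootlogin" {print $2}')
  if [ -z "$root_login" ]; then
    root_login=$(awk 'tolower($1) == "permitrootlogin" {v = $2} END {print v}' \
      /etc/ssh/sshd_config 2>/dev/null)
  fi
  if [ "${root_login,,}" = "no" ]; then
    result 'Root SSH login' PASS disabled
  else
    result 'Root SSH login' FAIL "PermitRootLogin=${root_login:-<default>}"
  fi
}

check_network_security() {
  printf '\n[Network Security]\n' >> "$WORK"

  # firewall-cmd --state prints "running" / "not running" (non-zero exit when
  # down). Hosts without firewalld (nftables/ufw only) show up as FAIL here;
  # extend the check if another firewall is the standard.
  local fw_state
  if command -v firewall-cmd >/dev/null 2>&1; then
    fw_state=$(firewall-cmd --state 2>/dev/null)
  else
    fw_state='firewalld not installed'
  fi
  if [ "$fw_state" = "running" ]; then
    result 'Firewall' PASS running
  else
    result 'Firewall' FAIL "${fw_state:-not running}"
  fi

  # getenforce prints Enforcing / Permissive / Disabled; it is absent on
  # hosts without SELinux, which is reported rather than erroring out.
  local selinux
  selinux=$(getenforce 2>/dev/null) || selinux='not available'
  if [ "$selinux" = "Enforcing" ]; then
    result 'SELinux' PASS enforcing
  else
    result 'SELinux' FAIL "$selinux"
  fi
}

check_data_protection() {
  printf '\n[Data Protection]\n' >> "$WORK"

  # An open dm-crypt mapping (lsblk TYPE "crypt") is evidence the host runs
  # on encrypted storage. The keyfile test this replaces only showed a key
  # stored on disk, which proves nothing about the volumes and is itself
  # something an auditor would question.
  if lsblk -rno TYPE 2>/dev/null | grep -qx crypt; then
    result 'Disk encryption' PASS 'dm-crypt mapping active'
  else
    result 'Disk encryption' FAIL 'no dm-crypt mapping found'
  fi

  # Heuristic: an ssl_certificate directive anywhere under /etc/nginx. A host
  # that terminates TLS elsewhere, or runs another web server, shows FAIL;
  # adapt to what is actually deployed.
  if grep -rqsE '^[[:space:]]*ssl_certificate[[:space:]]' /etc/nginx; then
    result 'SSL/TLS' PASS 'nginx ssl_certificate configured'
  else
    result 'SSL/TLS' FAIL 'not configured'
  fi
}

check_logging() {
  printf '\n[Logging and Auditing]\n' >> "$WORK"

  if systemctl is-active --quiet auditd 2>/dev/null; then
    result 'Audit service' PASS running
  else
    result 'Audit service' FAIL 'not running'
  fi

  # Auth events land in /var/log/secure on RHEL-family and /var/log/auth.log
  # on Debian-family systems; either counts. Existence only - this does not
  # verify the logs are rotated or shipped anywhere.
  if [ -f /var/log/secure ] || [ -f /var/log/auth.log ]; then
    result 'Security logging' PASS configured
  else
    result 'Security logging' FAIL 'not configured'
  fi
}

check_change_management() {
  printf '\n[Change Management]\n' >> "$WORK"

  # etckeeper tracks /etc in /etc/.git; /etc/git is kept for setups that
  # relied on the original form of this check.
  if [ -d /etc/.git ] || [ -d /etc/git ]; then
    result 'Configuration version control' PASS 'git configured'
  else
    result 'Configuration version control' FAIL 'not configured'
  fi
}

check_incident_response() {
  printf '\n[Incident Response]\n' >> "$WORK"

  if [ -f /etc/security/incident-response-plan.txt ]; then
    result 'Incident response plan' PASS documented
  else
    result 'Incident response plan' FAIL 'not documented'
  fi
}

generate_summary() {
  # Count the ": PASS (" / ": FAIL (" markers written by result(); matching
  # the full marker avoids counting a word such as "PASS" inside a detail.
  # The summary itself is appended afterwards and contains neither.
  local pass fail total
  pass=$(grep -c ': PASS (' "$WORK")
  fail=$(grep -c ': FAIL (' "$WORK")
  total=$((pass + fail))
  {
    printf '\n[Summary]\n'
    printf 'Total checks: %d\n' "$total"
    printf 'Passed: %d\n' "$pass"
    printf 'Failed: %d\n' "$fail"
    # awk for the one float; shell arithmetic is integer-only.
    if (( total > 0 )); then
      awk -v p="$pass" -v t="$total" 'BEGIN {printf "Compliance rate: %.1f%%\n", p / t * 100}'
    fi
  } >> "$WORK"
}

main() {
  check_access_control
  check_network_security
  check_data_protection
  check_logging
  check_change_management
  check_incident_response
  generate_summary
  # rename(2) replaces whatever sits at $REPORT_FILE (including a symlink)
  # instead of writing through it.
  mv -f -- "$WORK" "$REPORT_FILE" || exit 1
  printf '\nReport saved to: %s\n' "$REPORT_FILE"
  cat -- "$REPORT_FILE"
}

main "$@"
EOF
chmod 0755 /usr/local/bin/compliance-check.sh

# Run the check; root is needed for the sshd, lsblk and systemd queries.
sudo /usr/local/bin/compliance-check.sh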
Part03-合规报告
3.1 生成合规报告
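# Render today's text report as a self-contained HTML page.
# The original only substituted the date and left DETAILS_PLACEHOLDER in the
# output; this version embeds the report written by compliance-check.sh,
# HTML-escaped so a config value echoed into the report cannot inject markup.
cat > /usr/local/bin/generate-compliance-report.sh << 'EOF'
#!/bin/bash
# generate-compliance-report.sh - text report -> HTML under $REPORT_DIR.
#
# Reads SOURCE_FILE (default: the path compliance-check.sh writes for today)
# and writes $REPORT_DIR/compliance-report-YYYYMMDD.html. Both are
# overridable from the environment. Exits 1 when the text report is missing.
set -u
umask 027   # report is readable by root and its group only

REPORT_DIR="${REPORT_DIR:-/var/log/compliance}"
DATE=$(date +%Y%m%d)
SOURCE_FILE="${SOURCE_FILE:-/tmp/compliance-report-$DATE.txt}"
REPORT_FILE="$REPORT_DIR/compliance-report-$DATE.html"

mkdir -p -- "$REPORT_DIR" || exit 1

if [ ! -r "$SOURCE_FILE" ]; then
  printf 'no text report at %s; run compliance-check.sh first\n' "$SOURCE_FILE" >&2
  exit 1
fi

# Minimal escaping for text placed inside <pre>; & must be rewritten first.
html_escape() {
  sed -e 's/&/\&amp;/g' -e 's/</\&lt;/g' -e 's/>/\&gt;/g'
}

# Summary: the "[Summary]" section compliance-check.sh appends at the end.
# Details: the whole text report.
{
  printf '<!DOCTYPE html>\n<html><head><meta charset="utf-8"><title>Compliance Report</title></head><body>\n'
  printf '<h1>Compliance Report</h1>\n<p>Date: %s</p>\n' "$(date | html_escape)"
  printf '<h2>Summary</h2>\n<pre>'
  sed -n '/^\[Summary\]$/,$p' -- "$SOURCE_FILE" | html_escape
  printf '</pre>\n<h2>Detailed Results</h2>\n<pre>'
  html_escape < "$SOURCE_FILE"
  printf '</pre>\n</body></html>\n'
} > "$REPORT_FILE"

printf 'Report generated: %s\n' "$REPORT_FILE"
EOF
chmod 0755 /usr/local/bin/generate-compliance-report.sh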
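# Schedule the monthly run: check, render, then mail the text report.
# The file name must not contain a dot - run-parts skips such names on
# some distributions.
cat > /etc/cron.monthly/compliance-audit << 'EOF'
#!/bin/bash
# Monthly compliance audit, run from root's cron (minimal PATH: use full
# paths). Mails the text report written by compliance-check.sh.
#
# Note: the report lists the host's unmet controls in cleartext; make sure
# the MTA delivers to $RECIPIENT over an authenticated/TLS relay, or deliver
# it some other way. Override the address with COMPLIANCE_MAIL_TO.
set -u

REPORT="/tmp/compliance-report-$(date +%Y%m%d).txt"
RECIPIENT="${COMPLIANCE_MAIL_TO:-compliance@fgedu.net.cn}"

# Failures are written to stderr, which cron mails to root - that mail is
# the signal that the audit itself broke, as opposed to a failed check.
/usr/local/bin/compliance-check.sh || printf 'compliance-check.sh failed\n' >&2
/usr/local/bin/generate-compliance-report.sh || printf 'generate-compliance-report.sh failed\n' >&2

# $REPORT is computed here and inside compliance-check.sh separately; a run
# that crosses midnight would look for yesterday's name. Mail only what exists.
if [ -r "$REPORT" ]; then
  mail -s "Monthly Compliance Report" "$RECIPIENT" < "$REPORT"
else
  printf 'report %s not found; nothing mailed\n' "$REPORT" >&2
  exit 1
fi
EOF
chmod 0755 /etc/cron.monthly/compliance-audit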
1. 了解适用合规标准
2. 定期执行合规检查
3. 记录合规状态
4. 及时修复不合规项
5. 保持文档更新
