diff --git a/benchmarks/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.md b/benchmarks/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.md
index fd5b73190424c402cb61d316f25f37ae3077281f..03660c3b79eb5517e9039b7e4384df0431d0257b 100644
--- a/benchmarks/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.md
+++ b/benchmarks/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.md
@@ -8,11 +8,29 @@ 定期进行文件系统完整性检查,有助于系统管理员跟踪了解关键文件的变化,及时发现关键文件是否有被未经授权的更改或删除。 +文件系统完整性检查依赖于aide工具,请在执行修复前,确认当前环境是否正确安装并初始化了aide工具。 + ## 修复建议 建立对文件系统的定期检查机制。 -1. 使用`cron`工具调度和执行文件系统检查: +1. 检查是否安装了aide: + +```bash +# rpm -q aide +aide- +``` + +2. 检查aide是否已正确初始化: + +```bash +# ls /var/lib/aide/aide.db.gz +/var/lib/aide/aide.db.gz +``` + +如以上检查输出结果均符合预期,则可进行第3步,否则请检查是否正确安装并初始化了aide工具。 + +3. 使用`cron`工具调度和执行文件系统检查: * 打开定时任务编辑:
diff --git a/remediation-kits/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh b/remediation-kits/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh
index 19a3257427a6605328e7d039f8ef43aade1a43bf..d611e123112e9833b79f6a78638fb2df418b0f43 100644
--- a/remediation-kits/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh
+++ b/remediation-kits/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh
@@ -1 +1,3 @@
-usermod -g 0 root
\ No newline at end of file
+rootGid=$(grep "^root:" /etc/passwd | cut -f4 -d:)
+
+[[ $rootGid != 0 ]] && usermod -g 0 root
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh b/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh
index 119fe0f3ebf34fc7b4adb3b3de55f5e32c001b6e..96d649bae77cf3d68ca62069cb7c7daf49d75a3a 100644
--- a/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh
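Review bot: `[[ $rootGid != 0 ]]` on the new last line is a string comparison against whatever `grep "^root:" /etc/passwd | cut -f4 -d:` produced, so an empty result (no `root:` line in /etc/passwd because the account is served by another NSS source, or a failed pipeline) also counts as "not 0" and `usermod -g 0 root` runs blindly. Resolving the GID through NSS is more robust and keeps the same shape: `rootGid=$(getent passwd root | cut -d: -f4)` followed by `[[ -n $rootGid && $rootGid != 0 ]] && usermod -g 0 root`. Because the script now ends in `[[ … ]] && usermod`, its exit status is 1 whenever root already has GID 0; if the kit runner treats non-zero as a failed remediation, an `if` statement avoids a spurious failure. The file is also still written without a trailing newline.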
+++ b/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh
@@ -1,5 +1,5 @@
-grep -Eq "^(\s*)umask\s+\S+(\s*#.*)?\s*$" /etc/profile.d/set_umask.sh && sed -ri "s/^(\s*)umask\s+\S+(\s*#.*)?\s*$/\1umask 027\2/" /etc/profile.d/set_umask.sh || echo "umask 027" >> /etc/profile.d/set_umask.sh
-grep -Eq "umask\s+[0-9][0-9][0-9]" /etc/bashrc && sed -ri 's/umask\s+[0-9][0-9][0-9]/umask 027/' /etc/bashrc || echo "umask 027" >> /etc/bashrc
+[[ -z /etc/profile.d/set_umask.sh ]] && grep -Eq "^(\s*)umask\s+\S+(\s*#.*)?\s*$" /etc/profile.d/set_umask.sh && sed -ri "s/^(\s*)umask\s+\S+(\s*#.*)?\s*$/\1umask 027\2/" /etc/profile.d/set_umask.sh || echo "umask 027" >> /etc/profile.d/set_umask.sh
+grep -Eq "(\s*)umask\s+\S+(\s*#.*)?\s*$" /etc/bashrc && sed -ri "s/(\s*)umask\s+\S+(\s*#.*)?\s*$/\1umask 027\2/" /etc/bashrc || echo "umask 027" >> /etc/bashrc
 grep -Eq "^(\s*)umask\s+\S+(\s*#.*)?\s*$" /etc/profile && sed -ri "s/^(\s*)umask\s+\S+(\s*#.*)?\s*$/\1umask 027\2/" /etc/profile || echo "umask 027" >> /etc/profile
 grep -Eq "^(\s*)UMASK\s+\S+(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)UMASK\s+\S+(\s*#.*)?\s*$/\1UMASK 027\2/" /etc/login.defs || echo "UMASK 027" >> /etc/login.defs
 grep -q "USERGROUPS_ENAB" /etc/login.defs && sed -ri "s/^(\s*)USERGROUPS_ENAB\s+\S+(\s*#.*)?\s*$/\1USERGROUPS_ENAB no\2/" /etc/login.defs || echo "USERGROUPS_ENAB no" >> /etc/login.defs
diff --git a/remediation-kits/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh b/remediation-kits/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh
index 0696642b59104f6f2ee63815761974496e237fc5..fb4c736a2ec1e28c3da3017c1127d6e3e54ae2fa 100644
--- a/remediation-kits/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh
+++ b/remediation-kits/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh
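Review bot: `[[ -z /etc/profile.d/set_umask.sh ]]` on the first new line tests whether the *string* is empty, and a literal path never is, so the guard is always false and the `&&` chain falls straight through to `echo "umask 027" >> /etc/profile.d/set_umask.sh` on every run — the file gains a duplicate line each time and the sed rewrite is never reached. The intended test is presumably `-f`, but the guard is not needed at all: `grep -Eq` on a missing file already fails and the `||` branch creates it, so the simplest fix is to restore the line without the `[[ … ]] &&` prefix. On the second new line the `^` anchor was dropped from the /etc/bashrc pattern, so `umask` is now matched anywhere in a line, including inside comments (`# … umask 022` becomes `# … umask 027`) and in `then umask 002`-style one-liners; if that is intentional it deserves a comment, otherwise keep the anchor as the other four lines do.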
@@ -1,2 +1,2 @@
-grep -Eq "^\s*ExecStart\=" /usr/lib/systemd/system/rescue.service && sed -ri "s/(^[[:space:]]*ExecStart[[:space:]]*=[[:space:]]*).*$/\1-\/usr\/lib\/systemd\/systemd\-sulogin\-shell rescue/" /usr/lib/systemd/system/rescue.service || echo "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" >> /usr/lib/systemd/system/rescue.service
-grep -Eq "^\s*ExecStart\=" /usr/lib/systemd/system/emergency.service && sed -ri "s/(^[[:space:]]*ExecStart[[:space:]]*=[[:space:]]*).*$/\1-\/usr\/lib\/systemd\/systemd\-sulogin\-shell emergency/" /usr/lib/systemd/system/emergency.service || echo "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency" >> /usr/lib/systemd/system/emergency.service
+grep -Pq "^\s*ExecStart\=" /usr/lib/systemd/system/rescue.service && sed -ri "s/(^[[:space:]]*ExecStart[[:space:]]*=[[:space:]]*).*$/\1-\/usr\/lib\/systemd\/systemd\-sulogin\-shell rescue/" /usr/lib/systemd/system/rescue.service || echo "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" >> /usr/lib/systemd/system/rescue.service
+grep -Pq "^\s*ExecStart\=" /usr/lib/systemd/system/emergency.service && sed -ri "s/(^[[:space:]]*ExecStart[[:space:]]*=[[:space:]]*).*$/\1-\/usr\/lib\/systemd\/systemd\-sulogin\-shell emergency/" /usr/lib/systemd/system/emergency.service || echo "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency" >> /usr/lib/systemd/system/emergency.service
diff --git a/remediation-kits/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh b/remediation-kits/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh
index c1dad998d19340c7509a6ccc932ad8ab6eda6cfc..5879a6396f9ac66062b1961d2462a5136182c673 100644
--- a/remediation-kits/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh
+++ b/remediation-kits/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh
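Review bot: switching both lines from `grep -Eq` to `grep -Pq` makes the check depend on a PCRE-enabled grep build, while `\s` is already understood by GNU grep's `-E`, so the change gains nothing on the systems that worked before. On a grep built without PCRE support `-P` exits non-zero with an error, which the `||` branch treats like "no ExecStart found" and appends a second `ExecStart=` line to the unit; systemd allows multiple `ExecStart=` only for `Type=oneshot`, so rescue.service and emergency.service could then fail to load. `grep -Eq "^\s*ExecStart="` is the safe form here. Separately, and pre-existing, editing the vendor units under /usr/lib/systemd/system is undone by the next package update; a drop-in under `/etc/systemd/system/rescue.service.d/` (and the emergency counterpart) would make the remediation stick.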
@@ -1,2 +1,4 @@
+dnf install pip -y
+pip install toml
 update-crypto-policies --set DEFAULT
 update-crypto-policies
\ No newline at end of file
diff --git a/remediation-kits/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh b/remediation-kits/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh
index 1473e993c61203c218420ea7db20d9bb50ed2f41..ee68146a6b1e5ef8515790a317363bd999367804 100644
--- a/remediation-kits/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh
+++ b/remediation-kits/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh
@@ -1 +1 @@
-(crontab -u root -l; crontab -u root -l | grep -Eq "^0 5 \* \* \* /usr/sbin/aide --check$" || echo "0 5 * * * /usr/sbin/aide --check" ) | crontab -u root -
+rpm -q aide | grep -Piq aide-.* && (crontab -u root -l; crontab -u root -l | grep -Eq "^0 5 \* \* \* /usr/sbin/aide --check$" || echo "0 5 * * * /usr/sbin/aide --check" ) | crontab -u root -
diff --git a/scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh b/scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh
index 843470d873b4d5ac763cd80ef5b4b8b7f711180c..a92de9823e550e4e165da9fb041c95c484655b12 100644
--- a/scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh
+++ b/scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh
@@ -1,6 +1,6 @@
 result_rsyslog=false
 result_rsyslog_d=false
-conf_file_path=`ls /etc/rsyslog.d/*.conf`
+conf_file_path=`find /etc/rsyslog.d/ -name *.conf`
 if [[ -a /etc/rsyslog.conf && -a $conf_file_path ]]; then
 grep -q "^*.*[^I][^I]*@" /etc/rsyslog.conf && result_rsyslog=true
diff --git a/tools/remediation-kits/README.md b/tools/remediation-kits/README.md
index ef6f600ffb4629469c6773578d978ec9af37b513..799e11059070ff7ace5932f87fbcdc8aa4154cf3 100644
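Review bot: `pip install toml` on the second new line pulls an unpinned package from PyPI at remediation time, over the network, as root, into the system Python; the hardening result now depends on internet access and on whatever PyPI serves that day, with no version pin, hash or signature check. If `update-crypto-policies` needs the toml module on this platform — the reason is not stated, so a comment such as `# update-crypto-policies imports toml, which the base image lacks` would help — the distribution package is the safer source: `dnf install -y python3-toml || exit 1`, which comes from the same signed repositories as the rest of the system and works on mirrors without PyPI access. Note also that `dnf install pip -y` relies on a `pip` provide where the package is normally named `python3-pip`, and neither install is checked, so a failure silently carries on to `update-crypto-policies --set DEFAULT`.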
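Review bot: `grep -Piq aide-.*` in the new line leaves the pattern unquoted, so the shell performs pathname expansion on `aide-.*` first; if the current directory holds a file whose name starts with `aide-.`, grep receives that filename as its pattern instead. The grep is also redundant, since `rpm -q aide` already exits non-zero when the package is absent, so `rpm -q aide >/dev/null 2>&1 && (crontab -u root -l; …) | crontab -u root -` is both shorter and safe. The benchmark text changed in this same commit tells the operator to confirm `/var/lib/aide/aide.db.gz` exists before remediating, but the script does not check it; scheduling `/usr/sbin/aide --check` against an uninitialised database only produces a failing cron job every morning, so `[[ -f /var/lib/aide/aide.db.gz ]]` belongs in the guard as well.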
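Review bot: `-name *.conf` in the new `conf_file_path` line is unquoted, so the shell expands `*.conf` against the scanner's current directory before `find` runs: with one matching file there, find searches for that name instead; with several, find aborts with "paths must precede expression", `conf_file_path` is empty, the `-a $conf_file_path` test fails and the scan presumably reports the remote log host as unconfigured regardless of what /etc/rsyslog.d contains. Quote the pattern and drop the backticks: `conf_file_path=$(find /etc/rsyslog.d/ -name '*.conf')`. Pre-existing but worth noting: when /etc/rsyslog.d holds more than one `.conf`, the variable is a newline-joined list and `[[ -a $conf_file_path ]]` is false, so the same wrong result occurs; the `if` block continues beyond the hunk.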
--- a/tools/remediation-kits/README.md
+++ b/tools/remediation-kits/README.md
@@ -64,7 +64,7 @@ config文件建议存放在`security-benchmark/tools/remediation-kits/config`目 - 建议只添加未通过检查需要修复的项目编号,已通过检查的项目不需要重复执行加固。 - 默认配置文件(Anolis_security_benchmark_level1.config)内仅加入了需要修复的项目,剔除了系统初始状态已通过的项目。 - Anolis_security_benchmark_level3.config 包含(level-1 + level-3)中需要修复的项目,剔除了系统初始状态已通过的项目。 -- level-3 中 SElinux 相关项目(5.2/5.3/5.4)的修复需重启才可生效,且对系统影响较大,请谨慎选择是否修复。 +- level-3 中 SElinux 相关项目(5.2/5.3/5.4)的修复需重启才可生效。目前默认不执行5.4修复项目,仅执行5.3项目。执行后将启用 SElinux 的 Permissive 模式(宽容模式:仅收集日志和警告,不强制拒绝访问),避免造成无法登录系统的情况。如确有需求,请在查看相关日志并确认影响后,手动执行5.4修复脚本并重启系统,即可启用 SElinux 的 Enforcing 模式(工作模式)。 3. 执行脚本:
diff --git a/tools/remediation-kits/config/Anolis_security_benchmark_level3.config b/tools/remediation-kits/config/Anolis_security_benchmark_level3.config
index 120b11e261bdc8d9843e65513e69d6650c448700..326994ea0fed421dae7807e08497fc2dc48fa0b9 100644
--- a/tools/remediation-kits/config/Anolis_security_benchmark_level3.config
+++ b/tools/remediation-kits/config/Anolis_security_benchmark_level3.config
@@ -9,10 +9,12 @@
 1.20
 1.21
 1.22
+1.23
 1.24
 1.27
 1.28
 1.29
+1.30
 1.31
 1.32
 1.34
@@ -44,6 +46,7 @@
 4.9
 4.11
 4.13
+4.14
 4.44
 4.45
 4.46
@@ -64,5 +67,4 @@
 5.1
 5.2
 5.3
-5.4
 4.1
\ No newline at end of file