From 6d1cd59b3388af15d035900c47d8f0976414d194 Mon Sep 17 00:00:00 2001 From: YuQing-Rain Date: Mon, 24 Apr 2023 13:43:22 +0800 Subject: [PATCH 1/4] 4.9-ensure-filesystem-integrity-is-regularly-checked.md Add verification that the aide tool is installed correctly. Signed-off-by: YuQing-Rain --- ...lesystem-integrity-is-regularly-checked.md | 20 ++++++++++++++++++- 1 file changed, 19 insertions(+), 1 deletion(-) diff --git a/benchmarks/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.md b/benchmarks/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.md index fd5b731..03660c3 100644 --- a/benchmarks/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.md +++ b/benchmarks/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.md @@ -8,11 +8,29 @@ 定期进行文件系统完整性检查,有助于系统管理员跟踪了解关键文件的变化,及时发现关键文件是否有被未经授权的更改或删除。 +文件系统完整性检查依赖于aide工具,请在执行修复前,确认当前环境是否正确安装并初始化了aide工具。 + ## 修复建议 建立对文件系统的定期检查机制。 -1. 使用`cron`工具调度和执行文件系统检查: +1. 检查是否安装了aide: + +```bash +# rpm -q aide +aide- +``` + +2. 检查aide是否已正确初始化: + +```bash +# ls /var/lib/aide/aide.db.gz +/var/lib/aide/aide.db.gz +``` + +如以上检查输出结果均符合预期,则可进行第3步,否则请检查是否正确安装并初始化了aide工具。 + +3. 使用`cron`工具调度和执行文件系统检查: * 打开定时任务编辑: -- Gitee From 8bf3478936bf2dc23877efaf6f78c9d1a28b78b6 Mon Sep 17 00:00:00 2001 From: YuQing-Rain Date: Mon, 24 Apr 2023 13:45:38 +0800 Subject: [PATCH 2/4] 1. tools/remediation-kits/README.md Add a fix description for SElinux related rules. 2. tools/remediation-kits/config/Anolis_security_benchmark_level3.config Add some rules to support anolis23. Signed-off-by: YuQing-Rain --- tools/remediation-kits/README.md | 2 +- .../config/Anolis_security_benchmark_level3.config | 4 +++- 2 files changed, 4 insertions(+), 2 deletions(-) diff --git a/tools/remediation-kits/README.md b/tools/remediation-kits/README.md index ef6f600..799e110 100644 --- a/tools/remediation-kits/README.md +++ b/tools/remediation-kits/README.md 
@@ -64,7 +64,7 @@ config文件建议存放在`security-benchmark/tools/remediation-kits/config`目 - 建议只添加未通过检查需要修复的项目编号,已通过检查的项目不需要重复执行加固。 - 默认配置文件(Anolis_security_benchmark_level1.config)内仅加入了需要修复的项目,剔除了系统初始状态已通过的项目。 - Anolis_security_benchmark_level3.config 包含(level-1 + level-3)中需要修复的项目,剔除了系统初始状态已通过的项目。 -- level-3 中 SElinux 相关项目(5.2/5.3/5.4)的修复需重启才可生效,且对系统影响较大,请谨慎选择是否修复。 +- level-3 中 SElinux 相关项目(5.2/5.3/5.4)的修复需重启才可生效。目前默认不执行5.4修复项目,仅执行5.3项目。执行后将启用 SElinux 的 Permissive 模式(宽容模式:仅收集日志和警告,不强制拒绝访问),避免造成无法登录系统的情况。如确有需求,请在查看相关日志并确认影响后,手动执行5.4修复脚本并重启系统,即可启用 SElinux 的 Enforcing 模式(工作模式)。 3. 执行脚本: diff --git a/tools/remediation-kits/config/Anolis_security_benchmark_level3.config b/tools/remediation-kits/config/Anolis_security_benchmark_level3.config index 120b11e..326994e 100644 --- a/tools/remediation-kits/config/Anolis_security_benchmark_level3.config +++ b/tools/remediation-kits/config/Anolis_security_benchmark_level3.config @@ -9,10 +9,12 @@ 1.20 1.21 1.22 +1.23 1.24 1.27 1.28 1.29 +1.30 1.31 1.32 1.34 @@ -44,6 +46,7 @@ 4.9 4.11 4.13 +4.14 4.44 4.45 4.46 @@ -64,5 +67,4 @@ 5.1 5.2 5.3 -5.4 4.1 \ No newline at end of file -- Gitee From 96826aa95786407cedde191652128faf6ae06fa6 Mon Sep 17 00:00:00 2001 From: YuQing-Rain Date: Mon, 24 Apr 2023 13:51:52 +0800 Subject: [PATCH 3/4] scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh fix "ls: cannot access No such file or directory" following error. Signed-off-by: YuQing-Rain --- ...e-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh b/scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh index 843470d..a92de98 100644 --- a/scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh 
+++ b/scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh @@ -1,6 +1,6 @@ result_rsyslog=false result_rsyslog_d=false -conf_file_path=`ls /etc/rsyslog.d/*.conf` +conf_file_path=`find /etc/rsyslog.d/ -name *.conf` if [[ -a /etc/rsyslog.conf && -a $conf_file_path ]]; then grep -q "^*.*[^I][^I]*@" /etc/rsyslog.conf && result_rsyslog=true -- Gitee From 7462fb6766d60f9a566db036f8d28671acce7946 Mon Sep 17 00:00:00 2001 From: YuQing-Rain Date: Mon, 24 Apr 2023 13:53:40 +0800 Subject: [PATCH 4/4] 1. remediation-kits/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh fix "usermod: no changes" following error. 2. remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh fix "grep No such file or directory" following error. 3. remediation-kits/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh Add determining whether aide is installed. 4. remediation-kits/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh fix "grep: warning: stray \ before =" following error. 5. remediation-kits/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh fix update-crypto-policies command unavailable in anolis23. Signed-off-by: YuQing-Rain --- ...1.38-ensure-default-group-for-the-root-account-is-gid-0.sh | 4 +++- ...39-ensure-default-user-umask-is-027-or-more-restrictive.sh | 4 ++-- ....12-ensure-authentication-required-for-single-user-mode.sh | 4 ++-- .../4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh | 2 ++ .../4.9-ensure-filesystem-integrity-is-regularly-checked.sh | 2 +- 5 files changed, 10 insertions(+), 6 deletions(-) diff --git a/remediation-kits/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh b/remediation-kits/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh index 19a3257..d611e12 100644 
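Review bot: The new `find` pattern `-name *.conf` is unquoted, so the shell expands it against the scanner's working directory before find runs; a single `*.conf` file there silently turns the pattern into that filename, and two or more produce a find usage error. Quote it, and silence the missing-directory case the commit set out to avoid: `conf_file_path=$(find /etc/rsyslog.d/ -name '*.conf' 2>/dev/null)`. On the following line `[[ -a $conf_file_path ]]` tests the whole newline-joined list as one path, so it is true only when exactly one .conf file exists and the control is presumably reported as failing otherwise; `[[ -a /etc/rsyslog.conf && -n $conf_file_path ]]` expresses the intent. The `if` block this sits in continues past the hunk.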
--- a/remediation-kits/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh
+++ b/remediation-kits/access-and-control/1.38-ensure-default-group-for-the-root-account-is-gid-0.sh
@@ -1 +1,3 @@
-usermod -g 0 root
\ No newline at end of file
+rootGid=$(grep "^root:" /etc/passwd | cut -f4 -d:)
+
+[[ $rootGid != 0 ]] && usermod -g 0 root
\ No newline at end of file
diff --git a/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh b/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh
index 119fe0f..96d649b 100644
--- a/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh
+++ b/remediation-kits/access-and-control/1.39-ensure-default-user-umask-is-027-or-more-restrictive.sh
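Review bot: The script now exits with status 1 whenever root already has GID 0, because `[[ $rootGid != 0 ]] && usermod -g 0 root` is the last command and the short-circuited `&&` returns the test's non-zero status; if the kit's driver treats a non-zero exit as a failed remediation, this trades the old "usermod: no changes" message for a silent failure. An `if` makes the no-op explicit and exits 0: `if [[ "$rootGid" != 0 ]]; then usermod -g 0 root; fi`. The lookup could also go through NSS with `getent passwd root | cut -d: -f4`, which reflects what the login path resolves rather than only /etc/passwd.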
@@ -1,5 +1,5 @@
-grep -Eq "^(\s*)umask\s+\S+(\s*#.*)?\s*$" /etc/profile.d/set_umask.sh && sed -ri "s/^(\s*)umask\s+\S+(\s*#.*)?\s*$/\1umask 027\2/" /etc/profile.d/set_umask.sh || echo "umask 027" >> /etc/profile.d/set_umask.sh
-grep -Eq "umask\s+[0-9][0-9][0-9]" /etc/bashrc && sed -ri 's/umask\s+[0-9][0-9][0-9]/umask 027/' /etc/bashrc || echo "umask 027" >> /etc/bashrc
+[[ -z /etc/profile.d/set_umask.sh ]] && grep -Eq "^(\s*)umask\s+\S+(\s*#.*)?\s*$" /etc/profile.d/set_umask.sh && sed -ri "s/^(\s*)umask\s+\S+(\s*#.*)?\s*$/\1umask 027\2/" /etc/profile.d/set_umask.sh || echo "umask 027" >> /etc/profile.d/set_umask.sh
+grep -Eq "(\s*)umask\s+\S+(\s*#.*)?\s*$" /etc/bashrc && sed -ri "s/(\s*)umask\s+\S+(\s*#.*)?\s*$/\1umask 027\2/" /etc/bashrc || echo "umask 027" >> /etc/bashrc
 grep -Eq "^(\s*)umask\s+\S+(\s*#.*)?\s*$" /etc/profile && sed -ri "s/^(\s*)umask\s+\S+(\s*#.*)?\s*$/\1umask 027\2/" /etc/profile || echo "umask 027" >> /etc/profile
 grep -Eq "^(\s*)UMASK\s+\S+(\s*#.*)?\s*$" /etc/login.defs && sed -ri "s/^(\s*)UMASK\s+\S+(\s*#.*)?\s*$/\1UMASK 027\2/" /etc/login.defs || echo "UMASK 027" >> /etc/login.defs
 grep -q "USERGROUPS_ENAB" /etc/login.defs && sed -ri "s/^(\s*)USERGROUPS_ENAB\s+\S+(\s*#.*)?\s*$/\1USERGROUPS_ENAB no\2/" /etc/login.defs || echo "USERGROUPS_ENAB no" >> /etc/login.defs
diff --git a/remediation-kits/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh b/remediation-kits/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh
index 0696642..fb4c736 100644
--- a/remediation-kits/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh
+++ b/remediation-kits/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh
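Review bot: `[[ -z /etc/profile.d/set_umask.sh ]]` on the first new line tests whether the string is empty, and a literal path never is, so the test is always false, the grep/sed branch never runs, and the `||` fallback appends `umask 027` to /etc/profile.d/set_umask.sh on every run — the file grows by one line per execution instead of being edited in place. The intended existence test is `[[ -f /etc/profile.d/set_umask.sh ]] && grep -Eq ...` with the rest of the line unchanged; when the file is missing, the same `||` fallback then creates it, which is what the commit message asks for. The second new line also dropped the `^` anchor from the /etc/bashrc pattern, so a `umask` inside a comment now matches and is rewritten too — harmless for the policy, but worth keeping the anchor unless a non-line-initial match was deliberate.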
@@ -1,2 +1,2 @@
-grep -Eq "^\s*ExecStart\=" /usr/lib/systemd/system/rescue.service && sed -ri "s/(^[[:space:]]*ExecStart[[:space:]]*=[[:space:]]*).*$/\1-\/usr\/lib\/systemd\/systemd\-sulogin\-shell rescue/" /usr/lib/systemd/system/rescue.service || echo "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" >> /usr/lib/systemd/system/rescue.service
-grep -Eq "^\s*ExecStart\=" /usr/lib/systemd/system/emergency.service && sed -ri "s/(^[[:space:]]*ExecStart[[:space:]]*=[[:space:]]*).*$/\1-\/usr\/lib\/systemd\/systemd\-sulogin\-shell emergency/" /usr/lib/systemd/system/emergency.service || echo "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency" >> /usr/lib/systemd/system/emergency.service
+grep -Pq "^\s*ExecStart\=" /usr/lib/systemd/system/rescue.service && sed -ri "s/(^[[:space:]]*ExecStart[[:space:]]*=[[:space:]]*).*$/\1-\/usr\/lib\/systemd\/systemd\-sulogin\-shell rescue/" /usr/lib/systemd/system/rescue.service || echo "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell rescue" >> /usr/lib/systemd/system/rescue.service
+grep -Pq "^\s*ExecStart\=" /usr/lib/systemd/system/emergency.service && sed -ri "s/(^[[:space:]]*ExecStart[[:space:]]*=[[:space:]]*).*$/\1-\/usr\/lib\/systemd\/systemd\-sulogin\-shell emergency/" /usr/lib/systemd/system/emergency.service || echo "ExecStart=-/usr/lib/systemd/systemd-sulogin-shell emergency" >> /usr/lib/systemd/system/emergency.service
diff --git a/remediation-kits/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh b/remediation-kits/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh
index c1dad99..5879a63 100644
--- a/remediation-kits/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh
+++ b/remediation-kits/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh
@@ -1,2 +1,4 @@
+dnf install pip -y
+pip install toml
 update-crypto-policies --set DEFAULT
 update-crypto-policies
\ No newline at end of file
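Review bot: Switching both lines from `grep -Eq` to `grep -Pq` silences the "stray \ before =" warning by changing regex engine, but the warning is about the needless `\=` escape, and `-P` depends on grep having been built with PCRE support, which is not guaranteed on every target. Dropping the escape keeps ERE and fixes the warning: `grep -Eq "^\s*ExecStart=" /usr/lib/systemd/system/rescue.service && ...`, and likewise for emergency.service. Separately, editing the vendor units under /usr/lib/systemd/system is undone by the next systemd package update; a drop-in under /etc/systemd/system/rescue.service.d/ would persist, though that is outside what this hunk changes.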
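Review bot: `pip install toml` on the second new line fetches an unpinned, unverified package from PyPI at remediation time, inside a script whose job is to tighten the system's crypto policy; a hardening kit should not add a network supply-chain dependency with no version pin and no hash check, and nothing here handles dnf or pip failing before `update-crypto-policies` runs. If the real failure is a missing Python module rather than an absent binary (the commit message only says the command is unavailable on anolis23, so this is inferred), install that module from the distribution repositories with dnf, or at minimum pin it and verify hashes from a requirements file (`pip install --require-hashes -r <requirements-file>`). The two install lines also run on every invocation; guarding them so they only run when the module is actually missing (e.g. `python3 -c 'import toml' 2>/dev/null || ...`) keeps the script idempotent and usable on hosts without network access.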
diff --git a/remediation-kits/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh b/remediation-kits/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh
index 1473e99..ee68146 100644
--- a/remediation-kits/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh
+++ b/remediation-kits/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh
@@ -1 +1 @@
-(crontab -u root -l; crontab -u root -l | grep -Eq "^0 5 \* \* \* /usr/sbin/aide --check$" || echo "0 5 * * * /usr/sbin/aide --check" ) | crontab -u root -
+rpm -q aide | grep -Piq aide-.* && (crontab -u root -l; crontab -u root -l | grep -Eq "^0 5 \* \* \* /usr/sbin/aide --check$" || echo "0 5 * * * /usr/sbin/aide --check" ) | crontab -u root -
-- Gitee
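Review bot: `rpm -q aide | grep -Piq aide-.*` leaves the regex unquoted, so the shell may glob it, and it replaces rpm's own exit status with a text match when `rpm -q aide >/dev/null 2>&1` already returns non-zero for an absent package. With the `&&` chain the script also exits 1 with no message when aide is missing, so the operator learns nothing, and the install check alone does not cover the case the 4.9 document in this series warns about: aide installed but never initialized (no /var/lib/aide/aide.db.gz), in which case the scheduled `aide --check` will fail every night. An explicit if/else that reports the skip to stderr, and that can be extended with a database check before scheduling, makes the precondition visible:
```shell
if rpm -q aide >/dev/null 2>&1; then
  (crontab -u root -l; crontab -u root -l | grep -Eq "^0 5 \* \* \* /usr/sbin/aide --check$" || echo "0 5 * * * /usr/sbin/aide --check" ) | crontab -u root -
else
  echo "4.9: aide is not installed; skipping cron schedule" >&2
  exit 1
fi
```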