From af01e626b77191120c80768f916525b4e4a20d03 Mon Sep 17 00:00:00 2001
From: trackers-love
Date: Fri, 10 Jun 2022 19:25:28 +0800
Subject: [PATCH 1/2] add protocol 2
---
 .../1.41-ensure-ssh-server-use-protocol_2.md | 38 +++++++++++++++++++
 1 file changed, 38 insertions(+)
 create mode 100644 benchmarks/access-and-control/1.41-ensure-ssh-server-use-protocol_2.md
diff --git a/benchmarks/access-and-control/1.41-ensure-ssh-server-use-protocol_2.md b/benchmarks/access-and-control/1.41-ensure-ssh-server-use-protocol_2.md
new file mode 100644
index 0000000..8f6c535
--- /dev/null
+++ b/benchmarks/access-and-control/1.41-ensure-ssh-server-use-protocol_2.md
@@ -0,0 +1,38 @@
+# 1.41-ssh服务使用协议2
+
+## 安全等级
+
+Level 1
+
+## 描述
+
+建议ssh服务使用相对于旧版本(1)更安全的协议2
+
+## 修复建议
+
+ssh配置中确保 protocol 2 ,存在该选项则修改为2,没有则添加:
+
+1.执行以下命令,修改或添加ssh配置文件中的Protocol配置:
+
+```shell
+# grep -qiP '^Protocol' /etc/ssh/sshd_config && sed -i "/^Protocol/cProtocol 2" /etc/ssh/sshd_config || echo -e "Protocol 2" >> /etc/ssh/sshd_config
+```
+
+2.执行以下命令,重启sshd服务:
+
+```shell
+# systemctl restart sshd
+```
+
+## 扫描检测
+
+sshd -T 查看默认选项或查看文件内容
+
+```shell
+# grep -R "^Protocol" /etc/ssh/sshd_config
+Protocol 2
+```
+
+如结果为`Protocol 2`,则视为通过此项检查。
+
+## 参考
-- Gitee
From 62d058536df07584bbc9846e9c5f1e69f8a010fc Mon Sep 17 00:00:00 2001
From: trackers-love
Date: Wed, 15 Jun 2022 14:44:53 +0800
Subject: [PATCH 2/2] modify content for 1.41-ensure-ssh-server-use-protocol_2.md
---
 .../1.41-ensure-ssh-server-use-protocol_2.md | 2 +-
 .../2.19-ensure-audit-is-installed.md | 35 +++++++++++++++++++
 .../2.20-ensure-audit-service-is-enabled.md | 34 ++++++++++++++++++
 docs/development-guide.md | 1 +
 4 files changed, 71 insertions(+), 1 deletion(-)
 create mode 100644 benchmarks/logging-and-auditing/2.19-ensure-audit-is-installed.md
 create mode 100644 benchmarks/logging-and-auditing/2.20-ensure-audit-service-is-enabled.md
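Review bot: The remediation one-liner in step 1 can leave an existing directive untouched. `grep -qiP '^Protocol'` matches case-insensitively but the sed address `/^Protocol/` is case-sensitive, so with a line such as `protocol 1` grep succeeds, sed rewrites nothing and still exits 0, and the `echo` fallback never runs. sshd_config keywords are case-insensitive and may be indented, so both commands should share one pattern, for example `grep -qiE '^[[:space:]]*Protocol[[:space:]]'` together with `sed -i '/^[[:space:]]*Protocol[[:space:]]/Ic Protocol 2' /etc/ssh/sshd_config` (GNU sed). The detection command `grep -R "^Protocol"` near the end of the file has the same case-sensitivity gap. I would also add `sshd -t` before `systemctl restart sshd`, so that a syntax error in the edited file is caught before the restart cuts off remote access.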
diff --git a/benchmarks/access-and-control/1.41-ensure-ssh-server-use-protocol_2.md b/benchmarks/access-and-control/1.41-ensure-ssh-server-use-protocol_2.md
index 8f6c535..dc49e37 100644
--- a/benchmarks/access-and-control/1.41-ensure-ssh-server-use-protocol_2.md
+++ b/benchmarks/access-and-control/1.41-ensure-ssh-server-use-protocol_2.md
@@ -26,7 +26,7 @@ ssh配置中确保 protocol 2 ,存在该选项则修改为2,没有则添加
 
 ## 扫描检测
 
-sshd -T 查看默认选项或查看文件内容
+查看ssh配置文件Protocol行内容
 
 ```shell
 # grep -R "^Protocol" /etc/ssh/sshd_config
diff --git a/benchmarks/logging-and-auditing/2.19-ensure-audit-is-installed.md b/benchmarks/logging-and-auditing/2.19-ensure-audit-is-installed.md
new file mode 100644
index 0000000..8ea2a33
--- /dev/null
+++ b/benchmarks/logging-and-auditing/2.19-ensure-audit-is-installed.md
@@ -0,0 +1,35 @@
+# 2.19 确保审计工具已安装
+
+## 安全等级
+
+Level 1
+
+## 描述
+
+审计工具是 Linux 审计系统的用户空间组件。它负责将审计记录写入磁盘,使管理员能够确定是否正在发生对其系统的未经授权的访问
+
+**审计工具**应该在系统上安装
+
+## 修复建议
+
+目标:确保审计工具已安装。
+
+1. 使用以下命令安装审计工具:
+
+```shell
+# dnf install audit audit-libs
+```
+
+## 扫描检测
+
+1. 执行以下命令,检查审计工具是否安装:
+
+```shell
+# rpm -q audit audit-libs
+audit-
+audit-libs-
+```
+
+为软件版本信息。如输出结果符合预期,则视为通过此项检查。
+
+## 参考
diff --git a/benchmarks/logging-and-auditing/2.20-ensure-audit-service-is-enabled.md b/benchmarks/logging-and-auditing/2.20-ensure-audit-service-is-enabled.md
new file mode 100644
index 0000000..04d57c5
--- /dev/null
+++ b/benchmarks/logging-and-auditing/2.20-ensure-audit-service-is-enabled.md
@@ -0,0 +1,34 @@
+# 2.20 确保已启用审计服务
+
+## 安全等级
+
+Level 3
+
+## 描述
+
+审计工具包括但不限于:查看和操作审计信息所需的供应商或开源工具,如自定义查询和报告生成器等。因此,启用审计服务是非常必要的,以防未经授权的用户对审计信息进行提取或操作。
+
+**审计服务**已启用
+
+## 修复建议
+
+目标:确保审计服务已启用。
+
+1. 使用以下命令启用审计服务:
+
+```shell
+# systemctl --now enable auditd
+```
+
+## 扫描检测
+
+1. 执行以下命令,检查审计服务是否已启用:
+
+```shell
+# systemctl is-enabled auditd
+enabled
+```
+
+输出结果为 enabled ,那么审计服务已启用,则视为通过此项检查。
+
+## 参考
diff --git a/docs/development-guide.md b/docs/development-guide.md
index e8d119b..bdf9d54 100644
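Review bot: The item never states which OpenSSH versions it applies to, and with the `sshd -T` sentence removed the scan step is purely a text match on one file. OpenSSH 7.4 removed protocol 1 support from the server and deprecated the `Protocol` keyword, so on such a host a compliant sshd with no `Protocol` line would fail this check, and the remediation would add an obsolete directive. If the target distribution ships a release that new, I would record the applicable versions in the item and word the new line accordingly, e.g. `查看ssh配置文件Protocol行内容(仅适用于仍支持协议1的OpenSSH版本)`. The fenced block that starts in this hunk closes outside it.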
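Review bot: The pass criterion `如输出结果符合预期` in 2.19 does not say what the expected result is, and the sample output shows only `audit-` and `audit-libs-`, so a scanner author cannot tell a pass from a failure. For a missing package `rpm -q` prints `package audit is not installed` and returns a non-zero status. The criterion should state that both packages must be listed with a version and that the command must exit 0. The sentence beginning `为软件版本信息` looks as if it lost a version placeholder, presumably one written in angle brackets; putting the placeholder in backticks would keep it visible when the Markdown is rendered.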
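Review bot: The scan step in 2.20 passes on a host where auditd is stopped or has failed, because `systemctl is-enabled auditd` only shows that the unit is set to start at boot, whereas the remediation's `--now` intends the service to be running. I would add `systemctl is-active auditd` with expected output `active` and require both results. The description paragraph is about audit tools and protecting audit information and does not explain why the service must be enabled; a sentence noting that audit records are not written to disk unless auditd is running would match 2.19. Level 3 here against Level 1 for 2.19 may deserve a second look, since installing the package without running the service records nothing.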
--- a/docs/development-guide.md +++ b/docs/development-guide.md @@ -49,6 +49,7 @@ ## 安全等级 ## 描述 +## 前置条件 ## 修复建议 ## 扫描检测 ## 参考 -- Gitee