分享一个可以跨平台进行等保核查的脚本
一、Linux等保核查脚本(linux_security_audit.sh)
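#!/bin/bash
# Desc: Linux等保三级合规检查脚本 — Level-3 MLPS (等保 2.0) baseline check
#
# Produces an HTML report of a few Level-3 baseline items (identity
# authentication, access control, security audit). Run as root: not every
# PAM/audit setting it reads is world-readable.
#
# -u and pipefail catch scripting mistakes; -e is deliberately not set,
# because a missing config file is a finding to report, not a reason to stop.
set -uo pipefail

# The report describes the host's security gaps, so other users must not be
# able to read it, and a fixed name in /tmp is a symlink-attack target when
# this runs as root (cat > /tmp/known_name follows a planted link). Create a
# fresh private (0700) directory and write the report inside it; the scratch
# file is removed on every exit path, the report is kept.
umask 077
report_dir=$(mktemp -d /tmp/security_audit.XXXXXX) || {
  echo "无法创建报告目录" >&2
  exit 1
}
report_file="${report_dir}/security_audit_$(date +%Y%m%d).html"
tmpfile=$(mktemp "${report_dir}/check.XXXXXX") || exit 1
trap 'rm -f -- "$tmpfile"' EXIT

# HTML report head; the closing tags are appended after the checks have run.
cat > "$report_file" <<EOF
<html>
<head>
<title>Linux安全基线核查报告</title>
<style>
body{font-family: Arial; margin: 20px;}
table{border-collapse: collapse; width: 100%;}
th,td{padding: 8px; text-align: left; border: 1px solid #ddd;}
th{background-color: #4CAF50; color: white;}
tr:nth-child(even){background-color: #f2f2f2;}
.pass{color: green;}
.fail{color: red;}
</style>
</head>
<body>
<h2>Linux系统安全基线核查报告</h2>
<p>生成时间:$(date "+%Y-%m-%d %H:%M:%S")</p>
<table>
<tr><th>检查项</th><th>状态</th><th>检测结果</th><th>标准要求</th><th>修复建议</th></tr>
EOF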
# 检查结果记录函数
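# html_escape STRING
# Prints STRING with the five characters that matter inside HTML text and
# attribute values replaced by entities.
html_escape() {
  local s=${1-}
  s=${s//&/&amp;}
  s=${s//</&lt;}
  s=${s//>/&gt;}
  s=${s//\"/&quot;}
  s=${s//\'/&#39;}
  printf '%s' "$s"
}

# add_result ITEM STATUS RESULT STANDARD SUGGESTION
# Appends one table row to $report_file. STATUS is "pass" or "fail": it is
# used as the CSS class and, upper-cased, as the cell text.
# Every cell is HTML-escaped before it is written: RESULT may carry text read
# from the host (config lines, command output), and an unescaped "<" or "&"
# there would let host data inject markup into a report that is opened in a
# browser.
function add_result() {
  local item status result standard suggestion
  item=$(html_escape "${1-}")
  status=$(html_escape "${2-}")
  result=$(html_escape "${3-}")
  standard=$(html_escape "${4-}")
  suggestion=$(html_escape "${5-}")
  printf "<tr><td>%s</td><td class='%s'>%s</td><td>%s</td><td>%s</td><td>%s</td></tr>\n" \
    "$item" "$status" "${status^^}" "$result" "$standard" "$suggestion" >> "$report_file"
}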
# 1. 身份鉴别检查
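# check_auth
# Identity-authentication items: minimum password length and failed-login
# lockout. Appends one row per item via add_result.
#
# Files are looked up under PAM_DIR (default /etc/pam.d) and SECURITY_DIR
# (default /etc/security), so both the RHEL layout (system-auth,
# password-auth) and the Debian layout (common-password, common-auth) are
# covered, and the check can be pointed at a fixture tree for testing.
function check_auth() {
  echo "[+] 正在进行身份鉴别检查..."
  local pam_dir=${PAM_DIR:-/etc/pam.d}
  local sec_dir=${SECURITY_DIR:-/etc/security}
  local f minlen="" deny="" has_lockout=0

  # Minimum length: take the numeric minlen= from an uncommented
  # pam_pwquality/pam_cracklib line, else from pwquality.conf (which
  # pam_pwquality also honours). The value is compared numerically — a
  # substring match on "minlen=12" wrongly failed a stricter minlen=16.
  for f in "$pam_dir/system-auth" "$pam_dir/password-auth" "$pam_dir/common-password"; do
    [[ -r "$f" ]] || continue
    minlen=$(grep -P '^\s*password\s+.*pam_(pwquality|cracklib)\.so' "$f" \
      | grep -oP '\bminlen=\K\d+' | head -n 1)
    [[ -n "$minlen" ]] && break
  done
  if [[ -z "$minlen" && -r "$sec_dir/pwquality.conf" ]]; then
    minlen=$(grep -oP '^\s*minlen\s*=\s*\K\d+' "$sec_dir/pwquality.conf" | tail -n 1)
  fi
  # 10# forces decimal so a leading zero is not read as octal.
  if [[ -n "$minlen" ]] && (( 10#$minlen >= 12 )); then
    add_result "密码复杂度策略" "pass" "已配置(minlen=$minlen)" "密码长度至少12位" "保持当前配置"
  else
    add_result "密码复杂度策略" "fail" "未满足要求${minlen:+(当前minlen=$minlen)}" "密码长度至少12位" "在/etc/pam.d/system-auth(或common-password)中配置minlen=12"
  fi

  # Lockout: pam_tally2 has been removed from current PAM releases and
  # pam_faillock replaced it, so accept either. Look at the shared auth stacks
  # as well as sshd — checking sshd alone leaves console and su logins
  # unverified. deny= may sit on the PAM line or, for pam_faillock, in
  # faillock.conf; it must be 1..5 (0 disables locking). Commented-out lines
  # are skipped, which the old unanchored grep did not do.
  for f in "$pam_dir/system-auth" "$pam_dir/password-auth" "$pam_dir/common-auth" "$pam_dir/sshd"; do
    [[ -r "$f" ]] || continue
    if grep -qP '^\s*auth\s+.*pam_(tally2|faillock)\.so' "$f"; then
      has_lockout=1
      deny=$(grep -P '^\s*auth\s+.*pam_(tally2|faillock)\.so' "$f" \
        | grep -oP '\bdeny=\K\d+' | head -n 1)
      [[ -n "$deny" ]] && break
    fi
  done
  if [[ -z "$deny" && $has_lockout -eq 1 && -r "$sec_dir/faillock.conf" ]]; then
    deny=$(grep -oP '^\s*deny\s*=\s*\K\d+' "$sec_dir/faillock.conf" | tail -n 1)
  fi
  if [[ -n "$deny" ]] && (( 10#$deny >= 1 && 10#$deny <= 5 )); then
    add_result "登录失败处理" "pass" "失败锁定策略已启用(deny=$deny)" "登录失败5次锁定账户" "保持当前配置"
  else
    add_result "登录失败处理" "fail" "未配置登录锁定${deny:+(当前deny=$deny)}" "登录失败5次锁定账户" "在pam配置中添加auth required pam_faillock.so preauth deny=5 unlock_time=600(旧系统为pam_tally2.so)"
  fi
}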
# 2. 访问控制检查
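# check_access
# Access-control items: exactly one UID-0 account, and a default umask that
# denies group-write and all "other" access. Appends one row per item via
# add_result.
#
# PASSWD_FILE, PROFILE_FILE and BASHRC_FILE override the files read
# (defaults /etc/passwd, /etc/profile, /etc/bashrc) for testing.
function check_access() {
  echo "[+] 正在进行访问控制检查..."
  local passwd_file=${PASSWD_FILE:-/etc/passwd}
  local -a uid0=()
  # Any account with UID 0 is root, whatever it is called; list the extras so
  # the reviewer sees which ones to remove.
  mapfile -t uid0 < <(awk -F: '$3==0{print $1}' "$passwd_file")
  if (( ${#uid0[@]} == 1 )); then
    add_result "特权账户检查" "pass" "单一root账户" "只允许一个特权账户" "保持当前配置"
  elif (( ${#uid0[@]} == 0 )); then
    add_result "特权账户检查" "fail" "未在${passwd_file}中找到UID为0的账户" "只允许一个特权账户" "检查passwd文件是否完整"
  else
    local names
    names=$(IFS=,; printf '%s' "${uid0[*]}")
    add_result "特权账户检查" "fail" "存在多个特权账户(${names})" "只允许一个特权账户" "删除多余特权账户"
  fi

  # Default umask: the last uncommented "umask NNN" in /etc/profile, else
  # /etc/bashrc. "# umask 027" must not count (the old grep -q matched it),
  # and a stricter mask such as 077 satisfies the requirement just as well,
  # so the test is "every bit of 027 is set" rather than a literal compare.
  local f um=""
  for f in "${PROFILE_FILE:-/etc/profile}" "${BASHRC_FILE:-/etc/bashrc}"; do
    [[ -r "$f" ]] || continue
    um=$(grep -oP '^\s*umask\s+0*\K[0-7]{3}\b' "$f" | tail -n 1)
    [[ -n "$um" ]] && break
  done
  if [[ -n "$um" ]] && (( (8#$um & 8#027) == 8#027 )); then
    add_result "默认umask值" "pass" "umask ${um}已配置" "默认权限不应超过750" "保持当前配置"
  else
    add_result "默认umask值" "fail" "umask配置不安全${um:+(当前umask $um)}" "默认权限不应超过750" "在/etc/profile中添加umask 027"
  fi
}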
# 3. 安全审计检查
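# check_audit
# Security-audit items: auditd running, and log retention of at least 180
# days. Appends one row per item via add_result.
#
# LOGROTATE_CONF overrides the logrotate file read (default
# /etc/logrotate.conf) for testing.
function check_audit() {
  echo "[+] 正在进行安全审计检查..."
  if systemctl is-active auditd &>/dev/null; then
    add_result "审计服务状态" "pass" "auditd服务运行中" "应启用安全审计功能" "保持服务启用状态"
  else
    add_result "审计服务状态" "fail" "审计服务未运行" "应启用安全审计功能" "启动auditd服务:systemctl start auditd"
  fi

  # Retention: "rotate N" keeps N rotated files, so the days covered are N
  # times the rotation interval. Compute that instead of looking for the
  # literal "rotate 180", which matched commented-out lines and rejected
  # any larger (or weekly-equivalent) value. Only the global settings in
  # logrotate.conf are read; per-service overrides in logrotate.d and
  # auditd's own rotation (auditd.conf num_logs / max_log_file) are not
  # examined here — NOTE(review): a host relying on those still fails.
  local conf=${LOGROTATE_CONF:-/etc/logrotate.conf}
  local rotate="" interval="" per=1 days=0
  if [[ -r "$conf" ]]; then
    rotate=$(grep -oP '^\s*rotate\s+\K\d+' "$conf" | tail -n 1)
    interval=$(grep -oP '^\s*\K(daily|weekly|monthly|yearly)\b' "$conf" | tail -n 1)
  fi
  case "$interval" in
    weekly)  per=7 ;;
    monthly) per=30 ;;
    yearly)  per=365 ;;
    *)       per=1 ;;   # daily, or no interval given: count each rotation as one day (conservative)
  esac
  if [[ -n "$rotate" ]]; then
    days=$(( 10#$rotate * per ))
  fi
  if (( days >= 180 )); then
    add_result "日志保存策略" "pass" "日志保存约${days}天(rotate ${rotate}${interval:+ $interval})" "审计记录至少保存180天" "保持当前配置"
  else
    add_result "日志保存策略" "fail" "日志保存时间不足${rotate:+(约${days}天)}" "审计记录至少保存180天" "修改logrotate配置为rotate 180(daily)"
  fi
}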
# 执行检查
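# Run each check group; every group appends its own rows to the report.
check_auth
check_access
check_audit
# Close the table and the document (quoted path: the report name contains
# no spaces today, but an unquoted expansion is a habit that bites later).
cat >> "$report_file" <<'EOF'
</table>
</body>
</html>
EOF
printf '检查完成,报告已生成至:%s\n' "$report_file"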
[root@localhost tmp]# chmod +x linux_security_audit.sh
[root@localhost tmp]# ./linux_security_audit.sh
二、Windows等保核查脚本(windows_security_audit.ps1)
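# Desc: Windows Server等保三级合规检查脚本 — Level-3 MLPS baseline check for Windows Server
# Version: 2.0
# Date: 2024-06-20
#
# Writes an HTML report to the caller's Documents folder. The checks read the
# local security policy and the Security event log, which requires an
# elevated (Administrator) PowerShell session.

# 初始化报告 — report path
$reportFile = Join-Path -Path $env:USERPROFILE\Documents -ChildPath "Windows安全核查报告_$(Get-Date -Format yyyyMMdd).html"
$style = @"
<style>
body{font-family: Arial; margin: 20px;}
table{border-collapse: collapse; width: 100%;}
th,td{padding: 8px; text-align: left; border: 1px solid #ddd;}
th{background-color: #4CAF50; color: white;}
tr:nth-child(even){background-color: #f2f2f2;}
.pass{color: green;}
.fail{color: red;}
</style>
"@
# The document head is written by hand. ConvertTo-Html with -Body and no
# input object emits a complete document — it closes </body></html> at once —
# so every row appended later would land outside the document. A header row
# is included so the table has the same columns as the Linux report.
$header = @"
<html>
<head>
<title>Windows安全基线核查报告</title>
$style
</head>
<body>
<h2>Windows系统安全核查报告</h2><p>生成时间:$(Get-Date)</p>
<table>
<tr><th>检查项</th><th>状态</th><th>检测结果</th><th>标准要求</th><th>修复建议</th></tr>
"@
# 创建HTML报告 — one explicit encoding for the whole file: in Windows
# PowerShell 5.1 Out-File defaults to UTF-16 while Add-Content defaults to
# ANSI, and mixing them garbles the Chinese text of the appended rows.
# -ErrorAction Stop makes a failed write a terminating error so the catch
# block actually runs (try/catch does not see non-terminating errors).
try {
    Set-Content -Path $reportFile -Value $header -Encoding UTF8 -ErrorAction Stop
} catch {
    Write-Host "创建报告文件时出错: $_"
    return
}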
# 检查函数
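# Add-AuditResult
# Appends one table row to $reportFile.
#   -Item      check name
#   -Status    "pass" or "fail"; used as the CSS class and, upper-cased, as
#              the cell text (same convention as the Linux report)
#   -Result    what was observed
#   -Standard  the requirement
#   -Solution  remediation advice
# Every cell is HTML-encoded before it is written: -Result often carries text
# taken from the host (exception messages, registry values), and a "<" or "&"
# in it would otherwise inject markup into a report that is opened in a
# browser.
function Add-AuditResult {
    param(
        [string]$Item,
        [string]$Status,
        [string]$Result,
        [string]$Standard,
        [string]$Solution
    )
    $enc = { param($s) [System.Net.WebUtility]::HtmlEncode([string]$s) }
    $cls = (& $enc $Status).ToLower()
    $row = "<tr><td>$(& $enc $Item)</td><td class='$cls'>$($cls.ToUpper())</td><td>$(& $enc $Result)</td><td>$(& $enc $Standard)</td><td>$(& $enc $Solution)</td></tr>"
    try {
        # Same encoding as the document head; Stop so the catch sees a failed write.
        Add-Content -Path $reportFile -Value $row -Encoding UTF8 -ErrorAction Stop
    } catch {
        Write-Host "写入报告文件时出错: $_"
    }
}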
# 1. 账户策略检查
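# Get-LocalSecurityPolicy
# Exports the local security policy with secedit and returns its
# "Name = Value" settings as a hashtable of strings (e.g.
# PasswordComplexity -> "1", LockoutBadCount -> "0"). Needs an elevated
# session; throws when the export produced no file. The export is written to
# a unique file under %TEMP% and always removed.
function Get-LocalSecurityPolicy {
    $cfg = Join-Path $env:TEMP ("secpol_{0}.inf" -f [guid]::NewGuid())
    try {
        $null = & secedit.exe /export /cfg $cfg /areas SECURITYPOLICY /quiet
        if (-not (Test-Path $cfg)) { throw "secedit未生成导出文件(需要管理员权限)" }
        $policy = @{}
        foreach ($line in Get-Content -Path $cfg) {
            if ($line -match '^\s*([A-Za-z0-9_]+)\s*=\s*(.*?)\s*$') {
                $policy[$matches[1]] = $matches[2]
            }
        }
        return $policy
    } finally {
        Remove-Item -Path $cfg -Force -ErrorAction SilentlyContinue
    }
}

# Check-AccountPolicy
# Account-policy items: password complexity and the lockout threshold.
# Both are read from the exported security policy instead of the sources the
# previous version used: the Policies\System registry key does not hold
# PasswordComplexity (so that check always reported "未启用"), and parsing
# "net accounts" by its Chinese label only works on a Chinese-locale Windows
# and throws on the "从不"/"Never" value that means "no lockout".
function Check-AccountPolicy {
    Write-Host "[+] 检查账户策略..."
    $policy = $null
    $policyError = $null
    try {
        $policy = Get-LocalSecurityPolicy
    } catch {
        $policyError = "$_"
    }

    # 密码复杂度
    if ($null -eq $policy) {
        Add-AuditResult -Item "密码复杂度" -Status "fail" -Result "读取本地安全策略时出错: $policyError" -Standard "必须启用密码复杂性要求" -Solution "以管理员身份运行,或手动检查密码复杂度策略"
    } elseif ($policy['PasswordComplexity'] -eq '1') {
        Add-AuditResult -Item "密码复杂度" -Status "pass" -Result "已启用" -Standard "必须启用密码复杂性要求" -Solution "保持当前策略"
    } else {
        Add-AuditResult -Item "密码复杂度" -Status "fail" -Result "未启用" -Standard "必须启用密码复杂性要求" -Solution "在组策略中启用密码复杂性要求"
    }

    # 账户锁定策略 — LockoutBadCount is the threshold; 0 means never locked,
    # which must fail rather than satisfy "<= 5".
    if ($null -eq $policy) {
        Add-AuditResult -Item "账户锁定策略" -Status "fail" -Result "读取本地安全策略时出错: $policyError" -Standard "登录失败次数≤5次" -Solution "手动检查账户锁定策略"
        return
    }
    $threshold = 0
    if (-not [int]::TryParse([string]$policy['LockoutBadCount'], [ref]$threshold)) { $threshold = -1 }
    if ($threshold -ge 1 -and $threshold -le 5) {
        Add-AuditResult -Item "账户锁定策略" -Status "pass" -Result "锁定阈值${threshold}次" -Standard "登录失败次数≤5次" -Solution "保持当前配置"
    } elseif ($threshold -eq 0) {
        Add-AuditResult -Item "账户锁定策略" -Status "fail" -Result "未启用账户锁定(阈值为0)" -Standard "登录失败次数≤5次" -Solution "通过gpedit.msc设置账户锁定阈值为1-5次"
    } elseif ($threshold -lt 0) {
        Add-AuditResult -Item "账户锁定策略" -Status "fail" -Result "未找到账户锁定阈值" -Standard "登录失败次数≤5次" -Solution "手动检查账户锁定策略"
    } else {
        Add-AuditResult -Item "账户锁定策略" -Status "fail" -Result "当前阈值${threshold}次" -Standard "登录失败次数≤5次" -Solution "通过gpedit.msc调整账户锁定阈值"
    }
}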
# 2. 日志审计检查
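# Check-AuditPolicy
# Audit item: the Security event log must not lose 180 days of records.
#
# Windows has no "days to keep" setting for the Security log. The registry
# value the previous version read (Policies\...\EventLog\Security\Retention)
# is the overwrite mode ("0" = overwrite as needed, "-1" = never), so comparing
# it with 180 could never pass. Read the effective log configuration instead:
# a LogMode of Retain or AutoBackup means records are not overwritten, and a
# Circular log still passes when its oldest record is already 180 days old
# (the configured size is evidently large enough). Size and oldest-record age
# are reported either way so the reviewer can judge the margin. Forwarding to
# a central log server is the usual way to guarantee 180 days and is not
# checked here.
function Check-AuditPolicy {
    Write-Host "[+] 检查审计策略..."
    $standard = "日志至少保留180天"
    $solution = "组策略:计算机配置→管理模板→Windows组件→事件日志服务→安全,增大最大日志文件大小并将日志已满时的行为设为不覆盖或自动备份;或将安全日志转发至日志服务器"
    try {
        $log = Get-WinEvent -ListLog Security -ErrorAction Stop
        $sizeMB = [math]::Round($log.MaximumSizeInBytes / 1MB)
        $retainedDays = $null
        try {
            $first = Get-WinEvent -LogName Security -Oldest -MaxEvents 1 -ErrorAction Stop
            $retainedDays = ((Get-Date) - $first.TimeCreated).Days
        } catch {
            # An empty or unreadable log just gives no oldest-record age.
        }
        $detail = "模式:$($log.LogMode),最大${sizeMB}MB"
        if ($null -ne $retainedDays) { $detail += ",最早记录距今${retainedDays}天" }
        if ($log.LogMode -ne 'Circular' -or ($null -ne $retainedDays -and $retainedDays -ge 180)) {
            Add-AuditResult -Item "日志保留天数" -Status "pass" -Result $detail -Standard $standard -Solution "保持当前配置"
        } else {
            Add-AuditResult -Item "日志保留天数" -Status "fail" -Result "循环覆盖,无法保证180天($detail)" -Standard $standard -Solution $solution
        }
    } catch {
        Add-AuditResult -Item "日志保留天数" -Status "fail" -Result "读取安全日志配置时出错: $_" -Standard $standard -Solution "以管理员身份运行,或手动检查安全日志设置"
    }
}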
# 3. 服务配置检查
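# Check-ServiceConfig
# Remote Desktop items. A row is always written: the previous version wrote
# nothing when TermService was absent or stopped, so a host without RDP had
# no finding either way and the report was silently incomplete.
#   - RDP disabled (fDenyTSConnections = 1), or TermService missing/stopped,
#     passes the port item as not applicable.
#   - Otherwise PortNumber is compared with 3389. The baseline asks for a
#     non-default port; that only hides the service from casual scans and is
#     no substitute for NLA and firewalling, hence the second row.
#   - Network Level Authentication (UserAuthentication = 1 on RDP-Tcp) is
#     reported as its own row, since it is what actually protects the logon.
function Check-ServiceConfig {
    Write-Host "[+] 检查服务配置..."
    $tsKey   = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
    $rdpKey  = "$tsKey\WinStations\RDP-Tcp"
    $portStd = "应修改默认RDP端口"
    $portFix = "修改注册表HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp下的PortNumber值"
    $nlaStd  = "远程桌面应启用网络级别身份验证(NLA)"
    try {
        $svc = Get-Service -Name TermService -ErrorAction SilentlyContinue
        $denyTs = $null
        if (Test-Path $tsKey) {
            $denyTs = (Get-ItemProperty -Path $tsKey -ErrorAction SilentlyContinue).fDenyTSConnections
        }
        if ($null -eq $svc) {
            Add-AuditResult -Item "远程桌面配置" -Status "pass" -Result "TermService服务不存在,远程桌面不可用" -Standard $portStd -Solution "保持当前配置"
            return
        }
        if ($svc.Status -ne 'Running') {
            Add-AuditResult -Item "远程桌面配置" -Status "pass" -Result "TermService服务未运行" -Standard $portStd -Solution "如需启用远程桌面,请先修改默认端口并启用NLA"
            return
        }
        if ($denyTs -eq 1) {
            Add-AuditResult -Item "远程桌面配置" -Status "pass" -Result "远程桌面连接已禁用(fDenyTSConnections=1)" -Standard $portStd -Solution "如需启用远程桌面,请先修改默认端口并启用NLA"
            return
        }
        if (-not (Test-Path $rdpKey)) {
            Add-AuditResult -Item "远程桌面配置" -Status "fail" -Result "注册表项不存在" -Standard $portStd -Solution "检查注册表项是否存在或手动设置RDP端口"
            return
        }
        $rdp = Get-ItemProperty -Path $rdpKey -ErrorAction Stop
        if ($null -eq $rdp.PortNumber) {
            Add-AuditResult -Item "远程桌面配置" -Status "fail" -Result "未找到PortNumber值" -Standard $portStd -Solution $portFix
        } elseif ($rdp.PortNumber -ne 3389) {
            Add-AuditResult -Item "远程桌面配置" -Status "pass" -Result "非默认端口$($rdp.PortNumber)" -Standard $portStd -Solution "保持当前配置"
        } else {
            Add-AuditResult -Item "远程桌面配置" -Status "fail" -Result "使用默认3389端口" -Standard $portStd -Solution $portFix
        }
        if ($rdp.UserAuthentication -eq 1) {
            Add-AuditResult -Item "远程桌面NLA" -Status "pass" -Result "已要求网络级别身份验证" -Standard $nlaStd -Solution "保持当前配置"
        } else {
            Add-AuditResult -Item "远程桌面NLA" -Status "fail" -Result "未启用网络级别身份验证" -Standard $nlaStd -Solution "系统属性→远程→勾选仅允许使用网络级别身份验证的连接,或设置RDP-Tcp下UserAuthentication=1"
        }
    } catch {
        Add-AuditResult -Item "远程桌面配置" -Status "fail" -Result "读取远程桌面配置时出错: $_" -Standard $portStd -Solution "手动检查远程桌面服务状态"
    }
}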
# 执行检查
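# 执行检查 — run the check groups; each appends its own rows to the report.
try {
    Check-AccountPolicy
    Check-AuditPolicy
    Check-ServiceConfig
} catch {
    Write-Host "执行检查时出错: $_"
}
# 完成报告 — close the document with the same encoding as the rows, and make
# a failed write a terminating error so the catch block is reachable.
try {
    Add-Content -Path $reportFile -Value "</table></body></html>" -Encoding UTF8 -ErrorAction Stop
    Write-Host "检查完成,报告已生成至:$reportFile"
} catch {
    Write-Host "完成报告时出错: $_"
}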
三、脚本特点说明
-
双平台支持:
- 分别针对Linux和Windows系统设计,符合各自系统特性
- 检查项对应等级保护2.0三级中的部分控制点(身份鉴别、访问控制、安全审计、远程访问配置),用于快速摸底,并不构成完整的三级核查
-
核心检查项:
-
Linux版:
- 身份鉴别(密码长度策略、登录失败锁定)
- 访问控制(UID为0的特权账户、默认umask)
- 安全审计(auditd服务状态、logrotate日志留存)
- 入侵防范(防火墙配置、SSH安全)——上述脚本尚未实现,需自行补充检查项
-
Windows版:
- 账户策略(密码复杂度、账户锁定阈值)
- 审计策略(安全日志保留配置)
- 安全配置(远程桌面端口;共享设置尚未实现)
- 补丁管理(系统更新状态)——上述脚本尚未实现,需自行补充检查项
-
在以管理员身份运行的 PowerShell(而非 cmd)中执行;-Scope Process 只放宽当前会话的执行策略,避免永久修改机器级策略:
PS C:\Users\zhh> Set-ExecutionPolicy -Scope Process RemoteSigned
PS C:\Users\zhh> Get-ExecutionPolicy
PS C:\Users\zhh> .\windows_security_audit.ps1