Based on GB/T 22239-2019 "Information security technology - Baseline for classified protection of cybersecurity" (MLPS 2.0 / 等保2.0, Level 3), this page gives a directly usable checklist of assessment commands for Debian Linux (versions 12/11/10).
It covers the core control points (identity authentication, access control, security auditing, intrusion prevention and malicious-code prevention) and adapts them to Debian-specific mechanisms such as AppArmor/SELinux, APT package management and systemd.
1. Identity authentication (8.1.4.1)
1.1 Account uniqueness and password complexity
Check commands:
```bash
awk -F: '$2==""{print $1}' /etc/shadow                           # accounts with an empty password field
awk -F: '{print $3}' /etc/passwd | sort | uniq -d                 # duplicate UIDs
grep -E 'PASS_MAX_DAYS|PASS_MIN_DAYS' /etc/login.defs             # password ageing policy
grep -E 'pam_pwquality|pam_cracklib' /etc/pam.d/common-password   # password complexity module in use
```
Debian-specific configuration:
```bash
# Show the password-complexity module enabled by default (Debian 12 uses pam_pwquality)
grep -E "pam_pwquality|pam_cracklib" /etc/pam.d/common-password
# Install and configure password complexity (if not installed)
sudo apt install libpam-pwquality -y
# Compliant example settings for /etc/security/pwquality.conf:
minlen = 8
minclass = 3
maxrepeat = 2
dcredit = -1
ucredit = -1
lcredit = -1
ocredit = -1
# Requirement: at least 8 characters and 3 character classes (any 3 of upper case, lower case, digits, special characters)
```
1.2 Login-failure handling and session timeout
Check commands:
```bash
grep pam_faillock /etc/pam.d/common-auth                                 # login-failure lockout (pam_faillock)
grep pam_tally2 /etc/pam.d/common-auth                                   # legacy lockout module (pam_tally2)
grep TMOUT /etc/profile /etc/bash.bashrc                                 # shell idle timeout
grep -E 'ClientAliveInterval|ClientAliveCountMax' /etc/ssh/sshd_config   # SSH session keepalive / timeout
```
Debian login-failure lockout configuration:
```bash
# Debian 12 recommends pam_faillock (replaces the old pam_tally2)
grep -E "pam_faillock" /etc/pam.d/common-auth /etc/pam.d/common-account
# Example configuration (/etc/pam.d/common-auth):
auth required pam_faillock.so preauth silent audit deny=5 unlock_time=300
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=300
# Show the lockout status of a user
faillock --user username
faillock --user username --reset   # manual unlock
```
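The two baselines above (pwquality thresholds in 1.1 and the pam_faillock parameters in 1.2) are usually checked by eye. The following script is an added example, not part of the original page: it parses both files and returns pass/fail, so the check can be repeated on many hosts. It assumes the page's own thresholds (minlen at least 8, minclass at least 3, deny at most 5, unlock_time at least 300) and the `key = value` / `deny=N` syntax shown above; the sample files are constructed here, the real paths are /etc/security/pwquality.conf and /etc/pam.d/common-auth.

```shell
#!/bin/sh
# Added example: machine-checkable pwquality and pam_faillock baselines.
# Thresholds are the ones used in the page's example configuration.

# pwq_get <file> <key>: print the last uncommented "key = value" integer, or nothing
pwq_get() {
    sed -n -e 's/[[:space:]]*#.*//' \
        -e "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(-\{0,1\}[0-9]\{1,\}\).*/\1/p" "$1" | tail -n 1
}

# check_pwquality <pwquality.conf>: 0 when minlen >= 8 and minclass >= 3
check_pwquality() {
    minlen=$(pwq_get "$1" minlen)
    minclass=$(pwq_get "$1" minclass)
    [ "${minlen:-0}" -ge 8 ] && [ "${minclass:-0}" -ge 3 ]
}

# faillock_param <common-auth> <param>: value of <param>= on the pam_faillock preauth line
faillock_param() {
    grep -E '^[[:space:]]*auth[[:space:]]' "$1" | grep 'pam_faillock.so' | grep 'preauth' \
        | sed -n "s/.*[[:space:]]$2=\([0-9]\{1,\}\).*/\1/p" | head -n 1
}

# check_faillock <common-auth>: 0 when a preauth line exists with deny <= 5 and unlock_time >= 300
check_faillock() {
    deny=$(faillock_param "$1" deny)
    unlock=$(faillock_param "$1" unlock_time)
    [ -n "$deny" ] && [ "$deny" -le 5 ] && [ "${unlock:-0}" -ge 300 ]
}

# --- constructed sample inputs (a temp dir stands in for /etc) ---
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

cat > "$TMPD/pwquality.good" <<'EOF'
# sample /etc/security/pwquality.conf
minlen = 8
minclass = 3
maxrepeat = 2
EOF

cat > "$TMPD/pwquality.bad" <<'EOF'
minlen = 6
# minclass = 3   (commented out, so it does not count)
EOF

cat > "$TMPD/common-auth.good" <<'EOF'
auth required pam_faillock.so preauth silent audit deny=5 unlock_time=300
auth [success=1 default=ignore] pam_unix.so nullok
auth [default=die] pam_faillock.so authfail audit deny=5 unlock_time=300
EOF

cat > "$TMPD/common-auth.bad" <<'EOF'
auth [success=1 default=ignore] pam_unix.so nullok
auth required pam_faillock.so preauth silent deny=20 unlock_time=60
EOF

for f in good bad; do
    check_pwquality "$TMPD/pwquality.$f" && echo "pwquality.$f: PASS" || echo "pwquality.$f: FAIL"
    check_faillock "$TMPD/common-auth.$f" && echo "common-auth.$f: PASS" || echo "common-auth.$f: FAIL"
done
```

Point the two check functions at the real files to use this on a host; a missing or commented-out key counts as a failure, which is what an assessor wants.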
1.3 Remote management security
```bash
# Confirm the SSH service is running
systemctl status ssh
# Check the SSH security settings (Debian defaults are already fairly secure)
grep -E 'PermitRootLogin|Protocol|PubkeyAuthentication|PasswordAuthentication' /etc/ssh/sshd_config
# Compliance requirement: PermitRootLogin no, Protocol 2, PubkeyAuthentication yes, PasswordAuthentication no (or yes combined with keys)
# Confirm Telnet is not listening
ss -tuln | grep ':23'
# Check the SSH version (Debian 12 ships OpenSSH 9.x)
ssh -V
```
High-risk items: using Telnet or allowing root to log in remotely is a direct failure against the Level 3 requirements.
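Grepping sshd_config for a literal line, as above and in the inspection script later on this page (`grep -q "^PermitRootLogin no"`), can pass a host whose effective setting is different: sshd uses the first value it reads for a keyword, and lines after a `Match` block only apply conditionally. The script below is an added example, not part of the original page; it computes the effective global value with those two rules. It assumes the `Keyword value` form of sshd_config; the sample files are constructed.

```shell
#!/bin/sh
# Added example: effective global sshd_config value (first match wins, Match blocks excluded).

# sshd_global <sshd_config> <Keyword>: print the effective global value, or nothing if unset
sshd_global() {
    awk -v key="$(printf '%s' "$2" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*(#|$)/   { next }               # comments and blank lines
        tolower($1) == "match" { exit }               # everything after Match is conditional
        tolower($1) == key     { print $2; exit }     # first occurrence wins
    ' "$1"
}

# check_sshd_root <sshd_config>: 0 when the effective global PermitRootLogin is "no"
check_sshd_root() {
    [ "$(sshd_global "$1" PermitRootLogin | tr 'A-Z' 'a-z')" = "no" ]
}

# --- constructed sample configs ---
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

cat > "$TMPD/sshd.good" <<'EOF'
# sample sshd_config: compliant
Port 22
PermitRootLogin no
PasswordAuthentication no
Match Address 10.1.1.0/24
    PasswordAuthentication yes
EOF

cat > "$TMPD/sshd.firstwins" <<'EOF'
# a literal grep for "^PermitRootLogin no" passes this file, but sshd uses the first value: yes
PermitRootLogin yes
PermitRootLogin no
EOF

cat > "$TMPD/sshd.matchonly" <<'EOF'
# PermitRootLogin is only set inside a Match block, so the global default is unchanged
Port 22
Match Address 10.1.1.0/24
    PermitRootLogin no
EOF

for f in good firstwins matchonly; do
    printf '%s: PermitRootLogin=%s -> ' "$f" "$(sshd_global "$TMPD/sshd.$f" PermitRootLogin)"
    check_sshd_root "$TMPD/sshd.$f" && echo PASS || echo FAIL
done
```

On a live host `sshd -T` prints the fully resolved configuration and is the authoritative source; the parser above is for offline review of collected config files.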
1.4 Two-factor authentication (high-risk item)
Assessment method:
```bash
# Check SSH public-key authentication
grep "PubkeyAuthentication yes" /etc/ssh/sshd_config
# Check whether a second factor is integrated through PAM
grep -E "pam_google_authenticator|pam_u2f|pam_pkcs11" /etc/pam.d/sshd
# Example: install Google Authenticator
sudo apt install libpam-google-authenticator -y
# Inspect the certificate store (when smart cards are used)
ls /etc/pki/nssdb/ 2>/dev/null || echo "未配置PKI"
dpkg -l | grep -E "opensc|libpam-pkcs11"
```
2. Access control (8.1.4.2)
2.1 Account and privilege management
Check commands:
```bash
grep -E 'adm|lp|sync|halt|news|uucp|operator|games|gopher' /etc/shadow   # default system accounts and their lock state
stat -c '%a %n' /etc/passwd /etc/shadow /etc/group                         # permissions of the account files
grep -v '^#' /etc/sudoers | grep -v '^$'                                   # effective sudoers entries
awk -F: '$3==0 && $1!="root"{print $1}' /etc/passwd                        # non-root accounts with UID 0
getent group sudo                                                           # members of the sudo group
```
Debian account hardening:
```bash
# Lock unused default accounts (Debian is already minimal, but confirm)
for user in games gnats irc list news uucp; do
    sudo usermod -L "$user" 2>/dev/null && echo "已锁定: $user"
done
# Check the lock state in /etc/shadow (! or * means locked)
grep -E "^games:|^gnats:|^irc:" /etc/shadow
```
2.2 Mandatory access control (MAC)
Debian supports AppArmor by default (recommended); SELinux is optional:
```bash
# Check AppArmor status (Debian default)
sudo aa-status
# Show loaded profiles in enforce mode
sudo aa-status | grep enforce
# Install and enable AppArmor (if not installed)
sudo apt install apparmor apparmor-profiles apparmor-utils -y
sudo systemctl enable apparmor --now
# Load (and thereby validate) the profiles of key processes; -q suppresses warnings
sudo apparmor_parser -q /etc/apparmor.d/usr.sbin.sshd
sudo apparmor_parser -q /etc/apparmor.d/usr.sbin.mysql
# Show AppArmor log messages
sudo dmesg | grep -i apparmor
sudo grep -i apparmor /var/log/kern.log
# Switch all profiles to enforce mode
sudo aa-enforce /etc/apparmor.d/*
```
SELinux alternative (if required):
```bash
# Debian does not enable SELinux by default; install it if needed
sudo apt install selinux-basics selinux-policy-default -y
sudo selinux-activate
sestatus
getenforce
```
Pass criterion: key processes (sshd, mysqld, nginx, etc.) must have an AppArmor/SELinux policy and run in enforce mode.
3. Security auditing (8.1.4.3)
3.1 Audit service enabled
Check commands:
```bash
systemctl is-active auditd && systemctl is-enabled auditd   # auditd running and enabled at boot
auditctl -l | wc -l                                         # number of loaded audit rules
aureport -i | head -20                                      # summary audit report
stat -c '%a %U:%G' /var/log/audit/audit.log                 # permissions and owner of the audit log
```
Debian auditd installation and configuration:
```bash
# Install auditd (may not be installed by default on Debian)
sudo apt install auditd audispd-plugins -y
sudo systemctl enable auditd --now
# Show the loaded audit rules
sudo auditctl -l
# Persistent rules (/etc/audit/rules.d/audit.rules):
-w /etc/passwd -p wa -k identity_changes
-w /etc/shadow -p wa -k identity_changes
-w /etc/group -p wa -k identity_changes
-w /etc/sudoers -p wa -k sudoers_changes
-w /var/log/audit/ -p wa -k audit_logs
-a always,exit -F arch=b64 -S setuid -S setgid -S setreuid -S setregid -k privilege_escalation
# Reload the rules
sudo augenrules --load
```
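Counting rules with `auditctl -l | wc -l` says nothing about whether the specific watches above are present with the right permission flags. The script below is an added example, not part of the original page: it checks a rules file for each `-w` watch the page requires (path plus every letter of `-p wa`) and for the setuid/setgid syscall rule, and lists what is missing. Sample rule files are constructed; on a host you would run it against /etc/audit/rules.d/audit.rules (or the output of `auditctl -l`).

```shell
#!/bin/sh
# Added example: verify audit rule coverage against the page's required rule set.

# audit_watch_ok <rules_file> <path> <perms>: 0 if a "-w <path> -p X" rule exists and X contains every letter of <perms>
audit_watch_ok() {
    _found=$(grep -vE '^[[:space:]]*(#|$)' "$1" | awk -v p="$2" '
        $1 == "-w" && $2 == p { for (i = 3; i < NF; i++) if ($i == "-p") print $(i+1) }' | head -n 1)
    [ -n "$_found" ] || return 1
    _need=$3
    while [ -n "$_need" ]; do
        _c=${_need%"${_need#?}"}            # first character of the remaining required flags
        _need=${_need#?}
        case $_found in *"$_c"*) ;; *) return 1 ;; esac
    done
    return 0
}

# audit_missing <rules_file>: print one line per missing control (empty output means complete)
audit_missing() {
    for spec in /etc/passwd:wa /etc/shadow:wa /etc/group:wa /etc/sudoers:wa /var/log/audit/:wa; do
        audit_watch_ok "$1" "${spec%%:*}" "${spec#*:}" || echo "missing watch: $spec"
    done
    grep -vE '^[[:space:]]*(#|$)' "$1" \
        | grep -qE -- '-a[[:space:]]+always,exit[[:space:]].*-F[[:space:]]*arch=b64.*-S[[:space:]]+setuid' \
        || echo "missing syscall rule: setuid (arch=b64)"
}

# check_audit_rules <rules_file>: 0 when nothing is missing
check_audit_rules() {
    [ -z "$(audit_missing "$1")" ]
}

# --- constructed sample rule files ---
TMPD=$(mktemp -d)
trap 'rm -rf "$TMPD"' EXIT

cat > "$TMPD/audit.good" <<'EOF'
# the page's rule set
-w /etc/passwd -p wa -k identity_changes
-w /etc/shadow -p wa -k identity_changes
-w /etc/group -p wa -k identity_changes
-w /etc/sudoers -p wa -k sudoers_changes
-w /var/log/audit/ -p wa -k audit_logs
-a always,exit -F arch=b64 -S setuid -S setgid -S setreuid -S setregid -k privilege_escalation
EOF

cat > "$TMPD/audit.bad" <<'EOF'
-w /etc/passwd -p wa -k identity_changes
-w /etc/shadow -p r -k identity_changes
-w /etc/group -p wa -k identity_changes
-w /var/log/audit/ -p wa -k audit_logs
# -a always,exit -F arch=b64 -S setuid -S setgid -k privilege_escalation
EOF

for f in good bad; do
    echo "== audit.$f =="
    audit_missing "$TMPD/audit.$f"
    check_audit_rules "$TMPD/audit.$f" && echo "result: PASS" || echo "result: FAIL"
done
```

The bad sample shows the three ways a rule set silently falls short: a watch with the wrong permission flags (`-p r` on /etc/shadow), a watch that is simply absent (/etc/sudoers), and a syscall rule that was commented out.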
3.2 Log backup and tamper protection
```bash
# Check remote log forwarding (rsyslog)
grep -E '@\w+.*514' /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>/dev/null
# Configure a remote log server
echo "*.* @192.168.1.100:514" | sudo tee -a /etc/rsyslog.d/99-remote.conf
sudo systemctl restart rsyslog
# Check encrypted log transport (TLS)
grep -E 'DefaultNetstreamDriverCAFile|ActionSendStreamDriverMode' /etc/rsyslog.conf
# Enable persistent journald storage (Debian defaults to in-memory storage)
sudo mkdir -p /var/log/journal
sudo systemd-tmpfiles --create --prefix /var/log/journal
sudo systemctl restart systemd-journald
# Show the journald configuration
grep -E "Storage|SystemMaxUse" /etc/systemd/journald.conf
```
4. Intrusion prevention (8.1.4.4)
4.1 Minimal installation and vulnerability patching
Check commands:
```bash
dpkg --list | grep -E 'telnet|ftp|rsh|talk|ntalk'                                        # insecure legacy packages
apt list --upgradable 2>/dev/null | wc -l                                                # pending updates
systemctl list-unit-files --state=enabled | grep -vE 'ssh|audit|cron|rsyslog|systemd'    # enabled services beyond the baseline
check-support-status                                                                     # packages that lost security support (debian-security-support package)
```
Debian security update mechanism:
```bash
# Check the security update source (Debian 12)
grep security /etc/apt/sources.list
# Should contain: deb http://security.debian.org/debian-security bookworm-security main contrib non-free
# Check for available security updates
sudo apt update
apt list --upgradable 2>/dev/null | grep -i security
# Install all updates
sudo apt upgrade -y
# Or install only the security updates
sudo apt install -t bookworm-security --only-upgrade $(apt list --upgradable 2>/dev/null | grep security | cut -d/ -f1)
# Install the security-support checker
sudo apt install debian-security-support -y
check-support-status   # lists packages that have lost security support
```
4.2 Port and firewall control
Check commands:
```bash
ss -tunlp | grep -E '0.0.0.0:23|0.0.0.0:111|0.0.0.0:513|0.0.0.0:514'   # high-risk ports listening on all interfaces
ufw status verbose                                                      # UFW state and rules
iptables -L -n | head -20                                               # iptables rules (if used)
cat /etc/hosts.deny                                                     # TCP wrappers deny list
```
Debian firewall configuration (nftables or ufw recommended):
```bash
# Option 1: UFW (simple)
sudo apt install ufw -y
sudo ufw default deny incoming
sudo ufw default allow outgoing
sudo ufw allow from 10.1.1.0/24 to any port 22 proto tcp
sudo ufw enable
sudo ufw status numbered
# Option 2: nftables (Debian 12 default, recommended)
sudo nft list ruleset
sudo systemctl enable nftables --now
# Basic nftables configuration example
sudo tee /etc/nftables.conf <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        tcp dport 22 ip saddr 10.1.1.0/24 accept
        counter drop
    }
    chain forward { type filter hook forward priority 0; policy drop; }
    chain output { type filter hook output priority 0; policy accept; }
}
EOF
sudo systemctl restart nftables
```
5. Malicious-code prevention (8.1.4.5)
Check commands:
```bash
systemctl is-active clamav-daemon && systemctl is-enabled clamav-daemon   # ClamAV daemon state
freshclam --version                                                       # signature updater version and database
ps -ef | grep clamd                                                       # clamd process
dpkg -l | grep -E 'rkhunter|chkrootkit|lynis'                             # rootkit / audit tools installed
```
Debian ClamAV deployment:
```bash
# Install ClamAV
sudo apt install clamav clamav-daemon clamav-freshclam -y
# Update the signature database
sudo freshclam
sudo systemctl enable clamav-freshclam --now
# Enable the scanning daemon (on-access scanning)
sudo apt install clamav-daemon -y
sudo systemctl enable clamav-daemon --now
# Show status
sudo systemctl status clamav-daemon
sudo clamconf | grep -E "LocalSocket|MaxConnectionQueueLength"
# Manual scan
sudo clamscan -r --infected --remove /home
sudo clamscan -r --infected /var/www
# Scheduled scan (cron)
echo "0 2 * * * root clamscan -r /var/www >> /var/log/clamav/scan.log" | sudo tee /etc/cron.d/clamav-scan
```
Rootkit detection:
```bash
# Install rkhunter and chkrootkit
sudo apt install rkhunter chkrootkit -y
# Update the rkhunter database and file-property baseline
sudo rkhunter --update
sudo rkhunter --propupd
# Run the checks
sudo rkhunter --check --sk   # --sk skips the keypress prompts
sudo chkrootkit
# Review the report
sudo cat /var/log/rkhunter.log
```
6. Trusted verification (8.1.4.6)
Check commands:
```bash
bootctl status                                    # boot mode and firmware (UEFI, Secure Boot)
mokutil --sb-state                                # Secure Boot state
dmesg | grep -i tpm                               # TPM detected by the kernel
cat /proc/cmdline | grep -E 'ima|evm|integrity'   # IMA/EVM kernel parameters
dmidecode -t 0                                    # BIOS/firmware information
```
Debian trusted boot configuration:
```bash
# Check the UEFI Secure Boot state
mokutil --sb-state 2>/dev/null || echo "非UEFI启动或工具未安装"
# Install TPM tools
sudo apt install tpm2-tools tpm2-abrmd -y
# Show TPM information
tpm2_getcap properties-fixed
cat /sys/class/tpm/tpm0/tpm_version_major 2>/dev/null
# Check IMA (Integrity Measurement Architecture)
grep ima /proc/cmdline
head -5 /sys/kernel/security/ima/ascii_runtime_measurements 2>/dev/null
# Enable IMA (requires a kernel parameter):
# edit /etc/default/grub and add: GRUB_CMDLINE_LINUX_DEFAULT="ima_policy=tcb"
sudo update-grub
```
7. Data backup and recovery (8.1.4.9)
Check commands:
```bash
crontab -l | grep -i backup                          # scheduled backup jobs
stat -c '%a %U:%G' /backup                           # backup directory permissions and owner
tar -tzf /backup/etc-$(date +%F).tar.gz | wc -l      # today's /etc backup is readable
systemctl status rsnapshot                           # rsnapshot service (if used)
```
Debian backup options:
```bash
# Option 1: rsnapshot (rsync-based snapshots)
sudo apt install rsnapshot -y
# Configure /etc/rsnapshot.conf
# Key settings (fields in this file are tab-separated):
# snapshot_root   /backup/
# backup          /etc/     localhost/
# backup          /home/    localhost/
# retain          daily     7
# retain          weekly    4
sudo systemctl enable rsnapshot --now
# Option 2: borgbackup (modern, deduplicating)
sudo apt install borgbackup -y
# Initialise the repository: borg init --encryption=repokey /backup/borg
# Create a backup: borg create /backup/borg::$(date +%F) /etc /home /var/www
# Option 3: plain tar archive script
sudo mkdir -p /backup
sudo tar -czpf /backup/etc-$(date +%F).tar.gz /etc --exclude=/etc/ssl/private 2>/dev/null
sudo tar -czpf /backup/home-$(date +%F).tar.gz /home 2>/dev/null
# Verify the backup
sudo tar -tzf /backup/etc-$(date +%F).tar.gz | head -5
```
One-click inspection script (Debian edition)
```bash
#!/bin/bash
# Debian Linux MLPS Level 3 one-click inspection script
# Run as: root
# Supported versions: Debian 10/11/12
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
NC='\033[0m' # No Color
check_pass() {
    echo -e "${GREEN}[PASS]${NC} $1"
}
check_fail() {
    echo -e "${RED}[FAIL]${NC} $1"
}
check_warn() {
    echo -e "${YELLOW}[WARN]${NC} $1"
}
echo "=========================================="
echo " Debian Linux 等保三级巡检脚本"
echo " 时间: $(date)"
echo " 主机: $(hostname)"
echo "=========================================="
echo ""
echo "===== 1 身份鉴别 ====="
echo "--- 空口令检查 ---"
empty_pass=$(awk -F: '$2==""{print $1}' /etc/shadow)
if [ -z "$empty_pass" ]; then
    check_pass "无空口令用户"
else
    check_fail "发现空口令用户: $empty_pass"
fi
echo "--- 密码有效期 ---"
pass_max=$(grep PASS_MAX_DAYS /etc/login.defs | grep -v "^#" | awk '{print $2}')
if [ "$pass_max" -le 90 ] 2>/dev/null; then
    check_pass "密码最大有效期: $pass_max 天"
else
    check_fail "密码最大有效期不合规: $pass_max 天(应≤90)"
fi
echo "--- 密码复杂度 ---"
if grep -q "pam_pwquality" /etc/pam.d/common-password; then
    check_pass "已启用pam_pwquality"
    grep "pam_pwquality" /etc/pam.d/common-password | head -1
else
    check_fail "未启用密码复杂度检查"
fi
echo "--- 登录失败锁定 ---"
if grep -q "pam_faillock" /etc/pam.d/common-auth; then
    check_pass "已启用登录失败锁定(pam_faillock)"
elif grep -q "pam_tally2" /etc/pam.d/common-auth; then
    check_warn "使用旧版pam_tally2,建议升级"
else
    check_fail "未配置登录失败锁定"
fi
echo "--- SSH配置 ---"
if grep -q "^PermitRootLogin no" /etc/ssh/sshd_config; then
    check_pass "已禁止root远程登录"
else
    check_fail "未禁止root远程登录"
fi
echo ""
echo "===== 2 访问控制 ====="
echo "--- 默认账户状态 ---"
for user in games gnats irc list news uucp; do
    if id "$user" &>/dev/null; then
        status=$(grep "^$user:" /etc/shadow | cut -d: -f2)
        if [[ "$status" == "!"* ]] || [[ "$status" == "*" ]]; then
            check_pass "账户 $user 已锁定"
        else
            check_fail "账户 $user 未锁定"
        fi
    fi
done
echo "--- 关键文件权限 ---"
pass_perm=$(stat -c '%a' /etc/passwd)
shadow_perm=$(stat -c '%a' /etc/shadow)
echo "/etc/passwd权限: $pass_perm"
echo "/etc/shadow权限: $shadow_perm"
[ "$pass_perm" -le 644 ] && check_pass "passwd权限合规" || check_fail "passwd权限过宽"
[ "$shadow_perm" -le 640 ] && check_pass "shadow权限合规" || check_fail "shadow权限过宽"
echo "--- AppArmor状态 ---"
if command -v aa-status &>/dev/null; then
    if aa-status 2>/dev/null | grep -q "apparmor module is loaded"; then
        # aa-status prints "N profiles are in enforce mode."; take N from that line
        enforce_count=$(aa-status 2>/dev/null | awk '/profiles are in enforce mode/ {print $1}')
        check_pass "AppArmor已加载,$enforce_count个策略在enforce模式"
    else
        check_fail "AppArmor未启用"
    fi
else
    check_fail "未安装AppArmor工具"
fi
echo ""
echo "===== 3 安全审计 ====="
echo "--- auditd状态 ---"
if systemctl is-active auditd &>/dev/null; then
    check_pass "auditd服务运行中"
    rule_count=$(auditctl -l 2>/dev/null | wc -l)
    [ "$rule_count" -ge 30 ] && check_pass "审计规则数量: $rule_count" || check_warn "审计规则较少: $rule_count"
else
    check_fail "auditd服务未运行"
fi
echo "--- 日志权限 ---"
if [ -f /var/log/audit/audit.log ]; then
    perm=$(stat -c '%a' /var/log/audit/audit.log)
    [ "$perm" -eq 600 ] && check_pass "审计日志权限正确(600)" || check_fail "审计日志权限不合规($perm)"
else
    check_warn "审计日志文件不存在"
fi
echo "--- 远程日志配置 ---"
if grep -rE '@\w+.*514' /etc/rsyslog* 2>/dev/null; then
    check_pass "已配置远程日志服务器"
else
    check_warn "未配置远程日志备份"
fi
echo ""
echo "===== 4 入侵防范 ====="
echo "--- 高危端口 ---"
high_risk=$(ss -tunlp 2>/dev/null | grep -E '0.0.0.0:23|0.0.0.0:111|0.0.0.0:513|0.0.0.0:514')
if [ -z "$high_risk" ]; then
    check_pass "未监听高危端口"
else
    check_fail "发现高危端口监听:"
    echo "$high_risk"
fi
echo "--- 待更新包 ---"
if command -v apt &>/dev/null; then
    updatable=$(apt list --upgradable 2>/dev/null | grep -c "upgradable")
    [ "$updatable" -eq 0 ] && check_pass "系统已最新" || check_warn "有 $updatable 个包可更新"
fi
echo "--- 防火墙状态 ---"
if command -v ufw &>/dev/null && ufw status 2>/dev/null | grep -q "Status: active"; then
    check_pass "UFW防火墙已启用"
elif command -v nft &>/dev/null && nft list ruleset 2>/dev/null | grep -q "hook input"; then
    check_pass "nftables防火墙已配置"
else
    check_fail "防火墙未启用"
fi
echo ""
echo "===== 5 恶意代码防范 ====="
echo "--- ClamAV状态 ---"
if systemctl is-active clamav-daemon &>/dev/null; then
    check_pass "ClamAV运行中"
    freshclam -V 2>/dev/null | head -1
else
    check_fail "ClamAV未运行"
fi
echo "--- Rootkit检测工具 ---"
if dpkg -l | grep -q "rkhunter"; then
    check_pass "已安装rkhunter"
else
    check_warn "未安装rkhunter"
fi
echo ""
echo "===== 6 可信验证 ====="
echo "--- Secure Boot ---"
if command -v mokutil &>/dev/null; then
    sb_state=$(mokutil --sb-state 2>&1)
    echo "$sb_state"
    echo "$sb_state" | grep -q "SecureBoot enabled" && check_pass "Secure Boot已启用" || check_warn "Secure Boot未启用"
else
    check_warn "无法检测Secure Boot状态"
fi
echo "--- TPM状态 ---"
if [ -d /sys/class/tpm/tpm0 ]; then
    check_pass "TPM设备存在"
    cat /sys/class/tpm/tpm0/tpm_version_major 2>/dev/null || echo "版本信息不可用"
else
    check_warn "未检测到TPM设备"
fi
echo ""
echo "===== 7 数据备份 ====="
echo "--- 备份任务 ---"
# Look for backup jobs in the root crontab and in the system cron directories
if crontab -l 2>/dev/null | grep -qi backup || grep -rqi backup /etc/cron* 2>/dev/null; then
    check_pass "已配置备份任务"
else
    check_warn "未配置备份任务"
fi
echo "--- 备份目录 ---"
if [ -d /backup ]; then
    perm=$(stat -c '%a' /backup)
    [ "$perm" -le 700 ] && check_pass "备份目录权限正确" || check_fail "备份目录权限过宽"
else
    check_warn "备份目录不存在"
fi
echo ""
echo "=========================================="
echo " 巡检完成"
echo "=========================================="
```
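The permission checks in the script above compare octal modes as decimal numbers (`[ "$pass_perm" -le 644 ]`). That passes 0601 against a 0640 ceiling even though 0601 grants world execute, and it cannot express "no setuid bit". The function below is an added example, not part of the original page: it compares modes as permission bits, so a file passes only when every bit it sets is also allowed by the ceiling. It reads modes with `stat -c '%a'` as the page does; the sample file is constructed.

```shell
#!/bin/sh
# Added example: bit-mask comparison of file modes instead of decimal comparison.

# mode_within <mode_octal> <max_octal>: 0 if <mode> sets no permission bit outside <max>
mode_within() {
    _m=$(printf '%d' "0$1") || return 2    # leading 0 makes printf parse the value as octal
    _x=$(printf '%d' "0$2") || return 2
    [ $(( _m & ~_x )) -eq 0 ]
}

# file_mode_ok <path> <max_octal>: apply mode_within to a real file
file_mode_ok() {
    mode_within "$(stat -c '%a' "$1")" "$2"
}

# check_mode <path> <max_octal>: one-line verdict in the style of the inspection script
check_mode() {
    if file_mode_ok "$1" "$2"; then
        echo "[PASS] $1 mode $(stat -c '%a' "$1") within $2"
    else
        echo "[FAIL] $1 mode $(stat -c '%a' "$1") exceeds $2"
    fi
}

# --- constructed sample file ---
TMPF=$(mktemp)
trap 'rm -f "$TMPF"' EXIT
chmod 600 "$TMPF"; check_mode "$TMPF" 640   # PASS: 0600 is a subset of 0640
chmod 601 "$TMPF"; check_mode "$TMPF" 640   # FAIL: world execute, although 601 <= 640 as a number
chmod 644 "$TMPF"; check_mode "$TMPF" 640   # FAIL: world read
```

For the page's baselines the calls would be `file_mode_ok /etc/passwd 644`, `file_mode_ok /etc/shadow 640`, `file_mode_ok /var/log/audit/audit.log 600` and `file_mode_ok /backup 700`; a setuid/setgid bit on any of them (e.g. mode 4755 against 755) is rejected as well.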
High-risk item checklist
| High-risk item | Check command |
|---|---|
| Empty-password accounts | awk -F: '$2==""{print $1}' /etc/shadow |
| Password complexity not enabled | grep pam_pwquality /etc/pam.d/common-password |
| Remote root login allowed | grep ^PermitRootLogin /etc/ssh/sshd_config |
| No login-failure lockout | grep pam_faillock /etc/pam.d/common-auth |
| Two-factor authentication missing | Interview + grep google-authenticator /etc/pam.d/sshd |
| AppArmor not enabled | aa-status |
| Auditing not enabled | systemctl is-active auditd |
| No anti-malware software | systemctl is-active clamav-daemon |
| Firewall not enabled | ufw status |
| Backups not configured | crontab -l \| grep backup |
Debian-specific security features
1. APT security mechanisms
```bash
# Show the APT security update sources
grep security /etc/apt/sources.list
# Configure automatic security updates
sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure unattended-upgrades
# Or edit /etc/apt/apt.conf.d/50unattended-upgrades
# Verify package origin and refresh the archive signing keys
apt-cache policy package_name
apt-get install --reinstall debian-archive-keyring
```
2. Needrestart check
```bash
# Install needrestart (finds services that need a restart after updates)
sudo apt install needrestart -y
sudo needrestart   # lists the services that must be restarted to apply updates
```
3. Debconf configuration management
```bash
# Show a package's configuration state
debconf-show package_name
# Reconfigure key services
sudo dpkg-reconfigure openssh-server
```
Version differences (Debian 10/11/12)
Assessment execution notes
1. Privilege requirements
- All commands must be run as root or through sudo
- Where possible, run some of the checks from a dedicated audit account
2. On-site verification focus
- Password policy: do not rely on the configuration alone; try to create a user with a weak password to confirm the policy is actually enforced
- AppArmor policies: check whether key business processes have custom profiles
- APT source integrity: confirm that only official or trusted mirrors are used
- Automatic updates: check that unattended-upgrades is configured and running
3. Comparison with Kylin/UOS
Quick command reference
```bash
# System information
cat /etc/debian_version                  # Debian version
uname -a                                 # kernel version
lsb_release -a                           # distribution information
dpkg --list | wc -l                      # number of installed packages
# Users and permissions
cat /etc/passwd                          # all users
cat /etc/shadow                          # password status
getent group sudo                        # sudo group members
lastlog                                  # last logins
faillock --user username                 # login failures of a user
# Network and security
ss -tunlp                                # listening ports
ufw status numbered                      # UFW rules
nft list ruleset                         # nftables rules
aa-status                                # AppArmor status
# System and logs
systemctl --failed                       # failed services
journalctl -xe                           # system journal
ausearch -ts today -k identity_changes   # search the audit log by key
tail -20 /var/log/auth.log               # authentication log
# Package management
apt update && apt upgrade                # update the system
apt list --upgradable                    # updatable packages
apt-cache policy package                 # package origin
debsums -s                               # verify installed file integrity
# Trusted computing
mokutil --sb-state                       # Secure Boot
dmesg | grep -i tpm                      # TPM status
grep ima /proc/cmdline                   # IMA enabled
```
Reference standards: GB/T 22239-2019, GB/T 28448-2019, Debian Security Guidelines
Applicable versions: Debian 10 (Buster), Debian 11 (Bullseye), Debian 12 (Bookworm)
Validation environment: x86_64, ARM64 and ARMhf architectures