If you would like this kind of assessment command checklist for other network devices, operating systems, databases or middleware, leave a comment and I will put one together and publish it as fast as I can.
Based on the Level 3 "Secure Computing Environment" clauses of GB/T 22239-2019 (Information security technology - Baseline for classified protection of cybersecurity), together with the Rocky Linux 8.x/9.x security guide, the CIS Rocky Linux Benchmark and field practice from several assessment organisations, this is a ready-to-run assessment command checklist.
Verified on Rocky Linux 8.9 / 9.3 in Minimal, Server and Server with GUI installs.
1. Identity authentication

Basic checks (run as root):
```bash
# Accounts with an empty password field (there must be none)
awk -F: '$2==""{print $1}' /etc/shadow
# Accounts whose password is locked ("!" or "!!" prefix)
awk -F: '$2~"^!"{print $1}' /etc/shadow
# Password ageing for one user and the system-wide defaults
chage -l username
grep -E 'PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_WARN_AGE' /etc/login.defs
# Complexity policy and the active authselect profile
cat /etc/security/pwquality.conf
authselect current
# Password history (pam_pwhistory remember=)
grep 'remember' /etc/pam.d/system-auth /etc/pam.d/password-auth
```
Rocky Linux (RHEL-family) specifics:
```bash
# Rocky 8/9 manage PAM through authselect (it replaces authconfig). pam_tally2 was removed in RHEL 8;
# login-failure lockout is done by pam_faillock.
authselect current
authselect list
# Effective password-quality settings (comments and blank lines stripped)
grep -vE '^#|^$' /etc/security/pwquality.conf
# Password status for one user
chage -l username
# Expiry information for every ordinary user (UID >= 1000; nobody is 65534 on RHEL 8+, so exclude it)
for user in $(awk -F: '$3>=1000 && $1!="nobody"{print $1}' /etc/passwd); do
    echo "=== $user ==="
    chage -l "$user" 2>/dev/null | head -5
done
# Is pam_faillock wired into the PAM stacks, and what are its limits?
grep 'pam_faillock' /etc/pam.d/system-auth /etc/pam.d/password-auth
grep -vE '^#|^$' /etc/security/faillock.conf
```
Remediation, not a check: enabling password history or lockout must not be done while collecting evidence, and the original `authselect select ... --force` would overwrite the site's PAM profile. On the profile already in use, enable the features instead and apply them:
```bash
authselect enable-feature with-pwhistory
authselect enable-feature with-faillock
authselect apply-changes
```
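The three files read above (login.defs, pwquality.conf, faillock.conf) are usually judged by hand. The script below is an added example written for this checklist, not code from the original page: it parses the relevant keys in both the `KEY value` and `KEY = value` forms and reports each value that misses a threshold. The thresholds (90-day maximum age, 12-character minimum, 3 character classes, lockout after 5 failures for at least 900 s) are assumptions modelled on CIS-style baselines rather than figures from GB/T 22239, and the three SAMPLE_* texts are constructed; on a real host pass `"$(cat /etc/login.defs)"` and so on instead.

```bash
#!/bin/bash
# Added example: compare password/lockout policy files against Level 3 style thresholds.
# Thresholds and SAMPLE_* inputs are assumptions, not part of the original checklist.

SAMPLE_LOGIN_DEFS='PASS_MAX_DAYS   99999
PASS_MIN_DAYS   0
PASS_WARN_AGE   7'

SAMPLE_PWQUALITY='# minimum length
minlen = 8
minclass = 2
dcredit = 0'

SAMPLE_FAILLOCK='deny = 5
unlock_time = 300'

# kv TEXT KEY -> value of KEY ("KEY value" or "KEY = value"); empty when absent
kv() {
    printf '%s\n' "$1" | sed -e 's/#.*//' | awk -v k="$2" '$1==k { v=$2; if (v=="=") v=$3; print v; exit }'
}

# require TEXT KEY OP LIMIT LABEL -> prints a finding when KEY is absent or "value OP LIMIT" is false
require() {
    local v
    v=$(kv "$1" "$2")
    if [ -z "$v" ]; then
        echo "$5: $2 not set (expected $3 $4)"
    elif ! [ "$v" "$3" "$4" ] 2>/dev/null; then
        echo "$5: $2=$v (expected $3 $4)"
    fi
}

# policy_findings LOGIN_DEFS PWQUALITY FAILLOCK -> one finding per line; nothing when compliant
policy_findings() {
    require "$1" PASS_MAX_DAYS -le 90  login.defs
    require "$1" PASS_MIN_DAYS -ge 1   login.defs
    require "$1" PASS_WARN_AGE -ge 7   login.defs
    require "$2" minlen        -ge 12  pwquality.conf
    require "$2" minclass      -ge 3   pwquality.conf
    require "$3" deny          -le 5   faillock.conf
    require "$3" unlock_time   -ge 900 faillock.conf
}

# policy_finding_count LOGIN_DEFS PWQUALITY FAILLOCK -> number of findings (0 == compliant)
policy_finding_count() {
    policy_findings "$@" | grep -c . || true
}

policy_findings "$SAMPLE_LOGIN_DEFS" "$SAMPLE_PWQUALITY" "$SAMPLE_FAILLOCK"
echo "findings: $(policy_finding_count "$SAMPLE_LOGIN_DEFS" "$SAMPLE_PWQUALITY" "$SAMPLE_FAILLOCK")"
```

Only the keys named in `policy_findings` are evaluated; anything else in the files (credit settings, `even_deny_root`, `fail_interval`) is still read by hand. Because `kv` strips comments before matching, a commented-out default such as `# minlen = 8` is correctly reported as "not set".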
Login failure handling and session timeout:
```bash
# Failed-login counters for a user (faillock replaces pam_tally2)
faillock --user username
# Shell idle timeout
echo "$TMOUT"
cat /etc/profile.d/tmout.sh
# SSH server-side idle disconnect. sshd -T prints the effective values, including
# /etc/ssh/sshd_config.d/ drop-ins on Rocky 9, which a grep of sshd_config alone misses.
grep -E 'ClientAliveInterval|ClientAliveCountMax' /etc/ssh/sshd_config
sshd -T 2>/dev/null | grep -iE 'clientalive'
```
Rocky Linux (RHEL-family) specifics:
```bash
# Rocky 8/9 use pam_faillock (pam_tally2 was removed in RHEL 8)
grep faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
grep -vE '^#|^$' /etc/security/faillock.conf
# Failure records for a user
faillock --user root
# faillock --user username --reset   # remediation only: clears the counter, never run it while collecting evidence
# Global shell timeout
cat /etc/profile.d/tmout.sh 2>/dev/null || grep TMOUT /etc/profile /etc/bashrc
# Remediation (not a check): standard tmout.sh, 600 s and read-only so users cannot unset it
cat > /etc/profile.d/tmout.sh << 'EOF'
TMOUT=600
readonly TMOUT
export TMOUT
EOF
# SSH hardening settings ("Protocol" is an SSH-1 era option that no longer exists, so it is dropped here)
grep -E 'PermitRootLogin|PasswordAuthentication|PubkeyAuthentication|ClientAlive|AllowUsers|AllowGroups|DenyUsers|DenyGroups' /etc/ssh/sshd_config
# Effective values after drop-ins, plus the negotiated algorithm lists
sshd -T 2>/dev/null | grep -iE 'permitrootlogin|passwordauthentication|pubkeyauthentication|clientalive|allowusers|allowgroups|^ciphers|^macs|^kexalgorithms'
systemctl status sshd
ss -tlnp | grep ':22'
# Telnet must not be installed
rpm -qa | grep telnet
dnf list installed telnet-server 2>/dev/null || echo "telnet-server not installed"
# cockpit: installed in Server installs, but the socket is only active if an admin enabled it
# (the login banner tells you to run systemctl enable --now cockpit.socket)
systemctl status cockpit.socket 2>/dev/null || echo "cockpit not enabled"
grep 'IdleTimeout' /etc/cockpit/cockpit.conf 2>/dev/null || echo "cockpit idle timeout not configured"
grep -E 'Origins|ProtocolHeader|ForwardTo' /etc/cockpit/cockpit.conf 2>/dev/null | head -5
# SCAP content (scap-security-guide) present?
rpm -qa | grep scap-security-guide
oscap info /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml 2>/dev/null || \
oscap info /usr/share/xml/scap/ssg/content/ssg-rl8-ds.xml 2>/dev/null || \
echo "SCAP security guide not installed"
```
High-risk items: Telnet enabled, root permitted to log in remotely, cockpit reachable without restriction, or SSH accepting weak algorithms. Any one of these is a direct Level 3 non-compliance.
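The SSH settings above are easiest to judge from `sshd -T`, which prints the effective configuration in lower case after merging any drop-ins. The script below is an added example written for this checklist, not code from the original page: it scores an `sshd -T` dump against the Level 3 expectations just listed (no remote root login, an idle timeout, no CBC/3DES/arcfour/blowfish ciphers, no MD5 or SHA-1 MACs, no SHA-1 key exchange). The SAMPLE dump and the weak-algorithm pattern are constructed assumptions; on a real host replace SAMPLE with `"$(sshd -T 2>/dev/null)"`.

```bash
#!/bin/bash
# Added example: score an `sshd -T` dump against Level 3 SSH expectations.
# SAMPLE is constructed (not captured from a real host) and WEAK_ALGO_RE is an assumption.

SAMPLE='permitrootlogin yes
passwordauthentication yes
pubkeyauthentication yes
clientaliveinterval 0
clientalivecountmax 3
ciphers aes128-ctr,aes256-gcm@openssh.com,3des-cbc
macs hmac-sha2-256-etm@openssh.com,hmac-md5
kexalgorithms curve25519-sha256,diffie-hellman-group14-sha1'

# ssh_get DUMP KEY -> value of KEY (sshd -T prints keywords in lower case, one per line)
ssh_get() {
    printf '%s\n' "$1" | awk -v k="$2" '$1==k {print $2; exit}'
}

# Algorithm names an assessor flags: CBC/3DES/arcfour/blowfish ciphers, MD5 and plain SHA-1 MACs,
# and any key exchange that ends in sha1 or uses the 1024-bit group1.
WEAK_ALGO_RE='cbc|3des|arcfour|blowfish|md5|sha1(-96)?$|group1-'

# weak_algos CSV -> each weak algorithm name on its own line (nothing when the list is clean)
weak_algos() {
    printf '%s\n' "$1" | tr ',' '\n' | grep -E "$WEAK_ALGO_RE" || true
}

# ssh_findings DUMP -> one finding per line; prints nothing when compliant
ssh_findings() {
    local dump="$1" v key a
    v=$(ssh_get "$dump" permitrootlogin)
    [ "$v" = "no" ] || echo "permitrootlogin=$v (expected no)"
    v=$(ssh_get "$dump" clientaliveinterval)
    [ -n "$v" ] && [ "$v" -gt 0 ] 2>/dev/null || echo "clientaliveinterval=$v (expected > 0 so idle sessions are dropped)"
    for key in ciphers macs kexalgorithms; do
        for a in $(weak_algos "$(ssh_get "$dump" "$key")"); do
            echo "$key contains weak algorithm $a"
        done
    done
}

# ssh_finding_count DUMP -> number of findings (0 == compliant)
ssh_finding_count() {
    ssh_findings "$1" | grep -c . || true
}

ssh_findings "$SAMPLE"
echo "findings: $(ssh_finding_count "$SAMPLE")"
```

`ssh_get` reads the negotiated lists exactly as sshd reports them, so a `Ciphers` line that was tightened in a drop-in but loosened again later in `sshd_config` is judged by the value the server actually uses. Extend `WEAK_ALGO_RE` if the assessor's algorithm list differs.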
Assessment method:
Interview: confirm whether logins combine a password with a smart card, hardware token or YubiKey.
Technical verification:
```bash
# Google Authenticator (TOTP) PAM module
grep google-authenticator /etc/pam.d/sshd /etc/pam.d/login
# YubiKey / U2F PAM modules and packages
grep -E 'yubico|yubikey|pam_u2f' /etc/pam.d/sshd
rpm -qa | grep -E 'google-authenticator|yubi|libu2f|pam_u2f|pam-u2f'
# Smart card (PKCS#11) and the pcscd CCID service
grep pam_pkcs11 /etc/pam.d/sshd
systemctl status pcscd 2>/dev/null || echo "pcscd smart-card service not running"
# Installed 2FA packages
rpm -qa | grep -E 'google-authenticator|yubikey|libu2f|pam_u2f'
# SSH key authentication in use?
ls -la /home/*/.ssh/authorized_keys 2>/dev/null | head -5
find /home -name "authorized_keys" -exec ls -la {} \; 2>/dev/null | head -5
# OpenSSH 8.2+ (shipped with Rocky 9) supports FIDO2 security keys (sk-ecdsa/sk-ed25519 key types);
# AuthenticationMethods is what actually enforces two factors (e.g. "publickey,keyboard-interactive")
grep -E 'AuthenticationMethods|PubkeyAuthOptions' /etc/ssh/sshd_config /etc/ssh/sshd_config.d/*.conf 2>/dev/null
```

2. Access control

```bash
# System accounts other than root (UID < 1000)
awk -F: '$3<1000 && $1!="root"{print $1}' /etc/passwd
```
```bash
# sudo policy (the wheel group is the default delegation on Rocky)
cat /etc/sudoers
ls -la /etc/sudoers.d/
# Permissions of the account databases (RHEL-family defaults: 644 passwd/group, 000 shadow/gshadow)
stat -c '%a %n' /etc/passwd /etc/shadow /etc/group /etc/gshadow
# Default umask (CIS asks for 027 or stricter)
grep -r 'umask' /etc/profile.d/ /etc/profile /etc/bashrc 2>/dev/null
```
Rocky Linux (RHEL-family) specifics:
```bash
# Default sudo delegation via the wheel group
grep '%wheel' /etc/sudoers
grep '%wheel' /etc/sudoers.d/* 2>/dev/null | head -3
# Effective sudo rights for one user
sudo -l -U username
# polkit: RHEL 8/9 use JavaScript rules under rules.d; the old localauthority .conf layout no longer exists
ls -la /etc/polkit-1/rules.d/ /usr/share/polkit-1/rules.d/ 2>/dev/null | head -20
rpm -qa | grep polkit
# Ownership and mode of the account databases
stat -c '%a %U:%G %n' /etc/passwd /etc/shadow /etc/group /etc/gshadow
# fapolicyd application allow-listing (optional on Rocky; required by some STIG profiles). rules.d is a directory, so list it.
systemctl status fapolicyd 2>/dev/null || echo "fapolicyd not enabled"
ls /etc/fapolicyd/rules.d/ 2>/dev/null | head -5
# SELinux (Enforcing by default)
getenforce
sestatus
grep -E '^SELINUX=|^SELINUXTYPE=' /etc/selinux/config
# Stock system accounts must be locked or shell-less. Names such as proxy, www-data, list, irc and gnats are
# Debian accounts and do not exist on Rocky; the stock entries here are accounts like games, ftp, operator, lp.
for user in games ftp operator lp news uucp; do
    passwd -S "$user" 2>/dev/null | grep -E ' LK | NP ' && echo "$user: locked or no password"
done
# Accounts without an interactive shell
awk -F: '$7~/nologin$|\/bin\/false$/{print $1}' /etc/passwd | head -10
# Remediation (not a check): lock an account that is not needed
# passwd -l games
# Inactivity period applied to new accounts (INACTIVE=-1 means never disabled after expiry; CIS wants 30 or less)
useradd -D | grep INACTIVE
grep INACTIVE /etc/default/useradd
# SELinux detail: the same mandatory access control as RHEL/CentOS
sestatus | grep 'Loaded policy name'
getsebool -a | grep -E 'ssh|http|ftp|nfs|samba' | head -20
# File and process security contexts
ls -Z /etc/passwd /etc/shadow /var/www/html 2>/dev/null | head -5
ps -eZ | grep -E 'sshd|httpd|crond' | head -5
# AVC denials logged today
ausearch -m avc,user_avc,selinux_err -ts today 2>/dev/null | tail -10
grep 'type=AVC' /var/log/audit/audit.log 2>/dev/null | tail -5
sealert -a /var/log/audit/audit.log 2>/dev/null | head -10 || echo "setroubleshoot not installed"
# SELinux user confinement (Linux login -> SELinux user mapping)
semanage login -l 2>/dev/null | head -10
semanage user -l 2>/dev/null | head -10
```

3. Security audit

```bash
systemctl is-active auditd && systemctl is-enabled auditd
```
```bash
# Number of loaded audit rules
auditctl -l | wc -l
# Log rotation settings (also look at max_log_file_action and space_left_action: they decide whether
# the host keeps auditing, rotates, or stops when the log fills)
grep -E 'max_log_file|num_logs|max_log_file_action|space_left_action' /etc/audit/auditd.conf
# Audit log ownership and mode (expected 600 root:root)
stat -c '%a %U:%G' /var/log/audit/audit.log
```
Rocky Linux (RHEL-family) specifics:
```bash
# auditd is enabled by default (same as RHEL)
systemctl status auditd
systemctl is-enabled auditd
# Loaded rules
auditctl -l 2>/dev/null | wc -l
auditctl -l 2>/dev/null | head -20
# Rule files (augenrules merges /etc/audit/rules.d/*.rules into /etc/audit/audit.rules at start-up)
ls -la /etc/audit/rules.d/
cat /etc/audit/rules.d/audit.rules 2>/dev/null || cat /etc/audit/audit.rules
# Sample rule sets shipped with the audit package (30-stig.rules, 40-local.rules ...); the directory depends on the audit version
ls /usr/share/audit/sample-rules/ /usr/share/doc/audit/rules/ 2>/dev/null | head -20
# Summary reports
aureport --summary 2>/dev/null | head -20
aureport --login --summary -i 2>/dev/null | head -10
aureport --user -i --summary 2>/dev/null | head -10
# Recent AVC denials (SELinux logs through auditd)
ausearch -m avc -ts recent 2>/dev/null | tail -10
# Audit dispatcher plugins (syslog forwarding etc.). plugins.d is a directory: list it and read the active= lines
ls /etc/audit/plugins.d/ 2>/dev/null
grep -H '^active' /etc/audit/plugins.d/*.conf 2>/dev/null

# System logging: rsyslog plus journald
grep -vE '^#|^$' /etc/rsyslog.conf | head -20
ls -la /etc/rsyslog.d/
# Remote forwarding (@host is UDP, @@host is TCP; newer configs use omfwd/omrelp actions)
grep -E '@|omfwd|omrelp' /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>/dev/null | head -5
# journald settings
grep -vE '^#|^$' /etc/systemd/journald.conf
grep Storage /etc/systemd/journald.conf   # should be persistent; "auto" (the default) persists only if /var/log/journal exists
ls -d /var/log/journal 2>/dev/null
journalctl --disk-usage
# Retention policy is read from journald.conf. journalctl --vacuum-time=6months DELETES entries older than
# six months: it is a remediation, not a check, and must not be run during evidence collection.
grep -E 'MaxRetentionSec|SystemMaxUse' /etc/systemd/journald.conf
# Log file permissions
ls -la /var/log/ | head -15
stat -c '%a %U:%G %n' /var/log/messages /var/log/secure /var/log/audit/audit.log 2>/dev/null
# logrotate (enabled by default)
grep -vE '^#|^$' /etc/logrotate.conf | head -10
ls /etc/logrotate.d/ | head -10
# systemd-coredump (core dumps can contain credentials; Storage=none or ProcessSizeMax=0 disables them)
grep -vE '^#|^$' /etc/systemd/coredump.conf 2>/dev/null | head -10
```

4. Intrusion prevention

```bash
dnf check-update 2>/dev/null | wc -l
```
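Counting rules with `auditctl -l | wc -l` says nothing about what they cover. The script below is an added example written for this checklist, not code from the original page: it reads an `auditctl -l` dump and reports the coverage a Level 3 assessor asks for, namely `-w ... -p wa` watches on the identity files, sudoers and login records, `always,exit` syscall rules for time changes and kernel module loading, and an immutable (`-e 2`) rule set. The list of required paths and syscalls is an assumption drawn from the STIG/CIS sample rules, and SAMPLE is constructed; on a real host use `"$(auditctl -l)"`.

```bash
#!/bin/bash
# Added example: check an `auditctl -l` dump for Level 3 audit coverage.
# SAMPLE is constructed; the required paths/syscalls are an assumption, adjust to your baseline.

SAMPLE='-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k scope
-w /var/log/lastlog -p wa -k logins
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
-a always,exit -F arch=b64 -S init_module,finit_module -F key=modules
-e 2'

# has_watch RULES PATH -> 0 if PATH has a -w rule whose -p permissions include both w and a
has_watch() {
    printf '%s\n' "$1" | awk -v p="$2" '
        $1=="-w" && $2==p { for (i=3;i<=NF;i++) if ($i=="-p" && $(i+1) ~ /w/ && $(i+1) ~ /a/) ok=1 }
        END { exit ok ? 0 : 1 }'
}

# has_syscall RULES NAME -> 0 if some always,exit rule lists NAME (comma-separated -S lists are split)
has_syscall() {
    printf '%s\n' "$1" | awk -v s="$2" '
        $1=="-a" && $2 ~ /always,exit|exit,always/ {
            for (i=3;i<=NF;i++) if ($i=="-S") { n=split($(i+1), a, ","); for (j=1;j<=n;j++) if (a[j]==s) ok=1 }
        }
        END { exit ok ? 0 : 1 }'
}

# immutable RULES -> 0 if the rule set is locked with "-e 2" (changes then need a reboot)
immutable() {
    printf '%s\n' "$1" | grep -qE '^-e 2$'
}

# audit_gaps RULES -> one line per missing item; prints nothing when coverage is complete
audit_gaps() {
    local rules="$1" p s
    for p in /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/sudoers /etc/sudoers.d /var/log/lastlog /var/run/faillock; do
        has_watch "$rules" "$p" || echo "no -w $p -p wa rule"
    done
    for s in adjtimex settimeofday clock_settime init_module finit_module delete_module; do
        has_syscall "$rules" "$s" || echo "no always,exit rule for syscall $s"
    done
    immutable "$rules" || echo "rules not immutable (-e 2 missing)"
}

# audit_gap_count RULES -> number of gaps (0 == complete)
audit_gap_count() {
    audit_gaps "$1" | grep -c . || true
}

audit_gaps "$SAMPLE"
echo "gaps: $(audit_gap_count "$SAMPLE")"
```

Only `arch=b64` rules are written in the sample; on a host that can run 32-bit binaries the same syscalls also need `-F arch=b32` rules, which this check does not distinguish. The `-e 2` test only tells you the rules are locked, not that they loaded without error: check `augenrules --check` and the auditd journal for that.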
```bash
# Security errata (see the note on repository metadata below)
dnf updateinfo list security 2>/dev/null
# Enabled services beyond the expected base set
systemctl list-unit-files --state=enabled | grep -vE 'ssh|audit|rsyslog|cron|systemd'
# Listening sockets. UDP sockets are shown as UNCONN, not LISTEN, so do not filter on LISTEN when UDP services matter
ss -tulnp
```
Rocky Linux (RHEL-family) specifics:
```bash
# Updatable packages (the line count includes header and blank lines; dnf check-update exits 100 when updates exist)
dnf check-update 2>/dev/null | wc -l | xargs -I {} echo "updatable package lines: {}"
# Security errata. Rocky publishes updateinfo metadata in its repositories; if this prints nothing, confirm that the
# configured repos actually carry updateinfo (dnf updateinfo summary) before concluding there are no security updates.
dnf updateinfo list security 2>/dev/null | head -20
dnf updateinfo summary 2>/dev/null
# Installed package count and release
rpm -qa | wc -l
grep -E 'NAME|VERSION|ID_LIKE' /etc/os-release
cat /etc/redhat-release 2>/dev/null || cat /etc/rocky-release
# Enabled services beyond the expected base set
systemctl list-unit-files --state=enabled | grep -vE 'ssh|audit|rsyslog|cron|systemd|chrony|NetworkManager|firewalld' | head -20
# High-risk listeners: telnet 23, rpcbind 111, rlogin/rsh 513/514, NFS 2049
ss -tulnp | grep -E ':(23|111|513|514|2049)\b'
# Kernel live patching. The kpatch tooling (kpatch-dnf) is packaged, but the live patches themselves (kpatch-patch-*)
# are built by Red Hat for RHEL; confirm your Rocky repositories provide any before relying on this control.
systemctl status kpatch 2>/dev/null || echo "kpatch not enabled"
dnf list installed kpatch-dnf 2>/dev/null || echo "kpatch not installed"
# BPF tooling present (useful for detection, but also a capability an intruder can use)
rpm -qa | grep -E 'bcc-tools|bpftrace' | head -5

# Firewall: firewalld with the nftables backend (Rocky 8 and 9)
systemctl status firewalld
firewall-cmd --state
firewall-cmd --get-default-zone
firewall-cmd --get-active-zones
firewall-cmd --list-all
firewall-cmd --list-all-zones | head -50
firewall-cmd --list-rich-rules
# Direct rules (iptables-style passthrough; deprecated in the firewalld shipped with Rocky 9)
firewall-cmd --direct --get-all-rules
nft list ruleset 2>/dev/null | head -30
iptables -L -n -v 2>/dev/null | head -10   # iptables-nft compatibility view of the same ruleset
# TCP wrappers were removed in RHEL 8: hosts.allow/hosts.deny are ignored on Rocky 8/9, so content here is legacy only
cat /etc/hosts.allow /etc/hosts.deny 2>/dev/null
# fail2ban (from EPEL)
systemctl status fail2ban 2>/dev/null || echo "fail2ban not running"
fail2ban-client status 2>/dev/null
fail2ban-client status sshd 2>/dev/null
# fapolicyd application allow-listing
systemctl status fapolicyd 2>/dev/null || echo "fapolicyd not enabled"
grep -vE '^#|^$' /etc/fapolicyd/fapolicyd.conf 2>/dev/null | head -10
fapolicyd-cli --list 2>/dev/null | head -10
# Secure Boot
mokutil --sb-state 2>/dev/null || echo "Secure Boot not enabled or mokutil not installed"
bootctl status 2>/dev/null | head -10
# Kernel hardening sysctls and boot parameters
sysctl -a 2>/dev/null | grep -E 'icmp_echo_ignore_all|rp_filter|syncookies|kptr_restrict' | head -10
cat /proc/cmdline
# Module loading. modules_disabled=1 blocks all further module loading; it is NOT a signature check.
# Signature enforcement is reported by sig_enforce (forced on when Secure Boot is active).
sysctl kernel.modules_disabled 2>/dev/null
cat /sys/module/module/parameters/sig_enforce 2>/dev/null
# Kernel lockdown lives under securityfs, not /proc/sys
cat /sys/kernel/security/lockdown 2>/dev/null || echo "lockdown not available"
# IMA/EVM integrity measurement
head -5 /sys/kernel/security/ima/ascii_runtime_measurements 2>/dev/null
dmesg | grep -iE 'ima|evm' | head -5
# Signature fields of one loaded module
modinfo "$(lsmod | awk 'NR==2{print $1}')" 2>/dev/null | grep -E 'sig|signer'
```

5. Malware protection

```bash
rpm -qa | grep clamav
```
```bash
# On Rocky the EPEL packages install the scanner as the clamd@scan instance
systemctl is-active clamd@scan 2>/dev/null || systemctl is-active clamd
# Engine and signature-database version
freshclam --version
# clamav-daemon is the Debian unit name; on Rocky this normally reports "inactive" even when clamd@scan is running
systemctl is-active clamav-daemon
```
Rocky Linux (RHEL-family) specifics:
```bash
# ClamAV (from EPEL)
rpm -qa | grep clamav | head -5
systemctl status clamd@scan 2>/dev/null || systemctl status clamd 2>/dev/null || echo "clamd not running"
# Signature database: version, age and update schedule
freshclam --version 2>/dev/null
sigtool -i /var/lib/clamav/daily.cld 2>/dev/null | head -5   # or daily.cvd
cat /etc/cron.d/clamav-update 2>/dev/null
grep -vE '^#|^$' /etc/sysconfig/freshclam 2>/dev/null | head -5
systemctl status clamav-freshclam 2>/dev/null
# Manual database update changes state on the host; treat it as remediation
# freshclam
# Rootkit scanners
rpm -qa | grep rkhunter
rkhunter --check --sk 2>/dev/null | tail -20
rpm -qa | grep chkrootkit
# OpenSCAP compliance scan with the CIS profile
rpm -qa | grep openscap-scanner
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml 2>/dev/null | tail -20 || \
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis /usr/share/xml/scap/ssg/content/ssg-rl8-ds.xml 2>/dev/null | tail -20 || \
echo "SCAP scan not run or content not installed"
# AIDE file integrity: configuration and whether a baseline database exists
rpm -qa | grep aide
grep -vE '^#|^$' /etc/aide.conf 2>/dev/null | head -20
ls -la /var/lib/aide/ 2>/dev/null
```

6. Trusted verification

```bash
dmesg | grep -i tpm
```
```bash
mokutil --sb-state
cat /proc/sys/kernel/modules_disabled
# Files that differ from the RPM database. Column 3 = '5' means the digest changed;
# a lone 'T' is an mtime change and is usually noise.
rpm -Va 2>/dev/null | head -20
```
Rocky Linux (RHEL-family) specifics:
```bash
# TPM presence
dmesg | grep -iE 'tpm|trusted platform'
ls /dev/tpm* 2>/dev/null
# Secure Boot. There is no /proc/sys/kernel/secure_boot; the kernel reports the state in dmesg.
mokutil --sb-state 2>/dev/null || echo "Secure Boot not enabled"
bootctl status 2>/dev/null | grep -E 'SecureBoot|SetupMode'
dmesg | grep -i 'secure boot'
# RPM verification: filter on a digest mismatch ('5' in column 3), not on mtime alone
rpm -Va 2>/dev/null | grep -E '^..5' | head -20
rpm -V coreutils bash kernel systemd 2>/dev/null | head -10
# Confirm key packages carry the distribution signature
rpm -qi bash coreutils | grep -E '^(Name|Signature)'
# Module signature fields
modinfo "$(lsmod | awk 'NR==2{print $1}')" 2>/dev/null | grep -E 'sig|signer|integ'
# IMA appraisal policy
head -5 /sys/kernel/security/ima/policy 2>/dev/null
# Lynis host audit
rpm -qa | grep lynis
lynis audit system --quick 2>/dev/null | grep -E 'Warning|Suggestion' | head -20
# OpenSCAP STIG profile
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml 2>/dev/null || \
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig /usr/share/xml/scap/ssg/content/ssg-rl8-ds.xml 2>/dev/null
```

7. Data backup

```bash
cat /etc/cron.d/backup 2>/dev/null | grep -i backup
```
```bash
# Backup software present
rpm -qa | grep -E 'rear|bacula|amanda|restic|borg'
# Backup directory ownership and mode (/backup is the example path used on this page)
stat -c '%a %U:%G' /backup
# Confirm today's archive is readable
tar -tzf /backup/etc-$(date +%F).tar.gz | wc -l
```
Rocky Linux (RHEL-family) specifics:
```bash
# Backup jobs
cat /etc/cron.d/backup 2>/dev/null || crontab -l | grep backup
# ReaR (Relax-and-Recover), the bare-metal recovery tool in the base repos
rpm -qa | grep rear
grep -vE '^#|^$' /etc/rear/local.conf 2>/dev/null | head -20
rear -V 2>/dev/null
# Timeshift (desktop installs)
rpm -qa | grep timeshift
timeshift --list 2>/dev/null | head -10
# Bacula / Amanda (enterprise)
rpm -qa | grep -E 'bacula|amanda'
# rsync jobs
crontab -l | grep rsync
cat /etc/cron.d/*rsync* 2>/dev/null | head -10
# restic / borg repositories (paths are examples; use the site's real repository paths)
restic snapshots -r /backup/restic 2>/dev/null | head -5
borg list /backup/borg 2>/dev/null | head -5
# Verify an archive can be read back
tar -tzf /backup/etc-$(date +%F).tar.gz 2>/dev/null | wc -l
# ReaR: build the rescue image; the recovery itself is only run when booted from the rescue media
rear -v mkrescue 2>/dev/null | tail -10
# rear -v recover
# Commercial backup agents
rpm -qa | grep -iE 'NBU|NetWorker|TSM|netbackup'

# OpenSCAP (same content and tooling as RHEL)
ls /usr/share/xml/scap/ssg/content/ 2>/dev/null | grep -E 'rl8|rl9' | head -10
oscap info /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml 2>/dev/null | head -30 || \
oscap info /usr/share/xml/scap/ssg/content/ssg-rl8-ds.xml 2>/dev/null | head -30
# CIS benchmark scan with machine-readable results and an HTML report
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis \
    --results /tmp/oscap-results.xml \
    --report /tmp/oscap-report.html \
    /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml 2>/dev/null || \
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis \
    /usr/share/xml/scap/ssg/content/ssg-rl8-ds.xml 2>/dev/null
# STIG scan
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig \
    /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml 2>/dev/null || \
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig \
    /usr/share/xml/scap/ssg/content/ssg-rl8-ds.xml 2>/dev/null
# Generate a bash remediation script from the CIS profile (review it before running; it changes the system)
oscap xccdf generate fix --fix-type bash --profile xccdf_org.ssgproject.content_profile_cis \
    /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml 2>/dev/null > /tmp/cis-fix.sh

# systemd service sandboxing. systemd-analyze security needs systemd 240+, so it works on Rocky 9
# but not on Rocky 8 (systemd 239); the systemctl show queries work on both.
systemd-analyze security 2>/dev/null | head -30
systemd-analyze security sshd.service 2>/dev/null
systemd-analyze security httpd.service 2>/dev/null
# Resource and network limits
systemctl show sshd.service -p MemoryMax -p CPUQuotaPerSecUSec -p IPAddressDeny 2>/dev/null
# Private namespaces
systemctl show sshd.service -p PrivateTmp -p PrivateDevices -p PrivateNetwork 2>/dev/null
# Capability bounding set and privilege escalation
systemctl show sshd.service -p CapabilityBoundingSet -p NoNewPrivileges 2>/dev/null
# Filesystem protection
systemctl show sshd.service -p ProtectSystem -p ProtectHome -p ProtectKernelTunables 2>/dev/null

# Kernel live patching (kpatch). The tooling installs from the base repos; the live-patch packages
# (kpatch-patch-*) are built by Red Hat for RHEL, so check whether your Rocky repos provide any at all.
rpm -qa | grep kpatch
dnf list installed kpatch-dnf 2>/dev/null
systemctl status kpatch
kpatch list 2>/dev/null
dnf list available 'kpatch-patch*' 2>/dev/null | head -10
# Applying a live patch is remediation, not a check:
# kpatch install <patch-module.ko>
```

One-shot inspection script:
```bash
#!/bin/bash
# Rocky Linux Level 3 one-shot inspection script
# Tested on Rocky Linux 8.9 / 9.3; run as root
echo "===== Rocky Linux classified-protection inspection report ====="
echo "Time: $(date '+%Y-%m-%d %H:%M:%S')"
echo "Host: $(hostname)"
echo "Release: $(grep PRETTY_NAME /etc/os-release | cut -d'"' -f2)"
echo ""
echo "===== 1 Identity authentication ====="
echo "--- Empty passwords ---"
awk -F: '$2==""{print "empty-password account: "$1}' /etc/shadow
echo "--- Locked accounts ---"
awk -F: '$2~"^!"{print "locked account: "$1}' /etc/shadow | head -5
echo "--- Password ageing ---"
grep -E 'PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_WARN_AGE' /etc/login.defs 2>/dev/null | head -3
echo "--- Password complexity ---"
grep -E 'minlen|minclass' /etc/security/pwquality.conf 2>/dev/null | head -3
echo "--- Login failure lockout ---"
grep -vE '^#|^$' /etc/security/faillock.conf 2>/dev/null | head -5
echo "--- SSH configuration ---"
grep -E 'PermitRootLogin|PasswordAuthentication|ClientAlive' /etc/ssh/sshd_config 2>/dev/null | head -5
echo "--- authselect profile ---"
authselect current 2>/dev/null | head -3
echo ""
echo "===== 2 Access control ====="
echo "--- System accounts ---"
awk -F: '$3<1000 && $1!="root"{print "system account: "$1}' /etc/passwd | head -10
echo "--- sudo ---"
grep '%wheel' /etc/sudoers 2>/dev/null | head -3
ls -la /etc/sudoers.d/ 2>/dev/null | head -3
echo "--- Key file permissions ---"
stat -c '%a %n' /etc/passwd /etc/shadow /etc/group /etc/gshadow 2>/dev/null
echo "--- SELinux ---"
getenforce 2>/dev/null || echo "SELinux not enabled"
sestatus 2>/dev/null | head -3
echo "--- fapolicyd ---"
systemctl is-active fapolicyd 2>/dev/null || echo "fapolicyd not running"
echo ""
echo "===== 3 Security audit ====="
echo "--- auditd ---"
systemctl is-active auditd 2>/dev/null && systemctl is-enabled auditd 2>/dev/null
echo "--- Audit rule count ---"
auditctl -l 2>/dev/null | wc -l | xargs -I {} echo "audit rules: {}"
echo "--- journald ---"
grep -vE '^#|^$' /etc/systemd/journald.conf 2>/dev/null | head -5
echo "--- Audit log permissions ---"
ls -la /var/log/audit/audit.log 2>/dev/null || echo "audit log not found"
echo ""
echo "===== 4 Intrusion prevention ====="
echo "--- Pending updates ---"
dnf check-update 2>/dev/null | wc -l | xargs -I {} echo "updatable package lines: {}"
echo "--- Security errata ---"
dnf updateinfo list security 2>/dev/null | wc -l | xargs -I {} echo "security advisories: {}"
echo "--- High-risk ports ---"
ss -tulnp 2>/dev/null | grep -E '0.0.0.0:(23|111|513)\b' || echo "no high-risk ports exposed"
echo "--- firewalld ---"
systemctl is-active firewalld 2>/dev/null || echo "firewalld not running"
firewall-cmd --state 2>/dev/null
echo "--- Secure Boot ---"
mokutil --sb-state 2>/dev/null || echo "cannot determine Secure Boot state"
echo "--- kpatch ---"
systemctl is-active kpatch 2>/dev/null || echo "kpatch not running"
echo ""
echo "===== 5 Malware protection ====="
echo "--- ClamAV packages ---"
rpm -qa 2>/dev/null | grep clamav | head -3
echo "--- ClamAV service ---"
systemctl is-active clamd@scan 2>/dev/null || systemctl is-active clamd 2>/dev/null || echo "clamd not running"
echo "--- Signature database ---"
freshclam --version 2>/dev/null || echo "freshclam not installed"
echo "--- SCAP content ---"
ls /usr/share/xml/scap/ssg/content/ 2>/dev/null | grep -E 'rl8|rl9' | wc -l | xargs -I {} echo "SCAP content files: {}"
echo ""
echo "===== 6 Trusted verification ====="
echo "--- TPM ---"
dmesg 2>/dev/null | grep -i tpm | head -3
echo "--- RPM verification ---"
rpm -Va 2>/dev/null | grep -c '^..5' | xargs -I {} echo "files with changed digest: {}"
echo "--- Module loading ---"
cat /proc/sys/kernel/modules_disabled 2>/dev/null || echo "not configured"
echo ""
echo "===== 7 Data backup ====="
echo "--- Backup jobs ---"
crontab -l 2>/dev/null | grep -i backup || echo "no backup job in root crontab"
if ls /etc/cron.d/*backup* >/dev/null 2>&1; then ls /etc/cron.d/*backup* | head -3; else echo "no backup job in /etc/cron.d"; fi
echo "--- ReaR ---"
rpm -qa 2>/dev/null | grep rear | head -3
echo "--- Backup directory ---"
stat -c '%a %U:%G' /backup 2>/dev/null || echo "backup directory does not exist"
echo ""
echo "===== 8 RHEL-family extras ====="
echo "--- OpenSCAP ---"
oscap --version 2>/dev/null | head -1 || echo "OpenSCAP not installed"
echo "--- systemd service sandboxing (Rocky 9 only) ---"
systemd-analyze security 2>/dev/null | tail -5 || echo "systemd-analyze security unavailable"
echo "--- Release ---"
cat /etc/redhat-release 2>/dev/null || cat /etc/rocky-release 2>/dev/null || grep PRETTY_NAME /etc/os-release
echo ""
echo "===== Inspection complete ====="
```

High-risk items and how to confirm and fix them:

| High-risk item | Check command | Remediation |
|---|---|---|
| Empty-password account | `awk -F: '$2==""{print $1}' /etc/shadow` | Set a password or lock the account (`passwd -l user`) |
| Password complexity not enforced | `cat /etc/security/pwquality.conf` | Set minlen/minclass in /etc/security/pwquality.conf (pam_pwquality is already in the authselect profiles) |
| No lockout after failed logins | `cat /etc/security/faillock.conf` | `authselect enable-feature with-faillock && authselect apply-changes`; set deny= and unlock_time= in faillock.conf |
| Remote root login | `grep ^PermitRootLogin /etc/ssh/sshd_config` | `PermitRootLogin no`, then `systemctl restart sshd` |
| SELinux not enforcing | `getenforce` | SELINUX=enforcing in /etc/selinux/config and reboot (`setenforce 1` lasts only until reboot) |
| Auditing not enabled | `systemctl is-active auditd` | `systemctl enable --now auditd` |
| firewalld not running | `firewall-cmd --state` | `systemctl enable --now firewalld` |
| Security updates not applied | `dnf updateinfo list sec` | `dnf update --security` |
| Secure Boot disabled | `mokutil --sb-state` | Enable Secure Boot in the UEFI firmware setup (no OS-side command) |
| fapolicyd not enabled | `systemctl is-active fapolicyd` | `dnf install fapolicyd && systemctl enable --now fapolicyd` (test with permissive = 1 first) |
| No backup configured | `crontab -l \| grep backup` | Schedule a backup job (cron or systemd timer) and test a restore |
1. Privilege requirements
All commands must run as root.
Switch with sudo or su -.
SCAP scans may need extra content packages (openscap-scanner, scap-security-guide).
2. Field verification focus
SELinux: Enforcing by default on Rocky; check whether it was disabled by hand and whether /etc/selinux/config matches the running mode.
SCAP compliance: use the OpenSCAP tooling and content Rocky ships to run a CIS or STIG scan and produce a compliance report.
Kernel live patching: the kpatch tooling is available, but live-patch packages are a Red Hat deliverable for RHEL; confirm they exist in your repositories before crediting this control.
systemd security: use systemd-analyze security to review service sandboxing (Rocky 9; the systemd 239 in Rocky 8 lacks this verb).
Application allow-listing: enable fapolicyd on critical business hosts to restrict which executables may run.
3. Version differences
Rocky 8.x: based on RHEL 8, kernel 4.18, systemd 239; sshd reads only /etc/ssh/sshd_config.
Rocky 9.x: based on RHEL 9, kernel 5.14, systemd 250+; sshd_config.d drop-ins, systemd-analyze security, and newer SELinux and firewalld releases.
Migration: Rocky documents no in-place upgrade from 8 to 9; plan a reinstall, or test a community leapp-based upgrade before using it in production.
Quick command reference:
```bash
# DNF package management (dnf replaces yum)
dnf check-update           # list pending updates
dnf update                 # update the system
dnf update --security      # security updates only
dnf install package
dnf remove package
dnf info package
dnf history                # transaction history
# systemd service management
systemctl status service
systemctl start service
systemctl stop service
systemctl enable service   # start at boot
systemctl disable service
systemctl list-unit-files --state=enabled
# firewalld
firewall-cmd --state
firewall-cmd --get-active-zones
firewall-cmd --list-all
firewall-cmd --add-service=http --permanent
firewall-cmd --reload
# SELinux
getenforce                 # current mode
setenforce 0|1             # temporary (0 = Permissive, 1 = Enforcing); does not survive a reboot
sestatus                   # detailed status
semanage login -l          # Linux user -> SELinux user mapping
semanage user -l           # SELinux users
restorecon -Rv /path       # restore default contexts
chcon -t type /path        # set a context by hand
# OpenSCAP
oscap info content.xml
oscap xccdf eval --profile cis content.xml
oscap xccdf generate report result.xml > report.html
# Logs
journalctl -u service
journalctl -f
journalctl --since "1 hour ago"
journalctl --vacuum-time=1month   # deletes entries older than one month
# Kernel
uname -r
rpm -qa | grep kernel
dnf install kernel
grub2-set-default 0        # default boot entry
# Backup and recovery (ReaR)
rear mkrescue              # build the rescue image
rear mkbackup              # rescue image plus backup
rear recover               # run from the rescue environment
```
Reference standards: GB/T 22239-2019, GB/T 28448-2019, CIS Rocky Linux Benchmark 8/9, DISA STIG for RHEL 8/9, Rocky Linux Security Guide
Applies to: Rocky Linux 8.9 / 9.3
Verified on: Minimal / Server / Server with GUI / virtualised / container cloud