等保测评命令——Fedora Linux
- 2026-03-25 00:05:42
等保测评命令——Fedora Linux
汪汪虚拟空间等保测评命令——PostgreSQL数据库 2026-02-11 等保测评命令——Oracle数据库 2026-02-12 等保测评命令——OceanBase数据库 2026-02-13 等保测评命令——华为 GaussDB 系列 2026-02-14 等保测评命令——MySQL数据库 2026-02-21 等保测评命令——DB2数据库 2026-02-22 等保测评命令——华为网络设备 2026-02-23 等保测评命令——锐捷网络设备 2026-02-24 等保测评命令——华三(H3C)网络设备 2026-02-25 等保测评命令——思科网络设备 2026-02-26
各位大佬,想看那种网络设备/操作系统/数据库/中间件的测评命令清单,可在留言区留言,我会以最快速度给你们总结,然后发出来!
依据 GB/T 22239-2019《信息安全技术 网络安全等级保护基本要求》第三级"安全计算环境" 条款,结合 Fedora Linux 38/39/40 官方安全指南、CIS Fedora Benchmark 及多家测评机构现场实践,给出可直接落地的 测评命令清单。
已在 Fedora Linux 38 / 39 / 40 (Workstation/Server/Silverblue) 环境验证通过,支持 RPM-OSTree / Traditional / IoT 多种部署模式。
一、身份鉴别(8.1.4.1)
1.1 账户唯一性与密码策略
awk -F: '$2==""{print $1}' /etc/shadow | ||
awk -F: '$2~"^!"{print $1}' /etc/shadow | ||
chage -l usernamegrep -E 'PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_WARN_AGE' /etc/login.defs | ||
cat /etc/security/pwquality.confauthselect current | ||
grep 'remember' /etc/pam.d/system-auth /etc/pam.d/password-auth |
Fedora特有配置:
# Fedora使用authselect管理PAM配置(与RHEL/Rocky一致,但默认配置更严格)# 查看当前authselect配置authselect currentauthselect list# 查看详细PAM配置cat /etc/authselect/system-auth | head -20# 查看密码策略(Fedora默认启用严格策略)cat /etc/security/pwquality.conf | grep -v '^#' | grep -v '^$'# 查看特定用户密码状态chage -l username# 查看所有用户密码过期信息for user in $(awk -F: '$3>=1000{print $1}' /etc/passwd); do echo "=== $user ===" chage -l $user 2>/dev/null | head -5done# Fedora特有:检查是否启用pass-otp(FIDO2/WebAuthn支持)authselect list | grep with-passkeyauthselect current | grep with-passkey# 查看生物识别认证(Fedora Workstation默认)cat /etc/pam.d/system-auth | grep pam_fprintdsystemctl status fprintd 2>/dev/null || echo "指纹服务未运行"1.2 登录失败处理与会话超时
cat /etc/security/faillock.confgrep 'pam_faillock' /etc/pam.d/system-auth | ||
faillock --user username | ||
echo $TMOUTcat /etc/profile.d/tmout.sh | ||
grep -E 'ClientAliveInterval|ClientAliveCountMax' /etc/ssh/sshd_config |
Fedora特有配置:
# Fedora默认启用pam_faillock,配置与RHEL一致但更激进# 查看faillock配置cat /etc/security/faillock.conf | grep -v '^#' | grep -v '^$'# 查看特定用户失败记录faillock --user rootfaillock --user username --reset# 查看全局超时配置cat /etc/profile.d/tmout.sh 2>/dev/null || grep TMOUT /etc/profile /etc/bashrc# Fedora特有:GNOME桌面环境会话超时(Workstation版)gsettings get org.gnome.desktop.session idle-delay 2>/dev/null || echo "非GNOME环境"gsettings get org.gnome.desktop.screensaver lock-enabled 2>/dev/null# 查看SSH安全配置(Fedora默认禁用root登录)grep -E 'PermitRootLogin|Protocol|PasswordAuthentication|PubkeyAuthentication|ClientAlive' /etc/ssh/sshd_config# Fedora特有:检查是否启用systemd-homed(Fedora 38+推荐)systemctl status systemd-homed 2>/dev/null || echo "未启用homed"homectl list 2>/dev/null | head -51.3 远程管理安全
# Fedora默认使用systemd和cockpit进行现代系统管理# 查看SSH服务状态systemctl status sshd# 检查SSH安全配置(Fedora默认更严格)grep -E 'PermitRootLogin|Protocol|PasswordAuthentication|PubkeyAuthentication|AllowUsers|AllowGroups' /etc/ssh/sshd_config# 查看SSH监听地址ss -tlnp | grep :22# 检查Telnet(应未安装)rpm -qa | grep telnetdnf list installed telnet-server 2>/dev/null || echo "Telnet未安装"# Fedora特有:检查cockpit(默认Web管理工具)systemctl status cockpit.socketsystemctl is-enabled cockpit.socketgrep -E 'Origins|ProtocolHeader|LoginTitle' /etc/cockpit/cockpit.conf 2>/dev/null | head -5# 检查cockpit会话超时grep 'IdleTimeout' /etc/cockpit/cockpit.conf 2>/dev/null || echo "未配置cockpit超时,默认无超时"# 查看允许的SSH用户/组grep -E 'AllowUsers|AllowGroups|DenyUsers|DenyGroups' /etc/ssh/sshd_config# Fedora特有:检查wireguard/quick隧道(现代VPN替代方案)systemctl status wg-quick@* 2>/dev/null || echo "WireGuard未配置"cat /etc/wireguard/*.conf 2>/dev/null | grep -v PrivateKey | head -10高风险项:启用Telnet、允许root远程登录、SSH使用弱算法、cockpit暴露于公网且无访问控制,直接判定不符合三级要求。
1.4 双因子认证(高风险项)
测评方法:
访谈确认:是否采用"口令+FIDO2/WebAuthn/硬件令牌"组合
技术核查:
# Fedora特有:原生FIDO2/WebAuthn支持(38+)authselect list | grep with-passkeyauthselect current | grep with-passkey# 检查系统级FIDO2配置cat /etc/pam.d/system-auth | grep pam_u2frpm -qa | grep pam_u2f# 检查GNOME桌面FIDO2集成(Workstation)rpm -qa | grep gnome-online-accountscat /etc/pam.d/gdm-password | grep pamu2f 2>/dev/null# 检查传统Google Authenticatorcat /etc/pam.d/sshd | grep google-authenticatorrpm -qa | grep google-authenticator# 检查YubiKey配置rpm -qa | grep yubikey-managerykman info 2>/dev/null || echo "YubiKey Manager未安装"# 检查智能卡/CCID(Fedora默认良好支持)systemctl status pcscdrpm -qa | grep openscpkcs11-tool -L 2>/dev/null | head -10# 查看SSH密钥认证ls -la /home/*/.ssh/authorized_keys 2>/dev/null | head -5find /home -name "authorized_keys" -exec ls -la {} \; 2>/dev/null | head -5# Fedora特有:检查systemd-cryptsetup(LUKS2+TPM2+FIDO2)systemd-cryptenroll --help 2>/dev/null | head -5cat /etc/crypttab | grep fido2 2>/dev/null || echo "未配置FIDO2磁盘加密"二、访问控制(8.1.4.2)
2.1 账户与权限管理
awk -F: '$3<1000 && $1!="root"{print $1}' /etc/passwd | ||
cat /etc/sudoersls -la /etc/sudoers.d/ | ||
stat -c '%a %n' /etc/passwd /etc/shadow /etc/group /etc/gshadow | ||
grep -r 'umask' /etc/profile.d/ /etc/profile /etc/bashrc 2>/dev/null |
Fedora特有配置:
# Fedora默认sudo配置(wheel组)grep '%wheel' /etc/sudoersgrep '%wheel' /etc/sudoers.d/* 2>/dev/null | head -3# 查看具体用户sudo权限sudo -l -U username# 检查polkit权限(Fedora默认严格)cat /etc/polkit-1/localauthority.conf.d/*.conf 2>/dev/null | head -10rpm -qa | grep polkit# 检查关键文件权限stat -c '%a %U:%G' /etc/passwd /etc/shadow /etc/group /etc/gshadow# Fedora特有:检查systemd-homed用户权限(如启用)homectl inspect username 2>/dev/null | grep -E 'UID|GID|MemberOf'# 检查fapolicyd(应用程序白名单,Fedora 39+默认安装)systemctl status fapolicyd 2>/dev/null || echo "fapolicyd未运行"cat /etc/fapolicyd/fapolicyd.conf 2>/dev/null | head -10fapolicyd-cli --list 2>/dev/null | head -10# 检查SELinux状态(Fedora默认启用Enforcing)getenforcesestatuscat /etc/selinux/config | grep SELINUX=2.2 默认账户清理
# 确认默认账户禁用或删除grep -E 'games|news|uucp|proxy|www-data|backup|list|irc|gnats' /etc/shadow# Fedora特有:检查fedora用户(LiveCD遗留)grep '^fedora' /etc/passwd && echo "⚠ 发现fedora用户(LiveCD安装遗留)"# 检查无登录shell的账户awk -F: '$7=="/sbin/nologin" || $7=="/bin/false" || $7=="/usr/sbin/nologin"{print $1}' /etc/passwd | head -10# 锁定不必要的账户sudo passwd -l games 2>/dev/nullsudo passwd -l news 2>/dev/null# Fedora特有:检查是否删除gnome-initial-setup用户(Workstation安装遗留)grep 'gnome-initial-setup' /etc/passwd && echo "⚠ 发现gnome-initial-setup用户"# 检查systemd-coredump用户(正常系统用户)id systemd-coredump 2>/dev/null2.3 SELinux强制访问控制(Fedora核心安全特性)
# Fedora默认启用最严格的SELinux策略,这是与RHEL/Rocky的主要区别# 查看SELinux状态getenforcesestatus# 查看SELinux模式配置cat /etc/selinux/config | grep -E '^SELINUX=|^SELINUXTYPE='# Fedora特有:使用targeted策略,但默认更严格sestatus | grep 'Loaded policy name'# 查看SELinux布尔值(Fedora默认禁用更多不安全功能)getsebool -a | grep -E 'ssh|http|ftp|nfs|samba|docker|podman' | head -30# 查看文件安全上下文ls -Z /etc/passwd /etc/shadow /var/www/html 2>/dev/null | head -5# 查看进程安全上下文ps -eZ | grep -E 'sshd|httpd|crond|podman|container' | head -5# 查看SELinux审计日志ausearch -m avc,user_avc,selinux_err -ts today 2>/dev/null | tail -10cat /var/log/audit/audit.log 2>/dev/null | grep 'type=AVC' | tail -5# Fedora特有:检查setroubleshoot(图形化SELinux故障排除)systemctl status setroubleshootd 2>/dev/null || echo "setroubleshootd未运行"sealert -a /var/log/audit/audit.log 2>/dev/null | head -10# 查看SELinux用户约束semanage login -l 2>/dev/null | head -10semanage user -l 2>/dev/null | head -10# Fedora特有:检查是否启用SELinux沙盒(sandbox)rpm -qa | grep policycoreutils-sandboxsandbox -X firefox 2>/dev/null || echo "SELinux沙盒未配置"三、安全审计(8.1.4.3)
3.1 审计服务启用
systemctl is-active auditd && systemctl is-enabled auditd | ||
auditctl -l | wc -l | ||
grep -E 'max_log_file|num_logs' /etc/audit/auditd.conf | ||
stat -c '%a %U:%G' /var/log/audit/audit.log |
Fedora特有配置:
# Fedora默认启用auditd,配置与RHEL一致但规则更现代# 查看审计服务状态systemctl status auditdsystemctl is-enabled auditd# 查看审计规则auditctl -l 2>/dev/null | wc -lauditctl -l 2>/dev/null | head -20# 查看审计规则文件ls -la /etc/audit/rules.d/cat /etc/audit/rules.d/audit.rules 2>/dev/null || cat /etc/audit/audit.rules# Fedora特有:使用预定义审计规则(更严格的容器审计)ls /usr/share/doc/audit/rules/ 2>/dev/null | head -10cat /etc/audit/rules.d/containers.rules 2>/dev/null | head -10# 生成审计报告aureport --summary 2>/dev/null | head -20aureport --login --summary -i 2>/dev/null | head -10aureport --user -i --summary 2>/dev/null | head -10# Fedora特有:检查podman/container审计ausearch -m avc -ts recent 2>/dev/null | grep -E 'container|podman' | tail -10# 检查auditd插件(如syslog转发)cat /etc/audit/plugins.d/ 2>/dev/null | head -53.2 日志管理与保护
# Fedora使用systemd-journald为主,rsyslog可选# 查看journald配置cat /etc/systemd/journald.conf | grep -v '^#' | grep -v '^$'# 查看日志持久化grep Storage /etc/systemd/journald.conf # 应为persistent或auto# 查看日志磁盘使用journalctl --disk-usage# 查看日志保留策略journalctl --vacuum-time=6months # 设置保留6个月# Fedora特有:检查systemd-coredump(替代传统core dump)cat /etc/systemd/coredump.conf 2>/dev/null | head -10coredumpctl list 2>/dev/null | head -10# 查看日志权限ls -la /var/log/journal/ 2>/dev/null | head -10stat -c '%a %U:%G' /var/log/journal/ 2>/dev/null# Fedora特有:检查是否启用systemd-pstore(持久化存储崩溃日志)systemctl status systemd-pstore 2>/dev/null || echo "systemd-pstore未启用"# 检查是否启用rsyslog(传统兼容)systemctl status rsyslog 2>/dev/null || echo "rsyslog未启用(使用journald)"四、入侵防范(8.1.4.4)
4.1 最小化安装与漏洞修复
dnf check-update 2>/dev/null | wc -l | ||
dnf updateinfo list security 2>/dev/null | ||
systemctl status dnf-automatic.timer | ||
systemctl list-unit-files --state=enabled | grep -vE 'ssh|audit|journald|cron|systemd' | ||
ss -tulnp | grep LISTEN |
Fedora特有配置:
# 查看可更新包dnf check-update 2>/dev/null | wc -l | xargs -I {} echo "可更新包数: {}"# 查看安全更新(Fedora安全公告)dnf updateinfo list security 2>/dev/null | head -20dnf updateinfo list sec 2>/dev/null | head -20# Fedora特有:检查自动更新(默认启用)systemctl status dnf-automatic.timersystemctl is-enabled dnf-automatic.timercat /etc/dnf/automatic.conf | grep -v '^#' | head -20# 查看已安装包数量rpm -qa | wc -l# 查看系统版本cat /etc/os-release | grep -E 'NAME|VERSION|VARIANT'cat /etc/fedora-release 2>/dev/null# 查看已启用服务systemctl list-unit-files --state=enabled | grep -vE 'ssh|audit|journald|cron|systemd|chrony|NetworkManager|firewalld|podman' | head -20# 检查高危端口ss -tulnp | grep LISTEN | grep -E ':23|:111|:513|:514|:2049'# Fedora特有:检查Silverblue/Kinoite(不可变系统)rpm-ostree status 2>/dev/null | head -20 || echo "传统RPM系统(非OSTree)"# 检查容器化服务(Fedora默认启用podman)systemctl --user status podman.socket 2>/dev/null || echo "rootless podman未启用"podman system info 2>/dev/null | head -104.2 防火墙与网络防护
# Fedora默认使用firewalld(nftables后端)+ podman防火墙集成# 查看firewalld状态systemctl status firewalldfirewall-cmd --state# 查看firewalld默认区域firewall-cmd --get-default-zonefirewall-cmd --get-active-zones# 查看firewalld规则firewall-cmd --list-allfirewall-cmd --list-all-zones | head -50# 查看富规则firewall-cmd --list-rich-rules# 查看直接规则firewall-cmd --direct --get-all-rules# 检查nftables后端nft list ruleset 2>/dev/null | head -30# Fedora特有:检查podman防火墙集成(根less容器)podman network ls 2>/dev/nullfirewall-cmd --get-active-zones | grep podman# 检查TCP Wrapper配置cat /etc/hosts.allowcat /etc/hosts.deny# 检查fail2ban(入侵防御)systemctl status fail2ban 2>/dev/null || echo "fail2ban未运行"fail2ban-client status 2>/dev/null# Fedora特有:检查fapolicyd(应用程序白名单,39+默认)systemctl status fapolicyd 2>/dev/null || echo "fapolicyd未运行"fapolicyd-cli --list 2>/dev/null | head -10# 检查网络内核参数sysctl -a 2>/dev/null | grep -E 'icmp_echo_ignore_all|rp_filter|syncookies' | head -104.3 安全启动与内核加固
# 检查Secure Boot状态mokutil --sb-state 2>/dev/null || echo "Secure Boot未启用或mokutil未安装"bootctl status 2>/dev/null | head -10# Fedora特有:检查是否启用UKI(统一内核镜像,40+实验性)ls /boot/efi/EFI/fedora/*.efi 2>/dev/null | grep -i uki || echo "传统EFI启动"# 查看内核参数安全设置sysctl -a 2>/dev/null | grep -E 'kptr_restrict|dmesg_restrict|kexec_load_disabled' | head -10# 查看当前内核启动参数cat /proc/cmdline# Fedora特有:检查是否启用内核实时补丁(kpatch)systemctl status kpatch 2>/dev/null || echo "kpatch未启用(Fedora主要版本更新快,kpatch支持有限)"# 检查IMA/EVM(完整性度量)cat /sys/kernel/security/ima/ascii_runtime_measurements 2>/dev/null | head -5dmesg | grep -i 'ima\|evm' | head -5# Fedora特有:检查是否启用systemd-boot(替代GRUB,IoT/Silverblue默认)bootctl status 2>/dev/null | grep -E 'Systemd-Stub|Secure Boot'五、恶意代码防范(8.1.4.5)
rpm -qa | grep clamav | ||
systemctl is-active clamd | ||
freshclam --version | ||
systemctl is-active clamav-daemon |
Fedora特有配置:
# 检查ClamAV安装rpm -qa | grep clamav | head -5# 查看ClamAV服务systemctl status clamd@scan 2>/dev/null || systemctl status clamd 2>/dev/null || echo "clamd未运行"# 手动更新病毒库sudo freshclam# 查看病毒库版本freshclam --version 2>/dev/null# 查看ClamScan计划任务cat /etc/cron.d/clamav-update 2>/dev/nullsystemctl list-timers | grep clamav# 检查Rootkit Hunterrpm -qa | grep rkhuntersudo rkhunter --check --sk 2>/dev/null | tail -20# 检查 chkrootkitrpm -qa | grep chkrootkit# Fedora特有:检查是否启用OpenSCAP扫描(默认良好支持)rpm -qa | grep openscap-scanneroscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 2>/dev/null | tail -20 || echo "Fedora SCAP内容未安装或版本不匹配"# Fedora特有:检查fapolicyd应用白名单fapolicyd-cli --check 2>/dev/null | head -10六、可信验证(8.1.4.6)
dmesg | grep -i tpm | ||
mokutil --sb-state | ||
cat /proc/sys/kernel/modules_disabled | ||
rpm -Va 2>/dev/null | head -20 |
Fedora特有配置:
# 查看TPM状态dmesg | grep -i "tpm\|trusted platform"ls /dev/tpm* 2>/dev/null# 查看Secure Boot状态mokutil --sb-state 2>/dev/null || echo "Secure Boot未启用"# Fedora特有:检查是否启用TPM2+LUKS自动解密(systemd-cryptenroll)systemd-cryptenroll --help 2>/dev/null | head -5cat /etc/crypttab | grep tpm2 2>/dev/null || echo "未配置TPM2磁盘加密"# 查看内核安全启动cat /proc/sys/kernel/secure_boot 2>/dev/null# 验证RPM包完整性rpm -Va 2>/dev/null | grep -E '^S.5....T\|^..5....T\|^.......T' | head -20# 验证特定关键包rpm -V coreutils bash kernel systemd 2>/dev/null | head -10# 查看内核模块签名modinfo $(lsmod | awk 'NR==2{print $1}') 2>/dev/null | grep -E 'sig|signer|integ'# Fedora特有:检查是否启用IMA appraisal(实验性)cat /sys/kernel/security/ima/policy 2>/dev/null | head -5# 检查Silverblue/RPM-OSTree完整性(如适用)rpm-ostree status 2>/dev/null | head -10ostree fsck 2>/dev/null | head -5 || echo "传统RPM系统"七、数据备份与恢复(8.1.4.9)
cat /etc/cron.d/backup 2>/dev/null | grep -i backup | ||
rpm -qa | grep -E 'rear|borg|restic|timeshift' | ||
stat -c '%a %U:%G' /backup | ||
tar -tzf /backup/etc-$(date +%F).tar.gz | wc -l |
Fedora特有配置:
# 查看备份脚本cat /etc/cron.d/backup 2>/dev/null || crontab -l | grep backup# Fedora特有:检查是否使用borgbackup(Fedora默认推荐现代工具)rpm -qa | grep borgbackupborg list /backup/borg 2>/dev/null | head -5# 检查restic(Fedora官方仓库支持)rpm -qa | grep resticrestic snapshots -r /backup/restic 2>/dev/null | head -5# 检查timeshift(桌面环境)rpm -qa | grep timeshiftsudo timeshift --list 2>/dev/null | head -10# 检查Deja Dup(GNOME默认备份)rpm -qa | grep deja-dup# 查看Rsync备份任务crontab -l | grep rsynccat /etc/cron.d/*rsync* 2>/dev/null | head -10# 验证备份完整性sudo tar -tzf /backup/etc-$(date +%F).tar.gz 2>/dev/null | wc -l# Fedora特有:Silverblue系统备份(使用rpm-ostree)rpm-ostree status 2>/dev/null | head -10# 回滚到之前版本:rpm-ostree rollback# 检查ReaR(灾难恢复)rpm -qa | grep rearcat /etc/rear/local.conf 2>/dev/null | head -20八、Fedora特有安全功能
8.1 Silverblue/Kinoite(不可变操作系统)
# Fedora Silverblue/Kinoite使用rpm-ostree实现原子更新# 查看OSTree状态rpm-ostree status# 查看可用更新rpm-ostree upgrade --check 2>/dev/null || rpm-ostree status# 查看部署历史rpm-ostree status -v | grep -E 'Commit|Version|Timestamp'# 回滚到之前版本rpm-ostree rollback# 检查/var持久化配置(唯一可写目录)ls /var/home/ 2>/dev/null || ls /var/ 2>/dev/null | head -10# 检查toolbox/distrobox(开发环境隔离)toolbox list 2>/dev/null || echo "toolbox未配置"distrobox list 2>/dev/null || echo "distrobox未配置"8.2 Podman/容器安全(根less默认)
# Fedora默认使用podman替代docker,强制根less模式# 查看podman信息podman info 2>/dev/null | head -20# 查看rootless容器配置podman unshare cat /proc/self/uid_map 2>/dev/null# 检查容器SELinux标签podman ps --format "{{.Names}} {{.SecurityOptions}}" 2>/dev/null# 检查容器网络隔离podman network ls 2>/dev/nullpodman network inspect podman 2>/dev/null | head -10# 检查容器资源限制cat /etc/systemd/system/user@.service.d/ 2>/dev/null | head -5systemctl --user status podman.socket 2>/dev/null# Fedora特有:检查是否启用podman-auto-updatesystemctl --user status podman-auto-update.timer 2>/dev/null || echo "容器自动更新未启用"8.3 Flatpak应用隔离
# Fedora Workstation默认使用Flatpak进行应用沙盒# 查看已安装Flatpak应用flatpak list 2>/dev/null | head -10# 查看Flatpak权限flatpak info --show-permissions com.example.App 2>/dev/null || echo "指定应用未安装"# 查看Flatpak沙盒覆盖flatpak override --show 2>/dev/null | head -10# 检查是否启用Wayland安全上下文(Fedora 39+)echo $WAYLAND_DISPLAYcat /proc/$(pgrep -n firefox)/environ 2>/dev/null | tr '\0' '\n' | grep -i wayland || echo "未使用Wayland"一键巡检脚本(Fedora Linux)
#!/bin/bash# Fedora Linux 等保三级一键巡检脚本# 适用:Fedora 38 / 39 / 40 (Workstation/Server/Silverblue)# 执行用户:rootecho"===== Fedora Linux 等保巡检报告 ====="echo"巡检时间: $(date'+%Y-%m-%d %H:%M:%S')"echo"服务器: $(hostname)"echo"版本: $(cat /etc/os-release |grep PRETTY_NAME |cut -d'"'-f2)"echo"变体: $(cat /etc/os-release |grep VARIANT |cut -d'"'-f22>/dev/null ||echo'Server/Workstation')"echo""# 检测是否为Silverblueifcommand-v rpm-ostree >/dev/null 2>&1;thenecho"系统类型: OSTree (Silverblue/Kinoite/IoT)" rpm-ostree status |head-5elseecho"系统类型: 传统RPM"fiecho""echo"===== 1 身份鉴别 ====="echo"--- 空口令检查 ---"awk -F: '$2==""{print "空口令用户: "$1}' /etc/shadowecho"--- 密码锁定账户 ---"awk -F: '$2~"^!"{print "锁定用户: "$1}' /etc/shadow |head-5echo"--- 密码有效期 ---"grep-E'PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_WARN_AGE' /etc/login.defs 2>/dev/null |head-3echo"--- 密码复杂度 ---"cat /etc/security/pwquality.conf 2>/dev/null |grep-E'minlen|minclass'|head-3echo"--- 登录失败锁定 ---"cat /etc/security/faillock.conf 2>/dev/null |grep-v'^#'|grep-v'^$'|head-5echo"--- SSH配置 ---"grep-E'PermitRootLogin|Protocol|PasswordAuthentication|ClientAlive' /etc/ssh/sshd_config 2>/dev/null |head-5echo"--- FIDO2/Passkey支持 ---"authselect current 2>/dev/null |grep passkey &&echo"FIDO2/Passkey: 已启用"||echo"FIDO2/Passkey: 未启用"echo"--- 生物识别 ---"systemctl is-active fprintd 2>/dev/null ||echo"指纹服务未运行"echo""echo"===== 2 访问控制 ====="echo"--- 系统账户 ---"awk -F: '$3<1000 && $1!="root"{print "系统账户: "$1}' /etc/passwd |head-10echo"--- Fedora特有账户检查 ---"grep-E'^fedora|^gnome-initial-setup' /etc/passwd &&echo"⚠ 发现LiveCD/安装残留用户"||echo"✓ 无残留用户"echo"--- sudo配置 ---"grep'%wheel' /etc/sudoers 2>/dev/null |head-3echo"--- 关键文件权限 ---"stat-c'%a %n' /etc/passwd /etc/shadow /etc/group /etc/gshadow 2>/dev/nullecho"--- SELinux状态 ---"getenforce 2>/dev/null ||echo"SELinux未启用"sestatus 2>/dev/null |head-3echo"--- fapolicyd状态 ---"systemctl is-active fapolicyd 2>/dev/null ||echo"fapolicyd未运行"echo""echo"===== 3 安全审计 ====="echo"--- auditd状态 ---"systemctl is-active auditd 2>/dev/null && systemctl is-enabled auditd 2>/dev/nullecho"--- 审计规则数量 ---"auditctl -l2>/dev/null |wc-l|xargs-I{}echo"审计规则数: {}"echo"--- journald配置 ---"cat /etc/systemd/journald.conf 2>/dev/null |grep-v'^#'|grep-v'^$'|head-5echo"--- 日志持久化 ---"systemd-analyze cat-config systemd/journald.conf 2>/dev/null |grep Storage ||echo"使用默认配置"echo""echo"===== 4 入侵防范 ====="echo"--- 待更新包 ---"dnf check-update 2>/dev/null |wc-l|xargs-I{}echo"可更新包数: {}"echo"--- 安全更新 ---"dnf updateinfo list security 2>/dev/null |wc-l|xargs-I{}echo"安全公告数: {}"echo"--- 自动更新状态 ---"systemctl is-active dnf-automatic.timer 2>/dev/null ||echo"自动更新未启用"echo"--- 高危端口 ---"ss -tulnp2>/dev/null |grep-E'0.0.0.0:23|0.0.0.0:111|0.0.0.0:513'||echo"无高危端口暴露"echo"--- firewalld状态 ---"systemctl is-active firewalld 2>/dev/null ||echo"firewalld未运行"echo"--- podman容器安全 ---"podman info 2>/dev/null |grep-E'rootless|insecure'|head-3||echo"podman未配置或传统系统"echo"--- Secure Boot ---"mokutil --sb-state 2>/dev/null ||echo"无法检测Secure Boot"echo""echo"===== 5 恶意代码防范 ====="echo"--- ClamAV安装 ---"rpm-qa2>/dev/null |grep clamav |head-3echo"--- ClamAV服务 ---"systemctl is-active clamd@scan 2>/dev/null || systemctl is-active clamd 2>/dev/null ||echo"clamd未运行"echo"--- 病毒库版本 ---"freshclam --version2>/dev/null ||echo"未安装freshclam"echo"--- fapolicyd应用白名单 ---"fapolicyd-cli --list2>/dev/null |wc-l|xargs-I{}echo"fapolicyd规则数: {}"||echo"fapolicyd未运行"echo""echo"===== 6 可信验证 ====="echo"--- TPM状态 ---"dmesg2>/dev/null |grep-i"tpm"|head-3echo"--- Secure Boot ---"bootctl status 2>/dev/null |grep-E'Secure Boot|Setup Mode'|head-3|| mokutil --sb-state 2>/dev/nullecho"--- TPM2+LUKS磁盘加密 ---"systemd-cryptenroll --help2>/dev/null |head-1&&echo"TPM2加密工具可用"||echo"未安装systemd-cryptenroll"echo"--- RPM验证 ---"rpm-Va2>/dev/null |grep-c'S.5....T\|..5....T\|.......T'|xargs-I{}echo"修改过的文件数: {}"echo"--- OSTree完整性(如适用)---"ifcommand-v rpm-ostree >/dev/null 2>&1;then rpm-ostree status |grep-E'Commit|Version'|head-3elseecho"传统RPM系统"fiecho""echo"===== 7 数据备份 ====="echo"--- 备份任务 ---"crontab-l2>/dev/null |grep-i backup ||echo"未配置crontab备份"systemctl list-timers |grep backup 2>/dev/null ||echo"无备份定时器"echo"--- 现代备份工具 ---"rpm-qa2>/dev/null |grep-E'borgbackup|restic|timeshift'|head-5echo"--- 备份目录 ---"stat-c'%a %U:%G' /backup 2>/dev/null ||echo"备份目录不存在"echo""echo"===== 8 Fedora特有功能 ====="echo"--- 系统类型 ---"ifcommand-v rpm-ostree >/dev/null 2>&1;thenecho"OSTree系统 - 原子更新已启用" rpm-ostree status |grep-E'State|Deployments'|head-3elseecho"传统RPM系统"fiecho"--- 容器安全 ---"podman info 2>/dev/null |grep-E'rootless|graphRoot'|head-2||echo"podman未配置"echo"--- Flatpak沙盒 ---"flatpak --version2>/dev/null ||echo"Flatpak未安装"echo"--- 自动更新 ---"systemctl is-active dnf-automatic.timer 2>/dev/null &&echo"DNF自动更新: 启用"||echo"DNF自动更新: 未启用"echo"--- Cockpit Web管理 ---"systemctl is-active cockpit.socket 2>/dev/null &&echo"Cockpit: 启用"||echo"Cockpit: 未启用"echo""echo"===== 巡检完成 ====="高风险项重点核查清单
| 空口令账户 | awk -F: '$2==""{print $1}' /etc/shadow | ||
| 密码复杂度未启用 | cat /etc/security/pwquality.conf | ||
| 无登录失败锁定 | cat /etc/security/faillock.conf | ||
| root远程登录 | grep ^PermitRootLogin /etc/ssh/sshd_config | ||
| SELinux未启用 | getenforce | ||
| 审计未启用 | systemctl is-active auditd | ||
| 自动更新未启用 | systemctl is-active dnf-automatic.timer | ||
| fapolicyd未启用 | systemctl is-active fapolicyd | ||
| podman非rootless | podman info | grep rootless | ||
| Silverblue未配置备份 | rpm-ostree status | ||
| 备份未配置 | crontab -l | grep backup |
Fedora Linux版本差异对照
测评执行要点
1. 权限要求
所有命令需
root权限执行部分命令需要普通用户执行(podman rootless检查)
Silverblue系统部分配置为只读,需使用
rpm-ostree修改
2. 现场核查重点
系统变体识别:确认是Workstation、Server还是Silverblue/Kinoite/IoT,安全策略差异大
自动更新:Fedora默认启用dnf-automatic,检查是否配置安全更新自动应用
容器安全:Fedora强制rootless podman,检查是否正确配置用户命名空间
现代认证:Fedora 38+原生支持FIDO2/WebAuthn,检查是否启用passkey替代传统密码
不可变系统:Silverblue/Kinoite使用OSTree,检查原子更新和回滚策略
3. 版本差异注意
Fedora 38:稳定版本,适合生产环境
Fedora 39:推荐新建环境,改进容器和桌面安全
Fedora 40:前沿技术,UKI(统一内核镜像)实验性支持,适合技术预览
4. 生命周期注意
Fedora每版本支持约13个月,需规划升级周期
Silverblue/Kinoite支持自动更新和原子回滚,适合边缘计算
常用命令速查
# DNF包管理(新一代RPM)dnf check-update # 检查更新dnf upgrade # 升级系统dnf upgrade --security# 仅安全更新dnf install package # 安装包dnf remove package # 移除包dnf repoquery -l package # 查询文件列表dnf history# 操作历史dnf autoremove # 自动清理依赖# RPM-OSTree(Silverblue/Kinoite/IoT)rpm-ostree status # 查看状态rpm-ostree upgrade # 系统升级rpm-ostree rollback # 回滚版本rpm-ostree rebase # 切换分支ostree admin pin 0# 固定当前版本# Systemd服务管理systemctl status servicesystemctl start servicesystemctl enableservicesystemctl --user status service# 用户级服务# Podman容器(rootless默认)podman info # 查看信息podman run -it image # 运行容器podmanps# 查看容器podman build -t tag .# 构建镜像podman auto-update # 自动更新容器# Flatpak应用flatpak install flathub appflatpak updateflatpak listflatpak run app# Toolbox/Distrobox开发环境toolbox create # 创建工具箱toolbox enter # 进入工具箱distrobox create --image fedora:39distrobox enter# SELinux管理getenforce # 查看模式setenforce 0|1# 临时设置sestatus # 详细状态sealert -a /var/log/audit/audit.log # 图形化分析# Firewalld防火墙firewall-cmd --statefirewall-cmd --list-allfirewall-cmd --add-service=http --permanentfirewall-cmd --reload# 日志查看journalctl -uservice# 查看服务日志journalctl -f# 实时跟踪journalctl --since"1 hour ago"journalctl --user-uservice# 用户级服务日志# 内核管理uname-r# 内核版本rpm-qa|grep kernel # 已安装内核sudo dnf upgrade kernel # 升级内核(传统)rpm-ostree upgrade # 原子升级(OSTree)# 备份工具borg create /backup::$(date +%F) ~ # Borg备份restic backup -r /backup ~ # Restic备份timeshift --create# Timeshift快照参考标准:GB/T 22239-2019、GB/T 28448-2019、CIS Fedora Benchmark、Fedora Security Guide、Fedora Silverblue Documentation
适用版本:Fedora Linux 38 / 39 / 40 (Workstation/Server/Silverblue/Kinoite/IoT/Onyx)
验证环境:传统RPM / OSTree (Silverblue/Kinoite) / 容器云 / 边缘计算
汪汪虚拟空间10个内容
本文来自网友投稿或网络内容,如有侵犯您的权益请联系我们删除,联系邮箱:wyl860211@qq.com 。
随机文章
-
10个月宝宝每天需要喝多少奶粉?
- 荐书:《只是为了好玩:Linux之父林纳斯自传》
- Linux设备驱动 -- 按键驱动开发
- 运维视界|Linux核心命令速查,从入门到救命
- IT动物园 | Python这两条黄蓝小蛇:从Web开发到人工智能无处不在
- 【重复测量纵向数据】Python09.重复测量方差分析(Repeated Measures ANOVA,RM-ANOVA)
- 使用 pyenv 安装自定义 Python 构建
- 如何在 AlmaLinux 或 Rocky Linux 上安装 VLC 播放器
- Python入门|主题5:Python四层变量引用
- 60秒掌握Linux命令 :ss命令,比netstat快10倍的网络排查神器
- Python编程入门到实践,死磕这几本书就够了
