等保测评命令——Alma Linux
- 2026-03-29 13:12:37
等保测评命令——Alma Linux
汪汪虚拟空间等保测评命令——PostgreSQL数据库 2026-02-11 等保测评命令——Oracle数据库 2026-02-12 等保测评命令——OceanBase数据库 2026-02-13 等保测评命令——华为 GaussDB 系列 2026-02-14 等保测评命令——MySQL数据库 2026-02-21 等保测评命令——DB2数据库 2026-02-22 等保测评命令——华为网络设备 2026-02-23 等保测评命令——锐捷网络设备 2026-02-24 等保测评命令——华三(H3C)网络设备 2026-02-25 等保测评命令——思科网络设备 2026-02-26
各位大佬,想看那种网络设备/操作系统/数据库/中间件的测评命令清单,可在留言区留言,我会以最快速度给你们总结,然后发出来!
依据 GB/T 22239-2019《信息安全技术 网络安全等级保护基本要求》第三级"安全计算环境" 条款,结合 AlmaLinux 8.x/9.x 官方安全指南、CIS AlmaLinux Benchmark 及多家测评机构现场实践,给出可直接落地的 测评命令清单。
已在 AlmaLinux 8.9 / 9.3 环境验证通过,支持 Minimal / Server / Server with GUI / Real Time (RT) 多种安装模式。
一、身份鉴别(8.1.4.1)
1.1 账户唯一性与密码策略
awk -F: '$2==""{print $1}' /etc/shadow | ||
awk -F: '$2~"^!"{print $1}' /etc/shadow | ||
chage -l usernamegrep -E 'PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_WARN_AGE' /etc/login.defs | ||
cat /etc/security/pwquality.confauthselect current | ||
grep 'remember' /etc/pam.d/system-auth /etc/pam.d/password-auth |
AlmaLinux特有配置:
# AlmaLinux使用authselect管理PAM配置(与RHEL/Rocky一致)# 查看当前authselect配置authselect currentauthselect list# 查看详细PAM配置cat /etc/authselect/system-auth | head -20# 查看密码策略(AlmaLinux默认启用标准策略)cat /etc/security/pwquality.conf | grep -v '^#' | grep -v '^$'# 查看特定用户密码状态chage -l username# 查看所有用户密码过期信息for user in $(awk -F: '$3>=1000{print $1}' /etc/passwd); do echo "=== $user ===" chage -l $user 2>/dev/null | head -5done# AlmaLinux特有:检查是否启用with-mfa配置文件(9.x支持)authselect list | grep with-mfaauthselect current | grep with-mfa# 检查是否启用with-silent-lastlog(隐藏上次登录信息,防信息泄露)authselect current | grep silent-lastlog1.2 登录失败处理与会话超时
cat /etc/security/faillock.confgrep 'pam_faillock' /etc/pam.d/system-auth | ||
faillock --user username | ||
echo $TMOUTcat /etc/profile.d/tmout.sh | ||
grep -E 'ClientAliveInterval|ClientAliveCountMax' /etc/ssh/sshd_config |
AlmaLinux特有配置:
# AlmaLinux默认启用pam_faillock(与RHEL/Rocky一致)# 查看faillock配置cat /etc/security/faillock.conf | grep -v '^#' | grep -v '^$'# 查看特定用户失败记录faillock --user rootfaillock --user username --reset# 查看全局超时配置cat /etc/profile.d/tmout.sh 2>/dev/null || grep TMOUT /etc/profile /etc/bashrc# AlmaLinux特有:标准tmout.sh配置cat > /etc/profile.d/tmout.sh << 'EOF'TMOUT=600readonly TMOUTexport TMOUTEOF# 查看SSH安全配置(AlmaLinux默认禁用root登录)grep -E 'PermitRootLogin|Protocol|PasswordAuthentication|PubkeyAuthentication|ClientAlive' /etc/ssh/sshd_config# AlmaLinux特有:检查是否启用cockpit(默认安装)systemctl status cockpit.socketsystemctl is-enabled cockpit.socketgrep -E 'Origins|ProtocolHeader|LoginTitle|IdleTimeout' /etc/cockpit/cockpit.conf 2>/dev/null | head -5# 检查Real Time内核会话超时(RT变体)uname -r | grep -q 'rt' && echo "Real Time内核" || echo "标准内核"1.3 远程管理安全
# AlmaLinux默认使用systemd和cockpit进行现代系统管理# 查看SSH服务状态systemctl status sshd# 检查SSH安全配置grep -E 'PermitRootLogin|Protocol|PasswordAuthentication|PubkeyAuthentication|AllowUsers|AllowGroups' /etc/ssh/sshd_config# 查看SSH监听地址ss -tlnp | grep :22# 检查Telnet(应未安装)rpm -qa | grep telnetdnf list installed telnet-server 2>/dev/null || echo "Telnet未安装"# AlmaLinux特有:检查ELevate升级工具(8→9迁移)rpm -qa | grep elevatecat /etc/elevate.ini 2>/dev/null | head -10# 检查leapp升级框架(AlmaLinux推荐升级工具)rpm -qa | grep leappleapp --version 2>/dev/null || echo "leapp未安装"# 查看允许的SSH用户/组grep -E 'AllowUsers|AllowGroups|DenyUsers|DenyGroups' /etc/ssh/sshd_config# AlmaLinux特有:检查是否启用SCAP安全策略(默认预装)rpm -qa | grep scap-security-guideoscap info /usr/share/xml/scap/ssg/content/ssg-al9-ds.xml 2>/dev/null || \oscap info /usr/share/xml/scap/ssg/content/ssg-al8-ds.xml 2>/dev/null || \oscap info /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml 2>/dev/null || \echo "SCAP安全指南未安装"高风险项:启用Telnet、允许root远程登录、SSH使用弱算法、cockpit暴露于公网且无访问控制,直接判定不符合三级要求。
1.4 双因子认证(高风险项)
测评方法:
访谈确认:是否采用"口令+智能卡/硬件令牌/YubiKey"组合
技术核查:
# 检查Google Authenticator配置cat /etc/pam.d/sshd | grep google-authenticatorrpm -qa | grep google-authenticator# 检查YubiKey配置cat /etc/pam.d/sshd | grep yubikeyrpm -qa | grep yubikey-manager# 检查智能卡/CCID配置cat /etc/pam.d/sshd | grep pam_pkcs11systemctl status pcscd 2>/dev/null || echo "PCSC智能卡服务未运行"# 查看已安装的2FA软件包rpm -qa | grep -E 'google-authenticator|yubikey|libu2f|pam_u2f'# AlmaLinux特有:检查是否启用FreeIPA/IdM集成(企业环境)rpm -qa | grep freeipa-clientipa-client-install --version 2>/dev/null || echo "FreeIPA客户端未安装"klist -k /etc/krb5.keytab 2>/dev/null | head -5# 检查SSSD(System Security Services Daemon)systemctl status sssd 2>/dev/null || echo "SSSD未运行"cat /etc/sssd/sssd.conf 2>/dev/null | grep -v '^#' | head -20# 查看SSH密钥认证ls -la /home/*/.ssh/authorized_keys 2>/dev/null | head -5find /home -name "authorized_keys" -exec ls -la {} \; 2>/dev/null | head -5二、访问控制(8.1.4.2)
2.1 账户与权限管理
awk -F: '$3<1000 && $1!="root"{print $1}' /etc/passwd | ||
cat /etc/sudoersls -la /etc/sudoers.d/ | ||
stat -c '%a %n' /etc/passwd /etc/shadow /etc/group /etc/gshadow | ||
grep -r 'umask' /etc/profile.d/ /etc/profile /etc/bashrc 2>/dev/null |
AlmaLinux特有配置:
# AlmaLinux默认sudo配置(wheel组,与RHEL一致)grep '%wheel' /etc/sudoersgrep '%wheel' /etc/sudoers.d/* 2>/dev/null | head -3# 查看具体用户sudo权限sudo -l -U username# 检查polkit权限cat /etc/polkit-1/localauthority.conf.d/*.conf 2>/dev/null | head -10rpm -qa | grep polkit# 检查关键文件权限stat -c '%a %U:%G' /etc/passwd /etc/shadow /etc/group /etc/gshadow# AlmaLinux特有:检查是否启用fapolicyd(应用程序白名单)systemctl status fapolicyd 2>/dev/null || echo "fapolicyd未运行"cat /etc/fapolicyd/fapolicyd.conf 2>/dev/null | head -10fapolicyd-cli --list 2>/dev/null | head -10# 检查SELinux状态(AlmaLinux默认启用Enforcing)getenforcesestatuscat /etc/selinux/config | grep SELINUX=# AlmaLinux特有:检查是否启用Real Time内核安全模块(RT变体)uname -r | grep -q 'rt' && lsmod | grep -E 'crc32c_intel|aesni_intel' | head -52.2 默认账户清理
# 确认默认账户禁用或删除grep -E 'games|news|uucp|proxy|www-data|backup|list|irc|gnats' /etc/shadow# AlmaLinux特有:检查almalinux用户(LiveCD遗留,应删除)grep '^almalinux' /etc/passwd && echo "⚠ 发现almalinux用户(LiveCD安装遗留)"# 检查无登录shell的账户awk -F: '$7=="/sbin/nologin" || $7=="/bin/false" || $7=="/usr/sbin/nologin"{print $1}' /etc/passwd | head -10# 锁定不必要的账户sudo passwd -l games 2>/dev/nullsudo passwd -l news 2>/dev/null# AlmaLinux特有:检查是否删除initial-setup用户grep 'initial-setup' /etc/passwd && echo "⚠ 发现initial-setup用户"# 检查系统账户锁定状态for user in games news uucp proxy backup list irc gnats almalinux; do passwd -S $user 2>/dev/null | grep -E 'LK|NP' && echo "$user: 已锁定或无密码"done2.3 SELinux强制访问控制(AlmaLinux核心安全特性)
# AlmaLinux默认启用SELinux targeted策略,与RHEL/Rocky完全一致# 查看SELinux状态getenforcesestatus# 查看SELinux模式配置cat /etc/selinux/config | grep -E '^SELINUX=|^SELINUXTYPE='# 查看当前策略sestatus | grep 'Loaded policy name'# 查看SELinux布尔值getsebool -a | grep -E 'ssh|http|ftp|nfs|samba|container' | head -20# 查看文件安全上下文ls -Z /etc/passwd /etc/shadow /var/www/html 2>/dev/null | head -5# 查看进程安全上下文ps -eZ | grep -E 'sshd|httpd|crond|containerd|podman' | head -5# 查看SELinux审计日志ausearch -m avc,user_avc,selinux_err -ts today 2>/dev/null | tail -10cat /var/log/audit/audit.log 2>/dev/null | grep 'type=AVC' | tail -5# AlmaLinux特有:检查setroubleshoot-serversystemctl status setroubleshootd 2>/dev/null || echo "setroubleshootd未运行"sealert -a /var/log/audit/audit.log 2>/dev/null | head -10# 查看SELinux用户约束semanage login -l 2>/dev/null | head -10semanage user -l 2>/dev/null | head -10# AlmaLinux特有:检查是否启用mcstrans(多级安全转换)rpm -qa | grep mcstranssystemctl status mcstrans 2>/dev/null || echo "mcstrans未运行(MLS/MCS环境需要)"三、安全审计(8.1.4.3)
3.1 审计服务启用
systemctl is-active auditd && systemctl is-enabled auditd | ||
auditctl -l | wc -l | ||
grep -E 'max_log_file|num_logs' /etc/audit/auditd.conf | ||
stat -c '%a %U:%G' /var/log/audit/audit.log |
AlmaLinux特有配置:
# AlmaLinux默认启用auditd,与RHEL/Rocky配置一致# 查看审计服务状态systemctl status auditdsystemctl is-enabled auditd# 查看审计规则auditctl -l 2>/dev/null | wc -lauditctl -l 2>/dev/null | head -20# 查看审计规则文件ls -la /etc/audit/rules.d/cat /etc/audit/rules.d/audit.rules 2>/dev/null || cat /etc/audit/audit.rules# AlmaLinux特有:使用预定义审计规则ls /usr/share/doc/audit/rules/ 2>/dev/null | head -10# 生成审计报告aureport --summary 2>/dev/null | head -20aureport --login --summary -i 2>/dev/null | head -10aureport --user -i --summary 2>/dev/null | head -10# 查看SELinux审计(与auditd协同)ausearch -m avc -ts recent 2>/dev/null | tail -10# AlmaLinux特有:检查是否启用auditd插件cat /etc/audit/plugins.d/ 2>/dev/null | head -5# Real Time内核审计检查(RT变体)uname -r | grep -q 'rt' && echo "RT内核:检查实时审计延迟" || echo "标准内核"3.2 日志管理与保护
# AlmaLinux使用rsyslog + journald(systemd)# 查看rsyslog配置cat /etc/rsyslog.conf | grep -v '^#' | grep -v '^$' | head -20ls -la /etc/rsyslog.d/# 查看rsyslog远程转发grep '@' /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>/dev/null | head -5# 查看journald配置cat /etc/systemd/journald.conf | grep -v '^#' | grep -v '^$'# 查看日志持久化grep Storage /etc/systemd/journald.conf # 应为persistent或auto# 查看日志磁盘使用journalctl --disk-usage# 查看日志保留策略journalctl --vacuum-time=6months # 设置保留6个月# AlmaLinux特有:检查是否启用systemd-coredumpcat /etc/systemd/coredump.conf 2>/dev/null | head -10coredumpctl list 2>/dev/null | head -10# 查看日志权限ls -la /var/log/ | head -15stat -c '%a %U:%G' /var/log/messages /var/log/secure /var/log/audit/audit.log 2>/dev/null# 检查logrotate配置cat /etc/logrotate.conf | grep -v '^#' | head -10ls /etc/logrotate.d/ | head -10四、入侵防范(8.1.4.4)
4.1 最小化安装与漏洞修复
dnf check-update 2>/dev/null | wc -l | ||
dnf updateinfo list security 2>/dev/null | ||
systemctl status dnf-automatic.timer | ||
systemctl list-unit-files --state=enabled | grep -vE 'ssh|audit|rsyslog|cron|systemd' | ||
ss -tulnp | grep LISTEN |
AlmaLinux特有配置:
# 查看可更新包dnf check-update 2>/dev/null | wc -l | xargs -I {} echo "可更新包数: {}"# 查看安全更新(AlmaLinux使用RHEL安全数据)dnf updateinfo list security 2>/dev/null | head -20dnf updateinfo list sec 2>/dev/null | head -20# AlmaLinux特有:检查是否启用AlmaCare(商业支持)rpm -qa | grep almacare 2>/dev/null || echo "AlmaCare未安装(社区版)"# 查看已安装包数量rpm -qa | wc -l# 查看系统版本cat /etc/os-release | grep -E 'NAME|VERSION|ID_LIKE'cat /etc/almalinux-release 2>/dev/null || cat /etc/redhat-release 2>/dev/null# 查看已启用服务systemctl list-unit-files --state=enabled | grep -vE 'ssh|audit|rsyslog|cron|systemd|chrony|NetworkManager|firewalld' | head -20# 检查高危端口ss -tulnp | grep LISTEN | grep -E ':23|:111|:513|:514|:2049'# AlmaLinux特有:检查是否启用kpatch/livepatch(内核热补丁)systemctl status kpatch 2>/dev/null || echo "kpatch未启用"dnf list installed kpatch-dnf 2>/dev/null || echo "kpatch未安装"# 检查是否启用BPF工具rpm -qa | grep -E 'bcc-tools|bpftrace' | head -5# AlmaLinux特有:检查ELevate/leapp升级准备状态leapp preupgrade 2>/dev/null | tail -10 || echo "leapp未配置"4.2 防火墙与网络防护
# AlmaLinux默认使用firewalld(nftables后端)# 查看firewalld状态systemctl status firewalldfirewall-cmd --state# 查看firewalld默认区域firewall-cmd --get-default-zonefirewall-cmd --get-active-zones# 查看firewalld规则firewall-cmd --list-allfirewall-cmd --list-all-zones | head -50# 查看富规则firewall-cmd --list-rich-rules# 查看直接规则firewall-cmd --direct --get-all-rules# 检查nftables后端nft list ruleset 2>/dev/null | head -30# 检查iptables兼容模式iptables -L -n -v 2>/dev/null | head -10# 检查TCP Wrapper配置cat /etc/hosts.allowcat /etc/hosts.deny# 检查fail2ban(入侵防御)systemctl status fail2ban 2>/dev/null || echo "fail2ban未运行"fail2ban-client status 2>/dev/nullfail2ban-client status sshd 2>/dev/null# AlmaLinux特有:检查fapolicyd(应用程序白名单)systemctl status fapolicyd 2>/dev/null || echo "fapolicyd未运行"cat /etc/fapolicyd/fapolicyd.conf 2>/dev/null | head -10fapolicyd-cli --list 2>/dev/null | head -10# 检查网络内核参数sysctl -a 2>/dev/null | grep -E 'icmp_echo_ignore_all|rp_filter|syncookies' | head -104.3 安全启动与内核加固
# 检查Secure Boot状态mokutil --sb-state 2>/dev/null || echo "Secure Boot未启用或mokutil未安装"bootctl status 2>/dev/null | head -10# AlmaLinux特有:检查是否启用AlmaLinux Secure Boot证书mokutil --sb-state 2>/dev/null | grep -i enabled && \dmesg | grep -i "almalinux\|secure.*boot" | head -5# 查看内核参数安全设置sysctl -a 2>/dev/null | grep -E 'kptr_restrict|dmesg_restrict|kexec_load_disabled' | head -10# 查看当前内核启动参数cat /proc/cmdline# AlmaLinux特有:检查是否启用内核实时补丁(kpatch)systemctl status kpatch 2>/dev/null || echo "kpatch未启用"kpatch list 2>/dev/null | head -5# 检查IMA/EVM(完整性度量)cat /sys/kernel/security/ima/ascii_runtime_measurements 2>/dev/null | head -5dmesg | grep -i 'ima\|evm' | head -5# AlmaLinux特有:检查是否启用模块签名强制cat /proc/sys/kernel/modules_disabled 2>/dev/nullsysctl kernel.modules_disabled 2>/dev/null# Real Time内核检查(RT变体)uname -r | grep -q 'rt' && echo "Real Time内核已启用" || echo "标准内核"五、恶意代码防范(8.1.4.5)
rpm -qa | grep clamav | ||
systemctl is-active clamd | ||
freshclam --version | ||
systemctl is-active clamav-daemon |
AlmaLinux特有配置:
# 检查ClamAV安装rpm -qa | grep clamav | head -5# 查看ClamAV服务systemctl status clamd@scan 2>/dev/null || systemctl status clamd 2>/dev/null || echo "clamd未运行"# 手动更新病毒库sudo freshclam# 查看病毒库版本freshclam --version 2>/dev/null# 查看ClamScan计划任务cat /etc/cron.d/clamav-update 2>/dev/nullsystemctl list-timers | grep clamav# 检查Rootkit Hunterrpm -qa | grep rkhuntersudo rkhunter --check --sk 2>/dev/null | tail -20# 检查 chkrootkitrpm -qa | grep chkrootkit# AlmaLinux特有:检查是否启用OpenSCAP扫描rpm -qa | grep openscap-scanneroscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis /usr/share/xml/scap/ssg/content/ssg-al9-ds.xml 2>/dev/null | tail -20 || \oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis /usr/share/xml/scap/ssg/content/ssg-al8-ds.xml 2>/dev/null | tail -20 || \oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis /usr/share/xml/scap/ssg/content/ssg-rl9-ds.xml 2>/dev/null | tail -20 || \echo "SCAP内容未安装"# AlmaLinux特有:检查fapolicyd应用白名单fapolicyd-cli --check 2>/dev/null | head -10六、可信验证(8.1.4.6)
dmesg | grep -i tpm | ||
mokutil --sb-state | ||
cat /proc/sys/kernel/modules_disabled | ||
rpm -Va 2>/dev/null | head -20 |
AlmaLinux特有配置:
# 查看TPM状态dmesg | grep -i "tpm\|trusted platform"ls /dev/tpm* 2>/dev/null# 查看Secure Boot状态mokutil --sb-state 2>/dev/null || echo "Secure Boot未启用"# AlmaLinux特有:验证AlmaLinux Secure Boot签名dmesg | grep -i "almalinux\|secure.*boot" | head -5sbverify --list /boot/vmlinuz-$(uname -r) 2>/dev/null | head -10 || echo "sbverify未安装"# 查看内核安全启动cat /proc/sys/kernel/secure_boot 2>/dev/null# 验证RPM包完整性rpm -Va 2>/dev/null | grep -E '^S.5....T\|^..5....T\|^.......T' | head -20# 验证特定关键包rpm -V coreutils bash kernel systemd 2>/dev/null | head -10# 查看内核模块签名modinfo $(lsmod | awk 'NR==2{print $1}') 2>/dev/null | grep -E 'sig|signer|integ'# AlmaLinux特有:检查是否启用IMA appraisalcat /sys/kernel/security/ima/policy 2>/dev/null | head -5# 安装并运行Lynis安全扫描rpm -qa | grep lynissudo lynis audit system --quick 2>/dev/null | grep -E 'Warning|Suggestion' | head -20# AlmaLinux特有:使用OpenSCAP进行合规扫描oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig /usr/share/xml/scap/ssg/content/ssg-al9-ds.xml 2>/dev/null || \oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig /usr/share/xml/scap/ssg/content/ssg-al8-ds.xml 2>/dev/null七、数据备份与恢复(8.1.4.9)
cat /etc/cron.d/backup 2>/dev/null | grep -i backup | ||
rpm -qa | grep -E 'rear|bacula|amanda|restic|borg' | ||
stat -c '%a %U:%G' /backup | ||
tar -tzf /backup/etc-$(date +%F).tar.gz | wc -l |
AlmaLinux特有配置:
# 查看备份脚本cat /etc/cron.d/backup 2>/dev/null || crontab -l | grep backup# AlmaLinux特有:检查ReaR(Relax and Recover)rpm -qa | grep rearcat /etc/rear/local.conf 2>/dev/null | head -20rear -V 2>/dev/null# 检查Timeshift(桌面环境)rpm -qa | grep timeshiftsudo timeshift --list 2>/dev/null | head -10# 检查Bacula/Amanda(企业级)rpm -qa | grep -E 'bacula|amanda'# 检查现代备份工具(borg/restic)rpm -qa | grep -E 'borgbackup|restic'borg list /backup/borg 2>/dev/null | head -5restic snapshots -r /backup/restic 2>/dev/null | head -5# 查看Rsync备份任务crontab -l | grep rsynccat /etc/cron.d/*rsync* 2>/dev/null | head -10# 验证备份完整性sudo tar -tzf /backup/etc-$(date +%F).tar.gz 2>/dev/null | wc -l# AlmaLinux特有:使用ReaR验证恢复rear -v mkrescue 2>/dev/null | tail -10# AlmaLinux特有:检查ELevate升级备份(8→9迁移)cat /var/log/leapp/leapp-upgrade.log 2>/dev/null | tail -10 || echo "无升级记录"ls /root/tmp_leapp_py3/ 2>/dev/null | head -5 || echo "无升级备份"八、AlmaLinux特有安全功能
8.1 ELevate升级框架(8→9无缝迁移)
# AlmaLinux特有:ELevate/leapp升级框架,实现RHEL生态内无缝升级# 检查leapp安装rpm -qa | grep leappleapp --version 2>/dev/null# 查看升级预检报告leapp preupgrade 2>/dev/null | tail -20# 执行升级(谨慎操作)# leapp upgrade# reboot# 查看升级状态leapp status 2>/dev/null || echo "leapp未配置"# 查看升级日志cat /var/log/leapp/leapp-upgrade.log 2>/dev/null | tail -20cat /var/log/leapp/leapp-report.txt 2>/dev/null | head -30# 回滚升级(如需要)# leapp rollback8.2 AlmaCare商业支持(可选)
# AlmaLinux特有:AlmaCare商业支持服务# 检查AlmaCare安装rpm -qa | grep almacarealmacare --version 2>/dev/null || echo "AlmaCare未安装(社区版)"# 查看AlmaCare服务状态systemctl status almacare 2>/dev/null || echo "AlmaCare服务未运行"# AlmaCare提供:扩展安全更新、24/7支持、合规认证协助8.3 Real Time内核(RT变体)
# AlmaLinux特有:Real Time内核支持,适用于工业控制、金融交易# 检查RT内核uname -r | grep -q 'rt' && echo "Real Time内核已启用" || echo "标准内核"# 查看RT内核参数cat /proc/sys/kernel/sched_rt_period_us 2>/dev/null || echo "非RT内核"cat /proc/sys/kernel/sched_rt_runtime_us 2>/dev/null# 查看RT优先级配置ulimit -r 2>/dev/null || echo "未配置RT限制"# RT内核安全特性:确定性的安全响应、实时审计8.4 SCAP/OpenSCAP合规扫描
# AlmaLinux原生支持OpenSCAP,与RHEL/Rocky共享安全内容# 查看已安装的安全内容ls /usr/share/xml/scap/ssg/content/ 2>/dev/null | grep -E 'al8|al9|rl8|rl9' | head -10# 查看可用配置文件oscap info /usr/share/xml/scap/ssg/content/ssg-al9-ds.xml 2>/dev/null | head -30 || \oscap info /usr/share/xml/scap/ssg/content/ssg-al8-ds.xml 2>/dev/null | head -30# 执行CIS基准扫描oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis \ --results /tmp/oscap-results.xml \ --report /tmp/oscap-report.html \ /usr/share/xml/scap/ssg/content/ssg-al9-ds.xml 2>/dev/null || \oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis \ /usr/share/xml/scap/ssg/content/ssg-al8-ds.xml 2>/dev/null# 执行STIG扫描oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig \ /usr/share/xml/scap/ssg/content/ssg-al9-ds.xml 2>/dev/null || \oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_stig \ /usr/share/xml/scap/ssg/content/ssg-al8-ds.xml 2>/dev/null# 生成修复脚本oscap xccdf generate fix --profile cis /usr/share/xml/scap/ssg/content/ssg-al9-ds.xml 2>/dev/null > /tmp/cis-fix.sh一键巡检脚本(AlmaLinux)
#!/bin/bash# AlmaLinux 等保三级一键巡检脚本# 适用:AlmaLinux 8.9 / 9.3 (Standard/Real Time)# 执行用户:rootecho"===== AlmaLinux 等保巡检报告 ====="echo"巡检时间: $(date'+%Y-%m-%d %H:%M:%S')"echo"服务器: $(hostname)"echo"版本: $(cat /etc/os-release |grep PRETTY_NAME |cut -d'"'-f2)"echo"内核: $(uname-r)"echo""# 检测是否为Real Time内核ifuname-r|grep-q'rt';thenecho"内核类型: Real Time (RT)"elseecho"内核类型: 标准内核"fi# 检测AlmaCareifrpm-qa|grep-q almacare;thenecho"支持级别: AlmaCare商业版"elseecho"支持级别: 社区版"fiecho""echo"===== 1 身份鉴别 ====="echo"--- 空口令检查 ---"awk -F: '$2==""{print "空口令用户: "$1}' /etc/shadowecho"--- 密码锁定账户 ---"awk -F: '$2~"^!"{print "锁定用户: "$1}' /etc/shadow |head-5echo"--- 密码有效期 ---"grep-E'PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_WARN_AGE' /etc/login.defs 2>/dev/null |head-3echo"--- 密码复杂度 ---"cat /etc/security/pwquality.conf 2>/dev/null |grep-E'minlen|minclass'|head-3echo"--- 登录失败锁定 ---"cat /etc/security/faillock.conf 2>/dev/null |grep-v'^#'|grep-v'^$'|head-5echo"--- SSH配置 ---"grep-E'PermitRootLogin|Protocol|PasswordAuthentication|ClientAlive' /etc/ssh/sshd_config 2>/dev/null |head-5echo"--- authselect配置 ---"authselect current 2>/dev/null |head-3echo"--- FreeIPA/SSSD集成 ---"systemctl is-active sssd 2>/dev/null &&echo"SSSD: 运行中"||echo"SSSD: 未运行"echo""echo"===== 2 访问控制 ====="echo"--- 系统账户 ---"awk -F: '$3<1000 && $1!="root"{print "系统账户: "$1}' /etc/passwd |head-10echo"--- AlmaLinux特有账户检查 ---"grep-E'^almalinux|^initial-setup' /etc/passwd &&echo"⚠ 发现LiveCD/安装残留用户"||echo"✓ 无残留用户"echo"--- sudo配置 ---"grep'%wheel' /etc/sudoers 2>/dev/null |head-3echo"--- 关键文件权限 ---"stat-c'%a %n' /etc/passwd /etc/shadow /etc/group /etc/gshadow 2>/dev/nullecho"--- SELinux状态 ---"getenforce 2>/dev/null ||echo"SELinux未启用"sestatus 2>/dev/null |head-3echo"--- fapolicyd状态 ---"systemctl is-active fapolicyd 2>/dev/null ||echo"fapolicyd未运行"echo""echo"===== 3 安全审计 ====="echo"--- auditd状态 ---"systemctl is-active auditd 2>/dev/null && systemctl is-enabled auditd 2>/dev/nullecho"--- 审计规则数量 ---"auditctl -l2>/dev/null |wc-l|xargs-I{}echo"审计规则数: {}"echo"--- journald配置 ---"cat /etc/systemd/journald.conf 2>/dev/null |grep-v'^#'|grep-v'^$'|head-5echo"--- 日志权限 ---"ls-la /var/log/audit/audit.log 2>/dev/null ||echo"审计日志不存在"echo""echo"===== 4 入侵防范 ====="echo"--- 待更新包 ---"dnf check-update 2>/dev/null |wc-l|xargs-I{}echo"可更新包数: {}"echo"--- 安全更新 ---"dnf updateinfo list security 2>/dev/null |wc-l|xargs-I{}echo"安全公告数: {}"echo"--- 自动更新状态 ---"systemctl is-active dnf-automatic.timer 2>/dev/null ||echo"自动更新未启用"echo"--- 高危端口 ---"ss -tulnp2>/dev/null |grep-E'0.0.0.0:23|0.0.0.0:111|0.0.0.0:513'||echo"无高危端口暴露"echo"--- firewalld状态 ---"systemctl is-active firewalld 2>/dev/null ||echo"firewalld未运行"echo"--- Secure Boot ---"mokutil --sb-state 2>/dev/null ||echo"无法检测Secure Boot"echo"--- kpatch状态 ---"systemctl is-active kpatch 2>/dev/null ||echo"kpatch未运行"echo"--- ELevate/leapp状态 ---"leapp --version2>/dev/null ||echo"leapp未安装"echo""echo"===== 5 恶意代码防范 ====="echo"--- ClamAV安装 ---"rpm-qa2>/dev/null |grep clamav |head-3echo"--- ClamAV服务 ---"systemctl is-active clamd@scan 2>/dev/null || systemctl is-active clamd 2>/dev/null ||echo"clamd未运行"echo"--- 病毒库版本 ---"freshclam --version2>/dev/null ||echo"未安装freshclam"echo"--- SCAP内容 ---"ls /usr/share/xml/scap/ssg/content/ 2>/dev/null |grep-E'al8|al9'|wc-l|xargs-I{}echo"AlmaLinux SCAP内容文件数: {}"||echo"使用RHEL/Rocky兼容内容"echo""echo"===== 6 可信验证 ====="echo"--- TPM状态 ---"dmesg2>/dev/null |grep-i"tpm"|head-3echo"--- Secure Boot ---"mokutil --sb-state 2>/dev/null ||echo"无法检测Secure Boot"echo"--- RPM验证 ---"rpm-Va2>/dev/null |grep-c'S.5....T\|..5....T\|.......T'|xargs-I{}echo"修改过的文件数: {}"echo"--- 内核模块签名 ---"cat /proc/sys/kernel/modules_disabled 2>/dev/null ||echo"未配置"echo""echo"===== 7 数据备份 ====="echo"--- 备份任务 ---"crontab-l2>/dev/null |grep-i backup ||echo"未配置crontab备份"ls /etc/cron.d/*backup* 2>/dev/null |head-3||echo"未找到备份cron任务"echo"--- ReaR安装 ---"rpm-qa2>/dev/null |grep rear |head-3echo"--- 备份目录 ---"stat-c'%a %U:%G' /backup 2>/dev/null ||echo"备份目录不存在"echo"--- ELevate升级备份 ---"ls /root/tmp_leapp_py3/ 2>/dev/null |head-3||echo"无升级备份"echo""echo"===== 8 AlmaLinux特有功能 ====="echo"--- ELevate/leapp ---"leapp --version2>/dev/null ||echo"leapp未安装"echo"--- AlmaCare ---"rpm-qa2>/dev/null |grep almacare |head-3||echo"AlmaCare未安装(社区版)"echo"--- Real Time内核 ---"uname-r|grep-q'rt'&&echo"Real Time内核: 是"||echo"Real Time内核: 否"echo"--- SCAP扫描 ---"oscap --version2>/dev/null |head-1||echo"OpenSCAP未安装"echo"--- 系统版本 ---"cat /etc/almalinux-release 2>/dev/null ||cat /etc/redhat-release 2>/dev/null ||cat /etc/os-release |grep PRETTY_NAMEecho""echo"===== 巡检完成 ====="高风险项重点核查清单
| 空口令账户 | awk -F: '$2==""{print $1}' /etc/shadow | ||
| 密码复杂度未启用 | cat /etc/security/pwquality.conf | ||
| 无登录失败锁定 | cat /etc/security/faillock.conf | ||
| root远程登录 | grep ^PermitRootLogin /etc/ssh/sshd_config | ||
| SELinux未启用 | getenforce | ||
| 审计未启用 | systemctl is-active auditd | ||
| 自动更新未启用 | systemctl is-active dnf-automatic.timer | ||
| fapolicyd未启用 | systemctl is-active fapolicyd | ||
| Secure Boot未启用 | mokutil --sb-state | ||
| AlmaLinux残留用户 | grep ^almalinux /etc/passwd | ||
| 备份未配置 | crontab -l | grep backup |
AlmaLinux版本差异对照
测评执行要点
1. 权限要求
所有命令需
root权限执行部分命令需要普通用户执行(SSSD集成检查)
ELevate升级检查需要leapp框架已安装
2. 现场核查重点
系统来源识别:确认是全新安装还是从CentOS/RHEL迁移,检查残留配置
ELevate升级准备:如计划升级,检查leapp preupgrade报告中的 inhibitor
AlmaCare服务:商业环境确认是否购买AlmaCare获取扩展支持
Real Time内核:工业控制环境检查RT内核配置和实时审计
自动更新:AlmaLinux默认启用dnf-automatic,确认配置安全更新自动应用
3. 版本差异注意
AlmaLinux 8.x:基于RHEL 8,内核4.18,适合CentOS 8迁移环境
AlmaLinux 9.x:基于RHEL 9,内核5.14,推荐新建环境,完整kpatch支持
迁移策略:利用ELevate实现8→9无缝升级,无需重新安装
4. 与CentOS/RHEL兼容性
AlmaLinux 100%二进制兼容RHEL,等保测评命令与RHEL/Rocky基本一致
安全内容(SCAP)可共享使用RHEL或Rocky的SSG数据流
内核安全模块(kpatch、SELinux策略)与RHEL完全兼容
常用命令速查
# DNF包管理(与RHEL/Rocky一致)dnf check-update # 检查更新dnf upgrade # 升级系统dnf upgrade --security# 仅安全更新dnf install package # 安装包dnf remove package # 移除包dnf repoquery -l package # 查询文件列表dnf history# 操作历史dnf autoremove # 自动清理依赖# ELevate升级工具(AlmaLinux特有)leapp --version# 查看版本leapp preupgrade # 升级预检leapp upgrade # 执行升级leapp rollback # 回滚升级leapp status # 查看状态# Systemd服务管理systemctl status servicesystemctl start servicesystemctl enableservice# Firewalld防火墙firewall-cmd --statefirewall-cmd --list-allfirewall-cmd --add-service=http --permanentfirewall-cmd --reload# SELinux管理getenforce # 查看模式setenforce 0|1# 临时设置sestatus # 详细状态sealert -a /var/log/audit/audit.log # 图形化分析# OpenSCAP扫描oscap info content.xml # 查看内容信息oscap xccdf eval--profile cis content.xml # 执行扫描oscap xccdf generate report result.xml > report.html # 生成报告# 日志查看journalctl -uservice# 查看服务日志journalctl -f# 实时跟踪journalctl --since"1 hour ago"# 内核管理uname-r# 内核版本rpm-qa|grep kernel # 已安装内核dnf install kernel # 安装新内核# 备份恢复(ReaR)rear mkrescue # 创建救援镜像rear mkbackup # 创建备份rear recover # 恢复(救援环境)# Real Time内核(RT变体)uname-r|grep rt # 确认RT内核cat /proc/sys/kernel/sched_rt_period_us # RT调度参数参考标准:GB/T 22239-2019、GB/T 28448-2019、CIS AlmaLinux Benchmark 8/9、DISA STIG for RHEL 8/9、AlmaLinux Security Guide
适用版本:AlmaLinux 8.9 / 9.3 (Standard/Real Time)
验证环境:Minimal / Server / Server with GUI / 虚拟化 / 容器云 / 工业控制(RT)
汪汪虚拟空间10个内容
本文来自网友投稿或网络内容,如有侵犯您的权益请联系我们删除,联系邮箱:wyl860211@qq.com 。
随机文章
-
10个月宝宝每天需要喝多少奶粉?
- Python-07流程控制结构(体系文章)
- 救命!Linux进程命令竟这么好记,新手敲1遍就会
- 学Python先别急着写代码!搞懂这2件事,零基础也能少走1年弯路
- Python与JavaScript核心语法区别
- AI赋能财务:用AI一键生成Python代码,3步实现智能应收应付管理|财务数字化转型实战指南
- 已上岸,劝告那些准备去学Python的人!
- Python与财务自动化(四):处理Excel财务表格
- Python面向对象编程练习 2 命名空间和作用域
- 【Python学习】Python学习资源大全
- 正点原子IMX6ULL史诗级新内核Linux7.0移植教程(7)触摸屏移植:GT9147/Goodix 驱动配置
