提交 7c495066 authored 作者: 陈泽健

Merge remote-tracking branch 'origin/develop' into develop

#!/bin/bash
#===============================================================================
# 脚本名称: check_auditd.sh
# 功能描述: 检查麒麟v10系统auditd安全日志功能是否启用
# 使用方法: ./check_auditd.sh [--check|--fix|--auto-fix]
# 作者: AI生成
# 日期: 2026-03-25
# 版本: v1.0.0
#===============================================================================
# Paths and terminal colours shared by every function in this script.
LOG_FILE="/var/log/baseline_check_auditd.log"   # append-only run log used by log_info/log_error
AUDIT_LOG_DIR="/var/log/audit"
AUDIT_LOG_FILE="${AUDIT_LOG_DIR}/audit.log"
# ANSI escapes are stored as literal backslash sequences and rendered by `echo -e`.
RED="\033[0;31m"
GREEN="\033[0;32m"
YELLOW="\033[1;33m"
BLUE="\033[0;34m"
NC="\033[0m"
log_info() {
  # Append a timestamped INFO line to LOG_FILE and echo it to stdout; $1 is the message.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  echo "[${stamp}] INFO: $1" | tee -a "$LOG_FILE"
}
log_error() {
  # Append a timestamped ERROR line to LOG_FILE and echo it to stdout; $1 is the message.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  echo "[${stamp}] ERROR: $1" | tee -a "$LOG_FILE"
}
print_header() {
  # Print the coloured report banner followed by the current timestamp.
  local rule="${BLUE}============================================${NC}"
  printf '%b\n' "$rule"
  printf '%b\n' "${BLUE} Auditd安全日志功能检查报告${NC}"
  printf '%b\n' "$rule"
  printf '%s\n' "检查时间: $(date '+%Y-%m-%d %H:%M:%S')"
  printf '\n'
}
check_root_privilege() {
  # Abort with status 1 unless the effective UID is 0; the checks need root-only access.
  local uid
  uid=$(id -u)
  [ "$uid" -eq 0 ] && return 0
  echo -e "${RED}错误: 请使用root用户执行此脚本${NC}"
  exit 1
}
check_auditd() {
  # Report auditd install / service / boot-enable state and whether the audit
  # log file exists. Returns 0 only when the service is running AND enabled;
  # returns 1 otherwise (including when auditd is not installed at all).
  print_header
  local pass="${GREEN}[PASS]${NC}" ng="${RED}[NG]${NC}" warn="${YELLOW}[WARN]${NC}"
  local auditd_running=false auditd_enabled=false audit_log_exists=false
  local log_size

  echo "检查auditd安装状态:"
  # Accept either a PATH hit or the conventional sbin location.
  if command -v auditd &> /dev/null || [ -f "/usr/sbin/auditd" ]; then
    echo -e " ${pass} auditd已安装"
  else
    echo -e " ${ng} auditd未安装"
    echo ""
    echo -e "合规状态: ${RED}FAIL${NC} - auditd未安装"
    log_error "auditd未安装"
    echo ""
    echo "修复建议:"
    echo " 安装auditd: yum install -y audit"
    return 1
  fi

  echo ""
  echo "检查auditd服务状态:"
  if systemctl is-active --quiet auditd 2>/dev/null; then
    echo -e " ${pass} auditd服务正在运行"
    auditd_running=true
  else
    echo -e " ${ng} auditd服务未运行"
  fi

  echo ""
  echo "检查auditd开机自启状态:"
  if systemctl is-enabled --quiet auditd 2>/dev/null; then
    echo -e " ${pass} auditd已设置开机自启"
    auditd_enabled=true
  else
    echo -e " ${ng} auditd未设置开机自启"
  fi

  echo ""
  echo "检查audit日志文件:"
  if [ -f "$AUDIT_LOG_FILE" ]; then
    log_size=$(du -h "$AUDIT_LOG_FILE" 2>/dev/null | cut -f1)
    echo -e " ${pass} $AUDIT_LOG_FILE 存在 (大小: $log_size)"
    audit_log_exists=true
  else
    echo -e " ${warn} $AUDIT_LOG_FILE 不存在"
  fi

  echo ""
  echo "合规状态:"
  # Log-file presence is informational only; compliance needs running + enabled.
  if [[ "$auditd_running" == true && "$auditd_enabled" == true ]]; then
    echo -e " ${GREEN}PASS${NC} - auditd安全日志功能已启用"
    log_info "auditd安全日志功能检查: 通过"
    return 0
  fi
  echo -e " ${RED}FAIL${NC} - auditd安全日志功能未正确配置"
  log_error "auditd安全日志功能检查: 不通过"
  echo ""
  echo "修复建议:"
  echo " 启动auditd服务: systemctl start auditd"
  echo " 设置开机自启: systemctl enable auditd"
  return 1
}
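fix_auditd() {
  # Install (if needed), start and enable auditd, and make sure the audit log
  # directory exists. Returns 1 when install or start fails; a failed enable is
  # reported but not fatal (same as before).
  print_header
  echo -e "${YELLOW}执行模式: 配置修复${NC}"
  echo ""

  if ! command -v auditd &> /dev/null && [ ! -f "/usr/sbin/auditd" ]; then
    echo -n "安装auditd... "
    # yum output is silenced on purpose; only its exit status is acted on.
    if yum install -y audit &>/dev/null; then
      echo -e "${GREEN}成功${NC}"
      log_info "安装auditd"
    else
      echo -e "${RED}失败${NC}"
      echo "请手动安装: yum install -y audit"
      return 1
    fi
  fi

  echo -n "启动auditd服务... "
  if systemctl is-active --quiet auditd 2>/dev/null; then
    echo -e "${GREEN}已运行${NC}"
  elif systemctl start auditd 2>/dev/null; then
    echo -e "${GREEN}成功${NC}"
    log_info "启动auditd服务"
  else
    echo -e "${RED}失败${NC}"
    return 1
  fi

  echo -n "设置auditd开机自启... "
  if systemctl is-enabled --quiet auditd 2>/dev/null; then
    echo -e "${GREEN}已设置${NC}"
  elif systemctl enable auditd 2>/dev/null; then
    echo -e "${GREEN}成功${NC}"
    log_info "设置auditd开机自启"
  else
    echo -e "${RED}失败${NC}"
  fi

  if [ ! -d "$AUDIT_LOG_DIR" ]; then
    # Directory is created root-private-ish (0750) as the original chose.
    # NOTE(review): the audit package's own default for this directory may be
    # stricter — confirm against the target baseline before relying on 0750.
    mkdir -p -- "$AUDIT_LOG_DIR"
    chmod 750 "$AUDIT_LOG_DIR"
    log_info "创建audit日志目录: $AUDIT_LOG_DIR"
  fi

  echo ""
  # -e was missing here, so the colour escapes were printed literally.
  echo -e "配置完成,audit日志将记录到: ${GREEN}$AUDIT_LOG_FILE${NC}"
}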
show_usage() {
  # Print command-line help; $0 is the script name as invoked.
  cat <<EOF
用法: $0 [选项]

选项:
 --check 检查配置(默认)
 --fix 修复配置
 --auto-fix 检查并自动修复
 -h, --help 显示帮助

示例:
 $0 --check
 $0 --fix
EOF
}
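main() {
  # Entry point: require root, make sure the log directory exists, then
  # dispatch on the first argument (default --check).
  check_root_privilege
  # Declaration and assignment are split so the command's status is not masked.
  local log_dir
  log_dir=$(dirname "$LOG_FILE")
  [ -d "$log_dir" ] || mkdir -p "$log_dir"
  case "${1:---check}" in
    --check)
      check_auditd
      ;;
    --fix|--auto-fix)
      # Both modes behave the same: repair only when the (silenced) check fails.
      if ! check_auditd > /dev/null; then
        fix_auditd
      else
        echo -e "${GREEN}配置已合规${NC}"
      fi
      ;;
    -h|--help)
      show_usage
      exit 0
      ;;
    *)
      show_usage
      exit 1
      ;;
  esac
}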
# Run the script, forwarding every command-line argument to main.
main "$@"
#!/bin/bash
#===============================================================================
# 脚本名称: check_cron_logging.sh
# 功能描述: 检查麒麟v10系统cron日志功能是否启用
# 使用方法: ./check_cron_logging.sh [--check|--fix|--auto-fix]
# 作者: AI生成
# 日期: 2026-03-25
# 版本: v1.0.0
#===============================================================================
# Paths and terminal colours shared by every function in this script.
LOG_FILE="/var/log/baseline_check_cron_logging.log"   # append-only run log
CRON_LOG_FILE="/var/log/cron.log"
RSYSLOG_CONF="/etc/rsyslog.conf"
RSYSLOG_D_DIR="/etc/rsyslog.d"
# ANSI escapes are stored as literal backslash sequences and rendered by `echo -e`.
RED="\033[0;31m"
GREEN="\033[0;32m"
YELLOW="\033[1;33m"
BLUE="\033[0;34m"
NC="\033[0m"
log_info() {
  # Append a timestamped INFO line to LOG_FILE and echo it to stdout; $1 is the message.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  echo "[${stamp}] INFO: $1" | tee -a "$LOG_FILE"
}
log_error() {
  # Append a timestamped ERROR line to LOG_FILE and echo it to stdout; $1 is the message.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  echo "[${stamp}] ERROR: $1" | tee -a "$LOG_FILE"
}
print_header() {
  # Print the coloured report banner followed by the current timestamp.
  local rule="${BLUE}============================================${NC}"
  printf '%b\n' "$rule"
  printf '%b\n' "${BLUE} Cron日志功能检查报告${NC}"
  printf '%b\n' "$rule"
  printf '%s\n' "检查时间: $(date '+%Y-%m-%d %H:%M:%S')"
  printf '\n'
}
check_root_privilege() {
  # Abort with status 1 unless the effective UID is 0; the checks need root-only access.
  local uid
  uid=$(id -u)
  [ "$uid" -eq 0 ] && return 0
  echo -e "${RED}错误: 请使用root用户执行此脚本${NC}"
  exit 1
}
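check_cron_logging() {
  # Verify that rsyslog is running and that some rsyslog config carries a cron
  # facility selector; the log files themselves are informational only.
  # Returns 0 on PASS, 1 otherwise.
  print_header
  local pass="${GREEN}[PASS]${NC}" ng="${RED}[NG]${NC}" warn="${YELLOW}[WARN]${NC}"
  local rsyslog_running=false cron_log_configured=false cron_log_exists=false
  # A cron selector either starts the line ("cron.<priority>") or appears as the
  # explicit "cron.*" form inside a multi-selector line.
  local selector='cron\.\*|^cron\.'
  local conf_file log

  echo "检查rsyslog服务状态:"
  if systemctl is-active --quiet rsyslog 2>/dev/null; then
    echo -e " ${pass} rsyslog服务正在运行"
    rsyslog_running=true
  else
    echo -e " ${ng} rsyslog服务未运行"
  fi

  echo ""
  echo "检查cron日志配置:"
  # Commented-out lines are stripped first: a "#cron.* ..." line used to count
  # as a configured selector and produced a false PASS.
  if grep -Ev '^[[:space:]]*#' "$RSYSLOG_CONF" 2>/dev/null | grep -Eq -- "$selector"; then
    echo -e " ${pass} $RSYSLOG_CONF 已配置cron日志"
    cron_log_configured=true
  else
    echo -e " ${warn} $RSYSLOG_CONF 未配置cron日志"
  fi
  if [ -d "$RSYSLOG_D_DIR" ]; then
    for conf_file in "$RSYSLOG_D_DIR"/*.conf; do
      [ -f "$conf_file" ] || continue   # an unmatched glob leaves the literal pattern
      if grep -Ev '^[[:space:]]*#' "$conf_file" 2>/dev/null | grep -Eq -- "$selector"; then
        echo -e " ${pass} $conf_file 已配置cron日志"
        cron_log_configured=true
      fi
    done
  fi
  if [ "$cron_log_configured" = false ]; then
    echo -e " ${ng} 未找到cron日志配置"
  fi

  echo ""
  echo "检查cron日志文件:"
  local possible_logs=("/var/log/cron" "/var/log/cron.log" "/var/log/syslog")
  for log in "${possible_logs[@]}"; do
    if [ -f "$log" ]; then
      echo -e " ${pass} $log 存在"
      cron_log_exists=true
    fi
  done
  if [ "$cron_log_exists" = false ]; then
    echo -e " ${warn} 未找到cron日志文件"
  fi

  echo ""
  echo "合规状态:"
  if [[ "$rsyslog_running" == true && "$cron_log_configured" == true ]]; then
    echo -e " ${GREEN}PASS${NC} - cron日志功能已启用"
    log_info "cron日志功能检查: 通过"
    return 0
  fi
  echo -e " ${RED}FAIL${NC} - cron日志功能未正确配置"
  log_error "cron日志功能检查: 不通过"
  echo ""
  echo "修复建议:"
  echo " 1. 启动rsyslog服务: systemctl start rsyslog"
  echo " 2. 添加cron日志配置: echo 'cron.* /var/log/cron' >> /etc/rsyslog.d/cron.conf"
  echo " 3. 重启rsyslog服务: systemctl restart rsyslog"
  return 1
}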
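fix_cron_logging() {
  # Start rsyslog, make sure /etc/rsyslog.d/cron.conf routes the cron facility
  # to /var/log/cron, then restart rsyslog. Returns 1 if start/restart fails.
  print_header
  echo -e "${YELLOW}执行模式: 配置修复${NC}"
  echo ""
  local cron_conf="$RSYSLOG_D_DIR/cron.conf"
  local rule="cron.* /var/log/cron"

  echo -n "[1/3] 启动rsyslog服务... "
  if systemctl is-active --quiet rsyslog 2>/dev/null; then
    echo -e "${GREEN}已运行${NC}"
  elif systemctl start rsyslog 2>/dev/null; then
    echo -e "${GREEN}成功${NC}"
    log_info "启动rsyslog服务"
  else
    echo -e "${RED}失败${NC}"
    return 1
  fi

  echo -n "[2/3] 配置cron日志... "
  if [ ! -f "$cron_conf" ]; then
    printf '%s\n' "$rule" > "$cron_conf"
    echo -e "${GREEN}成功${NC} (创建 $cron_conf)"
    log_info "创建cron日志配置: $cron_conf"
  elif grep -Ev '^[[:space:]]*#' "$cron_conf" 2>/dev/null | grep -Eq 'cron\.\*'; then
    # Only an active (uncommented) selector counts as already configured.
    echo -e "${GREEN}已配置${NC}"
  else
    printf '%s\n' "$rule" >> "$cron_conf"
    echo -e "${GREEN}成功${NC}"
    log_info "更新cron日志配置: $cron_conf"
  fi

  echo -n "[3/3] 重启rsyslog服务... "
  if systemctl restart rsyslog 2>/dev/null; then
    echo -e "${GREEN}成功${NC}"
    log_info "重启rsyslog服务"
  else
    echo -e "${RED}失败${NC}"
    return 1
  fi

  echo ""
  # -e was missing here, so the colour escapes were printed literally.
  echo -e "配置完成,cron日志将记录到: ${GREEN}/var/log/cron${NC}"
}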
show_usage() {
  # Print command-line help; $0 is the script name as invoked.
  cat <<EOF
用法: $0 [选项]

选项:
 --check 检查配置(默认)
 --fix 修复配置
 --auto-fix 检查并自动修复
 -h, --help 显示帮助

示例:
 $0 --check
 $0 --fix
EOF
}
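main() {
  # Entry point: require root, make sure the log directory exists, then
  # dispatch on the first argument (default --check).
  check_root_privilege
  # Declaration and assignment are split so the command's status is not masked.
  local log_dir
  log_dir=$(dirname "$LOG_FILE")
  [ -d "$log_dir" ] || mkdir -p "$log_dir"
  case "${1:---check}" in
    --check)
      check_cron_logging
      ;;
    --fix|--auto-fix)
      # Both modes behave the same: repair only when the (silenced) check fails.
      if ! check_cron_logging > /dev/null; then
        fix_cron_logging
      else
        echo -e "${GREEN}配置已合规${NC}"
      fi
      ;;
    -h|--help)
      show_usage
      exit 0
      ;;
    *)
      show_usage
      exit 1
      ;;
  esac
}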
# Run the script, forwarding every command-line argument to main.
main "$@"
#!/bin/bash
#===============================================================================
# 脚本名称: check_dangerous_files.sh
# 功能描述: 检查麒麟v10系统是否存在潜在危险文件
# 使用方法: ./check_dangerous_files.sh [--check|--fix|--auto-fix]
# 作者: AI生成
# 日期: 2026-03-25
# 版本: v1.0.0
#===============================================================================
# Run log and terminal colours shared by every function in this script.
LOG_FILE="/var/log/baseline_check_dangerous_files.log"
# ANSI escapes are stored as literal backslash sequences and rendered by `echo -e`.
RED="\033[0;31m"
GREEN="\033[0;32m"
YELLOW="\033[1;33m"
BLUE="\033[0;34m"
NC="\033[0m"
# Per-user files that grant password-less trust or hold credentials; searched
# under /home and /root by file name.
DANGEROUS_FILES=(".rhosts" ".netrc")
# System-wide trust files checked by absolute path.
DANGEROUS_SYSTEM_FILES=("/etc/hosts.equiv")
log_info() {
  # Append a timestamped INFO line to LOG_FILE and echo it to stdout; $1 is the message.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  echo "[${stamp}] INFO: $1" | tee -a "$LOG_FILE"
}
log_error() {
  # Append a timestamped ERROR line to LOG_FILE and echo it to stdout; $1 is the message.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  echo "[${stamp}] ERROR: $1" | tee -a "$LOG_FILE"
}
print_header() {
  # Print the coloured report banner followed by the current timestamp.
  local rule="${BLUE}============================================${NC}"
  printf '%b\n' "$rule"
  printf '%b\n' "${BLUE} 潜在危险文件检查报告${NC}"
  printf '%b\n' "$rule"
  printf '%s\n' "检查时间: $(date '+%Y-%m-%d %H:%M:%S')"
  printf '\n'
}
check_root_privilege() {
  # Abort with status 1 unless the effective UID is 0; the checks need root-only access.
  local uid
  uid=$(id -u)
  [ "$uid" -eq 0 ] && return 0
  echo -e "${RED}错误: 请使用root用户执行此脚本${NC}"
  exit 1
}
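check_dangerous_files() {
  # Look for the DANGEROUS_FILES names under /home and /root, plus every
  # DANGEROUS_SYSTEM_FILES path. Returns 0 when nothing is found, 1 otherwise.
  print_header
  local found_files=()
  local total_checked=0   # counts hits; that is what the report line prints
  local dangerous_file sys_file file

  echo "检查用户目录下的危险文件:"
  for dangerous_file in "${DANGEROUS_FILES[@]}"; do
    # NUL-delimited so a path containing a newline (user-controlled under
    # /home) cannot be split into two bogus entries.
    while IFS= read -r -d '' file; do
      if [ -n "$file" ]; then
        echo -e " ${RED}${NC} $file"
        found_files+=("$file")
        ((total_checked++))
      fi
    done < <(find /home -name "$dangerous_file" -print0 2>/dev/null)
  done
  for dangerous_file in "${DANGEROUS_FILES[@]}"; do
    if [ -f "/root/$dangerous_file" ]; then
      echo -e " ${RED}${NC} /root/$dangerous_file"
      found_files+=("/root/$dangerous_file")
      ((total_checked++))
    fi
  done

  echo ""
  echo "检查系统级危险文件:"
  for sys_file in "${DANGEROUS_SYSTEM_FILES[@]}"; do
    if [ -e "$sys_file" ]; then
      echo -e " ${RED}${NC} $sys_file"
      found_files+=("$sys_file")
      ((total_checked++))
    fi
  done

  echo ""
  echo "检查结果:"
  echo " 检查文件数: $total_checked"
  echo " 发现危险文件: ${#found_files[@]}"
  if [ "${#found_files[@]}" -eq 0 ]; then
    echo ""
    echo -e " ${GREEN}[PASS]${NC} 未发现潜在危险文件"
    log_info "危险文件检查: 通过"
    echo ""
    echo -e "合规状态: ${GREEN}PASS${NC}"
    return 0
  fi
  echo ""
  echo -e " ${RED}[NG]${NC} 发现 ${#found_files[@]} 个潜在危险文件"
  log_error "发现危险文件: ${found_files[*]}"
  echo ""
  echo -e "合规状态: ${RED}FAIL${NC}"
  echo ""
  echo "风险说明:"
  echo " .rhosts - 允许无需密码的rsh/rlogin登录"
  echo " .netrc - 包含FTP/自动登录凭据"
  echo " hosts.equiv - 系统级信任主机配置"
  echo ""
  echo "修复建议: 删除这些危险文件"
  return 1
}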
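fix_dangerous_files() {
  # Delete every file check_dangerous_files would report and print a summary
  # of successful and failed removals. Each removal is written to LOG_FILE.
  print_header
  echo -e "${YELLOW}执行模式: 删除危险文件${NC}"
  echo ""
  local deleted_count=0 failed_count=0
  local dangerous_file sys_file file

  echo -n "正在删除危险文件... "
  for dangerous_file in "${DANGEROUS_FILES[@]}"; do
    # NUL-delimited so a newline in a user-controlled path cannot split into a
    # second, unintended removal target; -f keeps the "regular file only" rule.
    while IFS= read -r -d '' file; do
      if [ -n "$file" ] && [ -f "$file" ]; then
        if rm -f -- "$file" 2>/dev/null; then
          ((deleted_count++))
          log_info "删除危险文件: $file"
        else
          ((failed_count++))
        fi
      fi
    done < <(find /home -name "$dangerous_file" -print0 2>/dev/null)
  done
  for dangerous_file in "${DANGEROUS_FILES[@]}"; do
    if [ -f "/root/$dangerous_file" ]; then
      if rm -f -- "/root/$dangerous_file" 2>/dev/null; then
        ((deleted_count++))
        log_info "删除危险文件: /root/$dangerous_file"
      else
        ((failed_count++))
      fi
    fi
  done
  for sys_file in "${DANGEROUS_SYSTEM_FILES[@]}"; do
    if [ -e "$sys_file" ]; then
      if rm -f -- "$sys_file" 2>/dev/null; then
        ((deleted_count++))
        log_info "删除危险文件: $sys_file"
      else
        ((failed_count++))
      fi
    fi
  done
  echo -e "${GREEN}完成${NC}"

  echo ""
  echo "删除完成:"
  echo " 成功删除: ${GREEN}${deleted_count}${NC} 个文件"
  if [ "$failed_count" -gt 0 ]; then
    echo " 删除失败: ${RED}${failed_count}${NC} 个文件"
  fi
}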
show_usage() {
  # Print command-line help; $0 is the script name as invoked.
  cat <<EOF
用法: $0 [选项]

选项:
 --check 检查危险文件(默认)
 --fix 删除危险文件
 --auto-fix 检查并自动删除
 -h, --help 显示帮助

示例:
 $0 --check
 $0 --fix
EOF
}
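main() {
  # Entry point: require root, make sure the log directory exists, then
  # dispatch on the first argument (default --check).
  check_root_privilege
  # Declaration and assignment are split so the command's status is not masked.
  local log_dir
  log_dir=$(dirname "$LOG_FILE")
  [ -d "$log_dir" ] || mkdir -p "$log_dir"
  case "${1:---check}" in
    --check)
      check_dangerous_files
      ;;
    --fix|--auto-fix)
      # Both modes behave the same: delete only when the (silenced) check finds something.
      if ! check_dangerous_files > /dev/null; then
        fix_dangerous_files
      else
        echo -e "${GREEN}未发现危险文件${NC}"
      fi
      ;;
    -h|--help)
      show_usage
      exit 0
      ;;
    *)
      show_usage
      exit 1
      ;;
  esac
}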
# Run the script, forwarding every command-line argument to main.
main "$@"
#!/bin/bash
#===============================================================================
# 脚本名称: check_disk_usage.sh
# 功能描述: 检查麒麟v10系统磁盘分区使用率
# 使用方法: ./check_disk_usage.sh [warning_percent] [critical_percent]
# 作者: AI生成
# 日期: 2026-03-25
# 版本: v1.0.0
#===============================================================================
# Run log, thresholds and terminal colours shared by every function in this script.
LOG_FILE="/var/log/baseline_check_disk_usage.log"
# Thresholds (percent) default to 80/90; main() overrides them again from numeric args.
WARNING_THRESHOLD="${1:-80}"
CRITICAL_THRESHOLD="${2:-90}"
# ANSI escapes are stored as literal backslash sequences and rendered by `echo -e`/printf.
RED="\033[0;31m"
GREEN="\033[0;32m"
YELLOW="\033[1;33m"
BLUE="\033[0;34m"
NC="\033[0m"
log_info() {
  # Append a timestamped INFO line to LOG_FILE and echo it to stdout; $1 is the message.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  echo "[${stamp}] INFO: $1" | tee -a "$LOG_FILE"
}
log_error() {
  # Append a timestamped ERROR line to LOG_FILE and echo it to stdout; $1 is the message.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  echo "[${stamp}] ERROR: $1" | tee -a "$LOG_FILE"
}
print_header() {
  # Print the coloured report banner followed by the current timestamp.
  local rule="${BLUE}============================================${NC}"
  printf '%b\n' "$rule"
  printf '%b\n' "${BLUE} 磁盘分区使用率检查报告${NC}"
  printf '%b\n' "$rule"
  printf '%s\n' "检查时间: $(date '+%Y-%m-%d %H:%M:%S')"
  printf '\n'
}
check_root_privilege() {
  # Abort with status 1 unless the effective UID is 0; the checks need root-only access.
  local uid
  uid=$(id -u)
  [ "$uid" -eq 0 ] && return 0
  echo -e "${RED}错误: 请使用root用户执行此脚本${NC}"
  exit 1
}
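check_disk_usage() {
  # Print every real filesystem with its usage and colour the usage column
  # against WARNING_THRESHOLD / CRITICAL_THRESHOLD. Returns 0 (all fine),
  # 1 (warnings only) or 2 (at least one critical partition).
  print_header
  local total_partitions=0 warning_count=0 critical_count=0
  local critical_partitions=() warning_partitions=()
  local line filesystem size used avail use_percent mountpoint colour
  local partition fs mount percent

  echo "磁盘分区使用率检查:"
  echo "警告阈值: ${WARNING_THRESHOLD}%"
  echo "严重阈值: ${CRITICAL_THRESHOLD}%"
  echo ""
  echo "文件系统 大小 已用 可用 使用率 挂载点"
  echo "--------------------------------------------------------------------------"
  # df -P guarantees one line per filesystem (long device names are not wrapped),
  # so the six-field read below never sees a continuation line.
  while IFS= read -r line; do
    # Skip the header and pseudo filesystems (matched anywhere in the line, as before).
    if [[ "$line" =~ ^Filesystem ]] || [[ "$line" =~ tmpfs ]] || [[ "$line" =~ overlay ]]; then
      continue
    fi
    ((total_partitions++))
    # One read replaces six awk invocations per line; the mount point keeps
    # any trailing words (awk '$6' used to cut it at the first space).
    read -r filesystem size used avail use_percent mountpoint <<< "$line"
    use_percent=${use_percent%\%}
    printf "%-30s %-6s %-6s %-6s " "$filesystem" "$size" "$used" "$avail"
    # A non-numeric usage ("-" on some pseudo filesystems) cannot be compared;
    # print it uncoloured instead of letting `[ -ge ]` error out.
    if ! [[ "$use_percent" =~ ^[0-9]+$ ]]; then
      printf '%-8s %s\n' "$use_percent" "$mountpoint"
      continue
    fi
    # The original used `echo -e` with a printf format, so "%-8s %s" was
    # printed literally; %b renders the colour escapes the way echo -e did.
    if [ "$use_percent" -ge "$CRITICAL_THRESHOLD" ]; then
      colour=$RED
      critical_partitions+=("${filesystem}"$'\t'"${mountpoint}"$'\t'"${use_percent}%")
      ((critical_count++))
    elif [ "$use_percent" -ge "$WARNING_THRESHOLD" ]; then
      colour=$YELLOW
      warning_partitions+=("${filesystem}"$'\t'"${mountpoint}"$'\t'"${use_percent}%")
      ((warning_count++))
    else
      colour=$GREEN
    fi
    printf '%b%-8s%b %s\n' "$colour" "${use_percent}%" "$NC" "$mountpoint"
  done < <(df -hP 2>/dev/null | grep -v "^Filesystem")

  echo ""
  echo "检查结果:"
  echo " 检查分区数: $total_partitions"
  if [ "$critical_count" -gt 0 ]; then
    echo -e " 严重使用率: ${RED}${critical_count}${NC} 个分区 (≥${CRITICAL_THRESHOLD}%)"
  fi
  if [ "$warning_count" -gt 0 ]; then
    echo -e " 警告使用率: ${YELLOW}${warning_count}${NC} 个分区 (≥${WARNING_THRESHOLD}%)"
  fi
  # Entries are tab-separated (not ':') so an NFS source like host:/export is not split.
  if [ "$critical_count" -gt 0 ]; then
    echo ""
    echo -e "严重分区列表:"
    for partition in "${critical_partitions[@]}"; do
      IFS=$'\t' read -r fs mount percent <<< "$partition"
      echo -e " ${RED}${NC} $fs ($mount): $percent"
    done
    log_error "发现$critical_count个分区使用率≥${CRITICAL_THRESHOLD}%"
  fi
  if [ "$warning_count" -gt 0 ] && [ "$critical_count" -eq 0 ]; then
    echo ""
    echo -e "警告分区列表:"
    for partition in "${warning_partitions[@]}"; do
      IFS=$'\t' read -r fs mount percent <<< "$partition"
      echo -e " ${YELLOW}!${NC} $fs ($mount): $percent"
    done
    log_info "发现$warning_count个分区使用率≥${WARNING_THRESHOLD}%"
  fi

  echo ""
  echo "合规状态:"
  if [ "$critical_count" -eq 0 ] && [ "$warning_count" -eq 0 ]; then
    echo -e " ${GREEN}PASS${NC} - 磁盘使用率正常"
    log_info "磁盘使用率检查: 通过"
    return 0
  elif [ "$critical_count" -eq 0 ]; then
    echo -e " ${YELLOW}WARN${NC} - 存在分区使用率较高"
    return 1
  else
    echo -e " ${RED}FAIL${NC} - 存在分区使用率严重过高"
    echo ""
    echo "建议操作:"
    echo " 1. 清理日志文件: find /var/log -name \"*.log\" -mtime +30 -delete"
    echo " 2. 清理临时文件: rm -rf /tmp/*"
    echo " 3. 检查并删除大文件: find / -size +100M -type f"
    echo " 4. 配置日志轮转: logrotate"
    echo " 5. 扩容磁盘或添加新磁盘"
    return 2
  fi
}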
show_usage() {
  # Print command-line help; $0 is the script name as invoked.
  cat <<EOF
用法: $0 [警告阈值%] [严重阈值%]

选项:
 -h, --help 显示帮助

参数:
 警告阈值 - 默认80%
 严重阈值 - 默认90%

示例:
 $0 # 使用默认阈值
 $0 70 85 # 设置警告70%,严重85%
EOF
}
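main() {
  # Entry point: require root, make sure the log directory exists, then either
  # show help or override the thresholds from numeric positional arguments and
  # run the check.
  check_root_privilege
  # Declaration and assignment are split so the command's status is not masked.
  local log_dir
  log_dir=$(dirname "$LOG_FILE")
  [ -d "$log_dir" ] || mkdir -p "$log_dir"
  case "${1:---check}" in
    -h|--help)
      show_usage
      exit 0
      ;;
    *)
      # Only all-digit arguments override the defaults set at load time.
      if [[ "${1:-}" =~ ^[0-9]+$ ]]; then
        WARNING_THRESHOLD="$1"
      fi
      if [[ "${2:-}" =~ ^[0-9]+$ ]]; then
        CRITICAL_THRESHOLD="$2"
      fi
      check_disk_usage
      ;;
  esac
}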
# Run the script, forwarding every command-line argument to main.
main "$@"
#!/bin/bash
#===============================================================================
# 脚本名称: check_empty_password.sh
# 功能描述: 检查麒麟v10系统是否存在空口令账号
# 使用方法: ./check_empty_password.sh
# 作者: AI生成
# 日期: 2026-03-25
# 版本: v1.0.0
#===============================================================================
# Run log and terminal colours shared by every function in this script.
LOG_FILE="/var/log/baseline_check_empty_password.log"
# ANSI escapes are stored as literal backslash sequences and rendered by `echo -e`.
RED="\033[0;31m"
GREEN="\033[0;32m"
YELLOW="\033[1;33m"
BLUE="\033[0;34m"
NC="\033[0m"
log_info() {
  # Append a timestamped INFO line to LOG_FILE and echo it to stdout; $1 is the message.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  echo "[${stamp}] INFO: $1" | tee -a "$LOG_FILE"
}
log_error() {
  # Append a timestamped ERROR line to LOG_FILE and echo it to stdout; $1 is the message.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  echo "[${stamp}] ERROR: $1" | tee -a "$LOG_FILE"
}
print_header() {
  # Print the coloured report banner followed by the current timestamp.
  local rule="${BLUE}============================================${NC}"
  printf '%b\n' "$rule"
  printf '%b\n' "${BLUE} 空口令账号检查报告${NC}"
  printf '%b\n' "$rule"
  printf '%s\n' "检查时间: $(date '+%Y-%m-%d %H:%M:%S')"
  printf '\n'
}
check_root_privilege() {
  # Abort with status 1 unless the effective UID is 0; /etc/shadow is root-only.
  local uid
  uid=$(id -u)
  [ "$uid" -eq 0 ] && return 0
  echo -e "${RED}错误: 请使用root用户执行此脚本${NC}"
  exit 1
}
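check_empty_password() {
  # List non-system accounts (UID >= 1000) whose /etc/shadow password field is
  # empty or one of the "no usable password" markers. Returns 0 when none is
  # found, 1 otherwise.
  print_header
  local empty_users=()
  local username uid shadow_entry password_hash user
  # `|| [ -n ... ]` keeps a final passwd line that lacks a trailing newline.
  while IFS=: read -r username _ uid _ || [ -n "$username" ]; do
    # Skip system users; a non-numeric UID field is malformed, skip it too.
    [[ "$uid" =~ ^[0-9]+$ ]] || continue
    [ "$uid" -lt 1000 ] && continue
    # Exact first-field match: the previous grep "^user:" treated the user
    # name as a regular expression and could return several lines.
    shadow_entry=$(awk -F: -v u="$username" '$1 == u { print; exit }' /etc/shadow 2>/dev/null)
    [ -n "$shadow_entry" ] || continue   # no shadow entry: nothing to judge (as before)
    IFS=: read -r _ password_hash _ <<< "$shadow_entry"
    # An empty field means no password is required. "!!" and "*" mean the
    # account has no usable password (effectively locked); they are still
    # reported, as the original did.
    # NOTE(review): confirm that such locked accounts should count as 空口令.
    if [ -z "$password_hash" ] || [ "$password_hash" = "!!" ] || [ "$password_hash" = "*" ]; then
      empty_users+=("$username")
    fi
  done < /etc/passwd

  echo "检查结果:"
  if [ "${#empty_users[@]}" -eq 0 ]; then
    echo -e " ${GREEN}[PASS]${NC} 不存在空口令账号"
    log_info "空口令检查: 通过"
    echo ""
    echo -e "合规状态: ${GREEN}PASS${NC}"
    return 0
  fi
  echo -e " ${RED}[NG]${NC} 发现 ${#empty_users[@]} 个空口令账号"
  echo ""
  echo "空口令账号列表:"
  for user in "${empty_users[@]}"; do
    echo -e " ${RED}${NC} $user"
  done
  log_error "发现空口令账号: ${empty_users[*]}"
  echo ""
  echo -e "合规状态: ${RED}FAIL${NC}"
  echo ""
  echo "修复建议:"
  echo " 为空口令账号设置密码: passwd <username>"
  echo " 或锁定账号: passwd -l <username>"
  return 1
}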
show_usage() {
  # Print command-line help; $0 is the script name as invoked.
  cat <<EOF
用法: $0 [选项]

选项:
 -h, --help 显示帮助

功能:
 检查系统中是否存在空口令账号

修复方法:
 passwd username # 设置密码
 passwd -l username # 锁定账号
EOF
}
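main() {
  # Entry point: require root, make sure the log directory exists, then show
  # help for -h/--help and run the check for anything else.
  check_root_privilege
  # Declaration and assignment are split so the command's status is not masked.
  local log_dir
  log_dir=$(dirname "$LOG_FILE")
  [ -d "$log_dir" ] || mkdir -p "$log_dir"
  case "${1:---check}" in
    -h|--help)
      show_usage
      exit 0
      ;;
    *)
      check_empty_password
      ;;
  esac
}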
# Run the script, forwarding every command-line argument to main.
main "$@"
#!/bin/bash
#===============================================================================
# 脚本名称: check_ftp_anonymous.sh
# 功能描述: 检查麒麟v10系统FTP匿名登录配置
# 使用方法: ./check_ftp_anonymous.sh [--check|--fix|--auto-fix]
# 作者: AI生成
# 日期: 2026-03-25
# 版本: v1.0.0
#===============================================================================
# Run log, vsftpd config path and terminal colours shared by every function in this script.
LOG_FILE="/var/log/baseline_check_ftp_anonymous.log"
VSFTPD_CONF="/etc/vsftpd/vsftpd.conf"
# ANSI escapes are stored as literal backslash sequences and rendered by `echo -e`.
RED="\033[0;31m"
GREEN="\033[0;32m"
YELLOW="\033[1;33m"
BLUE="\033[0;34m"
NC="\033[0m"
log_info() {
  # Append a timestamped INFO line to LOG_FILE and echo it to stdout; $1 is the message.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  echo "[${stamp}] INFO: $1" | tee -a "$LOG_FILE"
}
log_error() {
  # Append a timestamped ERROR line to LOG_FILE and echo it to stdout; $1 is the message.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  echo "[${stamp}] ERROR: $1" | tee -a "$LOG_FILE"
}
print_header() {
  # Print the coloured report banner followed by the current timestamp.
  local rule="${BLUE}============================================${NC}"
  printf '%b\n' "$rule"
  printf '%b\n' "${BLUE} FTP匿名登录检查报告${NC}"
  printf '%b\n' "$rule"
  printf '%s\n' "检查时间: $(date '+%Y-%m-%d %H:%M:%S')"
  printf '\n'
}
check_root_privilege() {
  # Abort with status 1 unless the effective UID is 0; the checks need root-only access.
  local uid
  uid=$(id -u)
  [ "$uid" -eq 0 ] && return 0
  echo -e "${RED}错误: 请使用root用户执行此脚本${NC}"
  exit 1
}
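check_ftp_anonymous() {
  # Detect the FTP server in use and report whether anonymous login is
  # permitted. Returns 0 when no FTP service is found or anonymous access is
  # disabled, 1 when it is enabled.
  print_header
  local anonymous_enabled=false
  local anonymous_enable_value=""
  local ftp_service=""
  local proftpd_conf="/etc/proftpd.conf"

  echo "检查FTP服务:"
  # vsftpd counts as present when its config exists even if the unit is not active.
  if systemctl is-active --quiet vsftpd 2>/dev/null || [ -f "$VSFTPD_CONF" ]; then
    echo -e " ${GREEN}[INFO]${NC} 使用vsftpd服务"
    ftp_service="vsftpd"
  elif systemctl is-active --quiet proftpd 2>/dev/null; then
    echo -e " ${GREEN}[INFO]${NC} 使用proftpd服务"
    ftp_service="proftpd"
  elif systemctl is-active --quiet pure-ftpd 2>/dev/null; then
    echo -e " ${GREEN}[INFO]${NC} 使用pure-ftpd服务"
    ftp_service="pure-ftpd"
  else
    echo -e " ${YELLOW}[INFO]${NC} 未检测到FTP服务运行"
    echo ""
    echo -e "合规状态: ${GREEN}PASS${NC} - FTP服务未运行"
    return 0
  fi

  echo ""
  echo "检查匿名登录配置:"
  case "$ftp_service" in
    vsftpd)
      if [ -f "$VSFTPD_CONF" ]; then
        # vsftpd applies the last occurrence of a directive, so read the last
        # match. Its booleans are case-insensitive and accept YES/TRUE/1, so
        # "True" or "1" must count as enabled — the old YES/yes test missed them.
        anonymous_enable_value=$(grep "^anonymous_enable" "$VSFTPD_CONF" 2>/dev/null | tail -n 1 | awk -F= '{print $2}' | tr -d ' ')
        if [ -z "$anonymous_enable_value" ]; then
          echo -e " ${YELLOW}[INFO]${NC} anonymous_enable未设置(默认允许)"
          anonymous_enable_value="YES"
          anonymous_enabled=true
        else
          case "${anonymous_enable_value,,}" in
            yes|true|1)
              echo -e " ${RED}[NG]${NC} anonymous_enable=$anonymous_enable_value"
              anonymous_enabled=true
              ;;
            *)
              echo -e " ${GREEN}[PASS]${NC} anonymous_enable=$anonymous_enable_value"
              ;;
          esac
        fi
      fi
      ;;
    proftpd)
      if [ -f "$proftpd_conf" ]; then
        if grep -q "<Anonymous.*>" "$proftpd_conf" 2>/dev/null; then
          echo -e " ${RED}[NG]${NC} 发现<Anonymous>配置段"
          anonymous_enabled=true
        else
          echo -e " ${GREEN}[PASS]${NC} 未配置匿名访问"
        fi
      fi
      ;;
    pure-ftpd)
      # Only the running unit's command line is inspected; a config-file
      # setting would not be seen here.
      if systemctl status pure-ftpd 2>/dev/null | grep -q "--noanonymous"; then
        echo -e " ${GREEN}[PASS]${NC} 已启用--noanonymous参数"
      else
        echo -e " ${RED}[NG]${NC} 未启用--noanonymous参数"
        anonymous_enabled=true
      fi
      ;;
  esac

  echo ""
  echo "合规状态:"
  if [ "$anonymous_enabled" = false ]; then
    echo -e " ${GREEN}PASS${NC} - FTP匿名登录已禁用"
    log_info "FTP匿名登录检查: 通过"
    return 0
  fi
  echo -e " ${RED}FAIL${NC} - FTP匿名登录未禁用"
  log_error "FTP匿名登录检查: 不通过"
  echo ""
  echo "风险: 匿名FTP访问可能被滥用"
  echo ""
  echo "修复建议:"
  case "$ftp_service" in
    vsftpd)
      echo " 修改$VSFTPD_CONF:"
      echo " anonymous_enable=NO"
      echo " 重启服务: systemctl restart vsftpd"
      ;;
    proftpd)
      echo " 删除/etc/proftpd.conf中的<Anonymous>配置段"
      echo " 重启服务: systemctl restart proftpd"
      ;;
    pure-ftpd)
      echo " 添加--noanonymous参数"
      ;;
  esac
  return 1
}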
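fix_ftp_anonymous() {
  # Back up vsftpd.conf, set anonymous_enable=NO (updating or appending) and
  # restart vsftpd. Returns 1 when the config is missing or the backup fails.
  # Only vsftpd is handled; other servers get manual advice from the check.
  print_header
  echo -e "${YELLOW}执行模式: 禁用FTP匿名登录${NC}"
  echo ""
  if [ ! -f "$VSFTPD_CONF" ]; then
    echo -e "${RED}错误: vsftpd配置文件不存在${NC}"
    return 1
  fi
  local backup_file
  backup_file="${VSFTPD_CONF}.bak.$(date +%Y%m%d%H%M%S)"

  echo -n "[1/2] 备份配置文件... "
  # The copy's status was ignored before; do not edit a file whose backup failed.
  # -p keeps the original mode so the backup is no more readable than the config.
  if ! cp -p -- "$VSFTPD_CONF" "$backup_file"; then
    echo -e "${RED}失败${NC}"
    return 1
  fi
  echo -e "${GREEN}成功${NC}"

  echo -n "[2/2] 禁用匿名登录... "
  if grep -q "^anonymous_enable" "$VSFTPD_CONF" 2>/dev/null; then
    sed -i "s/^anonymous_enable.*/anonymous_enable=NO/" "$VSFTPD_CONF"
    echo -e "${GREEN}成功${NC} (更新)"
  else
    {
      echo ""
      echo "# 禁止匿名FTP登录"
      echo "anonymous_enable=NO"
    } >> "$VSFTPD_CONF"
    echo -e "${GREEN}成功${NC} (添加)"
  fi
  log_info "禁用FTP匿名登录"

  echo ""
  echo "重启FTP服务... "
  if systemctl restart vsftpd 2>/dev/null; then
    echo -e "${GREEN}vsftpd服务已重启${NC}"
  else
    echo -e "${YELLOW}请手动重启FTP服务${NC}"
  fi
  echo ""
  echo "配置完成,FTP匿名登录已禁用"
  echo "备份文件: $backup_file"
}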
show_usage() {
  # Print command-line help; $0 is the script name as invoked.
  cat <<EOF
用法: $0 [选项]

选项:
 --check 检查配置(默认)
 --fix 修复配置
 --auto-fix 检查并自动修复
 -h, --help 显示帮助

示例:
 $0 --check
 $0 --fix
EOF
}
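main() {
  # Entry point: require root, make sure the log directory exists, then
  # dispatch on the first argument (default --check).
  check_root_privilege
  # Declaration and assignment are split so the command's status is not masked.
  local log_dir
  log_dir=$(dirname "$LOG_FILE")
  [ -d "$log_dir" ] || mkdir -p "$log_dir"
  case "${1:---check}" in
    --check)
      check_ftp_anonymous
      ;;
    --fix|--auto-fix)
      # Both modes behave the same: repair only when the (silenced) check fails.
      if ! check_ftp_anonymous > /dev/null; then
        fix_ftp_anonymous
      else
        echo -e "${GREEN}FTP匿名登录已禁用${NC}"
      fi
      ;;
    -h|--help)
      show_usage
      exit 0
      ;;
    *)
      show_usage
      exit 1
      ;;
  esac
}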
# Run the script, forwarding every command-line argument to main.
main "$@"
#!/bin/bash
#===============================================================================
# 脚本名称: check_ftp_chroot.sh
# 功能描述: 检查麒麟v10系统FTP用户目录限制配置
# 使用方法: ./check_ftp_chroot.sh [--check|--fix|--auto-fix]
# 作者: AI生成
# 日期: 2026-03-25
# 版本: v1.0.0
#===============================================================================
# Run log, vsftpd config path and terminal colours shared by every function in this script.
LOG_FILE="/var/log/baseline_check_ftp_chroot.log"
VSFTPD_CONF="/etc/vsftpd/vsftpd.conf"
# ANSI escapes are stored as literal backslash sequences and rendered by `echo -e`.
RED="\033[0;31m"
GREEN="\033[0;32m"
YELLOW="\033[1;33m"
BLUE="\033[0;34m"
NC="\033[0m"
log_info() {
  # Append a timestamped INFO line to LOG_FILE and echo it to stdout; $1 is the message.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  echo "[${stamp}] INFO: $1" | tee -a "$LOG_FILE"
}
log_error() {
  # Append a timestamped ERROR line to LOG_FILE and echo it to stdout; $1 is the message.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  echo "[${stamp}] ERROR: $1" | tee -a "$LOG_FILE"
}
print_header() {
  # Print the coloured report banner followed by the current timestamp.
  local rule="${BLUE}============================================${NC}"
  printf '%b\n' "$rule"
  printf '%b\n' "${BLUE} FTP目录限制检查报告${NC}"
  printf '%b\n' "$rule"
  printf '%s\n' "检查时间: $(date '+%Y-%m-%d %H:%M:%S')"
  printf '\n'
}
check_root_privilege() {
  # Abort with status 1 unless the effective UID is 0; the checks need root-only access.
  local uid
  uid=$(id -u)
  [ "$uid" -eq 0 ] && return 0
  echo -e "${RED}错误: 请使用root用户执行此脚本${NC}"
  exit 1
}
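check_ftp_chroot() {
  # Detect the FTP server in use and report whether local users are confined
  # to their home directories (vsftpd chroot_local_user / proftpd DefaultRoot).
  # Returns 0 when no FTP service is found or confinement is on, 1 otherwise.
  print_header
  local chroot_local_user=false
  local chroot_list_enable=false
  local ftp_service=""
  local chroot_local_value chroot_list_value chroot_list_file
  local proftpd_conf="/etc/proftpd.conf"

  echo "检查FTP服务:"
  # vsftpd counts as present when its config exists even if the unit is not active.
  if systemctl is-active --quiet vsftpd 2>/dev/null || [ -f "$VSFTPD_CONF" ]; then
    echo -e " ${GREEN}[INFO]${NC} 使用vsftpd服务"
    ftp_service="vsftpd"
  elif systemctl is-active --quiet proftpd 2>/dev/null; then
    echo -e " ${GREEN}[INFO]${NC} 使用proftpd服务"
    ftp_service="proftpd"
  else
    echo -e " ${YELLOW}[INFO]${NC} 未检测到FTP服务运行"
    echo ""
    echo -e "合规状态: ${GREEN}PASS${NC} - FTP服务未运行"
    return 0
  fi

  echo ""
  echo "检查FTP目录限制配置:"
  case "$ftp_service" in
    vsftpd)
      if [ -f "$VSFTPD_CONF" ]; then
        # vsftpd applies the last occurrence of a directive, so read the last
        # match. Its booleans are case-insensitive and accept YES/TRUE/1; the
        # old YES/yes comparison reported "TRUE" or "1" as not configured.
        chroot_local_value=$(grep "^chroot_local_user" "$VSFTPD_CONF" 2>/dev/null | tail -n 1 | awk -F= '{print $2}' | tr -d ' ')
        chroot_list_value=$(grep "^chroot_list_enable" "$VSFTPD_CONF" 2>/dev/null | tail -n 1 | awk -F= '{print $2}' | tr -d ' ')
        echo " chroot_local_user: ${chroot_local_value:-未设置}"
        echo " chroot_list_enable: ${chroot_list_value:-未设置}"
        case "${chroot_local_value,,}" in
          yes|true|1)
            echo -e " ${GREEN}[PASS]${NC} 已启用用户目录限制"
            chroot_local_user=true
            ;;
          *)
            echo -e " ${RED}[NG]${NC} 未启用用户目录限制"
            ;;
        esac
        case "${chroot_list_value,,}" in
          yes|true|1)
            echo -e " ${GREEN}[PASS]${NC} 已启用例外列表"
            chroot_list_enable=true
            # With chroot_local_user=YES the list names users who are NOT confined.
            chroot_list_file=$(grep "^chroot_list_file" "$VSFTPD_CONF" 2>/dev/null | tail -n 1 | awk -F= '{print $2}' | tr -d ' ')
            echo " 例外列表文件: ${chroot_list_file:-/etc/vsftpd/chroot_list}"
            ;;
        esac
      fi
      ;;
    proftpd)
      if [ -f "$proftpd_conf" ]; then
        if grep -q "DefaultRoot" "$proftpd_conf" 2>/dev/null; then
          echo -e " ${GREEN}[PASS]${NC} 已配置DefaultRoot"
          chroot_local_user=true
        else
          echo -e " ${RED}[NG]${NC} 未配置DefaultRoot"
        fi
      fi
      ;;
  esac

  echo ""
  echo "合规状态:"
  if [ "$chroot_local_user" = true ]; then
    echo -e " ${GREEN}PASS${NC} - FTP用户目录限制已配置"
    log_info "FTP目录限制检查: 通过"
    return 0
  fi
  echo -e " ${YELLOW}WARN${NC} - FTP用户目录限制未配置"
  log_error "FTP目录限制检查: 未配置"
  echo ""
  echo "风险: FTP用户可能访问整个文件系统"
  echo ""
  echo "修复建议:"
  case "$ftp_service" in
    vsftpd)
      echo " 修改$VSFTPD_CONF:"
      echo " chroot_local_user=YES"
      echo " chroot_list_enable=YES"
      echo " chroot_list_file=/etc/vsftpd/chroot_list"
      echo " 创建例外列表: touch /etc/vsftpd/chroot_list"
      echo " 重启服务: systemctl restart vsftpd"
      ;;
    proftpd)
      echo " 在/etc/proftpd.conf中添加:"
      echo " DefaultRoot ~"
      echo " 重启服务: systemctl restart proftpd"
      ;;
  esac
  return 1
}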
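fix_ftp_chroot() {
  # Back up vsftpd.conf, force chroot_local_user/chroot_list_enable to YES,
  # make sure the exception list exists and restart vsftpd. Returns 1 when the
  # config is missing or the backup cannot be written.
  print_header
  echo -e "${YELLOW}执行模式: 配置FTP目录限制${NC}"
  echo ""
  if [ ! -f "$VSFTPD_CONF" ]; then
    echo -e "${RED}错误: vsftpd配置文件不存在${NC}"
    return 1
  fi
  local backup_file
  local chroot_list_file="/etc/vsftpd/chroot_list"
  backup_file="${VSFTPD_CONF}.bak.$(date +%Y%m%d%H%M%S)"

  echo -n "[1/3] 备份配置文件... "
  # The copy's status was ignored before; do not edit a file whose backup failed.
  # -p keeps the original mode so the backup is no more readable than the config.
  if ! cp -p -- "$VSFTPD_CONF" "$backup_file"; then
    echo -e "${RED}失败${NC}"
    return 1
  fi
  echo -e "${GREEN}成功${NC}"

  echo -n "[2/3] 配置目录限制... "
  if grep -q "^chroot_local_user" "$VSFTPD_CONF" 2>/dev/null; then
    sed -i "s/^chroot_local_user.*/chroot_local_user=YES/" "$VSFTPD_CONF"
  else
    {
      echo ""
      echo "# 将用户限制在主目录"
      echo "chroot_local_user=YES"
    } >> "$VSFTPD_CONF"
  fi
  if grep -q "^chroot_list_enable" "$VSFTPD_CONF" 2>/dev/null; then
    sed -i "s/^chroot_list_enable.*/chroot_list_enable=YES/" "$VSFTPD_CONF"
  else
    {
      echo "chroot_list_enable=YES"
      echo "chroot_list_file=/etc/vsftpd/chroot_list"
    } >> "$VSFTPD_CONF"
  fi
  echo -e "${GREEN}成功${NC}"
  log_info "配置FTP目录限制"
  # NOTE(review): newer vsftpd builds refuse logins when a chrooted home is
  # writable unless allow_writeable_chroot=YES is also set — verify on the target.

  echo -n "[3/3] 创建例外列表文件... "
  if [ ! -f "$chroot_list_file" ]; then
    touch -- "$chroot_list_file"
    echo -e "${GREEN}成功${NC}"
  else
    echo -e "${GREEN}已存在${NC}"
  fi

  echo ""
  echo "重启FTP服务... "
  if systemctl restart vsftpd 2>/dev/null; then
    echo -e "${GREEN}vsftpd服务已重启${NC}"
  else
    echo -e "${YELLOW}请手动重启FTP服务${NC}"
  fi
  echo ""
  echo "配置完成,FTP用户将被限制在各自的主目录中"
  echo ""
  echo "例外列表: $chroot_list_file"
  echo "在例外列表中的用户不受限制"
  echo "备份文件: $backup_file"
}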
show_usage() {
  # Print command-line help; $0 is the script name as invoked.
  cat <<EOF
用法: $0 [选项]

选项:
 --check 检查配置(默认)
 --fix 修复配置
 --auto-fix 检查并自动修复
 -h, --help 显示帮助

示例:
 $0 --check
 $0 --fix
EOF
}
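main() {
  # Entry point: require root, make sure the log directory exists, then
  # dispatch on the first argument (default --check).
  check_root_privilege
  # Declaration and assignment are split so the command's status is not masked.
  local log_dir
  log_dir=$(dirname "$LOG_FILE")
  [ -d "$log_dir" ] || mkdir -p "$log_dir"
  case "${1:---check}" in
    --check)
      check_ftp_chroot
      ;;
    --fix|--auto-fix)
      # Both modes behave the same: repair only when the (silenced) check fails.
      if ! check_ftp_chroot > /dev/null; then
        fix_ftp_chroot
      else
        echo -e "${GREEN}FTP目录限制已配置${NC}"
      fi
      ;;
    -h|--help)
      show_usage
      exit 0
      ;;
    *)
      show_usage
      exit 1
      ;;
  esac
}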
# Run the script, forwarding every command-line argument to main.
main "$@"
#!/bin/bash
#===============================================================================
# 脚本名称: check_ftp_root.sh
# 功能描述: 检查麒麟v10系统FTP root用户登录配置
# 使用方法: ./check_ftp_root.sh [--check|--fix|--auto-fix]
# 作者: AI生成
# 日期: 2026-03-25
# 版本: v1.0.0
#===============================================================================
# Log destination and the vsftpd files this check reads.
LOG_FILE=/var/log/baseline_check_ftp_root.log
FTPUSERS=/etc/vsftpd/ftpusers
USER_LIST=/etc/vsftpd/user_list
VSFTPD_CONF=/etc/vsftpd/vsftpd.conf
# ANSI colour codes kept as literal backslash sequences; echo -e expands them.
RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m'
BLUE='\033[0;34m' NC='\033[0m'
log_info() {
  # Timestamped INFO line written to stdout and appended to $LOG_FILE.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '[%s] INFO: %s\n' "$stamp" "$1" | tee -a "$LOG_FILE"
}
log_error() {
  # Timestamped ERROR line written to stdout and appended to $LOG_FILE.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '[%s] ERROR: %s\n' "$stamp" "$1" | tee -a "$LOG_FILE"
}
print_header() {
  # Report banner; %b expands the colour escapes the same way echo -e does.
  local rule='============================================'
  printf '%b\n' "${BLUE}${rule}${NC}" "${BLUE} FTP Root登录检查报告${NC}" "${BLUE}${rule}${NC}"
  printf '检查时间: %s\n\n' "$(date '+%Y-%m-%d %H:%M:%S')"
}
check_root_privilege() {
  # Abort unless the effective uid is 0; the checks read root-only files.
  local uid
  uid=$(id -u)
  [[ "$uid" -eq 0 ]] && return 0
  echo -e "${RED}错误: 请使用root用户执行此脚本${NC}"
  exit 1
}
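check_ftp_root() {
  # Report whether the root account is blocked from logging in over FTP.
  # Output: a report on stdout plus one log_info/log_error summary line.
  # Returns 0 when no FTP service is detected or root is denied, 1 when root
  # can log in (remediation hints are printed in that case).
  print_header
  local root_denied=false
  local ftp_service=""
  echo "检查FTP服务:"
  # vsftpd counts as present when its config file exists even if the unit is
  # stopped; the deny files below are still worth checking in that case.
  if systemctl is-active --quiet vsftpd 2>/dev/null || [ -f "$VSFTPD_CONF" ]; then
    echo -e " ${GREEN}[INFO]${NC} 使用vsftpd服务"
    ftp_service="vsftpd"
  elif systemctl is-active --quiet proftpd 2>/dev/null; then
    echo -e " ${GREEN}[INFO]${NC} 使用proftpd服务"
    ftp_service="proftpd"
  elif systemctl is-active --quiet pure-ftpd 2>/dev/null; then
    echo -e " ${GREEN}[INFO]${NC} 使用pure-ftpd服务"
    ftp_service="pure-ftpd"
  else
    echo -e " ${YELLOW}[INFO]${NC} 未检测到FTP服务运行"
    echo ""
    echo -e "合规状态: ${GREEN}PASS${NC} - FTP服务未运行"
    return 0
  fi
  echo ""
  echo "检查root用户FTP登录限制:"
  if [ "$ftp_service" = "vsftpd" ]; then
    # ftpusers is always a deny list (enforced through PAM): root listed => denied.
    if [ -f "$FTPUSERS" ]; then
      if grep -q "^root$" "$FTPUSERS" 2>/dev/null; then
        echo -e " ${GREEN}[PASS]${NC} root在$FTPUSERS中"
        root_denied=true
      else
        echo -e " ${RED}[NG]${NC} root不在$FTPUSERS中"
      fi
    else
      echo -e " ${YELLOW}[INFO]${NC} $FTPUSERS文件不存在"
    fi
    # user_list is only consulted when userlist_enable=YES, and its meaning
    # flips with userlist_deny: YES (the default) makes it a deny list, NO makes
    # it an allow list, in which case root being listed means root CAN log in.
    # The previous version treated the file as a deny list unconditionally.
    if [ -f "$USER_LIST" ]; then
      local root_listed=false
      grep -q "^root$" "$USER_LIST" 2>/dev/null && root_listed=true
      if ! grep -qi "^userlist_enable=YES" "$VSFTPD_CONF" 2>/dev/null; then
        echo -e " ${YELLOW}[INFO]${NC} userlist_enable未启用,$USER_LIST不生效"
      elif grep -qi "^userlist_deny=NO" "$VSFTPD_CONF" 2>/dev/null; then
        if [ "$root_listed" = true ]; then
          echo -e " ${RED}[NG]${NC} user_list为允许模式,root在列表中(允许登录)"
        else
          echo -e " ${GREEN}[PASS]${NC} user_list为允许模式,root不在列表中"
          root_denied=true
        fi
      elif [ "$root_listed" = true ]; then
        echo -e " ${GREEN}[PASS]${NC} root在$USER_LIST中"
        root_denied=true
      else
        echo -e " ${RED}[NG]${NC} root不在$USER_LIST中"
      fi
    fi
  fi
  if [ "$ftp_service" = "proftpd" ]; then
    local proftpd_conf="/etc/proftpd.conf"
    if [ -f "$proftpd_conf" ]; then
      if grep -q "<Limit LOGIN>" "$proftpd_conf" 2>/dev/null; then
        # Only the ten lines after the block opener are inspected.
        if grep -A 10 "<Limit LOGIN>" "$proftpd_conf" | grep -q "DenyUser root"; then
          echo -e " ${GREEN}[PASS]${NC} root登录已被拒绝"
          root_denied=true
        else
          echo -e " ${RED}[NG]${NC} 未配置拒绝root登录"
        fi
      else
        echo -e " ${YELLOW}[INFO]${NC} 未配置登录限制"
      fi
    fi
  fi
  echo ""
  echo "合规状态:"
  if [ "$root_denied" = true ]; then
    echo -e " ${GREEN}PASS${NC} - root用户FTP登录已被限制"
    log_info "FTP root登录检查: 通过"
    return 0
  fi
  echo -e " ${RED}FAIL${NC} - root用户可以FTP登录"
  log_error "FTP root登录检查: 不通过"
  echo ""
  echo "修复建议:"
  echo " 添加root到FTP禁止列表:"
  if [ "$ftp_service" = "vsftpd" ]; then
    echo " echo root >> $FTPUSERS"
    echo " 或"
    echo " echo root >> $USER_LIST"
    echo " systemctl restart vsftpd"
  elif [ "$ftp_service" = "proftpd" ]; then
    # ProFTPD closes the block with a bare </Limit>, not </Limit LOGIN>.
    echo " 在/etc/proftpd.conf中添加:"
    echo " <Limit LOGIN>"
    echo " DenyUser root"
    echo " </Limit>"
  fi
  return 1
}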
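_ftp_root_add_deny() {
  # Append "root" to deny-list file $1 unless already present; $2 is the short
  # name used in the log line. Prints the per-file result and returns 0 only
  # when a line was actually added.
  local file=$1 label=$2
  echo -n "添加root到$file... "
  if grep -q "^root$" "$file" 2>/dev/null; then
    echo -e "${GREEN}已存在${NC}"
    return 1
  fi
  if echo "root" >> "$file" 2>/dev/null; then
    echo -e "${GREEN}成功${NC}"
    log_info "添加root到$label"
    return 0
  fi
  echo -e "${RED}失败${NC}"
  return 1
}
fix_ftp_root() {
  # Deny root FTP logins for vsftpd by adding "root" to ftpusers and, when
  # user_list is a deny list, to user_list; restart the service if anything
  # changed. Only the vsftpd files are edited, so a proftpd host is reported
  # but not modified.
  print_header
  echo -e "${YELLOW}执行模式: 禁止root FTP登录${NC}"
  echo ""
  local fixed_count=0
  if [ -f "$FTPUSERS" ]; then
    _ftp_root_add_deny "$FTPUSERS" "ftpusers" && (( fixed_count++ ))
  fi
  if [ -f "$USER_LIST" ]; then
    # With userlist_deny=NO user_list is an allow list: adding root there would
    # grant exactly the login this fix is meant to block, so leave it alone.
    if grep -qi "^userlist_deny=NO" "$VSFTPD_CONF" 2>/dev/null; then
      echo -e "${YELLOW}user_list为允许模式,跳过 $USER_LIST${NC}"
    else
      _ftp_root_add_deny "$USER_LIST" "user_list" && (( fixed_count++ ))
    fi
  fi
  if [ "$fixed_count" -gt 0 ]; then
    echo ""
    echo "重启FTP服务..."
    if systemctl restart vsftpd 2>/dev/null; then
      echo -e "${GREEN}vsftpd服务已重启${NC}"
    elif systemctl restart proftpd 2>/dev/null; then
      echo -e "${GREEN}proftpd服务已重启${NC}"
    else
      echo -e "${YELLOW}请手动重启FTP服务${NC}"
    fi
  fi
  echo ""
  if [ "$fixed_count" -gt 0 ]; then
    echo "配置完成,root用户已被禁止FTP登录"
  else
    echo "root用户FTP登录已被限制"
  fi
}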
show_usage() {
  # Usage text; $0 is expanded inside the here-document.
  cat <<EOF
用法: $0 [选项]

选项:
 --check 检查配置(默认)
 --fix 修复配置
 --auto-fix 检查并自动修复
 -h, --help 显示帮助

示例:
 $0 --check
 $0 --fix
EOF
}
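main() {
  # Entry point: require root, make sure the log directory exists, then
  # dispatch on the first argument (default --check).
  # --fix and --auto-fix behave identically here, so they share one arm.
  check_root_privilege
  local log_dir
  log_dir=$(dirname "$LOG_FILE")
  # mkdir -p is a no-op when the directory already exists.
  mkdir -p "$log_dir"
  case "${1:---check}" in
    --check)
      check_ftp_root
      ;;
    --fix|--auto-fix)
      # The report is discarded; only the exit status decides whether to fix.
      if ! check_ftp_root > /dev/null; then
        fix_ftp_root
      else
        echo -e "${GREEN}root FTP登录已被限制${NC}"
      fi
      ;;
    -h|--help)
      show_usage
      exit 0
      ;;
    *)
      show_usage
      exit 1
      ;;
  esac
}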
main "$@"
#!/bin/bash
#===============================================================================
# 脚本名称: check_group_management.sh
# 功能描述: 检查麒麟v10系统组管理和用户组配置
# 使用方法: ./check_group_management.sh
# 作者: AI生成
# 日期: 2026-03-25
# 版本: v1.0.0
#===============================================================================
# Log destination for this check.
LOG_FILE=/var/log/baseline_check_group_management.log
# ANSI colour codes kept as literal backslash sequences; echo -e expands them.
RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m'
BLUE='\033[0;34m' NC='\033[0m'
log_info() {
  # Timestamped INFO line written to stdout and appended to $LOG_FILE.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '[%s] INFO: %s\n' "$stamp" "$1" | tee -a "$LOG_FILE"
}
log_error() {
  # Timestamped ERROR line written to stdout and appended to $LOG_FILE.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '[%s] ERROR: %s\n' "$stamp" "$1" | tee -a "$LOG_FILE"
}
print_header() {
  # Report banner; %b expands the colour escapes the same way echo -e does.
  local rule='============================================'
  printf '%b\n' "${BLUE}${rule}${NC}" "${BLUE} 组管理配置检查报告${NC}" "${BLUE}${rule}${NC}"
  printf '检查时间: %s\n\n' "$(date '+%Y-%m-%d %H:%M:%S')"
}
check_root_privilege() {
  # Abort unless the effective uid is 0; the checks read root-only files.
  local uid
  uid=$(id -u)
  [[ "$uid" -eq 0 ]] && return 0
  echo -e "${RED}错误: 请使用root用户执行此脚本${NC}"
  exit 1
}
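check_group_management() {
  # Report regular users (uid >= 1000) that lack a private primary group and
  # the supplementary membership of a few privileged groups. Informational
  # only: nothing is modified and no non-zero status is returned.
  print_header
  local total_users=0
  local users_with_private_group=0
  local users_without_private_group=()
  local username x uid gid gecos home shell group_name
  echo "检查用户组归属:"
  while IFS=: read -r username x uid gid gecos home shell; do
    # Skip malformed lines (non-numeric uid) and system accounts.
    [[ "$uid" =~ ^[0-9]+$ ]] || continue
    (( uid < 1000 )) && continue
    (( total_users++ ))
    # A private group is the group named after the user. The earlier uid==gid
    # shortcut misses users whose private group carries a different number and
    # accepts shared groups that merely happen to share the number.
    group_name=$(getent group "$gid" 2>/dev/null | cut -d: -f1)
    if [ "$group_name" = "$username" ]; then
      (( users_with_private_group++ ))
    else
      users_without_private_group+=("$username(uid=$uid,gid=$gid)")
    fi
  done < /etc/passwd
  echo " 普通用户总数: $total_users"
  echo " 有独立组的用户: $users_with_private_group"
  echo " 无独立组的用户: ${#users_without_private_group[@]}"
  if [ ${#users_without_private_group[@]} -gt 0 ]; then
    echo ""
    echo "无独立组的用户:"
    local user
    for user in "${users_without_private_group[@]}"; do
      echo -e " ${YELLOW}!${NC} $user"
    done
  fi
  echo ""
  echo "检查重要系统组:"
  local important_groups=("wheel" "docker" "sudo" "root")
  local group members
  for group in "${important_groups[@]}"; do
    getent group "$group" &>/dev/null || continue
    # Field 4 lists supplementary members only; accounts whose primary group
    # is this one do not appear here.
    members=$(getent group "$group" | cut -d: -f4)
    if [ -n "$members" ]; then
      echo -e " ${GREEN}${NC} $group: $members"
    else
      echo -e " ${YELLOW}!${NC} $group: (无成员)"
    fi
  done
  echo ""
  echo "合规状态:"
  if [ ${#users_without_private_group[@]} -eq 0 ]; then
    echo -e " ${GREEN}PASS${NC} - 用户组配置合理"
    log_info "组管理检查: 通过"
  else
    echo -e " ${YELLOW}INFO${NC} - 建议为用户创建独立用户组"
    log_info "组管理检查: ${#users_without_private_group[@]}个用户无独立组"
    echo ""
    echo "建议操作:"
    echo " 为用户创建独立组:"
    echo " groupadd <username>"
    echo " usermod -g <username> <username>"
  fi
}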
show_usage() {
  # Usage text; $0 is expanded inside the here-document.
  cat <<EOF
用法: $0 [选项]

选项:
 -h, --help 显示帮助

功能:
 检查系统用户组管理配置

示例:
 $0
EOF
}
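main() {
  # Entry point: require root, make sure the log directory exists, then run
  # the check unless help was requested. Any argument other than -h/--help
  # (including the implicit --check) runs the check.
  check_root_privilege
  local log_dir
  log_dir=$(dirname "$LOG_FILE")
  # mkdir -p is a no-op when the directory already exists.
  mkdir -p "$log_dir"
  case "${1:---check}" in
    -h|--help)
      show_usage
      exit 0
      ;;
    *)
      check_group_management
      ;;
  esac
}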
main "$@"
#!/bin/bash
#===============================================================================
# 脚本名称: check_grub_password.sh
# 功能描述: 检查麒麟v10系统GRUB引导管理器密码配置
# 使用方法: ./check_grub_password.sh [--check|--fix]
# 作者: AI生成
# 日期: 2026-03-25
# 版本: v1.0.0
#===============================================================================
# Log destination and the GRUB2 files this check reads.
LOG_FILE=/var/log/baseline_check_grub_password.log
GRUB_USERS_FILE=/etc/grub.d/01_users
GRUB_CFG=/boot/grub2/grub.cfg
# ANSI colour codes kept as literal backslash sequences; echo -e expands them.
RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m'
BLUE='\033[0;34m' NC='\033[0m'
log_info() {
  # Timestamped INFO line written to stdout and appended to $LOG_FILE.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '[%s] INFO: %s\n' "$stamp" "$1" | tee -a "$LOG_FILE"
}
log_error() {
  # Timestamped ERROR line written to stdout and appended to $LOG_FILE.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '[%s] ERROR: %s\n' "$stamp" "$1" | tee -a "$LOG_FILE"
}
print_header() {
  # Report banner; %b expands the colour escapes the same way echo -e does.
  local rule='============================================'
  printf '%b\n' "${BLUE}${rule}${NC}" "${BLUE} GRUB引导密码检查报告${NC}" "${BLUE}${rule}${NC}"
  printf '检查时间: %s\n\n' "$(date '+%Y-%m-%d %H:%M:%S')"
}
check_root_privilege() {
  # Abort unless the effective uid is 0; the checks read root-only files.
  local uid
  uid=$(id -u)
  [[ "$uid" -eq 0 ]] && return 0
  echo -e "${RED}错误: 请使用root用户执行此脚本${NC}"
  exit 1
}
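check_grub_password() {
  # Report whether GRUB2 menu editing is protected by a superuser password.
  # Returns 0 when GRUB2 is absent or a password is configured, 1 otherwise.
  print_header
  local password_set=false
  local superusers=""
  # grub2-setpassword (the tool --fix relies on) stores the hash in user.cfg
  # beside grub.cfg and 01_users only references it as ${GRUB2_PASSWORD}, so
  # a hash in either place counts as a configured password. The earlier
  # version only looked for a literal hash in 01_users and therefore kept
  # failing right after --fix had succeeded.
  local user_cfg
  user_cfg="$(dirname "$GRUB_CFG")/user.cfg"
  echo "检查GRUB2安装状态:"
  if [ -d "/boot/grub2" ] || [ -f "$GRUB_CFG" ]; then
    echo -e " ${GREEN}[PASS]${NC} GRUB2已安装"
  else
    echo -e " ${YELLOW}[INFO]${NC} 未检测到GRUB2,可能使用其他引导方式"
    return 0
  fi
  echo ""
  echo "检查GRUB密码配置:"
  if [ -f "$GRUB_USERS_FILE" ]; then
    # Accept the GRUB_SUPERUSERS=... form this script originally expected and
    # the `set superusers="root"` line found in RHEL-style 01_users files;
    # the value is whatever follows the first '='.
    superusers=$(grep -E '^(GRUB_SUPERUSERS=|[[:space:]]*set superusers=)' "$GRUB_USERS_FILE" 2>/dev/null \
      | head -n1 | sed -e 's/^[^=]*=//' | tr -d '" ')
    if [ -n "$superusers" ]; then
      echo " 超级用户: $superusers"
    else
      echo -e " ${RED}[NG]${NC} 未配置超级用户"
    fi
    local hash_found=false
    # A literal hash is the third field of a password_pbkdf2 line (leading
    # whitespace allowed); a ${GRUB2_PASSWORD} reference there does not count.
    if awk '$1 == "password_pbkdf2" && $3 ~ /^grub\.pbkdf2\./ { found = 1 } END { exit !found }' "$GRUB_USERS_FILE" 2>/dev/null; then
      hash_found=true
      echo -e " ${GREEN}[INFO]${NC} $GRUB_USERS_FILE 中包含密码哈希"
    fi
    if [ -f "$user_cfg" ] && grep -Eq '^GRUB2_PASSWORD=grub\.pbkdf2\.' "$user_cfg" 2>/dev/null; then
      hash_found=true
      echo -e " ${GREEN}[INFO]${NC} $user_cfg 中包含密码哈希"
    fi
    if [ -n "$superusers" ] && [ "$hash_found" = true ]; then
      echo -e " ${GREEN}[PASS]${NC} 已配置GRUB密码"
      password_set=true
    elif [ -n "$superusers" ]; then
      echo -e " ${RED}[NG]${NC} 超级用户未设置密码"
    fi
    # Show the non-comment head of the file. Any line mentioning a password is
    # reduced to its keyword and user name so that no part of the hash
    # (algorithm, iteration count or salt) reaches the report or the terminal.
    echo ""
    echo "配置文件内容(部分):"
    local line kw user rest
    grep -v "^#" "$GRUB_USERS_FILE" 2>/dev/null | head -5 | while IFS= read -r line; do
      if [[ "$line" =~ password ]]; then
        read -r kw user rest <<< "$line"
        echo " $kw $user ... (密码已隐藏)"
      else
        echo " $line"
      fi
    done
  else
    echo -e " ${RED}[NG]${NC} GRUB用户配置文件不存在: $GRUB_USERS_FILE"
  fi
  echo ""
  echo "合规状态:"
  if [ "$password_set" = true ]; then
    echo -e " ${GREEN}PASS${NC} - GRUB密码已配置"
    log_info "GRUB密码检查: 通过"
    return 0
  fi
  echo -e " ${RED}FAIL${NC} - GRUB密码未配置"
  log_error "GRUB密码检查: 未配置"
  echo ""
  echo "配置方法:"
  echo " 1. 使用 grub2-setpassword 设置超级用户密码:"
  echo " grub2-setpassword"
  echo ""
  echo " 2. 或使用 grub2-mkpasswd-pbkdf2 创建PBKDF2密码:"
  echo " grub2-mkpasswd-pbkdf2"
  echo " 然后编辑 $GRUB_USERS_FILE"
  echo ""
  echo " 3. 更新GRUB配置:"
  echo " grub2-mkconfig -o $GRUB_CFG"
  return 1
}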
fix_grub_password() {
  # Interactively set the GRUB superuser password via grub2-setpassword and
  # then regenerate grub.cfg. Returns 1 when the users file is missing or the
  # password tool fails; a failed mkconfig only produces a warning.
  print_header
  echo -e "${YELLOW}执行模式: 配置GRUB密码${NC}"
  echo ""
  if [ ! -f "$GRUB_USERS_FILE" ]; then
    echo -e "${RED}错误: GRUB配置文件不存在${NC}"
    return 1
  fi
  printf '%s\n\n%s\n\n' "使用grub2-setpassword配置GRUB密码" "请按照提示输入超级用户密码:"
  if ! grub2-setpassword; then
    echo ""
    echo -e "${RED}GRUB密码配置失败${NC}"
    echo ""
    echo "请手动执行以下命令:"
    echo " grub2-setpassword"
    echo " grub2-mkconfig -o $GRUB_CFG"
    return 1
  fi
  echo ""
  echo -e "${GREEN}GRUB密码配置成功${NC}"
  log_info "配置GRUB密码"
  echo ""
  echo "更新GRUB配置..."
  if grub2-mkconfig -o "$GRUB_CFG" &>/dev/null; then
    echo -e "${GREEN}GRUB配置已更新${NC}"
  else
    echo -e "${YELLOW}GRUB配置更新可能需要手动执行${NC}"
  fi
}
show_usage() {
echo "用法: $0 [选项]"
echo ""
echo "选项:"
echo " --check 检查配置(默认)"
echo " --fix 交互式配置密码"
echo " -h, --help 显示帮助"
echo ""
echo "示例:"
echo " $0 --check"
echo " $0 --fix"
echo ""
echo "注意: --fix模式需要交互式输入密码,无法自动执行"
}
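main() {
  # Entry point: require root, make sure the log directory exists, then
  # dispatch on the first argument (default --check). There is no --auto-fix
  # here because fix_grub_password is interactive.
  check_root_privilege
  local log_dir
  log_dir=$(dirname "$LOG_FILE")
  # mkdir -p is a no-op when the directory already exists.
  mkdir -p "$log_dir"
  case "${1:---check}" in
    --check)
      check_grub_password
      ;;
    --fix)
      # The report is discarded; only the exit status decides whether to fix.
      if ! check_grub_password > /dev/null; then
        fix_grub_password
      else
        echo -e "${GREEN}GRUB密码已配置${NC}"
      fi
      ;;
    -h|--help)
      show_usage
      exit 0
      ;;
    *)
      show_usage
      exit 1
      ;;
  esac
}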
main "$@"
#!/bin/bash
#===============================================================================
# 脚本名称: check_history_commands.sh
# 功能描述: 检查麒麟v10系统历史命令配置(HISTSIZE、HISTFILESIZE)
# 使用方法: ./check_history_commands.sh [--check|--fix|--auto-fix] [size]
# 作者: AI生成
# 日期: 2026-03-25
# 版本: v1.0.0
#===============================================================================
# Log destination, recommended history sizes, and the files that may set them
# (later files in the list win when both define a value).
LOG_FILE=/var/log/baseline_check_history_commands.log
EXPECTED_HISTSIZE=1000
EXPECTED_HISTFILESIZE=2000
CONFIG_FILES=(/etc/bashrc /etc/profile)
# ANSI colour codes kept as literal backslash sequences; echo -e expands them.
RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m'
BLUE='\033[0;34m' NC='\033[0m'
log_info() {
  # Timestamped INFO line written to stdout and appended to $LOG_FILE.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '[%s] INFO: %s\n' "$stamp" "$1" | tee -a "$LOG_FILE"
}
log_error() {
  # Timestamped ERROR line written to stdout and appended to $LOG_FILE.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '[%s] ERROR: %s\n' "$stamp" "$1" | tee -a "$LOG_FILE"
}
print_header() {
  # Report banner; %b expands the colour escapes the same way echo -e does.
  local rule='============================================'
  printf '%b\n' "${BLUE}${rule}${NC}" "${BLUE} 历史命令配置检查报告${NC}" "${BLUE}${rule}${NC}"
  printf '检查时间: %s\n\n' "$(date '+%Y-%m-%d %H:%M:%S')"
}
check_root_privilege() {
  # Abort unless the effective uid is 0; the checks read root-only files.
  local uid
  uid=$(id -u)
  [[ "$uid" -eq 0 ]] && return 0
  echo -e "${RED}错误: 请使用root用户执行此脚本${NC}"
  exit 1
}
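_hist_value_in_file() {
  # Print the value of the last "NAME=value" (or "export NAME=value") line in
  # file $2 for NAME=$1, with surrounding quotes and any trailing comment
  # removed; print nothing when no such line exists. Anchoring on "NAME="
  # avoids matching e.g. HISTSIZEX, and taking the last line mirrors how the
  # shell applies repeated assignments.
  local name=$1 file=$2 line
  line=$(grep -E "^[[:space:]]*(export[[:space:]]+)?${name}=" "$file" 2>/dev/null | tail -n1)
  [ -n "$line" ] || return 0
  line=${line#*=}
  line=${line%%[[:space:]#]*}
  line=${line//\"/}
  line=${line//\'/}
  printf '%s\n' "$line"
}
check_history_commands() {
  # Report the HISTSIZE / HISTFILESIZE values set in CONFIG_FILES and compare
  # them with the recommended values. Returns 0 when both are set to a
  # positive integer, 1 otherwise. A non-numeric value (e.g. a variable
  # reference) is reported but treated as not compliant instead of aborting
  # the numeric comparison as the earlier version did.
  print_header
  local histsize_value=""
  local histfilesize_value=""
  local histsize_found=false
  local histfilesize_found=false
  local file value
  echo "检查历史命令配置:"
  for file in "${CONFIG_FILES[@]}"; do
    [ -f "$file" ] || continue
    value=$(_hist_value_in_file HISTSIZE "$file")
    if [ -n "$value" ]; then
      echo " $file: HISTSIZE=$value"
      histsize_value=$value
      histsize_found=true
    fi
  done
  if [ "$histsize_found" = false ]; then
    echo -e " ${YELLOW}[WARN]${NC} 未配置HISTSIZE"
    histsize_value=0
  fi
  echo ""
  for file in "${CONFIG_FILES[@]}"; do
    [ -f "$file" ] || continue
    value=$(_hist_value_in_file HISTFILESIZE "$file")
    if [ -n "$value" ]; then
      echo " $file: HISTFILESIZE=$value"
      histfilesize_value=$value
      histfilesize_found=true
    fi
  done
  if [ "$histfilesize_found" = false ]; then
    echo -e " ${YELLOW}[WARN]${NC} 未配置HISTFILESIZE"
    histfilesize_value=0
  fi
  echo ""
  echo "推荐值:"
  echo " HISTSIZE: $EXPECTED_HISTSIZE"
  echo " HISTFILESIZE: $EXPECTED_HISTFILESIZE"
  echo ""
  echo "合规状态:"
  if [ "$histsize_found" = true ] && [ "$histfilesize_found" = true ] \
     && [[ "$histsize_value" =~ ^[0-9]+$ && "$histfilesize_value" =~ ^[0-9]+$ ]] \
     && (( histsize_value > 0 && histfilesize_value > 0 )); then
    echo -e " ${GREEN}PASS${NC} - 历史命令配置已设置"
    echo " HISTSIZE=$histsize_value, HISTFILESIZE=$histfilesize_value"
    log_info "历史命令配置检查: 通过"
    return 0
  fi
  echo -e " ${YELLOW}WARN${NC} - 历史命令配置不完整或未设置"
  log_error "历史命令配置检查: 不完整"
  echo ""
  echo "建议配置:"
  echo " 在/etc/bashrc或/etc/profile中添加:"
  echo " HISTSIZE=$EXPECTED_HISTSIZE"
  echo " HISTFILESIZE=$EXPECTED_HISTFILESIZE"
  return 1
}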
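fix_history_commands() {
  # Write HISTSIZE=$1 and HISTFILESIZE=$2 (defaults EXPECTED_*) to /etc/bashrc,
  # updating an existing "NAME=" line in place and appending otherwise.
  # Both values come straight from the command line, so they are validated as
  # non-negative integers before being spliced into a sed expression or the
  # config file. Returns 1 on invalid input or when the backup fails; the
  # original file is left untouched in both cases.
  local hist_size="${1:-$EXPECTED_HISTSIZE}"
  local hist_file_size="${2:-$EXPECTED_HISTFILESIZE}"
  if ! [[ "$hist_size" =~ ^[0-9]+$ && "$hist_file_size" =~ ^[0-9]+$ ]]; then
    echo -e "${RED}错误: HISTSIZE和HISTFILESIZE必须为非负整数 (收到: '$hist_size' '$hist_file_size')${NC}"
    log_error "历史命令配置参数无效: '$hist_size' '$hist_file_size'"
    return 1
  fi
  print_header
  echo -e "${YELLOW}执行模式: 配置修复${NC}"
  echo "设置值: HISTSIZE=$hist_size, HISTFILESIZE=$hist_file_size"
  echo ""
  # /etc/bashrc is preferred over /etc/profile so the values reach every
  # interactive bash shell, not only login shells.
  local config_file="/etc/bashrc"
  local backup_file="${config_file}.bak.$(date +%Y%m%d%H%M%S)"
  echo -n "[1/3] 备份配置文件... "
  if [ -f "$config_file" ]; then
    if cp "$config_file" "$backup_file"; then
      echo -e "${GREEN}成功${NC}"
    else
      echo -e "${RED}失败,中止修改${NC}"
      log_error "备份 $config_file 失败"
      return 1
    fi
  else
    echo -e "${YELLOW}文件不存在,将创建${NC}"
    backup_file=""
  fi
  echo -n "[2/3] 配置HISTSIZE... "
  if grep -q "^HISTSIZE=" "$config_file" 2>/dev/null; then
    sed -i "s/^HISTSIZE=.*/HISTSIZE=$hist_size/" "$config_file"
    echo -e "${GREEN}成功${NC} (更新)"
  else
    {
      echo ""
      echo "# 历史命令记录条数"
      echo "HISTSIZE=$hist_size"
    } >> "$config_file"
    echo -e "${GREEN}成功${NC} (添加)"
  fi
  echo -n "[3/3] 配置HISTFILESIZE... "
  if grep -q "^HISTFILESIZE=" "$config_file" 2>/dev/null; then
    sed -i "s/^HISTFILESIZE=.*/HISTFILESIZE=$hist_file_size/" "$config_file"
    echo -e "${GREEN}成功${NC} (更新)"
  else
    {
      echo "# 历史命令文件大小"
      echo "HISTFILESIZE=$hist_file_size"
    } >> "$config_file"
    echo -e "${GREEN}成功${NC} (添加)"
  fi
  log_info "配置历史命令: HISTSIZE=$hist_size, HISTFILESIZE=$hist_file_size"
  echo ""
  echo "配置完成:"
  # echo -e so the colour escapes are rendered instead of printed literally.
  echo -e " HISTSIZE: ${GREEN}${hist_size}${NC}"
  echo -e " HISTFILESIZE: ${GREEN}${hist_file_size}${NC}"
  echo ""
  echo "请执行以下命令使配置生效:"
  echo " source /etc/bashrc"
  [ -n "$backup_file" ] && echo "备份文件: $backup_file"
  return 0
}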
show_usage() {
  # Usage text; $0 is expanded inside the here-document.
  cat <<EOF
用法: $0 [选项] [HISTSIZE] [HISTFILESIZE]

选项:
 --check 检查配置(默认)
 --fix [size] 修复配置(默认1000 2000)
 --auto-fix 检查并自动修复
 -h, --help 显示帮助

示例:
 $0 --check
 $0 --fix 1000 2000
EOF
}
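main() {
  # Entry point: require root, make sure the log directory exists, then
  # dispatch on the first argument (default --check). --fix forwards the
  # optional sizes "$2" "$3"; --auto-fix always uses the defaults.
  check_root_privilege
  local log_dir
  log_dir=$(dirname "$LOG_FILE")
  # mkdir -p is a no-op when the directory already exists.
  mkdir -p "$log_dir"
  case "${1:---check}" in
    --check)
      check_history_commands
      ;;
    --fix)
      # The report is discarded; only the exit status decides whether to fix.
      if ! check_history_commands > /dev/null; then
        fix_history_commands "$2" "$3"
      else
        echo -e "${GREEN}配置已合规${NC}"
      fi
      ;;
    --auto-fix)
      if ! check_history_commands > /dev/null; then
        fix_history_commands
      else
        echo -e "${GREEN}配置已合规${NC}"
      fi
      ;;
    -h|--help)
      show_usage
      exit 0
      ;;
    *)
      show_usage
      exit 1
      ;;
  esac
}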
main "$@"
#!/bin/bash
#===============================================================================
# 脚本名称: check_home_directory_permissions.sh
# 功能描述: 检查麒麟v10系统用户家目录权限设置
# 使用方法: ./check_home_directory_permissions.sh [--check|--fix|--auto-fix]
# 作者: AI生成
# 日期: 2026-03-25
# 版本: v1.0.0
#===============================================================================
# login.defs parameter that sets the default umask, the value expected by the
# baseline, and the most permissive home-directory mode tolerated.
CONFIG_FILE=/etc/login.defs
PARAM_NAME=UMASK
EXPECTED_VALUE=027
MAX_HOME_PERM=755
LOG_FILE=/var/log/baseline_check_home_permissions.log
# ANSI colour codes kept as literal backslash sequences; echo -e expands them.
RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m'
BLUE='\033[0;34m' NC='\033[0m'
log_info() {
  # Timestamped INFO line written to stdout and appended to $LOG_FILE.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '[%s] INFO: %s\n' "$stamp" "$1" | tee -a "$LOG_FILE"
}
log_error() {
  # Timestamped ERROR line written to stdout and appended to $LOG_FILE.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '[%s] ERROR: %s\n' "$stamp" "$1" | tee -a "$LOG_FILE"
}
print_header() {
  # Report banner; %b expands the colour escapes the same way echo -e does.
  local rule='============================================'
  printf '%b\n' "${BLUE}${rule}${NC}" "${BLUE} 用户家目录权限检查报告${NC}" "${BLUE}${rule}${NC}"
  printf '检查时间: %s\n配置文件: %s\n\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$CONFIG_FILE"
}
check_root_privilege() {
  # Abort unless the effective uid is 0; the checks read root-only files.
  local uid
  uid=$(id -u)
  [[ "$uid" -eq 0 ]] && return 0
  echo -e "${RED}错误: 请使用root用户执行此脚本${NC}"
  exit 1
}
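check_home_permissions() {
  # Report regular users (uid >= 1000) whose home directory carries mode bits
  # beyond MAX_HOME_PERM, and show the UMASK value from login.defs.
  # Returns 0 when no such directory exists, 1 otherwise.
  print_header
  local umask_value
  umask_value=$(grep "^${PARAM_NAME}" "$CONFIG_FILE" 2>/dev/null | awk '{print $2}')
  local excessive_perms=()
  local total_users=0
  local skip_count=0
  local username x uid gid gecos home shell perm
  echo "当前配置:"
  if [ -n "$umask_value" ]; then
    echo -e " ${PARAM_NAME}: ${umask_value}"
  else
    echo -e " ${YELLOW}[WARN]${NC} ${PARAM_NAME} 未配置"
  fi
  echo ""
  echo "检查用户家目录权限:"
  while IFS=: read -r username x uid gid gecos home shell; do
    (( total_users++ ))
    # System accounts and malformed lines (non-numeric uid) are skipped.
    if ! [[ "$uid" =~ ^[0-9]+$ ]] || (( uid < 1000 )); then
      (( skip_count++ ))
      continue
    fi
    [ -d "$home" ] || continue
    perm=$(stat -c "%a" "$home" 2>/dev/null)
    # Compare bit-wise rather than as decimal numbers: 747 is "smaller" than
    # 755 yet grants other-write, and setgid/sticky bits appear as a fourth
    # digit. Anything stat could not read is skipped rather than compared.
    [[ "$perm" =~ ^[0-7]{3,4}$ ]] || continue
    if (( 8#$perm & ~8#$MAX_HOME_PERM )); then
      excessive_perms+=("$username:$home:$perm")
    fi
  done < /etc/passwd
  echo " 总用户数: $total_users"
  echo " 跳过系统用户: $skip_count"
  echo " 已检查用户数: $((total_users - skip_count))"
  echo ""
  if [ ${#excessive_perms[@]} -eq 0 ]; then
    echo -e " ${GREEN}[PASS]${NC} 不存在权限过高的家目录"
    log_info "家目录权限检查: 通过"
    echo ""
    echo -e "合规状态: ${GREEN}PASS${NC}"
    return 0
  fi
  echo -e " ${RED}[NG]${NC} 发现 ${#excessive_perms[@]} 个权限过高的家目录"
  echo ""
  echo "权限过高目录列表 (权限 > ${MAX_HOME_PERM}):"
  echo " 用户名:家目录:当前权限"
  local item user
  for item in "${excessive_perms[@]}"; do
    IFS=: read -r user home perm <<< "$item"
    echo -e " ${RED}${NC} $user:$home:$perm"
  done
  log_error "发现权限过高的家目录: ${excessive_perms[*]}"
  echo ""
  echo -e "合规状态: ${RED}FAIL${NC}"
  echo ""
  echo "修复建议:"
  echo " chmod 755 /home/username"
  echo " 或修改umask配置: UMASK 027"
  return 1
}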
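fix_home_permissions() {
  # Remove mode bits beyond MAX_HOME_PERM from every regular user's home
  # directory and set PARAM_NAME to EXPECTED_VALUE in CONFIG_FILE (after
  # backing it up). Only the excess bits are cleared, so a 770 home becomes
  # 750 instead of gaining world read/execute as a blanket chmod 755 would.
  print_header
  echo -e "${YELLOW}执行模式: 权限修复${NC}"
  echo ""
  local fixed_count=0
  local failed_count=0
  local backup_file=""
  local umask_done=false
  local username x uid gid gecos home shell perm new_perm
  while IFS=: read -r username x uid gid gecos home shell; do
    # Same selection as the check: numeric uid >= 1000 with an existing home.
    [[ "$uid" =~ ^[0-9]+$ ]] || continue
    (( uid < 1000 )) && continue
    [ -d "$home" ] || continue
    perm=$(stat -c "%a" "$home" 2>/dev/null)
    [[ "$perm" =~ ^[0-7]{3,4}$ ]] || continue
    (( 8#$perm & ~8#$MAX_HOME_PERM )) || continue
    printf -v new_perm '%03o' "$(( 8#$perm & 8#$MAX_HOME_PERM ))"
    echo -n "修复 $home ($perm -> ${new_perm})... "
    if chmod "$new_perm" "$home" 2>/dev/null; then
      echo -e "${GREEN}成功${NC}"
      (( fixed_count++ ))
      log_info "修复家目录权限: $home"
    else
      echo -e "${RED}失败${NC}"
      (( failed_count++ ))
      log_error "修复失败: $home"
    fi
  done < /etc/passwd
  echo ""
  echo -n "修复umask配置... "
  if [ ! -f "$CONFIG_FILE" ]; then
    # Do not create login.defs from scratch: a file holding only UMASK would
    # replace the distribution defaults for every other parameter.
    echo -e "${YELLOW}跳过: $CONFIG_FILE 不存在${NC}"
    log_error "$CONFIG_FILE 不存在,未配置 $PARAM_NAME"
  else
    backup_file="${CONFIG_FILE}.bak.$(date +%Y%m%d%H%M%S)"
    if ! cp "$CONFIG_FILE" "$backup_file"; then
      echo -e "${RED}失败: 无法备份 $CONFIG_FILE${NC}"
      log_error "备份 $CONFIG_FILE 失败,未修改 $PARAM_NAME"
      backup_file=""
    else
      # login.defs entries are "NAME<whitespace>value"; anchor on the
      # whitespace so only the exact parameter line is rewritten.
      if grep -q "^${PARAM_NAME}[[:space:]]" "$CONFIG_FILE"; then
        sed -i "s/^${PARAM_NAME}[[:space:]].*/${PARAM_NAME} ${EXPECTED_VALUE}/" "$CONFIG_FILE"
      else
        {
          echo ""
          echo "# 用户家目录默认权限掩码"
          echo "${PARAM_NAME} ${EXPECTED_VALUE}"
        } >> "$CONFIG_FILE"
      fi
      echo -e "${GREEN}成功${NC}"
      umask_done=true
    fi
  fi
  echo ""
  echo "修复完成:"
  echo -e " 修复家目录数: ${GREEN}${fixed_count}${NC}"
  if [ "$failed_count" -gt 0 ]; then
    echo -e " 修复失败数: ${RED}${failed_count}${NC}"
  fi
  [ "$umask_done" = true ] && echo " umask已配置: ${EXPECTED_VALUE}"
  echo ""
  [ -n "$backup_file" ] && echo "备份文件: $backup_file"
  return 0
}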
show_usage() {
  # Usage text; $0 is expanded inside the here-document.
  cat <<EOF
用法: $0 [选项]

选项:
 --check 检查配置(默认)
 --fix 修复权限
 --auto-fix 检查并自动修复
 -h, --help 显示帮助

示例:
 $0 --check
 $0 --fix
EOF
}
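main() {
  # Entry point: require root, make sure the log directory exists, then
  # dispatch on the first argument (default --check).
  # --fix and --auto-fix behave identically here, so they share one arm.
  check_root_privilege
  local log_dir
  log_dir=$(dirname "$LOG_FILE")
  # mkdir -p is a no-op when the directory already exists.
  mkdir -p "$log_dir"
  case "${1:---check}" in
    --check)
      check_home_permissions
      ;;
    --fix|--auto-fix)
      # The report is discarded; only the exit status decides whether to fix.
      if ! check_home_permissions > /dev/null; then
        fix_home_permissions
      else
        echo -e "${GREEN}配置已合规${NC}"
      fi
      ;;
    -h|--help)
      show_usage
      exit 0
      ;;
    *)
      show_usage
      exit 1
      ;;
  esac
}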
main "$@"
#!/bin/bash
#===============================================================================
# 脚本名称: check_important_file_permissions.sh
# 功能描述: 检查麒麟v10系统重要目录和文件权限设置
# 使用方法: ./check_important_file_permissions.sh [--check|--fix|--auto-fix]
# 作者: AI生成
# 日期: 2026-03-25
# 版本: v1.0.0
#===============================================================================
# Log destination for this check.
LOG_FILE=/var/log/baseline_check_important_permissions.log
# ANSI colour codes kept as literal backslash sequences; echo -e expands them.
RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m'
BLUE='\033[0;34m' NC='\033[0m'
# Security-relevant files and the octal mode the baseline expects for each.
declare -A IMPORTANT_FILES
IMPORTANT_FILES[/etc/passwd]=644
IMPORTANT_FILES[/etc/shadow]=600
IMPORTANT_FILES[/etc/group]=644
IMPORTANT_FILES[/etc/gshadow]=600
IMPORTANT_FILES[/etc/ssh/sshd_config]=600
# Security-relevant directories and the octal mode the baseline expects.
declare -A IMPORTANT_DIRS
IMPORTANT_DIRS[/etc]=755
IMPORTANT_DIRS[/boot]=755
IMPORTANT_DIRS[/bin]=755
IMPORTANT_DIRS[/sbin]=755
IMPORTANT_DIRS[/usr/bin]=755
IMPORTANT_DIRS[/usr/sbin]=755
IMPORTANT_DIRS[/root]=700
log_info() {
  # Timestamped INFO line written to stdout and appended to $LOG_FILE.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '[%s] INFO: %s\n' "$stamp" "$1" | tee -a "$LOG_FILE"
}
log_error() {
  # Timestamped ERROR line written to stdout and appended to $LOG_FILE.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '[%s] ERROR: %s\n' "$stamp" "$1" | tee -a "$LOG_FILE"
}
print_header() {
  # Report banner; %b expands the colour escapes the same way echo -e does.
  local rule='============================================'
  printf '%b\n' "${BLUE}${rule}${NC}" "${BLUE} 重要目录和文件权限检查报告${NC}" "${BLUE}${rule}${NC}"
  printf '检查时间: %s\n\n' "$(date '+%Y-%m-%d %H:%M:%S')"
}
check_root_privilege() {
  # Abort unless the effective uid is 0; the checks read root-only files.
  local uid
  uid=$(id -u)
  [[ "$uid" -eq 0 ]] && return 0
  echo -e "${RED}错误: 请使用root用户执行此脚本${NC}"
  exit 1
}
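_perm_check_entry() {
  # Print one report line for path $1 against expected octal mode $2
  # ($3 is the kind label, e.g. "文件"). Returns 0 when the path grants no
  # permission bit beyond the expected mode, 1 when it does, 2 when the path
  # does not exist. A stricter mode (e.g. 000 on /etc/shadow) passes; the
  # earlier version demanded an exact match and flagged it.
  local path=$1 expected=$2 kind=$3 actual
  if [ ! -e "$path" ]; then
    echo -e " ${YELLOW}!${NC} $path:${kind}不存在"
    return 2
  fi
  actual=$(stat -c "%a" "$path" 2>/dev/null)
  if [[ "$actual" =~ ^[0-7]{3,4}$ ]] && (( (8#$actual & ~8#$expected) == 0 )); then
    echo -e " ${GREEN}${NC} $path:$actual:$expected"
    return 0
  fi
  echo -e " ${RED}${NC} $path:$actual:$expected"
  return 1
}
check_important_permissions() {
  # Verify that every entry of IMPORTANT_FILES / IMPORTANT_DIRS is no more
  # permissive than its baseline mode. Entries are visited in sorted order so
  # reports are stable between runs (associative-array order is unspecified).
  # Returns 0 when every existing entry passes, 1 otherwise.
  print_header
  local failed_items=()
  local passed_count=0
  local failed_count=0
  local -a files dirs
  local path
  mapfile -t files < <(printf '%s\n' "${!IMPORTANT_FILES[@]}" | LC_ALL=C sort)
  mapfile -t dirs < <(printf '%s\n' "${!IMPORTANT_DIRS[@]}" | LC_ALL=C sort)
  echo "检查重要文件权限:"
  echo " 文件路径:当前权限:标准权限"
  for path in "${files[@]}"; do
    _perm_check_entry "$path" "${IMPORTANT_FILES[$path]}" "文件"
    case $? in
      0) (( passed_count++ )) ;;
      1) (( failed_count++ )); failed_items+=("$path") ;;
    esac
  done
  echo ""
  echo "检查重要目录权限:"
  echo " 目录路径:当前权限:标准权限"
  for path in "${dirs[@]}"; do
    _perm_check_entry "$path" "${IMPORTANT_DIRS[$path]}" "目录"
    case $? in
      0) (( passed_count++ )) ;;
      1) (( failed_count++ )); failed_items+=("$path") ;;
    esac
  done
  echo ""
  echo "检查结果:"
  echo -e " 通过数: ${GREEN}${passed_count}${NC}"
  echo -e " 失败数: ${RED}${failed_count}${NC}"
  if [ "$failed_count" -eq 0 ]; then
    echo ""
    echo -e "合规状态: ${GREEN}PASS${NC}"
    log_info "重要目录和文件权限检查: 通过"
    return 0
  fi
  echo ""
  echo -e "合规状态: ${RED}FAIL${NC}"
  log_error "重要目录和文件权限检查: 不通过 (${failed_items[*]})"
  return 1
}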
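_perm_fix_entry() {
  # Clear from path $1 every mode bit not allowed by expected octal mode $2
  # ($3 is the kind label, e.g. "文件"). Returns 0 when a chmod succeeded,
  # 1 when it failed, 2 when nothing needed changing or the path is absent.
  # Only excess bits are removed, so a file that is already stricter than the
  # baseline is never loosened.
  local path=$1 expected=$2 kind=$3 actual target
  [ -e "$path" ] || return 2
  actual=$(stat -c "%a" "$path" 2>/dev/null)
  [[ "$actual" =~ ^[0-7]{3,4}$ ]] || return 2
  (( 8#$actual & ~8#$expected )) || return 2
  printf -v target '%03o' "$(( 8#$actual & 8#$expected ))"
  echo -n "修复 $path ($actual -> ${target})... "
  if chmod "$target" "$path" 2>/dev/null; then
    echo -e "${GREEN}成功${NC}"
    log_info "修复${kind}权限: $path -> $target"
    return 0
  fi
  echo -e "${RED}失败${NC}"
  log_error "修复失败: $path"
  return 1
}
fix_important_permissions() {
  # Bring every entry of IMPORTANT_FILES / IMPORTANT_DIRS within its baseline
  # mode, visiting entries in sorted order for a stable log. Prints a summary
  # of successes and failures; never returns non-zero.
  print_header
  echo -e "${YELLOW}执行模式: 权限修复${NC}"
  echo ""
  local fixed_count=0
  local failed_count=0
  local -a files dirs
  local path
  mapfile -t files < <(printf '%s\n' "${!IMPORTANT_FILES[@]}" | LC_ALL=C sort)
  mapfile -t dirs < <(printf '%s\n' "${!IMPORTANT_DIRS[@]}" | LC_ALL=C sort)
  echo "修复重要文件权限:"
  for path in "${files[@]}"; do
    _perm_fix_entry "$path" "${IMPORTANT_FILES[$path]}" "文件"
    case $? in
      0) (( fixed_count++ )) ;;
      1) (( failed_count++ )) ;;
    esac
  done
  echo ""
  echo "修复重要目录权限:"
  for path in "${dirs[@]}"; do
    _perm_fix_entry "$path" "${IMPORTANT_DIRS[$path]}" "目录"
    case $? in
      0) (( fixed_count++ )) ;;
      1) (( failed_count++ )) ;;
    esac
  done
  echo ""
  echo "修复完成:"
  echo -e " 修复成功数: ${GREEN}${fixed_count}${NC}"
  if [ "$failed_count" -gt 0 ]; then
    echo -e " 修复失败数: ${RED}${failed_count}${NC}"
  fi
  return 0
}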
show_usage() {
  # Usage text; $0 is expanded inside the here-document.
  cat <<EOF
用法: $0 [选项]

选项:
 --check 检查配置(默认)
 --fix 修复权限
 --auto-fix 检查并自动修复
 -h, --help 显示帮助

示例:
 $0 --check
 $0 --fix
EOF
}
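main() {
  # Entry point: require root, make sure the log directory exists, then
  # dispatch on the first argument (default --check).
  # --fix and --auto-fix behave identically here, so they share one arm.
  check_root_privilege
  local log_dir
  log_dir=$(dirname "$LOG_FILE")
  # mkdir -p is a no-op when the directory already exists.
  mkdir -p "$log_dir"
  case "${1:---check}" in
    --check)
      check_important_permissions
      ;;
    --fix|--auto-fix)
      # The report is discarded; only the exit status decides whether to fix.
      if ! check_important_permissions > /dev/null; then
        fix_important_permissions
      else
        echo -e "${GREEN}配置已合规${NC}"
      fi
      ;;
    -h|--help)
      show_usage
      exit 0
      ;;
    *)
      show_usage
      exit 1
      ;;
  esac
}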
main "$@"
#!/bin/bash
#===============================================================================
# 脚本名称: check_ip_forward.sh
# 功能描述: 检查麒麟v10系统IP数据包转发功能状态
# 使用方法: ./check_ip_forward.sh [--check|--fix|--auto-fix]
# 作者: AI生成
# 日期: 2026-03-25
# 版本: v1.0.0
#===============================================================================
# Log destination, the sysctl sources that may persist the setting, and the
# value both forwarding keys must have (0 = forwarding off).
LOG_FILE=/var/log/baseline_check_ip_forward.log
SYSCTL_CONF=/etc/sysctl.conf
SYSCTL_D_DIR=/etc/sysctl.d
EXPECTED_VALUE=0
# ANSI colour codes kept as literal backslash sequences; echo -e expands them.
RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m'
BLUE='\033[0;34m' NC='\033[0m'
log_info() {
  # Timestamped INFO line written to stdout and appended to $LOG_FILE.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '[%s] INFO: %s\n' "$stamp" "$1" | tee -a "$LOG_FILE"
}
log_error() {
  # Timestamped ERROR line written to stdout and appended to $LOG_FILE.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '[%s] ERROR: %s\n' "$stamp" "$1" | tee -a "$LOG_FILE"
}
print_header() {
  # Report banner; %b expands the colour escapes the same way echo -e does.
  local rule='============================================'
  printf '%b\n' "${BLUE}${rule}${NC}" "${BLUE} IP数据包转发功能检查报告${NC}" "${BLUE}${rule}${NC}"
  printf '检查时间: %s\n\n' "$(date '+%Y-%m-%d %H:%M:%S')"
}
check_root_privilege() {
  # Abort unless the effective uid is 0; the checks read root-only files.
  local uid
  uid=$(id -u)
  [[ "$uid" -eq 0 ]] && return 0
  echo -e "${RED}错误: 请使用root用户执行此脚本${NC}"
  exit 1
}
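_sysctl_file_sets() {
  # Return 0 when file $3 contains an uncommented "$1 = $2" line (whitespace
  # around '=' optional, nothing else on the line). Commented-out lines and
  # other values such as "10" do not match; the earlier unanchored pattern
  # accepted both.
  local key=$1 value=$2 file=$3
  [ -f "$file" ] || return 1
  grep -Eq "^[[:space:]]*${key//./\\.}[[:space:]]*=[[:space:]]*${value}[[:space:]]*$" "$file" 2>/dev/null
}
check_ip_forward() {
  # Report the running IPv4/IPv6 forwarding state and whether a persistent
  # "off" setting exists in sysctl.conf or sysctl.d. Compliance is decided by
  # the running values only; the persistence scan is informational (a later
  # sysctl.d file setting 1 would still win at boot and is not detected here).
  # Returns 0 when both running values equal EXPECTED_VALUE, 1 otherwise.
  print_header
  local ipv4_forward_value=""
  local ipv6_forward_value=""
  echo "检查当前IP转发状态:"
  ipv4_forward_value=$(sysctl -n net.ipv4.ip_forward 2>/dev/null)
  if [ -n "$ipv4_forward_value" ]; then
    echo " net.ipv4.ip_forward = $ipv4_forward_value"
  else
    echo " net.ipv4.ip_forward = (无法读取)"
  fi
  ipv6_forward_value=$(sysctl -n net.ipv6.conf.all.forwarding 2>/dev/null)
  if [ -n "$ipv6_forward_value" ]; then
    echo " net.ipv6.conf.all.forwarding = $ipv6_forward_value"
  else
    # No IPv6 stack means nothing can be forwarded over it; treat as compliant.
    echo " net.ipv6.conf.all.forwarding = (未配置或IPv6未启用)"
    ipv6_forward_value=$EXPECTED_VALUE
  fi
  echo ""
  echo "检查持久化配置:"
  local ipv4_configured=false
  local ipv6_configured=false
  local conf_file
  # Both keys are checked in every source; the earlier version never looked
  # for the IPv6 key in sysctl.conf and never reported the IPv6 result.
  for conf_file in "$SYSCTL_CONF" "$SYSCTL_D_DIR"/*.conf; do
    [ -f "$conf_file" ] || continue
    if _sysctl_file_sets net.ipv4.ip_forward 0 "$conf_file"; then
      echo -e " ${GREEN}${NC} $conf_file 已配置IPv4转发关闭"
      ipv4_configured=true
    fi
    if _sysctl_file_sets net.ipv6.conf.all.forwarding 0 "$conf_file"; then
      echo -e " ${GREEN}${NC} $conf_file 已配置IPv6转发关闭"
      ipv6_configured=true
    fi
  done
  [ "$ipv4_configured" = true ] || echo -e " ${YELLOW}!${NC} 未找到IPv4转发持久化配置"
  [ "$ipv6_configured" = true ] || echo -e " ${YELLOW}!${NC} 未找到IPv6转发持久化配置"
  echo ""
  echo "合规状态:"
  if [ "$ipv4_forward_value" = "$EXPECTED_VALUE" ] && [ "$ipv6_forward_value" = "$EXPECTED_VALUE" ]; then
    echo -e " ${GREEN}PASS${NC} - IP数据包转发功能已关闭"
    log_info "IP转发检查: 通过"
    return 0
  fi
  echo -e " ${RED}FAIL${NC} - IP数据包转发功能未关闭"
  log_error "IP转发检查: 不通过 (ipv4=$ipv4_forward_value, ipv6=$ipv6_forward_value)"
  echo ""
  echo "注意: 如果本机不需要作为路由器使用,应关闭IP转发"
  echo "如果本机需要作为路由器,可以忽略此检查"
  return 1
}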
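fix_ip_forward() {
  # Persist net.ipv4.ip_forward=0 and net.ipv6.conf.all.forwarding=0 in
  # $SYSCTL_D_DIR/99-security.conf (backing up any existing copy first) and
  # apply them to the running kernel. Disabling forwarding breaks hosts that
  # route or run container networking; the usage text already warns about it.
  # NOTE: check_kernel_params.sh --fix rewrites this same file with "cat >",
  # which discards these two lines; re-run this fix after it.
  print_header
  echo -e "${YELLOW}执行模式: 关闭IP转发${NC}"
  echo ""
  local sysctl_file="$SYSCTL_D_DIR/99-security.conf"
  local backup_file=""
  # mkdir -p is a no-op when the directory already exists.
  mkdir -p "$SYSCTL_D_DIR"
  echo -n "[1/2] 配置IP转发参数... "
  if [ -f "$sysctl_file" ]; then
    backup_file="${sysctl_file}.bak.$(date +%Y%m%d%H%M%S)"
    cp "$sysctl_file" "$backup_file" 2>/dev/null || backup_file=""
    # Drop previous settings for both keys so the appended lines are the only ones.
    sed -i -e '/^net\.ipv4\.ip_forward/d' -e '/^net\.ipv6\.conf\.all\.forwarding/d' "$sysctl_file" 2>/dev/null
  fi
  {
    echo ""
    echo "# 关闭IP数据包转发"
    echo "net.ipv4.ip_forward = 0"
    echo "net.ipv6.conf.all.forwarding = 0"
  } >> "$sysctl_file"
  echo -e "${GREEN}成功${NC}"
  echo -n "[2/2] 应用配置... "
  if sysctl -p "$sysctl_file" &>/dev/null; then
    echo -e "${GREEN}成功${NC}"
  else
    # sysctl -p fails as a whole when one key is missing (e.g. no IPv6), so
    # fall back to setting each key on its own.
    local all_ok=true
    sysctl -w net.ipv4.ip_forward=0 &>/dev/null || all_ok=false
    sysctl -w net.ipv6.conf.all.forwarding=0 &>/dev/null || all_ok=false
    if [ "$all_ok" = true ]; then
      echo -e "${GREEN}成功${NC}"
    else
      echo -e "${YELLOW}部分成功${NC}"
    fi
  fi
  log_info "配置IP转发关闭"
  echo ""
  echo "配置完成,IP数据包转发已关闭"
  echo "配置文件: $sysctl_file"
  [ -n "$backup_file" ] && echo "备份文件: $backup_file"
  return 0
}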
show_usage() {
echo "用法: $0 [选项]"
echo ""
echo "选项:"
echo " --check 检查配置(默认)"
echo " --fix 关闭IP转发"
echo " --auto-fix 检查并自动关闭"
echo " -h, --help 显示帮助"
echo ""
echo "示例:"
echo " $0 --check"
echo " $0 --fix"
echo ""
echo "注意: 如果本机作为路由器使用,不应关闭IP转发"
}
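main() {
  # Entry point: require root, make sure the log directory exists, then
  # dispatch on the first argument (default --check).
  # --fix and --auto-fix behave identically here, so they share one arm.
  check_root_privilege
  local log_dir
  log_dir=$(dirname "$LOG_FILE")
  # mkdir -p is a no-op when the directory already exists.
  mkdir -p "$log_dir"
  case "${1:---check}" in
    --check)
      check_ip_forward
      ;;
    --fix|--auto-fix)
      # The report is discarded; only the exit status decides whether to fix.
      if ! check_ip_forward > /dev/null; then
        fix_ip_forward
      else
        echo -e "${GREEN}IP转发已关闭${NC}"
      fi
      ;;
    -h|--help)
      show_usage
      exit 0
      ;;
    *)
      show_usage
      exit 1
      ;;
  esac
}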
main "$@"
#!/bin/bash
#===============================================================================
# 脚本名称: check_kernel_params.sh
# 功能描述: 检查麒麟v10系统内核安全参数配置
# 使用方法: ./check_kernel_params.sh [--check|--fix|--auto-fix]
# 作者: AI生成
# 日期: 2026-03-25
# 版本: v1.0.0
#===============================================================================
# Log destination and the sysctl sources used by the fix.
LOG_FILE=/var/log/baseline_check_kernel_params.log
SYSCTL_CONF=/etc/sysctl.conf
SYSCTL_D_DIR=/etc/sysctl.d
# ANSI colour codes kept as literal backslash sequences; echo -e expands them.
RED='\033[0;31m' GREEN='\033[0;32m' YELLOW='\033[1;33m'
BLUE='\033[0;34m' NC='\033[0m'
# Network hardening sysctls and the value each must hold (1 = on, 0 = off).
declare -A SAFE_KERNEL_PARAMS
SAFE_KERNEL_PARAMS[net.ipv4.icmp_echo_ignore_broadcasts]=1
SAFE_KERNEL_PARAMS[net.ipv4.conf.all.accept_source_route]=0
SAFE_KERNEL_PARAMS[net.ipv4.conf.default.accept_source_route]=0
SAFE_KERNEL_PARAMS[net.ipv4.conf.all.accept_redirects]=0
SAFE_KERNEL_PARAMS[net.ipv4.conf.default.accept_redirects]=0
SAFE_KERNEL_PARAMS[net.ipv4.conf.all.send_redirects]=0
SAFE_KERNEL_PARAMS[net.ipv4.conf.default.send_redirects]=0
SAFE_KERNEL_PARAMS[net.ipv4.conf.all.log_martians]=1
SAFE_KERNEL_PARAMS[net.ipv4.conf.default.log_martians]=1
SAFE_KERNEL_PARAMS[net.ipv4.icmp_ignore_bogus_error_responses]=1
SAFE_KERNEL_PARAMS[net.ipv4.tcp_syncookies]=1
SAFE_KERNEL_PARAMS[net.ipv4.conf.all.rp_filter]=1
SAFE_KERNEL_PARAMS[net.ipv4.conf.default.rp_filter]=1
log_info() {
  # Timestamped INFO line written to stdout and appended to $LOG_FILE.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '[%s] INFO: %s\n' "$stamp" "$1" | tee -a "$LOG_FILE"
}
log_error() {
  # Timestamped ERROR line written to stdout and appended to $LOG_FILE.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '[%s] ERROR: %s\n' "$stamp" "$1" | tee -a "$LOG_FILE"
}
print_header() {
  # Report banner; %b expands the colour escapes the same way echo -e does.
  local rule='============================================'
  printf '%b\n' "${BLUE}${rule}${NC}" "${BLUE} 内核安全参数检查报告${NC}" "${BLUE}${rule}${NC}"
  printf '检查时间: %s\n\n' "$(date '+%Y-%m-%d %H:%M:%S')"
}
check_root_privilege() {
  # Abort unless the effective uid is 0; the checks and fixes below read and
  # write root-owned system state.
  [ "$(id -u)" -eq 0 ] && return 0
  echo -e "${RED}错误: 请使用root用户执行此脚本${NC}"
  exit 1
}
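check_kernel_params() {
  # Compare every key in SAFE_KERNEL_PARAMS with the live value from
  # `sysctl -n`. Prints one line per parameter and a summary.
  # Returns 0 when every value matches, 1 otherwise.
  # Uses print_header, log_info and log_error from this file.
  print_header
  local passed_count=0 failed_count=0
  local failed_params=()
  local param expected_value current_value
  echo "检查内核安全参数:"
  for param in "${!SAFE_KERNEL_PARAMS[@]}"; do
    expected_value=${SAFE_KERNEL_PARAMS[$param]}
    # Declaration and assignment kept apart so sysctl's status is not masked;
    # an unknown key yields an empty value (stderr is discarded).
    current_value=$(sysctl -n "$param" 2>/dev/null)
    if [ -z "$current_value" ]; then
      echo -e " ${YELLOW}!${NC} $param: 未设置"
      failed_params+=("$param:未设置")
      failed_count=$((failed_count + 1))
    elif [ "$current_value" = "$expected_value" ]; then
      echo -e " ${GREEN}${NC} $param = $current_value"
      passed_count=$((passed_count + 1))
    else
      echo -e " ${RED}${NC} $param = $current_value (应为 $expected_value)"
      failed_params+=("$param:$current_value")
      failed_count=$((failed_count + 1))
    fi
  done
  echo ""
  echo "检查结果:"
  # -e so the colour escapes are rendered instead of printed literally.
  echo -e " 通过: ${GREEN}${passed_count}${NC}"
  echo -e " 失败: ${RED}${failed_count}${NC}"
  echo ""
  echo "合规状态:"
  if [ "$failed_count" -eq 0 ]; then
    echo -e " ${GREEN}PASS${NC} - 内核安全参数配置正确"
    log_info "内核参数检查: 通过"
    return 0
  fi
  echo -e " ${YELLOW}WARN${NC} - 部分内核参数需要优化"
  log_error "内核参数检查: ${failed_count}个参数不合规"
  echo ""
  echo "不合规参数:"
  for param in "${failed_params[@]}"; do
    echo " $param"
  done
  return 1
}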
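fix_kernel_params() {
  # Write the recommended settings to $SYSCTL_D_DIR/99-security.conf (the file
  # is rewritten from scratch) and load them with `sysctl -p`.
  # Returns 1 when the drop-in cannot be written; a sysctl failure is only
  # reported. Uses print_header and log_info from this file.
  print_header
  echo -e "${YELLOW}执行模式: 修复内核参数${NC}"
  echo ""
  local sysctl_file="$SYSCTL_D_DIR/99-security.conf"
  local fixed_count=0
  [ -d "$SYSCTL_D_DIR" ] || mkdir -p "$SYSCTL_D_DIR"
  echo -n "[1/2] 配置内核安全参数... "
  # The here-doc must stay in step with SAFE_KERNEL_PARAMS above.
  if ! cat > "$sysctl_file" << 'EOF'
# 内核安全参数配置
# 由check_kernel_params.sh脚本自动生成
# 禁止响应广播报文
net.ipv4.icmp_echo_ignore_broadcasts = 1
# 禁止源路由包
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
# 禁止ICMP重定向
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
# 禁止发送重定向
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
# 记录来源非法的IP包
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
# 忽略 bogus ICMP 错误响应
net.ipv4.icmp_ignore_bogus_error_responses = 1
# 启用SYN Cookies防护
net.ipv4.tcp_syncookies = 1
# 启用反向路径过滤
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
EOF
  then
    # Previously a failed write was still reported as success.
    echo -e "${RED}失败${NC} (无法写入 $sysctl_file)"
    return 1
  fi
  echo -e "${GREEN}成功${NC}"
  fixed_count=$((fixed_count + 1))
  echo -n "[2/2] 应用配置... "
  if sysctl -p "$sysctl_file" &>/dev/null; then
    echo -e "${GREEN}成功${NC}"
    fixed_count=$((fixed_count + 1))
    log_info "应用内核安全参数配置"
  else
    # A non-zero status is labelled partial: the file is in place and will
    # apply at next boot even if the live load rejected some keys.
    echo -e "${YELLOW}部分成功${NC}"
  fi
  echo ""
  # -e so the colour escapes are rendered instead of printed literally.
  echo -e "配置完成,已修改 ${GREEN}${fixed_count}${NC} 项配置"
  echo "配置文件: $sysctl_file"
}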
show_usage() {
  # Usage text; $0 expands to the path the script was invoked as.
  cat <<EOF
用法: $0 [选项]

选项:
 --check 检查配置(默认)
 --fix 修复配置
 --auto-fix 检查并自动修复
 -h, --help 显示帮助

示例:
 $0 --check
 $0 --fix
EOF
}
main() {
  # Entry point: require root, make sure the log directory exists, then
  # dispatch on the first argument (default --check).
  check_root_privilege
  local log_dir
  log_dir=$(dirname "$LOG_FILE")
  [ -d "$log_dir" ] || mkdir -p "$log_dir"
  case "${1:---check}" in
    --check)
      check_kernel_params
      ;;
    --fix|--auto-fix)
      # Both modes run the silent check first and only fix when it fails.
      if check_kernel_params > /dev/null; then
        echo -e "${GREEN}内核参数已优化${NC}"
      else
        fix_kernel_params
      fi
      ;;
    -h|--help)
      show_usage
      exit 0
      ;;
    *)
      show_usage
      exit 1
      ;;
  esac
}
main "$@"
#!/bin/bash
#===============================================================================
# 脚本名称: check_log_file_permissions.sh
# 功能描述: 检查麒麟v10系统日志文件权限设置
# 使用方法: ./check_log_file_permissions.sh [--check|--fix|--auto-fix]
# 作者: AI生成
# 日期: 2026-03-25
# 版本: v1.0.0
#===============================================================================
LOG_FILE="/var/log/baseline_check_log_permissions.log"  # appended to by log_info/log_error
LOG_DIR="/var/log"                                       # directory audited and chmod'ed below
# Upper bounds as octal mode strings: the check/fix functions compare file and
# directory modes against these.
MAX_LOG_PERM="640"
MAX_DIR_PERM="755"
# ANSI colour sequences kept as literal backslash escapes; rendered by `echo -e`.
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
# Log files checked individually; entries that do not exist are skipped.
IMPORTANT_LOGS=(
"/var/log/messages"
"/var/log/secure"
"/var/log/auth.log"
"/var/log/syslog"
"/var/log/kern.log"
"/var/log/cron"
"/var/log/boot.log"
)
log_info() {
  # Append one timestamped INFO line to $LOG_FILE and echo it to stdout.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '%s\n' "[${stamp}] INFO: $1" | tee -a "$LOG_FILE"
}
log_error() {
  # Append one timestamped ERROR line to $LOG_FILE and echo it to stdout.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '%s\n' "[${stamp}] ERROR: $1" | tee -a "$LOG_FILE"
}
print_header() {
  # Report banner: title between two coloured rules, then the check time.
  local rule="${BLUE}============================================${NC}"
  echo -e "$rule"
  echo -e "${BLUE} 日志文件权限检查报告${NC}"
  echo -e "$rule"
  printf '检查时间: %s\n\n' "$(date '+%Y-%m-%d %H:%M:%S')"
}
check_root_privilege() {
  # Abort unless the effective uid is 0; chmod on /var/log needs root.
  [ "$(id -u)" -eq 0 ] && return 0
  echo -e "${RED}错误: 请使用root用户执行此脚本${NC}"
  exit 1
}
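check_log_permissions() {
  # Audit log permissions: $LOG_DIR against MAX_DIR_PERM, each existing file in
  # IMPORTANT_LOGS against MAX_LOG_PERM, and every other-writable *.log file
  # below $LOG_DIR. A mode complies when it sets no rwx bit outside the mask;
  # the old decimal `-le` comparison accepted 0604 (world-readable) or 0620
  # (group-writable) against 640 because 604 < 640 numerically.
  # Returns 0 when nothing is flagged, 1 otherwise.
  # Uses print_header, log_info and log_error from this file.
  print_header
  local passed_count=0 failed_count=0
  local excessive_perms=()
  local dir_perm file_perm log_file file item path perm
  echo "检查日志目录权限:"
  dir_perm=$(stat -c "%a" "$LOG_DIR" 2>/dev/null)
  if [ -n "$dir_perm" ] && _perm_within_mask "$dir_perm" "$MAX_DIR_PERM"; then
    echo -e " ${GREEN}[PASS]${NC} $LOG_DIR 权限: $dir_perm (≤$MAX_DIR_PERM)"
    passed_count=$((passed_count + 1))
  else
    # An empty mode means stat failed; report it rather than compare "".
    echo -e " ${RED}[NG]${NC} $LOG_DIR 权限: ${dir_perm:-未知} (>$MAX_DIR_PERM)"
    excessive_perms+=("$LOG_DIR:${dir_perm:-未知}")
    failed_count=$((failed_count + 1))
  fi
  echo ""
  echo "检查重要日志文件权限:"
  for log_file in "${IMPORTANT_LOGS[@]}"; do
    [ -f "$log_file" ] || continue
    file_perm=$(stat -c "%a" "$log_file" 2>/dev/null)
    if [ -n "$file_perm" ] && _perm_within_mask "$file_perm" "$MAX_LOG_PERM"; then
      echo -e " ${GREEN}${NC} $log_file: $file_perm"
      passed_count=$((passed_count + 1))
    else
      echo -e " ${RED}${NC} $log_file: ${file_perm:-未知} (>$MAX_LOG_PERM)"
      excessive_perms+=("$log_file:${file_perm:-未知}")
      failed_count=$((failed_count + 1))
    fi
  done
  echo ""
  echo "检查其他日志文件:"
  # find selects the other-writable files itself (-perm /002), so every match
  # is a finding and none are lost to a `head -20` cut-off; -print0 keeps
  # unusual file names intact.
  while IFS= read -r -d '' file; do
    file_perm=$(stat -c "%a" "$file" 2>/dev/null)
    echo -e " ${RED}${NC} $file: $file_perm (other可写)"
    excessive_perms+=("$file:$file_perm")
    failed_count=$((failed_count + 1))
  done < <(find "$LOG_DIR" -type f -name "*.log" -perm /002 -print0 2>/dev/null)
  echo ""
  echo "检查结果:"
  # -e so the colour escapes are rendered instead of printed literally.
  echo -e " 通过: ${GREEN}${passed_count}${NC}"
  echo -e " 失败: ${RED}${failed_count}${NC}"
  if [ "$failed_count" -eq 0 ]; then
    echo ""
    echo -e "合规状态: ${GREEN}PASS${NC}"
    log_info "日志文件权限检查: 通过"
    return 0
  fi
  echo ""
  echo -e "合规状态: ${RED}FAIL${NC}"
  log_error "日志文件权限检查: $failed_count个文件权限过高"
  echo ""
  echo "权限过高的文件/目录:"
  for item in "${excessive_perms[@]}"; do
    # Split only on the last ':' so paths containing ':' keep their mode.
    path=${item%:*}
    perm=${item##*:}
    echo " $path: $perm"
  done
  echo ""
  echo "修复建议:"
  echo " chmod 640 <logfile>"
  echo " chmod 755 $LOG_DIR"
  return 1
}

# True when octal mode $1 sets no rwx bit outside octal mask $2; the setuid,
# setgid and sticky bits are ignored. Both arguments must be non-empty octal
# strings such as those printed by `stat -c %a`.
_perm_within_mask() {
  (( ((8#$1) & 0777 & ~(8#$2)) == 0 ))
}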
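fix_log_permissions() {
  # Tighten log permissions: chmod $LOG_DIR to MAX_DIR_PERM and each existing
  # IMPORTANT_LOGS file to MAX_LOG_PERM when the current mode sets bits outside
  # that mask (octal comparison, not the old decimal `-gt`), then strip
  # other-write from every *.log file below $LOG_DIR.
  # Prints counts only; does not return a failure status.
  # Uses print_header and log_info from this file.
  print_header
  echo -e "${YELLOW}执行模式: 修复日志文件权限${NC}"
  echo ""
  local fixed_count=0 failed_count=0
  local dir_perm file_perm log_file file
  echo "修复日志目录权限..."
  dir_perm=$(stat -c "%a" "$LOG_DIR" 2>/dev/null)
  if [ -n "$dir_perm" ] && ! _perm_within_mask "$dir_perm" "$MAX_DIR_PERM"; then
    echo -n " 修复 $LOG_DIR ($dir_perm -> $MAX_DIR_PERM)... "
    if chmod "$MAX_DIR_PERM" "$LOG_DIR" 2>/dev/null; then
      echo -e "${GREEN}成功${NC}"
      fixed_count=$((fixed_count + 1))
      log_info "修复日志目录权限: $LOG_DIR"
    else
      echo -e "${RED}失败${NC}"
      failed_count=$((failed_count + 1))
    fi
  fi
  echo ""
  echo "修复日志文件权限..."
  for log_file in "${IMPORTANT_LOGS[@]}"; do
    [ -f "$log_file" ] || continue
    file_perm=$(stat -c "%a" "$log_file" 2>/dev/null)
    if [ -n "$file_perm" ] && ! _perm_within_mask "$file_perm" "$MAX_LOG_PERM"; then
      echo -n " 修复 $log_file ($file_perm -> $MAX_LOG_PERM)... "
      if chmod "$MAX_LOG_PERM" "$log_file" 2>/dev/null; then
        echo -e "${GREEN}成功${NC}"
        fixed_count=$((fixed_count + 1))
        log_info "修复日志文件权限: $log_file"
      else
        echo -e "${RED}失败${NC}"
        failed_count=$((failed_count + 1))
      fi
    fi
  done
  # find already selects other-writable files (-perm /002); -print0 keeps
  # unusual file names intact.
  while IFS= read -r -d '' file; do
    echo -n " 修复 $file (移除other写权限)... "
    if chmod o-w "$file" 2>/dev/null; then
      echo -e "${GREEN}成功${NC}"
      fixed_count=$((fixed_count + 1))
    else
      echo -e "${RED}失败${NC}"
      failed_count=$((failed_count + 1))
    fi
  done < <(find "$LOG_DIR" -type f -perm /002 -name "*.log" -print0 2>/dev/null)
  echo ""
  echo "修复完成:"
  # -e so the colour escapes are rendered instead of printed literally.
  echo -e " 成功修复: ${GREEN}${fixed_count}${NC}"
  if [ "$failed_count" -gt 0 ]; then
    echo -e " 修复失败: ${RED}${failed_count}${NC}"
  fi
}

# True when octal mode $1 sets no rwx bit outside octal mask $2; the setuid,
# setgid and sticky bits are ignored. Both arguments must be non-empty octal
# strings such as those printed by `stat -c %a`.
_perm_within_mask() {
  (( ((8#$1) & 0777 & ~(8#$2)) == 0 ))
}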
show_usage() {
  # Usage text; $0 expands to the path the script was invoked as.
  cat <<EOF
用法: $0 [选项]

选项:
 --check 检查配置(默认)
 --fix 修复配置
 --auto-fix 检查并自动修复
 -h, --help 显示帮助

示例:
 $0 --check
 $0 --fix
EOF
}
main() {
  # Entry point: require root, make sure the log directory exists, then
  # dispatch on the first argument (default --check).
  check_root_privilege
  local log_dir
  log_dir=$(dirname "$LOG_FILE")
  [ -d "$log_dir" ] || mkdir -p "$log_dir"
  case "${1:---check}" in
    --check)
      check_log_permissions
      ;;
    --fix|--auto-fix)
      # Both modes run the silent check first and only fix when it fails.
      if check_log_permissions > /dev/null; then
        echo -e "${GREEN}日志文件权限已合规${NC}"
      else
        fix_log_permissions
      fi
      ;;
    -h|--help)
      show_usage
      exit 0
      ;;
    *)
      show_usage
      exit 1
      ;;
  esac
}
main "$@"
#!/bin/bash
#===============================================================================
# 脚本名称: check_ntp_sync.sh
# 功能描述: 检查麒麟v10系统NTP时间同步服务状态
# 使用方法: ./check_ntp_sync.sh [--check|--fix|--auto-fix]
# 作者: AI生成
# 日期: 2026-03-25
# 版本: v1.0.0
#===============================================================================
LOG_FILE="/var/log/baseline_check_ntp_sync.log"   # appended to by log_info/log_error
# ANSI colour sequences kept as literal backslash escapes; rendered by `echo -e`.
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
log_info() {
  # Append one timestamped INFO line to $LOG_FILE and echo it to stdout.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '%s\n' "[${stamp}] INFO: $1" | tee -a "$LOG_FILE"
}
log_error() {
  # Append one timestamped ERROR line to $LOG_FILE and echo it to stdout.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '%s\n' "[${stamp}] ERROR: $1" | tee -a "$LOG_FILE"
}
print_header() {
  # Report banner: title between two coloured rules, then the check time.
  local rule="${BLUE}============================================${NC}"
  echo -e "$rule"
  echo -e "${BLUE} NTP时间同步服务检查报告${NC}"
  echo -e "$rule"
  printf '检查时间: %s\n\n' "$(date '+%Y-%m-%d %H:%M:%S')"
}
check_root_privilege() {
  # Abort unless the effective uid is 0; service control and yum need root.
  [ "$(id -u)" -eq 0 ] && return 0
  echo -e "${RED}错误: 请使用root用户执行此脚本${NC}"
  exit 1
}
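check_ntp_sync() {
  # Report whether chronyd or ntpd is running and enabled, and show the
  # daemon's own synchronisation status. Returns 0 only when the detected
  # service is both active and enabled; the sync state is informational.
  # Uses print_header, log_info and log_error from this file.
  print_header
  local ntp_service="none" ntp_running=false ntp_enabled=false
  local time_sync_status="" tracking leap_status ref_id ntpq_output
  echo "检测NTP服务:"
  if systemctl is-active --quiet chronyd 2>/dev/null; then
    ntp_service="chronyd"
    ntp_running=true
    echo -e " ${GREEN}[PASS]${NC} chronyd服务正在运行"
  elif systemctl is-active --quiet ntpd 2>/dev/null; then
    ntp_service="ntpd"
    ntp_running=true
    echo -e " ${GREEN}[PASS]${NC} ntpd服务正在运行"
  else
    echo -e " ${RED}[NG]${NC} NTP服务未运行"
  fi
  echo ""
  echo "检查开机自启状态:"
  if [ "$ntp_service" != "none" ]; then
    if systemctl is-enabled --quiet "$ntp_service" 2>/dev/null; then
      echo -e " ${GREEN}[PASS]${NC} $ntp_service 已设置开机自启"
      ntp_enabled=true
    else
      echo -e " ${YELLOW}[WARN]${NC} $ntp_service 未设置开机自启"
    fi
  fi
  echo ""
  echo "检查时间同步状态:"
  if [ "$ntp_service" = "chronyd" ]; then
    # Assignment and status test are one expression: `local v=$(cmd); $?`
    # reported the status of `local`, so a failed chronyc was never noticed.
    if command -v chronyc &>/dev/null && tracking=$(chronyc tracking 2>/dev/null); then
      # chronyc prints "Key : Value" rows; take the text after the colon.
      # (Field 3 of a whitespace split is the ':' itself, so the old
      # `awk '{print $3}'` never produced "Normal".)
      leap_status=$(printf '%s\n' "$tracking" | awk -F': *' '/^Leap status/{print $2; exit}')
      ref_id=$(printf '%s\n' "$tracking" | awk -F': *' '/^Reference ID/{print $2; exit}')
      echo " Leap status: $leap_status"
      echo " Reference ID: $ref_id"
      if [ "$leap_status" = "Normal" ] || [ "$leap_status" = "004" ]; then
        time_sync_status="synced"
        echo -e " ${GREEN}[PASS]${NC} 时间已同步"
      else
        echo -e " ${YELLOW}[WARN]${NC} 时间同步状态: $leap_status"
      fi
    fi
  elif [ "$ntp_service" = "ntpd" ]; then
    if command -v ntpq &>/dev/null; then
      # Skip the two header lines of `ntpq -p`.
      ntpq_output=$(ntpq -p 2>/dev/null | tail -n +3)
      if [ -n "$ntpq_output" ]; then
        printf '%s\n' "$ntpq_output" | head -5
        time_sync_status="configured"
      fi
    fi
  fi
  echo ""
  echo "合规状态:"
  if [ "$ntp_running" = true ] && [ "$ntp_enabled" = true ]; then
    echo -e " ${GREEN}PASS${NC} - NTP时间同步服务已配置"
    log_info "NTP时间同步检查: 通过 ($ntp_service)"
    return 0
  fi
  echo -e " ${RED}FAIL${NC} - NTP时间同步服务未正确配置"
  log_error "NTP时间同步检查: 不通过"
  echo ""
  echo "修复建议:"
  if [ "$ntp_service" = "none" ]; then
    echo " 安装并启动chronyd:"
    echo " yum install -y chrony"
    echo " systemctl start chronyd"
    echo " systemctl enable chronyd"
  elif [ "$ntp_enabled" = false ]; then
    echo " 设置开机自启:"
    echo " systemctl enable $ntp_service"
  fi
  return 1
}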
fix_ntp_sync() {
  # Make sure a time-sync daemon is installed (chrony preferred), started and
  # enabled. Returns 1 when installation or start fails; a failed enable is
  # only reported. Uses print_header and log_info from this file.
  print_header
  echo -e "${YELLOW}执行模式: 配置NTP服务${NC}"
  echo ""
  local ntp_service=""
  if command -v chronyd &>/dev/null || rpm -q chrony &>/dev/null; then
    ntp_service="chronyd"
  elif command -v ntpd &>/dev/null || rpm -q ntp &>/dev/null; then
    ntp_service="ntpd"
  fi
  if [ -z "$ntp_service" ]; then
    echo -n "[1/3] 安装chrony... "
    if ! yum install -y chrony &>/dev/null; then
      echo -e "${RED}失败${NC}"
      return 1
    fi
    echo -e "${GREEN}成功${NC}"
    ntp_service="chronyd"
    log_info "安装chrony"
  fi
  echo -n "[2/3] 启动$ntp_service服务... "
  if systemctl is-active --quiet "$ntp_service" 2>/dev/null; then
    echo -e "${GREEN}已运行${NC}"
  elif systemctl start "$ntp_service" &>/dev/null; then
    echo -e "${GREEN}成功${NC}"
    log_info "启动$ntp_service服务"
  else
    echo -e "${RED}失败${NC}"
    return 1
  fi
  echo -n "[3/3] 设置开机自启... "
  if systemctl is-enabled --quiet "$ntp_service" 2>/dev/null; then
    echo -e "${GREEN}已设置${NC}"
  elif systemctl enable "$ntp_service" &>/dev/null; then
    echo -e "${GREEN}成功${NC}"
    log_info "设置$ntp_service开机自启"
  else
    echo -e "${YELLOW}失败${NC}"
  fi
  echo ""
  echo "配置完成,NTP服务($ntp_service)已启用"
  if [ "$ntp_service" = "chronyd" ] && command -v chronyc &>/dev/null; then
    echo ""
    echo "时间同步状态:"
    chronyc tracking 2>/dev/null | head -5
  fi
}
show_usage() {
  # Usage text; $0 expands to the path the script was invoked as.
  cat <<EOF
用法: $0 [选项]

选项:
 --check 检查配置(默认)
 --fix 修复配置
 --auto-fix 检查并自动修复
 -h, --help 显示帮助

示例:
 $0 --check
 $0 --fix
EOF
}
main() {
  # Entry point: require root, make sure the log directory exists, then
  # dispatch on the first argument (default --check).
  check_root_privilege
  local log_dir
  log_dir=$(dirname "$LOG_FILE")
  [ -d "$log_dir" ] || mkdir -p "$log_dir"
  case "${1:---check}" in
    --check)
      check_ntp_sync
      ;;
    --fix|--auto-fix)
      # Both modes run the silent check first and only fix when it fails.
      if check_ntp_sync > /dev/null; then
        echo -e "${GREEN}NTP服务已配置${NC}"
      else
        fix_ntp_sync
      fi
      ;;
    -h|--help)
      show_usage
      exit 0
      ;;
    *)
      show_usage
      exit 1
      ;;
  esac
}
main "$@"
#!/bin/bash
#===============================================================================
# 脚本名称: check_pam_su_wheel.sh
# 功能描述: 检查麒麟v10系统PAM是否配置禁止wheel组外用户su为root
# 使用方法: ./check_pam_su_wheel.sh [--check|--fix|--auto-fix]
# 作者: AI生成
# 日期: 2026-03-25
# 版本: v1.0.0
#===============================================================================
CONFIG_FILE="/etc/pam.d/su"   # PAM stack for su; read by the check, edited in place (after a backup) by the fix
LOG_FILE="/var/log/baseline_check_pam_su_wheel.log"   # appended to by log_info/log_error
# ANSI colour sequences kept as literal backslash escapes; rendered by `echo -e`.
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
log_info() {
  # Append one timestamped INFO line to $LOG_FILE and echo it to stdout.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '%s\n' "[${stamp}] INFO: $1" | tee -a "$LOG_FILE"
}
log_error() {
  # Append one timestamped ERROR line to $LOG_FILE and echo it to stdout.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '%s\n' "[${stamp}] ERROR: $1" | tee -a "$LOG_FILE"
}
print_header() {
  # Report banner: title between two coloured rules, then time and config path.
  local rule="${BLUE}============================================${NC}"
  echo -e "$rule"
  echo -e "${BLUE} PAM SU Wheel组检查报告${NC}"
  echo -e "$rule"
  printf '检查时间: %s\n配置文件: %s\n\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$CONFIG_FILE"
}
check_root_privilege() {
  # Abort unless the effective uid is 0; /etc/pam.d is root-writable only.
  [ "$(id -u)" -eq 0 ] && return 0
  echo -e "${RED}错误: 请使用root用户执行此脚本${NC}"
  exit 1
}
check_pam_su_wheel() {
print_header
local pam_wheel_configured=false
local wheel_group_exists=false
local wheel_members=()
# 检查wheel组是否存在
echo "检查wheel组状态:"
if getent group wheel > /dev/null 2>&1; then
echo -e " ${GREEN}[PASS]${NC} wheel组存在"
wheel_group_exists=true
# 获取wheel组成员
local members=$(getent group wheel | cut -d: -f4)
if [ -n "$members" ]; then
echo " 成员列表: $members"
IFS=',' read -ra wheel_members <<< "$members"
else
echo -e " ${YELLOW}[WARN]${NC} wheel组没有成员"
fi
else
echo -e " ${RED}[NG]${NC} wheel组不存在"
fi
# 检查PAM su配置
echo ""
echo "检查PAM su配置:"
# 检查是否配置了pam_wheel.so
if grep -q "pam_wheel.so" "$CONFIG_FILE" 2>/dev/null; then
# 检查配置是否被注释
local pam_wheel_line=$(grep "pam_wheel.so" "$CONFIG_FILE" | grep -v "^#" | head -1)
if [ -n "$pam_wheel_line" ]; then
echo -e " ${GREEN}[PASS]${NC} 已配置pam_wheel.so"
echo " 配置行: $pam_wheel_line"
pam_wheel_configured=true
else
echo -e " ${YELLOW}[WARN]${NC} pam_wheel.so配置被注释"
local commented_line=$(grep "pam_wheel.so" "$CONFIG_FILE" | head -1)
echo " 注释行: $commented_line"
fi
else
echo -e " ${RED}[NG]${NC} 未配置pam_wheel.so"
fi
# 判断合规状态
echo ""
echo "合规状态:"
if [ "$pam_wheel_configured" = true ] && [ "$wheel_group_exists" = true ]; then
if [ ${#wheel_members[@]} -eq 0 ]; then
echo -e " ${YELLOW}WARN${NC} - PAM配置正确但wheel组无成员"
log_info "PAM SU Wheel检查: 通过但wheel组无成员"
else
echo -e " ${GREEN}PASS${NC} - PAM wheel组限制已配置"
log_info "PAM SU Wheel检查: 通过"
fi
return 0
else
echo -e " ${RED}FAIL${NC} - PAM wheel组限制未正确配置"
log_error "PAM SU Wheel检查: 不通过"
echo ""
echo "修复建议:"
echo " 修改 $CONFIG_FILE"
echo " 添加: auth required pam_wheel.so trust use_uid"
echo " 添加用户到wheel组: usermod -G wheel username"
return 1
fi
}
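fix_pam_su_wheel() {
  # Back up $CONFIG_FILE, make sure the wheel group exists, then ensure an
  # uncommented "auth required pam_wheel.so" line is present: an existing
  # commented required/requisite line is uncommented, otherwise one is
  # appended. Only required/requisite lines are uncommented — the old sed also
  # uncommented "#auth sufficient pam_wheel.so trust use_uid", which grants
  # wheel members password-less su instead of restricting anyone.
  # Returns 1 when the backup or group creation fails.
  # NOTE(review): the appended line keeps the author's "trust" option; trust
  # skips the password prompt for wheel members only when the line precedes
  # the password-asking modules — confirm the intended policy on the target.
  # Uses print_header and log_info from this file.
  print_header
  echo -e "${YELLOW}执行模式: 配置修复${NC}"
  echo ""
  local backup_file="${CONFIG_FILE}.bak.$(date +%Y%m%d%H%M%S)"
  local fixed_count=0
  local active_re='^[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+([^[:space:]]*/)?pam_wheel\.so'
  local commented_re='^[[:space:]]*#[[:space:]]*auth[[:space:]]+(required|requisite)[[:space:]]+([^[:space:]]*/)?pam_wheel\.so'
  echo -n "[1/3] 备份配置文件... "
  # -p keeps the owner/mode of the PAM file on the copy.
  if ! cp -p "$CONFIG_FILE" "$backup_file"; then
    echo -e "${RED}失败${NC} (无法备份 $CONFIG_FILE)"
    return 1
  fi
  echo -e "${GREEN}成功${NC}"
  echo -n "[2/3] 确保wheel组存在... "
  if getent group wheel > /dev/null 2>&1; then
    echo -e "${GREEN}已存在${NC}"
  elif groupadd wheel 2>/dev/null; then
    echo -e "${GREEN}成功${NC}"
    fixed_count=$((fixed_count + 1))
    log_info "创建wheel组"
  else
    echo -e "${RED}失败${NC}"
    return 1
  fi
  echo -n "[3/3] 配置PAM wheel限制... "
  if grep -Eq "$active_re" "$CONFIG_FILE"; then
    echo -e "${GREEN}已配置${NC}"
  elif grep -Eq "$commented_re" "$CONFIG_FILE"; then
    sed -i -E 's/^[[:space:]]*#[[:space:]]*(auth[[:space:]]+(required|requisite)[[:space:]]+[^[:space:]]*pam_wheel\.so.*)/\1/' "$CONFIG_FILE"
    echo -e "${GREEN}成功${NC} (取消注释)"
    fixed_count=$((fixed_count + 1))
    log_info "取消pam_wheel.so注释"
  else
    {
      echo ""
      echo "# 限制只有wheel组用户可以su到root"
      echo "auth required pam_wheel.so trust use_uid"
    } >> "$CONFIG_FILE"
    echo -e "${GREEN}成功${NC} (添加配置)"
    fixed_count=$((fixed_count + 1))
    log_info "添加pam_wheel.so配置"
  fi
  echo ""
  echo "wheel组成员:"
  local members
  members=$(getent group wheel | cut -d: -f4)
  if [ -n "$members" ]; then
    echo " $members"
  else
    echo -e " ${YELLOW}(wheel组当前没有成员)${NC}"
    echo ""
    echo "添加用户到wheel组的命令:"
    echo " usermod -G wheel username"
    echo " 或"
    echo " gpasswd -a username wheel"
  fi
  echo ""
  echo "配置完成,只有wheel组成员可以su到root"
  echo "备份文件: $backup_file"
}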
show_usage() {
  # Usage text; $0 expands to the path the script was invoked as.
  cat <<EOF
用法: $0 [选项]

选项:
 --check 检查配置(默认)
 --fix 修复配置
 --auto-fix 检查并自动修复
 -h, --help 显示帮助

示例:
 $0 --check
 $0 --fix

添加用户到wheel组:
 usermod -G wheel username
 gpasswd -a username wheel
EOF
}
main() {
  # Entry point: require root, make sure the log directory exists, then
  # dispatch on the first argument (default --check).
  check_root_privilege
  local log_dir
  log_dir=$(dirname "$LOG_FILE")
  [ -d "$log_dir" ] || mkdir -p "$log_dir"
  case "${1:---check}" in
    --check)
      check_pam_su_wheel
      ;;
    --fix|--auto-fix)
      # Both modes run the silent check first and only fix when it fails.
      if check_pam_su_wheel > /dev/null; then
        echo -e "${GREEN}配置已合规${NC}"
      else
        fix_pam_su_wheel
      fi
      ;;
    -h|--help)
      show_usage
      exit 0
      ;;
    *)
      show_usage
      exit 1
      ;;
  esac
}
main "$@"
#!/bin/bash
#===============================================================================
# 脚本名称: check_password_complexity.sh
# 功能描述: 检查和配置麒麟v10系统设备密码复杂度策略
# 使用方法: ./check_password_complexity.sh [--check|--fix|--auto-fix]
# 作者: AI生成
# 日期: 2026-03-25
# 版本: v1.0.0
#===============================================================================
#-------------------------------------------------------------------------------
# 配置参数
#-------------------------------------------------------------------------------
CONFIG_FILE="/etc/pam.d/system-auth"                   # PAM stack inspected and edited in place
BACKUP_DIR="/etc/pam.d/backup"                         # backup_config copies CONFIG_FILE here
LOG_FILE="/var/log/baseline_check_password_complexity.log"   # appended to by log_info/log_error
TIMESTAMP=$(date +%Y%m%d%H%M%S)                        # fixed at load time; suffix of the backup name
# Password complexity options written by fix_config (at least three classes
# must be configured for check_current_config to pass). In the
# pam_cracklib/pam_pwquality credit syntax a negative value is a minimum count
# of that character class; ocredit (special characters) is not required here.
CONFIG_OPTION="ucredit=-1 lcredit=-1 dcredit=-1"
# ANSI colour sequences kept as literal backslash escapes; rendered by `echo -e`.
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
#-------------------------------------------------------------------------------
# 日志函数
#-------------------------------------------------------------------------------
log_info() {
  # Append one timestamped INFO line to $LOG_FILE and echo it to stdout.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '%s\n' "[${stamp}] INFO: $1" | tee -a "$LOG_FILE"
}
log_error() {
  # Append one timestamped ERROR line to $LOG_FILE and echo it to stdout.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '%s\n' "[${stamp}] ERROR: $1" | tee -a "$LOG_FILE"
}
print_header() {
  # Report banner: title between two coloured rules, then time and config path.
  local rule="${BLUE}============================================${NC}"
  echo -e "$rule"
  echo -e "${BLUE} 密码复杂度策略检查报告${NC}"
  echo -e "$rule"
  printf '检查时间: %s\n配置文件: %s\n\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$CONFIG_FILE"
}
check_root_privilege() {
  # Abort unless the effective uid is 0; /etc/pam.d is root-writable only.
  [ "$(id -u)" -eq 0 ] && return 0
  echo -e "${RED}错误: 请使用root用户执行此脚本${NC}"
  exit 1
}
#-------------------------------------------------------------------------------
# 检查当前密码复杂度配置
#-------------------------------------------------------------------------------
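check_current_config() {
  # Inspect the uncommented "password" line(s) that load pam_cracklib or
  # pam_pwquality in $CONFIG_FILE and count how many of ucredit/lcredit/
  # dcredit/ocredit are set to -1. Returns 0 when at least three are, 1 when
  # fewer are set or no module line is found.
  # NOTE(review): pam_pwquality can also read these settings from
  # /etc/security/pwquality.conf, which this check does not consult —
  # confirm whether the target relies on that file.
  # Uses print_header, log_info and log_error from this file.
  print_header
  local count=0 config_line param value desc
  # Comment filter tolerates leading whitespace before '#'.
  config_line=$(grep -E "pam_cracklib|pam_pwquality" "$CONFIG_FILE" 2>/dev/null | grep "password" | grep -v '^[[:space:]]*#')
  if [ -z "$config_line" ]; then
    echo -e "${RED}[NG]${NC} 未找到密码复杂度模块配置"
    log_error "未找到密码复杂度模块配置"
    return 1
  fi
  echo -e "${BLUE}检测到配置行:${NC} $config_line"
  echo ""
  echo "各项配置状态:"
  echo "-------------------------------------------"
  for param in ucredit lcredit dcredit ocredit; do
    # -oE rather than -oP so the check does not need a PCRE-enabled grep;
    # the first occurrence wins when several lines match.
    value=$(printf '%s\n' "$config_line" | grep -oE "${param}=-?[0-9]+" | head -1 | cut -d= -f2)
    case $param in
      ucredit) desc="大写字母" ;;
      lcredit) desc="小写字母" ;;
      dcredit) desc="数字" ;;
      ocredit) desc="特殊字符" ;;
    esac
    if [ "$value" = "-1" ]; then
      echo -e " ${GREEN}[OK]${NC} ${param} (${desc}): $value"
      count=$((count + 1))
    elif [ -n "$value" ]; then
      echo -e " ${YELLOW}[WARN]${NC} ${param} (${desc}): $value (期望值为-1)"
    else
      echo -e " ${RED}[NG]${NC} ${param} (${desc}): 未配置"
    fi
  done
  echo ""
  if [ "$count" -ge 3 ]; then
    echo -e "合规状态: ${GREEN}PASS${NC} (已配置${count}项)"
    log_info "密码复杂度检查: 通过 (已配置${count}项)"
    return 0
  fi
  echo -e "合规状态: ${RED}FAIL${NC} (仅配置${count}项,至少需要3项)"
  log_error "密码复杂度检查: 不通过 (仅配置${count}项)"
  return 1
}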
#-------------------------------------------------------------------------------
# 备份配置文件
#-------------------------------------------------------------------------------
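backup_config() {
  # Copy $CONFIG_FILE to $BACKUP_DIR/system-auth.bak.$TIMESTAMP and print the
  # backup path on stdout; callers capture it with $(backup_config).
  # The log lines go to stderr: log_info tees to stdout, so previously the
  # captured "path" also contained the INFO line.
  # Returns 0 on success, 1 when the directory or the copy cannot be made.
  # Uses log_info and log_error from this file.
  local backup_file="${BACKUP_DIR}/system-auth.bak.${TIMESTAMP}"
  if [ ! -d "$BACKUP_DIR" ] && ! mkdir -p "$BACKUP_DIR"; then
    log_error "无法创建备份目录: $BACKUP_DIR" >&2
    return 1
  fi
  # -p keeps the owner/mode of the PAM file on the copy.
  if cp -p "$CONFIG_FILE" "$backup_file"; then
    log_info "配置文件已备份: $backup_file" >&2
    printf '%s\n' "$backup_file"
    return 0
  fi
  log_error "备份失败" >&2
  return 1
}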
#-------------------------------------------------------------------------------
# 修复配置
#-------------------------------------------------------------------------------
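fix_config() {
  # Back up $CONFIG_FILE, then put CONFIG_OPTION on the "password" line that
  # loads pam_pwquality (or pam_cracklib), appending a pam_cracklib line when
  # neither module is present, and re-run check_current_config to verify.
  # The old sed matched "^password requisite <first field>" — i.e. the word
  # "password" twice — so it never changed anything while still reporting
  # success; and its ".*" would have discarded options such as retry=.
  # Returns 1 when the backup fails or the verification still fails.
  # NOTE(review): the fallback appends pam_cracklib.so as before; if the
  # target only ships pam_pwquality, confirm that module exists first.
  # Uses print_header, check_current_config, backup_config, log_info.
  print_header
  echo -e "${YELLOW}执行模式: 配置修复${NC}"
  echo ""
  local backup_file module module_re
  echo -n "[1/5] 检查当前配置... "
  check_current_config > /dev/null
  echo -e "${BLUE}完成${NC}"
  echo -n "[2/5] 备份配置文件... "
  if ! backup_file=$(backup_config 2>/dev/null); then
    echo -e "${RED}失败${NC}"
    return 1
  fi
  echo -e "${GREEN}成功${NC}"
  echo -n "[3/5] 修改配置文件... "
  if grep -q "pam_pwquality.so" "$CONFIG_FILE"; then
    module="pam_pwquality.so"
  elif grep -q "pam_cracklib.so" "$CONFIG_FILE"; then
    module="pam_cracklib.so"
  else
    module=""
  fi
  if [ -n "$module" ]; then
    module_re=${module//./\\.}
    # On every uncommented "password <control> [path/]<module>" line: drop
    # existing [uld]credit tokens, then append CONFIG_OPTION. Other options
    # (retry=, try_first_pass, ...) are kept. CONFIG_OPTION is a script
    # constant, not user input, so splicing it into the sed program is safe.
    sed -i -E "/^[[:space:]]*password[[:space:]]+[a-z]+[[:space:]]+([^[:space:]]*\/)?${module_re}/{s/[[:space:]]+[uld]credit=-?[0-9]+//g;s/\$/ ${CONFIG_OPTION}/;}" "$CONFIG_FILE"
  else
    echo "password requisite pam_cracklib.so ${CONFIG_OPTION}" >> "$CONFIG_FILE"
  fi
  echo -e "${GREEN}成功${NC}"
  echo -n "[4/5] 验证配置... "
  # A real re-check replaces the former `sleep 1` placeholder.
  if ! check_current_config > /dev/null; then
    echo -e "${RED}失败${NC}"
    echo "备份文件: $backup_file"
    return 1
  fi
  echo -e "${GREEN}完成${NC}"
  echo -n "[5/5] 生成报告... "
  echo -e "${GREEN}完成${NC}"
  echo ""
  # -e so the colour escapes are rendered instead of printed literally.
  echo -e "修复结果: ${GREEN}成功${NC}"
  echo "备份文件: $backup_file"
  echo "配置参数: ${CONFIG_OPTION}"
  log_info "密码复杂度配置已修复"
}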
#-------------------------------------------------------------------------------
# 回滚配置
#-------------------------------------------------------------------------------
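rollback_config() {
  # Restore the newest $BACKUP_DIR/system-auth.bak.* over $CONFIG_FILE after
  # a y/n confirmation read from stdin. The timestamp suffix is fixed-width,
  # so the last entry of the sorted glob is the newest backup — no need to
  # parse `ls -t` output. Returns 1 when no backup exists or the copy fails;
  # declining the prompt returns 0.
  echo -e "${BLUE}===== 密码复杂度策略回滚 =====${NC}"
  local backups=("$BACKUP_DIR"/system-auth.bak.*)
  # With no match the glob stays literal, which -e then rejects.
  local latest_backup="${backups[${#backups[@]}-1]}"
  local confirm
  if [ ! -e "$latest_backup" ]; then
    echo "未找到备份文件"
    return 1
  fi
  echo "可用的备份文件:"
  ls -lt "${backups[@]}" 2>/dev/null | head -5
  echo ""
  echo -e "${YELLOW}确认恢复备份文件: $latest_backup ? (y/n): ${NC}"
  read -r confirm
  if [ "$confirm" = "y" ]; then
    if cp -p "$latest_backup" "$CONFIG_FILE"; then
      echo "回滚完成"
    else
      echo "回滚失败: 无法写入 $CONFIG_FILE"
      return 1
    fi
  else
    echo "取消回滚"
  fi
}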
#-------------------------------------------------------------------------------
# 显示帮助
#-------------------------------------------------------------------------------
show_usage() {
  # Usage text; $0 and the configuration variables expand in the here-doc.
  cat <<EOF
用法: $0 [选项]

选项:
 --check 检查密码复杂度配置(默认)
 --fix 修复密码复杂度配置
 --auto-fix 检查并自动修复配置
 --rollback 回滚到备份配置
 -h, --help 显示此帮助信息

示例:
 $0 --check # 检查配置
 $0 --fix # 修复配置
 $0 --auto-fix # 检查并自动修复

配置参数: ${CONFIG_OPTION}
配置文件: $CONFIG_FILE
日志文件: $LOG_FILE
EOF
}
#-------------------------------------------------------------------------------
# 主函数
#-------------------------------------------------------------------------------
main() {
  # Entry point: require root, make sure the log directory exists, then
  # dispatch on the first argument (default --check).
  check_root_privilege
  local log_dir
  log_dir=$(dirname "$LOG_FILE")
  [ -d "$log_dir" ] || mkdir -p "$log_dir"
  case "${1:---check}" in
    --check)
      check_current_config
      ;;
    --fix)
      fix_config
      ;;
    --auto-fix)
      local rule="${BLUE}============================================${NC}"
      echo -e "$rule"
      echo -e "${BLUE} 自动修复模式${NC}"
      echo -e "$rule"
      echo ""
      # Silent check first; only fix when it fails.
      if check_current_config > /dev/null; then
        echo -e "${GREEN}配置已合规,无需修复${NC}"
      else
        echo -e "${YELLOW}检测到配置不合规,正在自动修复...${NC}"
        echo ""
        fix_config
      fi
      ;;
    --rollback)
      rollback_config
      ;;
    -h|--help)
      show_usage
      exit 0
      ;;
    *)
      echo -e "${RED}错误: 未知参数 '$1'${NC}"
      echo ""
      show_usage
      exit 1
      ;;
  esac
}
main "$@"
#!/bin/bash
#===============================================================================
# 脚本名称: check_password_history.sh
# 功能描述: 检查和配置麒麟v10系统密码重复使用次数限制
# 使用方法: ./check_password_history.sh [--check|--fix|--auto-fix] [count]
# 作者: AI生成
# 日期: 2026-03-25
# 版本: v1.0.0
#===============================================================================
CONFIG_FILE="/etc/pam.d/system-auth"   # PAM stack inspected and edited in place
EXPECTED_VALUE=5                        # minimum remember= value accepted by check_history; default for --fix
LOG_FILE="/var/log/baseline_check_password_history.log"   # appended to by log_info/log_error
# ANSI colour sequences kept as literal backslash escapes; rendered by `echo -e`.
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
log_info() {
  # Append one timestamped INFO line to $LOG_FILE and echo it to stdout.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '%s\n' "[${stamp}] INFO: $1" | tee -a "$LOG_FILE"
}
log_error() {
  # Append one timestamped ERROR line to $LOG_FILE and echo it to stdout.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '%s\n' "[${stamp}] ERROR: $1" | tee -a "$LOG_FILE"
}
print_header() {
  # Report banner: title between two coloured rules, then time and config path.
  local rule="${BLUE}============================================${NC}"
  echo -e "$rule"
  echo -e "${BLUE} 密码重复使用次数限制检查报告${NC}"
  echo -e "$rule"
  printf '检查时间: %s\n配置文件: %s\n\n' "$(date '+%Y-%m-%d %H:%M:%S')" "$CONFIG_FILE"
}
check_root_privilege() {
  # Abort unless the effective uid is 0; /etc/pam.d is root-writable only.
  [ "$(id -u)" -eq 0 ] && return 0
  echo -e "${RED}错误: 请使用root用户执行此脚本${NC}"
  exit 1
}
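check_history() {
  # Read the remember= value from the uncommented "password" line that loads
  # pam_pwhistory.so or pam_unix.so in $CONFIG_FILE and compare it with
  # EXPECTED_VALUE. Returns 0 when remember >= EXPECTED_VALUE, 1 when it is
  # lower or not configured.
  # The old lookup piped the extracted digits into a second grep for the
  # module names, which can never match, so a remember= set on the
  # pam_pwhistory line was reported as "not configured"; it also accepted
  # commented-out lines. Uses print_header, log_info and log_error.
  print_header
  local module_lines current_value
  module_lines=$(grep -E '^[[:space:]]*password[[:space:]]' "$CONFIG_FILE" 2>/dev/null | grep -E 'pam_pwhistory\.so|pam_unix\.so')
  # First remember= on those lines wins; -oE keeps this PCRE-free.
  current_value=$(printf '%s\n' "$module_lines" | grep -oE 'remember=[0-9]+' | head -1 | cut -d= -f2)
  echo "当前配置:"
  if [ -z "$current_value" ]; then
    echo -e " ${RED}[NG]${NC} 未配置密码历史记录功能"
    log_error "密码历史记录功能未配置"
    return 1
  fi
  echo -e " remember: ${current_value}"
  echo ""
  echo "推荐值: ${EXPECTED_VALUE} (记住最近${EXPECTED_VALUE}次密码)"
  if [ "$current_value" -ge "$EXPECTED_VALUE" ]; then
    echo ""
    echo -e "合规状态: ${GREEN}PASS${NC}"
    log_info "密码历史记录检查: 通过 (remember=${current_value})"
    return 0
  fi
  echo ""
  echo -e "合规状态: ${RED}FAIL${NC} (小于${EXPECTED_VALUE})"
  log_error "密码历史记录检查: 不通过 (remember=${current_value})"
  return 1
}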
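fix_history() {
  # Set remember=<count> (default EXPECTED_VALUE) on the uncommented
  # "password" line that loads pam_pwhistory.so, else pam_unix.so, else append
  # a pam_pwhistory line; then verify by re-reading the file.
  # Arguments: $1 - number of previous passwords to remember (optional).
  # Returns 1 when count is not a non-negative integer, the backup fails or
  # the verification fails. Uses print_header and log_info.
  # Previously the sed rewrote every "remember=" in the file, comments
  # included, and a value on some other line prevented one being added to
  # the module line that needed it.
  local count="${1:-$EXPECTED_VALUE}"
  # count comes from the command line and is spliced into a sed program, so
  # accept digits only.
  if ! [[ "$count" =~ ^[0-9]+$ ]]; then
    echo -e "${RED}错误: 次数必须为非负整数: $count${NC}"
    return 1
  fi
  print_header
  echo -e "${YELLOW}执行模式: 配置修复${NC}"
  echo "设置次数: $count"
  echo ""
  local backup_file="${CONFIG_FILE}.bak.$(date +%Y%m%d%H%M%S)"
  local module_re new_value
  echo -n "[1/3] 备份配置文件... "
  if ! cp -p "$CONFIG_FILE" "$backup_file"; then
    echo -e "${RED}失败${NC}"
    return 1
  fi
  echo -e "${GREEN}成功${NC}"
  echo -n "[2/3] 修改配置文件... "
  if grep -Eq '^[[:space:]]*password[[:space:]].*pam_pwhistory\.so' "$CONFIG_FILE"; then
    module_re='pam_pwhistory\.so'
  elif grep -Eq '^[[:space:]]*password[[:space:]].*pam_unix\.so' "$CONFIG_FILE"; then
    module_re='pam_unix\.so'
  else
    module_re=""
  fi
  if [ -n "$module_re" ]; then
    # Only the module's own password line(s): replace an existing value,
    # otherwise append one.
    sed -i -E "/^[[:space:]]*password[[:space:]].*${module_re}/s/remember=[0-9]+/remember=${count}/" "$CONFIG_FILE"
    sed -i -E "/^[[:space:]]*password[[:space:]].*${module_re}/{/remember=/!s/\$/ remember=${count}/;}" "$CONFIG_FILE"
  else
    echo "password required pam_pwhistory.so remember=${count}" >> "$CONFIG_FILE"
  fi
  echo -e "${GREEN}成功${NC}"
  echo -n "[3/3] 验证配置... "
  new_value=$(grep -E '^[[:space:]]*password[[:space:]]' "$CONFIG_FILE" | grep -oE 'remember=[0-9]+' | head -1 | cut -d= -f2)
  if [ -n "$new_value" ] && [ "$new_value" -ge "$count" ]; then
    echo -e "${GREEN}通过${NC}"
    echo ""
    echo -e "配置完成,记住最近密码次数: ${GREEN}${new_value}${NC}"
    log_info "密码历史记录已配置为 remember=${new_value}"
  else
    echo -e "${RED}失败${NC}"
    echo "备份文件: $backup_file"
    return 1
  fi
  echo ""
  echo "备份文件: $backup_file"
}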
show_usage() {
  # Usage text; $0 expands to the path the script was invoked as.
  cat <<EOF
用法: $0 [选项] [次数]

选项:
 --check 检查配置(默认)
 --fix [count] 修复配置(默认5次)
 --auto-fix 检查并自动修复
 -h, --help 显示帮助

示例:
 $0 --check
 $0 --fix 5
EOF
}
main() {
  # Entry point: require root, make sure the log directory exists, then
  # dispatch on the first argument (default --check). $2 is the optional
  # remember count handed to fix_history.
  check_root_privilege
  local log_dir
  log_dir=$(dirname "$LOG_FILE")
  [ -d "$log_dir" ] || mkdir -p "$log_dir"
  case "${1:---check}" in
    --check)
      check_history
      ;;
    --fix)
      # Verbose check; fix only when it fails.
      check_history || fix_history "$2"
      ;;
    --auto-fix)
      # Silent check; report compliance or fix.
      if check_history > /dev/null; then
        echo -e "${GREEN}配置已合规${NC}"
      else
        fix_history "$2"
      fi
      ;;
    -h|--help)
      show_usage
      exit 0
      ;;
    *)
      show_usage
      exit 1
      ;;
  esac
}
main "$@"
#!/bin/bash
#===============================================================================
# 脚本名称: check_uid_zero.sh
# 功能描述: 检查麒麟v10系统是否存在除root之外UID为0的用户
# 使用方法: ./check_uid_zero.sh
# 作者: AI生成
# 日期: 2026-03-25
# 版本: v1.0.0
#===============================================================================
LOG_FILE="/var/log/baseline_check_uid_zero.log"   # appended to by log_info/log_error
# ANSI colour sequences kept as literal backslash escapes; rendered by `echo -e`.
RED='\033[0;31m'
GREEN='\033[0;32m'
YELLOW='\033[1;33m'
BLUE='\033[0;34m'
NC='\033[0m'
log_info() {
  # Append one timestamped INFO line to $LOG_FILE and echo it to stdout.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '%s\n' "[${stamp}] INFO: $1" | tee -a "$LOG_FILE"
}
log_error() {
  # Append one timestamped ERROR line to $LOG_FILE and echo it to stdout.
  local stamp
  stamp=$(date '+%Y-%m-%d %H:%M:%S')
  printf '%s\n' "[${stamp}] ERROR: $1" | tee -a "$LOG_FILE"
}
print_header() {
  # Report banner: title between two coloured rules, then the check time.
  local rule="${BLUE}============================================${NC}"
  echo -e "$rule"
  echo -e "${BLUE} UID为0的用户检查报告${NC}"
  echo -e "$rule"
  printf '检查时间: %s\n\n' "$(date '+%Y-%m-%d %H:%M:%S')"
}
check_root_privilege() {
  # Abort unless the effective uid is 0 (the log file lives under /var/log).
  [ "$(id -u)" -eq 0 ] && return 0
  echo -e "${RED}错误: 请使用root用户执行此脚本${NC}"
  exit 1
}
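check_uid_zero() {
  # List every account with UID 0 other than root, reading the passwd file
  # given as $1 (default /etc/passwd; the parameter exists so the check can
  # be run against a copy). Blank or malformed records are skipped instead of
  # tripping the numeric comparison. Returns 0 when only root has UID 0,
  # 1 otherwise. Uses print_header, log_info and log_error from this file.
  local passwd_file="${1:-/etc/passwd}"
  print_header
  local uid_zero_users=()
  local root_exists=false
  local username _pw uid gid gecos _home _shell user_info user desc
  while IFS=: read -r username _pw uid gid gecos _home _shell; do
    [[ "$uid" =~ ^[0-9]+$ ]] || continue
    [ "$uid" -eq 0 ] || continue
    if [ "$username" = "root" ]; then
      root_exists=true
    else
      # gecos cannot contain ':' in passwd(5), so this stays splittable.
      uid_zero_users+=("$username:$gid:$gecos")
    fi
  done < "$passwd_file"
  echo "检查结果:"
  echo " root用户存在: $root_exists"
  if [ ${#uid_zero_users[@]} -eq 0 ]; then
    echo ""
    echo -e " ${GREEN}[PASS]${NC} 不存在除root外的UID为0的用户"
    log_info "UID为0的用户检查: 通过"
    echo ""
    echo -e "合规状态: ${GREEN}PASS${NC}"
    return 0
  fi
  echo ""
  echo -e " ${RED}[NG]${NC} 发现 ${#uid_zero_users[@]} 个除root外的UID为0的用户"
  echo ""
  echo "异常用户列表:"
  echo " 用户名:GID:描述"
  for user_info in "${uid_zero_users[@]}"; do
    IFS=: read -r user gid desc <<< "$user_info"
    echo -e " ${RED}${NC} $user:$gid:$desc"
  done
  log_error "发现除root外的UID为0的用户"
  echo ""
  echo -e "合规状态: ${RED}FAIL${NC}"
  echo ""
  echo "修复建议:"
  echo " 修改用户UID: usermod -u 新UID username"
  echo " 或删除异常用户: userdel username"
  return 1
}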
show_usage() {
  # Usage text; $0 expands to the path the script was invoked as.
  cat <<EOF
用法: $0 [选项]

选项:
 -h, --help 显示帮助

功能:
 检查系统中是否存在除root外的UID为0的用户

修复方法:
 usermod -u 1000 username # 修改用户UID
 userdel username # 删除用户
EOF
}
main() {
  # Entry point: require root, make sure the log directory exists, then run
  # the check unless help was requested.
  check_root_privilege
  local log_dir
  log_dir=$(dirname "$LOG_FILE")
  [ -d "$log_dir" ] || mkdir -p "$log_dir"
  case "${1:---check}" in
    -h|--help)
      show_usage
      exit 0
      ;;
    *)
      check_uid_zero
      ;;
  esac
}
main "$@"