Everyone: if you want an assessment command checklist for a particular network device, operating system, database or middleware, leave a comment and I will put one together and publish it as quickly as I can.
Based on the Level 3 "Secure Computing Environment" clauses of GB/T 22239-2019 Information Security Technology: Baseline for Classified Protection of Cybersecurity, combined with the official Fedora Linux 38/39/40 security guides, the CIS Fedora Benchmark and the field practice of several assessment organizations, this is a directly usable assessment command checklist.
Verified on Fedora Linux 38 / 39 / 40 (Workstation/Server/Silverblue); covers RPM-OSTree, traditional RPM and IoT deployment modes.
I. Identity Authentication (8.1.4.1)
1.1 Account uniqueness and password policy
| Control item | Assessment command | Pass criterion |
|---|---|---|
| Empty password check | `awk -F: '$2==""{print $1}' /etc/shadow` | No output |
| Password-locked accounts | `awk -F: '$2~"^!"{print $1}' /etc/shadow` | Verify the reason for each lock |
| Password validity period | `chage -l username` / `grep -E 'PASS_MAX_DAYS\|PASS_MIN_DAYS\|PASS_WARN_AGE' /etc/login.defs` | ≤90 days maximum, ≥1 day minimum, ≥7 days warning |
| Password complexity | `cat /etc/security/pwquality.conf` / `authselect current` | pam_pwquality enabled, minlen=8, minclass=3 |
| Password history | `grep 'remember' /etc/pam.d/system-auth /etc/pam.d/password-auth` | remember≥12 |
Fedora-specific configuration:
```bash
# Fedora manages PAM configuration with authselect (same as RHEL/Rocky, but the default profile is stricter)
# Show the current authselect profile
authselect current
authselect list
# Show the detailed PAM configuration
cat /etc/authselect/system-auth | head -20
# Show the password policy (Fedora enables a strict policy by default)
cat /etc/security/pwquality.conf | grep -v '^#' | grep -v '^$'
# Show a specific user's password status
chage -l username
# Show password expiry information for all regular users
for user in $(awk -F: '$3>=1000{print $1}' /etc/passwd); do
  echo "=== $user ==="
  chage -l $user 2>/dev/null | head -5
done
# Fedora-specific: check whether the authselect with-passkey feature (FIDO2/WebAuthn support) is enabled
authselect list | grep with-passkey
authselect current | grep with-passkey
# Check biometric authentication (default on Fedora Workstation)
cat /etc/pam.d/system-auth | grep pam_fprintd
systemctl status fprintd 2>/dev/null || echo "指纹服务未运行"
```
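As an added example (not part of the original checklist), the following script evaluates /etc/shadow against the criteria of this section in one pass: empty passwords, locked accounts, weak or legacy hash algorithms (Fedora's default is yescrypt, prefix `$y$`), and the per-account maximum/minimum/warning ages that `chage -l` reads from the same file. It is written for the assessment context, so it runs read-only, against a constructed sample by default, and takes the path of a real shadow file as its first argument. The user names and hash strings in the sample are constructed placeholders, not real credentials.

```bash
#!/bin/sh
# Added example: read-only /etc/shadow audit against the Level 3 criteria of this section.
# Usage: sh shadow_audit.sh [/etc/shadow]   (no argument = run on the constructed sample below)

# Constructed sample shadow entries (placeholder hashes, NOT real credentials).
# Fields: name:password:lastchange:min:max:warn:inactive:expire:reserved
SAMPLE_SHADOW='root:$y$j9T$PLACEHOLDERSALTxxxxxxxx$PLACEHOLDERHASHxxxxxxxxxxxxxxxxxxxxxxxxxxx:19700:1:90:7:::
alice:$6$PLACEHOLDER$PLACEHOLDERHASHxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx:19700:0:99999:7:::
bob::19700:0:90:7:::
svc_backup:!!:19700:0:90:7:::
games:*:19700:0:99999:7:::
carol:$1$PLACEHOL$PLACEHOLDERmd5hashxxxxxxxx:19000:0:90:7:::'

# Write the sample to a temporary file and print its path, so the functions below
# run exactly as they would on a real file.
sample_shadow_file() {
    f=$(mktemp) || return 1
    printf '%s\n' "$SAMPLE_SHADOW" > "$f"
    printf '%s\n' "$f"
}

# audit_shadow FILE -> one tab-separated line per account:
#   name  status  hash_algorithm  findings
# status: EMPTY_PASSWORD | LOCKED | NO_PASSWORD | ACTIVE; findings is "OK" when compliant.
audit_shadow() {
    awk -F: '
    # Hash algorithm from the crypt(3) prefix; anything older than SHA-2 is flagged weak.
    function algo(pw,   p) {
        p = substr(pw, 1, 3)
        if (p == "$y$") return "yescrypt"
        if (p == "$7$") return "scrypt"
        if (p == "$6$") return "sha512"
        if (p == "$5$") return "sha256"
        if (p == "$2a" || p == "$2b" || p == "$2y") return "bcrypt"
        if (p == "$1$") return "md5-WEAK"
        return "unknown-WEAK"
    }
    $1 == "" { next }
    {
        name = $1; pw = $2; mind = $4; maxd = $5; warn = $6
        findings = ""; hash = "-"
        if (pw == "") {
            status = "EMPTY_PASSWORD"; findings = "empty password;"
        } else if (substr(pw, 1, 1) == "!") {
            status = "LOCKED"                      # passwd -l / pam lock marker
        } else if (pw == "*" || pw == "*LK*") {
            status = "NO_PASSWORD"                 # no password ever set (normal for system accounts)
        } else {
            status = "ACTIVE"; hash = algo(pw)
            if (hash ~ /WEAK/)               findings = findings "weak hash;"
            if (maxd == "" || maxd + 0 > 90) findings = findings "PASS_MAX_DAYS>90;"
            if (mind + 0 < 1)                findings = findings "PASS_MIN_DAYS<1;"
            if (warn + 0 < 7)                findings = findings "PASS_WARN_AGE<7;"
        }
        printf "%s\t%s\t%s\t%s\n", name, status, hash, (findings == "" ? "OK" : findings)
    }' "$1"
}

# shadow_fail_count FILE -> number of accounts with at least one finding
shadow_fail_count() {
    audit_shadow "$1" | awk -F'\t' '$4 != "OK" { n++ } END { print n + 0 }'
}

# Stand-alone run: audit the file given as $1, or the constructed sample.
if [ -n "$1" ]; then
    audit_shadow "$1"
else
    f=$(sample_shadow_file)
    audit_shadow "$f"
    echo "accounts with findings: $(shadow_fail_count "$f")"
    rm -f "$f"
fi
```

On the constructed sample, root passes (yescrypt, 90/1/7), alice fails on PASS_MAX_DAYS=99999 and PASS_MIN_DAYS=0, bob has an empty password, carol still carries an MD5 hash, and the two locked or password-less accounts are reported but not counted as findings, which mirrors how the table above treats them.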
1.2 Login failure handling and session timeout
| Control item | Assessment command | Pass criterion |
|---|---|---|
| Login-failure lockout | `cat /etc/security/faillock.conf` / `grep 'pam_faillock' /etc/pam.d/system-auth` | deny=5, unlock_time=300 |
| View failure records | `faillock --user username` | Shows the failure records of the given user |
| Session timeout | `echo $TMOUT` / `cat /etc/profile.d/tmout.sh` | TMOUT=600 (seconds) |
| SSH timeout | `grep -E 'ClientAliveInterval\|ClientAliveCountMax' /etc/ssh/sshd_config` | Disconnect after 300 s without activity |
Fedora-specific configuration:
```bash
# Fedora enables pam_faillock by default; the configuration matches RHEL but is more aggressive
# Show the faillock configuration
cat /etc/security/faillock.conf | grep -v '^#' | grep -v '^$'
# Show a specific user's failure records (the --reset form clears them: remediation, not assessment)
faillock --user root
faillock --user username --reset
# Show the global timeout configuration
cat /etc/profile.d/tmout.sh 2>/dev/null || grep TMOUT /etc/profile /etc/bashrc
# Fedora-specific: GNOME desktop session timeout (Workstation edition)
gsettings get org.gnome.desktop.session idle-delay 2>/dev/null || echo "非GNOME环境"
gsettings get org.gnome.desktop.screensaver lock-enabled 2>/dev/null
# Show the SSH security configuration (Fedora disables root login by default)
grep -E 'PermitRootLogin|Protocol|PasswordAuthentication|PubkeyAuthentication|ClientAlive' /etc/ssh/sshd_config
# Fedora-specific: check whether systemd-homed is enabled (recommended on Fedora 38+)
systemctl status systemd-homed 2>/dev/null || echo "未启用homed"
homectl list 2>/dev/null | head -5
```
1.3 Remote management security
```bash
# Fedora uses systemd and cockpit for modern system management by default
# Check the SSH service status
systemctl status sshd
# Check the SSH security configuration (Fedora defaults are stricter)
grep -E 'PermitRootLogin|Protocol|PasswordAuthentication|PubkeyAuthentication|AllowUsers|AllowGroups' /etc/ssh/sshd_config
# Show the SSH listening address
ss -tlnp | grep :22
# Check for Telnet (should not be installed)
rpm -qa | grep telnet
dnf list installed telnet-server 2>/dev/null || echo "Telnet未安装"
# Fedora-specific: check cockpit (the default web management tool)
systemctl status cockpit.socket
systemctl is-enabled cockpit.socket
grep -E 'Origins|ProtocolHeader|LoginTitle' /etc/cockpit/cockpit.conf 2>/dev/null | head -5
# Check the cockpit session timeout
grep 'IdleTimeout' /etc/cockpit/cockpit.conf 2>/dev/null || echo "未配置cockpit超时,默认无超时"
# Show the permitted SSH users/groups
grep -E 'AllowUsers|AllowGroups|DenyUsers|DenyGroups' /etc/ssh/sshd_config
# Fedora-specific: check WireGuard (wg-quick) tunnels (modern VPN alternative)
systemctl status wg-quick@* 2>/dev/null || echo "WireGuard未配置"
cat /etc/wireguard/*.conf 2>/dev/null | grep -v PrivateKey | head -10
```
High-risk items: Telnet enabled, remote root login permitted, weak SSH algorithms, or cockpit exposed to the public internet without access control each directly fail the Level 3 requirement.
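The grep commands above print every line that mentions a keyword, including the commented-out defaults, so on a long-lived sshd_config it is easy to misread which value is actually in force. sshd applies the first uncommented occurrence of a keyword, matches keywords case-insensitively, and disconnects an idle session after ClientAliveInterval × ClientAliveCountMax seconds. As an added example (not from the original checklist), the following script applies those rules to resolve the effective global value and scores the section's criteria (PermitRootLogin and the 300 s idle limit) against two constructed configuration files, a weak one and a hardened one. The file contents are constructed; settings inside `Match` blocks are deliberately excluded because they are conditional, and the `Keyword=value` spelling is not handled.

```bash
#!/bin/sh
# Added example: resolve effective sshd_config values the way sshd does and score them
# against this section's criteria. Runs read-only against constructed sample files.

# Constructed weak configuration: the commented default is ignored, the lowercase
# "permitrootlogin yes" is the first real occurrence and therefore wins, and the later
# "PermitRootLogin no" as well as the Match block do not change the global setting.
WEAK_SSHD_CONFIG='Port 22
#PermitRootLogin prohibit-password
permitrootlogin yes
PermitRootLogin no
ClientAliveInterval 0
ClientAliveCountMax 3
PasswordAuthentication yes
Match User deploy
    PermitRootLogin no
    ClientAliveInterval 60'

# Constructed hardened configuration: 100 s x 3 probes = 300 s idle disconnect.
HARDENED_SSHD_CONFIG='PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ClientAliveInterval 100
ClientAliveCountMax 3'

# sample_sshd_config weak|hardened -> path of a temp file holding that sample
sample_sshd_config() {
    f=$(mktemp) || return 1
    if [ "$1" = "weak" ]; then
        printf '%s\n' "$WEAK_SSHD_CONFIG" > "$f"
    else
        printf '%s\n' "$HARDENED_SSHD_CONFIG" > "$f"
    fi
    printf '%s\n' "$f"
}

# sshd_effective KEYWORD FILE -> the value sshd applies globally:
# first uncommented occurrence wins, keyword match is case-insensitive,
# parsing stops at the first Match block.
sshd_effective() {
    awk -v key="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        tolower($1) == "match"              { exit }
        tolower($1) == key                  { print $2; exit }
    ' "$2"
}

# sshd_check FILE -> one line per criterion ending in "ok", "WARN" or "FAIL"
sshd_check() {
    f=$1
    prl=$(sshd_effective PermitRootLogin "$f")
    case "$prl" in
        no)  echo "PermitRootLogin=$prl ok" ;;
        yes) echo "PermitRootLogin=$prl FAIL" ;;
        *)   echo "PermitRootLogin=${prl:-unset} WARN" ;;   # default prohibit-password still admits root with keys
    esac
    echo "PasswordAuthentication=$(sshd_effective PasswordAuthentication "$f")"
    interval=$(sshd_effective ClientAliveInterval "$f"); interval=${interval:-0}
    count=$(sshd_effective ClientAliveCountMax "$f");   count=${count:-3}
    if [ "$interval" -eq 0 ]; then
        echo "idle_timeout=disabled FAIL"                 # interval 0 means sshd never probes the client
    elif [ $((interval * count)) -gt 300 ]; then
        echo "idle_timeout=$((interval * count))s FAIL"   # longer than the 300 s criterion
    else
        echo "idle_timeout=$((interval * count))s ok"
    fi
}

# sshd_check_failures FILE -> number of FAIL lines
sshd_check_failures() {
    sshd_check "$1" | awk '/FAIL$/ { n++ } END { print n + 0 }'
}

# Stand-alone run: score both constructed samples.
for kind in weak hardened; do
    f=$(sample_sshd_config "$kind")
    echo "== $kind sample: $(sshd_check_failures "$f") failing criteria =="
    sshd_check "$f"
    rm -f "$f"
done
```

The weak sample fails twice (root login effectively `yes`, no idle timeout because the interval is 0), although a plain grep would also have shown a reassuring `PermitRootLogin no` line; the hardened sample passes. On a live host, `sshd -T` prints the same effective values directly and is the authoritative cross-check.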
1.4 Two-factor authentication (high-risk item)
Assessment method:
- Interview: confirm whether a "password + FIDO2/WebAuthn/hardware token" combination is used
- Technical verification:
```bash
# Fedora-specific: native FIDO2/WebAuthn support (38+)
authselect list | grep with-passkey
authselect current | grep with-passkey
# Check the system-level FIDO2 configuration
cat /etc/pam.d/system-auth | grep pam_u2f
rpm -qa | grep pam_u2f
# Check GNOME desktop FIDO2 integration (Workstation); the module is pam_u2f.so
rpm -qa | grep gnome-online-accounts
cat /etc/pam.d/gdm-password 2>/dev/null | grep pam_u2f
# Check legacy Google Authenticator
cat /etc/pam.d/sshd | grep google-authenticator
rpm -qa | grep google-authenticator
# Check the YubiKey configuration
rpm -qa | grep yubikey-manager
ykman info 2>/dev/null || echo "YubiKey Manager未安装"
# Check smart card / CCID support (well supported on Fedora by default)
systemctl status pcscd
rpm -qa | grep opensc
pkcs11-tool -L 2>/dev/null | head -10
# Show SSH key-based authentication
ls -la /home/*/.ssh/authorized_keys 2>/dev/null | head -5
find /home -name "authorized_keys" -exec ls -la {} \; 2>/dev/null | head -5
# Fedora-specific: check systemd-cryptsetup (LUKS2 + TPM2 + FIDO2)
systemd-cryptenroll --help 2>/dev/null | head -5
cat /etc/crypttab | grep fido2 2>/dev/null || echo "未配置FIDO2磁盘加密"
```
II. Access Control (8.1.4.2)
2.1 Account and privilege management
| Control item | Assessment command | Pass criterion |
|---|---|---|
| System accounts | `awk -F: '$3<1000 && $1!="root"{print $1}' /etc/passwd` | Only required system accounts remain |
| sudo authorization | `cat /etc/sudoers` / `ls -la /etc/sudoers.d/` | Least privilege; use the wheel group |
| Permissions on key files | `stat -c '%a %n' /etc/passwd /etc/shadow /etc/group /etc/gshadow` | 644/000/644/000 |
| umask value | `grep -r 'umask' /etc/profile.d/ /etc/profile /etc/bashrc 2>/dev/null` | 022 or 027 |
Fedora-specific configuration:
```bash
# Fedora's default sudo configuration (wheel group)
grep '%wheel' /etc/sudoers
grep '%wheel' /etc/sudoers.d/* 2>/dev/null | head -3
# Show a specific user's sudo privileges
sudo -l -U username
# Check polkit permissions (strict by default on Fedora)
cat /etc/polkit-1/localauthority.conf.d/*.conf 2>/dev/null | head -10
rpm -qa | grep polkit
# Check permissions on key files
stat -c '%a %U:%G' /etc/passwd /etc/shadow /etc/group /etc/gshadow
# Fedora-specific: check systemd-homed user permissions (if enabled)
homectl inspect username 2>/dev/null | grep -E 'UID|GID|MemberOf'
# Check fapolicyd (application allowlisting, installed by default on Fedora 39+)
systemctl status fapolicyd 2>/dev/null || echo "fapolicyd未运行"
cat /etc/fapolicyd/fapolicyd.conf 2>/dev/null | head -10
fapolicyd-cli --list 2>/dev/null | head -10
# Check SELinux status (Enforcing by default on Fedora)
getenforce
sestatus
cat /etc/selinux/config | grep SELINUX=
```
2.2 Default account cleanup
```bash
# Confirm that default accounts are disabled or removed
grep -E 'games|news|uucp|proxy|www-data|backup|list|irc|gnats' /etc/shadow
# Fedora-specific: check for the fedora user (LiveCD leftover)
grep '^fedora' /etc/passwd && echo "⚠ 发现fedora用户(LiveCD安装遗留)"
# Check accounts without a login shell
awk -F: '$7=="/sbin/nologin" || $7=="/bin/false" || $7=="/usr/sbin/nologin"{print $1}' /etc/passwd | head -10
# Lock unnecessary accounts (remediation step)
sudo passwd -l games 2>/dev/null
sudo passwd -l news 2>/dev/null
# Fedora-specific: check whether the gnome-initial-setup user was removed (Workstation install leftover)
grep 'gnome-initial-setup' /etc/passwd && echo "⚠ 发现gnome-initial-setup用户"
# Check the systemd-coredump user (a normal system user)
id systemd-coredump 2>/dev/null
```
2.3 SELinux mandatory access control (core Fedora security feature)
```bash
# Fedora enables the strictest SELinux policy by default; this is the main difference from RHEL/Rocky
# Show SELinux status
getenforce
sestatus
# Show the SELinux mode configuration
cat /etc/selinux/config | grep -E '^SELINUX=|^SELINUXTYPE='
# Fedora-specific: the targeted policy is used, but the defaults are stricter
sestatus | grep 'Loaded policy name'
# Show SELinux booleans (Fedora disables more unsafe features by default)
getsebool -a | grep -E 'ssh|http|ftp|nfs|samba|docker|podman' | head -30
# Show file security contexts
ls -Z /etc/passwd /etc/shadow /var/www/html 2>/dev/null | head -5
# Show process security contexts
ps -eZ | grep -E 'sshd|httpd|crond|podman|container' | head -5
# Show the SELinux audit log
ausearch -m avc,user_avc,selinux_err -ts today 2>/dev/null | tail -10
cat /var/log/audit/audit.log 2>/dev/null | grep 'type=AVC' | tail -5
# Fedora-specific: check setroubleshoot (graphical SELinux troubleshooting)
systemctl status setroubleshootd 2>/dev/null || echo "setroubleshootd未运行"
sealert -a /var/log/audit/audit.log 2>/dev/null | head -10
# Show SELinux user mappings
semanage login -l 2>/dev/null | head -10
semanage user -l 2>/dev/null | head -10
# Fedora-specific: check whether the SELinux sandbox is available (the second command launches a sandboxed Firefox)
rpm -qa | grep policycoreutils-sandbox
sandbox -X firefox 2>/dev/null || echo "SELinux沙盒未配置"
```
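`ausearch -m avc` followed by `tail -10` shows the ten newest denials, which hides repetition and the one signal a Level 3 assessor most needs: whether the denial was actually enforced. As an added example (not part of the original checklist), the following script summarizes `type=AVC` records from audit.log by (command, source type, target type, class, permissions) and marks records carrying `permissive=1`, which means the domain or the whole system was in permissive mode and the access was logged but not blocked, contradicting the Enforcing criterion above. The audit records it runs on are constructed samples; on a live host pipe `grep type=AVC /var/log/audit/audit.log` or `ausearch -m avc --raw` into `avc_summary`.

```bash
#!/bin/sh
# Added example: summarize SELinux AVC denials from audit.log and flag unenforced ones.
# Live use: ausearch -m avc --raw 2>/dev/null | avc_summary

# Constructed audit.log excerpt (pids, inodes and timestamps are made up).
SAMPLE_AUDIT_LOG='type=AVC msg=audit(1718000000.123:456): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1718000000.123:456): arch=c000003e syscall=257 success=no exit=-13 comm="httpd" exe="/usr/sbin/httpd"
type=AVC msg=audit(1718000001.456:457): avc:  denied  { write } for  pid=2201 comm="sshd" path="/etc/shadow" dev="dm-0" ino=998 scontext=system_u:system_r:sshd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:shadow_t:s0 tclass=file permissive=0
type=AVC msg=audit(1718000002.789:458): avc:  denied  { name_connect } for  pid=1234 comm="httpd" dest=3306 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:mysqld_port_t:s0 tclass=tcp_socket permissive=1
type=AVC msg=audit(1718000003.000:459): avc:  denied  { read } for  pid=1234 comm="httpd" name="index.html" dev="dm-0" ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file permissive=0'

# avc_summary < audit-log -> tab-separated, most frequent first:
#   count  comm  source_type  target_type  tclass  permissions  enforced|PERMISSIVE
avc_summary() {
    awk '
    # field(line, key): value of key=value or key="value"; "-" when absent.
    function field(line, key,   s) {
        if (!match(line, key "=\"?[^\" ]*")) return "-"
        s = substr(line, RSTART + length(key) + 1, RLENGTH - length(key) - 1)
        sub(/^"/, "", s)
        return s
    }
    # type_of(ctx): the type component (3rd field) of user:role:type:level
    function type_of(ctx,   p) { split(ctx, p, ":"); return p[3] }
    $1 != "type=AVC" { next }
    {
        perms = "?"
        if (match($0, /\{[^}]*\}/)) {
            perms = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^ +| +$/, "", perms)
        }
        mode = (field($0, "permissive") == "1") ? "PERMISSIVE" : "enforced"
        k = field($0, "comm") "\t" type_of(field($0, "scontext")) "\t" type_of(field($0, "tcontext"))
        k = k "\t" field($0, "tclass") "\t" perms "\t" mode
        count[k]++
    }
    END { for (k in count) print count[k] "\t" k }' | sort -rn
}

# avc_permissive_count < audit-log -> number of denial groups that were NOT enforced
avc_permissive_count() {
    avc_summary | awk -F'\t' '$7 == "PERMISSIVE" { n++ } END { print n + 0 }'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_summary
echo "unenforced denial groups: $(printf '%s\n' "$SAMPLE_AUDIT_LOG" | avc_permissive_count)"
```

The sample collapses to three groups: two identical httpd read denials on user_home_t (enforced), one sshd write to shadow_t (enforced, and worth an incident look on its own), and an httpd name_connect to mysqld_port_t marked PERMISSIVE, which `getenforce` alone would not reveal if only the httpd_t domain had been made permissive with `semanage permissive`.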
III. Security Audit (8.1.4.3)
3.1 Audit service enablement
| Control item | Assessment command | Pass criterion |
|---|---|---|
| auditd service | `systemctl is-active auditd && systemctl is-enabled auditd` | active & enabled |
| Audit rules | `auditctl -l \| wc -l` | ≥30 rules |
| Log retention | `grep -E 'max_log_file\|num_logs' /etc/audit/auditd.conf` | ≥50 MB per file, retained ≥6 months |
| Log permissions | `stat -c '%a %U:%G' /var/log/audit/audit.log` | 640 root:root |
Fedora-specific configuration:
```bash
# Fedora enables auditd by default; the configuration matches RHEL but the rules are more modern
# Check the audit service status
systemctl status auditd
systemctl is-enabled auditd
# Show the audit rules
auditctl -l 2>/dev/null | wc -l
auditctl -l 2>/dev/null | head -20
# Show the audit rule files
ls -la /etc/audit/rules.d/
cat /etc/audit/rules.d/audit.rules 2>/dev/null || cat /etc/audit/audit.rules
# Fedora-specific: predefined audit rule sets (stricter container auditing)
ls /usr/share/doc/audit/rules/ 2>/dev/null | head -10
cat /etc/audit/rules.d/containers.rules 2>/dev/null | head -10
# Generate audit reports
aureport --summary 2>/dev/null | head -20
aureport --login --summary -i 2>/dev/null | head -10
aureport --user -i --summary 2>/dev/null | head -10
# Fedora-specific: check podman/container auditing
ausearch -m avc -ts recent 2>/dev/null | grep -E 'container|podman' | tail -10
# Check auditd plugins (e.g. syslog forwarding); plugins.d is a directory, so list it and show which plugins are active
ls -la /etc/audit/plugins.d/ 2>/dev/null | head -5
grep -H '^active' /etc/audit/plugins.d/*.conf 2>/dev/null
```
3.2 Log management and protection
```bash
# Fedora uses systemd-journald as the primary logger; rsyslog is optional
# Show the journald configuration
cat /etc/systemd/journald.conf | grep -v '^#' | grep -v '^$'
# Check log persistence
grep Storage /etc/systemd/journald.conf   # should be persistent or auto
# Show journal disk usage
journalctl --disk-usage
# Show the log retention policy (read-only check)
grep -E '^(MaxRetentionSec|SystemMaxUse|SystemKeepFree|MaxFileSec)' /etc/systemd/journald.conf /etc/systemd/journald.conf.d/*.conf 2>/dev/null
# Remediation, not a check: the following deletes journal entries older than six months
# journalctl --vacuum-time=6months
# Fedora-specific: check systemd-coredump (replaces traditional core dumps)
cat /etc/systemd/coredump.conf 2>/dev/null | head -10
coredumpctl list 2>/dev/null | head -10
# Check log permissions
ls -la /var/log/journal/ 2>/dev/null | head -10
stat -c '%a %U:%G' /var/log/journal/ 2>/dev/null
# Fedora-specific: check whether systemd-pstore is enabled (persists crash logs)
systemctl status systemd-pstore 2>/dev/null || echo "systemd-pstore未启用"
# Check whether rsyslog is enabled (legacy compatibility)
systemctl status rsyslog 2>/dev/null || echo "rsyslog未启用(使用journald)"
```
IV. Intrusion Prevention (8.1.4.4)
4.1 Minimal installation and vulnerability remediation
| Control item | Assessment command | Pass criterion |
|---|---|---|
| Pending updates | `dnf check-update 2>/dev/null \| wc -l` | Security patches applied promptly |
| Security updates | `dnf updateinfo list security 2>/dev/null` | No unpatched security advisories |
| Automatic updates | `systemctl status dnf-automatic.timer` | Automatic security updates enabled |
| Service minimization | `systemctl list-unit-files --state=enabled \| grep -vE 'ssh\|audit\|journald\|cron\|systemd'` | Only services the business needs |
| Listening ports | `ss -tulnp \| grep LISTEN` | No high-risk ports (111, 23, 513, etc.) |
Fedora-specific configuration:
```bash
# Show updatable packages
dnf check-update 2>/dev/null | wc -l | xargs -I {} echo "可更新包数: {}"
# Show security updates (Fedora security advisories)
dnf updateinfo list security 2>/dev/null | head -20
dnf updateinfo list sec 2>/dev/null | head -20
# Fedora-specific: check automatic updates (enabled by default)
systemctl status dnf-automatic.timer
systemctl is-enabled dnf-automatic.timer
cat /etc/dnf/automatic.conf | grep -v '^#' | head -20
# Count installed packages
rpm -qa | wc -l
# Show the system version
cat /etc/os-release | grep -E 'NAME|VERSION|VARIANT'
cat /etc/fedora-release 2>/dev/null
# Show enabled services
systemctl list-unit-files --state=enabled | grep -vE 'ssh|audit|journald|cron|systemd|chrony|NetworkManager|firewalld|podman' | head -20
# Check high-risk ports
ss -tulnp | grep LISTEN | grep -E ':23|:111|:513|:514|:2049'
# Fedora-specific: check for Silverblue/Kinoite (immutable system); test for the binary first,
# because `|| echo` after `head` never fires (head exits 0 even when rpm-ostree is absent)
command -v rpm-ostree >/dev/null 2>&1 && rpm-ostree status | head -20 || echo "传统RPM系统(非OSTree)"
# Check containerized services (podman is enabled by default on Fedora)
systemctl --user status podman.socket 2>/dev/null || echo "rootless podman未启用"
podman system info 2>/dev/null | head -10
```
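The high-risk port grep above matches `:23` anywhere in the line, so ports such as 2300 or 12345 also match, while the pattern used later in the one-click script matches only the literal `0.0.0.0:PORT` and would report "no high-risk ports" for a daemon bound to `*:23` or `[::]:2049` (the IPv6 any-address, which on Linux accepts IPv4 connections too by default). As an added example, not part of the original checklist, the following script parses `ss -tulnp` output properly: it splits the local address and port on the last colon, strips IPv6 brackets and the `%interface` scope suffix, classifies each bind as wildcard, loopback or a specific address, and reports only the high-risk ports reachable from outside the host. The sample ss output is constructed; the high-risk port list is the one named in this section.

```bash
#!/bin/sh
# Added example: evaluate `ss -tulnp` output for exposed high-risk ports (constructed sample).
# Live use: ss -tulnp 2>/dev/null | high_risk_exposed

# High-risk ports named in this section (telnet, rpcbind, rlogin, rsh/syslog, nfs)
HIGH_RISK_PORTS="23 111 513 514 2049"

# Constructed `ss -tulnp` output: wildcard, loopback, IPv6 and specific-address binds.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
udp   UNCONN 0      0      127.0.0.53%lo:53   0.0.0.0:*   users:(("systemd-resolve",pid=612,fd=13))
udp   UNCONN 0      0      0.0.0.0:111        0.0.0.0:*   users:(("rpcbind",pid=701,fd=5))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*   users:(("sshd",pid=890,fd=3))
tcp   LISTEN 0      4096   127.0.0.1:631      0.0.0.0:*   users:(("cupsd",pid=802,fd=7))
tcp   LISTEN 0      128    *:23               *:*         users:(("in.telnetd",pid=1201,fd=4))
tcp   LISTEN 0      128    [::]:2049          [::]:*
tcp   LISTEN 0      128    [::1]:513          [::]:*      users:(("rlogind",pid=1300,fd=4))
tcp   LISTEN 0      511    192.0.2.10:9090    0.0.0.0:*   users:(("cockpit-ws",pid=1400,fd=5))'

# port_exposure < ss-output -> tab-separated per socket:
#   scope(wildcard|loopback|specific)  proto  port  address  process  HIGH_RISK|-
port_exposure() {
    awk -v risky="$HIGH_RISK_PORTS" '
    BEGIN { n = split(risky, a, " "); for (i = 1; i <= n; i++) risk[a[i]] = 1 }
    NR == 1 && $1 == "Netid" { next }          # header line
    NF < 5 { next }
    {
        proto = $1; local = $5
        # Split on the LAST colon: IPv6 literals contain colons themselves.
        i = 0
        while ((j = index(substr(local, i + 1), ":")) > 0) i += j
        port = substr(local, i + 1)
        addr = substr(local, 1, i - 1)
        gsub(/\[/, "", addr); gsub(/\]/, "", addr)   # [::]:2049 -> ::
        sub(/%.*/, "", addr)                          # 127.0.0.53%lo -> 127.0.0.53
        if (addr == "0.0.0.0" || addr == "*" || addr == "::") scope = "wildcard"
        else if (addr ~ /^127\./ || addr == "::1")             scope = "loopback"
        else                                                   scope = "specific"
        proc = "-"
        if (match($0, /users:\(\("[^"]+"/)) proc = substr($0, RSTART + 9, RLENGTH - 10)
        print scope "\t" proto "\t" port "\t" addr "\t" proc "\t" ((port in risk) ? "HIGH_RISK" : "-")
    }'
}

# high_risk_exposed < ss-output -> only high-risk ports not confined to loopback
high_risk_exposed() {
    port_exposure | awk -F'\t' '$6 == "HIGH_RISK" && $1 != "loopback"'
}

# Stand-alone run on the constructed sample.
echo "--- all sockets ---"
printf '%s\n' "$SAMPLE_SS" | port_exposure
echo "--- high-risk ports exposed beyond loopback ---"
printf '%s\n' "$SAMPLE_SS" | high_risk_exposed
```

On the sample, rpcbind on 0.0.0.0:111, telnetd on *:23 and NFS on [::]:2049 are reported as exposed, while rlogind bound only to [::1]:513 is listed but not counted; cockpit on a specific address is shown with scope "specific" so the assessor can decide whether that interface is public.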
4.2 Firewall and network protection
```bash
# Fedora uses firewalld (nftables backend) by default, with podman firewall integration
# Check firewalld status
systemctl status firewalld
firewall-cmd --state
# Show the firewalld default zone
firewall-cmd --get-default-zone
firewall-cmd --get-active-zones
# Show firewalld rules
firewall-cmd --list-all
firewall-cmd --list-all-zones | head -50
# Show rich rules
firewall-cmd --list-rich-rules
# Show direct rules
firewall-cmd --direct --get-all-rules
# Check the nftables backend
nft list ruleset 2>/dev/null | head -30
# Fedora-specific: check podman firewall integration (rootless containers)
podman network ls 2>/dev/null
firewall-cmd --get-active-zones | grep podman
# Check the TCP Wrappers configuration (tcp_wrappers was removed from Fedora in release 28, so these files are usually absent)
cat /etc/hosts.allow
cat /etc/hosts.deny
# Check fail2ban (intrusion prevention)
systemctl status fail2ban 2>/dev/null || echo "fail2ban未运行"
fail2ban-client status 2>/dev/null
# Fedora-specific: check fapolicyd (application allowlisting, default on 39+)
systemctl status fapolicyd 2>/dev/null || echo "fapolicyd未运行"
fapolicyd-cli --list 2>/dev/null | head -10
# Check network kernel parameters
sysctl -a 2>/dev/null | grep -E 'icmp_echo_ignore_all|rp_filter|syncookies' | head -10
```
4.3 Secure Boot and kernel hardening
```bash
# Check Secure Boot status
mokutil --sb-state 2>/dev/null || echo "Secure Boot未启用或mokutil未安装"
bootctl status 2>/dev/null | head -10
# Fedora-specific: check whether UKI (Unified Kernel Image, experimental on 40+) is in use
ls /boot/efi/EFI/fedora/*.efi 2>/dev/null | grep -i uki || echo "传统EFI启动"
# Show kernel security parameters
sysctl -a 2>/dev/null | grep -E 'kptr_restrict|dmesg_restrict|kexec_load_disabled' | head -10
# Show the current kernel boot parameters
cat /proc/cmdline
# Fedora-specific: check whether kernel live patching (kpatch) is enabled
systemctl status kpatch 2>/dev/null || echo "kpatch未启用(Fedora主要版本更新快,kpatch支持有限)"
# Check IMA/EVM (integrity measurement)
cat /sys/kernel/security/ima/ascii_runtime_measurements 2>/dev/null | head -5
dmesg | grep -i 'ima\|evm' | head -5
# Fedora-specific: check whether systemd-boot is used (replaces GRUB; default on IoT/Silverblue)
bootctl status 2>/dev/null | grep -E 'Systemd-Stub|Secure Boot'
```
V. Malware Protection (8.1.4.5)
| Control item | Assessment command | Pass criterion |
|---|---|---|
| ClamAV installed | `rpm -qa \| grep clamav` | Installed |
| ClamAV status | `systemctl is-active clamd` | active |
| Signature database update | `freshclam --version` | Updated within 24 hours |
| Real-time scanning | `systemctl is-active clamav-daemon` | active (if installed) |
Fedora-specific configuration:
```bash
# Check the ClamAV installation
rpm -qa | grep clamav | head -5
# Check the ClamAV service
systemctl status clamd@scan 2>/dev/null || systemctl status clamd 2>/dev/null || echo "clamd未运行"
# Update the signature database manually
sudo freshclam
# Show the signature database version
freshclam --version 2>/dev/null
# Show ClamScan scheduled tasks
cat /etc/cron.d/clamav-update 2>/dev/null
systemctl list-timers | grep clamav
# Check Rootkit Hunter
rpm -qa | grep rkhunter
sudo rkhunter --check --sk 2>/dev/null | tail -20
# Check chkrootkit
rpm -qa | grep chkrootkit
# Fedora-specific: check whether OpenSCAP scanning is available (well supported by default);
# test for the content file first, because `|| echo` after `tail` would never fire
rpm -qa | grep openscap-scanner
if [ -f /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml ]; then
  oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_cis /usr/share/xml/scap/ssg/content/ssg-fedora-ds.xml 2>/dev/null | tail -20
else
  echo "Fedora SCAP内容未安装或版本不匹配"
fi
# Fedora-specific: check the fapolicyd application allowlist configuration
fapolicyd-cli --check-config 2>/dev/null | head -10
```
VI. Trusted Verification (8.1.4.6)
| Control item | Assessment command | Pass criterion |
|---|---|---|
| TPM status | `dmesg \| grep -i tpm` | TPM 2.0 ready |
| Secure Boot | `mokutil --sb-state` | SecureBoot enabled |
| Kernel module signing | `cat /sys/module/module/parameters/sig_enforce` | Module signature verification enforced |
| File integrity | `rpm -Va 2>/dev/null \| head -20` | No key files tampered with |
Fedora-specific configuration:
```bash
# Check TPM status
dmesg | grep -i "tpm\|trusted platform"
ls /dev/tpm* 2>/dev/null
# Check Secure Boot status
mokutil --sb-state 2>/dev/null || echo "Secure Boot未启用"
# Fedora-specific: check whether TPM2 + LUKS automatic unlocking (systemd-cryptenroll) is configured
systemd-cryptenroll --help 2>/dev/null | head -5
cat /etc/crypttab | grep tpm2 2>/dev/null || echo "未配置TPM2磁盘加密"
# Check the kernel's view of Secure Boot
cat /proc/sys/kernel/secure_boot 2>/dev/null
# Verify RPM package integrity (with grep -E the alternatives are separated by a bare |, not \|)
rpm -Va 2>/dev/null | grep -E '^S.5....T|^..5....T|^.......T' | head -20
# Verify specific key packages
rpm -V coreutils bash kernel systemd 2>/dev/null | head -10
# Show kernel module signatures
modinfo $(lsmod | awk 'NR==2{print $1}') 2>/dev/null | grep -E 'sig|signer|integ'
# Fedora-specific: check whether IMA appraisal is enabled (experimental)
cat /sys/kernel/security/ima/policy 2>/dev/null | head -5
# Check Silverblue/RPM-OSTree integrity (if applicable); test for the binary first,
# because `|| echo` after `head` never fires
rpm-ostree status 2>/dev/null | head -10
command -v ostree >/dev/null 2>&1 && ostree fsck 2>/dev/null | head -5 || echo "传统RPM系统"
```
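`rpm -Va` prints one line per changed file, so on a real host `head -20` shows an arbitrary subset and mixes harmless mtime changes with a modified binary in /usr/bin. As an added example (not part of the original checklist), the following script triages rpm -V output by its attribute flags (S size, M mode, 5 digest, L link, U/G owner/group, T mtime) and the file-type marker (`c` config, `d` documentation): content changes to system binaries and libraries are CRITICAL, missing packaged files HIGH, permission or ownership changes MEDIUM, and edits to config files INFO for comparison with the baseline. The input lines are constructed; on a live host run `rpm -Va 2>/dev/null | rpm_verify_triage | sort`.

```bash
#!/bin/sh
# Added example: triage `rpm -Va` output by severity (constructed sample input).
# Live use: rpm -Va 2>/dev/null | rpm_verify_triage | sort

# Constructed rpm -V lines. Format: 9 attribute flags, optional file-type marker, path.
SAMPLE_RPM_VA='S.5....T.  c /etc/ssh/sshd_config
.M.......    /usr/bin/passwd
S.5....T.    /usr/bin/ls
.......T.    /usr/share/zoneinfo/UTC
..5....T.  d /usr/share/doc/bash/README
missing     /usr/lib64/libaudit.so.1
.M.......  c /etc/shadow
.....UG..    /var/spool/cron'

# rpm_verify_triage < rpm-V-output -> tab-separated: SEVERITY  path  reason
rpm_verify_triage() {
    awk '
    NF == 0 { next }
    {
        attrs = $1
        if (attrs == "missing") { print "HIGH\t" $NF "\tpackaged file is missing"; next }
        # A single-character second field is the file-type marker (c, d, g, l, r).
        if (NF >= 3 && length($2) == 1) { type = $2; path = $3 } else { type = ""; path = $2 }
        content = (index(attrs, "5") > 0 || index(attrs, "S") > 0 || index(attrs, "L") > 0)
        perms   = (index(attrs, "M") > 0 || index(attrs, "U") > 0 || index(attrs, "G") > 0)
        mtime   = (index(attrs, "T") > 0)
        system_bin = (path ~ /^\/usr\/(s?bin|lib|lib64|libexec)\//)
        if (type == "c" && perms)        { sev = "MEDIUM";   why = "config file permission/ownership changed" }
        else if (type == "c")            { sev = "INFO";     why = "config file content changed (compare with baseline)" }
        else if (type == "d")            { sev = "LOW";      why = "documentation file changed" }
        else if (content && system_bin)  { sev = "CRITICAL"; why = "system binary or library content changed" }
        else if (content)                { sev = "HIGH";     why = "file content changed" }
        else if (perms)                  { sev = "MEDIUM";   why = "permission or ownership changed" }
        else if (mtime)                  { sev = "LOW";      why = "only mtime changed" }
        else                             { sev = "INFO";     why = "attributes " attrs }
        print sev "\t" path "\t" why
    }'
}

# rpm_verify_count SEVERITY < triage-output -> number of lines at that severity
rpm_verify_count() {
    awk -F'\t' -v s="$1" '$1 == s { n++ } END { print n + 0 }'
}

# Stand-alone run on the constructed sample.
printf '%s\n' "$SAMPLE_RPM_VA" | rpm_verify_triage | sort
echo "critical: $(printf '%s\n' "$SAMPLE_RPM_VA" | rpm_verify_triage | rpm_verify_count CRITICAL)"
```

On the sample, /usr/bin/ls with a changed digest is the single CRITICAL line, the missing libaudit library is HIGH, the mode change on /usr/bin/passwd and on /etc/shadow is MEDIUM (a setuid or permission change deserves a look even when content is intact), and the edited sshd_config is INFO because config drift is expected and is judged against the approved baseline.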
VII. Data Backup and Recovery (8.1.4.9)
| Control item | Assessment command | Pass criterion |
|---|---|---|
| Backup policy | `cat /etc/cron.d/backup 2>/dev/null \| grep -i backup` | Daily/weekly jobs |
| Backup tool | `rpm -qa \| grep -E 'rear\|borg\|restic\|timeshift'` | A modern backup tool is installed |
| Backup directory permissions | `stat -c '%a %U:%G' /backup` | 700 root:root |
| Restore verification | `tar -tzf /backup/etc-$(date +%F).tar.gz \| wc -l` | Archive can be listed and extracted normally |
Fedora-specific configuration:
```bash
# Show the backup script
cat /etc/cron.d/backup 2>/dev/null || crontab -l | grep backup
# Fedora-specific: check whether borgbackup is used (the modern tool recommended on Fedora)
rpm -qa | grep borgbackup
borg list /backup/borg 2>/dev/null | head -5
# Check restic (available in the official Fedora repositories)
rpm -qa | grep restic
restic snapshots -r /backup/restic 2>/dev/null | head -5
# Check timeshift (desktop environments)
rpm -qa | grep timeshift
sudo timeshift --list 2>/dev/null | head -10
# Check Deja Dup (GNOME's default backup tool)
rpm -qa | grep deja-dup
# Show rsync backup jobs
crontab -l | grep rsync
cat /etc/cron.d/*rsync* 2>/dev/null | head -10
# Verify backup integrity
sudo tar -tzf /backup/etc-$(date +%F).tar.gz 2>/dev/null | wc -l
# Fedora-specific: Silverblue system backup (via rpm-ostree)
rpm-ostree status 2>/dev/null | head -10
# Roll back to the previous deployment: rpm-ostree rollback
# Check ReaR (disaster recovery)
rpm -qa | grep rear
cat /etc/rear/local.conf 2>/dev/null | head -20
```
VIII. Fedora-Specific Security Features
8.1 Silverblue/Kinoite (immutable operating system)
```bash
# Fedora Silverblue/Kinoite use rpm-ostree for atomic updates
# Show OSTree status
rpm-ostree status
# Check for available updates
rpm-ostree upgrade --check 2>/dev/null || rpm-ostree status
# Show deployment history
rpm-ostree status -v | grep -E 'Commit|Version|Timestamp'
# Roll back to the previous deployment
rpm-ostree rollback
# Check the persistent /var configuration (the only writable directory)
ls /var/home/ 2>/dev/null || ls /var/ 2>/dev/null | head -10
# Check toolbox/distrobox (development environment isolation)
toolbox list 2>/dev/null || echo "toolbox未配置"
distrobox list 2>/dev/null || echo "distrobox未配置"
```
8.2 Podman/container security (rootless by default)
```bash
# Fedora uses podman instead of docker by default and enforces rootless mode
# Show podman information
podman info 2>/dev/null | head -20
# Show the rootless container configuration
podman unshare cat /proc/self/uid_map 2>/dev/null
# Check container SELinux labels
podman ps --format "{{.Names}} {{.SecurityOptions}}" 2>/dev/null
# Check container network isolation
podman network ls 2>/dev/null
podman network inspect podman 2>/dev/null | head -10
# Check container resource limits (user@.service.d is a directory, so read its drop-in files)
cat /etc/systemd/system/user@.service.d/*.conf 2>/dev/null | head -5
systemctl --user status podman.socket 2>/dev/null
# Fedora-specific: check whether podman-auto-update is enabled
systemctl --user status podman-auto-update.timer 2>/dev/null || echo "容器自动更新未启用"
```
8.3 Flatpak application isolation
```bash
# Fedora Workstation sandboxes applications with Flatpak by default
# List installed Flatpak applications
flatpak list 2>/dev/null | head -10
# Show Flatpak permissions
flatpak info --show-permissions com.example.App 2>/dev/null || echo "指定应用未安装"
# Show Flatpak sandbox overrides
flatpak override --show 2>/dev/null | head -10
# Check whether the Wayland security context is in use (Fedora 39+)
echo $WAYLAND_DISPLAY
cat /proc/$(pgrep -n firefox)/environ 2>/dev/null | tr '\0' '\n' | grep -i wayland || echo "未使用Wayland"
```
One-click inspection script (Fedora Linux)
```bash
#!/bin/bash
# Fedora Linux Level 3 classified-protection one-click inspection script
# Applies to: Fedora 38 / 39 / 40 (Workstation/Server/Silverblue)
# Run as: root
echo "===== Fedora Linux 等保巡检报告 ====="
echo "巡检时间: $(date '+%Y-%m-%d %H:%M:%S')"
echo "服务器: $(hostname)"
echo "版本: $(grep PRETTY_NAME /etc/os-release | cut -d'"' -f2)"
variant=$(grep '^VARIANT=' /etc/os-release 2>/dev/null | cut -d'"' -f2)
echo "变体: ${variant:-Server/Workstation}"
echo ""
# Detect Silverblue
if command -v rpm-ostree >/dev/null 2>&1; then
  echo "系统类型: OSTree (Silverblue/Kinoite/IoT)"
  rpm-ostree status | head -5
else
  echo "系统类型: 传统RPM"
fi
echo ""
echo "===== 1 身份鉴别 ====="
echo "--- 空口令检查 ---"
awk -F: '$2==""{print "空口令用户: "$1}' /etc/shadow
echo "--- 密码锁定账户 ---"
awk -F: '$2~"^!"{print "锁定用户: "$1}' /etc/shadow | head -5
echo "--- 密码有效期 ---"
grep -E 'PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_WARN_AGE' /etc/login.defs 2>/dev/null | head -3
echo "--- 密码复杂度 ---"
cat /etc/security/pwquality.conf 2>/dev/null | grep -E 'minlen|minclass' | head -3
echo "--- 登录失败锁定 ---"
cat /etc/security/faillock.conf 2>/dev/null | grep -v '^#' | grep -v '^$' | head -5
echo "--- SSH配置 ---"
grep -E 'PermitRootLogin|Protocol|PasswordAuthentication|ClientAlive' /etc/ssh/sshd_config 2>/dev/null | head -5
echo "--- FIDO2/Passkey支持 ---"
authselect current 2>/dev/null | grep passkey && echo "FIDO2/Passkey: 已启用" || echo "FIDO2/Passkey: 未启用"
echo "--- 生物识别 ---"
systemctl is-active fprintd 2>/dev/null || echo "指纹服务未运行"
echo ""
echo "===== 2 访问控制 ====="
echo "--- 系统账户 ---"
awk -F: '$3<1000 && $1!="root"{print "系统账户: "$1}' /etc/passwd | head -10
echo "--- Fedora特有账户检查 ---"
grep -E '^fedora|^gnome-initial-setup' /etc/passwd && echo "⚠ 发现LiveCD/安装残留用户" || echo "✓ 无残留用户"
echo "--- sudo配置 ---"
grep '%wheel' /etc/sudoers 2>/dev/null | head -3
echo "--- 关键文件权限 ---"
stat -c '%a %n' /etc/passwd /etc/shadow /etc/group /etc/gshadow 2>/dev/null
echo "--- SELinux状态 ---"
getenforce 2>/dev/null || echo "SELinux未启用"
sestatus 2>/dev/null | head -3
echo "--- fapolicyd状态 ---"
systemctl is-active fapolicyd 2>/dev/null || echo "fapolicyd未运行"
echo ""
echo "===== 3 安全审计 ====="
echo "--- auditd状态 ---"
systemctl is-active auditd 2>/dev/null && systemctl is-enabled auditd 2>/dev/null
echo "--- 审计规则数量 ---"
auditctl -l 2>/dev/null | wc -l | xargs -I {} echo "审计规则数: {}"
echo "--- journald配置 ---"
cat /etc/systemd/journald.conf 2>/dev/null | grep -v '^#' | grep -v '^$' | head -5
echo "--- 日志持久化 ---"
systemd-analyze cat-config systemd/journald.conf 2>/dev/null | grep Storage || echo "使用默认配置"
echo ""
echo "===== 4 入侵防范 ====="
echo "--- 待更新包 ---"
dnf check-update 2>/dev/null | wc -l | xargs -I {} echo "可更新包数: {}"
echo "--- 安全更新 ---"
dnf updateinfo list security 2>/dev/null | wc -l | xargs -I {} echo "安全公告数: {}"
echo "--- 自动更新状态 ---"
systemctl is-active dnf-automatic.timer 2>/dev/null || echo "自动更新未启用"
echo "--- 高危端口 ---"
ss -tulnp 2>/dev/null | grep -E '0.0.0.0:23|0.0.0.0:111|0.0.0.0:513' || echo "无高危端口暴露"
echo "--- firewalld状态 ---"
systemctl is-active firewalld 2>/dev/null || echo "firewalld未运行"
echo "--- podman容器安全 ---"
# Test for the binary first: `|| echo` after `head` never fires, because head exits 0 even when podman is absent
if command -v podman >/dev/null 2>&1; then
  podman info 2>/dev/null | grep -E 'rootless|insecure' | head -3
else
  echo "podman未配置或传统系统"
fi
echo "--- Secure Boot ---"
mokutil --sb-state 2>/dev/null || echo "无法检测Secure Boot"
echo ""
echo "===== 5 恶意代码防范 ====="
echo "--- ClamAV安装 ---"
rpm -qa 2>/dev/null | grep clamav | head -3
echo "--- ClamAV服务 ---"
systemctl is-active clamd@scan 2>/dev/null || systemctl is-active clamd 2>/dev/null || echo "clamd未运行"
echo "--- 病毒库版本 ---"
freshclam --version 2>/dev/null || echo "未安装freshclam"
echo "--- fapolicyd应用白名单 ---"
if command -v fapolicyd-cli >/dev/null 2>&1; then
  fapolicyd-cli --list 2>/dev/null | wc -l | xargs -I {} echo "fapolicyd规则数: {}"
else
  echo "fapolicyd未运行"
fi
echo ""
echo "===== 6 可信验证 ====="
echo "--- TPM状态 ---"
dmesg 2>/dev/null | grep -i "tpm" | head -3
echo "--- Secure Boot ---"
if command -v bootctl >/dev/null 2>&1; then
  bootctl status 2>/dev/null | grep -E 'Secure Boot|Setup Mode' | head -3
else
  mokutil --sb-state 2>/dev/null
fi
echo "--- TPM2+LUKS磁盘加密 ---"
command -v systemd-cryptenroll >/dev/null 2>&1 && echo "TPM2加密工具可用" || echo "未安装systemd-cryptenroll"
echo "--- RPM验证 ---"
rpm -Va 2>/dev/null | grep -c 'S.5....T\|..5....T\|.......T' | xargs -I {} echo "修改过的文件数: {}"
echo "--- OSTree完整性(如适用)---"
if command -v rpm-ostree >/dev/null 2>&1; then
  rpm-ostree status | grep -E 'Commit|Version' | head -3
else
  echo "传统RPM系统"
fi
echo ""
echo "===== 7 数据备份 ====="
echo "--- 备份任务 ---"
crontab -l 2>/dev/null | grep -i backup || echo "未配置crontab备份"
systemctl list-timers 2>/dev/null | grep backup || echo "无备份定时器"
echo "--- 现代备份工具 ---"
rpm -qa 2>/dev/null | grep -E 'borgbackup|restic|timeshift' | head -5
echo "--- 备份目录 ---"
stat -c '%a %U:%G' /backup 2>/dev/null || echo "备份目录不存在"
echo ""
echo "===== 8 Fedora特有功能 ====="
echo "--- 系统类型 ---"
if command -v rpm-ostree >/dev/null 2>&1; then
  echo "OSTree系统 - 原子更新已启用"
  rpm-ostree status | grep -E 'State|Deployments' | head -3
else
  echo "传统RPM系统"
fi
echo "--- 容器安全 ---"
if command -v podman >/dev/null 2>&1; then
  podman info 2>/dev/null | grep -E 'rootless|graphRoot' | head -2
else
  echo "podman未配置"
fi
echo "--- Flatpak沙盒 ---"
flatpak --version 2>/dev/null || echo "Flatpak未安装"
echo "--- 自动更新 ---"
systemctl is-active dnf-automatic.timer 2>/dev/null && echo "DNF自动更新: 启用" || echo "DNF自动更新: 未启用"
echo "--- Cockpit Web管理 ---"
systemctl is-active cockpit.socket 2>/dev/null && echo "Cockpit: 启用" || echo "Cockpit: 未启用"
echo ""
echo "===== 巡检完成 ====="
```
Priority verification list for high-risk items
| Check | Verification command | Non-compliance finding | Remediation |
|---|---|---|---|
| Empty-password accounts | `awk -F: '$2==""{print $1}' /etc/shadow` | Any output | Set a strong password or lock the account immediately |
| Password complexity not enabled | `cat /etc/security/pwquality.conf` | No minlen setting | Configure pam_pwquality |
| No login-failure lockout | `cat /etc/security/faillock.conf` | No output or deny=0 | Configure pam_faillock |
| Remote root login | `grep ^PermitRootLogin /etc/ssh/sshd_config` | Value is yes | Change to no |
| SELinux not enabled | `getenforce` | Returns Permissive or Disabled | Set to Enforcing |
| Auditing not enabled | `systemctl is-active auditd` | Not active | Install and enable auditd |
| Automatic updates not enabled | `systemctl is-active dnf-automatic.timer` | Not running | Enable dnf-automatic |
| fapolicyd not enabled | `systemctl is-active fapolicyd` | Not running (recommended for critical services) | Install and configure fapolicyd |
| podman not rootless | `podman info \| grep rootless` | Returns false | Configure rootless containers |
| Silverblue without backup configured | `rpm-ostree status` | No automatic update/rollback policy | Configure rpm-ostree automatic updates |
| Backup not configured | `crontab -l \| grep backup` | No output | Configure a scheduled backup job |
Fedora Linux version differences
| Item | Fedora 38 | Fedora 39 | Fedora 40 |
|---|---|---|---|
| Kernel version | 6.2 | 6.5 | 6.8+ |
| Default init | systemd | systemd | systemd |
| Desktop environment | GNOME 44 | GNOME 45 | GNOME 46 |
| Default container engine | Podman 4.4 | Podman 4.7 | Podman 5.0 |
| OSTree variants | Silverblue/Kinoite/IoT | Same as above | Same as above + Onyx |
| UKI (experimental) | Limited support | Improved | Enabled by default (partially) |
| Classified-protection compliance | Baseline compliance | Baseline compliance | Enhanced compliance |
| Recommended for | Stable environments | New deployments | Cutting-edge technology preview |
Assessment execution notes
1. Privilege requirements
- All commands must be run as root; some must be run as a regular user (rootless podman checks)
- Parts of a Silverblue system are read-only and must be changed with rpm-ostree
2. On-site verification priorities
- System variant identification: confirm whether the system is Workstation, Server or Silverblue/Kinoite/IoT; the security policies differ significantly
- Automatic updates: Fedora enables dnf-automatic by default; check whether it is configured to apply security updates automatically
- Container security: Fedora enforces rootless podman; check that user namespaces are configured correctly
- Modern authentication: Fedora 38+ natively supports FIDO2/WebAuthn; check whether passkeys are enabled in place of traditional passwords
- Immutable systems: Silverblue/Kinoite use OSTree; check the atomic update and rollback policy
3. Version differences
- Fedora 38: stable release, suitable for production
- Fedora 39: recommended for new deployments; improved container and desktop security
- Fedora 40: cutting edge, experimental UKI (Unified Kernel Image) support, suitable for technology preview
4. Lifecycle
- Each Fedora release is supported for about 13 months; plan the upgrade cycle
- Silverblue/Kinoite support automatic updates and atomic rollback, suited to edge computing
Common command quick reference
```bash
# DNF package management (next-generation RPM front end)
dnf check-update            # check for updates
dnf upgrade                 # upgrade the system
dnf upgrade --security      # security updates only
dnf install package         # install a package
dnf remove package          # remove a package
dnf repoquery -l package    # list a package's files
dnf history                 # transaction history
dnf autoremove              # remove unneeded dependencies
# RPM-OSTree (Silverblue/Kinoite/IoT)
rpm-ostree status           # show status
rpm-ostree upgrade          # upgrade the system
rpm-ostree rollback         # roll back to the previous deployment
rpm-ostree rebase           # switch branch
ostree admin pin 0          # pin the current deployment
# systemd service management
systemctl status service
systemctl start service
systemctl enable service
systemctl --user status service   # user-level service
# Podman containers (rootless by default)
podman info                 # show information
podman run -it image        # run a container
podman ps                   # list containers
podman build -t tag .       # build an image
podman auto-update          # auto-update containers
# Flatpak applications
flatpak install flathub app
flatpak update
flatpak list
flatpak run app
# Toolbox/Distrobox development environments
toolbox create              # create a toolbox
toolbox enter               # enter the toolbox
distrobox create --image fedora:39
distrobox enter
# SELinux management
getenforce                  # show mode
setenforce 0|1              # set mode temporarily
sestatus                    # detailed status
sealert -a /var/log/audit/audit.log   # graphical analysis
# firewalld
firewall-cmd --state
firewall-cmd --list-all
firewall-cmd --add-service=http --permanent
firewall-cmd --reload
# Log viewing
journalctl -u service       # service logs
journalctl -f               # follow in real time
journalctl --since "1 hour ago"
journalctl --user -u service   # user-level service logs
# Kernel management
uname -r                    # kernel version
rpm -qa | grep kernel       # installed kernels
sudo dnf upgrade kernel     # upgrade the kernel (traditional)
rpm-ostree upgrade          # atomic upgrade (OSTree)
# Backup tools
borg create /backup::$(date +%F) ~    # Borg backup
restic backup -r /backup ~            # Restic backup
timeshift --create                    # Timeshift snapshot
```
Reference standards: GB/T 22239-2019, GB/T 28448-2019, CIS Fedora Benchmark, Fedora Security Guide, Fedora Silverblue Documentation
Applicable versions: Fedora Linux 38 / 39 / 40 (Workstation/Server/Silverblue/Kinoite/IoT/Onyx)
Verification environments: traditional RPM / OSTree (Silverblue/Kinoite) / container cloud / edge computing
Disclaimer: from 汪汪虚拟空间; represents the author's views only. Link: http://eyangzhen.com/6778.html