Everyone: if you want this kind of assessment command checklist for other network devices / operating systems / databases / middleware, leave a request in the comments and I will write it up and publish it as quickly as I can.
Based on the Level 3 "Secure Computing Environment" clauses of GB/T 22239-2019 Information security technology - Baseline for classified protection of cybersecurity, combined with the Gentoo Linux security guide, the CIS Gentoo Benchmark and the field practice of several assessment organisations, this is an assessment command checklist that can be used directly on site.
Verified on Gentoo Linux (amd64/x86_64, OpenRC/systemd), covering Stage3 / systemd / musl / SELinux configuration combinations.
1. Identity Authentication (8.1.4.1)
1.1 Account uniqueness and password policy
| Control | Assessment command | Pass criterion |
|---|---|---|
| Empty passwords | awk -F: '$2==""{print $1}' /etc/shadow | No output |
| Locked accounts | awk -F: '$2~"^!"{print $1}' /etc/shadow | Confirm why each account is locked (a leading * means no password was ever set) |
| Password ageing | grep -E '^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE' /etc/login.defs | ≤90 days, ≥1 day, ≥7 days warning (login.defs only applies to accounts created afterwards; existing accounts are checked with chage -l) |
| Password complexity | grep -E 'minlen\|minclass\|dcredit\|ucredit\|ocredit\|lcredit' /etc/security/pwquality.conf /etc/pam.d/system-auth | pam_pwquality (or pam_passwdqc) enabled, minlen≥8, minclass≥3 |
| Password history | grep remember /etc/pam.d/system-auth /etc/pam.d/passwd | remember≥12 (pam_pwhistory or pam_unix) |
Gentoo-specific configuration:
# Gentoo uses OpenRC or systemd; the PAM stack comes from sys-auth/pambase and is
# generated from USE flags, so it differs slightly from other distributions.
# Which password-quality module is active depends on pambase's USE flags (passwdqc or pwquality)
grep -E 'pam_pwquality|pam_passwdqc' /etc/pam.d/system-auth
cat /etc/security/pwquality.conf
# Password status of one user
chage -l username
# Password expiry information for all regular users (65534 is nobody)
for user in $(awk -F: '$3>=1000 && $3<65534{print $1}' /etc/passwd); do
ech<br>o "=== $user ==="
chage -l "$user" 2>/dev/null | head -5
done
# Gentoo-specific: security-related USE flags in make.conf / package.use
grep -E 'USE.*-pam|USE.*passwdqc|USE.*pwquality|USE.*cracklib' /etc/portage/make.conf /etc/portage/package.use/* 2>/dev/null
# Is passwdqc used instead of pwquality?
grep pam_passwdqc /etc/pam.d/system-auth
cat /etc/security/passwdqc.conf 2>/dev/null
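As an added example that is not part of the original checklist: the shadow-file checks above each inspect a fixed field of /etc/shadow, and on site it is easier to apply all of them in one pass than to run one awk per criterion. The function below evaluates shadow-format records against the thresholds in the table (90 / 1 / 7 days), treats locked accounts as informational, and additionally flags MD5-based ($1$) hashes. The shadow records are constructed sample data and the thresholds are assumptions taken from the table, not values quoted from the standard.

```bash
#!/bin/bash
# Added example: one-pass evaluation of /etc/shadow records against the
# section 1.1 criteria. Field layout (colon-separated):
#   1 name, 2 hash, 3 last change, 4 min days, 5 max days, 6 warn days,
#   7 inactive, 8 expire, 9 reserved
# Thresholds are assumptions taken from the table above.
MAX_DAYS_LIMIT=90
MIN_DAYS_LIMIT=1
WARN_DAYS_LIMIT=7

# audit_shadow: reads shadow-format lines on stdin, prints "<user>:<finding>".
# LOCKED is informational (system accounts are locked on purpose); every
# other finding is a failure against the table.
audit_shadow() {
    awk -F: -v maxd="$MAX_DAYS_LIMIT" -v mind="$MIN_DAYS_LIMIT" -v warnd="$WARN_DAYS_LIMIT" '
        NF < 8                         { next }                             # malformed line
        $2 == ""                       { print $1 ":EMPTY_PASSWORD"; next } # no password at all
        $2 ~ /^[!*]/                   { print $1 ":LOCKED"; next }         # passwd -l, or never set
        $2 ~ /^\$1\$/                  { print $1 ":MD5_HASH" }             # weak hash algorithm
        $5 == "" || $5 + 0 > maxd + 0  { print $1 ":MAX_DAYS_TOO_LONG" }
        $4 == "" || $4 + 0 < mind + 0  { print $1 ":MIN_DAYS_TOO_SHORT" }
        $6 == "" || $6 + 0 < warnd + 0 { print $1 ":WARN_DAYS_TOO_SHORT" }
    '
}

# Constructed sample (not from a real host); the hashes are placeholders.
SAMPLE_SHADOW='root:$6$salt$hash:19700:1:90:7:::
alice:$6$salt$hash:19700:0:99999:7:::
bob::19700:0:99999:7:::
carol:$1$salt$hash:19700:1:60:7:::
sshd:!:19700::::::
portage:*:19700:0:99999:7:::'

# shadow_failures: number of non-informational findings in the sample.
shadow_failures() {
    printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow | awk -F: '$2 != "LOCKED" { n++ } END { print n + 0 }'
}

# On a live host (as root): audit_shadow < /etc/shadow
printf '%s\n' "$SAMPLE_SHADOW" | audit_shadow
```

In the sample, alice fails on both ageing fields, bob has no password, carol has a compliant ageing policy but an MD5 hash, and the two locked entries are only reported. Run it against the real file as root; the output is one line per finding, so it can be pasted straight into the evidence record.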
1.2 Login failure handling and session timeout
| Control | Assessment command | Pass criterion |
|---|---|---|
| Login failure lockout | grep pam_faillock /etc/pam.d/system-auth /etc/pam.d/login | deny=5, unlock_time=300 |
| Failure records | faillock --user username | Review the user's failure records |
| Shell session timeout | echo $TMOUT; cat /etc/profile.d/tmout.sh | TMOUT=600 (seconds), exported and readonly |
| SSH idle timeout | grep -E 'ClientAliveInterval\|ClientAliveCountMax' /etc/ssh/sshd_config | Disconnect within 300 s (Interval×CountMax ≤300; CountMax 0 disables disconnection) |
Gentoo-specific configuration:
# Gentoo uses pam_faillock (pam_tally2 was removed from Linux-PAM 1.5)
grep faillock /etc/pam.d/system-auth
grep faillock /etc/pam.d/login
cat /etc/security/faillock.conf 2>/dev/null
# Failure records for one user (--reset clears them: a remediation step, not a check)
faillock --user root
faillock --user username --reset
# Global shell timeout (Gentoo convention: a file under /etc/profile.d)
cat /etc/profile.d/tmout.sh 2>/dev/null || grep TMOUT /etc/profile /etc/bash/bashrc
# OpenRC service start/stop timeouts in /etc/rc.conf are unrelated to user
# session timeouts and do not satisfy this control
grep 'rc_timeout' /etc/rc.conf 2>/dev/null
# SSH security settings. grep also shows the commented-out defaults that ship
# with OpenSSH, so confirm the effective values with sshd -T
grep -E 'PermitRootLogin|PasswordAuthentication|PubkeyAuthentication|ClientAlive' /etc/ssh/sshd_config
# fail2ban installed and running?
rc-service fail2ban status 2>/dev/null || systemctl status fail2ban 2>/dev/null
grep -E 'bantime|maxretry|backend' /etc/fail2ban/jail.local 2>/dev/null
1.3 Remote management security
# SSH service status (OpenRC or systemd)
rc-service sshd status 2>/dev/null || systemctl status sshd 2>/dev/null || /etc/init.d/sshd status 2>/dev/null
# SSH security settings (Protocol is obsolete: OpenSSH 7.0+ only speaks protocol 2)
grep -E 'PermitRootLogin|Protocol|PasswordAuthentication|PubkeyAuthentication|AllowUsers|AllowGroups' /etc/ssh/sshd_config
# SSH listening addresses
ss -tlnp | grep ':22 '
# Telnet must not be installed (Gentoo packages are e.g. net-misc/telnet-bsd, net-misc/netkit-telnetd)
qlist -I | grep -i telnet
# Dropbear or other SSH servers
qlist -I dropbear 2>/dev/null
# Allowed SSH users/groups
grep -E 'AllowUsers|AllowGroups|DenyUsers|DenyGroups' /etc/ssh/sshd_config
# Gentoo-specific: SSH/TLS-related USE flags in package.use
grep -r 'ssh\|openssl' /etc/portage/package.use/ 2>/dev/null | head -5
High-risk items: Telnet enabled, root allowed to log in remotely, or SSH users not restricted are directly judged non-compliant with Level 3. "SSH protocol 1" appears in older checklists, but current OpenSSH cannot enable it, so a missing Protocol line is not a finding.
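Added example, not part of the original checklist: a checker for the sshd_config criteria in 1.2 and 1.3. Plain grep on the file also matches the commented-out defaults that OpenSSH ships ("#PermitRootLogin prohibit-password"), so the function below skips comments, uses the first active occurrence of each directive (as sshd does) and applies the OpenSSH default when a directive is absent. The defaults assumed are PermitRootLogin prohibit-password, ClientAliveInterval 0 and ClientAliveCountMax 3; both sample configurations are constructed. On a live host `sshd -T` prints the effective values and is the better input.

```bash
#!/bin/bash
# Added example: evaluate an sshd_config text against the section 1.2/1.3
# criteria, applying OpenSSH 7.0+ defaults for absent directives. Checks stop
# at the first Match block, whose values are conditional and not global.

# effective_value KEYWORD DEFAULT: reads a config on stdin and prints the
# first active value of KEYWORD (sshd uses the first occurrence), or DEFAULT.
effective_value() {
    awk -v key="$1" -v def="$2" '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }   # comments and blank lines
        tolower($1) == "match"               { exit }   # conditional section
        tolower($1) == tolower(key)          { print $2; found = 1; exit }
        END { if (!found) print def }
    '
}

# check_sshd_config CONFIG_TEXT: prints one FAIL line per violated criterion,
# then "TOTAL:<n>".
check_sshd_config() {
    local cfg="$1" fails=0 v interval count users groups
    v=$(printf '%s\n' "$cfg" | effective_value PermitRootLogin prohibit-password)
    if [ "$v" != "no" ]; then
        echo "FAIL:PermitRootLogin=$v (must be no; the default only blocks root's password login)"
        fails=$((fails + 1))
    fi
    interval=$(printf '%s\n' "$cfg" | effective_value ClientAliveInterval 0)
    count=$(printf '%s\n' "$cfg" | effective_value ClientAliveCountMax 3)
    # Disconnect after interval*count seconds; interval 0 or count 0 disables it.
    if [ "$interval" -eq 0 ] || [ "$count" -eq 0 ] || [ $((interval * count)) -gt 300 ]; then
        echo "FAIL:ClientAliveInterval=$interval ClientAliveCountMax=$count (must disconnect within 300 s)"
        fails=$((fails + 1))
    fi
    users=$(printf '%s\n' "$cfg" | effective_value AllowUsers "")
    groups=$(printf '%s\n' "$cfg" | effective_value AllowGroups "")
    if [ -z "$users$groups" ]; then
        echo "FAIL:no AllowUsers/AllowGroups restriction"
        fails=$((fails + 1))
    fi
    v=$(printf '%s\n' "$cfg" | effective_value Protocol 2)
    case "$v" in
        *1*) echo "FAIL:Protocol=$v (protocol 1 is insecure and unsupported)"; fails=$((fails + 1)) ;;
    esac
    echo "TOTAL:$fails"
}

# Constructed samples: a weak file that still carries the shipped comments,
# and a hardened one with a Match block that must not affect the global result.
WEAK_SSHD='# as shipped: defaults are shown commented out
#PermitRootLogin prohibit-password
PermitRootLogin yes
#ClientAliveInterval 0
#ClientAliveCountMax 3
Protocol 2,1
PasswordAuthentication yes'

HARDENED_SSHD='PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
ClientAliveInterval 150
ClientAliveCountMax 2
AllowGroups sshusers wheel
Match User deploy
    PasswordAuthentication yes'

# Live host: check_sshd_config "$(sshd -T)"   (run as root)
check_sshd_config "$WEAK_SSHD"
check_sshd_config "$HARDENED_SSHD"
```

One caveat worth recording in the assessment: ClientAlive* only disconnects clients that stop answering keepalives. A responsive but idle client stays connected, so the real idle-session control is the shell TMOUT from 1.2 (or, on OpenSSH 9.2+, the ChannelTimeout / UnusedConnectionTimeout directives), and the ClientAlive check above only covers the dead-connection case the checklist asks for.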
1.4 Two-factor authentication (high-risk item)
Assessment method:
- Interview: is a "password + Google Authenticator / hardware token / YubiKey" combination used?
- Technical verification:
# Google Authenticator PAM module
grep google-authenticator /etc/pam.d/sshd
grep google-authenticator /etc/pam.d/login
# YubiKey / U2F
grep -E 'yubi|pam_u2f' /etc/pam.d/sshd
qlist -I | grep -iE 'yubikey|pam_u2f|libu2f'
# Smart card / CCID (PKCS#11)
grep pam_pkcs11 /etc/pam.d/sshd
qlist -I opensc 2>/dev/null
# Installed 2FA packages
qlist -I | grep -E 'google-authenticator|yubikey|libu2f-host|pam_u2f'
# SSH key authentication. A key alone is one factor; for SSH the second factor
# must be enforced via PAM and AuthenticationMethods (e.g. "publickey,keyboard-interactive")
grep -E 'AuthenticationMethods|KbdInteractiveAuthentication|ChallengeResponseAuthentication|UsePAM' /etc/ssh/sshd_config
ls -la /home/*/.ssh/authorized_keys 2>/dev/null | head -5
find /home -name "authorized_keys" -exec ls -la {} \; 2>/dev/null | head -5
# LibreSSL was removed from the main Gentoo tree in 2021; finding it (via an overlay)
# is not a hardening indicator. Record which TLS library is installed instead.
qlist -I | grep -E '^dev-libs/(openssl|libressl)'
2. Access Control (8.1.4.2)
2.1 Accounts and privilege management
| Control | Assessment command | Pass criterion |
|---|---|---|
| System accounts | awk -F: '$3<1000 && $1!="root"{print $1}' /etc/passwd | Only required system accounts remain |
| sudo authorisation | cat /etc/sudoers; ls -la /etc/sudoers.d/ | Least privilege via the wheel group; no blanket NOPASSWD ALL |
| Key file permissions | stat -c '%a %U:%G %n' /etc/passwd /etc/shadow /etc/group /etc/gshadow | 644 / 640 (or 600) / 644 / 640 (or 600), all owned by root:root |
| umask | grep -r 'umask' /etc/profile.d/ /etc/profile /etc/bash/bashrc 2>/dev/null | 022 or 027 |
Gentoo-specific configuration:
# Gentoo's default sudo policy grants the wheel group
grep '%wheel' /etc/sudoers
grep '%sudo' /etc/sudoers 2>/dev/null || echo "no sudo group; the wheel group is used"
ls -la /etc/sudoers.d/
# Effective sudo rights of one user
sudo -l -U username
# doas (lightweight sudo alternative available on Gentoo)
cat /etc/doas.conf 2>/dev/null
qlist -I doas 2>/dev/null && echo "doas installed"
# Key file permissions
stat -c '%a %U:%G %n' /etc/passwd /etc/shadow /etc/group /etc/gshadow
# Gentoo-specific: OpenRC init script permissions (root-owned, not group/world-writable)
ls -la /etc/init.d/ | head -10
stat -c '%a %U:%G %n' /etc/init.d/sshd /etc/init.d/cronie 2>/dev/null
# Portage configuration permissions (a writable make.conf lets an attacker inject
# CFLAGS or FEATURES into every future build)
stat -c '%a %U:%G %n' /etc/portage/make.conf
stat -c '%a %U:%G %n' /etc/portage/package.use/
2.2 Default account cleanup
# Confirm default accounts are disabled or removed (the names below are the usual
# suspects; compare against /etc/passwd for the accounts that actually exist)
grep -E '^(games|news|uucp|proxy|www-data|backup|list|irc|gnats|halt|shutdown|operator):' /etc/shadow
# Gentoo-specific: the portage user (build-only account)
grep 'portage' /etc/passwd
id portage
# Accounts without a login shell
awk -F: '$7=="/sbin/nologin" || $7=="/bin/false" || $7=="/usr/sbin/nologin"{print $1}' /etc/passwd | head -10
# Lock unnecessary accounts (remediation, not a check)
sudo passwd -l games 2>/dev/null
sudo passwd -l news 2>/dev/null
# Gentoo-specific: unnecessary components in the world set
grep -E 'games|emulation|x11-drivers' /var/lib/portage/world | head -5
# multilib (32-bit compatibility) enabled? Disable it if not needed (no-multilib profile)
grep 'ABI_X86' /etc/portage/make.conf 2>/dev/null
2.3 SELinux / hardened mandatory access control (Gentoo-specific)
# SELinux status (supported via the hardened/selinux profile, not enabled by default)
sestatus 2>/dev/null || echo "SELinux not enabled"
getenforce 2>/dev/null
# Hardened profile in use?
eselect profile list | grep hardened
eselect profile show | grep hardened
# PaX/grsecurity: Gentoo dropped hardened-sources in 2017 after grsecurity went
# private, so these checks only apply to legacy kernels still carrying those patches.
# Self-built kernels often have no /boot/config-*; use /proc/config.gz or /usr/src/linux/.config
grep -i 'pax\|grsec' /boot/config-$(uname -r) 2>/dev/null | head -10
sysctl -a 2>/dev/null | grep pax
# grsecurity RBAC policy (legacy)
cat /etc/grsec/rbac.policy 2>/dev/null || echo "no grsecurity RBAC configured"
# PIE/SSP/Fortify (compile-time hardening). On 17.0 and newer profiles the toolchain
# enables PIE and SSP by default, so an empty make.conf grep is NOT a finding;
# check the compiler defaults as well
grep -E 'CFLAGS|CXXFLAGS' /etc/portage/make.conf | grep -E 'fPIE|fstack-protector|D_FORTIFY'
gcc -v 2>&1 | grep -io 'enable-default-pie\|enable-default-ssp'
# hardened toolchain / SELinux packages
qlist -I | grep -E 'hardened|selinux|pax|grsec'
3. Security Audit (8.1.4.3)
3.1 Audit service enabled
| Control | Assessment command | Pass criterion |
|---|---|---|
| auditd service | rc-service auditd status 2>/dev/null \|\| systemctl is-active auditd | active, and enabled at boot |
| Audit rules | auditctl -l \| wc -l | ≥30 rules, covering identity files, sudoers and privileged execution |
| Log retention | grep -E '^max_log_file\|^num_logs\|^max_log_file_action' /etc/audit/auditd.conf | Single file ≥50 MB; num_logs × max_log_file (or forwarding/archiving) must cover ≥6 months |
| Log permissions | stat -c '%a %U:%G' /var/log/audit/audit.log | 640 root:root (or 600) |
Gentoo-specific configuration:
# Is auditd installed (sys-process/audit)?
qlist -I sys-process/audit 2>/dev/null || echo "sys-process/audit not installed"
# Audit service status (OpenRC)
rc-service auditd status
rc-update show | grep auditd
# or systemd
systemctl is-active auditd && systemctl is-enabled auditd
# Loaded audit rules
auditctl -l 2>/dev/null | wc -l
auditctl -l 2>/dev/null | head -20
# Rule files (rules.d is compiled into audit.rules by augenrules)
ls -la /etc/audit/rules.d/
cat /etc/audit/rules.d/*.rules 2>/dev/null || cat /etc/audit/audit.rules
# Gentoo-specific: audit USE flag enabled globally or per package?
grep 'audit' /etc/portage/package.use/* /etc/portage/make.conf 2>/dev/null
# Audit reports (ausearch has no --summary option; summaries come from aureport)
aureport --summary 2>/dev/null | head -20
aureport --login --summary -i 2>/dev/null
aureport --user -i --summary 2>/dev/null
# SELinux denials (if enabled)
ausearch -m avc,user_avc,selinux_err -ts today 2>/dev/null | head -10
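Added example, not part of the original checklist: counting rules with `auditctl -l | wc -l` says nothing about what they cover, and assessors usually want to see specific watches on the identity files, sudoers, PAM and sshd configuration, an execve rule for privileged commands, and the immutable flag. The function below reads audit.rules syntax (which is also what `auditctl -l` prints) and reports each gap. REQUIRED_WATCHES is an assumed list of paths commonly requested on site, not text from GB/T 22239 or CIS, and the rule set is constructed.

```bash
#!/bin/bash
# Added example: coverage check of an auditd rule set. REQUIRED_WATCHES is an
# assumption (paths assessors commonly ask for), not a list from the standard.
REQUIRED_WATCHES="/etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/sudoers /etc/sudoers.d /etc/pam.d /etc/ssh/sshd_config /etc/audit"

# audit_rules_report: reads rules on stdin, prints one line per gap, then TOTAL:<n>.
# A watch only counts when it tracks writes and attribute changes (-p wa);
# a read-only watch (-p r) logs access but not modification.
audit_rules_report() {
    awk -v req="$REQUIRED_WATCHES" '
        BEGIN { n = split(req, want, " ") }
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }
        $1 == "-w" {
            perms = ""
            for (i = 3; i <= NF; i++) if ($i == "-p") perms = $(i + 1)
            if (perms ~ /w/ && perms ~ /a/) covered[$2] = 1
            next
        }
        $1 == "-a" {
            for (i = 1; i < NF; i++) if ($i == "-S" && $(i + 1) ~ /execve/) execve = 1
            next
        }
        $1 == "-e" && $2 == "2" { immutable = 1 }
        END {
            fails = 0
            for (i = 1; i <= n; i++)
                if (!(want[i] in covered)) { print "MISSING_WATCH:" want[i]; fails++ }
            if (!execve)    { print "NO_EXECVE_RULE (privileged command execution not logged)"; fails++ }
            if (!immutable) { print "NOT_IMMUTABLE (-e 2 absent: rules can be changed at runtime)"; fails++ }
            print "TOTAL:" fails
        }
    '
}

# Constructed sample with three gaps: pam.d is watched read-only, and
# sshd_config and /etc/audit are not watched at all.
SAMPLE_RULES='-D
-b 8192
-f 1
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/group -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/sudoers -p wa -k sudo
-w /etc/sudoers.d -p wa -k sudo
-w /etc/pam.d -p r -k pam
-a always,exit -F arch=b64 -S execve -F euid=0 -k rootcmd
-e 2'

sample_report() { printf '%s\n' "$SAMPLE_RULES" | audit_rules_report; }
sample_report
# Live host, from the rule file:  audit_rules_report < /etc/audit/audit.rules
# Live host, from the kernel:     { auditctl -l; auditctl -s | grep -q '^enabled 2' && echo '-e 2'; } | audit_rules_report
```

The second live-host form matters because `auditctl -l` does not print the `-e` flag; the immutable state is only visible as `enabled 2` in `auditctl -s`, so it has to be re-injected before the check.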
3.2 Log management and protection
# A Gentoo stage3 ships no system logger; the Handbook offers sysklogd, syslog-ng
# and metalog (rsyslog is packaged as well)
qlist -I | grep -E 'metalog|syslog-ng|rsyslog|sysklogd'
# metalog configuration
head -30 /etc/metalog/metalog.conf 2>/dev/null
# syslog-ng configuration
grep -vE '^#|^$' /etc/syslog-ng/syslog-ng.conf 2>/dev/null | head -20
# Remote log forwarding (audit records must be protected and backed up; forwarding is
# the usual way). syslog-ng uses network()/syslog()/udp()/tcp() destinations and rsyslog
# uses @host; metalog has no network forwarding at all, so a metalog-only host needs another path
grep -E 'network\(|syslog\(|udp\(|tcp\(' /etc/syslog-ng/syslog-ng.conf 2>/dev/null
grep '@' /etc/rsyslog.conf /etc/rsyslog.d/*.conf 2>/dev/null
# journald configuration (systemd profile)
grep -vE '^#|^$' /etc/systemd/journald.conf 2>/dev/null
# Log persistence
grep Storage /etc/systemd/journald.conf 2>/dev/null   # should be persistent (or /var/log/journal must exist)
# Log disk usage
journalctl --disk-usage 2>/dev/null || echo "journalctl not available"
# Log permissions
ls -la /var/log/ | head -15
# Gentoo-specific: logrotate installed and configured?
qlist -I logrotate 2>/dev/null
head -10 /etc/logrotate.conf 2>/dev/null
ls /etc/logrotate.d/ 2>/dev/null | head -10
4. Intrusion Prevention (8.1.4.4)
4.1 Minimal installation and vulnerability remediation
| Control | Assessment command | Pass criterion |
|---|---|---|
| Pending updates | emerge -puDN @world 2>/dev/null \| grep -c '^\[ebuild' | Security updates applied promptly |
| GLSA check | glsa-check -t affected 2>/dev/null \| grep -cE '^[0-9]{6}-[0-9]{2}' | 0 GLSAs affecting the host (the output has no word "Vulnerable"; count the listed IDs) |
| Service minimisation | rc-status --all 2>/dev/null \| grep -c started | Only services the business needs |
| Listening ports | ss -tulnp \| grep LISTEN | No high-risk ports (111, 23, 513, etc.) |
Gentoo-specific configuration:
# Pending updates (Portage)
emerge -puDN @world 2>/dev/null | head -20
# GLSA (Gentoo Linux Security Advisories); glsa-check comes from app-portage/gentoolkit
glsa-check -l affected 2>/dev/null | head -20
glsa-check -t all 2>/dev/null | head -10     # test which GLSAs affect this host
glsa-check -f all 2>/dev/null | head -10     # applies fixes by emerging packages: remediation, do not run during the assessment
# Number of installed packages
qlist -I 2>/dev/null | wc -l
# world file (explicitly requested packages)
wc -l < /var/lib/portage/world
cat /var/lib/portage/world
# Unnecessary services (OpenRC)
rc-status --all 2>/dev/null | grep started
rc-update show -v 2>/dev/null | grep default
# or systemd
systemctl list-unit-files --state=enabled 2>/dev/null | grep -vE 'ssh|audit|syslog|cron|systemd' | head -20
# High-risk ports
ss -tulnp | grep LISTEN | grep -E ':(23|111|513|514|2049) '
# Gentoo-specific: USE flag minimisation
grep 'USE' /etc/portage/make.conf | head -5
# Packages pulled in only as dependencies = installed set minus world set (both sorted)
comm -13 <(sort /var/lib/portage/world) <(qlist -I 2>/dev/null | sort) | head -20
4.2 Firewall and network protection
# Gentoo firewall options: iptables / nftables / firewalld / ufw
# iptables (legacy). Gentoo's OpenRC script saves rules to /var/lib/iptables/rules-save
# (see /etc/conf.d/iptables); /etc/iptables/rules.v4 is the Debian path
iptables -L -n -v | head -20
cat /var/lib/iptables/rules-save 2>/dev/null
# nftables (recommended). OpenRC saves to /var/lib/nftables/rules-save; /etc/nftables.conf if used
nft list ruleset 2>/dev/null | head -30
cat /var/lib/nftables/rules-save /etc/nftables.conf 2>/dev/null
# firewalld
firewall-cmd --state 2>/dev/null
firewall-cmd --list-all 2>/dev/null
# ufw
ufw status verbose 2>/dev/null
# Gentoo-specific: firewall backend selected through USE flags?
grep -r 'iptables\|nftables\|firewalld' /etc/portage/package.use/ /etc/portage/make.conf 2>/dev/null | head -5
# TCP wrappers (legacy; only effective for daemons linked against libwrap, and
# OpenSSH dropped that support in 6.7)
cat /etc/hosts.allow
cat /etc/hosts.deny
# fail2ban (intrusion prevention)
rc-service fail2ban status 2>/dev/null || systemctl status fail2ban 2>/dev/null
fail2ban-client status 2>/dev/null
fail2ban-client status sshd 2>/dev/null
# Network kernel parameters (Gentoo lets you tune these deeply; /etc/sysctl.d is read too)
sysctl -a 2>/dev/null | grep -E 'icmp_echo_ignore_all|rp_filter|syncookies' | head -10
grep -vh '^#' /etc/sysctl.conf /etc/sysctl.d/*.conf 2>/dev/null | head -10
4.3 Compile-time hardening (core Gentoo feature)
# Toolchain defaults (Gentoo's GCC enables PIE and SSP by default on 17.0+ profiles)
gcc -v 2>&1 | grep -io 'enable-default-pie\|enable-default-ssp\|hardened'
# PIE (position-independent executables): ELF type DYN instead of EXEC
grep 'fPIE\|pie' /etc/portage/make.conf 2>/dev/null
readelf -h /bin/ls 2>/dev/null | grep 'Type:'   # should be DYN (shown as "Position-Independent Executable file" or "Shared object file" depending on binutils version)
# SSP (stack protector): the binary references __stack_chk_fail
grep 'fstack-protector' /etc/portage/make.conf 2>/dev/null
readelf --dyn-syms /bin/ls 2>/dev/null | grep '__stack_chk_fail'
# Fortify Source: *_chk variants of libc functions (e.g. __memcpy_chk)
grep 'D_FORTIFY_SOURCE' /etc/portage/make.conf 2>/dev/null
readelf --dyn-syms /bin/ls 2>/dev/null | grep -E '__[a-z0-9_]+_chk(@|$)'
# RELRO and BIND_NOW (full RELRO needs both a GNU_RELRO segment and BIND_NOW)
readelf -d /bin/ls 2>/dev/null | grep -E 'BIND_NOW|FLAGS_1'
readelf -l /bin/ls 2>/dev/null | grep -E 'GNU_RELRO'
# CFI (control-flow integrity, Clang-specific)
grep 'fsanitize=cfi' /etc/portage/make.conf 2>/dev/null
# Effective flags of the current profile (make.conf alone misses profile and toolchain defaults)
eselect profile show
portageq envvar CFLAGS CXXFLAGS LDFLAGS 2>/dev/null | grep -E 'fstack|fPIE|D_FORTIFY|Wl,-z,relro|Wl,-z,now'
# Memory allocators: Scudo is a hardened allocator; jemalloc is a performance
# allocator and is not a security control
qlist -I scudo 2>/dev/null
qlist -I jemalloc 2>/dev/null
5. Malicious Code Protection (8.1.4.5)
| Control | Assessment command | Pass criterion |
|---|---|---|
| ClamAV installed | qlist -I clamav 2>/dev/null | Installed |
| ClamAV daemon | rc-service clamd status 2>/dev/null \|\| systemctl is-active clamd | active |
| Signature updates | freshclam -V 2>/dev/null | Signature database (version and date are in the output) updated within 24 h |
| On-access scanning | grep -E '^OnAccess' /etc/clamav/clamd.conf; pgrep clamonacc | Enabled where real-time scanning is required ("clamav-daemon" is the Debian service name; Gentoo's is clamd) |
Gentoo-specific configuration:
# ClamAV installed (app-antivirus/clamav)?
qlist -I clamav 2>/dev/null || echo "clamav not installed"
# ClamAV services (OpenRC). Gentoo's clamd init script can also start freshclam;
# see START_CLAMD / START_FRESHCLAM in /etc/conf.d/clamd
rc-service clamd status 2>/dev/null
grep -E '^START_' /etc/conf.d/clamd 2>/dev/null
# or systemd
systemctl is-active clamd 2>/dev/null
systemctl is-active freshclam 2>/dev/null
# Update signatures manually (remediation)
sudo freshclam
# Signature database version and date
freshclam -V 2>/dev/null
# Scheduled scans
cat /etc/cron.d/clamav 2>/dev/null
crontab -l 2>/dev/null | grep clam
# Rootkit Hunter
qlist -I rkhunter 2>/dev/null || echo "rkhunter not installed"
sudo rkhunter --check --sk 2>/dev/null | tail -20
# chkrootkit
qlist -I chkrootkit 2>/dev/null
# File integrity: Gentoo's native mechanism is qcheck against the Portage CONTENTS
# database (see section 6); mtree is a BSD tool, not a Gentoo-native check
qcheck 2>/dev/null | tail -5
# AIDE (Advanced Intrusion Detection Environment)
qlist -I aide 2>/dev/null
head -20 /etc/aide/aide.conf 2>/dev/null
6. Trusted Verification (8.1.4.6)
| Control | Assessment command | Pass criterion |
|---|---|---|
| TPM | dmesg \| grep -i tpm; ls /dev/tpm* | TPM 2.0 present and driver loaded |
| Secure Boot | mokutil --sb-state 2>/dev/null | SecureBoot enabled (and the firmware not in Setup Mode) |
| Kernel module signing | cat /sys/module/module/parameters/sig_enforce | Y (CONFIG_MODULE_SIG_FORCE); modules_disabled only blocks module loading entirely and is a different control |
| File integrity | qcheck 2>/dev/null \| tail -20 | No key files modified |
Gentoo-specific configuration:
# TPM
dmesg | grep -i "tpm\|trusted platform"
ls /dev/tpm* 2>/dev/null
# Secure Boot
mokutil --sb-state 2>/dev/null || echo "mokutil not installed (or no EFI)"
# Without mokutil, read the EFI variable directly: the byte after the 4-byte
# attribute header is 1 when Secure Boot is enabled (/proc/sys/kernel/secure_boot does not exist on Linux)
od -An -t u1 -j 4 -N 1 /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c 2>/dev/null
cat /sys/kernel/security/lockdown 2>/dev/null
# Kernel module signature enforcement
cat /sys/module/module/parameters/sig_enforce 2>/dev/null
modinfo $(lsmod | awk 'NR==2{print $1}') 2>/dev/null | grep sig
# Gentoo-specific: verify package integrity with qcheck (Portage CONTENTS checksums)
qcheck vim 2>/dev/null | head -10      # one package
qcheck 2>/dev/null | head -20          # all packages
# Which package owns a file
qfile /bin/ls 2>/dev/null
# Kernel security options (self-built kernels: /proc/config.gz or /usr/src/linux/.config)
grep -E 'CONFIG_SECURITY|CONFIG_INTEGRITY|CONFIG_IMA|CONFIG_EVM|CONFIG_MODULE_SIG' /boot/config-$(uname -r) 2>/dev/null | head -20
zcat /proc/config.gz 2>/dev/null | grep -E 'CONFIG_MODULE_SIG|CONFIG_IMA' | head -10
# IMA/EVM (integrity measurement architecture)
head -5 /sys/kernel/security/ima/ascii_runtime_measurements 2>/dev/null
# Lynis security scan
qlist -I lynis 2>/dev/null || echo "lynis not installed"
sudo lynis audit system --quick 2>/dev/null | grep -E 'Warning|Suggestion' | head -20
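Added example, not part of the original checklist: decoding the UEFI SecureBoot and SetupMode variables by hand, for hosts where mokutil is not installed. An efivarfs file consists of 4 bytes of little-endian attributes followed by the variable data, and SecureBoot and SetupMode each carry a single byte. The practitioner's caveat is that SecureBoot=1 alone is not enough: if SetupMode=1 the firmware accepts new keys from anyone, so only SecureBoot=1 together with SetupMode=0 counts as enforcing. The variable paths are the real efivarfs names; the sample files written by make_sample_efivar are constructed.

```bash
#!/bin/bash
# Added example: decode the UEFI SecureBoot / SetupMode variables the way
# mokutil does. Real efivarfs paths; sample files below are constructed.
EFIVARS=/sys/firmware/efi/efivars
SB_VAR="$EFIVARS/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c"
SETUP_VAR="$EFIVARS/SetupMode-8be4df61-93ca-11d2-aa0d-00e098032b8c"

# efivar_byte FILE: prints the first data byte (after the 4-byte attribute
# header) as a decimal number, or "none" when the variable is not readable.
efivar_byte() {
    if [ -r "$1" ]; then
        od -An -t u1 -j 4 -N 1 "$1" | tr -d ' \n'
    else
        echo none
    fi
}

# secureboot_state FILE: enabled / disabled / unknown
secureboot_state() {
    case "$(efivar_byte "$1")" in
        1) echo enabled ;;
        0) echo disabled ;;
        *) echo unknown ;;
    esac
}

# secureboot_effective SB_FILE SETUP_FILE: enforcing / setup-mode / disabled / unknown
secureboot_effective() {
    local sb setup
    sb=$(efivar_byte "$1")
    setup=$(efivar_byte "$2")
    if [ "$sb" = 1 ] && [ "$setup" = 0 ]; then
        echo enforcing
    elif [ "$sb" = 1 ] && [ "$setup" = 1 ]; then
        echo setup-mode      # keys can be rewritten: not an assurance
    elif [ "$sb" = 0 ]; then
        echo disabled
    else
        echo unknown
    fi
}

# make_sample_efivar VALUE: writes a constructed efivarfs-style file
# (attributes 0x00000006 = BS|RT as little-endian bytes, then one data byte)
# and prints its path. Only used to exercise the decoder offline.
make_sample_efivar() {
    local f
    f=$(mktemp)
    printf '\006\000\000\000' > "$f"
    printf "\\$(printf '%03o' "$1")" >> "$f"
    echo "$f"
}

# Live host: also record /sys/kernel/security/lockdown, which shows whether
# the kernel enforces the integrity restrictions Secure Boot is meant to back.
secureboot_effective "$SB_VAR" "$SETUP_VAR"
cat /sys/kernel/security/lockdown 2>/dev/null
```

On a machine booted in legacy BIOS mode neither variable exists and the result is "unknown", which for a Level 3 host is itself a finding to record rather than a pass.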
7. Data Backup and Recovery (8.1.4.9)
| Control | Assessment command | Pass criterion |
|---|---|---|
| Backup policy | cat /etc/cron.d/backup 2>/dev/null \| grep -i backup | Daily/weekly jobs |
| Backup tooling | qlist -I \| grep -E 'backup\|bacula\|amanda\|restic\|borg' | A backup tool is installed |
| Backup directory permissions | stat -c '%a %U:%G' /backup | 700 root:root |
| Restore test | tar -tzf /backup/etc-$(date +%F).tar.gz \| wc -l | Archive lists cleanly, and a restore has actually been rehearsed |
Gentoo-specific configuration:
# Backup tools
qlist -I | grep -E 'backup|rsnapshot|bacula|amanda|restic|borg|duplicity' | head -10
# Timeshift (available on Gentoo)
qlist -I timeshift 2>/dev/null
sudo timeshift --list 2>/dev/null | head -10
# Déjà Dup (GNOME)
qlist -I deja-dup 2>/dev/null
# rsync backup jobs
crontab -l 2>/dev/null | grep rsync
cat /etc/cron.d/*backup* 2>/dev/null | head -10
# restic repositories
restic snapshots -r /backup/restic 2>/dev/null | head -5
# borg repositories
borg list /backup/borg 2>/dev/null | head -5
# Verify backup integrity
sudo tar -tzf /backup/etc-$(date +%F).tar.gz 2>/dev/null | wc -l
# Gentoo-specific: are the Portage configuration files backed up?
ls -la /backup/portage/ 2>/dev/null | head -5
# Should be backed up: /etc/portage/, /var/lib/portage/world, /var/db/pkg/ (installed-package
# database); /var/db/repos/ can be re-synced, but a copy pins the tree state at backup time
# Binary packages (binpkgs) kept for rollback?
ls -la /var/cache/binpkgs/ 2>/dev/null | head -5
8. Gentoo-Specific Security Features
8.1 Hardened profile
# Current profile
eselect profile list
eselect profile show
# Recommended security profiles (the version prefix follows the release: 23.0
# replaced 17.1 in 2024; older hosts still show 17.1)
# default/linux/amd64/23.0/hardened
# default/linux/amd64/23.0/hardened/selinux
# default/linux/amd64/23.0/musl (with a hardened sub-profile)
# default/linux/amd64/23.0/systemd
# Switching to a hardened profile requires rebuilding the whole system
# eselect profile set X
# Per-binary hardening markers (if hardened-check is not available, scanelf from
# app-misc/pax-utils shows the stack/RELRO/BIND markers of a binary)
hardened-check 2>/dev/null || scanelf -e /bin/ls 2>/dev/null
# Security-related USE flags (effective, including profile defaults)
portageq envvar USE 2>/dev/null | tr ' ' '\n' | grep -E 'hardened|pic|pie|ssp|selinux|pax|grsec|caps|xattr'
8.2 Portage security features
# Effective FEATURES, including profile defaults. make.conf alone does not show the
# defaults: sandbox/usersandbox are on by default and only a "-sandbox" entry disables them
portageq envvar FEATURES 2>/dev/null | tr ' ' '\n' | sort
# Repository verification: the rsync tree's MetaManifest signature check is configured in repos.conf
grep -rE 'sync-rsync-verify|sync-type|sync-uri' /etc/portage/repos.conf /usr/share/portage/config/repos.conf 2>/dev/null
# Manifest checks (strict = refuse ebuilds whose Manifest does not verify)
grep 'FEATURES.*strict' /etc/portage/make.conf 2>/dev/null
# Build sandbox
grep 'FEATURES.*sandbox\|FEATURES.*usersandbox' /etc/portage/make.conf 2>/dev/null
# Network sandbox (no network access during the build phases)
grep 'FEATURES.*network-sandbox' /etc/portage/make.conf 2>/dev/null
# Build isolation (PID namespace)
grep 'FEATURES.*pid-sandbox' /etc/portage/make.conf 2>/dev/null
# Binary package signing: FEATURES binpkg-signing (sign what this host builds) and
# binpkg-request-signature (refuse unsigned binpkgs); BINPKG_FORMAT only selects
# xpak vs gpkg and says nothing about signing
grep -E 'FEATURES.*binpkg|BINPKG_GPG|BINPKG_FORMAT|PORTAGE_GPG_DIR' /etc/portage/make.conf 2>/dev/null
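Added example, not part of the original checklist: FEATURES is an incremental Portage variable, so the value in make.conf is appended to the profile defaults, "foo" adds a feature, "-foo" removes one and "-*" clears everything accumulated so far. A grep of make.conf for "sandbox" therefore matches a line that actually disables it. The functions below resolve the variable the way Portage does; ASSUMED_PROFILE_FEATURES is a constructed stand-in for the profile defaults (on a live host `portageq envvar FEATURES` gives the real answer), and the make.conf text is constructed.

```bash
#!/bin/bash
# Added example: resolve FEATURES as Portage resolves an incremental variable.
# ASSUMED_PROFILE_FEATURES is an assumption standing in for the profile stack.
ASSUMED_PROFILE_FEATURES="sandbox usersandbox network-sandbox pid-sandbox ipc-sandbox strict"

# effective_features "DEFAULTS" "MAKECONF_VALUE": prints the resolved set, sorted,
# space-separated. "-foo" removes foo; "-*" clears everything seen so far.
effective_features() {
    printf '%s\n%s\n' "$1" "$2" | tr ' ' '\n' | awk '
        $0 == ""   { next }
        $0 == "-*" { for (k in on) delete on[k]; next }
        /^-/       { delete on[substr($0, 2)]; next }
                   { on[$0] = 1 }
        END        { for (k in on) print k }
    ' | sort | tr '\n' ' '
}

# makeconf_features: extracts the value of every FEATURES= assignment in
# make.conf text on stdin. ${FEATURES} self-references are dropped because the
# value is appended incrementally anyway (simplification: double-quoted values only).
makeconf_features() {
    awk '
        /^[[:space:]]*FEATURES[[:space:]]*=/ {
            sub(/^[^=]*=[[:space:]]*/, "")
            gsub(/"/, "")
            gsub(/\$\{?FEATURES\}?/, "")
            print
        }
    '
}

# feature_enabled NAME DEFAULTS MAKECONF_TEXT: prints yes or no
feature_enabled() {
    local eff
    eff=$(effective_features "$2" "$(printf '%s\n' "$3" | makeconf_features)")
    case " $eff " in
        *" $1 "*) echo yes ;;
        *)        echo no ;;
    esac
}

# Constructed make.conf: grep for "sandbox" matches this line, yet it disables the sandbox.
SAMPLE_MAKECONF='COMMON_FLAGS="-O2 -pipe"
MAKEOPTS="-j8"
FEATURES="${FEATURES} -sandbox binpkg-request-signature"'

feature_enabled sandbox "$ASSUMED_PROFILE_FEATURES" "$SAMPLE_MAKECONF"       # no
feature_enabled usersandbox "$ASSUMED_PROFILE_FEATURES" "$SAMPLE_MAKECONF"   # yes
# Live host: feature_enabled sandbox "$(portageq envvar FEATURES)" ""
```

The live-host form passes the already-resolved value from portageq as the defaults and an empty make.conf, which is the simplest way to get a yes/no answer for the high-risk checklist without re-implementing the profile stack.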
8.3 Kernel security (the advantage of a self-built kernel)
# Gentoo kernel security option check. Self-built kernels often have no
# /boot/config-$(uname -r); fall back to /proc/config.gz (CONFIG_IKCONFIG_PROC)
# or /usr/src/linux/.config. Options renamed upstream are matched under both
# names (STACKPROTECTOR since 4.18, MITIGATION_* since 6.9).
check_kernel_security() {
    local cfg="/boot/config-$(uname -r)" item label pattern
    [ -r "$cfg" ] || cfg=/usr/src/linux/.config
    echo "=== Kernel security option check ==="
    for item in \
        "Stack Protector|CONFIG_STACKPROTECTOR_STRONG|CONFIG_CC_STACKPROTECTOR_STRONG" \
        "SLUB hardening|CONFIG_SLAB_FREELIST_HARDENED|CONFIG_SLAB_FREELIST_RANDOM|CONFIG_SLUB_DEBUG" \
        "KASLR|CONFIG_RANDOMIZE_BASE" \
        "KPTI|CONFIG_PAGE_TABLE_ISOLATION|CONFIG_MITIGATION_PAGE_TABLE_ISOLATION" \
        "Retpoline|CONFIG_RETPOLINE|CONFIG_MITIGATION_RETPOLINE" \
        "Module signing|CONFIG_MODULE_SIG|CONFIG_MODULE_SIG_FORCE" \
        "Livepatch|CONFIG_LIVEPATCH" \
        "BPF JIT hardening|CONFIG_BPF_JIT_ALWAYS_ON|CONFIG_BPF_UNPRIV_DEFAULT_OFF" \
        "User namespaces (attack surface, not a hardening)|CONFIG_USER_NS"; do
        label=${item%%|*}; pattern=${item#*|}
        echo "$label: $( { zcat /proc/config.gz 2>/dev/null || cat "$cfg" 2>/dev/null; } | grep -E "^(${pattern})=" | tr '\n' ' ')"
    done
    # SMEP/SMAP have no Kconfig switch on current kernels; they are used whenever the CPU reports them
    echo "SMEP/SMAP (CPU flags): $(grep -ow 'smep\|smap' /proc/cpuinfo 2>/dev/null | sort -u | tr '\n' ' ')"
}
check_kernel_security
One-shot inspection script (Gentoo Linux)
#!/bin/bash
# Gentoo Linux MLPS Level 3 one-shot inspection script
# Scope: Gentoo (amd64, OpenRC/systemd, hardened optional)
# Run as: root. Read-only: it collects evidence and changes nothing on the host.
INIT=$(cat /proc/1/comm 2>/dev/null)
KCONFIG="/boot/config-$(uname -r)"
[ -r "$KCONFIG" ] || KCONFIG=/usr/src/linux/.config
# kconf PATTERN: grep the running kernel's config, preferring /proc/config.gz
kconf() { { zcat /proc/config.gz 2>/dev/null || cat "$KCONFIG" 2>/dev/null; } | grep -E "$1"; }
# svc NAME: service status under OpenRC or systemd (rc-status takes a runlevel, not a service)
svc() {
    if [ "$INIT" = "systemd" ]; then
        systemctl is-active "$1" 2>/dev/null || echo "$1: not active"
    else
        rc-service "$1" status 2>/dev/null || echo "$1: not configured"
    fi
}
echo "===== Gentoo Linux MLPS inspection report ====="
echo "Time: $(date '+%Y-%m-%d %H:%M:%S')"
echo "Host: $(hostname)"
echo "Profile: $(eselect profile show 2>/dev/null | grep default || echo Unknown)"
echo "Init: ${INIT:-unknown}"
echo ""
echo "===== 1 Identity authentication ====="
echo "--- Empty passwords ---"
awk -F: '$2==""{print "empty password: "$1}' /etc/shadow
echo "--- Locked accounts ---"
awk -F: '$2~"^!"{print "locked: "$1}' /etc/shadow | head -5
echo "--- Password ageing ---"
grep -E '^PASS_(MAX|MIN)_DAYS|^PASS_WARN_AGE' /etc/login.defs 2>/dev/null | head -3
echo "--- Password complexity ---"
grep -E 'pam_pwquality|pam_passwdqc' /etc/pam.d/system-auth 2>/dev/null | head -3
grep -E 'minlen|minclass' /etc/security/pwquality.conf 2>/dev/null | head -3
echo "--- Login failure lockout ---"
grep faillock /etc/pam.d/system-auth 2>/dev/null
grep -vE '^#|^$' /etc/security/faillock.conf 2>/dev/null | head -5
echo "--- SSH configuration (effective values from sshd -T where available) ---"
{ sshd -T 2>/dev/null || grep -vE '^#|^$' /etc/ssh/sshd_config 2>/dev/null; } | grep -iE '^(permitrootlogin|passwordauthentication|clientalive|allowusers|allowgroups)' | head -6
echo "--- 2FA ---"
qlist -I google-authenticator >/dev/null 2>&1 && echo "Google Authenticator: installed" || echo "Google Authenticator: not installed"
grep -l 'pam_u2f\|google_authenticator' /etc/pam.d/sshd /etc/pam.d/login 2>/dev/null
echo ""
echo "===== 2 Access control ====="
echo "--- System accounts ---"
awk -F: '$3<1000 && $1!="root"{print "system account: "$1}' /etc/passwd | head -10
echo "--- sudo configuration ---"
grep '%wheel' /etc/sudoers 2>/dev/null | head -3
grep -rl NOPASSWD /etc/sudoers /etc/sudoers.d 2>/dev/null | sed 's/^/NOPASSWD in: /'
ls -la /etc/sudoers.d/ 2>/dev/null | head -3
echo "--- Key file permissions ---"
stat -c '%a %U:%G %n' /etc/passwd /etc/shadow /etc/group /etc/gshadow 2>/dev/null
echo "--- SELinux / hardened profile ---"
command -v sestatus >/dev/null 2>&1 && sestatus 2>/dev/null | head -3 || echo "SELinux not enabled"
eselect profile show 2>/dev/null | grep -q hardened && echo "Hardened profile: yes" || echo "Hardened profile: no"
echo ""
echo "===== 3 Security audit ====="
echo "--- auditd status ---"
svc auditd
echo "--- Audit rule count ---"
echo "audit rules: $(auditctl -l 2>/dev/null | wc -l)"
echo "--- Logging ---"
for l in metalog syslog-ng rsyslog sysklogd; do qlist -I "$l" >/dev/null 2>&1 && echo "logger: $l"; done
grep -vE '^#|^$' /etc/systemd/journald.conf 2>/dev/null | head -5
echo ""
echo "===== 4 Intrusion prevention ====="
echo "--- Pending updates ---"
echo "updatable packages: $(emerge -puDN @world 2>/dev/null | grep -c '^\[ebuild')"
echo "--- GLSA ---"
echo "GLSAs affecting this host: $(glsa-check -t affected 2>/dev/null | grep -cE '^[0-9]{6}-[0-9]{2}')"
echo "--- High-risk ports ---"
ss -tulnp 2>/dev/null | grep -E ':(23|111|513|514|2049) ' || echo "no high-risk ports exposed"
echo "--- Firewall ---"
if command -v nft >/dev/null 2>&1 && [ -n "$(nft list ruleset 2>/dev/null)" ]; then
    echo "nftables: $(nft list ruleset 2>/dev/null | grep -c 'chain') chains loaded"
elif command -v iptables >/dev/null 2>&1 && [ "$(iptables -S 2>/dev/null | grep -vc '^-P')" -gt 0 ]; then
    echo "iptables: $(iptables -S 2>/dev/null | grep -vc '^-P') rules; policies: $(iptables -S 2>/dev/null | grep '^-P' | tr '\n' ' ')"
else
    echo "firewall: no rules loaded"
fi
echo "--- Compile-time hardening ---"
echo "toolchain defaults: $(gcc -v 2>&1 | grep -io 'enable-default-pie\|enable-default-ssp' | tr '\n' ' ')"
portageq envvar CFLAGS 2>/dev/null | grep -o '\-fstack-protector[a-z-]*\|\-fPIE\|\-D_FORTIFY_SOURCE=[0-9]' | head -3
echo ""
echo "===== 5 Malicious code protection ====="
echo "--- ClamAV ---"
qlist -I clamav 2>/dev/null || echo "clamav not installed"
svc clamd
freshclam -V 2>/dev/null
echo "--- Rootkit check ---"
qlist -I rkhunter >/dev/null 2>&1 && echo "rkhunter: installed" || echo "rkhunter: not installed"
echo ""
echo "===== 6 Trusted verification ====="
echo "--- TPM ---"
dmesg 2>/dev/null | grep -i tpm | head -3
ls /dev/tpm* 2>/dev/null
echo "--- Secure Boot ---"
mokutil --sb-state 2>/dev/null || echo "SecureBoot efivar byte: $(od -An -t u1 -j 4 -N 1 /sys/firmware/efi/efivars/SecureBoot-8be4df61-93ca-11d2-aa0d-00e098032b8c 2>/dev/null || echo 'not available')"
echo "--- Module signature enforcement ---"
echo "sig_enforce: $(cat /sys/module/module/parameters/sig_enforce 2>/dev/null || echo unknown)"
echo "--- Portage integrity ---"
echo "missing files (qcheck): $(qcheck 2>/dev/null | grep -ci missing)"
echo "--- Kernel security options ---"
echo "stack protector: $(kconf '^CONFIG_(CC_)?STACKPROTECTOR(_STRONG)?=y' | tr '\n' ' ')"
echo "KASLR: $(kconf '^CONFIG_RANDOMIZE_BASE=y')"
echo "module signing: $(kconf '^CONFIG_MODULE_SIG(_FORCE)?=y' | tr '\n' ' ')"
echo ""
echo "===== 7 Data backup ====="
echo "--- Backup jobs ---"
crontab -l 2>/dev/null | grep -i backup || echo "no crontab backup job"
if ls /etc/cron.d/*backup* >/dev/null 2>&1; then ls /etc/cron.d/*backup* | head -3; else echo "no backup job in /etc/cron.d"; fi
echo "--- Backup directory ---"
stat -c '%a %U:%G' /backup 2>/dev/null || echo "backup directory missing"
echo "--- Portage backup ---"
[ -d /backup/portage ] && ls /backup/portage/ | head -3 || echo "Portage backup directory missing"
echo ""
echo "===== 8 Gentoo-specific ====="
echo "--- Profile ---"
eselect profile show 2>/dev/null
echo "--- Security USE flags ---"
portageq envvar USE 2>/dev/null | tr ' ' '\n' | grep -E 'hardened|selinux|pax' | head -5
echo "--- Sandbox features (effective, including profile defaults) ---"
echo "$(portageq envvar FEATURES 2>/dev/null | tr ' ' '\n' | grep -E 'sandbox|strict|binpkg' | tr '\n' ' ')"
echo ""
echo "===== Inspection complete ====="
High-risk items checklist
| Item | Verification command | Non-compliant when | Remediation |
|---|---|---|---|
| Empty-password accounts | awk -F: '$2==""{print $1}' /etc/shadow | Any output | Set a strong password or lock the account immediately |
| No password complexity | grep -E 'pam_pwquality\|pam_passwdqc' /etc/pam.d/system-auth | No output | Enable the pwquality (or passwdqc) USE flag on sys-auth/pambase, rebuild it and configure the module |
| No login-failure lockout | grep faillock /etc/pam.d/system-auth | No output | Configure pam_faillock |
| Root remote login | sshd -T 2>/dev/null \| grep -i permitrootlogin | Value yes (the default prohibit-password is not "no" either) | Set PermitRootLogin no |
| Non-hardened profile | eselect profile show \| grep hardened | No output | Switch to a hardened profile (the standard does not name a profile; treat this as a strong recommendation unless the hardening flags are verified another way) |
| Audit not enabled | rc-service auditd status or systemctl is-active auditd | Not active | Install and enable auditd |
| Unpatched GLSAs | glsa-check -t affected | Any GLSA listed | Update the affected packages (glsa-check -f affected) |
| No firewall | nft list ruleset / iptables -S | No rules, or default ACCEPT with no filtering | Configure nftables or iptables with a default-deny input policy |
| No compile-time hardening | gcc -v 2>&1 \| grep -o 'enable-default-pie\|enable-default-ssp' | Missing, and CFLAGS lack -fstack-protector | Use a 17.0+/23.0 profile toolchain or add the flags to make.conf |
| Sandbox disabled | portageq envvar FEATURES | sandbox/usersandbox absent (they are on by default; look for "-sandbox" in make.conf) | Remove the negation, or add FEATURES="sandbox usersandbox" |
| Backups not configured | crontab -l \| grep backup | No output | Configure scheduled backup jobs |
Gentoo Linux variant comparison
| Item | Gentoo (OpenRC) | Gentoo (systemd) | Gentoo (musl) |
|---|---|---|---|
| Init system | OpenRC | systemd | OpenRC (systemd requires glibc) |
| C library | glibc | glibc | musl |
| Hardening | hardened profile optional | hardened profile optional | hardened sub-profile optional; musl is smaller and simpler but is not a substitute for the hardening flags |
| Binary compatibility | Full | Full | Limited (glibc-only proprietary binaries, some language runtimes) |
| Build time | Standard | Standard | Somewhat shorter (smaller libc); not a security property |
| Memory footprint | Standard | Standard | Lower |
| MLPS compliance | Needs configuration | Needs configuration | Needs configuration; the same controls apply |
| Typical use | Traditional server choice | Modern service management | Embedded / containers |
Assessment execution notes
1. Privileges
- All commands must run as root.
- Some commands need the Portage tooling: emerge ships with Portage, qlist/qfile/qcheck come from app-portage/portage-utils, and glsa-check from app-portage/gentoolkit.
2. On-site verification priorities
- Profile choice: confirm whether a hardened profile is used; this is the core of Gentoo's hardening story.
- Compile-time hardening: check that the effective CFLAGS/CXXFLAGS and the toolchain defaults include the stack protector, PIE and Fortify Source.
- Build sandbox: confirm that the effective FEATURES (portageq envvar FEATURES) still contain sandbox, so builds stay isolated.
- GLSAs: Gentoo's own security advisory system; affected packages must be updated promptly.
- Kernel customisation: use the self-built kernel to enable KASLR and the hardware mitigations, and keep the running config readable (CONFIG_IKCONFIG_PROC) so it can be audited.
3. Variant differences
- OpenRC vs systemd: the service-management commands differ, the security mechanisms are the same.
- glibc vs musl: musl is smaller, but some software has compatibility issues; it does not change which controls are checked.
- hardened profile: adds further hardening on top of the PIE/SSP defaults that all 17.0+ profiles already have (e.g. full RELRO with BIND_NOW), at the cost of longer build times.
Quick command reference
# Portage package management
emerge -s package                 # search
emerge -pv package                # pretend install
emerge package                    # install
emerge -uDN @world                # update the system
emerge --depclean                 # remove orphaned dependencies
qlist -I package                  # is it installed?
qfile /path/to/file               # which package owns a file
qcheck package                    # verify package integrity
# Service management (OpenRC)
rc-status                         # service status per runlevel
rc-service service status         # status of one service
rc-service service start          # start a service
rc-update add service default     # enable at boot
rc-update del service default     # disable at boot
# Service management (systemd)
systemctl status service
systemctl start service
systemctl enable service
# Profile management
eselect profile list              # list available profiles
eselect profile show              # show the current profile
eselect profile set X             # switch profile
# Security tools
glsa-check -l all                 # list all GLSAs
glsa-check -t all                 # test which GLSAs affect this host
glsa-check -f all                 # apply fixes (remediation)
hardened-check                    # hardened status (if installed)
# Build-related
portageq envvar CFLAGS            # effective CFLAGS
emerge -e @world                  # rebuild the whole system (after a profile switch)
make -j$(nproc)                   # parallel build (Portage uses MAKEOPTS instead)
# Kernel management
eselect kernel list               # list available kernel sources
make menuconfig                   # configure the kernel
make && make modules_install && make install   # build and install the kernel
# Logs
tail -f /var/log/messages         # metalog / syslog-ng
journalctl -f                     # systemd
dmesg | tail                      # kernel messages
Reference standards: GB/T 22239-2019, GB/T 28448-2019, Gentoo Security Guide, CIS Gentoo Benchmark, Gentoo Hardened Project
Applies to: Gentoo Linux (amd64/x86_64, OpenRC/systemd, glibc/musl)
Verified on: Stage3 / Hardened / SELinux / custom kernel configurations
Source note: from 汪汪虚拟空间; the views are the author's own. Link: https://eyangzhen.com/6754.html