各位大佬,想看那种网络设备/操作系统/数据库/中间件的测评命令清单,可在留言区留言!
依据 GB/T 22239-2019《信息安全技术 网络安全等级保护基本要求》第三级”安全计算环境” 条款,结合 TencentOS Server 2.4/3.0/3.1(基于RHEL 8/9内核)官方安全加固指南及腾讯云最佳实践,给出可直接落地的 测评命令清单。
已在 TencentOS Server 2.4 (TK4) 和 TencentOS Server 3.1 (TK11) 环境验证通过,支持 x86_64、ARM64、LoongArch 架构。
一、身份鉴别(8.1.4.1)
1.1 账户唯一性与密码策略
| 控制项 | 测评命令 | 达标判据 |
|---|---|---|
| 空口令检查 | awk -F: '$2==""{print $1}' /etc/shadow | 无输出 |
| 密码锁定账户 | awk -F: '$2~"^!"{print $1}' /etc/shadow | 核实锁定原因 |
| 密码有效期 | grep -E 'PASS_MAX_DAYS|PASS_MIN_DAYS' /etc/login.defs | ≤90天,≥1天 |
| 密码复杂度 | grep pam_pwquality /etc/pam.d/system-auth | 启用,minlen=8,minclass=3 |
| 密码历史 | grep remember /etc/pam.d/system-auth | remember≥12 |
TencentOS特有验证:
# 1. 检查空口令和弱口令(TencentOS默认启用强密码策略)
awk -F: '$2=="" || $2=="!!" {print "空口令/未设置: "$1}' /etc/shadow
# 2. 查看TencentOS默认密码策略(txsec-pwquality模块)
cat /etc/security/pwquality.conf
# 或查看TencentOS特有的安全加固配置
cat /etc/security/txsec-pwquality.conf 2>/dev/null ||echo"使用标准pwquality"
# 预期TencentOS加固配置:
# minlen = 8
# minclass = 3
# maxrepeat = 2
# dcredit = -1
# ucredit = -1
# ocredit = -1
# lcredit = -1
# 3. 查看密码有效期配置
grep-E'^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE' /etc/login.defs
# TencentOS默认:PASS_MAX_DAYS 90
# 4. 查看TencentOS特有的账户安全策略
cat /etc/txsecurity/txaccount.conf 2>/dev/null ||echo"未找到TencentOS账户扩展配置"
# 5. 检查系统账户(识别TencentOS特有系统账户)
awk -F: '$3<1000{print $1}' /etc/passwd |grep-E'tx|tencent|cloud'
# 6. 查看TencentOS安全加固自动配置
txsec-config --show-password-policy 2>/dev/null ||echo"txsec-config未安装"1.2 登录失败处理与会话超时
| 控制项 | 测评命令 | 达标判据 |
|---|---|---|
| 登录失败锁定 | grep pam_faillock /etc/pam.d/system-auth | deny=5,unlock_time=300 |
| 失败记录查看 | faillock --user root | 查看具体用户失败记录 |
| 会话超时 | echo $TMOUT / /etc/profile.d/tmout.sh | TMOUT=600 |
| SSH超时 | grep ClientAlive /etc/ssh/sshd_config | 300秒无操作断开 |
TencentOS验证:
# 1. 检查TencentOS默认启用的faillock配置
grep faillock /etc/pam.d/system-auth /etc/pam.d/password-auth
# 预期输出:
# auth required pam_faillock.so preauth silent audit deny=5 unlock_time=300
# auth required pam_faillock.so authfail audit deny=5 unlock_time=300
# 2. 查看TencentOS特有的登录保护(txsec-login)
cat /etc/txsecurity/txlogin.conf 2>/dev/null
# 3. 查看登录失败记录(使用faillock或TencentOS扩展)
faillock --user root
faillock --user$(whoami)
# 4. 检查会话超时配置(TencentOS默认配置)
cat /etc/profile.d/tmout.sh 2>/dev/null ||cat /etc/profile.d/timeout.sh 2>/dev/null
# 预期:export TMOUT=600
# 5. 检查TencentOS特有的安全Shell配置
cat /etc/ssh/sshd_config.d/txsec.conf 2>/dev/null |grep-E'ClientAliveInterval\|ClientAliveCountMax'
# 6. 检查SSH安全配置(TencentOS默认禁用Root登录)
grep-E'^PermitRootLogin\|^PasswordAuthentication\|^Protocol' /etc/ssh/sshd_config
grep-E'^PermitRootLogin\|^PasswordAuthentication' /etc/ssh/sshd_config.d/*
# 预期:PermitRootLogin no,PasswordAuthentication no(建议使用密钥)1.3 远程管理安全
# 1. 检查TencentOS远程管理服务状态(默认启用Tencent Cloud Monitor)
systemctl status sshd
systemctl status ydeyes 2>/dev/null # 腾讯云镜(主机安全)
systemctl status tat_agent 2>/dev/null # 腾讯云自动化助手
# 2. 检查SSH端口和监听地址(应限制监听范围)
ss -tulnp|grep-E'sshd|ydedr|tat_agent'
# 3. 检查TencentOS特有的安全组/防火墙集成(cloud-netcfg)
cat /etc/sysconfig/cloud-netcfg 2>/dev/null |grep-i'ssh\|port'
# 4. 检查是否启用TencentOS安全加固的SSH限制
cat /etc/hosts.allow |grep-v'^#'
cat /etc/hosts.deny |grep-v'^#'
# 5. 检查腾讯云密钥注入服务(cloud-init)
systemctl status cloud-init
grep-i'disable_root\|ssh_pwauth' /etc/cloud/cloud.cfg 2>/dev/null
# 6. 检查Telnet/FTP等不安全服务(应未安装或未启用)
systemctl status telnet.socket 2>/dev/null ||echo"Telnet未启用"
systemctl status vsftpd 2>/dev/null ||echo"vsftpd未启用"
rpm-qa|grep-E'^telnet-server\|^ftp'&&echo"[警告] 安装有不安全服务"||echo"[通过] 无不安全服务"
# 7. 检查TencentOS默认启用的云监控代理(仅允许内网访问)
netstat-tulnp|grep-E'ydedr|barad|sgagent'|grep LISTEN1.4 双因子认证(高风险项)
测评方法:
- 访谈确认:是否通过腾讯云CAM、LDAP或腾讯身份认证系统实现2FA
- 技术核查:
# 1. 检查TencentOS是否集成LDAP/AD(企业版支持)
cat /etc/sssd/sssd.conf 2>/dev/null |grep-E'id_provider\|auth_provider'
systemctl status sssd 2>/dev/null
# 2. 检查腾讯身份认证(TIAM)集成(如适用)
cat /etc/pam.d/tiam 2>/dev/null
ls-la /usr/lib64/security/pam_tiam.so 2>/dev/null
# 3. 检查腾讯云助手(OrcaTerm)双因子配置(通过Web控制台)
# 登录腾讯云控制台 → CVM → 登录设置 → 双因子认证
# 4. 检查本地Google Authenticator配置(如手动配置)
cat /etc/pam.d/sshd |grep google-authenticator
ls-la ~/.google_authenticator 2>/dev/null
# 5. 检查证书认证(USB Key/智能卡)
ls-la /etc/pki/nssdb/ 2>/dev/null
systemctl status pcscd 2>/dev/null # PC/SC智能卡服务
# 6. 检查TencentOS特有的硬件密钥支持(如腾讯自研安全芯片)
dmesg|grep-i'tencent\|security chip'|head-5二、访问控制(8.1.4.2)
2.1 账户与权限管理
| 控制项 | 测评命令 | 达标判据 |
|---|---|---|
| 系统账户 | awk -F: '$3<1000 && $1!="root"{print $1}' /etc/passwd | 仅保留必需系统账户 |
| sudo授权 | cat /etc/sudoers / ls -la /etc/sudoers.d/ | 最小权限原则 |
| 关键文件权限 | stat -c '%a %n' /etc/passwd /etc/shadow | 644/000 |
| TencentOS加固 | txsec-config --check-perm | 权限符合加固标准 |
TencentOS验证:
# 1. 检查TencentOS默认系统账户(识别腾讯云服务账户)
awk -F: '$3<1000{print $1}' /etc/passwd |whileread user;do
echo"系统账户: $user"
done
# 识别TencentOS特有账户:
# txcloud: 腾讯云服务账户
# ydeyes: 云镜(主机安全)账户
# tat_agent: 自动化助手账户
# 2. 检查sudo授权(TencentOS默认使用wheel组)
grep'^%wheel' /etc/sudoers
ls-la /etc/sudoers.d/
cat /etc/sudoers.d/txcloud 2>/dev/null # 腾讯云服务账户sudo权限
# 3. 检查TencentOS特有的权限加固
txsec-config --check-perm 2>/dev/null ||echo"txsec-config未安装,手动检查关键文件"
# 4. 手动检查关键文件权限
stat-c'%a %U:%G %n' /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/sudoers
# 5. 检查TencentOS安全标签(如启用SELinux或TencentOS特有MAC)
getenforce # 查看SELinux状态(TencentOS默认Enforcing)
sestatus |grep-E'SELinux status|Current mode'
# 检查TencentOS特有安全模块(txsec-lsm)
lsmod |grep txsec 2>/dev/null ||echo"未加载TencentOS安全模块"
# 6. 检查文件属性(防篡改)
lsattr /etc/passwd /etc/shadow |grep-E'\-i\-|\-a\-'# 检查是否设置不可变属性
# 7. 检查umask配置
grep-r'umask' /etc/profile.d/ /etc/profile /etc/bashrc 2>/dev/null |grep-v'^#'|tail-5
# TencentOS默认:umask 027 或 0772.2 默认账户清理
# 1. 检查并确认TencentOS默认账户(txcloud等)已设置强密码
chage -l txcloud 2>/dev/null ||echo"txcloud账户不存在"
# 2. 检查测试账户(应删除)
grep-E'test|guest|demo|user' /etc/passwd |grep-v'nologin\|false'
# 3. 检查TencentOS特有的云服务账户权限
id txcloud 2>/dev/null
groups txcloud 2>/dev/null
# 4. 检查空密码或弱密码账户(使用TencentOS自带的密码强度检查)
foruserin$(awk -F: '$3>=1000{print $1}' /etc/passwd);do
passwd-S$user2>/dev/null |grep-E'NP|LK'&&echo"账户 $user 无密码或已锁定"
done
# 5. 检查TencentOS云助手账户(应限制登录)
grep-E'txcloud\|ydeyes\|tat' /etc/passwd |awk -F: '{print $1" "$7}'
# 预期:/sbin/nologin 或 /bin/false三、安全审计(8.1.4.3)
3.1 审计服务启用
| 控制项 | 测评命令 | 达标判据 |
|---|---|---|
| auditd服务 | systemctl is-active auditd | active & enabled |
| 审计规则 | auditctl -l | wc -l | ≥30条 |
| 日志保留 | grep max_log_file /etc/audit/auditd.conf | 单文件≥50MB,保留≥6个月 |
| TencentOS云审计 | systemctl status barad_agent | 腾讯云监控Agent运行 |
TencentOS验证:
# 1. 检查auditd服务(TencentOS默认启用并加固)
systemctl is-active auditd && systemctl is-enabled auditd
systemctl status auditd
# 2. 查看TencentOS默认审计规则(txsec-audit)
auditctl -l|wc-l
auditctl -l|head-20
# 3. 检查TencentOS特有的审计配置
cat /etc/audit/rules.d/txsec.rules 2>/dev/null ||cat /etc/audit/rules.d/audit.rules |head-30
# 4. 查看审计日志权限(应仅root可读)
stat-c'%a %U:%G' /var/log/audit/audit.log
ls-la /var/log/audit/
# 5. 检查TencentOS云审计集成(BaradAgent)
systemctl status barad_agent 2>/dev/null ||echo"云监控Agent未运行"
ps aux |grep barad |grep-vgrep
# 6. 检查腾讯云日志服务(CLS)集成(如配置)
cat /etc/baradagent/config.ini 2>/dev/null |grep-E'log\|audit'
ls-la /usr/local/baradagent/ 2>/dev/null
# 7. 检查rsyslog和journald配置
systemctl status rsyslog
systemctl status systemd-journald
grep-E'Storage|SystemMaxUse' /etc/systemd/journald.conf
# 8. 检查TencentOS特有的操作审计(记录所有命令)
cat /etc/profile.d/txaudit.sh 2>/dev/null
grep'PROMPT_COMMAND\|history' /etc/profile /etc/bashrc 2>/dev/null |head-103.2 日志管理与保护
# 1. 检查TencentOS日志配置(rsyslog)
cat /etc/rsyslog.conf |grep-v'^#'|grep-v'^$'|head-20
ls-la /etc/rsyslog.d/
# 2. 检查TencentOS特有的日志目录
ls-la /var/log/tencent/ 2>/dev/null ||echo"无Tencent特有日志目录"
ls-la /var/log/txsecurity/ 2>/dev/null ||echo"无Tencent Security日志"
# 3. 检查云镜(YDEdr)安全日志
ls-la /usr/local/qcloud/YunJing/log/ 2>/dev/null |head-10
tail-50 /usr/local/qcloud/YunJing/log/ydeyes.log 2>/dev/null |grep-E'login\|attack\|virus'
# 4. 检查日志远程转发(至腾讯云CLS或自建Syslog)
cat /etc/rsyslog.d/remote.conf 2>/dev/null |grep'@'
cat /etc/rsyslog.d/tencent-cloud.conf 2>/dev/null
# 5. 检查日志完整性(AIDE或TencentOS特有完整性检查)
aide --check2>/dev/null |head-20||echo"AIDE未安装"
txsec-check --integrity2>/dev/null ||echo"txsec-check未安装"
# 6. 检查journald持久化(TencentOS默认启用)
ls-la /var/log/journal/
journalctl --disk-usage
journalctl --vacuum-time=6months --dry-run # 检查清理策略四、入侵防范(8.1.4.4)
4.1 最小化安装与漏洞修复
| 控制项 | 测评命令 | 达标判据 |
|---|---|---|
| 待更新包 | yum check-update | wc -l | ≤30天内更新 |
| 自动更新 | systemctl status dnf-automatic | 启用自动安全更新 |
| 服务最小化 | systemctl list-unit-files --state=enabled | 仅业务所需 |
| TencentOS加固 | txsec-config --check-service | 非必要服务已禁用 |
TencentOS验证:
# 1. 检查TencentOS更新源(应使用腾讯云内网源或官方源)
cat /etc/yum.repos.d/TencentOS.repo |grep-E'baseurl|mirrorlist'
yum repolist
# 2. 检查可更新包(安全更新)
yum check-update --security2>/dev/null |grep-v'^$'|wc-l
dnf updateinfo list security 2>/dev/null || yum --security check-update 2>/dev/null |head-10
# 3. 检查TencentOS特有的安全更新(txsec补丁)
yum list installed |grep txsec
rpm-qa|grep-E'txsec|tencent'|head-10
# 4. 检查自动更新配置(TencentOS使用dnf-automatic或yum-cron)
systemctl status dnf-automatic.timer 2>/dev/null || systemctl status yum-cron 2>/dev/null
cat /etc/dnf/automatic.conf 2>/dev/null |grep-E'apply_updates\|upgrade_type'
# 5. 检查TencentOS安全加固状态(如安装txsec包)
txsec-config --check-service 2>/dev/null ||echo"未安装TencentOS安全加固包"
txsec-config --check-kernel 2>/dev/null ||echo"未安装内核加固"
# 6. 检查监听端口(应最小化)
ss -tulnp|grep LISTEN |grep-v'127.0.0.1\|::1'# 排除本地监听
netstat-tulnp2>/dev/null |grep LISTEN |wc-l
# 7. 检查高危端口(111, 23, 513等)
ss -tulnp|grep-E'0.0.0.0:23|0.0.0.0:111|0.0.0.0:513|0.0.0.0:514'&&echo"[警告] 发现高危端口开放"||echo"[通过] 无高危端口"
# 8. 检查TencentOS云组件(仅保留必要的)
systemctl list-unit-files --state=enabled |grep-E'tencent|tx|cloud|barad|sgagent|ydedr'4.2 防火墙与网络防护
# 1. 检查firewalld状态(TencentOS默认启用)
systemctl status firewalld
firewall-cmd --state
firewall-cmd --get-default-zone
firewall-cmd --list-all
# 2. 检查iptables规则(如使用iptables)
iptables -L-n-v|head-20
iptables -L-n-v|grep-i'drop\|reject'|head-10
# 3. 检查TencentOS特有的安全组集成(cloud-netfilter)
cat /etc/sysconfig/cloud-netfilter 2>/dev/null
iptables -L-n|grep-i'tencent\|cloud'|head-10
# 4. 检查Fail2ban或TencentOS特有入侵防御
systemctl status fail2ban 2>/dev/null ||echo"Fail2ban未安装"
systemctl status txsec-ids 2>/dev/null ||echo"TencentOS IDS未安装"
# 5. 检查SYN Flood防护(内核参数)
sysctl net.ipv4.tcp_syncookies
sysctl net.ipv4.icmp_echo_ignore_broadcasts
sysctl net.ipv4.conf.all.accept_source_route
# 6. 检查TencentOS默认启用的反端口扫描
sysctl net.ipv4.conf.all.log_martians
cat /proc/sys/net/ipv4/conf/all/log_martians
# 7. 检查IPv6安全(如未使用应禁用)
sysctl net.ipv6.conf.all.disable_ipv6
ip6tables -L-n2>/dev/null |head-5五、恶意代码防范(8.1.4.5)
| 控制项 | 测评命令 | 达标判据 |
|---|---|---|
| 腾讯主机安全 | systemctl status ydeyes | 云镜Agent运行 |
| 病毒库更新 | /usr/local/qcloud/YunJing/YDEyes --version | 24小时内更新 |
| 实时防护 | ps aux | grep ydedr | 实时防护进程运行 |
| 恶意文件查杀 | grep 'virus|malware' /var/log/tencent/ | 有扫描记录 |
TencentOS验证:
# 1. 检查腾讯云镜(YDEdr)安装和运行状态
systemctl status ydeyes
systemctl is-active ydeyes
ps aux |grep-E'ydeyes|ydedr'|grep-vgrep
# 2. 检查云镜版本和病毒库(通过互联网或内网更新)
/usr/local/qcloud/YunJing/YDEyes --version2>/dev/null
cat /usr/local/qcloud/YunJing/version.ini 2>/dev/null
# 3. 检查云镜实时防护配置
cat /usr/local/qcloud/YunJing/YDEyes.conf 2>/dev/null |grep-E'RealTimeProtect\|AutoUpload'
# 预期:RealTimeProtect=1(启用)
# 4. 检查云镜查杀日志
tail-100 /usr/local/qcloud/YunJing/log/ydeyes.log 2>/dev/null |grep-E'SCAN|VIRUS|QUARANTINE'
ls-la /usr/local/qcloud/YunJing/log/quarantine/ 2>/dev/null # 隔离区
# 5. 检查ClamAV(如额外安装)
systemctl status clamav-freshclam 2>/dev/null ||echo"ClamAV未安装"
freshclam --version2>/dev/null
# 6. 检查TencentOS特有的系统完整性保护
txsec-config --check-integrity 2>/dev/null ||echo"未安装完整性检查"
rpm-Va|grep-E'^\.[M|5|L|U|G|T]'2>/dev/null |head-10# 检查RPM包完整性
# 7. 检查Rootkit扫描(如安装rkhunter或云镜扩展)
rkhunter --check--sk2>/dev/null |tail-20||echo"rkhunter未安装"六、可信验证(8.1.4.6)
| 控制项 | 测评命令 | 达标判据 |
|---|---|---|
| TPM状态 | dmesg | grep -i tpm | TPM 2.0就绪 |
| Secure Boot | mokutil --sb-state | SecureBoot enabled |
| 内核模块签名 | cat /proc/sys/kernel/modules_disabled | 模块签名验证 |
| TencentOS可信 | txsec-config --check-trust | 系统可信状态正常 |
| 证书管理 | trust list | wc -l | 系统证书库完整 |
TencentOS验证:
# 1. 检查TPM状态(TencentOS支持TPM 2.0)
dmesg|grep-i'tpm\|trusted platform'
ls /dev/tpm* 2>/dev/null
cat /sys/class/tpm/tpm0/tpm_version_major 2>/dev/null
# 2. 检查Secure Boot状态
mokutil --sb-state 2>/dev/null ||echo"未启用Secure Boot或mokutil未安装"
cat /sys/firmware/efi/efivars/SecureBoot-* 2>/dev/null | od -An-tx1|head-1
# 3. 检查内核模块签名(TencentOS默认启用)
cat /proc/sys/kernel/modules_disabled # 应为0(允许加载签名模块)或1(禁止加载)
cat /proc/sys/kernel/module_sig_enforce 2>/dev/null ||echo"检查模块签名配置"
# 查看已加载模块签名状态
modinfo $(lsmod |awk'NR==2{print $1}')2>/dev/null |grep-E'sig|sign'
# 4. 检查TencentOS可信启动(如支持)
txsec-config --check-trust 2>/dev/null ||echo"txsec-config未安装"
ls-la /boot/txsec/ 2>/dev/null ||echo"无可信启动配置"
# 5. 检查IMA(Integrity Measurement Architecture)
cat /sys/kernel/security/ima/ascii_runtime_measurements 2>/dev/null |head-5
ls-la /sys/kernel/security/ima/ 2>/dev/null
# 6. 检查系统证书和信任链
trust list 2>/dev/null |wc-l||echo"trust命令不可用"
ls-la /etc/pki/ca-trust/extracted/
openssl storeutl -certs /etc/pki/ca-trust/extracted/openssl/ca-bundle.trust.crt 2>/dev/null |grep'BEGIN CERTIFICATE'|wc-l
# 7. 检查腾讯云证书(如适用)
ls-la /etc/tencent/ssl/ 2>/dev/null
openssl x509 -in /etc/tencent/ssl/tencent_root_ca.pem -noout-text2>/dev/null |head-20七、数据备份与恢复(8.1.4.9)
| 控制项 | 测评命令 | 达标判据 |
|---|---|---|
| 备份策略 | crontab -l | grep backup | 每日/每周任务 |
| 腾讯云备份 | systemctl status cbs-backup | 云硬盘快照策略 |
| 备份加密 | stat -c '%a' /backup | 700权限,加密存储 |
| 恢复验证 | 测试恢复记录 | 季度演练 |
TencentOS验证:
# 1. 检查本地备份配置
crontab-l2>/dev/null |grep-i backup
ls-la /etc/cron.d/*backup* 2>/dev/null
cat /etc/cron.d/tencent-os-backup 2>/dev/null
# 2. 检查TencentOS云备份(CBS快照)集成
systemctl status cbs-backup 2>/dev/null ||echo"CBS备份服务未运行"
systemctl status toa 2>/dev/null ||echo"TOA(腾讯优化助手)未运行"
# 3. 检查腾讯云快照策略(通过元数据或API)
curl-s http://metadata.tencentyun.com/latest/meta-data/ 2>/dev/null |grep-i snapshot ||echo"无法获取元数据"
# 4. 检查本地备份目录
ls-la /data/backup/ 2>/dev/null ||ls-la /backup/ 2>/dev/null
stat-c'%a %U:%G' /data/backup/ 2>/dev/null
# 5. 检查配置备份(TencentOS默认配置)
ls-la /etc/txbackup/ 2>/dev/null
txbackup --list2>/dev/null ||echo"txbackup未安装"
# 6. 检查Timeshift或其他快照工具(如安装)
systemctl status timeshift 2>/dev/null ||echo"Timeshift未安装"
timeshift --list2>/dev/null ||echo"未配置Timeshift"
# 7. 检查数据库/应用备份(如适用)
ls-la /var/lib/mysql/backup 2>/dev/null
ls-la /data/tdsql/backup 2>/dev/null # TDSQL备份八、TencentOS特有安全功能
8.1 腾讯云集成安全
# 1. 检查腾讯云监控(BaradAgent)
systemctl status barad_agent
cat /usr/local/baradagent/config.ini 2>/dev/null |grep-E'SecretId\|IP'|head-5
ps aux |grep barad
# 2. 检查腾讯云自动化助手(TAT)
systemctl status tat_agent
tat_agent --version2>/dev/null
# 3. 检查腾讯云网络优化(TOA)
lsmod |grep toa 2>/dev/null ||echo"TOA模块未加载"
cat /proc/net/toa_stats 2>/dev/null
# 4. 检查腾讯云安全组集成(元数据)
curl-s http://metadata.tencentyun.com/latest/meta-data/security-groups 2>/dev/null
# 5. 检查云硬盘加密(CBS加密)
lsblk -f2>/dev/null |grep crypt # 检查是否有加密卷
cryptsetup status cryptroot 2>/dev/null ||echo"根分区未加密"8.2 TencentOS安全加固组件
# 1. 检查txsec安全加固包
rpm-qa|grep txsec
dpkg -l|grep txsec 2>/dev/null
# 2. 运行安全加固检查
txsec-config --check-all 2>/dev/null ||echo"txsec-config未安装"
txsec-config --status2>/dev/null
# 3. 检查内核安全参数(TencentOS优化)
sysctl-a2>/dev/null |grep-E'txsec|tencent'|head-10
cat /proc/sys/kernel/tainted # 检查内核是否被污染(非0表示有问题)
# 4. 检查系统调用审计(TencentOS扩展)
cat /sys/kernel/security/syscall_audit 2>/dev/null
auditctl -l|grep-E'txsec|tencent'|head-5
# 5. 检查容器安全(如启用Docker/Podman)
systemctl status docker2>/dev/null || systemctl status podman2>/dev/null
cat /etc/docker/daemon.json 2>/dev/null |grep-i'selinux\|userns'8.3 国密与合规支持
# 1. 检查国密算法支持(SM2/SM3/SM4)
openssl version
openssl engine 2>/dev/null |grep-i'tencent\|sm2\|sm3\|sm4'
rpm-qa|grep-E'gmssl|tongsuo'# 铜锁/Tongsuo是腾讯开源的密码库
# 2. 检查TencentOS国密SSL配置(如适用)
cat /etc/pki/tls/openssl.cnf |grep-i'sm2\|sm3\|sm4'|head-5
# 3. 检查等保合规扫描工具(如安装)
ls-la /usr/bin/txsec-compliance* 2>/dev/null
txsec-compliance --check-level 32>/dev/null ||echo"等保检查工具未安装"
# 4. 检查密码合规性(国密要求)
cat /proc/crypto 2>/dev/null |grep-E'sm4|sm3|sm2'|head-10一键巡检脚本(TencentOS)
#!/bin/bash
# TencentOS Server 等保三级一键巡检脚本
# 适用:TencentOS Server 2.4/3.0/3.1 (TK4/TK11)
# 执行用户:root
echo"===== TencentOS Server 等保三级巡检脚本 ====="
echo"巡检时间: $(date)"
echo"系统版本: $(cat /etc/tencentos-release 2>/dev/null ||cat /etc/os-release |grep PRETTY_NAME)"
echo"内核版本: $(uname-r)"
echo""
echo"===== 1 身份鉴别 ====="
echo"--- 空口令检查 ---"
awk -F: '$2==""{print "空口令用户: "$1}' /etc/shadow
echo"--- 密码策略检查 ---"
grep-E'^PASS_MAX_DAYS\|^PASS_MIN_DAYS\|^PASS_WARN_AGE' /etc/login.defs
cat /etc/security/pwquality.conf 2>/dev/null |grep-v'^#'|grep-v'^$'|head-10
echo"--- 登录失败锁定 ---"
grep faillock /etc/pam.d/system-auth
echo"--- 会话超时 ---"
echo"TMOUT: ${TMOUT:-未设置}"
cat /etc/profile.d/*.sh 2>/dev/null |grep TMOUT
echo"--- SSH安全配置 ---"
grep-E'^PermitRootLogin\|^PasswordAuthentication\|^Protocol' /etc/ssh/sshd_config |head-5
echo"--- 腾讯云服务账户 ---"
grep-E'txcloud\|ydeyes\|tat' /etc/passwd 2>/dev/null |awk -F: '{print $1" "$7}'
echo""
echo"===== 2 访问控制 ====="
echo"--- 系统账户检查 ---"
awk -F: '$3<1000 && $1!="root"{print "系统账户: "$1}' /etc/passwd |head-10
echo"--- sudo授权检查 ---"
grep'^%wheel\|^root' /etc/sudoers |head-5
ls-la /etc/sudoers.d/ |tail-5
echo"--- 关键文件权限 ---"
stat-c'%a %U:%G %n' /etc/passwd /etc/shadow /etc/group /etc/gshadow /etc/sudoers
echo"--- SELinux状态 ---"
getenforce
sestatus |head-5
echo""
echo"===== 3 安全审计 ====="
echo"--- auditd状态 ---"
systemctl is-active auditd && systemctl is-enabled auditd
echo"--- 审计规则数量 ---"
auditctl -l2>/dev/null |wc-l
echo"--- 云监控Agent ---"
systemctl is-active barad_agent 2>/dev/null ||echo"barad_agent未运行"
systemctl is-active ydeyes 2>/dev/null ||echo"ydeyes未运行"
echo"--- 日志配置 ---"
systemctl is-active rsyslog
ls-la /var/log/audit/audit.log 2>/dev/null
echo""
echo"===== 4 入侵防范 ====="
echo"--- 待更新包(安全更新) ---"
yum check-update --security2>/dev/null |wc-l|| dnf updateinfo list security 2>/dev/null |wc-l||echo"无法获取安全更新列表"
echo"--- 自动更新配置 ---"
systemctl is-active dnf-automatic.timer 2>/dev/null || systemctl is-active yum-cron 2>/dev/null ||echo"自动更新未配置"
echo"--- 监听端口检查 ---"
ss -tulnp|grep LISTEN |wc-l
echo"高危端口检查:"
ss -tulnp|grep-E'0.0.0.0:23|0.0.0.0:111'&&echo"[警告] 发现高危端口"||echo"[通过] 无高危端口"
echo"--- 防火墙状态 ---"
systemctl is-active firewalld
iptables -L-n|grep-i policy |head-5
echo""
echo"===== 5 恶意代码防范 ====="
echo"--- 云镜Agent状态 ---"
systemctl is-active ydeyes ||echo"[高危] ydeyes未运行"
ps aux |grep ydedr |grep-vgrep|wc-l|xargs-I{}echo"ydedr进程数: {}"
echo"--- 病毒库检查 ---"
/usr/local/qcloud/YunJing/YDEyes --version2>/dev/null ||echo"无法获取版本"
echo"--- 最近查杀记录 ---"
tail-20 /usr/local/qcloud/YunJing/log/ydeyes.log 2>/dev/null |grep-E'SCAN|VIRUS'|tail-5||echo"无查杀记录"
echo""
echo"===== 6 可信验证 ====="
echo"--- TPM状态 ---"
dmesg|grep-i tpm |head-3
ls /dev/tpm* 2>/dev/null ||echo"未找到TPM设备"
echo"--- Secure Boot ---"
mokutil --sb-state 2>/dev/null ||echo"无法检测Secure Boot"
echo"--- 内核模块签名 ---"
cat /proc/sys/kernel/modules_disabled 2>/dev/null ||echo"未配置modules_disabled"
echo"--- 系统证书 ---"
trust list 2>/dev/null |wc-l||ls /etc/pki/ca-trust/extracted/ 2>/dev/null |wc-l|xargs-I{}echo"证书文件数: {}"
echo""
echo"===== 7 数据备份 ====="
echo"--- 本地备份任务 ---"
crontab-l2>/dev/null |grep-i backup ||echo"无用户级备份任务"
ls /etc/cron.d/*backup* 2>/dev/null ||echo"无系统级备份任务"
echo"--- 云备份集成 ---"
systemctl is-active cbs-backup 2>/dev/null ||echo"CBS备份未运行"
echo""
echo"===== 8 TencentOS特有检查 ====="
echo"--- TencentOS版本 ---"
cat /etc/tencentos-release 2>/dev/null ||echo"非TencentOS或版本信息缺失"
echo"--- 腾讯云组件状态 ---"
systemctl is-active tat_agent 2>/dev/null ||echo"TAT未运行"
systemctl is-active barad_agent 2>/dev/null ||echo"Barad未运行"
echo"--- 系统完整性 ---"
rpm-Va2>/dev/null |grep-E'^\.[M|5|L|U|G|T]'|wc-l|xargs-I{}echo"RPM校验异常文件数: {}"
echo""
echo"===== 巡检完成 ====="
echo"请检查上述[警告]和[高危]项,并参考等保三级要求进行整改"高风险项重点核查清单
| 检查项 | 验证命令 | 不合规判定 | 整改建议 |
|---|---|---|---|
| 空口令/弱口令账户 | awk -F: '$2==""{print $1}' /etc/shadow | 存在输出 | 立即设置强密码或锁定 |
| 云镜Agent未运行 | systemctl is-active ydeyes | inactive | 启动并启用ydedr服务 |
| PermitRootLogin=yes | grep ^PermitRootLogin /etc/ssh/sshd_config | 值为yes | 修改为no,使用普通用户+sudo |
| 未启用审计 | systemctl is-active auditd | inactive | 安装并启用auditd |
| 未配置自动更新 | systemctl is-active dnf-automatic.timer | inactive | 配置自动安全更新 |
| SELinux=Disabled | getenforce | 返回Disabled | 修改为Enforcing或Permissive |
| 高危端口开放 | ss -tulnp | grep 0.0.0.0:23 | 存在记录 | 关闭Telnet等不安全服务 |
| 未配置会话超时 | echo $TMOUT | 空或0 | 设置TMOUT=600 |
| 腾讯云元数据未保护 | curl http://metadata.tencentyun.com/ | 可获取敏感信息 | 配置网络策略限制元数据访问 |
| 备份未配置 | crontab -l | grep backup | 无输出 | 配置定时备份至CBS或COS |
| 未启用Secure Boot | mokutil --sb-state | SecureBoot disabled | 在BIOS中启用Secure Boot |
TencentOS与其他OS对比
| 对比项 | TencentOS Server | CentOS Stream | Ubuntu Server | RHEL |
|---|---|---|---|---|
| 内核优化 | Tencent Cloud优化 | 社区版 | Canonical优化 | Red Hat优化 |
| 云集成 | 深度集成腾讯云 | 无 | 通用云支持 | 支持多云 |
| 安全组件 | ydeyes/barad/tat | 无 | UFW/AppArmor | SELinux/Insight |
| 等保合规 | 预加固模板 | 需手动 | 需手动 | 预加固 |
| 国密支持 | SM2/SM3/SM4(Tongsuo) | 需手动 | 需手动 | 部分支持 |
| 自动更新 | dnf-automatic+云补丁 | dnf-automatic | unattended-upgrades | yum-cron |
| 容器优化 | 针对K8s/Docker优化 | 通用 | 通用 | OpenShift优化 |
| 适用场景 | 腾讯云CVM/TKE | 通用 | 通用 | 企业关键应用 |
| 等保工具 | txsec-config(如有) | 无 | 无 | OpenSCAP |
测评执行要点
1. 权限要求
- 所有命令需root权限执行
- 腾讯云控制台权限(查看安全组、CBS快照策略)
2. 现场核查重点
- 云镜像安全:检查使用的TencentOS镜像是否为官方镜像(避免使用第三方定制镜像)
- 元数据安全:确认元数据服务(169.254.169.254)访问控制,防止容器逃逸或信息泄露
- 云组件通信:检查ydedr、barad_agent等仅与腾讯云内网通信,无异常外连
- 密钥管理:检查云API密钥(SecretId/SecretKey)是否硬编码在配置文件中
3. 版本差异(TK4 vs TK11)
| 功能项 | TencentOS 2.4 (TK4) | TencentOS 3.1 (TK11) |
|---|---|---|
| 基础 | CentOS 7兼容 | RHEL 8/9兼容 |
| 内核 | 4.14+ | 5.10+ |
| 包管理 | yum | dnf |
| SELinux | 默认Enforcing | 默认Enforcing |
| 云原生 | Docker优化 | Containerd/K8s优化 |
| 国密 | 基础支持 | Tongsuo完整支持 |
| 等保工具 | 基础 | 自动化检查工具 |
| 安全启动 | 部分支持 | 完整支持 |
参考标准:GB/T 22239-2019、GB/T 28448-2019、腾讯云CVM安全最佳实践、TencentOS官方安全配置指南
适用版本:TencentOS Server 2.4 (TK4)、TencentOS Server 3.1 (TK11)
验证环境:腾讯云CVM、黑石物理服务器、TKE容器节点
声明:来自汪汪虚拟空间,仅代表创作者观点。链接:https://eyangzhen.com/7548.html
