If you would like to see an assessment command checklist for a particular network device, operating system, database or middleware product, leave a request in the comments!
Based on the Level 3 "Secure Computing Environment" clauses of GB/T 22239-2019 (Information security technology: Baseline for classified protection of cybersecurity), combined with Kingdee's official Apusic security guide and on-site assessment practice.
Applicable products: Apusic Application Server V9.x / V10.x / V11.x (Standard Edition / Enterprise Edition)
I. Identity Authentication
1.1 Administrator Accounts and Authentication
| Control | Assessment command / setting | Pass criterion |
|---|---|---|
| Super administrator | cat $APUSIC_HOME/config/admin.xml | admin account uses a strong password |
| Default accounts | cat $APUSIC_HOME/config/users.xml | default passwords changed |
| Password complexity | Console → System Management → Security Policy | length ≥ 8, at least 3 character classes |
| Login failure lockout | cat $APUSIC_HOME/config/lockout-config.xml | lock for 30 minutes after 5 failures |
| Session timeout | cat $APUSIC_HOME/config/session-config.xml | ≤ 30 minutes |
| Two-factor authentication | Console → Security Management → Authentication Method | enabled for key users |
Apusic-specific configuration:
```bash
# Locate the Apusic installation
echo "$APUSIC_HOME"
ls -la ${APUSIC_HOME:-/opt/apusic}/
# Version information
cat ${APUSIC_HOME}/version.txt
cat ${APUSIC_HOME}/release 2>/dev/null
cat ${APUSIC_HOME}/bin/version.properties 2>/dev/null
# Administrator configuration files
cat ${APUSIC_HOME}/config/admin.xml
cat ${APUSIC_HOME}/config/users.xml
cat ${APUSIC_HOME}/config/groups.xml
# Role and permission configuration
cat ${APUSIC_HOME}/config/roles.xml
cat ${APUSIC_HOME}/config/security-role-mapping.xml
# Security domain configuration
cat ${APUSIC_HOME}/config/security-domain.xml
cat ${APUSIC_HOME}/config/login-config.xml
# Login failure lockout configuration
cat ${APUSIC_HOME}/config/lockout-config.xml
# Key settings:
# <lockout-enabled>true</lockout-enabled>
# <max-failures>5</max-failures>
# <lockout-duration>30</lockout-duration>
# Password policy configuration
cat ${APUSIC_HOME}/config/password-policy.xml
# Key settings:
# <min-length>8</min-length>
# <require-uppercase>true</require-uppercase>
# <require-lowercase>true</require-lowercase>
# <require-digit>true</require-digit>
# <require-special>true</require-special>
# <password-history>12</password-history>
# <max-age>90</max-age>
# Session timeout configuration
cat ${APUSIC_HOME}/config/session-config.xml
# <session-timeout>30</session-timeout>
# <session-timeout-unit>minutes</session-timeout-unit>
# Two-factor authentication configuration (Apusic V10+)
cat ${APUSIC_HOME}/config/mfa-config.xml 2>/dev/null
cat ${APUSIC_HOME}/config/otp-config.xml 2>/dev/null
# Certificate authentication configuration
cat ${APUSIC_HOME}/config/certificate-config.xml
ls -la ${APUSIC_HOME}/config/*.jks ${APUSIC_HOME}/config/*.p12
# List the keystore (changeit is the JDK default store password; a production keystore that still accepts it is itself a finding)
keytool -list -v -keystore ${APUSIC_HOME}/config/apusic.keystore -storepass changeit 2>/dev/null | head -20
```
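The pass criteria in the table above can be checked mechanically instead of by eye. The script below is an added example (not from the original post or from Kingdee): it reads the key elements quoted in the comments above with a minimal sed extractor and returns one verdict per control; the file layout and the sample values it builds are constructed assumptions, so on site point it at the real `${APUSIC_HOME}/config` directory.

```bash
#!/bin/bash
# Added example: evaluates section 1.1 identity settings against the Level 3
# pass criteria. Element names follow the config comments above; the file
# layout and the sample values below are constructed assumptions.

# xml_value FILE ELEMENT: text of the first <ELEMENT>...</ELEMENT> in FILE
xml_value() {
    sed -n "s|.*<$2>\([^<]*\)</$2>.*|\1|p" "$1" 2>/dev/null | head -n 1
}

# Pass: min-length >= 8 and at least 3 of the 4 character classes required
check_password_policy() {
    local f=$1 len classes=0 opt
    len=$(xml_value "$f" min-length)
    for opt in require-uppercase require-lowercase require-digit require-special; do
        [ "$(xml_value "$f" "$opt")" = "true" ] && classes=$((classes + 1))
    done
    [ "${len:-0}" -ge 8 ] && [ "$classes" -ge 3 ]
}

# Pass: lockout enabled, triggered after <= 5 failures, lasting >= 30 minutes
check_lockout() {
    local f=$1 on fails dur
    on=$(xml_value "$f" lockout-enabled)
    fails=$(xml_value "$f" max-failures)
    dur=$(xml_value "$f" lockout-duration)
    [ "$on" = "true" ] && [ "${fails:-999}" -le 5 ] && [ "${dur:-0}" -ge 30 ]
}

# Pass: session timeout <= 30 minutes; a missing unit element means minutes
check_session_timeout() {
    local f=$1 t unit
    t=$(xml_value "$f" session-timeout); t=${t:-9999}
    unit=$(xml_value "$f" session-timeout-unit)
    case "${unit:-minutes}" in
        seconds) t=$(( (t + 59) / 60 )) ;;
        hours)   t=$(( t * 60 )) ;;
    esac
    [ "$t" -le 30 ]
}

# audit_identity CONFIG_DIR: one PASS/FAIL line per control
audit_identity() {
    local d=$1
    check_password_policy "$d/password-policy.xml" && echo "password policy: PASS" || echo "password policy: FAIL"
    check_lockout "$d/lockout-config.xml" && echo "login lockout: PASS" || echo "login lockout: FAIL"
    check_session_timeout "$d/session-config.xml" && echo "session timeout: PASS" || echo "session timeout: FAIL"
}

# Constructed sample: compliant password policy, lockout that triggers too
# late (10 failures, 5 minutes) and a 2-hour session timeout
demo=$(mktemp -d)
printf '<p><min-length>12</min-length><require-uppercase>true</require-uppercase><require-lowercase>true</require-lowercase><require-digit>true</require-digit><require-special>false</require-special></p>\n' > "$demo/password-policy.xml"
printf '<l><lockout-enabled>true</lockout-enabled><max-failures>10</max-failures><lockout-duration>5</lockout-duration></l>\n' > "$demo/lockout-config.xml"
printf '<s><session-timeout>2</session-timeout><session-timeout-unit>hours</session-timeout-unit></s>\n' > "$demo/session-config.xml"
audit_identity "$demo"
rm -rf "$demo"
```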
1.2 Authentication Method Configuration
```bash
# Authentication realm configuration
cat ${APUSIC_HOME}/config/security-domain.xml | grep -A10 'authentication'
# LDAP integration
cat ${APUSIC_HOME}/config/ldap-config.xml 2>/dev/null
cat ${APUSIC_HOME}/config/ldap-realm.xml 2>/dev/null
# Active Directory domain configuration
cat ${APUSIC_HOME}/config/ad-config.xml 2>/dev/null
# SSO (single sign-on) configuration
cat ${APUSIC_HOME}/config/sso-config.xml 2>/dev/null
cat ${APUSIC_HOME}/config/cas-config.xml 2>/dev/null
# OAuth2/OIDC configuration (Apusic V10+)
cat ${APUSIC_HOME}/config/oauth2-config.xml 2>/dev/null
cat ${APUSIC_HOME}/config/oidc-config.xml 2>/dev/null
# Kerberos configuration
cat ${APUSIC_HOME}/config/kerberos-config.xml 2>/dev/null
cat ${APUSIC_HOME}/config/krb5.conf 2>/dev/null
# SM (国密 national cryptography) SSL configuration (Apusic V10+ SM edition)
cat ${APUSIC_HOME}/config/gmssl-config.xml 2>/dev/null
cat ${APUSIC_HOME}/config/sm2-config.xml 2>/dev/null
cat ${APUSIC_HOME}/config/sm3-config.xml 2>/dev/null
cat ${APUSIC_HOME}/config/sm4-config.xml 2>/dev/null
```
II. Access Control
2.1 Console and Interface Access Control
```bash
# Console access control
cat ${APUSIC_HOME}/config/admin-access.xml
cat ${APUSIC_HOME}/config/management.xml | grep -E 'allow|deny|bind|address'
# Management interface bind address and port
cat ${APUSIC_HOME}/config/management.xml | grep 'management-bind-address'
cat ${APUSIC_HOME}/config/management.xml | grep 'management-port'
# JMX access control
cat ${APUSIC_HOME}/config/jmxremote.access
cat ${APUSIC_HOME}/config/jmxremote.password
cat ${APUSIC_HOME}/config/jmx-ssl-config.xml 2>/dev/null
# SNMP configuration (if enabled)
cat ${APUSIC_HOME}/config/snmp-config.xml 2>/dev/null
# Application deployment permissions
ls -la ${APUSIC_HOME}/autodeploy/
ls -la ${APUSIC_HOME}/applications/
ls -la ${APUSIC_HOME}/deploy/
# Data source configuration (check for plaintext passwords)
cat ${APUSIC_HOME}/config/datasource.xml | grep -E 'password|url|user' | head -10
cat ${APUSIC_HOME}/config/datasources/*.xml 2>/dev/null | grep -E 'password' | head -10
# Is password encryption enabled?
cat ${APUSIC_HOME}/config/datasource.xml | grep -E 'encrypted|encryption'
cat ${APUSIC_HOME}/config/security.xml | grep -E 'password-encryption|cipher'
# Encryption algorithm configuration
cat ${APUSIC_HOME}/config/encryption-config.xml 2>/dev/null
```
2.2 Web Application Security
```bash
# Web application security constraints
cat ${APUSIC_HOME}/config/web.xml | grep -E 'security-constraint|auth-constraint|security-role'
# Servlet filters (security filtering)
cat ${APUSIC_HOME}/config/web.xml | grep -A10 'filter-name.*[Ss]ecurity'
cat ${APUSIC_HOME}/config/web.xml | grep -A10 'filter-class.*[Ss]ecurity'
# URL access control
cat ${APUSIC_HOME}/config/web.xml | grep -A5 'url-pattern'
# EJB security configuration
cat ${APUSIC_HOME}/config/ejb-jar.xml | grep -E 'security-role|method-permission|security-identity'
# JAX-WS/JAX-RS security configuration
cat ${APUSIC_HOME}/config/webservices.xml 2>/dev/null | grep -E 'security|auth'
cat ${APUSIC_HOME}/config/rest-security.xml 2>/dev/null
# Resource reference security
cat ${APUSIC_HOME}/config/resource-ref.xml | grep -E 'res-auth|res-sharing-scope|res-security'
# Virtual host configuration
cat ${APUSIC_HOME}/config/virtual-hosts.xml | grep -E 'host|alias|access-log'
# Access control lists
cat ${APUSIC_HOME}/config/access-control.xml 2>/dev/null
cat ${APUSIC_HOME}/config/acl.xml 2>/dev/null
```
2.3 Three-Administrator Separation of Duties (Apusic Enterprise Edition)
```bash
# Separation-of-duties configuration
cat ${APUSIC_HOME}/config/separation-of-duties.xml 2>/dev/null
# System administrator configuration
cat ${APUSIC_HOME}/config/system-admin.xml 2>/dev/null
# Security administrator configuration
cat ${APUSIC_HOME}/config/security-admin.xml 2>/dev/null
# Audit administrator configuration
cat ${APUSIC_HOME}/config/audit-admin.xml 2>/dev/null
# Role separation configuration
cat ${APUSIC_HOME}/config/role-separation.xml 2>/dev/null
# Permission matrix
cat ${APUSIC_HOME}/config/permission-matrix.xml 2>/dev/null
```
III. Security Audit
3.1 Audit Log Configuration
| Control | Assessment command | Pass criterion |
|---|---|---|
| Audit switch | cat $APUSIC_HOME/config/audit.xml | auditing enabled |
| Audit events | cat $APUSIC_HOME/config/audit-events.xml | key events covered |
| Log retention | cat $APUSIC_HOME/config/log-rotation.xml | ≥ 6 months |
| Log protection | ls -la $APUSIC_HOME/logs/audit/ | mode 640 |
Apusic-specific configuration:
```bash
# Audit configuration
cat ${APUSIC_HOME}/config/audit.xml
cat ${APUSIC_HOME}/config/audit-config.xml
# Audit event configuration
cat ${APUSIC_HOME}/config/audit-events.xml
# Key audit events:
# - LOGIN_SUCCESS/LOGIN_FAILURE (login)
# - LOGOUT (logout)
# - ACCESS_DENIED (access denied)
# - PERMISSION_CHANGE (permission change)
# - USER_CREATE/USER_DELETE/USER_MODIFY (user changes)
# - ROLE_CREATE/ROLE_DELETE/ROLE_MODIFY (role changes)
# - DATASOURCE_CHANGE (data source change)
# - APPLICATION_DEPLOY/UNDEPLOY (application deployment)
# Audit log directory
ls -la ${APUSIC_HOME}/logs/
ls -la ${APUSIC_HOME}/logs/audit/
# Access logs
cat ${APUSIC_HOME}/logs/access.log 2>/dev/null | tail -20
cat ${APUSIC_HOME}/logs/localhost_access_log.* 2>/dev/null | tail -20
# Audit log (management operations)
cat ${APUSIC_HOME}/logs/audit.log 2>/dev/null | tail -20
cat ${APUSIC_HOME}/logs/admin-audit.log 2>/dev/null | tail -20
# Security log
cat ${APUSIC_HOME}/logs/security.log 2>/dev/null | tail -20
# Login log
cat ${APUSIC_HOME}/logs/login.log 2>/dev/null | tail -20
grep -i "login\|logout\|fail\|denied" ${APUSIC_HOME}/logs/server.log | tail -20
# Application log
cat ${APUSIC_HOME}/logs/apusic.log 2>/dev/null | tail -20
# Log retention policy
cat ${APUSIC_HOME}/config/log-rotation.xml
cat ${APUSIC_HOME}/config/logging.properties | grep -E 'rotation|size|count|days|history'
cat ${APUSIC_HOME}/config/log4j.properties | grep -E 'MaxFileSize|MaxBackupIndex|DailyRollingFileAppender'
# Log file permissions
ls -la ${APUSIC_HOME}/logs/*.log | head -5
stat -c '%a %U:%G' ${APUSIC_HOME}/logs/*.log 2>/dev/null | head -5
# Centralized audit configuration (Apusic V10+)
cat ${APUSIC_HOME}/config/central-audit.xml 2>/dev/null
cat ${APUSIC_HOME}/config/syslog-appender.xml 2>/dev/null
cat ${APUSIC_HOME}/config/audit-db-config.xml 2>/dev/null
# Database audit storage
cat ${APUSIC_HOME}/config/audit-datasource.xml 2>/dev/null
```
3.2 Audit Log Analysis
```bash
# Recent successful logins
grep "LOGIN_SUCCESS" ${APUSIC_HOME}/logs/audit.log 2>/dev/null | tail -10
# Failed logins
grep "LOGIN_FAILURE" ${APUSIC_HOME}/logs/audit.log 2>/dev/null | tail -10
# Permission changes
grep "PERMISSION_CHANGE\|ROLE_MODIFY\|USER_MODIFY" ${APUSIC_HOME}/logs/audit.log 2>/dev/null | tail -10
# Application deployments
grep "APPLICATION_DEPLOY\|APPLICATION_UNDEPLOY" ${APUSIC_HOME}/logs/audit.log 2>/dev/null | tail -10
# Data source changes
grep "DATASOURCE_CHANGE" ${APUSIC_HOME}/logs/audit.log 2>/dev/null | tail -10
# Abnormal access
grep "ACCESS_DENIED\|FORBIDDEN" ${APUSIC_HOME}/logs/audit.log 2>/dev/null | tail -10
```
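Tailing the last ten matches shows recent events but not patterns; an assessor usually also wants failed logins grouped by account and source, and accounts that only ever failed. The script below is an added example, not from the original post: Apusic's real audit.log line format is not shown on this page, so the `<date> <time> <EVENT> key=value ...` layout it parses and the sample lines it embeds are assumptions to be adjusted to the real log.

```bash
#!/bin/bash
# Added example: groups the section 3.2 audit events. The line format
# "<date> <time> <EVENT> user=<name> ip=<addr> ..." and the sample log
# below are constructed assumptions, not real Apusic output.

# failed_logins_by_source FILE THRESHOLD: "count user ip" for every user/ip
# pair with at least THRESHOLD LOGIN_FAILURE events (5 matches the lockout bar)
failed_logins_by_source() {
    awk -v min="$2" '
        $3 == "LOGIN_FAILURE" {
            u = ""; a = ""
            for (i = 4; i <= NF; i++) {
                if ($i ~ /^user=/) u = substr($i, 6)
                if ($i ~ /^ip=/)   a = substr($i, 4)
            }
            n[u " " a]++
        }
        END { for (k in n) if (n[k] >= min) print n[k], k }
    ' "$1" 2>/dev/null | sort -rn
}

# failures_without_success FILE: accounts with LOGIN_FAILURE but never a
# LOGIN_SUCCESS in the window (typical of guessed or stale account names)
failures_without_success() {
    awk '
        $3 == "LOGIN_FAILURE" || $3 == "LOGIN_SUCCESS" {
            u = ""; for (i = 4; i <= NF; i++) if ($i ~ /^user=/) u = substr($i, 6)
            if ($3 == "LOGIN_SUCCESS") ok[u] = 1; else fail[u] = 1
        }
        END { for (u in fail) if (!(u in ok)) print u }
    ' "$1" 2>/dev/null | sort
}

# privileged_changes FILE: the change events the page lists (permission,
# role, user, data source, deployment), in log order
privileged_changes() {
    grep -E -w 'PERMISSION_CHANGE|ROLE_(CREATE|DELETE|MODIFY)|USER_(CREATE|DELETE|MODIFY)|DATASOURCE_CHANGE|APPLICATION_(DEPLOY|UNDEPLOY)' "$1" 2>/dev/null
}

# Constructed sample log (not real Apusic output)
sample=$(mktemp)
cat > "$sample" <<'EOF'
2024-05-06 09:00:01 LOGIN_SUCCESS user=admin ip=10.1.1.10
2024-05-06 09:05:12 LOGIN_FAILURE user=admin ip=203.0.113.7
2024-05-06 09:05:13 LOGIN_FAILURE user=admin ip=203.0.113.7
2024-05-06 09:05:14 LOGIN_FAILURE user=admin ip=203.0.113.7
2024-05-06 09:05:15 LOGIN_FAILURE user=admin ip=203.0.113.7
2024-05-06 09:05:16 LOGIN_FAILURE user=admin ip=203.0.113.7
2024-05-06 09:06:00 LOGIN_FAILURE user=deploy ip=203.0.113.7
2024-05-06 09:30:00 PERMISSION_CHANGE user=admin ip=10.1.1.10 role=deployer
2024-05-06 09:31:00 APPLICATION_DEPLOY user=admin ip=10.1.1.10 app=erp.war
EOF
echo "--- user/ip pairs with >= 5 failures ---"; failed_logins_by_source "$sample" 5
echo "--- accounts that never logged in successfully ---"; failures_without_success "$sample"
echo "--- privileged change events ---"; privileged_changes "$sample"
rm -f "$sample"
```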
IV. Intrusion Prevention
4.1 System Hardening
| Control | Assessment command | Pass criterion |
|---|---|---|
| Version and patches | cat $APUSIC_HOME/version.txt | latest patch level |
| Dangerous interfaces | cat $APUSIC_HOME/config/server.xml | unnecessary interfaces disabled |
| Debug features | cat $APUSIC_HOME/config/debug.xml | disabled in production |
| Sample applications | ls $APUSIC_HOME/examples/ | removed or access restricted |
Apusic-specific configuration:
```bash
# Version and patch information
cat ${APUSIC_HOME}/version.txt
cat ${APUSIC_HOME}/release 2>/dev/null
cat ${APUSIC_HOME}/patch.info 2>/dev/null
# Patch history
ls -la ${APUSIC_HOME}/patches/ 2>/dev/null
# Server configuration (dangerous interface check)
cat ${APUSIC_HOME}/config/server.xml | grep -E 'port|protocol|enabled'
# Key ports:
# 6888 - HTTP port (disable or restrict)
# 6889 - HTTPS port (the one that should be in use)
# 6890 - AJP port (disable if not needed)
# 9999 - management port (restrict access)
# AJP configuration (disable if not needed)
cat ${APUSIC_HOME}/config/server.xml | grep -A5 'AJP'
# Debug configuration
cat ${APUSIC_HOME}/config/debug.xml 2>/dev/null
cat ${APUSIC_HOME}/config/jpda-config.xml 2>/dev/null
# <debug-enabled>false</debug-enabled>
# <jpda-enabled>false</jpda-enabled>
# Sample applications
ls -la ${APUSIC_HOME}/examples/
ls -la ${APUSIC_HOME}/webapps/examples/ 2>/dev/null
ls -la ${APUSIC_HOME}/webapps/docs/ 2>/dev/null
ls -la ${APUSIC_HOME}/webapps/ROOT/ 2>/dev/null
# Management console access restrictions
cat ${APUSIC_HOME}/config/admin-access.xml | grep -E 'allow|deny|ip|host'
# Error page configuration (prevents information disclosure)
cat ${APUSIC_HOME}/config/web.xml | grep -A5 'error-page'
ls -la ${APUSIC_HOME}/webapps/ROOT/WEB-INF/classes/ | grep -i error
# Directory listing configuration
cat ${APUSIC_HOME}/config/web.xml | grep -i 'listings'
cat ${APUSIC_HOME}/conf/web.xml | grep -i 'listings'
# Default servlet configuration
cat ${APUSIC_HOME}/config/default-servlet.xml 2>/dev/null
```
4.2 Resource Limits and Protection
```bash
# Connection limits
cat ${APUSIC_HOME}/config/connection-pool.xml | grep -E 'max-connections|min-connections'
cat ${APUSIC_HOME}/config/thread-pool.xml | grep -E 'max-threads|min-threads'
# Request timeout configuration
cat ${APUSIC_HOME}/config/timeout-config.xml 2>/dev/null
cat ${APUSIC_HOME}/config/server.xml | grep -E 'connectionTimeout|keepAliveTimeout'
# Memory configuration
cat ${APUSIC_HOME}/bin/setenv.sh | grep -E 'Xms|Xmx|MaxPermSize|MetaspaceSize'
cat ${APUSIC_HOME}/config/jvm-options.xml 2>/dev/null | grep -E 'Xms|Xmx'
# File upload limits
cat ${APUSIC_HOME}/config/web.xml | grep -E 'max-file-size|max-request-size'
cat ${APUSIC_HOME}/config/multipart-config.xml 2>/dev/null
# Request size limits
cat ${APUSIC_HOME}/config/server.xml | grep -E 'maxPostSize|maxSavePostSize'
# DoS protection configuration
cat ${APUSIC_HOME}/config/dos-filter.xml 2>/dev/null
cat ${APUSIC_HOME}/config/rate-limit.xml 2>/dev/null
# Concurrency limits
cat ${APUSIC_HOME}/config/concurrent-config.xml 2>/dev/null
```
V. Transport and Storage Security
5.1 SSL/TLS Configuration
```bash
# HTTPS/SSL configuration (-E is required, otherwise plain grep treats '|' literally)
cat ${APUSIC_HOME}/config/server.xml | grep -E -A20 'SSL|TLS|https|keystore|truststore'
# SSL protocol versions (TLSv1.0/1.1 must be disabled)
cat ${APUSIC_HOME}/config/ssl-config.xml | grep -E 'sslProtocol|sslEnabledProtocols|protocols'
# Expected: TLSv1.2, TLSv1.3
# Cipher suite configuration
cat ${APUSIC_HOME}/config/ssl-config.xml | grep -E 'ciphers|cipherSuite|cipher-list'
# Weak suites must be disabled: RC4, DES, 3DES, MD5, SHA1
# Certificate configuration
cat ${APUSIC_HOME}/config/server.xml | grep -E 'certificateKeystoreFile|certificateKeyFile|keystoreFile'
ls -la ${APUSIC_HOME}/config/*.jks ${APUSIC_HOME}/config/*.p12 ${APUSIC_HOME}/config/*.pem 2>/dev/null
# Certificate validity period
keytool -list -v -keystore ${APUSIC_HOME}/config/apusic.keystore 2>/dev/null | grep -E 'Valid from|until|Expiry'
# SM SSL configuration (Apusic V10+ SM edition)
cat ${APUSIC_HOME}/config/gmssl-config.xml 2>/dev/null
cat ${APUSIC_HOME}/config/sm2-config.xml 2>/dev/null
# SM certificates
ls -la ${APUSIC_HOME}/config/*gm* 2>/dev/null
ls -la ${APUSIC_HOME}/config/*sm2* 2>/dev/null
# HSTS configuration (HTTP Strict Transport Security)
cat ${APUSIC_HOME}/config/hsts-config.xml 2>/dev/null
cat ${APUSIC_HOME}/config/web.xml | grep -i 'Strict-Transport-Security'
```
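The protocol and cipher criteria above can be evaluated from the configuration file directly rather than read off a grep listing. The script below is an added example (not from the original post or from Apusic's own tooling): it assumes the Tomcat-style `sslEnabledProtocols="..."` and `ciphers="..."` attribute syntax that the page's own grep patterns target, and the connector it builds is a constructed sample.

```bash
#!/bin/bash
# Added example: checks the section 5.1 TLS criteria. It assumes the
# Tomcat-style connector attributes the page greps for (sslEnabledProtocols,
# ciphers); the sample connector below is constructed, not a real Apusic file.

# attr_value FILE ATTR: value of the first ATTR="..." found in FILE
attr_value() {
    sed -n "s/.*$2=\"\([^\"]*\)\".*/\1/p" "$1" 2>/dev/null | head -n 1
}

# weak_protocols FILE: enabled protocol names below TLSv1.2, one per line
weak_protocols() {
    attr_value "$1" sslEnabledProtocols | tr ',' '\n' | tr -d ' ' |
        grep -E -x 'SSLv2|SSLv3|TLSv1|TLSv1\.1|SSLv2Hello'
}

# weak_ciphers FILE: suites using RC4, DES/3DES, MD5 or SHA-1. In JSSE suite
# names a SHA-1 MAC shows up as a trailing "_SHA", not as "SHA1".
weak_ciphers() {
    attr_value "$1" ciphers | tr ',' '\n' | tr -d ' ' |
        grep -E 'RC4|DES|MD5|SHA1|_SHA$'
}

# tls_verdict FILE: 0 only when an explicit protocol list exists, it holds
# nothing below TLSv1.2, and no weak suite remains
tls_verdict() {
    local protos
    protos=$(attr_value "$1" sslEnabledProtocols)
    [ -n "$protos" ] || return 1   # no explicit list: cannot prove TLSv1.0/1.1 are off
    [ -z "$(weak_protocols "$1")" ] && [ -z "$(weak_ciphers "$1")" ]
}

# Constructed sample: a connector still offering TLSv1/TLSv1.1 and an RC4
# suite plus a CBC_SHA (SHA-1) suite next to a modern GCM suite
cfg=$(mktemp)
cat > "$cfg" <<'EOF'
<Connector port="6889" scheme="https" secure="true" SSLEnabled="true"
  sslEnabledProtocols="TLSv1,TLSv1.1,TLSv1.2"
  ciphers="TLS_RSA_WITH_RC4_128_SHA,TLS_RSA_WITH_AES_128_CBC_SHA,TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384" />
EOF
echo "weak protocols:"; weak_protocols "$cfg"
echo "weak ciphers:";   weak_ciphers "$cfg"
tls_verdict "$cfg" && echo "TLS: PASS" || echo "TLS: FAIL (enable TLSv1.2+ only and drop the weak suites)"
rm -f "$cfg"
```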
5.2 Session and Cookie Security
```bash
# Session cookie security settings
cat ${APUSIC_HOME}/config/session-config.xml | grep -E 'httpOnly|secure|sameSite'
cat ${APUSIC_HOME}/config/context.xml | grep -E 'httpOnly|secure|sameSite'
# Cookie configuration
cat ${APUSIC_HOME}/config/cookie-config.xml 2>/dev/null
# Session ID generator
cat ${APUSIC_HOME}/config/session-id-generator.xml 2>/dev/null
# Session persistence configuration
cat ${APUSIC_HOME}/config/session-persistence.xml 2>/dev/null
# Static resource cache control
cat ${APUSIC_HOME}/config/web.xml | grep -E 'Cache-Control|Pragma|Expires'
cat ${APUSIC_HOME}/config/cache-control.xml 2>/dev/null
# Security response headers
cat ${APUSIC_HOME}/config/security-headers.xml 2>/dev/null
# Should include:
# X-Content-Type-Options: nosniff
# X-Frame-Options: DENY/SAMEORIGIN
# X-XSS-Protection: 1; mode=block
# Content-Security-Policy
```
VI. Data Security and Encryption
6.1 Data Encryption Configuration
```bash
# Data source encryption
cat ${APUSIC_HOME}/config/datasource-encryption.xml 2>/dev/null
# Property encryption
cat ${APUSIC_HOME}/config/property-encryption.xml 2>/dev/null
# JNDI encryption
cat ${APUSIC_HOME}/config/jndi-encryption.xml 2>/dev/null
# SM national-cryptography encryption (SM4)
cat ${APUSIC_HOME}/config/sm4-encryption.xml 2>/dev/null
cat ${APUSIC_HOME}/config/gm-crypto.xml 2>/dev/null
# Key management
cat ${APUSIC_HOME}/config/key-management.xml 2>/dev/null
cat ${APUSIC_HOME}/config/key-store.xml 2>/dev/null
# HSM integration (hardware cryptographic module)
cat ${APUSIC_HOME}/config/hsm-config.xml 2>/dev/null
cat ${APUSIC_HOME}/config/swj-config.xml 2>/dev/null   # Sansec (三未信安)
cat ${APUSIC_HOME}/config/jit-config.xml 2>/dev/null   # JIT (江南天安)
```
6.2 Data Masking
```bash
# Data masking configuration
cat ${APUSIC_HOME}/config/data-masking.xml 2>/dev/null
# Sensitive data identification rules
cat ${APUSIC_HOME}/config/sensitive-data-rules.xml 2>/dev/null
# Masking policy
cat ${APUSIC_HOME}/config/masking-policy.xml 2>/dev/null
# Log masking configuration
cat ${APUSIC_HOME}/config/log-masking.xml 2>/dev/null
```
VII. Backup and Recovery
```bash
# Backup configuration
cat ${APUSIC_HOME}/config/backup-config.xml 2>/dev/null
# Automatic backup configuration
cat ${APUSIC_HOME}/config/auto-backup.xml 2>/dev/null
# Backup directories
ls -la ${APUSIC_HOME}/backup/ 2>/dev/null
ls -la /backup/apusic/ 2>/dev/null
# Backup scripts and schedules
crontab -l | grep -i apusic
ls /etc/cron.d/*apusic* 2>/dev/null
cat ${APUSIC_HOME}/bin/backup.sh 2>/dev/null
# Recovery test records
cat ${APUSIC_HOME}/logs/restore-test.log 2>/dev/null
ls -la ${APUSIC_HOME}/restore-test/ 2>/dev/null
# Configuration exports
ls -la ${APUSIC_HOME}/config-export/ 2>/dev/null
# Domain configuration backups
ls -la ${APUSIC_HOME}/domains/*/backup/ 2>/dev/null
```
VIII. Kingdee Apusic Compared with TongTech TongWeb and Baolande BES
| Item | Kingdee Apusic | TongTech TongWeb | Baolande BES |
|---|---|---|---|
| MLPS (等保) support | native | native | native |
| SM algorithms | SM2/SM3/SM4 | SM2/SM3/SM4 | SM2/SM3/SM4 |
| Three-administrator separation of duties | Enterprise Edition | supported | supported |
| Audit logging | built in | built in | built in |
| HSM support | supported | supported | supported |
| ERP integration | excellent (Kingdee ERP) | average | average |
| Cloud-native support | good | good | good |
| MLPS compliance effort | low | low | low |
| Government sector adoption | wide | wide | wide |
IX. One-Click Inspection Script (Kingdee Apusic)
```bash
#!/bin/bash
# Kingdee Apusic Application Server: MLPS Level 3 one-click inspection script
# Applies to: Apusic V9.x / V10.x / V11.x
# Note: a pipeline's exit status is that of its last command (head/tail), so the
# "| grep ." placed before each "|| echo" fallback makes the fallback fire when
# the preceding commands produced no output (missing file, no matches).
APUSIC_HOME=${1:-/opt/apusic}
echo "===== 金蝶Apusic应用服务器等保三级巡检 ====="
echo "巡检时间:$(date)"
echo "主机名:$(hostname)"
echo "APUSIC_HOME: $APUSIC_HOME"
echo ""
if [ ! -d "$APUSIC_HOME" ]; then
    echo "错误:未找到Apusic安装目录 $APUSIC_HOME"
    echo "请指定正确的Apusic安装路径"
    exit 1
fi
echo "===== 1 身份鉴别 ====="
echo "--- 版本信息 ---"
cat ${APUSIC_HOME}/version.txt 2>/dev/null || echo "未找到版本文件"
echo "--- 用户配置 ---"
cat ${APUSIC_HOME}/config/users.xml 2>/dev/null | grep -E 'username|password' | head -10
echo "--- 密码策略 ---"
cat ${APUSIC_HOME}/config/password-policy.xml 2>/dev/null | grep -E 'min-length|complexity|max-age' | head -5
echo "--- 登录锁定配置 ---"
cat ${APUSIC_HOME}/config/lockout-config.xml 2>/dev/null | grep -E 'enabled|max-failures|lockout-duration' | head -5
echo "--- 会话超时 ---"
cat ${APUSIC_HOME}/config/session-config.xml 2>/dev/null | grep -E 'session-timeout' | head -3
echo "--- 国密配置 ---"
ls ${APUSIC_HOME}/config/*gm* ${APUSIC_HOME}/config/*sm* 2>/dev/null || echo "未检测到国密配置文件"
echo ""
echo "===== 2 访问控制 ====="
echo "--- 管理接口绑定 ---"
cat ${APUSIC_HOME}/config/management.xml 2>/dev/null | grep -E 'bind-address|port' | head -5
echo "--- 角色配置 ---"
cat ${APUSIC_HOME}/config/roles.xml 2>/dev/null | grep -E 'role-name|role-link' | head -10
echo "--- 三权分立配置 ---"
cat ${APUSIC_HOME}/config/separation-of-duties.xml 2>/dev/null | head -10 | grep . || echo "未配置三权分立(可能为标准版)"
echo "--- JMX访问控制 ---"
cat ${APUSIC_HOME}/config/jmxremote.access 2>/dev/null | head -5
echo "--- 示例应用检查 ---"
ls ${APUSIC_HOME}/examples/ 2>/dev/null | head -5 | grep . || echo "未找到示例应用目录"
echo ""
echo "===== 3 安全审计 ====="
echo "--- 审计配置 ---"
cat ${APUSIC_HOME}/config/audit.xml 2>/dev/null | head -10 | grep . || echo "未找到审计配置文件"
echo "--- 审计事件 ---"
cat ${APUSIC_HOME}/config/audit-events.xml 2>/dev/null | grep -E 'event-type' | head -10
echo "--- 日志目录 ---"
ls -la ${APUSIC_HOME}/logs/ 2>/dev/null | head -5
echo "--- 审计日志 ---"
ls -la ${APUSIC_HOME}/logs/audit* 2>/dev/null | head -3 | grep . || echo "未找到审计日志"
echo "--- 最近登录记录 ---"
grep "LOGIN" ${APUSIC_HOME}/logs/audit.log 2>/dev/null | tail -5 | grep . || echo "无登录记录"
echo ""
echo "===== 4 入侵防范 ====="
echo "--- 服务器端口 ---"
cat ${APUSIC_HOME}/config/server.xml 2>/dev/null | grep -E 'port|protocol' | head -10
echo "--- 调试配置 ---"
cat ${APUSIC_HOME}/config/debug.xml 2>/dev/null | grep -E 'enabled' | head -3 | grep . || echo "未找到调试配置"
echo "--- 连接池配置 ---"
cat ${APUSIC_HOME}/config/connection-pool.xml 2>/dev/null | grep -E 'max-connections' | head -3
echo "--- DoS防护 ---"
cat ${APUSIC_HOME}/config/dos-filter.xml 2>/dev/null | head -5 | grep . || echo "未配置DoS防护"
echo ""
echo "===== 5 传输安全 ====="
echo "--- SSL配置 ---"
cat ${APUSIC_HOME}/config/server.xml 2>/dev/null | grep -E -A5 'SSL|TLS' | head -10
echo "--- SSL协议版本 ---"
cat ${APUSIC_HOME}/config/ssl-config.xml 2>/dev/null | grep -E 'protocol|cipher' | head -5
echo "--- 证书配置 ---"
ls -la ${APUSIC_HOME}/config/*.jks ${APUSIC_HOME}/config/*.p12 2>/dev/null | head -3
echo "--- 证书有效期 ---"
for keystore in ${APUSIC_HOME}/config/*.jks; do
    if [ -f "$keystore" ]; then
        echo "Keystore: $keystore"
        keytool -list -v -keystore "$keystore" -storepass changeit 2>/dev/null | grep -E 'Valid from|until' | head -2
    fi
done
echo "--- 会话Cookie安全 ---"
cat ${APUSIC_HOME}/config/session-config.xml 2>/dev/null | grep -E 'httpOnly|secure' | head -3
echo ""
echo "===== 6 数据安全 ====="
echo "--- 数据源加密 ---"
cat ${APUSIC_HOME}/config/datasource-encryption.xml 2>/dev/null | head -5 | grep . || echo "未配置数据源加密"
echo "--- 数据脱敏 ---"
cat ${APUSIC_HOME}/config/data-masking.xml 2>/dev/null | head -5 | grep . || echo "未配置数据脱敏"
echo "--- 国密加密 ---"
cat ${APUSIC_HOME}/config/sm4-encryption.xml 2>/dev/null | head -5 | grep . || echo "未配置SM4加密"
echo ""
echo "===== 7 备份恢复 ====="
echo "--- 备份目录 ---"
ls -la ${APUSIC_HOME}/backup/ 2>/dev/null | head -5 | grep . || echo "未找到备份目录"
echo "--- 备份配置 ---"
cat ${APUSIC_HOME}/config/backup-config.xml 2>/dev/null | head -5 | grep . || echo "未配置自动备份"
echo "--- 配置导出 ---"
ls -la ${APUSIC_HOME}/config-export/ 2>/dev/null | head -3 | grep . || echo "未找到配置导出"
echo ""
echo "===== 通用安全检查 ====="
echo "--- 进程运行用户 ---"
ps -ef | grep java | grep -i apusic | grep -v grep | awk '{print $1}' | sort | uniq -c
echo "--- 配置文件权限 ---"
find ${APUSIC_HOME}/config -name "*.xml" -o -name "*.properties" 2>/dev/null | xargs ls -la 2>/dev/null | awk '{print $1, $3, $4, $9}' | head -10
echo "--- 日志文件权限 ---"
ls -la ${APUSIC_HOME}/logs/*.log 2>/dev/null | awk '{print $1, $3, $4, $9}' | head -5
echo "--- 端口监听 ---"
ss -tulnp 2>/dev/null | grep -E '6888|6889|6890|9999' | head -5
echo "--- 国密库检查 ---"
find ${APUSIC_HOME}/ -name "*gmssl*" -o -name "*sm2*" -o -name "*sm3*" -o -name "*sm4*" 2>/dev/null | head -5 | grep . || echo "未检测到国密库文件"
echo ""
echo "===== 巡检完成 ====="
echo "重点关注以下高风险项:"
echo "1. 默认admin/admin口令未修改"
echo "2. 未启用HTTPS/SSL或配置弱协议版本"
echo "3. 未配置密码复杂度策略"
echo "4. 未启用登录失败锁定"
echo "5. 会话超时时间过长(>30分钟)"
echo "6. 未启用审计日志"
echo "7. 调试功能未禁用"
echo "8. 示例应用未删除"
echo "9. 未配置国密算法"
echo "10. 运行用户为root"
```
X. High-Risk Item Checklist
| Check item | Verification command | Non-compliance finding | Remediation |
|---|---|---|---|
| Default admin password unchanged | cat ${APUSIC_HOME}/config/users.xml | default hash or plaintext password present | change to a strong password immediately |
| HTTPS not enabled | cat ${APUSIC_HOME}/config/server.xml \| grep SSL | no SSL configuration, HTTP only | configure an SSL certificate |
| TLS protocol version too low | cat ${APUSIC_HOME}/config/ssl-config.xml | TLSv1.0/1.1 enabled | enable TLSv1.2+ only |
| No password complexity policy | cat ${APUSIC_HOME}/config/password-policy.xml | file absent or min-length<8 | enable complexity checks |
| Login failure lockout not enabled | cat ${APUSIC_HOME}/config/lockout-config.xml | file absent or enabled=false | enable failure lockout |
| Session timeout too long | cat ${APUSIC_HOME}/config/session-config.xml | timeout>30 | set to ≤ 30 minutes |
| Auditing not enabled | ls ${APUSIC_HOME}/logs/audit.log | no audit log | enable auditing |
| Debug features enabled | cat ${APUSIC_HOME}/config/debug.xml | enabled=true | disable in production |
| Sample applications not removed | ls ${APUSIC_HOME}/examples/ | sample applications present | remove or restrict access |
| SM algorithms not enabled | ls ${APUSIC_HOME}/config/*gm* | no SM configuration | configure SM SSL |
XI. Key Points for MLPS Assessment Execution
1. Version and licence confirmation
- Apusic V9.x: basic security features
- Apusic V10.x: enhanced SM support, three-administrator separation of duties
- Apusic V11.x: cloud-native security, zero-trust architecture
- Confirm the licensed edition (Standard / Enterprise), since it determines the available feature set
2. SM compliance check focus
```bash
# Is SM SSL in use?
# Note: stock OpenSSL has no GM/T TLCP support, so an SM2 negotiation will only
# be visible with an SM-capable build (for example Tongsuo); </dev/null stops
# s_client from waiting on stdin
openssl s_client -connect localhost:6889 -tls1_2 </dev/null 2>/dev/null | grep -i "sm2\|SM2\|国密"
# Does the certificate use SM algorithms?
keytool -list -v -keystore ${APUSIC_HOME}/config/apusic.keystore 2>/dev/null | grep -i "SM2\|SM3\|国密"
# HSM connection
cat ${APUSIC_HOME}/config/hsm-config.xml 2>/dev/null
```
3. Security of the Kingdee ERP integration
- Check the authentication integration between EAS/K3Cloud and Apusic
- Verify the ERP data source encryption configuration
- Confirm that ERP operation audits are correlated with Apusic audits
4. On-site interview points
- Are administrator passwords rotated regularly (≤ 90 days)?
- Is three-administrator separation of duties enabled (Enterprise Edition)?
- Are SM algorithms used to encrypt data in transit?
- Are configuration files and keystores backed up regularly?
- Are recovery drills performed (at least once every six months)?
- Are audit logs monitored and anomalies analysed?
5. Version differences
| Feature | Apusic V9 | Apusic V10 | Apusic V11 |
|---|---|---|---|
| SM SSL | basic | full | enhanced |
| Three-administrator separation of duties | not supported | supported | enhanced |
| Cloud-native support | limited | supported | full |
| Zero-trust architecture | not supported | not supported | supported |
| Microservice security | basic | enhanced | full |
Reference standards: GB/T 22239-2019, GB/T 28448-2019, GM/T 0054-2018 (SM national cryptography standard), Kingdee Apusic Security Hardening Guide
Applicable versions: Apusic Application Server V9.x / V10.x / V11.x
Verified environments: x86_64 / ARM64 / domestic CPUs (Phytium / Kunpeng / Loongson / Hygon / Zhaoxin / Sunway)
Statement: from 汪汪虚拟空间; represents the author's views only. Link: https://eyangzhen.com/7562.html