民镜 posted on 2026-3-12 18:08:00

MLPS 2.0 Level 3 Security Baseline Full-Stack Implementation Guide: Multi-OS Adaptation for CentOS/Kylin/UOS (Step-by-Step Script Edition)

<h2 id="一概述">I. Overview</h2>
<h3 id="11-背景与合规依据">1.1 Background and compliance basis</h3>
<p>With the Regulations on Classified Protection of Cybersecurity in force, GB/T 22239-2019 "Information security technology - Baseline for classified protection of cybersecurity" (MLPS 2.0) has become the core standard for cyberspace security protection. Its <strong>Level 3 secure computing environment</strong> imposes mandatory requirements on operating-system identity authentication, access control, security auditing and related controls.</p>
<p>This article covers the mainstream server operating systems <strong>CentOS 7/8/Stream</strong>, <strong>Kylin V10</strong> and <strong>UOS V20/V23</strong>. Every configuration maps strictly to the MLPS 2.0 Level 3 requirements, and <strong>every script performs automatic backups, adapts to the detected system and reports errors</strong>; the scripts can be copied and run directly and have been verified for compatibility across multiple environments.</p>
<h3 id="12-适用范围">1.2 Scope</h3>
<ul>
<li>Supported systems: CentOS 7/8/Stream, Kylin V10 (x86/ARM), UOS V20/V23 (x86/ARM)</li>
<li>Compliance scenarios: MLPS 2.0 Level 3 assessment, enterprise intranet hardening, defensive preparation before attack-defence drills</li>
<li>Execution privilege: every step requires <strong>root</strong>; non-root users should first switch with <code>sudo su -</code></li>
</ul>
<h3 id="13-前置风险提示强制执行">1.3 Pre-execution risk notice (mandatory)</h3>
<ol>
<li><strong>Never run unverified scripts directly on production servers</strong>; validate them first in a 1:1 replica test environment.</li>
<li>Core configuration is backed up automatically before each change; a full manual backup is also possible: <code>tar czf /data/os_bak_$(date +%F).tar.gz /etc</code>.</li>
<li>After changing SSH, PAM or similar configuration, <strong>keep the current login session open</strong>; open a new terminal and confirm that login works before closing the original session.</li>
<li>Never delete core system accounts (nobody, root, systemd-related accounts); only lock accounts that are clearly unused.</li>
<li>All changes must go through the enterprise change-management process, with a maintenance window and rollback plan arranged in advance.</li>
</ol>
<h2 id="二系统环境自动识别与基础工具安装">II. Automatic system detection and base tool installation</h2>
<h3 id="21-系统环境自动识别脚本">2.1 System detection script</h3>
<pre><code class="language-bash">#!/bin/bash
# Detect the operating system and prepare the environment
# Copy and run as-is

echo "===== 1. 系统环境识别 ====="
if [ -f /etc/kylin-release ]; then
    # Kylin is checked before the generic RHEL marker so it is never misread as CentOS
    OS_TYPE="Kylin"
    OS_VERSION=$(grep -oE "V[0-9]+" /etc/kylin-release | head -1)
    PKG_MGR="dnf"
    [ -f /etc/debian_version ] &amp;&amp; PKG_MGR="apt"   # Debian-based Kylin builds
elif [ -f /etc/uos-release ]; then
    OS_TYPE="UOS"
    OS_VERSION=$(grep -oE "V[0-9]+" /etc/uos-release | head -1)
    PKG_MGR="apt"
elif [ -f /etc/redhat-release ]; then
    OS_TYPE="CentOS"
    OS_VERSION=$(grep -oE "[0-9]+" /etc/redhat-release | head -1)   # major version only
    PKG_MGR="yum"
    [ "$OS_VERSION" -ge 8 ] 2&gt;/dev/null &amp;&amp; PKG_MGR="dnf"
else
    echo "[错误] 未识别的操作系统,脚本退出"
    exit 1
fi

echo "操作系统类型:$OS_TYPE"
echo "操作系统版本:$OS_VERSION"
echo "包管理器:$PKG_MGR"

echo "===== 2. 创建备份目录 ====="
# The backups will contain copies of /etc/shadow, so keep the directory root-only
BACKUP_DIR="/data/equality_backup_$(date +%F)"
mkdir -p "$BACKUP_DIR"
chmod 700 "$BACKUP_DIR"
echo "备份目录:$BACKUP_DIR"

echo "===== 3. 安装基础工具 ====="
if [ "$PKG_MGR" = "apt" ]; then
    apt update -y
    # clamav-daemon provides the clamav-daemon service used in 3.5, ufw the firewall used in 3.4
    apt install -y curl wget vim net-tools auditd aide clamav clamav-daemon fail2ban ufw
else
    # fail2ban and ClamAV come from EPEL; the repository package may not exist on Kylin
    $PKG_MGR install -y epel-release 2&gt;/dev/null
    # clamd provides the clamd@scan service used in 3.5
    $PKG_MGR install -y curl wget vim net-tools auditd aide clamav clamav-update clamd fail2ban
fi

echo "===== 环境准备完成 ====="
# Save the environment for the later scripts; root-only, because they source it as root
rm -f /tmp/os_env.sh
umask 077
cat &gt; /tmp/os_env.sh &lt;&lt; EOF
export OS_TYPE=$OS_TYPE
export OS_VERSION=$OS_VERSION
export PKG_MGR=$PKG_MGR
export BACKUP_DIR=$BACKUP_DIR
EOF
</code></pre>
<h2 id="三等保20三级核心控制点整改配置保姆式脚本">III. MLPS 2.0 Level 3 core control-point remediation (step-by-step scripts)</h2>
<h3 id="31-身份鉴别gbt-22239-2019-8141">3.1 Identity authentication (GB/T 22239-2019 8.1.4.1)</h3>
<h4 id="311-口令生命周期与复杂度配置">3.1.1 Password lifecycle and complexity</h4>
<pre><code class="language-bash">#!/bin/bash
# Identity authentication: password policy
# Copy and run as-is

source /tmp/os_env.sh
[ -z "$BACKUP_DIR" ] &amp;&amp; echo "[错误] 请先执行环境准备脚本" &amp;&amp; exit 1

echo "===== 1. 备份核心配置文件 ====="
cp /etc/login.defs "$BACKUP_DIR/login.defs.bak"
cp /etc/pam.d/system-auth "$BACKUP_DIR/system-auth.bak" 2&gt;/dev/null
cp /etc/pam.d/password-auth "$BACKUP_DIR/password-auth.bak" 2&gt;/dev/null
cp /etc/pam.d/common-password "$BACKUP_DIR/common-password.bak" 2&gt;/dev/null
cp /etc/security/pwquality.conf "$BACKUP_DIR/pwquality.conf.bak" 2&gt;/dev/null

echo "===== 2. 配置口令生命周期 ====="
# set_login_def KEY VALUE: replace the active key or append it.
# Note: login.defs only governs accounts created from now on; existing
# accounts keep their aging fields in /etc/shadow (adjust those with chage).
set_login_def() {
    if grep -q "^$1" /etc/login.defs; then
        sed -i "s/^$1.*/$1   $2/" /etc/login.defs
    else
        echo "$1   $2" &gt;&gt; /etc/login.defs
    fi
}
set_login_def PASS_MIN_LEN 8     # minimum length &gt;= 8 characters
set_login_def PASS_MAX_DAYS 90   # maximum password age &lt;= 90 days
set_login_def PASS_MIN_DAYS 1    # minimum interval between changes &gt;= 1 day
set_login_def PASS_WARN_AGE 7    # warn &gt;= 7 days before expiry

echo "===== 3. 配置口令复杂度 ====="
PWQ_OPTS="retry=3 minlen=8 minclass=4 ucredit=-1 lcredit=-1 dcredit=-1 ocredit=-1"
if [ "$OS_TYPE" = "CentOS" ] || ([ "$OS_TYPE" = "Kylin" ] &amp;&amp; [ "$PKG_MGR" = "dnf" ]); then
    # CentOS/Kylin (RHEL family): pam_pwquality. The real files separate the
    # fields with several spaces, so match on [[:space:]]\+ rather than one space.
    # SSH password changes go through password-auth, console ones through system-auth.
    # On CentOS 8+/Stream authselect generates both files and a later
    # "authselect select/apply-changes" would overwrite manual edits, so the same
    # limits are also written to /etc/security/pwquality.conf.
    for f in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
        [ -f "$f" ] || continue
        sed -i "s/^password[[:space:]]\+requisite.*pam_pwquality.so.*/password    requisite     pam_pwquality.so try_first_pass local_users_only $PWQ_OPTS/" "$f"
        # Password history: the last 12 passwords may not be reused
        sed -i '/^password[[:space:]]\+sufficient.*pam_unix.so/s/[[:space:]]*remember=[^[:space:]]*//' "$f"
        sed -i 's/^password[[:space:]]\+sufficient.*pam_unix.so.*/&amp; remember=12/' "$f"
    done
    if [ -f /etc/security/pwquality.conf ]; then
        for kv in $PWQ_OPTS; do
            k=${kv%%=*}; v=${kv#*=}
            sed -i "/^#\?$k[[:space:]]*=/d" /etc/security/pwquality.conf
            echo "$k = $v" &gt;&gt; /etc/security/pwquality.conf
        done
    fi
else
    # Kylin (Debian family)/UOS: pam_cracklib + pam_unix. Newer Debian releases
    # no longer package libpam-cracklib; pam_pwquality takes the same options.
    PWMOD=pam_cracklib.so
    dpkg -s libpam-cracklib &gt;/dev/null 2&gt;&amp;1 || apt install -y libpam-cracklib &gt;/dev/null 2&gt;&amp;1 || { apt install -y libpam-pwquality &amp;&amp; PWMOD=pam_pwquality.so; }
    # Replace any existing strength-check line (pam-auth-update adds a minimal one)
    # and insert ours before pam_unix so the check runs first
    sed -i '/pam_cracklib.so\|pam_pwquality.so/d' /etc/pam.d/common-password
    sed -i "/^password.*pam_unix.so/i password requisite $PWMOD $PWQ_OPTS" /etc/pam.d/common-password
    if ! grep -q "remember=12" /etc/pam.d/common-password; then
        sed -i 's/^password.*pam_unix.so.*/&amp; remember=12/' /etc/pam.d/common-password
    fi
fi

echo "===== 口令策略配置完成 ====="
echo "备份文件路径:$BACKUP_DIR"
</code></pre>
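<p>The lifecycle values above are written to login.defs, which only governs accounts created from now on; an assessor running <code>chage -l</code> on an account that already existed will still see its old aging fields. As an added example that is not part of the original article, the shell functions below audit every account in /etc/shadow that carries a real password hash against the same limits and can apply them with <code>chage</code>; <code>SHADOW_FILE</code> is an assumed override so the audit can be run on a copy.</p>

```shell
#!/bin/sh
# Added example (not from the original article): audit and fix password aging
# of EXISTING accounts, which login.defs PASS_* values do not touch.
# Assumption: SHADOW_FILE may point at a copy of /etc/shadow for testing.

SHADOW_FILE="${SHADOW_FILE:-/etc/shadow}"
MAX_DAYS=90    # maximum password age (days)
MIN_DAYS=1     # minimum interval between changes (days)
WARN_DAYS=7    # warning period before expiry (days)

# Print "user:min:max:warn" for every account whose aging fields are missing or
# outside the limits. Accounts without a usable hash (empty, "!" or "*" prefixed:
# locked or password-less service accounts) are skipped here; empty passwords are
# the job of the account clean-up script. Exit 0 if all comply, 1 otherwise.
audit_password_aging() {
    awk -F: -v max="$MAX_DAYS" -v min="$MIN_DAYS" -v warn="$WARN_DAYS" '
        $2 == "" || $2 ~ /^[!*]/ { next }
        {
            bad = 0
            if ($4 == "" || $4 + 0 < min + 0)  bad = 1   # field 4: min days
            if ($5 == "" || $5 + 0 > max + 0)  bad = 1   # field 5: max days
            if ($6 == "" || $6 + 0 < warn + 0) bad = 1   # field 6: warn days
            if (bad) { print $1 ":" $4 ":" $5 ":" $6; found = 1 }
        }
        END { exit found ? 1 : 0 }' "$SHADOW_FILE"
}

# Apply the limits with chage to every account the audit reports.
fix_password_aging() {
    audit_password_aging | cut -d: -f1 | while read -r user; do
        chage -m "$MIN_DAYS" -M "$MAX_DAYS" -W "$WARN_DAYS" "$user" && echo "aging fixed: $user"
    done
}

case "${1:-}" in
    --audit) audit_password_aging ;;
    --fix)   fix_password_aging ;;
esac
```

Run it as root with <code>--audit</code> first and review the list before <code>--fix</code>; root itself is included, since the Level 3 assessment checks it too.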
<h4 id="312-登录失败锁定与会话超时配置">3.1.2 Login-failure lockout and session timeout</h4>
<pre><code class="language-bash">#!/bin/bash
# Identity authentication: login-failure lockout + session timeout + SSH hardening
# Copy and run as-is

source /tmp/os_env.sh
[ -z "$BACKUP_DIR" ] &amp;&amp; echo "[错误] 请先执行环境准备脚本" &amp;&amp; exit 1

echo "===== 1. 备份核心配置文件 ====="
cp /etc/profile "$BACKUP_DIR/profile.bak"
cp /etc/bashrc "$BACKUP_DIR/bashrc.bak" 2&gt;/dev/null
cp /etc/bash.bashrc "$BACKUP_DIR/bash.bashrc.bak" 2&gt;/dev/null
cp /etc/ssh/sshd_config "$BACKUP_DIR/sshd_config.bak"
cp /etc/pam.d/system-auth "$BACKUP_DIR/system-auth.lock.bak" 2&gt;/dev/null
cp /etc/pam.d/password-auth "$BACKUP_DIR/password-auth.lock.bak" 2&gt;/dev/null
cp /etc/pam.d/common-auth "$BACKUP_DIR/common-auth.bak" 2&gt;/dev/null
cp /etc/pam.d/common-account "$BACKUP_DIR/common-account.bak" 2&gt;/dev/null

echo "===== 2. 配置登录失败锁定 ====="
LOCK_OPTS="deny=5 unlock_time=900 even_deny_root root_unlock_time=900"

# has_pam_mod NAME: is the PAM module installed? (RHEL: /lib64/security, Debian: /lib/*/security)
has_pam_mod() { ls /lib64/security/$1 /lib/*/security/$1 &gt;/dev/null 2&gt;&amp;1; }

# write_faillock_conf: pam_faillock (PAM 1.4+) reads its limits from this file
write_faillock_conf() {
    cat &gt; /etc/security/faillock.conf &lt;&lt; EOF
deny = 5
unlock_time = 900
even_deny_root
root_unlock_time = 900
EOF
}

# install_tally2 AUTH_FILE: pam_tally2 lockout (older PAM releases)
install_tally2() {
    sed -i '/pam_tally2.so/d' "$1"
    sed -i "1i auth required pam_tally2.so $LOCK_OPTS" "$1"
    sed -i '1i account required pam_tally2.so' "$1"
}

# install_faillock AUTH_FILE ACCOUNT_FILE: pam_faillock lockout. preauth must run
# before pam_unix and authfail directly after it. authfail uses [default=die] and
# is followed by authsucc so the stack works both where pam_unix is "sufficient"
# (RHEL) and where it is "[success=1 default=ignore]" (Debian). The limits are
# repeated on the lines for PAM releases that do not read faillock.conf.
install_faillock() {
    write_faillock_conf
    sed -i '/pam_faillock.so/d' "$1" "$2"
    sed -i "/^auth.*pam_unix.so/i auth required pam_faillock.so preauth silent audit $LOCK_OPTS" "$1"
    sed -i "/^auth.*pam_unix.so/a auth sufficient pam_faillock.so authsucc audit $LOCK_OPTS" "$1"
    sed -i "/^auth.*pam_unix.so/a auth [default=die] pam_faillock.so authfail audit $LOCK_OPTS" "$1"
    sed -i '/^account.*pam_unix.so/i account required pam_faillock.so' "$2"
}

if [ "$OS_TYPE" = "CentOS" ] || ([ "$OS_TYPE" = "Kylin" ] &amp;&amp; [ "$PKG_MGR" = "dnf" ]); then
    # CentOS/Kylin (RHEL family). SSH logins go through password-auth and console
    # logins through system-auth, so both stacks need the lockout.
    if [ "$OS_VERSION" = "7" ]; then
        for f in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
            [ -f "$f" ] &amp;&amp; install_tally2 "$f"
        done
    elif command -v authselect &gt;/dev/null 2&gt;&amp;1 &amp;&amp; authselect enable-feature with-faillock 2&gt;/dev/null; then
        # authselect owns system-auth/password-auth on CentOS 8+/Stream and wires
        # pam_faillock into both in the right order; limits come from faillock.conf
        write_faillock_conf
    else
        for f in /etc/pam.d/system-auth /etc/pam.d/password-auth; do
            [ -f "$f" ] &amp;&amp; install_faillock "$f" "$f"
        done
    fi
else
    # Kylin (Debian family)/UOS: pam_tally2 where it still exists, otherwise
    # pam_faillock (Linux-PAM 1.5 removed pam_tally2)
    if has_pam_mod pam_tally2.so; then
        install_tally2 /etc/pam.d/common-auth
    else
        install_faillock /etc/pam.d/common-auth /etc/pam.d/common-account
    fi
fi

echo "===== 3. 配置会话超时 ====="
# Idle shell timeout of 300 s in the login profile and the interactive rc file
# (/etc/bashrc on the RHEL family, /etc/bash.bashrc on the Debian family)
set_tmout() {
    if grep -q '^export TMOUT' "$1"; then
        sed -i 's/^export TMOUT.*/export TMOUT=300/' "$1"
    else
        echo "export TMOUT=300" &gt;&gt; "$1"
    fi
}
for rc in /etc/profile /etc/bashrc /etc/bash.bashrc; do
    [ -f "$rc" ] &amp;&amp; set_tmout "$rc"
done

echo "===== 4. 配置SSH安全 ====="
SSHD_CONF=/etc/ssh/sshd_config
# set_sshd_opt KEY VALUE. sshd keeps the FIRST value it reads for a keyword, and
# newer releases begin sshd_config with "Include /etc/ssh/sshd_config.d/*.conf",
# so a line appended at the end can lose to a vendor drop-in. With that layout
# the setting goes into a drop-in that sorts first; otherwise it is edited in place.
set_sshd_opt() {
    if grep -qi '^Include' $SSHD_CONF &amp;&amp; [ -d /etc/ssh/sshd_config.d ]; then
        DROPIN=/etc/ssh/sshd_config.d/00-equality.conf
        touch "$DROPIN"; chmod 600 "$DROPIN"
        sed -i "/^$1[[:space:]]/Id" "$DROPIN"
        echo "$1 $2" &gt;&gt; "$DROPIN"
    elif grep -qi "^$1[[:space:]]" $SSHD_CONF; then
        sed -i "s/^$1[[:space:]].*/$1 $2/I" $SSHD_CONF
    else
        echo "$1 $2" &gt;&gt; $SSHD_CONF
    fi
}
set_sshd_opt PermitRootLogin no        # no direct root login over SSH
set_sshd_opt ClientAliveInterval 300   # probe idle clients every 300 s ...
set_sshd_opt ClientAliveCountMax 1     # ... and drop those that stop answering.
                                       # On OpenSSH 8.2+ a value of 0 DISABLES termination.

# Protocol 2 only. OpenSSH 7.4+ has no SSH-1 server support and treats this
# keyword as a deprecated no-op; it is kept for older builds
sed -i '/^Protocol/d' $SSHD_CONF
echo "Protocol 2" &gt;&gt; $SSHD_CONF

# Validate before restarting, and keep the current session open while testing!
if sshd -t 2&gt;/dev/null; then
    systemctl restart sshd
    echo "[提示] SSH服务已重启,请新开终端验证登录成功后再关闭当前会话"
else
    echo "[错误] sshd配置校验失败,未重启SSH服务,请检查 $SSHD_CONF"
fi

echo "===== 登录安全配置完成 ====="
echo "备份文件路径:$BACKUP_DIR"
</code></pre>
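<p>The hardening scripts repeat a grep-then-sed-else-append triplet for every sshd_config and login.defs keyword. As an added example that is not part of the original article, the two functions below do the same job idempotently and also respect the two things that triplet gets wrong: a commented default such as <code>#PermitRootLogin yes</code> is not an active setting, and sshd uses the first value it reads, so a line appended after an <code>Include /etc/ssh/sshd_config.d/*.conf</code> directive can silently lose to a vendor drop-in. <code>set_kv</code>/<code>get_kv</code> and the explicit file argument are assumptions of this example, chosen so it can be tried on a copy of the file.</p>

```shell
#!/bin/sh
# Added example (not from the original article): idempotent "Keyword value"
# setter/getter for sshd_config- and login.defs-style files.
# Assumptions: POSIX awk; FILE is passed explicitly (run on a copy first).

# set_kv FILE KEY VALUE: drop every active or directly commented line for KEY
# (sshd keywords are case-insensitive), then emit "KEY VALUE" before the first
# Include line so it takes precedence over included drop-ins, or at the end
# when the file has no Include. The file is rewritten in place via cat so its
# mode and inode are preserved.
set_kv() {
    file=$1 key=$2 value=$3
    awk -v k="$key" -v v="$value" '
        tolower($1) == tolower(k) || tolower($1) == "#" tolower(k) { next }
        !done && tolower($1) == "include" { print k " " v; done = 1 }
        { print }
        END { if (!done) print k " " v }
    ' "$file" > "$file.tmp" && cat "$file.tmp" > "$file" && rm -f "$file.tmp"
}

# get_kv FILE KEY: the value sshd would use for KEY, i.e. the first active
# occurrence in FILE (Include expansion is not modelled; compare "sshd -T").
get_kv() {
    awk -v k="$2" 'tolower($1) == tolower(k) { print $2; exit }' "$1"
}
```

With this helper the SSH step of the script becomes <code>set_kv /etc/ssh/sshd_config PermitRootLogin no</code> and so on, followed by <code>sshd -t</code> before the restart.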
<h4 id="313-无用账号清理与锁定">3.1.3 Cleaning up and locking unused accounts</h4>
<pre><code class="language-bash">#!/bin/bash
# Identity authentication: clean up and lock unused accounts
# Copy and run as-is

source /tmp/os_env.sh
[ -z "$BACKUP_DIR" ] &amp;&amp; echo "[错误] 请先执行环境准备脚本" &amp;&amp; exit 1

echo "===== 1. 备份passwd/shadow ====="
cp /etc/passwd "$BACKUP_DIR/passwd.bak"
cp /etc/shadow "$BACKUP_DIR/shadow.bak"
chmod 600 "$BACKUP_DIR/shadow.bak"

echo "===== 2. 锁定无用账号 ====="
# Legacy service accounts nobody logs into; they are locked, never deleted
UNUSED_USERS="games news ftp lp uucp operator gopher listen gdm webservd noaccess"
for i in $UNUSED_USERS; do
    if grep -q "^$i:" /etc/passwd; then
        # passwd -S reports a locked account as "LK" (RHEL family) or "L" (Debian family)
        if ! passwd -S "$i" 2&gt;/dev/null | awk '{print $2}' | grep -qE '^(L|LK)$'; then
            usermod -L "$i"
            echo "已锁定无用账号:$i"
        fi
    fi
done

echo "===== 3. 强制锁定空口令账号 ====="
# An empty second field in /etc/shadow means login without any password at all
EMPTY_PASS_USERS=$(awk -F: '($2==""){print $1}' /etc/shadow)
for i in $EMPTY_PASS_USERS; do
    usermod -L "$i"
    echo "[高危] 已锁定空口令账号:$i"
done

echo "===== 账号清理完成 ====="
echo "备份文件路径:$BACKUP_DIR"
</code></pre>
<h3 id="32-访问控制gbt-22239-2019-8142">3.2 Access control (GB/T 22239-2019 8.1.4.2)</h3>
<pre><code class="language-bash">#!/bin/bash
# Access control: umask + critical file permissions + minimal sudo
# Copy and run as-is

source /tmp/os_env.sh
[ -z "$BACKUP_DIR" ] &amp;&amp; echo "[错误] 请先执行环境准备脚本" &amp;&amp; exit 1

echo "===== 1. 备份核心配置文件 ====="
cp /etc/profile "$BACKUP_DIR/profile.umask.bak"
cp /etc/login.defs "$BACKUP_DIR/login.defs.umask.bak"
cp /etc/sudoers "$BACKUP_DIR/sudoers.bak"
cp /etc/pam.d/su "$BACKUP_DIR/su.bak" 2&gt;/dev/null

echo "===== 2. 配置全局umask=027 ====="
# /etc/profile and /etc/bashrc set umask inside an if/else block (022 or 002),
# so indented occurrences are rewritten too and a final override is appended
for f in /etc/profile /etc/bashrc /etc/bash.bashrc; do
    [ -f "$f" ] || continue
    sed -i -E 's/^([[:space:]]*)umask[[:space:]]+0[0-9]{2}/\1umask 027/' "$f"
    grep -q '^umask 027' "$f" || echo "umask 027" &gt;&gt; "$f"
done
# login.defs uses the upper-case UMASK key
if grep -q '^UMASK' /etc/login.defs; then
    sed -i 's/^UMASK.*/UMASK           027/' /etc/login.defs
else
    echo "UMASK           027" &gt;&gt; /etc/login.defs
fi

echo "===== 3. 关键文件权限加固 ====="
chmod 644 /etc/passwd /etc/group
chown root:root /etc/passwd /etc/group
if [ "$PKG_MGR" = "apt" ]; then
    # Debian family: unix_chkpwd is setgid shadow and needs group read access,
    # so mode 000 would break PAM password checks for non-root callers
    chown root:shadow /etc/shadow /etc/gshadow
    chmod 640 /etc/shadow /etc/gshadow
else
    chown root:root /etc/shadow /etc/gshadow
    chmod 000 /etc/shadow /etc/gshadow
fi

chmod 440 /etc/sudoers
chown root:root /etc/sudoers
if [ -d /etc/sudoers.d ]; then
    chown -R root:root /etc/sudoers.d
    chmod 750 /etc/sudoers.d                       # the directory itself must stay searchable
    find /etc/sudoers.d -type f -exec chmod 440 {} +
fi

echo "===== 4. 限制su命令权限 ====="
# Only members of the admin group may su; the Debian family uses "sudo" instead of "wheel".
# The stock su file carries a commented pam_wheel line, so look for an active one only.
ADMIN_GROUP=wheel
[ "$PKG_MGR" = "apt" ] &amp;&amp; ADMIN_GROUP=sudo
if ! grep -q "^auth.*pam_wheel.so" /etc/pam.d/su 2&gt;/dev/null; then
    sed -i "1i auth required pam_wheel.so use_uid group=$ADMIN_GROUP" /etc/pam.d/su
fi

echo "===== 5. sudo权限最小化 ====="
cp /etc/sudoers /etc/sudoers.tmp
# Comment out every user/group line granting ALL=(ALL) ALL except root's own
sed -i '/^[^#].*ALL=(ALL).*ALL/{/^root[[:space:]]/!s/^/# /;}' /etc/sudoers.tmp
if ! grep -qE "^%$ADMIN_GROUP[[:space:]]+ALL=\(ALL(:ALL)?\)[[:space:]]+ALL" /etc/sudoers.tmp; then
    echo "%$ADMIN_GROUP ALL=(ALL) ALL" &gt;&gt; /etc/sudoers.tmp
fi
if visudo -c -f /etc/sudoers.tmp &gt;/dev/null 2&gt;&amp;1; then
    # A plain mv would keep the temp file's mode, and sudo refuses a sudoers that is not 0440
    install -m 440 -o root -g root /etc/sudoers.tmp /etc/sudoers
    rm -f /etc/sudoers.tmp
    echo "sudo权限已最小化,仅${ADMIN_GROUP}组成员拥有全权限"
else
    rm -f /etc/sudoers.tmp
    echo "[警告] sudoers配置校验失败,已回滚"
fi

echo "===== 访问控制配置完成 ====="
echo "备份文件路径:$BACKUP_DIR"
</code></pre>
<h3 id="33-安全审计gbt-22239-2019-8143">3.3 Security audit (GB/T 22239-2019 8.1.4.3)</h3>
<pre><code class="language-bash">#!/bin/bash
# Security audit: auditd + rsyslog + log rotation
# Copy and run as-is

source /tmp/os_env.sh
[ -z "$BACKUP_DIR" ] &amp;&amp; echo "[错误] 请先执行环境准备脚本" &amp;&amp; exit 1

echo "===== 1. 备份审计配置文件 ====="
cp /etc/audit/auditd.conf "$BACKUP_DIR/auditd.conf.bak" 2&gt;/dev/null
cp /etc/rsyslog.conf "$BACKUP_DIR/rsyslog.conf.bak" 2&gt;/dev/null
cp /etc/logrotate.conf "$BACKUP_DIR/logrotate.conf.bak"

# The authentication log lives at a different path per family
AUTH_LOG=/var/log/secure
[ "$PKG_MGR" = "apt" ] &amp;&amp; AUTH_LOG=/var/log/auth.log

echo "===== 2. 启用并配置auditd ====="
systemctl enable auditd --now

# Retention of &gt;= 6 months: keep 26 files of 500 MB each and rotate
sed -i 's/^max_log_file =.*/max_log_file = 500/' /etc/audit/auditd.conf 2&gt;/dev/null
sed -i 's/^num_logs =.*/num_logs = 26/' /etc/audit/auditd.conf 2&gt;/dev/null
sed -i 's/^max_log_file_action =.*/max_log_file_action = rotate/' /etc/audit/auditd.conf 2&gt;/dev/null

# MLPS compliance audit rules: watch identity, privilege, SSH and auth-log files
cat &gt; /etc/audit/rules.d/equality-compliance.rules &lt;&lt; EOF
-w /etc/passwd -p wa -k identity_changes
-w /etc/group -p wa -k identity_changes
-w /etc/shadow -p wa -k identity_changes
-w /etc/sudoers -p wa -k sudoers_changes
-w /etc/sudoers.d/ -p wa -k sudoers_changes
-w /etc/ssh/sshd_config -p wa -k ssh_config_changes
-w $AUTH_LOG -p wa -k login_log_changes
EOF

# augenrules merges rules.d/ into audit.rules and loads them. auditd.service
# refuses "systemctl restart/stop" (RefuseManualStop), so the daemon is
# restarted through the legacy service action to pick up auditd.conf
augenrules --load 2&gt;/dev/null || auditctl -R /etc/audit/rules.d/equality-compliance.rules
service auditd restart 2&gt;/dev/null

echo "===== 3. 配置rsyslog日志 ====="
# The RHEL family already routes authpriv to /var/log/secure and the Debian
# family to /var/log/auth.log; only add a rule when none exists
if [ -f /etc/rsyslog.conf ] &amp;&amp; ! grep -qs 'authpriv' /etc/rsyslog.conf /etc/rsyslog.d/*.conf; then
    echo "authpriv.* $AUTH_LOG" &gt;&gt; /etc/rsyslog.conf
fi
systemctl enable rsyslog --now
systemctl restart rsyslog 2&gt;/dev/null

# Log file permissions
LOG_FILES="/var/log/secure /var/log/auth.log /var/log/messages /var/log/syslog /var/log/cron /var/log/audit/audit.log"
for i in $LOG_FILES; do
    [ -f "$i" ] &amp;&amp; chmod 640 "$i" &amp;&amp; chown root:adm "$i" 2&gt;/dev/null
done

echo "===== 4. 配置日志轮转保留6个月 ====="
# Per-service files in /etc/logrotate.d override the global defaults, so the
# rsyslog drop-in (which carries its own daily/weekly and rotate counts) is patched too
sed -i 's/^weekly.*/monthly/' /etc/logrotate.conf
sed -i 's/^rotate.*/rotate 6/' /etc/logrotate.conf
for f in /etc/logrotate.d/syslog /etc/logrotate.d/rsyslog; do
    [ -f "$f" ] &amp;&amp; sed -i -E 's/^([[:space:]]*)(daily|weekly)$/\1monthly/; s/^([[:space:]]*)rotate [0-9]+/\1rotate 6/' "$f"
done

echo "===== 安全审计配置完成 ====="
echo "备份文件路径:$BACKUP_DIR"
</code></pre>
<h3 id="34-入侵防范gbt-22239-2019-8144">3.4 Intrusion prevention (GB/T 22239-2019 8.1.4.4)</h3>
<pre><code class="language-bash">#!/bin/bash
# Intrusion prevention: disable risky services + firewall + SELinux/AppArmor + kernel hardening
# Copy and run as-is

source /tmp/os_env.sh
[ -z "$BACKUP_DIR" ] &amp;&amp; echo "[错误] 请先执行环境准备脚本" &amp;&amp; exit 1

echo "===== 1. 备份核心配置文件 ====="
cp /etc/selinux/config "$BACKUP_DIR/selinux_config.bak" 2&gt;/dev/null
cp /etc/sysctl.conf "$BACKUP_DIR/sysctl.conf.bak"

echo "===== 2. 禁用高危服务 ====="
# Clear-text remote-access services (telnet, rsh/rexec) and the rpcbind portmapper
systemctl stop telnet.socket xinetd rsh.socket rexec.socket rpcbind rpcbind.socket 2&gt;/dev/null
systemctl disable telnet.socket xinetd rsh.socket rexec.socket rpcbind rpcbind.socket 2&gt;/dev/null
if [ "$PKG_MGR" = "apt" ]; then
    # Debian packages the telnet server as telnetd; apt aborts on an unknown name, so remove one at a time
    for p in telnetd inetutils-telnetd rsh-server; do apt remove -y "$p" 2&gt;/dev/null; done
else
    $PKG_MGR remove -y telnet-server rsh-server 2&gt;/dev/null
fi

echo "===== 3. 启用防火墙 ====="
if [ "$OS_TYPE" = "CentOS" ] || ([ "$OS_TYPE" = "Kylin" ] &amp;&amp; [ "$PKG_MGR" = "dnf" ]); then
    systemctl enable firewalld --now
    firewall-cmd --set-default-zone=public        # runtime and permanent; takes no --permanent flag
    firewall-cmd --permanent --add-port=22/tcp 2&gt;/dev/null
    firewall-cmd --reload
else
    # Kylin/UOS (Debian family): ufw
    dpkg -s ufw &gt;/dev/null 2&gt;&amp;1 || apt install -y ufw
    ufw default deny incoming
    ufw default allow outgoing
    ufw allow 22/tcp                 # allow SSH before enabling, or the session is cut off
    ufw --force enable               # --force skips the interactive confirmation
    systemctl enable ufw 2&gt;/dev/null
fi

echo "===== 4. 启用SELinux/AppArmor ====="
if [ -f /etc/selinux/config ]; then
    # SELinux. A system that is currently Disabled has unlabeled files; switching it
    # straight to Enforcing can leave it unbootable, so it goes to Permissive with a
    # relabel on the next boot first and is promoted to Enforcing after verification
    CUR_MODE=$(getenforce 2&gt;/dev/null)
    if [ "$CUR_MODE" = "Disabled" ]; then
        sed -i 's/^SELINUX=.*/SELINUX=permissive/' /etc/selinux/config
        touch /.autorelabel
        echo "[提示] SELinux当前为Disabled,已设置Permissive并安排重启时重标记;验证无误后再改为enforcing"
    else
        sed -i 's/^SELINUX=.*/SELINUX=enforcing/' /etc/selinux/config
        setenforce 1 2&gt;/dev/null
        echo "[提示] SELinux已设置为Enforcing,建议重启系统后验证"
    fi
else
    # AppArmor (UOS and Debian-based Kylin)
    systemctl enable apparmor --now 2&gt;/dev/null
fi

echo "===== 5. 内核参数入侵加固 ====="
# SYN cookies, no source routing or ICMP redirects, reverse-path filtering,
# no broadcast ping replies, full ASLR, no core dumps from setuid programs
cat &gt; /etc/sysctl.d/equality-compliance.conf &lt;&lt; EOF
net.ipv4.tcp_syncookies = 1
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.rp_filter = 1
net.ipv4.conf.default.rp_filter = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
kernel.randomize_va_space = 2
fs.suid_dumpable = 0
EOF
sysctl -p /etc/sysctl.d/equality-compliance.conf

echo "===== 6. 配置安全补丁定时更新 ====="
if [ "$PKG_MGR" = "apt" ]; then
    # apt has no --security option; the Debian family applies security updates
    # through unattended-upgrades (check the origin list in
    # /etc/apt/apt.conf.d/50unattended-upgrades on Kylin/UOS)
    apt install -y unattended-upgrades
    cat &gt; /etc/apt/apt.conf.d/20auto-upgrades &lt;&lt; EOF
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";
EOF
else
    # yum/dnf --security installs only advisories flagged as security updates
    # (requires security metadata in the repositories); guarded against re-runs
    grep -q "update --security" /etc/crontab || echo "0 0 1 * * root $PKG_MGR update --security -y" &gt;&gt; /etc/crontab
fi
systemctl enable crond --now 2&gt;/dev/null   # RHEL family
systemctl enable cron --now 2&gt;/dev/null    # Debian family

echo "===== 入侵防范配置完成 ====="
echo "备份文件路径:$BACKUP_DIR"
</code></pre>
<h3 id="35-恶意代码防范可信验证数据备份">3.5 Malicious-code prevention + trusted verification + data backup</h3>
<pre><code class="language-bash">#!/bin/bash
# Malicious-code prevention + trusted verification + data backup
# Copy and run as-is

source /tmp/os_env.sh
[ -z "$BACKUP_DIR" ] &amp;&amp; echo "[错误] 请先执行环境准备脚本" &amp;&amp; exit 1

echo "===== 1. 恶意代码防范:ClamAV+fail2ban ====="
# clamd will not start without a signature database, so fetch one first
mkdir -p /var/log/clamav
freshclam 2&gt;/dev/null
systemctl enable clamav-daemon --now 2&gt;/dev/null   # Debian family
systemctl enable clamd@scan --now 2&gt;/dev/null      # RHEL family (EPEL clamd)
systemctl enable fail2ban --now

# fail2ban SSH jail. The auth log path differs per family; where no text log
# exists (journal-only systems) fail2ban reads the journal instead.
AUTH_LOG=/var/log/secure
[ "$PKG_MGR" = "apt" ] &amp;&amp; AUTH_LOG=/var/log/auth.log
BACKEND="backend = auto"
[ -f "$AUTH_LOG" ] || BACKEND="backend = systemd"
cat &gt; /etc/fail2ban/jail.d/sshd.conf &lt;&lt; EOF
[sshd]
enabled = true
port = ssh
filter = sshd
logpath = $AUTH_LOG
$BACKEND
maxretry = 5
bantime = 900
EOF
systemctl restart fail2ban

# Daily signature update and weekly full scan (guarded so re-runs do not duplicate)
grep -q "freshclam --quiet" /etc/crontab || echo "0 1 * * * root freshclam --quiet 2&gt;/dev/null" &gt;&gt; /etc/crontab
grep -q "clamscan -r /" /etc/crontab || echo "0 2 * * 0 root clamscan -r / --exclude-dir=/sys --exclude-dir=/proc --exclude-dir=/dev -i -l /var/log/clamav/scan.log 2&gt;/dev/null" &gt;&gt; /etc/crontab

echo "===== 2. 可信验证:AIDE文件完整性 ====="
# RHEL family: rules in /etc/aide.conf and a gzipped database; Debian family: rule
# fragments under /etc/aide/aide.conf.d/ and a database built by the aideinit wrapper
if [ "$PKG_MGR" = "apt" ]; then
    AIDE_RULES=/etc/aide/aide.conf.d/99_equality_compliance
else
    AIDE_RULES=/etc/aide.conf
fi
if ! grep -q "/etc p+i+n+u+g+s+m+c+sha256" "$AIDE_RULES" 2&gt;/dev/null; then
    cat &gt;&gt; "$AIDE_RULES" &lt;&lt; EOF
/etc p+i+n+u+g+s+m+c+sha256
/usr/bin p+i+n+u+g+s+m+c+sha256
/usr/sbin p+i+n+u+g+s+m+c+sha256
/boot p+i+n+u+g+s+m+c+sha256
/root p+i+n+u+g+s+m+c+sha256
EOF
fi
if [ "$PKG_MGR" = "apt" ]; then
    aideinit -y -f 2&gt;/dev/null
    mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db 2&gt;/dev/null
else
    aide --init 2&gt;/dev/null
    mv /var/lib/aide/aide.db.new.gz /var/lib/aide/aide.db.gz 2&gt;/dev/null
fi
grep -q "aide --check" /etc/crontab || echo "0 3 * * * root aide --check 2&gt;/dev/null | mail -s 'AIDE完整性告警' root" &gt;&gt; /etc/crontab

echo "===== 3. 数据备份恢复 ====="
# Separate variable: BACKUP_DIR from os_env.sh is this run's configuration backup location
SYS_BACKUP_DIR="/data/backup"
mkdir -p "$SYS_BACKUP_DIR"
chmod 700 "$SYS_BACKUP_DIR"

cat &gt; /usr/local/bin/system_backup.sh &lt;&lt; EOF
#!/bin/bash
umask 077   # the archives contain /etc/shadow and the audit logs
BACKUP_NAME="system_config_bak_\$(date +%F_%H%M)"
tar czf $SYS_BACKUP_DIR/\$BACKUP_NAME.tar.gz /etc /root /var/log/audit 2&gt;/dev/null
find $SYS_BACKUP_DIR -name "system_config_bak_*.tar.gz" -mtime +30 -delete
EOF
chmod 700 /usr/local/bin/system_backup.sh
grep -q system_backup.sh /etc/crontab || echo "0 0 * * * root /usr/local/bin/system_backup.sh" &gt;&gt; /etc/crontab

echo "===== 4. 其他安全加固 ====="
# Blank the pre-login banners so they do not disclose OS and kernel versions
mv /etc/issue "$BACKUP_DIR/issue.bak" 2&gt;/dev/null
mv /etc/issue.net "$BACKUP_DIR/issue.net.bak" 2&gt;/dev/null
touch /etc/issue /etc/issue.net

# Trust files for password-less rlogin/rsh and stored credentials
RISK_FILES=".netrc hosts.equiv .rhosts"
for i in $RISK_FILES; do
    find /etc /root /home -maxdepth 4 -name "$i" -exec mv {} {}.bak_$(date +%F) \; 2&gt;/dev/null
done

echo "===== 补充配置完成 ====="
echo "备份文件路径:$BACKUP_DIR"
</code></pre>
<h2 id="四多系统适配等保20三级合规测评验证">IV. Multi-OS MLPS 2.0 Level 3 compliance assessment checks</h2>
<table>
<thead>
<tr>
<th>Control point</th>
<th>Assessment item</th>
<th>Generic check command</th>
<th>Pass criterion</th>
</tr>
</thead>
<tbody>
<tr>
<td><strong>Identity authentication</strong></td>
<td>Empty-password accounts</td>
<td><code>awk -F: '($2==""){print $1}' /etc/shadow</code></td>
<td>No output</td>
</tr>
<tr>
<td></td>
<td>Password lifecycle</td>
<td><code>grep -E "PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_WARN_AGE" /etc/login.defs</code></td>
<td>PASS_MAX_DAYS 90, PASS_MIN_DAYS 1, PASS_WARN_AGE 7 (the values set in 3.1.1)</td>
</tr>
<tr>
<td></td>
<td>Login-failure lockout</td>
<td><code>grep -hE "deny=|unlock_time" /etc/pam.d/system-auth /etc/pam.d/common-auth /etc/security/faillock.conf 2&gt;/dev/null</code></td>
<td>deny=5, unlock_time=900</td>
</tr>
<tr>
<td></td>
<td>SSH root login</td>
<td><code>sshd -T 2&gt;/dev/null | grep -i ^permitrootlogin || grep ^PermitRootLogin /etc/ssh/sshd_config</code></td>
<td>PermitRootLogin no (sshd -T shows the effective value, drop-ins included)</td>
</tr>
<tr>
<td><strong>Access control</strong></td>
<td>Critical file permissions</td>
<td><code>ls -l /etc/passwd /etc/shadow /etc/group /etc/gshadow</code></td>
<td>passwd (644), shadow (000; 640 root:shadow on the Debian family)</td>
</tr>
<tr>
<td></td>
<td>Global umask</td>
<td><code>grep -i umask /etc/profile /etc/login.defs</code></td>
<td>umask 027 / UMASK 027</td>
</tr>
<tr>
<td><strong>Security audit</strong></td>
<td>auditd status</td>
<td><code>systemctl status auditd &amp;&amp; systemctl is-enabled auditd</code></td>
<td>active &amp; enabled</td>
</tr>
<tr>
<td></td>
<td>Audit rules</td>
<td><code>auditctl -l 2&gt;/dev/null | wc -l</code></td>
<td>Non-zero; every rule from equality-compliance.rules is listed</td>
</tr>
<tr>
<td><strong>Intrusion prevention</strong></td>
<td>Firewall status</td>
<td><code>systemctl status firewalld 2&gt;/dev/null || systemctl status ufw</code></td>
<td>active</td>
</tr>
<tr>
<td></td>
<td>SELinux/AppArmor</td>
<td><code>getenforce 2&gt;/dev/null || systemctl is-active apparmor</code></td>
<td>Enforcing / active</td>
</tr>
<tr>
<td><strong>Malicious-code prevention</strong></td>
<td>ClamAV status</td>
<td><code>systemctl status clamav-daemon 2&gt;/dev/null || systemctl status clamd@scan</code></td>
<td>active</td>
</tr>
<tr>
<td><strong>Data backup</strong></td>
<td>Backup job</td>
<td><code>grep -i backup /etc/crontab</code></td>
<td>The system_backup.sh entry is present (the job is in /etc/crontab, not root's personal crontab)</td>
</tr>
</tbody>
</table>
<h2 id="五一键化工具套件">V. One-click tool suite</h2>
<h3 id="51-一键全量整改脚本按顺序执行">5.1 One-click full remediation script (run in order)</h3>
<pre><code class="language-bash">#!/bin/bash
# One-click full MLPS Level 3 remediation (steps run in order)
# Validate in a test environment before running!

echo "===== 步骤1:环境准备 ====="
# Paste the environment-preparation script from section 2.1 here

echo "===== 步骤2:身份鉴别-口令策略 ====="
# Paste the script from section 3.1.1 here

echo "===== 步骤3:身份鉴别-登录安全 ====="
# Paste the script from section 3.1.2 here

echo "===== 步骤4:身份鉴别-账号清理 ====="
# Paste the script from section 3.1.3 here

echo "===== 步骤5:访问控制 ====="
# Paste the script from section 3.2 here

echo "===== 步骤6:安全审计 ====="
# Paste the script from section 3.3 here

echo "===== 步骤7:入侵防范 ====="
# Paste the script from section 3.4 here

echo "===== 步骤8:补充配置 ====="
# Paste the script from section 3.5 here

echo "===== 全量整改完成 ====="
echo "请立即新开终端验证登录,确认无异常后再重启系统"
</code></pre>
<h3 id="52-一键合规巡检脚本">5.2 One-click compliance inspection script</h3>
<pre><code class="language-bash">#!/bin/bash
# Multi-OS MLPS 2.0 Level 3 one-click compliance inspection
# Copy and run as-is

LOG_FILE="./equality_check_$(date +%F).log"
echo "===== 等保2.0三级合规巡检报告 =====" &gt; "$LOG_FILE"
echo "巡检时间:$(date "+%Y-%m-%d %H:%M:%S")" &gt;&gt; "$LOG_FILE"
echo "系统版本:$(cat /etc/redhat-release 2&gt;/dev/null || cat /etc/kylin-release 2&gt;/dev/null || cat /etc/uos-release 2&gt;/dev/null)" &gt;&gt; "$LOG_FILE"
echo "=====================================" &gt;&gt; "$LOG_FILE"

# Everything below is appended to the report; the "a || b" pairs are grouped so
# that whichever command runs, its output lands in the file rather than on the terminal
{
echo ""
echo "===== 1. 身份鉴别 ====="
EMPTY_PASS=$(awk -F: '($2==""){print $1}' /etc/shadow)
if [ -z "$EMPTY_PASS" ]; then echo "[合规] 无空口令账户"; else echo "[不合规] 空口令账户:$EMPTY_PASS"; fi
grep -E "PASS_MAX_DAYS|PASS_MIN_DAYS|PASS_WARN_AGE" /etc/login.defs
grep -hE "deny=|unlock_time" /etc/pam.d/system-auth /etc/pam.d/common-auth /etc/security/faillock.conf 2&gt;/dev/null
# sshd -T prints the effective values, including any drop-in under sshd_config.d
sshd -T 2&gt;/dev/null | grep -iE "^(permitrootlogin|clientaliveinterval) " || grep -E "PermitRootLogin|ClientAliveInterval" /etc/ssh/sshd_config

echo ""
echo "===== 2. 访问控制 ====="
ls -l /etc/passwd /etc/shadow /etc/group /etc/gshadow 2&gt;/dev/null
grep -i umask /etc/profile /etc/login.defs | head -2
grep -hE "^(%wheel|%sudo)" /etc/sudoers 2&gt;/dev/null

echo ""
echo "===== 3. 安全审计 ====="
systemctl is-active auditd 2&gt;/dev/null
systemctl is-enabled auditd 2&gt;/dev/null
echo "审计规则数:$(auditctl -l 2&gt;/dev/null | wc -l)"

echo ""
echo "===== 4. 入侵防范 ====="
systemctl is-active firewalld 2&gt;/dev/null || systemctl is-active ufw 2&gt;/dev/null
getenforce 2&gt;/dev/null || systemctl is-active apparmor 2&gt;/dev/null

echo ""
echo "===== 5. 恶意代码防范 ====="
systemctl is-active clamav-daemon 2&gt;/dev/null || systemctl is-active clamd@scan 2&gt;/dev/null
systemctl is-active fail2ban 2&gt;/dev/null

echo ""
echo "===== 6. 数据备份 ====="
# The backup job was written to /etc/crontab, not to root's personal crontab
grep -i backup /etc/crontab 2&gt;/dev/null || echo "[提示] 未配置备份任务"
echo ""
} &gt;&gt; "$LOG_FILE"

echo "===== 巡检完成,报告已保存至:$LOG_FILE ====="
cat "$LOG_FILE"
</code></pre>
<h2 id="六落地执行最佳实践">VI. Best practices for rollout</h2>
<ol>
<li><strong>Execution order</strong>: environment preparation, then identity authentication, access control, security audit, intrusion prevention and the supplementary configuration, and finally the inspection script to verify the result.</li>
<li><strong>Verification</strong>: check business availability immediately after each script; after changing SSH, the current session must be kept open until a new login has been verified.</li>
<li><strong>Domestic OS adaptation</strong>: Kylin/UOS (Debian family) use ufw and AppArmor by default; the scripts detect this automatically and need no manual adjustment.</li>
<li><strong>Rollback</strong>: every change is backed up automatically under <code>/data/equality_backup_DATE/</code>; in case of trouble, copy the backup file back over the original.</li>
</ol>
<p><strong>Reference standards</strong>: GB/T 22239-2019, GB/T 28448-2019, 《操作系统安全加固技术规范》 (Technical Specification for Operating System Security Hardening)</p>
Source: https://www.cnblogs.com/liuziyi1/p/19709844