安全合规的核心:CIS基准理解、检查与修复
CIS(Center for Internet Security)基准是业界最广泛认可的安全配置标准,覆盖操作系统、云平台、数据库等200+技术栈。CIS基准分为两个级别:Level 1(基本安全,影响小)和Level 2(深度安全,可能影响功能)。
对Linux服务器执行CIS基准检查,是最基础也最重要的合规操作。
# ===== CIS Linux基准检查脚本 =====
cat > /tmp/cis_check.sh <<'SCRIPT'
#!/bin/bash
echo "========================================"
echo " CIS Linux Benchmark 检查"
echo "========================================"
PASS=0; FAIL=0; WARN=0
check() {
local id="$1" desc="$2" status="$3"
if [ "$status" = "PASS" ]; then
echo " ✅ [$id] $desc"
((PASS++))
elif [ "$status" = "FAIL" ]; then
echo " ❌ [$id] $desc"
((FAIL++))
else
echo " ⚠️ [$id] $desc"
((WARN++))
fi
}
# ===== 1. 系统配置 =====
echo -e "\n[1] 系统配置"
# 1.1 文件系统分区
check "1.1.1" "独立/tmp分区" \
$(mount | grep -q ' /tmp ' && echo PASS || echo WARN)
check "1.1.2" "独立/var分区" \
$(mount | grep -q ' /var ' && echo PASS || echo WARN)
check "1.1.3" "独立/var/log分区" \
$(mount | grep -q ' /var/log ' && echo PASS || echo WARN)
# 1.2 禁用不需要的文件系统
check "1.1.4" "禁用 cramfs" \
$(lsmod | grep -q cramfs && echo FAIL || echo PASS)
check "1.1.5" "禁用 freevxfs" \
$(lsmod | grep -q freevxfs && echo FAIL || echo PASS)
check "1.1.6" "禁用 jffs2" \
$(lsmod | grep -q jffs2 && echo FAIL || echo PASS)
# ===== 2. 服务配置 =====
echo -e "\n[2] 服务配置"
# 2.1 inetd服务
check "2.1.1" "禁用 chargen-dgram" \
$(systemctl is-enabled chargen-dgram 2>/dev/null | grep -q enabled && echo FAIL || echo PASS)
# 2.2 SSH配置
echo -e "\n SSH配置检查:"
SSHD_CONFIG="/etc/ssh/sshd_config"
if [ -f "$SSHD_CONFIG" ]; then
check "2.2.1" "SSH Protocol版本2" \
$(grep -q "^Protocol 2" "$SSHD_CONFIG" && echo PASS || echo WARN)
check "2.2.2" "禁止root SSH登录" \
$(grep -qi "^PermitRootLogin no" "$SSHD_CONFIG" && echo PASS || echo FAIL)
check "2.2.3" "SSH空闲超时" \
$(grep -q "^ClientAliveInterval" "$SSHD_CONFIG" && echo PASS || echo FAIL)
check "2.2.4" "禁用空密码登录" \
$(grep -qi "^PermitEmptyPasswords no" "$SSHD_CONFIG" && echo PASS || echo FAIL)
check "2.2.5" "MaxAuthTries ≤ 4" \
$(grep -q "^MaxAuthTries [1-4]" "$SSHD_CONFIG" && echo PASS || echo FAIL)
else
echo " ⚠️ SSH配置文件不存在"
((WARN+=5))
fi
# ===== 3. 账户安全 =====
echo -e "\n[3] 账户安全"
# 3.1 密码策略
check "3.1.1" "密码最大使用天数 ≤ 90" \
$(grep "^PASS_MAX_DAYS" /etc/login.defs 2>/dev/null | awk '$2<=90' | grep -q . && echo PASS || echo FAIL)
check "3.1.2" "密码最小长度 ≥ 8" \
$(grep "^PASS_MIN_LEN" /etc/login.defs 2>/dev/null | awk '$2>=8' | grep -q . && echo PASS || echo FAIL)
# 3.2 账户锁定
check "3.2.1" "除root外无UID=0账户" \
$(awk -F: '($3==0 && $1!="root")' /etc/passwd | grep -q . && echo FAIL || echo PASS)
# 3.3 默认账户
check "3.3.1" "无空密码账户" \
$(awk -F: '($2=="" && $1!="root")' /etc/passwd 2>/dev/null | grep -q . && echo FAIL || echo PASS)
# ===== 4. 网络配置 =====
echo -e "\n[4] 网络配置"
# 4.1 防火墙
check "4.1.1" "防火墙启用(iptables/nftables)" \
$(iptables -L INPUT 2>/dev/null | grep -q "DROP\|REJECT" && echo PASS || echo WARN)
# 4.2 网络参数
check "4.2.1" "禁用IP转发" \
$(sysctl net.ipv4.ip_forward 2>/dev/null | grep -q "= 0" && echo PASS || echo FAIL)
check "4.2.2" "禁用源路由" \
$(sysctl net.ipv4.conf.all.accept_source_route 2>/dev/null | grep -q "= 0" && echo PASS || echo WARN)
check "4.2.3" "禁用ICMP重定向" \
$(sysctl net.ipv4.conf.all.accept_redirects 2>/dev/null | grep -q "= 0" && echo PASS || echo WARN)
# ===== 5. 日志审计 =====
echo -e "\n[5] 日志审计"
check "5.1.1" "rsyslog服务运行" \
$(systemctl is-active rsyslog 2>/dev/null | grep -q active && echo PASS || echo WARN)
check "5.1.2" "auditd服务运行" \
$(systemctl is-active auditd 2>/dev/null | grep -q active && echo PASS || echo WARN)
# ===== 6. 文件权限 =====
echo -e "\n[6] 关键文件权限"
check "6.1.1" "/etc/passwd权限 ≤ 644" \
$(stat -c %a /etc/passwd 2>/dev/null | grep -qE "^[0-6]44" && echo PASS || echo FAIL)
check "6.1.2" "/etc/shadow权限 ≤ 600" \
$(stat -c %a /etc/shadow 2>/dev/null | grep -qE "^600" && echo PASS || echo FAIL)
check "6.1.3" "/etc/ssh/sshd_config权限 ≤ 600" \
$(stat -c %a /etc/ssh/sshd_config 2>/dev/null | grep -qE "^600" && echo PASS || echo WARN)
# ===== 汇总 =====
echo -e "\n========================================"
echo " CIS基准检查结果汇总"
echo "========================================"
TOTAL=$((PASS+FAIL+WARN))
echo " ✅ 通过: $PASS/$TOTAL"
echo " ❌ 失败: $FAIL/$TOTAL"
echo " ⚠️ 警告: $WARN/$TOTAL"
echo ""
if [ "$FAIL" -eq 0 ]; then
echo " 🎉 CIS Level 1 基准检查通过!"
else
echo " ⚡ 需要修复 $FAIL 项不合规配置"
fi
echo "========================================"
SCRIPT
chmod +x /tmp/cis_check.sh
bash /tmp/cis_check.sh
# ===== Docker CIS基准检查 =====
cat > /tmp/cis_docker.sh <<'SCRIPT'
#!/bin/bash
echo "========================================"
echo " CIS Docker Benchmark 检查"
echo "========================================"
# ===== 1. Docker守护进程配置 =====
echo -e "\n[1] Docker守护进程配置"
# 检查Docker是否安装
if command -v docker &>/dev/null; then
echo " Docker版本: $(docker --version)"
# 1.1 限制网络流量
echo -e "\n [1.1] 网络配置"
iptables -L DOCKER 2>/dev/null | grep -q "DOCKER" && \
echo " ✅ Docker iptables规则存在" || \
echo " ⚠️ Docker iptables规则未配置"
# 1.2 日志级别
echo -e "\n [1.2] 日志配置"
docker info 2>/dev/null | grep "Logging Driver" || \
echo " ⚠️ 未配置日志驱动"
# 1.3 用户命名空间
echo -e "\n [1.3] 用户命名空间"
docker info 2>/dev/null | grep -q "userns-remap" && \
echo " ✅ 用户命名空间已启用" || \
echo " ❌ 用户命名空间未启用(CIS 2.1)"
else
echo " ⚠️ Docker未安装,跳过Docker基准检查"
fi
# ===== 2. 容器镜像安全 =====
echo -e "\n[2] 容器安全检查"
# 2.1 特权容器检查
if command -v docker &>/dev/null; then
PRIV=$(docker ps -q 2>/dev/null | xargs -r docker inspect \
--format='{{.Name}} {{.HostConfig.Privileged}}' 2>/dev/null | \
grep "true" | wc -l)
[ "$PRIV" -eq 0 ] && \
echo " ✅ 无特权容器运行" || \
echo " ❌ 发现 $PRIV 个特权容器"
# 2.2 容器root用户检查
ROOT_CONTAINERS=$(docker ps -q 2>/dev/null | xargs -r docker inspect \
--format='{{.Name}} {{.Config.User}}' 2>/dev/null | \
grep -E "(root|^/[^ ]* $)" | wc -l)
[ "$ROOT_CONTAINERS" -eq 0 ] && \
echo " ✅ 无容器以root运行" || \
echo " ❌ 发现 $ROOT_CONTAINERS 个容器以root运行"
fi
# ===== 3. Docker Daemon配置文件 =====
echo -e "\n[3] Daemon配置文件安全"
DAEMON_JSON="/etc/docker/daemon.json"
if [ -f "$DAEMON_JSON" ]; then
echo " ✅ daemon.json 存在"
# 检查关键配置
grep -q "log-driver" "$DAEMON_JSON" && \
echo " ✅ 日志驱动已配置" || echo " ❌ 日志驱动未配置"
grep -q "userns-remap" "$DAEMON_JSON" && \
echo " ✅ 用户命名空间已配置" || echo " ❌ 用户命名空间未配置"
grep -q "live-restore" "$DAEMON_JSON" && \
echo " ✅ 实时恢复已启用" || echo " ❌ 实时恢复未启用"
else
echo " ❌ daemon.json 不存在"
fi
# ===== 4. 文件权限 =====
echo -e "\n[4] Docker文件权限"
for file in /etc/docker/daemon.json /var/lib/docker /etc/docker/certs.d; do
if [ -e "$file" ]; then
perms=$(stat -c %a "$file" 2>/dev/null)
[ "$perms" = "600" ] || [ "$perms" = "700" ] && \
echo " ✅ $file 权限: $perms" || \
echo " ❌ $file 权限: $perms (应为600/700)"
fi
done
echo -e "\n========================================"
echo " Docker CIS基准检查完成"
echo "========================================"
SCRIPT
chmod +x /tmp/cis_docker.sh
bash /tmp/cis_docker.sh
# ===== SSH安全加固 =====
echo "=== SSH安全加固 ==="
# 备份原始配置
cp /etc/ssh/sshd_config /etc/ssh/sshd_config.bak 2>/dev/null || true
# CIS推荐的SSH配置
cat >> /etc/ssh/sshd_config 2>/dev/null <<'EOF' || echo "[仅展示,需要root权限]"
# === CIS Benchmark SSH Hardening ===
Protocol 2
PermitRootLogin no
PermitEmptyPasswords no
MaxAuthTries 4
MaxSessions 10
ClientAliveInterval 300
ClientAliveCountMax 0
X11Forwarding no
AllowTcpForwarding no
AllowAgentForwarding no
EOF
echo "[+] SSH加固配置完成(或已展示)"
# ===== 密码策略加固 =====
echo -e "\n=== 密码策略加固 ==="
# /etc/login.defs
cat >> /etc/login.defs 2>/dev/null <<'EOF' || echo "[仅展示]"
# CIS密码策略
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_MIN_LEN 12
PASS_WARN_AGE 14
EOF
# ===== 内核参数加固 =====
echo -e "\n=== 内核网络参数加固 ==="
# /etc/sysctl.d/99-security.conf
cat > /tmp/99-security.conf <<'EOF'
# CIS网络参数
net.ipv4.ip_forward = 0
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.default.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
net.ipv4.conf.default.accept_source_route = 0
net.ipv4.conf.all.accept_redirects = 0
net.ipv4.conf.default.accept_redirects = 0
net.ipv4.conf.all.secure_redirects = 0
net.ipv4.conf.default.secure_redirects = 0
net.ipv4.conf.all.log_martians = 1
net.ipv4.conf.default.log_martians = 1
net.ipv4.icmp_echo_ignore_broadcasts = 1
net.ipv4.icmp_ignore_bogus_error_responses = 1
net.ipv4.tcp_syncookies = 1
net.ipv6.conf.all.accept_ra = 0
net.ipv6.conf.default.accept_ra = 0
EOF
echo "[+] 内核安全参数配置创建完成"
# 应用参数(需要root)
# sysctl -p /tmp/99-security.conf
# ===== 文件权限修复 =====
echo -e "\n=== 关键文件权限修复 ==="
chmod 600 /etc/shadow 2>/dev/null && echo " ✅ /etc/shadow → 600" || echo " [展示] chmod 600 /etc/shadow"
chmod 644 /etc/passwd 2>/dev/null && echo " ✅ /etc/passwd → 644" || echo " [展示] chmod 644 /etc/passwd"
chmod 600 /etc/ssh/sshd_config 2>/dev/null && echo " ✅ /etc/ssh/sshd_config → 600" || echo " [展示] chmod 600 /etc/ssh/sshd_config"
| 工具 | 类型 | 支持基准 | 自动化程度 |
|---|---|---|---|
| CIS-CAT Pro | 官方工具 | 全部CIS基准 | 全自动+修复 |
| OpenSCAP | 开源 | CIS/STIG/NIST | 全自动+报告 |
| kube-bench | 开源 | CIS Kubernetes | 全自动 |
| Docker Bench | 开源 | CIS Docker | 全自动 |
| AWS Config | 云原生 | CIS AWS | 持续监控 |
| Azure Policy | 云原生 | CIS Azure | 持续监控 |