5.8.8 Security hardening and audit collection scripts
This section lays out the typical design and rollout points for security hardening and audit collection scripts: baseline checks, automated hardening, and audit log collection with upload. It is aimed at fleets of hosts and continuous-compliance scenarios.
(Figure: sketch of the hardening and audit collection flow)
Goals and scope of the hardening script
- One security baseline: accounts, authentication, network, kernel parameters, exposed services
- Fewer accidents: a change list that can be rolled back, plus a record of every run
- Verifiable: outputs a compliance result and the items that differ from the baseline
- Auditable: keeps before/after copies of the configuration and the execution log
Installation and dependencies (example)
- Required: bash, sudo, awk, sed, ss (iproute2), systemctl, rsyslog, auditd (optional)
# Debian/Ubuntu
sudo apt-get update
sudo apt-get install -y rsyslog auditd
# RHEL/CentOS (dnf on RHEL 8 and later)
sudo yum install -y rsyslog audit audit-libs
Baseline checks and hardening items (with command notes)
- Accounts and authentication
- Empty passwords (reading /etc/shadow needs root; a second field of ! or * is a locked account, not an empty password)
bash
sudo awk -F: '($2==""){print $1}' /etc/shadow
- Lock unused accounts
bash
sudo usermod -L -s /usr/sbin/nologin testuser   # -L locks the password only; SSH keys and cron jobs still work, so -s nologin blocks the shell as well
- Password policy
bash
# /etc/login.defs (PASS_MIN_LEN is ignored where pam_pwquality is in use; set minlen in /etc/security/pwquality.conf as well)
PASS_MAX_DAYS 90
PASS_MIN_DAYS 7
PASS_MIN_LEN 12
PASS_WARN_AGE 14
- SSH security
bash
sudo sed -i 's/^#\?PermitRootLogin.*/PermitRootLogin no/' /etc/ssh/sshd_config
sudo sed -i 's/^#\?PasswordAuthentication.*/PasswordAuthentication no/' /etc/ssh/sshd_config
sudo sshd -t && sudo systemctl reload sshd   # validate before reloading; the unit is named ssh on Debian/Ubuntu
sudo sshd -T | grep -iE 'permitrootlogin|passwordauthentication'   # effective values: a drop-in under /etc/ssh/sshd_config.d/ is read first and wins over the edited line
- Service exposure
bash
ss -tulpn   # TCP listeners show state LISTEN but UDP sockets show UNCONN, so filtering on /LISTEN/ would hide every UDP service
systemctl list-unit-files --type=service --state=enabled
- Kernel and system parameters
bash
sudo sysctl -w net.ipv4.ip_forward=0   # disable forwarding; not on routers, VPN gateways or container hosts, which need it
sudo sysctl -w net.ipv4.conf.all.rp_filter=1
# -w is lost on reboot: persist the values in a file such as /etc/sysctl.d/99-hardening.conf and apply with sudo sysctl --system
- File permissions and SUID/SGID risk
bash
stat -c '%a %U:%G %n' /etc/shadow /etc/passwd   # expect shadow 640 root:shadow (Debian) or 000 root:root (RHEL), passwd 644 root:root
sudo find / -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null   # -xdev skips /proc and network mounts; diff the list against a known-good baseline
- Logging and audit
bash
systemctl is-active rsyslog auditd   # prints active/inactive per unit and exits non-zero if either is down; status is for humans, not scripts
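The checklist above as an added example, not code from the original page: each check is a function that reads its input from stdin, so the same logic runs against the live host and against captured or constructed data, which is what makes a baseline checker testable before it is pushed to a fleet. It goes slightly beyond the list in three places: sshd is judged on its effective configuration (sshd -T) rather than on the file, UDP sockets stay in the exposure listing, and the SUID/SGID list is compared against an allowlist. The function names and the allowlist path /opt/secops/suid_allowlist.txt are assumptions.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): baseline checks as stdin-driven functions.
# Names and the allowlist path are illustrative choices, not a standard.
set -euo pipefail

# Accounts with an empty password field (shadow(5) field 2). "!" or "*" mean locked,
# which is a different finding, so only a truly empty field is reported.
check_empty_passwords() {
  awk -F: '$2 == "" { print $1 }'
}

# Compare the EFFECTIVE sshd configuration (stdin = output of `sshd -T`, which merges
# Include drop-ins and built-in defaults) against key=value expectations.
# Prints one PASS/FAIL line per expectation and returns 1 if any failed.
check_sshd_effective() {
  local key val want got rc=0
  local -A eff=()
  while read -r key val; do
    if [[ -n $key ]]; then eff[$key]=$val; fi
  done
  for want in "$@"; do
    key=${want%%=*}
    got=${eff[$key]:-unset}
    if [[ $got == "${want#*=}" ]]; then
      echo "PASS sshd $key=$got"
    else
      echo "FAIL sshd $key=$got (want ${want#*=})"
      rc=1
    fi
  done
  return $rc
}

# Listening sockets bound to something other than loopback. Input is `ss -tulnH`
# (no header); column 5 is Local Address:Port. TCP listeners are in state LISTEN and
# UDP sockets in state UNCONN, so no state filter is applied.
check_exposed_sockets() {
  awk '$5 !~ /^(127\.|\[::1\]:)/ { print $1, $5 }'
}

# SUID/SGID files not in the allowlist $1 (one absolute path per line). Input is the
# output of find(1); the allowlist is the per-image "known good" list kept with the baseline.
check_suid_unexpected() {
  grep -vxF -f "$1" || true
}

# Run everything against the live host (root is required for /etc/shadow and sshd -T).
run_live_checks() {
  local allow=${1:-/opt/secops/suid_allowlist.txt} rc=0
  echo "== empty passwords"
  check_empty_passwords < /etc/shadow
  echo "== sshd effective configuration"
  sshd -T 2>/dev/null | check_sshd_effective permitrootlogin=no passwordauthentication=no || rc=1
  echo "== exposed sockets"
  ss -tulnH | check_exposed_sockets
  echo "== unexpected suid/sgid"
  find / -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null | check_suid_unexpected "$allow"
  return $rc
}

if [[ ${1:-} == live ]]; then run_live_checks "${2:-}"; fi
```

Run it as `sudo bash baseline_checks.sh live [allowlist]`; the exit status is 1 when an sshd expectation fails, which is what a scheduler or fleet tool needs to see.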
Script flow design (with example directory layout)
/opt/secops/
├─ baseline.yaml          # baseline template
├─ snapshot/2024-01-01/   # configuration snapshots
├─ reports/               # diff and compliance reports
└─ logs/secops.log        # execution log
Core script example (runnable)
#!/usr/bin/env bash
# File: /opt/secops/sec_harden_audit.sh
# Usage: sec_harden_audit.sh [check|harden]   (run as root; check is read-only)
set -euo pipefail
BASE="/opt/secops"
BASELINE="$BASE/baseline.yaml"               # baseline template; not read by this version (see the exercises)
TS="$(date +%F_%H%M%S)"
SNAPDIR="$BASE/snapshot/$TS"
REPORT="$BASE/reports/$TS.txt"
LOG="$BASE/logs/secops.log"
MODE="${1:-check}"                           # check|harden
SSHD_DROPIN="/etc/ssh/sshd_config.d/00-secops.conf"
SYSCTL_DROPIN="/etc/sysctl.d/99-secops.conf"

log() { echo "$(date +%F' '%T) [$HOSTNAME] $1" | tee -a "$LOG"; }

precheck() {
  [[ $EUID -eq 0 ]] || { echo "run as root" >&2; exit 1; }
  [[ $MODE == check || $MODE == harden ]] || { echo "usage: $0 [check|harden]" >&2; exit 1; }
  mkdir -p "$SNAPDIR" "$BASE/reports" "$BASE/logs"
  chmod 0700 "$BASE" "$SNAPDIR"                # snapshots and reports hold configuration and log data
  for c in awk sed ss systemctl sshd sysctl tar; do
    command -v "$c" >/dev/null || { log "missing $c"; exit 1; }
  done
  log "precheck ok (mode=$MODE)"
}

# Keep pre-change copies under their original paths, so a rollback is a plain copy back.
snapshot() {
  local f
  for f in /etc/ssh/sshd_config /etc/login.defs /etc/sysctl.conf "$SSHD_DROPIN" "$SYSCTL_DROPIN"; do
    if [[ -f $f ]]; then cp -a --parents "$f" "$SNAPDIR/"; fi
  done
  log "snapshot saved to $SNAPDIR"
}

# Put one file back the way snapshot() saw it (a file that did not exist then is removed again).
restore() { if [[ -f $SNAPDIR$1 ]]; then cp -a "$SNAPDIR$1" "$1"; else rm -f "$1"; fi; }

# Report the EFFECTIVE values: sshd -T merges Include drop-ins and built-in defaults,
# which grepping sshd_config alone misses (a commented-out directive means "default").
check_sshd() {
  sshd -T 2>/dev/null | awk '$1=="permitrootlogin"||$1=="passwordauthentication"{printf "sshd: %s=%s\n",$1,$2}' >> "$REPORT"
}

harden_sshd() {
  local cfg=/etc/ssh/sshd_config
  if grep -qE '^\s*Include\s+/etc/ssh/sshd_config\.d/' "$cfg"; then
    # OpenSSH keeps the FIRST value it reads for each keyword, and current distros put the
    # Include at the top of sshd_config, reading drop-ins in glob order. The file therefore
    # has to sort before others such as 50-cloud-init.conf (PasswordAuthentication yes), hence 00-.
    printf 'PermitRootLogin no\nPasswordAuthentication no\n' > "$SSHD_DROPIN"
    chmod 0600 "$SSHD_DROPIN"
  else
    # No Include: drop any existing directive and put ours at the top, ahead of any Match block.
    sed -i -E '/^\s*(PermitRootLogin|PasswordAuthentication)\s/d' "$cfg"
    sed -i -e '1i PasswordAuthentication no' -e '1i PermitRootLogin no' "$cfg"
  fi
  if ! sshd -t; then
    log "sshd config invalid, rolling back"
    restore "$cfg"; restore "$SSHD_DROPIN"
    return 1
  fi
  systemctl reload sshd 2>/dev/null || systemctl reload ssh   # the unit is named ssh on Debian/Ubuntu
  log "sshd hardened"
}

check_sysctl() {
  sysctl net.ipv4.ip_forward net.ipv4.conf.all.rp_filter >> "$REPORT"
}

harden_sysctl() {
  # sysctl -w does not survive a reboot; a drop-in does. ip_forward=0 is wrong for routers,
  # VPN gateways and container hosts, so leave it out of the baseline for those roles.
  printf 'net.ipv4.ip_forward = 0\nnet.ipv4.conf.all.rp_filter = 1\n' > "$SYSCTL_DROPIN"
  sysctl --system >/dev/null
  log "sysctl hardened"
}

audit_collect() {
  local f files=()
  for f in /var/log/secure /var/log/auth.log /var/log/messages /var/log/audit/audit.log; do
    if [[ -r $f ]]; then files+=("$f"); fi
  done
  if (( ${#files[@]} )); then
    tar czf "$SNAPDIR/audit_logs.tgz" "${files[@]}" 2>/dev/null
    chmod 0600 "$SNAPDIR/audit_logs.tgz"
  fi
  log "audit logs archived (${#files[@]} files)"
}

main() {
  precheck
  snapshot
  : > "$REPORT"; chmod 0600 "$REPORT"
  echo "== before ($MODE)" >> "$REPORT"
  check_sshd; check_sysctl
  audit_collect
  if [[ $MODE == harden ]]; then
    harden_sshd
    harden_sysctl
    echo "== after" >> "$REPORT"
    check_sshd; check_sysctl                  # re-check so the report shows the effective result
  fi
  log "report generated: $REPORT"
}
main "$@"
Running it and the expected effect
sudo bash /opt/secops/sec_harden_audit.sh check
# Expected: a report under reports/ and a snapshot under snapshot/; the system itself is not modified
sudo bash /opt/secops/sec_harden_audit.sh harden
# Expected: sshd refuses root login and password authentication, and the sysctl values are in effect.
# Verify the effective values with: sudo sshd -T | grep -iE 'permitrootlogin|passwordauthentication'
# Keep the session you ran this from open and test a fresh key-based login before closing it: if no key is deployed, password logins are now rejected too.
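The rollback and diff side of the snapshot design, which the script above leaves to the reader, as an added example that is not part of the original page. It assumes the snapshot directory mirrors the filesystem layout (SNAPDIR/etc/ssh/sshd_config rather than a flat copy) and skips archives such as audit_logs.tgz; ROOT is an illustrative override so the functions can be exercised against a scratch tree instead of the real /.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): rollback.sh, the counterpart of snapshot().
# Assumes snapshots keep original paths below the snapshot directory. ROOT is an
# illustrative override for dry runs against a scratch tree.
set -euo pipefail
ROOT=${ROOT:-/}

# Unified diff of every snapshotted file against its live copy (the "diff" part of the
# report). Archives such as audit_logs.tgz are skipped. Returns 1 if anything differs.
snapshot_diff() {
  local snap=$1 f rel differs=0
  while IFS= read -r -d '' f; do
    rel=${f#"$snap"/}
    if ! diff -u --label "snapshot/$rel" --label "current/$rel" "$f" "$ROOT/$rel"; then
      differs=1
    fi
  done < <(find "$snap" -type f ! -name '*.tgz' -print0)
  return $differs
}

# Copy the snapshotted files back into place, preserving mode and ownership (cp -a) and
# touching only files that actually differ. Prints one line per restored file and returns 1
# if there was nothing to do, so a caller can tell "rolled back" from "already clean".
restore_snapshot() {
  local snap=$1 f rel dst changed=0
  while IFS= read -r -d '' f; do
    rel=${f#"$snap"/}
    dst="$ROOT/$rel"
    if [[ -f $dst ]] && cmp -s "$f" "$dst"; then
      continue
    fi
    mkdir -p "$(dirname "$dst")"
    cp -a "$f" "$dst"
    echo "restored $rel"
    changed=1
  done < <(find "$snap" -type f ! -name '*.tgz' -print0)
  (( changed ))
}

# A restored sshd_config is only activated once sshd accepts it; sysctl drop-ins are
# re-applied as a whole. The unit is sshd on RHEL and ssh on Debian/Ubuntu.
reload_services() {
  if command -v sshd >/dev/null; then
    sshd -t -f "$ROOT/etc/ssh/sshd_config" || { echo "sshd config invalid, not reloading" >&2; return 1; }
    systemctl reload sshd 2>/dev/null || systemctl reload ssh
  fi
  sysctl --system >/dev/null
}

# Usage: rollback.sh /opt/secops/snapshot/2024-01-01_020000
if [[ $# -eq 1 ]]; then
  snapshot_diff "$1" || true          # show what is about to be undone
  restore_snapshot "$1" || echo "nothing to restore"
  reload_services
fi
```

Because restore_snapshot only writes files that differ, running it twice is harmless, and the diff printed first is the change record the "auditable" goal asks for.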
Audit collection and upload examples
- rsyslog forwarding (UDP 514). A single @ means UDP and @@ means TCP; UDP is plaintext and silently drops messages under load, so prefer TCP, or the TLS (gtls) driver, for anything that leaves the host
# /etc/rsyslog.d/50-forward.conf
*.* @10.0.0.10:514
sudo systemctl restart rsyslog
- Upload over an HTTP API (script example). The report contains newlines and quotes, and escaping only the quotes with sed produces invalid JSON, so let jq (1.6 or later) build the document and send it over HTTPS
jq -n --arg host "$HOSTNAME" --rawfile report "$REPORT" '{host: $host, report: $report}' |
  curl -fsS -X POST https://log.example.com/api/ingest \
    -H 'Content-Type: application/json' --data-binary @-
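The same upload without depending on jq, as an added example that is not part of the original page: a JSON string escaper in plain bash that handles the quote, backslash, newline, tab and other control characters a report can contain, and a POST that keeps both the token and the body out of argv (argv is visible to every user via ps). The INGEST_URL endpoint and the SECOPS_TOKEN variable are assumptions for illustration.

```shell
#!/usr/bin/env bash
# Added example (not from the original page): report upload as valid JSON in plain bash.
# INGEST_URL and SECOPS_TOKEN are illustrative assumptions.
set -euo pipefail
INGEST_URL=${INGEST_URL:-https://log.example.com/api/ingest}

# Escape one string for use inside JSON double quotes (RFC 8259, section 7): backslash,
# quote, and every control character below 0x20, which is exactly what sed 's/"/\\"/g' misses.
json_escape() {
  local s=$1 out='' i c code
  for ((i = 0; i < ${#s}; i++)); do
    c=${s:i:1}
    case $c in
      '\')   out+='\\' ;;
      '"')   out+='\"' ;;
      $'\n') out+='\n' ;;
      $'\r') out+='\r' ;;
      $'\t') out+='\t' ;;
      *)
        printf -v code '%d' "'$c"                      # code point of the character
        if (( code < 32 )); then printf -v c '\\u%04x' "$code"; fi
        out+=$c ;;
    esac
  done
  printf '%s' "$out"
}

# Assemble the document. The timestamp is a parameter so the output is reproducible;
# the default is the current UTC time.
build_report_json() {
  local host=$1 report_file=$2 time=${3:-$(date -u +%FT%TZ)}
  printf '{"host":"%s","time":"%s","report":"%s"}' \
    "$(json_escape "$host")" "$(json_escape "$time")" "$(json_escape "$(cat "$report_file")")"
}

# POST the report. The body comes from stdin and the Authorization header from a
# 0600 temp file (-H @file), so neither the token nor the report shows up in ps.
upload_report() {
  local report_file=$1 hdr rc=0
  hdr=$(mktemp); chmod 0600 "$hdr"
  printf 'Authorization: Bearer %s\n' "${SECOPS_TOKEN:?set SECOPS_TOKEN}" > "$hdr"
  build_report_json "$HOSTNAME" "$report_file" |
    curl -fsS -X POST "$INGEST_URL" -H 'Content-Type: application/json' -H @"$hdr" --data-binary @- || rc=$?
  rm -f "$hdr"
  return $rc
}

# Usage: SECOPS_TOKEN=... upload_report.sh /opt/secops/reports/2024-01-01_020000.txt
if [[ $# -eq 1 ]]; then upload_report "$1"; fi
```

The escaper is a character loop rather than a sed chain so that its handling of backslashes does not depend on which sed or awk is installed; a few kilobytes of report is well within what bash handles this way.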
Troubleshooting and verification
- Cannot log in after the SSH change: check whether password authentication was disabled on a host with no key deployed, and read the effective values rather than the file (drop-ins and built-in defaults count)
sudo sshd -T | grep -iE 'permitrootlogin|passwordauthentication'
journalctl -u sshd -n 50   # -u ssh on Debian/Ubuntu
- A sysctl value does not take effect: look for a later assignment that overrides it (sysctl --system applies the drop-in directories in sorted order and /etc/sysctl.conf last, so the last assignment wins)
sysctl -a 2>/dev/null | grep rp_filter
grep -R "rp_filter" /etc/sysctl.conf /etc/sysctl.d/ /usr/lib/sysctl.d/ 2>/dev/null
- rsyslog is not forwarding: confirm the collector is listening (on the collector) and that packets actually leave the client
ss -ulpn | grep ':514'   # on the collector; the client has no listener on 514
logger -t secops "forward test"; sudo tcpdump -nn udp port 514 -c 5   # on the client
Exercises
1. Add a function to the script that detects empty-password accounts and writes them to the report, following the existing logging conventions.
2. Run the audit collection every day at 02:00 and keep 7 days of archives.
3. Extend the script to produce a JSON-only report with the fields host, time, score and diff.
4. Change the SSH port to 2222 and verify that the firewall rule and the service restart both succeed.
Safety notes
- Every change keeps a timestamped copy of the original configuration
- Use a minimal-change policy in production: validate the configuration first, reload rather than restart, and avoid service interruptions
- Secure the path and permissions of collected audit data so logs cannot be tampered with (root-only directories, and an off-host copy)
- Redact sensitive information (password hashes, keys, tokens) from any output that leaves the host