diff --git a/data/BaseLine/AccountRisk/mysql/check_mysql_empty_password/check_mysql_empty_password.py b/data/BaseLine/AccountRisk/mysql/check_mysql_empty_password/check_mysql_empty_password.py
index 58343f90f0baa3ed0b41898ca2a92191e7e74b96..a541f264fea987bb71f3329a412e0fcc3e1d2335 100644
--- a/data/BaseLine/AccountRisk/mysql/check_mysql_empty_password/check_mysql_empty_password.py
+++ b/data/BaseLine/AccountRisk/mysql/check_mysql_empty_password/check_mysql_empty_password.py
@@ -1,7 +1,7 @@
 # [OK] 为验证通过
 # [WARNING] 为风险提示
-import pymysql
+import subprocess
 import os
 import sys
@@ -60,20 +60,20 @@ def l_print(zh_str, en_str) :
 # MySQL空口令检查
 def check_mysql_empty_password(ip, port, username):
 try:
- conn = pymysql.connect(host=ip, port=int(port), user=username, passwd="123456")
- conn.close()
- l_print(f"[WARNING] 检测到MySQL空密码: {ip}:{port}",
+ output = subprocess.run(['mysql', '-uroot'], input="exit\n", text=True,capture_output=True)
+ # output = output.decode('utf-8').strip()
+ # output = subprocess.Popen('ls',shell=True,close_fds=True)
+ # output.kill()
+ if output.returncode == 0:
+ l_print(f"[WARNING] 检测到MySQL空密码: {ip}:{port}",
 f"[WARNING] MySQL empty password detected for {ip}:{port}")
- except pymysql.err.OperationalError:
- l_print(f"[OK] MySQL空密码检查已通过: {ip}:{port}",
- f"[OK] MySQL empty password check passed for {ip}:{port}")
- except pymysql.err.InternalError:
- l_print(f"[OK] MySQL空密码检查已通过: {ip}:{port}",
+ else:
+ l_print(f"[OK] MySQL空密码检查已通过: {ip}:{port}",
 f"[OK] MySQL empty password check passed for {ip}:{port}")
 except Exception as e:
 l_print(f"[OK] MySQL空密码检查已通过: {ip}:{port}",
- f"[OK] MySQL empty password check passed for {ip}:{port}")
+ f"[OK] MySQL empty password check passed for {ip}:{port}")
 if __name__ == '__main__':
 arg_lang = sys.argv[1]
- check_mysql_empty_password("localhost", 3306, "root")
+ check_mysql_empty_password("localhost", 3306, "song")
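Review bot: The new subprocess call ignores every parameter of check_mysql_empty_password — it always runs `mysql -uroot` against the local default socket, so `ip`, `port` and `username` (now "song" in the main block) appear in the message but are never what gets tested. Any failure to launch the client, such as mysql not being installed or not on PATH, raises FileNotFoundError, which the `except Exception` branch reports as `[OK] ... check passed`, so a host without the client is reported as secure; the three commented-out lines should also go. A return code of 0 for root over the unix socket can reflect socket-peer authentication rather than an empty password when the script itself runs as root — worth confirming against the target MySQL build. Suggested shape: build the argument list from the parameters, force TCP so host and port are honoured, and report a missing client as an error instead of a pass.
```python
    try:
        cmd = ['mysql', '-u', username, '-h', str(ip), '-P', str(port),
               '--protocol=TCP', '-e', 'SELECT 1']
        output = subprocess.run(cmd, capture_output=True, text=True, timeout=10)
        if output.returncode == 0:
            l_print(f"[WARNING] 检测到MySQL空密码: {ip}:{port}",
                    f"[WARNING] MySQL empty password detected for {ip}:{port}")
        else:
            l_print(f"[OK] MySQL空密码检查已通过: {ip}:{port}",
                    f"[OK] MySQL empty password check passed for {ip}:{port}")
    except FileNotFoundError:
        # A missing client is not evidence that the password is set.
        print(f"[ERROR] mysql client not found, cannot check {ip}:{port}")
    except Exception as e:
        # … unchanged: generic [OK] fallback …
```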
diff --git a/data/BaseLine/AccountRisk/mysql/check_mysql_empty_password/check_mysql_empty_password.yaml b/data/BaseLine/AccountRisk/mysql/check_mysql_empty_password/check_mysql_empty_password.yaml
index 5a3e6070bb1d1dac1905a674542935df98297e05..2ce898f81dd04a69dd01239227095e69c2a0572a 100644
--- a/data/BaseLine/AccountRisk/mysql/check_mysql_empty_password/check_mysql_empty_password.yaml
+++ b/data/BaseLine/AccountRisk/mysql/check_mysql_empty_password/check_mysql_empty_password.yaml
@@ -11,6 +11,7 @@ SiteRequests:
 InterArgs :
 Exec : check_mysql_empty_password.py
 Args :
+ - zh
 Inter:
 - "[WARNING]"
 Condition: None
diff --git a/data/BaseLine/AccountRisk/mysql/check_mysql_weak_password/check_mysql_weak_password.py b/data/BaseLine/AccountRisk/mysql/check_mysql_weak_password/check_mysql_weak_password.py
index 274b8eb6c426b3204e2968b4307ab63d4026d92e..b7d00e8a0d59f6161c9d99b90a93667829c6c124 100644
--- a/data/BaseLine/AccountRisk/mysql/check_mysql_weak_password/check_mysql_weak_password.py
+++ b/data/BaseLine/AccountRisk/mysql/check_mysql_weak_password/check_mysql_weak_password.py
@@ -80,7 +80,7 @@ if __name__ == '__main__':
 const=0
 # 读取字典中的弱口令
 # 路径为口令字典路径按实际需求修改
- with open('../../../../../data/dic/weakPassword','r',encoding="utf-8-sig") as f :
+ with open('../data/dic/weakPassword','r',encoding="utf-8-sig") as f :
 for line in f:
 password = line.strip()
 password = password.encode('latin1','ignore')
diff --git a/data/BaseLine/AccountRisk/mysql/check_mysql_weak_password/check_mysql_weak_password.yaml b/data/BaseLine/AccountRisk/mysql/check_mysql_weak_password/check_mysql_weak_password.yaml
index 90d95a6f1c06d80d5d6f568e93b9a8945aeb9209..0dc43edd853d009d7b7071e74287e00b1c0ceafe 100644
--- a/data/BaseLine/AccountRisk/mysql/check_mysql_weak_password/check_mysql_weak_password.yaml
+++ b/data/BaseLine/AccountRisk/mysql/check_mysql_weak_password/check_mysql_weak_password.yaml
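Review bot: `'../data/dic/weakPassword'` is resolved against the process working directory, so the dictionary is found only when the scanner is launched from the directory that `ConfigFilePrefix: ../data/BaseLine/` also assumes, and running the script by hand from its own directory raises FileNotFoundError inside the `if __name__` block (which continues outside the hunk); since the yaml only looks for `[WARNING]` in the output, that traceback most likely reads as a pass. The same path is introduced in check_redis_weak_password.py and check_weak_password.py in this commit. Anchoring on `__file__` keeps it working from any cwd — in check_weak_password.py, which already imports `Path`, `password_dict_path = Path(__file__).resolve().parents[4] / "dic" / "weakPassword"` (parents[4] is the `data` directory for that file's location), and here `os.path.join(os.path.dirname(os.path.abspath(__file__)), '..', '..', '..', '..', 'dic', 'weakPassword')` if `os` is imported above the hunk. Catching FileNotFoundError around the open and printing an `[ERROR]` line would also stop a missing dictionary from looking like a scan with no findings.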
@@ -11,6 +11,7 @@ SiteRequests: InterArgs : Exec : check_mysql_weak_password.py Args : + - zh Inter: - "[WARNING]" Condition: None diff --git a/data/BaseLine/AccountRisk/redis/check_redis_empty_password/check_redis_empty_password.yaml b/data/BaseLine/AccountRisk/redis/check_redis_empty_password/check_redis_empty_password.yaml index a4da2ab078c5c7a213d7e4fa535a3697d693bfdd..9049b710aa688c20ce2ddab17cf81d16494e7210 100644 --- a/data/BaseLine/AccountRisk/redis/check_redis_empty_password/check_redis_empty_password.yaml +++ b/data/BaseLine/AccountRisk/redis/check_redis_empty_password/check_redis_empty_password.yaml @@ -11,6 +11,7 @@ SiteRequests: InterArgs : Exec : check_redis_empty_password.py Args : + - zh Inter: - "[WARNING]" Condition: None diff --git a/data/BaseLine/AccountRisk/redis/check_redis_weak_password/check_redis_weak_password.py b/data/BaseLine/AccountRisk/redis/check_redis_weak_password/check_redis_weak_password.py index 4362d33df537bd2576f1934c00c9f5f0a8ffb53f..6a53a8b08ca3241249bb46933098aef25ee3519a 100644 --- a/data/BaseLine/AccountRisk/redis/check_redis_weak_password/check_redis_weak_password.py +++ b/data/BaseLine/AccountRisk/redis/check_redis_weak_password/check_redis_weak_password.py @@ -91,7 +91,7 @@ if __name__ == '__main__': # 读取字典中的弱口令 # 路径为口令字典路径按实际需求修改 - with open('../../../../../data/dic/weakPassword', 'r',encoding="utf-8-sig") as f : + with open('../data/dic/weakPassword', 'r',encoding="utf-8-sig") as f : for line in f: password = line.strip() password = password.encode('latin1','ignore') diff --git a/data/BaseLine/AccountRisk/redis/check_redis_weak_password/check_redis_weak_password.yaml b/data/BaseLine/AccountRisk/redis/check_redis_weak_password/check_redis_weak_password.yaml index 4f101c7a141dfab5eb09538662414c1026eed72a..9389e98827b7ac170e6c47477f23bfaf5fbbf50a 100644 --- a/data/BaseLine/AccountRisk/redis/check_redis_weak_password/check_redis_weak_password.yaml 
+++ b/data/BaseLine/AccountRisk/redis/check_redis_weak_password/check_redis_weak_password.yaml @@ -11,6 +11,7 @@ SiteRequests: InterArgs : Exec : check_redis_weak_password.py Args : + - zh Inter: - "[WARNING]" Condition: None diff --git a/data/BaseLine/AccountRisk/user/check_weak_password/check_weak_password.py b/data/BaseLine/AccountRisk/user/check_weak_password/check_weak_password.py index 470e8b563cfaba0cd39f81f9be1a5a2721451a77..3cf0b3d7406465318ef1270620cf56e1230f9044 100644 --- a/data/BaseLine/AccountRisk/user/check_weak_password/check_weak_password.py +++ b/data/BaseLine/AccountRisk/user/check_weak_password/check_weak_password.py @@ -7,7 +7,7 @@ import crypt from pathlib import Path # 定义密码字典文件路径(请根据实际情况修改) -password_dict_path = '../../../../../data/dic/weakPassword' +password_dict_path = "../data/dic/weakPassword" # 定义shadow文件路径 shadow_file_path = "/etc/shadow" diff --git a/data/BaseLine/AccountRisk/user/check_weak_password/check_weak_password.yaml b/data/BaseLine/AccountRisk/user/check_weak_password/check_weak_password.yaml index 0c502c68e0a64fcfdd520741635d8e4e03374a95..3286d64d641731197685cc0ad4e01ea323173e46 100644 --- a/data/BaseLine/AccountRisk/user/check_weak_password/check_weak_password.yaml +++ b/data/BaseLine/AccountRisk/user/check_weak_password/check_weak_password.yaml @@ -11,6 +11,7 @@ SiteRequests: InterArgs : Exec : check_weak_password.py Args : + - zh Inter: - "[WARNING]" Condition: None diff --git a/data/BaseLine/Audit/check_ssh_failed/check_ssh_failed.yaml b/data/BaseLine/Audit/check_ssh_failed/check_ssh_failed.yaml index 1294a4abbec03be85f699940745ccb8feafa4eef..9b98faf70109f0fd87e6328855d2d44f3d6de2a4 100644 --- a/data/BaseLine/Audit/check_ssh_failed/check_ssh_failed.yaml +++ b/data/BaseLine/Audit/check_ssh_failed/check_ssh_failed.yaml @@ -11,6 +11,7 @@ SiteRequests: InterArgs : Exec : check_ssh_failed.py Args : + - zh Inter: - "[WARNING]" Condition: None 
diff --git a/data/BaseLine/BaseLine.yaml b/data/BaseLine/BaseLine.yaml
index 55a55ba06ebffa0ca011eff5cde3d6ff1af84267..6404f14bf72b66e2a8a46c1c2ea6ba7079691614 100644
--- a/data/BaseLine/BaseLine.yaml
+++ b/data/BaseLine/BaseLine.yaml
@@ -1,13 +1,151 @@ ConfigFilePrefix: ../data/BaseLine/ Type: baseline ExplorerItems: - - ConfigFile: UserAnalysis/checkUser.yaml #检测root权限用户 - - ConfigFile: UserAnalysis/checkGid.yaml #检测特权组用户 - - ConfigFile: UserAnalysis/checkEmpty.yaml #检测空口令账户 - - ConfigFile: UserAnalysis/checkUserAuthorizedKeys.yaml #检测普通用户是否是免密登录的公钥 - - ConfigFile: UserAnalysis/checkRootAuthorizedKeys.yaml #检测root是否是免密登录的公钥 - - ConfigFile: UserAnalysis/checkSshPwdAnalysis.yaml #检测ssh空密码登录 - - ConfigFile: UserAnalysis/checkShadowFile.yaml #检测shadow文件权限 - - ConfigFile: UserAnalysis/checkPasswdFile.yaml #检测Passwd文件权限 - - ConfigFile: UserAnalysis/checkSshBruteProtectionAnalysis.yaml #检测ssh暴力破解防护是否开启 - - ConfigFile: FileCheck/CheckFileJurisdiction.yaml #检测root目录下存在777权限的文件 \ No newline at end of file + # remote services + + # -- ssh + - ConfigFile: RemoteServices/ssh/check_ssh_alert/check_ssh_alert.yaml + - ConfigFile: RemoteServices/ssh/check_ssh_disable_port_forwarding/check_ssh_disable_port_forwarding.yaml + - ConfigFile: RemoteServices//ssh/check_ssh_disable_x11_forwarding/check_ssh_disable_x11_forwarding.yaml + - ConfigFile: RemoteServices/ssh/check_ssh_hostbased_auth/check_ssh_hostbased_auth.yaml + - ConfigFile: RemoteServices/ssh/check_ssh_login_timeout/check_ssh_login_timeout.yaml + - ConfigFile: RemoteServices/ssh/check_ssh_max_login_attempts/check_ssh_max_login_attempts.yaml + - ConfigFile: RemoteServices/ssh/check_ssh_strong_mac/check_ssh_strong_mac.yaml + + # local services + + # -- redis + - ConfigFile: LocalServices/redis/check_redis_empty_password/check_redis_empty_password.yaml + - ConfigFile: LocalServices/redis/check_redis_weak_password/check_redis_weak_password.yaml + # -- mysql + - ConfigFile: LocalServices/mysql/check_mysql_empty_password/check_mysql_empty_password.yaml + - ConfigFile: LocalServices/mysql/check_mysql_weak_password/check_mysql_weak_password.yaml + - ConfigFile: LocalServices/mysql/check_mysql_access_permissions/check_mysql_access_permissions.yaml + # -- 
filePermissions + - ConfigFile: LocalServices/filePermissions/check_file_permission/check_file_permission.yaml + # -- high_risk_port + - ConfigFile: LocalServices/highRiskPort/check_high_risk_port/check_high_risk_port.yaml + - ConfigFile: LocalServices/highRiskPort/check_high_risk_port/check_high_risk_port_631.yaml + # -- firewall + - ConfigFile: LocalServices/firewall/check_firewall_log/check_firewall_log.yaml + # -- kysec + - ConfigFile: LocalServices/kysec/check_kysec_status/check_kysec_status.yaml + + + # -- Audit + + # -- ssh_failed + - ConfigFile: Audit/check_ssh_failed/check_ssh_failed.yaml + + # -- AccountRisk + + # -- redis + - ConfigFile: AccountRisk/redis/check_redis_empty_password/check_redis_empty_password.yaml + - ConfigFile: AccountRisk/redis/check_redis_weak_password/check_redis_weak_password.yaml + # -- mysql + - ConfigFile: AccountRisk/mysql/check_mysql_empty_password/check_mysql_empty_password.yaml + - ConfigFile: AccountRisk/mysql/check_mysql_weak_password/check_mysql_weak_password.yaml + # -- user + - ConfigFile: AccountRisk/user/check_weak_password/check_weak_password.yaml + + #-- permission + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/1/01密码超时停留时间应为0.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/2/02sudoers配置文件中不存在免密提权配置.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/3/03创建uid一致账号.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/4/04创建同名账号.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/5/05加密算法为sm3.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/6/06非root的账号不能为0.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/7/07管理员修改普通用户密码.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/8/08普通用户修改管理员密码.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/9/09sync账户检查.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/10/10shutdown账户检查.yaml + - ConfigFile: 
LocalServices/TestingDepartmentPrivateUseCases/11/11halt账户检查.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/12/12用户对文件的a权限.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/13/13用户对文件的i权限.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/14/14不能继承用户环境变量.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/15/15不存在无属主文件.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/16/16不存在无属组文件.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/17/17home目录权限.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/18/18默认存储条数不大于1000.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/19/19shadow文件访问控制.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/20/20记录用户登录日志.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/21/21日志模块占用资源.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/22/22系统具备数据备份还原功能.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/23/23系统启用SYN Cookies.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/24/24防火墙默认拒绝服务.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/25/25防火墙默认只允许必要服务.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/26/26系统开启反向过滤.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/27/27ipv4不应接收icmp安全重定向.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/28/28ipv6不应接收icmp安全重定向.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/29/29系统不应接受来自源路由的IPV4重定向数据包.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/30/30启用ASLR功能.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/31/31开启防火墙.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/32/32系统限制dmesg缓冲区查看权限.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/33/33启用内核地址限制.yaml + - ConfigFile: 
LocalServices/TestingDepartmentPrivateUseCases/34/34系统保护mem.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/35/35系统启用了链接和ptrace限制.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/36/36限制多重并发会话数.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/37/37禁止ssh自动登录.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/38/38禁止系统自动登录.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/39/39设置系统时间同步.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/40/40检查是否安装时间同步软件包.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/41/41设置sudo命令使用伪终端执行.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/42/42启用sudo日志.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/43/43关闭多IP绑定.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/44/44关闭IP伪装.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/45/45swatch软件加固.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/46/46selinux应为开启状态.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/47/47禁止安装SNMP.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/48/48禁止安装telnet服务端程序.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/49/49系统默认提供ssh服务.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/50/50镜像中安全组件版本与仓库中软件版本一致.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/51/51系统中不能存在调试组件.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/52/52Repo源的地址要配置正确.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/53/53包管理器中配置了GPG.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/54/54源地址采用https协议.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/55/55审计进程的权限不应大于755.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/56/56审计日志滚动写入.yaml + - ConfigFile: 
LocalServices/TestingDepartmentPrivateUseCases/57/57确保可疑数据包都被记录.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/58/58系统启动auditd和rsyslog服务.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/59/59系统重要文件的属主和权限应严格限定.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/60/60存储敏感数据的文件加密存储.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/61/61日志中不能打印个人或敏感信息.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/62/62audit存在访问控制机制.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/63/63shadow文件存在访问控制机制.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/64/64系统创建用户时默认是最小权限.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/65/65crontab中配置的文件应限制写权限.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/66/66sudo配置中不存在高危命令.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/67/67图形界面登录启用超时锁屏机制.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/68/68系统账号配置了防暴力破解机制.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/69/69设置审计存储阈值.yaml + # - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/70/70关闭系统不必要的端口21.yaml 重复检测 + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/71/71关闭系统不必要的端口22.yaml + # - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/72/72关闭系统不必要的端口23.yaml 重复检测 + # - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/73/73关闭系统不必要的端口25.yaml 重复检测 + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/74/74关闭系统不必要的端口53.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/75/75关闭系统不必要的端口69.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/76/76关闭系统不必要的端口80.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/77/77关闭系统不必要的端口110.yaml + # - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/78/78关闭系统不必要的端口111.yaml 重复检测 + - ConfigFile: 
LocalServices/TestingDepartmentPrivateUseCases/79/79关闭系统不必要的端口443.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/80/80关闭系统不必要的端口1080.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/81/81关闭系统不必要的端口2049.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/82/82限制ssh服务可访问源.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/83/83限制用户使用计划任务.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/84/84检查不安全组件.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/85/85管理员在命令行中修改自己口令需要验证旧口令.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/86/86普通用户在命令行中修改自己口令需要验证旧口令.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/87/87ssh禁止空密码登录.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/88/88设置登录后系统提示信息.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/89/89检查是否安装入侵检测工具.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/90/90检查潜在危险.netrc文件.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/91/91检查潜在危险host.equiv文件.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/92/92检查潜在危险.rhosts文件.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/93/93检查是否安装chkrootkit.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/94/94文件系统和磁盘完整性校验.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/95/95检查系统资源使用控制.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/96/96关闭系统信任机制equiv.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/97/97关闭系统信任机制rhosts.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/98/98限制仅允许系统管理员进入维护模式.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/99/99检查ssh安全协议.yaml + - ConfigFile: LocalServices/TestingDepartmentPrivateUseCases/100/100设置ssh无法免密登录.yaml 
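Review bot: The entry `RemoteServices//ssh/check_ssh_disable_x11_forwarding/check_ssh_disable_x11_forwarding.yaml` has a doubled slash; whether the loader tolerates it depends on how ConfigFilePrefix is joined, so it should read `RemoteServices/ssh/...` like its neighbours. The redis and mysql empty/weak-password checks are listed twice, once under `LocalServices/` and once under `AccountRisk/` — if both directories exist, the dictionary-driven weak-password scripts run twice per scan, and only the AccountRisk copies are touched by this commit, so the LocalServices group looks stale. The removed UserAnalysis entries (empty-password accounts, shadow/passwd permissions, root authorized_keys, ssh brute-force protection) have no obvious counterpart in the new list beyond the numbered TestingDepartmentPrivateUseCases items; a short comment mapping each old id to its replacement would let a reviewer confirm nothing was dropped. The `# 重复检测` lines name what they duplicate only by port number — naming the check they duplicate (e.g. check_high_risk_port) would make the exclusion verifiable.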
diff --git a/data/BaseLine/RemoteServices/ssh/check_ssh_alert/check_ssh_alert.py b/data/BaseLine/RemoteServices/ssh/check_ssh_alert/check_ssh_alert.py
new file mode 100644
index 0000000000000000000000000000000000000000..8ed450d776b4652a227932acb60fa7f6ffca1b93
--- /dev/null
+++ b/data/BaseLine/RemoteServices/ssh/check_ssh_alert/check_ssh_alert.py
@@ -0,0 +1,79 @@
+# [OK] 为验证通过
+# [WARNING] 为风险提示
+
+import subprocess
+import os
+import sys
+
+arg_lang = ""
+
+################################
+# 常量
+
+# for get_env_lang()
+STR_GET_ENV_LANG_ZH = "语言环境为中文"
+STR_GET_ENV_LANG_EN = "语言环境为英文"
+STR_GET_ENV_LANG_UNKNOW = "语言环境未知"
+
+# for is_root()
+STR_IS_ROOT_TRUE = "当前用户为root权限"
+STR_IS_ROOT_FALSE = "当前用户没有root权限"
+
+################################
+# 环境检查函数
+
+def get_env_lang():
+# lang = os.getenv("LANG")
+# if lang.startswith("zh"):
+# return STR_GET_ENV_LANG_ZH
+# elif lang.startswith("en"):
+# return STR_GET_ENV_LANG_EN
+# else:
+# return STR_GET_ENV_LANG_UNKNOW
+#
+ if arg_lang == "zh":
+ return STR_GET_ENV_LANG_ZH
+ elif arg_lang == "en":
+ return STR_GET_ENV_LANG_EN
+ else:
+ return STR_GET_ENV_LANG_UNKNOW
+
+def is_root():
+ if os.geteuid() == 0:
+ print(STR_IS_ROOT_TRUE)
+ return True
+ else:
+ print(STR_IS_ROOT_FALSE)
+ return False
+
+################################
+# 辅助函数
+def l_print(zh_str, en_str) :
+ if STR_GET_ENV_LANG_ZH == get_env_lang() :
+ print(zh_str);
+ else :
+ print(en_str);
+
+################################
+# 功能函数
+
+# 确保已配置SSH警告通知
+def check_ssh_alert():
+ try:
+ output = subprocess.check_output("grep '# Banner\|#Banner\|Banner none' /etc/ssh/sshd_config", shell=True)
+ output = output.decode('utf-8').strip()
+ l_print("[WARNING] SSH告警没有被配置",
+ "[WARNING] SSH alert not configured")
+ except:
+ l_print("[OK] SSH告警配置检查通过",
+ "[OK] SSH alert not configured check passed")
+
+# 示例代码主函数
+def main():
+
+ check_ssh_alert()
+
+if __name__ == '__main__':
+ arg_lang = sys.argv[1]
+
+ main()
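Review bot: check_ssh_alert reports `[OK]` for every failure of the grep, not just "no match" — grep exits 2 when /etc/ssh/sshd_config is unreadable or absent, and the bare `except:` turns that into a pass. The pattern is also the inverse of what the check name implies: `#Banner none` is the commented default in stock sshd_config, so a host with an active `Banner /etc/issue.net` line plus that commented default still matches and is reported as unconfigured, while a file with no Banner line at all is reported as configured. The English `[OK]` string reads "SSH alert not configured check passed", which contradicts the zh string. Suggest matching only an active directive and telling grep's exit codes apart:
```python
def check_ssh_alert():
    # Only an active (uncommented) Banner directive counts; grep exits 1 for
    # "no match" and 2 when the file cannot be read, which must not pass.
    result = subprocess.run(
        ["grep", "-iE", r"^\s*Banner\s+\S", "/etc/ssh/sshd_config"],
        capture_output=True, text=True)
    if result.returncode == 0:
        value = result.stdout.split()[1].lower()  # sshd applies the first Banner it reads
        configured = value != "none"
    elif result.returncode == 1:
        configured = False
    else:
        print("[ERROR] cannot read /etc/ssh/sshd_config:", result.stderr.strip())
        return
    if configured:
        l_print("[OK] SSH告警配置检查通过",
                "[OK] SSH alert configured check passed")
    else:
        l_print("[WARNING] SSH告警没有被配置",
                "[WARNING] SSH alert not configured")
```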
diff --git a/data/BaseLine/RemoteServices/ssh/check_ssh_alert/check_ssh_alert.yaml b/data/BaseLine/RemoteServices/ssh/check_ssh_alert/check_ssh_alert.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..cae201d6475aa4e558b0661e122ea5d5eb467053
--- /dev/null
+++ b/data/BaseLine/RemoteServices/ssh/check_ssh_alert/check_ssh_alert.yaml
@@ -0,0 +1,23 @@
+FormatVer: 20230518
+Id: check_ssh_alert
+Belong: baseline
+SiteInfo:
+ Name: 远程服务检测 -- 确保已配置SSH警告通知
+Power :
+SiteRequests:
+ Implement:
+ ImArray:
+ - Inter : python3
+ InterArgs :
+ Exec : check_ssh_alert.py
+ Args :
+ - zh
+ Inter:
+ - "[WARNING]"
+ Condition: None
+RepairArgs:
+ - Inter : python3
+ InterArgs :
+ Exec : fix_ssh_warning_banner.py
+ Args :
+ RepairPower: root # root权限或者普通用户权限
diff --git a/data/BaseLine/RemoteServices/ssh/check_ssh_alert/fix_ssh_warning_banner.py b/data/BaseLine/RemoteServices/ssh/check_ssh_alert/fix_ssh_warning_banner.py
new file mode 100644
index 0000000000000000000000000000000000000000..c40cf44a9dec91b7d79294b5454bd13fe4780d20
--- /dev/null
+++ b/data/BaseLine/RemoteServices/ssh/check_ssh_alert/fix_ssh_warning_banner.py
@@ -0,0 +1,18 @@
+# [OK]为修复成功
+# 执行修复脚本权限需要root权限执行
+
+import subprocess
+
+# 确保已配置SSH警告通知
+def fix_ssh_warning_banner():
+ cmd1 = "sed -i 's/# Banner.*/Banner \/etc\/issue.net/g' /etc/ssh/sshd_config"
+ cmd2 = "sed -i 's/#Banner.*/Banner \/etc\/issue.net/g' /etc/ssh/sshd_config"
+ cmd3 = "echo 'Authorized uses only. All activity may be monitored and reported.' > /etc/issue.net"
+ subprocess.run(cmd1, shell=True, check=True)
+ subprocess.run(cmd2, shell=True, check=True)
+ subprocess.run(cmd3, shell=True, check=True)
+ print("[OK] SSH warning enabled")
+
+if __name__ == '__main__':
+ # 运行修复函数
+ fix_ssh_warning_banner()
\ No newline at end of file
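Review bot: fix_ssh_warning_banner only rewrites an existing commented `# Banner`/`#Banner` line, so on a config with no Banner line at all (or an active `Banner none`) nothing changes, yet `[OK] SSH warning enabled` is printed; cmd3 then overwrites /etc/issue.net unconditionally, discarding any banner the site already maintains. The sed replacements use `\/` inside non-raw Python strings, which is an invalid escape sequence (a SyntaxWarning from 3.12 on) — raw strings, or better a list passed to subprocess.run without `shell=True`, avoid it. Nothing validates the result or reloads sshd, so a broken edit surfaces only at the next restart, and running `sshd -t` first would catch it. A shape that edits the file directly, respects an existing banner and places the directive where sshd will apply it globally:
```python
def _directive(line):
    # (keyword, value) of an active sshd_config line, keyword lower-cased; ("", "") otherwise.
    parts = line.split(None, 1)
    if not parts or parts[0].startswith("#"):
        return "", ""
    return parts[0].lower(), (parts[1].strip() if len(parts) > 1 else "")

def fix_ssh_warning_banner():
    cfg = "/etc/ssh/sshd_config"
    with open(cfg, encoding="utf-8") as f:
        lines = f.read().splitlines()
    active = [v for k, v in map(_directive, lines) if k == "banner" and v.lower() != "none"]
    if not active:
        # sshd applies the first Banner it reads, so insert ours ahead of any
        # active "Banner none" and ahead of any Match block (a Banner inside
        # Match is not global).
        idx = next((i for i, l in enumerate(lines)
                    if _directive(l)[0] == "match"
                    or (_directive(l)[0] == "banner" and _directive(l)[1].lower() == "none")),
                   len(lines))
        lines.insert(idx, "Banner /etc/issue.net")
        with open(cfg, "w", encoding="utf-8") as f:
            f.write("\n".join(lines) + "\n")
    try:
        with open("/etc/issue.net", "x", encoding="utf-8") as f:  # keep an existing banner
            f.write("Authorized uses only. All activity may be monitored and reported.\n")
    except FileExistsError:
        pass
    subprocess.run(["sshd", "-t"], check=True)  # refuse to leave a config sshd cannot load
    print("[OK] SSH warning enabled")
```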
diff --git a/data/BaseLine/RemoteServices/ssh/check_ssh_disable_port_forwarding/check_ssh_disable_port_forwarding.py b/data/BaseLine/RemoteServices/ssh/check_ssh_disable_port_forwarding/check_ssh_disable_port_forwarding.py
new file mode 100644
index 0000000000000000000000000000000000000000..3e670594bf09668d1faaf129c1489e730486d57b
--- /dev/null
+++ b/data/BaseLine/RemoteServices/ssh/check_ssh_disable_port_forwarding/check_ssh_disable_port_forwarding.py
@@ -0,0 +1,97 @@ +# [OK] 为验证通过 +# [WARNING] 为风险提示 +# 此检测项需要使用root权限执行 + +import subprocess +import os +import sys + +arg_lang = "" + +################################ +# 常量 + +# for get_env_lang() +STR_GET_ENV_LANG_ZH = "语言环境为中文" +STR_GET_ENV_LANG_EN = "语言环境为英文" +STR_GET_ENV_LANG_UNKNOW = "语言环境未知" + +# for is_root() +STR_IS_ROOT_TRUE = "当前用户为root权限" +STR_IS_ROOT_FALSE = "当前用户没有root权限" + +################################ +# 环境检查函数 + +def get_env_lang(): +# lang = os.getenv("LANG") +# if lang.startswith("zh"): +# return STR_GET_ENV_LANG_ZH +# elif lang.startswith("en"): +# return STR_GET_ENV_LANG_EN +# else: +# return STR_GET_ENV_LANG_UNKNOW +# + if arg_lang == "zh": + return STR_GET_ENV_LANG_ZH + elif arg_lang == "en": + return STR_GET_ENV_LANG_EN + else: + return STR_GET_ENV_LANG_UNKNOW + +def is_root(): + if os.geteuid() == 0: + print(STR_IS_ROOT_TRUE) + return True + else: + print(STR_IS_ROOT_FALSE) + return False + +def is_root(): + if os.geteuid() == 0: + print(STR_IS_ROOT_TRUE) + return True + else: + print(STR_IS_ROOT_FALSE) + return False + +################################ +# 辅助函数 +def l_print(zh_str, en_str) : + if STR_GET_ENV_LANG_ZH == get_env_lang() : + print(zh_str); + else : + print(en_str); + +################################ +# 功能函数 + +# 检查SSH服务是否已禁用端口转发功能 +def check_ssh_disable_port_forwarding(): + command = 'sudo sshd -T | grep -i permitopen' + result = subprocess.run(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE) + + if result.returncode == 0: + output = result.stdout.decode('utf-8').strip() + if 'PermitOpen' and 'permitopen' not in output: + l_print("[OK] SSH 端口转发禁用 检测通过", + "[OK] SSH disable port forwarding check passed") + else: + permitopen_value = output.split(' ')[1] + if permitopen_value == '' or permitopen_value == 'none' or permitopen_value == 'None': + l_print("[OK] SSH 端口转发禁用 检测通过", + "[OK] SSH disable port forwarding check passed") + else: + l_print("[WARNING] SSH开启了端口转发功能", + "[WARNING] SSH port forwarding may 
be enabled") + else: + print('运行SSH命令时出错:', result.stderr.decode('utf-8').strip()) +# 示例代码主函数 +def main(): + + check_ssh_disable_port_forwarding() + +if __name__ == '__main__': + arg_lang = sys.argv[1] + + main() diff --git a/data/BaseLine/RemoteServices/ssh/check_ssh_disable_port_forwarding/check_ssh_disable_port_forwarding.yaml b/data/BaseLine/RemoteServices/ssh/check_ssh_disable_port_forwarding/check_ssh_disable_port_forwarding.yaml new file mode 100644 index 0000000000000000000000000000000000000000..21b731456a9471dd8b7d85c76ba5fffe77455c3f --- /dev/null +++ b/data/BaseLine/RemoteServices/ssh/check_ssh_disable_port_forwarding/check_ssh_disable_port_forwarding.yaml @@ -0,0 +1,23 @@ +FormatVer: 20230518 +Id: check_ssh_disable_port_forwarding +Belong: baseline +SiteInfo: + Name: 远程服务检测 -- 检查SSH服务是否已禁用端口转发功能 +Power : "root" +SiteRequests: + Implement: + ImArray: + - Inter : python3 + InterArgs : + Exec : check_ssh_disable_port_forwarding.py + Args : + - zh + Inter: + - "[WARNING]" + Condition: None +RepairArgs: + - Inter : python3 + InterArgs : + Exec : fix_ssh_disable_port_forwarding.py + Args : + RepairPower: root # root权限或者普通用户权限 diff --git a/data/BaseLine/RemoteServices/ssh/check_ssh_disable_port_forwarding/fix_ssh_disable_port_forwarding.py b/data/BaseLine/RemoteServices/ssh/check_ssh_disable_port_forwarding/fix_ssh_disable_port_forwarding.py new file mode 100644 index 0000000000000000000000000000000000000000..5e97430c96af435a8b08ae0234527c443a40653b --- /dev/null +++ b/data/BaseLine/RemoteServices/ssh/check_ssh_disable_port_forwarding/fix_ssh_disable_port_forwarding.py 
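Review bot: `if 'PermitOpen' and 'permitopen' not in output:` evaluates as `'permitopen' not in output` because the literal `'PermitOpen'` is always truthy, and `output.split(' ')[1]` assumes the grep returned exactly one line with a single space — on current OpenSSH `sshd -T` prints `permitopen any` by default, so the first branch may never run (worth confirming on the target version). More importantly PermitOpen only limits the destinations of local forwards; the directive that disables TCP forwarding is AllowTcpForwarding, which `sshd -T` prints as `allowtcpforwarding yes|no|local|remote`, so a host with forwarding fully enabled can still pass this check. `sudo sshd -T` through a shell can block on a password prompt when the script is not already root (the yaml sets Power root, so the `sudo` is redundant), the error branch bypasses l_print, and `is_root` is defined twice in this file. A version that parses the effective config and decides on allowtcpforwarding:
```python
def check_ssh_disable_port_forwarding():
    result = subprocess.run(["sshd", "-T"], capture_output=True, text=True)
    if result.returncode != 0:
        print('运行SSH命令时出错:', result.stderr.strip())
        return
    # sshd -T prints one "<keyword> <value>" per line with lower-cased keywords;
    # keep the first value seen for a keyword, which is the one sshd applies.
    effective = {}
    for line in result.stdout.splitlines():
        key, _, value = line.partition(" ")
        effective.setdefault(key, value.strip())
    tcp = effective.get("allowtcpforwarding", "yes")
    permitopen = effective.get("permitopen", "any")
    if tcp == "no":
        l_print("[OK] SSH 端口转发禁用 检测通过",
                "[OK] SSH disable port forwarding check passed")
    else:
        l_print(f"[WARNING] SSH开启了端口转发功能 (allowtcpforwarding {tcp}, permitopen {permitopen})",
                f"[WARNING] SSH port forwarding may be enabled (allowtcpforwarding {tcp}, permitopen {permitopen})")
```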
@@ -0,0 +1,29 @@
+# [OK]为修复成功
+# 执行修复脚本权限需要root权限执行
+
+from importlib.resources import open_binary
+import subprocess
+from tabnanny import check
+
+
+def fix_ssh_disable_port_forwarding():
+ try:
+ output = subprocess.check_output("grep 'PermitOpen' /etc/ssh/sshd_config", shell=True)
+ output = output.decode('utf-8').strip()
+ # 运行SSH命令禁用PermitOpen选项
+ command = 'sudo sed -i "s/PermitOpen.*/PermitOpen none/g" /etc/ssh/sshd_config'
+ result = subprocess.run(command, shell=True, stdout=subprocess.PIPE, stderr=subprocess.PIPE)
+
+ if result.returncode == 0:
+ print('[OK] The port forwarding function of SSH service has been disabled and fixed')
+ else:
+ print('[ERROR] Error disabling port forwarding function for SSH service:', result.stderr.decode('utf-8').strip())
+ except:
+ with open('/etc/ssh/sshd_config','a') as f:
+ f.write('PermitOpen none')
+ print('[OK] The port forwarding function of SSH service has been disabled and fixed')
+
+
+if __name__ == '__main__':
+ # 运行所有的修复函数
+ fix_ssh_disable_port_forwarding()
diff --git a/data/BaseLine/RemoteServices/ssh/check_ssh_disable_x11_forwarding/check_ssh_disable_x11_forwarding.py b/data/BaseLine/RemoteServices/ssh/check_ssh_disable_x11_forwarding/check_ssh_disable_x11_forwarding.py
new file mode 100644
index 0000000000000000000000000000000000000000..a48082d62de9122f394b42cd75c893f27fa8cbec
--- /dev/null
+++ b/data/BaseLine/RemoteServices/ssh/check_ssh_disable_x11_forwarding/check_ssh_disable_x11_forwarding.py
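Review bot: The fallback in the bare `except:` appends `PermitOpen none` with no newline on either side, so when sshd_config does not end in a newline the directive is glued to the previous line and every later run adds another copy; `f.write('\nPermitOpen none\n')` fixes both, and the `except:` should be narrowed to `subprocess.CalledProcessError` so an unreadable file or a missing grep is reported instead of being "fixed" by appending blind. The sed expression also rewrites commented `#PermitOpen` lines and any PermitOpen inside a Match block, and nothing runs `sshd -t` or reloads sshd, so a broken edit is discovered only at the next restart. `from importlib.resources import open_binary` and `from tabnanny import check` are unused editor auto-imports and should be dropped, as should the `sudo` prefix in a script the yaml already runs as root. As with the matching check, `PermitOpen none` only restricts local forwards; the directive that disables TCP forwarding as a whole is `AllowTcpForwarding no`, which is what a "disable port forwarding" repair should set.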
@@ -0,0 +1,88 @@
+# [OK] 为验证通过
+# [WARNING] 为风险提示
+
+import re
+import subprocess
+import os
+import sys
+
+arg_lang = ""
+
+################################
+# 常量
+
+# for get_env_lang()
+STR_GET_ENV_LANG_ZH = "语言环境为中文"
+STR_GET_ENV_LANG_EN = "语言环境为英文"
+STR_GET_ENV_LANG_UNKNOW = "语言环境未知"
+
+# for is_root()
+STR_IS_ROOT_TRUE = "当前用户为root权限"
+STR_IS_ROOT_FALSE = "当前用户没有root权限"
+
+################################
+# 环境检查函数
+
+def get_env_lang():
+# lang = os.getenv("LANG")
+# if lang.startswith("zh"):
+# return STR_GET_ENV_LANG_ZH
+# elif lang.startswith("en"):
+# return STR_GET_ENV_LANG_EN
+# else:
+# return STR_GET_ENV_LANG_UNKNOW
+#
+ if arg_lang == "zh":
+ return STR_GET_ENV_LANG_ZH
+ elif arg_lang == "en":
+ return STR_GET_ENV_LANG_EN
+ else:
+ return STR_GET_ENV_LANG_UNKNOW
+
+def is_root():
+ if os.geteuid() == 0:
+ print(STR_IS_ROOT_TRUE)
+ return True
+ else:
+ print(STR_IS_ROOT_FALSE)
+ return False
+
+################################
+# 辅助函数
+def l_print(zh_str, en_str) :
+ if STR_GET_ENV_LANG_ZH == get_env_lang() :
+ print(zh_str);
+ else :
+ print(en_str);
+
+################################
+# 功能函数
+
+# 确保SSH X11转发被禁用
+def check_ssh_disable_x11_forwarding():
+ try:
+ output = subprocess.check_output("grep '^X11Forwarding' /etc/ssh/sshd_config", shell=True)
+ output = output.decode('utf-8').strip()
+ pattern = r'^X11Forwarding\s+(.*)$'
+ match = re.search(pattern, output)
+ if match:
+ if "no" in match.group(1):
+ l_print("[OK] SSH X11 端口转发禁用 检测通过",
+ "[OK] SSH X11 forwarding check passed")
+ else:
+ l_print(f"[WARNING] SSH X11转发设置为 {match.group(1)}",
+ f"[WARNING] SSH X11 forwarding set to {match.group(1)}")
+ else:
+ l_print("[OK] SSH X11 转发为配置 检测通过",
+ "[OK] SSH X11 forwarding not configured check passed")
+ except:
+ l_print("[OK] SSH X11 转发为配置 检测通过",
+ "[OK] SSH X11 forwarding not configured check passed")
+# 示例代码主函数
+def main():
+ check_ssh_disable_x11_forwarding()
+
+if __name__ == '__main__':
+ arg_lang = sys.argv[1]
+
+ main()
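Review bot: `re.search(r'^X11Forwarding\s+(.*)$', output)` runs without re.MULTILINE over the whole grep output, so when sshd_config has more than one X11Forwarding line (a global one plus one in a Match block) `$` cannot match and the check falls through to "not configured … passed" even when the global value is yes; sshd applies the first occurrence, so `match = re.search(pattern, output, re.MULTILINE | re.IGNORECASE)` picks the right line. `if "no" in match.group(1)` is a substring test — `if match.group(1).split()[0].lower() == "no":` keeps a value such as `yes # not on prod` from being accepted. The grep is case-sensitive and anchored at column 0 while sshd keywords are case-insensitive and may be indented, so `x11forwarding yes` or an indented directive is missed and reported as a pass, and the bare `except:` turns an unreadable sshd_config into a pass as well — `grep -iE '^\s*X11Forwarding'` and a narrower except address both, or `sshd -T` removes the parsing altogether. check_ssh_hostbased_auth.py later in this commit has the identical pattern and the same gaps. The zh `[OK]` text says "转发为配置" where "未配置" is meant.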
diff --git a/data/BaseLine/RemoteServices/ssh/check_ssh_disable_x11_forwarding/check_ssh_disable_x11_forwarding.yaml b/data/BaseLine/RemoteServices/ssh/check_ssh_disable_x11_forwarding/check_ssh_disable_x11_forwarding.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..261fd4e473aabef30e783385b2b025046a5e700e
--- /dev/null
+++ b/data/BaseLine/RemoteServices/ssh/check_ssh_disable_x11_forwarding/check_ssh_disable_x11_forwarding.yaml
@@ -0,0 +1,23 @@
+FormatVer: 20230518
+Id: check_ssh_disable_x11_forwarding
+Belong: baseline
+SiteInfo:
+ Name: 远程服务检测 -- 确保SSH X11转发被禁用
+Power :
+SiteRequests:
+ Implement:
+ ImArray:
+ - Inter : python3
+ InterArgs :
+ Exec : check_ssh_disable_x11_forwarding.py
+ Args :
+ - zh
+ Inter:
+ - "[WARNING]"
+ Condition: None
+RepairArgs:
+ - Inter : python3
+ InterArgs :
+ Exec : fix_ssh_disable_x11_forwarding.py
+ Args :
+ RepairPower: root # root权限或者普通用户权限
diff --git a/data/BaseLine/RemoteServices/ssh/check_ssh_disable_x11_forwarding/fix_ssh_disable_x11_forwarding.py b/data/BaseLine/RemoteServices/ssh/check_ssh_disable_x11_forwarding/fix_ssh_disable_x11_forwarding.py
new file mode 100644
index 0000000000000000000000000000000000000000..8b480ed7cf9c00754f957ef6043073afcb9a68b5
--- /dev/null
+++ b/data/BaseLine/RemoteServices/ssh/check_ssh_disable_x11_forwarding/fix_ssh_disable_x11_forwarding.py
@@ -0,0 +1,15 @@
+# [OK]为修复成功
+# 执行修复脚本权限需要root权限执行
+
+from json.tool import main
+import subprocess
+
+
+# 确保SSH X11转发被禁用
+def fix_ssh_disable_x11_forwarding():
+ cmd = "sed -i 's/^X11Forwarding.*/X11Forwarding no/g' /etc/ssh/sshd_config"
+ subprocess.run(cmd, shell=True, check=True)
+ print('[OK] fix suff')
+
+if __name__ == '__main__':
+ fix_ssh_disable_x11_forwarding()
\ No newline at end of file
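Review bot: `sed 's/^X11Forwarding.*/X11Forwarding no/g'` only rewrites an existing uncommented, exactly-cased line at column 0; with `#X11Forwarding yes`, an indented or lower-cased directive, or no line at all, nothing changes and `[OK] fix suff` is still printed (also a typo for "success"), so the repair reports success without having repaired anything. `from json.tool import main` is a stray unused import and should be removed. Nothing validates or reloads sshd afterwards; `subprocess.run(["sshd", "-t"], check=True)` before the reload would catch a broken file. fix_ssh_hostbased_auth.py later in this commit has the same shape and the same gaps. An idempotent follow-up step that covers the "no line" case, inserted before any Match block rather than appended at the end where a trailing Match block would capture it, would make the repair match the check it is paired with.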
diff --git a/data/BaseLine/RemoteServices/ssh/check_ssh_hostbased_auth/check_ssh_hostbased_auth.py b/data/BaseLine/RemoteServices/ssh/check_ssh_hostbased_auth/check_ssh_hostbased_auth.py
new file mode 100644
index 0000000000000000000000000000000000000000..c2c3de6b9f57efbf7bdc1ff81803a3f9df480b31
--- /dev/null
+++ b/data/BaseLine/RemoteServices/ssh/check_ssh_hostbased_auth/check_ssh_hostbased_auth.py
@@ -0,0 +1,89 @@
+# [OK] 为验证通过
+# [WARNING] 为风险提示
+
+import re
+import subprocess
+import os
+import sys
+
+arg_lang = ""
+
+################################
+# 常量
+
+# for get_env_lang()
+STR_GET_ENV_LANG_ZH = "语言环境为中文"
+STR_GET_ENV_LANG_EN = "语言环境为英文"
+STR_GET_ENV_LANG_UNKNOW = "语言环境未知"
+
+# for is_root()
+STR_IS_ROOT_TRUE = "当前用户为root权限"
+STR_IS_ROOT_FALSE = "当前用户没有root权限"
+
+################################
+# 环境检查函数
+
+def get_env_lang():
+# lang = os.getenv("LANG")
+# if lang.startswith("zh"):
+# return STR_GET_ENV_LANG_ZH
+# elif lang.startswith("en"):
+# return STR_GET_ENV_LANG_EN
+# else:
+# return STR_GET_ENV_LANG_UNKNOW
+#
+ if arg_lang == "zh":
+ return STR_GET_ENV_LANG_ZH
+ elif arg_lang == "en":
+ return STR_GET_ENV_LANG_EN
+ else:
+ return STR_GET_ENV_LANG_UNKNOW
+
+def is_root():
+ if os.geteuid() == 0:
+ print(STR_IS_ROOT_TRUE)
+ return True
+ else:
+ print(STR_IS_ROOT_FALSE)
+ return False
+
+################################
+# 辅助函数
+def l_print(zh_str, en_str) :
+ if STR_GET_ENV_LANG_ZH == get_env_lang() :
+ print(zh_str);
+ else :
+ print(en_str);
+
+################################
+# 功能函数
+
+# 确保SSH的HostbasedAuthentication被禁用
+def check_ssh_hostbased_auth():
+ try:
+ output = subprocess.check_output("grep '^HostbasedAuthentication' /etc/ssh/sshd_config", shell=True)
+ output = output.decode('utf-8').strip()
+ pattern = r'^HostbasedAuthentication\s+(.*)$'
+ match = re.search(pattern, output)
+ if match:
+ if "no" in match.group(1):
+ l_print("[OK] SSH HostbasedAuthentication 检测通过",
+ "[OK] SSH HostbasedAuthentication check passed")
+ else:
+ l_print(f"[WARNING] SSH HostbasedAuthentication 设置为 {match.group(1)}",
+ f"[WARNING] SSH HostbasedAuthentication set to {match.group(1)}" )
+ else:
+ l_print("[OK] SSH HostbasedAuthentication未配置 检测通过",
+ "[OK] SSH HostbasedAuthentication not configured check passed")
+ except:
+ l_print("[OK] SSH HostbasedAuthentication未配置 检测通过",
+ "[OK] SSH HostbasedAuthentication not configured check passed")
+# 示例代码主函数
+def main():
+
+ check_ssh_hostbased_auth()
+
+if __name__ == '__main__':
+ arg_lang = sys.argv[1]
+
+ main()
diff --git a/data/BaseLine/RemoteServices/ssh/check_ssh_hostbased_auth/check_ssh_hostbased_auth.yaml b/data/BaseLine/RemoteServices/ssh/check_ssh_hostbased_auth/check_ssh_hostbased_auth.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..3f3a0d5c5617e3e532b7309aaed791b94fae592d
--- /dev/null
+++ b/data/BaseLine/RemoteServices/ssh/check_ssh_hostbased_auth/check_ssh_hostbased_auth.yaml
@@ -0,0 +1,23 @@
+FormatVer: 20230518
+Id: check_ssh_hostbased_auth
+Belong: baseline
+SiteInfo:
+ Name: 远程服务检测 -- 确保SSH的HostbasedAuthentication被禁用
+Power :
+SiteRequests:
+ Implement:
+ ImArray:
+ - Inter : python3
+ InterArgs :
+ Exec : check_ssh_hostbased_auth.py
+ Args :
+ - zh
+ Inter:
+ - "[WARNING]"
+ Condition: None
+RepairArgs:
+ - Inter : python3
+ InterArgs :
+ Exec : fix_ssh_hostbased_auth.py
+ Args :
+ RepairPower: root # root权限或者普通用户权限
diff --git a/data/BaseLine/RemoteServices/ssh/check_ssh_hostbased_auth/fix_ssh_hostbased_auth.py b/data/BaseLine/RemoteServices/ssh/check_ssh_hostbased_auth/fix_ssh_hostbased_auth.py
new file mode 100644
index 0000000000000000000000000000000000000000..54b966497373acf3b5f4181192a3e80de511800f
--- /dev/null
+++ b/data/BaseLine/RemoteServices/ssh/check_ssh_hostbased_auth/fix_ssh_hostbased_auth.py
@@ -0,0 +1,11 @@
+# [OK]为修复成功
+# 执行修复脚本权限需要root权限执行
+import subprocess
+
+def fix_ssh_hostbased_auth():
+ cmd = "sed -i 's/^HostbasedAuthentication.*/HostbasedAuthentication no/g' /etc/ssh/sshd_config"
+ subprocess.run(cmd, shell=True, check=True)
+ print('[OK] fix suff')
+
+if __name__ == '__main__':
+ fix_ssh_hostbased_auth()
\ No newline at end of file
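Review bot: The bare `except:` in check_ssh_hostbased_auth reports every failure as `[OK] ... not configured`, so an unreadable /etc/ssh/sshd_config (a non-root run on distributions that ship it mode 600) or a missing grep binary becomes a pass — the check fails open. Distinguish grep's "no match" from real errors: `except subprocess.CalledProcessError as err:` / `if err.returncode != 1: l_print("[WARNING] 无法读取sshd_config", "[WARNING] could not read sshd_config"); return`, and let any other exception surface; the `is_root()` helper defined above is never called and could gate the read. `grep '^HostbasedAuthentication'` also sees neither `Include`d files under sshd_config.d nor indented lines inside `Match` blocks, so a `yes` set there goes unnoticed — at least a comment on the grep line should state that only the top-level file is inspected.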
diff --git a/data/BaseLine/RemoteServices/ssh/check_ssh_login_timeout/check_ssh_login_timeout.py b/data/BaseLine/RemoteServices/ssh/check_ssh_login_timeout/check_ssh_login_timeout.py
new file mode 100644
index 0000000000000000000000000000000000000000..081594815ea9be12dae66029c4955593841f4efc
--- /dev/null
+++ b/data/BaseLine/RemoteServices/ssh/check_ssh_login_timeout/check_ssh_login_timeout.py
@@ -0,0 +1,93 @@
+# [OK] 为验证通过
+# [WARNING] 为风险提示
+
+import re
+import subprocess
+import os
+import sys
+
+arg_lang = ""
+################################
+# 常量
+
+# for get_env_lang()
+STR_GET_ENV_LANG_ZH = "语言环境为中文"
+STR_GET_ENV_LANG_EN = "语言环境为英文"
+STR_GET_ENV_LANG_UNKNOW = "语言环境未知"
+
+# for is_root()
+STR_IS_ROOT_TRUE = "当前用户为root权限"
+STR_IS_ROOT_FALSE = "当前用户没有root权限"
+
+################################
+# 环境检查函数
+
+def get_env_lang():
+# lang = os.getenv("LANG")
+# if lang.startswith("zh"):
+# return STR_GET_ENV_LANG_ZH
+# elif lang.startswith("en"):
+# return STR_GET_ENV_LANG_EN
+# else:
+# return STR_GET_ENV_LANG_UNKNOW
+#
+ if arg_lang == "zh":
+ return STR_GET_ENV_LANG_ZH
+ elif arg_lang == "en":
+ return STR_GET_ENV_LANG_EN
+ else:
+ return STR_GET_ENV_LANG_UNKNOW
+
+def is_root():
+ if os.geteuid() == 0:
+ print(STR_IS_ROOT_TRUE)
+ return True
+ else:
+ print(STR_IS_ROOT_FALSE)
+ return False
+
+def is_root():
+ if os.geteuid() == 0:
+ print(STR_IS_ROOT_TRUE)
+ return True
+ else:
+ print(STR_IS_ROOT_FALSE)
+ return False
+
+################################
+# 辅助函数
+def l_print(zh_str, en_str) :
+ if STR_GET_ENV_LANG_ZH == get_env_lang() :
+ print(zh_str);
+ else :
+ print(en_str);
+
+################################
+# 功能函数
+
+# 确保SSH登录连接超时小于等于60秒
+def check_ssh_login_timeout():
+ output = subprocess.check_output("grep 'LoginGraceTime' /etc/ssh/sshd_config", shell=True)
+ output = output.decode('utf-8').strip()
+ pattern = r'^LoginGraceTime\s+(.*)$'
+ match = re.search(pattern, output)
+ if match:
+ if "60s" in match.group(1):
+ l_print("[OK] SSH登录连接超时 检查通过",
+ "[OK] SSH login timeout check passed")
+ else:
+ l_print(f"[WARNING] SSH登录连接超时 设置为 {match.group(1)}",
+ f"[WARNING] SSH login timeout set to {match.group(1)}")
+ else:
+ l_print("[OK] SSH登录连接超时未配置 检查通过",
+ "[OK] SSH login timeout not configured check passed")
+
+# 示例代码主函数
+def main():
+
+ check_ssh_login_timeout()
+
+if __name__ == '__main__':
+ arg_lang = sys.argv[1]
+
+ main()
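Review bot: `if "60s" in match.group(1)` is a substring test and does not implement the "≤ 60 seconds" rule this check claims: `LoginGraceTime 30` or `LoginGraceTime 45s` are flagged while `LoginGraceTime 160s` passes, and `LoginGraceTime 0` (no limit) also passes. The unanchored `grep 'LoginGraceTime'` returns the commented default `#LoginGraceTime 2m` as its first hit, and because `re.search` has no `re.MULTILINE` a real directive on a later line is never examined, so the function prints "not configured ... passed"; that verdict is itself wrong, since sshd's built-in default of 2m exceeds the baseline. Unlike the sibling checks in this commit there is no try/except, so grep exiting 1 (no match) raises `CalledProcessError` and the script dies with a traceback instead of a verdict; `is_root` is also defined twice. The rewrite below parses the value with its unit, anchors the grep, examines only the first directive (sshd uses the first occurrence) and treats read failures and the default as `[WARNING]`.
```python
# … unchanged: constants, get_env_lang, is_root, l_print …

# sshd time suffixes; a bare number is seconds. Combined forms like "1h30m" are not handled.
_TIME_UNITS = {"": 1, "s": 1, "m": 60, "h": 3600, "d": 86400, "w": 604800}

def _grace_seconds(value):
    """Convert an sshd time value such as '30', '60s' or '2m' to seconds; None if unparseable."""
    m = re.fullmatch(r"(\d+)([smhdw]?)", value.strip().lower())
    return int(m.group(1)) * _TIME_UNITS[m.group(2)] if m else None

# 确保SSH登录连接超时小于等于60秒
def check_ssh_login_timeout():
    try:
        output = subprocess.check_output(["grep", "^LoginGraceTime", "/etc/ssh/sshd_config"])
    except subprocess.CalledProcessError as err:
        if err.returncode != 1:  # 1 = no match; anything else means the file could not be read
            l_print("[WARNING] 无法读取sshd_config", "[WARNING] could not read sshd_config")
            return
        output = b""
    # sshd honours the first occurrence of a directive, so only the first line matters
    first = output.decode("utf-8").strip().splitlines()[:1]
    match = re.match(r"^LoginGraceTime\s+(\S+)", first[0]) if first else None
    if not match:
        # not configured means sshd's built-in default (2m), which is above the 60s baseline
        l_print("[WARNING] SSH登录连接超时未配置(默认2m)", "[WARNING] SSH login timeout not configured (default 2m)")
        return
    seconds = _grace_seconds(match.group(1))
    if seconds is not None and 0 < seconds <= 60:  # 0 disables the limit entirely
        l_print("[OK] SSH登录连接超时 检查通过", "[OK] SSH login timeout check passed")
    else:
        l_print(f"[WARNING] SSH登录连接超时 设置为 {match.group(1)}", f"[WARNING] SSH login timeout set to {match.group(1)}")

# … unchanged: main and __main__ guard …
```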
diff --git a/data/BaseLine/RemoteServices/ssh/check_ssh_login_timeout/check_ssh_login_timeout.yaml b/data/BaseLine/RemoteServices/ssh/check_ssh_login_timeout/check_ssh_login_timeout.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..e59aeca0ec3ffb465f621f81d72df83b9a319f54
--- /dev/null
+++ b/data/BaseLine/RemoteServices/ssh/check_ssh_login_timeout/check_ssh_login_timeout.yaml
@@ -0,0 +1,23 @@
+FormatVer: 20230518
+Id: check_ssh_login_timeout
+Belong: baseline
+SiteInfo:
+ Name: 远程服务检测 -- 确保SSH登录连接超时小于等于60秒
+Power :
+SiteRequests:
+ Implement:
+ ImArray:
+ - Inter : python3
+ InterArgs :
+ Exec : check_ssh_login_timeout.py
+ Args :
+ - zh
+ Inter:
+ - "[WARNING]"
+ Condition: None
+RepairArgs:
+ - Inter : python3
+ InterArgs :
+ Exec : fix_ssh_login_timeout.py
+ Args :
+ RepairPower: root # root权限或者普通用户权限
diff --git a/data/BaseLine/RemoteServices/ssh/check_ssh_login_timeout/fix_ssh_login_timeout.py b/data/BaseLine/RemoteServices/ssh/check_ssh_login_timeout/fix_ssh_login_timeout.py
new file mode 100644
index 0000000000000000000000000000000000000000..e060fb1401eb8a7ddc0e68a4da00eee72e73beb5
--- /dev/null
+++ b/data/BaseLine/RemoteServices/ssh/check_ssh_login_timeout/fix_ssh_login_timeout.py
@@ -0,0 +1,13 @@
+# [OK]为修复成功
+# 执行修复脚本权限需要root权限执行
+
+import subprocess
+
+# 确保SSH登录连接超时小于等于60秒
+def fix_ssh_login_timeout():
+ cmd = "sed -i 's/^LoginGraceTime.*/LoginGraceTime 60s/g' /etc/ssh/sshd_config"
+ subprocess.run(cmd, shell=True, check=True)
+ print('[OK] fix suff')
+
+if __name__ == '__main__':
+ fix_ssh_login_timeout()
\ No newline at end of file
diff --git a/data/BaseLine/RemoteServices/ssh/check_ssh_max_login_attempts/check_ssh_max_login_attempts.py b/data/BaseLine/RemoteServices/ssh/check_ssh_max_login_attempts/check_ssh_max_login_attempts.py
new file mode 100644
index 0000000000000000000000000000000000000000..c346b587ec0d3e161654cc4ec7fe7403c8170da5
--- /dev/null
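Review bot: `sed -i 's/^LoginGraceTime.*/LoginGraceTime 60s/g'` in fix_ssh_login_timeout only rewrites a line that already begins with `LoginGraceTime`; when the directive is absent or present only as the commented default, sshd keeps its built-in 2m and the script still prints `[OK] fix suff`, leaving the host outside the 60s baseline. After the sed, test whether an uncommented line now exists, e.g. `subprocess.run(['grep', '-q', '^LoginGraceTime', '/etc/ssh/sshd_config'])`, and if its return code is 1 append `LoginGraceTime 60s` — taking care to place it before any `Match` block, since directives after a `Match` line are scoped to that block. The same gap is in fix_ssh_login_max_attempts.py in this commit, where sshd's default MaxAuthTries of 6 is likewise above the baseline the check enforces.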
+++ b/data/BaseLine/RemoteServices/ssh/check_ssh_max_login_attempts/check_ssh_max_login_attempts.py 
@@ -0,0 +1,90 @@
+# [OK] 为验证通过
+# [WARNING] 为风险提示
+
+import re
+import subprocess
+import os
+import sys
+
+arg_lang = ""
+
+################################
+# 常量
+
+# for get_env_lang()
+STR_GET_ENV_LANG_ZH = "语言环境为中文"
+STR_GET_ENV_LANG_EN = "语言环境为英文"
+STR_GET_ENV_LANG_UNKNOW = "语言环境未知"
+
+# for is_root()
+STR_IS_ROOT_TRUE = "当前用户为root权限"
+STR_IS_ROOT_FALSE = "当前用户没有root权限"
+
+################################
+# 环境检查函数
+
+def get_env_lang():
+# lang = os.getenv("LANG")
+# if lang.startswith("zh"):
+# return STR_GET_ENV_LANG_ZH
+# elif lang.startswith("en"):
+# return STR_GET_ENV_LANG_EN
+# else:
+# return STR_GET_ENV_LANG_UNKNOW
+#
+ if arg_lang == "zh":
+ return STR_GET_ENV_LANG_ZH
+ elif arg_lang == "en":
+ return STR_GET_ENV_LANG_EN
+ else:
+ return STR_GET_ENV_LANG_UNKNOW
+
+def is_root():
+ if os.geteuid() == 0:
+ print(STR_IS_ROOT_TRUE)
+ return True
+ else:
+ print(STR_IS_ROOT_FALSE)
+ return False
+
+################################
+# 辅助函数
+def l_print(zh_str, en_str) :
+ if STR_GET_ENV_LANG_ZH == get_env_lang() :
+ print(zh_str);
+ else :
+ print(en_str);
+
+################################
+# 功能函数
+
+# 确保SSH登录最大尝试次数小于等于4次
+def check_ssh_max_login_attempts():
+ try:
+ output = subprocess.check_output("grep '^MaxAuthTries' /etc/ssh/sshd_config", shell=True)
+ output = output.decode('utf-8').strip()
+ pattern = r'^MaxAuthTries\s+(.*)$'
+ match = re.search(pattern, output)
+ if match:
+ if "4" in match.group(1):
+ l_print("[OK] SSH 最大尝试登录次数 检测通过",
+ "[OK] SSH max login attempts check passed")
+ else:
+ l_print(f"[WARNING] SSH 最大尝试登录次数设置为 {match.group(1)}",
+ f"[WARNING] SSH max login attempts set to {match.group(1)}")
+ else:
+ l_print("[OK] SSH 最大尝试登录次数未配置 检测通过",
+ "[OK] SSH max login attempts not configured,check passed")
+ except:
+ l_print("[OK] SSH 最大尝试登录次数未配置 检测通过",
+ "[OK] SSH max login attempts not configured,check passed")
+
+# 示例代码主函数
+def main():
+
+ check_ssh_max_login_attempts()
+
+if __name__ == '__main__':
+ arg_lang = sys.argv[1]
+
+ main()
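Review bot: `if "4" in match.group(1)` is a substring test rather than the `<= 4` comparison the check claims: `MaxAuthTries 14` and `MaxAuthTries 40` pass, while `MaxAuthTries 3` is flagged as a warning. Compare numerically, e.g. `value = match.group(1).strip()` / `if value.isdigit() and int(value) <= 4:`. As in check_ssh_hostbased_auth.py in this commit, the bare `except:` turns an unreadable sshd_config into `[OK] ... not configured`, and here "not configured" is itself a false pass because sshd's built-in MaxAuthTries default is 6, above the baseline; both cases should emit a `[WARNING]`.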
diff --git a/data/BaseLine/RemoteServices/ssh/check_ssh_max_login_attempts/check_ssh_max_login_attempts.yaml b/data/BaseLine/RemoteServices/ssh/check_ssh_max_login_attempts/check_ssh_max_login_attempts.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..0ef7cbed441628d7f7581dcd5c0b2fa627784fa7
--- /dev/null
+++ b/data/BaseLine/RemoteServices/ssh/check_ssh_max_login_attempts/check_ssh_max_login_attempts.yaml
@@ -0,0 +1,23 @@
+FormatVer: 20230518
+Id: check_ssh_max_login_attempts
+Belong: baseline
+SiteInfo:
+ Name: 远程服务检测 -- 确保SSH登录最大尝试次数小于等于4次
+Power :
+SiteRequests:
+ Implement:
+ ImArray:
+ - Inter : python3
+ InterArgs :
+ Exec : check_ssh_max_login_attempts.py
+ Args :
+ - zh
+ Inter:
+ - "[WARNING]"
+ Condition: None
+RepairArgs:
+ - Inter : python3
+ InterArgs :
+ Exec : fix_ssh_login_max_attempts.py
+ Args :
+ RepairPower: root # root权限或者普通用户权限
diff --git a/data/BaseLine/RemoteServices/ssh/check_ssh_max_login_attempts/fix_ssh_login_max_attempts.py b/data/BaseLine/RemoteServices/ssh/check_ssh_max_login_attempts/fix_ssh_login_max_attempts.py
new file mode 100644
index 0000000000000000000000000000000000000000..3138459bb68930075be485d0ff78a7796543ead2
--- /dev/null
+++ b/data/BaseLine/RemoteServices/ssh/check_ssh_max_login_attempts/fix_ssh_login_max_attempts.py
@@ -0,0 +1,12 @@
+# [OK]为修复成功
+# 执行修复脚本权限需要root权限执行
+
+import subprocess
+
+# 确保SSH 登录最大尝试次数小于等于4次
+def fix_ssh_login_max_attempts():
+ cmd = "sed -i 's/^MaxAuthTries.*/MaxAuthTries 4/g' /etc/ssh/sshd_config"
+ subprocess.run(cmd, shell=True, check=True)
+ print('[OK] fix suff')
+if __name__ == '__main__':
+ fix_ssh_login_max_attempts()
\ No newline at end of file
diff --git a/data/BaseLine/RemoteServices/ssh/check_ssh_strong_mac/check_ssh_strong_mac.py b/data/BaseLine/RemoteServices/ssh/check_ssh_strong_mac/check_ssh_strong_mac.py
new file mode 100644
index 0000000000000000000000000000000000000000..8a6d314837fc48a702929b754f1f8603503fdaaf
--- /dev/null
+++ b/data/BaseLine/RemoteServices/ssh/check_ssh_strong_mac/check_ssh_strong_mac.py 
@@ -0,0 +1,97 @@
+# [OK] 为验证通过
+# [WARNING] 为风险提示
+
+import re
+import subprocess
+import os
+import sys
+from unittest import result
+
+arg_lang = ""
+
+################################
+# 常量
+
+# for get_env_lang()
+STR_GET_ENV_LANG_ZH = "语言环境为中文"
+STR_GET_ENV_LANG_EN = "语言环境为英文"
+STR_GET_ENV_LANG_UNKNOW = "语言环境未知"
+
+# for is_root()
+STR_IS_ROOT_TRUE = "当前用户为root权限"
+STR_IS_ROOT_FALSE = "当前用户没有root权限"
+
+################################
+# 环境检查函数
+
+def get_env_lang():
+# lang = os.getenv("LANG")
+# if lang.startswith("zh"):
+# return STR_GET_ENV_LANG_ZH
+# elif lang.startswith("en"):
+# return STR_GET_ENV_LANG_EN
+# else:
+# return STR_GET_ENV_LANG_UNKNOW
+#
+ if arg_lang == "zh":
+ return STR_GET_ENV_LANG_ZH
+ elif arg_lang == "en":
+ return STR_GET_ENV_LANG_EN
+ else:
+ return STR_GET_ENV_LANG_UNKNOW
+
+def is_root():
+ if os.geteuid() == 0:
+ print(STR_IS_ROOT_TRUE)
+ return True
+ else:
+ print(STR_IS_ROOT_FALSE)
+ return False
+
+################################
+# 辅助函数
+def l_print(zh_str, en_str) :
+ if STR_GET_ENV_LANG_ZH == get_env_lang() :
+ print(zh_str);
+ else :
+ print(en_str);
+
+################################
+# 功能函数
+
+# 确保SSH配置使用强MAC算法
+def check_ssh_strong_mac():
+ try:
+ output = subprocess.check_output("grep 'MACs' /etc/ssh/ssh_config", shell=True)
+
+ result=str(output).find("#")
+ if result == -1:
+ output = output.decode('utf-8').strip()
+ pattern = r'^MACs\s+([^\s]+)'
+ match = re.search(pattern, output)
+ if match:
+ if "hmac-sha2-512,hmac-sha2-256,hmac-ripemd160" in match.group(1):
+ l_print("[OK] SSH 强MAC算法 检测通过",
+ "[OK] SSH strong MAC check passed")
+ else:
+ l_print(f"[WARNING] SSH MAC算法设置为 {match.group(1)}",
+ f"[WARNING] SSH MACs set to {match.group(1)}")
+ else:
+ l_print("[OK] SSH MAC算法未配置 检测通过",
+ "[OK] SSH MACs not configured check passed")
+ else :
+ l_print("[OK] SSH MAC算法未配置 检测通过1",
+ "[OK] SSH MACs not configured check passed")
+
+ except ValueError as err:
+ # print(err)
+ l_print("[OK] SSH MAC算法未配置 检测通过0",
+ "[OK] SSH MACs not configured check passed")
+# 示例代码主函数
+def main():
+ check_ssh_strong_mac()
+
+if __name__ == '__main__':
+ arg_lang = sys.argv[1]
+
+ main()
diff --git a/data/BaseLine/RemoteServices/ssh/check_ssh_strong_mac/check_ssh_strong_mac.yaml b/data/BaseLine/RemoteServices/ssh/check_ssh_strong_mac/check_ssh_strong_mac.yaml
new file mode 100644
index 0000000000000000000000000000000000000000..a957c36e988d0fe5442af75d54661a2593cd657c
--- /dev/null
+++ b/data/BaseLine/RemoteServices/ssh/check_ssh_strong_mac/check_ssh_strong_mac.yaml
@@ -0,0 +1,23 @@
+FormatVer: 20230518
+Id: check_ssh_strong_mac
+Belong: baseline
+SiteInfo:
+ Name: 远程服务检测 -- 确保SSH配置使用强MAC算法
+Power :
+SiteRequests:
+ Implement:
+ ImArray:
+ - Inter : python3
+ InterArgs :
+ Exec : check_ssh_strong_mac.py
+ Args :
+ - zh
+ Inter:
+ - "[WARNING]"
+ Condition: None
+RepairArgs:
+ - Inter : python3
+ InterArgs :
+ Exec : fix_ssh_strong_mac.py
+ Args :
+ RepairPower: root # root权限或者普通用户权限
diff --git a/data/BaseLine/RemoteServices/ssh/check_ssh_strong_mac/fix_ssh_strong_mac.py b/data/BaseLine/RemoteServices/ssh/check_ssh_strong_mac/fix_ssh_strong_mac.py
new file mode 100644
index 0000000000000000000000000000000000000000..2c9534243c9f8629810d8b332b38bddd70cb18ae
--- /dev/null
+++ b/data/BaseLine/RemoteServices/ssh/check_ssh_strong_mac/fix_ssh_strong_mac.py
@@ -0,0 +1,12 @@
+# [OK]为修复成功
+# 执行修复脚本权限需要root权限执行
+
+import subprocess
+
+# 确保SSH配置使用强MAC算法
+def fix_ssh_strong_mac():
+ cmd = "sed -i 's/MACs.*/MACs hmac-sha2-512,hmac-sha2-256,hmac-ripemd160/g' /etc/ssh/ssh_config"
+ subprocess.run(cmd, shell=True, check=True)
+ print('[OK] fix suff')
+if __name__ == '__main__':
+ fix_ssh_strong_mac()
\ No newline at end of file
diff --git a/exp_dir/data b/exp_dir/data
deleted file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..0000000000000000000000000000000000000000
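Review bot: `except ValueError` in check_ssh_strong_mac does not cover the `subprocess.CalledProcessError` that `check_output` raises when grep finds no `MACs` line (exit 1), so a host without that directive dies with a traceback instead of printing a verdict; catch `subprocess.CalledProcessError` and treat return code 1 as "not configured", anything else as a read failure. `str(output).find("#")` scans every grep hit, so the commented sample `MACs` line that distributions ship in ssh_config sends the whole check down the `检测通过1` branch even when an active directive follows — anchor the grep (`grep '^MACs'`, or `^\s*MACs` if indented `Host` sections are expected) and drop the `#` test. The required value is matched as one fixed substring, so a stronger list such as the `-etm@openssh.com` variants is reported as a `[WARNING]`; checking each comma-separated entry against an allowlist is more robust, and `hmac-ripemd160` was removed from OpenSSH in 7.6, so it does not belong in that allowlist. The file inspected is the client config /etc/ssh/ssh_config; if this baseline is meant for the server, /etc/ssh/sshd_config is the one to read. `from unittest import result` is unused (the local `result` shadows it) and can go.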
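Review bot: The sed pattern `s/MACs.*/.../g` in fix_ssh_strong_mac is unanchored, so it rewrites commented lines (the ssh_config sample `#   MACs ...` stays commented and nothing takes effect) and any other line that merely contains `MACs`, while a file with no MACs line is left untouched yet still reported `[OK] fix suff`. Anchor it to `^MACs` and append the directive when no uncommented line exists. The value it writes includes `hmac-ripemd160`, which OpenSSH removed in 7.6, so on a current client the resulting config should be rejected as a bad MAC spec; validate before reporting success (`ssh -G localhost` for the client file, `sshd -t` if the server file is the real target) and write only MACs the installed version supports.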
diff --git a/src/exp_dir/data b/src/exp_dir/data
deleted file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..0000000000000000000000000000000000000000
diff --git a/src/exp_dir/data2 b/src/exp_dir/data2
deleted file mode 100644
index e69de29bb2d1d6434b8b29ae775ad8c2e48c5391..0000000000000000000000000000000000000000
diff --git a/src/exp_dir/uaf b/src/exp_dir/uaf
deleted file mode 120000
index 460aa0ea10b839c0a511fa2428884291a66d5c1d..0000000000000000000000000000000000000000
--- a/src/exp_dir/uaf
+++ /dev/null
@@ -1 +0,0 @@
-./data
\ No newline at end of file