安全资讯

安全计算环境-二级等级保护测评指导和自动化脚本

安全计算环境-二级等级保护测评指导和自动化脚本

前言

在等级保护测评工作如何更快的进行测评工作是一个问题,有的系统涉及很多设备手动挨个去点击和测试看结果会让进度非常缓慢,因此作者根据互联网已有的脚本和二级测评要求来优化总结出了一些安全计算环境的测评技术步骤和自动化检测基线。希望能够帮助做等级保护测评的读者提升一些工作效率。如文中有一些错误还希望大家进行私信更正,防止让使用者出坑。

终端设备

Windows

将下方给出的脚本复制保存为.bat运行即可,管理员权限运行会自动导出检测结果。之后只看导出的结果可以快速填写现场测评记录。

@echo offfor /f "tokens=4" %%a in ('route print^|findstr 0.0.0.0.*0.0.0.0') do ( if not "%%a" == "默认" set IPaddress=%%a)cd C:\md %IPaddress%cd %IPaddress%echo 1.系统信息(CreatedbyG) > %IPaddress% systeminfo >> %IPaddress%echo 2.网卡信息(CreatedbyG) >> %IPaddress% ipconfig >> %IPaddress%echo 3.监听端口(CreatedbyG) >> %IPaddress% netstat -an | find "LISTENING" >> %IPaddress%echo 4.系统服务(CreatedbyG) >> %IPaddress% net start >> %IPaddress%echo 5.系统进程(CreatedbyG) >> %IPaddress% tasklist >> %IPaddress%echo 6.软件列表(CreatedbyG) >> %IPaddress% for /f "tokens=3 delims=\" %%i in ('reg query HKLM\SOFTWARE') do ( >> %IPaddress%                echo  ****************** >> %IPaddress%                echo  软件名称:%%i >> %IPaddress%                echo  ****************** if not "%%i"=="Classes" for /f "tokens=4 delims=\" %%j in ('reg query HKLM\SOFTWARE\%%i 2^>nul') do (echo 软件信息: %%j>> %IPaddress%) ) echo 7.本地策略(CreatedbyG) >> %IPaddress% secedit /export /cfg C:\temp.txt echo ---密码策略--- >> %IPaddress% echo "0表示禁用,1表示启用" >> %IPaddress% echo *密码必须符合复杂性要求* >> %IPaddress% find "PasswordComplexity" C:\temp.txt |find "PasswordComplexity = ">> %IPaddress% echo *密码长度最小值* >> %IPaddress% find "MinimumPasswordLength" C:\temp.txt|find "MinimumPasswordLength = " >> %IPaddress% echo *密码最短使用期限* >> %IPaddress% find "MinimumPasswordAge" C:\temp.txt|find "MinimumPasswordAge = " >> %IPaddress% echo *密码最长使用期限* >> %IPaddress% find "MaximumPasswordAge" C:\temp.txt|find "MaximumPasswordAge = " >> %IPaddress% echo *强制密码历史* >> %IPaddress% find "PasswordHistorySize" C:\temp.txt|find "PasswordHistorySize = " >> %IPaddress% echo *用可还原的加密来存储密码* >> %IPaddress% find "ClearTextPassword" C:\temp.txt|find "ClearTextPassword = " >> %IPaddress% echo ---账户锁定策略(无结果表示未开启)--- >> %IPaddress% echo *账户锁定时间* >> %IPaddress% find "LockoutDuration" C:\temp.txt |find "LockoutDuration" >> %IPaddress% echo *复位账户锁定计时器* >> %IPaddress% find "ResetLockoutCount" C:\temp.txt |find "ResetLockoutCount">> %IPaddress% echo *账户锁定阈值* >> %IPaddress% find "LockoutBadCount" C:\temp.txt |find "LockoutBadCount" >> %IPaddress% echo ---审核策略--- >> %IPaddress% echo ---0表示无审核,1表示成功审核,2表示失败审核,3表示成功和失败审核--- >> %IPaddress% echo *审核帐户管理* >> %IPaddress% find "AuditAccountManage" C:\temp.txt | find "AuditAccountManage" >> %IPaddress% echo *审核帐户登录事件* >> %IPaddress% find "AuditAccountLogon" C:\temp.txt | find "AuditAccountLogon" >> %IPaddress% echo *审核系统事件* >> %IPaddress% find "AuditSystemEvents" C:\temp.txt | find "AuditSystemEvents" >> %IPaddress% echo *审核目录服务访问* >> %IPaddress% find "AuditDSAccess" C:\temp.txt | find "AuditDSAccess" >> %IPaddress% echo *审核过程跟踪* >> %IPaddress% find "AuditProcessTracking" C:\temp.txt | find "AuditProcessTracking" >> %IPaddress% echo *审核特权使用* >> %IPaddress% find "AuditPrivilegeUse" C:\temp.txt | find "AuditPrivilegeUse" >> %IPaddress% echo *审核对象访问* >> %IPaddress% find "AuditObjectAccess" C:\temp.txt | find "AuditObjectAccess" >> %IPaddress% echo *审核登录事件* >> %IPaddress% find "AuditLogonEvents" C:\temp.txt | find "AuditLogonEvents" >> %IPaddress% echo *审核策略更改* >> %IPaddress% find "AuditPolicyChange" C:\temp.txt | find "AuditPolicyChange" >> %IPaddress% echo ---安全选项--- >> %IPaddress% echo *0表示已停用,1表示已启用* >> %IPaddress% echo *在挂起会话之前所需的空闲时间* >> %IPaddress% find "AutoDisconnect" C:\temp.txt | find "AutoDisconnect" >> %IPaddress% echo *不显示上次登录的用户名* >> %IPaddress% find "DontDisplayLastUserName" C:\temp.txt | find "DontDisplayLastUserName" >> %IPaddress% echo *关机前清理虚拟内存页面* >> %IPaddress% find "ClearPageFileAtShutdown" C:\temp.txt | find "ClearPageFileAtShutdown" >> %IPaddress% echo *允许在未登录前关机* >> %IPaddress% find "ShutdownWithoutLogon" C:\temp.txt | find "ShutdownWithoutLogon" >> %IPaddress% echo ---用户权利分配---  >> %IPaddress% echo (Everyone:*S-1-1-0  Administrators:*S-1-5-32-544  Users:*S-1-5-32-545  Power Users:*S-1-5-32-547  Backup Operators:*S-1-5-32-551) >> %IPaddress% echo *从远程系统强制关机* >> %IPaddress% find "SeRemoteShutdownPrivilege" C:\temp.txt | find "SeRemoteShutdownPrivilege" >> %IPaddress% echo *取得文件或其他对象所有权* >> %IPaddress% find "SeTakeOwnershipPrivilege" C:\temp.txt | find "SeTakeOwnershipPrivilege" >> %IPaddress% echo *从本地登录此计算机* >> %IPaddress% find "SeInteractiveLogonRight" C:\temp.txt | find "SeInteractiveLogonRight" >> %IPaddress% echo *允许通过远程桌面服务登录* >> %IPaddress% find "SeRemoteInteractiveLogonRight" C:\temp.txt | find "SeRemoteInteractiveLogonRight" >> %IPaddress% echo *调试程序* >> %IPaddress% find "SeDebugPrivilege" C:\temp.txt | find "SeDebugPrivilege" >> %IPaddress% echo *更改系统时间* >> %IPaddress% find "SeSystemtimePrivilege" C:\temp.txt | find "SeSystemtimePrivilege" >> %IPaddress% echo *管理审核和安全日志* >> %IPaddress% find "SeSecurityPrivilege" C:\temp.txt | find "SeSecurityPrivilege" >> %IPaddress% del C:\temp.txtecho 8.系统用户(CreatedbyG) >> %IPaddress% net user >> %IPaddress% for /f "skip=4 delims=" %%a in ('net user^|findstr /vx "命令成功完成。"') do for %%i in (%%a) do net user %%i >> %IPaddress% net localgroup >> %IPaddress% net localgroup Administrators >> %IPaddress%  net localgroup Guests >> %IPaddress% echo 9.其它选项(CreatedbyG) >> %IPaddress%  echo *自动播放* (oxff为关闭全部自动播放,无结果则开启) >> %IPaddress% reg query HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoDriveTypeAutoRun |find "NoDriveTypeAutoRun" >> %IPaddress% echo ---屏幕保护程序--- >> %IPaddress% echo *是否开启屏保* (0关,1开)>> %IPaddress% reg query "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveActive |find "ScreenSaveActive" >> %IPaddress% echo *屏保时间*(单位秒)>> %IPaddress% reg query "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaveTimeOut |find "ScreenSaveTimeOut" >> %IPaddress% echo *屏保恢复时使用密码保护* (0否,1是)>> %IPaddress% reg query "HKEY_CURRENT_USER\Control Panel\Desktop" /v ScreenSaverIsSecure |find "ScreenSaverIsSecure" >> %IPaddress% echo *防火墙状态*(1开,0关)>> %IPaddress% reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile /v EnableFirewall |find "EnableFirewall" >> %IPaddress% echo *远程桌面* (0开,1关) >> %IPaddress% reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections |find "fDenyTSConnections" >> %IPaddress% echo *3389端口* (d3d:3389) >> %IPaddress% reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp" /v PortNumber |find "PortNumber" >> %IPaddress% echo *远程协助* (0关(合规),1开) >> %IPaddress% reg query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\Remote Assistance" /v fAllowToGetHelp |find "fAllowToGetHelp" >> %IPaddress% echo *日志文件大小*  >> %IPaddress% echo *应用日志文件大小*(0x2800000以上为合规)  >> %IPaddress% reg query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application" /v MaxSize |find "MaxSize" >> %IPaddress% echo *达到事件日志最大大小时*(不存在或0均合规)  >> %IPaddress% reg query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Application" /v Retention |find "Retention" >> %IPaddress% echo *安全日志文件大小*(0x2800000以上为合规)  >> %IPaddress% reg query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security" /v MaxSize |find "MaxSize" >> %IPaddress% echo *达到事件日志最大大小时*(不存在或0均合规)  >> %IPaddress% reg query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\Security" /v Retention |find "Retention" >> %IPaddress% echo *系统日志文件大小*(0x2800000以上为合规)  >> %IPaddress% reg query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\System" /v MaxSize |find "MaxSize" >> %IPaddress% echo *达到事件日志最大大小时*(不存在或0均合规)  >> %IPaddress% reg query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Eventlog\System" /v Retention |find "Retention" >> %IPaddress% echo *默认共享*(注册表 + net share查看)  >> %IPaddress% echo *分区共享*(存在且为0,为合规)  >> %IPaddress% reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters" /v AutoShareServer |find "AutoShareServer" >> %IPaddress% echo *ADMIN共享*(存在且为0,为合规) >> %IPaddress% reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters" /v AutoShareWks |find "AutoShareWks" >> %IPaddress% echo *IPC共享* (存在且为1,为合规) >> %IPaddress% reg query "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa" /v restrictanonymous |find "restrictanonymous" >> %IPaddress% echo *共享列表*  >> %IPaddress% reg query "HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\lanmanserver\shares" >> %IPaddress% echo *默认共享*  >> %IPaddress% net share >> %IPaddress% copy C:\Windows\WindowsUpdate.log .\ ren WindowsUpdate.log %IPaddress%.updatelog reg save hklm\sam %IPaddress%.sam reg save hklm\system %IPaddress%.systempause

Windows的一些快速命令可以帮助提升测评时间的命令,因为有一些测评项是需要打开Windows内置的一些面板去看配置策略是否合规的,使用下方命令就不用鼠标手动点过去了,直接命令执行快速打开面板!

calc                            计算器 notepad                         记事本 taskmgr                         任务管理器 osk                             打开屏幕键盘 gpedit.msc                      组策略 services.msc                    本地服务 compmgmt.msc                    计算机管理 devmgmt.msc                     设备管理器 winver                          查看系统版本 magnify                         放大镜实用程序 eventvwr                        事件查看器 Regedit                         打开注册表 resmon                          资源监视器 WMIC BIOS get releasedate       查看电脑生产日期

Linux

复制另存为.sh文件给与相应执行权限执行会自动导出结果到文本文件。可能还是有一些测评项没有包括在下方脚本内,使用者可以根据自己的情况对此进行优化和添加。

#!/bin/sh#网络信息echo -----------@ifconfig -a >> check.txtifconfig -a >> check.txt#系统内核、名称和版本echo -----------@uname -a >> check.txtuname -a >> check.txtecho -----------@cat /etc/redhat-release >> check.txtcat /etc/redhat-release >> check.txt#系统登录是否需要密码echo -----------@cat /etc/passwd >> check.txtcat /etc/passwd >> check.txt#系统hosts.equiv是否存在主机和用户echo -----------@cat /etc/hosts.equiv >> check.txtcat /etc/hosts.equiv >> check.txt#密码长度和更换周期echo -----------@cat /etc/login.defs >> check.txtcat /etc/login.defs >> check.txtecho -----------@cat /etc/security/pwquality.confcat /etc/security/pwquality.conf#密码复杂度和登录失败处理功能echo -----------@cat /etc/pam.d/system-auth >> check.txtcat /etc/pam.d/system-auth >> check.txt#是否关闭telnetecho -----------@cat /etc/xinetd/krb5-telnet >> check.txtcat /etc/xinetd/krb5-telnet >> check.txt#查看主机运行端口echo -----------@netstat -an >> check.txtnetstat -an >> check.txt#查看是否有多余的、过期的账户echo -----------@cat /etc/shadow >> check.txtcat /etc/shadow >> check.txt#查看审计功能有没有开启echo -----------@service rsyslog status >> check.txtservice rsyslog status >> check.txt#查看审计功能有没有开启守护进程echo -----------@service auditd status >> check.txt service auditd status >> check.txt#查看审计功能记录echo -----------@cat /etc/syslog.conf >> check.txtcat /etc/syslog.conf >> check.txt#版本不同查询不同echo -----------@cat /etc/rsyslog.conf >> check.txtcat /etc/rsyslog.conf >> check.txt#系统启动后的信息和错误日志及所在文件中的权限echo -----------@cat /var/log/message >> check.txtcat /var/log/message >> check.txtecho -----------@ls -l /var/log/message >> check.txtls -l /var/log/message >> check.txt#系统安全相关的日志信息及所在文件中的权限echo -----------@cat /var/log/secure >> check.txtcat /var/log/secure >> check.txtecho -----------@ls -l /var/log/secure >> check.txtls -l /var/log/secure >> check.txt#系统守护进程启动和停止相关的日志消息及所在文件中的权限echo -----------@cat /var/log/boot.log >> check.txtcat /var/log/boot.log >> check.txtecho -----------@ls -l /var/log/ >> check.txtls -l /var/log/ >> check.txt#系统最小安装原则echo -----------@cat /etc/redhat-release >> check.txtcat /etc/redhat-release >> check.txt#系统安装的软件包echo -----------@rpm -q redhat-release >> check.txtcat /etc/redhat-release >> check.txt#终端登录方式echo -----------@cat /etc/securetty >> check.txtcat /etc/securetty >> check.txtecho -----------@cat /etc/ssh/sshd_config >> check.txtcat /etc/ssh/sshd_config >> check.txt#终端超时锁定,查看TMOUTecho -----------@cat /etc/profile >> check.txtcat /etc/profile >> check.txt#最大最小资源使用限制echo -----------@cat /etc/security/limits.conf >> check.txtcat /etc/security/limits.conf >> check.txt#Linux系统主要目录的权限设置情况echo -----------@ls -l /etc/passwd  >> check.txtecho -----------@ls -l /etc/shadow  >> check.txtecho -----------@ls -l /etc/login.defs  >> check.txtecho -----------@ls -l /etc/profile  >> check.txtecho -----------@ls -l /etc/group  >> check.txtecho -----------@ls -l /etc/xinetd.conf  >> check.txtecho -----------@ls -l /etc/security/limits.conf  >> check.txtecho -----------@ls -l /etc/ssh/sshd_config  >> check.txtls -l /etc/passwd  >> check.txtls -l /etc/shadow  >> check.txtls -l /etc/login.defs  >> check.txtls -l /etc/profile  >> check.txtls -l /etc/group  >> check.txtls -l /etc/xinetd.conf  >> check.txtls -l /etc/security/limits.conf  >> check.txtls -l /etc/ssh/sshd_config  >> check.txt #Linux系统主要目录的权限设置情况echo -----------@ls -l /etc | grep pam.d >> check.txtls -l /etc | grep pam.d>> check.txt#Linux系统主要目录的权限设置情况echo -----------@ls -l /etc | grep security >> check.txtls -l /etc | grep security>> check.txt#访问控制列表echo -----------@iptables -L -n -v >> check.txtiptables -L -n -v >> check.txt#查看可登录用户名echo -----------@cat /etc/passwd|grep -v nologin|grep -v sync|grep -v halt|grep -v shutdown|awk -F":" '{ print $1"|"$3"|"$4 }'|more >> check.txtcat /etc/passwd|grep -v nologin|grep -v sync|grep -v halt|grep -v shutdown|awk -F":" '{ print $1"|"$3"|"$4 }'|more >> check.txt#三权分立echo -----------@cat /etc/sudoers >> check.txtcat /etc/sudoers >> check.txt#地址限定echo -----------@cat /etc/hosts.deny >> check.txtcat /etc/hosts.deny >> check.txtecho -----------@cat /etc/hosts.allow >> check.txtcat /etc/hosts.allow >> check.txt#密码复杂度echo -----------@cat /etc/security/pwquality.conf >> check.txtcat /etc/security/pwquality.conf >> check.txt

数据库

SQL Server

微软的mssql数据库大体的一些需要命令测评项是这样,别的直接可视化登录mssql官方的客户端进行鼠标点击进行评测即可

####mssql数据库测试相关命令######身份鉴别###1、右键点击服务器,“属性”-“安全性”,查看服务器身份验证。#2、在Microsoft SQL Server Management Studio中选择服务器组并展开,选择“安全性->登录名”项,右键点击管理员用户的“属性”,在“常规”中 查看“强制实施密码策略”和“强制密码过期”#3、在Microsoft SQL Server Management Studio中登录服务器并展开,右键点击服务器,选择“属性”,选择“高级”项,查看登录超时设定或输入“sp_configure”查看数据库启动的配置参数;其中remote login timeout为远程登录超时设定。 ##访问控制###查看是否存在默认账户select * from syslogins#查看所有数据库登录用户的信息及其权限exec sp_helplogins  ##安全审计##在Microsoft SQL Server Management Studio中登录服务器并展开,右键点击服务器,选择“属性”,选择“安全性”项,查看登录审核和是否启用C2 审计跟踪。#查看“c2 audit mode”项的值,“0”是未开启C2审计,“1”是开启C2审计sp_configure

MySQL

#身份鉴别1)尝试登录数据库,执行mysql -u root -p查看是否提示输入口令鉴别用户身份2)使用如下命令查询账号select user, host FROM mysql.user 结果输出用户列表,查看是否存在相同用户名 3)执行如下语句查询是否在空口令用:select * from mysql.user where length(password)= 0 or password is null输出结果是否为空4)执行如下语句查看用户口令复杂度相关配置:show variables like 'validate%'; 或show VARIABLES like "%password“ 1)询问管理员是否采取其他手段配置数据库登录失败处理功能。2)执行show variables like %max_connect_errors%";或核查my.cnf文件,应设置如下参数:max_connect_errors=1003) show variables like ”%timeout%“,查看返回值 1)是否采用加密等安全方式对系统进行远程管理2)执行show variables like %have_ssl%"查看是否支持ssl的连接特性,若为disabled说明此功能没有激活,或执行\s查看是否启用SSL;3)如果采用本地管理方式,该项为不适用 #访问控制1)执行语句select user,host FROM mysql.user 输出结果是否为网络管理员,安全管理员,系统管理员创建了不同账户:2)执行show grants for' XXXX'@' localhost':查看网络管理员,安全管理员、系统管理员用户账号的权限,权限间是否分离并相互制约 1)执行select user,host FROM mysql.user 输出结果查看root用户是否被重命名或被删除2)若root账户未被删除,是否更改其默认口令,避免空口令或弱口令. 1)在sqlplus中执行命令: select username,account_status from dba_users2)执行下列语句:select * from mysql.user where user=""select user, host FROM mysql.user依次核查列出的账户,是否存在无关的账户。3)访谈网络管理员,安全管理员、系统管理员不同用户是否采用不同账户登录系统 "1.访谈管理员是否制定了访问控制策略2.执行语句:selcec * from mysql.user\G -检查用户权限列selcec * from mysql.db\G --检查数据库权限列selcec * from mysql.tables_priv\G 一检查用户表权限列selcec * from mysql.columns_privi\G -检查列权限列管理员输出的权限列是是否与管理员制定的访问控制策略及规则一致3)登录不同的用户,验证是否存在越权访问的情形" "1)执行下列语句:selcec * from mysql.user\G -检查用户权限列selcec * from mysql.db\G --检查数据库权限列2)访谈管理员并核查访问控制粒度主体是否为用户级,客体是否为数据库表级" #安全审计 "1)执行下列语句:show variables like 'log_%'查看输出的日志内容是否覆盖到所有用户,记录审计记录覆盖内容 2)核查是否采取第三方工具增强MySQL日志功能。若有,记录第三方审计工具的审计内容,查看是否包括事件的日期和时间、用户、事件类型、事件是否成功及其他与审计相关的信息" #入侵防范 "访谈MySQL补丁升级机制,查看补丁安装情况:1)执行如下命令查看当前补于版本:show variables where  variable name like ""version""2)访谈数据库是否为企业版,是否定期进行漏洞扫描,针对高风险漏洞是否评估补丁并经测试后再进行安装"  检查是否对错误日志进行管理: show variables like 'log_error'; 检查是否配置二进制日志: show variables like 'log_bin';show binary logs;检查是否配置通用查询日志安全: show variables like '%general%';检查是否设置禁止MySQL对本地文件存取: show variables like 'local_infile'; load data local infile 'sqlfile.txt' into table users fields terminated by ',';检查test是否已被删除: show databases;检查是否对无关账号进行管理: SELECT user,host FROM mysql.user WHERE user = '';检查是否对user授权表进行控制: SELECT * FROM mysql.user\G;SELECT user,host from mysql.user where (select_priv='Y') or (insert_priv='Y') or (update_priv='Y') or (create_priv='Y') or (drop_priv='Y'); select user, host from mysql.user where File_priv = 'Y';select user, host from mysql.user where Process_priv = 'Y';select user, host from mysql.user where Super_priv = 'Y';SELECT user, host FROM mysql.user WHERE Shutdown_priv = 'Y';SELECT user, host FROM mysql.user WHERE Create_user_priv = 'Y';SELECT user, host FROM mysql.user WHERE Reload_priv = 'Y';SELECT user, host FROM mysql.db WHERE Grant_priv = 'Y';检查是否对db授权表进行控制: SELECT * FROM mysql.db\G;SELECT user, host FROM mysql.db WHERE db='mysql' AND ((select_priv='Y') OR (insert_priv='Y') OR (update_priv='Y') OR (delete_priv='Y') OR (create_priv='Y') OR (drop_priv='Y')); SELECT user,host,db FROM mysql.db WHERE select_priv='Y' OR insert_priv='Y' OR update_priv='Y' OR delete_priv='Y' OR create_priv='Y' OR drop_priv='Y' OR alter_priv='Y';检查是否对账号运行权限进行管理: select * from mysql.user\G;show grants;检查是否配置了单个用户最大连接数: show variables like '%max_connections%'; //整个服务器show variables like 'max_user_connections'; //单个用户最大连接数检查默认管理员账号是否已更名: SELECT * from MySQL.user where user='root';select user,host from user;检查是否使用默认端口: show global variables like 'port';

Oracle

###oracle数据库检测相关命令#### ##身份鉴别###查看数据库所有用户信息select * from sys.dba_profile;#查看账户修改时间(CTIME:创建时间、PTIME:修改时间、EXPTIME:过期时间、LTIME:锁定时间)select * from dba_profiles, dba_users where dba_profiles.profile = dba_users.profile  and dba_users.account_status='OPEN'  and resource_name='PASSWORD_GRACE_TIME';#检查Oracle是否启用口令复杂度函数。select limit from dba_profiles where profile='DEFAULT' and resource_name='PASSWORD_VERIFY_FUNCTION';#查看该口令复杂度函数的中对长度的要求:select text from dba_source where name= 'PASSWORD_VERIFY_FUNCTION' order by line;#查看管理员账户所对应概要文件的FAILED_LOGIN_ATTEMPTS(登录失败次数)的参数值select limit from dba_profiles where profile='DEFAULT' and resource_name='FAILED_LOGIN_ATTEMPTS'; select * from dba_profiles order by 1;#查看管理员账户所对应概要文件的PASSWORD_LOCK_TIME(锁定时间)的参数值。select limit from dba_profiles where profile='DEFAULT' and resource_name='PASSWORD_LOCK_TIME'; #超时的空闲远程连接是否自动断开根据实际需要设置合适的数值。在$ORACLE_HOME/network/admin/sqlnet.ora中设置下面参数:SQLNET.EXPIRE_TIME=10 ##访问控制###查看所有账户(是否存在默认或空口令账户:sys,system,dbsnmp,sysman,mgmt_view5)select username,password from dba_users;##查看管理用户权限分配情况###查看被赋予DBA角色的账户select * from DBA_ROLE_PRIVS where GRANTED_ROLE='DBA';#查看账户“USERNAME”所拥有的角色select * from dba_role_privs where GRANTEE='USERNAME';#查看账户“ROLENAME”所拥有的角色select * from dba_role_privs where GRANTEE='ROLENAME';#查看账户名为“USERNAME”以及该账户拥有的角色“ROLENAME”的系统权限;select * from DBA_SYS_PRIVS where GRANTEE='USERNAME’or GRANTEE='ROLENAME’;#查看账户名为“USERNAME”以及该账户拥有的角色“ROLENAME”的对象权限。select * from DBA_TAB_PRIVS where GRANTEE='USERNAME’or GRANTEE='ROLENAME’;#查看数据库重要的表的访问控制权限(A为表名)select * from dba_tab_privs where table_name = A; ##安全审计###查看系统的审计功能是否开启(None/False未开启,DB/TURE开启,DB只记录连接信息,DB,Extended除连接信#息还包含当时执行的具体语句’,OS审计写入一个操作系统文件)show parameters audit_trail;select value from v$parameter where name='audit_trail';#查看是否对所有sys用户的操作进行了记录;show parameter audit_sys_operations;#查看是否对sel,upd,del,ins操作进行了审计select sel,upd,del,ins from DBA_OBJ_AUDIT_OPTS;#查看针对权限的审计规则配置情况select * from DBA_PRIV_AUDIT_OPTS; ##入侵防范#设定信任IP集cat $ORACLE_HOME/network/admin/sqlnet.ora   1.限制超级管理员远程登录检查方法:使用sqlplus检查参数设置。SQL> show parameter REMOTE_LOGIN_PASSWORDFILE,参数REMOTE_LOGIN_PASSWORDFILE设置为NONE; 修订算法:SQL> alter system set remote_login_passwordfile=none scope=spfile;SQL> shutdown immediateSQL> startup 2.用户属性控制检查方法:查询视图dba_profiles和dba_users来检查profile是否创建。SQL> Select profile from dba_profiles;SQL> Select profile from dba_users;存在default以外的profile即可 修订算法:SQL> create profile maintenance limit  PASSWORD_VERIFY_FUNCTION F_PASSWORD_VERIFYPASSWORD_REUSE_MAX 5PASSWORD_GRACE_TIME 60FAILED_LOGIN_ATTEMPTS 6PASSWORD_LIFE_TIME 90; 3.数据字典访问权限检查方法:使用sqlplus检查参数,SQL> show parameter O7_DICTIONARY_ACCESSIBILITY参数O7_DICTIONARY_ACCESSIBILITY设置为FALSE 修订算法:SQL> alter system set O7_DICTIONARY_ACCESSIBILITY=FALSE scope=spfile;SQL> shutdown immediateSQL> startup 4.账户口令的生存期检查方法:执行select dba_profiles.profile,resource_name, limit from dba_profiles, dba_users where dba_profiles.profile = dba_users.profile  and dba_users.account_status='OPEN'  and resource_name='PASSWORD_GRACE_TIME';查询结果中PASSWORD_GRACE_TIME小于等于90。 修订算法:SQL> alter profile default limit PASSWORD_GRACE_TIME 60; 5.重复口令使用检查方法:执行select dba_profiles.profile,resource_name, limit from dba_profiles, dba_users where dba_profiles.profile = dba_users.profile  and dba_users.account_status='OPEN'  and resource_name='PASSWORD_REUSE_MAX';查询结果中PASSWORD_REUSE_MAX大于等于5。 修订算法:SQL> alter profile default limit PASSWORD_REUSE_MAX 5; 6.认证控制检查方法:执行select dba_profiles.profile,resource_name, limit from dba_profiles, dba_users where dba_profiles.profile = dba_users.profile  and dba_users.account_status='OPEN'  and resource_name='FAILED_LOGIN_ATTEMPTS';查询结果中FAILED_LOGIN_ATTEMPTS等于6。 修订算法:SQL>alter profile default limit FAILED_LOGIN_ATTEMPTS 6; 7.更改默认帐户密码检查方法:sqlplus '/as sysdba'conn system/systemconn system/manager conn sys/sysconn sys/cHAnge_on_install conn scott/scottconn scott/tigerconn dbsnmp/dbsnmp conn rman/rmanconn xdb/xdb以上均不能成功登录 修订算法:不要有空口令和弱口令 8.密码更改策略检查方法:执行select profile,limit from dba_profiles where resource_name='PASSWORD_LIFE_TIME'  and profile in (select profile from dba_users where account_status='OPEN');查询结果中PASSWORD_LIFE_TIME小于等于90。 修订算法:SQL> alter profile default limit PASSWORD_LIFE_TIME 90; 9.密码复杂度策略检查方法:执行select limit from dba_profiles where resource_name = 'PASSWORD_VERIFY_FUNCTION' and profile in (select profile from dba_users where account_status = 'OPEN');select text from dba_source where name='PASSWORD_VERIFY_FUNCTION';查询结果中不为“NULL”且策略为口令长度至少8位,并包括数字、小写字母、大写字母和特殊符号4类中至少3类 修订算法:创建复杂度策略使用 sys 用户登录,执行如下脚本:D:\app\administrator\product\11.2.0\dbhome_1\RDBMS\ADMIN\utlpwdmg.sqloracle 10g, 必须使用sys用户登录,oracle 11g,可以使用 system创建; 然后执行如下脚本:ALTER PROFILE DEFAULT LIMITPASSWORD_LIFE_TIME 90PASSWORD_GRACE_TIME 60PASSWORD_REUSE_TIME UNLIMITEDPASSWORD_REUSE_MAX 5FAILED_LOGIN_ATTEMPTS 6PASSWORD_LOCK_TIME 1PASSWORD_VERIFY_FUNCTION verify_function;10.数据库审计策略检查方法:1.使用参数设置,SQL> show parameter audit_trail参数audit_trail不为NONE。检查dba_audit_trail视图中或$ORACLE_BASE/admin/adump目录下是否有数据。2.查看审计表,检查是否有用户登录、操作记录select * from LOGON_AUDIT.LOGON_AUDIT; 修订算法:SQL> alter system set audit_trail=os scope=spfile;SQL> shutdown immediateSQL> startup 11.设置监听器密码检查方法:检查$ORACLE_HOME/network/admin/listener.ora文件中是否设置参数PASSWORDS_LISTENER。 修订算法:$ ps -ef|grep tns$ lsnrctlLSNRCTL> set current_listener listener LSNRCTL> change_passwordLSNRCTL> save_configLSNRCTL> set password LSNRCTL> exit 12.限制用户数量检查方法:检查文件/etc/group,确认除oracle安装用户无其它用户在DBA组中。 修订算法: 13.使用数据库角色(ROLE)来管理对象的权限检查方法:检查应用用户未授予dba角色:select * from dba_role_privs where granted_role='DBA'; 修订算法:create rolegrant 角色 to username; revoke DBA from username;  14.连接超时设置检查方法:检查sqlnet.ora文件:$ cat $ORACLE_HOME/network/admin/sqlnet.ora查看文件中设置参数SQLNET.EXPIRE_TIME=15。 修订算法:$ vi sqlnet.oraSQLNET.EXPIRE_TIME=10 15.安全补丁检查方法:查看oracle补丁是否为最新,$ opatch lsinventory 修订算法:升级为最新补丁,需要Oracle Metalink 帐号下载安全补丁。 16.可信IP地址访问控制检查方法:1.检查sqlnet.ora中是否设置tcp.validnode_checking = yes,tcp.invited_nodes :$ cat $ORACLE_HOME/network/admin/sqlnet.ora 修订算法:$ vi sqlnet.oratcp.validnode_checking = yes tcp.invited_nodes = (ip1,ip2…)  17.资源控制检查方法:查看空闲超时设置:select profile,limit from dba_profiles where profile='DEFAULT' and resource_name='IDLE_TIME'; 修订算法:IDLE_TIME返回结果应大于0 18.重要信息资源设置敏感标记检查方法:1、询问数据库管理员是否对重要数据设置了敏感标记2、检查是否安装Oracle Label Security 模块:select username from dba_users;3、查看是否创建策略:select policy_name,status from dba_sa_policies;4、查看是否创建级别:select * from dba_sa_levels order by level_num;5、查看标签创建情况:select * from dba_sa_labels;6、询问重要数据存储表格名称7、查看策略与模式、表对应关系:select * from dba_sa_table_policies;判断是否针对重要信息资源设置敏感标签。 修订算法:1、安装了Oracle Label Security模块2、可以查询到Oracle Label Security对象的用户LBACSYS3、创建了相应的策略4、创建了相应的级别5、创建了标签6、针对重要数据设置了敏感标记

附一个作者收集的Oracle自动化基线检测脚本,大家可以进一步优化。

 #!/bin/bash #version 2.1 此脚本在rhel,centos,oel系统均已测试通过,适用于9i 10g 11g。但未在aix,solaris,unix测试,如果遇到问题请自行微调。 #Author: jn#Date: 2016.8HOSTNAME=`hostname`echo $HOSTNAME > orack.res.lstSQLPLUS=$ORACLE_HOME/bin/sqlplus $SQLPLUS "/ as sysdba" << EOF-------  设置行宽、叶宽  ----------set line 150set pagesize 1000set feed offspool orack.res.lst-------  脚本开始运行的时间  ------------select 'Started On ' || to_char(sysdate,'yyyy-mm-dd hh24:mi:ss') started_time from dual;-------  Oracle的版本  ------------select banner from v\$version;#select banner from v$version;------- 查看Oracle登录认证方式 ----------show parameter remote_login_passwordfile------- 查看 oracle 用户密码HASH值 -----------select name,password from user\$;select name,password from user\$ where name in ( select username from dba_users where account_status='OPEN');-------  查看出于Active状态的帐号  ------------col username for a20col profile for a20select username,profile from dba_users where account_status='OPEN';set line 150set pagesize 1000col profile for a20col resource_name for a30col resource for a25col limit for a30select * from dba_profiles;select * from dba_profiles where profile='DEFAULT';-------  查看是否开启了资源限制  ------------show parameter resource_limit-------查看审计开启情况-----show parameter audit-------  查看密码方面的限制  ------------col resource_name for a40col limit for a20col profile for a40select resource_name,limit,profile from dba_profiles where resource_type='PASSWORD';------- 查看哪些用户具有DBA权限  ---------------col grantee for a15col granted_role for a15col admin_option for a15col default_role for a15select * from dba_role_privs where grantee in ( select username from dba_users where account_status='OPEN') and granted_role='DBA' order by grantee;------- 查询视图dba_tab_privs被授予了public角色和执行权限表的数量 -------select count(*) table_name from dba_tab_privs where grantee='PUBLIC' and privilege='EXECUTE' and table_name in ('UTL_FILE', 'UTL_TCP', 'UTL_HTTP', 'UTL_SMTP', 'DBMS_LOB', 'DBMS_SYS_SQL', 'DBMS_JOB');------- 查看激活用户的配置情况 -------select * from dba_profiles where profile in (select profile from dba_users where account_status='OPEN') and  limit NOT IN('DEFAULT','UNLIMITED','NULL');------- 查看第三方审计工具的安装情况 -------SELECT * FROM V\$OPTION WHERE PARAMETER = 'Oracle Database Vault';#SELECT * FROM V$OPTION WHERE PARAMETER = 'Oracle Database Vault';------- 查看oracle最大连接数-------show parameter processes;------- 查看非系统用户角色被授予dba的用户的数量 -------select count(a.username) from  dba_users a left join dba_role_privs b on a.username = b.grantee where granted_role = 'DBA' and a.username not in ('SYS','SYSMAN','SYSTEM');------- 查看数据库会话 -------show parameter sessions;------- 当sql92_security被设置成TRUE时,对表执行UPDATE/DELETE操作时会检查当前用户是否具备相应表的SELECT权限 --------show parameter sql92_security;------- O7_DICTIONARY_ACCESSIBILITY参数控制对数据字典的访问.设置为true,如果用户被授予了如select any table等any table权限,用户即使不是dba或sysdba用户也可以访问数据字典,建议为false -------show parameter O7_DICTIONARY_ACCESSIBILITY;spool offEOF# Oracle Port Numberecho -e "\n\n" >> orack.res.lstecho "----------Port 1521 in listener.ora----------" >> orack.res.lstecho "" >> orack.res.lstLISTEN_ORA=$ORACLE_HOME/network/admin/listener.oraSQLNET_ORA=$ORACLE_HOME/network/admin/sqlnet.oraif [ -f $LISTEN_ORA ];then grep 1521 $LISTEN_ORA >> orack.res.lstelse echo "File $LISTEN_ORA Is Not Exists!!!" >> orack.res.lstfi # Listener Passwordecho -e "\n" >> orack.res.lstecho "----------Listener Password in listener.ora----------" >> orack.res.lstecho "" >> orack.res.lstif [ -f $LISTEN_ORA ];then grep -i PASSWORDS_LISTENER $LISTEN_ORA >> orack.res.lstelse echo "File $LISTEN_ORA Is Not Exists!!!" >> orack.res.lstfi # SQLNET TIMEOUTecho -e "\n" >> orack.res.lstecho "----------sqlnet timeout in sqlnet.ora----------" >> orack.res.lstecho "" >> orack.res.lstif [ -f $SQLNET_ORA ];then grep -i SQLNET.EXPIRE_TIME $SQLNET_ORA >> orack.res.lstelse echo "File $SQLNET_ORA Is Not Exists!!!" >> orack.res.lstfi # SQLNET Trusted IP echo -e "\n" >> orack.res.lstecho "----------sqlnet trusted IP in sqlnet.ora----------" >> orack.res.lstecho "" >> orack.res.lstif [ -f $SQLNET_ORA ];then egrep -i "tcp.validnode_checking|tcp.invited_nodes|tcp.excluded_nodes" $SQLNET_ORA >> orack.res.lstelse echo "File $SQLNET_ORA Is Not Exists!!!" >> orack.res.lstfi echo -e "\n\n" >> orack.res.lstecho "==========================  End On `date`  ==========================" >> orack.res.lst

服务热线

400-1021-996

产品和特性

价格和优惠

安徽灵狐网络公众号

微信公众号