From 00acb06e8f96081a2623b0c696936cda2d6d6469 Mon Sep 17 00:00:00 2001 From: "bt.cn" <287962566@qq.com> Date: Wed, 17 Jul 2019 17:24:26 +0800 Subject: [PATCH] 6.9.27 --- BTPanel/__init__.py | 2 +- BTPanel/static/js/public.js | 2 +- class/common.py | 6 +- class/jobs.py | 58 +- class/monitor.py | 30 +- class/panelLets.py | 38 +- class/panelTask.py | 7 +- class/public.py | 19 + class/san_baseline.py | 432 ++++++------- data/repair.json | 1136 +++++++++++++++++++++++++++++++++++ 10 files changed, 1489 insertions(+), 241 deletions(-) create mode 100644 data/repair.json diff --git a/BTPanel/__init__.py b/BTPanel/__init__.py index a01c9269..0777176c 100644 --- a/BTPanel/__init__.py +++ b/BTPanel/__init__.py @@ -332,7 +332,7 @@ def san_baseline(pdata=None): if comReturn: return comReturn import san_baseline dataObject = san_baseline.san_baseline() - defs = ('start', 'get_api_log', 'get_resut', 'get_ssh_errorlogin') + defs = ('start', 'get_api_log', 'get_resut', 'get_ssh_errorlogin','repair','repair_all') return publicObject(dataObject, defs, None, pdata) diff --git a/BTPanel/static/js/public.js b/BTPanel/static/js/public.js index 9a95b42b..ce4721b4 100644 --- a/BTPanel/static/js/public.js +++ b/BTPanel/static/js/public.js @@ -1631,7 +1631,7 @@ function ssh_login_def() { pdata_socket['data'] = {}; pdata_socket['data']['ssh_user'] = $("input[name='ssh_user']").val(); pdata_socket['data']['ssh_passwd'] = $("input[name='ssh_passwd']").val(); - if (!pdata_socket.ssh_user || !pdata_socket.ssh_passwd) { + if (!pdata_socket.data.ssh_user || !pdata_socket.data.ssh_passwd) { layer.msg('SSH用户名和密码不能为空!'); return; } diff --git a/class/common.py b/class/common.py index 35ac7ddb..6b505090 100644 --- a/class/common.py +++ b/class/common.py 
@@ -27,7 +27,7 @@ def init(self): if ua: ua = ua.lower(); if ua.find('spider') != -1 or ua.find('bot') != -1: return redirect('https://www.baidu.com'); - g.version = '6.9.26' + g.version = '6.9.27' g.title = public.GetConfigValue('title') g.uri = request.path session['version'] = g.version; @@ -61,7 +61,7 @@ def local(self): def checkAddressWhite(self): token = self.GetToken(); if not token: return redirect('/login'); - if not request.remote_addr in token['address']: return redirect('/login'); + if not public.GetClientIp() in token['address']: return redirect('/login'); #检查IP限制 @@ -70,7 +70,7 @@ def checkLimitIp(self): iplist = public.ReadFile('data/limitip.conf') if iplist: iplist = iplist.strip(); - if not request.remote_addr in iplist.split(','): return redirect('/login') + if not public.GetClientIp() in iplist.split(','): return redirect('/login') #设置基础Session def setSession(self): diff --git a/class/jobs.py b/class/jobs.py index 37d8ebaa..10e40b74 100644 --- a/class/jobs.py +++ b/class/jobs.py @@ -6,7 +6,7 @@ # +------------------------------------------------------------------- # | Author: 黄文良 <287962566@qq.com> # +------------------------------------------------------------------- -import system,psutil,time,public,db,os,sys,json,py_compile +import system,psutil,time,public,db,os,sys,json,py_compile,re os.chdir('/www/server/panel') sm = system.system(); taskConfig = json.loads(public.ReadFile('config/task.json')) 
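Review bot: Replacing `request.remote_addr` with `public.GetClientIp()` in `checkAddressWhite` weakens the allow-list if `GetClientIp` (not visible here) derives the address from a client-supplied header such as `X-Forwarded-For` or `X-Real-IP`, because any client can then send an allow-listed address and pass the check; the same applies to `checkLimitIp` in the following hunk. A proxy header should only be honoured when `request.remote_addr` is a configured reverse-proxy address, with `request.remote_addr` as the fallback. Worth a comment at the call site: `# GetClientIp must only trust proxy headers from a known proxy, otherwise the IP whitelist is spoofable`.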
@@ -61,9 +61,61 @@ def control_init(): public.ExecShell("chmod -R 600 /www/server/cron/*.log") public.ExecShell("chown -R root:root /www/server/panel/data") public.ExecShell("chown -R root:root /www/server/panel/config") - - + disable_putenv('putenv') clean_session() + set_crond() + +#默认禁用指定PHP函数 +def disable_putenv(fun_name): + try: + is_set_disable = '/www/server/panel/data/disable_%s' % fun_name + if os.path.exists(is_set_disable): return True + php_vs = ('52','53','54','55','56','70','71','72','73','74') + php_ini = "/www/server/php/{0}/etc/php.ini" + rep = "disable_functions\s*=\s*.*" + for pv in php_vs: + php_ini_path = php_ini.format(pv) + if not os.path.exists(php_ini_path): continue + php_ini_body = public.readFile(php_ini_path) + tmp = re.search(rep,php_ini_body) + if not tmp: continue + disable_functions = tmp.group() + if disable_functions.find(fun_name) != -1: continue + print(disable_functions) + php_ini_body = php_ini_body.replace(disable_functions,disable_functions+',%s' % fun_name) + php_ini_body.find(fun_name) + public.writeFile(php_ini_path,php_ini_body) + public.phpReload(pv) + public.writeFile(is_set_disable,'True') + return True + except: return False + + +#创建计划任务 +def set_crond(): + try: + echo = public.md5(public.md5('renew_lets_ssl_bt')) + cron_id = public.M('crontab').where('echo=?',(echo,)).getField('id') + + import crontab + args_obj = public.dict_obj() + if not cron_id: + cronPath = public.GetConfigValue('setup_path') + '/cron/' + echo + shell = 'python /www/server/panel/class/panelLets.py renew_lets_ssl' + public.writeFile(cronPath,shell) + args_obj.id = public.M('crontab').add('name,type,where1,where_hour,where_minute,echo,addtime,status,save,backupTo,sType,sName,sBody,urladdress',("续签Let's Encrypt证书",'day','','0','10',echo,time.strftime('%Y-%m-%d %X',time.localtime()),0,'','localhost','toShell','',shell,'')) + crontab.crontab().set_cron_status(args_obj) + else: + cron_path = public.get_cron_path() + if os.path.exists(cron_path): + 
cron_s = public.readFile(cron_path) + if cron_s.find(echo) == -1: + public.M('crontab').where('echo=?',(echo,)).setField('status',0) + args_obj.id = cron_id + crontab.crontab().set_cron_status(args_obj) + except: + print(public.get_error_info()) + #清理多余的session文件 def clean_session(): diff --git a/class/monitor.py b/class/monitor.py index e17960f4..7da5152d 100644 --- a/class/monitor.py +++ b/class/monitor.py @@ -1,5 +1,11 @@ -#!/usr/bin/python #coding: utf-8 +# +------------------------------------------------------------------- +# | 宝塔Linux面板 +# +------------------------------------------------------------------- +# | Copyright (c) 2015-2099 宝塔软件(http://bt.cn) All rights reserved. +# +------------------------------------------------------------------- +# | Author: 王张杰 <750755014@qq.com> +# +------------------------------------------------------------------- import os import json @@ -21,6 +27,14 @@ def __get_file_json(self, filename): except: return {} + def __get_file_nums(self, filepath): + if not os.path.exists(filepath): return 0 + + count = 0 + for index, line in enumerate(open(filepath, 'r')): + count += 1 + return count + def _get_site_list(self): sites = public.M('sites').where('status=?', (1,)).field('name').get() return sites @@ -120,14 +134,14 @@ def _php_count(self, args): # 获取攻击数 def _get_attack_nums(self, args): - file_name = '/www/server/btwaf/total.json' - if not os.path.exists(file_name): return 0 + today = time.strftime('%Y-%m-%d', time.localtime()) + sites = self._get_site_list() - try: - file_body = json.loads(public.readFile(file_name)) - return int(file_body['total']) - except: - return 0 + count = 0 + for site in sites: + file_path = '/www/wwwlogs/btwaf/{0}_{1}.log'.format(site['name'], today) + count += self.__get_file_nums(file_path) + return count def get_exception(self, args): data = {'mysql_slow': self._get_slow_log_nums(args), 'php_slow': self._php_count(args), 'attack_num': self._get_attack_nums(args)} 
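Review bot: In `disable_putenv` the pattern `disable_functions\s*=\s*.*` is unanchored, so `re.search` takes the first occurrence anywhere in php.ini — a commented `;disable_functions = …` line or a mention inside the comment block above the directive — and appends `,putenv` to that text instead of the live directive; anchor it with `rep = r"^disable_functions\s*=.*$"` and `re.search(rep, php_ini_body, re.M)`. The debug `print(disable_functions)` and the no-op `php_ini_body.find(fun_name)` should be removed, and the bare `except: return False` hides which version failed, so log `public.get_error_info()` as `set_crond` below does. When the existing value is empty the result is `disable_functions =,putenv`, so the old value should be stripped before appending. `set_crond` here is a near-verbatim copy of `panelLets.set_crond`; one shared implementation would stop the two drifting. `control_init` starts outside the hunk.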
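Review bot: `__get_file_nums` opens the log with a bare `open(filepath, 'r')` inside the `for` header and never closes it, relying on the interpreter to drop the handle when the iterator is discarded, and the `index` from `enumerate` is unused. Use a context manager after the existence check: `with open(filepath, 'r') as fp: return sum(1 for _ in fp)`. `_get_attack_nums` calls this once per site on every poll, so deterministic closing matters on panels with many sites.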
diff --git a/class/panelLets.py b/class/panelLets.py
index 8978895e..50768480 100644
--- a/class/panelLets.py
+++ b/class/panelLets.py
@@ -15,7 +15,8 @@
 try:
 requests.packages.urllib3.disable_warnings()
 except:pass
-import BTPanel
+if __name__ != '__main__':
+ import BTPanel
 try:
 import dns.resolver
 except:
@@ -248,19 +249,32 @@ def apple_lest_cert(self,get): public.writeFile(path + "/README","let") #计划任务续签 - echo = public.md5(public.md5('renew_lets_ssl_bt')) - crontab = public.M('crontab').where('echo=?',(echo,)).find() - if not crontab: - cronPath = public.GetConfigValue('setup_path') + '/cron/' + echo - shell = 'python %s/panel/class/panelLets.py renew_lets_ssl ' % (self.setupPath) - public.writeFile(cronPath,shell) - public.M('crontab').add('name,type,where1,where_hour,where_minute,echo,addtime,status,save,backupTo,sType,sName,sBody,urladdress',("续签Let's Encrypt证书",'day','','0','10',echo,time.strftime('%Y-%m-%d %X',time.localtime()),1,'','localhost','toShell','',shell,'')) - + self.set_crond() return public.returnMsg(True, '申请成功.') - - - + #创建计划任务 + def set_crond(self): + try: + echo = public.md5(public.md5('renew_lets_ssl_bt')) + cron_id = public.M('crontab').where('echo=?',(echo,)).getField('id') + + import crontab + args_obj = public.dict_obj() + if not cron_id: + cronPath = public.GetConfigValue('setup_path') + '/cron/' + echo + shell = 'python %s/panel/class/panelLets.py renew_lets_ssl ' % (self.setupPath) + public.writeFile(cronPath,shell) + args_obj.id = public.M('crontab').add('name,type,where1,where_hour,where_minute,echo,addtime,status,save,backupTo,sType,sName,sBody,urladdress',("续签Let's Encrypt证书",'day','','0','10',echo,time.strftime('%Y-%m-%d %X',time.localtime()),0,'','localhost','toShell','',shell,'')) + crontab.crontab().set_cron_status(args_obj) + else: + cron_path = public.get_cron_path() + if os.path.exists(cron_path): + cron_s = public.readFile(cron_path) + if cron_s.find(echo) == -1: + public.M('crontab').where('echo=?',(echo,)).setField('status',0) + args_obj.id = cron_id + crontab.crontab().set_cron_status(args_obj) + except:pass #手动解析 def crate_let_by_oper(self,data): diff --git a/class/panelTask.py b/class/panelTask.py index 5a833d87..6299ee2f 100644 --- a/class/panelTask.py +++ b/class/panelTask.py 
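Review bot: `set_crond` ends in `except:pass`, so a failure to create or re-enable the renewal cron (a DB error, a missing `crontab` module, an unreadable cron file) is swallowed and the certificate simply expires later with nothing in the logs; the copy of this function in `class/jobs.py` at least does `print(public.get_error_info())`, and this one should do the same. The new task row is inserted with `status` 0 and then handed to `set_cron_status`, so whether the job ends up enabled depends entirely on that call toggling the status — a comment on the `add(...)` line saying so would save the next reader a trip into `crontab.py`. `apple_lest_cert` begins outside the hunk.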
@@ -199,12 +199,17 @@ def get_task_log(self,id,task_type,num=5): #清理任务日志 def clean_log(self): + import shutil s_time = int(time.time()) timeout = 86400 for f in os.listdir(self.__task_path): filename = self.__task_path + f c_time = os.stat(filename).st_ctime - if s_time - c_time > timeout: os.remove(filename) + if s_time - c_time > timeout: + if os.path.isdir(filename): + shutil.rmtree(filename) + else: + os.remove(filename) return True #文件压缩 diff --git a/class/public.py b/class/public.py index b9e0f0b0..e023f013 100644 --- a/class/public.py +++ b/class/public.py @@ -1307,3 +1307,22 @@ def de_punycode(domain): newdomain += dkey + '.' return newdomain[0:-1]; +#取计划任务文件路径 +def get_cron_path(): + u_file = '/var/spool/cron/crontabs/root' + if not os.path.exists(u_file): + file='/var/spool/cron/root' + else: + file=u_file + return file + +#取通用对象 +class dict_obj: + def __contains__(self, key): + return getattr(self,key,None) + def __setitem__(self, key, value): setattr(self,key,value) + def __getitem__(self, key): return getattr(self,key,None) + def __delitem__(self,key): delattr(self,key) + def __delattr__(self, key): delattr(self,key) + def get_items(self): return self + diff --git a/class/san_baseline.py b/class/san_baseline.py index 2fc31185..c667901e 100644 --- a/class/san_baseline.py +++ b/class/san_baseline.py @@ -19,6 +19,8 @@ class san_baseline: logPath = '/www/server/panel/data/san_baseline.log' _Speed = None config = '/www/server/panel/data/result.log' + repair_json='/www/server/panel/data/repair.json' + __repair=None def __init__(self): 
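Review bot: `clean_log` now calls `shutil.rmtree` on anything `os.path.isdir` reports as a directory, but `isdir` follows symlinks and `rmtree` refuses symlinks by raising `OSError`, so one stale link under the task path aborts the whole cleanup loop. Test the link first: `if os.path.isdir(filename) and not os.path.islink(filename): shutil.rmtree(filename)` and `else: os.remove(filename)`, which removes the link itself. Note also that `st_ctime` is inode change time, not creation time, so a `chmod` or rename resets the one-day clock; `st_mtime` is the usual choice if age of content was intended. `get_task_log` in the header context is outside the hunk.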
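Review bot: `dict_obj.__delattr__` is defined as `delattr(self, key)`, which calls `__delattr__` again, so `del obj.x` (and `del obj['x']`, which routes through the same method) recurses until `RecursionError`; drop the override or write `object.__delattr__(self, key)`. `__contains__` returns the attribute's value rather than a boolean, so `'x' in obj` is False whenever the stored value is falsy (`0`, `''`, `None`), breaking any caller that uses membership to detect presence; use `return hasattr(self, key)`. A one-line class docstring stating that this is a dict-like attribute bag (used for the `args_obj` passed to `set_cron_status`) would help.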
@@ -28,97 +30,28 @@ def __init__(self): if not os.path.exists(self.config): resutl = {} public.WriteFile(self.config, json.dumps(resutl)) - + if os.path.exists(self.repair_json): + self.__repair=json.loads(public.ReadFile(self.repair_json)) # SSH 安全扫描 def ssh_security(self): # 确保SSH MaxAuthTries 设置为3-6之间 result = [] - ssh_maxauth = { - "type": "file", - "harm": "高", - "name": "确保SSH MaxAuthTries 设置为3-6之间", - "file": "/etc/ssh/sshd_config", - "Suggestions": "加固建议 在/etc/ssh/sshd_config 中取消MaxAuthTries注释符号#, 设置最大密码尝试失败次数3-6 建议为4", - "repair": "MaxAuthTries 4", - "rule": [ - {"re": "\nMaxAuthTries\s*(\d+)", "check": {"type": "number", "max": 7, "min": 3}}] - } - ret = self.check_san_baseline(ssh_maxauth) - if not ret: result.append(ssh_maxauth) - # SSHD强制使用V2安全协议 - sshd_v2 = { - "type": "file", - "harm": "高", - "name": "SSHD 强制使用V2安全协议", - "file": "/etc/ssh/sshd_config", - "Suggestions": "加固建议 在/etc/ssh/sshd_config 文件按如相下设置参数", - "repair": "Protocol 2", - "rule": [ - {"re": "\nProtocol\s*(\d+)", "check": {"type": "number", "max": 3, "min": 1}}] - } - ret = self.check_san_baseline(sshd_v2) - - if not ret: result.append(sshd_v2) - # 设置SSH空闲超时退出时间 - set_ssh_timetout = { - "type": "file", - "harm": "高", - "name": "设置SSH空闲超时退出时间", - "file": "/etc/ssh/sshd_config", - "Suggestions": "加固建议 在/etc/ssh/sshd_config 将ClientAliveInterval设置为300到900,即5-15分钟,将ClientAliveCountMax设置为0-3", - "repair": "ClientAliveInterval 600 ClientAliveCountMax 2", - "rule": [ - {"re": "\nClientAliveInterval\s*(\d+)", "check": {"type": "number", "max": 900, "min": 300}}] - } - ret = self.check_san_baseline(set_ssh_timetout) - if not ret: result.append(set_ssh_timetout) - # 确保SSH LogLevel 设置为INFO - ssh_log_evel = { - "type": "file", - "harm": "高", - "name": "确保SSH LogLevel 设置为INFO", - "file": "/etc/ssh/sshd_config", - "Suggestions": "加固建议 在/etc/ssh/sshd_config 文件以按如下方式设置参数(取消注释)", - "repair": "LogLevel INFO", - "rule": [ - {"re": "\nLogLevel\s*(\w+)", "check": {"type": "string", "value": ['INFO']}}] - } - 
ret = self.check_san_baseline(ssh_log_evel) - - if not ret: result.append(ssh_log_evel) - - # 禁止SSH空密码用户登陆 - ssh_not_pass = { - "type": "file", - "harm": "高", - "name": "禁止SSH空密码用户登陆", - "file": "/etc/ssh/sshd_config", - "Suggestions": "加固建议 在/etc/ssh/sshd_config 将PermitEmptyPasswords配置为no", - "repair": "PermitEmptyPasswords no", - "rule": [ - {"re": "\nPermitEmptyPasswords\s*(\w+)", "check": {"type": "string", "value": ['no']}}] - } - ret = self.check_san_baseline(ssh_not_pass) - if not ret: result.append(ssh_not_pass) - - # 端口非默认 - ssh_port_default = { - "type": "file", - "name": "SSH使用默认端口22", - "harm": "高", - "file": "/etc/ssh/sshd_config", - "Suggestions": "加固建议 在/etc/ssh/sshd_config 将Port 设置为6000到65535随意一个, 例如", - "repair": "Port 60151", - "rule": [ - {"re": "Port\s*(\d+)", "check": {"type": "number", "max": 65535, "min": 22}}] - } - ret = self.check_san_baseline(ssh_port_default) - if not ret: result.append(ssh_port_default) + ret = self.check_san_baseline(self.__repair['1']) + if not ret: result.append(self.__repair['1']) + ret = self.check_san_baseline(self.__repair['2']) + if not ret: result.append(self.__repair['2']) + ret = self.check_san_baseline(self.__repair['3']) + if not ret: result.append(self.__repair['3']) + ret = self.check_san_baseline(self.__repair['4']) + if not ret: result.append(self.__repair['4']) + ret = self.check_san_baseline(self.__repair['5']) + if not ret: result.append(self.__repair['5']) + ret = self.check_san_baseline(self.__repair['6']) + if not ret: result.append(self.__repair['6']) return result ######面板安全监测########################## - # 监测是否开启IP限制登陆 def get_limitip(self): if os.path.exists('/www/server/panel/data/limitip.conf'): @@ -184,7 +117,9 @@ def panel_security(self): result = [] if not self.get_limitip(): ret1 = { + 'id': 7, "harm": "中", + "level": "2", "type": "file", "name": "宝塔面板登陆未开启(授权IP)限制登陆", "Suggestions": "加固建议 :如果你的IP存在固定IP建议添加到面板的授权IP", 
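Review bot: `self.__repair` is only assigned when `repair.json` exists and otherwise stays `None`, yet `ssh_security` (and `memcache_security` and `user_security` later in this file) index it unconditionally, so a missing or unreadable data file now turns every scan into a `TypeError`, and a missing key into a `KeyError`. Initialise it as `self.__repair = {}` in `__init__` and look rules up defensively, e.g. `rule = self.__repair.get('1')` followed by `if rule and not self.check_san_baseline(rule): result.append(rule)`. The six identical check/append pairs could then become one loop over `('1', '2', '3', '4', '5', '6')`. `__init__` starts before this hunk.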
@@ -195,7 +130,9 @@ def panel_security(self): get_port_default = self.get_port() if not get_port_default: ret1 = { + 'id': 8, "harm": "中", + "level": "2", "type": "file", "name": "宝塔面板登陆端口未修改", "Suggestions": "加固建议 : 修改默认端口,例如8989或56641", @@ -205,7 +142,9 @@ def panel_security(self): get_admin_path = self.get_admin_path() if not get_admin_path: ret1 = { + 'id': 9, "harm": "高", + "level": "3", "type": "file", "name": "宝塔面板登陆未开启安全入口", "Suggestions": "加固建议 : 修改安全入口例如 /123456789", @@ -215,7 +154,9 @@ def panel_security(self): get_api_open = self.get_api_open() if not get_api_open: ret1 = { + 'id': 10, "harm": "中", + "level": "2", "type": "file", "name": "面板已经开启API(请注意是否需要开启API或者API的白名单IP是否是授权IP)", "Suggestions": "加固建议 : 不必要使用时刻建议关闭", @@ -225,7 +166,9 @@ def panel_security(self): get_username = self.get_username() if not get_username: ret1 = { + 'id': 11, "harm": "高", + "level": "3", "type": "file", "name": "面板用户名过于简单", "Suggestions": "加固建议 : 修改为强用户名", @@ -236,7 +179,9 @@ def panel_security(self): get_secite = self.get_secite() if not get_secite: ret1 = { + 'id': 12, "harm": "高", + "level": "3", "type": "file", "name": "存在国家不允许的翻墙插件", "Suggestions": "加固建议 : 建议删除SS插件", 
@@ -245,75 +190,87 @@ def panel_security(self): result.append(ret1) panel_chome = [ { + 'id': 13, "type": "chmod", "file": "/www/server/panel/BTPanel", - "chmod": [600], + "chmod": [600, 644], "user": ['root'], 'group': ['root'] }, { + 'id': 14, "type": "chmod", "file": "/www/server/panel/class", "chmod": [600], "user": ['root'], 'group': ['root'] }, { + 'id': 15, "type": "chmod", "file": "/www/server/panel/config", "chmod": [600], "user": ['root'], 'group': ['root'] }, { + 'id': 16, "type": "chmod", "file": "/www/server/panel/data", "chmod": [600], "user": ['root'], 'group': ['root'] }, { + 'id': 17, "type": "chmod", "file": "/www/server/panel/install", - "chmod": [600], + "chmod": [600, 644], "user": ['root'], 'group': ['root'] }, { + 'id': 18, "type": "chmod", "file": "/www/server/panel/logs", - "chmod": [600], + "chmod": [600, 644], "user": ['root'], 'group': ['root'] }, { + 'id': 19, "type": "chmod", "file": "/www/server/panel/package", - "chmod": [600], + "chmod": [600, 644], "user": ['root'], 'group': ['root'] }, { + 'id': 20, "type": "chmod", "file": "/www/server/panel/plugin", - "chmod": [600], + "chmod": [644, 600], "user": ['root'], 'group': ['root'] }, { + 'id': 21, "type": "chmod", "file": "/www/server/panel/rewrite", - "chmod": [600], + "chmod": [600, 644], "user": ['root'], 'group': ['root'] }, { + 'id': 22, "type": "chmod", "file": "/www/server/panel/ssl", - "chmod": [600], + "chmod": [600, 644], "user": ['root'], 'group': ['root'] }, { + 'id': 23, "type": "chmod", "file": "/www/server/panel/temp", - "chmod": [600], + "chmod": [600, 644], "user": ['root'], 'group': ['root'] }, { + 'id': 24, "type": "chmod", "file": "/www/server/panel/vhost", - "chmod": [600], + "chmod": [600, 644], "user": ['root'], 'group': ['root'] } 
@@ -321,7 +278,9 @@ def panel_security(self): for i in panel_chome: if not self.check_san_baseline(i): ret1 = { + 'id': i['id'], "harm": "高", + "level": "3", "type": "file", "name": "面板关键性文件权限错误%s" % i['file'], "Suggestions": "加固建议 : %s 权限改为%s 所属用户为%s" % (i['file'], i['chmod'], i['user']), @@ -331,6 +290,27 @@ def panel_security(self): return result + def php_id(self,php=None,php_2=None): + if php=='52':id =25;return id + if php == '53': id = 26;return id + if php == '54': id = 27;return id + if php == '55': id = 28;return id + if php == '56': id = 29;return id + if php == '70': id = 30;return id + if php == '71': id = 31;return id + if php == '72': id = 32;return id + if php == '73': id = 32.5;return id + + if php_2=='52':id =33;return id + if php_2 == '53': id = 34;return id + if php_2 == '54': id = 35;return id + if php_2 == '55': id = 36;return id + if php_2 == '56': id = 37;return id + if php_2 == '70': id = 38;return id + if php_2 == '71': id = 39;return id + if php_2 == '72': id = 40;return id + if php == '73': id = 40.5;return id + # php版本泄露 def php_version_info(self): ret = [] @@ -341,8 +321,10 @@ def php_version_info(self): if os.path.isdir(php_path + i): if os.path.exists(php_path + i + '/etc/php.ini'): php_data = { + 'id': self.php_id(i), "type": "file", "harm": "中", + "level": "2", "name": "PHP 版本泄露", "file": php_path + i + '/etc/php.ini', "Suggestions": "加固建议, 在%s expose_php的值修改为Off中修改" % (php_path + i + '/etc/php.ini'), @@ -354,6 +336,7 @@ def php_version_info(self): ret.append(php_data) return ret + # PHP 危险函数 def php_error_funcation(self): ret = [] 
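Review bot: `php_id` returns `32.5` and `40.5` for PHP 7.3 while every other id is an integer, and the last line of the second table tests `php` instead of `php_2` (`if php == '73': id = 40.5`), so a dangerous-function finding for PHP 7.3 falls off the end and gets `None` as its id; `php_error_funcation` also has to pass the sentinel `php='1'` just to reach the second table, and `id` shadows the builtin. If these ids are meant to match keys in `repair.json` (which `repair()` looks up by string id), a fractional id is a fragile key, though renumbering is not possible here because 41 onwards is already taken. Two lookup tables make the mapping explicit and fix the typo without changing any existing value:
```python
    # Finding ids: expose_php per PHP version, then disable_functions per version.
    _EXPOSE_IDS = {'52': 25, '53': 26, '54': 27, '55': 28, '56': 29, '70': 30, '71': 31, '72': 32, '73': 32.5}
    _DISABLE_IDS = {'52': 33, '53': 34, '54': 35, '55': 36, '56': 37, '70': 38, '71': 39, '72': 40, '73': 40.5}

    def php_id(self, php=None, php_2=None):
        """Return the finding id for a PHP version: `php` selects the expose_php table, `php_2` the disable_functions table; None if unknown."""
        if php in self._EXPOSE_IDS:
            return self._EXPOSE_IDS[php]
        return self._DISABLE_IDS.get(php_2)
```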
@@ -364,15 +347,17 @@ def php_error_funcation(self): if os.path.isdir(php_path + i): if os.path.exists(php_path + i + '/etc/php.ini'): php_data = { + 'id': self.php_id(php='1',php_2=i), "type": "diff", "harm": "严重", + "level": "5", "name": "PHP%s 中存在危险函数未禁用" % i, "file": php_path + i + '/etc/php.ini', "Suggestions": "加固建议, 在%s 中 disable_functions= 修改成如下:" % (php_path + i + '/etc/php.ini'), - "repair": "disable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru", + "repair": "disable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv", "rule": [ {"re": "\ndisable_functions\s?=\s?(.+)", "check": {"type": "string", "value": [ - 'passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru']}}] + 'passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv']}}] } if not self.check_san_baseline(php_data): ret.append(php_data) @@ -381,8 +366,10 @@ def php_error_funcation(self): # 版本过旧 def php_dir(self): php_version_dir = { + 'id':41, "type": "dir", "harm": "高", + "level": "3", "name": "PHP 5.2 版本过旧", "file": '/www/server/php/52', "Suggestions": "加固建议:不再使用php5.2 ", @@ -395,6 +382,7 @@ def php_dir(self): # php配置安全 + def php_security(self): ret = [] php_path = '/www/server/php/' @@ -404,8 +392,10 @@ def php_security(self): if os.path.isdir(php_path + i): if os.path.exists(php_path + i + '/etc/php.ini'): php_data = { + 'id': self.php_id(i), "type": "file", "harm": "中", + "level": "2", "name": "PHP%s 版本泄露" % i, "file": php_path + i + '/etc/php.ini', "Suggestions": "加固建议, 在%s expose_php的值修改为Off中修改" % (php_path + i + '/etc/php.ini'), 
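Review bot: The rule for the dangerous-function finding compares the whole `disable_functions` value against one exact string (now ending in `,putenv`); if the `string` check in `check_san_baseline` is an equality test (its body is outside this hunk), an admin who disables a superset or lists the functions in a different order is flagged as "not disabled" and the `repair` text tells them to overwrite their list. Splitting the captured value on commas, stripping, and requiring the baseline names to be a subset would judge the actual posture. The `php='1'` argument exists only to steer `php_id` to its second table; an explicit keyword such as `php_id(php_2=i)` reads better. This block is repeated verbatim in `php_security` in the next hunk.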
@@ -421,22 +411,26 @@ def php_security(self): if os.path.isdir(php_path + i): if os.path.exists(php_path + i + '/etc/php.ini'): php_data = { + 'id': self.php_id(php='1', php_2=i), "type": "diff", "harm": "严重", + "level": "5", "name": "PHP%s 中存在危险函数未禁用" % i, "file": php_path + i + '/etc/php.ini', "Suggestions": "加固建议, 在%s 中 disable_functions= 修改成如下:" % (php_path + i + '/etc/php.ini'), - "repair": "disable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru", + "repair": "disable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv", "rule": [ {"re": "\ndisable_functions\s?=\s?(.+)", "check": {"type": "string", "value": [ - 'passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru']}}] + 'passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv']}}] } if not self.check_san_baseline(php_data): ret.append(php_data) php_version_dir = { + 'id': 41, "type": "dir", "harm": "高", + "level": "3", "name": "PHP 5.2 版本过旧", "file": '/www/server/php/52', "Suggestions": "加固建议:不再使用php5.2 ", @@ -452,8 +446,10 @@ def redis_security(self): ret = [] # 查看redis 是否监听的是0.0.0.0 返回True 代表高危 redis_server_ip = { + 'id': 42, "type": "file", "harm": "高", + "level": "3", "name": "Redis 监听的地址为0.0.0.0", "file": '/www/server/redis/redis.conf', "Suggestions": "加固建议, 在%s 中的监听IP设置为127.0.0.1 例如" % ('/www/server/redis/redis.conf'), 
@@ -466,12 +462,14 @@ def redis_security(self): # 查看redis是否设置密码 redis_server_not_pass = { + 'id': 43, "type": "password", "harm": "高", + "level": "3", "name": "Redis 查看是否设置密码", "file": '/www/server/redis/redis.conf', - "Suggestions": "加固建议, 在%s 中的监听IP设置为127.0.0.1 例如" % ('/www/server/redis/redis.conf'), - "repair": "bind 127.0.0.1", + "Suggestions": "加固建议, 在%s 中的为未设置密码 例如" % ('/www/server/redis/redis.conf'), + "repair": "requirepass requirepass@#$$%#@%#@!!", "rule": [ {"re": "\nrequirepass\s*(.+)", "check": {"type": "string", "value": []}}] } @@ -480,12 +478,14 @@ def redis_security(self): # 查看redis 是否是弱密码 redis_server_pass = { + 'id': 44, "type": "password", "harm": "高", + "level": "3", "name": "Redis 存在弱密码", "file": '/www/server/redis/redis.conf', "Suggestions": "加固建议, 在%s 中requirepass 设置为强密码" % ('/www/server/redis/redis.conf'), - "repair": "例如:Ad@#$#@A1545132..", + "repair": "requirepass requirepass@#$$%#@%#@!!", "rule": [ {"re": "\nrequirepass\s*(.+)", "check": {"type": "string", "value": ['123456', 'admin', 'damin888']}}] } @@ -496,8 +496,10 @@ def redis_security(self): re2t = public.ReadFile('/www/server/redis/version.pl') if re2t != '5.0.3': ret2 = { + 'id': 45, "type": "password", "harm": "高", + "level": "3", "name": "Redis 版本低于最新版本", "file": '/www/server/redis/redis.conf', "Suggestions": "加固建议,升级到最新版的redis", @@ -509,18 +511,8 @@ def redis_security(self): # memcached 配置安全 def memcache_security(self): ret = [] - memcache_bind = { - "type": "file", - "harm": "高", - "name": "Memcache 监听IP为0.0.0.0", - "file": '/etc/init.d/memcached', - "Suggestions": "加固建议, 在%s 中的监听IP设置为127.0.0.1 例如" % ('/etc/init.d/memcached'), - "repair": "IP=127.0.0.1", - "rule": [ - {"re": "\nIP\s?=\s?(.+)", "check": {"type": "string", "value": ['0.0.0.0']}}] - } - if self.check_san_baseline(memcache_bind): - ret.append(memcache_bind) + if self.check_san_baseline(self.__repair['46']): + ret.append(self.__repair['46']) return ret # 查看是否是弱密码 
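Review bot: The new `repair` value for both the missing-password and weak-password Redis findings is the literal `requirepass requirepass@#$$%#@%#@!!`, a fixed string shipped in every panel; if any repair path writes this value to `redis.conf` (the `file` branch of `repair_san_baseline` does write `i['check']` via `re.sub`, though these two rules are defined here rather than in `repair.json`, so that is not visible), every "repaired" instance ends up with the same publicly known password, which is no stronger than the weak ones the rule flags. Generate a per-host secret at repair time (`secrets.token_urlsafe(24)` or the panel's existing random-password helper) and show it to the operator, keeping static text only as an example in `Suggestions`. The weak-password rule's list `['123456', 'admin', 'damin888']` is also so short that it will rarely fire; a length/character-class check would catch more.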
@@ -548,8 +540,10 @@ def mysql_security(self): result = [] if not self.get_root_pass(): ret = { + 'id': 47, "type": "password", "harm": "高", + "level": "3", "name": "Mysql root密码为弱密码", "file": '/etc/init.d/memcached', "Suggestions": "加固建议: 使用强密码", @@ -559,8 +553,10 @@ def mysql_security(self): if public.M('firewall').where('port=?', ('3306',)).count(): ret = { + 'id': 48, "type": "password", "harm": "高", + "level": "3", "name": "3306 端口对外开放", "file": '/etc/init.d/memcached', "Suggestions": "加固建议: 建议3306不对外开放,如果是特殊需求可以忽略这次记录", @@ -571,8 +567,10 @@ def mysql_security(self): if not self.chekc_mysql_user(): e = '''select User,Host from mysql.user where host='%' ''' ret = { + 'id': 49, "type": "password", "harm": "高", + "level": "3", "name": "Mysql 存在外部连接用户", "file": '/etc/init.d/memcached', "Suggestions": "加固建议: 进入数据库查看mysql用户表", 
@@ -584,52 +582,21 @@ def mysql_security(self): # 系统用户 安全 def user_security(self): result = [] - # 密码复杂度检查 - pass_fuza = { - "type": "file", - "harm": "中", - "name": "SSH 密码复杂度检查", - "file": "/etc/security/pwquality.conf", - "Suggestions": "加固建议/etc/security/pwquality.conf, 把minlen(密码最小长度)设置为9-32,把minclass(至少包含小写字母,大写字母,数字,特殊字符等3类或者4类)", - "repair": "minlen=10 minclass=3", - "rule": [ - {"re": "minlen\s*=\s*(\d+)", "check": {"type": "number", "max": 32, "min": 9}}] - } - if not self.check_san_baseline(pass_fuza): - result.append(pass_fuza) - - # 设置时间失效时间 - set_time_out = { - "type": "file", - "harm": "高", - "name": "SSH 用户设置时间失效时间", - "file": "/etc/login.defs", - "Suggestions": "加固建议 使用非密码登陆方式密钥对。请忽略此项, 在/etc/login.defs 中将PASS_MAX_DAYS 参数设置为60-180之间", - "repair": "PASS_MAX_DAYS 90 需同时执行命令设置root 密码失效时间 命令如下: chage --maxdays 90 root", - "rule": [ - {"re": "PASS_MAX_DAYS\s*(\d+)", "check": {"type": "number", "max": 180, "min": 60}}] - } - if not self.check_san_baseline(set_time_out): - result.append(set_time_out) - - # 设置密码修改最小间隔时间 - set_pass_time_out = { - "type": "file", - "harm": "中", - "name": "设置密码修改最小间隔时间", - "file": "/etc/login.defs", - "Suggestions": "加固建议 在/etc/login.defs PASS_MIN_DAYS 参数设置为7-14之间", - "repair": "PASS_MIN_DAYS 7 需同时执行命令设置root 密码失效时间 命令如下: chage --mindays 7 root", - "rule": [ - {"re": "PASS_MIN_DAYS\s*(\d+)", "check": {"type": "number", "max": 14, "min": 7}}] - } - if not self.check_san_baseline(set_pass_time_out): - result.append(set_pass_time_out) + if not self.check_san_baseline(self.__repair['50']): + result.append(self.__repair['50']) + if not self.check_san_baseline(self.__repair['51']): + result.append(self.__repair['51']) + if not self.check_san_baseline(self.__repair['52']): + result.append(self.__repair['52']) # 存在非root 的管理员用户(危险) get_root_0 = { + 'id': 53, + "Suggestions":"加固建议:删除其他的UID为的0用户", + "repair":"除root以为的其他的UID为0的用户的应该删除。或者为其分配新的UID", "type": "shell", "harm": "紧急", + "level": "5", "name": "存在非root 的管理员用户(危险)", "ps": 
"除root以为的其他的UID为0的用户的应该删除。或者为其分配新的UID", "cmd": '''cat /etc/passwd | awk -F: '($3 == 0) { print $1 }'|grep -v '^root$' ''', @@ -637,42 +604,18 @@ def user_security(self): } if not self.check_san_baseline(get_root_0): result.append(get_root_0) - - # 开启地址空间布局随机化 - set_kerner_space = { - "type": "file", - "harm": "中", - "name": "开启地址空间布局随机化", - "ps": "它将进程的内存空间地址随机化来增加入侵者预测目的地址难度, 从而减低进程成功入侵的风险", - "file": "/proc/sys/kernel/randomize_va_space", - "Suggestions": "加固建议:执行命令", - "repair": "sysctl -w kernel.randomize_va_space=2", - "rule": [ - {"re": "\d+", "check": {"type": "number", "max": 3, "min": 1}}] - } - if not self.check_san_baseline(set_kerner_space): - result.append(set_kerner_space) - - # 确保密码到期警告天数为7或更多 - pass_warndays = { - "type": "file", - "harm": "中", - "name": "SSH 用户设置时间失效时间", - "file": "/etc/login.defs ", - "Suggestions": "加固建议 在/etc/login.defs PASS_WARN_AGE 参数设置为7-14之间,建议为7", - "repair": "PASS_WARN_AGE 7 同时执行命令使root用户设置生效 chage --warndays 7 root", - "rule": [ - {"re": "PASS_WARN_AGE\s*(\d+)", "check": {"type": "number", "max": 15, "min": 6}}] - } - - if not self.check_san_baseline(pass_warndays): - result.append(pass_warndays) + if not self.check_san_baseline(self.__repair['54']): + result.append(self.__repair['54']) + if not self.check_san_baseline(self.__repair['55']): + result.append(self.__repair['55']) # 查看用户是否空密码的用户 if len(self.user_not_password()) >= 1: user_len = { + 'id': 56, "type": "file", "harm": "中", + "level": "2", "name": "系统存在空密码的用户", "file": "/etc/login.defs ", "Suggestions": "加固建议 为如下%s这些用户添加密码" % self.user_not_password(), @@ -710,6 +653,7 @@ def tasks_security(self): ret = [] f = open('/var/spool/cron/root', 'r') for i in f.readlines(): + if not i: continue; i2 = i i = i.strip().split() 
@@ -719,12 +663,14 @@ def tasks_security(self): if '/www/server/' not in i[5]: if '/root/.acme.sh' not in i[5]: if 'wget' in i or 'curl' in i or 'bash' or 'http://' in i or 'https://' in i: - task = {} - task['name'] = '异常计划任务' - task["harm"] = "高", - task["repair"] = "请排查是否是异常下载", - task['Suggestions'] = '请排查是否是异常下载' - task['list'] = i2 + task ={ + 'name': "异常计划任务", + "harm": "高", + "level": 3, + "repair": "排查清楚计划任务是否非正常", + "Suggestions":"加固建议:请排查是否是异常下载", + 'list': i2 + } ret.append(task) return ret @@ -734,78 +680,91 @@ def system_dir_security(self): result = [] user_config_chmoe = [ { + 'id': 57, "type": "chmod", "file": "/etc/passwd", "chmod": [644], "user": ['root'], 'group': ['root'] }, { + 'id': 58, "type": "chmod", "file": "/etc/shadow", "chmod": [400], "user": ['root'], 'group': ['root'] }, { + 'id': 59, "type": "chmod", "file": "/etc/group", "chmod": [644], "user": ['root'], 'group': ['root'] }, { + 'id': 60, "type": "chmod", "file": "/etc/gshadow", "chmod": [400], "user": ['root'], 'group': ['root'] }, { + 'id': 61, "type": "chmod", "file": "/etc/hosts.allow", "chmod": [644], "user": ['root'], 'group': ['root'] }, { + 'id': 62, "type": "chmod", "file": "/etc/hosts.deny", "chmod": [644], "user": ['root'], 'group': ['root'] }, { + 'id': 63, "type": "chmod", "file": "/www", "chmod": [755], "user": ['root'], 'group': ['root'] }, { + 'id': 64, "type": "chmod", "file": "/www/server", "chmod": [755], "user": ['root'], 'group': ['root'] }, { + 'id': 65, "type": "chmod", "file": "/www/wwwroot", "chmod": [755], "user": ['root'], 'group': ['root'] }, { + 'id': 66, "type": "chmod", "file": "/etc/rc.d", "chmod": [755], "user": ['root'], 'group': ['root'] }, { + 'id': 67, "type": "chmod", "file": "/etc/rc.local", "chmod": [644], "user": ['root'], 'group': ['root'] }, { + 'id': 68, "type": "chmod", "file": "/etc/rc.d/rc.local", "chmod": [644], "user": ['root'], 'group': ['root'] }, { + 'id': 69, "type": "chmod", "file": "/var/spool/cron/root", "chmod": [600], 
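Review bot: The guard immediately above the rewritten `task` dict, `if 'wget' in i or 'curl' in i or 'bash' or 'http://' in i or 'https://' in i:`, contains the bare operand `'bash'`, which is always truthy, so every cron line outside `/www/server/` and `/root/.acme.sh` is reported as an abnormal task regardless of content; the commit rewrote the body but left this context line as is. It should read `… or 'bash' in i or …`. Note also that `i` is the whitespace-split list, so `'http://' in i` matches only a token that is exactly `http://`; testing against the raw line `i2` is probably what was intended. `tasks_security` starts outside the hunk.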
@@ -816,6 +775,7 @@ def system_dir_security(self): for i in user_config_chmoe: if not self.check_san_baseline(i): ret1 = { + 'id':i['id'], "harm": "高", "type": "file", "name": "系统关键性文件权限错误%s" % i['file'], @@ -876,39 +836,50 @@ def site_security(self): site_secr = [] site_lists = public.M('sites').field('name,path').select() for i in site_lists: + path = i['path'] + '/.user.ini' ssl = self.GetSSL(i['name']) tls = [] if ssl: tls = self.get_ssl_tls(i['name']) - if not os.path.exists(path): - site = {} - site['user_ini'] = False - site['name'] = '%s该站点未启用SSL' % i['name'] - - site['ssl'] = ssl - site['tls'] = tls + site = { + "user_ini":False, + "level":1, + "name":'%s该站点未启用SSL' % i['name'], + "ssl":ssl, + "tls":tls, + "harm":"警告", + } if not ssl: - site['harm'] = "低", + site['Suggestions']='加固建议使用https为访问方式' + site['repair']='https 强制模式' site['ps'] = '%s该站点未启用SSL' % i['name'] else: if tls: - site['harm'] = "中", + site['Suggestions'] = '加固建议: 建议使用TLS1.2及以上的安全协议' + site['repair']='TLS1.2 或者TLS1.3' + site['name']='%s该站点启用了不安全的SSL协议LSv1 或者LSv1.1' % i['name'] site['ps'] = '%s该站点启用了不安全的SSL协议LSv1 或者LSv1.1' % i['name'] site_secr.append(site) else: - site = {} - site['user_ini'] = True - site['name'] = '%s该站点未启用SSL' % i['name'] - site['ssl'] = ssl - site['tls'] = tls + site = { + "user_ini": True, + "level": 1, + "name": '%s该站点未启用SSL' % i['name'], + "ssl": ssl, + "tls": tls, + "harm": "警告", + } if not ssl: - site['harm'] = "低", + site['Suggestions']='加固建议使用https为访问方式' + site['repair']='https 强制模式' site['ps'] = '%s该站点未启用SSL' % i['name'] else: if tls: - site['harm'] = "中", + site['Suggestions'] = '加固建议: 建议使用TLS1.2及以上的安全协议' + site['repair']='TLS1.2 或者TLS1.3' + site['name']='%s该站点启用了不安全的SSL协议LSv1 或者LSv1.1' % i['name'] site['ps'] = '%s该站点启用了不安全的SSL协议LSv1 或者LSv1.1' % i['name'] site_secr.append(site) resutl['site_list'] = site_secr 
@@ -993,8 +964,10 @@ def check_san_baseline(self, base_json): return True elif base_json['type'] == 'chmod': + #@print(base_json) if os.path.exists(base_json['file']): ret = self.GetFileAccess(base_json['file']) + print(base_json['chmod']) if ret['chown'] in base_json['user'] and int(ret['chmod']) in base_json['chmod'] and ret['group'] in \ base_json['group']: return True @@ -1035,7 +1008,8 @@ def site_curl_security(self): ret_status = { "type": "site", "name": "%s站点通过本机访问失败" % i['nane'], - "harm": "高", + "harm": "警告", + 'level':"1", "file": "%s站点通过本机访问失败" % i['name'], "Suggestions": "加固建议, 检查是否是绑定了当前服务器的IP", "repair": "检查是否是绑定了当前服务器的IP" @@ -1050,11 +1024,13 @@ def site_curl_security(self): def Nginx_Apache_security(self): ret = [] Nginx_Get_version = { + 'id': 70, "type": "file", "name": "Nginx 版本泄露", - "harm": "高", + "harm": "低", + 'level': "1", "file": '/www/server/nginx/conf/nginx.conf', - "Suggestions": "加固建议, 在%s expose_php的值修改为Off中修改" % ('/www/server/php/56/etc/php.ini'), + "Suggestions": "加固建议, 在%s expose_php的值修改为Off中修改" % ('/www/server/nginx/conf/nginx.conf'), "repair": "expose_php = Off", "rule": [ {"re": "server_tokens\s*(.+)", "check": {"type": "string", "value": ['off;']}}] @@ -1065,9 +1041,11 @@ def Nginx_Apache_security(self): ret2 = public.ReadFile('/www/server/nginx/version.pl') if ret2 == '1.8': Nginx_Get_version = { + 'id': 71, "type": "file", + 'level': "1", "name": "Nginx 版本过低", - "harm": "高", + "harm": "低", "file": '/www/server/nginx/conf/nginx.conf', "Suggestions": "加固建议, 升级至最新版的Nginx 软件", "repair": "例如:Nignx1.17 或者Nginx1.16", 
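Review bot: `print(base_json['chmod'])` added to check_san_baseline is a leftover debug statement in a request-handling path (every chmod rule now writes to the panel's stdout) and should be removed together with the `#@print(base_json)` comment above it. The membership test on the next line, `int(ret['chmod']) in base_json['chmod']`, assumes a list such as `[644]`; the entries in data/repair.json carry `"chmod": "644"`, and `int in str` raises TypeError, so if repair.json rules are ever passed through this checker it will crash — normalise first, e.g. `modes = base_json['chmod'] if isinstance(base_json['chmod'], list) else [base_json['chmod']]` and test `int(ret['chmod']) in [int(m) for m in modes]`. The function starts and ends outside the hunk.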
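Review bot: The context line `"name": "%s站点通过本机访问失败" % i['nane']` in site_curl_security indexes the row with `nane`, while the `file` key two lines later uses `i['name']`; the first site that fails the local check raises KeyError and aborts the scan instead of reporting it, so it should be `% i['name']`. The added `'level':"1"` is a string where tasks_security and site_security in this same patch use integers (`"level": 3`, `"level":1`), so anything sorting or comparing levels sees mixed types; use `'level': 1`. The surrounding loop begins and ends outside the hunk.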
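Review bot: The Nginx 版本泄露 rule now names the right file, but its `Suggestions` still tells the operator to change `expose_php` to Off and its `"repair": "expose_php = Off"` is a php.ini directive, while the rule itself checks `server_tokens`; the advice should read `"Suggestions": "加固建议, 在/www/server/nginx/conf/nginx.conf 的 http{} 中设置 server_tokens off;"` and `"repair": "server_tokens off;"`. `'level': "1"` is a string here whereas other rules in this patch use integers. The regex `server_tokens\s*(.+)` captures to end of line, so a value such as `off; # comment` would not equal `off;` — whether that matters depends on how check_san_baseline compares strings, which is outside this hunk.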
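Review bot: `if ret2 == '1.8':` flags only the exact string `1.8` from nginx's version.pl, so any other end-of-life release passes silently, and if ReadFile preserves the trailing newline even 1.8 is missed; compare a parsed version instead, e.g. `if tuple(int(x) for x in ret2.strip().split('.')[:2]) < (1, 16):` (the threshold presumably matching the "Nginx1.16" advice in the rule). The user-facing `"repair"` string also misspells `Nignx1.17`. The enclosing function continues outside the hunk.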
@@ -1234,13 +1212,9 @@ def get_ssh_errorlogin(self, get): day_count+=1 else: continue - - #data['intrusion'].append(l); - #data['intrusion_total'] += 1; elif l.find('Accepted') != -1: if len(data['success']) > limit: del (data['success'][0]); data['success'].append(l); - # data['success_total'] += 1; l = fp.readline(); data['intrusion_total'] = day_count months = {'Jan': '01', 'Feb': '02', 'Mar': '03', 'Apr': '04', 'May': '05', 'Jun': '06', 'Jul': '07', 'Aug': '08', 'Sep': '09', 'Oct': '10', 'Nov': '11', 'Dec': '12'} @@ -1258,6 +1232,40 @@ def get_ssh_errorlogin(self, get): return data; + + # 修复的主函数 + def repair_san_baseline(self, base_json): + if base_json['type'] == 'file': + if os.path.exists(base_json['file']): + ret = public.ReadFile(base_json['file']) + for i in base_json['repair_loophole']: + valuse = re.search(i['re'], ret) + if valuse: + data2=re.sub(i['re'],i['check'],ret) + public.WriteFile(base_json['file'],data2) + return True + else: + return False + if base_json['type'] == 'chmod': + if os.path.exists(base_json['file']): + os.system('chown %s:%s %s'%(base_json['user'],base_json['group'],base_json['file'])) + os.system('chmod %s %s'%(base_json['chmod'],base_json['file'])) + return True + + # 修复 + def repair(self,get): + id=get.id + if id in self.__repair: + return self.repair_san_baseline(self.__repair[id]) + else: + return False + + # 修复全部 + def repair_all(self,get): + for i in self.__repair: + self.repair_san_baseline(self.__repair[i]) + return True + if __name__ == '__main__': my_api = san_baseline() r_data = my_api.San_Entrance() \ No newline at end of file diff --git a/data/repair.json b/data/repair.json new file mode 100644 index 00000000..b96cf082 --- /dev/null +++ b/data/repair.json 
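Review bot: `repair_all` iterates every entry of `self.__repair` and calls `repair_san_baseline` unconditionally, so with the rules shipped in data/repair.json it rewrites sshd_config to `Port 65531`, Redis to a fixed `requirepass` and login.defs even on hosts where the check already passes, with no backup, sshd restart or firewall change, and then returns True whatever happened — the panel can lock its own operator out. Gate each entry on `check_san_baseline` and return per-id results so the caller sees what was actually changed. In `repair_san_baseline` the chmod branch shells out through `os.system('chown %s:%s %s' % ...)`; the values come from the on-disk JSON rather than the request, but `shutil.chown` and `os.chmod(path, int(mode, 8))` do the same without a shell and will not quietly run `chmod ['644'] …` if a list-valued rule (as in system_dir_security) ever reaches it. As collapsed here, the `else: return False` appears to pair with `if valuse:` inside the loop, returning on the first rule that does not match instead of trying the rest, and a `'dir'` rule (id 41) or a missing file falls off the end with None; the hunk's indentation is not fully recoverable, so confirm against the file. `self.__repair` is loaded outside this hunk.

```python
    def repair_san_baseline(self, base_json):
        if base_json['type'] == 'file':
            if not os.path.exists(base_json['file']):
                return False
            ret = public.ReadFile(base_json['file'])
            changed = False
            for i in base_json['repair_loophole']:
                if i['re'] and re.search(i['re'], ret):
                    ret = re.sub(i['re'], i['check'], ret)
                    changed = True
            if changed:
                public.WriteFile(base_json['file'], ret)
            return changed
        if base_json['type'] == 'chmod':
            if not os.path.exists(base_json['file']):
                return False
            # values come from data/repair.json, but never build a shell command from them
            shutil.chown(base_json['file'], base_json['user'], base_json['group'])  # needs `import shutil` at module top
            os.chmod(base_json['file'], int(str(base_json['chmod']), 8))
            return True
        return False

    # … unchanged: repair(self, get) …

    def repair_all(self, get):
        results = {}
        for key, item in self.__repair.items():
            # only touch what currently fails; the sshd Port rule is destructive on a passing host
            if not self.check_san_baseline(item):
                results[key] = bool(self.repair_san_baseline(item))
        return results
```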
@@ -0,0 +1,1136 @@ +{ + "1": { + "id": 1, + "type": "file", + "harm": "高", + "level": "3", + "name": "确保SSH MaxAuthTries 设置为3-6之间", + "file": "/etc/ssh/sshd_config", + "Suggestions": "加固建议 在/etc/ssh/sshd_config 中取消MaxAuthTries注释符号#, 设置最大密码尝试失败次数3-6 建议为4", + "repair": "MaxAuthTries 4", + "rule": [ + { + "re": "\nMaxAuthTries\\s*(\\d+)", + "check": { + "type": "number", + "max": 7, + "min": 3 + } + } + ], + "repair_loophole": [ + { + "re": "\n?#?MaxAuthTries\\s*(\\d+)", + "check": "\nMaxAuthTries 4" + } + ] + }, + "2": { + "id": 2, + "type": "file", + "harm": "高", + "level": "3", + "name": "SSHD 强制使用V2安全协议", + "file": "/etc/ssh/sshd_config", + "Suggestions": "加固建议 在/etc/ssh/sshd_config 文件按如相下设置参数", + "repair": "Protocol 2", + "rule": [ + { + "re": "\nProtocol\\s*(\\d+)", + "check": { + "type": "number", + "max": 3, + "min": 1 + } + } + ], + "repair_loophole": [ + { + "re": "\n?#?Protocol\\s*(\\d+)", + "check": "\nProtocol 2" + } + ] + }, + "3": { + "id": 3, + "type": "file", + "harm": "高", + "level": "3", + "name": "设置SSH空闲超时退出时间", + "file": "/etc/ssh/sshd_config", + "Suggestions": "加固建议 在/etc/ssh/sshd_config 将ClientAliveInterval设置为300到900,即5-15分钟,将ClientAliveCountMax设置为0-3", + "repair": "ClientAliveInterval 600 ClientAliveCountMax 2", + "rule": [ + { + "re": "\nClientAliveInterval\\s*(\\d+)", + "check": { + "type": "number", + "max": 900, + "min": 300 + } + } + ], + "repair_loophole": [ + { + "re": "\n?#?ClientAliveInterval\\s*(\\d+)", + "check": "\nClientAliveInterval 600" + } + ] + }, + "4": { + "id": 4, + "type": "file", + "harm": "高", + "level": "3", + "name": "确保SSH LogLevel 设置为INFO", + "file": "/etc/ssh/sshd_config", + "Suggestions": "加固建议 在/etc/ssh/sshd_config 文件以按如下方式设置参数(取消注释)", + "repair": "LogLevel INFO", + "rule": [ + { + "re": "\nLogLevel\\s*(\\w+)", + "check": { + "type": "string", + "value": [ "INFO" ] + } + } + ], + "repair_loophole": [ + { + "re": "\n?#?LogLevel\\s*(\\w+)", + "check": "\nLogLevel INFO" + } + ] + }, + "5": { + "id": 5, + "type": 
"file", + "harm": "高", + "level": "3", + "name": "禁止SSH空密码用户登陆", + "file": "/etc/ssh/sshd_config", + "Suggestions": "加固建议 在/etc/ssh/sshd_config 将PermitEmptyPasswords配置为no", + "repair": "PermitEmptyPasswords no", + "rule": [ + { + "re": "\nPermitEmptyPasswords\\s*(\\w+)", + "check": { + "type": "string", + "value": [ "no" ] + } + } + ], + "repair_loophole": [ + { + "re": "\n?#?PermitEmptyPasswords\\s*(\\w+)", + "check": "\nPermitEmptyPasswords no" + } + ] + }, + "6": { + "id": 6, + "type": "file", + "name": "SSH使用默认端口22", + "harm": "高", + "level": "3", + "file": "/etc/ssh/sshd_config", + "Suggestions": "加固建议 在/etc/ssh/sshd_config 将Port 设置为6000到65535随意一个, 例如", + "repair": "Port 60151", + "rule": [ + { + "re": "Port\\s*(\\d+)", + "check": { + "type": "number", + "max": 65535, + "min": 22 + } + } + ], + "repair_loophole": [ + { + "re": "\n?#?Port\\s*(\\d+)", + "check": "\nPort 65531" + } + ] + }, + "13": { + "id": 13, + "harm": "高", + "level": "3", + "type": "chmod", + "chmod": "644", + "user": "root", + "group": "root", + "file": "/www/server/panel/BTPanel", + "name": "面板关键性文件权限错误" + }, + "14": { + "id": 14, + "harm": "高", + "level": "3", + "type": "chmod", + "chmod": "600", + "user": "root", + "group": "root", + "file": "/www/server/panel/class", + "name": "面板关键性文件权限错误" + }, + "15": { + "id": 15, + "harm": "高", + "level": "3", + "type": "chmod", + "chmod": "600", + "user": "root", + "group": "root", + "file": "/www/server/panel/config", + "name": "面板关键性文件权限错误" + }, + "16": { + "id": 16, + "harm": "高", + "level": "3", + "type": "chmod", + "chmod": "600", + "user": "root", + "group": "root", + "file": "/www/server/panel/data", + "name": "面板关键性文件权限错误" + }, + "17": { + "id": 17, + "harm": "高", + "level": "3", + "type": "chmod", + "chmod": "644", + "user": "root", + "group": "root", + "file": "/www/server/panel/install", + "name": "面板关键性文件权限错误" + }, + "18": { + "id": 18, + "harm": "高", + "level": "3", + "type": "chmod", + "chmod": "644", + "user": "root", + "group": 
"root", + "file": "/www/server/panel/logs", + "name": "面板关键性文件权限错误" + }, + "19": { + "id": 19, + "harm": "高", + "level": "3", + "type": "chmod", + "chmod": "644", + "user": "root", + "group": "root", + "file": "/www/server/panel/package", + "name": "面板关键性文件权限错误" + }, + "20": { + "id": 20, + "harm": "高", + "level": "3", + "type": "chmod", + "chmod": "644", + "user": "root", + "group": "root", + "file": "/www/server/panel/plugin", + "name": "面板关键性文件权限错误" + }, + "21": { + "id": 21, + "harm": "高", + "level": "3", + "type": "chmod", + "chmod": "644", + "user": "root", + "group": "root", + "file": "/www/server/panel/rewrite", + "name": "面板关键性文件权限错误" + }, + "22": { + "id": 22, + "harm": "高", + "level": "3", + "type": "chmod", + "chmod": "644", + "user": "root", + "group": "root", + "file": "/www/server/panel/ssl", + "name": "面板关键性文件权限错误" + }, + "23": { + "id": 23, + "harm": "高", + "level": "3", + "type": "chmod", + "chmod": "644", + "user": "root", + "group": "root", + "file": "/www/server/panel/temp", + "name": "面板关键性文件权限错误" + }, + "24": { + "id": 24, + "harm": "高", + "level": "3", + "type": "chmod", + "chmod": "644", + "user": "root", + "group": "root", + "file": "/www/server/panel/vhost", + "name": "面板关键性文件权限错误" + }, + "25": { + "id": 25, + "type": "file", + "harm": "中", + "level": "2", + "name": "PHP 5.2 版本泄露 ", + "file": "/www/server/php/52/etc/php.ini", + "Suggestions": "加固建议, 在/www/server/php/52/etc/php.ini expose_php的值修改为Off中修改", + "repair": "expose_php = Off", + "rule": [ + { + "re": "\nexpose_php\\s*=\\s*(\\w+)", + "check": { + "type": "string", + "value": [ "Off" ] + } + } + ], + "repair_loophole": [ + { + "re": "\n?;?expose_php\\s*=\\s*(\\w+)", + "check": "\nexpose_php = Off" + } + ] + }, + "26": { + "id": 26, + "type": "file", + "harm": "中", + "level": "2", + "name": "PHP 5.3 版本泄露", + "file": "/www/server/php/53/etc/php.ini", + "Suggestions": "加固建议, 在/www/server/php/53/etc/php.ini expose_php的值修改为Off中修改", + "repair": "expose_php = Off", + "rule": [ + { + "re": 
"\nexpose_php\\s*=\\s*(\\w+)", + "check": { + "type": "string", + "value": [ "Off" ] + } + } + ], + "repair_loophole": [ + { + "re": "\n?;?expose_php\\s*=\\s*(\\w+)", + "check": "\nexpose_php = Off" + } + ] + }, + "27": { + "id": 27, + "type": "file", + "harm": "中", + "level": "2", + "name": "PHP 5.4 版本泄露", + "file": "/www/server/php/54/etc/php.ini", + "Suggestions": "加固建议, 在/www/server/php/54/etc/php.ini expose_php的值修改为Off中修改", + "repair": "expose_php = Off", + "rule": [ + { + "re": "\nexpose_php\\s*=\\s*(\\w+)", + "check": { + "type": "string", + "value": [ "Off" ] + } + } + ], + "repair_loophole": [ + { + "re": "\n?;?expose_php\\s*=\\s*(\\w+)", + "check": "\nexpose_php = Off" + } + ] + }, + "28": { + "id": 28, + "type": "file", + "harm": "中", + "level": "2", + "name": "PHP 5.5 版本泄露", + "file": "/www/server/php/55/etc/php.ini", + "Suggestions": "加固建议, 在/www/server/php/55/etc/php.ini expose_php的值修改为Off中修改", + "repair": "expose_php = Off", + "rule": [ + { + "re": "\nexpose_php\\s*=\\s*(\\w+)", + "check": { + "type": "string", + "value": [ "Off" ] + } + } + ], + "repair_loophole": [ + { + "re": "\n?;?expose_php\\s*=\\s*(\\w+)", + "check": "\nexpose_php = Off" + } + ] + }, + "29": { + "id": 29, + "type": "file", + "harm": "中", + "level": "2", + "name": "PHP 5.6 版本泄露", + "file": "/www/server/php/56/etc/php.ini", + "Suggestions": "加固建议, 在/www/server/php/56/etc/php.ini expose_php的值修改为Off中修改", + "repair": "expose_php = Off", + "rule": [ + { + "re": "\nexpose_php\\s*=\\s*(\\w+)", + "check": { + "type": "string", + "value": [ "Off" ] + } + } + ], + "repair_loophole": [ + { + "re": "\n?;?expose_php\\s*=\\s*(\\w+)", + "check": "\nexpose_php = Off" + } + ] + }, + "30": { + "id": 30, + "type": "file", + "harm": "中", + "level": "2", + "name": "PHP 7.0 版本泄露", + "file": "/www/server/php/70/etc/php.ini", + "Suggestions": "加固建议, 在/www/server/php/70/etc/php.ini expose_php的值修改为Off中修改", + "repair": "expose_php = Off", + "rule": [ + { + "re": "\nexpose_php\\s*=\\s*(\\w+)", + "check": { 
+ "type": "string", + "value": [ "Off" ] + } + } + ], + "repair_loophole": [ + { + "re": "\n?;?expose_php\\s*=\\s*(\\w+)", + "check": "\nexpose_php = Off" + } + ] + }, + "31": { + "id": 31, + "type": "file", + "harm": "中", + "level": "2", + "name": "PHP 7.1 版本泄露", + "file": "/www/server/php/71/etc/php.ini", + "Suggestions": "加固建议, 在/www/server/php/71/etc/php.ini expose_php的值修改为Off中修改", + "repair": "expose_php = Off", + "rule": [ + { + "re": "\nexpose_php\\s*=\\s*(\\w+)", + "check": { + "type": "string", + "value": [ "Off" ] + } + } + ], + "repair_loophole": [ + { + "re": "\n?;?expose_php\\s*=\\s*(\\w+)", + "check": "\nexpose_php = Off" + } + ] + }, + "32": { + "id": 32, + "type": "file", + "harm": "中", + "level": "2", + "name": "PHP 7.2 版本泄露", + "file": "/www/server/php/72/etc/php.ini", + "Suggestions": "加固建议, 在/www/server/php/72/etc/php.ini expose_php的值修改为Off中修改", + "repair": "expose_php = Off", + "rule": [ + { + "re": "\nexpose_php\\s*=\\s*(\\w+)", + "check": { + "type": "string", + "value": [ "Off" ] + } + } + ], + "repair_loophole": [ + { + "re": "\n?;?expose_php\\s*=\\s*(\\w+)", + "check": "\nexpose_php = Off" + } + ] + }, + "32.5": { + "id": 32.5, + "type": "file", + "harm": "中", + "level": "2", + "name": "PHP 7.3 版本泄露", + "file": "/www/server/php/73/etc/php.ini", + "Suggestions": "加固建议, 在/www/server/php/73/etc/php.ini expose_php的值修改为Off中修改", + "repair": "expose_php = Off", + "rule": [ + { + "re": "\nexpose_php\\s*=\\s*(\\w+)", + "check": { + "type": "string", + "value": [ "Off" ] + } + } + ], + "repair_loophole": [ + { + "re": "\n?;?expose_php\\s*=\\s*(\\w+)", + "check": "\nexpose_php = Off" + } + ] + }, + "33": { + "id": 33, + "type": "file", + "harm": "严重", + "level": "5", + "name": "PHP 5.2 中存在危险函数未禁用", + "file": "/www/server/php/52/etc/php.ini", + "Suggestions": "加固建议, 在/www/server/php/52/etc/php.ini 中 disable_functions= 修改成如下:", + "repair": "disable_functions = 
passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv", + "rule": [ + { + "re": "\ndisable_functions\\s?=\\s?(.+)", + "check": { + "type": "string", + "value": [ + "passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" + ] + } + } + ], + "repair_loophole": [ + { + "re": "\ndisable_functions\\s?=\\s?(.+)", + "check": "\ndisable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" + } + ] + }, + "34": { + "id": 34, + "type": "file", + "harm": "严重", + "level": "5", + "name": "PHP 5.3 中存在危险函数未禁用", + "file": "/www/server/php/53/etc/php.ini", + "Suggestions": "加固建议, 在/www/server/php/53/etc/php.ini 中 disable_functions= 修改成如下:", + "repair": "disable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv", + "rule": [ + { + "re": "\ndisable_functions\\s?=\\s?(.+)", + "check": { + "type": "string", + "value": [ + "passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" + ] + } + } + ], + "repair_loophole": [ + { + "re": "\ndisable_functions\\s?=\\s?(.+)", + "check": "\ndisable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" + } + ] + }, + "35": { + "id": 35, + "type": "file", + "harm": "严重", + "level": "5", + "name": "PHP 5.4 中存在危险函数未禁用", + "file": "/www/server/php/54/etc/php.ini", + "Suggestions": "加固建议, 在/www/server/php/54/etc/php.ini 中 disable_functions= 修改成如下:", + "repair": "disable_functions = 
passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv", + "rule": [ + { + "re": "\ndisable_functions\\s?=\\s?(.+)", + "check": { + "type": "string", + "value": [ + "passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" + ] + } + } + ], + "repair_loophole": [ + { + "re": "\ndisable_functions\\s?=\\s?(.+)", + "check": "\ndisable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" + } + ] + }, + "36": { + "id": 36, + "type": "file", + "harm": "严重", + "level": "5", + "name": "PHP 5.5 中存在危险函数未禁用", + "file": "/www/server/php/55/etc/php.ini", + "Suggestions": "加固建议, 在/www/server/php/55/etc/php.ini 中 disable_functions= 修改成如下:", + "repair": "disable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv", + "rule": [ + { + "re": "\ndisable_functions\\s?=\\s?(.+)", + "check": { + "type": "string", + "value": [ + "passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" + ] + } + } + ], + "repair_loophole": [ + { + "re": "\ndisable_functions\\s?=\\s?(.+)", + "check": "\ndisable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" + } + ] + }, + "37": { + "id": 37, + "type": "file", + "harm": "严重", + "level": "5", + "name": "PHP 5.6 中存在危险函数未禁用", + "file": "/www/server/php/56/etc/php.ini", + "Suggestions": "加固建议, 在/www/server/php/56/etc/php.ini 中 disable_functions= 修改成如下:", + "repair": "disable_functions = 
passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv", + "rule": [ + { + "re": "\ndisable_functions\\s?=\\s?(.+)", + "check": { + "type": "string", + "value": [ + "passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" + ] + } + } + ], + "repair_loophole": [ + { + "re": "\ndisable_functions\\s?=\\s?(.+)", + "check": "\ndisable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" + } + ] + }, + "38": { + "id": 38, + "type": "file", + "harm": "严重", + "level": "5", + "name": "PHP 7.0 中存在危险函数未禁用", + "file": "/www/server/php/70/etc/php.ini", + "Suggestions": "加固建议, 在/www/server/php/70/etc/php.ini 中 disable_functions= 修改成如下:", + "repair": "disable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv", + "rule": [ + { + "re": "\ndisable_functions\\s?=\\s?(.+)", + "check": { + "type": "string", + "value": [ + "passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" + ] + } + } + ], + "repair_loophole": [ + { + "re": "\ndisable_functions\\s?=\\s?(.+)", + "check": "\ndisable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" + } + ] + }, + "39": { + "id": 39, + "type": "file", + "harm": "严重", + "level": "5", + "name": "PHP 7.1 中存在危险函数未禁用", + "file": "/www/server/php/71/etc/php.ini", + "Suggestions": "加固建议, 在/www/server/php/71/etc/php.ini 中 disable_functions= 修改成如下:", + "repair": "disable_functions = 
passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv", + "rule": [ + { + "re": "\ndisable_functions\\s?=\\s?(.+)", + "check": { + "type": "string", + "value": [ + "passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" + ] + } + } + ], + "repair_loophole": [ + { + "re": "\ndisable_functions\\s?=\\s?(.+)", + "check": "\ndisable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" + } + ] + }, + "40": { + "id": 40, + "type": "file", + "harm": "严重", + "level": "5", + "name": "PHP 7.2 中存在危险函数未禁用", + "file": "/www/server/php/72/etc/php.ini", + "Suggestions": "加固建议, 在/www/server/php/72/etc/php.ini 中 disable_functions= 修改成如下:", + "repair": "disable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv", + "rule": [ + { + "re": "\ndisable_functions\\s?=\\s?(.+)", + "check": { + "type": "string", + "value": [ + "passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" + ] + } + } + ], + "repair_loophole": [ + { + "re": "\ndisable_functions\\s?=\\s?(.+)", + "check": "\ndisable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" + } + ] + }, + "40.5": { + "id": 40.5, + "type": "file", + "harm": "严重", + "level": "5", + "name": "PHP 7.3 中存在危险函数未禁用", + "file": "/www/server/php/73/etc/php.ini", + "Suggestions": "加固建议, 在/www/server/php/73/etc/php.ini 中 disable_functions= 修改成如下:", + "repair": "disable_functions = 
passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv", + "rule": [ + { + "re": "\ndisable_functions\\s?=\\s?(.+)", + "check": { + "type": "string", + "value": [ + "passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" + ] + } + } + ], + "repair_loophole": [ + { + "re": "\ndisable_functions\\s?=\\s?(.+)", + "check": "\ndisable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" + } + ] + }, + "41": { + "id": 41, + "type": "dir", + "harm": "高", + "level": "3", + "name": "PHP 5.2 版本过旧", + "file": "/www/server/php/52", + "Suggestions": "加固建议:不再使用php5.2 ", + "repair": "PHP 5.2 已经被淘汰建议升级更高的版本", + "rule": [], + "repair_loophole": [ + { + "re": "", + "check": "" + } + ] + }, + "42": { + "id": 42, + "type": "file", + "harm": "高", + "level": "3", + "name": "Redis 监听的地址为0.0.0.0", + "file": "/www/server/redis/redis.conf", + "Suggestions": "加固建议, 在/www/server/redis/redis.conf 中的监听IP设置为127.0.0.1 例如", + "repair": "bind 127.0.0.1", + "rule": [ + { + "re": "\nbind\\s*(.+)", + "check": { + "type": "string", + "value": [ "0.0.0.0" ] + } + } + ], + "repair_loophole": [ + { + "re": "\nbind\\s*(.+)", + "check": "\nbind 127.0.0.1" + } + ] + }, + "43": { + "id": 43, + "type": "file", + "harm": "高", + "level": "3", + "name": "Redis 查看是否设置密码", + "file": "/www/server/redis/redis.conf", + "Suggestions": "加固建议, 在/www/server/redis/redis.conf 中的监听IP设置为127.0.0.1 例如", + "repair": "bind 127.0.0.1", + "rule": [ + { + "re": "\nrequirepass\\s*(.+)", + "check": { + "type": "string", + "value": [] + } + } + ], + "repair_loophole": [ + { + "re": "\nrequirepass\\s*(.+)", + "check": "\nrequirepass requirepass@#$$%#@%#@!!" 
+ } + ] + }, + "44": { + "id": 44, + "type": "file", + "harm": "高", + "level": "3", + "name": "Redis 是否是弱密码", + "file": "/www/server/redis/redis.conf", + "Suggestions": "加固建议, 在/www/server/redis/redis.conf 中的监听IP设置为127.0.0.1 例如", + "repair": "bind 127.0.0.1", + "rule": [ + { + "re": "\nrequirepass\\s*(.+)", + "check": { + "type": "string", + "value": [ "123456", "admin", "damin888" ] + } + } + ], + "repair_loophole": [ + { + "re": "\nrequirepass\\s*(.+)", + "check": "\nrequirepass requirepass@#$$%#@%#@!!" + } + ] + }, + "46": { + "id": 46, + "type": "file", + "harm": "高", + "level": "3", + "name": "Memcache 监听IP为0.0.0.0", + "file": "/etc/init.d/memcached", + "Suggestions": "加固建议, 在/etc/init.d/memcached 中的监听IP设置为127.0.0.1 例如", + "repair": "IP=127.0.0.1", + "rule": [ + { + "re": "\nIP\\s?=\\s?(.+)", + "check": { + "type": "string", + "value": [ "0.0.0.0" ] + } + } + ], + "repair_loophole": [ + { + "re": "\nIP\\s?=\\s?(.+)", + "check": "\nIP=127.0.0.1" + } + ] + }, + "50": { + "id": 50, + "type": "file", + "harm": "中", + "level": "2", + "name": "SSH 密码复杂度检查", + "file": "/etc/security/pwquality.conf", + "Suggestions": "加固建议/etc/security/pwquality.conf, 把minlen(密码最小长度)设置为9-32,把minclass(至少包含小写字母,大写字母,数字,特殊字符等3类或者4类)", + "repair": "minlen=10 minclass=3", + "rule": [ + { + "re": "minlen\\s*=\\s*(\\d+)", + "check": { + "type": "number", + "max": 32, + "min": 9 + } + } + ], + "repair_loophole": [ + { + "re": "minlen\\s*=\\s*(\\d+)", + "check": "\nminlen=10" + } + ] + }, + "51": { + "id": 51, + "type": "file", + "harm": "高", + "level": "3", + "name": "SSH 用户设置时间失效时间", + "file": "/etc/login.defs", + "Suggestions": "加固建议 使用非密码登陆方式密钥对。请忽略此项, 在/etc/login.defs 中将PASS_MAX_DAYS 参数设置为60-180之间", + "repair": "PASS_MAX_DAYS 90 需同时执行命令设置root 密码失效时间 命令如下: chage --maxdays 90 root", + "rule": [ + { + "re": "PASS_MAX_DAYS\\s*(\\d+)", + "check": { + "type": "number", + "max": 180, + "min": 60 + } + } + ], + "repair_loophole": [ + { + "re": "PASS_MAX_DAYS\\s*(\\d+)", + "check": 
"\nPASS_MAX_DAYS 90" + } + ] + }, + "52": { + "id": 52, + "type": "file", + "harm": "中", + "level": "2", + "name": "设置密码修改最小间隔时间", + "file": "/etc/login.defs", + "Suggestions": "加固建议 在/etc/login.defs PASS_MIN_DAYS 参数设置为7-14之间", + "repair": "PASS_MIN_DAYS 7 需同时执行命令设置root 密码失效时间 命令如下: chage --mindays 7 root", + "rule": [ + { + "re": "PASS_MIN_DAYS\\s*(\\d+)", + "check": { + "type": "number", + "max": 14, + "min": 6 + } + } + ], + "repair_loophole": [ + { + "re": "PASS_MIN_DAYS\\s*(\\d+)", + "check": "\nPASS_MIN_DAYS 7" + } + ] + }, + "54": { + "id": 54, + "type": "file", + "harm": "中", + "level": "2", + "name": "开启地址空间布局随机化", + "ps": "它将进程的内存空间地址随机化来增加入侵者预测目的地址难度, 从而减低进程成功入侵的风险", + "file": "/proc/sys/kernel/randomize_va_space", + "Suggestions": "加固建议:执行命令", + "repair": "sysctl -w kernel.randomize_va_space=2", + "rule": [ + { + "re": "\\d+", + "check": { + "type": "number", + "max": 3, + "min": 1 + } + } + ], + "repair_loophole": [ + { + "re": "\\d+", + "check": "2" + } + ] + }, + "55": { + "id": 55, + "type": "file", + "harm": "中", + "level": "2", + "name": "SSH 用户设置时间失效时间", + "file": "/etc/login.defs", + "Suggestions": "加固建议 在/etc/login.defs PASS_WARN_AGE 参数设置为7-14之间,建议为7", + "repair": "PASS_WARN_AGE 7 同时执行命令使root用户设置生效 chage --warndays 7 root", + "rule": [ + { + "re": "\nPASS_WARN_AGE\\s*(\\d+)", + "check": { + "type": "number", + "max": 15, + "min": 6 + } + } + ], + "repair_loophole": [ + { + "re": "\nPASS_WARN_AGE\\s*(\\d+)", + "check": "\nPASS_WARN_AGE 7" + } + ] + }, + "57": { + "id": 57, + "harm": "高", + "level": "3", + "type": "chmod", + "chmod": "644", + "user": "root", + "group": "root", + "file": "/etc/passwd", + "name": "系统关键性文件权限错误/etc/passwd" + }, + "58": { + "id": 58, + "harm": "高", + "level": "3", + "type": "chmod", + "chmod": "400", + "user": "root", + "group": "root", + "file": "/etc/shadow", + "name": "系统关键性文件权限错误/etc/shadow" + }, + "59": { + "id": 59, + "harm": "高", + "level": "3", + "type": "chmod", + "chmod": "644", + "user": "root", + "group": 
"root", + "file": "/etc/group", + "name": "系统关键性文件权限错误/etc/group" + }, + "60": { + "id": 60, + "harm": "高", + "level": "3", + "type": "chmod", + "chmod": "400", + "user": "root", + "group": "root", + "file": "/etc/gshadow", + "name": "系统关键性文件权限错误/etc/gshadow" + }, + "61": { + "id": 61, + "harm": "高", + "level": "3", + "type": "chmod", + "chmod": "644", + "user": "root", + "group": "root", + "file": "/etc/hosts.allow", + "name": "系统关键性文件权限错误/etc/hosts.allow" + }, + "62": { + "id": 62, + "harm": "高", + "level": "3", + "type": "chmod", + "chmod": "644", + "user": "root", + "group": "root", + "file": "/etc/hosts.deny", + "name": "系统关键性文件权限错误/etc/hosts.deny" + }, + "63": { + "id": 63, + "harm": "高", + "level": "3", + "type": "chmod", + "chmod": "755", + "user": "root", + "group": "root", + "file": "/www", + "name": "系统关键性文件权限错误/www" + }, + "64": { + "id": 64, + "harm": "高", + "level": "3", + "type": "chmod", + "chmod": "755", + "user": "root", + "group": "root", + "file": "/www/server", + "name": "系统关键性文件权限错误/www/server" + }, + "66": { + "id": 66, + "harm": "高", + "level": "3", + "type": "chmod", + "chmod": "755", + "user": "root", + "group": "root", + "file": "/etc/rc.d", + "name": "系统关键性文件权限错误/www/wwwroot" + }, + "67": { + "id": 67, + "harm": "高", + "level": "3", + "type": "chmod", + "chmod": "644", + "user": "root", + "group": "root", + "file": "/etc/rc.local", + "name": "系统关键性文件权限错误/etc/rc.local" + }, + "68": { + "id": 68, + "harm": "高", + "level": "3", + "type": "chmod", + "chmod": "644", + "user": "root", + "group": "root", + "file": "/etc/rc.d/rc.local", + "name": "系统关键性文件权限错误/etc/rc.d/rc.local" + }, + "69": { + "id": 69, + "level": "3", + "harm": "高", + "type": "chmod", + "chmod": "600", + "user": "root", + "group": "root", + "file": "/var/spool/cron/root", + "name": "系统关键性文件权限错误/var/spool/cron/root" + } +} \ No newline at end of file