{ "1": { "id": 1, "type": "file", "harm": "高", "repaired": "1", "level": "3", "name": "确保SSH MaxAuthTries 设置为3-6之间", "file": "/etc/ssh/sshd_config", "Suggestions": "加固建议 在/etc/ssh/sshd_config 中取消MaxAuthTries注释符号#, 设置最大密码尝试失败次数为3-6, 建议为4", "repair": "MaxAuthTries 4", "rule": [ { "re": "\nMaxAuthTries\\s*(\\d+)", "check": { "type": "number", "max": 7, "min": 3 } } ], "repair_loophole": [ { "re": "\n?#?MaxAuthTries\\s*(\\d+)", "check": "\nMaxAuthTries 4" } ] }, "2": { "id": 2, "repaired": "1", "type": "file", "harm": "高", "level": "3", "name": "SSHD 强制使用V2安全协议", "file": "/etc/ssh/sshd_config", "Suggestions": "加固建议 在/etc/ssh/sshd_config 文件中按如下方式设置参数", "repair": "Protocol 2", "rule": [ { "re": "\nProtocol\\s*(\\d+)", "check": { "type": "number", "max": 3, "min": 1 } } ], "repair_loophole": [ { "re": "\n?#?Protocol\\s*(\\d+)", "check": "\nProtocol 2" } ] }, "3": { "id": 3, "repaired": "1", "type": "file", "harm": "高", "level": "3", "name": "设置SSH空闲超时退出时间", "file": "/etc/ssh/sshd_config", "Suggestions": "加固建议 在/etc/ssh/sshd_config 中将ClientAliveInterval设置为300到900,即5-15分钟,将ClientAliveCountMax设置为0-3", "repair": "ClientAliveInterval 600 ClientAliveCountMax 2", "rule": [ { "re": "\nClientAliveInterval\\s*(\\d+)", "check": { "type": "number", "max": 900, "min": 300 } } ], "repair_loophole": [ { "re": "\n?#?ClientAliveInterval\\s*(\\d+)", "check": "\nClientAliveInterval 600" } ] }, "4": { "id": 4, "repaired": "1", "type": "file", "harm": "高", "level": "3", "name": "确保SSH LogLevel 设置为INFO", "file": "/etc/ssh/sshd_config", "Suggestions": "加固建议 在/etc/ssh/sshd_config 文件中按如下方式设置参数(取消注释)", "repair": "LogLevel INFO", "rule": [ { "re": "\nLogLevel\\s*(\\w+)", "check": { "type": "string", "value": [ "INFO" ] } } ], "repair_loophole": [ { "re": "\n?#?LogLevel\\s*(\\w+)", "check": "\nLogLevel INFO" } ] }, "5": { "id": 5, "repaired": "1", "type": "file", "harm": "高", "level": "3", "name": "禁止SSH空密码用户登陆", "file": "/etc/ssh/sshd_config", "Suggestions": "加固建议 在/etc/ssh/sshd_config 
将PermitEmptyPasswords配置为no", "repair": "PermitEmptyPasswords no", "rule": [ { "re": "\nPermitEmptyPasswords\\s*(\\w+)", "check": { "type": "string", "value": [ "no" ] } } ], "repair_loophole": [ { "re": "\n?#?PermitEmptyPasswords\\s*(\\w+)", "check": "\nPermitEmptyPasswords no" } ] }, "6": { "id": 6, "repaired": "1", "type": "file", "name": "SSH使用默认端口22", "harm": "高", "level": "3", "file": "/etc/ssh/sshd_config", "Suggestions": "加固建议 在/etc/ssh/sshd_config 将Port 设置为6000到65535随意一个, 例如", "repair": "Port 60151", "rule": [ { "re": "Port\\s*(\\d+)", "check": { "type": "number", "max": 65535, "min": 22 } } ], "repair_loophole": [ { "re": "\n?#?Port\\s*(\\d+)", "check": "\nPort 65531" } ] }, "13": { "id": 13, "repaired": "1", "harm": "高", "level": "3", "type": "chmod", "chmod": "644", "user": "root", "group": "root", "file": "/www/server/panel/BTPanel", "name": "面板关键性文件权限错误" }, "14": { "id": 14, "repaired": "1", "harm": "高", "level": "3", "type": "chmod", "chmod": "600", "user": "root", "group": "root", "file": "/www/server/panel/class", "name": "面板关键性文件权限错误" }, "15": { "id": 15, "repaired": "1", "harm": "高", "level": "3", "type": "chmod", "chmod": "600", "user": "root", "group": "root", "file": "/www/server/panel/config", "name": "面板关键性文件权限错误" }, "16": { "id": 16, "repaired": "1", "harm": "高", "level": "3", "type": "chmod", "chmod": "600", "user": "root", "group": "root", "file": "/www/server/panel/data", "name": "面板关键性文件权限错误" }, "17": { "id": 17, "repaired": "1", "harm": "高", "level": "3", "type": "chmod", "chmod": "644", "user": "root", "group": "root", "file": "/www/server/panel/install", "name": "面板关键性文件权限错误" }, "18": { "id": 18, "repaired": "1", "harm": "高", "level": "3", "type": "chmod", "chmod": "644", "user": "root", "group": "root", "file": "/www/server/panel/logs", "name": "面板关键性文件权限错误" }, "19": { "id": 19, "repaired": "1", "harm": "高", "level": "3", "type": "chmod", "chmod": "644", "user": "root", "group": "root", "file": "/www/server/panel/package", "name": 
"面板关键性文件权限错误" }, "20": { "id": 20, "repaired": "1", "harm": "高", "level": "3", "type": "chmod", "chmod": "644", "user": "root", "group": "root", "file": "/www/server/panel/plugin", "name": "面板关键性文件权限错误" }, "21": { "id": 21, "repaired": "1", "harm": "高", "level": "3", "type": "chmod", "chmod": "644", "user": "root", "group": "root", "file": "/www/server/panel/rewrite", "name": "面板关键性文件权限错误" }, "22": { "id": 22, "repaired": "1", "harm": "高", "level": "3", "type": "chmod", "chmod": "644", "user": "root", "group": "root", "file": "/www/server/panel/ssl", "name": "面板关键性文件权限错误" }, "23": { "id": 23, "repaired": "1", "harm": "高", "level": "3", "type": "chmod", "chmod": "644", "user": "root", "group": "root", "file": "/www/server/panel/temp", "name": "面板关键性文件权限错误" }, "24": { "id": 24, "repaired": "1", "harm": "高", "level": "3", "type": "chmod", "chmod": "644", "user": "root", "group": "root", "file": "/www/server/panel/vhost", "name": "面板关键性文件权限错误" }, "25": { "id": 25, "repaired": "1", "type": "file", "harm": "中", "level": "2", "name": "PHP 5.2 版本泄露 ", "file": "/www/server/php/52/etc/php.ini", "Suggestions": "加固建议, 在/www/server/php/52/etc/php.ini expose_php的值修改为Off中修改", "repair": "expose_php = Off", "rule": [ { "re": "\nexpose_php\\s*=\\s*(\\w+)", "check": { "type": "string", "value": [ "Off" ] } } ], "repair_loophole": [ { "re": "\n?;?expose_php\\s*=\\s*(\\w+)", "check": "\nexpose_php = Off" } ] }, "26": { "id": 26, "repaired": "1", "type": "file", "harm": "中", "level": "2", "name": "PHP 5.3 版本泄露", "file": "/www/server/php/53/etc/php.ini", "Suggestions": "加固建议, 在/www/server/php/53/etc/php.ini expose_php的值修改为Off中修改", "repair": "expose_php = Off", "rule": [ { "re": "\nexpose_php\\s*=\\s*(\\w+)", "check": { "type": "string", "value": [ "Off" ] } } ], "repair_loophole": [ { "re": "\n?;?expose_php\\s*=\\s*(\\w+)", "check": "\nexpose_php = Off" } ] }, "27": { "id": 27, "repaired": "1", "type": "file", "harm": "中", "level": "2", "name": "PHP 5.4 版本泄露", "file": 
"/www/server/php/54/etc/php.ini", "Suggestions": "加固建议, 在/www/server/php/54/etc/php.ini expose_php的值修改为Off中修改", "repair": "expose_php = Off", "rule": [ { "re": "\nexpose_php\\s*=\\s*(\\w+)", "check": { "type": "string", "value": [ "Off" ] } } ], "repair_loophole": [ { "re": "\n?;?expose_php\\s*=\\s*(\\w+)", "check": "\nexpose_php = Off" } ] }, "28": { "id": 28, "repaired": "1", "type": "file", "harm": "中", "level": "2", "name": "PHP 5.5 版本泄露", "file": "/www/server/php/55/etc/php.ini", "Suggestions": "加固建议, 在/www/server/php/55/etc/php.ini expose_php的值修改为Off中修改", "repair": "expose_php = Off", "rule": [ { "re": "\nexpose_php\\s*=\\s*(\\w+)", "check": { "type": "string", "value": [ "Off" ] } } ], "repair_loophole": [ { "re": "\n?;?expose_php\\s*=\\s*(\\w+)", "check": "\nexpose_php = Off" } ] }, "29": { "id": 29, "repaired": "1", "type": "file", "harm": "中", "level": "2", "name": "PHP 5.6 版本泄露", "file": "/www/server/php/56/etc/php.ini", "Suggestions": "加固建议, 在/www/server/php/56/etc/php.ini expose_php的值修改为Off中修改", "repair": "expose_php = Off", "rule": [ { "re": "\nexpose_php\\s*=\\s*(\\w+)", "check": { "type": "string", "value": [ "Off" ] } } ], "repair_loophole": [ { "re": "\n?;?expose_php\\s*=\\s*(\\w+)", "check": "\nexpose_php = Off" } ] }, "30": { "id": 30, "type": "file", "repaired": "1", "harm": "中", "level": "2", "name": "PHP 7.0 版本泄露", "file": "/www/server/php/70/etc/php.ini", "Suggestions": "加固建议, 在/www/server/php/70/etc/php.ini expose_php的值修改为Off中修改", "repair": "expose_php = Off", "rule": [ { "re": "\nexpose_php\\s*=\\s*(\\w+)", "check": { "type": "string", "value": [ "Off" ] } } ], "repair_loophole": [ { "re": "\n?;?expose_php\\s*=\\s*(\\w+)", "check": "\nexpose_php = Off" } ] }, "31": { "id": 31, "repaired": "1", "type": "file", "harm": "中", "level": "2", "name": "PHP 7.1 版本泄露", "file": "/www/server/php/71/etc/php.ini", "Suggestions": "加固建议, 在/www/server/php/71/etc/php.ini expose_php的值修改为Off中修改", "repair": "expose_php = Off", "rule": [ { "re": 
"\nexpose_php\\s*=\\s*(\\w+)", "check": { "type": "string", "value": [ "Off" ] } } ], "repair_loophole": [ { "re": "\n?;?expose_php\\s*=\\s*(\\w+)", "check": "\nexpose_php = Off" } ] }, "32": { "id": 32, "repaired": "1", "type": "file", "harm": "中", "level": "2", "name": "PHP 7.2 版本泄露", "file": "/www/server/php/72/etc/php.ini", "Suggestions": "加固建议, 在/www/server/php/72/etc/php.ini expose_php的值修改为Off中修改", "repair": "expose_php = Off", "rule": [ { "re": "\nexpose_php\\s*=\\s*(\\w+)", "check": { "type": "string", "value": [ "Off" ] } } ], "repair_loophole": [ { "re": "\n?;?expose_php\\s*=\\s*(\\w+)", "check": "\nexpose_php = Off" } ] }, "32.5": { "id": 32.5, "repaired": "1", "type": "file", "harm": "中", "level": "2", "name": "PHP 7.3 版本泄露", "file": "/www/server/php/73/etc/php.ini", "Suggestions": "加固建议, 在/www/server/php/73/etc/php.ini expose_php的值修改为Off中修改", "repair": "expose_php = Off", "rule": [ { "re": "\nexpose_php\\s*=\\s*(\\w+)", "check": { "type": "string", "value": [ "Off" ] } } ], "repair_loophole": [ { "re": "\n?;?expose_php\\s*=\\s*(\\w+)", "check": "\nexpose_php = Off" } ] }, "33": { "id": 33, "repaired": "1", "type": "file", "harm": "严重", "level": "5", "name": "PHP 5.2 中存在危险函数未禁用", "file": "/www/server/php/52/etc/php.ini", "Suggestions": "加固建议, 在/www/server/php/52/etc/php.ini 中 disable_functions= 修改成如下:", "repair": "disable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv", "rule": [ { "re": "\ndisable_functions\\s?=\\s?(.+)", "check": { "type": "string", "value": [ "passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" ] } } ], "repair_loophole": [ { "re": "\ndisable_functions\\s?=\\s?(.+)", "check": "\ndisable_functions = 
passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" } ] }, "34": { "id": 34, "repaired": "1", "type": "file", "harm": "严重", "level": "5", "name": "PHP 5.3 中存在危险函数未禁用", "file": "/www/server/php/53/etc/php.ini", "Suggestions": "加固建议, 在/www/server/php/53/etc/php.ini 中 disable_functions= 修改成如下:", "repair": "disable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv", "rule": [ { "re": "\ndisable_functions\\s?=\\s?(.+)", "check": { "type": "string", "value": [ "passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" ] } } ], "repair_loophole": [ { "re": "\ndisable_functions\\s?=\\s?(.+)", "check": "\ndisable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" } ] }, "35": { "id": 35, "repaired": "1", "type": "file", "harm": "严重", "level": "5", "name": "PHP 5.4 中存在危险函数未禁用", "file": "/www/server/php/54/etc/php.ini", "Suggestions": "加固建议, 在/www/server/php/54/etc/php.ini 中 disable_functions= 修改成如下:", "repair": "disable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv", "rule": [ { "re": "\ndisable_functions\\s?=\\s?(.+)", "check": { "type": "string", "value": [ "passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" ] } } ], "repair_loophole": [ { "re": "\ndisable_functions\\s?=\\s?(.+)", "check": "\ndisable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" } ] }, "36": { "id": 36, 
"repaired": "1", "type": "file", "harm": "严重", "level": "5", "name": "PHP 5.5 中存在危险函数未禁用", "file": "/www/server/php/55/etc/php.ini", "Suggestions": "加固建议, 在/www/server/php/55/etc/php.ini 中 disable_functions= 修改成如下:", "repair": "disable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv", "rule": [ { "re": "\ndisable_functions\\s?=\\s?(.+)", "check": { "type": "string", "value": [ "passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" ] } } ], "repair_loophole": [ { "re": "\ndisable_functions\\s?=\\s?(.+)", "check": "\ndisable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" } ] }, "37": { "id": 37, "repaired": "1", "type": "file", "harm": "严重", "level": "5", "name": "PHP 5.6 中存在危险函数未禁用", "file": "/www/server/php/56/etc/php.ini", "Suggestions": "加固建议, 在/www/server/php/56/etc/php.ini 中 disable_functions= 修改成如下:", "repair": "disable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv", "rule": [ { "re": "\ndisable_functions\\s?=\\s?(.+)", "check": { "type": "string", "value": [ "passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" ] } } ], "repair_loophole": [ { "re": "\ndisable_functions\\s?=\\s?(.+)", "check": "\ndisable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" } ] }, "38": { "id": 38, "repaired": "1", "type": "file", "harm": "严重", "level": "5", "name": "PHP 7.0 中存在危险函数未禁用", "file": "/www/server/php/70/etc/php.ini", "Suggestions": "加固建议, 
在/www/server/php/70/etc/php.ini 中 disable_functions= 修改成如下:", "repair": "disable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv", "rule": [ { "re": "\ndisable_functions\\s?=\\s?(.+)", "check": { "type": "string", "value": [ "passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" ] } } ], "repair_loophole": [ { "re": "\ndisable_functions\\s?=\\s?(.+)", "check": "\ndisable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" } ] }, "39": { "id": 39, "type": "file", "harm": "严重", "repaired": "1", "level": "5", "name": "PHP 7.1 中存在危险函数未禁用", "file": "/www/server/php/71/etc/php.ini", "Suggestions": "加固建议, 在/www/server/php/71/etc/php.ini 中 disable_functions= 修改成如下:", "repair": "disable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv", "rule": [ { "re": "\ndisable_functions\\s?=\\s?(.+)", "check": { "type": "string", "value": [ "passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" ] } } ], "repair_loophole": [ { "re": "\ndisable_functions\\s?=\\s?(.+)", "check": "\ndisable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" } ] }, "40": { "id": 40, "type": "file", "repaired": "1", "harm": "严重", "level": "5", "name": "PHP 7.2 中存在危险函数未禁用", "file": "/www/server/php/72/etc/php.ini", "Suggestions": "加固建议, 在/www/server/php/72/etc/php.ini 中 disable_functions= 修改成如下:", "repair": "disable_functions = 
passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv", "rule": [ { "re": "\ndisable_functions\\s?=\\s?(.+)", "check": { "type": "string", "value": [ "passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" ] } } ], "repair_loophole": [ { "re": "\ndisable_functions\\s?=\\s?(.+)", "check": "\ndisable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" } ] }, "40.5": { "id": 40.5, "repaired": "1", "type": "file", "harm": "严重", "level": "5", "name": "PHP 7.3 中存在危险函数未禁用", "file": "/www/server/php/73/etc/php.ini", "Suggestions": "加固建议, 在/www/server/php/73/etc/php.ini 中 disable_functions= 修改成如下:", "repair": "disable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv", "rule": [ { "re": "\ndisable_functions\\s?=\\s?(.+)", "check": { "type": "string", "value": [ "passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" ] } } ], "repair_loophole": [ { "re": "\ndisable_functions\\s?=\\s?(.+)", "check": "\ndisable_functions = passthru,exec,system,chroot,chgrp,chown,shell_exec,popen,proc_open,ini_alter,ini_restore,dl,openlog,syslog,readlink,symlink,popepassthru,putenv" } ] }, "41": { "id": 41, "repaired": "0", "type": "dir", "harm": "高", "level": "3", "name": "PHP 5.2 版本过旧", "file": "/www/server/php/52", "Suggestions": "加固建议:不再使用php5.2 ", "repair": "PHP 5.2 已经被淘汰建议升级更高的版本", "rule": [], "repair_loophole": [ { "re": "", "check": "" } ] }, "42": { "id": 42, "repaired": "0", "type": "file", "harm": "高", "level": "3", "name": "Redis 监听的地址为0.0.0.0", "check_file": "/www/server/redis", "file": 
"/www/server/redis/redis.conf", "Suggestions": "加固建议, 在/www/server/redis/redis.conf 中的监听IP设置为127.0.0.1 例如", "repair": "bind 127.0.0.1", "rule": [ { "re": "\nbind\\s*(.+)", "check": { "type": "string", "value": [ "0.0.0.0" ] } } ], "repair_loophole": [ { "re": "\nbind\\s*(.+)", "check": "\nbind 127.0.0.1" } ] }, "46": { "id": 46, "repaired": "0", "type": "file", "harm": "高", "level": "3", "name": "Memcache 监听IP为0.0.0.0", "check_file": "/usr/local/memcached", "file": "/etc/init.d/memcached", "Suggestions": "加固建议, 在/etc/init.d/memcached 中的监听IP设置为127.0.0.1 例如", "repair": "IP=127.0.0.1", "rule": [ { "re": "\nIP\\s?=\\s?(.+)", "check": { "type": "string", "value": [ "0.0.0.0" ] } } ], "repair_loophole": [ { "re": "\nIP\\s?=\\s?(.+)", "check": "\nIP=127.0.0.1" } ] }, "50": { "id": 50, "type": "file", "repaired": "1", "harm": "中", "level": "2", "name": "SSH 密码复杂度检查", "file": "/etc/security/pwquality.conf", "Suggestions": "加固建议/etc/security/pwquality.conf, 把minlen(密码最小长度)设置为9-32,把minclass(至少包含小写字母,大写字母,数字,特殊字符等3类或者4类)", "repair": "minlen=10 minclass=3", "rule": [ { "re": "minlen\\s*=\\s*(\\d+)", "check": { "type": "number", "max": 32, "min": 9 } } ], "repair_loophole": [ { "re": "minlen\\s*=\\s*(\\d+)", "check": "\nminlen=10" } ] }, "51": { "id": 51, "type": "file", "repaired": "1", "harm": "高", "level": "3", "name": "SSH 用户设置时间失效时间", "file": "/etc/login.defs", "Suggestions": "加固建议 使用非密码登陆方式密钥对。请忽略此项, 在/etc/login.defs 中将PASS_MAX_DAYS 参数设置为60-180之间", "repair": "PASS_MAX_DAYS 90 需同时执行命令设置root 密码失效时间 命令如下: chage --maxdays 90 root", "rule": [ { "re": "PASS_MAX_DAYS\\s*(\\d+)", "check": { "type": "number", "max": 180, "min": 60 } } ], "repair_loophole": [ { "re": "PASS_MAX_DAYS\\s*(\\d+)", "check": "\nPASS_MAX_DAYS 90" } ] }, "52": { "id": 52, "type": "file", "repaired": "1", "harm": "中", "level": "2", "name": "设置密码修改最小间隔时间", "file": "/etc/login.defs", "Suggestions": "加固建议 在/etc/login.defs PASS_MIN_DAYS 参数设置为7-14之间", "repair": "PASS_MIN_DAYS 7 需同时执行命令设置root 密码失效时间 命令如下: chage 
--mindays 7 root", "rule": [ { "re": "PASS_MIN_DAYS\\s*(\\d+)", "check": { "type": "number", "max": 14, "min": 6 } } ], "repair_loophole": [ { "re": "PASS_MIN_DAYS\\s*(\\d+)", "check": "\nPASS_MIN_DAYS 7" } ] }, "54": { "id": 54, "repaired": "1", "type": "file", "harm": "中", "level": "2", "name": "开启地址空间布局随机化", "ps": "它将进程的内存空间地址随机化, 以增加入侵者预测目标地址的难度, 从而降低进程被成功入侵的风险", "file": "/proc/sys/kernel/randomize_va_space", "Suggestions": "加固建议:执行命令", "repair": "sysctl -w kernel.randomize_va_space=2", "rule": [ { "re": "\\d+", "check": { "type": "number", "max": 3, "min": 1 } } ], "repair_loophole": [ { "re": "\\d+", "check": "2" } ] }, "55": { "id": 55, "repaired": "1", "type": "file", "harm": "中", "level": "2", "name": "设置密码失效前警告天数", "file": "/etc/login.defs", "Suggestions": "加固建议 在/etc/login.defs 中将PASS_WARN_AGE 参数设置为7-14之间,建议为7", "repair": "PASS_WARN_AGE 7 同时执行命令使root用户设置生效 chage --warndays 7 root", "rule": [ { "re": "\nPASS_WARN_AGE\\s*(\\d+)", "check": { "type": "number", "max": 15, "min": 6 } } ], "repair_loophole": [ { "re": "\nPASS_WARN_AGE\\s*(\\d+)", "check": "\nPASS_WARN_AGE 7" } ] }, "57": { "id": 57, "repaired": "1", "harm": "高", "level": "3", "type": "chmod", "chmod": "644", "user": "root", "group": "root", "file": "/etc/passwd", "name": "系统关键性文件权限错误/etc/passwd" }, "58": { "id": 58, "harm": "高", "repaired": "1", "level": "3", "type": "chmod", "chmod": "400", "user": "root", "group": "root", "file": "/etc/shadow", "name": "系统关键性文件权限错误/etc/shadow" }, "59": { "id": 59, "repaired": "1", "harm": "高", "level": "3", "type": "chmod", "chmod": "644", "user": "root", "group": "root", "file": "/etc/group", "name": "系统关键性文件权限错误/etc/group" }, "60": { "id": 60, "repaired": "1", "harm": "高", "level": "3", "type": "chmod", "chmod": "400", "user": "root", "group": "root", "file": "/etc/gshadow", "name": "系统关键性文件权限错误/etc/gshadow" }, "61": { "id": 61, "repaired": "1", "harm": "高", "level": "3", "type": "chmod", "chmod": "644", "user": "root", "group": "root", "file": 
"/etc/hosts.allow", "name": "系统关键性文件权限错误/etc/hosts.allow" }, "62": { "id": 62, "repaired": "1", "harm": "高", "level": "3", "type": "chmod", "chmod": "644", "user": "root", "group": "root", "file": "/etc/hosts.deny", "name": "系统关键性文件权限错误/etc/hosts.deny" }, "63": { "id": 63, "repaired": "1", "harm": "高", "level": "3", "type": "chmod", "chmod": "755", "user": "root", "group": "root", "file": "/www", "name": "系统关键性文件权限错误/www" }, "64": { "id": 64, "repaired": "1", "harm": "高", "level": "3", "type": "chmod", "chmod": "755", "user": "root", "group": "root", "file": "/www/server", "name": "系统关键性文件权限错误/www/server" }, "66": { "id": 66, "harm": "高", "repaired": "1", "level": "3", "type": "chmod", "chmod": "755", "user": "root", "group": "root", "file": "/www/wwwroot", "name": "系统关键性文件权限错误/www/wwwroot" }, "67": { "id": 67, "repaired": "1", "harm": "高", "level": "3", "type": "chmod", "chmod": "644", "user": "root", "group": "root", "file": "/etc/rc.local", "name": "系统关键性文件权限错误/etc/rc.local" }, "68": { "id": 68, "repaired": "1", "harm": "高", "level": "3", "type": "chmod", "chmod": "644", "user": "root", "group": "root", "file": "/etc/rc.d/rc.local", "name": "系统关键性文件权限错误/etc/rc.d/rc.local" }, "69": { "id": 69, "repaired": "1", "level": "3", "harm": "高", "type": "chmod", "chmod": "600", "user": "root", "group": "root", "file": "/var/spool/cron/root", "name": "系统关键性文件权限错误/var/spool/cron/root" } }