-
Notifications
You must be signed in to change notification settings - Fork 9
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
- Loading branch information
chaoming.meng
committed
Apr 8, 2024
1 parent
3cc699e
commit a5504ae
Showing
386 changed files
with
13,393 additions
and
50 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,127 @@ | ||
| 木兰宽松许可证, 第2版 | ||
|
|
||
| 木兰宽松许可证, 第2版 | ||
| 2020年1月 http://license.coscl.org.cn/MulanPSL2 | ||
|
|
||
|
|
||
| 您对“软件”的复制、使用、修改及分发受木兰宽松许可证,第2版(“本许可证”)的如下条款的约束: | ||
|
|
||
| 0. 定义 | ||
|
|
||
| “软件”是指由“贡献”构成的许可在“本许可证”下的程序和相关文档的集合。 | ||
|
|
||
| “贡献”是指由任一“贡献者”许可在“本许可证”下的受版权法保护的作品。 | ||
|
|
||
| “贡献者”是指将受版权法保护的作品许可在“本许可证”下的自然人或“法人实体”。 | ||
|
|
||
| “法人实体”是指提交贡献的机构及其“关联实体”。 | ||
|
|
||
| “关联实体”是指,对“本许可证”下的行为方而言,控制、受控制或与其共同受控制的机构,此处的控制是指有受控方或共同受控方至少50%直接或间接的投票权、资金或其他有价证券。 | ||
|
|
||
| 1. 授予版权许可 | ||
|
|
||
| 每个“贡献者”根据“本许可证”授予您永久性的、全球性的、免费的、非独占的、不可撤销的版权许可,您可以复制、使用、修改、分发其“贡献”,不论修改与否。 | ||
|
|
||
| 2. 授予专利许可 | ||
|
|
||
| 每个“贡献者”根据“本许可证”授予您永久性的、全球性的、免费的、非独占的、不可撤销的(根据本条规定撤销除外)专利许可,供您制造、委托制造、使用、许诺销售、销售、进口其“贡献”或以其他方式转移其“贡献”。前述专利许可仅限于“贡献者”现在或将来拥有或控制的其“贡献”本身或其“贡献”与许可“贡献”时的“软件”结合而将必然会侵犯的专利权利要求,不包括对“贡献”的修改或包含“贡献”的其他结合。如果您或您的“关联实体”直接或间接地,就“软件”或其中的“贡献”对任何人发起专利侵权诉讼(包括反诉或交叉诉讼)或其他专利维权行动,指控其侵犯专利权,则“本许可证”授予您对“软件”的专利许可自您提起诉讼或发起维权行动之日终止。 | ||
|
|
||
| 3. 无商标许可 | ||
|
|
||
| “本许可证”不提供对“贡献者”的商品名称、商标、服务标志或产品名称的商标许可,但您为满足第4条规定的声明义务而必须使用除外。 | ||
|
|
||
| 4. 分发限制 | ||
|
|
||
| 您可以在任何媒介中将“软件”以源程序形式或可执行形式重新分发,不论修改与否,但您必须向接收者提供“本许可证”的副本,并保留“软件”中的版权、商标、专利及免责声明。 | ||
|
|
||
| 5. 免责声明与责任限制 | ||
|
|
||
| “软件”及其中的“贡献”在提供时不带任何明示或默示的担保。在任何情况下,“贡献者”或版权所有者不对任何人因使用“软件”或其中的“贡献”而引发的任何直接或间接损失承担责任,不论因何种原因导致或者基于何种法律理论,即使其曾被建议有此种损失的可能性。 | ||
|
|
||
| 6. 语言 | ||
| “本许可证”以中英文双语表述,中英文版本具有同等法律效力。如果中英文版本存在任何冲突不一致,以中文版为准。 | ||
|
|
||
| 条款结束 | ||
|
|
||
| 如何将木兰宽松许可证,第2版,应用到您的软件 | ||
|
|
||
| 如果您希望将木兰宽松许可证,第2版,应用到您的新软件,为了方便接收者查阅,建议您完成如下三步: | ||
|
|
||
| 1, 请您补充如下声明中的空白,包括软件名、软件的首次发表年份以及您作为版权人的名字; | ||
|
|
||
| 2, 请您在软件包的一级目录下创建以“LICENSE”为名的文件,将整个许可证文本放入该文件中; | ||
|
|
||
| 3, 请将如下声明文本放入每个源文件的头部注释中。 | ||
|
|
||
| Copyright (c) [Year] [name of copyright holder] | ||
| [Software Name] is licensed under Mulan PSL v2. | ||
| You can use this software according to the terms and conditions of the Mulan PSL v2. | ||
| You may obtain a copy of Mulan PSL v2 at: | ||
| http://license.coscl.org.cn/MulanPSL2 | ||
| THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. | ||
| See the Mulan PSL v2 for more details. | ||
|
|
||
|
|
||
| Mulan Permissive Software License,Version 2 | ||
|
|
||
| Mulan Permissive Software License,Version 2 (Mulan PSL v2) | ||
| January 2020 http://license.coscl.org.cn/MulanPSL2 | ||
|
|
||
| Your reproduction, use, modification and distribution of the Software shall be subject to Mulan PSL v2 (this License) with the following terms and conditions: | ||
|
|
||
| 0. Definition | ||
|
|
||
| Software means the program and related documents which are licensed under this License and comprise all Contribution(s). | ||
|
|
||
| Contribution means the copyrightable work licensed by a particular Contributor under this License. | ||
|
|
||
| Contributor means the Individual or Legal Entity who licenses its copyrightable work under this License. | ||
|
|
||
| Legal Entity means the entity making a Contribution and all its Affiliates. | ||
|
|
||
| Affiliates means entities that control, are controlled by, or are under common control with the acting entity under this License, ‘control’ means direct or indirect ownership of at least fifty percent (50%) of the voting power, capital or other securities of controlled or commonly controlled entity. | ||
|
|
||
| 1. Grant of Copyright License | ||
|
|
||
| Subject to the terms and conditions of this License, each Contributor hereby grants to you a perpetual, worldwide, royalty-free, non-exclusive, irrevocable copyright license to reproduce, use, modify, or distribute its Contribution, with modification or not. | ||
|
|
||
| 2. Grant of Patent License | ||
|
|
||
| Subject to the terms and conditions of this License, each Contributor hereby grants to you a perpetual, worldwide, royalty-free, non-exclusive, irrevocable (except for revocation under this Section) patent license to make, have made, use, offer for sale, sell, import or otherwise transfer its Contribution, where such patent license is only limited to the patent claims owned or controlled by such Contributor now or in future which will be necessarily infringed by its Contribution alone, or by combination of the Contribution with the Software to which the Contribution was contributed. The patent license shall not apply to any modification of the Contribution, and any other combination which includes the Contribution. If you or your Affiliates directly or indirectly institute patent litigation (including a cross claim or counterclaim in a litigation) or other patent enforcement activities against any individual or entity by alleging that the Software or any Contribution in it infringes patents, then any patent license granted to you under this License for the Software shall terminate as of the date such litigation or activity is filed or taken. | ||
|
|
||
| 3. No Trademark License | ||
|
|
||
| No trademark license is granted to use the trade names, trademarks, service marks, or product names of Contributor, except as required to fulfill notice requirements in Section 4. | ||
|
|
||
| 4. Distribution Restriction | ||
|
|
||
| You may distribute the Software in any medium with or without modification, whether in source or executable forms, provided that you provide recipients with a copy of this License and retain copyright, patent, trademark and disclaimer statements in the Software. | ||
|
|
||
| 5. Disclaimer of Warranty and Limitation of Liability | ||
|
|
||
| THE SOFTWARE AND CONTRIBUTION IN IT ARE PROVIDED WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED. IN NO EVENT SHALL ANY CONTRIBUTOR OR COPYRIGHT HOLDER BE LIABLE TO YOU FOR ANY DAMAGES, INCLUDING, BUT NOT LIMITED TO ANY DIRECT, OR INDIRECT, SPECIAL OR CONSEQUENTIAL DAMAGES ARISING FROM YOUR USE OR INABILITY TO USE THE SOFTWARE OR THE CONTRIBUTION IN IT, NO MATTER HOW IT’S CAUSED OR BASED ON WHICH LEGAL THEORY, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. | ||
|
|
||
| 6. Language | ||
|
|
||
| THIS LICENSE IS WRITTEN IN BOTH CHINESE AND ENGLISH, AND THE CHINESE VERSION AND ENGLISH VERSION SHALL HAVE THE SAME LEGAL EFFECT. IN THE CASE OF DIVERGENCE BETWEEN THE CHINESE AND ENGLISH VERSIONS, THE CHINESE VERSION SHALL PREVAIL. | ||
|
|
||
| END OF THE TERMS AND CONDITIONS | ||
|
|
||
| How to Apply the Mulan Permissive Software License,Version 2 (Mulan PSL v2) to Your Software | ||
|
|
||
| To apply the Mulan PSL v2 to your work, for easy identification by recipients, you are suggested to complete following three steps: | ||
|
|
||
| i Fill in the blanks in following statement, including insert your software name, the year of the first publication of your software, and your name identified as the copyright owner; | ||
|
|
||
| ii Create a file named “LICENSE” which contains the whole context of this License in the first directory of your software package; | ||
|
|
||
| iii Attach the statement to the appropriate annotated syntax at the beginning of each source file. | ||
|
|
||
|
|
||
| Copyright (c) [Year] [name of copyright holder] | ||
| [Software Name] is licensed under Mulan PSL v2. | ||
| You can use this software according to the terms and conditions of the Mulan PSL v2. | ||
| You may obtain a copy of Mulan PSL v2 at: | ||
| http://license.coscl.org.cn/MulanPSL2 | ||
| THIS SOFTWARE IS PROVIDED ON AN "AS IS" BASIS, WITHOUT WARRANTIES OF ANY KIND, EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO NON-INFRINGEMENT, MERCHANTABILITY OR FIT FOR A PARTICULAR PURPOSE. | ||
| See the Mulan PSL v2 for more details. |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,36 +1,63 @@ | ||
| # secureguardian | ||
| # SecureGuardian User Guide | ||
|
|
||
| #### Description | ||
| Enhancing system security through evaluations and fixes. | ||
| SecureGuardian is a Linux system security check tool developed based on the "openEuler Security Configuration Baseline", aimed at helping system administrators evaluate and improve the security of their systems. | ||
|
|
||
| #### Software Architecture | ||
| Software architecture description | ||
| ## Architectural Design | ||
|
|
||
| #### Installation | ||
| The architecture of SecureGuardian is designed to systematically assess the security of Linux system configurations. It operates through a modular script approach, allowing for extensive customization and expansion. The main components include: | ||
|
|
||
| 1. xxxx | ||
| 2. xxxx | ||
| 3. xxxx | ||
| - **Check Scripts**: Individual scripts provided for each security check, easy to update to adapt to new standards or findings. | ||
| - **Configuration Files**: Define which checks to execute, their parameters, and manage exceptions, allowing assessments to be tailored to different environments. | ||
| - **Execution Engine**: Coordinates the running of check scripts, collects results, and manages output formats, supporting detailed reports for analysis and summaries for quick overviews. | ||
| - **User Interface**: Command-line based, allowing users to specify checks, view reports, and configure settings. | ||
|
|
||
| #### Instructions | ||
| This structure supports a flexible and expandable security auditing method, adaptable to a wide range of system environments and security requirements. | ||
|
|
||
| 1. xxxx | ||
| 2. xxxx | ||
| 3. xxxx | ||
| ## Features | ||
|
|
||
| #### Contribution | ||
| - Supports flexible configurations, allowing specific checks to be enabled or disabled as needed. | ||
| - Provides detailed security check reports, including successful checks, failed items and reasons for failure. | ||
| - Automatically generates HTML reports for easy viewing in web browsers. | ||
| - Supports specifying a particular configuration file for checking through command-line parameters. | ||
| - The results of check scripts are stored in JSON files and used to generate HTML reports. | ||
|
|
||
| 1. Fork the repository | ||
| 2. Create Feat_xxx branch | ||
| 3. Commit your code | ||
| 4. Create Pull Request | ||
| ## Installation | ||
|
|
||
| You can install it with the following commands: | ||
|
|
||
| ```sh | ||
| sudo yum install jq | ||
| sudo rpm -i secureguardian-<version>.rpm | ||
| ``` | ||
|
|
||
| ## Usage | ||
|
|
||
| - **To execute all checks**: Running the command without any parameters | ||
|
|
||
| ```sh | ||
| run_checks | ||
| ``` | ||
| will perform all checks enabled in the configuration file and generate a report. | ||
|
|
||
| - **To specify a configuration file for the check: Use the -c or --config parameter to specify a particular configuration file for the check. | ||
|
|
||
| ```sh | ||
| run_checks -c <configuration file name> | ||
| ``` | ||
|
|
||
| - **To only execute "required" checks: Use the -r parameter | ||
| ```sh | ||
| run_checks -r | ||
| ``` | ||
| ## Configuration Details | ||
|
|
||
| The configuration files are located in the /usr/local/secureguardian/conf directory, where you can edit these files to enable or disable specific checks. Check scripts are stored in the /usr/local/secureguardian/scripts/checks directory, organized into different subdirectories based on the different checks. | ||
|
|
||
| ## Viewing Reports | ||
|
|
||
| After the checks are completed, you can find the HTML format report files in the /usr/local/secureguardian/reports directory, which can be directly opened with a browser to view. | ||
|
|
||
| ## License | ||
| secureguardian is licensed under the Mulan PSL v2 protocol. | ||
|
|
||
| #### Gitee Feature | ||
|
|
||
| 1. You can use Readme\_XXX.md to support different languages, such as Readme\_en.md, Readme\_zh.md | ||
| 2. Gitee blog [blog.gitee.com](https://blog.gitee.com) | ||
| 3. Explore open source project [https://gitee.com/explore](https://gitee.com/explore) | ||
| 4. The most valuable open source project [GVP](https://gitee.com/gvp) | ||
| 5. The manual of Gitee [https://gitee.com/help](https://gitee.com/help) | ||
| 6. The most popular members [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -1,37 +1,63 @@ | ||
| # secureguardian | ||
| # secureguardian 使用说明 | ||
|
|
||
| #### 介绍 | ||
| Enhancing system security through evaluations and fixes. | ||
| secureguardian 是一款基于《openEuler 安全配置基线》开发的 Linux 系统安全检查工具,旨在帮助系统管理员评估和提高系统的安全性。 | ||
|
|
||
| #### 软件架构 | ||
| 软件架构说明 | ||
| ## 架构设计 | ||
|
|
||
| secureguardian的架构旨在针对Linux系统配置进行系统性的安全性评估。它通过模块化脚本方法操作,允许进行广泛的定制和扩展。主要组件包括: | ||
|
|
||
| #### 安装教程 | ||
| - 检查脚本:为每项安全检查提供的单独脚本,易于更新,以适应新标准或发现。 | ||
| - 配置文件:定义执行哪些检查,它们的参数,并管理异常,使得针对不同环境的评估能够量身定制。 | ||
| - 执行引擎:协调检查脚本的运行,收集结果,并管理输出格式,支持详细报告以便分析和摘要以便快速概览。 | ||
| - 用户界面:基于命令行,允许用户指定检查,查看报告和配置设置。 | ||
|
|
||
| 1. xxxx | ||
| 2. xxxx | ||
| 3. xxxx | ||
| 此结构支持灵活且可扩展的安全审计方法,适应广泛的系统环境和安全要求。 | ||
|
|
||
| #### 使用说明 | ||
| ## 功能特性 | ||
|
|
||
| 1. xxxx | ||
| 2. xxxx | ||
| 3. xxxx | ||
| - 支持灵活的配置,可以根据需要启用或禁用特定的检查项。 | ||
| - 提供详细的安全检查报告,包括检查成功、失败项及失败原因,以及对应的解决方案链接。 | ||
| - 自动生成 HTML 报告,方便在 Web 浏览器中查看。 | ||
| - 支持通过命令行参数指定特定的配置文件进行检查。 | ||
| - 检查脚本的执行结果会被存储在 JSON 文件中,并用于生成 HTML 报告。 | ||
|
|
||
| #### 参与贡献 | ||
| ## 安装 | ||
|
|
||
| 1. Fork 本仓库 | ||
| 2. 新建 Feat_xxx 分支 | ||
| 3. 提交代码 | ||
| 4. 新建 Pull Request | ||
| 可以通过以下命令安装: | ||
|
|
||
| ```sh | ||
| sudo yum install jq | ||
| sudo rpm -i secureguardian-<版本号>.rpm | ||
|
|
||
| ``` | ||
| ## 使用方法 | ||
|
|
||
| -执行所有检查:不带任何参数运行 | ||
| ```sh | ||
| run_checks | ||
| ``` | ||
| 命令将执行所有配置文件中启用的检查项,并生成报告。 | ||
| -指定配置文件执行检查:使用 -c 或 --config 参数可以指定一个特定的配置文件进行检查。 | ||
|
|
||
| ```sh | ||
| run_checks -c <配置文件名> | ||
| ``` | ||
| -只执行“要求”的检查项: -r 参数 | ||
|
|
||
| ```sh | ||
| run_checks -r | ||
| ``` | ||
|
|
||
| ## 配置说明 | ||
|
|
||
| 配置文件位于 /usr/local/secureguardian/conf 目录,您可以编辑这些文件来启用或禁用特定的检查项。 | ||
| 检查脚本存放在 /usr/local/secureguardian/scripts/checks 目录下,根据不同的检查项组织在不同的子目录中。 | ||
|
|
||
| ## 查看报告 | ||
|
|
||
| 检查完成后,可以在/usr/local/secureguardian/reports目录下找到HTML格式的报告文件,直接用浏览器打开即可查看。 | ||
|
|
||
| ## 许可 | ||
| SecureGuardian使用Mulan PSL v2协议 | ||
|
|
||
| #### 特技 | ||
|
|
||
| 1. 使用 Readme\_XXX.md 来支持不同的语言,例如 Readme\_en.md, Readme\_zh.md | ||
| 2. Gitee 官方博客 [blog.gitee.com](https://blog.gitee.com) | ||
| 3. 你可以 [https://gitee.com/explore](https://gitee.com/explore) 这个地址来了解 Gitee 上的优秀开源项目 | ||
| 4. [GVP](https://gitee.com/gvp) 全称是 Gitee 最有价值开源项目,是综合评定出的优秀开源项目 | ||
| 5. Gitee 官方提供的使用手册 [https://gitee.com/help](https://gitee.com/help) | ||
| 6. Gitee 封面人物是一档用来展示 Gitee 会员风采的栏目 [https://gitee.com/gitee-stars/](https://gitee.com/gitee-stars/) |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,36 @@ | ||
| ### 1.1.10 确保无可执行文件的分区以noexec方式挂载 | ||
|
|
||
| **级别:** 要求 | ||
|
|
||
| **适用版本:** 全部 | ||
|
|
||
| **规则说明:** | ||
|
|
||
| 数据盘只是用于保存系统运行过程中的数据,并不需要在数据盘上执行相关命令,对于这种情况,该硬盘或分区必须以noexec方式挂载,提高安全性,减少攻击面。 | ||
|
|
||
| **规则影响:** | ||
|
|
||
| 硬盘或分区如果以noexec方式挂载,那么该挂载点目录下的可执行文件无法直接运行。 | ||
|
|
||
| **检查方法:** | ||
|
|
||
| 通过mount命令查看指定挂载点目录是否以noexec方式挂载: | ||
|
|
||
| ```bash | ||
| # mount | grep "\/root\/noexec" | grep "noexec" | ||
| /dev/vda on /root/noexec type ext4 (rw,noexec,relatime,seclabel) | ||
| ``` | ||
|
|
||
| **修复方法:** | ||
|
|
||
| ```bash | ||
| # umount /root/noexec | ||
| # mount -o noexec /dev/vda /root/noexec/ | ||
| ``` | ||
|
|
||
| * 如果硬盘或分区是通过/etc/fstab配置文件进行挂载的,那么通过修改该文件,为指定挂载点添加noexec挂载方式,如: | ||
|
|
||
| ```bash | ||
| # vim /etc/fstab | ||
| /dev/vda /root/noexec ext4 noexec 0 0 | ||
| ``` |
38 changes: 38 additions & 0 deletions
38
baseline/1_初始部署/1.1_文件系统/1.1.11_确保可移动设备分区以noexec、nodev方式挂载.md
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,38 @@ | ||
| ### 1.1.11 确保可移动设备分区以noexec、nodev方式挂载 | ||
|
|
||
| **级别:** 要求 | ||
|
|
||
| **适用版本:** 全部 | ||
|
|
||
| **规则说明:** | ||
|
|
||
| 可移动设备本身存在不确定性,来源、过往使用情况、运输过程等都无法保证绝对安全,因此可移动设备往往是病毒传播的主要宿主设备。所以针对可移动设备,要求必须以noexec、nodev方式挂载,提高安全性,减少攻击面。 | ||
|
|
||
| noexec可以防止可移动设备上文件被直接执行,如病毒文件,攻击脚本等; | ||
|
|
||
| nodev可以防止可移动设备上不正确的设备文件链接到服务器真实设备,从而导致攻击行为; | ||
|
|
||
| 常见的可移动设备如:CD/DVD/USB等。 | ||
|
|
||
| **规则影响:** | ||
|
|
||
| 可移动设备如果以noexec方式挂载,那么该挂载点目录下的可执行文件无法直接运行。 | ||
|
|
||
|
|
||
| **检查方法:** | ||
|
|
||
| 通过mount命令查看指定挂载点目录是否以noexec、nodev方式挂载,此处假设/dev/vda为可移动设备: | ||
|
|
||
| ```bash | ||
| # mount | grep "\/dev\/vda" | ||
| /dev/vda on /root/noexecdir type ext4 (rw,nodev,noexec,relatime,seclabel) | ||
| ``` | ||
|
|
||
| **修复方法:** | ||
|
|
||
| 卸载对应挂载点,重新以nodev、noexec方式挂载 | ||
|
|
||
| ```bash | ||
| # umount /root/noexecdir | ||
| # mount -o nodev,noexec /dev/vda /root/noexecdir | ||
| ``` |
Oops, something went wrong.