脚本优化及bug修复

# 问题概述
1. 正则表达式不够严谨：如1.50扫描脚本中的`grep -Eqi '^\s*x11forwarding\s+no' /etc/ssh/sshd_config`。能够匹配`no`开头的所有参数值，导致不合规参数仍可通过检查。
2. 对缺省参数的支持不足：如1.13规则中，`loglevel`参数的值默认为`info`，可缺省配置。但按当前扫描脚本如缺省则无法通过检查。检测脚本需增加这方面的支持。
3. 对数值参数的比较不够严谨，如出现非数字参数则会产生报错，需优化数值截取和比较代码。
4. 1.21规则中`logingracetime`支持xm的配置方法，(如2m则表示2分钟)，且配置文件内默认的参考即为`LoginGraceTime 2m`。需增加对这种配置方法的支持
5. 1.24规则中，`maxstartups 10:30:60`，第三个参数不可小于第一个参数，否则应用时将报错。需增加参数之间的大小判断，benchmark也需同步更新。
6. 1.20的修复脚本中ClientAliveInterval参数的值，前后不一致，需修复。

## benchmarks
- 1.13 修改检测脚本正则表达式，增加`\b`锚点，修复参数后跟不合规字符仍能通过的问题，使检查更加严谨
- 1.15 修改检测脚本正则表达式，增加`\b`锚点，修复参数后跟不合规字符仍能通过的问题，使检查更加严谨
- 1.16 修改检测脚本正则表达式，增加`\b`锚点，修复参数后跟不合规字符仍能通过的问题，使检查更加严谨
- 1.18 修复检测输出描述错误；修改检测脚本正则表达式，增加`\b`锚点，修复参数后跟不合规字符仍能通过的问题，使检查更加严谨
- 1.19 修复检测输出描述错误；修改检测脚本正则表达式，增加`\b`锚点，修复参数后跟不合规字符仍能通过的问题，使检查更加严谨
- 1.24 增加参数描述；修改检测脚本，使检查更加严谨
- 1.41 修改检测脚本，使检查更加严谨
- 1.50 修改检测脚本正则表达式，增加`\b`锚点，修复参数后跟不合规字符仍能通过的问题，使检查更加严谨

## remediation-kits
- 1.20 修复数值BUG

## scanners
- 1.13 重写检测脚本：兼容缺省、空配置、错误配置等多种情况
- 1.14 重写检测脚本：优化数值比对代码；兼容缺省、空配置、错误配置等多种情况
- 1.15 重写检测脚本：兼容缺省、空配置、错误配置等多种情况
- 1.16 重写检测脚本：兼容缺省、空配置、错误配置等多种情况
- 1.17 重写检测脚本：兼容缺省、空配置、错误配置等多种情况
- 1.18 重写检测脚本：兼容缺省、空配置、错误配置等多种情况
- 1.19 重写检测脚本：兼容缺省、空配置、错误配置等多种情况
- 1.20 重写检测脚本：兼容缺省、空配置、错误配置等多种情况
- 1.21 重写检测脚本：支持参数分钟 xm 的配置形式；优化数值比对代码；兼容缺省、空配置、错误配置等多种情况
- 1.22 重写检测脚本：兼容缺省、空配置、错误配置等多种情况
- 1.23 重写检测脚本：兼容缺省、空配置、错误配置等多种情况
- 1.24 重写检测脚本：增加对非法参数的判断（参数3不可小于参数1）；优化数值比对代码；兼容缺省、空配置、错误配置等多种情况
- 1.25 重写检测脚本：优化数值比对代码；兼容缺省、空配置、错误配置等多种情况
- 1.41 重写检测脚本：优化数值比对代码
- 1.47 重写检测脚本：优化数值比对代码；兼容缺省、空配置、错误配置等多种情况
- 1.50 重写检测脚本：兼容缺省、空配置、错误配置等多种情况

## benchmark
- benchmarks/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.md
修改检测脚本正则表达式，增加\b锚点，使检查更加严谨
- benchmarks/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.md
修复描述错误
- benchmarks/system-configurations/4.66-ensure-system-histsize-as-100-or-other.md
1. 添加描述信息，说明该规则的含义
2. 更新查询脚本，使查询更加严谨
3. 更新规则要求，由原等于100 改为 小于100，使规则更加合理
- benchmarks/system-configurations/4.67-ensure-system-histfilesize-100.md
1. 添加描述信息，说明该规则的含义
2. 更新查询脚本，使查询更加严谨
3. 更新规则要求，由原等于100 改为 小于100，使规则更加合理
4. 修复加固脚本中的bug：`echo -e "export HISTFILESIZE=100" >> /etc/profile`   -->   `echo -e "HISTFILESIZE=100" >> /etc/profile`

## 扫描脚本

### 增加 grep -q 参数
- scanners/access-and-control/1.12-ensure-permissions-on-ssh-public-host-key-files-are-configured.sh

### 更新grep 查询语句，使查询更加严谨
- scanners/access-and-control/1.26-ensure-system-wide-crypto-policy-is-not-over-ridden.sh
- scanners/access-and-control/1.30-ensure-password-hashing-algorithm-is-sha-512.sh
- scanners/access-and-control/1.37-ensure-default-user-shell-timeout-is-900-seconds-or-less.sh
- scanners/access-and-control/1.42-ensure-that-the-password-expires-between-30-and-90-days.sh
- scanners/access-and-control/1.43-ensure-that-the-minimum-password-change-between-7-and-14-days.sh
- scanners/access-and-control/1.46-ensure-default-user-shell-timeout-is-between-600-and-1800-seconds.sh
- scanners/access-and-control/1.51-ensure-mounting-of-udf-filesystems-is-disabled.sh
- scanners/access-and-control/1.52-ensure-mounting-of-cramfs-filesystems-is-disabled.sh
- scanners/access-and-control/1.53-ensure-mounting-of-squashfs-filesystems-is-disabled.sh
- scanners/logging-and-auditing/2.26-ensure-the-running-and-on-disk-configuration-is-the-same.sh
- scanners/services/3.27-ensure-time-synchronization-is-installed.sh

### 重写脚本，使检查更加严谨
- scanners/access-and-control/1.28-ensure-lockout-for-failed-password-attempts-is-configured.sh
- scanners/access-and-control/1.31-ensure-password-expiration-is-365-days-or-less.sh
- scanners/access-and-control/1.32-ensure-minimum-days-between-password-changes-is-7-or-more.sh
- scanners/access-and-control/1.33-ensure-password-expiration-warning-days-is-7-or-more.sh
- scanners/access-and-control/1.34-ensure-inactive-password-lock-is-30-days-or-less.sh
- scanners/access-and-control/1.49-lock-or-delete-the-shutdown-and-halt-users.sh
- scanners/access-and-control/1.54-lock-the-bin-and-adm-users.sh
- scanners/system-configurations/4.66-ensure-system-histsize-as-100-or-other.sh
- scanners/system-configurations/4.67-ensure-system-histfilesize-100.sh

### 优化代码格式及逻辑
- scanners/logging-and-auditing/2.11-ensure-cryptographic-mechanisms-are-used-to-protect-the-integrity-of-audit-tools.sh

### 修复bug
#### -a --> -e
- scanners/logging-and-auditing/2.15-ensure-rsyslog-is-configured-to-send-logs-to-a-remote-log-host.sh
- scanners/logging-and-auditing/2.16-ensure-journald-is-configured-to-send-logs-to-rsyslog.sh
- scanners/logging-and-auditing/2.17-ensure-journald-is-configured-to-compress-large-log-files.sh
- scanners/logging-and-auditing/2.18-ensure-journald-is-configured-to-write-logfiles-to-persistent-disk.sh
#### 判断逻辑
- scanners/logging-and-auditing/2.20-ensure-audit-service-is-enabled.sh

### 判断语句[] --> [[]]
- scanners/mandatory-access-control/5.1-ensure-selinux-is-installed.sh
- scanners/mandatory-access-control/5.2-ensure-selinux-policy-is-configured.sh
- scanners/mandatory-access-control/5.4-ensure-the-selinux-mode-is-enforcing.sh
- scanners/mandatory-access-control/5.9-ensure-setroubleshoot-is-not-installed.sh
- scanners/services/3.1-disable-http-server.sh
- scanners/services/3.10-disable-rsync-server.sh
- scanners/services/3.11-disable-avahi-server.sh
- scanners/services/3.12-disable-snmp-server.sh
- scanners/services/3.13-disable-http-proxy-server.sh
- scanners/services/3.14-disable-samba.sh
- scanners/services/3.15-disable-imap-and-pop3-server.sh
- scanners/services/3.16-disable-smtp-protocol.sh
- scanners/services/3.17-disable-or-uninstall-the-telnet.sh
- scanners/services/3.18-uninstall-the-avahi-server.sh
- scanners/services/3.19-uninstall-the-kexec-tools.sh
- scanners/services/3.2-disable-ftp-server.sh
- scanners/services/3.20-uninstall-the-firstboot.sh
- scanners/services/3.21-uninstall-the-wpa_supplicant.sh
- scanners/services/3.22-ensure-NIS-Client-is-not-installed.sh
- scanners/services/3.23-disable-rsh.sh
- scanners/services/3.24-disable-ntalk.sh
- scanners/services/3.25-ensure-xinetd-is-not-installed.sh
- scanners/services/3.26-disable-usb-storage.sh
- scanners/services/3.3-disable-dns-server.sh
- scanners/services/3.4-disable-nfs.sh
- scanners/services/3.5-disable-rpc.sh
- scanners/services/3.6-disable-ldap-server.sh
- scanners/services/3.7-disable-dhcp-server.sh
- scanners/services/3.8-disable-cups.sh
- scanners/services/3.9-disable-nis-server.sh
- scanners/system-configurations/4.1-ensure-message-of-the-day-is-configured-properly.sh
- scanners/system-configurations/4.10-ensure-bootloader-password-is-set.sh
- scanners/system-configurations/4.12-ensure-authentication-required-for-single-user-mode.sh
- scanners/system-configurations/4.13-ensure-core-dumps-are-restricted.sh
- scanners/system-configurations/4.14-ensure-address-space-layout-randomization-(ASLR)-is-enabled.sh
- scanners/system-configurations/4.15-ensure-system-wide-crypto-policy-is-not-legacy.sh
- scanners/system-configurations/4.16-ensure-sticky-bit-is-set-on-all-world-writable-directories.sh
- scanners/system-configurations/4.17-ensure-permissions-on-etc-passwd-are-configured.sh
- scanners/system-configurations/4.18-ensure-permissions-on-etc-shadow-are-configured.sh
- scanners/system-configurations/4.19-ensure-permissions-on-etc-group-are-configured.sh
- scanners/system-configurations/4.2-ensure-local-login-warning-banner-is-configured-properly.sh
- scanners/system-configurations/4.20-ensure-permissions-on-etc-gshadow-are-configured.sh
- scanners/system-configurations/4.21-ensure-permissions-on-etc-passwd--are-configured.sh
- scanners/system-configurations/4.22-ensure-permissions-on-etc-shadow--are-configured.sh
- scanners/system-configurations/4.23-ensure-permissions-on-etc-group--are-configured.sh
- scanners/system-configurations/4.24-ensure-permissions-on-etc-gshadow--are-configured.sh
- scanners/system-configurations/4.25-ensure-no-world-writable-files-exist.sh
- scanners/system-configurations/4.26-ensure-no-unowned-files-or-directories-exist.sh
- scanners/system-configurations/4.27-ensure-no-ungrouped-files-or-directories-exist.sh
- scanners/system-configurations/4.28-ensure-no-password-fields-are-not-empty.sh
- scanners/system-configurations/4.29-ensure-root-path-integrity.sh
- scanners/system-configurations/4.3-ensure-remote-login-warning-banner-is-configured-properly.sh
- scanners/system-configurations/4.30-ensure-root-is-the-only-uid-0-account.sh
- scanners/system-configurations/4.31-ensure-users-home-directories-permissions-are-750-or-more-restrictive.sh
- scanners/system-configurations/4.32-ensure-users-own-their-home-directories.sh
- scanners/system-configurations/4.33-ensure-users-dot-files-are-not-group-or-world-writable.sh
- scanners/system-configurations/4.34-ensure-no-users-have-.forward-files.sh
- scanners/system-configurations/4.35-ensure-no-users-have-.netrc-files.sh
- scanners/system-configurations/4.36-ensure-users-.netrc-files-are-not-group-or-world-accessible.sh
- scanners/system-configurations/4.37-ensure-no-users-have-.rhosts-files.sh
- scanners/system-configurations/4.38-ensure-all-groups-in-etc-passwd-exist-in-etc-group.sh
- scanners/system-configurations/4.39-ensure-no-duplicate-uids-exist.sh
- scanners/system-configurations/4.4-ensure-permissions-on-etc-motd-are-configured.sh
- scanners/system-configurations/4.40-ensure-no-duplicate-gids-exist.sh
- scanners/system-configurations/4.41-ensure-no-duplicate-user-names-exist.sh
- scanners/system-configurations/4.42-ensure-no-duplicate-group-names-exist.sh
- scanners/system-configurations/4.43-ensure-all-users-home-directories-exist.sh
- scanners/system-configurations/4.44-ensure-sctp-is-disabled.sh
- scanners/system-configurations/4.45-ensure-dccp-is-disabled.sh
- scanners/system-configurations/4.46-ensure-wireless-interfaces-are-disabled.sh
- scanners/system-configurations/4.47-ensure-ip-forwarding-is-disabled.sh
- scanners/system-configurations/4.48-ensure-packet-redirect-sending-is-disabled.sh
- scanners/system-configurations/4.49-ensure-source-routed-packets-are-not-accepted.sh
- scanners/system-configurations/4.5-ensure-permissions-on-etc-issue-are-configured.sh
- scanners/system-configurations/4.50-ensure-icmp-redirects-are-not-accepted.sh
- scanners/system-configurations/4.51-ensure-secure-icmp-redirects-are-not-accepted.sh
- scanners/system-configurations/4.52-ensure-suspicious-packets-are-logged.sh
- scanners/system-configurations/4.53-ensure-broadcast-icmp-requests-are-ignored.sh
- scanners/system-configurations/4.54-ensure-bogus-icmp-responses-are-ignored.sh
- scanners/system-configurations/4.55-ensure-reverse-path-filtering-is-enabled.sh
- scanners/system-configurations/4.56-ensure-tcp-syn-cookies-is-enabled.sh
- scanners/system-configurations/4.57-ensure-ipv6-router-advertisements-are-not-accepted.sh
- scanners/system-configurations/4.58-ensure-a-firewall-package-is-installed.sh
- scanners/system-configurations/4.59-ensure-firewalld-service-is-enabled-and-running.sh
- scanners/system-configurations/4.6-ensure-permissions-on-etc-issue.net-are-configured.sh
- scanners/system-configurations/4.60-ensure-iptables-is-not-enabled.sh
- scanners/system-configurations/4.61-ensure-nftables-is-not-enabled.sh
- scanners/system-configurations/4.62-ensure-nftables-service-is-enabled.sh
- scanners/system-configurations/4.63-ensure-iptables-packages-are-installed.sh
- scanners/system-configurations/4.64-ensure-nftables-is-not-installed.sh
- scanners/system-configurations/4.65-ensure-firewalld-is-not-installed-or-stopped-and-masked.sh
- scanners/system-configurations/4.68-ensure-permissions-TMP-is-correct.sh
- scanners/system-configurations/4.70-ensure-xdmcp-is-not-enabled.sh
- scanners/system-configurations/4.8-ensure-aide-is-installed.sh
- scanners/system-configurations/4.9-ensure-filesystem-integrity-is-regularly-checked.sh

anolis/security-benchmark

内容风险标识

评论 (0)

anolis/security-benchmark .gitee-modal { width: 500px !important; }

内容风险标识