Technical Field
The present invention relates to computer security technology, and in particular to a method and system for automatic host security baseline hardening.
Background Art
At present, host security receives increasing attention from enterprises. Many enterprises, telecom operators in particular, periodically formulate and issue new host security hardening specifications and carry out periodic security scanning and hardening of the hosts used by their business support systems, so as to ensure that business systems run in a secure and stable environment. Security baseline checking and hardening is the main content of host security checking and hardening. A security baseline is the set of basic security requirements for devices and their configuration; it is the minimum security guarantee of an information system and the most basic security requirement that must be satisfied. Therefore, to ensure the overall security level and prevent system devices from introducing security risks through inadequate security configuration, the security of system devices must be checked and hardened. If a system is checked and hardened according to the security baseline, the security compliance of the system and its devices can be assured to meet the requirements and most security weaknesses can be eliminated.
In the prior art, professional security baseline checking tools can perform automated baseline checks against the individual requirement items of a baseline, but automatic hardening of the host security baseline cannot be achieved. Owing to constraints of security, funding and technology, host security baseline checking and hardening in real working environments is almost entirely carried out manually. However, when the number of hosts to be hardened and the number of baseline check items per host are both large, and the host baseline must be checked periodically, relying on manual operation not only consumes considerable manpower but is also inefficient; manual operation is also prone to human error, which affects the normal operation of the system; in addition, checking and hardening the security baseline of a host requires maintenance personnel with strong technical and problem-solving skills, yet different maintenance personnel usually understand the checking and hardening methods differently, that is, there is no unified baseline checking and hardening process.
Summary of the Invention
In view of this, embodiments of the present invention are intended to provide a method and system for automatic host security baseline hardening that can realize automatic checking and hardening of the host security baseline.
To achieve the above object, the technical solution of the present invention is realized as follows:
The present invention provides a method for automatic host security baseline hardening, the method comprising:
setting a host security baseline;
selecting hardening items, and setting the security hardening function corresponding to each selected hardening item;
calling the security hardening function corresponding to a hardening item to harden the hardening item, and obtaining the current value of the hardening item;
generating a hardening result according to the relationship between the current value of the hardening item and the baseline standard value contained in the security hardening function.
In the above solution, the method further comprises:
before setting the host security baseline, backing up the host operating system security baseline configuration file and/or the host operating system.
In the above solution,
the security hardening function further contains the keyword of the hardening item;
said calling the security hardening function corresponding to the hardening item to harden the hardening item comprises: according to the keyword contained in the hardening item, searching for the security hardening function having the same keyword, and calling that security hardening function to harden the hardening item.
In the above solution, said generating a hardening result according to the relationship between the current value of the hardening item and the baseline standard value contained in the security hardening function comprises:
when the current value of the hardening item is the same as the baseline standard value contained in the security hardening function, retaining the current value of the hardening item;
when the current value of the hardening item differs from the baseline standard value contained in the security hardening function, repairing the current value of the hardening item to the baseline standard value.
In the above solution, the method further comprises:
when the time taken to harden a hardening item exceeds a preset threshold, aborting the hardening of that hardening item and issuing an alarm;
verifying whether the hardening result has taken effect; if the hardening result has taken effect, the hardening is complete; if the hardening result has not taken effect, sending an alarm prompt.
The present invention further provides a system for automatic host security baseline hardening, the system comprising a baseline management module, a baseline checking module and a baseline hardening module, wherein
the baseline management module is configured to set a host security baseline, select hardening items, and set the security hardening function corresponding to each selected hardening item;
the baseline checking module is configured to call the security hardening function corresponding to a hardening item to harden the hardening item, and obtain the current value of the hardening item;
the baseline hardening module is configured to generate a hardening result according to the relationship between the current value of the hardening item and the baseline standard value contained in the security hardening function.
In the above solution, the system further comprises a backup module configured to back up the host operating system security baseline configuration file and/or the host operating system before the host security baseline is set.
In the above solution, the security hardening function set by the baseline management module further contains the keyword of the hardening item;
the baseline checking module calling the security hardening function corresponding to the hardening item to harden the hardening item comprises: according to the keyword contained in the hardening item, searching for the security hardening function having the same keyword, and calling that security hardening function to harden the hardening item.
In the above solution, the baseline hardening module is specifically configured to:
when the current value of the hardening item is the same as the baseline standard value contained in the security hardening function, retain the current value of the hardening item;
when the current value of the hardening item differs from the baseline standard value contained in the security hardening function, repair the current value of the hardening item to the baseline standard value.
In the above solution, the system further comprises an alarm module and a verification module, wherein
the alarm module is configured to abort the hardening of a hardening item and issue an alarm when the time taken to harden that hardening item exceeds a preset threshold, and to receive the alarm prompt sent by the verification module and issue an alarm;
the verification module is configured to verify whether the hardening result has taken effect; if the hardening result has taken effect, the hardening is complete; if the hardening result has not taken effect, an alarm prompt is sent to the alarm module.
The method and system for automatic host security baseline hardening provided by embodiments of the present invention set a host security baseline; select hardening items and set the security hardening function corresponding to each selected hardening item; call the security hardening function corresponding to a hardening item to harden it and obtain its current value; generate a hardening result according to the relationship between the current value of the hardening item and the baseline standard value contained in the security hardening function, and verify the hardening result. It can be seen that, by presetting the host security baseline, selecting hardening items and setting security hardening functions, embodiments of the present invention can call the security hardening function of each selected hardening item to harden that item automatically. Thus, when the number of hosts to be hardened and the number of baseline check items per host are both large, and the host baseline must be security-checked periodically, little manpower is consumed and work efficiency is greatly improved; at the same time, human error arising from manual operation is effectively avoided, reducing the impact on the normal operation of business systems; in addition, formulating a unified security checking and hardening process according to the checking requirements effectively avoids the waste of resources caused by the lack of a unified baseline checking and hardening process among maintenance personnel, and is easy to update and extend.
Brief Description of the Drawings
FIG. 1 is a schematic flowchart of the implementation of a method for automatic host security baseline hardening according to an embodiment of the present invention;
FIG. 2 is a schematic diagram of the composition of a system for automatic host security baseline hardening according to an embodiment of the present invention.
Detailed Description
The present invention is described in further detail below with reference to the accompanying drawings and specific embodiments.
Embodiment 1
As shown in FIG. 1, the method for automatic host security baseline hardening according to an embodiment of the present invention comprises:
Step 101: setting a host security baseline;
Here, the host security baseline may be set according to host security check standards preset by the user, or according to the actual operating conditions of hosts in different environments.
Further, before step 101, the method further comprises: backing up the host operating system security baseline configuration file and/or the host operating system;
Here, the purpose of backing up the host operating system security baseline configuration file and/or the host operating system is that, should an unexpected event during host hardening (for example, a mistaken change to configuration information) leave the system unable to run normally, the backed-up configuration file and/or system can be used to restore the host to its pre-hardening state.
In an embodiment of the present invention, backing up the host operating system security baseline configuration file may be implemented as follows: a test of the form if [ -f /etc/inetd.conf ] determines whether the configuration file exists; when the configuration file is found, the cp command copies the current configuration file into the /bak directory as a backup, and after a successful backup the message "file|backup success" is printed.
Step 102: selecting hardening items, and setting the security hardening function corresponding to each selected hardening item;
Here, the user may establish in advance a base hardening item library according to the host security check standards, and a user hardening item library according to the actual operating conditions of hosts in different environments; further, both libraries may be updated as actual needs require, for example by deleting unnecessary hardening items, modifying existing hardening items, or adding new hardening items.
Here, selecting hardening items may mean selecting one or more hardening items from the base hardening item library alone, from the user hardening item library alone, or from both libraries. Of course, the selected hardening items may also be hardening items set directly by the user according to the host security check standards and/or the actual operating conditions of the host.
Here, the security hardening function contains the baseline standard value of the hardening item and the keyword of the hardening item. The baseline standard value is used to judge whether the hardening item is normal, that is, the current value of the hardening item is compared with the baseline standard value; if they are consistent, the hardening item is normal, otherwise it is abnormal. The keyword serves mainly as a search identifier: when the security hardening function corresponding to a hardening item must be located, the keyword of the hardening item is used to search for the matching security hardening function.
Further, before step 102, the method further comprises: identifying the host operating system type, the operating system version number and the identity of the executing user;
Specifically, because different operating systems differ, different security hardening functions may need to be set for the same hardening item; likewise, because different versions of an operating system differ, different security hardening functions may also be needed for the same hardening item. In addition, checking and hardening a host involves the highest level of privilege on the host, for example account lockout checks and password change policy checks, and these operations carry a high operational security risk. Therefore, to ensure host security, checking and hardening of a host may only be performed by the host's default root user, so it is necessary to identify whether the executing user is root; if the executing user is not root, the checking and hardening operations cannot be performed.
Step 103: calling the security hardening function corresponding to the hardening item to harden the hardening item, and obtaining the current value of the hardening item;
Specifically, according to the keyword contained in the hardening item, the security hardening function having the same keyword is searched for and called to check and harden the hardening item, and the check result of the hardening item is obtained and recorded; the check result contains the current value of the hardening item.
In practice, the obtained check result may also contain redundant information such as spaces and comments; therefore the check result may first be preprocessed, and the current value of the hardening item then extracted from the preprocessed check result.
Step 104: generating a hardening result according to the relationship between the current value of the hardening item and the baseline standard value contained in the security hardening function;
Specifically, the current value of the hardening item extracted from its check result is compared with the baseline standard value extracted from the corresponding security hardening function. When the current value is the same as the baseline standard value, the hardening item is normal; its current value is retained and a hardening result is generated. When the current value differs from the baseline standard value, the hardening item is abnormal; its current value must be repaired to the baseline standard value, and a hardening result is generated.
Here, the hardening result contains the hardening process of the hardening item, the value of the hardening item before hardening, and the value of the hardening item after hardening.
Further, the method further comprises: when each hardening item is hardened, recording the hardening time of each hardening item; when the time taken to harden a hardening item exceeds a preset threshold, aborting the hardening of that hardening item and issuing an alarm.
Further, the method further comprises: verifying whether the hardening result has taken effect; if the hardening result has taken effect, the hardening is complete; if the hardening result has not taken effect, an alarm prompt is sent.
Specifically, whether the hardening of a hardening item has completed normally is verified from the hardening result: if the value of the hardening item after hardening is exactly the same as the baseline standard value contained in the corresponding security hardening function, the hardening has completed normally; otherwise, the hardening is abnormal.
For example, if a hardening item has the value 1 before hardening and the baseline standard value contained in its security hardening function is 2, then after hardening is executed, if the hardening result shows that the value of the item after hardening is still 1, the hardening of that item is abnormal; if the value after hardening is 2, the hardening of that item has completed normally.
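The cycle of steps 103 and 104 (keyword lookup of the security hardening function, preprocessing of the check result, comparison with the baseline standard value, repair, verification and the per-item time threshold), as an added bash example that is not the patent's own script: the configuration file, the keyword names, the baseline values and the scratch directory standing in for /bak are all constructed for illustration.

```shell
#!/usr/bin/env bash
# Added example, not the patent's script. Runs one hardening item end to end:
# back up the config file, find the security hardening function by the item's
# keyword, read the current value (after stripping comments and blanks),
# compare it with the baseline standard value, repair if needed, verify the
# new value, and log "keyword|before|after|status". The config file, keywords
# and baseline values are constructed for the example.
set -u

WORK=$(mktemp -d)                 # scratch directory so the example runs offline
CONF="$WORK/sshd_config"          # constructed config file, not a real host's
BAKDIR="$WORK/bak"                # stands in for the /bak directory of the text
TIME_THRESHOLD=5                  # seconds allowed per item before an alarm

# Constructed sample configuration: a comment line, a leading blank and an
# inline comment are the "redundant information" the text says to preprocess.
cat >"$CONF" <<'EOF'
# constructed sshd_config for the example
Port 22
 PermitRootLogin yes   # baseline says no
PasswordAuthentication no
EOF

# Security hardening functions, one per keyword (the keyword is the suffix).
# Each prints the baseline standard value of its hardening item.
harden_PermitRootLogin()        { echo "no"; }
harden_PasswordAuthentication() { echo "no"; }

# Backup step of the text: copy the file into the backup directory.
backup_config() {                 # $1 = config file
  mkdir -p "$BAKDIR"
  [ -f "$1" ] && cp "$1" "$BAKDIR/$(basename "$1").$(date +%Y%m%d%H%M%S)" \
    && echo "$1|backup success"
}

# Preprocess the check result: drop comments and surrounding blanks, then
# print the value of the requested key (the last definition wins).
current_value() {                 # $1 = config file, $2 = keyword
  sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
    | awk -v k="$2" '$1 == k { v = $2 } END { print v }'
}

# Repair step: rewrite the key's line, or append it when absent.
set_value() {                     # $1 = config file, $2 = keyword, $3 = value
  local tmp
  tmp=$(mktemp)
  if grep -Eq "^[[:space:]]*$2[[:space:]]" "$1"; then
    sed -E "s|^[[:space:]]*$2[[:space:]].*|$2 $3|" "$1" >"$tmp" && mv "$tmp" "$1"
  else
    rm -f "$tmp"; echo "$2 $3" >>"$1"
  fi
}

# Steps 103 and 104 for one item. Prints keyword|before|after|status and
# returns non-zero when an alarm was raised. The time check reports an
# overrun after the fact; aborting a function still in progress would need
# an external timeout wrapper.
run_item() {                      # $1 = keyword, $2 = config file
  local kw=$1 conf=$2 fn="harden_$1" start baseline before after status rc=0
  start=$(date +%s)
  if ! command -v "$fn" >/dev/null 2>&1; then
    echo "$kw|?|?|ALARM no hardening function for keyword"; return 1
  fi
  baseline=$("$fn")
  before=$(current_value "$conf" "$kw")
  if [ "$before" = "$baseline" ]; then
    after=$before; status=kept                      # value retained
  else
    set_value "$conf" "$kw" "$baseline"
    after=$(current_value "$conf" "$kw")            # verification re-read
    if [ "$after" = "$baseline" ]; then
      status=fixed
    else
      status="ALARM repair not effective"; rc=1
    fi
  fi
  if [ $(( $(date +%s) - start )) -gt "$TIME_THRESHOLD" ]; then
    status="$status ALARM exceeded ${TIME_THRESHOLD}s"; rc=1
  fi
  echo "$kw|$before|$after|$status"
  return "$rc"
}

# Demo run over the selected items; Banner has no function, so it alarms.
backup_config "$CONF"
for item in PermitRootLogin PasswordAuthentication Banner; do
  run_item "$item" "$CONF" || echo "-> $item needs attention"
done
```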
In an embodiment of the present invention, the hardening result may be recorded in a log and output to the host screen for display. For example, the FIFO (named pipe) facility of the shell may be used to record and print the log. Because a FIFO file has the characteristics of a pipe, using a FIFO file to transfer data between processes makes inter-process communication more durable and stable; when data is read out, the data in the FIFO is cleared at the same time. Some of the key technical points and code for recording and printing the log with a FIFO are as follows:
log_file=./$(date +%Y%m%d)/$(date +%Y%m%d%H%M%S).log -- define the log file name;
fifofile=./$(date +%Y%m%d)/$(date +%Y%m%d%H%M%S).fifo -- define the pipe file name;
mkdir -p ./$(date +%Y%m%d) -- create the day's directory so that the two files below can be created;
touch "$log_file" -- create the log file;
mkfifo "$fifofile" -- create the FIFO pipe file;
cat "$fifofile" | tee "$log_file" & exec 1>"$fifofile" 2>&1 -- send the execution log through the FIFO pipe file so that it is printed on the screen while the same output is written to the log file.
The method of the present application is described in detail below with reference to a specific embodiment.
Assume that host security checking covers seven domains: password policy, security policy, log auditing, system services, security patches, access control and account security, and that host security baseline check standards, that is, a host security baseline, are set for each of these domains. The selected hardening item is "FTP anonymous login" in the password policy domain; the baseline standard value contained in the corresponding security hardening function is "FTP anonymous login disabled", and the applicable target is a host whose operating system is HP-UX version 11.11. According to the host operating system type and version number, the user uses commands such as Trap, Debug, pipe, Stream and Post in the Shell and Perl languages to interpret and define the host security baseline standard, forming an execution script. The execution script contains the selected hardening items and their corresponding security hardening functions, and its applicable target is a host with operating system type HP-UX 11.11 on which the executing user identity is the root user.
The above execution script is used to check and harden a host with operating system type HP-UX 11.11. Here, the user identity executing the script on the host is the root user, and FTP anonymous login is not disabled on the host in the password policy domain.
Before entering the checking and hardening process, the execution script automatically judges whether the host's operating system type, operating system version and executing user identity are fully consistent with the applicable target set in the script. Since they are fully consistent, the script enters the backup phase; in the backup phase, the script automatically backs up the host operating system security baseline configuration file and/or the host operating system, so that if an error such as a configuration mistake during host security baseline hardening affects normal system operation, the backed-up files can be used to restore the host to its pre-hardening state.
After entering the checking and hardening process, the execution script first checks whether the host operating system security baseline configuration file and/or the host operating system have been backed up in advance, and issues an alarm prompt if not; it then checks whether the security hardening function of the hardening item has been defined in advance, and issues an alarm prompt if not. When these alarm prompts appear, the user may choose to quit the checking and hardening of the host, but the prompts do not affect the normal operation of the execution script. Next, according to the keyword contained in the hardening item, that is, FTP anonymous login in the password policy domain, the execution script searches for the security hardening function with the same keyword and calls it to check and harden FTP anonymous login. Since FTP anonymous login is not disabled on the host, the check result shows that the hardening item "FTP anonymous login" is not disabled, and the execution script repairs the item to "FTP anonymous login disabled". After hardening, the execution script confirms the hardening result of the item again to judge whether it has taken effect; if the item shows anonymous login disabled after hardening, the hardening result has taken effect.
In addition, the execution script can be deployed and hardening performed on a single host or on multiple hosts. For hardening on a single host, the user may deploy the execution script via FTP into any directory on the server, and may also run the ./security.sh command to modify the execution script or increase the number of executing users.
When hardening must be performed on multiple hosts at the same time, the user may first deploy the execution script via FTP on a master host, ensure that the master host can communicate normally with the target hosts to be hardened over the network port, and then use an expect script to realize automatic login, execution of the hardening commands, logging and other functions. The expect script is composed as follows:
Here, the config directory holds the batch commands and the hosts.txt server configuration list; the log directory holds the runtime log information; the ssh-key directory holds the ssh key files; main-expect.sh is the main executable, which loops over the values in the hosts file and calls the expect script.
The host security baseline automatic hardening system of the embodiment of the invention, as shown in Figure 2, comprises a baseline management module 22, a baseline check module 23 and a baseline hardening module 24, wherein:
the baseline management module 22 is configured to set the host security baseline;
Here, the host security baseline may be set according to a host security check standard preset by the user, or according to how the host actually runs in a given environment.
The system further comprises a backup module 21, configured to back up the host operating system's security baseline configuration files and/or the host operating system itself before the baseline management module 22 sets the host security baseline;
The purpose of this backup is that if an unexpected event occurs during hardening, for example a configuration change made in error that leaves the system unable to run normally, the backed-up configuration files and/or system image can be used to restore the host to its pre-hardening state.
The baseline management module 22 is further configured to select hardening items and to set the security hardening function corresponding to each selected hardening item;
Here, the user can build a base hardening item library in advance from the host security check standard, and a user hardening item library from how hosts actually run in different environments; both libraries can then be updated as needed, for example by deleting unnecessary items, modifying existing items or adding new ones.
Here, selecting hardening items may mean selecting one or more items from the base library alone, one or more items from the user library alone, or one or more items from each of the two libraries. The selected hardening items may of course also be set directly by the user according to the host security check standard and/or the actual running state of the host.
Here, a security hardening function contains the baseline standard value of the hardening item and the keyword of the hardening item. The baseline standard value is used to judge whether the item is normal: the item's current value is compared with the baseline standard value, and if the two agree the item is normal, otherwise it is abnormal. The keyword serves mainly as a search identifier: when the security hardening function for a hardening item is needed, it is found by searching for the keyword carried by that item.
The baseline management module 22 is further configured to identify the host operating system type, the operating system version number and the identity of the executing user;
Specifically, because operating systems differ, the same hardening item may require a different security hardening function on different operating systems, and likewise on different versions of the same operating system. In addition, checking and hardening a host involves the highest privilege level on that host, for example account lockout checks and password change policy checks, and these operations carry a high operational risk. To protect the host, checking and hardening may therefore only be performed by the host's default root user, so the system must determine whether the executing user is root; if it is not, the check and hardening operations are not carried out.
The baseline check module 23 is configured to call the security hardening function corresponding to a hardening item in order to harden that item, and to obtain the item's current value;
Specifically, the security hardening function carrying the same keyword as the hardening item is located by that keyword and called to check and harden the item; the check result for the item is obtained and recorded, and it contains the item's current value.
In practice the check result obtained for a hardening item may also contain redundant information such as whitespace and comments, so the check result can first be preprocessed and the item's current value then extracted from the preprocessed result.
The baseline hardening module 24 is configured to generate a hardening result according to the relationship between the current value of the hardening item and the baseline standard value contained in the security hardening function;
Specifically, the current value of the hardening item, extracted from the item's check result, is compared with the baseline standard value of the item, extracted from the corresponding security hardening function. If the current value equals the baseline standard value, the item is normal: its current value is kept and a hardening result is generated. If the current value differs from the baseline standard value, the item is abnormal: its current value is repaired to the baseline standard value and a hardening result is generated.
Here, the hardening result contains the process by which the item was hardened, the item's value before hardening and its value after hardening.
Further, the system comprises an alarm module 25, configured to record the hardening time of each hardening item while it is being hardened;
The alarm module 25 is further configured to abort the hardening of an item and raise an alarm when the time taken to harden that item exceeds a preset threshold.
Further, the system comprises a verification module 26, configured to verify whether the hardening result has taken effect; if it has, hardening is complete, and if it has not, an alarm notification is sent to the alarm module 25.
Specifically, the hardening result is used to verify whether the hardening of the item completed normally: if the item's value after hardening is identical to the baseline standard value contained in the item's security hardening function, hardening completed normally; otherwise, hardening is abnormal.
For example, if a hardening item has the value 1 before hardening and the baseline standard value in its security hardening function is 2, then after hardening is executed, a post-hardening value of 1 in the hardening result indicates that the hardening of this item is abnormal, whereas a post-hardening value of 2 indicates that it completed normally.
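The check, compare, repair and verify steps described above, as an added example written for this page rather than the patent's own script: a shell "security hardening function" for a key/value configuration file. The keyword, the baseline standard value, the preprocessing of the check result and the before/after values in the hardening record follow the text; the file format, the function names and the sample configuration are assumptions constructed here.

```shell
#!/bin/sh
# Added example (not the patent's code): one hardening item is a triple
# (config file, keyword, baseline standard value). The function preprocesses
# the config (drops comments and surrounding whitespace), extracts the current
# value by keyword, compares it with the baseline, repairs it when they differ
# and verifies the repair. It prints a hardening record:
#   <status> <keyword> <value before> <value after>
set -u

# Current value of KEY in FILE after preprocessing; accepts "KEY value" and
# "KEY=value". Prints nothing when the key is absent or commented out.
current_value() {
    local file="$1" key="$2"
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$file" \
        | awk -v k="$key" '
            { split($0, p, /[ \t=]+/) }
            p[1] == k { v = p[2] }
            END { if (v != "") print v }'
}

# harden_item FILE KEY BASELINE -> status is OK, FIXED or FAILED
harden_item() {
    local file="$1" key="$2" baseline="$3" before after tmp
    before="$(current_value "$file" "$key")"
    if [ "$before" = "$baseline" ]; then
        echo "OK $key $before $before"          # item already conforms
        return 0
    fi
    if [ -n "$before" ]; then
        # Rewrite the existing non-comment directive, keeping its indentation.
        tmp="$(mktemp)"
        sed -E "/^[[:space:]]*#/! s/^([[:space:]]*)${key}([[:space:]=]+).*/\1${key}\2${baseline}/" \
            "$file" > "$tmp" && mv "$tmp" "$file"
    else
        echo "${key} ${baseline}" >> "$file"    # directive missing: append it
    fi
    # Verification step: re-read the value and compare it with the baseline.
    after="$(current_value "$file" "$key")"
    if [ "$after" = "$baseline" ]; then
        echo "FIXED $key ${before:-<unset>} $after"
    else
        echo "FAILED $key ${before:-<unset>} ${after:-<unset>}"
        return 1
    fi
}

# Constructed sample configuration file (a stand-in for a real service config).
make_sample_config() {
    local f; f="$(mktemp)"
    printf '%s\n' '# constructed sample' 'PermitRootLogin yes   # inline comment' \
        '  MaxAuthTries 3' '#PasswordAuthentication yes' > "$f"
    echo "$f"
}
```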
Further, the alarm module 25 is also configured to receive the alarm notification sent by the verification module 26 and raise an alarm.
In practice, the backup module 21, baseline management module 22, baseline check module 23, baseline hardening module 24, alarm module 25 and verification module 26 may all be implemented by a central processing unit (CPU), microprocessor (MPU), digital signal processor (DSP) or field programmable gate array (FPGA) located in the terminal.
The above describes only preferred embodiments of the invention and is not intended to limit its scope of protection. Any modification, equivalent substitution or improvement made within the spirit and scope of the invention falls within its scope of protection.
| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| CN201610180521.9A (CN107229977A) | 2016-03-25 | 2016-03-25 | A kind of automatic reinforcement means of Host Security baseline and system |
| Publication Number | Publication Date |
|---|---|
| CN107229977A | 2017-10-03 |
| Country | Link |
|---|---|
| CN (1) | CN107229977A (en) |
| Date | Code | Title | Description |
|---|---|---|---|
| | PB01 | Publication | |
| | SE01 | Entry into force of request for substantive examination | |
| | RJ01 | Rejection of invention patent application after publication | Application publication date: 20171003 |