银河麒麟 V10 三员账户权限验证脚本

#!/bin/bash

# 银河麒麟 V10 三员账户权限验证脚本

# 运行方式: sudo ./verify_three_roles.sh

# 特点:精准验证权限边界、检测越权风险、生成合规报告

LOG_FILE="/var/log/three_roles_verify.log"

# Tee every line of stdout and stderr into the log file (appending) while
# still showing it on the terminal.
exec > >(tee -a "$LOG_FILE") 2>&1

printf '%s\n' "=============================================="
printf '[%s] 三员账户权限验证开始\n' "$(date)"
printf '%s\n' "=============================================="

# Check counters, incremented by the pass/fail/skip helpers defined below.
PASS=0
FAIL=0
SKIP=0

# Print one log line prefixed with the current wall-clock time (HH:MM:SS).
log() { printf '[%s] %s\n' "$(date +%T)" "$*"; }

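# Record a passed check. Uses $((...)) instead of ((PASS++)): the latter returns
# status 1 when PASS was 0, so the helper would "fail" on its first call under set -e.
pass() { log "[OK] $*"; PASS=$((PASS + 1)); }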

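# Record a failed check. Uses $((...)) instead of ((FAIL++)): the latter returns
# status 1 when FAIL was 0, so the helper would "fail" on its first call under set -e.
fail() { log "[FAIL] $*"; FAIL=$((FAIL + 1)); }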

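# Record a skipped check. Uses $((...)) instead of ((SKIP++)): the latter returns
# status 1 when SKIP was 0, so the helper would "fail" on its first call under set -e.
skip() { log "[SKIP] $*"; SKIP=$((SKIP + 1)); }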

# ========== 基础校验 ==========

# The checks below switch to the role accounts with su, which needs root.
if (( EUID != 0 )); then
    echo "[ERROR] 必须以 root 身份运行(需切换用户测试)"
    exit 1
fi

# 检查三员账户是否存在

# All three role accounts must exist before any permission test makes sense;
# stop at the first missing one.
for user in sysadmin secadmin auditadmin; do
    id "$user" >/dev/null 2>&1 && continue
    fail "三员账户缺失: $user 不存在"
    echo "请先运行 create_three_roles.sh 创建账户"
    exit 1
done

# ========== 校验结束 ==========

# ========== 验证函数 ==========

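#######################################
# Run one sudo check as a role account and record the outcome via pass/fail.
# Arguments:
#   $1 - role account to switch to (via "su -")
#   $2 - command line to run as that account; normally starts with "sudo"
#   $3 - human-readable description used in the log line
#   $4 - "true" if the command is expected to succeed, "false" if it must be refused
# Outputs:
#   one [OK]/[FAIL] log line; the command's own output is discarded
#######################################
verify_sudo_perm() {
    local user="$1"
    local cmd="$2"
    local desc="$3"
    local expect_success="$4"  # true/false
    local rc=0

    # Run through "su -" so the role's real login environment is used.
    # stdin is /dev/null: a sudo password prompt or an interactive command must
    # never read from the operator's terminal; it fails fast (or hits the
    # timeout) instead of silently waiting for input with output discarded.
    # NOTE: if sudoers sets requiretty, "su -c" provides no tty and sudo refuses
    # every call regardless of policy — all "expected allow" checks would fail.
    su - "$user" -c "timeout 5 $cmd" </dev/null >/dev/null 2>&1 || rc=$?

    # timeout(1) exits 124 when it had to kill the command. That is not a policy
    # decision, so it must not be scored as "refused": otherwise a hung command
    # (e.g. one waiting for a tty) makes an "expected deny" check pass vacuously.
    if [ "$rc" -eq 124 ]; then
        fail "$desc (命令超时 5s,无法判定权限结果)"
        return
    fi

    if [ "$rc" -eq 0 ]; then
        if [ "$expect_success" = "true" ]; then
            pass "$desc (预期: 允许)"
        else
            fail "$desc (预期: 禁止但实际允许!越权风险)"
        fi
    else
        if [ "$expect_success" = "false" ]; then
            pass "$desc (预期: 禁止)"
        else
            fail "$desc (预期: 允许但实际拒绝)"
        fi
    fi
}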

# ========== 1. 系统管理员 (sysadmin) 验证 ==========

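log "→ 验证 sysadmin 权限..."

# Expected to be allowed
verify_sudo_perm sysadmin "sudo systemctl status sshd" "sysadmin 可管理系统服务" true

# A probe account left behind by an aborted earlier run would make useradd fail
# and produce a false [FAIL], so remove it first (as root: this is setup, not a test).
id test_verify_user >/dev/null 2>&1 && userdel -r test_verify_user >/dev/null 2>&1
verify_sudo_perm sysadmin "sudo useradd test_verify_user" "sysadmin 可创建用户" true
# Clean up: let sysadmin remove it as before, then fall back to root so the probe
# account never survives the run even when sysadmin may not run userdel.
su - sysadmin -c "sudo userdel -r test_verify_user" </dev/null >/dev/null 2>&1
id test_verify_user >/dev/null 2>&1 && userdel -r test_verify_user >/dev/null 2>&1

# Expected to be refused (security / audit functions).
# "sudo -l <cmd>" asks the policy whether <cmd> is permitted without running it
# (exit 0 = allowed, 1 = refused), so the verdict no longer depends on whether
# firewalld is running or an audit log exists. -n forbids any password prompt.
# NOTE(review): sudo -l itself still needs authentication unless the account's
# sudoers entries are NOPASSWD; confirm create_three_roles.sh grants NOPASSWD,
# otherwise these deny checks are inconclusive (they would be refused either way).
verify_sudo_perm sysadmin "sudo -n -l firewall-cmd --list-all" "sysadmin 禁止操作防火墙" false
verify_sudo_perm sysadmin "sudo -n -l ausearch -m USER_LOGIN" "sysadmin 禁止查询审计日志" false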

# ========== 2. 安全管理员 (secadmin) 验证 ==========

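log "→ 验证 secadmin 权限..."

# Expected to be allowed
# (firewall check kept disabled, as in the original)
#verify_sudo_perm secadmin "sudo firewall-cmd --list-all" "secadmin 可管理防火墙" true
verify_sudo_perm secadmin "sudo auditctl -l" "secadmin 可查看审计规则" true

# Expected to be refused (system administration / audit queries).
# Checked with "sudo -l <cmd>" (policy lookup only, exit 0 = allowed, 1 = refused).
# The original executed "systemctl stop sshd" for real: had the policy been wrong,
# the verification script itself would have stopped sshd on the host.
# -n forbids any password prompt; see the NOTE in the sysadmin section about NOPASSWD.
verify_sudo_perm secadmin "sudo -n -l systemctl stop sshd" "secadmin 禁止停止系统服务" false
verify_sudo_perm secadmin "sudo -n -l ausearch -k password" "secadmin 禁止查询审计日志" false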

# ========== 3. 审计管理员 (auditadmin) 验证 ==========

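log "→ 验证 auditadmin 权限..."

# Expected to be allowed (read-only audit access)
if [ -f /var/log/audit/audit.log ]; then
    # No "| head -1" here: inside "su -c" the status of a pipeline is that of
    # head, which is 0 even when sudo refuses cat, so the original check could
    # never fail. verify_sudo_perm discards the output anyway.
    verify_sudo_perm auditadmin "sudo cat /var/log/audit/audit.log" "auditadmin 可读审计日志" true
else
    skip "audit.log 不存在,跳过日志读取测试"
fi
verify_sudo_perm auditadmin "sudo ausearch -m USER_LOGIN --start today" "auditadmin 可查询登录事件" true

# [Critical] must be strictly refused (writes / system changes).
# Policy lookup via "sudo -l <cmd>" instead of executing: "vi" has no tty here and
# "rm /tmp" fails on a directory whatever the policy says, so running them could
# only ever report "refused"; and if the policy were wrong, executing useradd or
# restarting auditd would really change the system. -n forbids a password prompt.
verify_sudo_perm auditadmin "sudo -n -l vi /etc/passwd" "auditadmin 禁止编辑系统文件" false
verify_sudo_perm auditadmin "sudo -n -l rm /tmp" "auditadmin 禁止删除文件" false
verify_sudo_perm auditadmin "sudo -n -l useradd test_audit" "auditadmin 禁止创建用户" false
verify_sudo_perm auditadmin "sudo -n -l systemctl restart auditd" "auditadmin 禁止重启服务" false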

# ========== 4. 组权限验证 ==========

log "→ 验证组权限..."

# Membership of adm is what the audit-log read checks above rely on.
if id -nG auditadmin | grep -qw "adm"; then
    pass "auditadmin 属于 adm 组(审计日志访问基础)"
else
    fail "auditadmin 未加入 adm 组(无法读取审计日志)"
fi

# ========== 5. sudoers 配置验证 ==========

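log "→ 验证 sudoers 配置..."

#######################################
# Report whether a sudoers fragment grants the unrestricted command list "ALL".
# Comment lines are ignored. Matches "ALL" as a command-list element after the
# "=" of a user spec: "user ALL=(ALL) ALL", "user ALL=(ALL) NOPASSWD: ALL" and
# "... ALL, !/usr/bin/su" match; the runas part "(ALL)" / "(ALL:ALL)" does not.
# Textual heuristic only, not a sudoers parse (aliases are not expanded).
# Arguments: $1 - sudoers fragment to inspect
# Returns:   0 if such a grant is present, 1 otherwise
#######################################
sudoers_grants_all() {
    grep -Ev '^[[:space:]]*#' -- "$1" 2>/dev/null \
        | grep -Eq '=.*[[:space:]:]ALL[[:space:]]*(,|$)'
}

for user in sysadmin secadmin auditadmin; do
    file="/etc/sudoers.d/$user"
    if [ ! -f "$file" ]; then
        fail "sudo 配置缺失: $file 不存在"
        continue
    fi

    # A syntax error in any sudoers.d fragment makes sudo refuse every command,
    # which would turn each "expected deny" check above into a false pass.
    if command -v visudo >/dev/null 2>&1 && ! visudo -c -f "$file" >/dev/null 2>&1; then
        fail "sudo 配置语法错误: $file (visudo -c 未通过)"
    fi

    # Least privilege: no "ALL" command grant. The original pattern only caught
    # the NOPASSWD form ("user ALL=(ALL) ALL" slipped through) and also matched
    # commented-out lines.
    if sudoers_grants_all "$file"; then
        fail "sudo 配置违规: $user 拥有 ALL 权限(违反最小权限原则)"
    else
        pass "sudo 配置合规: $user 权限已最小化"
    fi

    # auditadmin should explicitly deny the write-capable commands.
    # (The original called an undefined "warn" helper here, which aborted the
    # check with "command not found".)
    if [ "$user" = "auditadmin" ] && ! grep -q '!/usr/bin/vi\|!/usr/bin/rm' -- "$file" 2>/dev/null; then
        log "[WARN] auditadmin 未显式禁止写操作(建议加固)"
    fi
done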

# ========== 结果汇总 ==========

printf '%s\n' "=============================================="
printf '%s\n' "三员权限验证完成!结果统计:"
printf '  [OK]    : %s 项\n' "$PASS"
printf '  [FAIL]  : %s 项\n' "$FAIL"
printf '  [SKIP]  : %s 项\n' "$SKIP"
printf '详细日志: %s\n' "$LOG_FILE"
printf '%s\n' "=============================================="

# The overall verdict is driven by the FAIL counter alone; SKIP does not affect it.
if (( FAIL == 0 )); then
    printf '%s\n' "[SUCCESS] 三员权限配置完全符合等保 2.0 三权分立要求!"
    exit 0
fi
printf '[CRITICAL] 发现 %s 项权限配置错误,请立即修复:\n' "$FAIL"
printf '%s\n' "  • 系统管理员不应拥有安全/审计权限"
printf '%s\n' "  • 安全管理员不应拥有系统管理/审计查询权限"
printf '%s\n' "  • 审计管理员必须仅具备只读审计权限(无任何写操作)"
exit 1