#!/bin/bash
# 银河麒麟 V10 三员账户权限验证脚本
# 运行方式: sudo ./verify_three_roles.sh
# 特点:精准验证权限边界、检测越权风险、生成合规报告
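readonly LOG_FILE="/var/log/three_roles_verify.log"
# The report spells out each role's privilege boundary, so create it 0640
# before tee appends to it instead of leaving it world-readable under the
# default umask. Best effort: a non-root run cannot create it and is
# rejected by the uid check below anyway.
{ : >>"$LOG_FILE" && chmod 0640 "$LOG_FILE"; } 2>/dev/null
# Mirror stdout and stderr into the log so the compliance record is complete.
exec > >(tee -a "$LOG_FILE") 2>&1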
# Banner marking the start of a run in the (appended) log.
printf '%s\n' "=============================================="
printf '[%s] 三员账户权限验证开始\n' "$(date)"
printf '%s\n' "=============================================="
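# Result counters; the summary at the end prints them and derives the exit code.
PASS=0; FAIL=0; SKIP=0; WARN=0
# Timestamped line on stdout (which the exec above mirrors into the log file).
log() { echo "[$(date +%T)] $*"; }
# Each helper logs a tagged line and bumps its counter. Counters use $(( ))
# rather than (( X++ )): the latter returns status 1 when X was 0, which made
# the first pass/fail call "fail" and would abort the script under 'set -e'.
pass() { log "[OK] $*";   PASS=$((PASS + 1)); }
fail() { log "[FAIL] $*"; FAIL=$((FAIL + 1)); }
skip() { log "[SKIP] $*"; SKIP=$((SKIP + 1)); }
# Advisory finding that does not change the verdict (counted in WARN only).
warn() { log "[WARN] $*"; WARN=$((WARN + 1)); }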
# ========== 基础校验 ==========
# Root is mandatory: every probe below switches to a role account with su.
if [[ $EUID -ne 0 ]]; then
  echo "[ERROR] 必须以 root 身份运行(需切换用户测试)"
  exit 1
fi
# 检查三员账户是否存在
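# All three role accounts must exist before any probe runs. Report every
# missing one instead of stopping at the first, so one run shows the whole gap.
missing=()
for user in sysadmin secadmin auditadmin; do
  if ! id "$user" >/dev/null 2>&1; then
    fail "三员账户缺失: $user 不存在"
    missing+=("$user")
  fi
done
if (( ${#missing[@]} > 0 )); then
  echo "请先运行 create_three_roles.sh 创建账户"
  exit 1
fi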
# ========== 校验结束 ==========
# ========== 验证函数 ==========
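#######################################
# Probe one sudo permission boundary as a role account and record PASS/FAIL.
# Arguments:
#   $1 - role account to switch to with 'su -'
#   $2 - command line, normally starting with "sudo " (always a literal from
#        this script, never user input: it is interpolated into a shell string)
#   $3 - description for the report
#   $4 - "true" if the command must be permitted, "false" if it must be denied
# Outputs: one [OK]/[FAIL] line via pass/fail; bumps PASS or FAIL.
# Returns: 0 (the verdict lives in the counters, not in the status).
# Notes:
#   - Bare command names are resolved by sudo itself; with a sudoers
#     secure_path that works even though 'su -' gives the role a login PATH
#     without /usr/sbin. If this host's sudoers has no secure_path, use
#     absolute paths in the probes (not verified here).
#   - "sudo -l <cmd>" probes query the policy without running the command.
#######################################
verify_sudo_perm() {
  local user="$1"
  local cmd="$2"
  local desc="$3"
  local expect_success="$4"
  local probe err rc

  # Force sudo into non-interactive mode: a password prompt then fails at once
  # with a recognisable message instead of blocking until the 5 s timeout and
  # being misread as "denied". LC_ALL=C keeps sudo's message in English so the
  # match below also works under a zh_CN login locale.
  probe="${cmd/#sudo /sudo -n }"

  # Capture stderr (sudo's diagnostics), discard stdout; the verdict comes
  # from the exit status only, never from command output.
  err=$(su - "$user" -c "LC_ALL=C timeout 5 $probe" 2>&1 >/dev/null)
  rc=$?

  # Inconclusive outcomes are FAIL: a compliance check must never turn
  # "could not determine" into a green result (the old code counted a
  # timed-out interactive command, e.g. vi, as a denial).
  if (( rc == 124 )); then
    fail "$desc (无法判定: 命令 5 秒内未结束)"
    return 0
  fi
  if [[ $err == *"password is required"* ]]; then
    fail "$desc (无法判定: sudo 要求密码;非交互验证需要 NOPASSWD 规则,请人工确认)"
    return 0
  fi

  if (( rc == 0 )); then
    if [ "$expect_success" = "true" ]; then
      pass "$desc (预期: 允许)"
    else
      fail "$desc (预期: 禁止但实际允许!越权风险)"
    fi
  else
    if [ "$expect_success" = "false" ]; then
      pass "$desc (预期: 禁止)"
    else
      fail "$desc (预期: 允许但实际拒绝)"
    fi
  fi
  return 0
}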
# ========== 1. 系统管理员 (sysadmin) 验证 ==========
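log "→ 验证 sysadmin 权限..."
# Allowed operations are executed for real so both the sudoers policy and the
# command itself are exercised. NOTE(review): 'systemctl status' exits
# non-zero when sshd is not active, which would show up here as a denial.
verify_sudo_perm sysadmin "sudo systemctl status sshd" "sysadmin 可管理系统服务" true
# A probe account left over from an aborted run would make useradd fail and
# misreport the permission as denied, so remove it first (we are root).
if id test_verify_user >/dev/null 2>&1; then
  userdel -r test_verify_user >/dev/null 2>&1
fi
verify_sudo_perm sysadmin "sudo useradd test_verify_user" "sysadmin 可创建用户" true
# Clean up as root rather than through sysadmin's sudo: the probe account must
# not survive if sysadmin is denied userdel or the useradd probe misbehaved.
if id test_verify_user >/dev/null 2>&1; then
  userdel -r test_verify_user >/dev/null 2>&1
  id test_verify_user >/dev/null 2>&1 \
    && log "[WARN] 测试用户 test_verify_user 清理失败,请手工删除"
fi
# Denied operations are checked with 'sudo -l <cmd>', which asks sudoers
# whether the command would be permitted (exit 0) or not (exit 1) without
# running it. An unrelated runtime failure (e.g. firewalld not running) can
# then no longer be mistaken for a denial.
verify_sudo_perm sysadmin "sudo -l firewall-cmd --list-all" "sysadmin 禁止操作防火墙" false
verify_sudo_perm sysadmin "sudo -l ausearch -m USER_LOGIN" "sysadmin 禁止查询审计日志" false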
# ========== 2. 安全管理员 (secadmin) 验证 ==========
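log "→ 验证 secadmin 权限..."
# Allowed operations, executed for real. The firewall probe stays disabled as
# in the original (firewalld may not be installed on every host).
#verify_sudo_perm secadmin "sudo firewall-cmd --list-all" "secadmin 可管理防火墙" true
verify_sudo_perm secadmin "sudo auditctl -l" "secadmin 可查看审计规则" true
# Denied operations are policy queries only ('sudo -l <cmd>' exits 0 if
# sudoers would permit the command, 1 otherwise, without executing it).
# The original probe really ran 'systemctl stop sshd': on a misconfigured
# host it would have taken down remote access to prove the point.
verify_sudo_perm secadmin "sudo -l systemctl stop sshd" "secadmin 禁止停止系统服务" false
verify_sudo_perm secadmin "sudo -l ausearch -k password" "secadmin 禁止查询审计日志" false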
# ========== 3. 审计管理员 (auditadmin) 验证 ==========
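log "→ 验证 auditadmin 权限..."
# Allowed operations (read-only audit access), executed for real.
if [ -f /var/log/audit/audit.log ]; then
  # No '| head -1' here: inside the su -c string the pipeline's status was
  # head's (always 0), so this probe passed even when sudo refused cat.
  # verify_sudo_perm discards the output anyway.
  verify_sudo_perm auditadmin "sudo cat /var/log/audit/audit.log" "auditadmin 可读审计日志" true
else
  skip "audit.log 不存在,跳过日志读取测试"
fi
# NOTE(review): ausearch exits 1 when nothing matches, so on a host with no
# login event today this reports "denied" although the policy allows it.
verify_sudo_perm auditadmin "sudo ausearch -m USER_LOGIN --start today" "auditadmin 可查询登录事件" true
# Denied operations are policy queries via 'sudo -l <cmd>' (exit 0 = would be
# permitted, 1 = not), so nothing is edited, deleted, created or restarted
# even when the policy is wrong. This also replaces 'sudo rm /tmp', which
# failed with "Is a directory" regardless of sudo and therefore always passed,
# and 'sudo vi /etc/passwd', whose timeout was counted as a denial.
verify_sudo_perm auditadmin "sudo -l vi /etc/passwd" "auditadmin 禁止编辑系统文件" false
verify_sudo_perm auditadmin "sudo -l rm -f /var/log/audit/audit.log" "auditadmin 禁止删除文件" false
verify_sudo_perm auditadmin "sudo -l useradd test_audit" "auditadmin 禁止创建用户" false
verify_sudo_perm auditadmin "sudo -l systemctl restart auditd" "auditadmin 禁止重启服务" false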
# ========== 4. 组权限验证 ==========
log "→ 验证组权限..."
# The script treats adm membership as the basis for reading audit logs.
# NOTE(review): auditd's default log_group is root, so adm alone may not
# grant access to /var/log/audit — confirm log_group in auditd.conf.
if id -nG auditadmin | grep -qw adm; then
  pass "auditadmin 属于 adm 组(审计日志访问基础)"
else
  fail "auditadmin 未加入 adm 组(无法读取审计日志)"
fi
# ========== 5. sudoers 配置验证 ==========
log "→ 验证 sudoers 配置..."
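for user in sysadmin secadmin auditadmin; do
  file="/etc/sudoers.d/$user"
  if [ ! -f "$file" ]; then
    fail "sudo 配置缺失: $file 不存在"
    continue
  fi
  # A syntax error in any sudoers.d fragment makes sudo reject every command
  # for every user, so validate the fragment the way visudo does.
  # NOTE(review): a fragment that relies on aliases defined in the main
  # sudoers may be reported as invalid when checked in isolation — confirm.
  if command -v visudo >/dev/null 2>&1; then
    if visudo -cqf "$file" >/dev/null 2>&1; then
      pass "sudo 配置语法正确: $file"
    else
      fail "sudo 配置语法错误: $file (sudo 将拒绝所有命令)"
    fi
  else
    skip "visudo 不可用,跳过 $file 语法检查"
  fi
  # sudo ignores or refuses fragments that are not root-owned or are writable
  # by group/other; 0440 is the mode visudo itself creates.
  owner=$(stat -c '%U' "$file" 2>/dev/null)
  mode=$(stat -c '%a' "$file" 2>/dev/null)
  if [ "$owner" != "root" ] || (( 8#${mode:-777} & 8#022 )); then
    fail "sudo 配置文件属主/权限不安全: $file ($owner $mode),应为 root 0440"
  elif [ "$mode" != "440" ]; then
    log "[WARN] sudo 配置文件 $file 权限为 $mode,建议 0440"
  else
    pass "sudo 配置文件属主与权限合规: $file"
  fi
  # Least privilege: any rule whose command list is bare ALL grants full root,
  # with or without NOPASSWD ("ALL=(ALL) ALL" included). The old pattern only
  # caught the NOPASSWD form and also matched paths merely containing "ALL".
  # Comments are excluded by never crossing a '#'.
  if grep -Eq '^[^#]*=[^#]*([[:space:]]|:)ALL[[:space:]]*$' "$file" 2>/dev/null; then
    fail "sudo 配置违规: $user 拥有 ALL 权限(违反最小权限原则)"
  else
    pass "sudo 配置合规: $user 权限已最小化"
  fi
  # auditadmin must not be able to modify anything; an explicit deny of the
  # editor and rm keeps that intent visible if a broad rule is added later.
  # (Logged directly: the original called an undefined 'warn' here.)
  if [ "$user" = "auditadmin" ] && ! grep -Eq '!/usr/bin/(vi|rm)' "$file" 2>/dev/null; then
    log "[WARN] auditadmin 未显式禁止写操作(建议加固)"
  fi
done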
# ========== 结果汇总 ==========
# Summary block: counters first, then the verdict. The exit status doubles as
# the machine-readable result (0 only when no probe failed). The verdict
# covers the probes in this script, not every command each role could run.
printf '%s\n' "=============================================="
printf '%s\n' "三员权限验证完成!结果统计:"
printf ' [OK] : %s 项\n' "$PASS"
printf ' [FAIL] : %s 项\n' "$FAIL"
printf ' [SKIP] : %s 项\n' "$SKIP"
printf '详细日志: %s\n' "$LOG_FILE"
printf '%s\n' "=============================================="
if (( FAIL == 0 )); then
  printf '%s\n' "[SUCCESS] 三员权限配置完全符合等保 2.0 三权分立要求!"
  exit 0
fi
printf '[CRITICAL] 发现 %s 项权限配置错误,请立即修复:\n' "$FAIL"
printf '%s\n' " • 系统管理员不应拥有安全/审计权限"
printf '%s\n' " • 安全管理员不应拥有系统管理/审计查询权限"
printf '%s\n' " • 审计管理员必须仅具备只读审计权限(无任何写操作)"
exit 1