In enterprise security operations, automated auditing is an effective way to surface latent risk. The following script implements a system security configuration review:
```powershell
function Get-SecurityAudit {
    [CmdletBinding()]
    param(
        [ValidateSet('Basic','Advanced')]
        [string]$AuditLevel = 'Basic'
    )

    $report = [PSCustomObject]@{
        FailedLogins    = @()
        OpenPorts       = @()
        WeakPermissions = @()
        ComplianceScore = 0
    }

    try {
        # Failed logon events (ID 4625) from the last 7 days. Get-WinEvent writes an
        # error instead of returning nothing when no event matches, so suppress it.
        $events = Get-WinEvent -FilterHashtable @{
            LogName   = 'Security'
            ID        = 4625
            StartTime = (Get-Date).AddDays(-7)
        } -MaxEvents 1000 -ErrorAction SilentlyContinue
        if ($events) {
            $report.FailedLogins = @($events | Select-Object -ExpandProperty Message)
        }

        # TCP sockets currently in the Listen state
        $report.OpenPorts = @(Get-NetTCPConnection |
            Where-Object State -eq 'Listen' |
            Select-Object LocalAddress, LocalPort)

        if ($AuditLevel -eq 'Advanced') {
            # Files and directories under Program Files whose ACL contains an entry
            # for Everyone. The ACL must be read with Get-Acl; this recursion is slow
            # on large installations.
            $report.WeakPermissions = @(Get-ChildItem -Path $env:ProgramFiles -Recurse -ErrorAction SilentlyContinue |
                Where-Object {
                    $acl = Get-Acl -LiteralPath $_.FullName -ErrorAction SilentlyContinue
                    $acl -and ($acl.Access.IdentityReference.Value -contains 'Everyone')
                })
        }

        # One point per check that produced no findings. Booleans cannot be added
        # in PowerShell, so each comparison is cast to [int] first.
        $totalChecks = 3
        $passed = [int]($report.FailedLogins.Count -eq 0) +
                  [int]($report.OpenPorts.Count -eq 0) +
                  [int]($report.WeakPermissions.Count -eq 0)
        $report.ComplianceScore = [math]::Round(($passed / $totalChecks) * 100)
    }
    catch {
        Write-Warning "安全审计异常: $_"
    }

    return $report
}
```
How it works:
- Queries the Security event log with Get-WinEvent to detect brute-force logon attempts
- Uses Get-NetTCPConnection to discover unexpected listening ports
- In Advanced mode, scans the permission configuration of the Program Files directory
- Computes a compliance score for the system from the findings
Usage examples:
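The audit script above stores the raw Message text of each 4625 event, which is hard to act on. The following added example (not part of the original script) parses the XML form of each event instead and groups failures by source address and target account, so that a burst from one source stands out. The function name, the threshold parameter and the sample events are assumptions made for this example; the sample events are constructed, not captured from a real host.

```powershell
# Summarise failed logons (event ID 4625) by source address. Input is the XML
# form of each event, as returned by $event.ToXml(), which is simpler to parse
# than the free-text Message property.
function Get-FailedLogonSummary {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string[]]$EventXml,   # one XML document per 4625 event
        [int]$Threshold = 5                           # failures per source before it is flagged
    )
    $rows = foreach ($xmlText in $EventXml) {
        $x = [xml]$xmlText
        # EventData holds <Data Name="..."> elements; turn them into a lookup table
        $data = @{}
        foreach ($d in $x.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [PSCustomObject]@{
            Source  = $data['IpAddress']
            Account = $data['TargetUserName']
            Status  = $data['Status']
            Time    = [datetime]$x.Event.System.TimeCreated.SystemTime
        }
    }
    $rows | Group-Object Source | ForEach-Object {
        [PSCustomObject]@{
            Source    = $_.Name
            Attempts  = $_.Count
            Accounts  = ($_.Group.Account | Sort-Object -Unique) -join ','
            FirstSeen = ($_.Group.Time | Measure-Object -Minimum).Minimum
            LastSeen  = ($_.Group.Time | Measure-Object -Maximum).Maximum
            Flagged   = $_.Count -ge $Threshold
        }
    } | Sort-Object Attempts -Descending
}

# Constructed sample events (not real log data): six failures against the
# administrator account from one source, one failure from another.
function New-SampleEvent([string]$Ip, [string]$User, [string]$Time) {
@"
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><EventID>4625</EventID><TimeCreated SystemTime="$Time"/></System>
  <EventData>
    <Data Name="TargetUserName">$User</Data>
    <Data Name="IpAddress">$Ip</Data>
    <Data Name="Status">0xC000006D</Data>
  </EventData>
</Event>
"@
}
$sample = @(
    1..6 | ForEach-Object { New-SampleEvent '203.0.113.5' 'administrator' "2024-05-01T10:00:0${_}Z" }
    New-SampleEvent '198.51.100.7' 'alice' '2024-05-01T11:00:00Z'
)
Get-FailedLogonSummary -EventXml $sample | Format-Table

# Against a live host, feed the real events in the same way:
# $live = (Get-WinEvent -FilterHashtable @{ LogName = 'Security'; ID = 4625 } -MaxEvents 1000).ToXml()
# Get-FailedLogonSummary -EventXml $live
```

With the sample data the source 203.0.113.5 is flagged (six attempts against the threshold of five) and 198.51.100.7 is not. The Status field is kept because 0xC000006D (bad user name or password) and other substatus codes distinguish password guessing from, for example, expired or locked accounts, which matters when deciding whether a burst is an attack or a misconfigured service.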
```powershell
Get-SecurityAudit
Get-SecurityAudit -AuditLevel Advanced
```
Best practices:
- Integrate with a SIEM for centralized alerting
- Define a baseline configuration and compare against it for drift
- Generate periodic audit reports in PDF format
- Add automatic remediation for high-risk findings
Notes:
• Must be run with local administrator privileges
• Port scanning may trigger security alerts
• Run deep scans during a maintenance window
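The baseline comparison recommended above can be built directly on the OpenPorts list that Get-SecurityAudit returns. The following added example (not part of the original script) stores a baseline of listening endpoints and reports only the drift, which is what a SIEM rule or a reviewer actually needs. The function name, the baseline file path and the sample port lists are assumptions for this example; the sample data is constructed, not captured from a real host.

```powershell
# Compare the current listening endpoints against a saved baseline and emit one
# object per change. Both inputs are objects with LocalAddress and LocalPort,
# the shape produced by Get-SecurityAudit's OpenPorts property.
function Compare-PortBaseline {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] $Current,    # e.g. (Get-SecurityAudit).OpenPorts
        [Parameter(Mandatory)] $Baseline    # same shape, loaded from the baseline file
    )
    # Normalise each endpoint to "address:port" so the sets can be compared as strings
    $key = { '{0}:{1}' -f $_.LocalAddress, $_.LocalPort }
    $baselineKeys = @($Baseline | ForEach-Object $key)
    $currentKeys  = @($Current  | ForEach-Object $key)

    foreach ($k in $currentKeys | Where-Object { $_ -notin $baselineKeys }) {
        [PSCustomObject]@{ Change = 'NewListener';     Endpoint = $k }
    }
    foreach ($k in $baselineKeys | Where-Object { $_ -notin $currentKeys }) {
        [PSCustomObject]@{ Change = 'MissingListener'; Endpoint = $k }
    }
}

# Constructed sample data (not captured from a real host): one listener has
# appeared since the baseline was taken and one has disappeared.
$baseline = @(
    [PSCustomObject]@{ LocalAddress = '0.0.0.0'; LocalPort = 135 }
    [PSCustomObject]@{ LocalAddress = '0.0.0.0'; LocalPort = 445 }
    [PSCustomObject]@{ LocalAddress = '0.0.0.0'; LocalPort = 3389 }
)
$current = @(
    [PSCustomObject]@{ LocalAddress = '0.0.0.0'; LocalPort = 135 }
    [PSCustomObject]@{ LocalAddress = '0.0.0.0'; LocalPort = 445 }
    [PSCustomObject]@{ LocalAddress = '0.0.0.0'; LocalPort = 8080 }
)
Compare-PortBaseline -Current $current -Baseline $baseline | Format-Table

# Taking and reloading a baseline on a real host (the path is an assumption):
# (Get-SecurityAudit).OpenPorts | ConvertTo-Json | Set-Content -Path 'C:\Audit\ports-baseline.json'
# $baseline = Get-Content -Path 'C:\Audit\ports-baseline.json' -Raw | ConvertFrom-Json
```

With the sample data the function reports 0.0.0.0:8080 as a new listener and 0.0.0.0:3389 as missing. Emitting objects rather than text keeps the result easy to forward: the same objects can be piped to ConvertTo-Json for a SIEM collector or to Export-Csv for the periodic report. The baseline should be regenerated only after a reviewed change, otherwise an unwanted listener silently becomes the new normal.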