1577 lines
117 KiB
HTML
1577 lines
117 KiB
HTML
<!DOCTYPE html>
|
||
<html xmlns="http://www.w3.org/1999/xhtml" lang="" xml:lang="">
|
||
<head>
|
||
<meta charset="utf-8" />
|
||
<meta name="generator" content="pandoc" />
|
||
<meta name="viewport" content="width=device-width, initial-scale=1.0, user-scalable=yes" />
|
||
<meta name="author" content="系统设计团队" />
|
||
<title>福建水务营收系统-安全设计</title>
|
||
<style>
|
||
code{white-space: pre-wrap;}
|
||
span.smallcaps{font-variant: small-caps;}
|
||
div.columns{display: flex; gap: min(4vw, 1.5em);}
|
||
div.column{flex: auto; overflow-x: auto;}
|
||
div.hanging-indent{margin-left: 1.5em; text-indent: -1.5em;}
|
||
/* The extra [class] is a hack that increases specificity enough to
|
||
override a similar rule in reveal.js */
|
||
ul.task-list[class]{list-style: none;}
|
||
ul.task-list li input[type="checkbox"] {
|
||
font-size: inherit;
|
||
width: 0.8em;
|
||
margin: 0 0.8em 0.2em -1.6em;
|
||
vertical-align: middle;
|
||
}
|
||
.display.math{display: block; text-align: center; margin: 0.5rem auto;}
|
||
/* CSS for syntax highlighting */
|
||
pre > code.sourceCode { white-space: pre; position: relative; }
|
||
pre > code.sourceCode > span { line-height: 1.25; }
|
||
pre > code.sourceCode > span:empty { height: 1.2em; }
|
||
.sourceCode { overflow: visible; }
|
||
code.sourceCode > span { color: inherit; text-decoration: inherit; }
|
||
div.sourceCode { margin: 1em 0; }
|
||
pre.sourceCode { margin: 0; }
|
||
@media screen {
|
||
div.sourceCode { overflow: auto; }
|
||
}
|
||
@media print {
|
||
pre > code.sourceCode { white-space: pre-wrap; }
|
||
pre > code.sourceCode > span { display: inline-block; text-indent: -5em; padding-left: 5em; }
|
||
}
|
||
pre.numberSource code
|
||
{ counter-reset: source-line 0; }
|
||
pre.numberSource code > span
|
||
{ position: relative; left: -4em; counter-increment: source-line; }
|
||
pre.numberSource code > span > a:first-child::before
|
||
{ content: counter(source-line);
|
||
position: relative; left: -1em; text-align: right; vertical-align: baseline;
|
||
border: none; display: inline-block;
|
||
-webkit-touch-callout: none; -webkit-user-select: none;
|
||
-khtml-user-select: none; -moz-user-select: none;
|
||
-ms-user-select: none; user-select: none;
|
||
padding: 0 4px; width: 4em;
|
||
color: #aaaaaa;
|
||
}
|
||
pre.numberSource { margin-left: 3em; border-left: 1px solid #aaaaaa; padding-left: 4px; }
|
||
div.sourceCode
|
||
{ background-color: #f8f8f8; }
|
||
@media screen {
|
||
pre > code.sourceCode > span > a:first-child::before { text-decoration: underline; }
|
||
}
|
||
code span.al { color: #ef2929; } /* Alert */
|
||
code span.an { color: #8f5902; font-weight: bold; font-style: italic; } /* Annotation */
|
||
code span.at { color: #204a87; } /* Attribute */
|
||
code span.bn { color: #0000cf; } /* BaseN */
|
||
code span.cf { color: #204a87; font-weight: bold; } /* ControlFlow */
|
||
code span.ch { color: #4e9a06; } /* Char */
|
||
code span.cn { color: #8f5902; } /* Constant */
|
||
code span.co { color: #8f5902; font-style: italic; } /* Comment */
|
||
code span.cv { color: #8f5902; font-weight: bold; font-style: italic; } /* CommentVar */
|
||
code span.do { color: #8f5902; font-weight: bold; font-style: italic; } /* Documentation */
|
||
code span.dt { color: #204a87; } /* DataType */
|
||
code span.dv { color: #0000cf; } /* DecVal */
|
||
code span.er { color: #a40000; font-weight: bold; } /* Error */
|
||
code span.ex { } /* Extension */
|
||
code span.fl { color: #0000cf; } /* Float */
|
||
code span.fu { color: #204a87; font-weight: bold; } /* Function */
|
||
code span.im { } /* Import */
|
||
code span.in { color: #8f5902; font-weight: bold; font-style: italic; } /* Information */
|
||
code span.kw { color: #204a87; font-weight: bold; } /* Keyword */
|
||
code span.op { color: #ce5c00; font-weight: bold; } /* Operator */
|
||
code span.ot { color: #8f5902; } /* Other */
|
||
code span.pp { color: #8f5902; font-style: italic; } /* Preprocessor */
|
||
code span.sc { color: #ce5c00; font-weight: bold; } /* SpecialChar */
|
||
code span.ss { color: #4e9a06; } /* SpecialString */
|
||
code span.st { color: #4e9a06; } /* String */
|
||
code span.va { color: #000000; } /* Variable */
|
||
code span.vs { color: #4e9a06; } /* VerbatimString */
|
||
code span.wa { color: #8f5902; font-weight: bold; font-style: italic; } /* Warning */
|
||
</style>
|
||
<link rel="stylesheet" href="output/document_style.css" />
|
||
<meta charset="UTF-8"><meta name="viewport" content="width=device-width, initial-scale=1.0">
|
||
</head>
|
||
<body>
|
||
<header id="title-block-header">
|
||
<h1 class="title">福建水务营收系统-安全设计</h1>
|
||
<p class="author">系统设计团队</p>
|
||
<p class="date">2024年12月19日</p>
|
||
</header>
|
||
<nav id="TOC" role="doc-toc">
|
||
<ul>
|
||
<li><a href="#福建水务营收系统安全设计文档"
|
||
id="toc-福建水务营收系统安全设计文档"><span
|
||
class="toc-section-number">1</span> 福建水务营收系统安全设计文档</a>
|
||
<ul>
|
||
<li><a href="#文档信息" id="toc-文档信息"><span
|
||
class="toc-section-number">1.1</span> 文档信息</a></li>
|
||
<li><a href="#目录" id="toc-目录"><span
|
||
class="toc-section-number">1.2</span> 目录</a></li>
|
||
<li><a href="#一安全设计概述" id="toc-一安全设计概述"><span
|
||
class="toc-section-number">1.3</span> 一、安全设计概述</a>
|
||
<ul>
|
||
<li><a href="#安全目标" id="toc-安全目标"><span
|
||
class="toc-section-number">1.3.1</span> 1.1 安全目标</a></li>
|
||
<li><a href="#安全原则" id="toc-安全原则"><span
|
||
class="toc-section-number">1.3.2</span> 1.2 安全原则</a></li>
|
||
<li><a href="#总体安全架构" id="toc-总体安全架构"><span
|
||
class="toc-section-number">1.3.3</span> 1.3 总体安全架构</a></li>
|
||
</ul></li>
|
||
<li><a href="#二等级保护三级安全设计"
|
||
id="toc-二等级保护三级安全设计"><span
|
||
class="toc-section-number">1.4</span> 二、等级保护三级安全设计</a>
|
||
<ul>
|
||
<li><a href="#技术安全要求" id="toc-技术安全要求"><span
|
||
class="toc-section-number">1.4.1</span> 2.1 技术安全要求</a>
|
||
<ul>
|
||
<li><a href="#安全通信网络" id="toc-安全通信网络"><span
|
||
class="toc-section-number">1.4.1.1</span> 2.1.1 安全通信网络</a></li>
|
||
<li><a href="#安全区域边界" id="toc-安全区域边界"><span
|
||
class="toc-section-number">1.4.1.2</span> 2.1.2 安全区域边界</a></li>
|
||
<li><a href="#安全计算环境" id="toc-安全计算环境"><span
|
||
class="toc-section-number">1.4.1.3</span> 2.1.3 安全计算环境</a></li>
|
||
</ul></li>
|
||
<li><a href="#管理安全要求" id="toc-管理安全要求"><span
|
||
class="toc-section-number">1.4.2</span> 2.2 管理安全要求</a>
|
||
<ul>
|
||
<li><a href="#安全管理中心" id="toc-安全管理中心"><span
|
||
class="toc-section-number">1.4.2.1</span> 2.2.1 安全管理中心</a></li>
|
||
<li><a href="#安全管理制度" id="toc-安全管理制度"><span
|
||
class="toc-section-number">1.4.2.2</span> 2.2.2 安全管理制度</a></li>
|
||
</ul></li>
|
||
</ul></li>
|
||
<li><a href="#三opengauss数据库安全"
|
||
id="toc-三opengauss数据库安全"><span
|
||
class="toc-section-number">1.5</span> 三、OpenGauss数据库安全</a>
|
||
<ul>
|
||
<li><a href="#数据库安全架构" id="toc-数据库安全架构"><span
|
||
class="toc-section-number">1.5.1</span> 3.1 数据库安全架构</a></li>
|
||
<li><a href="#国产密码算法应用" id="toc-国产密码算法应用"><span
|
||
class="toc-section-number">1.5.2</span> 3.2 国产密码算法应用</a>
|
||
<ul>
|
||
<li><a href="#传输加密" id="toc-传输加密"><span
|
||
class="toc-section-number">1.5.2.1</span> 3.2.1 传输加密</a></li>
|
||
<li><a href="#透明数据加密" id="toc-透明数据加密"><span
|
||
class="toc-section-number">1.5.2.2</span> 3.2.2 透明数据加密</a></li>
|
||
</ul></li>
|
||
<li><a href="#行级安全策略" id="toc-行级安全策略"><span
|
||
class="toc-section-number">1.5.3</span> 3.3 行级安全策略</a></li>
|
||
<li><a href="#数据脱敏策略" id="toc-数据脱敏策略"><span
|
||
class="toc-section-number">1.5.4</span> 3.4 数据脱敏策略</a></li>
|
||
</ul></li>
|
||
<li><a href="#四应用系统安全" id="toc-四应用系统安全"><span
|
||
class="toc-section-number">1.6</span> 四、应用系统安全</a>
|
||
<ul>
|
||
<li><a href="#spring-security安全配置"
|
||
id="toc-spring-security安全配置"><span
|
||
class="toc-section-number">1.6.1</span> 4.1 Spring Security安全配置</a>
|
||
<ul>
|
||
<li><a href="#认证配置" id="toc-认证配置"><span
|
||
class="toc-section-number">1.6.1.1</span> 4.1.1 认证配置</a></li>
|
||
<li><a href="#多因素认证" id="toc-多因素认证"><span
|
||
class="toc-section-number">1.6.1.2</span> 4.1.2 多因素认证</a></li>
|
||
</ul></li>
|
||
<li><a href="#数据传输安全" id="toc-数据传输安全"><span
|
||
class="toc-section-number">1.6.2</span> 4.2 数据传输安全</a>
|
||
<ul>
|
||
<li><a href="#https配置" id="toc-https配置"><span
|
||
class="toc-section-number">1.6.2.1</span> 4.2.1 HTTPS配置</a></li>
|
||
<li><a href="#敏感数据加密" id="toc-敏感数据加密"><span
|
||
class="toc-section-number">1.6.2.2</span> 4.2.2 敏感数据加密</a></li>
|
||
</ul></li>
|
||
<li><a href="#接口安全防护" id="toc-接口安全防护"><span
|
||
class="toc-section-number">1.6.3</span> 4.3 接口安全防护</a>
|
||
<ul>
|
||
<li><a href="#接口签名验证" id="toc-接口签名验证"><span
|
||
class="toc-section-number">1.6.3.1</span> 4.3.1 接口签名验证</a></li>
|
||
<li><a href="#接口限流防护" id="toc-接口限流防护"><span
|
||
class="toc-section-number">1.6.3.2</span> 4.3.2 接口限流防护</a></li>
|
||
</ul></li>
|
||
</ul></li>
|
||
<li><a href="#五网络安全设计" id="toc-五网络安全设计"><span
|
||
class="toc-section-number">1.7</span> 五、网络安全设计</a>
|
||
<ul>
|
||
<li><a href="#网络拓扑安全" id="toc-网络拓扑安全"><span
|
||
class="toc-section-number">1.7.1</span> 5.1 网络拓扑安全</a></li>
|
||
<li><a href="#防火墙策略配置" id="toc-防火墙策略配置"><span
|
||
class="toc-section-number">1.7.2</span> 5.2 防火墙策略配置</a>
|
||
<ul>
|
||
<li><a href="#边界防火墙策略" id="toc-边界防火墙策略"><span
|
||
class="toc-section-number">1.7.2.1</span> 5.2.1 边界防火墙策略</a></li>
|
||
<li><a href="#应用层防火墙策略" id="toc-应用层防火墙策略"><span
|
||
class="toc-section-number">1.7.2.2</span> 5.2.2
|
||
应用层防火墙策略</a></li>
|
||
</ul></li>
|
||
<li><a href="#入侵检测与防护" id="toc-入侵检测与防护"><span
|
||
class="toc-section-number">1.7.3</span> 5.3 入侵检测与防护</a>
|
||
<ul>
|
||
<li><a href="#idsips规则配置" id="toc-idsips规则配置"><span
|
||
class="toc-section-number">1.7.3.1</span> 5.3.1 IDS/IPS规则配置</a></li>
|
||
</ul></li>
|
||
</ul></li>
|
||
<li><a href="#六数据安全设计" id="toc-六数据安全设计"><span
|
||
class="toc-section-number">1.8</span> 六、数据安全设计</a>
|
||
<ul>
|
||
<li><a href="#数据分类分级" id="toc-数据分类分级"><span
|
||
class="toc-section-number">1.8.1</span> 6.1 数据分类分级</a>
|
||
<ul>
|
||
<li><a href="#数据分类标准" id="toc-数据分类标准"><span
|
||
class="toc-section-number">1.8.1.1</span> 6.1.1 数据分类标准</a></li>
|
||
<li><a href="#数据保护策略" id="toc-数据保护策略"><span
|
||
class="toc-section-number">1.8.1.2</span> 6.1.2 数据保护策略</a></li>
|
||
</ul></li>
|
||
<li><a href="#数据备份与恢复安全" id="toc-数据备份与恢复安全"><span
|
||
class="toc-section-number">1.8.2</span> 6.2 数据备份与恢复安全</a>
|
||
<ul>
|
||
<li><a href="#备份加密策略" id="toc-备份加密策略"><span
|
||
class="toc-section-number">1.8.2.1</span> 6.2.1 备份加密策略</a></li>
|
||
<li><a href="#数据恢复流程" id="toc-数据恢复流程"><span
|
||
class="toc-section-number">1.8.2.2</span> 6.2.2 数据恢复流程</a></li>
|
||
</ul></li>
|
||
<li><a href="#数据销毁与清理" id="toc-数据销毁与清理"><span
|
||
class="toc-section-number">1.8.3</span> 6.3 数据销毁与清理</a>
|
||
<ul>
|
||
<li><a href="#安全数据销毁" id="toc-安全数据销毁"><span
|
||
class="toc-section-number">1.8.3.1</span> 6.3.1 安全数据销毁</a></li>
|
||
</ul></li>
|
||
</ul></li>
|
||
<li><a href="#七运维安全设计" id="toc-七运维安全设计"><span
|
||
class="toc-section-number">1.9</span> 七、运维安全设计</a>
|
||
<ul>
|
||
<li><a href="#安全监控体系" id="toc-安全监控体系"><span
|
||
class="toc-section-number">1.9.1</span> 7.1 安全监控体系</a>
|
||
<ul>
|
||
<li><a href="#安全监控架构" id="toc-安全监控架构"><span
|
||
class="toc-section-number">1.9.1.1</span> 7.1.1 安全监控架构</a></li>
|
||
<li><a href="#安全事件检测规则" id="toc-安全事件检测规则"><span
|
||
class="toc-section-number">1.9.1.2</span> 7.1.2
|
||
安全事件检测规则</a></li>
|
||
</ul></li>
|
||
<li><a href="#漏洞管理" id="toc-漏洞管理"><span
|
||
class="toc-section-number">1.9.2</span> 7.2 漏洞管理</a>
|
||
<ul>
|
||
<li><a href="#漏洞扫描策略" id="toc-漏洞扫描策略"><span
|
||
class="toc-section-number">1.9.2.1</span> 7.2.1 漏洞扫描策略</a></li>
|
||
<li><a href="#补丁管理流程" id="toc-补丁管理流程"><span
|
||
class="toc-section-number">1.9.2.2</span> 7.2.2 补丁管理流程</a></li>
|
||
</ul></li>
|
||
<li><a href="#应急响应预案" id="toc-应急响应预案"><span
|
||
class="toc-section-number">1.9.3</span> 7.3 应急响应预案</a>
|
||
<ul>
|
||
<li><a href="#安全事件分级" id="toc-安全事件分级"><span
|
||
class="toc-section-number">1.9.3.1</span> 7.3.1 安全事件分级</a></li>
|
||
<li><a href="#应急响应流程" id="toc-应急响应流程"><span
|
||
class="toc-section-number">1.9.3.2</span> 7.3.2 应急响应流程</a></li>
|
||
</ul></li>
|
||
</ul></li>
|
||
<li><a href="#八安全管理制度" id="toc-八安全管理制度"><span
|
||
class="toc-section-number">1.10</span> 八、安全管理制度</a>
|
||
<ul>
|
||
<li><a href="#安全组织架构" id="toc-安全组织架构"><span
|
||
class="toc-section-number">1.10.1</span> 8.1 安全组织架构</a>
|
||
<ul>
|
||
<li><a href="#安全管理组织" id="toc-安全管理组织"><span
|
||
class="toc-section-number">1.10.1.1</span> 8.1.1 安全管理组织</a></li>
|
||
</ul></li>
|
||
<li><a href="#安全管理制度-1" id="toc-安全管理制度-1"><span
|
||
class="toc-section-number">1.10.2</span> 8.2 安全管理制度</a>
|
||
<ul>
|
||
<li><a href="#人员安全管理" id="toc-人员安全管理"><span
|
||
class="toc-section-number">1.10.2.1</span> 8.2.1 人员安全管理</a></li>
|
||
<li><a href="#系统建设安全管理" id="toc-系统建设安全管理"><span
|
||
class="toc-section-number">1.10.2.2</span> 8.2.2
|
||
系统建设安全管理</a></li>
|
||
<li><a href="#系统运维安全管理" id="toc-系统运维安全管理"><span
|
||
class="toc-section-number">1.10.2.3</span> 8.2.3
|
||
系统运维安全管理</a></li>
|
||
</ul></li>
|
||
<li><a href="#合规管理" id="toc-合规管理"><span
|
||
class="toc-section-number">1.10.3</span> 8.3 合规管理</a>
|
||
<ul>
|
||
<li><a href="#法律法规合规" id="toc-法律法规合规"><span
|
||
class="toc-section-number">1.10.3.1</span> 8.3.1 法律法规合规</a></li>
|
||
<li><a href="#行业标准合规" id="toc-行业标准合规"><span
|
||
class="toc-section-number">1.10.3.2</span> 8.3.2 行业标准合规</a></li>
|
||
<li><a href="#合规检查清单" id="toc-合规检查清单"><span
|
||
class="toc-section-number">1.10.3.3</span> 8.3.3 合规检查清单</a></li>
|
||
</ul></li>
|
||
</ul></li>
|
||
<li><a href="#总结" id="toc-总结"><span
|
||
class="toc-section-number">1.11</span> 总结</a></li>
|
||
</ul></li>
|
||
</ul>
|
||
</nav>
|
||
<h1 data-number="1" id="福建水务营收系统安全设计文档"><span
|
||
class="header-section-number">1</span> 福建水务营收系统安全设计文档</h1>
|
||
<h2 data-number="1.1" id="文档信息"><span
|
||
class="header-section-number">1.1</span> 文档信息</h2>
|
||
<table>
|
||
<thead>
|
||
<tr>
|
||
<th>项目信息</th>
|
||
<th>详情</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td><strong>项目名称</strong></td>
|
||
<td>福建水务营收系统</td>
|
||
</tr>
|
||
<tr>
|
||
<td><strong>文档类型</strong></td>
|
||
<td>安全设计文档</td>
|
||
</tr>
|
||
<tr>
|
||
<td><strong>技术框架</strong></td>
|
||
<td>RuoYi-Vue-Pro + OpenGauss</td>
|
||
</tr>
|
||
<tr>
|
||
<td><strong>文档版本</strong></td>
|
||
<td>v1.0</td>
|
||
</tr>
|
||
<tr>
|
||
<td><strong>编写日期</strong></td>
|
||
<td>2024-12-19</td>
|
||
</tr>
|
||
<tr>
|
||
<td><strong>文档状态</strong></td>
|
||
<td>✅ 已完成</td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
<h2 data-number="1.2" id="目录"><span
|
||
class="header-section-number">1.2</span> 目录</h2>
|
||
<ul>
|
||
<li><a href="#一安全设计概述">一、安全设计概述</a></li>
|
||
<li><a href="#二等级保护三级安全设计">二、等级保护三级安全设计</a></li>
|
||
<li><a href="#三opengauss数据库安全">三、OpenGauss数据库安全</a></li>
|
||
<li><a href="#四应用系统安全">四、应用系统安全</a></li>
|
||
<li><a href="#五网络安全设计">五、网络安全设计</a></li>
|
||
<li><a href="#六数据安全设计">六、数据安全设计</a></li>
|
||
<li><a href="#七运维安全设计">七、运维安全设计</a></li>
|
||
<li><a href="#八安全管理制度">八、安全管理制度</a></li>
|
||
</ul>
|
||
<h2 data-number="1.3" id="一安全设计概述"><span
|
||
class="header-section-number">1.3</span> 一、安全设计概述</h2>
|
||
<p>福建水务营收系统安全设计严格按照《网络安全等级保护基本要求》第三级标准,结合水务行业特点和国产化要求,构建全方位、多层次的安全防护体系。</p>
|
||
<h3 data-number="1.3.1" id="安全目标"><span
|
||
class="header-section-number">1.3.1</span> 1.1 安全目标</h3>
|
||
<ul>
|
||
<li><strong>机密性</strong>:确保敏感数据不被未授权访问</li>
|
||
<li><strong>完整性</strong>:防止数据被恶意篡改或损坏</li>
|
||
<li><strong>可用性</strong>:保障系统7×24小时稳定运行</li>
|
||
<li><strong>可审计性</strong>:完整记录系统操作审计轨迹</li>
|
||
<li><strong>合规性</strong>:满足等保三级和行业监管要求</li>
|
||
</ul>
|
||
<h3 data-number="1.3.2" id="安全原则"><span
|
||
class="header-section-number">1.3.2</span> 1.2 安全原则</h3>
|
||
<ul>
|
||
<li><strong>纵深防御</strong>:多层安全防护,避免单点故障</li>
|
||
<li><strong>最小权限</strong>:用户和应用仅具备必要的最小权限</li>
|
||
<li><strong>默认安全</strong>:系统默认采用最严格的安全配置</li>
|
||
<li><strong>持续监控</strong>:7×24小时安全监控和威胁检测</li>
|
||
<li><strong>国产化优先</strong>:优先采用国产安全产品和技术</li>
|
||
</ul>
|
||
<h3 data-number="1.3.3" id="总体安全架构"><span
|
||
class="header-section-number">1.3.3</span> 1.3 总体安全架构</h3>
|
||
<p><strong>图表 1</strong></p>
|
||
<figure>
|
||
<img src="temp_mermaid_water_biz_security_design_6403/diagram_1.png"
|
||
alt="图表 1" />
|
||
<figcaption aria-hidden="true">图表 1</figcaption>
|
||
</figure>
|
||
<details>
|
||
<summary>
|
||
查看图表源码
|
||
</summary>
|
||
<pre class="mermaid"><code>graph TB
|
||
subgraph "外部威胁"
|
||
THREAT1[网络攻击]
|
||
THREAT2[恶意软件]
|
||
THREAT3[数据泄露]
|
||
THREAT4[内部威胁]
|
||
end
|
||
|
||
subgraph "安全防护层"
|
||
subgraph "边界安全"
|
||
WAF[Web应用防火墙]
|
||
FW[网络防火墙]
|
||
IPS[入侵防护系统]
|
||
VPN[VPN网关]
|
||
end
|
||
|
||
subgraph "应用安全"
|
||
AUTH[身份认证]
|
||
AUTHZ[访问控制]
|
||
AUDIT[操作审计]
|
||
ENCRYPT[数据加密]
|
||
end
|
||
|
||
subgraph "数据安全"
|
||
TDE[透明数据加密]
|
||
RLS[行级安全]
|
||
MASK[数据脱敏]
|
||
BACKUP[安全备份]
|
||
end
|
||
|
||
subgraph "运维安全"
|
||
MONITOR[安全监控]
|
||
LOG[日志分析]
|
||
ALERT[告警响应]
|
||
PATCH[安全更新]
|
||
end
|
||
end
|
||
|
||
subgraph "核心资产"
|
||
APP[水务营收系统]
|
||
DB[OpenGauss数据库]
|
||
FILE[文件存储]
|
||
API[接口服务]
|
||
end
|
||
|
||
THREAT1 --> WAF
|
||
THREAT2 --> FW
|
||
THREAT3 --> IPS
|
||
THREAT4 --> VPN
|
||
|
||
WAF --> AUTH
|
||
FW --> AUTHZ
|
||
IPS --> AUDIT
|
||
VPN --> ENCRYPT
|
||
|
||
AUTH --> TDE
|
||
AUTHZ --> RLS
|
||
AUDIT --> MASK
|
||
ENCRYPT --> BACKUP
|
||
|
||
TDE --> MONITOR
|
||
RLS --> LOG
|
||
MASK --> ALERT
|
||
BACKUP --> PATCH
|
||
|
||
MONITOR --> APP
|
||
LOG --> DB
|
||
ALERT --> FILE
|
||
PATCH --> API
|
||
</code></pre>
|
||
</details>
|
||
<h2 data-number="1.4" id="二等级保护三级安全设计"><span
|
||
class="header-section-number">1.4</span> 二、等级保护三级安全设计</h2>
|
||
<h3 data-number="1.4.1" id="技术安全要求"><span
|
||
class="header-section-number">1.4.1</span> 2.1 技术安全要求</h3>
|
||
<h4 data-number="1.4.1.1" id="安全通信网络"><span
|
||
class="header-section-number">1.4.1.1</span> 2.1.1 安全通信网络</h4>
|
||
<p><strong>网络架构安全</strong></p>
|
||
<p><strong>图表 2</strong></p>
|
||
<figure>
|
||
<img src="temp_mermaid_water_biz_security_design_6403/diagram_2.png"
|
||
alt="图表 2" />
|
||
<figcaption aria-hidden="true">图表 2</figcaption>
|
||
</figure>
|
||
<details>
|
||
<summary>
|
||
查看图表源码
|
||
</summary>
|
||
<pre class="mermaid"><code>graph TB
|
||
subgraph "安全区域划分"
|
||
DMZ[DMZ区<br/>Web服务器]
|
||
APP_ZONE[应用区<br/>应用服务器]
|
||
DB_ZONE[数据区<br/>数据库服务器]
|
||
MGT_ZONE[管理区<br/>运维管理]
|
||
end
|
||
|
||
subgraph "边界防护"
|
||
INTERNET[互联网]
|
||
FW1[边界防火墙]
|
||
FW2[内部防火墙]
|
||
IDS[入侵检测系统]
|
||
end
|
||
|
||
subgraph "访问控制"
|
||
VPN[VPN接入]
|
||
JUMP[跳板机]
|
||
BASTION[堡垒机]
|
||
end
|
||
|
||
INTERNET --> FW1
|
||
FW1 --> DMZ
|
||
DMZ --> FW2
|
||
FW2 --> APP_ZONE
|
||
APP_ZONE --> DB_ZONE
|
||
|
||
VPN --> JUMP
|
||
JUMP --> BASTION
|
||
BASTION --> MGT_ZONE
|
||
|
||
IDS --> DMZ
|
||
IDS --> APP_ZONE
|
||
</code></pre>
|
||
</details>
|
||
<p><strong>网络安全措施</strong> - 网络边界部署防火墙,实现网络访问控制
|
||
- 重要网络设备和服务器前端部署网络入侵检测设备 -
|
||
网络分段部署,DMZ区、应用区、数据区物理隔离 -
|
||
关键网络设备提供双机热备功能 - 网络设备登录实现身份标识和鉴别</p>
|
||
<h4 data-number="1.4.1.2" id="安全区域边界"><span
|
||
class="header-section-number">1.4.1.2</span> 2.1.2 安全区域边界</h4>
|
||
<p><strong>区域边界防护</strong> -
|
||
在网络边界部署防火墙设备,设置访问控制策略 -
|
||
在网络边界部署入侵检测设备,监控网络攻击行为 -
|
||
在应用层部署Web应用防火墙,防护Web应用攻击 -
|
||
对进出网络的数据流进行过滤和监控 -
|
||
建立网络访问控制策略,限制不必要的网络连接</p>
|
||
<h4 data-number="1.4.1.3" id="安全计算环境"><span
|
||
class="header-section-number">1.4.1.3</span> 2.1.3 安全计算环境</h4>
|
||
<p><strong>身份鉴别</strong></p>
|
||
<p><strong>图表 3</strong></p>
|
||
<figure>
|
||
<img src="temp_mermaid_water_biz_security_design_6403/diagram_3.png"
|
||
alt="图表 3" />
|
||
<figcaption aria-hidden="true">图表 3</figcaption>
|
||
</figure>
|
||
<details>
|
||
<summary>
|
||
查看图表源码
|
||
</summary>
|
||
<pre class="mermaid"><code>graph LR
|
||
subgraph "多因素认证"
|
||
USER[用户] --> AUTH1[用户名密码]
|
||
AUTH1 --> AUTH2[短信验证码]
|
||
AUTH2 --> AUTH3[邮箱验证]
|
||
AUTH3 --> TOKEN[JWT Token]
|
||
end
|
||
|
||
subgraph "认证集成"
|
||
LDAP[LDAP认证]
|
||
SSO[单点登录]
|
||
OAUTH[OAuth2.0]
|
||
SAML[SAML认证]
|
||
end
|
||
|
||
TOKEN --> LDAP
|
||
TOKEN --> SSO
|
||
TOKEN --> OAUTH
|
||
TOKEN --> SAML
|
||
</code></pre>
|
||
</details>
|
||
<p><strong>访问控制设计</strong> - 实现基于角色的访问控制(RBAC) -
|
||
支持基于属性的访问控制(ABAC) - 实现最小权限原则 -
|
||
支持权限的动态调整和审批流程</p>
|
||
<h3 data-number="1.4.2" id="管理安全要求"><span
|
||
class="header-section-number">1.4.2</span> 2.2 管理安全要求</h3>
|
||
<h4 data-number="1.4.2.1" id="安全管理中心"><span
|
||
class="header-section-number">1.4.2.1</span> 2.2.1 安全管理中心</h4>
|
||
<ul>
|
||
<li>建立安全管理中心,统一管理安全策略</li>
|
||
<li>配置安全管理员角色,负责安全策略制定</li>
|
||
<li>建立安全事件响应机制</li>
|
||
<li>定期进行安全评估和风险分析</li>
|
||
</ul>
|
||
<h4 data-number="1.4.2.2" id="安全管理制度"><span
|
||
class="header-section-number">1.4.2.2</span> 2.2.2 安全管理制度</h4>
|
||
<ul>
|
||
<li>制定信息安全管理制度和操作规程</li>
|
||
<li>建立人员安全管理制度</li>
|
||
<li>制定系统建设管理制度</li>
|
||
<li>建立系统运维管理制度</li>
|
||
</ul>
|
||
<h2 data-number="1.5" id="三opengauss数据库安全"><span
|
||
class="header-section-number">1.5</span> 三、OpenGauss数据库安全</h2>
|
||
<h3 data-number="1.5.1" id="数据库安全架构"><span
|
||
class="header-section-number">1.5.1</span> 3.1 数据库安全架构</h3>
|
||
<p><strong>图表 4</strong></p>
|
||
<figure>
|
||
<img src="temp_mermaid_water_biz_security_design_6403/diagram_4.png"
|
||
alt="图表 4" />
|
||
<figcaption aria-hidden="true">图表 4</figcaption>
|
||
</figure>
|
||
<details>
|
||
<summary>
|
||
查看图表源码
|
||
</summary>
|
||
<pre class="mermaid"><code>graph TB
|
||
subgraph "OpenGauss安全特性"
|
||
subgraph "身份认证"
|
||
PWD[密码认证]
|
||
CERT[证书认证]
|
||
LDAP_AUTH[LDAP认证]
|
||
KERBEROS[Kerberos认证]
|
||
end
|
||
|
||
subgraph "访问控制"
|
||
RBAC_DB[基于角色的访问控制]
|
||
RLS_DB[行级安全策略]
|
||
CLS_DB[列级访问控制]
|
||
SCHEMA[模式权限控制]
|
||
end
|
||
|
||
subgraph "数据加密"
|
||
TDE_SM4[TDE透明加密<br/>SM4国密算法]
|
||
SSL_SM[SSL传输加密<br/>SM2/SM3/SM4]
|
||
FIELD_ENC[字段级加密]
|
||
BACKUP_ENC[备份加密]
|
||
end
|
||
|
||
subgraph "审计监控"
|
||
AUDIT_LOG[操作审计日志]
|
||
LOGIN_LOG[登录审计]
|
||
DDL_LOG[DDL操作记录]
|
||
SECURITY_LOG[安全事件日志]
|
||
end
|
||
end
|
||
|
||
PWD --> RBAC_DB
|
||
CERT --> RLS_DB
|
||
LDAP_AUTH --> CLS_DB
|
||
KERBEROS --> SCHEMA
|
||
|
||
RBAC_DB --> TDE_SM4
|
||
RLS_DB --> SSL_SM
|
||
CLS_DB --> FIELD_ENC
|
||
SCHEMA --> BACKUP_ENC
|
||
|
||
TDE_SM4 --> AUDIT_LOG
|
||
SSL_SM --> LOGIN_LOG
|
||
FIELD_ENC --> DDL_LOG
|
||
BACKUP_ENC --> SECURITY_LOG
|
||
</code></pre>
|
||
</details>
|
||
<h3 data-number="1.5.2" id="国产密码算法应用"><span
|
||
class="header-section-number">1.5.2</span> 3.2 国产密码算法应用</h3>
|
||
<h4 data-number="1.5.2.1" id="传输加密"><span
|
||
class="header-section-number">1.5.2.1</span> 3.2.1 传输加密</h4>
|
||
<div class="sourceCode" id="cb5"><pre
|
||
class="sourceCode sql"><code class="sourceCode sql"><span id="cb5-1"><a href="#cb5-1" aria-hidden="true" tabindex="-1"></a><span class="co">-- 配置国密SSL连接</span></span>
|
||
<span id="cb5-2"><a href="#cb5-2" aria-hidden="true" tabindex="-1"></a><span class="kw">ALTER</span> <span class="kw">SYSTEM</span> <span class="kw">SET</span> ssl <span class="op">=</span> <span class="kw">on</span>;</span>
|
||
<span id="cb5-3"><a href="#cb5-3" aria-hidden="true" tabindex="-1"></a><span class="kw">ALTER</span> <span class="kw">SYSTEM</span> <span class="kw">SET</span> ssl_ciphers <span class="op">=</span> <span class="st">'SM4-GCM-SM3:SM4-CCM-SM3'</span>;</span>
|
||
<span id="cb5-4"><a href="#cb5-4" aria-hidden="true" tabindex="-1"></a><span class="kw">ALTER</span> <span class="kw">SYSTEM</span> <span class="kw">SET</span> ssl_cert_file <span class="op">=</span> <span class="st">'server-sm2.crt'</span>;</span>
|
||
<span id="cb5-5"><a href="#cb5-5" aria-hidden="true" tabindex="-1"></a><span class="kw">ALTER</span> <span class="kw">SYSTEM</span> <span class="kw">SET</span> ssl_key_file <span class="op">=</span> <span class="st">'server-sm2.key'</span>;</span></code></pre></div>
|
||
<h4 data-number="1.5.2.2" id="透明数据加密"><span
|
||
class="header-section-number">1.5.2.2</span> 3.2.2 透明数据加密</h4>
|
||
<div class="sourceCode" id="cb6"><pre
|
||
class="sourceCode sql"><code class="sourceCode sql"><span id="cb6-1"><a href="#cb6-1" aria-hidden="true" tabindex="-1"></a><span class="co">-- 启用TDE透明数据加密,使用SM4算法</span></span>
|
||
<span id="cb6-2"><a href="#cb6-2" aria-hidden="true" tabindex="-1"></a><span class="kw">CREATE</span> <span class="kw">KEY</span> ENCRYPTION <span class="kw">KEY</span> water_biz_kek </span>
|
||
<span id="cb6-3"><a href="#cb6-3" aria-hidden="true" tabindex="-1"></a><span class="kw">WITH</span> ALGORITHM <span class="op">=</span> <span class="st">'SM4-CTR'</span>, KEY_STORE <span class="op">=</span> <span class="st">'localkms'</span>;</span>
|
||
<span id="cb6-4"><a href="#cb6-4" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb6-5"><a href="#cb6-5" aria-hidden="true" tabindex="-1"></a><span class="co">-- 为敏感表启用加密</span></span>
|
||
<span id="cb6-6"><a href="#cb6-6" aria-hidden="true" tabindex="-1"></a><span class="kw">CREATE</span> <span class="kw">TABLE</span> water_customer (</span>
|
||
<span id="cb6-7"><a href="#cb6-7" aria-hidden="true" tabindex="-1"></a> <span class="kw">id</span> SERIAL <span class="kw">PRIMARY</span> <span class="kw">KEY</span>,</span>
|
||
<span id="cb6-8"><a href="#cb6-8" aria-hidden="true" tabindex="-1"></a> customer_name <span class="dt">VARCHAR</span>(<span class="dv">100</span>) ENCRYPTED <span class="kw">WITH</span> (</span>
|
||
<span id="cb6-9"><a href="#cb6-9" aria-hidden="true" tabindex="-1"></a> COLUMN_ENCRYPTION_KEY <span class="op">=</span> water_biz_kek,</span>
|
||
<span id="cb6-10"><a href="#cb6-10" aria-hidden="true" tabindex="-1"></a> ENCRYPTION_TYPE <span class="op">=</span> DETERMINISTIC,</span>
|
||
<span id="cb6-11"><a href="#cb6-11" aria-hidden="true" tabindex="-1"></a> ALGORITHM <span class="op">=</span> <span class="st">'SM4-CTR'</span></span>
|
||
<span id="cb6-12"><a href="#cb6-12" aria-hidden="true" tabindex="-1"></a> ),</span>
|
||
<span id="cb6-13"><a href="#cb6-13" aria-hidden="true" tabindex="-1"></a> id_card <span class="dt">VARCHAR</span>(<span class="dv">18</span>) ENCRYPTED <span class="kw">WITH</span> (</span>
|
||
<span id="cb6-14"><a href="#cb6-14" aria-hidden="true" tabindex="-1"></a> COLUMN_ENCRYPTION_KEY <span class="op">=</span> water_biz_kek,</span>
|
||
<span id="cb6-15"><a href="#cb6-15" aria-hidden="true" tabindex="-1"></a> ENCRYPTION_TYPE <span class="op">=</span> RANDOMIZED,</span>
|
||
<span id="cb6-16"><a href="#cb6-16" aria-hidden="true" tabindex="-1"></a> ALGORITHM <span class="op">=</span> <span class="st">'SM4-CTR'</span></span>
|
||
<span id="cb6-17"><a href="#cb6-17" aria-hidden="true" tabindex="-1"></a> )</span>
|
||
<span id="cb6-18"><a href="#cb6-18" aria-hidden="true" tabindex="-1"></a>);</span></code></pre></div>
|
||
<h3 data-number="1.5.3" id="行级安全策略"><span
|
||
class="header-section-number">1.5.3</span> 3.3 行级安全策略</h3>
|
||
<div class="sourceCode" id="cb7"><pre
|
||
class="sourceCode sql"><code class="sourceCode sql"><span id="cb7-1"><a href="#cb7-1" aria-hidden="true" tabindex="-1"></a><span class="co">-- 创建多租户行级安全策略</span></span>
|
||
<span id="cb7-2"><a href="#cb7-2" aria-hidden="true" tabindex="-1"></a><span class="kw">CREATE</span> <span class="kw">ROW</span> <span class="kw">LEVEL</span> SECURITY POLICY tenant_isolation_policy</span>
|
||
<span id="cb7-3"><a href="#cb7-3" aria-hidden="true" tabindex="-1"></a><span class="kw">ON</span> water_customer</span>
|
||
<span id="cb7-4"><a href="#cb7-4" aria-hidden="true" tabindex="-1"></a><span class="kw">USING</span> (tenant_id <span class="op">=</span> current_setting(<span class="st">'app.current_tenant_id'</span>):<span class="ch">:bigint</span>);</span>
|
||
<span id="cb7-5"><a href="#cb7-5" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb7-6"><a href="#cb7-6" aria-hidden="true" tabindex="-1"></a><span class="co">-- 启用行级安全</span></span>
|
||
<span id="cb7-7"><a href="#cb7-7" aria-hidden="true" tabindex="-1"></a><span class="kw">ALTER</span> <span class="kw">TABLE</span> water_customer <span class="kw">ENABLE</span> <span class="kw">ROW</span> <span class="kw">LEVEL</span> SECURITY;</span>
|
||
<span id="cb7-8"><a href="#cb7-8" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb7-9"><a href="#cb7-9" aria-hidden="true" tabindex="-1"></a><span class="co">-- 创建数据访问角色</span></span>
|
||
<span id="cb7-10"><a href="#cb7-10" aria-hidden="true" tabindex="-1"></a><span class="kw">CREATE</span> <span class="kw">ROLE</span> water_data_reader;</span>
|
||
<span id="cb7-11"><a href="#cb7-11" aria-hidden="true" tabindex="-1"></a><span class="kw">CREATE</span> <span class="kw">ROLE</span> water_data_writer;</span>
|
||
<span id="cb7-12"><a href="#cb7-12" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb7-13"><a href="#cb7-13" aria-hidden="true" tabindex="-1"></a><span class="co">-- 配置列级权限</span></span>
|
||
<span id="cb7-14"><a href="#cb7-14" aria-hidden="true" tabindex="-1"></a><span class="kw">GRANT</span> <span class="kw">SELECT</span> (<span class="kw">id</span>, customer_name, phone) <span class="kw">ON</span> water_customer <span class="kw">TO</span> water_data_reader;</span>
|
||
<span id="cb7-15"><a href="#cb7-15" aria-hidden="true" tabindex="-1"></a><span class="kw">GRANT</span> <span class="kw">ALL</span> <span class="kw">ON</span> water_customer <span class="kw">TO</span> water_data_writer;</span></code></pre></div>
|
||
<h3 data-number="1.5.4" id="数据脱敏策略"><span
|
||
class="header-section-number">1.5.4</span> 3.4 数据脱敏策略</h3>
|
||
<div class="sourceCode" id="cb8"><pre
|
||
class="sourceCode sql"><code class="sourceCode sql"><span id="cb8-1"><a href="#cb8-1" aria-hidden="true" tabindex="-1"></a><span class="co">-- 创建数据脱敏函数</span></span>
|
||
<span id="cb8-2"><a href="#cb8-2" aria-hidden="true" tabindex="-1"></a><span class="kw">CREATE</span> <span class="kw">OR</span> <span class="kw">REPLACE</span> <span class="kw">FUNCTION</span> mask_phone(phone_num TEXT) </span>
|
||
<span id="cb8-3"><a href="#cb8-3" aria-hidden="true" tabindex="-1"></a>RETURNS TEXT <span class="kw">AS</span> $$</span>
|
||
<span id="cb8-4"><a href="#cb8-4" aria-hidden="true" tabindex="-1"></a><span class="cf">BEGIN</span></span>
|
||
<span id="cb8-5"><a href="#cb8-5" aria-hidden="true" tabindex="-1"></a> <span class="kw">RETURN</span> SUBSTRING(phone_num, <span class="dv">1</span>, <span class="dv">3</span>) <span class="op">||</span> <span class="st">'****'</span> <span class="op">||</span> SUBSTRING(phone_num, <span class="dv">8</span>, <span class="dv">4</span>);</span>
|
||
<span id="cb8-6"><a href="#cb8-6" aria-hidden="true" tabindex="-1"></a><span class="cf">END</span>;</span>
|
||
<span id="cb8-7"><a href="#cb8-7" aria-hidden="true" tabindex="-1"></a>$$ LANGUAGE plpgsql;</span>
|
||
<span id="cb8-8"><a href="#cb8-8" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb8-9"><a href="#cb8-9" aria-hidden="true" tabindex="-1"></a><span class="co">-- 创建脱敏视图</span></span>
|
||
<span id="cb8-10"><a href="#cb8-10" aria-hidden="true" tabindex="-1"></a><span class="kw">CREATE</span> <span class="kw">VIEW</span> water_customer_masked <span class="kw">AS</span></span>
|
||
<span id="cb8-11"><a href="#cb8-11" aria-hidden="true" tabindex="-1"></a><span class="kw">SELECT</span> </span>
|
||
<span id="cb8-12"><a href="#cb8-12" aria-hidden="true" tabindex="-1"></a> <span class="kw">id</span>,</span>
|
||
<span id="cb8-13"><a href="#cb8-13" aria-hidden="true" tabindex="-1"></a> customer_name,</span>
|
||
<span id="cb8-14"><a href="#cb8-14" aria-hidden="true" tabindex="-1"></a> mask_phone(phone) <span class="kw">as</span> phone,</span>
|
||
<span id="cb8-15"><a href="#cb8-15" aria-hidden="true" tabindex="-1"></a> <span class="kw">LEFT</span>(id_card, <span class="dv">6</span>) <span class="op">||</span> <span class="st">'********'</span> <span class="op">||</span> <span class="kw">RIGHT</span>(id_card, <span class="dv">4</span>) <span class="kw">as</span> id_card_masked</span>
|
||
<span id="cb8-16"><a href="#cb8-16" aria-hidden="true" tabindex="-1"></a><span class="kw">FROM</span> water_customer;</span>
|
||
<span id="cb8-17"><a href="#cb8-17" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb8-18"><a href="#cb8-18" aria-hidden="true" tabindex="-1"></a><span class="co">-- 授权普通用户只能访问脱敏视图</span></span>
|
||
<span id="cb8-19"><a href="#cb8-19" aria-hidden="true" tabindex="-1"></a><span class="kw">GRANT</span> <span class="kw">SELECT</span> <span class="kw">ON</span> water_customer_masked <span class="kw">TO</span> water_normal_user;</span></code></pre></div>
|
||
<h2 data-number="1.6" id="四应用系统安全"><span
|
||
class="header-section-number">1.6</span> 四、应用系统安全</h2>
|
||
<h3 data-number="1.6.1" id="spring-security安全配置"><span
|
||
class="header-section-number">1.6.1</span> 4.1 Spring
|
||
Security安全配置</h3>
|
||
<h4 data-number="1.6.1.1" id="认证配置"><span
|
||
class="header-section-number">1.6.1.1</span> 4.1.1 认证配置</h4>
|
||
<div class="sourceCode" id="cb9"><pre
|
||
class="sourceCode java"><code class="sourceCode java"><span id="cb9-1"><a href="#cb9-1" aria-hidden="true" tabindex="-1"></a><span class="at">@Configuration</span></span>
|
||
<span id="cb9-2"><a href="#cb9-2" aria-hidden="true" tabindex="-1"></a><span class="at">@EnableWebSecurity</span></span>
|
||
<span id="cb9-3"><a href="#cb9-3" aria-hidden="true" tabindex="-1"></a><span class="at">@EnableMethodSecurity</span><span class="op">(</span>prePostEnabled <span class="op">=</span> <span class="kw">true</span><span class="op">)</span></span>
|
||
<span id="cb9-4"><a href="#cb9-4" aria-hidden="true" tabindex="-1"></a><span class="kw">public</span> <span class="kw">class</span> SecurityConfig <span class="op">{</span></span>
|
||
<span id="cb9-5"><a href="#cb9-5" aria-hidden="true" tabindex="-1"></a> </span>
|
||
<span id="cb9-6"><a href="#cb9-6" aria-hidden="true" tabindex="-1"></a> <span class="at">@Bean</span></span>
|
||
<span id="cb9-7"><a href="#cb9-7" aria-hidden="true" tabindex="-1"></a> <span class="kw">public</span> PasswordEncoder <span class="fu">passwordEncoder</span><span class="op">()</span> <span class="op">{</span></span>
|
||
<span id="cb9-8"><a href="#cb9-8" aria-hidden="true" tabindex="-1"></a> <span class="co">// 使用国密SM3哈希算法</span></span>
|
||
<span id="cb9-9"><a href="#cb9-9" aria-hidden="true" tabindex="-1"></a> <span class="cf">return</span> <span class="kw">new</span> <span class="fu">SM3PasswordEncoder</span><span class="op">();</span></span>
|
||
<span id="cb9-10"><a href="#cb9-10" aria-hidden="true" tabindex="-1"></a> <span class="op">}</span></span>
|
||
<span id="cb9-11"><a href="#cb9-11" aria-hidden="true" tabindex="-1"></a> </span>
|
||
<span id="cb9-12"><a href="#cb9-12" aria-hidden="true" tabindex="-1"></a> <span class="at">@Bean</span></span>
|
||
<span id="cb9-13"><a href="#cb9-13" aria-hidden="true" tabindex="-1"></a> <span class="kw">public</span> JwtAuthenticationTokenFilter <span class="fu">jwtAuthenticationTokenFilter</span><span class="op">()</span> <span class="op">{</span></span>
|
||
<span id="cb9-14"><a href="#cb9-14" aria-hidden="true" tabindex="-1"></a> <span class="cf">return</span> <span class="kw">new</span> <span class="fu">JwtAuthenticationTokenFilter</span><span class="op">();</span></span>
|
||
<span id="cb9-15"><a href="#cb9-15" aria-hidden="true" tabindex="-1"></a> <span class="op">}</span></span>
|
||
<span id="cb9-16"><a href="#cb9-16" aria-hidden="true" tabindex="-1"></a> </span>
|
||
<span id="cb9-17"><a href="#cb9-17" aria-hidden="true" tabindex="-1"></a> <span class="at">@Bean</span></span>
|
||
<span id="cb9-18"><a href="#cb9-18" aria-hidden="true" tabindex="-1"></a> <span class="kw">public</span> SecurityFilterChain <span class="fu">filterChain</span><span class="op">(</span>HttpSecurity http<span class="op">)</span> <span class="kw">throws</span> <span class="bu">Exception</span> <span class="op">{</span></span>
|
||
<span id="cb9-19"><a href="#cb9-19" aria-hidden="true" tabindex="-1"></a> <span class="cf">return</span> http</span>
|
||
<span id="cb9-20"><a href="#cb9-20" aria-hidden="true" tabindex="-1"></a> <span class="co">// CSRF防护</span></span>
|
||
<span id="cb9-21"><a href="#cb9-21" aria-hidden="true" tabindex="-1"></a> <span class="op">.</span><span class="fu">csrf</span><span class="op">(</span>csrf <span class="op">-></span> csrf<span class="op">.</span><span class="fu">csrfTokenRepository</span><span class="op">(</span>CookieCsrfTokenRepository<span class="op">.</span><span class="fu">withHttpOnlyFalse</span><span class="op">()))</span></span>
|
||
<span id="cb9-22"><a href="#cb9-22" aria-hidden="true" tabindex="-1"></a> <span class="co">// 请求授权</span></span>
|
||
<span id="cb9-23"><a href="#cb9-23" aria-hidden="true" tabindex="-1"></a> <span class="op">.</span><span class="fu">authorizeHttpRequests</span><span class="op">(</span>auth <span class="op">-></span> auth</span>
|
||
<span id="cb9-24"><a href="#cb9-24" aria-hidden="true" tabindex="-1"></a> <span class="op">.</span><span class="fu">requestMatchers</span><span class="op">(</span><span class="st">"/api/login"</span><span class="op">,</span> <span class="st">"/api/register"</span><span class="op">).</span><span class="fu">permitAll</span><span class="op">()</span></span>
|
||
<span id="cb9-25"><a href="#cb9-25" aria-hidden="true" tabindex="-1"></a> <span class="op">.</span><span class="fu">requestMatchers</span><span class="op">(</span><span class="st">"/api/admin/**"</span><span class="op">).</span><span class="fu">hasRole</span><span class="op">(</span><span class="st">"ADMIN"</span><span class="op">)</span></span>
|
||
<span id="cb9-26"><a href="#cb9-26" aria-hidden="true" tabindex="-1"></a> <span class="op">.</span><span class="fu">anyRequest</span><span class="op">().</span><span class="fu">authenticated</span><span class="op">()</span></span>
|
||
<span id="cb9-27"><a href="#cb9-27" aria-hidden="true" tabindex="-1"></a> <span class="op">)</span></span>
|
||
<span id="cb9-28"><a href="#cb9-28" aria-hidden="true" tabindex="-1"></a> <span class="co">// JWT过滤器</span></span>
|
||
<span id="cb9-29"><a href="#cb9-29" aria-hidden="true" tabindex="-1"></a> <span class="op">.</span><span class="fu">addFilterBefore</span><span class="op">(</span><span class="fu">jwtAuthenticationTokenFilter</span><span class="op">(),</span> UsernamePasswordAuthenticationFilter<span class="op">.</span><span class="fu">class</span><span class="op">)</span></span>
|
||
<span id="cb9-30"><a href="#cb9-30" aria-hidden="true" tabindex="-1"></a> <span class="co">// 会话管理</span></span>
|
||
<span id="cb9-31"><a href="#cb9-31" aria-hidden="true" tabindex="-1"></a> <span class="op">.</span><span class="fu">sessionManagement</span><span class="op">(</span>session <span class="op">-></span> session<span class="op">.</span><span class="fu">sessionCreationPolicy</span><span class="op">(</span>SessionCreationPolicy<span class="op">.</span><span class="fu">STATELESS</span><span class="op">))</span></span>
|
||
<span id="cb9-32"><a href="#cb9-32" aria-hidden="true" tabindex="-1"></a> <span class="op">.</span><span class="fu">build</span><span class="op">();</span></span>
|
||
<span id="cb9-33"><a href="#cb9-33" aria-hidden="true" tabindex="-1"></a> <span class="op">}</span></span>
|
||
<span id="cb9-34"><a href="#cb9-34" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
|
||
<h4 data-number="1.6.1.2" id="多因素认证"><span
|
||
class="header-section-number">1.6.1.2</span> 4.1.2 多因素认证</h4>
|
||
<div class="sourceCode" id="cb10"><pre
|
||
class="sourceCode java"><code class="sourceCode java"><span id="cb10-1"><a href="#cb10-1" aria-hidden="true" tabindex="-1"></a><span class="at">@Service</span></span>
|
||
<span id="cb10-2"><a href="#cb10-2" aria-hidden="true" tabindex="-1"></a><span class="kw">public</span> <span class="kw">class</span> MFAService <span class="op">{</span></span>
|
||
<span id="cb10-3"><a href="#cb10-3" aria-hidden="true" tabindex="-1"></a> </span>
|
||
<span id="cb10-4"><a href="#cb10-4" aria-hidden="true" tabindex="-1"></a> <span class="at">@Autowired</span></span>
|
||
<span id="cb10-5"><a href="#cb10-5" aria-hidden="true" tabindex="-1"></a> <span class="kw">private</span> SmsService smsService<span class="op">;</span></span>
|
||
<span id="cb10-6"><a href="#cb10-6" aria-hidden="true" tabindex="-1"></a> </span>
|
||
<span id="cb10-7"><a href="#cb10-7" aria-hidden="true" tabindex="-1"></a> <span class="at">@Autowired</span></span>
|
||
<span id="cb10-8"><a href="#cb10-8" aria-hidden="true" tabindex="-1"></a> <span class="kw">private</span> RedisTemplate<span class="op"><</span><span class="bu">String</span><span class="op">,</span> <span class="bu">String</span><span class="op">></span> redisTemplate<span class="op">;</span></span>
|
||
<span id="cb10-9"><a href="#cb10-9" aria-hidden="true" tabindex="-1"></a> </span>
|
||
<span id="cb10-10"><a href="#cb10-10" aria-hidden="true" tabindex="-1"></a> <span class="kw">public</span> <span class="dt">boolean</span> <span class="fu">sendSmsCode</span><span class="op">(</span><span class="bu">String</span> phone<span class="op">)</span> <span class="op">{</span></span>
|
||
<span id="cb10-11"><a href="#cb10-11" aria-hidden="true" tabindex="-1"></a> <span class="bu">String</span> code <span class="op">=</span> <span class="fu">generateRandomCode</span><span class="op">();</span></span>
|
||
<span id="cb10-12"><a href="#cb10-12" aria-hidden="true" tabindex="-1"></a> <span class="bu">String</span> key <span class="op">=</span> <span class="st">"mfa:sms:"</span> <span class="op">+</span> phone<span class="op">;</span></span>
|
||
<span id="cb10-13"><a href="#cb10-13" aria-hidden="true" tabindex="-1"></a> </span>
|
||
<span id="cb10-14"><a href="#cb10-14" aria-hidden="true" tabindex="-1"></a> <span class="co">// 存储验证码,5分钟过期</span></span>
|
||
<span id="cb10-15"><a href="#cb10-15" aria-hidden="true" tabindex="-1"></a> redisTemplate<span class="op">.</span><span class="fu">opsForValue</span><span class="op">().</span><span class="fu">set</span><span class="op">(</span>key<span class="op">,</span> code<span class="op">,</span> <span class="bu">Duration</span><span class="op">.</span><span class="fu">ofMinutes</span><span class="op">(</span><span class="dv">5</span><span class="op">));</span></span>
|
||
<span id="cb10-16"><a href="#cb10-16" aria-hidden="true" tabindex="-1"></a> </span>
|
||
<span id="cb10-17"><a href="#cb10-17" aria-hidden="true" tabindex="-1"></a> <span class="co">// 发送短信</span></span>
|
||
<span id="cb10-18"><a href="#cb10-18" aria-hidden="true" tabindex="-1"></a> <span class="cf">return</span> smsService<span class="op">.</span><span class="fu">send</span><span class="op">(</span>phone<span class="op">,</span> <span class="st">"您的验证码是:"</span> <span class="op">+</span> code <span class="op">+</span> <span class="st">",5分钟内有效。"</span><span class="op">);</span></span>
|
||
<span id="cb10-19"><a href="#cb10-19" aria-hidden="true" tabindex="-1"></a> <span class="op">}</span></span>
|
||
<span id="cb10-20"><a href="#cb10-20" aria-hidden="true" tabindex="-1"></a> </span>
|
||
<span id="cb10-21"><a href="#cb10-21" aria-hidden="true" tabindex="-1"></a> <span class="kw">public</span> <span class="dt">boolean</span> <span class="fu">verifySmsCode</span><span class="op">(</span><span class="bu">String</span> phone<span class="op">,</span> <span class="bu">String</span> code<span class="op">)</span> <span class="op">{</span></span>
|
||
<span id="cb10-22"><a href="#cb10-22" aria-hidden="true" tabindex="-1"></a> <span class="bu">String</span> key <span class="op">=</span> <span class="st">"mfa:sms:"</span> <span class="op">+</span> phone<span class="op">;</span></span>
|
||
<span id="cb10-23"><a href="#cb10-23" aria-hidden="true" tabindex="-1"></a> <span class="bu">String</span> storedCode <span class="op">=</span> redisTemplate<span class="op">.</span><span class="fu">opsForValue</span><span class="op">().</span><span class="fu">get</span><span class="op">(</span>key<span class="op">);</span></span>
|
||
<span id="cb10-24"><a href="#cb10-24" aria-hidden="true" tabindex="-1"></a> </span>
|
||
<span id="cb10-25"><a href="#cb10-25" aria-hidden="true" tabindex="-1"></a> <span class="cf">if</span> <span class="op">(</span>storedCode <span class="op">!=</span> <span class="kw">null</span> <span class="op">&&</span> storedCode<span class="op">.</span><span class="fu">equals</span><span class="op">(</span>code<span class="op">))</span> <span class="op">{</span></span>
|
||
<span id="cb10-26"><a href="#cb10-26" aria-hidden="true" tabindex="-1"></a> redisTemplate<span class="op">.</span><span class="fu">delete</span><span class="op">(</span>key<span class="op">);</span></span>
|
||
<span id="cb10-27"><a href="#cb10-27" aria-hidden="true" tabindex="-1"></a> <span class="cf">return</span> <span class="kw">true</span><span class="op">;</span></span>
|
||
<span id="cb10-28"><a href="#cb10-28" aria-hidden="true" tabindex="-1"></a> <span class="op">}</span></span>
|
||
<span id="cb10-29"><a href="#cb10-29" aria-hidden="true" tabindex="-1"></a> <span class="cf">return</span> <span class="kw">false</span><span class="op">;</span></span>
|
||
<span id="cb10-30"><a href="#cb10-30" aria-hidden="true" tabindex="-1"></a> <span class="op">}</span></span>
|
||
<span id="cb10-31"><a href="#cb10-31" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
|
||
<h3 data-number="1.6.2" id="数据传输安全"><span
|
||
class="header-section-number">1.6.2</span> 4.2 数据传输安全</h3>
|
||
<h4 data-number="1.6.2.1" id="https配置"><span
|
||
class="header-section-number">1.6.2.1</span> 4.2.1 HTTPS配置</h4>
|
||
<div class="sourceCode" id="cb11"><pre
|
||
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb11-1"><a href="#cb11-1" aria-hidden="true" tabindex="-1"></a><span class="fu">server</span><span class="kw">:</span></span>
|
||
<span id="cb11-2"><a href="#cb11-2" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">port</span><span class="kw">:</span><span class="at"> </span><span class="dv">8443</span></span>
|
||
<span id="cb11-3"><a href="#cb11-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">ssl</span><span class="kw">:</span></span>
|
||
<span id="cb11-4"><a href="#cb11-4" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">enabled</span><span class="kw">:</span><span class="at"> </span><span class="ch">true</span></span>
|
||
<span id="cb11-5"><a href="#cb11-5" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">key-store</span><span class="kw">:</span><span class="at"> classpath:keystore/server.p12</span></span>
|
||
<span id="cb11-6"><a href="#cb11-6" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">key-store-password</span><span class="kw">:</span><span class="at"> ${SSL_KEYSTORE_PASSWORD}</span></span>
|
||
<span id="cb11-7"><a href="#cb11-7" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">key-store-type</span><span class="kw">:</span><span class="at"> PKCS12</span></span>
|
||
<span id="cb11-8"><a href="#cb11-8" aria-hidden="true" tabindex="-1"></a><span class="co"> # 支持国密算法</span></span>
|
||
<span id="cb11-9"><a href="#cb11-9" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">ciphers</span><span class="kw">:</span><span class="at"> SM4-GCM-SM3,SM4-CCM-SM3,ECDHE-SM2-WITH-SM4-SM3</span></span>
|
||
<span id="cb11-10"><a href="#cb11-10" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">protocols</span><span class="kw">:</span><span class="at"> TLSv1.2,TLSv1.3</span></span></code></pre></div>
|
||
<h4 data-number="1.6.2.2" id="敏感数据加密"><span
|
||
class="header-section-number">1.6.2.2</span> 4.2.2 敏感数据加密</h4>
|
||
<div class="sourceCode" id="cb12"><pre
|
||
class="sourceCode java"><code class="sourceCode java"><span id="cb12-1"><a href="#cb12-1" aria-hidden="true" tabindex="-1"></a><span class="at">@Component</span></span>
|
||
<span id="cb12-2"><a href="#cb12-2" aria-hidden="true" tabindex="-1"></a><span class="kw">public</span> <span class="kw">class</span> DataEncryptionService <span class="op">{</span></span>
|
||
<span id="cb12-3"><a href="#cb12-3" aria-hidden="true" tabindex="-1"></a> </span>
|
||
<span id="cb12-4"><a href="#cb12-4" aria-hidden="true" tabindex="-1"></a> <span class="kw">private</span> <span class="dt">final</span> SM4Cipher sm4Cipher <span class="op">=</span> <span class="kw">new</span> <span class="fu">SM4Cipher</span><span class="op">();</span></span>
|
||
<span id="cb12-5"><a href="#cb12-5" aria-hidden="true" tabindex="-1"></a> </span>
|
||
<span id="cb12-6"><a href="#cb12-6" aria-hidden="true" tabindex="-1"></a> <span class="kw">public</span> <span class="bu">String</span> <span class="fu">encryptSensitiveData</span><span class="op">(</span><span class="bu">String</span> plaintext<span class="op">)</span> <span class="op">{</span></span>
|
||
<span id="cb12-7"><a href="#cb12-7" aria-hidden="true" tabindex="-1"></a> <span class="cf">try</span> <span class="op">{</span></span>
|
||
<span id="cb12-8"><a href="#cb12-8" aria-hidden="true" tabindex="-1"></a> <span class="cf">return</span> sm4Cipher<span class="op">.</span><span class="fu">encrypt</span><span class="op">(</span>plaintext<span class="op">);</span></span>
|
||
<span id="cb12-9"><a href="#cb12-9" aria-hidden="true" tabindex="-1"></a> <span class="op">}</span> <span class="cf">catch</span> <span class="op">(</span><span class="bu">Exception</span> e<span class="op">)</span> <span class="op">{</span></span>
|
||
<span id="cb12-10"><a href="#cb12-10" aria-hidden="true" tabindex="-1"></a> <span class="cf">throw</span> <span class="kw">new</span> <span class="bu">SecurityException</span><span class="op">(</span><span class="st">"数据加密失败"</span><span class="op">,</span> e<span class="op">);</span></span>
|
||
<span id="cb12-11"><a href="#cb12-11" aria-hidden="true" tabindex="-1"></a> <span class="op">}</span></span>
|
||
<span id="cb12-12"><a href="#cb12-12" aria-hidden="true" tabindex="-1"></a> <span class="op">}</span></span>
|
||
<span id="cb12-13"><a href="#cb12-13" aria-hidden="true" tabindex="-1"></a> </span>
|
||
<span id="cb12-14"><a href="#cb12-14" aria-hidden="true" tabindex="-1"></a> <span class="kw">public</span> <span class="bu">String</span> <span class="fu">decryptSensitiveData</span><span class="op">(</span><span class="bu">String</span> ciphertext<span class="op">)</span> <span class="op">{</span></span>
|
||
<span id="cb12-15"><a href="#cb12-15" aria-hidden="true" tabindex="-1"></a> <span class="cf">try</span> <span class="op">{</span></span>
|
||
<span id="cb12-16"><a href="#cb12-16" aria-hidden="true" tabindex="-1"></a> <span class="cf">return</span> sm4Cipher<span class="op">.</span><span class="fu">decrypt</span><span class="op">(</span>ciphertext<span class="op">);</span></span>
|
||
<span id="cb12-17"><a href="#cb12-17" aria-hidden="true" tabindex="-1"></a> <span class="op">}</span> <span class="cf">catch</span> <span class="op">(</span><span class="bu">Exception</span> e<span class="op">)</span> <span class="op">{</span></span>
|
||
<span id="cb12-18"><a href="#cb12-18" aria-hidden="true" tabindex="-1"></a> <span class="cf">throw</span> <span class="kw">new</span> <span class="bu">SecurityException</span><span class="op">(</span><span class="st">"数据解密失败"</span><span class="op">,</span> e<span class="op">);</span></span>
|
||
<span id="cb12-19"><a href="#cb12-19" aria-hidden="true" tabindex="-1"></a> <span class="op">}</span></span>
|
||
<span id="cb12-20"><a href="#cb12-20" aria-hidden="true" tabindex="-1"></a> <span class="op">}</span></span>
|
||
<span id="cb12-21"><a href="#cb12-21" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
|
||
<h3 data-number="1.6.3" id="接口安全防护"><span
|
||
class="header-section-number">1.6.3</span> 4.3 接口安全防护</h3>
|
||
<h4 data-number="1.6.3.1" id="接口签名验证"><span
|
||
class="header-section-number">1.6.3.1</span> 4.3.1 接口签名验证</h4>
|
||
<div class="sourceCode" id="cb13"><pre
|
||
class="sourceCode java"><code class="sourceCode java"><span id="cb13-1"><a href="#cb13-1" aria-hidden="true" tabindex="-1"></a><span class="at">@Component</span></span>
|
||
<span id="cb13-2"><a href="#cb13-2" aria-hidden="true" tabindex="-1"></a><span class="kw">public</span> <span class="kw">class</span> ApiSignatureValidator <span class="op">{</span></span>
|
||
<span id="cb13-3"><a href="#cb13-3" aria-hidden="true" tabindex="-1"></a> </span>
|
||
<span id="cb13-4"><a href="#cb13-4" aria-hidden="true" tabindex="-1"></a> <span class="kw">public</span> <span class="dt">boolean</span> <span class="fu">validateSignature</span><span class="op">(</span>HttpServletRequest request<span class="op">)</span> <span class="op">{</span></span>
|
||
<span id="cb13-5"><a href="#cb13-5" aria-hidden="true" tabindex="-1"></a> <span class="bu">String</span> timestamp <span class="op">=</span> request<span class="op">.</span><span class="fu">getHeader</span><span class="op">(</span><span class="st">"X-Timestamp"</span><span class="op">);</span></span>
|
||
<span id="cb13-6"><a href="#cb13-6" aria-hidden="true" tabindex="-1"></a> <span class="bu">String</span> nonce <span class="op">=</span> request<span class="op">.</span><span class="fu">getHeader</span><span class="op">(</span><span class="st">"X-Nonce"</span><span class="op">);</span></span>
|
||
<span id="cb13-7"><a href="#cb13-7" aria-hidden="true" tabindex="-1"></a> <span class="bu">String</span> signature <span class="op">=</span> request<span class="op">.</span><span class="fu">getHeader</span><span class="op">(</span><span class="st">"X-Signature"</span><span class="op">);</span></span>
|
||
<span id="cb13-8"><a href="#cb13-8" aria-hidden="true" tabindex="-1"></a> <span class="bu">String</span> body <span class="op">=</span> <span class="fu">getRequestBody</span><span class="op">(</span>request<span class="op">);</span></span>
|
||
<span id="cb13-9"><a href="#cb13-9" aria-hidden="true" tabindex="-1"></a> </span>
|
||
<span id="cb13-10"><a href="#cb13-10" aria-hidden="true" tabindex="-1"></a> <span class="co">// 检查时间戳,防止重放攻击</span></span>
|
||
<span id="cb13-11"><a href="#cb13-11" aria-hidden="true" tabindex="-1"></a> <span class="cf">if</span> <span class="op">(</span><span class="fu">isTimestampExpired</span><span class="op">(</span>timestamp<span class="op">))</span> <span class="op">{</span></span>
|
||
<span id="cb13-12"><a href="#cb13-12" aria-hidden="true" tabindex="-1"></a> <span class="cf">return</span> <span class="kw">false</span><span class="op">;</span></span>
|
||
<span id="cb13-13"><a href="#cb13-13" aria-hidden="true" tabindex="-1"></a> <span class="op">}</span></span>
|
||
<span id="cb13-14"><a href="#cb13-14" aria-hidden="true" tabindex="-1"></a> </span>
|
||
<span id="cb13-15"><a href="#cb13-15" aria-hidden="true" tabindex="-1"></a> <span class="co">// 生成签名</span></span>
|
||
<span id="cb13-16"><a href="#cb13-16" aria-hidden="true" tabindex="-1"></a> <span class="bu">String</span> expectedSignature <span class="op">=</span> <span class="fu">generateSignature</span><span class="op">(</span>timestamp<span class="op">,</span> nonce<span class="op">,</span> body<span class="op">);</span></span>
|
||
<span id="cb13-17"><a href="#cb13-17" aria-hidden="true" tabindex="-1"></a> </span>
|
||
<span id="cb13-18"><a href="#cb13-18" aria-hidden="true" tabindex="-1"></a> <span class="co">// 验证签名</span></span>
|
||
<span id="cb13-19"><a href="#cb13-19" aria-hidden="true" tabindex="-1"></a> <span class="cf">return</span> signature<span class="op">.</span><span class="fu">equals</span><span class="op">(</span>expectedSignature<span class="op">);</span></span>
|
||
<span id="cb13-20"><a href="#cb13-20" aria-hidden="true" tabindex="-1"></a> <span class="op">}</span></span>
|
||
<span id="cb13-21"><a href="#cb13-21" aria-hidden="true" tabindex="-1"></a> </span>
|
||
<span id="cb13-22"><a href="#cb13-22" aria-hidden="true" tabindex="-1"></a> <span class="kw">private</span> <span class="bu">String</span> <span class="fu">generateSignature</span><span class="op">(</span><span class="bu">String</span> timestamp<span class="op">,</span> <span class="bu">String</span> nonce<span class="op">,</span> <span class="bu">String</span> body<span class="op">)</span> <span class="op">{</span></span>
|
||
<span id="cb13-23"><a href="#cb13-23" aria-hidden="true" tabindex="-1"></a> <span class="bu">String</span> message <span class="op">=</span> timestamp <span class="op">+</span> nonce <span class="op">+</span> body<span class="op">;</span></span>
|
||
<span id="cb13-24"><a href="#cb13-24" aria-hidden="true" tabindex="-1"></a> <span class="cf">return</span> SM3Utils<span class="op">.</span><span class="fu">hash</span><span class="op">(</span>message<span class="op">);</span></span>
|
||
<span id="cb13-25"><a href="#cb13-25" aria-hidden="true" tabindex="-1"></a> <span class="op">}</span></span>
|
||
<span id="cb13-26"><a href="#cb13-26" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
|
||
<h4 data-number="1.6.3.2" id="接口限流防护"><span
|
||
class="header-section-number">1.6.3.2</span> 4.3.2 接口限流防护</h4>
|
||
<div class="sourceCode" id="cb14"><pre
|
||
class="sourceCode java"><code class="sourceCode java"><span id="cb14-1"><a href="#cb14-1" aria-hidden="true" tabindex="-1"></a><span class="at">@Component</span></span>
|
||
<span id="cb14-2"><a href="#cb14-2" aria-hidden="true" tabindex="-1"></a><span class="kw">public</span> <span class="kw">class</span> RateLimitService <span class="op">{</span></span>
|
||
<span id="cb14-3"><a href="#cb14-3" aria-hidden="true" tabindex="-1"></a> </span>
|
||
<span id="cb14-4"><a href="#cb14-4" aria-hidden="true" tabindex="-1"></a> <span class="at">@Autowired</span></span>
|
||
<span id="cb14-5"><a href="#cb14-5" aria-hidden="true" tabindex="-1"></a> <span class="kw">private</span> RedisTemplate<span class="op"><</span><span class="bu">String</span><span class="op">,</span> <span class="bu">String</span><span class="op">></span> redisTemplate<span class="op">;</span></span>
|
||
<span id="cb14-6"><a href="#cb14-6" aria-hidden="true" tabindex="-1"></a> </span>
|
||
<span id="cb14-7"><a href="#cb14-7" aria-hidden="true" tabindex="-1"></a> <span class="kw">public</span> <span class="dt">boolean</span> <span class="fu">isAllowed</span><span class="op">(</span><span class="bu">String</span> key<span class="op">,</span> <span class="dt">int</span> limit<span class="op">,</span> <span class="bu">Duration</span> window<span class="op">)</span> <span class="op">{</span></span>
|
||
<span id="cb14-8"><a href="#cb14-8" aria-hidden="true" tabindex="-1"></a> <span class="bu">String</span> redisKey <span class="op">=</span> <span class="st">"rate_limit:"</span> <span class="op">+</span> key<span class="op">;</span></span>
|
||
<span id="cb14-9"><a href="#cb14-9" aria-hidden="true" tabindex="-1"></a> <span class="bu">String</span> current <span class="op">=</span> redisTemplate<span class="op">.</span><span class="fu">opsForValue</span><span class="op">().</span><span class="fu">get</span><span class="op">(</span>redisKey<span class="op">);</span></span>
|
||
<span id="cb14-10"><a href="#cb14-10" aria-hidden="true" tabindex="-1"></a> </span>
|
||
<span id="cb14-11"><a href="#cb14-11" aria-hidden="true" tabindex="-1"></a> <span class="cf">if</span> <span class="op">(</span>current <span class="op">==</span> <span class="kw">null</span><span class="op">)</span> <span class="op">{</span></span>
|
||
<span id="cb14-12"><a href="#cb14-12" aria-hidden="true" tabindex="-1"></a> redisTemplate<span class="op">.</span><span class="fu">opsForValue</span><span class="op">().</span><span class="fu">set</span><span class="op">(</span>redisKey<span class="op">,</span> <span class="st">"1"</span><span class="op">,</span> window<span class="op">);</span></span>
|
||
<span id="cb14-13"><a href="#cb14-13" aria-hidden="true" tabindex="-1"></a> <span class="cf">return</span> <span class="kw">true</span><span class="op">;</span></span>
|
||
<span id="cb14-14"><a href="#cb14-14" aria-hidden="true" tabindex="-1"></a> <span class="op">}</span></span>
|
||
<span id="cb14-15"><a href="#cb14-15" aria-hidden="true" tabindex="-1"></a> </span>
|
||
<span id="cb14-16"><a href="#cb14-16" aria-hidden="true" tabindex="-1"></a> <span class="dt">int</span> count <span class="op">=</span> <span class="bu">Integer</span><span class="op">.</span><span class="fu">parseInt</span><span class="op">(</span>current<span class="op">);</span></span>
|
||
<span id="cb14-17"><a href="#cb14-17" aria-hidden="true" tabindex="-1"></a> <span class="cf">if</span> <span class="op">(</span>count <span class="op"><</span> limit<span class="op">)</span> <span class="op">{</span></span>
|
||
<span id="cb14-18"><a href="#cb14-18" aria-hidden="true" tabindex="-1"></a> redisTemplate<span class="op">.</span><span class="fu">opsForValue</span><span class="op">().</span><span class="fu">increment</span><span class="op">(</span>redisKey<span class="op">);</span></span>
|
||
<span id="cb14-19"><a href="#cb14-19" aria-hidden="true" tabindex="-1"></a> <span class="cf">return</span> <span class="kw">true</span><span class="op">;</span></span>
|
||
<span id="cb14-20"><a href="#cb14-20" aria-hidden="true" tabindex="-1"></a> <span class="op">}</span></span>
|
||
<span id="cb14-21"><a href="#cb14-21" aria-hidden="true" tabindex="-1"></a> </span>
|
||
<span id="cb14-22"><a href="#cb14-22" aria-hidden="true" tabindex="-1"></a> <span class="cf">return</span> <span class="kw">false</span><span class="op">;</span></span>
|
||
<span id="cb14-23"><a href="#cb14-23" aria-hidden="true" tabindex="-1"></a> <span class="op">}</span></span>
|
||
<span id="cb14-24"><a href="#cb14-24" aria-hidden="true" tabindex="-1"></a><span class="op">}</span></span></code></pre></div>
|
||
<h2 data-number="1.7" id="五网络安全设计"><span
|
||
class="header-section-number">1.7</span> 五、网络安全设计</h2>
|
||
<h3 data-number="1.7.1" id="网络拓扑安全"><span
|
||
class="header-section-number">1.7.1</span> 5.1 网络拓扑安全</h3>
|
||
<p><strong>图表 5</strong></p>
|
||
<figure>
|
||
<img src="temp_mermaid_water_biz_security_design_6403/diagram_5.png"
|
||
alt="图表 5" />
|
||
<figcaption aria-hidden="true">图表 5</figcaption>
|
||
</figure>
|
||
<details>
|
||
<summary>
|
||
查看图表源码
|
||
</summary>
|
||
<pre class="mermaid"><code>graph TB
|
||
subgraph "外网区域"
|
||
INTERNET[互联网]
|
||
CDN[CDN加速]
|
||
DNS[DNS服务]
|
||
end
|
||
|
||
subgraph "边界防护"
|
||
WAF[Web应用防火墙<br/>国产WAF产品]
|
||
FW_BORDER[边界防火墙<br/>安全审计]
|
||
IPS[入侵防护系统<br/>威胁检测]
|
||
DPI[深度包检测<br/>流量分析]
|
||
end
|
||
|
||
subgraph "DMZ区域"
|
||
LB[负载均衡器<br/>SSL卸载]
|
||
WEB1[Web服务器1]
|
||
WEB2[Web服务器2]
|
||
PROXY[反向代理]
|
||
end
|
||
|
||
subgraph "内网安全"
|
||
FW_INTERNAL[内部防火墙]
|
||
VLAN_APP[应用VLAN]
|
||
VLAN_DB[数据库VLAN]
|
||
VLAN_MGT[管理VLAN]
|
||
end
|
||
|
||
subgraph "应用层"
|
||
APP1[应用服务器1]
|
||
APP2[应用服务器2]
|
||
APP3[应用服务器3]
|
||
end
|
||
|
||
subgraph "数据层"
|
||
DB_MASTER[OpenGauss主库]
|
||
DB_SLAVE[OpenGauss从库]
|
||
REDIS[Redis集群]
|
||
end
|
||
|
||
subgraph "管理层"
|
||
JUMP[跳板机]
|
||
MONITOR[监控服务器]
|
||
LOG[日志服务器]
|
||
end
|
||
|
||
INTERNET --> CDN
|
||
CDN --> DNS
|
||
DNS --> WAF
|
||
WAF --> FW_BORDER
|
||
FW_BORDER --> IPS
|
||
IPS --> DPI
|
||
DPI --> LB
|
||
|
||
LB --> WEB1
|
||
LB --> WEB2
|
||
WEB1 --> PROXY
|
||
WEB2 --> PROXY
|
||
|
||
PROXY --> FW_INTERNAL
|
||
FW_INTERNAL --> VLAN_APP
|
||
FW_INTERNAL --> VLAN_DB
|
||
FW_INTERNAL --> VLAN_MGT
|
||
|
||
VLAN_APP --> APP1
|
||
VLAN_APP --> APP2
|
||
VLAN_APP --> APP3
|
||
|
||
VLAN_DB --> DB_MASTER
|
||
VLAN_DB --> DB_SLAVE
|
||
VLAN_DB --> REDIS
|
||
|
||
VLAN_MGT --> JUMP
|
||
VLAN_MGT --> MONITOR
|
||
VLAN_MGT --> LOG
|
||
</code></pre>
|
||
</details>
|
||
<h3 data-number="1.7.2" id="防火墙策略配置"><span
|
||
class="header-section-number">1.7.2</span> 5.2 防火墙策略配置</h3>
|
||
<h4 data-number="1.7.2.1" id="边界防火墙策略"><span
|
||
class="header-section-number">1.7.2.1</span> 5.2.1 边界防火墙策略</h4>
|
||
<div class="sourceCode" id="cb16"><pre
|
||
class="sourceCode bash"><code class="sourceCode bash"><span id="cb16-1"><a href="#cb16-1" aria-hidden="true" tabindex="-1"></a><span class="co"># 允许HTTPS访问</span></span>
|
||
<span id="cb16-2"><a href="#cb16-2" aria-hidden="true" tabindex="-1"></a><span class="ex">iptables</span> <span class="at">-A</span> INPUT <span class="at">-p</span> tcp <span class="at">--dport</span> 443 <span class="at">-j</span> ACCEPT</span>
|
||
<span id="cb16-3"><a href="#cb16-3" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb16-4"><a href="#cb16-4" aria-hidden="true" tabindex="-1"></a><span class="co"># 允许HTTP重定向到HTTPS</span></span>
|
||
<span id="cb16-5"><a href="#cb16-5" aria-hidden="true" tabindex="-1"></a><span class="ex">iptables</span> <span class="at">-A</span> INPUT <span class="at">-p</span> tcp <span class="at">--dport</span> 80 <span class="at">-j</span> ACCEPT</span>
|
||
<span id="cb16-6"><a href="#cb16-6" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb16-7"><a href="#cb16-7" aria-hidden="true" tabindex="-1"></a><span class="co"># 禁止直接数据库访问</span></span>
|
||
<span id="cb16-8"><a href="#cb16-8" aria-hidden="true" tabindex="-1"></a><span class="ex">iptables</span> <span class="at">-A</span> INPUT <span class="at">-p</span> tcp <span class="at">--dport</span> 5432 <span class="at">-s</span> ! 192.168.1.0/24 <span class="at">-j</span> DROP</span>
|
||
<span id="cb16-9"><a href="#cb16-9" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb16-10"><a href="#cb16-10" aria-hidden="true" tabindex="-1"></a><span class="co"># 允许内网SSH管理</span></span>
|
||
<span id="cb16-11"><a href="#cb16-11" aria-hidden="true" tabindex="-1"></a><span class="ex">iptables</span> <span class="at">-A</span> INPUT <span class="at">-p</span> tcp <span class="at">--dport</span> 22 <span class="at">-s</span> 192.168.100.0/24 <span class="at">-j</span> ACCEPT</span>
|
||
<span id="cb16-12"><a href="#cb16-12" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb16-13"><a href="#cb16-13" aria-hidden="true" tabindex="-1"></a><span class="co"># 拒绝其他所有入站连接</span></span>
|
||
<span id="cb16-14"><a href="#cb16-14" aria-hidden="true" tabindex="-1"></a><span class="ex">iptables</span> <span class="at">-A</span> INPUT <span class="at">-j</span> DROP</span></code></pre></div>
|
||
<h4 data-number="1.7.2.2" id="应用层防火墙策略"><span
|
||
class="header-section-number">1.7.2.2</span> 5.2.2 应用层防火墙策略</h4>
|
||
<div class="sourceCode" id="cb17"><pre
|
||
class="sourceCode bash"><code class="sourceCode bash"><span id="cb17-1"><a href="#cb17-1" aria-hidden="true" tabindex="-1"></a><span class="co"># 只允许来自DMZ区的连接</span></span>
|
||
<span id="cb17-2"><a href="#cb17-2" aria-hidden="true" tabindex="-1"></a><span class="ex">iptables</span> <span class="at">-A</span> INPUT <span class="at">-s</span> 192.168.1.0/24 <span class="at">-j</span> ACCEPT</span>
|
||
<span id="cb17-3"><a href="#cb17-3" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb17-4"><a href="#cb17-4" aria-hidden="true" tabindex="-1"></a><span class="co"># 允许访问数据库</span></span>
|
||
<span id="cb17-5"><a href="#cb17-5" aria-hidden="true" tabindex="-1"></a><span class="ex">iptables</span> <span class="at">-A</span> OUTPUT <span class="at">-d</span> 192.168.2.0/24 <span class="at">-p</span> tcp <span class="at">--dport</span> 5432 <span class="at">-j</span> ACCEPT</span>
|
||
<span id="cb17-6"><a href="#cb17-6" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb17-7"><a href="#cb17-7" aria-hidden="true" tabindex="-1"></a><span class="co"># 允许访问Redis</span></span>
|
||
<span id="cb17-8"><a href="#cb17-8" aria-hidden="true" tabindex="-1"></a><span class="ex">iptables</span> <span class="at">-A</span> OUTPUT <span class="at">-d</span> 192.168.2.0/24 <span class="at">-p</span> tcp <span class="at">--dport</span> 6379 <span class="at">-j</span> ACCEPT</span>
|
||
<span id="cb17-9"><a href="#cb17-9" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb17-10"><a href="#cb17-10" aria-hidden="true" tabindex="-1"></a><span class="co"># 允许DNS查询</span></span>
|
||
<span id="cb17-11"><a href="#cb17-11" aria-hidden="true" tabindex="-1"></a><span class="ex">iptables</span> <span class="at">-A</span> OUTPUT <span class="at">-p</span> udp <span class="at">--dport</span> 53 <span class="at">-j</span> ACCEPT</span>
|
||
<span id="cb17-12"><a href="#cb17-12" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb17-13"><a href="#cb17-13" aria-hidden="true" tabindex="-1"></a><span class="co"># 拒绝其他出站连接</span></span>
|
||
<span id="cb17-14"><a href="#cb17-14" aria-hidden="true" tabindex="-1"></a><span class="ex">iptables</span> <span class="at">-A</span> OUTPUT <span class="at">-j</span> DROP</span></code></pre></div>
|
||
<h3 data-number="1.7.3" id="入侵检测与防护"><span
|
||
class="header-section-number">1.7.3</span> 5.3 入侵检测与防护</h3>
|
||
<h4 data-number="1.7.3.1" id="idsips规则配置"><span
|
||
class="header-section-number">1.7.3.1</span> 5.3.1 IDS/IPS规则配置</h4>
|
||
<div class="sourceCode" id="cb18"><pre
|
||
class="sourceCode bash"><code class="sourceCode bash"><span id="cb18-1"><a href="#cb18-1" aria-hidden="true" tabindex="-1"></a><span class="co"># Suricata规则示例</span></span>
|
||
<span id="cb18-2"><a href="#cb18-2" aria-hidden="true" tabindex="-1"></a><span class="ex">alert</span> tcp any any <span class="at">-</span><span class="op">></span> <span class="va">$HOME_NET</span> 443 <span class="er">(</span><span class="ex">msg:</span><span class="st">"Suspicious HTTPS traffic"</span><span class="kw">;</span> <span class="dt">\</span></span>
|
||
<span id="cb18-3"><a href="#cb18-3" aria-hidden="true" tabindex="-1"></a> <span class="ex">content:</span><span class="st">"POST"</span><span class="kw">;</span> <span class="ex">http_method</span><span class="kw">;</span> <span class="ex">content:</span><span class="st">"/api/admin"</span><span class="kw">;</span> <span class="ex">http_uri</span><span class="kw">;</span> <span class="dt">\</span></span>
|
||
<span id="cb18-4"><a href="#cb18-4" aria-hidden="true" tabindex="-1"></a> <span class="ex">threshold:type</span> limit, track by_src, count 10, seconds 60<span class="kw">;</span> <span class="dt">\</span></span>
|
||
<span id="cb18-5"><a href="#cb18-5" aria-hidden="true" tabindex="-1"></a> <span class="ex">sid:10001</span><span class="kw">;</span> <span class="ex">rev:1</span><span class="kw">;)</span></span>
|
||
<span id="cb18-6"><a href="#cb18-6" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb18-7"><a href="#cb18-7" aria-hidden="true" tabindex="-1"></a><span class="ex">alert</span> tcp any any <span class="at">-</span><span class="op">></span> <span class="va">$HOME_NET</span> 5432 <span class="er">(</span><span class="ex">msg:</span><span class="st">"Direct database access attempt"</span><span class="kw">;</span> <span class="dt">\</span></span>
|
||
<span id="cb18-8"><a href="#cb18-8" aria-hidden="true" tabindex="-1"></a> <span class="ex">content:</span><span class="st">"SELECT"</span><span class="kw">;</span> <span class="ex">content:</span><span class="st">"FROM"</span><span class="kw">;</span> <span class="ex">distance:0</span><span class="kw">;</span> <span class="dt">\</span></span>
|
||
<span id="cb18-9"><a href="#cb18-9" aria-hidden="true" tabindex="-1"></a> <span class="ex">sid:10002</span><span class="kw">;</span> <span class="ex">rev:1</span><span class="kw">;)</span></span>
|
||
<span id="cb18-10"><a href="#cb18-10" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb18-11"><a href="#cb18-11" aria-hidden="true" tabindex="-1"></a><span class="ex">alert</span> tcp any any <span class="at">-</span><span class="op">></span> <span class="va">$HOME_NET</span> any <span class="er">(</span><span class="ex">msg:</span><span class="st">"Brute force attack detected"</span><span class="kw">;</span> <span class="dt">\</span></span>
|
||
<span id="cb18-12"><a href="#cb18-12" aria-hidden="true" tabindex="-1"></a> <span class="ex">flags:S</span><span class="kw">;</span> <span class="ex">threshold:type</span> threshold, track by_src, count 100, seconds 60<span class="kw">;</span> <span class="dt">\</span></span>
|
||
<span id="cb18-13"><a href="#cb18-13" aria-hidden="true" tabindex="-1"></a> <span class="ex">sid:10003</span><span class="kw">;</span> <span class="ex">rev:1</span><span class="kw">;)</span></span></code></pre></div>
|
||
<h2 data-number="1.8" id="六数据安全设计"><span
|
||
class="header-section-number">1.8</span> 六、数据安全设计</h2>
|
||
<h3 data-number="1.8.1" id="数据分类分级"><span
|
||
class="header-section-number">1.8.1</span> 6.1 数据分类分级</h3>
|
||
<h4 data-number="1.8.1.1" id="数据分类标准"><span
|
||
class="header-section-number">1.8.1.1</span> 6.1.1 数据分类标准</h4>
|
||
<p><strong>图表 6</strong></p>
|
||
<figure>
|
||
<img src="temp_mermaid_water_biz_security_design_6403/diagram_6.png"
|
||
alt="图表 6" />
|
||
<figcaption aria-hidden="true">图表 6</figcaption>
|
||
</figure>
|
||
<details>
|
||
<summary>
|
||
查看图表源码
|
||
</summary>
|
||
<pre class="mermaid"><code>graph TB
|
||
subgraph "数据分类"
|
||
TOP_SECRET[绝密级<br/>核心商业机密]
|
||
SECRET[机密级<br/>重要业务数据]
|
||
INTERNAL[内部级<br/>一般业务数据]
|
||
PUBLIC[公开级<br/>公开业务数据]
|
||
end
|
||
|
||
subgraph "水务业务数据"
|
||
CUSTOMER[客户身份信息<br/>机密级]
|
||
METER[水表计量数据<br/>内部级]
|
||
BILLING[收费账务数据<br/>机密级]
|
||
REPORT[统计报表数据<br/>内部级]
|
||
CONFIG[系统配置数据<br/>内部级]
|
||
LOG[日志审计数据<br/>内部级]
|
||
end
|
||
|
||
subgraph "保护措施"
|
||
ENC_HIGH[强加密<br/>SM4+数字签名]
|
||
ENC_MID[加密存储<br/>SM4算法]
|
||
ENC_LOW[访问控制<br/>权限管理]
|
||
ENC_NONE[公开访问<br/>无特殊保护]
|
||
end
|
||
|
||
TOP_SECRET --> ENC_HIGH
|
||
SECRET --> ENC_MID
|
||
INTERNAL --> ENC_LOW
|
||
PUBLIC --> ENC_NONE
|
||
|
||
CUSTOMER --> SECRET
|
||
BILLING --> SECRET
|
||
METER --> INTERNAL
|
||
REPORT --> INTERNAL
|
||
CONFIG --> INTERNAL
|
||
LOG --> INTERNAL
|
||
</code></pre>
|
||
</details>
|
||
<h4 data-number="1.8.1.2" id="数据保护策略"><span
|
||
class="header-section-number">1.8.1.2</span> 6.1.2 数据保护策略</h4>
|
||
<div class="sourceCode" id="cb20"><pre
|
||
class="sourceCode sql"><code class="sourceCode sql"><span id="cb20-1"><a href="#cb20-1" aria-hidden="true" tabindex="-1"></a><span class="co">-- 客户敏感信息表(机密级)</span></span>
|
||
<span id="cb20-2"><a href="#cb20-2" aria-hidden="true" tabindex="-1"></a><span class="kw">CREATE</span> <span class="kw">TABLE</span> water_customer_sensitive (</span>
|
||
<span id="cb20-3"><a href="#cb20-3" aria-hidden="true" tabindex="-1"></a> <span class="kw">id</span> SERIAL <span class="kw">PRIMARY</span> <span class="kw">KEY</span>,</span>
|
||
<span id="cb20-4"><a href="#cb20-4" aria-hidden="true" tabindex="-1"></a> customer_id BIGINT <span class="kw">NOT</span> <span class="kw">NULL</span>,</span>
|
||
<span id="cb20-5"><a href="#cb20-5" aria-hidden="true" tabindex="-1"></a> <span class="co">-- 身份证号:强加密存储</span></span>
|
||
<span id="cb20-6"><a href="#cb20-6" aria-hidden="true" tabindex="-1"></a> id_card_encrypted <span class="dt">VARCHAR</span>(<span class="dv">200</span>) ENCRYPTED <span class="kw">WITH</span> (</span>
|
||
<span id="cb20-7"><a href="#cb20-7" aria-hidden="true" tabindex="-1"></a> COLUMN_ENCRYPTION_KEY <span class="op">=</span> customer_sensitive_key,</span>
|
||
<span id="cb20-8"><a href="#cb20-8" aria-hidden="true" tabindex="-1"></a> ENCRYPTION_TYPE <span class="op">=</span> RANDOMIZED,</span>
|
||
<span id="cb20-9"><a href="#cb20-9" aria-hidden="true" tabindex="-1"></a> ALGORITHM <span class="op">=</span> <span class="st">'SM4-CTR'</span></span>
|
||
<span id="cb20-10"><a href="#cb20-10" aria-hidden="true" tabindex="-1"></a> ),</span>
|
||
<span id="cb20-11"><a href="#cb20-11" aria-hidden="true" tabindex="-1"></a> <span class="co">-- 银行卡号:强加密存储</span></span>
|
||
<span id="cb20-12"><a href="#cb20-12" aria-hidden="true" tabindex="-1"></a> bank_account_encrypted <span class="dt">VARCHAR</span>(<span class="dv">200</span>) ENCRYPTED <span class="kw">WITH</span> (</span>
|
||
<span id="cb20-13"><a href="#cb20-13" aria-hidden="true" tabindex="-1"></a> COLUMN_ENCRYPTION_KEY <span class="op">=</span> customer_sensitive_key,</span>
|
||
<span id="cb20-14"><a href="#cb20-14" aria-hidden="true" tabindex="-1"></a> ENCRYPTION_TYPE <span class="op">=</span> RANDOMIZED,</span>
|
||
<span id="cb20-15"><a href="#cb20-15" aria-hidden="true" tabindex="-1"></a> ALGORITHM <span class="op">=</span> <span class="st">'SM4-CTR'</span></span>
|
||
<span id="cb20-16"><a href="#cb20-16" aria-hidden="true" tabindex="-1"></a> ),</span>
|
||
<span id="cb20-17"><a href="#cb20-17" aria-hidden="true" tabindex="-1"></a> <span class="co">-- 手机号:确定性加密,支持查询</span></span>
|
||
<span id="cb20-18"><a href="#cb20-18" aria-hidden="true" tabindex="-1"></a> phone_encrypted <span class="dt">VARCHAR</span>(<span class="dv">200</span>) ENCRYPTED <span class="kw">WITH</span> (</span>
|
||
<span id="cb20-19"><a href="#cb20-19" aria-hidden="true" tabindex="-1"></a> COLUMN_ENCRYPTION_KEY <span class="op">=</span> customer_sensitive_key,</span>
|
||
<span id="cb20-20"><a href="#cb20-20" aria-hidden="true" tabindex="-1"></a> ENCRYPTION_TYPE <span class="op">=</span> DETERMINISTIC,</span>
|
||
<span id="cb20-21"><a href="#cb20-21" aria-hidden="true" tabindex="-1"></a> ALGORITHM <span class="op">=</span> <span class="st">'SM4-CTR'</span></span>
|
||
<span id="cb20-22"><a href="#cb20-22" aria-hidden="true" tabindex="-1"></a> ),</span>
|
||
<span id="cb20-23"><a href="#cb20-23" aria-hidden="true" tabindex="-1"></a> created_at <span class="dt">TIMESTAMP</span> <span class="kw">DEFAULT</span> <span class="fu">CURRENT_TIMESTAMP</span>,</span>
|
||
<span id="cb20-24"><a href="#cb20-24" aria-hidden="true" tabindex="-1"></a> updated_at <span class="dt">TIMESTAMP</span> <span class="kw">DEFAULT</span> <span class="fu">CURRENT_TIMESTAMP</span></span>
|
||
<span id="cb20-25"><a href="#cb20-25" aria-hidden="true" tabindex="-1"></a>);</span>
|
||
<span id="cb20-26"><a href="#cb20-26" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb20-27"><a href="#cb20-27" aria-hidden="true" tabindex="-1"></a><span class="co">-- 创建行级安全策略</span></span>
|
||
<span id="cb20-28"><a href="#cb20-28" aria-hidden="true" tabindex="-1"></a><span class="kw">CREATE</span> POLICY customer_sensitive_policy <span class="kw">ON</span> water_customer_sensitive</span>
|
||
<span id="cb20-29"><a href="#cb20-29" aria-hidden="true" tabindex="-1"></a><span class="cf">FOR</span> <span class="kw">ALL</span> <span class="kw">TO</span> water_customer_service_role</span>
|
||
<span id="cb20-30"><a href="#cb20-30" aria-hidden="true" tabindex="-1"></a><span class="kw">USING</span> (</span>
|
||
<span id="cb20-31"><a href="#cb20-31" aria-hidden="true" tabindex="-1"></a> customer_id <span class="kw">IN</span> (</span>
|
||
<span id="cb20-32"><a href="#cb20-32" aria-hidden="true" tabindex="-1"></a> <span class="kw">SELECT</span> customer_id <span class="kw">FROM</span> water_customer </span>
|
||
<span id="cb20-33"><a href="#cb20-33" aria-hidden="true" tabindex="-1"></a> <span class="kw">WHERE</span> tenant_id <span class="op">=</span> current_setting(<span class="st">'app.current_tenant_id'</span>):<span class="ch">:bigint</span></span>
|
||
<span id="cb20-34"><a href="#cb20-34" aria-hidden="true" tabindex="-1"></a> )</span>
|
||
<span id="cb20-35"><a href="#cb20-35" aria-hidden="true" tabindex="-1"></a>);</span></code></pre></div>
|
||
<h3 data-number="1.8.2" id="数据备份与恢复安全"><span
|
||
class="header-section-number">1.8.2</span> 6.2 数据备份与恢复安全</h3>
|
||
<h4 data-number="1.8.2.1" id="备份加密策略"><span
|
||
class="header-section-number">1.8.2.1</span> 6.2.1 备份加密策略</h4>
|
||
<div class="sourceCode" id="cb21"><pre
|
||
class="sourceCode bash"><code class="sourceCode bash"><span id="cb21-1"><a href="#cb21-1" aria-hidden="true" tabindex="-1"></a><span class="co">#!/bin/bash</span></span>
|
||
<span id="cb21-2"><a href="#cb21-2" aria-hidden="true" tabindex="-1"></a><span class="co"># OpenGauss安全备份脚本</span></span>
|
||
<span id="cb21-3"><a href="#cb21-3" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb21-4"><a href="#cb21-4" aria-hidden="true" tabindex="-1"></a><span class="co"># 设置备份参数</span></span>
|
||
<span id="cb21-5"><a href="#cb21-5" aria-hidden="true" tabindex="-1"></a><span class="va">BACKUP_DIR</span><span class="op">=</span><span class="st">"/backup/opengauss"</span></span>
|
||
<span id="cb21-6"><a href="#cb21-6" aria-hidden="true" tabindex="-1"></a><span class="va">DATE</span><span class="op">=</span><span class="va">$(</span><span class="fu">date</span> +%Y%m%d_%H%M%S<span class="va">)</span></span>
|
||
<span id="cb21-7"><a href="#cb21-7" aria-hidden="true" tabindex="-1"></a><span class="va">BACKUP_FILE</span><span class="op">=</span><span class="st">"water_biz_backup_</span><span class="va">${DATE}</span><span class="st">.tar.gz"</span></span>
|
||
<span id="cb21-8"><a href="#cb21-8" aria-hidden="true" tabindex="-1"></a><span class="va">ENCRYPT_KEY</span><span class="op">=</span><span class="st">"/etc/opengauss/backup_key.key"</span></span>
|
||
<span id="cb21-9"><a href="#cb21-9" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb21-10"><a href="#cb21-10" aria-hidden="true" tabindex="-1"></a><span class="co"># 创建加密备份</span></span>
|
||
<span id="cb21-11"><a href="#cb21-11" aria-hidden="true" tabindex="-1"></a><span class="ex">gs_backup</span> <span class="at">-D</span> <span class="va">$GAUSSDATA</span> <span class="at">-U</span> gaussdb <span class="dt">\</span></span>
|
||
<span id="cb21-12"><a href="#cb21-12" aria-hidden="true" tabindex="-1"></a> <span class="at">--encrypt</span> <span class="at">--encrypt-key-file</span><span class="op">=</span><span class="va">$ENCRYPT_KEY</span> <span class="dt">\</span></span>
|
||
<span id="cb21-13"><a href="#cb21-13" aria-hidden="true" tabindex="-1"></a> <span class="at">--backup-format</span><span class="op">=</span>tar <span class="dt">\</span></span>
|
||
<span id="cb21-14"><a href="#cb21-14" aria-hidden="true" tabindex="-1"></a> <span class="at">--backup-path</span><span class="op">=</span><span class="va">$BACKUP_DIR</span>/<span class="va">$BACKUP_FILE</span></span>
|
||
<span id="cb21-15"><a href="#cb21-15" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb21-16"><a href="#cb21-16" aria-hidden="true" tabindex="-1"></a><span class="co"># 验证备份完整性</span></span>
|
||
<span id="cb21-17"><a href="#cb21-17" aria-hidden="true" tabindex="-1"></a><span class="ex">openssl</span> dgst <span class="at">-sm3</span> <span class="va">$BACKUP_DIR</span>/<span class="va">$BACKUP_FILE</span> <span class="op">></span> <span class="va">$BACKUP_DIR</span>/<span class="va">$BACKUP_FILE</span>.sm3</span>
|
||
<span id="cb21-18"><a href="#cb21-18" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb21-19"><a href="#cb21-19" aria-hidden="true" tabindex="-1"></a><span class="co"># 安全传输到异地备份中心</span></span>
|
||
<span id="cb21-20"><a href="#cb21-20" aria-hidden="true" tabindex="-1"></a><span class="fu">rsync</span> <span class="at">-avz</span> <span class="at">--delete</span> <span class="va">$BACKUP_DIR</span>/ backup-server:/backup/remote/</span></code></pre></div>
|
||
<h4 data-number="1.8.2.2" id="数据恢复流程"><span
|
||
class="header-section-number">1.8.2.2</span> 6.2.2 数据恢复流程</h4>
|
||
<div class="sourceCode" id="cb22"><pre
|
||
class="sourceCode sql"><code class="sourceCode sql"><span id="cb22-1"><a href="#cb22-1" aria-hidden="true" tabindex="-1"></a><span class="co">-- 恢复前验证备份完整性</span></span>
|
||
<span id="cb22-2"><a href="#cb22-2" aria-hidden="true" tabindex="-1"></a><span class="co">-- 1. 验证SM3摘要</span></span>
|
||
<span id="cb22-3"><a href="#cb22-3" aria-hidden="true" tabindex="-1"></a><span class="co">-- 2. 解密备份文件</span></span>
|
||
<span id="cb22-4"><a href="#cb22-4" aria-hidden="true" tabindex="-1"></a><span class="co">-- 3. 验证数据库结构</span></span>
|
||
<span id="cb22-5"><a href="#cb22-5" aria-hidden="true" tabindex="-1"></a><span class="co">-- 4. 执行恢复操作</span></span>
|
||
<span id="cb22-6"><a href="#cb22-6" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb22-7"><a href="#cb22-7" aria-hidden="true" tabindex="-1"></a><span class="co">-- 创建恢复测试环境</span></span>
|
||
<span id="cb22-8"><a href="#cb22-8" aria-hidden="true" tabindex="-1"></a><span class="kw">CREATE</span> <span class="kw">DATABASE</span> water_biz_recovery_test;</span>
|
||
<span id="cb22-9"><a href="#cb22-9" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb22-10"><a href="#cb22-10" aria-hidden="true" tabindex="-1"></a><span class="co">-- 恢复数据到测试环境</span></span>
|
||
<span id="cb22-11"><a href="#cb22-11" aria-hidden="true" tabindex="-1"></a><span class="co">-- 执行恢复SQL脚本</span></span>
|
||
<span id="cb22-12"><a href="#cb22-12" aria-hidden="true" tabindex="-1"></a>\i <span class="op">/</span><span class="kw">backup</span><span class="op">/</span>water_biz_recovery.sql;</span>
|
||
<span id="cb22-13"><a href="#cb22-13" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb22-14"><a href="#cb22-14" aria-hidden="true" tabindex="-1"></a><span class="co">-- 验证数据完整性</span></span>
|
||
<span id="cb22-15"><a href="#cb22-15" aria-hidden="true" tabindex="-1"></a><span class="kw">SELECT</span> <span class="fu">COUNT</span>(<span class="op">*</span>) <span class="kw">FROM</span> water_customer;</span>
|
||
<span id="cb22-16"><a href="#cb22-16" aria-hidden="true" tabindex="-1"></a><span class="kw">SELECT</span> <span class="fu">COUNT</span>(<span class="op">*</span>) <span class="kw">FROM</span> water_meter_reading;</span>
|
||
<span id="cb22-17"><a href="#cb22-17" aria-hidden="true" tabindex="-1"></a><span class="kw">SELECT</span> <span class="fu">COUNT</span>(<span class="op">*</span>) <span class="kw">FROM</span> water_billing;</span>
|
||
<span id="cb22-18"><a href="#cb22-18" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb22-19"><a href="#cb22-19" aria-hidden="true" tabindex="-1"></a><span class="co">-- 验证加密数据</span></span>
|
||
<span id="cb22-20"><a href="#cb22-20" aria-hidden="true" tabindex="-1"></a><span class="kw">SELECT</span> <span class="kw">id</span>, </span>
|
||
<span id="cb22-21"><a href="#cb22-21" aria-hidden="true" tabindex="-1"></a> pgp_sym_decrypt(id_card_encrypted, <span class="st">'encryption_key'</span>) <span class="kw">as</span> id_card</span>
|
||
<span id="cb22-22"><a href="#cb22-22" aria-hidden="true" tabindex="-1"></a><span class="kw">FROM</span> water_customer_sensitive <span class="kw">LIMIT</span> <span class="dv">1</span>;</span></code></pre></div>
|
||
<h3 data-number="1.8.3" id="数据销毁与清理"><span
|
||
class="header-section-number">1.8.3</span> 6.3 数据销毁与清理</h3>
|
||
<h4 data-number="1.8.3.1" id="安全数据销毁"><span
|
||
class="header-section-number">1.8.3.1</span> 6.3.1 安全数据销毁</h4>
|
||
<div class="sourceCode" id="cb23"><pre
|
||
class="sourceCode sql"><code class="sourceCode sql"><span id="cb23-1"><a href="#cb23-1" aria-hidden="true" tabindex="-1"></a><span class="co">-- 创建安全数据销毁函数</span></span>
|
||
<span id="cb23-2"><a href="#cb23-2" aria-hidden="true" tabindex="-1"></a><span class="kw">CREATE</span> <span class="kw">OR</span> <span class="kw">REPLACE</span> <span class="kw">FUNCTION</span> secure_data_destroy(table_name TEXT, where_clause TEXT)</span>
|
||
<span id="cb23-3"><a href="#cb23-3" aria-hidden="true" tabindex="-1"></a>RETURNS <span class="dt">BOOLEAN</span> <span class="kw">AS</span> $$</span>
|
||
<span id="cb23-4"><a href="#cb23-4" aria-hidden="true" tabindex="-1"></a><span class="kw">DECLARE</span></span>
|
||
<span id="cb23-5"><a href="#cb23-5" aria-hidden="true" tabindex="-1"></a> sql_cmd TEXT;</span>
|
||
<span id="cb23-6"><a href="#cb23-6" aria-hidden="true" tabindex="-1"></a> affected_rows <span class="dt">INTEGER</span>;</span>
|
||
<span id="cb23-7"><a href="#cb23-7" aria-hidden="true" tabindex="-1"></a><span class="cf">BEGIN</span></span>
|
||
<span id="cb23-8"><a href="#cb23-8" aria-hidden="true" tabindex="-1"></a> <span class="co">-- 构建删除SQL</span></span>
|
||
<span id="cb23-9"><a href="#cb23-9" aria-hidden="true" tabindex="-1"></a> sql_cmd <span class="op">:=</span> <span class="st">'DELETE FROM '</span> <span class="op">||</span> table_name <span class="op">||</span> <span class="st">' WHERE '</span> <span class="op">||</span> where_clause;</span>
|
||
<span id="cb23-10"><a href="#cb23-10" aria-hidden="true" tabindex="-1"></a> </span>
|
||
<span id="cb23-11"><a href="#cb23-11" aria-hidden="true" tabindex="-1"></a> <span class="co">-- 执行删除</span></span>
|
||
<span id="cb23-12"><a href="#cb23-12" aria-hidden="true" tabindex="-1"></a> <span class="kw">EXECUTE</span> sql_cmd;</span>
|
||
<span id="cb23-13"><a href="#cb23-13" aria-hidden="true" tabindex="-1"></a> GET DIAGNOSTICS affected_rows <span class="op">=</span> ROW_COUNT;</span>
|
||
<span id="cb23-14"><a href="#cb23-14" aria-hidden="true" tabindex="-1"></a> </span>
|
||
<span id="cb23-15"><a href="#cb23-15" aria-hidden="true" tabindex="-1"></a> <span class="co">-- 记录审计日志</span></span>
|
||
<span id="cb23-16"><a href="#cb23-16" aria-hidden="true" tabindex="-1"></a> <span class="kw">INSERT</span> <span class="kw">INTO</span> data_destroy_audit (</span>
|
||
<span id="cb23-17"><a href="#cb23-17" aria-hidden="true" tabindex="-1"></a> table_name, where_clause, affected_rows, </span>
|
||
<span id="cb23-18"><a href="#cb23-18" aria-hidden="true" tabindex="-1"></a> <span class="kw">operator</span>, operation_time</span>
|
||
<span id="cb23-19"><a href="#cb23-19" aria-hidden="true" tabindex="-1"></a> ) <span class="kw">VALUES</span> (</span>
|
||
<span id="cb23-20"><a href="#cb23-20" aria-hidden="true" tabindex="-1"></a> table_name, where_clause, affected_rows,</span>
|
||
<span id="cb23-21"><a href="#cb23-21" aria-hidden="true" tabindex="-1"></a> current_user, <span class="fu">current_timestamp</span></span>
|
||
<span id="cb23-22"><a href="#cb23-22" aria-hidden="true" tabindex="-1"></a> );</span>
|
||
<span id="cb23-23"><a href="#cb23-23" aria-hidden="true" tabindex="-1"></a> </span>
|
||
<span id="cb23-24"><a href="#cb23-24" aria-hidden="true" tabindex="-1"></a> <span class="co">-- 执行VACUUM清理物理空间</span></span>
|
||
<span id="cb23-25"><a href="#cb23-25" aria-hidden="true" tabindex="-1"></a> <span class="kw">EXECUTE</span> <span class="st">'VACUUM FULL '</span> <span class="op">||</span> table_name;</span>
|
||
<span id="cb23-26"><a href="#cb23-26" aria-hidden="true" tabindex="-1"></a> </span>
|
||
<span id="cb23-27"><a href="#cb23-27" aria-hidden="true" tabindex="-1"></a> <span class="kw">RETURN</span> <span class="kw">TRUE</span>;</span>
|
||
<span id="cb23-28"><a href="#cb23-28" aria-hidden="true" tabindex="-1"></a><span class="kw">EXCEPTION</span></span>
|
||
<span id="cb23-29"><a href="#cb23-29" aria-hidden="true" tabindex="-1"></a> <span class="cf">WHEN</span> OTHERS <span class="cf">THEN</span></span>
|
||
<span id="cb23-30"><a href="#cb23-30" aria-hidden="true" tabindex="-1"></a> RAISE <span class="kw">EXCEPTION</span> <span class="st">'数据销毁失败: %'</span>, SQLERRM;</span>
|
||
<span id="cb23-31"><a href="#cb23-31" aria-hidden="true" tabindex="-1"></a> <span class="kw">RETURN</span> <span class="kw">FALSE</span>;</span>
|
||
<span id="cb23-32"><a href="#cb23-32" aria-hidden="true" tabindex="-1"></a><span class="cf">END</span>;</span>
|
||
<span id="cb23-33"><a href="#cb23-33" aria-hidden="true" tabindex="-1"></a>$$ LANGUAGE plpgsql;</span>
|
||
<span id="cb23-34"><a href="#cb23-34" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb23-35"><a href="#cb23-35" aria-hidden="true" tabindex="-1"></a><span class="co">-- 示例:销毁3年前的历史数据</span></span>
|
||
<span id="cb23-36"><a href="#cb23-36" aria-hidden="true" tabindex="-1"></a><span class="kw">SELECT</span> secure_data_destroy(</span>
|
||
<span id="cb23-37"><a href="#cb23-37" aria-hidden="true" tabindex="-1"></a> <span class="st">'water_meter_reading_history'</span>,</span>
|
||
<span id="cb23-38"><a href="#cb23-38" aria-hidden="true" tabindex="-1"></a> <span class="st">'reading_date < CURRENT_DATE - INTERVAL </span><span class="ch">''</span><span class="st">3 years</span><span class="ch">''</span><span class="st">'</span></span>
|
||
<span id="cb23-39"><a href="#cb23-39" aria-hidden="true" tabindex="-1"></a>);</span></code></pre></div>
|
||
<h2 data-number="1.9" id="七运维安全设计"><span
|
||
class="header-section-number">1.9</span> 七、运维安全设计</h2>
|
||
<h3 data-number="1.9.1" id="安全监控体系"><span
|
||
class="header-section-number">1.9.1</span> 7.1 安全监控体系</h3>
|
||
<h4 data-number="1.9.1.1" id="安全监控架构"><span
|
||
class="header-section-number">1.9.1.1</span> 7.1.1 安全监控架构</h4>
|
||
<p><strong>图表 7</strong></p>
|
||
<figure>
|
||
<img src="temp_mermaid_water_biz_security_design_6403/diagram_7.png"
|
||
alt="图表 7" />
|
||
<figcaption aria-hidden="true">图表 7</figcaption>
|
||
</figure>
|
||
<details>
|
||
<summary>
|
||
查看图表源码
|
||
</summary>
|
||
<pre class="mermaid"><code>graph TB
|
||
subgraph "数据采集层"
|
||
AGENT1[系统日志采集]
|
||
AGENT2[应用日志采集]
|
||
AGENT3[数据库日志采集]
|
||
AGENT4[网络流量采集]
|
||
end
|
||
|
||
subgraph "数据处理层"
|
||
KAFKA[消息队列<br/>Kafka集群]
|
||
STREAM[流处理<br/>Flink/Storm]
|
||
ETL[数据清洗<br/>Logstash]
|
||
end
|
||
|
||
subgraph "存储分析层"
|
||
ES[Elasticsearch<br/>日志存储]
|
||
SIEM[安全信息事件管理<br/>SIEM平台]
|
||
AI[智能分析<br/>机器学习]
|
||
end
|
||
|
||
subgraph "可视化层"
|
||
DASHBOARD[监控仪表盘<br/>Grafana]
|
||
ALERT[告警系统<br/>AlertManager]
|
||
REPORT[安全报告<br/>自动生成]
|
||
end
|
||
|
||
AGENT1 --> KAFKA
|
||
AGENT2 --> KAFKA
|
||
AGENT3 --> KAFKA
|
||
AGENT4 --> KAFKA
|
||
|
||
KAFKA --> STREAM
|
||
STREAM --> ETL
|
||
ETL --> ES
|
||
|
||
ES --> SIEM
|
||
SIEM --> AI
|
||
AI --> DASHBOARD
|
||
|
||
DASHBOARD --> ALERT
|
||
ALERT --> REPORT
|
||
</code></pre>
|
||
</details>
|
||
<h4 data-number="1.9.1.2" id="安全事件检测规则"><span
|
||
class="header-section-number">1.9.1.2</span> 7.1.2 安全事件检测规则</h4>
|
||
<div class="sourceCode" id="cb25"><pre
|
||
class="sourceCode yaml"><code class="sourceCode yaml"><span id="cb25-1"><a href="#cb25-1" aria-hidden="true" tabindex="-1"></a><span class="co"># 安全事件检测规则配置</span></span>
|
||
<span id="cb25-2"><a href="#cb25-2" aria-hidden="true" tabindex="-1"></a><span class="fu">security_rules</span><span class="kw">:</span></span>
|
||
<span id="cb25-3"><a href="#cb25-3" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">name</span><span class="kw">:</span><span class="at"> </span><span class="st">"暴力破解检测"</span></span>
|
||
<span id="cb25-4"><a href="#cb25-4" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">type</span><span class="kw">:</span><span class="at"> </span><span class="st">"authentication"</span></span>
|
||
<span id="cb25-5"><a href="#cb25-5" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">condition</span><span class="kw">:</span><span class="at"> </span><span class="st">"failed_login_count > 5 in 5 minutes"</span></span>
|
||
<span id="cb25-6"><a href="#cb25-6" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">severity</span><span class="kw">:</span><span class="at"> </span><span class="st">"high"</span></span>
|
||
<span id="cb25-7"><a href="#cb25-7" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">action</span><span class="kw">:</span><span class="at"> </span><span class="kw">[</span><span class="st">"block_ip"</span><span class="kw">,</span><span class="at"> </span><span class="st">"send_alert"</span><span class="kw">]</span></span>
|
||
<span id="cb25-8"><a href="#cb25-8" aria-hidden="true" tabindex="-1"></a><span class="at"> </span></span>
|
||
<span id="cb25-9"><a href="#cb25-9" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">name</span><span class="kw">:</span><span class="at"> </span><span class="st">"异常数据访问"</span></span>
|
||
<span id="cb25-10"><a href="#cb25-10" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">type</span><span class="kw">:</span><span class="at"> </span><span class="st">"data_access"</span></span>
|
||
<span id="cb25-11"><a href="#cb25-11" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">condition</span><span class="kw">:</span><span class="at"> </span><span class="st">"query_count > 1000 in 1 minute"</span></span>
|
||
<span id="cb25-12"><a href="#cb25-12" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">severity</span><span class="kw">:</span><span class="at"> </span><span class="st">"medium"</span></span>
|
||
<span id="cb25-13"><a href="#cb25-13" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">action</span><span class="kw">:</span><span class="at"> </span><span class="kw">[</span><span class="st">"rate_limit"</span><span class="kw">,</span><span class="at"> </span><span class="st">"send_alert"</span><span class="kw">]</span></span>
|
||
<span id="cb25-14"><a href="#cb25-14" aria-hidden="true" tabindex="-1"></a><span class="at"> </span></span>
|
||
<span id="cb25-15"><a href="#cb25-15" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">name</span><span class="kw">:</span><span class="at"> </span><span class="st">"权限提升检测"</span></span>
|
||
<span id="cb25-16"><a href="#cb25-16" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">type</span><span class="kw">:</span><span class="at"> </span><span class="st">"privilege_escalation"</span></span>
|
||
<span id="cb25-17"><a href="#cb25-17" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">condition</span><span class="kw">:</span><span class="at"> </span><span class="st">"role_change to admin"</span></span>
|
||
<span id="cb25-18"><a href="#cb25-18" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">severity</span><span class="kw">:</span><span class="at"> </span><span class="st">"critical"</span></span>
|
||
<span id="cb25-19"><a href="#cb25-19" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">action</span><span class="kw">:</span><span class="at"> </span><span class="kw">[</span><span class="st">"block_user"</span><span class="kw">,</span><span class="at"> </span><span class="st">"send_alert"</span><span class="kw">,</span><span class="at"> </span><span class="st">"create_incident"</span><span class="kw">]</span></span>
|
||
<span id="cb25-20"><a href="#cb25-20" aria-hidden="true" tabindex="-1"></a><span class="at"> </span></span>
|
||
<span id="cb25-21"><a href="#cb25-21" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="kw">-</span><span class="at"> </span><span class="fu">name</span><span class="kw">:</span><span class="at"> </span><span class="st">"异常时间访问"</span></span>
|
||
<span id="cb25-22"><a href="#cb25-22" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">type</span><span class="kw">:</span><span class="at"> </span><span class="st">"abnormal_access"</span></span>
|
||
<span id="cb25-23"><a href="#cb25-23" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">condition</span><span class="kw">:</span><span class="at"> </span><span class="st">"access_time between 22:00 and 06:00"</span></span>
|
||
<span id="cb25-24"><a href="#cb25-24" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">severity</span><span class="kw">:</span><span class="at"> </span><span class="st">"medium"</span></span>
|
||
<span id="cb25-25"><a href="#cb25-25" aria-hidden="true" tabindex="-1"></a><span class="at"> </span><span class="fu">action</span><span class="kw">:</span><span class="at"> </span><span class="kw">[</span><span class="st">"log_event"</span><span class="kw">,</span><span class="at"> </span><span class="st">"send_alert"</span><span class="kw">]</span></span></code></pre></div>
|
||
<h3 data-number="1.9.2" id="漏洞管理"><span
|
||
class="header-section-number">1.9.2</span> 7.2 漏洞管理</h3>
|
||
<h4 data-number="1.9.2.1" id="漏洞扫描策略"><span
|
||
class="header-section-number">1.9.2.1</span> 7.2.1 漏洞扫描策略</h4>
|
||
<div class="sourceCode" id="cb26"><pre
|
||
class="sourceCode bash"><code class="sourceCode bash"><span id="cb26-1"><a href="#cb26-1" aria-hidden="true" tabindex="-1"></a><span class="co">#!/bin/bash</span></span>
|
||
<span id="cb26-2"><a href="#cb26-2" aria-hidden="true" tabindex="-1"></a><span class="co"># 系统漏洞扫描脚本</span></span>
|
||
<span id="cb26-3"><a href="#cb26-3" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb26-4"><a href="#cb26-4" aria-hidden="true" tabindex="-1"></a><span class="co"># 扫描操作系统漏洞</span></span>
|
||
<span id="cb26-5"><a href="#cb26-5" aria-hidden="true" tabindex="-1"></a><span class="fu">nmap</span> <span class="at">-sV</span> <span class="at">--script</span> vulners localhost</span>
|
||
<span id="cb26-6"><a href="#cb26-6" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb26-7"><a href="#cb26-7" aria-hidden="true" tabindex="-1"></a><span class="co"># 扫描Web应用漏洞</span></span>
|
||
<span id="cb26-8"><a href="#cb26-8" aria-hidden="true" tabindex="-1"></a><span class="ex">nikto</span> <span class="at">-h</span> https://water.example.com <span class="at">-ssl</span></span>
|
||
<span id="cb26-9"><a href="#cb26-9" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb26-10"><a href="#cb26-10" aria-hidden="true" tabindex="-1"></a><span class="co"># 扫描数据库漏洞</span></span>
|
||
<span id="cb26-11"><a href="#cb26-11" aria-hidden="true" tabindex="-1"></a><span class="fu">nmap</span> <span class="at">-p</span> 5432 <span class="at">--script</span> pgsql-brute,pgsql-databases localhost</span>
|
||
<span id="cb26-12"><a href="#cb26-12" aria-hidden="true" tabindex="-1"></a></span>
|
||
<span id="cb26-13"><a href="#cb26-13" aria-hidden="true" tabindex="-1"></a><span class="co"># 生成漏洞报告</span></span>
|
||
<span id="cb26-14"><a href="#cb26-14" aria-hidden="true" tabindex="-1"></a><span class="fu">cat</span> <span class="op">></span> vulnerability_report.html <span class="op"><< EOF</span></span>
|
||
<span id="cb26-15"><a href="#cb26-15" aria-hidden="true" tabindex="-1"></a><span class="st"><!DOCTYPE html></span></span>
|
||
<span id="cb26-16"><a href="#cb26-16" aria-hidden="true" tabindex="-1"></a><span class="st"><html></span></span>
|
||
<span id="cb26-17"><a href="#cb26-17" aria-hidden="true" tabindex="-1"></a><span class="st"><head></span></span>
|
||
<span id="cb26-18"><a href="#cb26-18" aria-hidden="true" tabindex="-1"></a><span class="st"> <title>安全漏洞扫描报告</title></span></span>
|
||
<span id="cb26-19"><a href="#cb26-19" aria-hidden="true" tabindex="-1"></a><span class="st"></head></span></span>
|
||
<span id="cb26-20"><a href="#cb26-20" aria-hidden="true" tabindex="-1"></a><span class="st"><body></span></span>
|
||
<span id="cb26-21"><a href="#cb26-21" aria-hidden="true" tabindex="-1"></a><span class="st"> <h1>福建水务营收系统漏洞扫描报告</h1></span></span>
|
||
<span id="cb26-22"><a href="#cb26-22" aria-hidden="true" tabindex="-1"></a><span class="st"> <p>扫描时间:</span><span class="va">$(</span><span class="fu">date</span><span class="va">)</span><span class="st"></p></span></span>
|
||
<span id="cb26-23"><a href="#cb26-23" aria-hidden="true" tabindex="-1"></a><span class="st"> <h2>高危漏洞</h2></span></span>
|
||
<span id="cb26-24"><a href="#cb26-24" aria-hidden="true" tabindex="-1"></a><span class="st"> <pre></span><span class="va">$(</span><span class="fu">grep</span> <span class="at">-i</span> <span class="st">"high\|critical"</span> scan_results.txt<span class="va">)</span><span class="st"></pre></span></span>
|
||
<span id="cb26-25"><a href="#cb26-25" aria-hidden="true" tabindex="-1"></a><span class="st"> <h2>中危漏洞</h2></span></span>
|
||
<span id="cb26-26"><a href="#cb26-26" aria-hidden="true" tabindex="-1"></a><span class="st"> <pre></span><span class="va">$(</span><span class="fu">grep</span> <span class="at">-i</span> <span class="st">"medium"</span> scan_results.txt<span class="va">)</span><span class="st"></pre></span></span>
|
||
<span id="cb26-27"><a href="#cb26-27" aria-hidden="true" tabindex="-1"></a><span class="st"></body></span></span>
|
||
<span id="cb26-28"><a href="#cb26-28" aria-hidden="true" tabindex="-1"></a><span class="st"></html></span></span>
|
||
<span id="cb26-29"><a href="#cb26-29" aria-hidden="true" tabindex="-1"></a><span class="op">EOF</span></span></code></pre></div>
|
||
<h4 data-number="1.9.2.2" id="补丁管理流程"><span
|
||
class="header-section-number">1.9.2.2</span> 7.2.2 补丁管理流程</h4>
|
||
<p><strong>图表 8</strong></p>
|
||
<figure>
|
||
<img src="temp_mermaid_water_biz_security_design_6403/diagram_8.png"
|
||
alt="图表 8" />
|
||
<figcaption aria-hidden="true">图表 8</figcaption>
|
||
</figure>
|
||
<details>
|
||
<summary>
|
||
查看图表源码
|
||
</summary>
|
||
<pre class="mermaid"><code>graph LR
|
||
DISCOVER[漏洞发现] --> ASSESS[风险评估]
|
||
ASSESS --> PLAN[补丁计划]
|
||
PLAN --> TEST[测试验证]
|
||
TEST --> DEPLOY[生产部署]
|
||
DEPLOY --> VERIFY[部署验证]
|
||
VERIFY --> DOCUMENT[文档记录]
|
||
|
||
subgraph "评估标准"
|
||
HIGH[高危<br/>24小时内]
|
||
MEDIUM[中危<br/>7天内]
|
||
LOW[低危<br/>30天内]
|
||
end
|
||
|
||
ASSESS --> HIGH
|
||
ASSESS --> MEDIUM
|
||
ASSESS --> LOW
|
||
</code></pre>
|
||
</details>
|
||
<h3 data-number="1.9.3" id="应急响应预案"><span
|
||
class="header-section-number">1.9.3</span> 7.3 应急响应预案</h3>
|
||
<h4 data-number="1.9.3.1" id="安全事件分级"><span
|
||
class="header-section-number">1.9.3.1</span> 7.3.1 安全事件分级</h4>
|
||
<table>
|
||
<colgroup>
|
||
<col style="width: 18%" />
|
||
<col style="width: 18%" />
|
||
<col style="width: 31%" />
|
||
<col style="width: 31%" />
|
||
</colgroup>
|
||
<thead>
|
||
<tr>
|
||
<th>级别</th>
|
||
<th>描述</th>
|
||
<th>响应时间</th>
|
||
<th>处理措施</th>
|
||
</tr>
|
||
</thead>
|
||
<tbody>
|
||
<tr>
|
||
<td>P0</td>
|
||
<td>系统完全不可用,数据泄露</td>
|
||
<td>15分钟</td>
|
||
<td>立即启动应急预案,通知管理层</td>
|
||
</tr>
|
||
<tr>
|
||
<td>P1</td>
|
||
<td>核心功能受影响,安全风险高</td>
|
||
<td>30分钟</td>
|
||
<td>启动应急预案,组建应急小组</td>
|
||
</tr>
|
||
<tr>
|
||
<td>P2</td>
|
||
<td>部分功能受影响,安全风险中等</td>
|
||
<td>2小时</td>
|
||
<td>安排专人处理,定期汇报</td>
|
||
</tr>
|
||
<tr>
|
||
<td>P3</td>
|
||
<td>轻微影响,安全风险较低</td>
|
||
<td>8小时</td>
|
||
<td>正常工作时间处理</td>
|
||
</tr>
|
||
</tbody>
|
||
</table>
|
||
<h4 data-number="1.9.3.2" id="应急响应流程"><span
|
||
class="header-section-number">1.9.3.2</span> 7.3.2 应急响应流程</h4>
|
||
<p><strong>图表 9</strong></p>
|
||
<figure>
|
||
<img src="temp_mermaid_water_biz_security_design_6403/diagram_9.png"
|
||
alt="图表 9" />
|
||
<figcaption aria-hidden="true">图表 9</figcaption>
|
||
</figure>
|
||
<details>
|
||
<summary>
|
||
查看图表源码
|
||
</summary>
|
||
<pre class="mermaid"><code>graph TB
|
||
INCIDENT[安全事件发生] --> DETECT[事件检测]
|
||
DETECT --> REPORT[事件上报]
|
||
REPORT --> ASSESS[影响评估]
|
||
ASSESS --> RESPONSE[应急响应]
|
||
|
||
subgraph "应急响应措施"
|
||
ISOLATE[系统隔离]
|
||
PRESERVE[证据保全]
|
||
RECOVER[系统恢复]
|
||
INVESTIGATE[调查分析]
|
||
end
|
||
|
||
subgraph "后续处理"
|
||
LESSON[经验总结]
|
||
IMPROVE[流程改进]
|
||
TRAIN[培训加强]
|
||
DOC[文档更新]
|
||
end
|
||
|
||
RESPONSE --> ISOLATE
|
||
RESPONSE --> PRESERVE
|
||
RESPONSE --> RECOVER
|
||
RESPONSE --> INVESTIGATE
|
||
|
||
INVESTIGATE --> LESSON
|
||
LESSON --> IMPROVE
|
||
IMPROVE --> TRAIN
|
||
TRAIN --> DOC
|
||
</code></pre>
|
||
</details>
|
||
<h2 data-number="1.10" id="八安全管理制度"><span
|
||
class="header-section-number">1.10</span> 八、安全管理制度</h2>
|
||
<h3 data-number="1.10.1" id="安全组织架构"><span
|
||
class="header-section-number">1.10.1</span> 8.1 安全组织架构</h3>
|
||
<h4 data-number="1.10.1.1" id="安全管理组织"><span
|
||
class="header-section-number">1.10.1.1</span> 8.1.1 安全管理组织</h4>
|
||
<p><strong>图表 10</strong></p>
|
||
<figure>
|
||
<img src="temp_mermaid_water_biz_security_design_6403/diagram_10.png"
|
||
alt="图表 10" />
|
||
<figcaption aria-hidden="true">图表 10</figcaption>
|
||
</figure>
|
||
<details>
|
||
<summary>
|
||
查看图表源码
|
||
</summary>
|
||
<pre class="mermaid"><code>graph TB
|
||
CEO[总经理<br/>安全最高责任人]
|
||
CISO[信息安全负责人<br/>CISO]
|
||
|
||
subgraph "安全管理委员会"
|
||
IT_DIR[IT总监]
|
||
SECURITY_DIR[安全总监]
|
||
COMPLIANCE[合规负责人]
|
||
LEGAL[法务负责人]
|
||
end
|
||
|
||
subgraph "安全执行团队"
|
||
SEC_ADMIN[安全管理员]
|
||
SYS_ADMIN[系统管理员]
|
||
DBA[数据库管理员]
|
||
NET_ADMIN[网络管理员]
|
||
end
|
||
|
||
subgraph "业务安全责任人"
|
||
BUS_OWNER[业务负责人]
|
||
DATA_OWNER[数据负责人]
|
||
USER_ADMIN[用户管理员]
|
||
end
|
||
|
||
CEO --> CISO
|
||
CISO --> IT_DIR
|
||
CISO --> SECURITY_DIR
|
||
CISO --> COMPLIANCE
|
||
CISO --> LEGAL
|
||
|
||
IT_DIR --> SEC_ADMIN
|
||
IT_DIR --> SYS_ADMIN
|
||
IT_DIR --> DBA
|
||
IT_DIR --> NET_ADMIN
|
||
|
||
SECURITY_DIR --> BUS_OWNER
|
||
SECURITY_DIR --> DATA_OWNER
|
||
SECURITY_DIR --> USER_ADMIN
|
||
</code></pre>
|
||
</details>
|
||
<h3 data-number="1.10.2" id="安全管理制度-1"><span
|
||
class="header-section-number">1.10.2</span> 8.2 安全管理制度</h3>
|
||
<h4 data-number="1.10.2.1" id="人员安全管理"><span
|
||
class="header-section-number">1.10.2.1</span> 8.2.1 人员安全管理</h4>
|
||
<ul>
|
||
<li><strong>入职安全审查</strong>:对关键岗位人员进行背景调查</li>
|
||
<li><strong>安全培训</strong>:定期进行信息安全意识培训</li>
|
||
<li><strong>权限管理</strong>:建立权限申请、审批、回收流程</li>
|
||
<li><strong>离职管理</strong>:离职人员权限及时回收,签署保密协议</li>
|
||
</ul>
|
||
<h4 data-number="1.10.2.2" id="系统建设安全管理"><span
|
||
class="header-section-number">1.10.2.2</span> 8.2.2
|
||
系统建设安全管理</h4>
|
||
<ul>
|
||
<li><strong>安全需求分析</strong>:项目立项阶段进行安全需求分析</li>
|
||
<li><strong>安全设计评审</strong>:设计阶段进行安全架构评审</li>
|
||
<li><strong>安全测试</strong>:上线前进行安全渗透测试</li>
|
||
<li><strong>安全验收</strong>:系统上线前进行安全验收</li>
|
||
</ul>
|
||
<h4 data-number="1.10.2.3" id="系统运维安全管理"><span
|
||
class="header-section-number">1.10.2.3</span> 8.2.3
|
||
系统运维安全管理</h4>
|
||
<ul>
|
||
<li><strong>变更管理</strong>:所有系统变更都需要安全评估</li>
|
||
<li><strong>备份管理</strong>:定期备份,异地存储,加密保护</li>
|
||
<li><strong>监控管理</strong>:7×24小时安全监控</li>
|
||
<li><strong>应急管理</strong>:建立应急响应机制</li>
|
||
</ul>
|
||
<h3 data-number="1.10.3" id="合规管理"><span
|
||
class="header-section-number">1.10.3</span> 8.3 合规管理</h3>
|
||
<h4 data-number="1.10.3.1" id="法律法规合规"><span
|
||
class="header-section-number">1.10.3.1</span> 8.3.1 法律法规合规</h4>
|
||
<ul>
|
||
<li>《中华人民共和国网络安全法》</li>
|
||
<li>《中华人民共和国数据安全法》</li>
|
||
<li>《中华人民共和国个人信息保护法》</li>
|
||
<li>《关键信息基础设施安全保护条例》</li>
|
||
</ul>
|
||
<h4 data-number="1.10.3.2" id="行业标准合规"><span
|
||
class="header-section-number">1.10.3.2</span> 8.3.2 行业标准合规</h4>
|
||
<ul>
|
||
<li>GB/T 22239-2019《信息安全技术 网络安全等级保护基本要求》</li>
|
||
<li>GB/T 25070-2019《信息安全技术
|
||
网络安全等级保护安全设计技术要求》</li>
|
||
<li>GB/T 32918《信息安全技术 SM2椭圆曲线公钥密码算法》</li>
|
||
<li>GB/T 32905《信息安全技术 SM3密码杂凑算法》</li>
|
||
</ul>
|
||
<h4 data-number="1.10.3.3" id="合规检查清单"><span
|
||
class="header-section-number">1.10.3.3</span> 8.3.3 合规检查清单</h4>
|
||
<ul class="task-list">
|
||
<li><label><input type="checkbox" />等级保护三级备案完成</label></li>
|
||
<li><label><input type="checkbox" />年度安全评估报告</label></li>
|
||
<li><label><input type="checkbox" />安全管理制度建立</label></li>
|
||
<li><label><input type="checkbox" />安全技术措施落实</label></li>
|
||
<li><label><input type="checkbox" />安全培训记录完整</label></li>
|
||
<li><label><input type="checkbox" />应急预案演练记录</label></li>
|
||
<li><label><input type="checkbox" />安全事件处置记录</label></li>
|
||
<li><label><input type="checkbox" />第三方安全服务合同</label></li>
|
||
</ul>
|
||
<hr />
|
||
<h2 data-number="1.11" id="总结"><span
|
||
class="header-section-number">1.11</span> 总结</h2>
|
||
<p>福建水务营收系统安全设计严格按照等级保护三级要求,结合OpenGauss数据库的安全特性,建立了全方位、多层次的安全防护体系。通过技术防护、管理制度、人员培训等多重措施,确保系统安全稳定运行,满足水务行业的安全合规要求。</p>
|
||
<p>本安全设计方案的核心特点: 1.
|
||
<strong>国产化安全</strong>:采用OpenGauss数据库和国密算法 2.
|
||
<strong>纵深防御</strong>:网络、应用、数据多层安全防护 3.
|
||
<strong>合规导向</strong>:严格按照等保三级标准设计 4.
|
||
<strong>持续改进</strong>:建立安全监控和应急响应机制</p>
|
||
</body>
|
||
</html>
|