
How to set up network security auditing on Linux

Network security auditing is an important process for ensuring the security and stability of networked systems. Performing a network security audit on a Linux system helps administrators monitor network activity, discover potential security problems and respond in time. This article describes how to set up network security auditing on Linux and provides code examples to make the steps easier to follow.

1. Install Auditd

Auditd is the default security auditing framework on Linux. The first step is to install it.

On Ubuntu, install it with the following command:

sudo apt-get install auditd


On CentOS, install it with the following command:

sudo yum install audit


2. Configure Auditd

After installation, Auditd needs some basic configuration. The main configuration file is /etc/audit/auditd.conf; edit it to adjust the options below.

The following is the content of an example configuration file:

# /etc/audit/auditd.conf
# Note: the path may differ between distributions

# Path of the local audit log file
log_file = /var/log/audit/audit.log

# Maximum size of a single log file, in megabytes
max_log_file = 50

# Action taken when max_log_file is reached; keep_logs rotates and never deletes old files
max_log_file_action = keep_logs

# "num_days" is not a keyword auditd.conf recognises, and auditd reports an error
# for unknown keywords and will not start. With keep_logs, old files are kept
# until you remove them yourself, so the line is left commented out.
# num_days = 30

# "idletime" is not an auditd.conf keyword either (tcp_client_max_idle exists, but it
# only applies to remote audisp-remote clients), so it is left commented out.
# idletime = 600

# Action when free space on the log partition drops below space_left: send an e-mail
space_left_action = email

# Mailbox that receives that notification. The address belongs in action_mail_acct;
# admin_space_left_action takes an action keyword such as suspend, not an address.
action_mail_acct = root@localhost

# Audit rules are not read from this file; they belong in /etc/audit/rules.d/*.rules.
# The following is an example rule (failed file opens by regular users); adjust as needed:
# -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at,openat2 -F exit=-EACCES -F auid>=1000 -F auid!=-1 -k access


Note that you need to adapt the configuration to your system and requirements. When you are done, save the file and restart the auditd service. On CentOS/RHEL the systemd unit refuses a manual stop (RefuseManualStop=yes), so use `sudo service auditd restart` there instead.

sudo systemctl restart auditd


3. Common Auditd commands

Once configuration is complete, a few common Auditd commands let you monitor network activity and inspect the audit log.

The audispd-plugins package

audispd-plugins is a package of plugins for the Auditd event dispatcher that forward audit events to other tools, such as Syslog or Elasticsearch.

On Ubuntu, install it with the following command:

sudo apt-get install audispd-plugins


On CentOS, install it with the following command:

sudo yum install audispd-plugins


The forwarding destination is set in the plugin configuration file /etc/audisp/plugins.d/syslog.conf (on audit 3.x the plugin directory moved to /etc/audit/plugins.d/, so edit the file there). In the following example the events are forwarded to Syslog:

active = yes
direction = out
# With type = builtin, path names the built-in plugin, not a binary on disk
path = builtin_syslog
type = builtin
# Syslog priority at which the events are logged
args = LOG_INFO
format = string


ausearch

ausearch is Auditd's command-line tool for querying the audit log. Here are a few common examples:

# Query all events (ALL disables the message-type filter)
sudo ausearch -m all

# Query events in a time range; "recent" means the last 10 minutes
# (free-form phrases such as "10 minutes ago" are not accepted)
sudo ausearch --start recent --end now

# Query events by user (-ua matches auid, uid, euid and the other uid fields)
sudo ausearch -ua username

# Query events by file path
sudo ausearch -f /path/to/file

# Query events by system call
sudo ausearch -sc open

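Whether you read /var/log/audit/audit.log directly or the output of `ausearch --raw`, one event is spread over several records (SYSCALL, EXECVE, CWD, PATH, ...) that share the serial number inside msg=audit(TIMESTAMP:SERIAL). The script below, an added example that is not part of the original article, pairs each SYSCALL record tagged key="command" (the key used by the rules in section 4) with its EXECVE record and prints the login UID, executable and argument vector, then counts executions per login UID. It handles both the raw-log order (SYSCALL first) and the reversed order ausearch prints. The sample records are constructed and abbreviated; real SYSCALL records carry more fields.

```shell
#!/bin/sh
# Pair SYSCALL and EXECVE records of the same audit event and report who ran what.

exec_report() {
  awk '
    # Return the value of a "name=value" field in record s, without quotes.
    function field(s, name,    m) {
      if (match(s, " " name "=[^ ]*")) {
        m = substr(s, RSTART, RLENGTH)
        sub("^ " name "=", "", m)
        gsub(/"/, "", m)
        return m
      }
      return ""
    }
    {
      # $2 looks like msg=audit(1700000000.101:201): the serial (201) ties the
      # records of one event together, whatever order they arrive in.
      serial = $2
      sub(/^msg=audit\([0-9.]+:/, "", serial)
      sub(/\):$/, "", serial)
      if (!(serial in seen)) { seen[serial] = ++n; order[n] = serial }

      if ($1 == "type=SYSCALL" && field($0, "key") == "command") {
        auid[serial] = field($0, "auid")
        exe[serial]  = field($0, "exe")
      } else if ($1 == "type=EXECVE") {
        line = ""
        # fields 3.. are argc=N a0="..." a1="..."; only the aN= fields are arguments
        for (i = 3; i <= NF; i++) {
          if ($i !~ /^a[0-9]+=/) continue
          v = $i
          sub(/^a[0-9]+=/, "", v)
          gsub(/"/, "", v)
          line = (line == "") ? v : line " " v
        }
        argv[serial] = line
      }
    }
    END {
      # Print only events that have both halves, in the order they were first seen.
      for (i = 1; i <= n; i++) {
        s = order[i]
        if ((s in auid) && (s in argv))
          printf "auid=%s exe=%s argv=%s\n", auid[s], exe[s], argv[s]
      }
    }'
}

# Number of commands each login UID ran: a quick "who is most active" view.
exec_count_by_auid() {
  exec_report | awk '{ sub(/^auid=/, "", $1); c[$1]++ }
                     END { for (a in c) printf "%s %d\n", a, c[a] }' | sort
}

# Constructed, abbreviated sample records. Event 202 is a sendto() under the
# "connect" key and has no EXECVE record; event 203 has its EXECVE record
# first, as ausearch prints it.
SAMPLE_LOG='type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=900 pid=901 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=2 comm="cat" exe="/usr/bin/cat" subj=unconfined key="command"
type=EXECVE msg=audit(1700000000.101:201): argc=2 a0="cat" a1="/etc/hosts"
type=SYSCALL msg=audit(1700000000.250:202): arch=c000003e syscall=44 success=yes exit=32 items=0 ppid=900 pid=902 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=2 comm="curl" exe="/usr/bin/curl" subj=unconfined key="connect"
type=EXECVE msg=audit(1700000000.300:203): argc=3 a0="ls" a1="-l" a2="/tmp"
type=SYSCALL msg=audit(1700000000.300:203): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=900 pid=903 auid=1001 uid=1001 gid=1001 euid=1001 tty=pts1 ses=3 comm="ls" exe="/usr/bin/ls" subj=unconfined key="command"
type=SYSCALL msg=audit(1700000000.400:204): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=900 pid=904 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=2 comm="id" exe="/usr/bin/id" subj=unconfined key="command"
type=EXECVE msg=audit(1700000000.400:204): argc=1 a0="id"'

printf '%s\n' "$SAMPLE_LOG" | exec_report
printf '%s\n' "$SAMPLE_LOG" | exec_count_by_auid
```

On a live system replace the sample with `sudo ausearch -k command --raw | exec_report`. Arguments containing spaces or non-printable characters are hex-encoded by the kernel in EXECVE records; `ausearch -i` decodes them, this script deliberately leaves them as logged.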

aureport

aureport is Auditd's reporting tool; it generates summary reports of various kinds. Here are a few common examples:

# Summary report of all events
sudo aureport

# Report on file-related events
sudo aureport -f

# Report on user-related events (-u selects the user report; -i only converts numeric ids to names)
sudo aureport -u

# Report on system-call events (-s is the syscall report; -c would report audit configuration changes)
sudo aureport -s


4. Key configuration example

The following example configuration audits user logins and command execution:

sudo auditctl -a always,exit -F arch=b64 -S execve -k command
sudo auditctl -a always,exit -F arch=b64 -S execveat -k command
sudo auditctl -a always,exit -F arch=b32 -S execve -k command
sudo auditctl -a always,exit -F arch=b32 -S execveat -k command
sudo auditctl -a always,exit -F arch=b64 -S sendto -F auid>=500 -F auid!=4294967295 -k connect


The rules above record every command executed by any user (execve and execveat on both the 64-bit and 32-bit ABIs) and the network traffic sent by regular users via sendto() (login UID 500 or above, excluding processes whose login UID is unset, 4294967295); the sendto rule logs the system call, not the packet contents. Rules added with auditctl live only in the running kernel and are lost on reboot.
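To keep these rules across reboots, put them in a file under /etc/audit/rules.d/ and load them with augenrules. The script below is an added example, not code from the original article: it writes the section's rules in audit.rules syntax (the auditctl flags without the command name), counts what it wrote, and shows the load step. The file name 50-exec.rules is an assumed convention, and the UID threshold is assumed to be 1000 rather than the article's 500 (check UID_MIN in /etc/login.defs on your system).

```shell
#!/bin/sh
# Persist the execve/sendto audit rules so they survive a reboot.

# Emit the rule set in audit.rules syntax.
# Assumption: regular users start at UID 1000; adjust to your login.defs.
exec_rules() {
  cat <<'EOF'
## Every command execution, 64-bit and 32-bit ABI
-a always,exit -F arch=b64 -S execve,execveat -k command
-a always,exit -F arch=b32 -S execve,execveat -k command
## sendto() by interactive users; auid 4294967295 is "unset" (daemons, boot-time processes)
-a always,exit -F arch=b64 -S sendto -F auid>=1000 -F auid!=4294967295 -k connect
EOF
}

# Write the rule file. The path is a parameter so the function can be exercised
# against a temporary file; the default name 50-exec.rules is an assumed convention.
write_exec_rules() {
  dest=${1:-/etc/audit/rules.d/50-exec.rules}
  exec_rules > "$dest" && chmod 0640 "$dest"
}

# Count active rules (lines starting with -a) in a rule file.
rule_count() {
  grep -c '^-a ' "$1"
}

# Merge every rules.d file into /etc/audit/audit.rules, load it into the kernel,
# and show the rules that took effect. Needs root and an audit-enabled kernel,
# so it is not called automatically here.
load_exec_rules() {
  augenrules --load && auditctl -l | grep -E 'key=(command|connect)'
}

# Usage as root:  write_exec_rules && load_exec_rules
```

If /etc/audit/audit.rules contains a `-e 2` line (immutable mode), the kernel rejects further rule changes until reboot, so load the final rule set before enabling that line.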

5. Summary

Setting up network security auditing on a Linux system is an important part of keeping the system secure. By installing and configuring Auditd, you can monitor network activity and uncover potential security problems. This article covered installing Auditd, basic configuration, common commands and a key configuration example, with sample code to make the steps easier to follow.

We hope this article helps you carry out network security auditing on your Linux systems. If you have any other questions, feel free to ask us.
