
How to use the CentOS audit log to monitor unauthorized access to the system


As the Internet has grown, network security problems have become ever more prominent, and many system administrators pay increasing attention to the security of their systems. CentOS, a widely used open-source operating system, ships an audit subsystem that can help administrators monitor the security of a system, and in particular detect unauthorized access. This article describes how to use the CentOS audit log to monitor unauthorized access to the system, with code examples.

1. Enable the audit log function

To use the CentOS audit log, first make sure the function is enabled. On CentOS it is enabled by editing the file /etc/audit/auditd.conf. Open the file with the following command:

sudo vi /etc/audit/auditd.conf


ÔÚ¸ÃÎļþÖÐ £¬ÕÒµ½ÒÔÏÂÁ½ÐдúÂ룺

#local_events = yes
#write_logs = yes


Remove the # comment marker at the start of both lines so that they read:

local_events = yes
write_logs = yes


Save the file and exit. Then restart the audit service with the following command:

sudo service auditd restart

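As an added example (not from the original article), the same two changes to auditd.conf can be made from a script rather than in vi, which is convenient when many hosts must be configured and removes the risk of a typo in the file. The function name enable_audit_logging and the sample configuration it is run against are constructed for this demonstration; on a real host you would pass /etc/audit/auditd.conf as root and then restart auditd as shown above.

```shell
#!/bin/sh
# Added example, not from the original article: turn on local_events and
# write_logs in an auditd.conf file without opening it in vi, then verify.
# The function name and the sample file below are constructed for this demo.

enable_audit_logging() {
    conf="$1"
    tmp="$conf.tmp.$$"
    # Strip a leading '#' (and any spaces) from the two settings if present.
    sed -e 's/^[[:space:]]*#[[:space:]]*\(local_events[[:space:]]*=[[:space:]]*yes\)/\1/' \
        -e 's/^[[:space:]]*#[[:space:]]*\(write_logs[[:space:]]*=[[:space:]]*yes\)/\1/' \
        "$conf" > "$tmp" && mv "$tmp" "$conf"
    # Verify that both settings are now active and set to yes; fail otherwise,
    # so a file that says "local_events = no" is not silently accepted.
    grep -Eq '^[[:space:]]*local_events[[:space:]]*=[[:space:]]*yes' "$conf" &&
    grep -Eq '^[[:space:]]*write_logs[[:space:]]*=[[:space:]]*yes' "$conf"
}

# Demonstration on a constructed copy of the relevant auditd.conf lines.
demo_conf="$(mktemp)"
cat > "$demo_conf" <<'EOF'
#local_events = yes
#write_logs = yes
log_file = /var/log/audit/audit.log
EOF
if enable_audit_logging "$demo_conf"; then
    echo "audit logging enabled:"
    grep -E '^(local_events|write_logs)' "$demo_conf"
else
    echo "could not enable audit logging in $demo_conf" >&2
fi
rm -f "$demo_conf"
```

The verification step matters more than the sed: a configuration management run that reports success while the daemon is still not writing logs is exactly the gap an intruder benefits from, so the function returns non-zero unless both settings are actually in effect.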

2. Set audit rules

With audit logging enabled, the next step is to set audit rules so that unauthorized access can be monitored. Rules are set in the file /etc/audit/audit.rules. Open it with the following command:

sudo vi /etc/audit/audit.rules


ÔÚ¸ÃÎļþÖÐ £¬¿ÉÒÔÌí¼ÓÒÔÏÂÄÚÈÝ×÷ΪÉó¼Æ¹æÔò£º

-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve


ÕâÁ½ÐйæÔò½«¼à²âËùÓеÄÖ´ÐвÙ×÷¡£ÈôÊÇÖ»Ïë¼à²âÌض¨µÄÖ´ÐвÙ×÷ £¬¿ÉÒÔʹÓÃÒÔÏÂÏÂÁ

-a exit,always -F arch=b64 -S specific_execve_syscall


Here specific_execve_syscall stands for the name of the system call that performs the specific execution operation; replace it according to your requirements. After adding the rules, save the file and exit.

3. Review the audit log

When the system receives an unauthorized access attempt, the related information is recorded in the audit log. Review the audit log with the following command:

sudo ausearch -ui 1000


Here 1000 is the user ID; change it to suit your situation. This command shows the audit records of a specific user. To review all audit records, use the following command:

sudo ausearch


The command above displays all audit records.

4. Enhance the audit log function

To monitor unauthorized access more thoroughly, the audit log function can be enhanced further by adding more audit rules to /etc/audit/audit.rules. Some commonly used audit rules follow.

Monitor login and logout events:

-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session


Monitor change events on files and directories:

-w /etc/passwd -p wa -k identity_changes
-w /etc/shadow -p wa -k identity_changes
-w /etc/group -p wa -k identity_changes
-w /etc/gshadow -p wa -k identity_changes
-w /etc/sudoers -p wa -k identity_changes
-w /etc/securetty -p wa -k identity_changes
-w /var/log/messages -p wa -k logfiles


Monitor read events on sensitive files:

-w /etc/passwd -p rwa -k sensitive_files
-w /etc/shadow -p rwa -k sensitive_files
-w /etc/group -p rwa -k sensitive_files
-w /etc/gshadow -p rwa -k sensitive_files
-w /etc/sudoers -p rwa -k sensitive_files
-w /etc/securetty -p rwa -k sensitive_files

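The following is an added example, not part of the original article, covering sections 3 and 4 together: it shows what the records written by the rules above look like in /var/log/audit/audit.log and how to filter them the way ausearch -ui 1000 (by login uid) and the rule keys (session, identity_changes, sensitive_files) do, using only the shell and awk. The log lines are constructed to mimic the audit.log format (x86_64 syscall numbers: 59 = execve, 2 = open); the function names audit_report, count_events and write_sample_log are my own. Both functions take the log file as a parameter so they can be pointed at /var/log/audit/audit.log on a real host.

```shell
#!/bin/sh
# Added example, not from the original article. Joins the SYSCALL and PATH
# records of one audit event (same serial number in msg=audit(time:serial)) and
# filters them by login uid, by rule key, or by refused syscalls (success=no).
# Function names and the sample records are constructed for this demonstration.

# usage: audit_report LOGFILE MODE [ARG]
#   uid <auid>   events attributed to that login uid   (compare: ausearch -ui)
#   key <key>    events tagged with that rule key       (compare: ausearch -k)
#   denied       events whose syscall was refused       (typical for unauthorized access)
#   all          every event
audit_report() {
    awk -v mode="$2" -v arg="$3" '
    # value of "name=..." inside a record, with surrounding quotes removed
    function field(line, name,   s) {
        if (match(line, " " name "=[^ ]*") == 0) return ""
        s = substr(line, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
        gsub("\"", "", s)
        return s
    }
    # event serial from msg=audit(1700000000.101:201) -> 201
    function serial(line,   m, p) {
        if (match(line, /msg=audit\([0-9]+\.[0-9]+:[0-9]+\)/) == 0) return ""
        m = substr(line, RSTART, RLENGTH)
        p = index(m, ":")
        return substr(m, p + 1, length(m) - p - 1)
    }
    $1 == "type=SYSCALL" {
        line = " " $0; id = serial(line)
        auid[id] = field(line, "auid"); ok[id] = field(line, "success")
        comm[id] = field(line, "comm"); key[id] = field(line, "key")
        sc[id] = field(line, "syscall")
    }
    $1 == "type=PATH" && /nametype=NORMAL/ {
        line = " " $0; id = serial(line)
        if (!(id in auid) || (id in done)) next   # unknown event or already reported
        done[id] = 1
        if (mode == "uid" && auid[id] != arg) next
        if (mode == "key" && key[id] != arg) next
        if (mode == "denied" && ok[id] != "no") next
        printf "%s auid=%s comm=%s syscall=%s success=%s key=%s name=%s\n",
               id, auid[id], comm[id], sc[id], ok[id], key[id], field(line, "name")
    }' "$1"
}

# number of events a given filter reports
count_events() {
    audit_report "$1" "$2" "$3" | wc -l | tr -d '[:space:]'
}

# Constructed records in audit.log format: an allowed execve, a refused read of
# /etc/shadow by uid 1000, an allowed edit of /etc/passwd by root, and a refused
# execve of a root-only script by uid 1000.
write_sample_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=3000 pid=3001 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=7 comm="id" exe="/usr/bin/id" key=(null)
type=PATH msg=audit(1700000000.101:201): item=0 name="/usr/bin/id" inode=1234 dev=fd:00 mode=0100755 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.202:202): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=3000 pid=3002 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=7 comm="cat" exe="/usr/bin/cat" key="sensitive_files"
type=PATH msg=audit(1700000000.202:202): item=0 name="/etc/shadow" inode=2345 dev=fd:00 mode=0100000 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.303:203): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=3000 pid=3003 auid=0 uid=0 gid=0 euid=0 tty=pts1 ses=8 comm="vipw" exe="/usr/sbin/vipw" key="identity_changes"
type=PATH msg=audit(1700000000.303:203): item=0 name="/etc/passwd" inode=3456 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.404:204): arch=c000003e syscall=59 success=no exit=-13 items=2 ppid=3000 pid=3004 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=7 comm="bash" exe="/usr/bin/bash" key=(null)
type=PATH msg=audit(1700000000.404:204): item=0 name="/root/backup.sh" inode=4567 dev=fd:00 mode=0100700 ouid=0 ogid=0 nametype=NORMAL
EOF
}

sample_log="$(mktemp)"
write_sample_log "$sample_log"
echo "== refused syscalls (first place to look for unauthorized access) =="
audit_report "$sample_log" denied
echo "== all events of login uid 1000 (compare: ausearch -ui 1000) =="
audit_report "$sample_log" uid 1000
rm -f "$sample_log"
```

Two points worth noting from this example. First, the login uid (auid) is what ties an event to the person who logged in even after su or sudo, which is why it is the field to filter on rather than uid. Second, on a real host ausearch and aureport remain the supported tools for this; the awk above only makes visible how the -k keys from the rules and the success=no field are the two handles a reviewer uses. Note also that on CentOS 7 and later auditd regenerates /etc/audit/audit.rules from /etc/audit/rules.d/*.rules through augenrules, so rules meant to survive a restart belong in that directory.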

ËÄ¡¢×ܽá

This article has described how to use the CentOS audit log to monitor unauthorized access to the system, with the relevant code examples. By enabling the audit log function, setting audit rules and reviewing the audit log, the security of the system can be monitored more effectively and unauthorized access events prevented. Enhancing the audit log function further raises the security of the system. System administrators can choose the audit rules that suit their own systems according to their requirements, review the audit log regularly, and discover and handle unauthorized access events promptly to protect the security of the system.
