How to use the CentOS audit log to detect unauthorized access to the system
As the internet has grown, network security problems have become increasingly prominent, and many system administrators pay more and more attention to the security of their systems. CentOS, a commonly used open-source operating system, has an audit feature that helps administrators monitor the security of the system, especially with regard to unauthorized access. This article explains how to use the CentOS audit log to detect unauthorized access to the system, with code examples.
1. Enabling the audit log
To use the CentOS audit log, first make sure the feature is enabled. On CentOS, the audit log is enabled by editing the /etc/audit/auditd.conf file. Open the file with the following command:
sudo vi /etc/audit/auditd.conf
ÔÚ¸ÃÎļþÖУ¬ÕÒµ½ÒÔÏÂÁ½ÐдúÂ룺
#local_events = yes #write_logs = yes
½«ÕâÁ½ÐдúÂëÇ°µÄ×¢ÊÍ·ûºÅ#È¥µô£¬ÐÞ¸ÄΪÒÔÏÂÐÎʽ£º
local_events = yes write_logs = yes
Save and exit the file. Then restart the audit service with the following command:
sudo service auditd restart
2. Setting audit rules
Once the audit log is enabled, the next step is to set audit rules so that unauthorized access can be detected. Audit rules are set by editing the /etc/audit/audit.rules file. Open the file with the following command:
sudo vi /etc/audit/audit.rules
ÔÚ¸ÃÎļþÖУ¬¿ÉÒÔÌí¼ÓÒÔÏÂÄÚÈÝ×÷ΪÉó¼Æ¹æÔò£º
-a exit,always -F arch=b64 -S execve -a exit,always -F arch=b32 -S execve
ÕâÁ½ÐйæÔò½«¼à²âËùÓеÄÖ´ÐвÙ×÷¡£ÈôÊÇÖ»Ïë¼à²âÌض¨µÄÖ´ÐвÙ×÷£¬¿ÉÒÔʹÓÃÒÔÏÂÏÂÁ
-a exit,always -F arch=b64 -S specific_execve_syscall
Here specific_execve_syscall stands for the name of the system call of the particular operation; change it according to your exact requirements. After adding the rules, save and exit the file.
3. Reviewing the audit log
When the system receives unauthorized access, the related information is recorded in the audit log. You can review the audit log with the following command:
sudo ausearch -ui 1000
Here 1000 is the user ID; adjust it to the case at hand. This command shows the audit records of a particular user. To view all audit records, use the following command:
sudo ausearch
The command above displays all audit records.
4. Strengthening the audit log
To detect unauthorized access more effectively, the audit log can be strengthened further by adding more audit rules to the /etc/audit/audit.rules file. Some commonly used audit rules follow.
Monitor login and logout events:
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
Monitor changes to files and directories:
-w /etc/passwd -p wa -k identity_changes
-w /etc/shadow -p wa -k identity_changes
-w /etc/group -p wa -k identity_changes
-w /etc/gshadow -p wa -k identity_changes
-w /etc/sudoers -p wa -k identity_changes
-w /etc/securetty -p wa -k identity_changes
-w /var/log/messages -p wa -k logfiles
Monitor reads of sensitive files:
-w /etc/passwd -p rwa -k sensitive_files
-w /etc/shadow -p rwa -k sensitive_files
-w /etc/group -p rwa -k sensitive_files
-w /etc/gshadow -p rwa -k sensitive_files
-w /etc/sudoers -p rwa -k sensitive_files
-w /etc/securetty -p rwa -k sensitive_files
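As an added example (not part of the original article), the following Python script does the review step of section 3 programmatically for the rules of section 4: it reads raw /var/log/audit/audit.log records of the kind the sensitive_files and identity_changes rules produce, groups the SYSCALL and PATH records of each event by their serial number, and reports denied accesses and successful identity-file changes. The log lines are constructed samples that follow the audit.log record layout.

```python
import re
from collections import defaultdict

# key=value pairs, quoted or bare; the serial in msg=audit(<sec>.<ms>:<serial>) links the records of one event
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')

# Constructed sample records (not real data) in raw /var/log/audit/audit.log format,
# as the -w ... -k sensitive_files / identity_changes rules above would produce.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=2301 pid=2412 auid=1000 uid=1000 gid=1000 euid=1000 ses=3 comm="cat" exe="/usr/bin/cat" key="sensitive_files"
type=PATH msg=audit(1700000000.101:201): item=0 name="/etc/shadow" inode=131105 dev=fd:00 mode=0100000 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=257 success=yes exit=3 items=2 ppid=2301 pid=2420 auid=1000 uid=0 gid=0 euid=0 ses=3 comm="vi" exe="/usr/bin/vi" key="identity_changes"
type=PATH msg=audit(1700000000.102:202): item=1 name="/etc/sudoers" inode=131210 dev=fd:00 mode=0100440 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=2601 pid=2630 auid=1001 uid=1001 gid=1001 euid=1001 ses=5 comm="less" exe="/usr/bin/less" key="sensitive_files"
type=PATH msg=audit(1700000000.103:203): item=0 name="/etc/gshadow" inode=131106 dev=fd:00 mode=0100000 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=2301 pid=2431 auid=1000 uid=1000 gid=1000 euid=1000 ses=3 comm="cat" exe="/usr/bin/cat" key="sensitive_files"
type=PATH msg=audit(1700000000.104:204): item=0 name="/etc/passwd" inode=131100 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
"""

def parse_events(text):
    """Group raw records by serial: merge SYSCALL fields, collect PATH file names."""
    events = defaultdict(lambda: {"paths": []})
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # blank or truncated line, not an audit record
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
        event = events[int(m.group(1))]
        if fields.get("type") == "PATH":
            event["paths"].append(fields.get("name", "?"))
        elif fields.get("type") == "SYSCALL":
            event.update(fields)
    return events

def find_suspicious(text):
    """Return (serial, auid, exe, paths, reason) for events worth review: denied access
    under sensitive_files (success=no; exit=-13 is EACCES) and any successful change
    under identity_changes. Successful reads of world-readable /etc/passwd are normal."""
    findings = []
    for serial, ev in sorted(parse_events(text).items()):
        key, ok = ev.get("key"), ev.get("success") == "yes"
        if key == "sensitive_files" and not ok:
            reason = f"denied access (exit={ev.get('exit')}) to sensitive file"
        elif key == "identity_changes" and ok:
            reason = "identity file modified"
        else:
            continue
        findings.append((serial, ev.get("auid"), ev.get("exe"), ev["paths"], reason))
    return findings
```

Findings are attributed to auid, the login UID, which survives su and sudo: the sudoers edit in event 202 runs as uid 0 but is attributed to the user who logged in as 1000.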
5. Summary
This article has explained how to use the CentOS audit log to detect unauthorized access to the system and provided the related code examples. By enabling the audit log, setting audit rules and reviewing the audit log, the security of the system can be monitored more effectively and unauthorized access events prevented. Strengthening the audit log further improves the security of the system. System administrators can choose the audit rules that suit their own systems according to their exact needs, review the audit log regularly, discover and handle unauthorized access events promptly, and so protect the security of the system.
ÒÔÉϾÍÊÇÔõÑùʹÓÃCentOSϵͳµÄÉó¼ÆÈÕÖ¾À´¼à²â¶ÔϵͳµÄδ¾ÊÚȨ»á¼ûµÄÏêϸÄÚÈÝ£¬¸ü¶àÇë¹Ø×¢±¾ÍøÄÚÆäËüÏà¹ØÎÄÕ£¡