Because audit behaves a little differently from system to system, the environment first: CentOS 6.3 x86_64.
Straight to the point: what the audit subsystem is and why it matters are skipped here.
audit is a feature of the Linux kernel. The kernel parameter audit=1 switches it on from early boot, so that processes started before the auditd daemon are tracked as well; without it, auditd turns auditing on when it starts.
/etc/audit/audit.rules is the rules file that auditd loads at start-up. This article covers how to use audit to watch the resources on a system that matter most.
1. Monitoring filesystem activity (file watches, which identify events by path and access type)
Rule format: -w path -p permissions -k key
The -p permission mask is built from four letters:
r read the file
w write the file
x execute the file
a change the file's attributes (ownership, mode and similar metadata)
Example: watch /etc/passwd for modification (writes and attribute changes):
-w /etc/passwd -p wa
Adding that line to audit.rules is all it takes to put the file under watch.
By the same reasoning, the following resources should also be watched if the system is to stay trustworthy.
-w /etc/at.allow
-w /etc/at.deny

-w /etc/inittab -p wa
-w /etc/init.d/
-w /etc/init.d/auditd -p wa

-w /etc/cron.d/ -p wa
-w /etc/cron.daily/ -p wa
-w /etc/cron.hourly/ -p wa
-w /etc/cron.monthly/ -p wa
-w /etc/cron.weekly/ -p wa
-w /etc/crontab -p wa

-w /etc/group -p wa
-w /etc/passwd -p wa
-w /etc/shadow
-w /etc/sudoers -p wa

-w /etc/hosts -p wa
-w /etc/sysconfig/
-w /etc/sysctl.conf -p wa

-w /etc/modprobe.d/

-w /etc/aliases -p wa

-w /etc/bashrc -p wa
-w /etc/profile -p wa
-w /etc/profile.d/
-w /var/log/lastlog
-w /var/log/yum.log

-w /etc/issue -p wa
-w /etc/issue.net -p wa

-w /usr/bin/ -p wa
-w /usr/sbin/ -p wa
-w /bin -p wa
-w /etc/ssh/sshd_config
Note: without -p a watch covers all four actions (rwxa). Choose the mask deliberately: the /usr/bin, /usr/sbin and /bin watches above use -p wa because adding x or r there would log every program execution or read and flood the log. A -k key on each rule is optional but worth the effort, since ausearch -k key (and aureport -k) is the easiest way to pull out the events a given rule produced.
2. Monitoring system-call activity (identified by the system call itself)
Rule format: -a action,list -S syscall_name -F field=value -k key. action is always or never; list says where the rule is evaluated, normally exit (when the call returns, so success and return value are known). entry is obsolete and should be replaced by exit; task, user and exclude lists exist for other purposes. Both -a always,exit and -a exit,always are accepted.
Common system calls worth monitoring:
Permission and ownership changes: chmod/fchmod/fchmodat set permissions and chown/fchown/lchown/fchownat set owners. umask only changes the calling process's file-creation mask and does not alter any existing file's permissions, so it is a supporting signal here, not the call that a permission change "must" go through.
-a exit,always -F arch=b64 -S umask -S chown -S chmod

Hostname changes: a hostname change must go through sethostname (setdomainname is the NIS domain-name counterpart).
-a exit,always -F arch=b64 -S sethostname -S setdomainname

System time changes: adjtimex and settimeofday. stime exists only in the 32-bit syscall table, so on this x86_64 host it belongs in a separate -F arch=b32 rule (auditctl rejects a b64 rule that names it).
-a exit,always -F arch=b64 -S adjtimex -S settimeofday
-a exit,always -F arch=b32 -S adjtimex -S settimeofday -S stime

User and group ID changes. seteuid and setegid are libc wrappers, not system calls (they are implemented on top of setresuid/setreuid and setresgid/setregid), so the kernel-level names are the ones to list:
-a exit,always -F arch=b64 -S setuid -S setreuid -S setresuid
-a exit,always -F arch=b64 -S setgid -S setregid -S setresgid

Mounts: on x86_64 the unmount call is named umount2 (plain umount is a 32-bit name).
-a exit,always -F arch=b64 -S mount -S umount2

Note: consult the syscall list before deciding what to monitor. Syscall rules are low-level and global, evaluated for every process on the host, and monitoring a high-frequency call will put a heavy load on the system. Always give a syscall rule an explicit -F arch=b64 or -F arch=b32: the same syscall number means a different call in the two tables, and a rule without an arch cannot tell a 32-bit process's calls apart from a 64-bit one's.
audit.rules sample (the stock CentOS 6 file with the rules from this article appended)
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 1024

# Feel free to add below this line. See auditctl man page

-a exit,always -F arch=b64 -S umask -S chown -S chmod
-a exit,always -F arch=b64 -S unlink -S rmdir
-a exit,always -F arch=b64 -S setrlimit

-a exit,always -F arch=b64 -S setuid -S setreuid
-a exit,always -F arch=b64 -S setgid -S setregid

-a exit,always -F arch=b64 -S sethostname -S setdomainname
-a exit,always -F arch=b64 -S adjtimex -S settimeofday

-a exit,always -F arch=b64 -S mount -S _sysctl

-w /etc/group -p wa
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/sudoers -p wa

-w /etc/ssh/sshd_config

-w /etc/bashrc -p wa
-w /etc/profile -p wa
-w /etc/profile.d/
-w /etc/aliases -p wa
-w /etc/sysctl.conf -p wa

-w /var/log/lastlog

# Disable adding any additional rules - note that adding *new* rules will require a reboot
#-e 2
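The following is an added example (shell, not code from the original post). It generates keyed watch rules for a list of paths, as in section 1, and lints a rule file for the pitfalls of section 2 and the sample above: the obsolete entry list, syscall rules without -F arch, the 32-bit-only names stime and umount in a rule that is not -F arch=b32, and rules without a -k key. The sample rule file is constructed for the demo; nothing here needs root or a running auditd.

```shell
#!/bin/sh
# Added example, not code from the original post. Builds keyed watch rules
# from a path list and lints a rule file for the mistakes discussed above.
# Assumptions: auditctl syntax, one rule per line; the sample rules below are
# constructed for this demo, and nothing here needs root or a running auditd.

# gen_watch_rules KEY PATH... : emit "-w PATH -p wa -k KEY" for each PATH.
# Missing paths are skipped (with a note on stderr) so one list can be reused
# on hosts that lack, say, /etc/at.allow. That is a design choice of this
# script; auditctl itself does not require the path to exist.
gen_watch_rules() {
    key=$1; shift
    for p in "$@"; do
        if [ -e "$p" ]; then
            printf '%s %s -p wa -k %s\n' -w "$p" "$key"
        else
            printf '# skipped missing path: %s\n' "$p" >&2
        fi
    done
}

# lint_audit_rules FILE : one line per finding, "line N: CODE: why: rule".
# Control options (-D, -b, -e ...) are ignored; only -w and -a rules are checked.
lint_audit_rules() {
    awk '
    /^[ \t]*(#|$)/ { next }
    $1 != "-w" && $1 != "-a" { next }
    {
        has_key = 0; has_sys = 0; arch = ""; b32only = ""
        for (i = 1; i <= NF; i++) {
            if ($i == "-k") has_key = 1
            if ($i == "-S") {
                has_sys = 1
                # stime and umount exist only in the i386 table; x86_64 has umount2
                if ($(i+1) == "stime" || $(i+1) == "umount") b32only = $(i+1)
            }
            if ($i == "-F" && substr($(i+1), 1, 5) == "arch=") arch = substr($(i+1), 6)
        }
        if ($1 == "-a" && $2 ~ /(^|,)entry(,|$)/)
            printf "line %d: DEPRECATED_LIST: entry is obsolete, use exit: %s\n", NR, $0
        if (has_sys && arch == "")
            printf "line %d: NO_ARCH: syscall rule without -F arch=, numbers differ between b32 and b64: %s\n", NR, $0
        if (b32only != "" && arch != "b32")
            printf "line %d: B32_ONLY: %s is not in the 64-bit table, put it in a -F arch=b32 rule: %s\n", NR, b32only, $0
        if (!has_key && $2 !~ /exclude/)
            printf "line %d: NO_KEY: no -k, so ausearch -k cannot select these events: %s\n", NR, $0
    }' "$1"
}

# lint_count FILE : number of findings, for scripting a pass/fail gate.
lint_count() {
    lint_audit_rules "$1" | awk 'END { print NR + 0 }'
}

# Constructed sample: good rules mixed with each mistake the linter knows.
SAMPLE_RULES=$(mktemp)
cat > "$SAMPLE_RULES" <<'EOF'
# sample audit.rules (constructed for the demo)
-D
-b 1024

-w /etc/passwd -p wa -k identity
-w /etc/shadow
-a entry,always -S sethostname -S setdomainname
-a always,exit -S mount -S umount
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S mount -S umount2 -k mounts
#-e 2
EOF

gen_watch_rules identity /etc/passwd /etc/group /etc/shadow /etc/sudoers
lint_audit_rules "$SAMPLE_RULES"
```

Run it against the real /etc/audit/audit.rules before restarting auditd: a single unresolvable syscall name makes auditctl stop at that line, and everything after it silently never loads.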
Reading the audit reports. aureport gives summaries; for individual events, ausearch -k key or ausearch -f path searches the raw log, and ausearch -i turns uids and syscall numbers into names.
aureport --start this-week

aureport --user

aureport --file

aureport --summary

See man aureport for details.
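As an added example (not from the original post), here is the correlation that aureport and ausearch perform, written out in awk over constructed raw audit.log lines. The SYSCALL, CWD and PATH records of one event share the serial number in msg=audit(time:serial); joining them answers who (auid, uid, comm, exe) touched which file under which key, and whether the call succeeded. The syscall-number table covers only a few x86_64 calls and the record layout is the 2.6.32-era one; on a real host ausearch -i resolves everything.

```shell
#!/bin/sh
# Added example, not code from the original post: correlate raw audit.log
# records by serial number and print who touched which file under a key.
# Assumptions: the record layout of the 2.6.32-era audit.log shown in the
# constructed sample below; syscall names are resolved only for x86_64
# (arch=c000003e) and only for a handful of calls, the rest stay numeric.

# audit_changes LOGFILE KEY : for every event whose SYSCALL record carries
# key="KEY", print one line per file-type PATH record of that event
# (mode 04xxxx entries are the parent-directory items and are skipped).
audit_changes() {
    awk -v want="$2" '
    # parse the key=value fields of one record into rec[] (quotes stripped)
    function kv(s,   n, i, pos, val) {
        split("", rec)
        n = split(s, f, " ")
        for (i = 1; i <= n; i++) {
            pos = index(f[i], "=")
            if (pos == 0) continue
            val = substr(f[i], pos + 1); gsub(/"/, "", val)
            rec[substr(f[i], 1, pos - 1)] = val
        }
    }
    BEGIN {
        m = split("2 open 257 openat 82 rename 87 unlink 90 chmod 92 chown 159 adjtimex 164 settimeofday 170 sethostname", t, " ")
        for (i = 1; i < m; i += 2) name64[t[i]] = t[i+1]
    }
    {
        kv($0)
        # msg=audit(1366279001.123:4567): -> serial 4567 ties the records of one event together
        serial = rec["msg"]; sub(/^audit\([0-9.]+:/, "", serial); sub(/\).*/, "", serial)
        if (rec["type"] == "SYSCALL") {
            if (!(serial in seen)) { seen[serial] = 1; order[++count] = serial }
            key[serial] = rec["key"]; ok[serial] = rec["success"]
            # auid 4294967295 is -1: no login session (daemons, boot-time processes)
            auid[serial] = (rec["auid"] == "4294967295") ? "unset" : rec["auid"]
            uid[serial] = rec["uid"]; comm[serial] = rec["comm"]; exe[serial] = rec["exe"]
            sc[serial] = rec["syscall"]
            if (rec["arch"] == "c000003e" && (sc[serial] in name64)) sc[serial] = name64[sc[serial]]
        } else if (rec["type"] == "PATH" && substr(rec["mode"], 1, 2) != "04") {
            paths[serial] = paths[serial] " " rec["name"]
        }
    }
    END {
        for (i = 1; i <= count; i++) {
            s = order[i]
            if (key[s] != want) continue
            n = split(paths[s], p, " ")
            if (n == 0) { n = 1; p[1] = "-" }   # syscall without a file, e.g. settimeofday
            for (j = 1; j <= n; j++)
                printf "serial=%s success=%s auid=%s uid=%s comm=%s exe=%s syscall=%s path=%s\n",
                       s, ok[s], auid[s], uid[s], comm[s], exe[s], sc[s], p[j]
        }
    }' "$1"
}

# Constructed sample log: root editing /etc/passwd under the identity key, a
# denied read of /etc/shadow by uid 500, and ntpd setting the clock.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
type=SYSCALL msg=audit(1366279001.123:4567): arch=c000003e syscall=2 success=yes exit=3 a0=7fff0a1b2c3d a1=241 a2=1b6 a3=0 items=2 ppid=1234 pid=1240 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="vi" exe="/bin/vi" key="identity"
type=CWD msg=audit(1366279001.123:4567):  cwd="/root"
type=PATH msg=audit(1366279001.123:4567): item=0 name="/etc/" inode=131073 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1366279001.123:4567): item=1 name="/etc/passwd" inode=131099 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1366279002.456:4568): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0a1b2c3d a1=0 a2=0 a3=0 items=1 ppid=2000 pid=2010 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=3 comm="cat" exe="/bin/cat" key="identity"
type=CWD msg=audit(1366279002.456:4568):  cwd="/home/alice"
type=PATH msg=audit(1366279002.456:4568): item=0 name="/etc/shadow" inode=131100 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1366279003.789:4569): arch=c000003e syscall=164 success=yes exit=0 a0=7fff0a1b2c3d a1=0 a2=0 a3=0 items=0 ppid=1 pid=3000 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" key="time-change"
EOF

audit_changes "$SAMPLE_LOG" identity
```

The auid column is the one to read in an incident: uid is what the process ran as, while auid is the user who originally logged in and survives su and sudo, which is why the first event shows uid=0 but auid=500.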
Reposted from 紫色葡萄's 51CTO blog; original link: http://blog.51cto.com/purplegrape/1010148. Contact the original author for reprint permission.