How to set up system security auditing on Linux

In today's digital age, network security has become a major challenge we face. To protect our systems and data from unauthorized access and malicious attacks, we need to implement a series of security measures. One of them is enabling system security auditing. This article describes how to set up system security auditing on Linux, with related code examples.

First, we need to understand what system security auditing is. System security auditing is a method of monitoring and recording system activity so that potential security risks and threats can be detected and analyzed. It can record login and logout events, access to files and directories, process activity and other system activity information. By analyzing this information, we can discover abnormal behaviour promptly and take corresponding measures.

On Linux systems, we can use the auditing subsystem (auditd) to implement system security auditing. First, make sure the auditd package is installed on your system. If it is not, install it with the following command:

sudo apt-get install auditd


After installation, we need to configure auditd to start recording system activity. Open the /etc/audit/auditd.conf file and make sure the following setting is enabled:

# Enable system boot logging
#
# When the auditd service starts, a boot record is written
#
# This record can be checked with the `ausearch -m SYSTEM_BOOT` command
#
# The default value is no
#
# Set it to yes to enable logging

AUDITD_ENABLED=yes


Next, we need to configure audit rules to specify the types of system activity we want to record. For example, the following rules record login and logout events and access to files and directories:

# Monitor login and logout events
-a always,exit -F arch=b64 -S execve -k login_logout

# Monitor file and directory access
-w /etc/passwd -p wa -k file_access
-w /etc/shadow -p wa -k file_access
-w /etc/group -p wa -k file_access


Add the rules above to the /etc/audit/rules.d/audit.rules file for them to take effect. After saving the file, reload the audit rules with the following command:

sudo auditctl -R /etc/audit/rules.d/audit.rules


In addition, we can use the auditctl command to add, modify and delete audit rules at run time. For example, the following command monitors user login and logout events:

sudo auditctl -a always,exit -F arch=b64 -S execve -k login_logout


ÒªÉó²éÒѼͼµÄϵͳÔ˶¯ £¬ÎÒÃÇ¿ÉÒÔʹÓÃausearchÏÂÁî¡£ÀýÈç £¬ÒÔÏÂÏÂÁ²éÕÒËùÓеǼºÍ×¢ÏúÊÂÎñµÄ¼Í¼£º

ausearch -m SYSTEM_LOGIN,SYSTEM_LOGOUT


Finally, to make it easier to analyze and report on system activity, we can use the audit log analysis scripts provided with the auditd tools. These scripts convert the audit log into a readable format and provide various filtering and statistics functions. For example, the following command shows the login and logout events of the last hour:

sudo aureport --start recent-hour -x --event login_logout

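To see what the -k keys from the rules above actually tag, the following added example (not part of the original article) parses raw /var/log/audit/audit.log records, groups them by audit serial the way ausearch does, and summarises the events carrying a given key. The log lines are constructed for the example; the rule keys login_logout and file_access match the rules in this article.

```python
import re
from collections import defaultdict

# Constructed sample in the raw audit.log format (not a real capture).
# Serial 502 is a successful open of /etc/shadow by root; 503 is a denied
# attempt (exit=-13, EACCES) by an unprivileged user, which the -w rule
# still records because the watch fires regardless of the outcome.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=1200 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key="login_logout"
type=EXECVE msg=audit(1700000000.101:501): argc=2 a0="bash" a1="-l"
type=SYSCALL msg=audit(1700000000.250:502): arch=c000003e syscall=257 success=yes exit=3 ppid=1200 pid=1300 auid=1000 uid=0 comm="vi" exe="/usr/bin/vi" key="file_access"
type=PATH msg=audit(1700000000.250:502): item=0 name="/etc/shadow" inode=1234 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.300:503): arch=c000003e syscall=257 success=no exit=-13 ppid=1200 pid=1301 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="file_access"
type=PATH msg=audit(1700000000.300:503): item=0 name="/etc/shadow" inode=1234 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
"""

HEADER_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')


def parse_record(line):
    """Turn one audit record into a dict of its key=value fields."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip('"\'') for k, v in FIELD_RE.findall(line[m.end():])}
    fields["type"] = m.group(1)
    fields["time"] = float(m.group(2))
    fields["serial"] = int(m.group(3))   # all records of one event share it
    return fields


def group_events(text):
    """Group records that share an audit serial into one event."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events


def events_for_key(text, key):
    """Summarise every event whose SYSCALL record was tagged with rule key `key`."""
    out = []
    for serial, recs in sorted(group_events(text).items()):
        sc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sc is None or sc.get("key") != key:
            continue
        paths = [r["name"] for r in recs if r["type"] == "PATH" and "name" in r]
        out.append({"serial": serial, "auid": int(sc["auid"]), "exe": sc["exe"],
                    "success": sc["success"] == "yes", "paths": paths})
    return out
```

Because auid (the login UID) survives su and sudo, the summary attributes the /etc/shadow access to the original user even when uid is 0.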

With the methods above, we can set up system security auditing on a Linux system and improve its security by monitoring and recording system activity. However, it is worth noting that system security auditing is only one security measure; it must be combined with other security measures to build a complete security defence system.

In summary, system security auditing is essential for protecting our systems and data from unauthorized access and malicious attacks. This article has provided methods and code examples for setting up system security auditing on Linux, and we hope it helps you.

²Î¿¼´úÂ룺

/etc/audit/auditd.conf

AUDITD_ENABLED=yes


/etc/audit/rules.d/audit.rules

# Monitor login and logout events
-a always,exit -F arch=b64 -S execve -k login_logout

# Monitor file and directory access
-w /etc/passwd -p wa -k file_access
-w /etc/shadow -p wa -k file_access
-w /etc/group -p wa -k file_access


sudo auditctl -a always,exit -F arch=b64 -S execve -k login_logout

ausearch -m SYSTEM_LOGIN,SYSTEM_LOGOUT

sudo aureport --start recent-hour -x --event login_logout
