Thursday, 7 September 2017

Ubuntu 16.04 LTS Audit Configuration

 auditctl   (controls the kernel's audit subsystem, including adding and deleting audit rules)
 ausearch   (queries the audit log records by condition)
 aureport   (produces audit report summaries)

# apt-get install auditd audispd-plugins
# auditctl -l
No rules 

# useradd kitty
# passwd kitty
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully

# ausearch -f /etc/passwd


# cat /etc/passwd | grep kitty
kitty:x:1001:1001::/home/kitty:

Configure auditing of file access by a specific user, kitty
# auditctl -a exit,always -F arch=x86_64 -S open -F auid=1001

# auditctl -l
-w /etc/passwd -p wa
-a always,exit -F arch=b64 -S open -F auid=1001

Log in as kitty and run the following commands
$ mkdir 123
$ top

# ausearch --start today --loginuid 1001 > /tmp/kitty.audit
# vi /tmp/kitty.audit

Monitor a specific directory, /var/www/html/public
-w /var/www/html/public/ -p wa -k WebPageChange

The /usr/share/doc/auditd/examples directory contains several example rule sets for international compliance standards
capp.rules.gz
lspp.rules.gz
nispom.rules.gz
stig.rules.gz

Taking the CAPP rule set as an example
# cp /usr/share/doc/auditd/examples/capp.rules.gz /etc/audit
# gzip -d  /etc/audit/capp.rules.gz

# auditctl -R /etc/audit/capp.rules
or
# cp /etc/audit/capp.rules /etc/audit/audit.rules
# systemctl restart auditd                       restart the auditd service
# auditctl -l
-a always,exit -F arch=b32 -S stime,settimeofday,adjtimex -F key=time-change
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
-w /etc/localtime -p wa -k time-change
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale

Basic use of audit reports
# ausearch -ua 1001 -i                                                     records in the audit log belonging to the user with uid 1001
# aureport --start 12/22/2018 00:00:00 --end 12/28/2018 00:00:00      summary report for a time range
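As an added example (not from the original post), the script below summarises raw audit.log records by the rule key (-k) they matched and the login uid (auid), tying together the per-user rule (-F auid=1001) and the keyed directory watch (-k WebPageChange) shown above. The sample records are constructed, with made-up timestamps, pids and serial numbers; the function names audit_key_summary and summarise_sample are chosen here and not part of auditd.

```shell
#!/bin/sh
# Summarise auditd SYSCALL records by rule key and login uid.
# Input: audit.log lines (or "ausearch --raw" output) on stdin.
# Output: "count key auid" lines, most frequent first.
audit_key_summary() {
    awk '
        $1 == "type=SYSCALL" {
            key = "(none)"; auid = "?"
            for (i = 1; i <= NF; i++) {
                # auid= is the login uid the -F auid=1001 rule filters on
                if ($i ~ /^auid=/) { auid = substr($i, 6) }
                # key= carries the -k name; unkeyed rules log key=(null)
                if ($i ~ /^key=/)  { key = substr($i, 5); gsub(/"/, "", key) }
            }
            n[key " " auid]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# Constructed sample records in the format auditd writes to audit.log.
# Timestamps, serials and pids are made up for illustration only.
SAMPLE_LOG='type=SYSCALL msg=audit(1504771200.101:201): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=441 a2=1b6 a3=0 items=1 ppid=1800 pid=1810 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=4 comm="vi" exe="/usr/bin/vim" key="WebPageChange"
type=CWD msg=audit(1504771200.101:201):  cwd="/var/www/html/public"
type=PATH msg=audit(1504771200.101:201): item=0 name="index.html" inode=1234 dev=08:01 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1504771260.250:202): arch=c000003e syscall=2 success=yes exit=4 a0=7ffd a1=0 a2=0 a3=0 items=1 ppid=1800 pid=1820 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=4 comm="top" exe="/usr/bin/top" key=(null)
type=SYSCALL msg=audit(1504771300.300:203): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=241 a2=1b6 a3=0 items=1 ppid=1 pid=1900 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=5 comm="vipw" exe="/usr/sbin/vipw" key="identity"
type=SYSCALL msg=audit(1504771320.400:204): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=441 a2=1b6 a3=0 items=1 ppid=1800 pid=1830 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=4 comm="sh" exe="/bin/dash" key="WebPageChange"'

# Run the summary over the constructed sample; on a real host feed
# /var/log/audit/audit.log (or ausearch --raw output) into audit_key_summary instead.
summarise_sample() {
    printf '%s\n' "$SAMPLE_LOG" | audit_key_summary
}
```

Two hits on WebPageChange from auid 1001 stand out first, while the unkeyed open by kitty's top session and root's vipw edit of /etc/passwd (identity) follow.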