eSight V300R009C00 Maintenance Guide 11

Enabling Linux Operating System Auditing

If the operating system is subject to audit requirements, configure audit rules on the Linux operating system and enable auditing. Perform this operation on every server.

Background

  • The object of auditing is the operating system. Once auditing is enabled, the system records all operations performed by operating system users in the audit log. The current log is "audit.log"; when it is rotated, the older logs are kept as "audit.log.1", "audit.log.2" and "audit.log.3", so "audit.log" holds the newest entries and "audit.log.3" the oldest.
  • The location of the audit log is set by the "log_file" parameter in the "/etc/audit/auditd.conf" file. The default is "/var/log/audit/audit.log".
  • If you move the audit log to another directory, make sure that directory has 10 GB of free space.
  • Audit logs must be backed up manually at regular intervals (only the rotated audit.log.N files need to be backed up). Choose the backup interval according to how fast audit logs are generated; backing up at least once a week is recommended.
  • Once operating system auditing is enabled, the log records the commands executed by users together with all of their arguments, which may include sensitive data. To keep the system secure, store the log files in a protected location.
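The following script is an added example and is not part of the eSight guide or of Huawei's tooling. It shows what the log described above actually contains: auditd writes each event as several lines (SYSCALL, EXECVE, CWD, PATH) that share one msg=audit(TIMESTAMP:SERIAL) identifier, and the EXECVE record is where the command line and all its arguments (the sensitive data the last bullet warns about) end up. The script joins the lines of each event back together, prints the rule key, login UID (auid), exe, result and argv, and flags events whose auid is unset (4294967295), which is what you see for sessions that did not pass through pam_loginuid. The three-event audit.log excerpt, the function names and the field layout below are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the eSight guide): join the multi-line records of
# an audit.log into one summary line per event. The sample log is constructed.

# write_sample_log FILE: a constructed three-event audit.log excerpt.
write_sample_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1574400000.101:2001): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b3c a1=1a2b40 a2=1a2b60 a3=0 items=1 ppid=4100 pid=4102 auid=500 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=100 sgid=100 fsgid=100 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="Execute_program"
type=EXECVE msg=audit(1574400000.101:2001): argc=2 a0="cat" a1="/etc/shadow"
type=CWD msg=audit(1574400000.101:2001):  cwd="/home/ossuser"
type=PATH msg=audit(1574400000.101:2001): item=0 name="/bin/cat" inode=131073 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1574400000.102:2002): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd0 a1=0 a2=1b6 a3=0 items=1 ppid=4100 pid=4102 auid=500 uid=500 gid=100 euid=500 suid=500 fsuid=500 egid=100 sgid=100 fsgid=100 tty=pts0 ses=3 comm="cat" exe="/bin/cat" key="access"
type=PATH msg=audit(1574400000.102:2002): item=0 name="/etc/shadow" inode=262401 dev=08:02 mode=0100640 ouid=0 ogid=15 rdev=00:00
type=SYSCALL msg=audit(1574400000.250:2003): arch=c000003e syscall=59 success=yes exit=0 a0=2c1f0 a1=2c240 a2=2c2a0 a3=0 items=1 ppid=1 pid=4200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/sh" key="Execute_program"
type=EXECVE msg=audit(1574400000.250:2003): argc=3 a0="sh" a1="-c" a2="id"
type=PATH msg=audit(1574400000.250:2003): item=0 name="/bin/sh" inode=131100 dev=08:02 mode=0100755 ouid=0 ogid=0 rdev=00:00
EOF
}

# summarize_audit FILE: one line per SYSCALL event: "ts:serial key auid=..
# uid=.. exe=.. success=.. exit=.. argv=[..] path=..". argv comes from the
# EXECVE record, path from the PATH record(s). auid 4294967295 is flagged.
summarize_audit() {
    awk '
    # field(s, name): value of "name=..." in record s, quotes stripped.
    # "(^| )" keeps "uid=" from matching inside "auid=" or "euid=".
    function field(s, name,   re, m) {
        re = "(^| )" name "=(\"[^\"]*\"|[^ ]*)"
        if (match(s, re)) {
            m = substr(s, RSTART, RLENGTH)
            sub(/^ /, "", m); sub(/^[^=]*=/, "", m); gsub(/"/, "", m)
            return m
        }
        return ""
    }
    {
        # every line of one event carries the same msg=audit(ts:serial)
        if (!match($0, /msg=audit\([0-9.]+:[0-9]+\)/)) next
        id = substr($0, RSTART + 10, RLENGTH - 11)
        rec = field($0, "type")
        if (rec == "SYSCALL") {
            order[++n] = id
            auid[id] = field($0, "auid")
            info[id] = field($0, "key") " auid=" auid[id] " uid=" field($0, "uid") \
                       " exe=" field($0, "exe") " success=" field($0, "success") \
                       " exit=" field($0, "exit")
        } else if (rec == "EXECVE") {
            argc = field($0, "argc") + 0
            for (i = 0; i < argc; i++)
                argv[id] = argv[id] (i ? " " : "") field($0, "a" i)
        } else if (rec == "PATH") {
            path[id] = path[id] (path[id] ? "," : "") field($0, "name")
        }
    }
    END {
        for (i = 1; i <= n; i++) {
            id = order[i]
            flag = (auid[id] == "4294967295" || auid[id] == "-1") ? \
                   " [auid UNSET: pam_loginuid missing?]" : ""
            printf "%s %s argv=[%s] path=%s%s\n", id, info[id], argv[id], path[id], flag
        }
    }' "$1"
}

# count_unset_auid FILE: print how many events have no login UID.
count_unset_auid() {
    summarize_audit "$1" | awk '/auid UNSET/ { n++ } END { print n + 0 }'
}

# Stand-alone demo on the constructed sample.
tmp=$(mktemp); write_sample_log "$tmp"; summarize_audit "$tmp"; rm -f "$tmp"
```

On a live server run it as root against the real file (summarize_audit /var/log/audit/audit.log) or against a rotated audit.log.N before backing it up; the argv column is the reason the log has to be kept in a protected location. The parser handles quoted values without embedded spaces, which is how the audit subsystem writes them (values with spaces or unprintable bytes are hex-encoded and would need decoding).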

Procedure

  1. Log in to the server as user ossuser.

    In a two-node (active/standby) deployment, perform this operation on both the active and the standby server.

  2. Run the following command to switch to the root user.

    > su - root

  3. Check whether the Audit Framework and the related libs packages are installed on the SUSE system.

    # rpm -qa|grep audit

    • If the output contains a package similar to "audit-1.8-0.30.1", the Audit Framework is installed.
    • If the output contains packages similar to "audit-libs-32bit-1.8-0.30.1" and "audit-libs-1.8-0.30.1", the libs packages are installed.

    If the Audit Framework and the related libs packages are not installed on the SUSE system, contact Huawei technical support.

  4. Set the parameters in the "/etc/sysconfig/auditd" file.

    # vi /etc/sysconfig/auditd

    • Set "AUDITD_LANG" to "en_US".
    • Set "AUDITD_DISABLE_CONTEXTS" to "no".
      AUDITD_LANG="en_US"
      AUDITD_DISABLE_CONTEXTS="no"
  5. Press Esc and run :wq to save the file and leave the editor.
  6. Set the parameters in the "/etc/audit/auditd.conf" file.

    # vi /etc/audit/auditd.conf

    • Set "max_log_file" to "1000" (the size, in MB, at which a log file is rotated).
    • Set "space_left" to "1000" (free space, in MB, below which the space_left_action is taken).
    • Set "admin_space_left" to "100" (free space, in MB, below which the admin_space_left_action is taken).
    • Set "admin_space_left_action" to "SYSLOG".
    • Set "max_log_file_action" to "rotate".
      max_log_file = 1000
      space_left = 1000
      admin_space_left = 100
      admin_space_left_action = SYSLOG
      max_log_file_action = rotate

    Run man auditd.conf for a description of each parameter in "auditd.conf".

  7. Press Esc and run :wq to save the file and leave the editor.
  8. Check the "login", "sshd", "crond" and "atd" files in the "/etc/pam.d" directory and make sure that each of them contains the following lines. Add them manually if they are missing. pam_loginuid.so sets the login UID (auid) of each new session; the rules in step 12 that filter on "auid>=500" and "auid!=4294967295" only match sessions that were opened through one of these PAM services after this change.

    # vi /etc/pam.d/<file name>

    session    required    pam_loginuid.so
    session    include    common-session
  9. Press Esc and run :wq to save the file and leave the editor.
  10. Update the "/boot/grub/menu.lst" configuration file.

    Append audit=1 to the end of every line that begins with the kernel keyword, separated from the preceding parameter by a space. The change takes effect at the next reboot; with audit=1 the kernel enables auditing from boot instead of waiting for auditd to start, so processes started early in boot are also audited.

    # vi /boot/grub/menu.lst

    password --md5 $1$cvv5E$RzImhAv6QIa/57cbAyxAS0
    # Modified by YaST2. Last modification on Mon May 11 19:09:47 CST 2015
    default 0
    timeout 8
    ##YaST - generic_mbr
    gfxmenu (hd0,1)/boot/message
    ##YaST - activate

    ###Don't change this comment - YaST2 identifier: Original name: linux###
    title SUSE Linux Enterprise Server 11 SP3 - 4.4.59-92.24
        root (hd0,1)
        kernel /boot/vmlinuz-4.4.59-92.24-default root=/dev/disk/by-id/scsi-35000c500712b918b-part2 System resume=/dev/sda1 splash=silent crashkernel=256M-:128M showoptsode=dvd  console=ttyS0,115200 console=tty0 audit=1
        initrd /boot/initrd-4.4.59-92.24-default

    ###Don't change this comment - YaST2 identifier: Original name: failsafe###
    title Failsafe -- SUSE Linux Enterprise Server 11 SP3 - 4.4.59-92.24
        root (hd0,1)
        kernel /boot/vmlinuz-4.4.59-92.24-default root=/dev/disk/by-id/scsi-35000c500712b918b-part2 showopts ide=nodma apm=off noresume edd=off powersaved=off nohz=off highres=off processor.max_cstate=1 nomodeset x11failsafe vga=0x314 audit=1
        initrd /boot/initrd-4.4.59-92.24-default


    ###Don't change this comment - YaST2 identifier: Original name: linux###
    title SUSE Linux Enterprise Server 11 SP3 - 3.0.76-0.11 (default)
        root (hd0,1)
        kernel /boot/vmlinuz-3.0.76-0.11-default root=/dev/disk/by-id/scsi-35000c500712b918b-part2 System resume=/dev/sda1 splash=silent crashkernel=256M-:128M showoptsode=dvd  showopts vga=0x314 audit=1
        initrd /boot/initrd-3.0.76-0.11-default


    ###Don't change this comment - YaST2 identifier: Original name: failsafe###
    title Failsafe -- SUSE Linux Enterprise Server 11 SP3 - 3.0.76-0.11
        root (hd0,1)
        kernel /boot/vmlinuz-3.0.76-0.11-default root=/dev/disk/by-id/scsi-35000c500712b918b-part2 showopts ide=nodma apm=off noresume edd=off powersaved=off nohz=off highres=off processor.max_cstate=1 nomodeset x11failsafe vga=0x314 audit=1
        initrd /boot/initrd-3.0.76-0.11-default
  11. Press Esc and run :wq to save the file and leave the editor.
  12. Update the "/etc/audit/audit.rules" configuration file.

    Copy all of the following into the shell and run it. When it completes, the "/etc/audit/audit.rules" file has been rewritten with this content.

    echo "# # This file contains the auditctl rules that are loaded 
    # whenever the audit daemon is started via the initscripts. 
    # The rules are simply the parameters that would be passed 
    # to auditctl. 
     
    # First rule - delete all 
    -D 
     
    # Increase the buffers to survive stress events. 
    # Make this bigger for busy systems 
    -b 25600 
     
    #  Enable the audit subsystem. 
    -e 1 
     
    # Set the failure flag to use when the kernel needs to handle critical errors.  
    # Possible values are 0 (silent), 1 (printk, print a failure message),  
    # and 2 (panic, halt the system). 
    -f 1 
     
    # Feel free to add below this line. See auditctl man page 
     
    # Set watches on the at and cron configuration and the scheduled jobs  
    # and assign labels to these events. 
    -w /var/spool/at -k Cron_cfg 
    -w /etc/at.allow -k Cron_cfg 
    -w /etc/at.deny -k Cron_cfg 
    -w /etc/cron.allow -p wa -k Cron_cfg 
    -w /etc/cron.deny -p wa -k Cron_cfg 
    -w /etc/cron.d/ -p wa -k Cron_cfg 
    -w /etc/cron.daily/ -p wa -k Cron_cfg 
    -w /etc/cron.hourly/ -p wa -k Cron_cfg 
    -w /etc/cron.monthly/ -p wa -k Cron_cfg 
    -w /etc/cron.weekly/ -p wa -k Cron_cfg 
    -w /etc/crontab -p wa -k Cron_cfg 
    -w /var/spool/cron/root -k Cron_cfg 
     
    # Set watches on the user, group, password, and login databases and logs 
    # and set labels to better identify any login-related events,  
    # such as failed login attempts. 
    -w /etc/group -p wa -k LoginFile_access 
    -w /etc/passwd -p wa -k LoginFile_access 
    -w /etc/shadow -k LoginFile_access 
    -w /etc/login.defs -p wa -k LoginFile_access 
    -w /etc/securetty -k LoginFile_access 
    -w /var/log/faillog -k LoginFile_access 
    -w /var/log/lastlog -k LoginFile_access 
     
    # Set a watch and a label on the static hostname configuration in /etc/hosts. 
    # Track changes to the system configuration directory, /etc/sysconfig. Enable 
    # per-file watches if you are interested in file events. Set watches and labels 
    # for changes to the boot configuration in /etc/inittab and the /etc/init.d 
    # directory. Enable per-file watches if you are interested in file events. Set 
    # watches and labels for any changes to the linker configuration  
    # in /etc/ld.so.conf. 
    # Set watches and a label for /etc/localtime. Set watches and labels for the 
    # kernel configuration files /etc/sysctl.conf, /etc/modprobe.d/, /etc/ 
    # modprobe.conf.local, and /etc/modprobe.conf. 
    -w /etc/hosts -p wa -k SysFile_mod 
    -w /etc/sysconfig/ -k SysDir_access 
    -w /etc/inittab -p wa -k SysFile_mod 
    -w /etc/init.d/ -k SysDir_access 
    -w /etc/init.d/auditd -p wa -k SysFile_mod 
    -w /etc/ld.so.conf -p wa -k SysFile_mod 
    -w /etc/localtime -p wa -k SysFile_mod 
    -w /etc/sysctl.conf -p wa -k SysFile_mod 
    -w /etc/modprobe.d/ -k SysDir_access 
    -w /etc/modprobe.conf.local -p wa -k SysFile_mod 
    -w /etc/modprobe.conf -p wa -k SysFile_mod 
    # Set watches on the PAM configuration directory.  
    # If you are interested in particular files below the directory level,  
    # add explicit watches to these files as well. 
    -w /etc/pam.d/ -k PamDir_access 
    # Set watches to the postfix configuration to log any write attempt or  
    # attribute change and use labels for better tracking in the logs. 
    -w /etc/aliases -p wa -k Aliases_cfg 
    -w /etc/postfix/ -p wa -k Postfix_cfg 
    # Set watches and labels on the ssh configuration files. 
    -w /etc/ssh/sshd_config -k SSH_cfg 
    # Perform an audit of the sethostname system call and set watches and labels  
    # on the system identification configuration in /etc/issue and /etc/issue.net. 
    -a exit,always -F arch=b64 -S sethostname -k SetHostName 
    -w /etc/issue -p wa -k IssueInf_mod 
    -w /etc/issue.net -p wa -k IssueInf_mod 
     
    -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change  
    -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change  
    -a always,exit -F arch=b64 -S clock_settime -k time-change  
    -a always,exit -F arch=b32 -S clock_settime -k time-change  
    -w /etc/localtime -p wa -k time-change  
     
    -w /etc/group -p wa -k identity  
    -w /etc/passwd -p wa -k identity  
    -w /etc/gshadow -p wa -k identity  
    -w /etc/shadow -p wa -k identity  
    -w /etc/security/opasswd -p wa -k identity 
     
    -a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale  
    -a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale  
    -w /etc/issue -p wa -k system-locale  
    -w /etc/issue.net -p wa -k system-locale 
    -w /etc/hosts -p wa -k system-locale  
    -w /etc/sysconfig/network -p wa -k system-locale  
     
    -w /var/log/faillog -p wa -k logins  
    -w /var/log/lastlog -p wa -k logins  
    -w /var/log/tallylog -p wa -k logins 
    -w /var/run/utmp -p wa -k session  
    -w /var/log/wtmp -p wa -k session  
    -w /var/log/btmp -p wa -k session  
     
    -a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged 
    -a always,exit -F path=/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged 
    -a always,exit -F path=/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged 
    -a always,exit -F path=/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged 
    -a always,exit -F path=/bin/eject -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged 
    -a always,exit -F path=/bin/ping6 -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged 
    -a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged 
    -a always,exit -F path=/sbin/mount.nfs -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged 
    -a always,exit -F path=/sbin/unix2_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged 
     
     
    -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod  
    -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod 
    -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod  
    -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod  
    -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod  
    -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod   
    -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr  
     
    -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access  
    -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access  
    -a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access  
    -a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access  
     
    -a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts  
    -a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts  
     
    -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete  
    -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete  
     
    -w /etc/sudoers -p wa -k scope  
    -w /etc/selinux/ -p wa -k MAC-policy 
    -w /var/log/sudo.log -p wa -k actions  
     
    -w /sbin/insmod -p x -k modules  
    -w /sbin/rmmod -p x -k modules  
    -w /sbin/modprobe -p x -k modules  
    -a always,exit  -F arch=b64 -S init_module -S delete_module -k modules 
     
    # Set a watch on the directory where the audit log is located. Trigger an 
    # event for any type of access attempt to this directory.  
    -w /var/log/audit/ -k AuditDir_access 
    -w /var/log/audit/audit.log -k AuditLog_access 
    # Set a watch on an audit configuration file. Log all write and attribute 
    # change attempts to this file. 
    -w /etc/audit/auditd.conf -p wa -k Audit_cfg 
    -w /etc/audit/audit.rules -p wa -k Audit_cfg 
    -w /etc/libaudit.conf -p wa -k Audit_cfg 
    -w /etc/sysconfig/auditd -p wa -k Audit_cfg 
     
    # Enable an audit context for system calls related to changing  
    # file ownership and permissions. 
    -a entry,always -F arch=b64 -S chmod -S fchmod -S chown -S fchown -S lchown -k FileAttr_mod 
    # Enable an audit context for system calls related to file content modification. 
    # This will affect the performance greatly. 
    #-a entry,always -F arch=b64 -S creat -S open -S truncate -S ftruncate -k File_opr 
    # Enable an audit context for any directory operation,  
    # like creating or removing a directory. 
    -a entry,always -F arch=b64 -S mkdir -S rmdir -k Dir_opr 
    # Enable an audit context for any linking operation, 
    # such as symlink,link,unlink,or rename. 
    -a entry,always -F arch=b64 -S unlink -S rename -S link -S symlink -k Link_opr 
    # Enable an audit context for any operation related to  
    # extended file system attributes. 
    -a entry,always -F arch=b64 -S setxattr -k FS_Attr_opr 
    -a entry,always -F arch=b64 -S lsetxattr -k FS_Attr_opr 
    -a entry,always -F arch=b64 -S fsetxattr -k FS_Attr_opr 
    -a entry,always -F arch=b64 -S removexattr -k FS_Attr_opr 
    -a entry,always -F arch=b64 -S lremovexattr -k FS_Attr_opr 
    -a entry,always -F arch=b64 -S fremovexattr -k FS_Attr_opr 
    # Enable an audit context for the mknod system call,  
    # which creates special (device) files. 
    -a entry,always -F arch=b64 -S mknod -k MakeNode 
    # Enable an audit context for any mount or umount operation. 
    -a entry,always -F arch=b64 -S mount -S umount2 -k Mount_opr 
    # Track task creation. 
    -a entry,always -F arch=b64 -S clone -S fork -S vfork -k Task_create 
    # Add an audit context to the umask system call. 
    -a entry,always -F arch=b64 -S umask -k Umask 
    # setuid Operation 
    -a entry,always -F arch=b64 -S setuid -k Setuid_Opr 
    # setgid Operation 
    -a entry,always -F arch=b64 -S setgid -k Setgid_Opr 
    # Track attempts to change the system time. adjtimex can be used to  
    # skew the time. settimeofday sets the absolute time. 
    -a entry,always -F arch=b64 -S adjtimex -S settimeofday -k Time_mod 
    # execute program 
    -a entry,always -F arch=b64 -S execve -k Execute_program 
    # kill operation 
    -a entry,always -F arch=b64 -S kill -k Kill_opr 
    # reboot or enable/disable Ctrl-Alt -Del 
    -a entry,always -F arch=b64 -S reboot -k Reboot " > /etc/audit/audit.rules
  13. Load the audit rules.

    # auditctl -D

    No rules

    # dos2unix /etc/audit/audit.rules

    dos2unix: converting file /etc/audit/audit.rules to UNIX format ...

    # auditctl -R /etc/audit/audit.rules

    The system displays information similar to the following:

    No rules 
    AUDIT_STATUS: enabled=0 flag=1 pid=5165 rate_limit=0 backlog_limit=25600 lost=8 backlog=0 
    AUDIT_STATUS: enabled=1 flag=1 pid=5165 rate_limit=0 backlog_limit=25600 lost=8 backlog=0 
    AUDIT_STATUS: enabled=1 flag=1 pid=5165 rate_limit=0 backlog_limit=25600 lost=8 backlog=1
  14. Restart the audit service.

    # rcauditd restart

    Shutting down auditd                                                 done 
    Starting auditd                                                      done
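The checks below are an added example and are not part of the eSight guide or of Huawei's tooling. They are the checks a practitioner would run on each server after steps 4 to 14 to catch a mis-edited file before the audit trail is relied on: the expected auditd.conf and /etc/sysconfig/auditd values from steps 4 and 6, the pam_loginuid line from step 8, audit=1 on the running kernel's command line from step 10, the login UID of the current session, and a lint of the rules file that reports rules using the deprecated "entry" filter list (newer auditctl releases move them to the exit list with a warning) and rules without a "-k" key, which "ausearch -k" cannot find. Every check takes a file path, so it runs both on the live files and on the constructed sample files that make_samples writes; the function names, the sample files and the expected-value strings are this example's own.

```shell
#!/bin/sh
# Added example (not from the eSight guide): post-configuration checks for
# the auditd setup. Sample files written by make_samples are constructed.

# Expected values from steps 4 and 6 (whitespace and quotes are ignored).
AUDITD_CONF_EXPECT="max_log_file=1000 space_left=1000 admin_space_left=100 admin_space_left_action=SYSLOG max_log_file_action=rotate"
SYSCONFIG_EXPECT="AUDITD_LANG=en_US AUDITD_DISABLE_CONTEXTS=no"

# check_kv FILE EXPECT: exit status = number of keys in EXPECT whose last
# uncommented assignment in FILE differs from the expected value.
check_kv() {
    file=$1; expect=$2; missing=0
    for pair in $expect; do
        key=${pair%%=*}; want=${pair#*=}
        got=$(awk -F= -v k="$key" '
            $0 !~ /^[ \t]*#/ {
                gsub(/^[ \t]+|[ \t]+$/, "", $1)
                if ($1 == k) { v = $2; gsub(/^[ \t"]+|[ \t"]+$/, "", v); print v }
            }' "$file" | tail -n 1)
        if [ "$got" != "$want" ]; then
            echo "MISMATCH $file: $key is '${got:-<unset>}', expected '$want'" >&2
            missing=$((missing + 1))
        fi
    done
    return $missing
}

# check_pam FILE: the step-8 pam_loginuid line must be present and active.
# Without it new sessions keep auid 4294967295 and no rule filtered with
# "-F auid>=500 -F auid!=4294967295" ever fires for them.
check_pam() {
    grep -Eq '^[[:space:]]*session[[:space:]]+required[[:space:]]+pam_loginuid\.so' "$1"
}

# check_cmdline FILE: audit=1 must be a separate word (FILE = /proc/cmdline).
check_cmdline() {
    grep -Eq '(^|[[:space:]])audit=1([[:space:]]|$)' "$1"
}

# check_loginuid FILE: FILE = /proc/self/loginuid on a live system. The
# value 4294967295 (or -1) means this session did not pass pam_loginuid.
check_loginuid() {
    v=$(cat "$1")
    [ -n "$v" ] && [ "$v" != "4294967295" ] && [ "$v" != "-1" ]
}

# lint_rules FILE: print questionable rules, exit status = finding count.
lint_rules() {
    awk '
        /^[ \t]*#/ || /^[ \t]*$/ { next }
        /^-a[ \t]+entry,/ || /^-a[ \t]+always,entry/ { print "entry-filter: " $0; n++ }
        (/^-a[ \t]/ || /^-w[ \t]/) && $0 !~ /(^|[ \t])-k[ \t]/ { print "no-key: " $0; n++ }
        END { exit n + 0 }
    ' "$1"
}

# make_samples DIR: constructed sample files, some deliberately wrong.
make_samples() {
    printf '%s\n' 'log_file = /var/log/audit/audit.log' 'max_log_file = 1000' \
        'space_left = 1000' 'admin_space_left = 100' \
        'admin_space_left_action = SYSLOG' 'max_log_file_action = rotate' > "$1/auditd.conf"
    printf '%s\n' 'AUDITD_LANG="en_US"' 'AUDITD_DISABLE_CONTEXTS="yes"' > "$1/sysconfig_auditd"
    printf '%s\n' 'session    required    pam_loginuid.so' \
        'session    include    common-session' > "$1/pam_sshd"
    printf '%s\n' '#session   required    pam_loginuid.so' \
        'session    include    common-session' > "$1/pam_crond"
    printf '%s\n' 'root=/dev/sda2 console=ttyS0,115200 console=tty0 audit=1' > "$1/cmdline"
    printf '%s\n' '4294967295' > "$1/loginuid_unset"
    printf '%s\n' '-D' '-b 25600' '-w /etc/passwd -p wa -k identity' \
        '-a always,exit -F arch=b64 -S setxattr -S lsetxattr' \
        '-a entry,always -F arch=b64 -S execve -k Execute_program' > "$1/audit.rules"
}

# demo: run every check against the samples and report.
demo() {
    d=$(mktemp -d)
    make_samples "$d"
    check_kv "$d/auditd.conf" "$AUDITD_CONF_EXPECT" && echo "auditd.conf: OK" || echo "auditd.conf: FAIL"
    check_kv "$d/sysconfig_auditd" "$SYSCONFIG_EXPECT" && echo "sysconfig/auditd: OK" || echo "sysconfig/auditd: FAIL"
    check_pam "$d/pam_sshd" && echo "pam sshd: OK" || echo "pam sshd: FAIL"
    check_pam "$d/pam_crond" && echo "pam crond: OK" || echo "pam crond: FAIL"
    check_cmdline "$d/cmdline" && echo "cmdline: OK" || echo "cmdline: FAIL"
    check_loginuid "$d/loginuid_unset" && echo "loginuid: OK" || echo "loginuid: FAIL (auid unset)"
    lint_rules "$d/audit.rules" || echo "audit.rules: $? finding(s)"
    rm -rf "$d"
}
demo
```

On a live server the same functions are called with the real paths: check_kv /etc/audit/auditd.conf "$AUDITD_CONF_EXPECT", check_kv /etc/sysconfig/auditd "$SYSCONFIG_EXPECT", check_pam /etc/pam.d/sshd (and login, crond, atd), check_cmdline /proc/cmdline, check_loginuid /proc/self/loginuid from a session opened after step 8, and lint_rules /etc/audit/audit.rules. Confirm with auditctl -s that enabled=1 and with auditctl -l that the rules are loaded. Note that the rule set keeps "-e 1", so root can still change or delete rules at runtime; "-e 2" would lock the configuration until the next reboot, which is stricter but also means step 13 cannot be repeated without rebooting.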
Updated: 2019-11-22

Document ID: EDOC1100011879