audit and syslog in AIX
Security auditing on a system has two parts: the audit subsystem and the syslog logging system. They relate as follows:
the audit subsystem records security information only, so that security events can be traced afterwards;
the syslog logging system records information of every kind from the system: security, debugging, runtime status and so on.
If audit is not running, the kernel passes the security audit information to the syslog system. (That sentence describes Linux, where kernel audit records are written to the kernel log, and so to syslog, when no auditd is registered; on AIX the bin and stream modes of the audit subsystem are its only outputs, and there is no automatic fallback to syslog while it is stopped.)
I. Security auditing on AIX
/etc/security/audit/config     the audit configuration file
/etc/security/audit/events     audit of system actions (the event definitions)
/etc/security/audit/objects    audit of system objects (files)
Related concepts:
1. Mode
The way records are collected: bin mode (binary records written to files) or stream mode (records written to a pipe and processed as they occur);
2. Events
Actions defined by the system, for example PASSWORD_Change;
3. Classes
A class is a named group of events;
4. Objects
Files; the listed files are watched for read, write and execute access.
1. /etc/security/audit/config
start:
        binmode = on                   (bin mode is enabled)
        streammode = off
bin:
        trail = /audit/trail
        bin1 = /audit/bin1             (where the audit records are stored in bin mode)
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds
        freespace = 65536
stream:
        cmds = /etc/security/audit/streamcmds    (stream mode)
classes:        (the classes stanza; the classes predefined in the shipped file are general, objects, SRC, kernel, files, svipc, mail, cron, tcpip, ipsec, lvm, ldapserver and aacct, all listed below)
        general = USER_SU,PASSWORD_Change,FILE_Unlink,FILE_Link,FILE_Rename,FS_Chdir,FS_Chroot,PORT_Locked,PORT_Change,FS_Mkdir,FS_Rmdir
        (events defined in /etc/security/audit/events, grouped into the general class)
        objects = S_ENVIRON_WRITE,S_GROUP_WRITE,S_LIMITS_WRITE,S_LOGIN_WRITE,S_PASSWD_READ,S_PASSWD_WRITE,S_USER_WRITE,AUD_CONFIG_WR
        (events defined in /etc/security/audit/objects, grouped into the objects class)
        SRC = SRC_Start,SRC_Stop,SRC_Addssys,SRC_Chssys,SRC_Delssys,SRC_Addserver,SRC_Chserver,SRC_Delserver
        kernel = PROC_Create,PROC_Delete,PROC_Execute,PROC_RealUID,PROC_AuditID,PROC_RealGID,PROC_Environ,PROC_SetSignal,PROC_Limits,PROC_SetPri
        files = FILE_Open,FILE_Read,FILE_Write,FILE_Close,FILE_Link,FILE_Unlink,FILE_Rename
        svipc = MSG_Create,MSG_Read,MSG_Write,MSG_Delete,MSG_Owner,MSG_Mode,SEM_Create,SEM_Op,SEM_Delete,SEM_Owner,SEM_Mode,SHM_Create,SHM_Open,SHM_Close,SHM_Owner,SHM_Mode
        mail = SENDMAIL_Config,SENDMAIL_ToFile
        cron = AT_JobAdd,AT_JobRemove,CRON_JobAdd,CRON_JobRemove,CRON_Start,CRON_Finish
        tcpip = TCPIP_config,TCPIP_host_id,TCPIP_route,TCPIP_connect,TCPIP_data_out,TCPIP_data_in,TCPIP_access,TCPIP_set_time,TCPIP_kconfig,TCPIP_kroute,TCPIP_kconnect,TCPIP_kdata_out,TCPIP_kdata_in,TCPIP_kcreate
        ipsec = IPSEC_chtun,IPSEC_export,IPSEC_gentun,IPSEC_imptun,IPSEC_lstun,IPSEC_mktun,IPSEC_rmtun,IPSEC_chfilt,IPSEC_expfilt,IPSEC_genfilt,IPSEC_trcbuf,IPSEC_impfilt,IPSEC_lsfilt,IPSEC_mkfilt,IPSEC_mvfilt,IPSEC_rmfilt,IPSEC_unload,IPSEC_stat,IKE_tnl_creat,IKE_tnl_delet,IPSEC_p1_nego,IPSEC_p2_nego,IKE_activat_cmd,IKE_remove_cmd
        lvm = LVM_AddLV,LVM_KDeleteLV,LVM_ExtendLV,LVM_ReduceLV,LVM_KChangeLV,LVM_AvoidLV,LVM_MissingPV,LVM_AddPV,LVM_AddMissPV,LVM_DeletePV,LVM_RemovePV,LVM_AddVGSA,LVM_DeleteVGSA,LVM_SetupVG,LVM_DefineVG,LVM_KDeleteVG,LVM_ChgQuorum,LVM_Chg1016,LVM_UnlockDisk,LVM_LockDisk,LVM_ChangeLV,LVM_ChangeVG,LVM_CreateLV,LVM_CreateVG,LVM_DeleteVG,LVM_DeleteLV,LVM_VaryoffVG,LVM_VaryonVG
        ldapserver = LDAP_Bind,LDAP_Unbind,LDAP_Add,LDAP_Delete,LDAP_Modify,LDAP_Modifydn,LDAP_Search,LDAP_Compare
        aacct = AACCT_On,AACCT_Off,AACCT_AddFile,AACCT_ResetFile,AACCT_RmFile,AACCT_SwtchFile,AACCT_TridOn,AACCT_TridOff,AACCT_SysIntOff,AACCT_SysIntSet,AACCT_PrIntOff,AACCT_PrIntSet,AACCT_SwtchProj,AACCT_AddProj,AACCT_RmProj,AACCT_PolLoad,AACCT_PolUnload,AACCT_NotChange,AACCT_NotifyOff
users:          (this stanza assigns classes to users; an entry must name a login user, or the keyword default, which applies to every user without an entry of its own)
        root = general                 (the system records the general-class events performed by root)
2. /etc/security/audit/events
The events file holds the definition of every event the audit subsystem knows, together with the format string that auditpr uses to print the record for that event;
the events are grouped into kernel process events, audit, file system events, SVIPC events, TCP/IP user level, TCP/IP kernel level, commands, LVM events, objects (files), miscellaneous, SecureWay Directory Server, Certificate Authentication Services, RTIPC events, Advanced Accounting events, IPSEC user level and so on. That is far more than is normally wanted, so the events actually audited are selected through the classes stanza of /etc/security/audit/config.
3. /etc/security/audit/objects
Each stanza names a file; r, w and x give the event to record for reads, writes and executes of that file. The shipped file watches the security databases and the audit configuration itself:
/etc/security/environ:
        w = "S_ENVIRON_WRITE"
/etc/security/group:
        w = "S_GROUP_WRITE"
/etc/security/limits:
        w = "S_LIMITS_WRITE"
/etc/security/login.cfg:
        w = "S_LOGIN_WRITE"
/etc/security/passwd:
        r = "S_PASSWD_READ"
        w = "S_PASSWD_WRITE"
/etc/security/user:
        w = "S_USER_WRITE"
/etc/security/audit/config:
        w = "AUD_CONFIG_WR"
4. Example
a. Analysis
– The monitoring runs for a long time and historical data must be kept, so bin mode is the right collection mode
– su and passwd operations must be monitored; these map to the audit events USER_SU and PASSWORD_Change
– Reads and writes of /home/test/test.ini must be monitored, so that file must be defined as an audit object
– File deletions by user test must be monitored; these map to the audit event FILE_Unlink
– Starting, stopping and backing up the audit trail can be scheduled with crontab
b. Configure /etc/security/audit/config
Make sure /audit has enough free space; if possible, create a separate file system for /audit. Set the collection mode by editing the start and bin stanzas of the config file:
start:
        binmode = on
        streammode = off
bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
        binsize = 10240
        cmds = /etc/security/audit/bincmds
        freespace = 65536
c. Add to /etc/security/audit/objects:
/home/test/test.ini:
        w = "TEST_FILE_WR"
        r = "TEST_FILE_RD"
d. In the objects (files) section of /etc/security/audit/events, add:
* /home/test/test.ini
        TEST_FILE_WR = printf "%s"
        TEST_FILE_RD = printf "%s"
e. Select the audited events in /etc/security/audit/config by editing the classes and users stanzas:
classes:
        classone = USER_SU,PASSWORD_Change
        classtwo = FILE_Unlink
        objects = TEST_FILE_WR,TEST_FILE_RD
users:
        test = classone,classtwo
        default = classone
Explanation:
Class classone contains the two events USER_SU and PASSWORD_Change;
class classtwo contains the single event FILE_Unlink.
Once the audit subsystem is started, events in classes classone and classtwo are recorded for user test, and events in classone for every other user (the default entry);
the audit objects are the two events TEST_FILE_WR and TEST_FILE_RD: any access to the file that matches them is recorded whoever the user is, root included.
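Before audit start is run it pays to check that the three files agree with each other: a users entry naming a class that does not exist, or an object event added in step c but forgotten in step d, is easy to miss and only shows up as a missing or unprintable record later. The following added example (not code from the original post or from IBM) parses the AIX stanza format and performs those checks on constructed fragments built from the example above; the printf format strings in the events fragment are placeholders, not IBM's definitions.

```python
"""Cross-check the AIX audit stanza files before running audit start.

Added example, not code from the original post or from IBM. CONFIG, OBJECTS and
EVENTS are constructed fragments in the format of /etc/security/audit/config,
objects and events, built from the example above; the printf format strings in
EVENTS are placeholders, not IBM's. Everything runs offline on the text.
"""

CONFIG = """\
start:
        binmode = on
        streammode = off
bin:
        trail = /audit/trail
        bin1 = /audit/bin1
        bin2 = /audit/bin2
classes:
        classone = USER_SU,PASSWORD_Change
        classtwo = FILE_Unlink
        objects = TEST_FILE_WR,TEST_FILE_RD
users:
        test = classone,classtwo
        default = classone
"""

OBJECTS = """\
/home/test/test.ini:
        w = "TEST_FILE_WR"
        r = "TEST_FILE_RD"
"""

EVENTS = """\
auditpr:
        USER_SU = printf "%s"
        PASSWORD_Change = printf "%s"
        FILE_Unlink = printf "%s"
* /home/test/test.ini
        TEST_FILE_WR = printf "%s"
        TEST_FILE_RD = printf "%s"
"""

# Constructed faults: a typo in users:, and step d skipped for one object event.
BROKEN_CONFIG = CONFIG.replace("test = classone,classtwo", "test = clasone,classtwo")
BROKEN_EVENTS = EVENTS.replace('        TEST_FILE_RD = printf "%s"\n', "")


def parse_stanzas(text):
    """Parse an AIX stanza file into {stanza: {key: value}}: a line ending in ':'
    opens a stanza, 'key = value' lines belong to it, '*' lines are comments,
    a trailing backslash continues a value, surrounding quotes are removed."""
    stanzas, current, pending = {}, None, ""
    for raw in text.splitlines():
        line, pending = pending + raw.strip(), ""
        if not line or line.startswith("*"):
            continue
        if line.endswith("\\"):
            pending = line[:-1]
        elif line.endswith(":") and "=" not in line:
            current = line[:-1].strip()
            stanzas.setdefault(current, {})
        elif current is not None and "=" in line:
            key, _, value = line.partition("=")
            value = value.strip()
            if len(value) >= 2 and value[0] == value[-1] == '"':
                value = value[1:-1]
            stanzas[current][key.strip()] = value
    return stanzas


def check_audit_config(config_text, objects_text, events_text):
    """Return the problems found; an empty list means the three files agree.
    Users may only be given classes that exist, classes may only name events the
    events file defines, and object events must be in the events file as well
    (step d above), otherwise auditpr has no format string for them."""
    cfg = parse_stanzas(config_text)
    objects = parse_stanzas(objects_text)
    known = set(parse_stanzas(events_text).get("auditpr", {}))
    classes = cfg.get("classes", {})
    problems = []
    start = cfg.get("start", {})
    if start.get("binmode") != "on" and start.get("streammode") != "on":
        problems.append("start: neither binmode nor streammode is on")
    for user, value in cfg.get("users", {}).items():
        for cls in value.replace(" ", "").split(","):
            if cls != "ALL" and cls not in classes:  # ALL is an AIX keyword
                problems.append(f"users: {user} is assigned undefined class {cls}")
    for cls, value in classes.items():
        for event in value.replace(" ", "").split(","):
            if event not in known:
                problems.append(f"classes: {cls} names {event}, not defined in events")
    for path, modes in objects.items():
        for mode, event in modes.items():
            if mode not in ("r", "w", "x"):
                problems.append(f"objects: {path} has unknown access mode {mode}")
            if event not in known:
                problems.append(f"objects: {event} for {path} is not defined in events")
    return problems


if __name__ == "__main__":
    print(check_audit_config(CONFIG, OBJECTS, EVENTS) or "audit files are consistent")
    print(check_audit_config(BROKEN_CONFIG, OBJECTS, BROKEN_EVENTS))
```

To run it against a real system, read /etc/security/audit/config, objects and events into the three arguments instead of the constructed strings; the parser understands only the stanza shape these three files share, not the semantics of every attribute.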
II. syslog logging in AIX
1. /etc/syslog.conf
syslog output is commonly divided into system logs, security logs, job logs and so on. The rules in the AIX /etc/syslog.conf look like this (the examples are comments; note that AIX syslogd does not create the destination file, it must already exist, and the rotate options on a rule are an AIX extension; the HACMP/ES rules are added by the cluster software):
# example:
# "mail messages, at debug or higher, go to Log file. File must exist."
# "all facilities, at debug and higher, go to console"
# "all facilities, at crit or higher, go to all users"
# mail.debug        /usr/spool/mqueue/syslog
# *.debug           /dev/console
# *.crit            *
# *.debug           /tmp/syslog.out rotate size 100k files 4
# *.crit            /tmp/syslog.out rotate time 1d
# HACMP/ES for AIX Critical Messages
local0.crit         /dev/console
# HACMP/ES for AIX Informational Messages
local0.info         /usr/es/adm/cluster.log
# HACMP/ES for AIX Messages from Cluster Scripts
user.notice         /usr/es/adm/cluster.log
# HACMP/ES for AIX Messages from Cluster Daemons
daemon.notice       /usr/es/adm/cluster.log
By comparison, a typical Linux /etc/syslog.conf uses the same selector syntax (facility.priority, where the priority means that level or higher and .none excludes a facility); the authpriv facility and the /var/log/* paths below are Linux conventions and are not part of the AIX file. The meaning of each rule:
# Log all kernel messages to the console.
# Logging much else clutters up the screen.
#kern.*                                                 /dev/console        (kernel messages; commented out here)
# Log anything (except mail) of level info or higher.
# Don't log private authentication messages!
*.info;mail.none;news.none;authpriv.none;cron.none      /var/log/messages   (everything at info or higher, except the excluded facilities)
# The authpriv file has restricted access.
authpriv.*                                              /var/log/secure     (private authentication messages; the file is readable by root only)
# Log all the mail messages in one place.
mail.*                                                  -/var/log/maillog   (all mail messages; the leading - means the file is not synced after each write)
# Log cron stuff
cron.*                                                  /var/log/cron       (scheduled-job messages)
# Everybody gets emergency messages
*.emerg                                                 *                   (emergency messages go to every logged-in user)
# Save news errors of level crit and higher in a special file.
uucp,news.crit                                          /var/log/spooler    (UUCP and news messages at crit or higher)
# Save boot messages also to boot.log
local7.*                                                /var/log/boot.log   (local7 is reserved for local use; here the boot scripts log to it)
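The selector rules above are easy to misread, in particular how "info or higher" combines with the ".none" exclusions on the same line. The following added example (not from the original post) resolves where a message goes under a constructed rule set built from the Linux rules above plus two AIX-style lines whose action carries a rotate option, so the same code reads both files; facility and priority names are the standard syslog ones.

```python
"""Resolve which destinations receive a syslog message under syslog.conf rules.

Added example, not from the original post. CONF is constructed from the Linux
rules listed above plus two AIX-style lines whose action carries a rotate
option. It implements the selector semantics of syslog.conf: facility.priority
means that priority or higher, '*' is any facility or priority, '.none' drops a
facility, and selectors joined by ';' are applied left to right, the last one
that names the message's facility winning.
"""
PRIORITIES = ["debug", "info", "notice", "warning", "err", "crit", "alert", "emerg"]
ALIASES = {"warn": "warning", "error": "err", "panic": "emerg"}

CONF = """\
# AIX-style lines: the action is the first word, the rest is an AIX rotate option
*.crit          /tmp/syslog.out rotate time 1d
local0.crit     /dev/console
# Linux-style lines from the listing above
*.info;mail.none;news.none;authpriv.none;cron.none   /var/log/messages
authpriv.*      /var/log/secure
mail.*          -/var/log/maillog
cron.*          /var/log/cron
*.emerg         *
uucp,news.crit  /var/log/spooler
"""


def level(name):
    """Numeric rank of a priority name (aliases such as warn/error/panic accepted)."""
    return PRIORITIES.index(ALIASES.get(name, name))


def parse_conf(text):
    """Return [(selectors, action, options)]; selectors is a list of
    (facilities, minimum) where facilities is a set of names or '*' and minimum
    is a priority rank, or None for '.none'. A leading '-' on a Linux file
    action only disables fsync and is stripped from the returned action."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        selector_text, action_text = line.split(None, 1)
        action, _, options = action_text.strip().partition(" ")
        selectors = []
        for part in selector_text.split(";"):
            facs, _, prio = part.rpartition(".")
            facilities = "*" if facs == "*" else set(facs.split(","))
            minimum = None if prio == "none" else (0 if prio == "*" else level(prio))
            selectors.append((facilities, minimum))
        rules.append((selectors, action.lstrip("-"), options.strip()))
    return rules


def destinations(rules, facility, priority):
    """Actions (file, device, or '*' for all logged-in users) that receive a
    message of the given facility and priority, in rule order."""
    rank = level(priority)
    out = []
    for selectors, action, _ in rules:
        matched = False
        for facilities, minimum in selectors:
            if facilities == "*" or facility in facilities:
                # a later selector for the same facility overrides an earlier one
                matched = minimum is not None and rank >= minimum
        if matched:
            out.append(action)
    return out


if __name__ == "__main__":
    rules = parse_conf(CONF)
    for fac, pri in (("authpriv", "info"), ("mail", "debug"), ("kern", "emerg"), ("local0", "crit")):
        print(f"{fac}.{pri:<6} -> {destinations(rules, fac, pri)}")
```

The point to notice is that authpriv.info and mail.debug never reach /var/log/messages even though "*.info" alone would send them there: the ".none" entry on the same line is evaluated afterwards and removes the facility again.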
2. What each log file contains
(The paths in this list are the Linux ones; on AIX each facility goes wherever /etc/syslog.conf directs it.)
System boot log: /var/log/boot.log
Kernel messages from boot: /var/log/dmesg, for example:
kjournald starting. Commit interval 5 seconds
EXT3 FS on sda1, internal journal
EXT3-fs: mounted filesystem with ordered data mode.
Adding 4184892k swap on /dev/sda5. Priority:-1 extents:1 across:4184892k
General system messages: /var/log/messages (errors and status reported by the kernel and daemons), for example:
Jan 8 22:16:17 localhost dhclient: DHCPACK from 192.168.44.254
Jan 8 22:16:17 localhost dhclient: bound to 192.168.44.131 -- renewal in 877 seconds.
Jan 8 22:32:00 localhost dhclient: DHCPREQUEST on eth0 to 192.168.44.254 port 67
Mail system log: /var/log/maillog
FTP transfer log: /var/log/xferlog
Security information, logins and network connections: /var/log/secure (records connections from ftp, sshd and similar services; each record carries the date and time (Jan 8 23:25:12), the subject (host name), the object type (sshd), the operation (pam_unix(sshd:session):) and the result (session opened for user root by (uid=0))), for example:
Jan 8 23:25:12 localhost sshd[19140]: Accepted password for root from 192.168.44.1 port 51992 ssh2
Jan 8 23:25:12 localhost sshd[19140]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan 9 00:14:00 localhost sshd[19140]: pam_unix(sshd:session): session closed for user root
Jan 9 00:14:18 localhost sshd[10355]: Accepted password for root from 192.168.44.1 port 52968 ssh2
Jan 9 00:14:18 localhost sshd[10355]: pam_unix(sshd:session): session opened for user root by (uid=0)
Login records: /var/log/wtmp, a binary file recording every login and logout; read it with last, or with who -u /var/log/wtmp
News log: /var/log/spooler
RPM package log: /var/log/rpmpkgs
XFree86 log: /var/log/XFree86.0.log
cron (scheduled job) log: /var/log/cron
/var/run/utmp records the users currently logged in.
/var/log/wtmp records all logins and logouts.
/var/log/lastlog records each user's last login.
/var/log/btmp records failed login attempts.
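The field breakdown given for /var/log/secure (date and time, subject, object, operation, result) can be applied mechanically, which is what turns the file from something to read into something to alert on. The following added example, not from the original post, parses sshd lines into those fields and runs two simple checks over them: accepted password logins as root, and repeated password failures from one source. The log lines are constructed: the first five reproduce the lines shown above with syslog's usual two spaces before a single-digit day, the last two are failure lines in OpenSSH's wording; host name, addresses and user names are sample values.

```python
"""Extract the audit fields named above from /var/log/secure sshd lines.

Added example, not from the original post. LOG_LINES are constructed: the first
five are the sshd lines shown on this page (with syslog's two spaces before a
single-digit day), the last two are failure lines in the same OpenSSH wording;
host name, addresses and user names are sample values.
"""
import re
from collections import Counter

LOG_LINES = """\
Jan  8 23:25:12 localhost sshd[19140]: Accepted password for root from 192.168.44.1 port 51992 ssh2
Jan  8 23:25:12 localhost sshd[19140]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan  9 00:14:00 localhost sshd[19140]: pam_unix(sshd:session): session closed for user root
Jan  9 00:14:18 localhost sshd[10355]: Accepted password for root from 192.168.44.1 port 52968 ssh2
Jan  9 00:14:18 localhost sshd[10355]: pam_unix(sshd:session): session opened for user root by (uid=0)
Jan  9 00:15:02 localhost sshd[10402]: Failed password for root from 192.168.44.77 port 40110 ssh2
Jan  9 00:15:05 localhost sshd[10402]: Failed password for root from 192.168.44.77 port 40110 ssh2
""".splitlines()

# Syslog envelope: timestamp, host (the subject), program[pid] (the object), message.
SYSLOG_RE = re.compile(
    r"^(?P<time>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"(?P<prog>[\w.-]+)(?:\[(?P<pid>\d+)\])?: (?P<msg>.*)$")
# OpenSSH authentication outcome and PAM session lines.
AUTH_RE = re.compile(
    r"^(?P<result>Accepted|Failed) (?P<method>\S+) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port (?P<port>\d+)")
SESSION_RE = re.compile(
    r"^pam_unix\(sshd:session\): session (?P<state>opened|closed) for user (?P<user>\S+)")


def parse_line(line):
    """Return the fields listed above (time, subject, object, operation, result)
    plus user and source address, or None for a line that is not syslog format."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    rec = {"time": m["time"], "subject": m["host"], "object": m["prog"],
           "pid": m["pid"], "operation": m["msg"], "result": None,
           "user": None, "src": None}
    auth = AUTH_RE.match(m["msg"])
    session = SESSION_RE.match(m["msg"])
    if auth:
        rec.update(operation=f"{auth['method']} authentication",
                   result=auth["result"].lower(), user=auth["user"], src=auth["src"])
    elif session:
        rec.update(operation="session", result=session["state"], user=session["user"])
    return rec


def parse_log(lines):
    """Parse every line, dropping the ones that are not syslog records."""
    return [rec for rec in (parse_line(line) for line in lines) if rec]


def root_password_logins(records):
    """(source, time) of each accepted password login as root: something that
    should never appear on a host where sshd has PermitRootLogin and
    PasswordAuthentication disabled."""
    return [(r["src"], r["time"]) for r in records
            if r["object"] == "sshd" and r["user"] == "root"
            and r["operation"] == "password authentication" and r["result"] == "accepted"]


def failed_passwords_by_source(records, threshold=2):
    """Sources with at least `threshold` failed password attempts."""
    counts = Counter(r["src"] for r in records
                     if r["operation"] == "password authentication" and r["result"] == "failed")
    return {src: n for src, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    recs = parse_log(LOG_LINES)
    print("root password logins:", root_password_logins(recs))
    print("failed passwords by source:", failed_passwords_by_source(recs))
```

The same parser applies to the other /var/log/secure producers (login, su, ftp) once a message pattern for each is added beside AUTH_RE and SESSION_RE; the envelope regex already handles programs that log without a pid, such as the dhclient lines above.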
In summary:
audit records all security-related system events, including important user actions (the users stanza) and the use of important system functions (events and objects); whether it can also audit abnormal use of system resources is an open question, since the classes above record actions and file accesses rather than resource consumption.
syslog records information of every kind, runtime as well as security, and likewise captures important user actions.
From the ITPUB blog, link: http://blog.itpub.net/28673746/viewspace-1152215/. Please credit the source when reproducing; the author reserves the right to pursue unattributed copies.