只能记录不能限制违反的行为
通常对命令、目录、文件做审计
介绍
基于事先配置的规则生成日志,记录可能发生在系统上的事件
审计不会为系统提供额外的安全保护(只记录、不阻止),但它会发现并记录违反安全策略的人及其对应的行为。审计日志本身也是攻击目标:应限制 /var/log/audit 的访问权限,重要环境建议同时把日志转发到远端日志服务器,否则攻击者取得 root 后可以篡改或清空本机记录。
审计能够记录的日志内容:
- 日期与事件、事件结果
- 触发事件的用户
- 所有认证机制的使用都可以被记录,如ssh等
- 对关键数据文件的修改行为等
监控文件的访问
监控系统调用
记录用户运行的命令
审计可以监控网络访问行为
ausearch工具,可以根据条件过滤审计日志
aureport工具,可以生成审计报告
RHEL7自带了audit软件
[root@host53 ~]# yum -y install audit #auditd、auditctl、ausearch、aureport 等命令由 audit 包提供,audit-libs 只提供库文件
[root@host53 ~]# grep -n "log_file" /etc/audit/auditd.conf
7:log_file = /var/log/audit/audit.log #日志文件
12:max_log_file = 8 #单个日志文件上限(MB)
19:max_log_file_action = ROTATE #达到上限后轮转;轮转最终会丢弃最旧的日志,重要环境建议同时把审计日志转发到远端
[root@host53 ~]# wc -l /var/log/audit/audit.log
20881 /var/log/audit/audit.log
[root@host53 ~]# systemctl start auditd
[root@host53 ~]# systemctl status auditd
[root@host53 ~]# auditctl --help
[root@host53 ~]# auditctl -l #查看规则
No rules
[root@host53 ~]# auditctl -s #查询状态(enabled、pid、backlog 等)
命令行定义规则(临时)
格式:auditctl -w path -p permission(rwxa) -k key_name  #-w 为文件/目录监视规则;要审计系统调用则用 -a always,exit -S 系统调用名 的形式
path为需审计的文件或目录
权限可以是r,w,x,a(a:文件或目录的属性发生变化)
key_name 为可选项,方便识别哪些规则生成特定的日志项
[root@host53 ~]# auditctl -w /etc/passwd -p wa -k plj_passwd #被审计目标为 /etc/passwd,对它的写和属性修改操作都会记录到审计日志,key 为 plj_passwd
[root@host53 ~]# auditctl -w /etc/selinux -p wa -k plj_selinux #监控整个目录
[root@host53 ~]# auditctl -w /usr/sbin/fdisk -p x -k plj_fdisk #监控 fdisk 程序的执行
[root@host53 ~]# auditctl -l #查看规则
-w /etc/passwd -p wa -k plj_passwd
-w /etc/selinux -p wa -k plj_selinux
-w /usr/sbin/fdisk -p x -k plj_fdisk
注意:只盯 /etc/passwd 并不够,/etc/shadow、/etc/group、/etc/sudoers、/etc/ssh/sshd_config 等同样是值得加入监控的敏感文件。
配置永久规则(系统重启依然有效)
[root@host53 ~]# vim /etc/audit/rules.d/audit.rules
-w /etc/passwd -p wa -k plj_passwd
-w /etc/selinux -p wa -k plj_selinux
-w /usr/sbin/fdisk -p x -k plj_fdisk
#规则文件中每条规则单独一行;保存后执行 augenrules --load(或重启 auditd)使之生效
[root@host53 ~]# ls /usr/share/doc/audit-2.7.6/rules/ #系统提供的参考模板
type为类型
msg=audit(time_stamp:ID),time_stamp 为秒级时间戳(即 date +%s 的值),ID 为事件序号,同一事件的多条记录共享同一个 ID
arch=c000003e,代表x86_64(16进制)
success=yes/no,事件是否成功
a0-a3 是系统调用的前4个参数(16进制)
ppid 父进程ID,如bash;pid 进程ID,如cat命令
auid 是审计用户ID(登录时设置的 loginuid),执行 su - test 切换身份后依然记录 su 前的登录账户,因此可以追溯到真实操作者
uid,gid用户和组
tty:从哪个终端执行的命令
comm="cat" 用户在命令行执行的指令
exe="/bin/cat" #实际程序的路径
key="sshd_config" #管理员定义的策略关键字key
type=CWD #用来记录当前工作目录
--cwd="/home/username"
type=PATH
--ouid(owner's user id) 对象所有者的 uid
--ogid(owner's group id) 对象所属组的 gid
[root@host53 ~]# ausearch -k plj_passwd #搜索日志(可加-i交互式操作)
[root@host53 ~]# fdisk -l
[root@host53 ~]# useradd kenji0
[root@host53 ~]# ausearch -k plj_passwd
[root@host53 ~]# ausearch -k plj_fdisk
time 日志生成时间
comm 命令名
exe 命令的绝对路径
uid 用户名
exit 返回值0为成功
nginx(php)
tomcat(java)
新虚拟机做实验
[root@host50 ~]# yum -y install gcc pcre-devel openssl-devel zlib-devel
[root@host50 ~]# tar -xf nginx-1.12.2.tar.gz [root@host50 nginx-1.12.2]# cd nginx-1.12.2/ [root@host50 nginx-1.12.2]# ./configure [root@host50 nginx-1.12.2]# make && make install #编译安装 [root@host50 nginx-1.12.2]# echo BBBB > /usr/local/nginx/html/b.html #编写网站 [root@host50 nginx-1.12.2]# echo CCCC > /usr/local/nginx/html/c.html [root@host50 nginx-1.12.2]# echo DDDDD > /usr/local/nginx/html/d.html [root@host50 nginx-1.12.2]# /usr/local/nginx/sbin/nginx #启动服务 其他客户机访问192.168.4.50/b.html /c.html /d.html #查看网页是否正常[root@host50 nginx-1.12.2]# ./configure --help | grep -i without #不支持(禁用模块)
[root@host50 nginx-1.12.2]# ./configure --help | grep -i with #--with-xxx 表示编译时加载该模块
[root@host50 nginx-1.12.2]# vim /usr/local/nginx/conf/nginx.conf
server {
autoindex on; #开启目录列表:访问没有 index 文件的目录时会列出目录下所有文件名,生产环境应关闭
listen 80;
server_name localhost;
[root@host50 nginx-1.12.2]# /usr/local/nginx/sbin/nginx -t
[root@host50 nginx-1.12.2]# /usr/local/nginx/sbin/nginx -s stop
[root@host50 nginx-1.12.2]# /usr/local/nginx/sbin/nginx
[root@host50 nginx-1.12.2]# mkdir /usr/local/nginx/html/game
[root@host50 nginx-1.12.2]# echo "afafa" > /usr/local/nginx/html/game/a.html
[root@host50 nginx-1.12.2]# echo "xxxxx" > /usr/local/nginx/html/game/b.html
此时访问 /game/ 目录,就会列出该目录下的所有网页文件(信息泄露)
[root@host50 nginx-1.12.2]# /usr/local/nginx/sbin/nginx -s stop
[root@host50 nginx-1.12.2]# ./configure --help | grep -i auto
--without-http_autoindex_module disable ngx_http_autoindex_module
[root@host50 nginx-1.12.2]# ./configure --without-http_autoindex_module
[root@host50 nginx-1.12.2]# make && make install
[root@host50 nginx-1.12.2]# /usr/local/nginx/sbin/nginx
nginx: [emerg] unknown directive "autoindex" in /usr/local/nginx/conf/nginx.conf:36 #此时服务起不来,报错未知指令 autoindex(编译时已禁用该模块)
[root@host50 nginx-1.12.2]# vim /usr/local/nginx/conf/nginx.conf
server {
#autoindex on; #需把此项注释或删掉才能启动服务
listen 80;
server_name localhost;
[root@host50 nginx-1.12.2]# /usr/local/nginx/sbin/nginx
再访问 /game/ 目录时不再列出文件(目录本身返回 403),但目录下的网页文件仍可凭文件名直接访问
[root@host50 nginx-1.12.2]# curl -I(大写i) http://192.168.4.50/
HTTP/1.1 200 OK Server: nginx/1.12.2 Date: Wed, 29 May 2019 07:50:44 GMT Content-Type: text/html Content-Length: 7 Last-Modified: Wed, 29 May 2019 07:19:15 GMT Connection: keep-alive ETag: "5cee3273-7" Accept-Ranges: bytes[root@host50 nginx-1.12.2]# /usr/local/nginx/sbin/nginx -s stop
[root@host50 nginx-1.12.2]# vim +48 src/http/ngx_http_header_filter_module.c
static u_char ngx_http_server_string[] = "Server: IIS" CRLF;
static u_char ngx_http_server_full_string[] = "Server: IIS" CRLF;
static u_char ngx_http_server_build_string[] = "Server: IIS" CRLF;
[root@host50 nginx-1.12.2]# ./configure --without-http_autoindex_module && make && make install
注意:改 Server 头只是混淆,攻击者仍可通过报错页面、响应行为等指纹识别出 nginx,它不能替代及时升级修补。
[root@host50 nginx-1.12.2]# /usr/local/nginx/sbin/nginx 客户机再访问[root@host50 nginx-1.12.2]# curl -I http://192.168.4.50/
HTTP/1.1 200 OK Server: IIS Date: Wed, 29 May 2019 08:00:15 GMT Content-Type: text/html Content-Length: 7 Last-Modified: Wed, 29 May 2019 07:19:15 GMT Connection: keep-alive ETag: "5cee3273-7" Accept-Ranges: bytes
[root@host50 nginx-1.12.2]# vim /usr/local/nginx/conf/nginx.conf
server {
#autoindex on;
listen 80;
server_name localhost;
server_tokens off; #隐藏版本号,报错页面也不显示(仅隐藏版本,不修复漏洞)
#charset koi8-r;
[root@host501 nginx-1.12.2]# /usr/local/nginx/sbin/nginx -s reload
[root@host501 nginx-1.12.2]# curl http://192.168.4.50/abc #查看 404 页面是否还带版本号
语法:limit_req_zone key zone=name:size rate=rate;
[root@host50 nginx-1.12.2]# ./configure --help | grep -i limit
--without-http_limit_conn_module disable ngx_http_limit_conn_module --without-http_limit_req_module disable ngx_http_limit_req_module --without-stream_limit_conn_module disable ngx_stream_limit_conn_module[root@host50 nginx-1.12.2]# vim /usr/local/nginx/conf/nginx.conf
http {
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; #以客户端 IP 为 key,每秒只处理一个请求
......
server {
#autoindex on;
limit_req zone=one burst=5; #超出速率的请求最多排队 5 个
[root@host50 nginx-1.12.2]# /usr/local/nginx/sbin/nginx -t
[root@host50 nginx-1.12.2]# /usr/local/nginx/sbin/nginx -s reload
limit_req_zone 把客户端 IP 的状态存到名为 one 的共享内存区,空间为 10M
1M 大约可存 8 千个 IP 的状态,10M 约 8 万个
每秒仅处理 1 个请求,多余的请求进入漏斗(burst 队列)排队延迟处理;加 nodelay 参数则 burst 内的请求立即处理而不延后
超过漏斗容量(5 个)的请求被直接拒绝,默认返回 503(可用 limit_req_status 修改);按 IP 限速会误伤 NAT 后面的大量用户,rate 和 burst 需按业务调整
真机测试并发
[root@root ~]# ab -c 10 -n 10 http://192.168.4.50/
Server Software: IIS
Server Hostname: 192.168.4.50 Server Port: 80Document Path: /
Document Length: 7 bytesConcurrency Level: 10
Time taken for tests: 5.002 seconds Complete requests: 10Failed requests: 4 #处理失败次数[root@root ~]# ab -c 100 -n 100 http://192.168.4.50/
Failed requests: 94
常见HTTP请求方法:GET、POST、HEAD、PUT、DELETE、OPTIONS、TRACE 等,业务用不到的方法应禁用
[root@host50 nginx-1.12.2]# /usr/local/nginx/sbin/nginx -s stop
[root@host50 nginx-1.12.2]# vim /usr/local/nginx/conf/nginx.conf
server {
#autoindex on;
limit_req zone=one burst=5;
listen 80;
server_name localhost;
server_tokens off;
if ($request_method !~ ^(GET|POST)$) { return 444; } #禁用其他方法,仅允许 GET|POST;444 是 nginx 特有的状态码,表示直接断开连接、不返回响应
注意:这样也会拦掉 HEAD 和 OPTIONS,若有监控探测或前端跨域预检依赖这些方法,需把它们加入白名单。
[root@host501 nginx-1.12.2]# /usr/local/nginx/sbin/nginx
[root@root ~]# curl -i -X HEAD http://192.168.4.50
curl: (52) Empty reply from server [root@root ~]# curl -i -X GET http://192.168.4.50 HTTP/1.1 200 OK Server: IIS Date: Wed, 29 May 2019 09:03:16 GMT Content-Type: text/html Content-Length: 7 Last-Modified: Wed, 29 May 2019 07:19:15 GMT Connection: keep-alive ETag: "5cee3273-7" Accept-Ranges: bytes
防止客户端请求数据溢出
有效降低机器 DoS 攻击风险
[root@host50 ~]# vim /usr/local/nginx/conf/nginx.conf
http {
client_body_buffer_size 1K; #请求体缓冲区
client_header_buffer_size 1K; #请求头缓冲区
client_max_body_size 16K; #请求体上限,超过返回 413;有文件上传的业务需按需调大
large_client_header_buffers 4 4K; #超大请求头的缓冲区个数和大小
...
}
Mariadb
[root@host50 nginx-1.12.2]# yum -y install mariadb mariadb-server #mariadb 提供管理命令,mariadb-server 提供服务
[root@host50 nginx-1.12.2]# systemctl start mariadb
[root@host50 nginx-1.12.2]# netstat -nutlpa | grep 3306
tcp 0 0 0.0.0.0:3306 0.0.0.0:* LISTEN 14942/mysqld #默认监听所有网卡;若只需本机访问,应在配置中设置 bind-address=127.0.0.1
[root@host501 nginx-1.12.2]# mysql
MariaDB [(none)]> show grants;
+---------------------------------------------------------------------+
| Grants for root@localhost                                           |
+---------------------------------------------------------------------+
| GRANT ALL PRIVILEGES ON *.* TO 'root'@'localhost' WITH GRANT OPTION |
| GRANT PROXY ON ''@'' TO 'root'@'localhost' WITH GRANT OPTION        |
+---------------------------------------------------------------------+
2 rows in set (0.00 sec)
缺点:管理员账户 root 没有密码,本机任何用户都能以 root 身份登录数据库
[root@host50 nginx-1.12.2]# mysql_secure_installation #初始化设置
Enter current password for root (enter for none): #提示输入 root 当前密码,无则回车
Set root password? [Y/n] Y #设置 root 密码
New password: #mysql_secure_installation 不检查密码强度,但仍应使用强口令
Re-enter new password: #再次输入
Remove anonymous users? [Y/n] Y #删除匿名用户
Disallow root login remotely? [Y/n] Y #禁止 root 远程登录
Remove test database and access to it? [Y/n] Y #删除测试数据库
Reload privilege tables now? [Y/n] Y #刷新权限
[root@host501 nginx-1.12.2]# mysql -uroot -p #此时需密码登录(示例中设置的是 123456);密码不要直接跟在 -p 后面,否则会留在 shell 历史里并能被 ps 看到
命令行下改密码
[root@host50 nginx-1.12.2]# mysqladmin -uroot -p password #按提示输入旧密码和新密码;把密码写在命令行(如 -p123456 password 654321)会进入 shell 历史和进程列表
数据库内改密码
MariaDB [(none)]> set password for root@'localhost'=password('123456');
MariaDB [(none)]> select user,host,password from mysql.user; #password 列存的是哈希,不是明文
早期版本的 binlog 会记录这类语句中的明文密码(5.6 版本后已修复),升级前应注意日志文件的访问权限
cat .bash_history
[root@host50 ~]# ls .mysql_history
.mysql_history
[root@host50 ~]# rm -rf .mysql_history #删掉历史只是一次性的;更彻底的做法是 ln -s /dev/null ~/.mysql_history 或设置 MYSQL_HISTFILE=/dev/null,让客户端不再记录
管理好自己的历史记录,不使用明文登陆,选择合适的版本
日志,行为审计
防火墙从TCP层设置ACL(禁止外网接触数据库)
备份
[root@host50 ~]# mysqldump -uroot -p123456 mysql table > table.sql #备份单表
[root@host50 ~]# mysqldump -uroot -p123456 mysql > mysql.sql #备份单库
[root@host50 ~]# mysqldump -uroot -p123456 -A > all.sql #备份所有库;备份文件含全部数据和 mysql.user 中的口令哈希,应 chmod 600 并妥善保管
还原
[root@host50 ~]# mysql -uroot -p123456 mydb < table.sql #还原表
[root@host50 ~]# mysql -uroot -p123456 mydb < mysql.sql #还原库 [root@host50 ~]# mysql -uroot -p123456 mydb < all.sql #还原所有
mysql 协议默认不加密传输:登录握手虽是挑战应答,但之后的 SQL 语句和查询结果(例如 select * from mysql.user 返回的口令哈希)在网络上都是明文
即使 web 与用户之间用了 HTTPS,web 脚本到数据库这一段仍可能是明文,需要单独加密
创建可以远程登陆的账户
grant all on *.* to tom@"%" identified by "123456"; #仅用于演示抓包:生产环境不要给 % 主机授予 all on *.*,应按库/表和来源 IP 最小授权
使用tcpdump抓包
tcpdump -w log -i eth0 src or dst port 3306
客户端远程登陆数据库,查看抓包数据
mysql -utom -p123456 -h 192.168.4.50
select * from mysql.user;
]# tcpdump -A -r log #-A 以 ASCII 打印包内容,可看到明文的 SQL 和结果
解决:使用 SSL(服务端配置 ssl-ca/ssl-cert/ssl-key,账户加 REQUIRE SSL)或 SSH 隧道加密数据传输
装java包
tar -xf apache-tomcat-8.0.30.tar.gz
rpm -qa | grep jdk
java -version
mv apache-tomcat-8.0.30/ /usr/local/tmocat
cd /usr/local/tmocat/webapps/
echo "YaYa " > ROOT/a.html
/usr/local/tmocat/bin/startup.sh
netstat -nutlpa | grep 8080
[root@root ~]# curl -I http://192.168.4.50:8080/a.html
HTTP/1.1 200 OK Server: Apache-Coyote/1.1 Accept-Ranges: bytes ETag: W/"6-1559123995000" Last-Modified: Wed, 29 May 2019 09:59:55 GMT Content-Type: text/html Content-Length: 6 Date: Thu, 30 May 2019 01:23:04 GMT
[root@host50 ~]# /usr/local/tmocat/bin/shutdown.sh
[root@host50 ~]# yum -y install java-1.8.0-openjdk-devel #提供 jar 命令
[root@host50 tmocat]# cd /usr/local/tmocat/lib/
[root@host50 lib]# jar -xf catalina.jar
[root@host50 lib]# ls
META-INF org
[root@host50 lib]# vim +64 org/apache/catalina/util/ServerInfo.properties
server.info=Apache
server.number=1.12.0
server.built=Dec 1 2015 22:30:46 UTC
#这里改的是 Tomcat 报错页面等处显示的版本信息;响应头里的 Server 由下面 Connector 的 server 属性决定。两者都只是混淆,不能替代升级修补
[root@host50 lib]# vim +71 /usr/local/tmocat/conf/server.xml
<Connector port="8080" protocol="HTTP/1.1"
connectionTimeout="20000" redirectPort="8443" server="Apache" /> #server 属性覆盖响应头中的 Server 值
[root@host50 lib]# /usr/local/tmocat/bin/startup.sh
[root@host50 lib]# netstat -nutlpa | grep 8080
[root@host50 lib]# curl -I http://192.168.4.50:8080
HTTP/1.1 200 OK Content-Type: text/html;charset=UTF-8 Transfer-Encoding: chunked Date: Thu, 30 May 2019 01:41:46 GMT Server: Apache[root@host50 lib]# curl -I http://192.168.4.50:8080/abc.html
HTTP/1.1 404 Not Found Content-Type: text/html;charset=utf-8 Content-Language: en Content-Length: 982 Date: Thu, 30 May 2019 01:42:04 GMT Server: Apache [root@host50 ~]# curl http://192.168.4.50:8080/a2.html
[root@host50 ~]# ps aux | grep -i java #root启的进程,该进程的所有者为root
root 15188 0.3 7.5 2297008 77124 ? Sl 09:19 0:05 /usr/bin/java -Djava.util.logging.config.file=/usr/local/tomcat/conf/logging.properties -Djava.util.logging.manager=org.apache.juli.ClassLoaderLogManager -Djava.endorsed.dirs=/usr/local/tomcat/endorsed -classpath /usr/local/tomcat/bin/bootstrap.jar:/usr/local/tomcat/bin/tomcat-juli.jar -Dcatalina.base=/usr/local/tomcat -Dcatalina.home=/usr/local/tomcat -Djava.io.tmpdir=/usr/local/tomcat/temp org.apache.catalina.startup.Bootstrap start[root@host50 lib]# /usr/local/tmocat/bin/shutdown.sh
[root@host50 lib]# ps aux | grep java #tomcat的进程名是java端口8080
[root@host50 lib]# netstat -nutlpa | grep 8080
[root@host50 lib]# useradd tomcat #服务账户建议用 useradd -r -s /sbin/nologin 创建,启动时改用 su -s /bin/bash -c "..." tomcat
[root@host50 lib]# chown -R tomcat:tomcat /usr/local/tmocat/ #更细的做法:目录仍归 root,只把 logs、temp、work、webapps 交给 tomcat 写,避免服务账户能改自己的 conf 和 bin
[root@host50 lib]# su - -c "/usr/local/tmocat/bin/startup.sh" tomcat #使用 tomcat 用户启服务,进程不再以 root 运行
[root@host50 lib]# netstat -nutlpa | grep 8080
[root@host50 lib]# ps aux | grep java
tomcat 28737 3.9 7.3 2297008 74388 ? Sl 09:56 0:02 //bin/java -具体命令
开机启动
[root@host50 lib]# chmod +x /etc/rc.local
[root@host50 lib]# vim /etc/rc.local
su - -c "/usr/local/tmocat/bin/startup.sh" tomcat
[root@host50 webapps]# rm -rf /usr/local/tmocat/webapps/* #删除自带的 ROOT、docs、examples、manager、host-manager 等默认应用,减少攻击面;部署自己的应用前先清空
diff逐行比较,告诉我们怎么修改第一个文件后能得到第二个文件
选项
-u 输出统一内容的头部信息(打补丁使用)
-r 递归对比目录中的所有资源(可以对比目录)
-a 所有文件视为文本(包括二进制程序)
-N 无文件视为空文件(空文件怎么变成第二个文件)
A目录下没有txt文件,B目录下有txt文件
diff比较两个目录时,默认会提示txt仅在B目录有(无法根据补丁修复A缺失的文件)
diff比较时使用N选项,则diff会拿B下的txt与A下的空文件对比
补丁信息会明确说明如何从空文件修复后变成txt文件,打补丁即可成功
A]#
[root@host50 ~]# mkdir /code ; cd /code
[root@host50 code]# vim instalpc.sh
#!/bin/bash
echo "Hello World"
B]#
[root@host53 ~]# mkdir /code
A]#
[root@host50 code]# scp instalpc.sh root@192.168.4.53:/code
B]#
[root@host53 code]# cat instalpc.sh
A]#
[root@host50 code]# cp instalpc.sh instalpc_1.sh
[root@host50 code]# vim instalpc_1.sh
#!/bin/bash
echo "Hello World"
echo "Hello World"
echo "Hello World"
echo "Hello World"
[root@host50 code]# diff -u instalpc.sh instalpc_1.sh #比较差异,仅输出到屏幕
[root@host50 code]# diff -u instalpc.sh instalpc_1.sh > instalpc.patch #生成补丁文件
root@host50 ~]# mkdir /demo [root@host50 ~]# cd /demo [root@host50 demo]# mkdir {source1,source2} [root@host50 demo]# ls source1 source2 [root@host50 demo]# echo "hello word " > source1/test.sh [root@host50 demo]# echo "Hello The Word " > source2/test.sh [root@host50 demo]# echo "Test " > source2/tmp.txt [root@host50 demo]# cp /bin/find source1/ [root@host50 demo]# cp /bin/find source2/ [root@host50 demo]# echo 1 > source2/find [root@host50 demo]# scp source1/* root@192.168.4.53:/demo/source1/
B]#
[root@host53 code]# mkdir -p /demo/source1
[root@host53 code]# ls /demo/source1A]#
[root@host50 demo]# ls source1
find test.sh [root@host50 demo]# ls source2 find test.sh tmp.txt [root@host50 demo]# diff -uraN /demo/source1 /demo/source2 [root@host50 demo]# diff -uraN /demo/source1 /demo/source2 > /root/all.patch[root@host50 demo]# cat /root/all.patch
[root@host50 demo]# scp /root/all.patch root@192.168.4.53:/tmp/B]#
[root@host53 source1]# ls /tmp
all.patch
打补丁格式:patch -p数字 < 补丁文件  #-pN 去掉补丁中路径的前 N 级目录,使其与当前目录对应
撤销补丁:patch -RE < 补丁文件
[root@host53 source1]# yum -y install patch
[root@host53 source1]# patch --dry-run -p3 < /tmp/all.patch #先试运行,确认补丁来源可信且能干净应用;/tmp 是任何用户都可写的目录,以 root 应用前应核对补丁内容或校验和
[root@host53 source1]# patch -p3 < /tmp/all.patch #/demo/source1/test.sh 去掉 3 级前缀后为 test.sh
patching file find
patching file test.sh
patching file tmp.txt
[root@host53 source1]# ls
find test.sh tmp.txt [root@host53 source1]# cat tmp.txt[root@host53 source1]# cat test.sh
[root@host53 source1]# patch -RE < /tmp/all.patch #要在被打补丁的目录(这里是 source1)下执行才能撤销;-R 反向应用,-E 删除打补丁后变为空的文件
[root@host53 source1]# ls find test.sh