1. Install Go
wget https://storage.googleapis.com/golang/go1.4.3.linux-amd64.tar.gz
tar -C /usr/local -xzf go1.4.3.linux-amd64.tar.gz
export PATH=$PATH:/usr/local/go/bin
2. Install heka
Dependencies: cmake, protobuf, protobuf-c
git clone https://github.com/mozilla-services/heka
cd heka
source build.sh
ctest
make install
3. Modify /etc/rsyslog.conf
To forward the audit log to the heka server, add the following configuration (imfile tails /var/log/audit/audit.log, tags it, assigns facility local6, and the last line forwards everything on local6 to the collector):

$ModLoad imfile
$InputFileName /var/log/audit/audit.log
$InputFileTag tag_audit_log:
$InputFileStateFile audit_log
$InputFileSeverity info
$InputFileFacility local6
$InputRunFileMonitor

local6.* @10.1.1.1

Two caveats: a single @ forwards over UDP (port 514 by default), which can silently drop records when the collector or network is under load, so for audit data prefer TCP with @@10.1.1.1:514; and $InputFileStateFile is relative to $WorkDirectory, which must be set to a writable directory for imfile to remember its read position across restarts (otherwise the file is re-read from the start and events are duplicated).

Restart the service: service rsyslog restart
4. Configure audit rules
auditctl -a exit,always -F arch=b64 -S execve -k op_sec_cmd   # log every command execution (64-bit syscall); the syscall table is /usr/include/asm/unistd_64.h
auditctl -a exit,always -F arch=b32 -S execve -k op_sec_cmd   # the same for 32-bit binaries; see man auditctl for the available options
The default rule sets that ship with the package are under /usr/share/doc/audit-<version>/
Audit rules file (the -D/-b/-f syntax below is the audit.rules format, loaded with auditctl -R or when auditd starts):
-D                                                # flush all existing rules first
-b 8129                                           # kernel audit buffer size (number of outstanding audit buffers)
-f 2                                              # failure mode: 2 = kernel panic when auditing fails (e.g. backlog overflow); 1 (printk) is the safer choice for most hosts
-w /usr/bin/wget -p x -k op-sec-cmd-wget          # execution of wget
-w /bin/uname -p x -k op-sec-cmd-uname
-w /home/ -p x -k op-sec-home-execute             # anything executed from under /home
-w /tmp/ -p x -k op-sec-dir-tmp-cmd               # anything executed from under /tmp
-w /usr/bin/gcc -p x -k op-sec-cmd-gcc
-w /usr/bin/lsb_release -p x -k op-sec-cmd-lsb_release
-w /usr/bin/adduser -p x -k op-sec-cmd-adduser
-w /usr/bin/useradd -p x -k op-sec-cmd-useradd
-w /etc/shadow -p w -k op-sec-passwd-w            # writes to the shadow file
-w /usr/bin/ -p a -k op-sec-cmd-attrib            # attribute (ownership/permission) changes under /usr/bin
#-e 2   # make the configuration immutable: once set, rules cannot be changed again until reboot. Use with care.
Other reference rules
auditctl -a always,exit -F path=/etc/shadow -F perm=wa   # syscall-rule form of -w /etc/shadow -p wa
auditctl -w /etc/passwd -p rw -k op-sec-passwd-rw   # record reads of the password file; note that nearly every login and name lookup reads /etc/passwd, so a read watch here is very noisy
auditctl -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete   # file deletion/rename by real users. -F arch=b64 is added here because auditctl warns when syscall rules omit the architecture; 4294967295 (-1) is the unset loginuid of daemons, and auid>=500 assumes the old UID_MIN of 500 (use 1000 on distributions where regular users start at 1000)
5. Explanation of the audit log records
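To show what the execve rules above actually produce and what a collector has to do with it, here is an added example (not part of the original post, and not heka code): a POSIX sh/awk function that reads raw auditd records, pairs each EXECVE record with its SYSCALL record by the event serial in msg=audit(TIMESTAMP:SERIAL), decodes the hex-encoded arguments that auditd emits for any argument containing whitespace or non-printable characters, and prints one reconstructed command line per event with the loginuid, executable and rule key. The two sample events are constructed by hand to illustrate the record format; the URL, PIDs and serial numbers are invented.

```shell
#!/bin/sh
# Constructed sample of raw auditd output for two execve events caught by
# the "-S execve -k op_sec_cmd" rule (not real log data). The a2 of the
# second EXECVE is hex because "echo hello world" contains spaces.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1490000000.101:2001): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b a1=3c4d a2=5e6f a3=0 items=2 ppid=1200 pid=1201 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="wget" exe="/usr/bin/wget" key="op_sec_cmd"
type=EXECVE msg=audit(1490000000.101:2001): argc=2 a0="wget" a1="http://example.com/file"
type=SYSCALL msg=audit(1490000000.102:2002): arch=c000003e syscall=59 success=yes exit=0 a0=1a2b a1=3c4d a2=5e6f a3=0 items=2 ppid=1200 pid=1202 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="sh" exe="/bin/dash" key="op_sec_cmd"
type=EXECVE msg=audit(1490000000.102:2002): argc=3 a0="sh" a1="-c" a2=6563686F2068656C6C6F20776F726C64'

# Read raw audit records on stdin; print "id=... auid=... exe=... key=... cmd=..."
# for every event that carries an EXECVE record, in order of first appearance.
audit_execve_cmds() {
  awk '
  BEGIN { hexd = "0123456789ABCDEF" }
  # auditd hex-encodes an argument (no surrounding quotes) when it holds
  # whitespace or non-printable bytes; turn the hex pairs back into bytes.
  function unhex(h,   out, i, hi, lo) {
    out = ""
    for (i = 1; i < length(h); i += 2) {
      hi = index(hexd, toupper(substr(h, i, 1))) - 1
      lo = index(hexd, toupper(substr(h, i + 1, 1))) - 1
      out = out sprintf("%c", hi * 16 + lo)
    }
    return out
  }
  # The serial after the timestamp in msg=audit(TS:SERIAL) ties the
  # SYSCALL, EXECVE, CWD and PATH records of one event together.
  function event_id(line,   m) {
    if (match(line, /msg=audit\([0-9]+\.[0-9]+:[0-9]+\)/)) {
      m = substr(line, RSTART, RLENGTH)
      sub(/^msg=audit\([0-9]+\.[0-9]+:/, "", m)
      sub(/\)$/, "", m)
      return m
    }
    return ""
  }
  {
    id = event_id($0)
    if (id == "") next
    if (!(id in seen)) { seen[id] = 1; order[++n] = id }
    for (i = 1; i <= NF; i++) {
      eq = index($i, "=")
      if (eq == 0) continue
      k = substr($i, 1, eq - 1)
      v = substr($i, eq + 1)
      if ($1 == "type=SYSCALL") {
        # a0..a3 on the SYSCALL record are raw register values, not argv:
        # only take auid, exe and the rule key from it.
        if (k == "auid") auid[id] = v
        else if (k == "exe") { gsub(/"/, "", v); exe[id] = v }
        else if (k == "key") { gsub(/"/, "", v); key[id] = v }
      } else if ($1 == "type=EXECVE") {
        if (k == "argc") argc[id] = v + 0
        else if (k ~ /^a[0-9]+$/) {
          if (v ~ /^"/) { gsub(/"/, "", v) } else { v = unhex(v) }
          arg[id, substr(k, 2) + 0] = v
        }
      }
    }
  }
  END {
    for (j = 1; j <= n; j++) {
      id = order[j]
      if (!(id in argc)) continue        # event without an EXECVE record
      cmd = ""
      for (i = 0; i < argc[id]; i++) cmd = cmd (i ? " " : "") arg[id, i]
      printf "id=%s auid=%s exe=%s key=%s cmd=%s\n", id, auid[id], exe[id], key[id], cmd
    }
  }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE_AUDIT_LOG" | audit_execve_cmds
```

Against a live host the same function can be fed with `ausearch -k op_sec_cmd --raw | audit_execve_cmds` (or directly from /var/log/audit/audit.log as root). `ausearch -i` performs this decoding itself; the point of doing it by hand is that a collector receiving the raw lines over rsyslog, as in the setup above, has to reproduce it, and any parser that treats EXECVE arguments as plain quoted strings will miss exactly the command lines with spaces, which are the interesting ones (sh -c ..., wget with options, and so on).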
6. heka plugin for parsing the audit log, and /etc/hekad.toml
Source: http://www.cnblogs.com/iamlehaha/p/6596816.html