Configuring and auditing Linux systems with Audit daemonThe Linux Audi terjemahan - Configuring and auditing Linux systems with Audit daemonThe Linux Audi Bahasa Indonesia Bagaimana mengatakan

Configuring and auditing Linux syst

Configuring and auditing Linux systems with Audit daemon
The Linux Audit Daemon is a framework to allow auditing events on a Linux system. Within this article we will have a look at installation, configuration and using the framework to perform Linux system and security auditing.

Auditing goals
By using a powerful audit framework, the system can track many event types to monitor and audit the system. Examples include:

Audit file access and modification
See who changed a particular file
Detect unauthorized changes
Monitoring of system calls and functions
Detect anomalies like crashing processes
Set tripwires for intrusion detection purposes
Record commands used by individual users
Components
The framework itself has several components:

Kernel:

audit: hooks into the kernel to capture events and deliver them to auditd
Binaries:

auditd: daemon to capture events and store them (log file)
auditctl: client tool to configure auditd
audispd: daemon to multiplex events
aureport: reporting tool which reads from log file (auditd.log)
ausearch: event viewer (auditd.log)
autrace: using audit component in kernel to trace binaries
aulast: similar to last, but instaed using audit framework
aulastlog: similar to lastlog, also using audit framework instead
ausyscall: map syscall ID and name
auvirt: displaying audit information regarding virtual machines
Files:

audit.rules: used by auditctl to read what rules need to be used
auditd.conf: configuration file of auditd
Installation
Debian/Ubuntu: apt-get install auditd audispd-plugins

Red Hat/CentOS/Fedora: usually already installed (package: audit and audit-libs)

Configuration
The configuration of the audit daemon is arranged by two files, one for the daemon itself (auditd.conf) and one for the rules used by the auditctl tool (audit.rules).

auditd.conf
The file auditd.conf configures the Linux audit daemon (auditd) with focus on where and how it should log events. It also defines how to deal with full disks, log rotation and the number of logs to keep. Usually the default configuration will be appropriate for most systems.

audit.rules
To configure what events should be audited, the audit framework uses a rules file named audit.rules.

As with most things, use a clean start and without any loaded rules. Active rules can be determined by running auditctl with the -l parameter.

[root@host ~]# auditctl -l
No rules

In case any rules are loaded, remove them with auditctl and the -D parameter.

Time to start with monitoring something, let’s say the /etc/passwd file. We put a ‘watch’ on the file by defining the path and permissions to look for:

auditctl -a exit,always -F path=/etc/passwd -F perm=wa

By defining the path option, we instruct the audit framework what directory or file to watch for. The permissions determine what kind of access will trigger an event. Although these look similar to file permissions, note that there is a important difference between the two. The four options are:

r = read
w = write
x = execute
a = attribute change
Finding the related event or access to the file can be quickly traced by using the ausearch tool.

[root@host audit]# ausearch -f /etc/passwd

time->Tue Mar 18 15:17:25 2014
type=PATH msg=audit(1395152245.230:533): item=0 name=”/etc/passwd” inode=137627 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMAL
type=CWD msg=audit(1395152245.230:533): cwd=”/etc/audit”
type=SYSCALL msg=audit(1395152245.230:533): arch=c000003e syscall=188 success=yes exit=0 a0=d14410 a1=7f66eec38db7 a2=d4ea60 a3=1c items=1 ppid=1109 pid=4900 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm=”vi” exe=”/bin/vi” subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

Some highlights of this output are:

The time of the event and the name of the object, the current working path (cwd), related syscall, audit user ID (auid) and the binary (exe) performing the action upon the file. Please note that the auid defines the original user during log-in. The other user ID fields might indicate a different user, depending on the effective user being used while triggering an event.

Converting system calls

Syscalls are logged by an numeric value. Since there will be an overlap in these values between different architectures, the active architecture is also logged.

By using uname -m we can determine the architecture and use ausyscall to determine what numeric call 188 represents.

[root@host audit]# ausyscall x86_64 188
setxattr

We now know it was a change in attribute, which makes sense as we defined our watch to trigger an event on an attribute change (perm=a).

Used a temporary rule and want to use the old rules again? Refresh the audit rules from a file:

auditctl -R /etc/audit/audit.rules

Auditing of processes under Linux
Similiar to using strace, the audit framework has a tool named autrace. It uses the audit framework and adds the right rules to capture information and log it.
5000/5000
Dari: Inggris
Ke: Bahasa Indonesia
Hasil (Bahasa Indonesia) 1: [Salinan]
Disalin!
Configuring and auditing Linux systems with Audit daemonThe Linux Audit Daemon is a framework to allow auditing events on a Linux system. Within this article we will have a look at installation, configuration and using the framework to perform Linux system and security auditing.Auditing goalsBy using a powerful audit framework, the system can track many event types to monitor and audit the system. Examples include:Audit file access and modificationSee who changed a particular fileDetect unauthorized changesMonitoring of system calls and functionsDetect anomalies like crashing processesSet tripwires for intrusion detection purposesRecord commands used by individual usersComponentsThe framework itself has several components:Kernel:audit: hooks into the kernel to capture events and deliver them to auditdBinaries:auditd: daemon to capture events and store them (log file)auditctl: client tool to configure auditdaudispd: daemon to multiplex eventsaureport: reporting tool which reads from log file (auditd.log)ausearch: event viewer (auditd.log)autrace: using audit component in kernel to trace binariesaulast: similar to last, but instaed using audit frameworkaulastlog: similar to lastlog, also using audit framework insteadausyscall: map syscall ID and nameauvirt: displaying audit information regarding virtual machinesFiles:audit.rules: used by auditctl to read what rules need to be usedauditd.conf: configuration file of auditdInstallationDebian/Ubuntu: apt-get install auditd audispd-pluginsRed Hat/CentOS/Fedora: usually already installed (package: audit and audit-libs)ConfigurationThe configuration of the audit daemon is arranged by two files, one for the daemon itself (auditd.conf) and one for the rules used by the auditctl tool (audit.rules).auditd.confThe file auditd.conf configures the Linux audit daemon (auditd) with focus on where and how it should log events. It also defines how to deal with full disks, log rotation and the number of logs to keep. Usually the default configuration will be appropriate for most systems.audit.rulesTo configure what events should be audited, the audit framework uses a rules file named audit.rules.As with most things, use a clean start and without any loaded rules. Active rules can be determined by running auditctl with the -l parameter.[root@host ~]# auditctl -lNo rulesIn case any rules are loaded, remove them with auditctl and the -D parameter.Time to start with monitoring something, let’s say the /etc/passwd file. We put a ‘watch’ on the file by defining the path and permissions to look for:auditctl -a exit,always -F path=/etc/passwd -F perm=waBy defining the path option, we instruct the audit framework what directory or file to watch for. The permissions determine what kind of access will trigger an event. Although these look similar to file permissions, note that there is a important difference between the two. The four options are:r = readw = writex = executea = attribute changeFinding the related event or access to the file can be quickly traced by using the ausearch tool.[root@host audit]# ausearch -f /etc/passwdtime->Tue Mar 18 15:17:25 2014type=PATH msg=audit(1395152245.230:533): item=0 name=”/etc/passwd” inode=137627 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 nametype=NORMALtype=CWD msg=audit(1395152245.230:533): cwd=”/etc/audit”type=SYSCALL msg=audit(1395152245.230:533): arch=c000003e syscall=188 success=yes exit=0 a0=d14410 a1=7f66eec38db7 a2=d4ea60 a3=1c items=1 ppid=1109 pid=4900 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm=”vi” exe=”/bin/vi” subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)Some highlights of this output are:The time of the event and the name of the object, the current working path (cwd), related syscall, audit user ID (auid) and the binary (exe) performing the action upon the file. Please note that the auid defines the original user during log-in. The other user ID fields might indicate a different user, depending on the effective user being used while triggering an event.Converting system callsSyscalls are logged by an numeric value. Since there will be an overlap in these values between different architectures, the active architecture is also logged.By using uname -m we can determine the architecture and use ausyscall to determine what numeric call 188 represents.[root@host audit]# ausyscall x86_64 188setxattrWe now know it was a change in attribute, which makes sense as we defined our watch to trigger an event on an attribute change (perm=a).Used a temporary rule and want to use the old rules again? Refresh the audit rules from a file:auditctl -R /etc/audit/audit.rulesAuditing of processes under LinuxSimiliar to using strace, the audit framework has a tool named autrace. It uses the audit framework and adds the right rules to capture information and log it.
Sedang diterjemahkan, harap tunggu..
Hasil (Bahasa Indonesia) 2:[Salinan]
Disalin!
Konfigurasi dan sistem audit Linux dengan Audit daemon
Linux Audit Daemon adalah kerangka untuk memungkinkan peristiwa audit pada sistem Linux. Dalam artikel ini kita akan melihat pada instalasi, konfigurasi dan menggunakan kerangka kerja untuk melakukan sistem Linux dan audit keamanan.

Gol Auditing
Dengan menggunakan kerangka audit yang kuat, sistem dapat melacak banyak jenis acara untuk memantau dan mengaudit sistem. Contohnya termasuk:

akses file Audit dan modifikasi
Lihat yang mengubah file tertentu
Mendeteksi tidak sah perubahan
Pemantauan panggilan sistem dan fungsi
Deteksi anomali seperti menabrak proses
tripwires Set untuk tujuan deteksi intrusi
perintah Rekam digunakan oleh pengguna individu
Komponen
Kerangka itu sendiri memiliki beberapa komponen:

Kernel:

Audit: kait ke kernel untuk menangkap peristiwa dan mengantarkan mereka ke auditd
Binari:

auditd: daemon untuk menangkap peristiwa dan menyimpannya (file log)
auditctl: alat klien untuk mengkonfigurasi auditd
audispd: daemon multipleks peristiwa
aureport: alat pelaporan yang berbunyi dari log mengajukan (auditd.log)
ausearch: event viewer (auditd.log)
autrace: menggunakan komponen audit kernel untuk melacak binari
aulast: mirip dengan bertahan, tapi instaed menggunakan pemeriksaan kerangka
aulastlog: mirip dengan lastlog, juga menggunakan kerangka audit yang bukan
ausyscall: peta syscall ID dan nama
auvirt: menampilkan informasi audit mengenai mesin virtual
Files:

audit.rules: digunakan oleh auditctl untuk membaca apa aturan perlu digunakan
auditd.conf: file konfigurasi dari auditd
Instalasi
Debian / Ubuntu: apt-get install auditd audispd-plugin

Red Hat / CentOS / Fedora: biasanya sudah terinstal (paket: audit dan audit libs)

konfigurasi
konfigurasi dari daemon audit diatur oleh dua file, satu untuk daemon sendiri (auditd.conf) dan satu untuk aturan yang digunakan oleh alat auditctl (audit.rules).

auditd.conf
File auditd.conf mengkonfigurasi audit daemon Linux (auditd) dengan fokus pada di mana dan bagaimana harus log peristiwa. Hal ini juga mendefinisikan bagaimana menghadapi disk penuh, rotasi log dan jumlah log untuk menjaga. Biasanya konfigurasi default akan sesuai untuk kebanyakan sistem.

Audit.rules
Untuk mengkonfigurasi peristiwa apa yang harus diaudit, kerangka audit yang menggunakan file aturan bernama audit.rules.

Seperti kebanyakan hal, menggunakan awal yang bersih dan tanpa aturan dimuat. Aturan aktif dapat ditentukan dengan menjalankan auditctl dengan parameter -l.

[Root @ host ~] # auditctl -l
ada aturan

Dalam kasus apapun peraturan tersebut dimuat, menghapusnya dengan auditctl dan parameter -D.

Waktu untuk memulai dengan pemantauan sesuatu, katakanlah / etc / passwd. Kami menempatkan 'menonton' pada file dengan mendefinisikan jalan dan izin untuk mencari:

auditctl -a keluar, selalu -F path = / etc / passwd F perm = wa

Dengan mendefinisikan opsi jalan, kita menginstruksikan kerangka pemeriksaan apa direktori atau file untuk menonton. Izin menentukan jenis akses akan memicu suatu peristiwa. Meskipun ini terlihat mirip dengan hak akses file, diketahui bahwa ada perbedaan penting antara keduanya. Keempat opsi tersebut adalah:

r = membaca
w = menulis
x = mengeksekusi
a = atribut mengubah
. Menemukan acara terkait atau akses ke file tersebut dapat cepat dilacak dengan menggunakan alat ausearch

[root @ host Audit] # ausearch -f / etc / passwd

waktu-> Tue 18 Maret 15:17:25 2014
Jenis = PATH msg = Audit (1395152245,230: 533): item = 0 name = "/ etc / passwd" inode = 137.627 dev = fd: 00 mode = 0.100.644 ouid = 0 ogid = 0 rdev = 00: 00 obj = system_u: object_r: etc_t: s0 nametype = NORMAL
type = CWD msg = Audit (1395152245,230: 533): = cwd "/ etc / audit"
type = SYSCALL msg = Audit (1395152245,230: 533 ): lengkungan = c000003e syscall = 188 keberhasilan = yes exit = 0 a0 = d14410 a1 = 7f66eec38db7 a2 = d4ea60 a3 = 1c item = 1 ppid = 1109 pid = 4900 auid = 0 uid = 0 gid = 0 EUID = 0 SUID = 0 fsuid = 0 EGID = 0 SGID = 0 fsgid = 0 tty = pts0 ses = 2 comm = "vi" exe = "/ bin / vi" Subj = unconfined_u: unconfined_r: unconfined_t: s0-s0: c0.c1023 key = (null )

Beberapa highlights dari output ini adalah:

waktu acara dan nama objek, jalur saat kerja (cwd), syscall terkait, audit pengguna ID (auid) dan biner (exe) melakukan tindakan pada file. Harap dicatat bahwa auid mendefinisikan pengguna asli selama log-in. Bidang ID pengguna lain mungkin menunjukkan pengguna yang berbeda, tergantung pada pengguna yang efektif yang digunakan saat memicu suatu peristiwa.

Sistem Konversi panggilan

syscalls dicatat oleh nilai numerik. Karena akan ada tumpang tindih dalam nilai-nilai ini antara arsitektur yang berbeda, arsitektur aktif juga dicatat.

Dengan menggunakan -m uname kita dapat menentukan arsitektur dan menggunakan ausyscall untuk menentukan apa panggilan numerik 188 mewakili.

[Root @ host Audit] # ausyscall x86_64 188
setxattr

sekarang kami tahu itu perubahan atribut, yang masuk akal karena kita mendefinisikan menonton kami untuk memicu sebuah acara pada perubahan atribut (perm = a).

digunakan aturan sementara dan ingin menggunakan aturan lama lagi? Refresh aturan audit file:

auditctl -R /etc/audit/audit.rules

Audit proses di Linux
Serupa dengan menggunakan strace, kerangka audit yang memiliki alat bernama autrace. Ia menggunakan kerangka audit dan menambahkan aturan yang tepat untuk menangkap informasi dan log itu.
Sedang diterjemahkan, harap tunggu..
 
Bahasa lainnya
Dukungan alat penerjemahan: Afrikans, Albania, Amhara, Arab, Armenia, Azerbaijan, Bahasa Indonesia, Basque, Belanda, Belarussia, Bengali, Bosnia, Bulgaria, Burma, Cebuano, Ceko, Chichewa, China, Cina Tradisional, Denmark, Deteksi bahasa, Esperanto, Estonia, Farsi, Finlandia, Frisia, Gaelig, Gaelik Skotlandia, Galisia, Georgia, Gujarati, Hausa, Hawaii, Hindi, Hmong, Ibrani, Igbo, Inggris, Islan, Italia, Jawa, Jepang, Jerman, Kannada, Katala, Kazak, Khmer, Kinyarwanda, Kirghiz, Klingon, Korea, Korsika, Kreol Haiti, Kroat, Kurdi, Laos, Latin, Latvia, Lituania, Luksemburg, Magyar, Makedonia, Malagasi, Malayalam, Malta, Maori, Marathi, Melayu, Mongol, Nepal, Norsk, Odia (Oriya), Pashto, Polandia, Portugis, Prancis, Punjabi, Rumania, Rusia, Samoa, Serb, Sesotho, Shona, Sindhi, Sinhala, Slovakia, Slovenia, Somali, Spanyol, Sunda, Swahili, Swensk, Tagalog, Tajik, Tamil, Tatar, Telugu, Thai, Turki, Turkmen, Ukraina, Urdu, Uyghur, Uzbek, Vietnam, Wales, Xhosa, Yiddi, Yoruba, Yunani, Zulu, Bahasa terjemahan.

Copyright ©2025 I Love Translation. All reserved.

E-mail: ilovetranslation@live.com