auditd 缓存活动过滤?

auditd 缓存活动过滤?

有人能建议一种在 CentOS6 中从可审计事件中过滤浏览器缓存活动的策略吗?显然 el7 增加了过滤可执行文件的功能?但我们所有的工作站实例仍然在 6 上。我的要求阻止我直接删除产生流量的规则。

<86>1 2018-02-23T10:10:13.805049-08:00 xxxxxxxx2 audisp-graylog  - -  {"audit_category":"write","audit_summary":"Write: /home/joeblow/.cache/mozilla/firefox/udlgt3qa.default/safebrowsing-to_delete/test-phish-simple.pset","audit_hostname":"xxxxx.xxxx.xxxx.xxx","audit_timestamp":"2018-02-23T10:10:13-0800","audit_plugin":"audisp-graylog","audit_version":"1.0.0","audit":{"serial":"198286","rdev":"00:00","ogid":"995220534","ouid":"995220534","mode":"040700","dev":"fd:04","inode":"3678454","path":"/home/xxxxxx/.cache/mozilla/firefox/udlgt3qa.default/safebrowsing-to_delete/test-phish-simple.pset","serial":"198286","rdev":"00:00","ogid":"995220534","ouid":"995220534","mode":"040700","dev":"fd:04","inode":"3678454","path":"/home/xxxxxxx/.cache/mozilla/firefox/udlgt3qa.default/safebrowsing-to_delete/","serial":"198286","cwd":"/home/trwhite1","serial":"198286","session":"1","fsgid":"995220534","sgid":"995220534","egid":"995220534","fsuid":"995220534","suid":"995220534","euid":"995220534","gid":"995220534","pid":"3934","ppid":"1","process":"/usr/lib64/firefox/firefox","tty":"(none)","uid":"995220534","user":"xxxxxxx","originaluid":"995220534","originaluser":"xxxxxxx","parentprocess":"init","auditkey":"delete","processname":"55524C20436C6173736966696572","serial":"198286"}}

答案1

  1. 你可以使用收集器 Sidecar 来收集这些日志,http://docs.graylog.org/en/2.4/pages/collector_sidecar.html

  2. 然后通过管道规则进行解析(您可以根据需要编写规则)。

  3. 完成所有这些后,尝试使用 Quick Values 小部件来获得很酷的仪表板。

相关内容