Splunk Forwarder --> monitor/capture specific events?

Currently running CentOS 7.

I'm currently having a problem with the Splunk forwarder. I need to be able to monitor the following on all of our Linux machines. Some of the items below may only apply to Windows machines (which I'm also monitoring, but I'm still posting them to see whether it can be done):

  • auditd file access denied - Google mentioned something about this part?

  • Login denied

  • Security group changes - probably just group changes

  • Enabling/disabling (adding/removing) user accounts

  • File/folder/directory permission changes

  • User login/user logout

I know I need to add lines for these with /opt/splunkforwarder/bin/splunk add monitor followed by the path to the specific log. What I currently have is a monitor on /var/log/ (simple enough) to catch everything else. But if any of you have experience with Splunk Forwarders, let me know whether there is a better way to monitor this kind of activity.

Answer 1

Found out this can be done by configuring the audit.rules file, /etc/audit/rules.d/audit.rules. I'll post the config file since it may come in handy for future users running into the same problem. The only thing I still need to do now is configure the Splunk forwarder to capture this information.

#NOTE-IF YOU HAVE A 32-BIT SYSTEM YOU MUST CHANGE b64->b32 USE "%s/b64/b32/"

# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 1024

# Feel free to add below this line. See auditctl man page
#Record events that modify account information
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

#Record events that modify the network configuration
-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale

#Record logon and logout Events
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins

#Record process and session initiation information
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session

#Record discretionary access control permission modification events
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod

#Record unauthorized access attempts to files unsuccessful
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate \
-F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate \
-F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access

#Record information on exporting to Media (successful)
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export

#Record files deletion events by User (successful and unsuccessful)
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 \
-F auid!=4294967295 -k delete

#Record system administrator actions
-w /etc/sudoers -p wa -k actions

#Record information on kernel module loading and unloading
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
# give this rule an arch like the other syscall rules; without one auditctl warns about a 32/64-bit syscall mismatch on x86_64
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
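The rules above only write records into /var/log/audit/audit.log; turning them into the categories the question lists (file access denied, login denied, account and group changes, permission changes, login/logout) is still left to whoever searches the data. The following script is an added example, not part of the original question or answer and not Splunk's own parsing: it parses the audit.log record format, groups the SYSCALL/CWD/PATH records that share one serial number into a single event, and maps each event back to a category using the -k keys from the rules plus the PAM/shadow-utils record types (USER_LOGIN, ADD_USER, ...). The log excerpt in it is constructed to match the rule keys, not a real capture, and the category names are this example's own.

```python
import re
from collections import OrderedDict

# Record header: "type=SYSCALL msg=audit(<epoch>.<ms>:<serial>): <fields>"
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key=value pairs; a value is single-quoted (nested PAM msg), double-quoted or bare
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

# record types written by PAM/shadow-utils for the account and session events asked about
RECORD_TYPE_CATEGORY = {
    "ADD_USER": "user account added",
    "DEL_USER": "user account removed",
    "ADD_GROUP": "group added",
    "DEL_GROUP": "group removed",
    "USER_LOGOUT": "user logout",
}

# -k keys from the rules above (successful syscalls) and the category each one answers
KEY_CATEGORY = {
    "perm_mod": "permission change",
    "identity": "account file modified",
    "delete": "file deleted",
}

# Constructed sample audit.log content (not a real capture): one event per category.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=1b6 a3=a items=1 ppid=2686 pid=3538 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="access"
type=CWD msg=audit(1364481363.243:24287): cwd="/home/bob"
type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/shadow" inode=409248 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1364481400.100:24301): arch=c000003e syscall=90 success=yes exit=0 a0=7ffe1c2d3e40 a1=1ff a2=0 a3=0 items=1 ppid=2686 pid=3600 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=CWD msg=audit(1364481400.100:24301): cwd="/home/bob"
type=PATH msg=audit(1364481400.100:24301): item=0 name="/home/bob/secret.txt" inode=12345 dev=fd:00 mode=0100600 ouid=500 ogid=500 rdev=00:00
type=USER_LOGIN msg=audit(1364481500.500:24310): pid=3700 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=failed'
type=ADD_USER msg=audit(1364481600.700:24320): pid=3800 uid=0 auid=500 ses=1 msg='op=adding user id=1001 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=SYSCALL msg=audit(1364481600.900:24321): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd00000000 a1=241 a2=1a4 a3=0 items=1 ppid=2686 pid=3800 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="useradd" exe="/usr/sbin/useradd" key="identity"
type=PATH msg=audit(1364481600.900:24321): item=0 name="/etc/passwd" inode=1001 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=USER_LOGOUT msg=audit(1364481700.000:24330): pid=3900 uid=0 auid=500 ses=1 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
"""


def parse_fields(body):
    """Turn 'a=1 b="x" msg=\\'c=2\\'' into a flat dict, flattening the nested msg='...' list."""
    fields = {}
    for name, value in FIELD_RE.findall(body):
        if value.startswith("'") and value.endswith("'"):
            fields.update(parse_fields(value[1:-1]))  # PAM records nest a second list in msg='...'
        else:
            fields[name] = value.strip('"')
    return fields


def parse_audit_log(text):
    """Group records by serial number: a SYSCALL plus its CWD/PATH records form one event."""
    events = OrderedDict()
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # blank or malformed line
        fields = parse_fields(m.group("body"))
        fields["type"] = m.group("type")
        event = events.setdefault(m.group("serial"), {"ts": m.group("ts"), "records": []})
        event["records"].append(fields)
    return list(events.values())


def classify(event):
    """Map one event to a category from the question, or None if it is not of interest."""
    by_type = {r["type"]: r for r in event["records"]}
    syscall = by_type.get("SYSCALL")
    if syscall is not None:
        paths = [r["name"] for r in event["records"] if r["type"] == "PATH" and "name" in r]
        details = {"auid": syscall.get("auid"), "exe": syscall.get("exe"), "paths": paths}
        key = syscall.get("key")
        if key == "access" and syscall.get("success") == "no":
            details["exit"] = syscall.get("exit")  # -13 is -EACCES, -1 is -EPERM (the two rules above)
            return "file access denied", details
        if key in KEY_CATEGORY and syscall.get("success") == "yes":
            return KEY_CATEGORY[key], details
    login = by_type.get("USER_LOGIN")
    if login is not None:
        details = {"acct": login.get("acct"), "addr": login.get("addr"), "exe": login.get("exe")}
        return ("user login" if login.get("res") == "success" else "login denied"), details
    for rtype, category in RECORD_TYPE_CATEGORY.items():
        r = by_type.get(rtype)
        if r is not None:
            return category, {"auid": r.get("auid"), "exe": r.get("exe"), "res": r.get("res")}
    return None


def summarize(text):
    """Return [(category, details), ...] for every event of interest in an audit.log excerpt."""
    results = []
    for event in parse_audit_log(text):
        hit = classify(event)
        if hit is not None:
            results.append(hit)
    return results


if __name__ == "__main__":
    for category, details in summarize(SAMPLE_AUDIT_LOG):
        print(f"{category:22s} {details}")
```

Two practical points when wiring this up to the forwarder. First, /opt/splunkforwarder/bin/splunk add monitor /var/log/audit/audit.log is enough to ship the file, but on CentOS 7 /var/log/audit and audit.log are readable only by root, so a forwarder running as a dedicated user needs read access granted first (auditd.conf's log_group setting is the supported way to change the log's group ownership). Second, CentOS 7 sets UID_MIN to 1000 in /etc/login.defs, so the auid>=500 filters in the rules also match system accounts in the 500-999 range; raise them to 1000 if only interactive users should be recorded.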
