Currently running CentOS 7.
I'm currently having a problem with the Splunk forwarder. I need to be able to monitor the following on all Linux machines. Some of the items below may only apply to Windows machines (which I am also monitoring, but I'm posting them anyway to see whether it can be done):
auditd
File access denied - Google mentioned this in part? Login denied
Security group changes - probably just group changes
Enable/disable (add/remove) user accounts
File/folder/directory permission changes
User logon/user logoff
I know I need to add these with the line /opt/splunkforwarder/bin/splunk add monitor
followed by the path of the specific log. What I currently have is monitoring /var/log/
(simple enough) to catch everything else. But if any of you have experience with Splunk forwarders, please let me know if there is a better way to monitor this kind of activity.
Answer 1
Found that this can be done by configuring the audit.rules file, /etc/audit/rules.d/audit.rules.
I'll post the config file since it may come in handy for future users who run into the same problem. The only thing I need to do now is configure the Splunk forwarder to capture this information.
# NOTE: IF YOU HAVE A 32-BIT SYSTEM YOU MUST CHANGE b64->b32 (USE "%s/b64/b32/")
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 1024
# Feel free to add below this line. See auditctl man page
#Record events that modify account information
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
#Record events that modify the network configuration
-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
#Record logon and logout Events
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
#Record process and session initiation information
-w /var/run/utmp -p wa -k session
-w /var/log/btmp -p wa -k session
-w /var/log/wtmp -p wa -k session
#Record discretionary access control permission modification events
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
#Record unauthorized access attempts to files (unsuccessful)
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
#Record information on exporting to media (successful)
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k export
#Record file deletion events by user (successful and unsuccessful)
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
#Record system administrator actions
-w /etc/sudoers -p wa -k actions
#Record information on kernel module loading and unloading
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -S init_module -S delete_module -k modules
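Once the rules above are loaded, auditd writes the matching records to /var/log/audit/audit.log, which is the file the forwarder would pick up with `add monitor`. The following added example (my own code, not part of the answer or of Splunk/auditd) shows what those records look like and how to turn them back into the categories asked for in the question: it groups audit.log lines by their event serial so a SYSCALL record is joined with its PATH record, maps the `-k` keys from the rules file (identity, perm_mod, access, logins, ...) and the user-space record types (ADD_USER, USER_LOGIN, ...) onto monitoring categories, and counts events per category. The log lines and the category names are constructed for the example; on a real host you would read the file instead of the embedded string.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of /var/log/audit/audit.log records (not taken from a real host).
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1573045200.123:456): arch=c000003e syscall=90 success=yes exit=0 items=1 ppid=1000 pid=1234 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=2 comm="chmod" exe="/usr/bin/chmod" key="perm_mod"
type=PATH msg=audit(1573045200.123:456): item=0 name="/srv/app/config.ini" inode=12345 dev=fd:00 mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1573045210.456:457): arch=c000003e syscall=2 success=no exit=-13 items=1 ppid=1000 pid=1240 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=2 comm="cat" exe="/usr/bin/cat" key="access"
type=PATH msg=audit(1573045210.456:457): item=0 name="/etc/shadow" inode=67890 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=ADD_USER msg=audit(1573045300.500:458): pid=2000 uid=0 auid=1000 ses=2 msg='op=adding user id=1001 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
type=USER_LOGIN msg=audit(1573045400.000:459): pid=2100 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="bob" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=ssh res=failed'
type=SYSCALL msg=audit(1573045500.000:460): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1000 pid=1300 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=2 comm="vi" exe="/usr/bin/vi" key="identity"
type=PATH msg=audit(1573045500.000:460): item=0 name="/etc/group" inode=100 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

# Every audit record starts with "type=... msg=audit(<timestamp>:<serial>): <body>".
HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): ?(?P<body>.*)$"
)
# Body fields are key=value; values may be single-quoted, double-quoted or bare.
FIELD_RE = re.compile(r"""(\w[\w-]*)=('[^']*'|"[^"]*"|\S+)""")

# The -k keys from the rules file mapped to the question's monitoring goals (names are my own).
KEY_TO_CATEGORY = {
    "identity": "account_file_change", "perm_mod": "permission_change",
    "access": "access_denied", "logins": "logon_logoff", "session": "session",
    "delete": "file_delete", "actions": "sudoers_change", "modules": "kernel_module",
    "system-locale": "network_config_change", "export": "media_export",
}
# User-space records emitted by shadow-utils/PAM; these carry no rule key.
TYPE_TO_CATEGORY = {
    "ADD_USER": "account_change", "DEL_USER": "account_change",
    "ADD_GROUP": "account_change", "DEL_GROUP": "account_change",
    "USER_LOGIN": "logon_logoff", "USER_LOGOUT": "logon_logoff",
}


def parse_fields(body):
    """Parse key=value pairs; the nested msg='...' of user-space records is flattened."""
    fields = {}
    for key, value in FIELD_RE.findall(body):
        if value[:1] in "\"'":
            value = value[1:-1]
        if key == "msg":
            fields.update(parse_fields(value))
        else:
            fields[key] = value
    return fields


def parse_events(text):
    """Group records into events keyed by (timestamp, serial), as auditd emits them."""
    events = defaultdict(list)
    for line in text.splitlines():
        match = HEADER_RE.match(line.strip())
        if not match:
            continue  # blank or non-audit line
        events[(match["ts"], match["serial"])].append((match["type"], parse_fields(match["body"])))
    return events


def classify_event(records):
    """Summarise one event, or return None when it matches no monitored category."""
    syscall = next((f for t, f in records if t == "SYSCALL"), None)
    paths = [f["name"] for t, f in records if t == "PATH" and "name" in f]
    if syscall is not None:
        category = KEY_TO_CATEGORY.get(syscall.get("key", "(null)"))
        if category is None:
            return None
        return {"category": category, "auid": syscall.get("auid"), "exe": syscall.get("exe"),
                "paths": paths, "success": syscall.get("success") == "yes",
                "exit": syscall.get("exit"), "acct": None}
    for rtype, fields in records:
        category = TYPE_TO_CATEGORY.get(rtype)
        if category:
            return {"category": category, "auid": fields.get("auid"), "exe": fields.get("exe"),
                    "paths": [], "success": fields.get("res") == "success", "exit": None,
                    "acct": fields.get("acct") or fields.get("id")}
    return None


def summarize(text):
    """Return one summary dict per monitored event, in serial order."""
    summaries = []
    for (_ts, serial), records in sorted(parse_events(text).items(), key=lambda kv: int(kv[0][1])):
        summary = classify_event(records)
        if summary:
            summary["serial"] = int(serial)
            summaries.append(summary)
    return summaries


def count_by_category(text):
    """Event counts per category, the kind of roll-up a forwarder-side search would produce."""
    return dict(Counter(s["category"] for s in summarize(text)))


if __name__ == "__main__":
    for event in summarize(SAMPLE_AUDIT_LOG):
        print(event)
    print(count_by_category(SAMPLE_AUDIT_LOG))
```

The join on serial matters in practice: the `-k` key, auid and exe live on the SYSCALL record, while the file name only appears on the PATH record of the same event, so a line-by-line search on the forwarded log sees "perm_mod" on one line and "/srv/app/config.ini" on the next.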