Last week's release to the OSC to get a lot of users download, which gives us a very high power, we in the last five kinds of alarm (non-working hours access, non-work location access, password guessing, account guessing, account guessing success) on the basis of increased sensitive file operation alarm and high-risk command operation alarm content. For previous alarms, check out the previous article.
Sensitive file operations
sensitive file operation is generally a more dangerous operation, if the attacker successfully entered the system, in this case, the general thing is to clean the scene, Deleting a log increases the behavior of some configurations, so it is important to operate on sensitive files. The main feature of this type of alarm is that sensitive files are considered to be manipulated when the device's sensitive files are accessed or modified. Because to record the user's sensitive file operation behavior, first of all to obtain the user's action behavior, in the Linux system default is no such operation behavior, need to be configured, the following first describes the audit configuration.
1, modify the/etc/profile file in the Linux file. Add one line: export prompt_command= ' { msg=$ (History 1 | { read x y; echo $y; });logger " seciland user=$ (whoami)" client= $SSH _client path= ' pwd ' command: "$msg"; } ', this file will be required to execute . /etc/profile after the addition is completed.
2. Configure the Syslog send settings in/etc/rsyslog.conf: *.info;mail.none;authpriv.none;cron.none @IP address.
3. Restart the syslog service rsyslog restart.
After the above three steps, you can get the audit record of the user's operation behavior.
Verification process: First, the definition of sensitive files, see:
650) this.width=650; "src=" Http://static.oschina.net/uploads/img/201505/03174302_oRpd.png "style=" padding:5px; margin:10px 0px;border:1px solid RGB (221,221,221); Background:rgb (244,247,249); "/>
In this configuration, the passwd file and the rsyslog.conf file are set as sensitive files, and subsequent additions if needed to add other sensitive files just need to be added here.
In the Linux console, edit the two files, vi/etc/rsyslog.conf;vi/etc/passwd.
View the logs in the Web management interface.
650) this.width=650; "src=" Http://static.oschina.net/uploads/img/201505/03174302_V7jZ.png "style=" padding:5px; margin:10px 0px;border:1px solid RGB (221,221,221); Background:rgb (244,247,249); "/>
From there, you can see that two commands have been audited and then checked for alarms.
650) this.width=650; "src=" Http://static.oschina.net/uploads/img/201505/03174303_KwAn.png "style=" padding:5px; margin:10px 0px;border:1px solid RGB (221,221,221); Background:rgb (244,247,249); "/>
As can be seen, has produced a sensitive file operation alarm, in view of the details of this alarm, the interface is as follows:
650) this.width=650; "src=" Http://static.oschina.net/uploads/img/201505/03174303_9BZH.png "style=" padding:5px; margin:10px 0px;border:1px solid RGB (221,221,221); Background:rgb (244,247,249); "/>
High-risk command operations
High-risk command operations are generally more dangerous operations, if the attacker successfully entered the system, in this case, the general thing to do is to clean the scene, delete the log to add some configuration, etc., so the operation of sensitive files is very important. The main feature of this type of alarm is that sensitive files are considered to be manipulated when the device's sensitive files are accessed or modified. In order to record the user's sensitive file operation behavior, first of all to obtain the user's action behavior, in the Linux system default is no such operation behavior, need to be configured, the method of configuration and sensitive file operation, only need to configure once to take effect.
Verification process: First, the definition of sensitive files, see:
650) this.width=650; "src=" Http://static.oschina.net/uploads/img/201505/03174303_FQeh.png "style=" padding:5px; margin:10px 0px;border:1px solid RGB (221,221,221); Background:rgb (244,247,249); "/>
In this configuration, passwd operations and RM-RF are set for high-risk operations, and additional high-risk operations need to be added here if necessary.
In the Linux console, execute the passwd command, create a new directory AA under Home, and then build a file test in the directory home to execute RM-RF AA.
View the logs in the Web management interface.
650) this.width=650; "src=" Http://static.oschina.net/uploads/img/201505/03174303_mqZN.png "style=" padding:5px; margin:10px 0px;border:1px solid RGB (221,221,221); Background:rgb (244,247,249); "/>
In the log, see the user's procedure in detail, and then view the alarm:
650) this.width=650; "src=" Http://static.oschina.net/uploads/img/201505/03174304_0KwV.png "style=" padding:5px; margin:10px 0px;border:1px solid RGB (221,221,221); Background:rgb (244,247,249); "/>
As can be seen, has produced a high-risk command operation Alarm, in view of the details of this alarm, the interface is as follows:
650) this.width=650; "src=" Http://static.oschina.net/uploads/img/201505/03174304_xB45.png "style=" padding:5px; margin:10px 0px;border:1px solid RGB (221,221,221); Background:rgb (244,247,249); "/>
:http://pan.baidu.com/s/1qWt7Hxi
This article is from the "Zhulinu blog" blog, make sure to keep this source http://zhulinu.blog.51cto.com/539189/1685061
Seci-log 1.01 Released, log analysis adds several alarms