Simple application of monitoring and SELinux

1. Basic concepts

   This is about two monitoring

   1. Port
   2. File

Simple Port view command netstat TULNP

Then the port corresponding service information is located in the file/etc/services

The file is monitored by installing the aide software and then etc under the aide.conf this configuration file, in the file to select the file to be monitored, and then a scan, the monitoring of the original data of the file memory, then when the monitoring of the file has changed, through two scans can be found. for processing.

View commands related to ports

RouterOS Internet Behavior Management

Netstate Network Status Monitoring

-T TCP

-L Listen

-P Pid/grogram Name

-A Show all connections

-U UDP

-N uIP

-e Extension

-S statistics

NETSTATE-TULNP Check Port

/etc/service record ports for all services on the computer

Related commands for monitoring files

Aide init scan (raw data for recording files)

Aide Check two scans (record data after changing the file)

Three types of SELinux states

Enforcing forced access not allowed

Permissive can be accessed once the validation is successful

Disabled Forbidden (does not enable SELinux functionality)

The first is the command netstat TULNP This command looks at the port opening situation

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/55/47/wKiom1SJdM2TMauqAAEIR5Db6bY215.jpg "/>

If you need to see whether the specific port is open, you can query, here is the port number 21st, is open

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/55/45/wKioL1SJdWXgbaRVAABegb-hWJU110.jpg "/>

If you turn it off, you'll see that there's no port 21st information.

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/55/48/wKiom1SJdM2R_CgQAABqyRrh4Os375.jpg "/>

If you want to know the port-specific services, you can go to/etc/services to find

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/55/45/wKioL1SJdWXB3F-OAADxRGUwIss501.jpg "/>

2. Intrusion Detection test

Aide intrusion detection software

/etc/aide.conf configuration files for aide

Aide--init scan (Initialize database)

--check (check the complete data)

Next do intrusion detection, then you need to install a software aide

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/55/48/wKiom1SJdM6yze63AAIrux0w30A198.jpg "/>

After installation, a aide.conf file is generated in/etc, which is the configuration file of the aide software.

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/55/45/wKioL1SJdWagRS3cAAAxKRtzgu4623.jpg "/>

After entering the/etc/aide.conf, you can see the following, these files can be monitored, if set to normal, the following files if they are hacked and can be detected by string change, here is the case of/boot

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/55/48/wKiom1SJdM7Al3XQAABKYcOSdUw346.jpg "/>

Here is an explanation of the normal, we can know the detection of something very detailed

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/55/45/wKioL1SJdWagLns8AAA5AcoxhZ8434.jpg "/>650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/55/48/wKiom1SJdNLggTj6AACtdlDzqdU633.jpg "/>

In the/var/lib/aide under the command aide--init to scan, note aide under a file aide.db.new.gz, which is the original data of the monitoring files, should be copied with a U disk, you need to check whether the monitoring of the file is changed, you can take it out

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/55/45/wKioL1SJdWqCpLH4AACMqSZb43M396.jpg "/>

Next, we'll simulate an intruder, create a file in/boot and want to destroy the/boot.

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/55/48/wKiom1SJdNOSGdWRAAD5wnRxhbo299.jpg "/>

Under normal circumstances, we are not able to find, but the/boot is very important, so you must use monitoring to see

Then we only need to use the command aide--check to scan, we can see if there is something changed in/boot

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/55/45/wKioL1SJdWvCHzHKAAHMYeV2_5c171.jpg "/>650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/55/48/wKiom1SJdNOA-v8XAAGkD9TZzg4938.jpg "/>

1. Do SELinux experiments

/etc/sysconfig/config

/etc/selinux/config

Enforcing mandatory

Permissive warning only applies to judging whether the system is the service itself or the SELinux problem (this is the default selinux for the system)

Disable Disabled ()

Getenforce View current SELinux status

Setenforce 0 Set level to permissive

Setenforce 1 Set level to enforcing

Policycoreutils-gui installation Package

System-config-selinux Graphical Setup SELinux

Go into/etc/sysconfig/selinux and you can change selinux.

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/55/45/wKioL1SJdWvgts9qAACp_jSUbwc006.jpg "/>

Then the command Getenforce is the view level, the following must be restarted after the system can not see

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M00/55/48/wKiom1SJdNOQOdYVAAAh7uduEsg600.jpg "/>

Next is the application of SELinux, which distinguishes SELinux from the permissive and enforcing states.

When SELinux is in the enforcing state, through the remote access to the host, the file under the FTP, found that the user login to the other side of the normal user can not see the users home directory files

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M01/55/45/wKioL1SJdWuT2paXAACjIhepG10671.jpg "/>

Then change SELinux to permissive

You can check it again.

650) this.width=650; "src=" http://s3.51cto.com/wyfs02/M02/55/45/wKioL1SJdW3BN8xnAACbaselet4315.jpg "/>

It can be seen that when SELinux is in enforcing, even if the login is successful, the file cannot be viewed.

When SELinux is in permissive, the login is successful and you can see the file.

So how to solve selinxu in enforcing, log on successfully after the issue of the file can be viewed? This needs to use the bool switch, this will be in the context value and the BOOL switch experiment report to solve!

Simple application of monitoring and SELinux