How to set up system security auditing on Linux

王林
Release: 2023-07-07 16:47:17

In today's digital era, network security has become a major challenge we face. To protect our systems and data from unauthorized access and malicious attacks, we need to implement a series of security measures. One of them is to turn on system security auditing. This article will introduce you to how to set up system security auditing on Linux, with relevant code examples.

First of all, we need to understand what system security audit is. System security auditing is a method of monitoring and recording system activity in order to detect and analyze potential security risks and threats. It can record login and logout events, file and directory access, process activities and other system activity information. By analyzing this information, we can detect abnormal behaviors in time and take appropriate measures.

In Linux systems, we can use the Auditing subsystem (auditd) to implement system security auditing. First, make sure your system has the auditd package installed. If it is not installed, you can use the following command to install it:

sudo apt-get install auditd

After the installation is complete, we need to configure auditd to start recording system activities. Open the /etc/audit/auditd.conf file and make sure the following settings are enabled:

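# Enable system boot recording
#
# When the auditd service starts, a boot record is logged
#
# This record can be checked with the `ausearch -m SYSTEM_BOOT` command
#
# The default value is no
#
# Set it to yes to enable recording
AUDITD_ENABLED=yes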

Next, we need to configure the audit rules to specify the types of system activity we wish to log. For example, the following rules will log login and logout events, file and directory access:

# Monitor login and logout events
-a always,exit -F arch=b64 -S execve -k login_logout
# Monitor file and directory access
-w /etc/passwd -p wa -k file_access
-w /etc/shadow -p wa -k file_access
-w /etc/group -p wa -k file_access

Add the above rules to the /etc/audit/rules.d/audit.rules file for them to take effect. After saving the file, use the following command to reload the audit rules:

sudo auditctl -R /etc/audit/rules.d/audit.rules

In addition, we can also add, modify and delete runtime audit rules in real time through the auditctl command. For example, the following command will monitor a user's login and logout events:

sudo auditctl -a always,exit -F arch=b64 -S execve -k login_logout

To view logged system activity, we can use the ausearch command. For example, the following command will find records of all login and logout events:

ausearch -m USER_LOGIN,USER_LOGOUT

Finally, to make it easier to analyze and report on system activity, we can use the audit log reporting tools provided with auditd. These tools can convert audit logs into a human-readable format and provide various filtering and statistical functions. For example, the following command will display the login and logout events in the last hour:

sudo aureport --start recent-hour -x --event login_logout
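
As an added example (not part of the original article), the following Python script groups raw audit.log records by their shared audit(timestamp:serial) event ID and lists, for a given rule key such as file_access or login_logout, who ran which program against which path. The sample log lines are constructed, the function names are assumptions, and field values are assumed not to be hex-encoded.

```python
import re
from collections import defaultdict

# Constructed sample records in raw /var/log/audit/audit.log format (not real data).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1688719637.123:401): arch=c000003e syscall=257 success=yes exit=3 pid=1234 auid=1000 uid=0 comm="vim" exe="/usr/bin/vim" key="file_access"
type=PATH msg=audit(1688719637.123:401): item=0 name="/etc/passwd" inode=131 nametype=NORMAL
type=SYSCALL msg=audit(1688719640.500:402): arch=c000003e syscall=59 success=yes exit=0 pid=1250 auid=1000 uid=1000 comm="id" exe="/usr/bin/id" key="login_logout"
type=EXECVE msg=audit(1688719640.500:402): argc=1 a0="id"
type=SYSCALL msg=audit(1688719700.010:403): arch=c000003e syscall=257 success=no exit=-13 pid=1300 auid=1001 uid=1001 comm="tee" exe="/usr/bin/tee" key="file_access"
type=PATH msg=audit(1688719700.010:403): item=0 name="/etc/shadow" inode=140 nametype=NORMAL
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Group records that share one audit(timestamp:serial) ID into one event."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # skip truncated or non-audit lines
        rtype, ts, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
        events[(float(ts), int(serial))].append((rtype, fields))
    return events


def summarize(text, key):
    """Return (serial, auid, exe, success, paths) for each event tagged with key."""
    rows = []
    for (_, serial), records in sorted(parse_events(text).items()):
        tagged = [f for t, f in records if t == "SYSCALL" and f.get("key") == key]
        if not tagged:
            continue
        paths = [f["name"] for t, f in records if t == "PATH" and "name" in f]
        sc = tagged[0]
        rows.append((serial, sc.get("auid"), sc.get("exe"), sc.get("success"), paths))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG, "file_access"):
        print(row)
```

The auid field is the login UID, which stays fixed across su and sudo, so the constructed event 401 is attributed to user 1000 even though the process ran as uid 0.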

Through the above steps, we can set up system security auditing on the Linux system and improve the security of the system by monitoring and recording system activities. However, it is worth noting that system security auditing is only one security measure, and it needs to be combined with other security measures to establish a complete security protection system.

In summary, system security auditing is critical to protecting our systems and data from unauthorized access and malicious attacks. This article provides steps and code examples for setting up system security auditing on Linux. We hope it will be helpful to you.

Reference code:

/etc/audit/auditd.conf

AUDITD_ENABLED=yes

/etc/audit/rules.d/audit.rules

# Monitor login and logout events
-a always,exit -F arch=b64 -S execve -k login_logout
# Monitor file and directory access
-w /etc/passwd -p wa -k file_access
-w /etc/shadow -p wa -k file_access
-w /etc/group -p wa -k file_access

sudo auditctl -a always,exit -F arch=b64 -S execve -k login_logout

ausearch -m USER_LOGIN,USER_LOGOUT

sudo aureport --start recent-hour -x --event login_logout

source:php.cn