Install: claude install-skill ryukyagamilight/terminal-skills
# Security Audit
## Overview
Skills for security auditing, vulnerability scanning and compliance checks.
## The auditd audit system
### Installation and management
```bash
# Install
apt install auditd audispd-plugins # Debian/Ubuntu
yum install audit # CentOS/RHEL
# Service management
systemctl start auditd
systemctl enable auditd
systemctl status auditd
```
### Audit rules
```bash
# List the currently loaded rules
auditctl -l
# Add rules: watch files for writes and attribute changes
auditctl -w /etc/passwd -p wa -k passwd_changes
auditctl -w /etc/shadow -p wa -k shadow_changes
auditctl -w /etc/sudoers -p wa -k sudoers_changes
# Watch a directory
auditctl -w /etc/ssh/ -p wa -k ssh_config
# Watch system calls (every program execution)
auditctl -a always,exit -F arch=b64 -S execve -k command_exec
# Watch user activity (auid >= 1000 selects real login users)
auditctl -a always,exit -F arch=b64 -S open -F auid>=1000 -k user_file_access
```
### Persistent rules
```bash
# /etc/audit/rules.d/audit.rules
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/sudoers -p wa -k sudoers_changes
-w /var/log/lastlog -p wa -k logins
-a always,exit -F arch=b64 -S execve -k commands
```
```bash
# Reload the rules from /etc/audit/rules.d/
augenrules --load
```
### Viewing logs
```bash
# Search the audit log
ausearch -k passwd_changes
ausearch -k commands -ts today
ausearch -ua root -ts recent
# Generate reports
aureport
aureport --summary
aureport --login
aureport --file
aureport --executable
```
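As an added example (not part of this skill), the following Python script parses a few constructed audit.log records, of the kind the rules above produce, and summarises them by rule key the way `ausearch -k` and `aureport --summary` do; the records, serial numbers and uids are invented for illustration.

```python
import re
from collections import Counter

# Constructed sample records in audit.log format (not real captures). Each SYSCALL
# record carries the key set by the matching -k rule; syscall 59 is execve and 257 is
# openat on x86_64 (modern glibc routes open() through openat, so a rule with only
# -S open can miss these).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 auid=1000 uid=0 comm="vi" exe="/usr/bin/vi" key="passwd_changes"
type=PATH msg=audit(1700000000.101:201): item=0 name="/etc/passwd" inode=1234 mode=0100644
type=SYSCALL msg=audit(1700000000.202:202): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="commands"
type=SYSCALL msg=audit(1700000000.303:203): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=0 comm="sudo" exe="/usr/bin/sudo" key="commands"
type=SYSCALL msg=audit(1700000000.404:204): arch=c000003e syscall=257 success=no exit=-13 auid=1001 uid=1001 comm="cat" exe="/usr/bin/cat" key="shadow_changes"
type=SYSCALL msg=audit(1700000000.505:205): arch=c000003e syscall=257 success=yes exit=3 auid=4294967295 uid=0 comm="cron" exe="/usr/sbin/cron" key="logins"
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
UNSET_AUID = 4294967295  # auid when no login session is attached (daemons, cron jobs)

def parse_record(line):
    """Parse one audit.log line into a dict; None for lines that are not audit records."""
    m = RECORD_RE.match(line)
    if not m:
        return None
    rec = {"type": m["type"], "timestamp": float(m["ts"]), "serial": int(m["serial"])}
    for k, v in FIELD_RE.findall(m["rest"]):
        rec[k] = v.strip('"')  # key="commands" -> commands
    return rec

def syscall_records(text, key=None):
    """SYSCALL records, optionally filtered by rule key (what `ausearch -k KEY` selects)."""
    recs = (parse_record(line) for line in text.splitlines())
    return [r for r in recs if r and r["type"] == "SYSCALL" and key in (None, r.get("key"))]

def summarize_by_key(text):
    """Event count per rule key, an `aureport --summary`-style overview."""
    return Counter(r["key"] for r in syscall_records(text) if "key" in r)

def credential_file_events(text, keys=("passwd_changes", "shadow_changes", "sudoers_changes")):
    """(serial, auid, comm, succeeded) for watched credential files, attributable to a
    real login session; failed attempts (success=no) are logged too, so keep them."""
    return [(r["serial"], int(r["auid"]), r["comm"], r["success"] == "yes")
            for r in syscall_records(text)
            if r.get("key") in keys and int(r["auid"]) != UNSET_AUID]
```

The auid (login uid) survives `sudo` and `su`, which is why the second `commands` record is attributed to uid 1000 even though it ran as root.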
## Log auditing
### System logs
```bash
# View authentication logs
tail -f /var/log/auth.log # Debian/Ubuntu
tail -f /var/log/secure # CentOS/RHEL
# View login records
last
lastb # failed logins
lastlog
# journalctl
journalctl -u sshd
journalctl --since "1 hour ago"
journalctl -p err
```
### Log analysis
```bash
# Count failed SSH logins
grep "F