Learn Linux System Auditing with the Auditd Tool on CentOS/RHEL


System auditing simply refers to an in-depth analysis of a specific, targeted system: the audit is carried out by examining the various parts that make up that system, with a critical assessment (and testing, where required) of the different areas of interest.

One of the most important subsystems of RHEL/CentOS is the Linux audit system, commonly known as auditd. It implements a means of tracking security-relevant information on a system: it uses pre-configured rules to collect large amounts of information about events happening on the system and records them in a log file, thus creating an audit trail.

It can record information such as the date and time, type, and outcome of an event; the users who caused the event; any modifications made to files/databases; and the use of system authentication mechanisms such as PAM, LDAP, SSH and others.

Auditd also records any changes made to the audit configuration files or any attempts to access the audit log files, as well as any attempts to import or export information into or out of the system, along with other security-related information.

  1. It does not require any external programs or processes to run on a system, which makes it self-contained.
  2. It is highly configurable, so it allows you to watch any system operation(s) you want.
  3. It helps to detect or analyze potential system compromises.
  4. It is capable of working as an independent detection system.
  5. It can work together with an Intrusion Detection System to enable intrusion detection.
  6. It is a critical tool for auditing forensic investigations.

The audit system has two core components, namely:

  • user-space applications and utilities/tools, and
  • kernel-side system call processing – this accepts system calls from user-space applications and passes them through any of the three filters, namely: user, task, exit, or exclude.

The most important part is the user-space audit daemon (auditd), which collects information from the kernel based on the pre-configured rules and generates entries in a log file: the default log is /var/log/audit/audit.log.

In addition, audispd (the audit dispatcher daemon) is an event multiplexor that interacts with auditd and sends events to other programs that want to perform real-time event processing.

There are a number of user-space tools for managing and retrieving information from the audit system:

  • auditctl – a utility for controlling the kernel audit system.
  • ausearch – a utility for searching the audit log files for specific events.
  • aureport – a utility for creating reports of recorded events.

How to Install and Configure the Audit Tool on RHEL/CentOS/Fedora

First make sure that the audit tool is installed on your system, using the grep utility as follows:

# rpm -qa | grep audit

If you do not have the above packages installed, run this command as the root user to install them.

# yum install audit

Next, check whether auditd is enabled and running by issuing the systemctl commands below on the terminal.

--------------- On CentOS/RHEL 7 --------------- 
# systemctl is-enabled auditd
# systemctl status auditd
# systemctl start auditd   [Start]
# systemctl enable auditd  [Enable]

--------------- On CentOS/RHEL 6 --------------- 
# service auditd status
# service auditd start     [Start]
# chkconfig auditd on      [Enable]

Now we will see how to configure auditd using the main configuration file /etc/audit/auditd.conf. The parameters here allow you to control how the service runs, such as defining the location of the log file, the maximum number of log files, the log format, how to deal with full disks, log rotation and many other options.

# vi /etc/audit/auditd.conf

From the sample below, the parameters are self-explanatory.

Understanding Audit Rules

As we mentioned earlier, auditd uses rules to collect specific information from the kernel. These rules are essentially auditctl options (see the man page) which you can pre-configure in the /etc/audit/rules.d/audit.rules file (on CentOS 6, use the /etc/audit/audit.rules file), so that they are loaded at startup.

There are three types of audit rules you can define:

  • Control rules – these allow the audit system's behavior and some of its configuration to be modified.
  • File system rules (also referred to as file watches) – allow auditing of access to a particular file or directory.
  • System call rules – allow logging of the system calls made by any program.

Now open the main configuration file for editing:

# vi /etc/audit/rules.d/audit.rules

Note that the first section of this file must contain control rules. Then add your audit rules (file watches and system call rules) in the middle section, and finally the last section contains the immutability settings, which are also control rules.

-D		#removes all previous rules
-b  3074	#define buffer size
-f 4		#panic on failure 
-r 120		#create at most 120 audit messages per second

You can define a file watch using this syntax:

-w /path/to/file/or/directory -p permissions -k key_name

Where the options are:

  • w – is used to specify a file or directory to audit.
  • p – the access permissions: r – for read access, w – for write access, x – for execute access and a – for a change in the file's or directory's attributes.
  • -k – allows you to set an optional string to identify which rule (or set of rules) created a particular log entry.

These rules allow auditd to watch for events that make changes to these critical system files.

-w /etc/passwd -p wa -k passwd_changes
-w /etc/group -p wa -k group_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/sudoers -p wa -k sudoers_changes

You can set a system call rule using the form below:

-a action,filter -S system_call -F field=value -k key_name

where:

  • action – has two possible values: always or never.
  • filter – specifies the kernel rule-matching filter (task, exit, user and exclude) that is applied to the event.
  • system call – the name of the system call.
  • field – specifies additional options such as architecture, PID, GID and so on to modify the rule.

Here are some rules you can define.

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time_change
-a always,exit -S sethostname -S setdomainname -k system_locale

Then finally add the immutability settings at the end of the file, for example:

-e 1	#enable auditing
-e 2	#make the configuration immutable -- reboot is required to change audit rules

How to Set Auditd Rules Using the Auditctl Utility

Alternatively, send the options to auditd while it is running, using auditctl as in the following examples. These commands can override the rules in the configuration file.

To list all currently loaded audit rules, pass the -l flag:

# auditctl -l

Next, try adding a few rules:

# auditctl -w /etc/passwd -p wa -k passwd_changes
# auditctl -w /etc/group -p wa -k group_changes
# auditctl -w /etc/sudoers -p wa -k sudoers_changes
# auditctl -l

By default, all audit messages are recorded in the /var/log/audit/audit.log file. To understand the log entry format, we will load a rule and examine the log entry generated after an event that matches the rule.

Assuming we have a secret backup directory, this audit rule will log any attempt to access or modify that directory:

# auditctl -w /backups/secret_files/ -p rwa -k secret_backup

Now, using another system account, try to move into the above directory and run the ls command:

$ cd /backups/secret_files/
$ ls

The log entry will look like this.

The above event consists of three types of audit records. The first is type=SYSCALL:

type=SYSCALL msg=audit(1505784331.849:444): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=8ad5c0 a2=90800 a3=0 items=1 ppid=2191 pid=2680 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="secret_backup"

The second is type=CWD:

type=CWD msg=audit(1505784331.849:444):  cwd="/backups/secret_files"

And the last is type=PATH:

type=PATH msg=audit(1505784331.849:444): item=0 name="." inode=261635 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0 objtype=NORMAL

You can find a complete list of all the event fields (such as msg, arch, ses and so on) and their meanings in the Audit System Reference.
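The three records above share one event id, audit(1505784331.849:444), and that id is what ties them together. The following Python is an added example (not part of the original article or the audit package) that parses audit.log lines into fields, correlates SYSCALL, CWD and PATH records by event id, and summarizes every event tagged with a given -k key; the sample log is constructed from the entry shown above.

```python
import re
from collections import defaultdict

# Constructed sample: the three records of one event, modelled on the entry
# shown above (not captured from a real host).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1505784331.849:444): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=8ad5c0 a2=90800 a3=0 items=1 ppid=2191 pid=2680 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=3 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="secret_backup"
type=CWD msg=audit(1505784331.849:444):  cwd="/backups/secret_files"
type=PATH msg=audit(1505784331.849:444): item=0 name="." inode=261635 dev=08:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:default_t:s0 objtype=NORMAL
"""

# Record layout: type=<T> msg=audit(<epoch>.<ms>:<serial>): <key>=<value> ...
HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # quoted values may contain spaces

def parse_record(line):
    """Split one audit.log line into ((ts, serial), record type, {field: value})."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
    return (ts, serial), rtype, fields

def group_events(log_text):
    """Correlate records that share the same audit(ts:serial) id into one event."""
    events = defaultdict(dict)
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed:
            event_id, rtype, fields = parsed
            events[event_id].setdefault(rtype, []).append(fields)
    return events

def summarize(event):
    """Who (auid survives su/sudo), what, where, and which -k rule fired."""
    sc = event["SYSCALL"][0]
    return {
        "key": sc.get("key"), "auid": int(sc.get("auid", -1)),
        "uid": int(sc.get("uid", -1)), "comm": sc.get("comm"), "exe": sc.get("exe"),
        "syscall": int(sc.get("syscall", -1)), "success": sc.get("success") == "yes",
        "cwd": event.get("CWD", [{}])[0].get("cwd", "?"),
        "paths": [p.get("name", "?") for p in event.get("PATH", [])],
    }

def hits_for_key(log_text, key):
    """Return a summary of every event whose SYSCALL record carries the given key."""
    return [summarize(ev) for ev in group_events(log_text).values()
            if "SYSCALL" in ev and ev["SYSCALL"][0].get("key") == key]
```

The syscall number is left numeric because it depends on the arch field; on the host, `ausyscall 257` from the audit package resolves it to a name.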

That's all for now. In the next article, we will look at how to use ausearch to query the audit log files: we will explain how to find specific information in the audit logs. If you have any questions, please reach us via the comment section below.