Server security audit in financial industry

2025-04-11 Update From: SLTechnology News&Howtos

Shulou (Shulou.com) 06/01 Report

Server security audit

Industry requirements:

Check whether the audit coverage of the server host includes: adding and deleting users, starting and stopping the audit function, audit policy adjustments, permission changes, abnormal use of system resources, and important system operations (such as user login and logout).

Default state on servers:

Auditing is not enabled by default. Security experts need to evaluate which audit entries to enable so that the relevant audit features can be configured.

Windows

Microsoft KB 977519 describes in detail the various security and audit-related events recorded in the Windows operating system security log.

To enable basic auditing: Group Policy Management -> Security Settings -> Local Policies -> Audit Policy

To enable advanced auditing: Group Policy Management -> Security Settings -> Advanced Audit Policy Configuration -> System Audit Policies - Local Group Policy Object

The following configuration enables basic audit:

Linux

On Linux, the audit package auditd must be installed.

The Linux auditd tool can write audit records to a log file. This includes recording system calls and file access.

IBM developerWorks personal blog post: https://www.ibm.com/developerworks/cn/linux/l-lo-use-space-audit-tool/index.html

Red Hat official documentation on system auditing: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-defining_audit_rules_and_controls_in_the_audit.rules_file

Audit rules need to be configured as needed. In the /usr/share/doc/audit-version/ directory, the audit package provides some predefined audit rule files that meet different certification standards:

nispom.rules - meets the requirements of the National Industrial Security Program Operating Manual (NISPOM)

capp.rules - meets the requirements of the Controlled Access Protection Profile (CAPP), part of Common Criteria certification

lspp.rules - meets the requirements of the Labeled Security Protection Profile (LSPP), part of Common Criteria certification

stig.rules - meets the requirements of the Security Technical Implementation Guides (STIG)

If the industry has already published the relevant rules, they can be placed in /etc/audit/rules.d/audit.rules; otherwise, Linux security experts need to evaluate the requirements and provide the audit rules.

The following configuration enables basic audit:

## user, group, password databases
-w /etc/group -p wa -k CFG_group
-w /etc/passwd -p wa -k CFG_passwd
-w /etc/gshadow -k CFG_gshadow
-w /etc/shadow -k CFG_shadow
-w /etc/security/opasswd -k CFG_opasswd

## login configuration and information
-w /etc/login.defs -p wa -k CFG_login.defs
-w /etc/securetty -p wa -k CFG_securetty
-w /var/run/faillock/ -p wa -k LOG_faillock
-w /var/log/lastlog -p wa -k LOG_lastlog
-w /var/log/tallylog -p wa -k LOG_tallylog
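A coverage check for a rules file like the one above, as an added example that is not part of the original article: it parses the -w watch rules and reports required files whose watch is missing, does not cover write and attribute changes, or has no search key. The REQUIRED list, the function names and the sample rules are assumptions constructed for illustration.

```python
import shlex

# Assumed checklist: the /etc files watched by the rule set above.
REQUIRED = ["/etc/group", "/etc/passwd", "/etc/gshadow", "/etc/shadow",
            "/etc/security/opasswd", "/etc/login.defs", "/etc/securetty"]

# Constructed sample rules file with deliberate gaps, not a production rule set.
SAMPLE_RULES = """\
## user, group, password databases
-w /etc/group -p wa -k CFG_group
-w /etc/passwd -p r -k CFG_passwd
-w /etc/gshadow -k CFG_gshadow
-w /etc/shadow -k CFG_shadow
-w /etc/security/opasswd -p wa
-w /etc/securetty-p wa -k CFG_securetty
-a always,exit -F arch=b64 -S adjtimex -k time-change
"""

def parse_watches(text):
    """Return ({path: (perms, key)}, [malformed line numbers]) for -w rules."""
    watches, malformed = {}, []
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line.startswith("-w "):
            continue  # comments, blanks, syscall (-a) and control rules
        tokens = shlex.split(line)
        if len(tokens) % 2:  # watch rules are flag/value pairs
            malformed.append(n)
            continue
        opts = dict(zip(tokens[::2], tokens[1::2]))
        # With no -p, a watch applies to all of r, w, x and a.
        watches[opts["-w"]] = (set(opts.get("-p", "rwxa")), opts.get("-k"))
    return watches, malformed

def coverage_gaps(text, required=REQUIRED):
    """Map each required path to the reason its watch is missing or weak."""
    watches, malformed = parse_watches(text)
    gaps = {}
    for path in required:
        perms, key = watches.get(path, (None, None))
        if perms is None:
            gaps[path] = "no watch rule"
        elif not {"w", "a"} <= perms:
            gaps[path] = "write/attribute changes not audited"
        elif key is None:
            gaps[path] = "no -k key"
    return gaps, malformed

if __name__ == "__main__":
    print(coverage_gaps(SAMPLE_RULES))
```

The securetty line in the sample is missing a space before -p, so it is reported as malformed and the file counts as unwatched; the gshadow and shadow rules pass because a watch without -p covers all four permission types.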

To write the audit log to syslog, edit

/etc/audisp/plugins.d/syslog.conf

and set active = yes
