SLTechnology News & Howtos > Network Security. Updated 2025-01-15.
Shulou (Shulou.com), 06/01 report
At present, Linux servers are the main deployment scenario for bastion hosts ("fortress machines"). Because most bastion host vendors on the market started early, the technology for developing, building and deploying Linux bastion hosts is very mature. Support for the increasingly popular Windows Server 2012, however, is often a poor experience with those same early vendors. This article covers the important command audit function of the Linux bastion host; knowledge related to the Windows bastion host can be shared by other editors.
The command audit function of a Linux bastion host is divided into in-event and after-the-event auditing. After-the-event session video replay and command retrieval are similar across most bastion host products, so here we focus on sensitive command auditing. Blocking and intercepting sensitive commands is an important feature of security auditing: it effectively prevents team members from causing unnecessary loss to the company through illegal operations, sensitive operations or mistakes.
Taking the Xingyun Butler bastion host product as an example, implementing sensitive command auditing takes three steps:
Step one: define the command rules of the Linux bastion host.
First, click "Policy Edit". By default the list of command rules is empty; users add rules according to their business situation. When defining a sensitive command you also specify the matching rule and the corresponding response action. Whenever a command executed on a key device matches a rule, the command audit policy is triggered and handled according to the response action the user set.
1. The Xingyun Butler Linux bastion host currently supports the following three command matching methods:
[exact match]: matches every operation that invokes the given command, in all forms of execution. For example, if the command rule is yum with exact matching, then user input of yum, yum install, yum remove and other related commands will all be matched.
[regular expression]: fuzzy matching with regular expressions, suitable for matching particular parameters of a command. If you only need to match yum install and uninstall operations and the command rule is yum (install|remove), then user input of yum search will not be matched, but yum install and yum remove will.
[wildcard]: fuzzy matching with wildcard characters. The usage scenario is similar to regular expressions, but the syntax differs slightly; to match yum install and uninstall operations the command rule is yum {install,remove}.
2. The Xingyun Butler Linux bastion host currently supports the following four response actions:
[command reminder]: for ordinary sensitive commands that the team manager wants members to execute carefully but which are time-sensitive, set "command reminder". During execution the member must confirm the command before it runs.
[command review]: sensitive commands that the team manager considers to carry some risk can be set to "command review". When such a command is executed it is temporarily blocked and only runs after the command has been reviewed and approved.
[command blocking]: sensitive commands that the team manager considers risky and does not want members to execute are blocked outright and are never allowed to run.
[interrupt session]: for malicious commands that the team manager considers highly dangerous, "interrupt session" is recommended.
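To make the three matching methods and the ordering of the four response actions concrete, here is an added Python example that is not part of the article or of the Xingyun Butler product. It evaluates a constructed policy against sample commands; how the brace-style wildcard is translated into a regular expression, the handling of `*` and `?`, and the `systemctl` rule are assumptions of this example, not documented product behaviour.

```python
import re
from dataclasses import dataclass

# Response actions from the article, ordered from least to most severe.
ACTIONS = ("remind", "review", "block", "interrupt_session")

@dataclass(frozen=True)
class Rule:
    pattern: str  # the command rule as entered by the administrator
    mode: str     # "exact" | "regex" | "wildcard"
    action: str   # one of ACTIONS

def wildcard_to_regex(pattern: str) -> str:
    """Brace-style wildcard ('yum {install,remove}') to regex; '*'/'?' support is assumed."""
    out, i = [], 0
    while i < len(pattern):
        c = pattern[i]
        if c == "{":  # {a,b} -> (?:a|b)
            j = pattern.index("}", i)
            alts = [re.escape(a.strip()) for a in pattern[i + 1:j].split(",")]
            out.append("(?:" + "|".join(alts) + ")")
            i = j + 1
            continue
        out.append({"*": ".*", "?": "."}.get(c, re.escape(c)))
        i += 1
    return "".join(out)

def matches(rule: Rule, command: str) -> bool:
    cmd = " ".join(command.split())  # collapse repeated whitespace before matching
    if rule.mode == "exact":
        # exact match fires on every invocation of the program: yum, yum install, ...
        return cmd.split(" ")[0] == rule.pattern
    if rule.mode == "regex":
        return re.search(rule.pattern, cmd) is not None
    if rule.mode == "wildcard":
        return re.search(wildcard_to_regex(rule.pattern), cmd) is not None
    raise ValueError(f"unknown match mode {rule.mode!r}")

def evaluate(rules, command: str):
    """Most severe response action among all matching rules, or None if nothing matched."""
    hits = [r.action for r in rules if matches(r, command)]
    return max(hits, key=ACTIONS.index) if hits else None

# Constructed sample policy: the article's yum examples plus one wildcard rule of our own.
POLICY = [
    Rule("yum", "exact", "remind"),                        # yum, yum install, yum remove ...
    Rule(r"yum (install|remove)", "regex", "review"),      # not yum search
    Rule("systemctl {stop,disable} *", "wildcard", "block"),
]
```

When several rules match one command, the most severe action wins, so `yum install nginx` is sent for review even though the exact-match rule alone would only remind.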
Step two: review sensitive commands on the Linux bastion host
When team members trigger the five types of actions in the command audit response of the Linux bastion host, members holding the audit role receive audit messages in two ways:
1. On-site audit message: members with the audit role receive the message on the site; click it to view and enter "Security Audit / Sensitive Command Review". All sensitive command requests currently awaiting approval are listed in the "to be approved" tab; choose to approve execution or refuse execution according to the actual situation. To query the approval history, switch to the "completed" tab.
2. WeChat audit message: if the audit role member's account is bound to WeChat, their WeChat receives the command approval information, and they can tap it to go directly to the approval operation.
Note that the command approval role in a team may have multiple members. Each member receives the approval message; approvals are processed in chronological order and a request can only be approved once, after which other members can no longer act on it.
Step three: how to bypass the command blacklist interception of the Linux bastion host
Once the Linux bastion host command blacklist is set, all team members (including team owners and team administrators) are subject to the corresponding response action when a command they execute is identified as sensitive. In some special scenarios, however, you may need to give individual members higher privileges so that they are not affected by the command blacklist during operation; you can grant them permission to temporarily disable the command approval rules. Because this exemption removes the control entirely for that session, it should be granted sparingly.
1. Go to "Team / Rights Management / Role Management", create a dedicated role for such members, for example "disable command approval role", and add the corresponding members to it.
2. Go to "Team / Rights Management / Function Authorization", find "Security Audit / disable command approval rules", and add the role created in the previous step to this function's permission.
3. When a member of this role opens a session, "command approval" appears in the session details. As long as the current host is a key device with the command blacklist and whitelist enabled, command approval can be switched off, and commands executed in the current session are then no longer affected by the operations and maintenance policy.