
Who is touching my server?

2025-04-02 Update From: SLTechnology News&Howtos


Shulou (Shulou.com) 06/03 Report

Security: how to trace an incident back to its source

Some say that what security is, how to do it, and how to do it well is a never-ending topic.

Here are the methods we use in our own work:

1. All operations must be standardized and controllable.

2. An assessment mechanism.

3. Technical measures that raise the bar for an attacker.

4. Active defense.

5. Detection technology.

6. An alert response mechanism.

7. Investigation of the cause of every alert.

Let's talk about how to achieve it:

Schematic diagram

How to monitor malicious behavior

If you want to do good work, you must first sharpen your tools.

Windows server: how to monitor the server by configuring the Advanced Audit Policy. Bear with me while I go through the configuration step by step.

An example follows (which logs to collect depends on the production environment; the list below is only an example).

Account Logon (events in this category document attempts to authenticate account data, either on a domain controller or in the local Security Accounts Manager (SAM). Unlike Logon/Logoff events, which track attempts to access a particular computer, events in this category report on the account database that is being used.)

Credential Validation: audit events generated by validation tests on user account logon credentials. Setting: Success and Failure.

Kerberos Authentication Service: audit events generated by Kerberos authentication ticket-granting ticket (TGT) requests. Setting: Success and Failure.

Kerberos Service Ticket Operations: audit events generated by Kerberos service ticket requests. Setting: Success and Failure.

Other Account Logon Events: audit events generated by responses to credential requests submitted for a user account logon that are neither credential validation nor Kerberos tickets. Setting: Success and Failure.

Account Management (use the settings in this category to monitor changes to user and computer accounts and to groups.)

User Account Management: audit changes to user accounts. Setting: Success and Failure.

Computer Account Management: audit events generated by changes to computer accounts, such as when a computer account is created, changed, or deleted. Setting: Success and Failure.

Security Group Management: audit events generated by changes to security groups. Setting: Success and Failure.

Distribution Group Management: audit events generated by changes to distribution groups. Note: events in this subcategory are logged only on domain controllers. Setting: Success and Failure.

Application Group Management: audit events generated by changes to application groups. Setting: Success and Failure.

Other Account Management Events: audit events generated by changes to user accounts that are not covered by the other subcategories in this category. Setting: Success and Failure.

The events are written to the local event log. Forwarding them to the remote log server is shown in the diagram: the logs are shipped to the designated log server with evtsys.exe.

Linux server: enabling an audit policy

1.1 Command timestamp recording

Add the following line to /etc/bashrc so that every entry in the shell history carries the date and time it was run:

    export HISTTIMEFORMAT="%F %T "

2.1 Audit policy configuration

/etc/audit/audit.rules

Monitor the login behaviour of all users, including every command executed by users and by shell scripts, by auditing each execve call (on both the 64-bit and the 32-bit syscall ABI) and tagging the records with the key "exec":

    -a exit,always -F arch=b64 -S execve -k exec
    -a exit,always -F arch=b32 -S execve -k exec

2.2 Monitor key configuration files (extend the file list to match the actual application). Each rule watches one file for writes and attribute changes (-p wa) and tags the records with a key:

    -w /etc/crontab -p wa -k crontab
    -w /etc/hosts -p wa -k hosts
    -w /etc/hosts.allow -p wa -k hosts-allow
    -w /etc/hosts.deny -p wa -k hosts-deny
    -w /etc/fstab -p wa -k fstab
    -w /etc/passwd -p wa -k passwd
    -w /etc/shadow -p wa -k shadow
    -w /etc/group -p wa -k group

3.1 Audit log rotation

Audit log files are saved automatically in the /var/log/audit/ directory. The following settings (in /etc/audit/auditd.conf) keep 4 log files of 50 MB each:

    num_logs = 4        # number of files to keep
    max_log_file = 50   # size of each file (MB)

4.1 Add filtering rules for noise that does not need to be kept:

Create the file audit_filter.conf in the /etc/rsyslog.d/ directory with the following content. Each line is a property-based filter on the msg property: a message matching the extended regular expression is discarded (the ~ action), and the final rule forwards the remaining execve records over UDP to the log server on port 514 (@x.x.x.x:514). Rules are evaluated in order, so the discard rules must come before the forwarding rule. Note that the patterns are unanchored substrings: "bin/ls" also drops /usr/bin/ls, while the trailing quote keeps "ls" from matching lsof.

    :msg, ereregex, "(bin|sbin|sa)\/(ping|top|mpstat|iostat|iotop|vmstat|sar|sadc|sh)\"" ~
    :msg, ereregex, "(sbin|udev)\/(fstab_import|udisks-part-id|path_id|edd_id|scsi_id)\"" ~
    :msg, ereregex, "(bin|sbin)\/(tr|sort|wc|cut|awk|gawk|grep|fgrep|egrep|sed|head|tail|tailf)\"" ~
    :msg, ereregex, "(bin|sbin)\/(sleep|ls|expr|nohup|date|cat|du|dirname|tar|gzip|df|sg_persist|ip)\"" ~
    :msg, ereregex, "(bin|sbin)\/(basename|hostname|readlink|bc|touch|dmesg)\"" ~
    :msg, ereregex, "(bin|sbin)\/(consoletype|blkid|lsblk)\"" ~
    :msg, ereregex, "\"(ping|top|mpstat|iostat|iotop|vmstat|sar|sadc|sh)\"" ~
    :msg, ereregex, "\"(fstab_import|udisks-part-id|path_id|edd_id|scsi_id)\"" ~
    :msg, ereregex, "\"(tr|sort|wc|cut|awk|gawk|grep|fgrep|egrep|sed|head|tail|tailf)\"" ~
    :msg, ereregex, "\"(sleep|ls|expr|nohup|date|cat|du|dirname|tar|gzip|df|sg_persist|ip)\"" ~
    :msg, ereregex, "\"(basename|hostname|readlink|bc|touch|dmesg)\"" ~
    :msg, ereregex, "\"(consoletype|blkid|lsblk)\"" ~
    :msg, ereregex, "(type=PATH)" ~
    :msg, ereregex, "(key=\"exec\"|type=EXECVE)" @x.x.x.x:514
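To check what the filter file above actually keeps before deploying it, here is an added example (not code from the page's author) that re-implements the same rules in Python and routes a few constructed audit messages through them in file order; the sample lines are constructed, and the log server address is the page's x.x.x.x placeholder.

```python
import re

# The page's rsyslog property filters, in file order. A "~" action discards the
# message and stops processing; the last rule forwards to "@x.x.x.x:514".
DISCARD_PATTERNS = [
    r'(bin|sbin|sa)/(ping|top|mpstat|iostat|iotop|vmstat|sar|sadc|sh)"',
    r'(sbin|udev)/(fstab_import|udisks-part-id|path_id|edd_id|scsi_id)"',
    r'(bin|sbin)/(tr|sort|wc|cut|awk|gawk|grep|fgrep|egrep|sed|head|tail|tailf)"',
    r'(bin|sbin)/(sleep|ls|expr|nohup|date|cat|du|dirname|tar|gzip|df|sg_persist|ip)"',
    r'(bin|sbin)/(basename|hostname|readlink|bc|touch|dmesg)"',
    r'(bin|sbin)/(consoletype|blkid|lsblk)"',
    r'"(ping|top|mpstat|iostat|iotop|vmstat|sar|sadc|sh)"',
    r'"(fstab_import|udisks-part-id|path_id|edd_id|scsi_id)"',
    r'"(tr|sort|wc|cut|awk|gawk|grep|fgrep|egrep|sed|head|tail|tailf)"',
    r'"(sleep|ls|expr|nohup|date|cat|du|dirname|tar|gzip|df|sg_persist|ip)"',
    r'"(basename|hostname|readlink|bc|touch|dmesg)"',
    r'"(consoletype|blkid|lsblk)"',
    r'type=PATH',
]
FORWARD_PATTERN = r'key="exec"|type=EXECVE'

def route(msg):
    """Return 'discard', 'forward' or 'local' for one auditd message."""
    for pattern in DISCARD_PATTERNS:
        if re.search(pattern, msg):
            return "discard"          # "~" action: dropped, no later rule sees it
    if re.search(FORWARD_PATTERN, msg):
        return "forward"              # sent to the central log server
    return "local"                    # no rule matched: stays with the default targets

# Constructed sample messages in the form the audispd syslog plugin emits.
SAMPLES = [
    'type=EXECVE msg=audit(1585670400.100:101): argc=2 a0="/usr/bin/ls" a1="-la"',
    'type=EXECVE msg=audit(1585670400.200:102): argc=3 a0="/usr/sbin/useradd" a1="-m" a2="backup"',
    'type=SYSCALL msg=audit(1585670400.200:102): arch=c000003e syscall=59 auid=1000 uid=0 exe="/usr/bin/bash" key="exec"',
    'type=PATH msg=audit(1585670400.200:102): item=0 name="/usr/sbin/useradd"',
    'type=EXECVE msg=audit(1585670400.300:103): argc=3 a0="/usr/bin/bash" a1="-c" a2="cat /etc/hosts"',
    'type=CWD msg=audit(1585670400.300:103): cwd="/root"',
]

def route_all(lines=SAMPLES):
    """Route every sample line; returns the list of actions in input order."""
    return [route(m) for m in lines]
```

The fifth sample shows the limit of the noise filters: a whole shell snippet quoted as one argument is not matched by the "cat" rule, so it is still forwarded, while anything under bin/ or sbin/ named in the lists is dropped wherever it is installed.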

Start the services (as root):

# service auditd start

# service rsyslog start

5.1 A script for batch deployment

    #!/bin/bash
    #
    # Description: Linux audit and syslog/rsyslog autoconfig script.
    #
    # Author: ldyhj
    # ver 1.
    #
    # Detects the RHEL/CentOS release, enables the audispd syslog plugin so that
    # audit events reach syslog, and points syslog/rsyslog at the central log server.
    OS_VERSION=""
    uname -r | grep el5 > /dev/null && OS_VERSION=el5
    uname -r | grep el6 > /dev/null && OS_VERSION=el6
    uname -r | grep el7 > /dev/null && OS_VERSION=el7
    if [ "$OS_VERSION" = "el7" -o "$OS_VERSION" = "el6" ]; then
        FILENAME=/etc/rsyslog.conf
        SERVER=rsyslog
    elif [ "$OS_VERSION" = "el5" ]; then
        FILENAME=/etc/syslog.conf
        SERVER=syslog
    fi

    # 1. Make sure "active = yes" appears exactly once in the audispd syslog plugin config.
    unset ret
    ret=`egrep "^active[[:space:]]*=" /etc/audisp/plugins.d/syslog.conf 2> /dev/null | wc -l`
    if [ "$ret" -eq 0 ]; then
        echo "active = yes" >> /etc/audisp/plugins.d/syslog.conf
        service auditd restart
    elif [ "$ret" -eq 1 ]; then
        ret1=`egrep "^active[[:space:]]*=" /etc/audisp/plugins.d/syslog.conf | awk -F= '{print $NF}' | awk '{gsub(/^ *| *$/, ""); print}'`
        if [ "$ret1" != "yes" ]; then
            sed -i 's/^\(active[[:space:]]*=\).*/\1 yes/g' /etc/audisp/plugins.d/syslog.conf
            service auditd restart
        fi
    elif [ "$ret" -gt 1 ]; then
        # several "active =" lines: comment them all out and append a single valid one
        sed -i 's/^\(active[[:space:]]*=.*\)/#\1/g' /etc/audisp/plugins.d/syslog.conf
        echo "active = yes" >> /etc/audisp/plugins.d/syslog.conf
        service auditd restart
    fi
    egrep "^active[[:space:]]*=" /etc/audisp/plugins.d/syslog.conf

    # 2. Make sure "*.* @x.x.x.x:514" (forward everything to the log server) appears exactly once.
    unset ret
    unset ret1
    ret=`egrep "^\*\.\*[[:space:]]*@" $FILENAME 2> /dev/null | wc -l`
    if [ "$ret" -eq 0 ]; then
        echo "*.* @x.x.x.x:514" >> $FILENAME
        service $SERVER restart
    elif [ "$ret" -eq 1 ]; then
        ret1=`egrep "^\*\.\*[[:space:]]*@" $FILENAME | awk -F@ '{print $2}' | awk '{gsub(/^ *| *$/, ""); print}'`
        if [ "$ret1" != "x.x.x.x:514" ]; then
            sed -i 's/^\(\*\.\*[[:space:]]*@\).*/\1x.x.x.x:514/g' $FILENAME
            service $SERVER restart
        fi
    elif [ "$ret" -gt 1 ]; then
        sed -i 's/^\(\*\.\*[[:space:]]*@.*\)/#\1/g' $FILENAME
        echo "*.* @x.x.x.x:514" >> $FILENAME
        service $SERVER restart
    fi

    # 3. Comment out any older "*.info @host" forwarding line so events are not sent twice.
    egrep "\*\.info[[:space:]]*@" $FILENAME > /dev/null
    if [ $? -eq 0 ]; then
        sed -i 's/^\(\*\.info[[:space:]]*@.*\)/#\1/g' $FILENAME
        service $SERVER restart
    fi
    egrep "^\*\.\*[[:space:]]*@" $FILENAME

6.1 Linux rsyslog server configuration

/etc/rsyslog.conf

Template definitions (each field is separated by a space so the lines can be split by awk or Python later):

    $template pipeformat,"%TIMESTAMP% %fromhost-ip% %syslogtag%%msg:::drop-last-lf%\n"
    $template evtsysformat,"%TIMESTAMP% %fromhost-ip% %pri-text% %FROMHOST% %fromhost-ip% %syslogtag%%msg:::drop-last-lf%\n"
    $template runcmdformat,"%TIMESTAMP% %HOSTNAME% %fromhost-ip% %msg:::drop-last-lf%\n"

Choose the storage location, and the template, for each group of clients according to need. The example below writes every message from the listed client IPs (placeholders) to the named pipe /var/tmp/log; a template is applied to an action by appending ;templatename, for example |/var/tmp/log;pipeformat:

    if $fromhost-ip == '<client IP 1>' or $fromhost-ip == '<client IP 2>' or $fromhost-ip == '<client IP 3>' or $fromhost-ip == '<client IP 4>' then |/var/tmp/log

After the configuration is complete, check the syntax with rsyslogd -N1, then restart the service.

Once the data is flowing, work out what kind of alerting you want.

At present I use a TV screen display, plus an event risk level that triggers SMS alerts. Because a fixed rsyslog template is used, awk or Python can pull the fields you want out of each line as parameters, so who operated which server and what they did is clear at a glance.
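As an added example of that field extraction (my code, not the author's), the following parses audit records written by the pipeformat template above and joins the SYSCALL record (who: auid and uid) with the EXECVE record (what: argv) that share one audit event serial; the sample lines are constructed and the risk mapping is an assumption, since the page only says alerts are keyed on a risk level.

```python
import re
from collections import defaultdict

# Lines look like: "<TIMESTAMP> <fromhost-ip> <syslogtag> type=... msg=audit(<time>:<serial>): ..."
LINE_RE = re.compile(r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<ip>\S+) (?P<tag>\S+) (?P<msg>.*)$')
EVENT_RE = re.compile(r'type=(?P<type>\w+) msg=audit\([\d.]+:(?P<serial>\d+)\): (?P<body>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
HIGH_RISK = {"useradd", "usermod", "userdel", "passwd", "visudo", "chattr"}  # assumed mapping

def parse_fields(body):
    return {k: v.strip('"') for k, v in FIELD_RE.findall(body)}

def correlate(lines):
    """Group SYSCALL and EXECVE records by (sender ip, audit serial)."""
    events = defaultdict(dict)
    for line in lines:
        m = LINE_RE.match(line)
        e = EVENT_RE.match(m.group("msg")) if m else None
        if not e:
            continue                                   # not a templated audit record
        rec = events[(m.group("ip"), e.group("serial"))]
        f = parse_fields(e.group("body"))
        if e.group("type") == "SYSCALL":
            # auid is the login uid: it survives su/sudo, so it names the real operator
            rec.update(host=m.group("ip"), auid=f.get("auid"), uid=f.get("uid"))
        elif e.group("type") == "EXECVE":
            rec["argv"] = [f["a%d" % i] for i in range(int(f.get("argc", 0)))]
    return events

def report(lines):
    """One (auid, uid, host, command, risk) tuple per execve event that has both halves."""
    out = []
    for key, rec in sorted(correlate(lines).items(), key=lambda kv: int(kv[0][1])):
        if not rec.get("argv") or "auid" not in rec:
            continue                                   # half an event: wait for the rest
        prog = rec["argv"][0].rsplit("/", 1)[-1]
        risk = "HIGH" if prog in HIGH_RISK else "INFO"
        out.append((rec["auid"], rec["uid"], rec["host"], " ".join(rec["argv"]), risk))
    return out

# Constructed sample input, as written by the pipeformat template on the log server.
SAMPLE = [
    'Apr  2 10:00:01 192.0.2.10 audispd: type=SYSCALL msg=audit(1585670400.200:102): arch=c000003e syscall=59 success=yes uid=0 auid=1000 comm="useradd" exe="/usr/sbin/useradd" key="exec"',
    'Apr  2 10:00:01 192.0.2.10 audispd: type=EXECVE msg=audit(1585670400.200:102): argc=3 a0="/usr/sbin/useradd" a1="-m" a2="backup"',
    'Apr  2 10:00:05 192.0.2.10 audispd: type=SYSCALL msg=audit(1585670400.205:103): arch=c000003e syscall=59 success=yes uid=1000 auid=1000 comm="id" exe="/usr/bin/id" key="exec"',
    'Apr  2 10:00:05 192.0.2.10 audispd: type=EXECVE msg=audit(1585670400.205:103): argc=1 a0="/usr/bin/id"',
    'Apr  2 10:00:07 192.0.2.10 audispd: type=EXECVE msg=audit(1585670400.207:104): argc=1 a0="/usr/bin/w"',
]
```

The first record shows why both halves are needed: uid=0 says the command ran as root, but auid=1000 names the login that became root, which is the "who" an alert should carry.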

Attachment: the documents and software referred to in this article.

Attachment: http://down.51cto.com/data/2366760
