The Linux Audit Framework: All About the Auditd Command

A few days ago, back in February, we published a large special post with a collection of important commands (basic and intermediate) available in most free and open operating systems based on GNU/Linux. Some of them were very simple, for manipulating folders and files and displaying information about them, while others were more complex, with many configurable options and parameters.

But that collection covered only about 60 Linux commands. Given that an average GNU/Linux distribution ships hundreds of commands, it is time to look, little by little, at other equally or more important, advanced or specialized ones. One of these is the Linux Auditd command, or the "Linux Audit Framework", which we cover in today's post.

But before starting this interesting post about the Linux Auditd command, or "Linux Audit Framework", we recommend the previous publication, for reading afterwards:

Related article: Linux Commands: The Most Important Ones to Know Well in 2023

The Linux Audit Framework: a powerful audit environment for Linux

What is the Auditd command (Linux Audit Framework)?

Briefly, we can define the auditd command as a software tool (framework) for Linux auditing that provides a CAPP-compliant (Controlled Access Protection Profile) audit system. It is therefore able to reliably collect information about any security-relevant event (or any other event of interest) on a Linux operating system.

It is thus a good aid when monitoring the actions carried out on the OS. In this way, the auditd command, or the Linux Audit Framework (LAF), helps us keep our OS more secure by giving us the means to analyze what happens on it at a high level of detail.

However, as should be understood, it does not add protection by itself: it does not shield our OS from badly behaved code or from any kind of exploitation by malicious software or unusual attacks. It is useful for tracing potential problems so they can be analyzed and corrected, and for deciding which additional security measures to take to mitigate or even avoid them. Finally, auditd works by listening for the events reported by the kernel and writing them to a log file, so they can be analyzed later and reported to the user.

"User space tools for security auditing. The audit package contains the user space utilities for storing and searching the audit records generated by the audit subsystem in the Linux kernel, from version 2.6 onwards." (auditd package description, Debian)

How do you install and use the Auditd command?

Like most commands, it can be installed easily and in the usual way from the Terminal (CLI), using the default or preferred package manager of your GNU/Linux Distro.

For example, on Debian GNU/Linux and its derivatives it would be:

sudo apt install auditd

While on Fedora GNU/Linux and Red Hat, where the package is named audit, it would be one of the following:

sudo dnf install audit
sudo yum install audit

And for its basic, default use, it is only necessary to run the following commands:

  • Check the status of the service
sudo systemctl status auditd
  • Enable the background service
sudo systemctl enable auditd
  • View the currently loaded rules
sudo auditctl -l
  • Create watch rules (on a path) or control rules (on a system call); -p takes any combination of r, w, x and a (read, write, execute and attribute change)
sudo auditctl -w /path/to/file -p permissions -k keyword
sudo auditctl -a action,filter -S syscall -F field=value -k keyword
  • Manage all the created rules (rules added with auditctl are lost at reboot; on current versions, persistent rules go in /etc/audit/rules.d/*.rules, from which augenrules generates /etc/audit/audit.rules)
sudo vim /etc/audit/audit.rules
  • List all the events related to a given process by its PID, by an associated keyword, by a path or file, or by a system call
sudo ausearch -p PID
sudo ausearch -k keyword
sudo ausearch -f path
sudo ausearch -sc syscall
  • Generate audit reports (anomaly events, overall summary, file summary, login summary and failed events, respectively)
sudo aureport -n
sudo aureport --summary
sudo aureport -f --summary
sudo aureport -l --summary
sudo aureport --failed
  • Trace the execution of a process
sudo autrace /path/to/command
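The procedure above, as an added example that is not part of the original post or of the audit project's own code: a bash script that writes a persistent rule set in auditctl/augenrules syntax (the watched paths, keys and the auid threshold are illustrative choices) and, because loading rules needs root and a running auditd, exercises the search and report side offline against constructed audit.log records, re-implementing in awk the per-key summary, the failed-event count and the SYSCALL/PATH join that aureport and ausearch perform.

```bash
#!/usr/bin/env bash
# Added example, not from the original post: build a persistent rule set in
# auditctl/augenrules syntax and triage raw audit.log records offline.
# Paths, keys and the sample log lines below are illustrative/constructed.
set -euo pipefail

# write_rules FILE: emit a rule file suitable for /etc/audit/rules.d/.
# Watches cover identity files; the execve rule records commands run by
# real logged-in users (auid >= 1000 and not the "unset" value 4294967295).
write_rules() {
  cat >"$1" <<'EOF'
## Flush existing rules, size the kernel backlog, keep logging on overflow
-D
-b 8192
-f 1
## Writes and attribute changes to identity and privilege files
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
## Every execve() by a real user (both ABIs, or 32-bit calls go unlogged)
-a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295 -k exec_user
-a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=4294967295 -k exec_user
## Lock the configuration until reboot
-e 2
EOF
}

# write_sample_log FILE: constructed records in audit.log format. Event 103
# is a non-root read of /etc/shadow that failed with EACCES (exit=-13).
write_sample_log() {
  cat >"$1" <<'EOF'
type=SYSCALL msg=audit(1700000000.123:101): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="vim" exe="/usr/bin/vim" key="identity"
type=PATH msg=audit(1700000000.123:101): item=0 name="/etc/passwd" inode=1234 dev=08:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1700000001.456:102): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1300 pid=1301 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" key="exec_user"
type=EXECVE msg=audit(1700000001.456:102): argc=1 a0="id"
type=SYSCALL msg=audit(1700000002.789:103): arch=c000003e syscall=257 success=no exit=-13 items=1 ppid=1300 pid=1302 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="identity"
type=PATH msg=audit(1700000002.789:103): item=0 name="/etc/shadow" inode=1235 dev=08:01 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
EOF
}

# summarize_keys LOG: "count key" per rule key over SYSCALL records, the
# figure `aureport -k --summary` gives for the same log.
summarize_keys() {
  awk '$1 == "type=SYSCALL" && match($0, /key="[^"]*"/) {
         n[substr($0, RSTART + 5, RLENGTH - 6)]++ }
       END { for (k in n) print n[k], k }' "$1" | sort -k2
}

# count_failed LOG: SYSCALL records with success=no (what `aureport --failed` tallies).
count_failed() {
  grep -c 'type=SYSCALL.* success=no ' "$1" || true
}

# failed_access LOG: join each failed SYSCALL with its PATH record on the
# event id inside msg=audit(ts:id), as ausearch does, printing "auid exe path".
failed_access() {
  awk '
    function evid(s) { match(s, /msg=audit\([^)]*\)/); return substr(s, RSTART + 10, RLENGTH - 11) }
    function field(s, f,   v) {
      if (!match(s, " " f "=\"?[^\" ]*")) return ""
      v = substr(s, RSTART + length(f) + 2, RLENGTH - length(f) - 2); gsub(/"/, "", v); return v
    }
    NR == FNR { if ($1 == "type=PATH") path[evid($0)] = field($0, "name"); next }
    $1 == "type=SYSCALL" && field($0, "success") == "no" {
      print field($0, "auid"), field($0, "exe"), path[evid($0)]
    }' "$1" "$1"
}

# Stand-alone run: build both files in a scratch directory and triage the log.
# On a real host you would copy the rules to /etc/audit/rules.d/50-identity.rules
# and run `sudo augenrules --load` (or `sudo auditctl -R` on the file).
work=$(mktemp -d); trap 'rm -rf "$work"' EXIT
write_rules "$work/50-identity.rules"
write_sample_log "$work/audit.log"
echo "events per key:";                   summarize_keys "$work/audit.log"
echo "failed syscalls:";                  count_failed "$work/audit.log"
echo "failed accesses (auid exe path):";  failed_access "$work/audit.log"
```

The rule file is what you would drop into /etc/audit/rules.d/ and load with augenrules --load; with -e 2 at the end the kernel refuses further rule changes until reboot, so try a new rule set with auditctl -R on a test host first. The second execve rule is deliberate: a rule for arch=b64 alone lets a 32-bit binary call execve without being logged.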

However, to learn more about it, we recommend consulting the man pages of auditd, auditctl, audit.rules, ausearch and aureport.

Summary

In short, we hope this publication about the powerful audit environment built into GNU/Linux, known as the "Linux Audit Framework" and driven through the Linux Auditd command, lets many people audit (check and examine) all the activity of their free and open operating systems based on GNU/Linux, so that they can quickly spot and correct any abnormal, incorrect or dangerous configuration or activity.

Finally, don't forget to give your opinion on today's topic in the comments. And if you liked this post, don't stop sharing it with others. Also, remember to visit our homepage at «DesdeLinux» to explore more news, and to join our official DesdeLinux Telegram channel and its group for more information on today's topic.