Operation and Maintenance
Linux Operation and Maintenance
How to use the audit log of a CentOS system to detect unauthorized access to the system
How to use the audit log of a CentOS system to detect unauthorized access to the system
How to use the audit log of the CentOS system to monitor unauthorized access to the system
With the development of the Internet, network security issues have become increasingly prominent, and many system administrators have become increasingly concerned about system security. Pay attention to. As a commonly used open source operating system, CentOS's audit function can help system administrators monitor system security, especially for unauthorized access. This article will introduce how to use the audit log of the CentOS system to monitor unauthorized access to the system and provide code examples.
1. Turn on the audit log function
To use the audit log function of the CentOS system, you first need to ensure that the function is turned on. In the CentOS system, you can enable the audit log function by modifying the /etc/audit/auditd.conf file. You can use the following command to open the file:
sudo vi /etc/audit/auditd.conf
In the file, find the following two lines of code:
#local_events = yes #write_logs = yes
Remove the comment symbols # before these two lines of code , modify it to the following form:
local_events = yes write_logs = yes
Save and exit the file. Then restart the audit service through the following command:
sudo service auditd restart
2. Configure audit rules
After turning on the audit log function, you need to configure audit rules to monitor unauthorized access. Audit rules can be configured by modifying the /etc/audit/audit.rules file. You can use the following command to open the file:
sudo vi /etc/audit/audit.rules
In this file, you can add the following content as audit rules:
-a exit,always -F arch=b64 -S execve -a exit,always -F arch=b32 -S execve
These two lines of rules will monitor all execution operations. If you only want to monitor a specific execution operation, you can use the following command:
-a exit,always -F arch=b64 -S specific_execve_syscall
where specific_execve_syscall is the system call name of the specific execution operation. This name can be modified according to specific needs. After adding the rules, save and exit the file.
3. View the audit log
When the system receives unauthorized access, the relevant information will be recorded in the audit log. You can use the following command to view the audit log:
sudo ausearch -ui 1000
where 1000 is the user ID, which can be modified according to the specific situation. You can use this command to view the audit log of a specific user. You can also use the following command to view all audit logs:
sudo ausearch
The above command will display all audit logs.
4. Enhance the audit log function
In order to better monitor unauthorized access, the audit log function can be further enhanced. You can configure more audit rules by modifying the /etc/audit/audit.rules file. The following are some commonly used audit rules:
- Monitoring login and logout events:
-w /var/run/utmp -p wa -k session -w /var/log/wtmp -p wa -k session -w /var/log/btmp -p wa -k session
- Monitoring file and directory change events:
-w /etc/passwd -p wa -k identity_changes -w /etc/shadow -p wa -k identity_changes -w /etc/group -p wa -k identity_changes -w /etc/gshadow -p wa -k identity_changes -w /etc/sudoers -p wa -k identity_changes -w /etc/securetty -p wa -k identity_changes -w /var/log/messages -p wa -k logfiles
- Monitor reading events of sensitive files:
-w /etc/passwd -p rwa -k sensitive_files -w /etc/shadow -p rwa -k sensitive_files -w /etc/group -p rwa -k sensitive_files -w /etc/gshadow -p rwa -k sensitive_files -w /etc/sudoers -p rwa -k sensitive_files -w /etc/securetty -p rwa -k sensitive_files
4. Summary
This article introduces how to use the audit log of the CentOS system to monitor unauthorized access to the system , and provides relevant code examples. By enabling the audit log function, configuring audit rules, and viewing audit logs, you can better monitor system security and prevent unauthorized access events. At the same time, by enhancing the audit log function, the security of the system can be further improved. System administrators can choose audit rules suitable for their own systems based on specific needs, and check audit logs regularly to detect and handle unauthorized access events in a timely manner to protect system security.
The above is the detailed content of How to use the audit log of a CentOS system to detect unauthorized access to the system. For more information, please follow other related articles on the PHP Chinese website!
Hot AI Tools
Undresser.AI Undress
AI-powered app for creating realistic nude photos
AI Clothes Remover
Online AI tool for removing clothes from photos.
Undress AI Tool
Undress images for free
Clothoff.io
AI clothes remover
AI Hentai Generator
Generate AI Hentai for free.
Hot Article
Hot Tools
Notepad++7.3.1
Easy-to-use and free code editor
SublimeText3 Chinese version
Chinese version, very easy to use
Zend Studio 13.0.1
Powerful PHP integrated development environment
Dreamweaver CS6
Visual web development tools
SublimeText3 Mac version
God-level code editing software (SublimeText3)
Hot Topics
1379
52
How to perform log management and auditing on Linux systems
Nov 07, 2023 am 10:30 AM
Overview of how to perform log management and auditing in Linux systems: In Linux systems, log management and auditing are very important. Through correct log management and auditing strategies, the operation of the system can be monitored in real time, problems can be discovered in a timely manner and corresponding measures can be taken. This article will introduce how to perform log management and auditing on Linux systems, and provide some specific code examples for reference. 1. Log management 1.1 Location and naming rules of log files In Linux systems, log files are usually located in the /var/log directory.
How to use the audit log of a CentOS system to detect unauthorized access to the system
Jul 05, 2023 pm 02:30 PM
How to use the audit log of the CentOS system to monitor unauthorized access to the system. With the development of the Internet, network security issues have become increasingly prominent, and many system administrators have paid more and more attention to the security of the system. As a commonly used open source operating system, CentOS's audit function can help system administrators monitor system security, especially for unauthorized access. This article will introduce how to use the audit log of the CentOS system to monitor unauthorized access to the system and provide code examples. 1. Start the audit day
CentOS 6.6 system installation and configuration full illustrated tutorial
Jan 12, 2024 pm 04:27 PM
The server-related settings are as follows: Operating system: CentOS6.6 64-bit IP address: 192.168.21.129 Gateway: 192.168.21.2 DNS: 8.8.8.88.8.4.4 Remarks: CentOS6.6 system image has two versions, 32-bit and 64-bit, and There is also a minimal version of the production server that is specially optimized for servers. If the production server has large memory (4G) 1. The computer memory on which CentOS6.6 system is installed must be equal to or greater than 628M (minimum memory 628M) before the graphical installation mode can be enabled; 2. CentOS6.6 The system installation methods are divided into: graphical installation mode and text installation mode.
How to set up your CentOS system to regularly update security patches
Jul 05, 2023 pm 04:17 PM
How to set up CentOS systems to regularly update security patches As network security risks continue to increase, regularly updating security patches for the operating system is crucial to protecting the security of servers and terminal devices. This article will introduce how to set up automatic and regular security patch updates on CentOS systems and provide corresponding code examples. Using the yum-cron tool CentOS system provides a tool called yum-cron, which can help us automatically update system software packages and security patches. Use the following command to install
How to protect CentOS servers from unauthorized access using an intrusion detection system (IDS)
Jul 05, 2023 am 11:37 AM
How to Protect CentOS Server from Unauthorized Access Using Intrusion Detection System (IDS) Introduction: As a server administrator, protecting the server from unauthorized access is a very important task. The Intrusion Detection System (IDS for short) can help us achieve this goal. This article will introduce how to install and configure Snort, a commonly used IDS tool, on a CentOS server to protect the server from unauthorized access. 1. An
How to use the logging function of CentOS system to analyze security events
Jul 05, 2023 pm 09:37 PM
How to use the logging function of CentOS system to analyze security events Introduction: In today's network environment, security events and attack behaviors are increasing day by day. In order to protect the security of the system, it becomes crucial to detect and respond to security threats in a timely manner. The CentOS system provides powerful logging functions that can help us analyze and monitor security events in the system. This article will introduce how to use the logging function of the CentOS system to analyze security events and provide relevant code examples. 1. Configuration log recording in CentOS system
How to identify and deal with security vulnerabilities in CentOS systems
Jul 05, 2023 pm 09:00 PM
How to identify and deal with security vulnerabilities in CentOS systems In the Internet era, security vulnerabilities are crucial to the protection of systems and data. As a popular Linux distribution, CentOS is also different from other operating systems in that it requires users to identify and repair security vulnerabilities in a timely manner. This article will introduce readers to how to identify and deal with security vulnerabilities in CentOS systems, and provide some code examples for vulnerability repair. 1. Vulnerability Identification Using Vulnerability Scanning Tools Vulnerability scanning tools are a common method for identifying security vulnerabilities existing in the system.
How to deal with the file system file log and audit log issues of concurrent files in Go language?
Oct 09, 2023 pm 11:57 PM
How to deal with the file system file log and audit log issues of concurrent files in Go language? In the Go language, dealing with file system file logs and audit log issues for concurrent files is a common requirement. The Go language provides a variety of mechanisms to handle concurrent file operations, such as lock mechanisms, pipes, coroutines, etc. This article will introduce how to handle file system file log and audit log issues in Go language, and provide specific code examples. First, we need to understand how to create and write files. In Go language, you can use the os package to make files
