
How to set up system security auditing on Linux

王林 (Original)
2023-07-07 16:47:17


In today's digital era, network security has become a major challenge we face. To protect our systems and data from unauthorized access and malicious attacks, we need to implement a series of security measures. One of them is to turn on system security auditing. This article will introduce you to how to set up system security auditing on Linux, with relevant code examples.

First of all, we need to understand what system security auditing is. System security auditing is a method of monitoring and recording system activity in order to detect and analyze potential security risks and threats. It can record login and logout events, file and directory access, process activity and other system events. By analyzing this information, we can detect abnormal behavior in time and take appropriate measures.

On Linux, we can use the kernel's audit subsystem together with its userspace daemon (auditd) to implement system security auditing. First, make sure the auditd package is installed on your system. If it is not, you can install it with the following command (Debian/Ubuntu shown):

sudo apt-get install auditd

After the installation is complete, we need to configure auditd to start recording system activities. Open the /etc/audit/auditd.conf file and make sure the following settings are enabled:

# Record system boot
#
# When the auditd service starts, a boot record is written
#
# This record can be checked with the `ausearch -m SYSTEM_BOOT` command
#
# The default value is no
#
# Set it to yes to enable the record

AUDITD_ENABLED=yes

Next, we need to configure the audit rules to specify the types of system activity we wish to log. For example, the following rules will log login and logout events, file and directory access:

# Monitor login and logout events
# (this rule records every 64-bit execve syscall under the key login_logout;
#  add a matching -F arch=b32 rule on systems that also run 32-bit binaries)
-a always,exit -F arch=b64 -S execve -k login_logout

# Monitor writes (w) and attribute changes (a) to the account files
-w /etc/passwd -p wa -k file_access
-w /etc/shadow -p wa -k file_access
-w /etc/group -p wa -k file_access

Add the above rules to the /etc/audit/rules.d/audit.rules file so that they are loaded on every start of auditd. After saving the file, use the following command to reload the audit rules:

sudo auditctl -R /etc/audit/rules.d/audit.rules

In addition, we can also add, modify and delete runtime audit rules in real time through the auditctl command. For example, the following command will monitor a user's login and logout events:

sudo auditctl -a always,exit -F arch=b64 -S execve -k login_logout

To view logged system activity, we can use the ausearch command. For example, the following command will find records of all login and logout events:

ausearch -m USER_LOGIN,USER_LOGOUT

Finally, to make analysis and reporting of system activity easier, we can use the log search and reporting tools shipped with auditd (ausearch and aureport). These tools convert audit logs into a human-readable format and provide various filtering and statistical functions. For example, the following command will display the events recorded under the login_logout key in the last hour, with numeric fields interpreted into names:

sudo ausearch --start this-hour -k login_logout -i
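As an added example (not code from the original article), the following Python script parses the raw /var/log/audit/audit.log format that the rules above produce: it joins the SYSCALL and PATH records of one event by their serial number, reads the nested msg='...' block of USER_LOGIN records, and summarises hits per rule key, successful writes to the watched files and failed logins. The log lines are constructed samples, not a real capture.

```python
import re
from collections import Counter, defaultdict

# Constructed sample records in raw audit.log format (not a real capture)
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1688720000.123:501): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1234 auid=1000 uid=0 euid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="file_access"
type=PATH msg=audit(1688720000.123:501): item=0 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100640 ouid=0 ogid=42 nametype=NORMAL
type=SYSCALL msg=audit(1688720005.456:502): arch=c000003e syscall=59 success=yes exit=0 ppid=1234 pid=1300 auid=1000 uid=1000 comm="ls" exe="/usr/bin/ls" key="login_logout"
type=USER_LOGIN msg=audit(1688720010.789:503): pid=900 uid=0 auid=1001 ses=4 msg='op=login id=1001 exe="/usr/sbin/sshd" hostname=203.0.113.5 addr=203.0.113.5 terminal=/dev/pts/1 res=success'
type=USER_LOGIN msg=audit(1688720012.000:504): pid=901 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=203.0.113.9 terminal=ssh res=failed'
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')

def parse_record(line):  # one raw record -> (type, serial, {field: value})
    m = RECORD_RE.match(line)
    if not m:
        return None
    rtype, _, serial, body = m.groups()
    fields = {k: v.strip('"\'') for k, v in FIELD_RE.findall(body)}
    if 'msg' in fields:  # PAM/user records nest more pairs inside msg='...'
        fields.update({k: v.strip('"') for k, v in FIELD_RE.findall(fields.pop('msg'))})
    return rtype, serial, fields

def parse_log(text):  # join SYSCALL/PATH/... records of one event by serial
    events = defaultdict(lambda: {'types': set()})
    for line in text.splitlines():
        if rec := parse_record(line):
            rtype, serial, fields = rec
            events[serial]['types'].add(rtype)
            for k, v in fields.items():
                events[serial].setdefault(k, v)  # first record (SYSCALL) wins
    return events

def summarize(events):  # hits per key, writes to watched files, failed logins
    by_key, writes, failed = Counter(), [], []
    for ev in events.values():
        if 'key' in ev:
            by_key[ev['key']] += 1
        if ev.get('key') == 'file_access' and ev.get('success') == 'yes':
            writes.append((ev['auid'], ev['exe'], ev.get('name')))
        if 'USER_LOGIN' in ev['types'] and ev.get('res') == 'failed':
            failed.append((ev.get('acct'), ev.get('addr')))
    return by_key, writes, failed

if __name__ == '__main__':
    print(summarize(parse_log(SAMPLE_LOG)))
```

On a real host, read the file instead of SAMPLE_LOG (root is needed for /var/log/audit/audit.log); an auid of 4294967295 means the login UID was never set.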

Through the above steps, we can set up system security auditing on a Linux system and improve its security by monitoring and recording system activity. However, it is worth noting that system security auditing is only one security measure; it needs to be combined with other measures to establish a complete security protection system.

In summary, system security auditing is critical to protecting our systems and data from unauthorized access and malicious attacks. This article provides steps and code examples for setting up system security auditing on Linux. We hope it will be helpful to you.

