本文討論如何將呼叫系統指令的禁止程序列入白名單。將禁止的進程列入白名單有助於防止未經授權存取敏感系統命令,從而減少安全漏洞和資料外洩。本文提供了
白名單禁止呼叫系統指令的進程
如何將禁止呼叫系統指令的進程列入白名單?
要將禁止呼叫系統命令的進程列入白名單,可以使用 auditd 工具建立允許特定進程執行某些命令的規則。具體操作方法如下:<code>auditd
tool to create a rule that allows specific processes to execute certain commands. Here's how you can do it:
/etc/audit/rules.d/whitelist.rules
with the following content:<code>-w /usr/bin/command -p x -c never</code>
In this rule, /usr/bin/command
is the command that you want to whitelist, -p x
specifies that the rule applies to processes with executable permission, and -c never
specifies that the rule should never be enforced. You can add multiple rules to the file, each on a separate line.
auditd
system by running the following command:<code>sudo auditctl -R /etc/audit/rules.d/whitelist.rules</code>
auditd
: To ensure that the rules are applied immediately, restart auditd
by running:<code>sudo systemctl restart auditd</code>
What are the benefits of whitelisting forbidden processes?
Whitelisting forbidden processes can help prevent unauthorized access to sensitive system commands. By restricting the ability of certain processes to execute specific commands, you can reduce the risk of security breaches and data leaks.
What are some examples of forbidden processes?
Forbidden processes are typically processes that are not essential for the operation of the system and that could be used to compromise the system if they were allowed to execute certain commands. Examples of forbidden processes include:
How can I audit forbidden processes?
You can audit forbidden processes by using the auditctl
tool. To do this, run the following command:
<code>sudo auditctl -w /usr/bin/command -p x -c id</code>
This command will create an audit rule that logs all attempts by processes with executable permission to execute the /usr/bin/command
/etc/audit/rules.d/whitelist.rules
的文件,其中包含以下內容:<code>sudo cat /var/log/audit/audit.log | grep /usr/bin/command</code>
/usr/bin/command
是您要加入白名單的命令,-p x
指定該規則適用於具有可執行權限的進程,並且-c never
指定永遠不應該強制執行該規則。您可以為文件新增多個規則,每個規則在單獨的行上。 🎜auditd
系統中下列指令:auditd
:🎜 若要確保立即套用規則,請重新啟動auditd
透過執行:auditctl
工具審核禁止的進程。為此,請執行以下命令:🎜rrreee🎜此命令將建立一個審核規則,記錄具有可執行權限的進程執行 /usr/bin/command
命令的所有嘗試。您可以透過執行以下命令來查看審核日誌:🎜rrreee以上是白名單禁止進程呼叫系統指令的詳細內容。更多資訊請關注PHP中文網其他相關文章!