Linux操作审计

发表于 | 分类于

linux 增加审计功能

方法1 重新编译bash

Build Rpm

1
已经验证支持, centos6,7 .

Create Build User

1
useradd rpmbuilder

Set Topdir And Directory

1
2
3
4
5
6
7
su -  rpmbuilder

cat > .rpmmacros << 'EOF'
%_topdir   /home/rpmbuilder/rpmbuild
EOF

mkdir -p  ~/rpmbuild/{BUILD,RPMS,SOURCES,SPECS,SRPMS}

Builder Bash Rpm

Down Source File

1
2
cd  ~/rpmbuild/SOURCES
wget https://ftp.gnu.org/gnu/bash/bash-4.3.30.tar.gz

Change Source File

1 修改源码包(增加记录功能)

cd /usr/local/src/bash-4.3.30
vim bashhist.c

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
#########change##############
#if defined (SYSLOG_HISTORY)
#define SYSLOG_MAXLEN 600

void
bash_syslog_history (line)
     const char *line;
{
  char trunc[SYSLOG_MAXLEN];

  if (strlen(line) < SYSLOG_MAXLEN)
    syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY: PID=%d UID=%d %s", getpid(), current_user.uid, line);
  else
    {
      strncpy (trunc, line, SYSLOG_MAXLEN);
      trunc[SYSLOG_MAXLEN - 1] = '\0';
      syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY (TRUNCATED): PID=%d UID=%d %s", getpid(), current_user.uid, trunc);
    }
}
#endif

########## to  ###########
#if defined (SYSLOG_HISTORY)
#define SYSLOG_MAXLEN 600

void
bash_syslog_history (line)
     const char *line;
{
  char trunc[SYSLOG_MAXLEN];

  if (strlen(line) < SYSLOG_MAXLEN)
      syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY: PPID=%d PID=%d SID=%d UID=%d User=%s CMD=%s", getppid(), getpid(), getsid(getpid()), current_user.uid, current_user.user_name, line);
  else
    {
      strncpy (trunc, line, SYSLOG_MAXLEN);
      trunc[SYSLOG_MAXLEN - 1] = '\0';
      syslog (SYSLOG_FACILITY|SYSLOG_LEVEL, "HISTORY (TRUNCATED): PPID=%d PID=%d SID=%d UID=%d User=%s %s", getppid(), getpid(), getsid(getpid()), current_user.uid, current_user.user_name, trunc);
    }
}
#endif

vim config-top.h

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
#######  change #########

/* Define if you want each line saved to the history list in bashhist.c:
   bash_add_history() to be sent to syslog(). */
/* #define SYSLOG_HISTORY */
#if defined (SYSLOG_HISTORY)
#  define SYSLOG_FACILITY LOG_USER
#  defin

#######  to #############
/* Define if you want each line saved to the history list in bashhist.c:
   bash_add_history() to be sent to syslog(). */
#define SYSLOG_HISTORY 
#if defined (SYSLOG_HISTORY)
#  define SYSLOG_FACILITY LOG_USER
#  defin

2 重新压缩成 tar 包

1
2
3
cd /home/rpmbuilder/rpmbuild/SOURCES
rm -rf bash-4.3.30.tar.gz
tar -zcvf bash-4.3.30.tar.gz bash-4.3.30

Create Spec File

rpmbuild命令根据spec文件来制作合适的rpm包,spec文件一般包括以下几个处理阶段

Introduction Section
Prep Section
Build Section
Install Section
Clean Section

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
Name:           bash
Version:        4.3.30
Release:        4%{?dist}
Summary:        bash with recod command

Group:          System Environment/Base
License:        GPLv2
URL:            https://ftp.gnu.org/gnu/bash/bash-4.3.30.tar.gz
Source0:        %{name}-%{version}.tar.gz
BuildRoot:      %_topdir/BUILDROOT 

BuildRequires:  gcc,make
#Requires:       

%description
编译 bash 带记录 user command 

%prep
%setup -q


%build
./configure

make %{?_smp_mflags}


%install
rm -rf %{buildroot}
make install DESTDIR=%{buildroot}

%pre 

%post 
   %{__mv} /bin/bash /bin/bashbak 2> /dev/null 
   %{__cp} -f /usr/local/bin/bash /bin/bash 2> /dev/null 

%preun 
    %{__rm}  /bin/bash 2> /dev/null
    %{__mv} /bin/bashbak /bin/bash 2> /dev/null

%postun

%clean
rm -rf %{buildroot}


%files
%defattr(-,root,root,-)
/usr/local/



%changelog
*  Fri Dec 30 2015 Junun  <470499989@qq.com> - 4.3.30-4
-  change 
*  Fri Dec 29 2015 Junun  <470499989@qq.com> - 4.3.30-3
-  add  ln  bash
*  Fri Dec 29 2015 Junun  <470499989@qq.com> - 4.3.30-2
- change not install 
*  Fri Dec 29 2015 Junun  <470499989@qq.com> - 4.3.30-1 
- Initial version

Build RPM

1
rpmbuild -ba  SPECS/bash.spec
1
rpm -ivh bash-4.3.30-4.el7.centos.x86_64.rpm

Bash 操作收集和分析

1
通过日志收集客户端把 bash 执行命令放到日志系统, 如 splunk 或者 ELK, 分析和告警等其他操作.

方法2 定义bash脚本

1
2
3
4
5
6
7
8
9
10
11
12
13
# vim /etc/profile.d/bash.sh
export HISTTIMEFORMAT="[`whoami`] [`who am i 2>/dev/null | awk '{print $NF}'|sed -e 's/[()]//g'`] "
export PROMPT_COMMAND='\
if [ -z "$OLD_PWD" ];then
        export OLD_PWD=$PWD;
fi;
if [ ! -z "$LAST_CMD" ] && [ "$(history 1)" != "$LAST_CMD" ]; then
        logger -t shell_cmd "[$OLD_PWD]$(history 1)";
fi;
export LAST_CMD="$(history 1)";
export OLD_PWD=$PWD;'

# source /etc/profile.d/bash.sh