Systems Audit
What is audit
- Based on pre-configured rules, audit generates log records for events that occur in the system
- Audit does not add extra security to the system by itself, but it detects and records security policy violations and the behaviour behind them
The audit log can record:
- Date and time of events, and their results
- User logout events
- Use of any authentication mechanism, such as ssh
- Modifications to critical files and other data
Audit use cases:
- Monitor file access
- Monitor system calls
- Record commands run by users
- Monitor network access behaviour
ausearch: searches the audit log, filtered according to the given conditions
aureport: generates audit reports
yum -y install audit
systemctl start auditd
systemctl enable auditd
File | Explanation
---|---
/var/log/audit/audit.log | Log file
/etc/audit/auditd.conf | Configuration file
/etc/audit/rules.d/audit.rules | Rules file
auditctl -h # show help
auditctl -l # list the current rules
auditctl -s # show audit status
auditctl -D # delete all rules
1) Defining temporary rules
File system rule syntax:
auditctl -w path -p permission -k key_name
- path: the file or directory to be audited
- permission: any of r / w / x / a (a: change of a file or directory attribute)
- key_name: optional; it makes it easy to tell which rule produced a given log entry
Example:
auditctl -w /etc/passwd -p wa -k passwd_change
auditctl -w /usr/sbin/fdisk -p x -k disk_part
auditctl -w /etc -p w -k etc_change
2) Defining permanent rules
vim /etc/audit/rules.d/audit.rules # rules file
-w /etc/passwd -p wa -k passwd_change # append to the end of the file
-w /usr/sbin/fdisk -p x -k disk_part
-w /etc -p w -k etc_change
3) Querying the log
ausearch -k KEY_NAME
ausearch -k passwd_change
ausearch -k disk_part
ausearch -k etc_change
Interpreting the query result:
1. What command was executed: comm="fdisk" exe="/usr/sbin/fdisk"
2. Who executed it: uid=0
3. Did it succeed: success=yes
4. When was it executed: time->Sat Feb 8 22:20:37 2020
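As an added example (not part of the original notes), this Python script reads raw audit.log records offline and pulls out the four answers above for a given rule key, the way ausearch -k does; the log lines are constructed samples, and auid (the login user, which survives su/sudo) is reported alongside uid because "who executed it" is often that field rather than uid=0.

```python
import re
from datetime import datetime, timezone

# Constructed sample audit.log lines (not a real capture); they mimic what the
# -k disk_part and -k passwd_change rules above produce on a RHEL/CentOS host.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1581200437.412:1002): arch=c000003e syscall=59 success=yes exit=0 ppid=2301 pid=2345 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="fdisk" exe="/usr/sbin/fdisk" key="disk_part"
type=PATH msg=audit(1581200437.412:1002): item=0 name="/usr/sbin/fdisk" inode=12345 dev=fd:00 mode=0100755 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1581200501.077:1010): arch=c000003e syscall=2 success=no exit=-13 ppid=2400 pid=2410 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts1 ses=4 comm="vim" exe="/usr/bin/vim" key="passwd_change"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="value"
MSG_RE = re.compile(r'msg=audit\((\d+)\.\d+:(\d+)\)')  # msg=audit(EPOCH.ms:SERIAL)

def parse_record(line):
    """Split one audit.log line into a dict; returns None for non-audit lines."""
    m = MSG_RE.search(line)
    if not m:
        return None
    rec = {"timestamp": int(m.group(1)), "serial": int(m.group(2))}
    for key, value in FIELD_RE.findall(line):
        if key != "msg":                 # msg=audit(...) already handled above
            rec[key] = value.strip('"')
    return rec

def summarize(rec):
    """Answer the four questions listed above for one SYSCALL record."""
    return {
        "command": f'{rec["comm"]} ({rec["exe"]})',   # 1. what ran
        "uid": int(rec["uid"]),                        # 2. who ran it (effective user)
        "login_uid": int(rec["auid"]),                 #    who logged in; survives su/sudo
        "success": rec["success"] == "yes",            # 3. did it succeed
        "time": datetime.fromtimestamp(rec["timestamp"], tz=timezone.utc).isoformat(),  # 4. when (UTC)
        "key": rec.get("key"),
    }

def search_by_key(log_text, key_name):
    """Offline equivalent of `ausearch -k KEY_NAME`, keeping SYSCALL records only."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec and rec.get("type") == "SYSCALL" and rec.get("key") == key_name:
            hits.append(summarize(rec))
    return hits

if __name__ == "__main__":
    for key in ("disk_part", "passwd_change"):
        for hit in search_by_key(SAMPLE_LOG, key):
            print(key, hit)
```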
Web Services Security
1) nginx:
1. Remove unnecessary modules
./configure --without-http_autoindex_module # skip installing a module that is built by default
./configure --help # list the modules installed by default
/usr/local/nginx/sbin/nginx -V # show the options nginx was compiled with
2. Modify version information
vim /nginx-1.12.2/src/http/ngx_http_header_filter_module.c
Edit these three definitions (lines 49-51 in nginx 1.12.2):
static u_char ngx_http_server_string[] = "Server: tomcat" CRLF;
static u_char ngx_http_server_full_string[] = "Server: tomcat" NGINX_VER CRLF;
static u_char ngx_http_server_build_string[] = "Server: tomcat" NGINX_VER_BUILD CRLF;
Recompile and install: ./configure && make && make install
vim /usr/local/nginx/conf/nginx.conf
server_tokens off; # line 38
curl -i IP # test
3. Limit concurrent requests
The ngx_http_limit_req_module module reduces the risk of DDoS attacks (installed by default)
vim /usr/local/nginx/conf/nginx.conf
http{
....
limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s;
server {
listen 80;
server_name localhost;
limit_req zone=one burst=5;
....
- Syntax: limit_req_zone key zone=name:size rate=rate;
- The client IP ($binary_remote_addr) is stored in the shared memory zone named "one"; 1M of zone space can hold the information of about 8,000 IPs, so 10M holds 80,000 hosts
- rate=1r/s: only one request per second is accepted; excess requests go into the bucket
- burst=5: the bucket holds 5 requests; beyond that, requests are answered with an error
4. Deny illegal requests
- Common HTTP request methods
HTTP defines a number of methods; in practice, applications generally only need GET and POST
Request method | Functional description
---|---
GET | Requests the specified page and returns the entity body
HEAD | Similar to GET, but the response carries no body; used to obtain the headers
POST | Submits data to the specified resource for processing (e.g. submitting a form or uploading a file)
DELETE | Requests that the server delete the specified page
PUT | Uploads content to a specific location on the server
vim /usr/local/nginx/conf/nginx.conf
server {
if ($request_method !~ ^(GET|POST)$) { # requests with any method other than GET or POST get code 444 (nginx closes the connection)
return 444;
}
....
/usr/local/nginx/sbin/nginx -s reload
test:
curl -i -X GET 192.168.4.51 # normal access
curl -i -X HEAD 192.168.4.51 # refused
5. Prevent buffer overflow
- Prevents client requests from overflowing the server's buffers
- Effectively reduces the risk of DoS attacks
vim /usr/local/nginx/conf/nginx.conf
http{
client_body_buffer_size 1K;
client_header_buffer_size 1k;
client_max_body_size 16k;
large_client_header_buffers 4 4k;
....
}
Database Security (mariadb)
yum -y install mariadb mariadb-server
systemctl start mariadb
mysqladmin -uroot -p password 123456 # set the root password; press Enter at the prompt for the current (empty) password
mysql_secure_installation # security hardening script; answer the prompts
Enter the old password, then set a new root password
Remove anonymous users? (delete anonymous accounts)
Disallow root login remotely? (forbid remote root login)
Remove test database? (delete the test database)
Reload privilege tables? (refresh privileges)