Chinaunix首页 | 论坛 | 博客

yepyang的ChinaUnix博客arch.blog.chinaunix.net

首页 |  博文目录 |  关于我

yepyang

  • 博客访问: 872765
  • 博文数量: 204
  • 博客积分: 2433
  • 博客等级: 大尉
  • 技术积分: 2205
  • 用 户 组: 普通用户
  • 注册时间: 2011-04-05 13:32
文章分类

全部博文(204)

推荐博文
相关博文
snoopy命令日志审计

分类: LINUX

2017-08-18 09:50:27

snoopy是一款可以记录用户执行命令并输出到文件的一款日志审计软件,它的安装也不复杂,可以支持syslog...etc,需要具体介绍请自行度娘。下面记录一下:
下载完snoopy,直接./configure --prefix=/opt/snoopy;make;make install
创建一个nologin的用户:useradd -s /sbin/nologin -M snoopy;
修改snoopy的配置文件snoopy.ini,修改内容如下:

点击(此处)折叠或打开

  1. ;;; REQUIRED Section
  2. ;
  3. [snoopy]
  7. ;;; Log Message Format specification
  8. ;
  9. ; May consist of:
  10. ; - arbitrary text, which is copied to log message as-is,
  11. ; - calls to data sources without arguments: %{datasourcename}
  12. ; - calls to data sources with argument : %{datasourcename:arg1}
  13. ; - calls to data sources with arguments: %{datasourcename:arg1,arg2} <--- if data source supports it
  14. ;
  15. ; List of available data sources:
  16. ; - %{cmdline} ; (available=yes) Full command line, with arguments
  17. ; - %{cwd} ; (available=yes) Current working directory
  18. ; - %{datetime} ; (available=yes) Date and time in ISO 8601 format
  19. ; - %{domain} ; (available=yes) Domain of current system
  20. ; - %{egid} ; (available=yes) Effective gid that executed the command
  21. ; - %{egroup} ; (available=yes) Effective group name that executed the command
  22. ; - %{env:VAR} ; (available=yes) Environmental variable named 'VAR'
  23. ; - %{env_all} ; (available=yes) All environmental varibles, comma separated
  24. ; - %{euid} ; (available=yes) Effective uid that executed the command
  25. ; - %{eusername} ; (available=yes) Effective username that executed the command
  26. ; - %{filename} ; (available=yes) Full path to executable
  27. ; - %{gid} ; (available=yes) Group id that executed the command
  28. ; - %{group} ; (available=yes) Group name that executed the command
  29. ; - %{hostname} ; (available=yes) Hostname of current system
  30. ; - %{login} ; (available=yes) Login name (tries getlogin_r() first, then SUDO_USER env variabe, and LOGNAME env as last resort)
  31. ; - %{pid} ; (available=yes) ID of process that executed the command
  32. ; - %{ppid} ; (available=yes) Parent process ID of process that executed the command
  33. ; - %{rpname} ; (available=yes) Root process name of process that executed the command
  34. ; - %{sid} ; (available=yes) Process id of session group process leader
  35. ; - %{snoopy_threads} ; (available=yes) Number of threads that Snoopy currently is configured for
  36. ; - %{snoopy_version} ; (available=yes) Snoopy version
  37. ; - %{snoopy_literal:arg} ; (available=yes) Dummy data source, only returns its argument literally
  38. ; - %{tid} ; (available=yes) Thread ID of process that executed the command
  39. ; - %{tid_kernel} ; (available=yes) Thread ID of process that executed the command, as returned by Linux kernel
  40. ; - %{timestamp} ; (available=yes) Current Unix timestamp
  41. ; - %{timestamp_ms} ; (available=yes) Millisecond part of current Unix timestamp
  42. ; - %{timestamp_us} ; (available=yes) Microsecond part of current Unix timestamp
  43. ; - %{tty} ; (available=yes) Which TTY the command was run on
  44. ; - %{tty_uid} ; (available=yes) TTY uid
  45. ; - %{tty_username} ; (available=yes) TTY username
  46. ; - %{uid} ; (available=yes) User id that executed the command
  47. ; - %{username} ; (available=yes) Username that executed the command
  48. ;
  49. ; Availability (yes/no):
  50. ; This flag signifies whether this build of Snoopy has particular data source
  51. ; built-in or not. If particular data source is not available and its use is
  52. ; desired, then Snoopy must be rebuilt with flags that enable given data
  53. ; source.
  54. ;
  55. ; Default value:
  56. ; "[uid:%{uid} sid:%{sid} tty:%{tty} cwd:%{cwd} filename:%{filename}]: %{cmdline}"
  57. ;
  58. ; Examples:
  59. ;message_format = "useless static log entry that gets logged on every program execution"
  60. ;message_format = "uid=%{uid}" ; <--- this would only log uids who execute programs, nothing else;
  61. ;message_format = "uid=%{uid} tty=%{tty} cmdline=%{cmdline}" ; <--- logs uid + tty + command that is executed
  62. message_format = "datetime:%{datetime} login:%{login} username:%{username} cmdline:%{cmdline} cwd:%{cwd}"
  65. ;;; Filter Chain specification
  66. ;
  67. ; Must comply with the following rules:
  68. ; - one or more filters may be specified, separated by semicolon,
  69. ; - each filter may contain argument that follows the colon,
  70. ; - filter may accept multiple arguments, separated by comma,
  71. ; - filter chain must not contain any spaces (allowed in filter arguments, but generally discouraged).
  72. ;
  73. ; List of available filters:
  74. ; - exclude_spawns_of ; (available=yes) Exclude log entries that occur in specified process trees
  75. ; - exclude_uid ; (available=yes) Exclude these UIDs from logging
  76. ; - only_root ; (available=yes) Only log root commands
  77. ; - only_tty ; (available=yes) Only log commands associated with a TTY
  78. ; - only_uid ; (available=yes) Only log commands executed by these UIDs
  79. ;
  80. ; Availability (yes/no):
  81. ; This flag signifies whether this build of Snoopy has particular filter
  82. ; built-in or not. If particular filter is not available and its use is
  83. ; desired, then Snoopy must be rebuilt with flags that enable given filter.
  84. ;
  85. ; Sample definitions with explanations:
  86. ; - filter_chain = "exclude_uid:0" # Log all commands, except the ones executed by root
  87. ; - filter_chain = "exclude_uid:1,2,3" # Log all commands, except those executed by users with UIDs 1, 2 and 3
  88. ; - filter_chain = "only_uid:0" # Log only root commands
  89. ; - filter_chain = "exclude_spawns_of:cron,my_daemon" # Do not log commands spawned by cron or my_daemon
  90. ; - filter_chain = "filter1:arg11;filter2:arg21,arg22;filter3:arg31,32,33"
  91. ;
  92. ; Default value:
  93. ; "" (empty string)
  94. ;
  95. ; Examples:
  96. ;filter_chain = ""
  97. ;filter_chain = "only_uid:0"
  98. ;filter_chain = "only_uid:10000"
  99. ;filter_chain = "exclude_uid:0"
  100. filter_chain = ""
  102. ;;; Output
  103. ;
  104. ; Where messages get sent to
  105. ;
  106. ; List of available outputs:
  107. ; - devlog ; (available=yes) Default, writes directly to /dev/log.
  108. ; - devnull ; (available=yes) Black hole.
  109. ; - devtty ; (available=yes) Write to current tty via /dev/tty.
  110. ; - file ; (available=yes) Write directly to file. (NOTICE: Make sure file has proper permissions set for non-root users.)
  111. ; - socket ; (available=yes) Built-in output. As argument it requires an absolute path of socket to write to.
  112. ; - stderr ; (available=yes) Write to STDERR. Mainly useful for debugging purposes.
  113. ; - stdout ; (available=yes) Write to STDOUT. Mainly useful for debugging purposes.
  114. ; - syslog ; (available=no) Previuosly-default (WARNING: DO NOT USE syslog OUTPUT WITH systemd - IT WILL HANG YOUR SYSTEM ON BOOT)
  115. ;
  116. ; Availability (yes/no):
  117. ; This flag signifies whether this build of Snoopy has particular output
  118. ; built-in or not. If particular output is not available and its use is
  119. ; desired, then Snoopy must be rebuilt with flags that enable given output.
  120. ;
  121. ; List of outputs pending implementation (patches welcome!):
  122. ; - console ; TODO
  123. ; - journald ; TODO
  124. ;
  125. ; Default value:
  126. ; devlog
  127. ; (previously 'syslog' was default value, but due to systemd issues default was changed)
  128. ; (to raw device writing as syslogd blocks syslog() calls if journald is not running)
  129. ;
  130. ; Example:
  131. ;output = console
  132. ;output = devlog
  133. ;output = file:/var/log/snoopy.log
  134. ;output = socket:/var/run/socket-for-snoopy.sock
  135. output = file:/var/log/snoopy
  138. ;;; Error Logging
  139. ;
  140. ; Whether to log error messages or not.
  141. ; This should generally be disabled, as it may generate lots of error logs.
  142. ;
  143. ; The most appropriate usage of this parameter is when:
  144. ; - you are developing new data source
  145. ; - you are trying to configure message format and are having problems with it
  146. ;
  147. ; Default value:
  148. ; no (unless changed by ./configure --enable-error-logging to yes)
  149. ;
  150. ; Example:
  151. ;error_logging = yes
  152. ;error_logging = yes
  155. ;;; Syslog Facility
  156. ;
  157. ; What syslog facility to use. Can be prefixed with 'LOG_'.
  158. ;
  159. ; Possible values:
  160. ; One of AUTH|AUTHPRIV|CRON|DAEMON|FTP|KERN|LOCAL[0-7]|LPR|MAIL|NEWS|SYSLOG|USER|UUCP
  161. ;
  162. ; Default value:
  163. ; LOG_AUTHPRIV (unless changed by ./configure --with-syslog-facility=FACILITY)
  164. ;
  165. ; Example:
  166. ;syslog_facility = LOG_AUTHPRIV
  170. ;;; Syslog Ident
  171. ;
  172. ; What syslog ident (program name) to use.
  173. ;
  174. ; Possible values:
  175. ; Any non-spaced string.
  176. ;
  177. ; Default value:
  178. ; "snoopy" (unless changed by ./configure --with-syslog-ident="other")
  179. ;
  180. ; Example:
  181. ;syslog_ident = "my-ident-string"
  185. ;;; Syslog Level
  186. ;
  187. ; What syslog level to use. Can be prefixed with 'LOG_'.
  188. ;
  189. ; Possible values:
  190. ; One of EMERG|ALERT|CRIT|ERR|WARNING|NOTICE|INFO|DEBUG
  191. ;
  192. ; Default value:
  193. ; LOG_INFO (unless changed by ./configure --with-syslog-level=LEVEL)
  194. ;
  195. ; Example:
  196. ;syslog_level = LOG_INFO
在/var/log/目录创建snoopy文件,修改拥有者,chown snoopy.snoopy /var/log/snoopy;chmod o+w /var/log/snoopy
启动snoopy,snoopy-enable,此时snoopy会在/etc/ld.so.preload添加/opt/snoopy/lib/libsnoopy.so,这个是语句是将snoopy自身的so预加载,已达到监控系统的exec调用
关于/opt/snoopy目录的权限,组和其他人需要有x权限,不然当其他用户登录的时候,会出现"ERROR:ld.so: object '/opt/snoopy/lib/libsnoopy.so' from /etc/ld.so.preload cannot be preloaded: ignored。
阅读(3492) | 评论(0) | 转发(0) |
0

上一篇:docker的安装

下一篇:hbase的启动命令

给主人留下些什么吧!~~
关于我们 | 关于IT168 | 联系方式 | 广告合作 | 法律声明 | 免费注册

Copyright 2001-2010 ChinaUnix.net All Rights Reserved 北京皓辰网域网络信息技术有限公司. 版权所有

感谢所有关心和支持过ChinaUnix的朋友们

16024965号-6