
AIX 下audit实战

本文利用 AIX 自带的 audit 子系统，监控系统密码修改（PASSWORD_Change 事件）以及指定脚本文件的执行（通过自定义的对象事件 WAS_STARTSERVER / WAS_STOPSERVER）。


1. 创建cron定时任务

root下执行crontab -e 并加入如下内容
# 每天早上 7:30 执行 /usr/javaF.org/systemMonitor.sh
30 7 * * * /usr/javaF.org/systemMonitor.sh


2. 编辑 /usr/javaF.org/systemMonitor.sh（该脚本由 root 的 crontab 执行，脚本及其所在目录必须属于 root 且其他用户不可写，例如 chmod 700；否则任何能改写它的本地用户都可借此以 root 身份执行命令）



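#!/bin/sh
# Daily audit extract, run from root's crontab: stop auditing, pull the selected
# events out of the trail into a dated text log, archive the raw trail, restart.
LOG_DIR=/usr/javaF.org/logs
ARCHIVE_DIR=$LOG_DIR/trail
LOG_PATH=$LOG_DIR/systemMonitor`date +%Y%m%d`.txt

# Audit output says who changed which password and when; keep every file this
# script creates readable by root only.
umask 077
mkdir -p "$LOG_DIR" "$ARCHIVE_DIR" || exit 1

# The trail must be quiescent before it is read and rotated.
/usr/sbin/audit shutdown > /dev/null

# Marker for the Java parser, which skips the lines that follow it.
echo @@systemMonitor@@ SKIP LINES >> "$LOG_PATH"

# Straight quotes only: the curly quotes in the forum rendering are not accepted
# by sh and would make auditselect receive a mangled expression.
# WAS_JAVA is selected here but is not defined in the objects/events steps of
# this post; it only matches if that event is configured elsewhere.
/usr/sbin/auditselect -e "event == PASSWORD_Change || event == WAS_STARTSERVER || event == WAS_STOPSERVER || event == WAS_JAVA" /audit/trail | /usr/sbin/auditpr -h elcrdR -v >> "$LOG_PATH"

# Keep the raw trail instead of deleting it: the extract above holds only the
# four selected events, and the full trail is what an investigation needs.
if [ -s /audit/trail ]; then
    mv /audit/trail "$ARCHIVE_DIR/trail.`date +%Y%m%d%H%M%S`"
fi
rm -rf /audit/*

/usr/sbin/audit start > /dev/null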
3. 编辑/etc/security/audit/config

  在 classes: 节中，将 WAS_STARTSERVER,WAS_STOPSERVER 追加到已有的 objects = 行末（与原有事件以逗号分隔，不要另起一行）。
  另外，脚本筛选的 PASSWORD_Change 事件不属于 objects 类（默认配置中一般在 general 类里），需确认 users: 节中相应用户（至少 root）已启用包含该事件的审计类，否则该事件不会被记录。


4. 编辑/etc/security/audit/objects

  加入以下两个 stanza（x 表示对该文件的执行访问）:

  /usr/IBM/WebSphere/AppServer/profiles/AppSvr01/bin/startServer.sh:
          x = “WAS_STARTSERVER”

  /usr/IBM/WebSphere/AppServer/profiles/AppSvr01/bin/stopServer.sh:
          x = “WAS_STOPSERVER”


5. 编辑 /etc/security/audit/events

  在 `* objects (files)` 这行注释之后加入（以 * 开头的行是注释，仅起说明作用）:

  *       /usr/IBM/WebSphere/AppServer/profiles/AppSvr01/bin/startServer.sh
          WAS_STARTSERVER = printf “%s”

  *       /usr/IBM/WebSphere/AppServer/profiles/AppSvr01/bin/stopServer.sh
          WAS_STOPSERVER = printf “%s”
6. 启动 audit（需在第 3~5 步的配置完成之后执行；第 2 步的脚本每天也会自行 shutdown 并重新 start）

/usr/sbin/audit start


7. 附 Java 解析日志代码（注意：以下代码在论坛显示时丢失了数组下标 [i]，所有单独出现的 contents 都需要按 auditpr -h elcrdR 的输出列顺序补回索引，否则无法编译）
 
package org.javaf.system.monitor;

import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.Locale;

import org.javaf.common.utils.ReadTextFile;
import org.javaf.common.utils.WriteTextFile;

/**
 * Parses the audit extract produced by systemMonitor.sh (the output of
 * {@code auditpr -h elcrdR -v}) and writes one pipe-separated record per
 * PASSWORD_Change, WAS_STARTSERVER or WAS_STOPSERVER event.
 *
 * NOTE(review): this listing lost its array subscripts when it was pasted into
 * the forum. Every bare use of {@code contents} below needs a {@code [i]} index
 * (it is a {@code String[]} but is used as a {@code String}), so the code does
 * not compile as shown; restore the indices from the auditpr column order.
 *
 * NOTE(review): {@code skipLine}, {@code dateStr}, {@code DEFAULT_FORMATE} and
 * {@code ip} are not defined here; presumably inherited from
 * AbstractCommonMonitor -- confirm.
 */
public class AixServerMonitor extends AbstractCommonMonitor {

    // Parses the three date columns ("28 Jan 2013") of an auditpr line.
    // SimpleDateFormat is not thread-safe; a shared static instance is only
    // safe while getReport runs on a single thread.
    public static DateFormat aixDateFormat = new SimpleDateFormat("dd MMM yyyy", Locale.US);

    /**
     * Reads the extract line by line and emits matching events.
     *
     * @param rt  reader over the extract file written by systemMonitor.sh
     * @param wtm output that receives every matched event
     * @param wtd output that additionally receives the WAS start/stop events
     *            (PASSWORD_Change is written to wtm only)
     */
    protected void getReport(ReadTextFile rt, WriteTextFile wtm, WriteTextFile wtd) {
        String line;
        while ((line = rt.readLine()) != null) {
            // Marker echoed by systemMonitor.sh; the next two lines are skipped
            // (presumably the auditpr column header and its underline).
            if (line.startsWith("@@systemMonitor@@ SKIP LINES")) {
                this.skipLine(rt, 2);
                continue;
            }
            // Collapse auditpr's column padding so split() yields one token per field.
            line = line.replaceAll("\\s+", " ");
            String contents[] = line.split(" ");
            // Lines with fewer than 9 fields cannot carry event + date columns; drop them.
            if (contents.length < 9)
                continue;
            // Falls back to this.dateStr when the date columns fail to parse.
            String dStr = this.dateStr;
            //String user = contents;
            try {
                //new SimpleDateFormat("dd MMM yyyy",Locale.US).parse(contents + " "+ contents+" "+ contents);
                dStr = DEFAULT_FORMATE.format(aixDateFormat.parse(contents + " " + contents + " " + contents));
            } catch (Exception e) {
                // Parse failures are only printed; the record is still emitted with the fallback date.
                e.printStackTrace();
            }
            String outline = dStr + "|" + ip;
            if ("PASSWORD_Change".equals(contents)) {
                // The user whose password changed is on the following line.
                // NOTE(review): readLine() returns null at end of file (see the loop
                // condition), so trim() throws NullPointerException if the extract
                // ends right after this event line.
                outline += "|修改" + rt.readLine().trim() + "密码|" + contents + "|1";
                wtm.println(outline);
            } else if ("WAS_STARTSERVER".equals(contents)) {
                outline += "|启动应用服务器|" + contents + "|1";
                // The detail line that follows the event is consumed and ignored.
                rt.readLine();
                wtm.println(outline);
                wtd.println(outline);
            } else if ("WAS_STOPSERVER".equals(contents)) {
                outline += "|停止应用服务器|" + contents + "|1";
                // The detail line that follows the event is consumed and ignored.
                rt.readLine();
                wtm.println(outline);
                wtd.println(outline);
            }
        }
    }
}
 