Centos
如何使用 audisp-remote 發送審計日誌並使用 netcat 接收它們
我正在嘗試配置在 VirtualBox 中執行的 CentOS 7,以將其審核日誌發送到 FreeBSD 10.3 主機。理想情況下,我希望接收帶有 FreeBSD 的日誌,
auditdistd(8)但現在我只想能夠使用 netcat 來實現。我的問題是 netcat 沒有得到任何數據。
細節
- 當我執行時,
service auditd status我得到以下結果:Redirecting to /bin/systemctl status auditd.service auditd.service - Security Auditing Service Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) Active: active (running) since Fri 2016-08-19 11:35:42 CEST; 3s ago Process: 2216 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE) Main PID: 2215 (auditd) CGroup: /system.slice/auditd.service ├─2215 /sbin/auditd -n └─2218 /sbin/audispd Aug 19 11:35:42 hephaistos audispd[2218]: plugin /sbin/audisp-remote was restarted Aug 19 11:35:42 hephaistos audispd[2218]: plugin /sbin/audisp-remote terminated unexpectedly Aug 19 11:35:42 hephaistos audispd[2218]: plugin /sbin/audisp-remote was restarted Aug 19 11:35:42 hephaistos audispd[2218]: plugin /sbin/audisp-remote terminated unexpectedly Aug 19 11:35:42 hephaistos audispd[2218]: plugin /sbin/audisp-remote was restarted Aug 19 11:35:42 hephaistos audispd[2218]: plugin /sbin/audisp-remote terminated unexpectedly Aug 19 11:35:42 hephaistos audispd[2218]: plugin /sbin/audisp-remote was restarted Aug 19 11:35:42 hephaistos audispd[2218]: plugin /sbin/audisp-remote terminated unexpectedly Aug 19 11:35:42 hephaistos audispd[2218]: plugin /sbin/audisp-remote has exceeded max_restarts Aug 19 11:35:42 hephaistos audispd[2218]: plugin /sbin/audisp-remote was restarted設置
網路設置
- CentOS 和 FreeBSD 連接在僅主機網路上。我為他們分配了以下 IP:
- CentOS:192,168,56,101
- FreeBSD:192.168.56.1
FreeBSD 設置
- 我有 netcat 在埠 60 上監聽:
nc -lk 60連接有效。我可以
nc 192.168.56.1 60在 CentOS 上使用將數據發送到 FreeBSD。CentOS 設置
- 核心版本為:
4.7.0-1.el7.elrepo.x86_64 #1 SMP Sun Jul 24 18:15:29 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux.- Linux Audit 使用者空間的版本是 2.6.6。
- auditd 正在執行並主動登錄到
/var/log/audit.log.- 中的審計規則
/etc/audit/rules.d/配置良好。- 的配置
/etc/audisp/audisp-remote.conf如下所示:remote-server = 192.168.56.1 port = 60 local_port = any transport = tcp mode = immediate
- 我在
/etc/audisp/plugins.d/:中有兩個預設文件,syslog.conf並且af_unix.conf它們都沒有啟動。我添加了af-remote.conf,它看起來像這樣:# This file controls the audispd data path to the # remote event logger. This plugin will send events to # a remote machine (Central Logger). active = yes direction = out path = /sbin/audisp-remote type = always #args = format = string這是來自官方儲存庫(連結)的修改範例。
- 以下是 的內容
/etc/audisp/audispd.conf:q_depth = 150 overflow_action = SYSLOG priority_boost = 4 max_restarts = 10 name_format = HOSTNAME如果需要,我很樂意提供更多詳細資訊。
我不確定這裡的一切是否都需要成功。儘管如此,這是一個有效的配置,因此我能夠在 FreeBSD 上使用 netcat 接收 Linux 審計日誌。
- 中央作業系統
/etc/audisp/audisp-remote.conf::remote_server = 192.168.56.1 port = 60 local_port = 60 transport = tcp mode = immediate queue_depth = 200 format = managed
- 中央作業系統
/etc/audisp/plugins.d/au-remote.conf::active = yes direction = out path = /sbin/audisp-remote type = always args = /etc/audisp/audisp-remote.conf format = string
- 中央作業系統
/etc/audit/auditd.conf::local_events = yes log_file = /var/log/audit/audit.log # Send logs to the server. Don't save them. write_logs = no log_format = RAW log_group = root priority_boost = 8 num_logs = 5 disp_qos = lossy dispatcher = /sbin/audispd name_format = hostname max_log_file = 6 max_log_file_action = ROTATE action_mail_acct = root space_left = 75 space_left_action = SYSLOG admin_space_left = 50 admin_space_left_action = SUSPEND disk_full_action = SUSPEND disk_error_action = SUSPEND ##tcp_listen_port = tcp_listen_queue = 5 tcp_max_per_addr = 1 use_libwrap = yes ##tcp_client_ports = 1024-65535 tcp_client_max_idle = 0 enable_krb5 = no krb5_principal = auditd ##krb5_key_file = /etc/audit/audit.key distribute_network = no
- 自由BSD:
/etc/hosts.allow:ALL : ALL : allow我不知道是否需要這個 + 這可能是一個壞主意。
就是這樣。現在您只需
nc -lk 60在 FreeBSD 和service auditd restartCentOS 上執行即可。然而,就我而言,netcat 似乎至少兩次接收/列印每條記錄,這似乎很不尋常。