Mat*_*ski 7 freebsd logs centos netcat linux-audit
我正在尝试配置在 VirtualBox 中运行的 CentOS 7,以将其审核日志发送到 FreeBSD 10.3 主机。理想情况下,我希望通过 FreeBSD 接收日志,auditdistd(8)但现在我只想能够使用 netcat。
我的问题是 netcat 没有得到任何数据。
service auditd status我得到以下结果:Run Code Online (Sandbox Code Playgroud)Redirecting to /bin/systemctl status auditd.service auditd.service - Security Auditing Service Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled) Active: active (running) since Fri 2016-08-19 11:35:42 CEST; 3s ago Process: 2216 ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE) Main PID: 2215 (auditd) CGroup: /system.slice/auditd.service ??2215 /sbin/auditd -n ??2218 /sbin/audispd Aug 19 11:35:42 hephaistos audispd[2218]: plugin /sbin/audisp-remote was restarted Aug 19 11:35:42 hephaistos audispd[2218]: plugin /sbin/audisp-remote terminated unexpectedly Aug 19 11:35:42 hephaistos audispd[2218]: plugin /sbin/audisp-remote was restarted Aug 19 11:35:42 hephaistos audispd[2218]: plugin /sbin/audisp-remote terminated unexpectedly Aug 19 11:35:42 hephaistos audispd[2218]: plugin /sbin/audisp-remote was restarted Aug 19 11:35:42 hephaistos audispd[2218]: plugin /sbin/audisp-remote terminated unexpectedly Aug 19 11:35:42 hephaistos audispd[2218]: plugin /sbin/audisp-remote was restarted Aug 19 11:35:42 hephaistos audispd[2218]: plugin /sbin/audisp-remote terminated unexpectedly Aug 19 11:35:42 hephaistos audispd[2218]: plugin /sbin/audisp-remote has exceeded max_restarts Aug 19 11:35:42 hephaistos audispd[2218]: plugin /sbin/audisp-remote was restarted
我有 netcat 在端口 60 上侦听:
nc -lk 60
连接有效。我可以nc 192.168.56.1 60在 CentOS 上使用将数据发送到 FreeBSD。
内核版本为:4.7.0-1.el7.elrepo.x86_64 #1 SMP Sun Jul 24 18:15:29 EDT 2016 x86_64 x86_64 x86_64 GNU/Linux.
Linux Audit 用户空间的版本是 2.6.6。
auditd 正在运行并主动登录到/var/log/audit.log.
中的审计规则/etc/audit/rules.d/配置良好。
的配置/etc/audisp/audisp-remote.conf看起来像这样:
remote-server = 192.168.56.1
port = 60
local_port = any
transport = tcp
mode = immediate
我在/etc/audisp/plugins.d/: 中有两个默认文件,syslog.conf并且af_unix.conf它们都不是活动的。我已经添加af-remote.conf,它看起来像这样:
# This file controls the audispd data path to the
# remote event logger. This plugin will send events to
# a remote machine (Central Logger).
active = yes
direction = out
path = /sbin/audisp-remote
type = always
#args =
format = string
它是来自官方存储库(链接)的修改示例。
以下是内容/etc/audisp/audispd.conf:
q_depth = 150
overflow_action = SYSLOG
priority_boost = 4
max_restarts = 10
name_format = HOSTNAME
如果需要,我很乐意提供更多详细信息。
我不确定这里是否需要一切才能成功。尽管如此,这是一个有效的配置,因此我能够在 FreeBSD 上使用 netcat 接收 Linux 审计日志。
CentOS: /etc/audisp/audisp-remote.conf:
remote_server = 192.168.56.1
port = 60
local_port = 60
transport = tcp
mode = immediate
queue_depth = 200
format = managed
CentOS: /etc/audisp/plugins.d/au-remote.conf:
active = yes
direction = out
path = /sbin/audisp-remote
type = always
args = /etc/audisp/audisp-remote.conf
format = string
CentOS: /etc/audit/auditd.conf:
local_events = yes
log_file = /var/log/audit/audit.log
# Send logs to the server. Don't save them.
write_logs = no
log_format = RAW
log_group = root
priority_boost = 8
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = hostname
max_log_file = 6
max_log_file_action = ROTATE
action_mail_acct = root
space_left = 75
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
use_libwrap = yes
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
FreeBSD: /etc/hosts.allow:
ALL : ALL : allow
我不知道是否需要这个 + 这可能是一个坏主意。
就是这样。现在你只需要nc -lk 60在 FreeBSD 和service auditd restartCentOS 上运行。然而,就我而言,netcat 似乎至少两次接收/打印每条记录,这似乎很不寻常。