本文利用audit实现AIX下系统密码修改和文件执行的监控
1. 创建cron定时任务
root下执行crontab -e 并加入如下内容
# 定于每天早上执行 /usr/javaF.org/systemMonitor.sh
30 7 * * * /usr/javaF.org/systemMonitor.sh
2. 编辑/usr/javaF.org/systemMonitor.sh
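#!/bin/sh
# Daily audit harvest, run from root's crontab: stop auditing, extract the
# events of interest from the trail into a dated text log, clear the trail and
# start auditing again. AixServerMonitor (the Java parser) consumes LOG_PATH.
LOG_DIR=/usr/javaF.org/logs
LOG_PATH="$LOG_DIR/systemMonitor$(date +%Y%m%d).txt"
# The log names the accounts whose passwords were changed; the directory should
# exist and be readable by root only (no umask is set here; check the caller's).
mkdir -p "$LOG_DIR" || exit 1
/usr/sbin/audit shutdown > /dev/null
# Marker line: the parser skips the two auditpr header lines that follow it.
echo "@@systemMonitor@@ SKIP LINES" >> "$LOG_PATH"
# The selection expression must be in straight double quotes; the original used
# typographic quotes, which the shell passes through as literal characters and
# auditselect then fails to parse. WAS_JAVA is selected but is not defined in
# the config/objects/events steps of this document, so it is presumably never
# produced — verify before relying on it.
/usr/sbin/auditselect -e "event == PASSWORD_Change || event == WAS_STARTSERVER || event == WAS_STOPSERVER || event == WAS_JAVA" /audit/trail | /usr/sbin/auditpr -h elcrdR -v >> "$LOG_PATH"
# NOTE(review): this discards the raw trail after filtering, so any event not in
# the expression above is lost. Copying /audit/trail to a dated archive before
# removing it would preserve the full record for later investigation.
rm -rf /audit/*
/usr/sbin/audit start > /dev/null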
3. 编辑/etc/security/audit/config
在 objects = 一行的末尾加入下列内容：
WAS_STARTSERVER,WAS_STOPSERVER
4. 编辑/etc/security/audit/objects
加入以下内容：
/usr/IBM/WebSphere/AppServer/profiles/AppSvr01/bin/startServer.sh:
x = "WAS_STARTSERVER"
/usr/IBM/WebSphere/AppServer/profiles/AppSvr01/bin/stopServer.sh:
x = "WAS_STOPSERVER"
5. 编辑 /etc/security/audit/events
在 * objects (files) 一节下加入：
* /usr/IBM/WebSphere/AppServer/profiles/AppSvr01/bin/startServer.sh
WAS_STARTSERVER = printf "%s"
* /usr/IBM/WebSphere/AppServer/profiles/AppSvr01/bin/stopServer.sh
WAS_STOPSERVER = printf "%s"
6. 启动 audit
/usr/sbin/audit start
7. 附 Java 日志解析代码
package org.javaf.system.monitor;
import java.text.DateFormat;
import java.text.ParseException;
import java.text.SimpleDateFormat;
import java.util.Locale;
import java.util.regex.Pattern;
import org.javaf.common.utils.ReadTextFile;
import org.javaf.common.utils.WriteTextFile;
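/**
 * Parses the systemMonitor log produced on AIX (auditpr output selected by
 * systemMonitor.sh) and emits one pipe-delimited record per recognised event.
 *
 * {@code ip}, {@code dateStr}, {@code DEFAULT_FORMATE} and {@code skipLine} are
 * not declared here and are taken to be inherited from AbstractCommonMonitor.
 */
public class AixServerMonitor extends AbstractCommonMonitor {
    /**
     * Layout of the date columns in the auditpr output, e.g. "05 Mar 2012".
     * SimpleDateFormat is not thread-safe; this instance is shared, so the
     * parser must not be driven from several threads at once.
     */
    public static final DateFormat aixDateFormat = new SimpleDateFormat("dd MMM yyyy", Locale.US);

    /** Collapses runs of whitespace so the auditpr columns split on one space. */
    private static final Pattern WHITESPACE = Pattern.compile("\\s+");

    /** Line written by systemMonitor.sh ahead of each auditpr header. */
    private static final String SKIP_MARKER = "@@systemMonitor@@ SKIP LINES";

    /**
     * Reads the log line by line and writes a record for PASSWORD_Change,
     * WAS_STARTSERVER and WAS_STOPSERVER events; every other line is ignored.
     *
     * Record layout: {@code date|ip|description|user|1}. Password changes go to
     * {@code wtm} only; server start/stop go to both {@code wtm} and {@code wtd}.
     *
     * @param rt  source log (auditpr -h elcrdR -v output with marker lines)
     * @param wtm writer for the monitor report
     * @param wtd writer that additionally receives server start/stop records
     */
    protected void getReport(ReadTextFile rt, WriteTextFile wtm, WriteTextFile wtd) {
        String line;
        while ((line = rt.readLine()) != null) {
            if (line.startsWith(SKIP_MARKER)) {
                // auditpr -h prints a two-line column header after the marker.
                this.skipLine(rt, 2);
                continue;
            }
            String[] contents = WHITESPACE.matcher(line).replaceAll(" ").split(" ");
            if (contents.length < 9) {
                continue;
            }
            String eventName = contents[0];
            // Column 3 is used as the acting user; columns 4-6 are the date.
            String user = contents[3];
            // NOTE(review): fields copied from the trail are not escaped; a '|'
            // in an account name would shift the columns for downstream readers.
            String outline = parseEventDate(contents) + "|" + ip;
            if ("PASSWORD_Change".equals(eventName)) {
                // The following line (auditpr -v detail) carries the account
                // whose password was changed; the original dereferenced it
                // without a null check and would fail on a truncated log.
                String target = rt.readLine();
                if (target == null) {
                    break;
                }
                outline += "|修改" + target.trim() + "密码|" + user + "|1";
                wtm.println(outline);
            } else if ("WAS_STARTSERVER".equals(eventName)) {
                writeServerEvent(rt, wtm, wtd, outline + "|启动应用服务器|" + user + "|1");
            } else if ("WAS_STOPSERVER".equals(eventName)) {
                writeServerEvent(rt, wtm, wtd, outline + "|停止应用服务器|" + user + "|1");
            }
        }
    }

    /**
     * Converts the three date columns of a record to the report date format.
     *
     * @param contents split log line; must have at least 7 elements
     * @return the formatted event date, or the monitor's own {@code dateStr}
     *         when the columns do not parse (the record is still emitted)
     */
    private String parseEventDate(String[] contents) {
        String raw = contents[4] + " " + contents[5] + " " + contents[6];
        try {
            return DEFAULT_FORMATE.format(aixDateFormat.parse(raw));
        } catch (ParseException e) {
            // Only the parse step is expected to fail; keep the trace visible
            // as the original did, then fall back to the run date.
            e.printStackTrace();
            return this.dateStr;
        }
    }

    /**
     * Writes a server start/stop record to both writers after consuming the
     * extra line that follows the event in the log (presumably the auditpr -v
     * detail line, which the report does not use).
     */
    private static void writeServerEvent(ReadTextFile rt, WriteTextFile wtm, WriteTextFile wtd, String outline) {
        rt.readLine();
        wtm.println(outline);
        wtd.println(outline);
    }
}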