Deploying auditd to audit operations on critical servers
Install the auditd package
apt install auditd
Write auditd rules that audit execution of, and writes to, the aaa and bbb program files
Edit the xxx.rules file so it contains the following (-p wx watches write and execute access to the path; -k tags every resulting event with a key that can later be searched for):
-w /home/huzhenwei/bin/aaa -p wx -k aaa
-w /home/huzhenwei/bin/bbb -p wx -k bbb
-w /usr/local/bin/aaa -p wx -k aaa
-w /usr/local/bin/bbb -p wx -k bbb
Copy the auditd rules to the remote host
Copy the xxx.rules file you created into the /etc/audit/rules.d directory on the remote host; when the service starts, augenrules merges every .rules file in that directory into /etc/audit/audit.rules and loads it.
Enable the auditd service at boot
sudo systemctl enable auditd
Restart the auditd service
sudo systemctl restart auditd
The corresponding Ansible playbook and how to run it
The content of auditd.yml is as follows:
---
- hosts: "{{ group }}"
  become: yes
  become_user: root
  become_method: sudo
  tasks:
    - name: "Install the package"
      apt:
        name: auditd
        state: latest
    - name: "Copy config file"
      copy:
        src: "{{ playbook_dir }}/files/audit/rules.d/xxx.rules"
        dest: /etc/audit/rules.d/xxx.rules
    - name: "Enable and Start service"
      service:
        name: auditd
        enabled: yes
        state: restarted
...
Run the playbook:
sudo -H ansible-playbook /etc/ansible/playbooks/auditd.yml -K -e group=daemon
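Once the rules are loaded, every hit on the aaa/bbb watches is written to audit.log as a SYSCALL record tagged with the key from -k. The following Python script is an added example, not part of the original post: it parses audit.log lines (the sample lines are constructed, not real data), keeps the SYSCALL records that carry a rule key, and summarises who executed or modified the watched files; the syscall number table assumes x86_64 (arch=c000003e).

```python
import re
from collections import Counter

# Assumed x86_64 (arch=c000003e) syscall numbers that the -p wx watches produce.
SYSCALL_NAMES = {2: "open", 59: "execve", 82: "rename", 87: "unlink",
                 257: "openat", 263: "unlinkat", 322: "execveat"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample in /var/log/audit/audit.log format (not real log data).
# Line 2 shows a root write to bbb via sudo: uid=0, but auid keeps the login user.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=900 pid=901 auid=1000 uid=1000 comm="aaa" exe="/usr/local/bin/aaa" key="aaa"
type=SYSCALL msg=audit(1700000000.205:202): arch=c000003e syscall=257 success=yes exit=3 ppid=900 pid=905 auid=1000 uid=0 comm="cp" exe="/usr/bin/cp" key="bbb"
type=SYSCALL msg=audit(1700000000.310:203): arch=c000003e syscall=59 success=no exit=-13 ppid=900 pid=910 auid=1001 uid=1001 comm="bash" exe="/usr/bin/bash" key="aaa"
type=PATH msg=audit(1700000000.310:203): item=0 name="/home/huzhenwei/bin/aaa" nametype=NORMAL
"""

def parse_record(line):
    """Split one audit.log line into its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def watched_events(log_text):
    """Return SYSCALL records that carry a rule key, i.e. hits on the -w rules."""
    events = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL" or "key" not in rec:
            continue  # PATH/CWD/PROCTITLE records share the event id; skip them
        num = int(rec["syscall"])
        events.append({
            "key": rec["key"],
            "syscall": SYSCALL_NAMES.get(num, str(num)),
            "auid": int(rec["auid"]),   # login uid: survives sudo/su
            "uid": int(rec["uid"]),     # effective user at the time of the call
            "exe": rec.get("exe", ""),
            "success": rec["success"] == "yes",
        })
    return events

def summarize(events):
    """Count hits per (key, syscall, login uid, success) for quick triage."""
    return Counter((e["key"], e["syscall"], e["auid"], e["success"]) for e in events)

if __name__ == "__main__":
    for (key, sc, auid, ok), n in sorted(summarize(watched_events(SAMPLE_LOG)).items()):
        print(f"key={key} syscall={sc} auid={auid} success={ok} count={n}")
```

On a live host, `auditctl -l` confirms the rules are loaded and `ausearch -k aaa --raw` prints matching events in the same line format this script reads.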