auditd 只能监控比它后启动的进程,恶意软件如果比它先启动则无法被其监控
在这一行里:
GRUB_CMDLINE_LINUX="......"添加:
GRUB_CMDLINE_LINUX="...... audit=1"# grub2-mkconfig -o /boot/grub2/grub.cfghttps://access.redhat.com/solutions/971883
# vim /etc/ssh/sshd_config添加以下内容:
Host 192.168.0.1,192.168.0.2,192.168.0.3
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521(补充:这里以让 IP 地址为 192.168.0.1、192.168.0.2 和 192.168.0.3 的客户端只能使用 ecdh-sha2-nistp256、ecdh-sha2-nistp384 和 ecdh-sha2-nistp521 算法 (algorithm) 才能访问为例)
# vim /etc/ssh/sshd_config添加以下内容:
Host *
KexAlgorithms ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256(补充:这里以让所有客户端只能使用 ecdh-sha2-nistp256、ecdh-sha2-nistp384 和 ecdh-sha2-nistp521 算法 (algorithm) 才能访问为例)
# cd ~/.ssh/# vim config创建以下内容:
Host jump_machine
HostName 192.168.1.1
User mingyuzhu
IdentityFile ~/.ssh/jump_machine
Host remote_srv_machine
HostName 192.168.1.100
ProxyCommand ssh jump_machine -W %h:%p
User mingyuzhu(补充:这里以将IP 地址为 192.168.1.1 的服务器作为跳板机连接到 IP 地址为 192.168.1.100 的服务器为例)
/etc/at.allow/etc/at.deny/etc/cron.allow/etc/cron.deny$ who -b
system boot 2024-09-16 17:52$ last | grep "reboot" | head -1
reboot system boot 6.8.0-44-generic Mon Sep 16 17:52 still running或者:
$ last reboot | head -1
reboot system boot 6.8.0-44-generic Mon Sep 16 17:52 still running或者:
$ last reboot -n 1
reboot system boot 6.8.0-44-generic Mon Sep 16 17:52 still running
wtmp begins Wed Aug 14 10:01:22 2024$ last reboot -F
reboot system boot 6.8.0-44-generic Mon Sep 16 17:52:25 2024 still running
reboot system boot 6.8.0-41-generic Fri Sep 6 21:53:12 2024 - Mon Sep 16 17:52:18 2024 (9+19:59)
wtmp begins Wed Aug 14 10:01:22 2024$ uptime -s
2024-09-16 17:52:23$ uptime
15:16:17 up 14 days, 21:23, 3 users, load average: 0.15, 0.13, 0.06$ uptime -p
up 2 weeks, 21 hours, 24 minutes$ top -bn 1 | head -1
top - 15:40:47 up 14 days, 21:48, 3 users, load average: 0.02, 0.03, 0.01$ top
top - 15:42:19 up 14 days, 21:49, 3 users, load average: 0.00, 0.02, 0.00
Tasks: 289 total, 1 running, 287 sleeping, 0 stopped, 1 zombie
%Cpu(s): 2.2 us, 2.2 sy, 0.0 ni, 93.3 id, 0.0 wa, 0.0 hi, 2.2 si, 0.0 st
MiB Mem : 3915.3 total, 247.9 free, 2984.8 used, 985.0 buff/cache
MiB Swap: 256.0 total, 0.0 free, 256.0 used. 930.5 avail Mem
PID USER PR NI VIRT RES SHR S %CPU %MEM TIME+ COMMAND
1056592 mingyuz+ 0 -20 133764 38484 25292 S 18.2 1.0 0:35.55 nxcodec.bin
1 root 20 0 23132 12112 7376 S 0.0 0.3 1:39.97 systemd
2 root 20 0 0 0 0 S 0.0 0.0 0:00.27 kthreadd
3 root 20 0 0 0 0 S 0.0 0.0 0:00.00 pool_workque+
4 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 kworker/R-rc+
5 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 kworker/R-rc+
6 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 kworker/R-sl+
7 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 kworker/R-ne+
9 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 kworker/0:0H+
12 root 0 -20 0 0 0 I 0.0 0.0 0:00.00 kworker/R-mm+
13 root 20 0 0 0 0 I 0.0 0.0 0:00.00 rcu_tasks_kt+
14 root 20 0 0 0 0 I 0.0 0.0 0:00.00 rcu_tasks_ru+
15 root 20 0 0 0 0 I 0.0 0.0 0:00.00 rcu_tasks_tr+
16 root 20 0 0 0 0 S 0.0 0.0 0:08.00 ksoftirqd/0
17 root 20 0 0 0 0 I 0.0 0.0 30:45.37 rcu_preempt
18 root rt 0 0 0 0 S 0.0 0.0 0:04.93 migration/0
......$ journalctl --list-boot
IDX BOOT ID FIRST ENTRY LAST ENTRY >
-17 d842be174b26429c84b6c21d8c457ca0 Wed 2024-08-14 10:01:22 CST Wed 2024-08-14>
-16 76b3d204a98d4004809d34add8838c3f Wed 2024-08-14 10:02:14 CST Wed 2024-08-14>
-15 50f754cd41af43119d88d9ca13306d09 Wed 2024-08-14 11:11:42 CST Wed 2024-08-14>
lines 1-19/19 (END)
......(补充:从这里可以看出最后一次系统重启的 BOOT ID 是 d842be174b26429c84b6c21d8c457ca0)
$ journalctl -b d842be174b26429c84b6c21d8c457ca0
Aug 14 10:01:22 linux-template kernel: Linux version 6.8.0-35-generic (buildd@lcy02->
Aug 14 10:01:22 linux-template kernel: Command line: BOOT_IMAGE=/boot/vmlinuz-6.8.0->
Aug 14 10:01:22 linux-template kernel: KERNEL supported cpus:
Aug 14 10:01:22 linux-template kernel: Intel GenuineIntel
Aug 14 10:01:22 linux-template kernel: AMD AuthenticAMD
Aug 14 10:01:22 linux-template kernel: Hygon HygonGenuine
Aug 14 10:01:22 linux-template kernel: Centaur CentaurHauls
Aug 14 10:01:22 linux-template kernel: zhaoxin Shanghai
Aug 14 10:01:22 linux-template kernel: BIOS-provided physical RAM map:
Aug 14 10:01:22 linux-template kernel: BIOS-e820: [mem 0x0000000000000000-0x00000000>
Aug 14 10:01:22 linux-template kernel: BIOS-e820: [mem 0x000000000009fc00-0x00000000>
Aug 14 10:01:22 linux-template kernel: BIOS-e820: [mem 0x00000000000f0000-0x00000000>
Aug 14 10:01:22 linux-template kernel: BIOS-e820: [mem 0x0000000000100000-0x00000000>
Aug 14 10:01:22 linux-template kernel: BIOS-e820: [mem 0x000000007ffd4000-0x00000000>
Aug 14 10:01:22 linux-template kernel: BIOS-e820: [mem 0x00000000b0000000-0x00000000>
Aug 14 10:01:22 linux-template kernel: BIOS-e820: [mem 0x00000000fed1c000-0x00000000>
Aug 14 10:01:22 linux-template kernel: BIOS-e820: [mem 0x00000000feffc000-0x00000000>
Aug 14 10:01:22 linux-template kernel: BIOS-e820: [mem 0x00000000fffc0000-0x00000000>
Aug 14 10:01:22 linux-template kernel: BIOS-e820: [mem 0x0000000100000000-0x00000001>
Aug 14 10:01:22 linux-template kernel: NX (Execute Disable) protection: active
Aug 14 10:01:22 linux-template kernel: APIC: Static calls initialized
Aug 14 10:01:22 linux-template kernel: SMBIOS 2.8 present.
......(补充:这里查看的 BOOT ID 是 d842be174b26429c84b6c21d8c457ca0)
https://www.sysgeek.cn/linux-reboot-history