Linux Incident Response and Risk Investigation Approach

I. Investigation approach

Reference questions:
- What time did it happen? What was observed? Has the event been confirmed as real?
- Which Linux distribution? Have system commands been replaced? Has the integrity of the system commands been checked?
- What handling has already been done? What is the current state?
- Which hosts are affected? What could cause the observed behaviour? What traces might it leave?
- Are security devices or products deployed? Are there related records (logs, alerts)?
- What is the network architecture? Can an account and password be provided to log in to the affected hosts?
- Were there known vulnerabilities, weak passwords, databases, middleware or high-risk open ports?

II. Investigation items

1. Accounts

Abnormal accounts:
    cat /etc/passwd
    cat /etc/shadow
Pay attention to the modification time of both files and to accounts whose UID and GID are 0:
    grep 0 /etc/passwd
(Screenshot in the original: ls -l /etc/passwd /etc/shadow and id root, returning uid=0(root) gid=0(root) groups=0(root).)

Privileged users (UID 0):
    awk -F: '$3==0 {print $1}' /etc/passwd
Users with root/sudo/su rights:
    more /etc/sudoers | grep -v "^#\|^$" | grep "ALL=(ALL)"
Users able to log in remotely (shadow entries whose password field contains a $1$ or $6$ hash):
    awk '/\$1|\$6/{print $1}' /etc/shadow
Accounts with an empty password:
    awk -F: 'length($2)==0 {print $1}' /etc/shadow

Login information:
- who: information about the currently logged-in users
- w: list of logged-in users, system information and the commands they are running
- uptime: number of users, login duration and system load
- whoami: user name associated with the current effective user ID
- lastlog: last login time of every user
- last: login/logout history of all users plus system boot, reboot and shutdown events
- lastb: list of failed logins
(Screenshots in the original: output of whoami --help, who am i, who --help, uptime, w, lastlog and last on the host "vultr".)
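The account checks above, as an added shell example that is not part of the original document: it wraps the same passwd, shadow and sudoers tests in functions and runs them over constructed sample files (every name and hash below is made up). It generalizes the remote-login check to any password field beginning with "$" instead of only $1$/$6$.

```shell
#!/bin/sh
# Added example, not from the original document. Account triage over copies of
# /etc/passwd, /etc/shadow and /etc/sudoers; pass the real paths on a live host.

uid0_accounts() {            # every account with UID 0, not just "root"
    awk -F: '$3 == 0 { print $1 }' "$1"
}

empty_password_accounts() {  # shadow entries whose password field is empty
    awk -F: 'length($2) == 0 { print $1 }' "$1"
}

password_set_accounts() {    # field 2 starts with "$": a hash is set, so the
    awk -F: '$2 ~ /^\$/ { print $1 }' "$1"   # account can log in ("!"/"*" = locked)
}

sudo_all_accounts() {        # ALL=(ALL) grants outside comments and blank lines
    # Caveat: "#include"/"#includedir" lines are dropped too, so check
    # /etc/sudoers.d separately.
    grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$' | grep 'ALL=(ALL' | awk '{ print $1 }'
}

# Constructed sample files (hashes are placeholders, not real digests).
setup_samples() {
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
backup:x:0:0::/root:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$placeholder$placeholderhash:18000:0:99999:7:::
bin:*:18000:0:99999:7:::
backup::18000:0:99999:7:::
alice:$1$placeholder$placeholderhash:18000:0:99999:7:::
EOF
    cat > "$d/sudoers" <<'EOF'
# Allow root to run any commands anywhere
root    ALL=(ALL)       ALL
%wheel  ALL=(ALL)       ALL
alice   ALL=(ALL)       NOPASSWD: ALL
EOF
    echo "$d"
}

triage() {                   # one report for a directory holding the three files
    echo "UID 0 accounts:";            uid0_accounts "$1/passwd"
    echo "Empty passwords:";           empty_password_accounts "$1/shadow"
    echo "Password set (can log in):"; password_set_accounts "$1/shadow"
    echo "sudo ALL=(ALL):";            sudo_all_accounts "$1/sudoers"
}

triage "$(setup_samples)"
```

On the sample data the second UID-0 account "backup" also has an empty password, which is exactly the combination these checks are meant to surface.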
2. Ports, processes and network connections

Ports and network connections:
    netstat -anltp | grep <pid/port/string>
(Screenshot in the original: netstat --help output.)

Abnormal processes:
    ps aux | grep <PID>
    ps -ef | grep <PID>
(Screenshots in the original: ps --help all output and a top listing.)

Interactive top keys:
- M: sort the process list by memory usage
- N: sort the process list by PID
- P: sort the process list by CPU usage
- h: help
(Screenshot in the original: the top help screen and its field descriptions.)

Executable path behind a PID:
    ls -la /proc/<PID>/exe
    file /proc/<PID>/exe
(Screenshot in the original: netstat -anltp showing a python process, PID 3316, listening on 0.0.0.0:55555 with several established connections, and file /proc/3316/exe resolving to a symbolic link to /usr/bin/python2.7.)

Hidden processes (PIDs present in /proc but not reported by ps):
    ps -ef | awk '{print $2}' | sort -n | uniq > 1
    ls /proc | sort -n | uniq > 2
    diff 1 2

Files opened by a process:
    lsof -p <PID>
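The ps-versus-/proc comparison above, as an added shell example that is not part of the original document: the diff is done in awk so it works on saved snapshots, and the constructed snapshots below (file contents are made up) contain one PID that /proc knows but ps does not.

```shell
#!/bin/sh
# Added example, not from the original document. A process hidden from ps still
# has a numeric /proc entry, so the check diffs the two PID lists. Both inputs
# are files so the comparison can be shown on constructed snapshots; run_live()
# takes them from the running host.

hidden_pids() {              # $1: saved "ps -ef" output, $2: saved "ls /proc" output
    # Pass 1 remembers the PID column of every ps line except the header;
    # pass 2 prints numeric /proc entries that ps never reported.
    awk 'NR == FNR { if (FNR > 1) seen[$2] = 1; next }
         /^[0-9]+$/ && !($1 in seen) { print $1 }' "$1" "$2" | sort -n
}

run_live() {                 # snapshot the real host and compare
    d=$(mktemp -d)
    ps -ef > "$d/ps"
    ls /proc > "$d/proc"
    # Caveat: processes that start or exit between the two snapshots (including
    # ps and ls themselves) appear as transient differences; repeat the check
    # and only treat PIDs that persist across runs as suspicious.
    hidden_pids "$d/ps" "$d/proc"
}

setup_samples() {            # constructed snapshots: PID 4242 is absent from ps
    d=$(mktemp -d)
    cat > "$d/ps" <<'EOF'
UID        PID  PPID  C STIME TTY          TIME CMD
root         1     0  0 Jul24 ?        00:00:13 /usr/lib/systemd/systemd
root         2     0  0 Jul24 ?        00:00:00 [kthreadd]
root      3316     1  0 Jul24 ?        00:00:05 /usr/bin/python2.7 ssserver
EOF
    printf '%s\n' 1 2 3316 4242 acpi cpuinfo meminfo self sys > "$d/proc"
    echo "$d"
}

d=$(setup_samples)
echo "PIDs in /proc but not in ps:"
hidden_pids "$d/ps" "$d/proc"     # prints 4242
```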
(Screenshot in the original: lsof -p 18679 showing an ssserver process whose cwd is /root/shadowsocks-master (deleted), whose txt is /usr/bin/python2.7, and which has libssl and libcrypto mapped.)

3. History

    history        (lists all recorded commands)
Also check the history file under the user's home directory (e.g. /root).

4. Services and startup items

System services:
    service --status-all
    ps aux
    netstat -anlp
    cd /etc/init.d
    ls -alt
(Screenshot in the original: ls -la /etc/init.d listing functions, netconsole, network, README and a shadowsocks script dated Jul 20.)

    yum install ntsysv
    ntsysv         (an asterisk marks services that start at boot)
    chkconfig --list
(Screenshot in the original: chkconfig --list | grep shadowsocks returning "shadowsocks 0:off 1:off 2:on 3:on 4:on 5:on 6:off", with the note that this output shows SysV services only: use systemctl list-unit-files to list systemd services and systemctl list-dependencies [target] to see the services enabled on a particular target. chkconfig --help output follows.)

Runlevels:

Runlevel | Name | Description
0 | Halt | Shuts down the system
1 | Single-user mode | Mode for administrative tasks (comparable to Windows safe mode)
2 | Multi-user mode | Does not configure network interfaces and does not export network services
3 | Multi-user mode with networking | Starts the system normally
4 | Not used / user-definable | For special purposes
5 | Multi-user mode with networking and GUI | Starts the system normally with the appropriate display manager; same as runlevel 3 + display manager
6 | Reboot | Reboots the system

(Screenshot in the original: chkconfig --list for netconsole, network and shadowsocks; netconsole is off in every runlevel, network and shadowsocks are on in runlevels 2 to 5.)

Current runlevel:
    runlevel

Boot-time startup configuration files:
    /etc/rc.local
    /etc/rc.d/rc.local
    /etc/rc.d/rc[0-6].d
(Screenshot in the original: cd /etc; find -iname "rc*"; ls /etc/rc.d listing init.d, rc0.d to rc6.d and rc.local.)

Services started at boot:
    chkconfig --list | grep "3:on\|5:on"

5. Scheduled tasks

    crontab -u root -l
    cat /etc/crontab
    ls /etc/cron.*
(Screenshots in the original: crontab usage, crontab -u root -l returning "no crontab for root", the default /etc/crontab with its SHELL/PATH/MAILTO header and job-definition comment, and ls /etc/cron* listing cron.deny, cron.d (0hourly, clamav-update), cron.daily (logrotate, man-db.cron), cron.hourly (0anacron), cron.monthly and cron.weekly.)

6. Abnormal files and directories
Check the /tmp directory for abnormal files:
    ls -alt /tmp/

Check the cron files for malicious scripts:
    /var/spool/cron/*
    /etc/crontab
    /etc/cron.d/*
    /etc/cron.daily/*
    /etc/cron.hourly/*
    /etc/cron.monthly/*
    /etc/cron.weekly/
    /etc/anacrontab
    /var/spool/anacron/*

Find system files modified or accessed within a time window.
Modified:
    find /etc/ /usr/bin/ /usr/sbin/ /bin/ /usr/local/bin/ -type f -mtime 0
Accessed:
    find /tmp -iname "*" -atime 1 -type f

-type values: f regular file, l symbolic link, d directory, c character device, b block device, s socket, p FIFO.

Timestamps:
- modify time (-mtime): the file content was changed; mtime, ctime and atime change.
- change time (-ctime): file attributes or permissions were changed; ctime and atime change.
- access time (-atime): a command or application read/accessed the file; atime changes.
- -mtime 0: files modified within the last 24 hours
- -mtime 1: files modified 24 to 48 hours ago
- -mtime 2: files modified 48 to 72 hours ago

stat shows a file's status information.
(Screenshots in the original: stat --help, and stat /usr/local/bin/ showing size, blocks, inode, access mode 0755/drwxr-xr-x, owner root, and the Access/Modify/Change timestamps of 2019-08-05.)
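The -mtime windows described above, as an added shell example that is not part of the original document: it creates files of known age with GNU touch (assumed available) and shows which -mtime value each one matches, plus the -N form for "less than N days". The directory and file names are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original document. Shows how find's -mtime N
# buckets work (N*24h up to (N+1)*24h ago) on files whose timestamps are set
# to known ages with GNU touch. Directory and file names are constructed.

make_aged_files() {          # files 1h, 30h and 60h old; prints the directory
    d=$(mktemp -d)
    now=$(date +%s)
    touch -d "@$((now - 1 * 3600))"  "$d/recent.sh"
    touch -d "@$((now - 30 * 3600))" "$d/yesterday.sh"
    touch -d "@$((now - 60 * 3600))" "$d/older.sh"
    echo "$d"
}

modified_in_window() {       # $1: directory, $2: N as in -mtime N
    # find truncates the age to whole days, so 30h counts as 1 and 60h as 2
    find "$1" -type f -mtime "$2" | sed 's#.*/##' | sort
}

modified_within_days() {     # $1: directory, $2: N; -mtime -N = less than N days
    find "$1" -type f -mtime -"$2" | sed 's#.*/##' | sort
}

# The document's own check, parameterised by the window; on a live host run
# e.g. recently_modified_binaries 0 for the last 24 hours.
recently_modified_binaries() {
    find /etc/ /usr/bin/ /usr/sbin/ /bin/ /usr/local/bin/ -type f -mtime "$1" 2>/dev/null
}

d=$(make_aged_files)
echo "-mtime 0:";  modified_in_window "$d" 0     # recent.sh
echo "-mtime 1:";  modified_in_window "$d" 1     # yesterday.sh
echo "-mtime 2:";  modified_in_window "$d" 2     # older.sh
echo "-mtime -2:"; modified_within_days "$d" 2   # recent.sh yesterday.sh
```

Note that -mtime 1 alone misses a file changed 23 hours ago and one changed 49 hours ago; when the incident time is uncertain, widen the window with -mtime -N rather than querying a single bucket.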
Check whether command binaries have been replaced: sort by time and cross-check against the RPM database:
    ls -alt /usr/bin /usr/sbin /bin /usr/local/bin
    rpm -Va > rpm.log

Check whether file attributes have changed: lsattr displays file attributes, chattr changes them.
View the attributes of a file:
    lsattr <directory/file>
Use chattr to keep a critical system file from being modified:
    chattr +i <directory/file>
Commands that operate on the file then report "Operation not permitted", and editing it in vim warns "W10: Warning: Changing a readonly file". To modify the file again, remove the i attribute:
    chattr -i <directory/file>
Make a file append-only (data can be added but not deleted), which suits log files:
    chattr +a <directory/file>

7. Vulnerabilities

Weak passwords, unauthorized access, web vulnerabilities, system vulnerabilities.

8. Logs

Log files:
    /var/log/syslog
    /var/log/messages
    /var/log/auth.log
    /var/log/secure
    /var/log/boot.log
    /var/log/maillog
    /var/log/mail.log
    /var/log/kern
    /var/log/dmesg
    /var/log/faillog
    /var/log/cron
    /var/log/daemon.log
    /var/log/btmp
    /var/log/utmp
    /var/log/wtmp
    /var/log/lastlog
    /var/log/yum.log
    /var/log/httpd
    /var/log/mysqld.log
    /var/log/mysql.log
    /var/log/pureftp.log
    /var/log/spooler
    /var/log/xferlog

Descriptions:
- /var/log/syslog, /var/log/messages: general system messages and information
- /var/log/auth.log, /var/log/secure: authentication log of successful and failed logins and of the authentication process
- /var/log/boot.log: boot messages and startup information
- /var/log/maillog, /var/log/mail.log: mail server logs, for postfix and smtpd running on the server