内容简介:本文风哥教程参考Linux官方文档、Red Hat Enterprise Linux官方文档、Ansible Automation Platform官方文档、Docker官方文档、Kubernetes官方文档和Podman官方文档等内容,详细介绍了相关技术的配置和使用方法。
风哥提示:
本文档介绍Linux安全审计实战案例。
Part01-用户行为审计
1.1 配置命令审计
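[root@fgedu-audit ~]# cat >> /etc/profile << 'EOF'
# Command auditing configuration (appended to /etc/profile, so it applies
# to every login shell that reads that file).
export HISTSIZE=10000
export HISTFILESIZE=20000
export HISTTIMEFORMAT="%F %T $(whoami) "
# One history file per user per day, under the shared directory created below.
export HISTFILE=/var/log/history/.history_$(whoami)_$(date +%Y%m%d)
# Record each command: flush it to HISTFILE and send the last entry to syslog.
# NOTE(review): this runs inside the user's own shell, so that user can change
# or disable it; treat it as a convenience trail and keep the auditd rule set
# as the tamper-resistant record.
PROMPT_COMMAND='history -a; history -n; logger -p local0.notice "USER=$(whoami) PID=$$ CMD=$(history 1 | sed "s/^[ ]*[0-9]\+[ ]*//")"'
EOF
# Create the history log directory
[root@fgedu-audit ~]# mkdir -p /var/log/history
# Every user must be able to create a file here, but the sticky bit (1xxx)
# stops users from deleting or renaming each other's history files, which a
# plain 777 directory permits. A shared directory still lets any user create
# arbitrary names in it; per-user subdirectories owned by each account would
# close that gap.
[root@fgedu-audit ~]# chmod 1777 /var/log/history
# Configure rsyslog to capture the local0 messages emitted by PROMPT_COMMAND
[root@fgedu-audit ~]# cat > /etc/rsyslog.d/history.conf << 'EOF'
local0.notice /var/log/history.log
EOF
[root@fgedu-audit ~]# systemctl restart rsyslog
# View the command history
[root@fgedu-audit ~]# cat /var/log/history.log
Apr 4 23:00:00 fgedu-audit root: USER=root PID=12345 CMD=ls -la
Apr 4 23:00:05 fgedu-audit root: USER=root PID=12345 CMD=cat /etc/passwd
Apr 4 23:00:10 fgedu-audit root: USER=root PID=12345 CMD=systemctl status nginx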
Part02-文件访问审计
2.1 配置文件审计
[root@fgedu-audit ~]# cat > /etc/audit/rules.d/file-audit.rules << 'EOF'
## Sensitive file monitoring
## -p wa = write + attribute change; plain reads are not recorded unless 'r'
## is added to -p.
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k privilege
-w /etc/ssh/sshd_config -p wa -k ssh
## Key directory monitoring
## NOTE(review): the files above are also inside the /etc/ watch; check which
## key(s) the resulting events carry before building alerts on them.
## NOTE(review): /var/log/ with -p wa fires on every syslog write (including
## /var/log/history.log from Part01) - confirm audit log capacity first.
-w /etc/ -p wa -k config_change
-w /var/log/ -p wa -k log_access
-w /home/ -p wa -k home_access
## Executable monitoring
-w /usr/bin/ -p wa -k binary_change
-w /usr/sbin/ -p wa -k binary_change
-w /bin/ -p wa -k binary_change
-w /sbin/ -p wa -k binary_change
## Syscall monitoring
## arch=b64 only: 32-bit (arch=b32) calls are not covered by these two rules.
## auid>=1000 with auid!=unset limits them to sessions of regular users.
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=unset -k file_delete
## Only EACCES is matched; failed opens that return EPERM are not recorded
## under access_denied.
-a always,exit -F arch=b64 -S openat -F exit=-EACCES -F auid>=1000 -F auid!=unset -k access_denied
EOF
# Restart auditd
# auditd's unit refuses a manual systemctl stop, so the restart goes through
# `service`; the "Redirecting" line below is the start being handed back to
# systemd.
[root@fgedu-audit ~]# service auditd restart
Stopping logging: [ OK ]
Redirecting start to systemctl
Starting logging: [ OK ]
# View the audit log (events tagged with the "identity" key)
[root@fgedu-audit ~]# ausearch -k identity | tail -10
----
time->Sat Apr 4 23:00:00 2026
type=PROCTITLE msg=audit(1712246400.123:456): proctitle=636174002F6574632F706173737764
type=PATH msg=audit(1712246400.123:456): item=0 name="/etc/passwd" inode=123456 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1712246400.123:456): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd12345678 a2=0 a3=0 items=1 ppid=1234 pid=5678 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=1 comm="cat" exe="/usr/bin/cat" key="identity"
Part03-网络审计
3.1 网络连接审计
[root@fgedu-audit ~]# yum install -y iptables-services conntrack-tools
# Configure iptables logging (conntrack-tools is installed here but not used
# by the steps below)
[root@fgedu-audit ~]# cat > /etc/sysconfig/iptables << 'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
# Log new connections
# NOTE(review): no rate limit, so every new connection produces a log line;
# on an exposed host add -m limit to these two rules so a burst of
# connections cannot fill the disk or the log pipeline.
-A INPUT -m state --state NEW -j LOG --log-prefix "IPTables-Input: " --log-level 4
-A OUTPUT -m state --state NEW -j LOG --log-prefix "IPTables-Output: " --log-level 4
# Log SSH connections
# LOG is non-terminating, so a new SSH connection has already matched the
# INPUT rule above and is logged twice (once per prefix).
-A INPUT -p tcp --dport 22 -m state --state NEW -j LOG --log-prefix "SSH-Connection: "
# Log abnormal traffic
# Log only: the chain policy is ACCEPT, so these packets are recorded but
# not dropped.
-A INPUT -p tcp --tcp-flags ALL NONE -j LOG --log-prefix "NULL-Scan: "
-A INPUT -p tcp --tcp-flags ALL ALL -j LOG --log-prefix "XMAS-Scan: "
COMMIT
EOF
[root@fgedu-audit ~]# systemctl restart iptables
# 创建网络审计脚本
[root@fgedu-audit ~]# cat > /usr/local/bin/network-audit.sh << 'EOF'
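#!/bin/bash
# network-audit.sh
# from:www.itpux.com.qq113257174.wx:itpux-com
# web: http://www.fgedu.net.cn
#
# Prints a short network audit report to stdout: listening sockets, per-peer
# connection counts, established connections to non-local peers, recent scan
# log lines and SSH login sources. Read-only; needs root to read
# /var/log/messages and /var/log/secure.

# Print a section title followed by the separator line.
section() {
  echo "$1"
  echo "----------------------------------------"
}

echo "=== 网络审计报告 ==="
echo "审计时间: $(date)"
echo ""
section "1. 活跃网络连接"
ss -tuln | head -20
echo ""
section "2. 外部连接统计"
# Peer address:port is column 5 in the unfiltered listing; NR>1 skips the
# header so "Peer" is not counted as a host. Splitting on ':' keeps the
# address part for IPv4 peers.
ss -tn | awk 'NR>1 {print $5}' | cut -d: -f1 | sort | uniq -c | sort -rn | head -10
echo ""
section "3. 可疑连接"
# With a state filter ss omits the State column, so the peer is column 4
# here (not 5 as above). Dots are escaped so the exclusion matches the
# literal loopback and LAN prefixes.
ss -tn state established | awk 'NR>1 {print $4}' | grep -vE '127\.0\.0\.1|192\.168\.1' | head -10
echo ""
section "4. 端口扫描检测"
grep "Scan:" /var/log/messages | tail -5
echo ""
section "5. SSH登录统计"
# Take the token after "from" rather than a fixed column, so log lines with a
# different field count still yield the source address.
grep "Accepted" /var/log/secure | awk '{for (i = 1; i < NF; i++) if ($i == "from") print $(i + 1)}' | sort | uniq -c | sort -rn | head -5
echo ""
echo "=== 审计完成 ==="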
EOF
[root@fgedu-audit ~]# chmod +x /usr/local/bin/network-audit.sh
Part04-审计报告生成
4.1 自动化审计报告
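[root@fgedu-audit ~]# cat > /usr/local/bin/audit-report.sh << 'EOF'
#!/bin/bash
# audit-report.sh
# from:www.itpux.com.qq113257174.wx:itpux-com
# web: http://www.fgedu.net.cn
#
# Writes a daily security audit summary (logins, privileged commands, denied
# file access, config changes, SUID/SGID counts, empty-password accounts) to
# /var/log/audit-report-YYYYMMDD.txt and prints that path. Must run as root:
# it reads /var/log/secure, the audit log and /etc/shadow.

# The report lists account names and failed-login sources; make the file
# readable by root only instead of inheriting the default umask.
umask 077

REPORT_FILE="/var/log/audit-report-$(date +%Y%m%d).txt"

# Print a section title followed by the separator line.
section() {
  echo "$1"
  echo "----------------------------------------"
}

# One redirection for the whole report instead of an append per line.
{
  echo "=== 系统安全审计报告 ==="
  echo "生成时间: $(date)"
  echo ""
  section "1. 用户登录审计"
  echo "成功登录:"
  grep "Accepted" /var/log/secure | tail -10
  echo ""
  echo "失败登录:"
  grep "Failed" /var/log/secure | tail -10
  echo ""
  section "2. 特权命令使用"
  # ausearch reports "no matches" on stderr; it is dropped so an empty
  # section is written instead of an error line.
  ausearch -k privilege 2>/dev/null | tail -10
  echo ""
  section "3. 文件访问异常"
  ausearch -k access_denied 2>/dev/null | tail -10
  echo ""
  section "4. 配置变更记录"
  ausearch -k config_change 2>/dev/null | tail -10
  echo ""
  section "5. 系统安全检查"
  echo "SUID文件:"
  find / -perm -4000 -type f 2>/dev/null | wc -l
  echo "SGID文件:"
  find / -perm -2000 -type f 2>/dev/null | wc -l
  echo "空密码账户:"
  awk -F: '($2 == "") {print $1}' /etc/shadow | wc -l
  echo ""
  echo "=== 报告结束 ==="
} > "$REPORT_FILE"

echo "审计报告已生成: $REPORT_FILE"
EOF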
[root@fgedu-audit ~]# chmod +x /usr/local/bin/audit-report.sh
# Run the audit report
[root@fgedu-audit ~]# /usr/local/bin/audit-report.sh
审计报告已生成: /var/log/audit-report-20260404.txt
# Schedule the report daily at 06:00 as root
# (a file under /etc/cron.d/<name> takes the same minute-hour-dom-mon-dow-user
# -command format and keeps the entry separate from the packaged /etc/crontab)
[root@fgedu-audit ~]# cat >> /etc/crontab << 'EOF'
0 6 * * * root /usr/local/bin/audit-report.sh
EOF
- 配置全面的审计规则
- 监控用户行为和特权操作
- 记录文件访问和变更
- 审计网络连接
- 定期生成审计报告
本文由风哥教程整理发布,仅用于学习测试使用,转载注明出处:http://www.fgedu.net.cn/10327.html
