AIX 下audit实战

本文利用audit实现AIX下系统密码修改和文件执行的监控


1. 创建cron定时任务

root下执行crontab -e 并加入如下内容
# 定于每天早上执行 /usr/javaF.org/systemMonitor.sh
30 7 * * * /usr/javaF.org/systemMonitor.sh


2. 编辑/usr/javaF.org/systemMonitor.sh



#!/bin/sh
LOG_PATH=/usr/javaF.org/logs/systemMonitor`date +%Y%m%d`.txt
/usr/sbin/audit shutdown > /dev/null
echo @@systemMonitor@@ SKIP LINES >> $LOG_PATH
/usr/sbin/auditselect -e “event == PASSWORD_Change || event == WAS_STARTSERVER || event == WAS_STOPSERVER || event == WAS_JAVA”  /audit/trail|/usr/sbin/auditpr -h elcrdR -v  >> $LOG_PATH
rm -rf /audit/*
/usr/sbin/audit start > /dev/null
3. 编辑/etc/security/audit/config

  在objects = 加入下行 
    WAS_STARTSERVER,WAS_STOPSERVER    


4. 编辑/etc/security/audit/objects

  加入：

  /usr/IBM/WebSphere/AppServer/profiles/AppSvr01/bin/startServer.sh:
          x = “WAS_STARTSERVER”

  /usr/IBM/WebSphere/AppServer/profiles/AppSvr01/bin/stopServer.sh:
          x = “WAS_STOPSERVER”


5 编辑/etc/security/audit/events

  在* objects (files)下加入：

  *       /usr/IBM/WebSphere/AppServer/profiles/AppSvr01/bin/startServer.sh
          WAS_STARTSERVER = printf “%s”

  *       /usr/IBM/WebSphere/AppServer/profiles/AppSvr01/bin/stopServer.sh
          WAS_STOPSERVER = printf “%s”
6.启动audit

/usr/sbin/audit start


7. 附java解析日志代码

 

package org.javaf.system.monitor;

import java.text.DateFormat;
import java.text.SimpleDateFormat;
import java.util.Locale;

import org.javaf.common.utils.ReadTextFile;
import org.javaf.common.utils.WriteTextFile;

public class AixServerMonitor extends AbstractCommonMonitor {
	public static DateFormat aixDateFormat = new SimpleDateFormat("dd MMM yyyy",Locale.US);
	protected void getReport(ReadTextFile rt ,WriteTextFile wtm,WriteTextFile wtd){
		String line;
		while((line = rt.readLine()) != null) {
			if(line.startsWith("@@systemMonitor@@ SKIP LINES")) {
				this.skipLine(rt, 2);
				continue;
			}
			line = line.replaceAll("\\s+", " ");
			String contents[] = line.split(" ");
			if(contents.length < 9)
				continue;
			String dStr = this.dateStr;
//			String user = contents[3];
			try {
				//new SimpleDateFormat("dd MMM yyyy",Locale.US).parse(contents[4] + " "+ contents[5]+" "+ contents[6]);
				dStr = DEFAULT_FORMATE.format(aixDateFormat.parse(contents[4] + " "+ contents[5]+" "+ contents[6]));
			}
			catch(Exception e) {
				e.printStackTrace();
			}
			String outline = dStr + "|"+ip;
			if("PASSWORD_Change".equals(contents[0])) {
				outline += "|修改" + rt.readLine().trim()+"密码|"+contents[3]+"|1";
				wtm.println(outline);
			}
			else if("WAS_STARTSERVER".equals(contents[0])) {
				outline += "|启动应用服务器|"+contents[3]+"|1";
				rt.readLine();
				wtm.println(outline);
				wtd.println(outline);
			}
			else if("WAS_STOPSERVER".equals(contents[0])) {
				outline += "|停止应用服务器|"+contents[3]+"|1";
				rt.readLine();
				wtm.println(outline);
				wtd.println(outline);
			} 
		}
	}

}