I want to monitor all modifications made to files on a Linux server.
During some research I found the audit tool, which I installed and configured with the following commands:
yum install audit # installation
/etc/init.d/auditd start # started service
auditctl -w /root/file-name -p war -k password-file # configured rule to audit file
ausearch -f /root/file-name # Command to search modifications
It logs all modifications made to the specific file.
Everything was fine until I ran into the following cases.
Case 1: I deleted the audited file from the server itself using the following command:
rm -rf /root/file-name
The log was as follows:
type=SYSCALL msg=audit(1540222267.321:1057): arch=c000003e syscall=2 success=yes exit=3 a0=7ffe22abf91a a1=941 a2=1b6 a3=7ffe22abed70 items=2 ppid=21053 pid=42458 auid=14628 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=5 comm="touch" exe="/bin/rm" key="password-file"
Case 2: I deleted the file from a remote server using the following command:
ssh cl14470 "echo 'rm -rf /root/chaithu'|sudo su - root"
The log was as follows:
type=SYSCALL msg=audit(1540222588.196:1118): arch=c000003e syscall=263 success=yes exit=0 a0=ffffffffffffff9c a1=ce70c0 a2=0 a3=7fff52a6af40 items=2 ppid=42520 pid=42533 auid=14628 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=9 comm="rm" exe="/bin/rm" key="password-file"
Now the point that confuses me is why tty is logged as none when I execute the command remotely.
I have searched the web for this, but unfortunately I could not find anything that resolves my confusion.
Can someone explain why it is logged as tty=(none) in case 2?
Solution:
Because that is how the command was executed: without any controlling tty.
You did not pass the -t option to ssh, and when invoked with a command argument, as in your case (ssh cl14470 "echo …"), ssh does not allocate a pseudo-terminal by default.
This is the default behaviour described in the ssh(1) manual page:
When the user's identity has been accepted by the server, the server
either executes the given command in a non-interactive session or, if no
command has been specified, logs into the machine and gives the user a
normal shell as an interactive session. All communication with the
remote command or shell will be automatically encrypted.

If an interactive session is requested ssh by default will only request a
pseudo-terminal (pty) for interactive sessions when the client has one.
The flags -T and -t can be used to override this behaviour.
So, by default, ssh will only allocate a pseudo-terminal on the remote machine if a) it is run without a 'command' argument, and b) the stdin of the ssh client on the local machine is a tty.
The -t option forces ssh to allocate a pseudo-tty, while the -T option forces it not to allocate one, regardless of the other factors.