In the following article we will look at aureport. This is a tool that produces summary reports from the system's audit logs. The tool can also take its input from stdin, as long as that input is raw log data. The reports carry a column label at the top to help interpret the different fields. Except for the main summary report, every report includes the audit event number.
The reports generated by aureport can be used as building blocks for more complex analyses. In reality it is not a difficult command; it is very easy to use. By the end of this post I think we will all know a little more about the ways this command can be used to generate reports from our system.
Installing aureport
To install this tool on our Ubuntu we will need to install auditd. This is the user-space component of the Gnu/Linux audit system. Once it is installed we will be able to view the logs with the ausearch or aureport utilities. The auditd daemon allows the Gnu/Linux system administrator to obtain the security audit information generated by the kernel, filter it, and store it in files.
To perform the installation, which I will do in this example on Ubuntu 17.10, we only have to type the following command in the terminal (Ctrl + Alt + T):
sudo apt install auditd
With this we will have everything we need installed and we will be able to use the tool from the terminal. If you are not using the root account, you will have to prefix every command with sudo.
Using aureport
Let's start with the summary report, which gives us the number of the main elements of the report. Remember that not all reports have a summary we can use. If we want to obtain the summary report that aureport can give us, we will have to run the following command in the terminal (Ctrl + Alt + T). The summary report is generated as a result:
aureport
In case you want to generate the authentication report, we will have to run the command using the au option. In the terminal we will have to write it as follows:
aureport -au
The command can also show us the executable report for our system. To obtain this report we will have to run the command with the x option in our terminal:
aureport -x
To select only failed events for processing in the reports, we will have to add the failed option. By default both successful and failed events are included. We will have to write the command as shown below:
aureport --failed
If what we want to see is the login report, we will have to run the command using the l option, as shown below:
aureport -l
Viewing the crypto report is also possible if we use the command with the cr option, as you can see below:
aureport -cr
We can also check our account modification report. We only have to add the m option. The command should be run as follows:
aureport -m
To see the PID report, we only have to add the p option to the command, as shown below:
aureport -p
In addition, we can see the system call (Syscall) report using the s option. We can run the command in the following way:
aureport -s
To view the report of successful events, we only have to run the command adding the success option to it:
aureport --success
To finish, we can see the options available for this command. Just add the help option to the aureport command. We will have to write it in the terminal as shown below:
aureport --help
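As an added example that is not part of the original article or of the audit project's own tooling, here is a small POSIX shell wrapper that composes the aureport invocations shown above (a report option plus the --failed or --success filter) and runs a short daily triage with them. The report labels (summary, auth, login, and so on) and the RAW_LOG variable are conventions of this script, not aureport options; the script assumes auditd is installed and that it is run as root or through sudo.

```shell
#!/bin/sh
# Added example (not from the article): compose and run the aureport
# invocations described in the post. Assumes auditd is installed and that
# the caller may read the audit log (root or sudo). The report labels and
# RAW_LOG are this script's own conventions.

# Map a report label to the aureport option shown in the post.
# "summary" maps to no option at all (plain "aureport").
report_option() {
    case "$1" in
        summary) echo "" ;;
        auth)    echo "-au" ;;
        exec)    echo "-x" ;;
        login)   echo "-l" ;;
        crypto)  echo "-cr" ;;
        modify)  echo "-m" ;;
        pid)     echo "-p" ;;
        syscall) echo "-s" ;;
        *)       return 1 ;;
    esac
}

# Build the full command line: report label plus an optional filter
# ("failed", "success" or "all"). The default is "all", which is also
# aureport's own default, as the post explains.
aureport_cmd() {
    opt=$(report_option "$1") || return 1
    case "${2:-all}" in
        failed)  filter="--failed" ;;
        success) filter="--success" ;;
        all)     filter="" ;;
        *)       return 1 ;;
    esac
    # Unquoted expansion drops the empty pieces, so "summary all" yields "aureport".
    set -- aureport $opt $filter
    echo "$*"
}

# Run one report. If RAW_LOG names a file, it is fed on stdin (the post notes
# that aureport accepts raw log data that way, which is handy for a log copied
# off another host); otherwise aureport reads the live audit log itself.
run_report() {
    cmd=$(aureport_cmd "$1" "$2") || { echo "unknown report: $1 $2" >&2; return 2; }
    if ! command -v aureport >/dev/null 2>&1; then
        echo "aureport not installed (sudo apt install auditd)" >&2
        return 127
    fi
    if [ -n "${RAW_LOG:-}" ]; then
        $cmd < "$RAW_LOG"
    else
        $cmd
    fi
}

# Daily triage: failed logins and failed authentications are the reports a
# defender checks first; the summary and account-modification reports give
# the surrounding context.
daily_triage() {
    for spec in "summary all" "login failed" "auth failed" "modify all"; do
        set -- $spec
        echo "== $(aureport_cmd "$1" "$2") =="
        run_report "$1" "$2" || true
    done
}

# Run the triage only when invoked as: sh audit_triage.sh run
if [ "${1:-}" = "run" ]; then
    daily_triage
fi
```

Invoke it as `sudo sh audit_triage.sh run` on the live system, or as `RAW_LOG=/path/to/copied/audit.log sh audit_triage.sh run` to report on a raw log taken from elsewhere. Because aureport includes both successful and failed events unless told otherwise, the triage list asks explicitly for the failed login and authentication reports rather than relying on the default.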
Uninstall
To remove this tool from our system, open the terminal (Ctrl + Alt + T) and type in it:
sudo apt remove auditd && sudo apt autoremove
With this we now have a general idea of the scope and use of the aureport command, although this is only a sample. Whoever needs it can find help in the man page. There we will find the same information that our system shows us when we use the man help for the aureport command.