

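#!/bin/bash
# setup_mp10_client.sh - автоматическая настройка клиента для отправки логов в MP10 Agent (10.8.10.25)
#
# Configures auditd, the audisp syslog plugin and syslog-ng so that audit
# events (emitted on facility local6) and ordinary syslog traffic are
# forwarded to the MP10 Agent on UDP/514. Must be run as root.
#
# Environment:
#   MP10_AGENT_IP  address of the MP10 Agent (default: 10.8.10.25)
#
# Every config file that is overwritten gets a timestamped copy next to it
# (<file>.backup_YYYYmmdd_HHMMSS) so the previous state can be restored.
# Prerequisites are checked up front so a missing package does not leave
# the host half-configured.

set -euo pipefail

MP10_AGENT_IP="${MP10_AGENT_IP:-10.8.10.25}"
readonly MP10_AGENT_IP

readonly AUDITD_CONF=/etc/audit/auditd.conf
readonly AUDIT_RULES=/etc/audit/rules.d/00-siem.rules
readonly AUDISP_SYSLOG_CONF=/etc/audisp/plugins.d/syslog.conf
readonly SYSLOG_NG_CONF=/etc/syslog-ng/conf.d/10-siem.conf

BACKUP_SUFFIX=".backup_$(date +%Y%m%d_%H%M%S)"
readonly BACKUP_SUFFIX

#######################################
# Print an error to stderr and exit.
# Arguments: message words
#######################################
die() {
  printf 'ERROR: %s\n' "$*" >&2
  exit 1
}

#######################################
# Copy an existing config file to a timestamped backup before it is
# overwritten. A file that does not exist yet is not an error; a failed
# copy is, because we must not clobber a config we could not save.
# Globals:   BACKUP_SUFFIX (read)
# Arguments: $1 - path of the file about to be overwritten
#######################################
backup_file() {
  local path=$1
  [[ -f "$path" ]] || return 0
  cp -- "$path" "${path}${BACKUP_SUFFIX}" || die "cannot back up $path"
}

echo "=== Настройка клиента для отправки логов в MP10 Agent $MP10_AGENT_IP ==="

# Everything below writes under /etc and restarts services: fail early
# instead of dying on the first 'cat >' with a cryptic permission error.
[[ "${EUID:-$(id -u)}" -eq 0 ]] || die "this script must be run as root"

# All target directories must exist before anything is written; otherwise the
# script could write auditd.conf and the rules, then fail on the plugin file.
# Note: audit 3.x moved plugin configs from /etc/audisp/plugins.d to
# /etc/audit/plugins.d — adjust AUDISP_SYSLOG_CONF on such systems.
for target_dir in "${AUDITD_CONF%/*}" "${AUDIT_RULES%/*}" \
                  "${AUDISP_SYSLOG_CONF%/*}" "${SYSLOG_NG_CONF%/*}"; do
  [[ -d "$target_dir" ]] || die "directory $target_dir not found; install auditd/syslog-ng first"
done

backup_file "$AUDITD_CONF"
backup_file "$AUDIT_RULES"
backup_file "$AUDISP_SYSLOG_CONF"
backup_file "$SYSLOG_NG_CONF"

# NOTE: write_logs = no means auditd keeps no local audit.log. Events then
# exist only in the syslog stream, which is forwarded over plain,
# unacknowledged UDP below — a network outage or a dropped datagram loses
# them with no trace on the host. Keep this in mind when relying on these
# events for investigations.
cat > "$AUDITD_CONF" <<'EOF'
local_events = yes
write_logs = no
log_file = /var/log/audit/audit.log
log_group = adm
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
priority_boost = 4
disp_qos = lossless
dispatcher = /sbin/audispd
name_format = HOSTNAME
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
tcp_listen_queue = 5
tcp_max_per_addr = 1
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
distribute_network = no
EOF

# Audit rule set. The 'never' rules at the top suppress known chatty
# binaries; the 'always' rules key events with pt_siem_* tags that the
# downstream filters rely on. '-F auid!=-1' drops events from processes with
# no login UID (daemons started at boot).
cat > "$AUDIT_RULES" <<'EOF'
# ignore errors
-i
# delete all rules
-D
# for busy systems
-b 8192

# disable kprint
-f 0

--backlog_wait_time 1


##############################
#          Excludes          #
##############################

# exclude paths
-a never,exit -F arch=b64 -S open,openat -F path=/proc/filesystems
-a never,exit -F arch=b32 -S open,openat -F path=/proc/filesystems

# These executable files may produce a large amount of events.
# exclude bins (x64)
-a never,exit -F arch=b64 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,accept,listen,execve,execveat,ptrace,setuid,setgid,setreuid,setregid -F exe=/usr/bin/vmtoolsd
-a never,exit -F arch=b64 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,accept,listen,execve,execveat,ptrace,setuid,setgid,setreuid,setregid -F exe=/usr/sbin/haproxy
-a never,exit -F arch=b64 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,accept,listen,execve,execveat,ptrace,setuid,setgid,setreuid,setregid -F exe=/usr/sbin/cron
-a never,exit -F arch=b64 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,accept,listen,execve,execveat,ptrace,setuid,setgid,setreuid,setregid -F exe=/lib/systemd/systemd-timesyncd
-a never,exit -F arch=b64 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,accept,listen,execve,execveat,ptrace,setuid,setgid,setreuid,setregid -F exe=/usr/lib/systemd/systemd-timesyncd
-a never,exit -F arch=b64 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,accept,listen,execve,execveat,ptrace,setuid,setgid,setreuid,setregid -F exe=/lib/systemd/systemd-logind
-a never,exit -F arch=b64 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,accept,listen,execve,execveat,ptrace,setuid,setgid,setreuid,setregid -F exe=/usr/lib/systemd/systemd-logind
-a never,exit -F arch=b64 -S socket,connect,accept,open,openat -F exe=/usr/bin/zabbix_agentd
-a never,exit -F arch=b64 -S open,openat -F exe=/usr/bin/ps
-a never,exit -F arch=b64 -S open,openat -F exe=/usr/bin/top
-a never,exit -F arch=b64 -S open,openat -F exe=/usr/bin/htop
-a never,exit -F arch=b64 -S open,openat -F exe=/usr/bin/find
-a never,exit -F arch=b64 -S open,openat -F exe=/usr/lib/systemd/systemd

# exclude bins (x32)
-a never,exit -F arch=b32 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,listen,execve,execveat,ptrace,setuid,setgid,setreuid,setregid -F exe=/usr/bin/vmtoolsd
-a never,exit -F arch=b32 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,listen,execve,execveat,setuid,setgid,setreuid,setregid -F exe=/usr/sbin/haproxy
-a never,exit -F arch=b32 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,listen,execve,execveat,ptrace,setuid,setgid,setreuid,setregid -F exe=/usr/sbin/cron
-a never,exit -F arch=b32 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,listen,execve,execveat,ptrace,setuid,setgid,setreuid,setregid -F exe=/lib/systemd/systemd-timesyncd
-a never,exit -F arch=b32 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,listen,execve,execveat,ptrace,setuid,setgid,setreuid,setregid -F exe=/usr/lib/systemd/systemd-timesyncd
-a never,exit -F arch=b32 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,listen,execve,execveat,ptrace,setuid,setgid,setreuid,setregid -F exe=/usr/lib/systemd/systemd-logind
-a never,exit -F arch=b32 -S capset,setxattr,lsetxattr,fsetxattr,settimeofday,adjtimex,clock_settime,socket,connect,accept4,listen,execve,execveat,ptrace,setuid,setgid,setreuid,setregid -F exe=/lib/systemd/systemd-logind
-a never,exit -F arch=b32 -S socket,connect,accept4,open,openat -F exe=/usr/bin/zabbix_agentd
-a never,exit -F arch=b32 -S open,openat -F exe=/usr/bin/ps
-a never,exit -F arch=b32 -S open,openat -F exe=/usr/bin/top
-a never,exit -F arch=b32 -S open,openat -F exe=/usr/bin/htop
-a never,exit -F arch=b32 -S open,openat -F exe=/usr/bin/find
-a never,exit -F arch=b32 -S open,openat -F exe=/usr/lib/systemd/systemd


##############################
#        x64 syscalls        #
##############################

# execute
-a always,exit -F arch=b64 -S execve,execveat -k pt_siem_execve

# network activities
-a always,exit -F arch=b64 -S socket -F a0=0x2 -F a1=0x3 -k pt_siem_api_socket
-a always,exit -F arch=b64 -S socket -F a0=0xA -F a1=0x3 -k pt_siem_api_socket
-a always,exit -F arch=b64 -S socket -F a0=0x2 -F a1=0xA -k pt_siem_api_socket
-a always,exit -F arch=b64 -S socket -F a0=0xA -F a1=0xA -k pt_siem_api_socket
-a always,exit -F arch=b64 -S socket -F a0=0x11 -k pt_siem_api_socket
-a always,exit -F arch=b64 -S connect -F a2=0x10 -k pt_siem_api_connect
-a always,exit -F arch=b64 -S connect -F a2=0x1C -k pt_siem_api_connect
#-a always,exit -F arch=b64 -S accept4 -k pt_siem_api_accept
#-a always,exit -F arch=b64 -S accept -k pt_siem_api_accept
-a always,exit -F arch=b64 -S listen -k pt_siem_api_listen

# file monitoring
-a always,exit -S all -F path=/etc/shadow -F perm=r -F auid!=-1 -k pt_siem_etc_read
-a always,exit -S all -F path=/etc/gshadow -F perm=r -F auid!=-1 -k pt_siem_etc_read
-a always,exit -S all -F path=/etc/passwd -F perm=r -F auid!=-1 -k pt_siem_etc_read
-a always,exit -S all -F path=/etc/group -F perm=r -F auid!=-1 -k pt_siem_etc_read
-a always,exit -S all -F path=/etc/security/opasswd -F perm=r -F auid!=-1 -k pt_siem_etc_read
-a always,exit -S all -F path=/etc/master.passwd -F perm=r -F auid!=-1 -k pt_siem_etc_read
-a always,exit -S all -F path=/etc/spwd.db -F perm=r -F auid!=-1 -k pt_siem_etc_read
-a always,exit -S all -F path=/etc/sudoers -F perm=r -F auid!=-1 -k pt_siem_etc_read
-a always,exit -S all -F dir=/etc/sudoers.d -F perm=r -F auid!=-1 -k pt_siem_etc_read
-a always,exit -S all -F dir=/etc/pam.d -F perm=r -F auid!=-1 -k pt_siem_etc_read
-a always,exit -S all -F dir=/var/log -F perm=wa -F auid!=-1 -k pt_siem_var_log_access
-a always,exit -S all -F dir=/home -F perm=rwa -F auid!=-1 -F auid>=1000 -C auid!=obj_uid -k pt_siem_home_access
-a always,exit -S open,openat -F dir=/proc -F filetype=file -F perm=r -F auid!=-1 -F key=pt_siem_proc
-w /etc -p wa -k pt_siem_etc_modify
-w /root -p rwa -k pt_siem_root_home_access
-w /var/www -p wa -k pt_siem_www_home_access
-w /var/spool/cron -p wa -k pt_siem_cron_modify
-w /var/spool/at -p wa -k pt_siem_cron_modify
-w /bin -p wa -k pt_siem_bin_modify
-w /usr/bin -p wa -k pt_siem_bin_modify
-w /sbin -p wa -k pt_siem_bin_modify
-w /usr/sbin -p wa -k pt_siem_bin_modify
-w /usr/local/bin -p wa -k pt_siem_bin_modify
-w /usr/local/sbin -p wa -k pt_siem_bin_modify
-w /usr/libexec -p wa -k pt_siem_bin_modify
-w /lib -p wa -k pt_siem_lib_modify
-w /lib64 -p wa -k pt_siem_lib_modify
-w /usr/lib -p wa -k pt_siem_lib_modify
-w /usr/lib64 -p wa -k pt_siem_lib_modify
-w /boot -p wa -k pt_siem_boot_modify

# capabilities, xattr, time change
-a always,exit -F arch=b64 -S capset -k pt_siem_api_caps
-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr -k pt_siem_api_xattr
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime -k pt_siem_api_time

# kernel modules, process trace, special permissions
-a always,exit -F arch=b64 -S init_module,delete_module -F auid!=-1 -k pt_siem_api_kernel_mods
-a always,exit -F arch=b64 -S finit_module -F auid!=-1 -k pt_siem_api_kernel_mods
-a always,exit -F arch=b64 -S ptrace -F a0=0x0 -k pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x4 -k pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x5 -k pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x6 -k pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0xd -k pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0xf -k pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x10 -k pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x11 -k pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x13 -k pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x4203 -k pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x4205 -k pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x4206 -k pt_siem_api_ptrace
-a always,exit -F arch=b64 -S ptrace -F a0=0x4207 -k pt_siem_api_ptrace
-a always,exit -F arch=b64 -S setuid,setgid,setreuid,setregid -k pt_siem_api_setuid


##############################
#        x32 syscalls        #
##############################

# execute
-a always,exit -F arch=b32 -S execve,execveat -k pt_siem_execve

# capabilities, xattr, time change
-a always,exit -F arch=b32 -S capset -k pt_siem_api_caps
-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr -k pt_siem_api_xattr
-a always,exit -F arch=b32 -S adjtimex,settimeofday,clock_settime -k pt_siem_api_time

# kernel modules, process trace, special permissions
-a always,exit -F arch=b32 -S init_module,delete_module -F auid!=-1 -k pt_siem_api_kernel_mods
-a always,exit -F arch=b32 -S finit_module -F auid!=-1 -k pt_siem_api_kernel_mods
-a always,exit -F arch=b32 -S ptrace -F a0=0x0 -k pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x4 -k pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x5 -k pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x6 -k pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0xd -k pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0xf -k pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x10 -k pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x11 -k pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x13 -k pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x4203 -k pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x4205 -k pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x4206 -k pt_siem_api_ptrace
-a always,exit -F arch=b32 -S ptrace -F a0=0x4207 -k pt_siem_api_ptrace
-a always,exit -F arch=b32 -S setuid,setgid,setreuid,setregid -k pt_siem_api_setuid
EOF

# audisp plugin: hand every audit record to syslog on facility LOG_LOCAL6,
# which the syslog-ng filter below selects. No shell expansion is needed
# here, so the delimiter is quoted.
cat > "$AUDISP_SYSLOG_CONF" <<'EOF'
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_LOCAL6
format = string
EOF

# Keep journald from also collecting audit records; the socket may already
# be absent or masked, which is fine.
systemctl disable --now systemd-journald-audit.socket 2>/dev/null || true
systemctl mask systemd-journald-audit.socket 2>/dev/null || true
systemctl restart systemd-journald
# Restarting auditd picks up the new auditd.conf; loading of rules.d is
# left to the service's own start-up (augenrules) as in the original.
systemctl restart auditd

# syslog-ng: forward audit (local6) plus info-and-above messages to the agent.
# The delimiter is unquoted on purpose so $MP10_AGENT_IP is expanded; no
# other '$' appears in the config. f_debug and s_src are expected from the
# distribution's stock syslog-ng.conf.
cat > "$SYSLOG_NG_CONF" <<EOF
@define allow-config-dups 1

filter f_audit {
    program("audit")
    or program("audispd")
    or program("audisp-syslog");
};

filter f_messages {
    level(info,notice,warn)
    and not facility(auth,authpriv,cron,daemon,mail,news)
    and not filter(f_audit);
};

filter f_syslog3 {
    not facility(auth, authpriv, mail)
    and not filter(f_debug)
    and not filter(f_audit);
};

filter pt_siem_filter {
    (facility(local6) or priority(info))
    and not facility(mail, lpr, news, uucp, cron);
};

destination siem_agent_udp {
    udp("$MP10_AGENT_IP" port(514));
};

log {
    source(s_src);
    filter(pt_siem_filter);
    destination(siem_agent_udp);
};
EOF

# Validate the merged configuration before restarting: a syntax error (e.g. a
# missing f_debug/s_src on this distribution) would otherwise take the
# running syslog daemon down and stop all log forwarding.
if command -v syslog-ng >/dev/null 2>&1; then
  syslog-ng --syntax-only || die "syslog-ng configuration check failed; restored copy is at ${SYSLOG_NG_CONF}${BACKUP_SUFFIX} (if it existed)"
fi
systemctl restart syslog-ng

echo "=== Настройка завершена. Auditd и syslog-ng перезапущены. ==="
echo "Проверьте статус: systemctl status auditd syslog-ng"
echo "Логи отправляются на $MP10_AGENT_IP:514 (UDP)."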