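#!/bin/bash
# setup_mp10_client.sh - configure a host to ship auditd events to an MP10 agent
#
# Usage: setup_mp10_client.sh <MP10_AGENT_IP> [<audit_rules_file>]
#
# Steps, in order:
#   1. back up the files this script overwrites,
#   2. write /etc/audit/auditd.conf,
#   3. install audit rules (the given file, or a minimal default set),
#   4. stop systemd-journald from consuming the audit netlink socket,
#   5. enable the audisp syslog plugin (facility LOCAL6),
#   6. write a syslog-ng fragment forwarding LOCAL6 to the agent over UDP/514,
#   7. restart auditd and syslog-ng.
#
# Must run as root: every step writes under /etc or restarts services.
#
# Transport caveat: plain UDP syslog is neither encrypted nor authenticated,
# and auditd.conf below sets write_logs = no, so there is no local copy of the
# events - anything dropped on the wire is gone. If the MP10 agent can accept
# syslog over TLS (syslog-ng `syslog(... transport("tls") ...)`), prefer that,
# or keep write_logs = yes as a local fallback.
set -euo pipefail

die() { printf '%s\n' "$*" >&2; exit 1; }

if [ $# -lt 1 ]; then
  echo "Usage: $0 <MP10_AGENT_IP> [<audit_rules_file>]"
  exit 1
fi
AGENT_IP="$1"
RULES_FILE="${2:-}"

# Fail early instead of half-applying the configuration as an unprivileged user.
[ "$(id -u)" -eq 0 ] || die "Ошибка: скрипт нужно запускать от root."

# AGENT_IP is interpolated verbatim into the syslog-ng config; restrict it to
# address/hostname characters so a stray quote or parenthesis cannot become
# config syntax.
case "$AGENT_IP" in
  *[!A-Za-z0-9.:_-]*|"") die "Ошибка: недопустимый адрес агента: '$AGENT_IP'" ;;
esac

# audit 3.x moved the audisp plugin directory from /etc/audisp/plugins.d to
# /etc/audit/plugins.d; a plugin file written to the old path is ignored there.
if [ -d /etc/audit/plugins.d ]; then
  AUDISP_SYSLOG_CONF=/etc/audit/plugins.d/syslog.conf
else
  AUDISP_SYSLOG_CONF=/etc/audisp/plugins.d/syslog.conf
fi
SIEM_RULES=/etc/audit/rules.d/00-siem.rules
SYSLOG_NG_CONF=/etc/syslog-ng/conf.d/10-siem.conf

echo "=== Настройка клиента для отправки логов в MP10 Agent $AGENT_IP ==="

# 1. Back up the files we are about to overwrite. A missing file is not an
#    error (first run on a fresh host); an existing one gets a timestamped copy.
BACKUP_SUFFIX=".backup_$(date +%Y%m%d_%H%M%S)"
backup_file() {
  if [ -f "$1" ]; then
    cp -p -- "$1" "$1$BACKUP_SUFFIX"
  fi
}
backup_file /etc/audit/auditd.conf
backup_file "$AUDISP_SYSLOG_CONF"
backup_file "$SYSLOG_NG_CONF"

# 2. auditd.conf, written as a complete file so the result does not depend on
#    the distro default. Points worth knowing before deploying:
#    - write_logs = no: no local audit.log is kept (see transport caveat above).
#    - dispatcher / disp_qos are audit 2.x keywords; in audit 3.x audispd is
#      built into auditd. NOTE(review): confirm auditd starts cleanly with this
#      file on the target's audit version (`systemctl status auditd`).
#    - The tcp_* / krb5 settings only affect auditd's own remote listener,
#      which stays disabled here (tcp_listen_port is commented out).
echo "Настройка /etc/audit/auditd.conf..."
cat > /etc/audit/auditd.conf <<'EOF'
#
# This file controls the configuration of the audit daemon
#
local_events = yes
write_logs = no
log_file = /var/log/audit/audit.log
log_group = adm
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
priority_boost = 4
disp_qos = lossless
dispatcher = /sbin/audispd
name_format = HOSTNAME
##name = mydomain
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
EOF

# 3. Audit rules. augenrules merges /etc/audit/rules.d/*.rules in name order,
#    so the 00- prefix makes the `-D` / `-b` lines here apply first.
#    A rules file that was named but does not exist is an error: silently
#    falling back to the minimal set would leave a detection gap unnoticed.
if [ -n "$RULES_FILE" ]; then
  [ -f "$RULES_FILE" ] || die "Ошибка: файл правил не найден: $RULES_FILE"
  echo "Копирование правил auditd из $RULES_FILE"
  cp -- "$RULES_FILE" "$SIEM_RULES"
else
  # The default set covers 64-bit execve only; add an `-F arch=b32` twin on
  # hosts that can run 32-bit binaries, and consider ending a production rules
  # file with `-e 2` so the rules cannot be changed without a reboot.
  echo "Файл правил не указан. Создаю базовый набор правил (минимальный)."
  cat > "$SIEM_RULES" <<'EOF'
# Базовые правила для MP10 (упрощённые)
-D
-b 8192
-a always,exit -F arch=b64 -S execve -k pt_siem_execve
-a always,exit -F arch=b64 -S open,openat -F path=/etc/shadow -F perm=r -k pt_siem_etc_read
-w /etc -p wa -k pt_siem_etc_modify
EOF
fi

# 4. journald also listens on the audit netlink multicast group; with its
#    socket masked, auditd is the only consumer and events are not duplicated
#    into the journal. Failures are tolerated: the unit may not exist.
echo "Отключение systemd-journald-audit.socket..."
systemctl disable --now systemd-journald-audit.socket 2>/dev/null || true
systemctl mask systemd-journald-audit.socket 2>/dev/null || true
systemctl restart systemd-journald

# 5. audisp syslog plugin: events are handed to the local syslog daemon at
#    facility LOCAL6, which the syslog-ng filter below keys on.
echo "Настройка $AUDISP_SYSLOG_CONF..."
mkdir -p -- "$(dirname "$AUDISP_SYSLOG_CONF")"
cat > "$AUDISP_SYSLOG_CONF" <<'EOF'
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_LOCAL6
format = string
EOF

# 6. syslog-ng fragment. It relies on names from the distro's main
#    syslog-ng.conf: source `s_src` and filter `f_debug` (Debian/Ubuntu
#    defaults), and redefines `f_messages` / `f_syslog3` to keep audit noise
#    out of the local log files - which is why allow-config-dups is set.
#    NOTE(review): on a distro whose default config names these differently
#    the syntax check below fails and the previous fragment is restored.
echo "Создание $SYSLOG_NG_CONF с IP агента $AGENT_IP..."
cat > "$SYSLOG_NG_CONF" <<EOF
@define allow-config-dups 1
filter f_audit {
program("audit")
or program("audispd")
or program("audisp-syslog");
};
filter f_messages {
level(info,notice,warn)
and not facility(auth,authpriv,cron,daemon,mail,news)
and not filter(f_audit);
};
filter f_syslog3 {
not facility(auth, authpriv, mail)
and not filter(f_debug)
and not filter(f_audit);
};
filter pt_siem_filter {
(facility(local6) or priority(info))
and not facility(mail, lpr, news, uucp, cron);
};
destination siem_agent_udp {
udp("$AGENT_IP" port(514));
};
log {
source(s_src);
filter(pt_siem_filter);
destination(siem_agent_udp);
};
EOF

# Never restart syslog-ng on an unchecked config: a syntax error would take
# down local logging too. On failure put the previous fragment back (or remove
# ours if there was none) and stop before touching any service.
if ! syslog-ng --syntax-only; then
  if [ -f "$SYSLOG_NG_CONF$BACKUP_SUFFIX" ]; then
    mv -- "$SYSLOG_NG_CONF$BACKUP_SUFFIX" "$SYSLOG_NG_CONF"
  else
    rm -f -- "$SYSLOG_NG_CONF"
  fi
  die "Ошибка: конфигурация syslog-ng не прошла проверку; предыдущая конфигурация восстановлена."
fi

# 7. Restart services. RHEL-family auditd.service sets RefuseManualStop=yes,
#    so `systemctl restart auditd` is refused there; the legacy service
#    wrapper is the documented path on those systems, hence the fallback.
echo "Перезапуск auditd и syslog-ng..."
systemctl restart auditd 2>/dev/null || service auditd restart
systemctl restart syslog-ng

echo "=== Настройка завершена. ==="
echo "Проверьте статус служб:"
echo " systemctl status auditd syslog-ng"
echo "Проверьте отправку логов:"
echo " journalctl -u syslog-ng -f | grep '$AGENT_IP'"
echo " tcpdump -ni any udp port 514 and host $AGENT_IP"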