├── README.md ├── osquery ├── osquery.conf └── secrity.conf └── pic ├── 1.png ├── 2.png ├── 5.png └── 6.png /README.md: -------------------------------------------------------------------------------- 1 | # HIDS 0.1 2 | 3 | HIDS运行依赖这样一个原理:一个成功的入侵者一般而言都会留下他们入侵的痕迹。本人更倾向于通过记录主机的重要信息变更来发现入侵者。 4 | 本项目由两部分组成:一部分osquery、另一部分监控脚本来补充osquery规则的不足; 5 | 本文是第一部分osquery规则部分,实现部分主机信息监控。 6 | 7 | ## Author ## 8 | 9 | 咚咚呛 10 | 11 | 如有其他建议,可联系微信280495355 12 | 13 | ## Support ## 14 | 15 | 满足如下安全需求 16 | 17 | 1、支持大部分Centos6-7、winodws系统等。 18 | 2、可记录主机的信息变更情况,如账户、进程、网络连接等等; 19 | 3、变更结果记录到日志中; 20 | 21 | 22 | 技术细节如下: 23 | 24 | 1、监控主机信息如下: 25 | 1)对公网访问的网络连接增加情况 26 | 2)进程增加情况 27 | 3)对外端口侦听增加情况 28 | 4)arp缓存变化情况 29 | 5)authorized_keys公钥差异变化 30 | 6)crontab定时任务差异变化 31 | 7)DNS映射表差异变化 32 | 8)etc_hosts信息差异变化 33 | 9)etc_services 差异变化 34 | 10)groups 本地系统组差异变化 35 | 11)iptables 防火墙差异变化 36 | 12)系统登录和登出差异变化 37 | 13)主机系统的主动路由表差异变化 38 | 14)应用程序和二进制文件设置为用户/登录启动项,差异变化 39 | 15)通过sudo作为其他用户运行命令的规则差异变化 40 | 16)主动插入主机系统的USB设备差异变化 41 | 17)本地系统用户组关系差异变化 42 | 18)系统用户差异变化 43 | 44 | 45 | ## Test Environment ## 46 | 47 | >centos 7、6 48 | 49 | ## Tree ## 50 | 51 | osquery 52 | ----osquery.conf #osquery系统配置文件 53 | ----secrity.conf #安全监控规则 54 | 55 | ## Deploy ## 56 | 57 | 1)根据系统同版本,下载osquery 58 | $ wget https://s3.amazonaws.com/osquery-packages/centos7/x86_64/osquery-2.4.6-1.linux.x86_64.rpm 59 | $ wget https://s3.amazonaws.com/osquery-packages/centos6/x86_64/osquery-2.4.6-1.linux.x86_64.rpm 60 | 2)根据系统版本,安装osquery 61 | $ sudo rpm -ivh centos6_osquery-2.4.6-1.linux.x86_64.rpm 62 | $ sudo rpm -ivh centos7_osquery-2.4.6-1.linux.x86_64.rpm 63 | 3)拷贝 osquery.conf 和 secrity.conf 到 /etc/osquery/目录下 64 | 4)启动osquery服务 65 | $ sudo /etc/init.d/osqueryd restart 66 | 67 | ## Config ## 68 | 69 | 安全监控规则在文件secrity.conf中,可自行修改,其中包含主要几项,query、interval、removed。 70 | query: 查询的SQL语句 71 | interval: 查询间隔,单位时间为秒 72 | removed: 是否生成减少的记录 73 | 如: 74 | "users": { 75 | "query" : "select * from users;", 76 | "interval" : 3600, 77 | "removed": false 78 | } 79 | 80 | 81 | 82 | ## Log ## 83 | 84 | 默认日志结果存储在/var/log/osquer/osqueryd.INFO,其中保存了主机差异变化信息 85 | 86 | ## Screenshot ## 87 | 88 | 安装完毕后,如下: 89 | 90 | ![Screenshot](pic/1.png) 91 | 92 | ![Screenshot](pic/2.png) 93 | 94 | 服务器启动后如下: 95 | 96 | ![Screenshot](pic/5.png) 97 | 98 | ![Screenshot](pic/6.png) 99 | -------------------------------------------------------------------------------- /osquery/osquery.conf: -------------------------------------------------------------------------------- 1 | { 2 | "options": { 3 | "config_plugin": "filesystem", 4 | 5 | "logger_plugin": "filesystem", 6 | 7 | "logger_path": "/var/log/osquery", 8 | 9 | "pidfile": "/var/osquery/osquery.pidfile", 10 | 11 | "worker_threads": "10", 12 | 13 | "enable_monitor": "true" 14 | }, 15 | 16 | "schedule": { 17 | }, 18 | 19 | "packs": { 20 | "secrity": "/etc/osquery/secrity.conf" 21 | //"hardware-monitoring": "/usr/share/osquery/packs/hardware-monitoring.conf" 22 | } 23 | } 24 | -------------------------------------------------------------------------------- /osquery/secrity.conf: -------------------------------------------------------------------------------- 1 | { 2 | "queries": { 3 | ////////////////////////////////以下为5分钟循环执行一次////////////////// 4 | //process_open_sockets 在系统上打开网络套接字的进程差异变化,同时过滤掉内网、自身出现socket的变化, 5 | //由于W机组的网络连接大于10W,会造成cpu 飙升到99%,故打算单独拎出来磁条规则,通过写shell名ss -an来执行 6 | "process_open_sockets": { 7 | "query" : "select * from process_open_sockets where remote_address != '127.0.0.1' and remote_address != '' and remote_address != '::' and remote_address not like '10.%' and remote_address != '0.0.0.0' and remote_address not like '172.16.%' and remote_address not like '192.168.%';", 8 | "interval" : 300, 9 | "removed": false 10 | }, 11 | //processes 主机系统上的所有正在运行的进程差异变化, 12 | //同时过滤一下经常出现的进程 13 | "processes": { 14 | "query" : "select pid,name,path,cmdline,cwd,root,uid,gid,parent from processes where name != 'nginx' and name != 'php-fpm' and name not like 'zabbix%';", 15 | "interval" : 300, 16 | "removed": false 17 | }, 18 | /////////////////////////////////以下为1小时循环执行一次////////////////// 19 | //listening_ports 侦听(绑定)网络套接字/端口差异变化, 20 | //已过滤掉IPV6的侦听 21 | "listening_ports": { 22 | "query" : "select * from listening_ports where address != '::';", 23 | "interval" : 3600, 24 | "removed": false 25 | }, 26 | //arp缓存差异变化 27 | "arp_cache": { 28 | "query" : "select * from arp_cache;", 29 | "interval" : 3600, 30 | "removed": false 31 | }, 32 | //authorized_keys公钥差异变化 33 | "authorized_keys": { 34 | "query" : "select * from authorized_keys;", 35 | "interval" : 3600, 36 | "removed": false 37 | }, 38 | //crontab定时任务差异变化 39 | "crontab": { 40 | "query" : "select * from crontab;", 41 | "interval" : 3600, 42 | "removed": false 43 | }, 44 | //DNS映射表差异变化 45 | "dns_resolvers": { 46 | "query" : "select * from dns_resolvers;", 47 | "interval" : 3600, 48 | "removed": false 49 | }, 50 | //etc_hosts信息差异变化 51 | "etc_hosts": { 52 | "query" : "select * from etc_hosts;", 53 | "interval" : 3600, 54 | "removed": false 55 | }, 56 | //etc_services 差异变化 57 | "etc_services": { 58 | "query" : "select * from etc_services;", 59 | "interval" : 3600, 60 | "removed": false 61 | }, 62 | //groups 本地系统组差异变化 63 | "groups": { 64 | "query" : "select * from groups;", 65 | "interval" : 3600, 66 | "removed": false 67 | }, 68 | //iptables 防火墙差异变化 69 | "iptables": { 70 | "query" : "select * from iptables;", 71 | "interval" : 3600, 72 | "removed": false 73 | }, 74 | //last 系统登录和登出差异变化 75 | "last": { 76 | "query" : "select * from last where host != '' and username != '';", 77 | "interval" : 3600, 78 | "removed": true 79 | }, 80 | //routes 主机系统的主动路由表差异变化,去掉ipv6 81 | "routes": { 82 | "query" : "select * from routes where destination not like '%:%';", 83 | "interval" : 3600, 84 | "removed": false 85 | }, 86 | //startup_items 应用程序和二进制文件设置为用户/登录启动项,差异变化 87 | "startup_items": { 88 | "query" : "select * from startup_items;", 89 | "interval" : 3600, 90 | "removed": false 91 | }, 92 | //sudoers 通过sudo作为其他用户运行命令的规则差异变化 93 | "sudoers": { 94 | "query" : "select * from sudoers;", 95 | "interval" : 3600, 96 | "removed": false 97 | }, 98 | //usb_devices 主动插入主机系统的USB设备差异变化 99 | "usb_devices": { 100 | "query" : "select * from usb_devices;", 101 | "interval" : 3600, 102 | "removed": false 103 | }, 104 | //user_groups 本地系统用户组关系差异变化 105 | "user_groups": { 106 | "query" : "select * from user_groups;", 107 | "interval" : 3600, 108 | "removed": false 109 | }, 110 | //users 用户差异变化 111 | "users": { 112 | "query" : "select * from users;", 113 | "interval" : 3600, 114 | "removed": false 115 | } 116 | } 117 | } 118 | -------------------------------------------------------------------------------- /pic/1.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/grayddq/HIDS/289636e36753a1d0b4746865d2dde486259bc1e0/pic/1.png -------------------------------------------------------------------------------- /pic/2.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/grayddq/HIDS/289636e36753a1d0b4746865d2dde486259bc1e0/pic/2.png -------------------------------------------------------------------------------- /pic/5.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/grayddq/HIDS/289636e36753a1d0b4746865d2dde486259bc1e0/pic/5.png -------------------------------------------------------------------------------- /pic/6.png: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/grayddq/HIDS/289636e36753a1d0b4746865d2dde486259bc1e0/pic/6.png --------------------------------------------------------------------------------