Linux Incident Response and Security Risk Investigation Approach
一、Investigation approach

Reference questions:
When did it happen? What was observed? Has the incident been confirmed as real?
Which Linux distribution?
Have system commands been replaced? Has the integrity of the system commands been checked?
What handling has already been done? What is the current state?
What is the range of affected hosts?
What could cause the observed behaviour? What traces might it leave?
Are security devices/products deployed? Are there relevant records?
What is the network architecture?
Can account credentials be provided to log in to the affected hosts?
Have there been vulnerabilities / weak passwords / databases / middleware / high-risk ports?

二、Investigation items

1. Accounts
Abnormal accounts:
cat /etc/passwd
cat /etc/shadow
Note the modification time of both files, and any account whose UID and GID are 0:
grep ':0:' /etc/passwd
(Screenshot: ls -l /etc/passwd /etc/shadow on the test host, and id root returning uid=0(root) gid=0(root) groups=0(root))
Privileged users (UID 0):
awk -F: '$3==0 {print $1}' /etc/passwd
Users with root/sudo/su rights:
more /etc/sudoers | grep -v "^#\|^$" | grep "ALL=(ALL)"
(Screenshot: root ALL=(ALL) ALL)
Accounts that can log in remotely (a password hash is set: $1$ is MD5, $6$ is SHA-512):
awk -F: '/\$1|\$6/ {print $1}' /etc/shadow
Empty-password accounts:
awk -F: 'length($2)==0 {print $1}' /etc/shadow
Login and session information:
who      information about the users currently logged in
w        list of logged-in users, system information and the commands they are running
uptime   number of users, time since boot and load average
whoami   user name associated with the current effective user ID
lastlog  time of the last login of every user
last     login/logout records of all users plus system boot, reboot and shutdown events
lastb    list of failed login attempts
(Screenshots: whoami, whoami --help, who, who am i, who --help, uptime, w, lastlog (most service accounts show "Never logged in") and last output from the test host; the wtmp history on that host begins Wed Jul 3 2019)
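The account checks above, combined into one script that runs the same tests over copies of /etc/passwd, /etc/shadow and /etc/sudoers. This is an added example, not part of the original document; the sample files, the user names in them (backdoor, svc-deploy, alice, bob) and the hashes are constructed for the demonstration. The audit function takes the three file paths as arguments, so it can be pointed at the real files (or at copies taken from a disk image).

```shell
#!/usr/bin/env bash
# Added example: account audit over passwd/shadow/sudoers files.
# Usage: audit_accounts PASSWD SHADOW SUDOERS   -> one finding per line, "<check>:<account>"

audit_accounts() {
    local passwd="$1" shadow="$2" sudoers="$3"
    # 1. Any UID-0 account other than root (a second root is a classic backdoor).
    awk -F: '$3 == 0 && $1 != "root" { print "uid0:" $1 }' "$passwd"
    # 2. GID 0 on a non-root UID still grants root-group file access.
    awk -F: '$4 == 0 && $3 != 0 { print "gid0:" $1 }' "$passwd"
    # 3. Empty password field in shadow: login without a password.
    awk -F: 'length($2) == 0 { print "emptypw:" $1 }' "$shadow"
    # 4. A real hash ($1$ MD5, $5$ SHA-256, $6$ SHA-512, $y$ yescrypt) means the account
    #    can authenticate with a password, so it is a candidate for remote login.
    #    Locked accounts ("!", "!!", "*") do not match.
    awk -F: '$2 ~ /^\$(1|5|6|y)\$/ { print "haspw:" $1 }' "$shadow"
    # 5. System accounts (UID < 1000) should have a nologin/false shell.
    awk -F: '$3 < 1000 && $1 != "root" && $7 !~ /(nologin|false)$/ { print "sysshell:" $1 }' "$passwd"
    # 6. sudoers: drop comments and blank lines, report every ALL=(ALL) / ALL=(ALL:ALL) grant.
    grep -v '^[[:space:]]*#' "$sudoers" | grep -v '^[[:space:]]*$' \
        | awk '/ALL=\(ALL(:ALL)?\)/ { print "sudoall:" $1 }'
    return 0
}

# Constructed sample files (not real system data), written to a temp dir.
make_samples() {
    local d
    d=$(mktemp -d)
    cat > "$d/passwd" <<'EOF'
root:x:0:0:root:/root:/bin/bash
bin:x:1:1:bin:/bin:/sbin/nologin
daemon:x:2:2:daemon:/sbin:/sbin/nologin
sshd:x:74:74:Privilege-separated SSH:/var/empty/sshd:/sbin/nologin
backdoor:x:0:0::/tmp:/bin/bash
svc-deploy:x:500:500::/var/lib/deploy:/bin/bash
alice:x:1000:1000::/home/alice:/bin/bash
bob:x:1001:1001::/home/bob:/bin/bash
EOF
    cat > "$d/shadow" <<'EOF'
root:$6$abc$hash:18000:0:99999:7:::
bin:*:18000:0:99999:7:::
daemon:*:18000:0:99999:7:::
sshd:!!:18000:0:99999:7:::
backdoor:$1$xyz$hash:18000:0:99999:7:::
svc-deploy::18000:0:99999:7:::
alice:$6$def$hash:18000:0:99999:7:::
bob:!$6$ghi$hash:18000:0:99999:7:::
EOF
    cat > "$d/sudoers" <<'EOF'
# User privilege specification
root    ALL=(ALL)       ALL

%wheel  ALL=(ALL:ALL)   ALL
backdoor ALL=(ALL) NOPASSWD: ALL
alice   ALL=(root) /usr/bin/systemctl
EOF
    printf '%s\n' "$d"
}

# Run the audit over the constructed samples and print the findings.
demo_audit() {
    local d
    d=$(make_samples)
    audit_accounts "$d/passwd" "$d/shadow" "$d/sudoers"
    rm -rf "$d"
}
demo_audit
```

On the sample data the script reports backdoor under uid0, sysshell and sudoall, svc-deploy under emptypw and sysshell, and root, backdoor and alice under haspw; bob's hash is locked with a leading "!" and is not listed. Compare the haspw list with the shells in passwd and with AllowUsers in sshd_config to get the set of accounts that can actually reach the host over SSH.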

2. Ports / processes / network connections
Check ports and network connections:
netstat -anltp | grep pid/port/string
(On distributions without net-tools, ss -anltp gives the same listing.)
(Screenshot: netstat --help)
Check abnormal processes:
ps aux | grep PID
ps -ef | grep PID
(Screenshots: ps --help all; top on the test host, showing one user, a load average of 0.00 and mostly kernel threads)
top interactive keys:
M   sort the process list by memory usage
N   sort the process list by PID
P   sort the process list by CPU usage
h   help for interactive commands
(Screenshots: the top help screen and its field descriptions, e.g. PID, USER, PR, NI, VIRT, RES, SHR, S, %CPU, %MEM, TIME+, COMMAND)
Find the executable behind a PID:
ls -la /proc/PID/exe
file /proc/PID/exe
(Screenshot: netstat -anltp on the test host lists a python process, PID 3316, listening on 0.0.0.0:55555 with several established connections, sshd listening on port 22 and the postfix master on 127.0.0.1:25; file /proc/3316/exe reports a symbolic link to /usr/bin/python2.7, and ls -l /proc/3316/exe shows the same target)
Check for hidden processes by comparing the PIDs that ps reports with the entries in /proc:
ps -ef | awk '{print $2}' | sort -n | uniq > 1
ls /proc | sort -n | uniq > 2
diff 1 2
(The diff also shows the "PID" header from ps and the non-numeric /proc entries such as cpuinfo, net and self; only numeric entries that exist in /proc but are missing from the ps output matter. A process hidden this way usually means ps itself or a preloaded library has been tampered with, which is why the approach above asks whether commands have been replaced.)
Files opened by a process:
lsof -p PID
(Screenshot: lsof -p on an ssserver (shadowsocks) python process running as root: its cwd is /root/shadowsocks-master (deleted), txt is /usr/bin/python2.7, and the mapped libraries include libffi, libssl, libcrypto and the python ctypes module)
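The hidden-process comparison and the /proc/PID/exe check above, as an added example that is not part of the original document. hidden_pids does the diff of the two PID lists while ignoring the ps header and the non-numeric /proc entries; classify_exe looks at the resolved target of /proc/PID/exe and names the reason it deserves attention; scan_running_exes applies it to the live /proc. The PID lists and executable paths used in the demonstration are constructed, and the classification rules (writable temp directories, home directories, "(deleted)" binaries) are this example's own choice of what to flag.

```shell
#!/usr/bin/env bash
# Added example: hidden-process and executable-origin checks.

# Compare a ps-derived PID list with the entries of /proc (one entry per line, as
# produced by "ps -ef | awk '{print $2}'" and "ls /proc"). Prints PIDs present
# in /proc but not reported by ps. Non-numeric lines (the "PID" header, cpuinfo,
# net, self, ...) are dropped so that they do not show up as false differences.
hidden_pids() {
    local ps_list="$1" proc_list="$2" a b
    a=$(mktemp); b=$(mktemp)
    grep -E '^[0-9]+$' "$ps_list"   | sort -u > "$a" || true
    grep -E '^[0-9]+$' "$proc_list" | sort -u > "$b" || true
    comm -13 "$a" "$b"          # lines only in the /proc list
    rm -f "$a" "$b"
    return 0
}

# Classify the resolved target of /proc/PID/exe (as printed by readlink).
classify_exe() {
    local exe="$1"
    case "$exe" in
        *" (deleted)")                 echo "deleted-binary" ;;   # binary removed after start (also memfd: executables)
        /tmp/*|/var/tmp/*|/dev/shm/*)  echo "writable-tmp-dir" ;; # world-writable locations used by droppers
        /home/*|/root/*)               echo "home-directory" ;;   # worth a look: daemons do not normally live here
        /proc/*|/dev/*)                echo "pseudo-fs" ;;
        *)                             echo "ok" ;;
    esac
}

# Walk the live /proc and report processes whose binary is deleted or runs from an
# unusual location. Reading other users' exe links requires root; kernel threads
# have no exe link and are skipped.
scan_running_exes() {
    local p pid exe verdict
    for p in /proc/[0-9]*; do
        pid=${p#/proc/}
        exe=$(readlink "$p/exe" 2>/dev/null) || continue
        verdict=$(classify_exe "$exe")
        [ "$verdict" = "ok" ] || printf '%s\t%s\t%s\n' "$pid" "$verdict" "$exe"
    done
    return 0
}

# Constructed sample input (not from a real host): ps reports PIDs 1, 2, 3 and 4321
# plus its header; /proc additionally contains 1337 and the usual non-PID entries.
demo_hidden() {
    local d
    d=$(mktemp -d)
    printf 'PID\n1\n2\n3\n4321\n' > "$d/ps.txt"
    printf '1\n2\n3\n1337\n4321\ncpuinfo\nnet\nself\nsys\n' > "$d/proc.txt"
    hidden_pids "$d/ps.txt" "$d/proc.txt"
    rm -rf "$d"
}
demo_hidden          # prints 1337, the PID ps did not report
scan_running_exes    # live check of this host
```

A PID that appears only in /proc can also be a process that started or exited between the two listings, so take both snapshots as close together as possible and repeat the comparison before concluding anything. A "(deleted)" verdict on a long-running daemon after a package upgrade is normal; the same verdict on a process listening on an unexpected port, as with the python process on port 55555 in the screenshot above, is not.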

Command history: $HOME/.bash_history (for root, /root/.bash_history); the history command prints the recorded commands.

3. Services and startup items
Check system services:
service --status-all
ps aux
netstat -anlp
cd /etc/init.d
ls -al
(Screenshot: ls -la /etc/init.d on the test host: functions, netconsole and network dating from August 2018, README, and a shadowsocks init script with a recent July timestamp)
yum install ntsysv
ntsysv        (an asterisk marks services that start at boot)
chkconfig --list
(Screenshot: chkconfig --list | grep shadowsocks returns "shadowsocks 0:off 1:off 2:on 3:on 4:on 5:on 6:off". chkconfig warns that this output shows SysV services only and that SysV data may be overridden by native systemd configuration: use systemctl list-unit-files to list systemd services and systemctl list-dependencies [target] to see the services enabled for a particular target)
Runlevels:
Runlevel   Name                                        Description
0          Halt                                        Shuts down the system
1          Single-user mode                            Mode for administrative tasks (compare Windows safe mode)
2          Multi-user mode                             Does not configure network interfaces and does not export network services
3          Multi-user mode with networking             Starts the system normally
4          Not used / user-definable                   For special purposes
5          Multi-user mode with networking and GUI     Same as runlevel 3 plus a display manager
6          Reboot                                      Reboots the system
Check the current runlevel: runlevel
(Screenshot: chkconfig --list on the test host: netconsole off in every runlevel, network on in runlevels 2 to 5, shadowsocks on in runlevels 2 to 5)
Boot startup configuration files:
/etc/rc.local
/etc/rc.d/rc.local
/etc/rc.d/rc[0-6].d
(Screenshot: find -iname rc.local run in /etc returns ./rc.local and ./rc.d/rc.local; /etc/rc.d contains init.d, rc0.d to rc6.d and rc.local)
Check startup items:
chkconfig --list | grep "3:on\|5:on"

4. Scheduled tasks
crontab -u root -l
cat /etc/crontab
ls /etc/cron.*

(Screenshots: crontab --help; crontab -u root -l on the test host returns "no crontab for root"; cat /etc/crontab shows SHELL=/bin/bash, PATH=/sbin:/bin:/usr/sbin:/usr/bin, MAILTO=root and the commented job definition: minute (0-59), hour (0-23), day of month (1-31), month (1-12 or jan-dec), day of week (0-6, Sunday=0 or 7, or sun-sat), then user name and the command to be executed; ls /etc/cron* lists cron.deny, cron.d (clamav-update), cron.daily (logrotate, man-db.cron), cron.hourly (0anacron), and empty cron.monthly and cron.weekly directories)

5. Abnormal files and directories

Check /tmp for unusual files:
ls -alt /tmp/
Check the cron files for malicious scripts:
/var/spool/cron/*
/etc/crontab
/etc/cron.d/*
/etc/cron.daily/*
/etc/cron.hourly/*
/etc/cron.monthly/*
/etc/cron.weekly/
/etc/anacrontab
/var/spool/anacron/*
Find system files modified or accessed within a time window:
Modified: find /etc/ /usr/bin/ /usr/sbin/ /bin/ /usr/local/bin/ -type f -mtime 0
Accessed: find /tmp -iname "*" -atime 1 -type f
-type values: f regular file, l symbolic link, d directory, c character device, b block device, s socket, p FIFO
modify time, -mtime: the file content was changed; mtime and ctime are updated (atime too if the file was read in the process, as editors do)
change time, -ctime: the file's attributes or permissions were changed; ctime is updated
access time, -atime: a command or application read or accessed the file; atime is updated
-mtime 0: files modified within the last 24 hours
-mtime 1: files modified between 24 and 48 hours ago
-mtime 2: files modified between 48 and 72 hours ago
(With the default relatime mount option atime is only written when it is older than mtime/ctime or more than a day old, so -atime is less dependable than -mtime and -ctime. mtime and atime can be set freely with touch, ctime cannot, which makes -ctime the timestamp to trust when a dropped file has been backdated.)
stat displays a file's status information, including all three timestamps.
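The day windows above, run against files with known ages, as an added example that is not part of the original document. It builds a temporary directory with three files whose mtime is set to now, 30 hours ago and 60 hours ago, shows which -mtime value each one matches, and then shows that -ctime 0 finds all three, because touch (like an attacker backdating a dropped file) cannot set ctime. It assumes GNU touch and find.

```shell
#!/usr/bin/env bash
# Added example: -mtime day windows and why -ctime catches backdated files.

# Names of regular files under DIR whose modification age, in whole days, equals N.
# find rounds the age down: -mtime 0 is "less than 24 h", -mtime 1 is "24 h to 48 h", ...
files_mtime() {
    local dir="$1" n="$2"
    find "$dir" -type f -mtime "$n" | sed 's|.*/||' | sort
    return 0
}

# Same windows, but on the inode change time.
files_ctime() {
    local dir="$1" n="$2"
    find "$dir" -type f -ctime "$n" | sed 's|.*/||' | sort
    return 0
}

# Constructed working directory: three files whose mtime is set with touch -d.
# touch can set mtime and atime but not ctime, so all three get ctime = now,
# exactly what happens when an attacker forges the timestamp of a dropped file.
make_timeline() {
    local d
    d=$(mktemp -d)
    touch -d 'now' "$d/fresh"
    touch -d '30 hours ago' "$d/thirty_hours"
    touch -d '60 hours ago' "$d/sixty_hours"
    printf '%s\n' "$d"
}

demo_windows() {
    local d
    d=$(make_timeline)
    echo "mtime 0: $(files_mtime "$d" 0 | tr '\n' ' ')"
    echo "mtime 1: $(files_mtime "$d" 1 | tr '\n' ' ')"
    echo "mtime 2: $(files_mtime "$d" 2 | tr '\n' ' ')"
    echo "ctime 0: $(files_ctime "$d" 0 | tr '\n' ' ')"
    rm -rf "$d"
}
demo_windows
```

The run prints fresh under mtime 0, thirty_hours under mtime 1, sixty_hours under mtime 2, and all three under ctime 0. When the system directories are searched as in the commands above, running the same find with -ctime as well as -mtime, and comparing the two lists, exposes files whose mtime has been pushed into the past; stat on a single file shows the same discrepancy between its Modify and Change lines.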

(Screenshots: stat --help; stat /usr/local/bin/ on the test host shows a 4096-byte directory, Access (0755/drwxr-xr-x), owned by root:root, with Access, Modify and Change timestamps on 2019-08-05 and Birth: - because that kernel and filesystem do not report a creation time)
Check whether command binaries have been replaced: sort by time and cross-check against the RPM database:
ls -alt /usr/bin /usr/sbin /bin /usr/local/bin
rpm -Va > rpm.log
(rpm -Va prints every installed file that differs from the package database, with a flag per attribute: S size, M mode, 5 digest, D device, L link, U user, G group, T mtime, P capabilities. A digest mismatch on a file in /bin, /usr/bin or /usr/sbin is the strongest sign of a replaced command. If rpm itself may have been replaced, verify with a known-good rpm binary or from clean boot media.)
Check whether file attributes have changed:
lsattr displays file attributes; chattr changes them.
Show the attributes of a file: lsattr dir/file
Use chattr to stop a critical file from being modified: chattr +i dir/file. Commands that operate on the file then fail with "Operation not permitted", and vim shows "W10: Warning: Changing a readonly file". To modify the file again, remove the i attribute: chattr -i dir/file
Make a file append-only, so data can be added but not deleted, which suits log files: chattr +a dir/file
(Attackers use the same attribute: a dropped binary or cron file with +i set cannot be removed even as root until chattr -i is run, so an "Operation not permitted" during cleanup is itself a finding, and lsattr shows why.)

6. Vulnerabilities
Weak passwords, unauthorised-access vulnerabilities, web vulnerabilities, system vulnerabilities.

7. Logs
Log file                             Description
/var/log/syslog                      general system messages and information
/var/log/messages                    general system messages and information
/var/log/auth.log                    authentication log: successful and failed logins and the authentication process
/var/log/secure                      the same authentication log on Red Hat family systems
/var/log/boot.log                    boot messages and startup information
/var/log/maillog, /var/log/mail.log  mail server log, for the postfix/smtpd running on the server
/var/log/kern                        kernel messages
/var/log/dmesg                       kernel ring buffer captured at boot
/var/log/faillog                     failed login counters per user (faillog command)
/var/log/cron                        cron job execution
/var/log/daemon.log                  messages from system daemons
/var/log/btmp                        failed login attempts (read with lastb)
/var/log/utmp                        current login sessions (read with who/w)
/var/log/wtmp                        login, logout and reboot history (read with last)
/var/log/lastlog                     last login of each user (read with lastlog)
/var/log/yum.log                     packages installed, updated and removed by yum
/var/log/httpd                       Apache access and error logs
/var/log/mysqld.log, /var/log/mysql.log   MySQL server log
/var/log/pureftp.log                 Pure-FTPd log
/var/log/spooler                     print spooler messages
/var/log/xferlog                     FTP transfer log
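The authentication logs are where the weak-password and unauthorised-access findings from section 6 usually show first. The script below, an added example that is not part of the original document, reads sshd lines in the /var/log/secure and /var/log/auth.log format, counts failed and accepted logins per source address, and flags an address whose failures cross a threshold and are then followed by an accepted login, the signature of a password-guessing attack that worked. The log excerpt is constructed (the 198.51.100.0/24 and 203.0.113.0/24 addresses are documentation ranges), and the threshold of 5 and the verdict labels are this example's own.

```shell
#!/usr/bin/env bash
# Added example: SSH login triage over /var/log/secure or /var/log/auth.log lines.

# Per source IP: failed logins, accepted logins, a verdict, and the accepted user names.
# THRESHOLD (default 5) failures followed by an accepted login from the same IP is
# reported as BRUTEFORCE-SUCCESS.
ssh_auth_summary() {
    local file="$1" threshold="${2:-5}"
    awk -v thr="$threshold" '
        # source address is the word after "from"; the user name is the word before it
        function src(    i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i+1); return "" }
        function usr(    i) { for (i = 1; i <= NF; i++) if ($i == "from") return $(i-1); return "" }
        / sshd\[[0-9]+\]: Failed password for / { ip = src(); if (ip != "") fail[ip]++ }
        / sshd\[[0-9]+\]: Accepted (password|publickey) for / {
            ip = src(); if (ip == "") next
            ok[ip]++
            users[ip] = (users[ip] == "" ? "" : users[ip] ",") usr()
        }
        END {
            for (ip in fail) seen[ip] = 1
            for (ip in ok)   seen[ip] = 1
            for (ip in seen) {
                f = fail[ip] + 0; s = ok[ip] + 0
                if (f >= thr && s > 0) v = "BRUTEFORCE-SUCCESS"
                else if (f >= thr)     v = "bruteforce"
                else if (s > 0)        v = "login"
                else                   v = "failed"
                printf "%s\t%d\t%d\t%s\t%s\n", ip, f, s, v, users[ip]
            }
        }' "$file" | sort
    return 0
}

# Constructed log excerpt in /var/log/secure format (not from a real host).
demo_ssh() {
    local f
    f=$(mktemp)
    cat > "$f" <<'EOF'
Jul 24 06:31:02 vultr sshd[3201]: Failed password for root from 198.51.100.23 port 40122 ssh2
Jul 24 06:31:05 vultr sshd[3201]: Failed password for root from 198.51.100.23 port 40122 ssh2
Jul 24 06:31:09 vultr sshd[3204]: Failed password for invalid user admin from 198.51.100.23 port 40130 ssh2
Jul 24 06:31:12 vultr sshd[3206]: Failed password for invalid user oracle from 198.51.100.23 port 40138 ssh2
Jul 24 06:31:15 vultr sshd[3208]: Failed password for root from 198.51.100.23 port 40141 ssh2
Jul 24 06:31:20 vultr sshd[3210]: Accepted password for root from 198.51.100.23 port 40150 ssh2
Jul 24 06:35:01 vultr sshd[3239]: Accepted publickey for alice from 203.0.113.8 port 51000 ssh2
Jul 24 06:40:44 vultr sshd[3300]: Failed password for bob from 203.0.113.9 port 52222 ssh2
Jul 24 06:41:01 vultr CROND[3310]: (root) CMD (run-parts /etc/cron.hourly)
EOF
    ssh_auth_summary "$f" 5
    rm -f "$f"
}
demo_ssh

# Live run on whichever auth log this host keeps (reading it needs root).
for f in /var/log/secure /var/log/auth.log; do
    [ -r "$f" ] && ssh_auth_summary "$f" 5
done
```

On the sample, 198.51.100.23 is reported as BRUTEFORCE-SUCCESS with five failures and one accepted login as root, 203.0.113.8 as a plain login by alice, and 203.0.113.9 as a single failure. On systemd hosts the same function accepts piped input: journalctl -u sshd --no-pager | ssh_auth_summary /dev/stdin. An intruder with root can truncate these files, so compare the result with last and lastb, which read wtmp and btmp independently of syslog.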
