最后防线:Linux系统服务检测
在主机入侵检测系统里,建立系统服务基线和检测系统服务进程行为,是检测恶意服务和恶意进程的关键。 只在使用systemd的Linux系统使用
建立系统服务基线
系统服务基线的建立,需要做的事情有如下几样:
- 获取所有安装的系统服务
- 获取当前系统运行级别
- 获取当前系统运行级别默认启动的服务
在主机入侵检测系统里,也可以通过system, popen, fork/execv之类的函数调用如下命令实现上面目的
systemctl list-unit-files --type=service #获取所有安装的服务
systemctl get-default #获取当前系统运行级别
systemctl list-unit-files --type=service| grep enabled #获取所有默认启动的服务,不只是当前运行级别调用命令却有如下风险:
- 调用命令的隐患:任何一个命令在启动时,都要加载一大堆依赖的so,如果某些so不存在,命令是执行不了。如果命令执行完之后出现异常,成为僵尸进程,就会消耗大量系统句柄,导致后面一些业务进程无法启动。
- 错误的处理:由于是调用命令,命令获取数据是否异常,无法得知,对这种错误无法处理,也会导致有大量无效数据。
按照Unix哲学”一切皆文件“,上面目的完全可以通过opendir/readdir/closedir, open/read/close, readlink/realpath之类的API来实现。
- 获取所有安装的系统:
systemd获取所有安装的系统服务,是按顺序遍历service文件。
/etc/systemd/system
/run/systemd/system
/usr/local/lib/systemd/system
/usr/lib/systemd/system列举一下这些目录的内容:
[root@bogon-agent ~]# ls /etc/systemd/system/*.service
/etc/systemd/system/dbus-org.freedesktop.nm-dispatcher.service /etc/systemd/system/display-manager.service /etc/systemd/system/kibana.service /etc/systemd/system/wazuh-agent.service
[root@bogon-agent ~]# ls /run/systemd/system/*.service
ls: cannot access /run/systemd/system/*.service: No such file or directory
[root@bogon-agent ~]# ls /usr/local/lib/systemd/system/*.service
ls: cannot access /usr/local/lib/systemd/system/*.service: No such file or directory
[root@bogon-agent ~]# ls /usr/lib/systemd/system/*.service
/usr/lib/systemd/system/abrt-ccpp.service /usr/lib/systemd/system/ipsec.service /usr/lib/systemd/system/systemd-backlight@.service
/usr/lib/systemd/system/abrtd.service /usr/lib/systemd/system/irqbalance.service /usr/lib/systemd/system/systemd-binfmt.service
/usr/lib/systemd/system/abrt-oops.service /usr/lib/systemd/system/kdump.service /usr/lib/systemd/system/systemd-bootchart.service
/usr/lib/systemd/system/abrt-pstoreoops.service /usr/lib/systemd/system/kmod-static-nodes.service /usr/lib/systemd/system/systemd-firstboot.service
/usr/lib/systemd/system/abrt-vmcore.service /usr/lib/systemd/system/lightdm.service /usr/lib/systemd/system/systemd-fsck-root.service
/usr/lib/systemd/system/abrt-xorg.service /usr/lib/systemd/system/lvm2-lvmetad.service /usr/lib/systemd/system/systemd-fsck@.service
/usr/lib/systemd/system/accounts-daemon.service /usr/lib/systemd/system/lvm2-lvmpolld.service /usr/lib/systemd/system/systemd-halt.service
/usr/lib/systemd/system/alsa-restore.service /usr/lib/systemd/system/lvm2-monitor.service /usr/lib/systemd/system/systemd-hibernate-resume@.service
/usr/lib/systemd/system/alsa-state.service /usr/lib/systemd/system/lvm2-pvscan@.service /usr/lib/systemd/system/systemd-hibernate.service
/usr/lib/systemd/system/arp-ethers.service /usr/lib/systemd/system/mdadm-grow-continue@.service /usr/lib/systemd/system/systemd-hostnamed.service
/usr/lib/systemd/system/atd.service /usr/lib/systemd/system/mdadm-last-resort@.service /usr/lib/systemd/system/systemd-hwdb-update.service
/usr/lib/systemd/system/auditd.service /usr/lib/systemd/system/mdcheck_continue.service /usr/lib/systemd/system/systemd-hybrid-sleep.service
/usr/lib/systemd/system/autovt@.service /usr/lib/systemd/system/mdcheck_start.service /usr/lib/systemd/system/systemd-importd.service
/usr/lib/systemd/system/blk-availability.service /usr/lib/systemd/system/mdmonitor-oneshot.service /usr/lib/systemd/system/systemd-initctl.service
/usr/lib/systemd/system/brandbot.service /usr/lib/systemd/system/mdmonitor.service /usr/lib/systemd/system/systemd-journal-catalog-update.service
/usr/lib/systemd/system/canberra-system-bootup.service /usr/lib/systemd/system/mdmon@.service /usr/lib/systemd/system/systemd-journald.service
/usr/lib/systemd/system/canberra-system-shutdown-reboot.service /usr/lib/systemd/system/messagebus.service /usr/lib/systemd/system/systemd-journal-flush.service
/usr/lib/systemd/system/canberra-system-shutdown.service /usr/lib/systemd/system/microcode.service /usr/lib/systemd/system/systemd-kexec.service
/usr/lib/systemd/system/chrony-dnssrv@.service /usr/lib/systemd/system/mongod.service /usr/lib/systemd/system/systemd-localed.service
/usr/lib/systemd/system/chronyd.service /usr/lib/systemd/system/multipathd.service /usr/lib/systemd/system/systemd-logind.service
/usr/lib/systemd/system/chrony-wait.service /usr/lib/systemd/system/NetworkManager-dispatcher.service /usr/lib/systemd/system/systemd-machined.service
/usr/lib/systemd/system/clean-mount-point@.service /usr/lib/systemd/system/NetworkManager.service /usr/lib/systemd/system/systemd-machine-id-commit.service
/usr/lib/systemd/system/console-getty.service /usr/lib/systemd/system/NetworkManager-wait-online.service /usr/lib/systemd/system/systemd-modules-load.service
/usr/lib/systemd/system/console-shell.service /usr/lib/systemd/system/nginx.service /usr/lib/systemd/system/systemd-nspawn@.service
/usr/lib/systemd/system/containerd.service /usr/lib/systemd/system/openvpn-client@.service /usr/lib/systemd/system/systemd-poweroff.service
/usr/lib/systemd/system/container-getty@.service /usr/lib/systemd/system/openvpn-server@.service /usr/lib/systemd/system/systemd-quotacheck.service
/usr/lib/systemd/system/cpupower.service /usr/lib/systemd/system/openvpn@.service /usr/lib/systemd/system/systemd-random-seed.service
/usr/lib/systemd/system/crond.service /usr/lib/systemd/system/plymouth-halt.service /usr/lib/systemd/system/systemd-readahead-collect.service
/usr/lib/systemd/system/dbus-org.freedesktop.hostname1.service /usr/lib/systemd/system/plymouth-kexec.service /usr/lib/systemd/system/systemd-readahead-done.service
/usr/lib/systemd/system/dbus-org.freedesktop.import1.service /usr/lib/systemd/system/plymouth-poweroff.service /usr/lib/systemd/system/systemd-readahead-drop.service
/usr/lib/systemd/system/dbus-org.freedesktop.locale1.service /usr/lib/systemd/system/plymouth-quit.service /usr/lib/systemd/system/systemd-readahead-replay.service
/usr/lib/systemd/system/dbus-org.freedesktop.login1.service /usr/lib/systemd/system/plymouth-quit-wait.service /usr/lib/systemd/system/systemd-reboot.service
/usr/lib/systemd/system/dbus-org.freedesktop.machine1.service /usr/lib/systemd/system/plymouth-read-write.service /usr/lib/systemd/system/systemd-remount-fs.service
/usr/lib/systemd/system/dbus-org.freedesktop.timedate1.service /usr/lib/systemd/system/plymouth-reboot.service /usr/lib/systemd/system/systemd-rfkill@.service
/usr/lib/systemd/system/dbus.service /usr/lib/systemd/system/plymouth-start.service /usr/lib/systemd/system/systemd-shutdownd.service
/usr/lib/systemd/system/debug-shell.service /usr/lib/systemd/system/plymouth-switch-root.service /usr/lib/systemd/system/systemd-suspend.service
/usr/lib/systemd/system/dm-event.service /usr/lib/systemd/system/polkit.service /usr/lib/systemd/system/systemd-sysctl.service
/usr/lib/systemd/system/docker.service /usr/lib/systemd/system/postfix.service /usr/lib/systemd/system/systemd-timedated.service
/usr/lib/systemd/system/dracut-cmdline.service /usr/lib/systemd/system/quotaon.service /usr/lib/systemd/system/systemd-tmpfiles-clean.service
/usr/lib/systemd/system/dracut-initqueue.service /usr/lib/systemd/system/rc-local.service /usr/lib/systemd/system/systemd-tmpfiles-setup-dev.service
/usr/lib/systemd/system/dracut-mount.service /usr/lib/systemd/system/rdisc.service /usr/lib/systemd/system/systemd-tmpfiles-setup.service
/usr/lib/systemd/system/dracut-pre-mount.service /usr/lib/systemd/system/redis-sentinel.service /usr/lib/systemd/system/systemd-udevd.service
/usr/lib/systemd/system/dracut-pre-pivot.service /usr/lib/systemd/system/redis.service /usr/lib/systemd/system/systemd-udev-settle.service
/usr/lib/systemd/system/dracut-pre-trigger.service /usr/lib/systemd/system/rescue.service /usr/lib/systemd/system/systemd-udev-trigger.service
/usr/lib/systemd/system/dracut-pre-udev.service /usr/lib/systemd/system/rhel-autorelabel-mark.service /usr/lib/systemd/system/systemd-update-done.service
/usr/lib/systemd/system/dracut-shutdown.service /usr/lib/systemd/system/rhel-autorelabel.service /usr/lib/systemd/system/systemd-update-utmp-runlevel.service
/usr/lib/systemd/system/ebtables.service /usr/lib/systemd/system/rhel-configure.service /usr/lib/systemd/system/systemd-update-utmp.service
/usr/lib/systemd/system/elasticsearch.service /usr/lib/systemd/system/rhel-dmesg.service /usr/lib/systemd/system/systemd-user-sessions.service
/usr/lib/systemd/system/emergency.service /usr/lib/systemd/system/rhel-domainname.service /usr/lib/systemd/system/systemd-vconsole-setup.service
/usr/lib/systemd/system/firewalld.service /usr/lib/systemd/system/rhel-import-state.service /usr/lib/systemd/system/tcsd.service
/usr/lib/systemd/system/flatpak-system-helper.service /usr/lib/systemd/system/rhel-loadmodules.service /usr/lib/systemd/system/teamd@.service
/usr/lib/systemd/system/fstrim.service /usr/lib/systemd/system/rhel-readonly.service /usr/lib/systemd/system/trace-cmd.service
/usr/lib/systemd/system/geoclue.service /usr/lib/systemd/system/rsyslog.service /usr/lib/systemd/system/tuned.service
/usr/lib/systemd/system/getty@.service /usr/lib/systemd/system/selinux-policy-migrate-local-changes@.service /usr/lib/systemd/system/udisks2.service
/usr/lib/systemd/system/halt-local.service /usr/lib/systemd/system/serial-getty@.service /usr/lib/systemd/system/unbound-anchor.service
/usr/lib/systemd/system/initrd-cleanup.service /usr/lib/systemd/system/sshd-keygen.service /usr/lib/systemd/system/upower.service
/usr/lib/systemd/system/initrd-parse-etc.service /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/usbmuxd.service
/usr/lib/systemd/system/initrd-switch-root.service /usr/lib/systemd/system/sshd@.service /usr/lib/systemd/system/vgauthd.service
/usr/lib/systemd/system/initrd-udevadm-cleanup-db.service /usr/lib/systemd/system/svnserve.service /usr/lib/systemd/system/vmtoolsd.service
/usr/lib/systemd/system/iprdump.service /usr/lib/systemd/system/systemd-ask-password-console.service /usr/lib/systemd/system/wacom-inputattach@.service
/usr/lib/systemd/system/iprinit.service /usr/lib/systemd/system/systemd-ask-password-plymouth.service /usr/lib/systemd/system/wpa_supplicant.service
/usr/lib/systemd/system/iprupdate.service /usr/lib/systemd/system/systemd-ask-password-wall.service /usr/lib/systemd/system/xl2tpd.service检测系统服务进程行为
在建立服务基线后,就需要获取服务的动态情况,就是要看有多少服务在运行,每个服务下面有多少进程在运行。而且获取动作要定时执行,和上一次结果进行比对,从而发现异常。
剩余内容请关注本人公众号debugeeker, 链接为最后防线:Linux系统服务检测
本文参与 腾讯云自媒体同步曝光计划,分享自作者个人站点/博客。
原始发表:2021/02/09 ,如有侵权请联系 cloudcommunity@tencent.com 删除
评论
登录后参与评论
推荐阅读
目录
相关产品与服务
主机安全
主机安全(Cloud Workload Protection,CWP)基于腾讯安全积累的海量威胁数据,利用机器学习为用户提供资产管理、木马文件查杀、黑客入侵防御、漏洞风险预警及安全基线等安全防护服务,帮助企业构建服务器安全防护体系。现支持用户非腾讯云服务器统一进行安全防护,轻松共享腾讯云端安全情报,让私有数据中心拥有云上同等级别的安全体验。
腾讯云开发者
