In a host intrusion detection system (HIDS), building a baseline of system services and monitoring the behaviour of service processes is the key to detecting malicious services and malicious processes.
This applies only to Linux systems that use systemd.
Building the system service baseline involves the following:
- get all installed system services
- get the current system runlevel
- get the services started by default at the current runlevel
In an HIDS this can also be done by running the following commands through system, popen, fork/execv or similar calls:
```
systemctl list-unit-files --type=service                  # all installed services
systemctl get-default                                     # current runlevel
systemctl list-unit-files --type=service | grep enabled   # all services enabled at boot, not only the current runlevel's
```
Running commands, however, carries the following risks:
- Hidden cost of running a command: every command loads a large set of dependent shared objects (.so) when it starts, and if any of them is missing the command cannot run at all. If the command misbehaves after finishing and is left as a zombie process, it consumes a large number of system handles, until later business processes can no longer start.
- Error handling: because the data comes from a command, there is no way to tell whether what it returned is abnormal, so such errors cannot be handled, and a large amount of invalid data results.
Following the Unix philosophy that "everything is a file", all of the above can be done instead with APIs such as opendir/readdir/closedir, open/read/close and readlink/realpath.
Getting all installed system services: systemd finds the service files by traversing the following directories, in this order.
- /etc/systemd/system
- /run/systemd/system
- /usr/local/lib/systemd/system
- /usr/lib/systemd/system
Listing the contents of these directories:
```
[root@bogon-agent ~]# ls /etc/systemd/system/*.service
/etc/systemd/system/dbus-org.freedesktop.nm-dispatcher.service /etc/systemd/system/display-manager.service /etc/systemd/system/kibana.service /etc/systemd/system/wazuh-agent.service
[root@bogon-agent ~]# ls /run/systemd/system/*.service
ls: cannot access /run/systemd/system/*.service: No such file or directory
[root@bogon-agent ~]# ls /usr/local/lib/systemd/system/*.service
ls: cannot access /usr/local/lib/systemd/system/*.service: No such file or directory
[root@bogon-agent ~]# ls /usr/lib/systemd/system/*.service
/usr/lib/systemd/system/abrt-ccpp.service /usr/lib/systemd/system/ipsec.service /usr/lib/systemd/system/systemd-backlight@.service
/usr/lib/systemd/system/abrtd.service /usr/lib/systemd/system/irqbalance.service /usr/lib/systemd/system/systemd-binfmt.service
/usr/lib/systemd/system/abrt-oops.service /usr/lib/systemd/system/kdump.service /usr/lib/systemd/system/systemd-bootchart.service
/usr/lib/systemd/system/abrt-pstoreoops.service /usr/lib/systemd/system/kmod-static-nodes.service /usr/lib/systemd/system/systemd-firstboot.service
/usr/lib/systemd/system/abrt-vmcore.service /usr/lib/systemd/system/lightdm.service /usr/lib/systemd/system/systemd-fsck-root.service
/usr/lib/systemd/system/abrt-xorg.service /usr/lib/systemd/system/lvm2-lvmetad.service /usr/lib/systemd/system/systemd-fsck@.service
/usr/lib/systemd/system/accounts-daemon.service /usr/lib/systemd/system/lvm2-lvmpolld.service /usr/lib/systemd/system/systemd-halt.service
/usr/lib/systemd/system/alsa-restore.service /usr/lib/systemd/system/lvm2-monitor.service /usr/lib/systemd/system/systemd-hibernate-resume@.service
/usr/lib/systemd/system/alsa-state.service /usr/lib/systemd/system/lvm2-pvscan@.service /usr/lib/systemd/system/systemd-hibernate.service
/usr/lib/systemd/system/arp-ethers.service /usr/lib/systemd/system/mdadm-grow-continue@.service /usr/lib/systemd/system/systemd-hostnamed.service
/usr/lib/systemd/system/atd.service /usr/lib/systemd/system/mdadm-last-resort@.service /usr/lib/systemd/system/systemd-hwdb-update.service
/usr/lib/systemd/system/auditd.service /usr/lib/systemd/system/mdcheck_continue.service /usr/lib/systemd/system/systemd-hybrid-sleep.service
/usr/lib/systemd/system/autovt@.service /usr/lib/systemd/system/mdcheck_start.service /usr/lib/systemd/system/systemd-importd.service
/usr/lib/systemd/system/blk-availability.service /usr/lib/systemd/system/mdmonitor-oneshot.service /usr/lib/systemd/system/systemd-initctl.service
/usr/lib/systemd/system/brandbot.service /usr/lib/systemd/system/mdmonitor.service /usr/lib/systemd/system/systemd-journal-catalog-update.service
/usr/lib/systemd/system/canberra-system-bootup.service /usr/lib/systemd/system/mdmon@.service /usr/lib/systemd/system/systemd-journald.service
/usr/lib/systemd/system/canberra-system-shutdown-reboot.service /usr/lib/systemd/system/messagebus.service /usr/lib/systemd/system/systemd-journal-flush.service
/usr/lib/systemd/system/canberra-system-shutdown.service /usr/lib/systemd/system/microcode.service /usr/lib/systemd/system/systemd-kexec.service
/usr/lib/systemd/system/chrony-dnssrv@.service /usr/lib/systemd/system/mongod.service /usr/lib/systemd/system/systemd-localed.service
/usr/lib/systemd/system/chronyd.service /usr/lib/systemd/system/multipathd.service /usr/lib/systemd/system/systemd-logind.service
/usr/lib/systemd/system/chrony-wait.service /usr/lib/systemd/system/NetworkManager-dispatcher.service /usr/lib/systemd/system/systemd-machined.service
/usr/lib/systemd/system/clean-mount-point@.service /usr/lib/systemd/system/NetworkManager.service /usr/lib/systemd/system/systemd-machine-id-commit.service
/usr/lib/systemd/system/console-getty.service /usr/lib/systemd/system/NetworkManager-wait-online.service /usr/lib/systemd/system/systemd-modules-load.service
/usr/lib/systemd/system/console-shell.service /usr/lib/systemd/system/nginx.service /usr/lib/systemd/system/systemd-nspawn@.service
/usr/lib/systemd/system/containerd.service /usr/lib/systemd/system/openvpn-client@.service /usr/lib/systemd/system/systemd-poweroff.service
/usr/lib/systemd/system/container-getty@.service /usr/lib/systemd/system/openvpn-server@.service /usr/lib/systemd/system/systemd-quotacheck.service
/usr/lib/systemd/system/cpupower.service /usr/lib/systemd/system/openvpn@.service /usr/lib/systemd/system/systemd-random-seed.service
/usr/lib/systemd/system/crond.service /usr/lib/systemd/system/plymouth-halt.service /usr/lib/systemd/system/systemd-readahead-collect.service
/usr/lib/systemd/system/dbus-org.freedesktop.hostname1.service /usr/lib/systemd/system/plymouth-kexec.service /usr/lib/systemd/system/systemd-readahead-done.service
/usr/lib/systemd/system/dbus-org.freedesktop.import1.service /usr/lib/systemd/system/plymouth-poweroff.service /usr/lib/systemd/system/systemd-readahead-drop.service
/usr/lib/systemd/system/dbus-org.freedesktop.locale1.service /usr/lib/systemd/system/plymouth-quit.service /usr/lib/systemd/system/systemd-readahead-replay.service
/usr/lib/systemd/system/dbus-org.freedesktop.login1.service /usr/lib/systemd/system/plymouth-quit-wait.service /usr/lib/systemd/system/systemd-reboot.service
/usr/lib/systemd/system/dbus-org.freedesktop.machine1.service /usr/lib/systemd/system/plymouth-read-write.service /usr/lib/systemd/system/systemd-remount-fs.service
/usr/lib/systemd/system/dbus-org.freedesktop.timedate1.service /usr/lib/systemd/system/plymouth-reboot.service /usr/lib/systemd/system/systemd-rfkill@.service
/usr/lib/systemd/system/dbus.service /usr/lib/systemd/system/plymouth-start.service /usr/lib/systemd/system/systemd-shutdownd.service
/usr/lib/systemd/system/debug-shell.service /usr/lib/systemd/system/plymouth-switch-root.service /usr/lib/systemd/system/systemd-suspend.service
/usr/lib/systemd/system/dm-event.service /usr/lib/systemd/system/polkit.service /usr/lib/systemd/system/systemd-sysctl.service
/usr/lib/systemd/system/docker.service /usr/lib/systemd/system/postfix.service /usr/lib/systemd/system/systemd-timedated.service
/usr/lib/systemd/system/dracut-cmdline.service /usr/lib/systemd/system/quotaon.service /usr/lib/systemd/system/systemd-tmpfiles-clean.service
/usr/lib/systemd/system/dracut-initqueue.service /usr/lib/systemd/system/rc-local.service /usr/lib/systemd/system/systemd-tmpfiles-setup-dev.service
/usr/lib/systemd/system/dracut-mount.service /usr/lib/systemd/system/rdisc.service /usr/lib/systemd/system/systemd-tmpfiles-setup.service
/usr/lib/systemd/system/dracut-pre-mount.service /usr/lib/systemd/system/redis-sentinel.service /usr/lib/systemd/system/systemd-udevd.service
/usr/lib/systemd/system/dracut-pre-pivot.service /usr/lib/systemd/system/redis.service /usr/lib/systemd/system/systemd-udev-settle.service
/usr/lib/systemd/system/dracut-pre-trigger.service /usr/lib/systemd/system/rescue.service /usr/lib/systemd/system/systemd-udev-trigger.service
/usr/lib/systemd/system/dracut-pre-udev.service /usr/lib/systemd/system/rhel-autorelabel-mark.service /usr/lib/systemd/system/systemd-update-done.service
/usr/lib/systemd/system/dracut-shutdown.service /usr/lib/systemd/system/rhel-autorelabel.service /usr/lib/systemd/system/systemd-update-utmp-runlevel.service
/usr/lib/systemd/system/ebtables.service /usr/lib/systemd/system/rhel-configure.service /usr/lib/systemd/system/systemd-update-utmp.service
/usr/lib/systemd/system/elasticsearch.service /usr/lib/systemd/system/rhel-dmesg.service /usr/lib/systemd/system/systemd-user-sessions.service
/usr/lib/systemd/system/emergency.service /usr/lib/systemd/system/rhel-domainname.service /usr/lib/systemd/system/systemd-vconsole-setup.service
/usr/lib/systemd/system/firewalld.service /usr/lib/systemd/system/rhel-import-state.service /usr/lib/systemd/system/tcsd.service
/usr/lib/systemd/system/flatpak-system-helper.service /usr/lib/systemd/system/rhel-loadmodules.service /usr/lib/systemd/system/teamd@.service
/usr/lib/systemd/system/fstrim.service /usr/lib/systemd/system/rhel-readonly.service /usr/lib/systemd/system/trace-cmd.service
/usr/lib/systemd/system/geoclue.service /usr/lib/systemd/system/rsyslog.service /usr/lib/systemd/system/tuned.service
/usr/lib/systemd/system/getty@.service /usr/lib/systemd/system/selinux-policy-migrate-local-changes@.service /usr/lib/systemd/system/udisks2.service
/usr/lib/systemd/system/halt-local.service /usr/lib/systemd/system/serial-getty@.service /usr/lib/systemd/system/unbound-anchor.service
/usr/lib/systemd/system/initrd-cleanup.service /usr/lib/systemd/system/sshd-keygen.service /usr/lib/systemd/system/upower.service
/usr/lib/systemd/system/initrd-parse-etc.service /usr/lib/systemd/system/sshd.service /usr/lib/systemd/system/usbmuxd.service
/usr/lib/systemd/system/initrd-switch-root.service /usr/lib/systemd/system/sshd@.service /usr/lib/systemd/system/vgauthd.service
/usr/lib/systemd/system/initrd-udevadm-cleanup-db.service /usr/lib/systemd/system/svnserve.service /usr/lib/systemd/system/vmtoolsd.service
/usr/lib/systemd/system/iprdump.service /usr/lib/systemd/system/systemd-ask-password-console.service /usr/lib/systemd/system/wacom-inputattach@.service
/usr/lib/systemd/system/iprinit.service /usr/lib/systemd/system/systemd-ask-password-plymouth.service /usr/lib/systemd/system/wpa_supplicant.service
/usr/lib/systemd/system/iprupdate.service /usr/lib/systemd/system/systemd-ask-password-wall.service /usr/lib/systemd/system/xl2tpd.service
```
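As an added example (not code from the article), the following C function enumerates the .service unit files across those directories with opendir/readdir instead of shelling out, applying the precedence rule that a unit in an earlier directory shadows one of the same name in a later directory. fixture_service_count builds a constructed directory tree under /tmp so the function can be exercised without a real systemd host; on a real host, pass the four directories above, in that order.

```c
#define _XOPEN_SOURCE 700
#include <dirent.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>
#define UNIT_NAME_MAX 256

/* Walk the unit directories in precedence order with opendir/readdir. A name found
 * in an earlier directory shadows the same name later (systemd's override rule), so
 * the baseline records the unit actually in effect. A missing directory is skipped
 * (normal, as the ls output above shows); -1 means no directory at all was readable. */
int collect_services(const char *const dirs[], int ndirs, char names[][UNIT_NAME_MAX], int max)
{
    int count = 0, opened = 0;
    for (int d = 0; d < ndirs; d++) {
        DIR *dp = opendir(dirs[d]);
        if (!dp) continue;
        opened++;
        for (struct dirent *de; (de = readdir(dp)) != NULL && count < max; ) {
            size_t n = strlen(de->d_name);
            if (n < 9 || strcmp(de->d_name + n - 8, ".service") != 0) continue;
            int dup = 0;
            for (int i = 0; i < count && !dup; i++) dup = strcmp(names[i], de->d_name) == 0;
            if (!dup) snprintf(names[count++], UNIT_NAME_MAX, "%s", de->d_name);
        }
        closedir(dp);
    }
    return opened ? count : -1;
}

/* Constructed fixture under /tmp, not a real host: sshd.service is in both dirs and
 * must be counted once; the .socket unit and the absent middle dir must be ignored. */
int fixture_service_count(void)
{
    char root[] = "/tmp/svcbaseXXXXXX", a[64], b[64], f[96];
    if (!mkdtemp(root)) return -1;
    snprintf(a, sizeof a, "%s/etc", root);  mkdir(a, 0700);
    snprintf(b, sizeof b, "%s/lib", root);  mkdir(b, 0700);
    const char *files[] = {"etc/sshd.service", "etc/wazuh-agent.service",
                           "lib/sshd.service", "lib/docker.service", "lib/sshd.socket"};
    for (int i = 0; i < 5; i++) {
        snprintf(f, sizeof f, "%s/%s", root, files[i]);
        close(open(f, O_WRONLY | O_CREAT, 0600));
    }
    const char *dirs[] = {a, "/nonexistent/systemd/system", b};
    char names[16][UNIT_NAME_MAX];
    return collect_services(dirs, 3, names, 16);   /* 3: sshd, wazuh-agent, docker */
}
```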

Getting the current system runlevel: systemd resolves the real runlevel through a symlink; the candidates, in order of priority from highest to lowest, are:
- /etc/systemd/system/default.target
- /run/systemd/system/default.target
- /usr/local/lib/systemd/system/default.target
- /usr/lib/systemd/system/default.target
Getting the current runlevel via systemctl:
```
[root@bogon-agent ~]# systemctl get-default
multi-user.target
```
Getting it via the symlink gives the same result, and the priority is indeed as described above:
```
[root@bogon-agent ~]# ls -l /etc/systemd/system/default.target
lrwxrwxrwx. 1 root root 41 Mar 31 2020 /etc/systemd/system/default.target -> /usr/lib/systemd/system/multi-user.target
[root@bogon-agent ~]# ls -l /usr/lib/systemd/system/default.target
lrwxrwxrwx. 1 root root 16 Nov 27 17:11 /usr/lib/systemd/system/default.target -> graphical.target
```
Getting the services started by default at the current runlevel: the following steps give an exact result.
Step 1: read the target file that default.target resolves to.
```
[root@bogon-agent ~]# cat /etc/systemd/system/default.target
# This file is part of systemd.
#
# systemd is free software; you can redistribute it and/or modify it
# under the terms of the GNU Lesser General Public License as published by
# the Free Software Foundation; either version 2.1 of the License, or
# (at your option) any later version.

[Unit]
Description=Multi-User System
Documentation=man:systemd.special(7)
Requires=basic.target
Conflicts=rescue.service rescue.target
After=basic.target rescue.service rescue.target
AllowIsolate=yes
```
Step 2: find the target.wants directory that corresponds to the actual target file. The current target is multi-user.target, so the directory is multi-user.target.wants. The service files that the symlinks in these directories point to are the system services started by default.
```
[root@bogon-agent ~]# ls -l /etc/systemd/system/multi-user.target.wants/
total 0
lrwxrwxrwx. 1 root root 41 Sep 30 2019 abrt-ccpp.service -> /usr/lib/systemd/system/abrt-ccpp.service
lrwxrwxrwx. 1 root root 43 Sep 30 2019 abrt-vmcore.service -> /usr/lib/systemd/system/abrt-vmcore.service
lrwxrwxrwx. 1 root root 38 Feb 3 17:46 docker.service -> /usr/lib/systemd/system/docker.service
lrwxrwxrwx. 1 root root 42 Sep 30 2019 irqbalance.service -> /usr/lib/systemd/system/irqbalance.service
lrwxrwxrwx. 1 root root 37 Sep 30 2019 kdump.service -> /usr/lib/systemd/system/kdump.service
lrwxrwxrwx. 1 root root 41 Sep 30 2019 mdmonitor.service -> /usr/lib/systemd/system/mdmonitor.service
lrwxrwxrwx. 1 root root 46 Sep 30 2019 NetworkManager.service -> /usr/lib/systemd/system/NetworkManager.service
lrwxrwxrwx. 1 root root 39 Jun 17 2020 postfix.service -> /usr/lib/systemd/system/postfix.service
lrwxrwxrwx. 1 root root 40 Sep 30 2019 remote-fs.target -> /usr/lib/systemd/system/remote-fs.target
lrwxrwxrwx. 1 root root 46 Sep 30 2019 rhel-configure.service -> /usr/lib/systemd/system/rhel-configure.service
lrwxrwxrwx. 1 root root 39 Sep 30 2019 rsyslog.service -> /usr/lib/systemd/system/rsyslog.service
lrwxrwxrwx. 1 root root 36 Sep 30 2019 sshd.service -> /usr/lib/systemd/system/sshd.service
lrwxrwxrwx. 1 root root 37 Sep 30 2019 tuned.service -> /usr/lib/systemd/system/tuned.service
lrwxrwxrwx. 1 root root 40 Sep 30 2019 vmtoolsd.service -> /usr/lib/systemd/system/vmtoolsd.service
lrwxrwxrwx. 1 root root 39 Apr 22 2020 wazuh-agent.service -> /etc/systemd/system/wazuh-agent.service
[root@bogon-agent ~]# ls -l /usr/lib/systemd/system/multi-user.target.wants/
total 0
lrwxrwxrwx. 1 root root 15 Nov 27 17:11 dbus.service -> ../dbus.service
lrwxrwxrwx. 1 root root 15 Nov 27 17:11 getty.target -> ../getty.target
lrwxrwxrwx. 1 root root 24 Nov 27 17:11 plymouth-quit.service -> ../plymouth-quit.service
lrwxrwxrwx. 1 root root 29 Nov 27 17:11 plymouth-quit-wait.service -> ../plymouth-quit-wait.service
lrwxrwxrwx. 1 root root 33 Nov 27 17:11 systemd-ask-password-wall.path -> ../systemd-ask-password-wall.path
lrwxrwxrwx. 1 root root 25 Nov 27 17:11 systemd-logind.service -> ../systemd-logind.service
lrwxrwxrwx. 1 root root 39 Nov 27 17:11 systemd-update-utmp-runlevel.service -> ../systemd-update-utmp-runlevel.service
lrwxrwxrwx. 1 root root 32 Nov 27 17:11 systemd-user-sessions.service -> ../systemd-user-sessions.service
```

Step 3: from the contents of the target file, find the other targets it depends on (the Requires and Wants fields), and repeat steps 1 and 2 for each of them until all service files have been collected.
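Step 3 needs the Requires= and Wants= values of each target file. As an added example, not code from the article, here is a C parser that extracts them from a unit file already read into memory, restricting itself to the [Unit] section and de-duplicating; SAMPLE_TARGET is a constructed input based on the multi-user.target shown above. The entries of the .wants directories are listed the same way as the service directories, with opendir/readdir.

```c
#include <string.h>

#define UNIT_NAME_MAX 256

/* Append s[0..len) to out unless it is empty, oversized or already listed. */
static int add_unique(char out[][UNIT_NAME_MAX], int n, int max, const char *s, size_t len)
{
    if (len == 0 || len >= UNIT_NAME_MAX || n >= max) return n;
    for (int i = 0; i < n; i++)
        if (strlen(out[i]) == len && memcmp(out[i], s, len) == 0) return n;
    memcpy(out[n], s, len);
    out[n][len] = '\0';
    return n + 1;
}

/* Collect the units named by Requires= and Wants= in the [Unit] section of a unit file
 * that has been read into memory with open/read/close. Values are space separated, a
 * key may repeat, and the same keys in other sections (e.g. [Install]) are ignored.
 * Returns the number of distinct dependencies written to out. */
int parse_unit_deps(const char *text, char out[][UNIT_NAME_MAX], int max)
{
    int n = 0, in_unit = 0;
    for (const char *line = text; *line; line += strcspn(line, "\n"), line += *line == '\n') {
        const char *v = NULL;
        if (line[0] == '[') in_unit = strncmp(line, "[Unit]", 6) == 0;
        else if (in_unit && strncmp(line, "Requires=", 9) == 0) v = line + 9;
        else if (in_unit && strncmp(line, "Wants=", 6) == 0) v = line + 6;
        while (v && *v && *v != '\n') {              /* split the value on spaces */
            size_t w = strcspn(v, " \n");
            n = add_unique(out, n, max, v, w);
            v += w + (v[w] == ' ');
        }
    }
    return n;
}

/* Constructed sample, not a file from a real host: the multi-user.target shown above,
 * plus a Wants= line with a double space, a repeated Requires= and a decoy key outside
 * [Unit]. Expected result: basic.target, getty.target, remote-fs.target. */
static const char SAMPLE_TARGET[] =
    "[Unit]\nDescription=Multi-User System\nRequires=basic.target\n"
    "Conflicts=rescue.service rescue.target\nWants=getty.target  remote-fs.target\n"
    "Requires=basic.target\nAllowIsolate=yes\n\n[Install]\nWants=not-a-dependency.target\n";

int sample_dep_count(void)
{
    static char deps[8][UNIT_NAME_MAX];
    return parse_unit_deps(SAMPLE_TARGET, deps, 8);   /* 3 */
}
```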
Once the service baseline is built, the dynamic state of the services is needed as well: how many services are running, and how many processes each service has. This collection must run on a schedule and be compared with the previous result in order to detect anomalies.
The remaining content is on my WeChat public account debugeeker; the link is The Last Line of Defence: Linux System Service Detection.