File Integrity Management Overview
What Is File Integrity Management
File integrity management monitors key files and directories on a server in real time. It raises alarms for, and records, the creation, modification, deletion and moving of files or directories, as well as changes to file or directory attributes, so that you can detect potentially malicious changes in time.
How File Integrity Monitoring Works
The file state recorded at the previous scan is compared with the current file state to determine whether a file has been changed in a suspicious way.
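The comparison described above can be made concrete with a small baseline-and-diff check. The following is an added example written for this page; it is not HSS agent code, and the function names (`snapshot`, `diff_snapshots`, `demo`), the event-classification rules and the sample files (constructed in a temporary directory under made-up `etc/` paths) are all assumptions of the example. It records, per regular file, a SHA-256 digest plus permission bits and owner, then classifies the differences between two snapshots into the same event types the tables on this page use (create, modify, delete, move, attribute change). The `recurse` and `suffixes` parameters mirror the "monitor subdirectories" and Windows "file type suffix" columns. One caveat a real deployment shares with this toy: the baseline is only trustworthy if it was taken before any compromise, since a file already present at baseline time is treated as normal.

```python
# Added example (not HSS agent code): minimal baseline-and-diff file integrity check.
import hashlib
import os
import shutil
import stat
import tempfile
from dataclasses import dataclass


@dataclass(frozen=True)
class Entry:
    digest: str  # SHA-256 of file content
    mode: int    # permission bits only (S_IMODE), not the file-type bits
    uid: int
    gid: int


def _sha256(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root, recurse=True, suffixes=None):
    """Map absolute path -> Entry for every regular file under root.

    recurse=False behaves like an entry whose "monitor subdirectories" flag is off;
    suffixes such as (".exe", ".dll") behave like the Windows "file type suffix" filter.
    """
    entries = {}
    for dirpath, dirnames, filenames in os.walk(root):
        if not recurse:
            dirnames[:] = []  # prune: do not descend below root
        for name in filenames:
            if suffixes and not name.lower().endswith(tuple(suffixes)):
                continue
            path = os.path.join(dirpath, name)
            st = os.lstat(path)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are not hashed here
            entries[path] = Entry(_sha256(path), stat.S_IMODE(st.st_mode), st.st_uid, st.st_gid)
    return entries


def diff_snapshots(old, new):
    """Classify the differences between two snapshots into FIM event types."""
    events = {"created": [], "modified": [], "deleted": [], "moved": [], "attr_changed": []}
    gone = set(old) - set(new)
    for path in sorted(set(new) - set(old)):
        # A move appears as one vanished path plus one new path with identical content.
        # A file that was moved *and* edited is reported as delete + create instead.
        origin = next((g for g in sorted(gone) if old[g].digest == new[path].digest), None)
        if origin is None:
            events["created"].append(path)
        else:
            events["moved"].append((origin, path))
            gone.discard(origin)
    events["deleted"].extend(sorted(gone))
    for path in sorted(set(old) & set(new)):
        o, n = old[path], new[path]
        if o.digest != n.digest:
            events["modified"].append(path)  # a content change outranks an attribute change
        elif (o.mode, o.uid, o.gid) != (n.mode, n.uid, n.gid):
            events["attr_changed"].append(path)
    return events


def demo():
    """Constructed scenario in a temp dir (POSIX); the etc/ paths are made up for the example."""
    root = tempfile.mkdtemp(prefix="fim-demo-")

    def write(rel, data):
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as f:
            f.write(data)
        os.chmod(path, 0o644)  # fixed baseline mode regardless of umask
        return path

    try:
        crontab = write("etc/crontab", b"0 3 * * * root /usr/local/bin/backup\n")
        preload = write("etc/ld.so.preload", b"")
        profile = write("etc/profile", b"export PATH=/usr/local/bin:/usr/bin\n")
        shells = write("etc/shells", b"/bin/sh\n/bin/bash\n")
        baseline = snapshot(root)

        with open(preload, "ab") as f:          # content modified (preload-library pattern)
            f.write(b"/tmp/libevil.so\n")
        os.chmod(profile, 0o777)                # attribute change only
        os.rename(shells, shells + ".bak")      # moved, content untouched
        write("etc/cron.d/persist", b"* * * * * root /tmp/.x\n")  # created
        os.remove(crontab)                      # deleted
        events = diff_snapshots(baseline, snapshot(root))
    finally:
        shutil.rmtree(root, ignore_errors=True)

    def rel(p):
        return os.path.relpath(p, root).replace(os.sep, "/")

    return {
        "created": [rel(p) for p in events["created"]],
        "modified": [rel(p) for p in events["modified"]],
        "deleted": [rel(p) for p in events["deleted"]],
        "moved": [(rel(a), rel(b)) for a, b in events["moved"]],
        "attr_changed": [rel(p) for p in events["attr_changed"]],
    }


if __name__ == "__main__":
    for kind, items in demo().items():
        print(f"{kind:13s} {items}")
```

Running the block prints one line per event type for the constructed scenario. Move detection by digest match is deliberately simple: two vanished files with identical content are paired with the first new file that matches, so in a real agent you would also consult inode numbers or kernel file-event notifications rather than rely on content alone.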
File Integrity Monitoring Scope
The monitored content and scope differ by operating system, as follows:
Linux file integrity monitoring supports the following two monitoring modes:
- Key file integrity detection
Monitors key system files (for example ls, ps, login and top) in real time, raises an alarm for and records any operation that modifies file content, and reminds you that a key file may have been tampered with. For the default monitored files, see Table 1.
- Key file directory change detection
Monitors system files or directories, records the creation, modification, deletion and moving of files or directories and changes to their attributes, and reminds you that a file or directory may have been tampered with. For the default monitored paths in routine operations mode, see Table 2; for those in 护网重保 (HVV critical-period protection) mode, see Table 3.
To add or remove monitored file or directory paths, modify the "Key file integrity detection" and "Key file directory change detection" sections of the "File Protection" policy. For details, see Configuring Policies.
Table 1 Default monitored files for key file integrity detection

| Type | Monitored files |
|---|---|
| bin | |
| usr | |
Table 2 Default monitored paths for key file directory change detection (routine operations mode)

| File or directory path | Alias | Monitor subdirectories | Monitor creation | Monitor attribute modification | Monitor deletion | Monitor moving | Monitor modification |
|---|---|---|---|---|---|---|---|
| /etc/rc.d/rc.local | rx-local | × | √ | × | √ | √ | √ |
| /etc/crontab | crontab | × | √ | × | √ | √ | √ |
| /var/spool/cron/root | spool-cron | × | √ | × | √ | √ | √ |
| /var/spool/cron/crontabs/root | spool-cron | × | √ | × | √ | √ | √ |
| /etc/cron.allow | cron-allow | × | √ | × | √ | √ | √ |
| /etc/passwd | passwd | × | √ | × | √ | √ | √ |
| /etc/profile.d/zzz_euleros_history.sh | zzz_euleros_history_sh | × | √ | × | √ | √ | √ |
| /etc/profile | profile | × | √ | × | √ | √ | √ |
| /root/.bashrc | bashrc | × | √ | × | √ | √ | √ |
| /root/.bash_profile | bash_profile | × | √ | × | √ | √ | √ |
| /root/.cshrc | cshrc | × | √ | × | √ | √ | √ |
| /etc/ld.so.preload | so_preload | × | √ | × | √ | √ | √ |
| /etc/profile.d/sec_euleros_history.sh | sec_euleros_history_sh | × | √ | × | √ | √ | √ |
| /etc/shells | shells | × | √ | × | √ | √ | √ |
| /usr/sbin/adduser | usr_sbin_adduser | × | √ | × | √ | √ | √ |
| /usr/sbin/chkconfig | usr_sbin_chkconfig | × | √ | × | √ | √ | √ |
| /usr/sbin/chroot | usr_sbin_chroot | × | √ | × | √ | √ | √ |
| /usr/sbin/depmod | usr_sbin_depmod | × | √ | × | √ | √ | √ |
| /usr/sbin/fsck | usr_sbin_fsck | × | √ | × | √ | √ | √ |
| /usr/sbin/fuser | usr_sbin_fuser | × | √ | × | √ | √ | √ |
| /usr/sbin/groupadd | usr_sbin_groupadd | × | √ | × | √ | √ | √ |
| /usr/sbin/groupdel | usr_sbin_groupdel | × | √ | × | √ | √ | √ |
| /usr/sbin/groupmod | usr_sbin_groupmod | × | √ | × | √ | √ | √ |
| /usr/sbin/grpck | usr_sbin_grpck | × | √ | × | √ | √ | √ |
| /usr/sbin/ifconfig | usr_sbin_ifconfig | × | √ | × | √ | √ | √ |
| /usr/sbin/ifdown | usr_sbin_ifdown | × | √ | × | √ | √ | √ |
| /usr/sbin/ifup | usr_sbin_ifup | × | √ | × | √ | √ | √ |
| /usr/sbin/init | usr_sbin_init | × | √ | × | √ | √ | √ |
| /usr/sbin/insmod | usr_sbin_insmod | × | √ | × | √ | √ | √ |
| /usr/sbin/ip | usr_sbin_ip | × | √ | × | √ | √ | √ |
| /usr/sbin/lsmod | usr_sbin_lsmod | × | √ | × | √ | √ | √ |
| /usr/sbin/lsof | usr_sbin_lsof | × | √ | × | √ | √ | √ |
| /usr/sbin/modinfo | usr_sbin_modinfo | × | √ | × | √ | √ | √ |
| /usr/sbin/modprobe | usr_sbin_modprobe | × | √ | × | √ | √ | √ |
| /usr/sbin/nologin | usr_sbin_nologin | × | √ | × | √ | √ | √ |
| /usr/sbin/pwck | usr_sbin_pwck | × | √ | × | √ | √ | √ |
| /usr/sbin/rmmod | usr_sbin_rmmod | × | √ | × | √ | √ | √ |
| /usr/sbin/route | usr_sbin_route | × | √ | × | √ | √ | √ |
| /usr/sbin/rsyslogd | usr_sbin_rsyslogd | × | √ | × | √ | √ | √ |
| /usr/sbin/runlevel | usr_sbin_runlevel | × | √ | × | √ | √ | √ |
| /usr/sbin/sestatus | usr_sbin_sestatus | × | √ | × | √ | √ | √ |
| /usr/sbin/sshd | usr_sbin_sshd | × | √ | × | √ | √ | √ |
| /usr/sbin/sulogin | usr_sbin_sulogin | × | √ | × | √ | √ | √ |
| /usr/sbin/sysctl | usr_sbin_sysctl | × | √ | × | √ | √ | √ |
| /usr/sbin/useradd | usr_sbin_useradd | × | √ | × | √ | √ | √ |
| /usr/sbin/userdel | usr_sbin_userdel | × | √ | × | √ | √ | √ |
| /usr/sbin/usermod | usr_sbin_usermod | × | √ | × | √ | √ | √ |
| /usr/sbin/vipw | usr_sbin_vipw | × | √ | × | √ | √ | √ |
| /usr/bin/awk | usr_bin_awk | × | √ | × | √ | √ | √ |
| /usr/bin/basename | usr_bin_basename | × | √ | × | √ | √ | √ |
| /usr/bin/bash | usr_bin_bash | × | √ | × | √ | √ | √ |
| /usr/bin/cat | usr_bin_cat | × | √ | × | √ | √ | √ |
| /usr/bin/chattr | usr_bin_chattr | × | √ | × | √ | √ | √ |
| /usr/bin/chmod | usr_bin_chmod | × | √ | × | √ | √ | √ |
| /usr/bin/chown | usr_bin_chown | × | √ | × | √ | √ | √ |
| /usr/bin/cp | usr_bin_cp | × | √ | × | √ | √ | √ |
| /usr/bin/curl | usr_bin_curl | × | √ | × | √ | √ | √ |
| /usr/bin/cut | usr_bin_cut | × | √ | × | √ | √ | √ |
| /usr/bin/date | usr_bin_date | × | √ | × | √ | √ | √ |
| /usr/bin/df | usr_bin_df | × | √ | × | √ | √ | √ |
| /usr/bin/diff | usr_bin_diff | × | √ | × | √ | √ | √ |
| /usr/bin/dirname | usr_bin_dirname | × | √ | × | √ | √ | √ |
| /usr/bin/dmesg | usr_bin_dmesg | × | √ | × | √ | √ | √ |
| /usr/bin/du | usr_bin_du | × | √ | × | √ | √ | √ |
| /usr/bin/echo | usr_bin_echo | × | √ | × | √ | √ | √ |
| /usr/bin/ed | usr_bin_ed | × | √ | × | √ | √ | √ |
| /usr/bin/egrep | usr_bin_egrep | × | √ | × | √ | √ | √ |
| /usr/bin/env | usr_bin_env | × | √ | × | √ | √ | √ |
| /usr/bin/fgrep | usr_bin_fgrep | × | √ | × | √ | √ | √ |
| /usr/bin/file | usr_bin_file | × | √ | × | √ | √ | √ |
| /usr/bin/find | usr_bin_find | × | √ | × | √ | √ | √ |
| /usr/bin/grep | usr_bin_grep | × | √ | × | √ | √ | √ |
| /usr/bin/groups | usr_bin_groups | × | √ | × | √ | √ | √ |
| /usr/bin/head | usr_bin_head | × | √ | × | √ | √ | √ |
| /usr/bin/id | usr_bin_id | × | √ | × | √ | √ | √ |
| /usr/bin/ipcs | usr_bin_ipcs | × | √ | × | √ | √ | √ |
| /usr/bin/kill | usr_bin_kill | × | √ | × | √ | √ | √ |
| /usr/bin/killall | usr_bin_killall | × | √ | × | √ | √ | √ |
| /usr/bin/last | usr_bin_last | × | √ | × | √ | √ | √ |
| /usr/bin/lastlog | usr_bin_lastlog | × | √ | × | √ | √ | √ |
| /usr/bin/ldd | usr_bin_ldd | × | √ | × | √ | √ | √ |
| /usr/bin/less | usr_bin_less | × | √ | × | √ | √ | √ |
| /usr/bin/logger | usr_bin_logger | × | √ | × | √ | √ | √ |
| /usr/bin/login | usr_bin_login | × | √ | × | √ | √ | √ |
| /usr/bin/ls | usr_bin_ls | × | √ | × | √ | √ | √ |
| /usr/bin/lsattr | usr_bin_lsattr | × | √ | × | √ | √ | √ |
| /usr/bin/mail | usr_bin_mail | × | √ | × | √ | √ | √ |
| /usr/bin/md5sum | usr_bin_md5sum | × | √ | × | √ | √ | √ |
| /usr/bin/mktemp | usr_bin_mktemp | × | √ | × | √ | √ | √ |
| /usr/bin/more | usr_bin_more | × | √ | × | √ | √ | √ |
| /usr/bin/mount | usr_bin_mount | × | √ | × | √ | √ | √ |
| /usr/bin/mv | usr_bin_mv | × | √ | × | √ | √ | √ |
| /usr/bin/netstat | usr_bin_netstat | × | √ | × | √ | √ | √ |
| /usr/bin/newgrp | usr_bin_newgrp | × | √ | × | √ | √ | √ |
| /usr/bin/passwd | usr_bin_passwd | × | √ | × | √ | √ | √ |
| /usr/bin/perl | usr_bin_perl | × | √ | × | √ | √ | √ |
| /usr/bin/pgrep | usr_bin_pgrep | × | √ | × | √ | √ | √ |
| /usr/bin/ping | usr_bin_ping | × | √ | × | √ | √ | √ |
| /usr/bin/pkill | usr_bin_pkill | × | √ | × | √ | √ | √ |
| /usr/bin/ps | usr_bin_ps | × | √ | × | √ | √ | √ |
| /usr/bin/pstree | usr_bin_pstree | × | √ | × | √ | √ | √ |
| /usr/bin/pwd | usr_bin_pwd | × | √ | × | √ | √ | √ |
| /usr/bin/readlink | usr_bin_readlink | × | √ | × | √ | √ | √ |
| /usr/bin/rpm | usr_bin_rpm | × | √ | × | √ | √ | √ |
| /usr/bin/runcon | usr_bin_runcon | × | √ | × | √ | √ | √ |
| /usr/bin/sed | usr_bin_sed | × | √ | × | √ | √ | √ |
| /usr/bin/sh | usr_bin_sh | × | √ | × | √ | √ | √ |
| /usr/bin/sha1sum | usr_bin_sha1sum | × | √ | × | √ | √ | √ |
| /usr/bin/sha224sum | usr_bin_sha224sum | × | √ | × | √ | √ | √ |
| /usr/bin/sha256sum | usr_bin_sha256sum | × | √ | × | √ | √ | √ |
| /usr/bin/sha384sum | usr_bin_sha384sum | × | √ | × | √ | √ | √ |
| /usr/bin/sha512sum | usr_bin_sha512sum | × | √ | × | √ | √ | √ |
| /usr/bin/size | usr_bin_size | × | √ | × | √ | √ | √ |
| /usr/bin/sort | usr_bin_sort | × | √ | × | √ | √ | √ |
| /usr/bin/ssh | usr_bin_ssh | × | √ | × | √ | √ | √ |
| /usr/bin/stat | usr_bin_stat | × | √ | × | √ | √ | √ |
| /usr/bin/strace | usr_bin_strace | × | √ | × | √ | √ | √ |
| /usr/bin/strings | usr_bin_strings | × | √ | × | √ | √ | √ |
| /usr/bin/su | usr_bin_su | × | √ | × | √ | √ | √ |
| /usr/bin/sudo | usr_bin_sudo | × | √ | × | √ | √ | √ |
| /usr/bin/tail | usr_bin_tail | × | √ | × | √ | √ | √ |
| /usr/bin/test | usr_bin_test | × | √ | × | √ | √ | √ |
| /usr/bin/top | usr_bin_top | × | √ | × | √ | √ | √ |
| /usr/bin/touch | usr_bin_touch | × | √ | × | √ | √ | √ |
| /usr/bin/tr | usr_bin_tr | × | √ | × | √ | √ | √ |
| /usr/bin/uname | usr_bin_uname | × | √ | × | √ | √ | √ |
| /usr/bin/uniq | usr_bin_uniq | × | √ | × | √ | √ | √ |
| /usr/bin/users | usr_bin_users | × | √ | × | √ | √ | √ |
| /usr/bin/vmstat | usr_bin_vmstat | × | √ | × | √ | √ | √ |
| /usr/bin/w | usr_bin_w | × | √ | × | √ | √ | √ |
| /usr/bin/watch | usr_bin_watch | × | √ | × | √ | √ | √ |
| /usr/bin/wc | usr_bin_wc | × | √ | × | √ | √ | √ |
| /usr/bin/wget | usr_bin_wget | × | √ | × | √ | √ | √ |
| /usr/bin/whatis | usr_bin_whatis | × | √ | × | √ | √ | √ |
| /usr/bin/whereis | usr_bin_whereis | × | √ | × | √ | √ | √ |
| /usr/bin/which | usr_bin_which | × | √ | × | √ | √ | √ |
| /usr/bin/who | usr_bin_who | × | √ | × | √ | √ | √ |
| /usr/bin/whoami | usr_bin_whoami | × | √ | × | √ | √ | √ |
| /usr/bin/numfmt | usr_bin_numfmt | × | √ | × | √ | √ | √ |
| /usr/bin/kmod | usr_bin_kmod | × | √ | × | √ | √ | √ |
| /usr/bin/systemctl | usr_bin_systemctl | × | √ | × | √ | √ | √ |
| /usr/bin/gawk | usr_bin_gawk | × | √ | × | √ | √ | √ |
| /usr/bin/mailx | usr_bin_mailx | × | √ | × | √ | √ | √ |
| /usr/lib/systemd/systemd | usr_lib_systemd_systemd | × | √ | × | √ | √ | √ |
| /usr/bin/nmcli | usr_bin_nmcli | × | √ | × | √ | √ | √ |
| /usr/bin/scp | usr_bin_scp | × | √ | × | √ | √ | √ |
| /usr/bin/tar | usr_bin_tar | × | √ | × | √ | √ | √ |
| /usr/bin/chfn | usr_bin_chfn | × | √ | × | √ | √ | √ |
| /usr/bin/chsh | usr_bin_chsh | × | √ | × | √ | √ | √ |
| /usr/bin/crontab | usr_bin_crontab | × | √ | × | √ | √ | √ |
| /usr/sbin/pidof | usr_sbin_pidof | × | √ | × | √ | √ | √ |
| /usr/bin/slogin | usr_bin_slogin | × | √ | × | √ | √ | √ |
| /usr/sbin/sendmail | usr_sbin_sendmail | × | √ | × | √ | √ | √ |
| /usr/sbin/tcpdump | usr_sbin_tcpdump | × | √ | × | √ | √ | √ |
| /sbin/adduser | sbin_adduser | × | √ | × | √ | √ | √ |
| /sbin/chkconfig | sbin_chkconfig | × | √ | × | √ | √ | √ |
| /sbin/chroot | sbin_chroot | × | √ | × | √ | √ | √ |
| /sbin/depmod | sbin_depmod | × | √ | × | √ | √ | √ |
| /sbin/fsck | sbin_fsck | × | √ | × | √ | √ | √ |
| /sbin/fuser | sbin_fuser | × | √ | × | √ | √ | √ |
| /sbin/groupadd | sbin_groupadd | × | √ | × | √ | √ | √ |
| /sbin/groupdel | sbin_groupdel | × | √ | × | √ | √ | √ |
| /sbin/groupmod | sbin_groupmod | × | √ | × | √ | √ | √ |
| /sbin/grpck | sbin_grpck | × | √ | × | √ | √ | √ |
| /sbin/ifconfig | sbin_ifconfig | × | √ | × | √ | √ | √ |
| /sbin/ifdown | sbin_ifdown | × | √ | × | √ | √ | √ |
| /sbin/ifup | sbin_ifup | × | √ | × | √ | √ | √ |
| /sbin/init | sbin_init | × | √ | × | √ | √ | √ |
| /sbin/insmod | sbin_insmod | × | √ | × | √ | √ | √ |
| /sbin/ip | sbin_ip | × | √ | × | √ | √ | √ |
| /sbin/lsmod | sbin_lsmod | × | √ | × | √ | √ | √ |
| /sbin/lsof | sbin_lsof | × | √ | × | √ | √ | √ |
| /sbin/modinfo | sbin_modinfo | × | √ | × | √ | √ | √ |
| /sbin/modprobe | sbin_modprobe | × | √ | × | √ | √ | √ |
| /sbin/nologin | sbin_nologin | × | √ | × | √ | √ | √ |
| /sbin/pwck | sbin_pwck | × | √ | × | √ | √ | √ |
| /sbin/rmmod | sbin_rmmod | × | √ | × | √ | √ | √ |
| /sbin/route | sbin_route | × | √ | × | √ | √ | √ |
| /sbin/rsyslogd | sbin_rsyslogd | × | √ | × | √ | √ | √ |
| /sbin/runlevel | sbin_runlevel | × | √ | × | √ | √ | √ |
| /sbin/sestatus | sbin_sestatus | × | √ | × | √ | √ | √ |
| /sbin/sshd | sbin_sshd | × | √ | × | √ | √ | √ |
| /sbin/sulogin | sbin_sulogin | × | √ | × | √ | √ | √ |
| /sbin/sysctl | sbin_sysctl | × | √ | × | √ | √ | √ |
| /sbin/useradd | sbin_useradd | × | √ | × | √ | √ | √ |
| /sbin/userdel | sbin_userdel | × | √ | × | √ | √ | √ |
| /sbin/usermod | sbin_usermod | × | √ | × | √ | √ | √ |
| /sbin/vipw | sbin_vipw | × | √ | × | √ | √ | √ |
| /sbin/pidof | sbin_pidof | × | √ | × | √ | √ | √ |
| /sbin/sendmail | sbin_sendmail | × | √ | × | √ | √ | √ |
| /sbin/tcpdump | sbin_tcpdump | × | √ | × | √ | √ | √ |
| /usr/bin/vdir | usr_bin_vdir | × | √ | × | √ | √ | √ |
| /usr/bin/write | usr_bin_write | × | √ | × | √ | √ | √ |
| /bin/awk | bin_awk | × | √ | × | √ | √ | √ |
| /bin/basename | bin_basename | × | √ | × | √ | √ | √ |
| /bin/bash | bin_bash | × | √ | × | √ | √ | √ |
| /bin/cat | bin_cat | × | √ | × | √ | √ | √ |
| /bin/chattr | bin_chattr | × | √ | × | √ | √ | √ |
| /bin/chmod | bin_chmod | × | √ | × | √ | √ | √ |
| /bin/chown | bin_chown | × | √ | × | √ | √ | √ |
| /bin/cp | bin_cp | × | √ | × | √ | √ | √ |
| /bin/curl | bin_curl | × | √ | × | √ | √ | √ |
| /bin/cut | bin_cut | × | √ | × | √ | √ | √ |
| /bin/date | bin_date | × | √ | × | √ | √ | √ |
| /bin/df | bin_df | × | √ | × | √ | √ | √ |
| /bin/diff | bin_diff | × | √ | × | √ | √ | √ |
| /bin/dirname | bin_dirname | × | √ | × | √ | √ | √ |
| /bin/dmesg | bin_dmesg | × | √ | × | √ | √ | √ |
| /bin/du | bin_du | × | √ | × | √ | √ | √ |
| /bin/echo | bin_echo | × | √ | × | √ | √ | √ |
| /bin/ed | bin_ed | × | √ | × | √ | √ | √ |
| /bin/egrep | bin_egrep | × | √ | × | √ | √ | √ |
| /bin/env | bin_env | × | √ | × | √ | √ | √ |
| /bin/fgrep | bin_fgrep | × | √ | × | √ | √ | √ |
| /bin/file | bin_file | × | √ | × | √ | √ | √ |
| /bin/find | bin_find | × | √ | × | √ | √ | √ |
| /bin/grep | bin_grep | × | √ | × | √ | √ | √ |
| /bin/groups | bin_groups | × | √ | × | √ | √ | √ |
| /bin/head | bin_head | × | √ | × | √ | √ | √ |
| /bin/id | bin_id | × | √ | × | √ | √ | √ |
| /bin/ipcs | bin_ipcs | × | √ | × | √ | √ | √ |
| /bin/kill | bin_kill | × | √ | × | √ | √ | √ |
| /bin/killall | bin_killall | × | √ | × | √ | √ | √ |
| /bin/last | bin_last | × | √ | × | √ | √ | √ |
| /bin/lastlog | bin_lastlog | × | √ | × | √ | √ | √ |
| /bin/ldd | bin_ldd | × | √ | × | √ | √ | √ |
| /bin/less | bin_less | × | √ | × | √ | √ | √ |
| /bin/logger | bin_logger | × | √ | × | √ | √ | √ |
| /bin/login | bin_login | × | √ | × | √ | √ | √ |
| /bin/ls | bin_ls | × | √ | × | √ | √ | √ |
| /bin/lsattr | bin_lsattr | × | √ | × | √ | √ | √ |
| /bin/mail | bin_mail | × | √ | × | √ | √ | √ |
| /bin/md5sum | bin_md5sum | × | √ | × | √ | √ | √ |
| /bin/mktemp | bin_mktemp | × | √ | × | √ | √ | √ |
| /bin/more | bin_more | × | √ | × | √ | √ | √ |
| /bin/mount | bin_mount | × | √ | × | √ | √ | √ |
| /bin/mv | bin_mv | × | √ | × | √ | √ | √ |
| /bin/netstat | bin_netstat | × | √ | × | √ | √ | √ |
| /bin/newgrp | bin_newgrp | × | √ | × | √ | √ | √ |
| /bin/passwd | bin_passwd | × | √ | × | √ | √ | √ |
| /bin/perl | bin_perl | × | √ | × | √ | √ | √ |
| /bin/pgrep | bin_pgrep | × | √ | × | √ | √ | √ |
| /bin/ping | bin_ping | × | √ | × | √ | √ | √ |
| /bin/pkill | bin_pkill | × | √ | × | √ | √ | √ |
| /bin/ps | bin_ps | × | √ | × | √ | √ | √ |
| /bin/pstree | bin_pstree | × | √ | × | √ | √ | √ |
| /bin/pwd | bin_pwd | × | √ | × | √ | √ | √ |
| /bin/readlink | bin_readlink | × | √ | × | √ | √ | √ |
| /bin/rpm | bin_rpm | × | √ | × | √ | √ | √ |
| /bin/runcon | bin_runcon | × | √ | × | √ | √ | √ |
| /bin/sed | bin_sed | × | √ | × | √ | √ | √ |
| /bin/sh | bin_sh | × | √ | × | √ | √ | √ |
| /bin/sha1sum | bin_sha1sum | × | √ | × | √ | √ | √ |
| /bin/sha224sum | bin_sha224sum | × | √ | × | √ | √ | √ |
| /bin/sha256sum | bin_sha256sum | × | √ | × | √ | √ | √ |
| /bin/sha384sum | bin_sha384sum | × | √ | × | √ | √ | √ |
| /bin/sha512sum | bin_sha512sum | × | √ | × | √ | √ | √ |
| /bin/size | bin_size | × | √ | × | √ | √ | √ |
| /bin/sort | bin_sort | × | √ | × | √ | √ | √ |
| /bin/ssh | bin_ssh | × | √ | × | √ | √ | √ |
| /bin/stat | bin_stat | × | √ | × | √ | √ | √ |
| /bin/strace | bin_strace | × | √ | × | √ | √ | √ |
| /bin/strings | bin_strings | × | √ | × | √ | √ | √ |
| /bin/su | bin_su | × | √ | × | √ | √ | √ |
| /bin/sudo | bin_sudo | × | √ | × | √ | √ | √ |
| /bin/tail | bin_tail | × | √ | × | √ | √ | √ |
| /bin/test | bin_test | × | √ | × | √ | √ | √ |
| /bin/top | bin_top | × | √ | × | √ | √ | √ |
| /bin/touch | bin_touch | × | √ | × | √ | √ | √ |
| /bin/tr | bin_tr | × | √ | × | √ | √ | √ |
| /bin/uname | bin_uname | × | √ | × | √ | √ | √ |
| /bin/uniq | bin_uniq | × | √ | × | √ | √ | √ |
| /bin/users | bin_users | × | √ | × | √ | √ | √ |
| /bin/vmstat | bin_vmstat | × | √ | × | √ | √ | √ |
| /bin/w | bin_w | × | √ | × | √ | √ | √ |
| /bin/watch | bin_watch | × | √ | × | √ | √ | √ |
| /bin/wc | bin_wc | × | √ | × | √ | √ | √ |
| /bin/wget | bin_wget | × | √ | × | √ | √ | √ |
| /bin/whatis | bin_whatis | × | √ | × | √ | √ | √ |
| /bin/whereis | bin_whereis | × | √ | × | √ | √ | √ |
| /bin/which | bin_which | × | √ | × | √ | √ | √ |
| /bin/who | bin_who | × | √ | × | √ | √ | √ |
| /bin/whoami | bin_whoami | × | √ | × | √ | √ | √ |
| /bin/numfmt | bin_numfmt | × | √ | × | √ | √ | √ |
| /bin/kmod | bin_kmod | × | √ | × | √ | √ | √ |
| /bin/systemctl | bin_systemctl | × | √ | × | √ | √ | √ |
| /bin/gawk | bin_gawk | × | √ | × | √ | √ | √ |
| /bin/mailx | bin_mailx | × | √ | × | √ | √ | √ |
| /bin/nmcli | bin_nmcli | × | √ | × | √ | √ | √ |
| /bin/scp | bin_scp | × | √ | × | √ | √ | √ |
| /bin/tar | bin_tar | × | √ | × | √ | √ | √ |
| /bin/chfn | bin_chfn | × | √ | × | √ | √ | √ |
| /bin/chsh | bin_chsh | × | √ | × | √ | √ | √ |
| /bin/crontab | bin_crontab | × | √ | × | √ | √ | √ |
| /bin/slogin | bin_slogin | × | √ | × | √ | √ | √ |
| /bin/vdir | bin_vdir | × | √ | × | √ | √ | √ |
| /bin/write | bin_write | × | √ | × | √ | √ | √ |

√: monitored; ×: not monitored. In routine operations mode every default entry is an individual file with subdirectory monitoring off, and attribute changes (for example a chmod or chown on the file) are not monitored for any entry; only creation, deletion, moving and content modification raise events.
Table 3 Default monitored paths for key file directory change detection (护网重保 / HVV critical-period protection mode)

| File or directory path | Alias | Monitor subdirectories | Monitor creation | Monitor attribute modification | Monitor deletion | Monitor moving | Monitor modification |
|---|---|---|---|---|---|---|---|
| /etc/init.d | startup | √ | √ | √ | √ | √ | √ |
| /etc/rc.d/init.d | rc-startup | √ | √ | √ | √ | √ | √ |
| /etc/rc.d/rc.local | rx-local | × | √ | √ | √ | √ | √ |
| /etc/systemd/system | system | √ | √ | √ | √ | √ | √ |
| /etc/systemd/user | user | √ | √ | √ | √ | √ | √ |
| /etc/crontab | crontab | × | √ | √ | √ | √ | √ |
| /var/spool/cron | spool-cron | × | √ | √ | √ | √ | √ |
| /etc/cron.daily | cron-daily | √ | √ | √ | √ | √ | √ |
| /etc/cron.hourly | cron-hourly | √ | √ | √ | √ | √ | √ |
| /etc/cron.monthly | cron.monthly | √ | √ | √ | √ | √ | √ |
| /etc/cron.weekly | cron.weekly | √ | √ | √ | √ | √ | √ |
| /etc/cron.allow | cron.allow | × | √ | √ | √ | √ | √ |
| /etc/passwd | passwd | × | √ | √ | √ | √ | √ |
| /etc/profile.d/zzz_euleros_history.sh | zzz_euleros_history.sh | × | √ | √ | √ | √ | √ |
| /etc/profile | profile | × | √ | √ | √ | √ | √ |
| /root/.bashrc | bashrc | × | √ | √ | √ | √ | √ |
| /root/.bash_profile | bash_profile | × | √ | √ | √ | √ | √ |
| /root/.cshrc | cshrc | × | √ | √ | √ | √ | √ |
| /etc/ld.so.preload | so.preload | × | √ | √ | √ | √ | √ |
| /etc/profile.d/sec_euleros_history.sh | sec_euleros_history_sh | × | √ | √ | √ | √ | √ |
| /etc/shells | shells | × | √ | √ | √ | √ | √ |
| /usr/bin | bin | × | √ | √ | √ | √ | √ |
| /bin | bin | × | √ | √ | √ | √ | √ |
| /usr/sbin | sbin | × | √ | √ | √ | √ | √ |
| /sbin | sbin | × | √ | √ | √ | √ | √ |
| /usr/lib | lib | × | √ | √ | √ | √ | √ |
| /lib | lib | × | √ | √ | √ | √ | √ |
| /usr/lib64 | lib64 | × | √ | √ | √ | √ | √ |
| /lib64 | lib64 | × | √ | √ | √ | √ | √ |

√: monitored; ×: not monitored. In this mode attribute changes are monitored for every entry, and whole directories rather than individual binaries are covered. Subdirectory monitoring is on only for the init, systemd and cron.* directories; for /usr/bin, /bin, /usr/sbin, /sbin, /usr/lib, /lib, /usr/lib64 and /lib64 only entries directly under the directory are covered, so a file placed deeper (for example under /usr/lib/<subdir>/) falls outside the default scope unless you add that path to the policy.
Windows file integrity monitoring performs key file directory change detection: it monitors system files or directories, records the creation, modification, deletion and moving of files or directories, and reminds you that a file or directory may have been tampered with. For the default monitored paths, see Table 4.
To add or remove monitored file or directory paths, modify the "File Protection" policy. For details, see Configuring Policies.
Table 4 Default monitored paths for Windows

| File or directory path | Alias | Monitor subdirectories | File type suffix | Monitor creation | Monitor deletion | Monitor moving | Monitor modification |
|---|---|---|---|---|---|---|---|
| c:\Windows | windows | × | exe, dll, ocx, sys, cmd, com, vbs, bat | √ | √ | √ | √ |
| C:\Windows\System32 | system32 | × | exe, dll, ocx, sys, cmd, com, vbs, bat | √ | √ | √ | √ |
| C:\Windows\SysWOW64 | SysWOW64 | × | exe, dll, ocx, sys, cmd, com, vbs, bat | √ | √ | √ | √ |
| C:\Windows\System32\drivers | drivers | × | sys | √ | √ | √ | √ |
| C:\Windows\System32\drivers\etc | etc | × | None (all files) | √ | √ | √ | √ |

√: monitored; ×: not monitored. "File type suffix" lists the extensions that are monitored under the path; "None" means every file under the path is monitored regardless of extension. Subdirectory monitoring is off for all default Windows entries, so only files directly in each listed directory are covered.
Constraints
File integrity management is available only in the Professional, Enterprise, Premium, Web Tamper Protection and Container editions of Host Security Service (HSS). For how to purchase or upgrade HSS, see Purchasing HSS Quotas and Upgrading Protection Quotas.
Related Documents
After the file integrity monitoring scope is configured, check periodically whether any file change events have been recorded. For details, see Viewing File Change Events.