npx machina-cli add skill chaterm/terminal-skills/audit --openclaw

Security Audit

Overview

Security auditing, vulnerability scanning and compliance checking skills.

auditd audit system

Installation and management

```bash
# Install
apt install auditd audispd-plugins      # Debian/Ubuntu
yum install audit                        # CentOS/RHEL

# Service management
systemctl start auditd
systemctl enable auditd
systemctl status auditd
```

Audit rules

```bash
# List current rules
auditctl -l

# Add rules - watch files (-p wa: writes and attribute changes; -k tags matching events)
auditctl -w /etc/passwd -p wa -k passwd_changes
auditctl -w /etc/shadow -p wa -k shadow_changes
auditctl -w /etc/sudoers -p wa -k sudoers_changes

# Watch a directory
auditctl -w /etc/ssh/ -p wa -k ssh_config

# Watch a system call (every program execution on 64-bit)
auditctl -a always,exit -F arch=b64 -S execve -k command_exec

# Watch user activity (file opens by real users, login UID >= 1000)
auditctl -a always,exit -F arch=b64 -S open -F auid>=1000 -k user_file_access
```

Persistent rules

```bash
# /etc/audit/rules.d/audit.rules
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/sudoers -p wa -k sudoers_changes
-w /var/log/lastlog -p wa -k logins
-a always,exit -F arch=b64 -S execve -k commands

# Reload rules
augenrules --load
```

Viewing logs

```bash
# Search the audit log
ausearch -k passwd_changes
ausearch -k commands -ts today
ausearch -ua root -ts recent

# Generate reports
aureport
aureport --summary
aureport --login
aureport --file
aureport --executable
```

Log auditing

System logs

```bash
# View authentication logs
tail -f /var/log/auth.log          # Debian/Ubuntu
tail -f /var/log/secure            # CentOS/RHEL

# View login records
last
lastb                               # failed logins
lastlog

# journalctl
journalctl -u sshd
journalctl --since "1 hour ago"
journalctl -p err
```

Log analysis

```bash
# Count failed SSH logins per source IP
# ($11 is the address in "Failed password for <user> from <ip> port ..." lines;
#  "invalid user" lines carry two extra fields, so the address is $13 there)
grep "Failed password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -rn

# Recent sudo usage
grep "sudo:" /var/log/auth.log | tail -20

# Find unusual logins (successful logins from outside the 192.168.* range)
grep "Accepted" /var/log/auth.log | grep -v "192.168"
```
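An added example (not the skill's own code) that rewrites the failed-login count above so the address is taken from the " from " token rather than from field 11, which shifts on "invalid user" lines; the log lines are constructed samples.

```shell
#!/bin/sh
# Constructed sample auth.log lines (not from a real host). The "invalid user"
# lines carry two extra fields, so their address is field 13, not field 11.
SAMPLE_AUTH_LOG='Mar  3 10:01:02 web1 sshd[2201]: Failed password for root from 203.0.113.5 port 51234 ssh2
Mar  3 10:01:05 web1 sshd[2203]: Failed password for invalid user admin from 203.0.113.5 port 51240 ssh2
Mar  3 10:02:11 web1 sshd[2210]: Failed password for alice from 198.51.100.7 port 40022 ssh2
Mar  3 10:03:00 web1 sshd[2215]: Accepted publickey for alice from 192.168.1.20 port 40100 ssh2
Mar  3 10:04:30 web1 sshd[2220]: Failed password for invalid user test from 203.0.113.5 port 51300 ssh2'

# The skill's pipeline: correct only when the user name is valid (stdin: auth.log).
failed_by_field11() {
    grep 'Failed password' | awk '{print $11}' | sort | uniq -c | sort -rn
}

# Robust version: take the token between " from " and " port " (stdin: auth.log).
failed_by_ip() {
    grep 'Failed password' |
        sed -n 's/.* from \([0-9][0-9.]*\) port .*/\1/p' |
        sort | uniq -c | sort -rn
}

# Successful logins from outside 192.168.0.0/16, anchored on the " from " token
# so that an address such as 10.192.168.1 is not skipped by accident.
accepted_external() {
    grep 'Accepted' | grep -v ' from 192\.168\.'
}

# Count for one address in the sample log (empty when the address is absent).
count_for() {           # usage: count_for <ip>          robust pipeline
    printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_ip | awk -v ip="$1" '$2 == ip {print $1}'
}
count_for_field11() {   # usage: count_for_field11 <ip>  field-11 pipeline
    printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_field11 | awk -v ip="$1" '$2 == ip {print $1}'
}

# Stand-alone run: the robust table attributes all three 203.0.113.5 attempts correctly.
printf '%s\n' "$SAMPLE_AUTH_LOG" | failed_by_ip
```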

Vulnerability scanning

Lynis

```bash
# Install
apt install lynis

# System audit
lynis audit system

# View the report
cat /var/log/lynis-report.dat
```

OpenSCAP

```bash
# Install
yum install openscap-scanner scap-security-guide

# Scan
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard \
    --results results.xml \
    /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml

# Generate report
oscap xccdf generate report results.xml > report.html
```

Nmap scanning

```bash
# Port scan (service version detection plus default scripts)
nmap -sV -sC target.com

# Vulnerability scan
nmap --script vuln target.com

# Comprehensive scan
nmap -A -T4 target.com
```

File integrity

AIDE

```bash
# Install
apt install aide

# Initialize the database
aide --init
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

# Check for changes
aide --check

# Update the database
aide --update
```

Tripwire

```bash
# Initialize
tripwire --init

# Check
tripwire --check

# Update policy
tripwire --update-policy
```

Common scenarios

Scenario 1: monitoring privileged operations

```bash
# /etc/audit/rules.d/privileged.rules
# Monitor sudo
-w /usr/bin/sudo -p x -k privileged_sudo
-w /etc/sudoers -p wa -k sudoers_edit

# Monitor user management
-w /usr/sbin/useradd -p x -k user_add
-w /usr/sbin/userdel -p x -k user_del
-w /usr/sbin/usermod -p x -k user_mod

# Monitor network configuration
-w /etc/hosts -p wa -k hosts_edit
-w /etc/network/ -p wa -k network_config
```

Scenario 2: compliance check script

```bash
#!/bin/bash
echo "=== 安全合规检查 ==="

# Accounts with an empty password
echo "空密码账户:"
awk -F: '($2 == "") {print $1}' /etc/shadow

# Accounts with UID 0
echo "UID=0 账户:"
awk -F: '($3 == 0) {print $1}' /etc/passwd

# SSH configuration
echo "SSH 配置:"
grep -E "^(PermitRootLogin|PasswordAuthentication)" /etc/ssh/sshd_config

# Open (listening) ports
echo "监听端口:"
ss -tlnp
```

Scenario 3: login alerts

```bash
#!/bin/bash
# /etc/profile.d/login-alert.sh
if [ -n "$SSH_CLIENT" ]; then
    IP=$(echo "$SSH_CLIENT" | awk '{print $1}')
    echo "SSH 登录告警: 用户 $USER 从 $IP 登录 $(hostname)" | \
        mail -s "SSH Login Alert" admin@example.com
fi
```

Troubleshooting

| Problem | How to troubleshoot |
| --- | --- |
| Audit log too large | Configure log rotation and filter rules |
| Performance impact | Reduce audit rules, refine filters |
| Rules not taking effect | Check syntax, reload rules |

```bash
# Check auditd status
auditctl -s

# Check for lost events
aureport --summary | grep lost

# Log rotation settings
# /etc/audit/auditd.conf
max_log_file = 50
num_logs = 5
max_log_file_action = ROTATE
```

Source

https://github.com/chaterm/terminal-skills/blob/main/security/audit/SKILL.md

Overview

You can use the audit skill to perform end-to-end security auditing of Linux systems, covering audit rule configuration, log analysis, vulnerability scanning and compliance checks. By combining auditd, log tools, and vulnerability and baseline tools such as Lynis and OpenSCAP, you can build a practical operations workflow from rule design to report generation, supporting continuous compliance and rapid identification of anomalies.

How This Skill Works

This skill automates auditing and security assessment by combining low-level system tools. At its core is auditd, which collects and writes the audit log; you define rules with auditctl/augenrules (watching files, directories and system calls) and then extract and aggregate log data with ausearch/aureport. You also use Lynis, OpenSCAP, Nmap, AIDE and Tripwire for vulnerability and integrity checks, producing reviewable reports and tagging key events with -k keys.

When to Use It

  • You need to monitor changes to sensitive files or critical configuration (such as /etc/passwd, /etc/shadow, /etc/sudoers and the ssh configuration)
  • You need to establish or maintain a compliance baseline and produce auditable reports (for example CIS or DISA STIG baselines)
  • You are performing vulnerability assessment and system security checks (integrated use of Lynis, OpenSCAP, Nmap and similar tools)
  • You need to detect and alert on abnormal logins and privileged operations (such as sudo and user creation, deletion or modification)
  • You need to manage audit log capacity and rotation, to avoid losing events and preserve traceability

Quick Start

  1. Install and start the audit daemon:

     ```bash
     # Install
     apt install auditd audispd-plugins   # Debian/Ubuntu
     # or:
     yum install audit                    # CentOS/RHEL
     # Start, and enable at boot
     systemctl start auditd
     systemctl enable auditd
     ```

  2. List and add basic audit rules:

     ```bash
     # List current rules
     auditctl -l
     # Watch critical files
     auditctl -w /etc/passwd -p wa -k passwd_changes
     auditctl -w /etc/shadow -p wa -k shadow_changes
     auditctl -w /etc/sudoers -p wa -k sudoers_changes
     # Watch a directory and a system call
     auditctl -w /etc/ssh/ -p wa -k ssh_config
     auditctl -a always,exit -F arch=b64 -S execve -k command_exec
     ```

  3. Make the rules persistent and load them:

     ```bash
     # Write the rules to the persistent location
     # /etc/audit/rules.d/audit.rules
     -w /etc/passwd -p wa -k passwd_changes
     -w /etc/shadow -p wa -k shadow_changes
     -w /etc/sudoers -p wa -k sudoers_changes
     -w /var/log/lastlog -p wa -k logins
     -a always,exit -F arch=b64 -S execve -k commands
     # Reload rules
     augenrules --load
     ```

  4. Start analysing the logs and produce initial reports:

     ```bash
     # Search for specific events
     ausearch -k passwd_changes
     ausearch -k commands -ts today
     # Generate reports
     aureport --summary
     aureport --login
     ```

Best Practices

  • Start with a minimal rule set and extend it step by step to critical objects and system calls, to avoid noisy logs; give every rule a unique -k key so its events can be searched later.
  • Keep audit rules in /etc/audit/rules.d and load them with augenrules so they survive a reboot.
  • Configure log rotation so the audit log does not fill the disk; the usual settings are max_log_file, num_logs and max_log_file_action.
  • Integrate the audit log with a SIEM: forward it via syslog/journald, or export JSON into a log analysis pipeline.
  • Run baseline checks (such as Lynis/OpenSCAP) and vulnerability scans regularly, and correlate the results with the audit log for a traceable security posture.
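An added check (not part of the skill) for the first two practices above: it reads a rules file in the /etc/audit/rules.d format from stdin and reports rules that have no -k key and keys shared by more than one rule, using a constructed sample rules file.

```shell
#!/bin/sh
# Constructed sample in the /etc/audit/rules.d format (not a real host's file):
# the sudoers rule has no key, and two rules share the key "commands".
SAMPLE_RULES='# audit.rules (constructed sample)
-D
-b 8192
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/sudoers -p wa
-a always,exit -F arch=b64 -S execve -k commands
-w /usr/bin/sudo -p x -k commands'

# Keep only watch (-w) and syscall (-a) rules; control lines like -D or -b carry no key.
rule_lines() {
    grep -E '^-[aw] '
}

# Rules that carry no "-k <key>" at all (stdin: rules file).
rules_without_key() {
    rule_lines | grep -Ev ' -k [A-Za-z0-9_-]+'
}

# Keys attached to more than one rule (stdin: rules file).
duplicate_keys() {
    rule_lines | sed -n 's/.* -k \([A-Za-z0-9_-]*\).*/\1/p' | sort | uniq -d
}

# Read a rules file on stdin; return 0 only if every rule has its own key.
check_rules() {
    tmp=$(mktemp) || return 2
    cat > "$tmp"
    missing=$(rules_without_key < "$tmp" || true)
    dups=$(duplicate_keys < "$tmp" || true)
    rm -f "$tmp"
    status=0
    if [ -n "$missing" ]; then printf 'rules without -k:\n%s\n' "$missing"; status=1; fi
    if [ -n "$dups" ]; then printf 'keys shared by several rules:\n%s\n' "$dups"; status=1; fi
    return $status
}

# Stand-alone run against the sample; a non-zero status is expected here.
printf '%s\n' "$SAMPLE_RULES" | check_rules || echo "sample rules need fixing"
```

Run it against each file in /etc/audit/rules.d before `augenrules --load` to catch untagged or ambiguous rules early.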

Example Use Cases

  • Scenario 1: monitoring privileged operations

    ```bash
    # /etc/audit/rules.d/privileged.rules
    -w /usr/bin/sudo -p x -k privileged_sudo
    -w /etc/sudoers -p wa -k sudoers_edit
    -w /usr/sbin/useradd -p x -k user_add
    -w /usr/sbin/userdel -p x -k user_del
    -w /usr/sbin/usermod -p x -k user_mod
    -w /etc/hosts -p wa -k hosts_edit
    -w /etc/network/ -p wa -k network_config
    ```

  • Scenario 2: compliance check script

    ```bash
    #!/bin/bash
    echo "=== 安全合规检查 ==="
    # Accounts with an empty password
    echo "空密码账户:"
    awk -F: '($2 == "") {print $1}' /etc/shadow
    # Accounts with UID 0
    echo "UID=0 账户:"
    awk -F: '($3 == 0) {print $1}' /etc/passwd
    # SSH configuration
    echo "SSH 配置:"
    grep -E "^(PermitRootLogin|PasswordAuthentication)" /etc/ssh/sshd_config
    # Open (listening) ports
    echo "监听端口:"
    ss -tlnp
    ```

  • Scenario 3: login alerts

    ```bash
    #!/bin/bash
    # /etc/profile.d/login-alert.sh
    if [ -n "$SSH_CLIENT" ]; then
        IP=$(echo "$SSH_CLIENT" | awk '{print $1}')
        echo "SSH 登录告警: 用户 $USER 从 $IP 登录 $(hostname)" | \
            mail -s "SSH Login Alert" admin@example.com
    fi
    ```

  • Scenario 4: vulnerability scan integration

    ```bash
    # Lynis basic usage
    apt install lynis
    lynis audit system
    cat /var/log/lynis-report.dat

    # OpenSCAP baseline scan
    yum install openscap-scanner scap-security-guide
    oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard \
        --results results.xml \
        /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml
    oscap xccdf generate report results.xml > report.html
    ```
