A Mechanism for Real-Time Monitoring of Sensitive File Operations and Dynamic Configuration of Audit Rules in Linux Systems
Date
2025
Abstract
When Linux systems use auditd to monitor sensitive file operations, the audit rules are configured by specifying the monitored paths and system calls in advance (hereafter referred to as static audit rules). However, against Advanced Persistent Threats (APT), which have long dormancy periods and fragmented behaviour, such static audit rules often fail to cover the complete attack chain, leaving broken nodes in the monitoring records and interrupting data-flow tracking. To compensate for the fixed monitoring scope of static audit-based monitoring, this study designs and implements a mechanism for real-time monitoring of sensitive file operations and dynamic configuration of audit rules. Through behaviour parsing and conditional evaluation, it strengthens the audit system's ability to track the data flows produced by sensitive file operations, and it automatically expands the audit scope when suspicious operations occur, remedying the shortcomings of static audit monitoring. The system is built on auditd and combines modules for event aggregation, command decoding, behaviour recognition and conditional triggering into a real-time monitoring architecture. It continuously reads the audit log, aggregates SYSCALL, PATH, PROCTITLE and EXECVE records by event_id, and reconstructs the originally executed command together with its associated file paths. When potential data movement from a sensitive file is detected, the system automatically adds the newly created target file to the monitored set, continuously extending its data-tracking capability; and when the conditions the experimental system defines for anomalous situations are triggered, its conditional triggering mechanism dynamically loads additional audit rules, immediately widening the audit system's monitoring scope. This implements a behaviour-driven monitoring strategy and improves the timeliness and completeness of data-flow tracking.
operations, but these rules often miss fragmented, long-dormant APT activity, resulting in gaps and incomplete data flow tracking. To mitigate this gap, we implemented a real-time monitoring system that aggregates events (SYSCALL, PATH, PROCTITLE, EXECVE) by event_id, decodes commands, and uses behavior analysis with conditional triggers to dynamically configure audit rules. When suspicious operations on sensitive files are detected, the system automatically adds new target paths and, when suspicious behavior triggers conditional mechanisms, dynamically loads additional rules to broaden auditd's coverage of potential exfiltration channels, enhancing both the completeness and timeliness of data flow tracking.
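An added illustration (not the thesis's own code) of the aggregate-decode-expand loop the abstract describes: auditd records are grouped by event id, the executed command is rebuilt from EXECVE or from the hex-encoded PROCTITLE, and a copy of a watched file to a new path yields a new `-w` watch rule for that path. The log lines are constructed, and the copy-tool list and the rule key are assumptions.

```python
import re
from collections import defaultdict

# Constructed audit.log excerpt: event 456 is `cp /etc/shadow /tmp/.cache/s.bak`,
# event 457 is a harmless `ls /tmp`. PROCTITLE is hex-encoded as auditd does it.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:456): arch=c000003e syscall=59 success=yes exit=0 pid=4242 comm="cp" exe="/usr/bin/cp" key="sensitive"
type=EXECVE msg=audit(1700000000.123:456): argc=3 a0="cp" a1="/etc/shadow" a2="/tmp/.cache/s.bak"
type=PROCTITLE msg=audit(1700000000.123:456): proctitle=6370002f6574632f736861646f77002f746d702f2e63616368652f732e62616b
type=SYSCALL msg=audit(1700000000.200:457): arch=c000003e syscall=59 success=yes exit=0 pid=4243 comm="ls" exe="/usr/bin/ls"
type=EXECVE msg=audit(1700000000.200:457): argc=2 a0="ls" a1="/tmp"
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+:\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
SENSITIVE = {"/etc/shadow", "/etc/passwd"}        # seed of the static watch list
COPY_TOOLS = {"cp", "mv", "tar", "dd", "scp", "rsync"}  # assumed "data movement" tools
WATCH_KEY = "sensitive"                            # assumed audit key for new rules

def parse_records(text):
    """Aggregate records by event id: {event_id: {record_type: {field: value}}}."""
    events = defaultdict(dict)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            rtype, eid, body = m.groups()
            events[eid][rtype] = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    return events

def decode_command(event):
    """Rebuild argv from EXECVE a0..aN, else from PROCTITLE (hex, NUL-separated)."""
    if "EXECVE" in event:
        ex = event["EXECVE"]
        return [ex[f"a{i}"] for i in range(int(ex["argc"]))]
    if "PROCTITLE" in event:
        raw = event["PROCTITLE"]["proctitle"]
        try:
            return bytes.fromhex(raw).decode(errors="replace").split("\0")
        except ValueError:          # short titles are logged quoted, not hex-encoded
            return [raw]
    return []

def find_data_movement(argv, watched):
    """Heuristic: a copy-like tool reading a watched path and writing another path."""
    if not argv or argv[0] not in COPY_TOOLS:
        return None
    sources = [a for a in argv[1:] if a in watched]
    targets = [a for a in argv[1:] if a.startswith("/") and a not in watched]
    return (sources[0], targets[-1]) if sources and targets else None

def derive_rules(text, watched=frozenset(SENSITIVE)):
    """Return (expanded watch set, auditctl rules to load for newly created targets)."""
    watched, rules = set(watched), []
    for event in parse_records(text).values():
        hit = find_data_movement(decode_command(event), watched)
        if hit and hit[1] not in watched:
            watched.add(hit[1])                     # extend tracking to the new file
            rules.append(f"-w {hit[1]} -p rwa -k {WATCH_KEY}")
    return watched, rules
```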
Keywords
sensitive file operations, audit rules, conditional triggering mechanism, provenance graph, Linux, auditd