AIX 管理技巧
遠端登入失敗的紀錄與相關資安指令
# Login Failed: show the most recent entries of the failed-login record.
who /etc/security/failedlogin | tail -50
# Check the number of previous unsuccessful logins for the account to
# confirm it is blocked (ALL lists every user, otherwise give one user name).
lsuser -a account_locked unsuccessful_login_count {ALL|user_name}
# Reset unsuccessful login counter. Do this as well as unlocking below:
# presumably a counter still above the retry limit keeps logins refused
# even after account_locked is cleared - verify on the target AIX release.
chsec -f /etc/security/lastlog -a unsuccessful_login_count=0 -s {user_name}
# Unlock the locked account
chuser account_locked=false {user_name}
# Lock account (for example while the failed-login entries above are investigated)
chuser account_locked=true {user_name}
監控 errpt
Sample #1
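#!/usr/bin/env bash
#
# $0 = errptcheck_v3.sh
#
# Created: 05/16/2005 A-lang Hsu.
# Updated:
# - v4, 11/19/2015 A-Lang
# - v5, 11/17/2020 A-Lang
#
# This script checks the AIX error log (errpt) for entries of the classes
# H, S, U and O. When at least one entry is present (after dropping the
# identifiers listed in EXCLUDE_ID) it mails the administrators a summary
# plus the detailed "errpt -a" output and echoes the same report to stdout.
#
# Globals:  EXCLUDE_ID - whitespace-separated errpt identifiers to leave out
#                        of the count (the detailed listing is NOT filtered)
#           mail_to    - recipient of the notification
# Outputs:  the report on stdout and by mail when errors were found
# Returns:  0, or 1 when no temporary file could be created
#
PATH=/bin:/sbin:/usr/bin:/usr/sbin:/usr/local/bin:/usr/es/sbin/cluster/utilities

# Use an unpredictable, private temporary file instead of the fixed name
# "errptcheck.$$" in the current directory, which another user could
# pre-create or replace with a symlink before the report is written.
tmpfile="$(mktemp /tmp/errptcheck.XXXXXX)" || exit 1
trap 'rm -f -- "$tmpfile"' EXIT

today="$(date +'%Y-%m-%d')"
nowtime="$(date +'%T')"

# Excluded identifier ids (whitespace separated)
# 573790AA - The default log file has been changed.
# A3B02BE6 - sddsrv CAN'T WRITE ITS LOG FILE
#
#EXCLUDE_ID="573790AA A3B02BE6"
EXCLUDE_ID=""

# On a cluster node (get_local_nodename available) append the node name
# to the host name so the sender of the report is unambiguous.
if command -v get_local_nodename >/dev/null 2>&1; then
  my_hostname="$(hostname)#$(get_local_nodename)"
else
  my_hostname="$(hostname)"
fi
mail_subject="Warning:Hardware/Software error notification for host $my_hostname"
mail_to="alang@mycom.com"

# Join the excluded ids into a single alternation for grep -E ("ID1|ID2|...").
errgrep=""
for id in $EXCLUDE_ID; do
  if [ -z "$errgrep" ]; then
    errgrep="$id"
  else
    errgrep="$errgrep|$id"
  fi
done

# Count the log entries without the column header and without excluded ids.
if [ -z "$errgrep" ]; then
  ec="$(errpt -dH,S,U,O | grep -v "IDENTIFIER TIMESTAMP" | wc -l)"
else
  ec="$(errpt -dH,S,U,O | grep -v "IDENTIFIER TIMESTAMP" | grep -vE "$errgrep" | wc -l)"
fi
# wc on AIX pads the count with blanks; arithmetic expansion normalises it
# (this replaces the former "echo $ec | bc").
ec=$((ec + 0))

if [ "$ec" -ne 0 ]; then
  cat <<EOF > "$tmpfile"
##############################################################
This message was generated automatically by host ${my_hostname}.
Please don't reply to this message.
##############################################################
The checked time is ${today} ${nowtime}
${ec} new errors have been found on $my_hostname.
EOF
  # NOTE: the detailed listing is not filtered by EXCLUDE_ID, so excluded
  # identifiers still show up here even though they were not counted above.
  errlogl="$(errpt -dH,S,U,O -a)"
  cat <<EOF >> "$tmpfile"
Errlog details below:
${errlogl}
EOF
  mail -s "$mail_subject" "$mail_to" < "$tmpfile"
  cat -- "$tmpfile"
fi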
Sample #2
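#! /bin/ksh
#
# $0 = errmon.sh
#
# Written 11/3/1998 Bill Verzal.
#
# This script runs forever, polling the AIX error log every $interval
# seconds. When the number of H/S/U/O entries changes it mails the
# administrators the difference together with the detailed "errpt -a"
# output, or a note that the log was cleared when the count drops to zero.
#
# Arguments: -v  enable command tracing (set -x)
# Globals:   interval - polling period in seconds
#            mailto   - recipient of the notifications
# Outputs:   notifications by mail and via logger
# Returns:   never returns; stop it with a signal
#
if [ "$1" = "-v" ]; then
  set -x
fi

# lc = count seen on the previous pass, tc = count seen on this pass.
# "NULL" marks the first pass, where there is nothing to compare against.
lc="NULL"
tc="$lc"
#interval=900
interval=300
# Divide interval by 60 to get number of minutes.
me="$0 - Hardware error monitoring"
myname="$(hostname)"
#mailto="root"
mailto="alert"

# printf instead of echo: "\n" inside echo's argument is expanded by ksh
# but not by every shell, printf behaves the same everywhere.
printf '%s started.\nThis message goes to %s.\n' "$me" "$mailto" \
  | mail -s "Errlog monitoring for $myname" "$mailto"
logger "$0 started"

while :; do
  # wc on AIX pads the count with blanks; $(( )) normalises it to a number.
  tc="$(errpt -dH,S,U,O | wc -l)"
  tc=$((tc + 0))
  if [ "$lc" = "NULL" ]; then
    lc="$tc"    # first pass: only establish the baseline
  fi
  if [ "$lc" -ne "$tc" ]; then
    # Negative when entries were removed (errclear) without the log
    # becoming empty; the message then reports a negative number.
    delta=$((tc - lc))
    msg="$delta new errors have been found on $myname"
    if [ "$tc" -eq 0 ]; then
      # The original built this text but never sent it; send it as well.
      logger "$msg"
      printf '%s\n Errlog was cleared\n' "$msg" \
        | mail -s "Errlog status change on host $myname" "$mailto"
    else
      logger "$msg"
      # NOTE: errpt -a dumps the whole current log, not only the new entries.
      errlogl="$(errpt -dH,S,U,O -a)"
      printf ' %s \n Errlog details below:\n %s \n' "$msg" "$errlogl" \
        | mail -s "Errlog status change on host $myname" "$mailto"
    fi
  fi
  lc="$tc"
  sleep "$interval"
done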