centos 系统 audit 默认是安装的
查看状态:
[root@ecs-proxy ~]# service auditd status
[root@ecs-proxy ~]# auditctl -s
查看规则:
[root@ecs-proxy ~]# auditctl -l
删除规则:
[root@ecs-proxy ~]# auditctl -D
查看帮助:
[root@ecs-proxy ~]# auditctl -h
usage: auditctl [options]
-a Append rule to end of ist with ction
-A Add rule at beginning of ist with ction
-b Set max number of outstanding audit buffers
allowed Default=64
-c Continue through errors in rules
-C f=f Compare collected fields if available:
Field name, operator(=,!=), field name
-d Delete rule from ist with ction
l=task,exit,user,exclude
a=never,always
-D Delete all rules and watches
-e [0..2] Set enabled flag
-f [0..2] Set failure flag
0=silent 1=printk 2=panic
-F f=v Build rule: field name, operator(=,!=,,<=,
>=,&,&=) value
-h Help
-i Ignore errors when reading rules from file
-k Set filter key on audit rule
-l List rules
-m text Send a user-space message
-p [r|w|x|a] Set permissions filter on watch
r=read, w=write, x=execute, a=attribute
-q make subtree part of mount point's dir watches
-r Set limit in messages/sec (0=none)
-R read rules from file
-s Report status
-S syscall Build rule: syscall name or number
-t Trim directory watches
-v Version
-w Insert watch at
-W Remove watch at
--loginuid-immutable Make loginuids unchangeable once set
--reset-lost Reset the lost record counter
临时定义监视指令示例:
auditctl -w /目录/文件 -p 触发的权限 -k 规则名称
[root@ecs-proxy ~]# auditctl -w /etc/passwd -p wa -k passwd_changes
[root@ecs-proxy ~]# auditctl -l
-w /etc/passwd -p wa -k passwd_changes
-w path : 指定要监控的路径
-p : 指定触发审计的文件/目录的访问权限
-k 给当前这条监控规则起个名字,方便搜索过滤
rwxa : 指定的触发条件,r 读取权限,w 写入权限,x 执行权限,a 属性(attr)
永久定义需要修改配置文件,如:
[root@ecs-proxy ~]# vim /etc/audit/rules.d/audit.rules
-w /etc/passwd -p wa -k passwd_changes
-w /usr/sbin/fdisk -p x -k partition_disks
修改后重启服务
日志解读:
# type为类型
# msg为(time_stamp:ID),时间是date +%s(1970-1-1至今的秒数)
# arch=c000003e,代表x86_64(16进制)
# success=yes/no,事件是否成功
# a0-a3是程序调用时前4个参数,16进制编码了
# ppid父进程ID,如bash,pid进程ID,如cat命令
# auid是审核用户的id,su - test, 依然可以追踪su前的账户
# uid,gid用户与组
# tty:从哪个终端执行的命令
# comm="cat" 用户在命令行执行的指令
# exe="/bin/cat" 实际程序的路径
# key="sshd_config" 管理员定义的策略关键字key
# type=CWD 用来记录当前工作目录
# cwd="/home/username"
# type=PATH
# ouid(owner's user id) 对象所有者id
# guid(owner's groupid) 对象所有组id
搜索特定日志 ausearch
指定文件名搜索:
[root@ecs-proxy ~]# ausearch -f /etc/passwd
指定策略关键字搜索:
[root@ecs-proxy ~]# ausearch -k passwd_changes
生成简要的日志报告 aureport
[root@ecs-proxy ~]# aureport
9427
被折叠的 条评论
为什么被折叠?
到【灌水乐园】发言
