A note before starting: my company is currently going through MLPS (等保) classified-protection assessment, which includes an auditing component; since this is my first contact with it, I am pasting here the various materials I found online, as a record.
Contents
1. Overview of the user-space audit system
2. The auditd configuration file
3. Configuring audit rules
4. Audit log contents
5. Searching audit logs with ausearch
6. Viewing audit reports with aureport
The Linux kernel is able to log events, including system calls and file accesses. An administrator can examine these logs to determine whether a security breach has occurred (for example repeated failed login attempts, or a user's unsuccessful attempts to access system files).
The Linux user-space audit system consists of the applications auditd, audispd, auditctl, autrace, ausearch and aureport. They are described in turn below:
The relationship between audit and the syslog logging system
audit is mainly used to record security information, so that security events on the system can be traced back, while syslog records system information such as hardware alerts and software logs. syslog works at the application layer and cannot capture much detail; audit records kernel-level information, including file reads and writes and permission changes.
vi /etc/audit/auditd.conf
# Whether to record local events; if set to no, only events arriving over the network are recorded
local_events = yes
write_logs = yes
# Log file
log_file = /var/log/audit/audit.log
log_group = root
log_format = RAW
# How the log file is flushed to disk; possible values:
# NONE: no special handling
# INCREMENTAL: the freq option determines how often a flush to disk happens
# INCREMENTAL_ASYNC: like INCREMENTAL, but the flush is performed asynchronously
# DATA: audit data and the log file are kept in sync
# SYNC: data and metadata are synchronised on every write to the log file
flush = INCREMENTAL_ASYNC
freq = 50
# Maximum size of a single log file, in MB (8 MB here)
max_log_file = 8
# Number of log files to keep
num_logs = 5
# Process priority boost (nice value -4); check with ps axl | grep auditd
priority_boost = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
# Action taken when the log file reaches the size set by max_log_file; possible actions:
# IGNORE: ignore the max_log_file limit and keep writing the log file
# SYSLOG: write a warning to syslog
# SUSPEND: auditd stops writing the log file but keeps running
# ROTATE: use several log files; when one reaches the limit, a new log file with a different name is created
max_log_file_action = ROTATE
# When free space on the partition holding log_file drops below this value (in MB), trigger the action below
space_left = 75
# Action taken when the space_left threshold is reached; possible actions:
# IGNORE, SYSLOG, SUSPEND: as for max_log_file_action above
# SINGLE: the audit daemon switches the system to single-user mode
# HALT: the audit daemon shuts the system down
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
# Second, lower free-space threshold (in MB) and its action; SUSPEND stops logging, so no events are recorded until space is freed
admin_space_left = 50
admin_space_left_action = SUSPEND
# Action taken when the disk is full
disk_full_action = SUSPEND
# Action taken on a disk error
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
The auditctl command controls the basic functions of the audit system and sets rules, but to define audit rules that stay in effect across reboots, the rules must be placed in files under /etc/audit/rules.d/. When auditd is restarted, the rules from all files under /etc/audit/rules.d/ are merged into /etc/audit/audit.rules.
Pre-configured rule files
Under /usr/share/doc/audit-{version}/rules/, audit ships a set of pre-configured rule files for different standards.
For example, to configure the nispom rules:
cp /usr/share/doc/audit-2.8.4/rules/10-base-config.rules /usr/share/doc/audit-2.8.4/rules/30-nispom.rules /usr/share/doc/audit-2.8.4/rules/99-finalize.rules /etc/audit/rules.d/
Restart auditd:
service auditd restart
type=SYSCALL msg=audit(1557427974.683:2260): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=e61320 a2=90800 a3=0 items=1 ppid=31275 pid=4114 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=113 comm="bash" exe="/usr/bin/bash" key="audit-logs"
type=CWD msg=audit(1557427974.683:2260): cwd="/etc/audit"
type=PATH msg=audit(1557427974.683:2260): item=0 name="/var/log/audit/" inode=101477489 dev=fc:00 mode=040700 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1557427974.683:2260): proctitle="bash"
Event analysis:
Record type; all types and their descriptions can be looked up on the Red Hat website:
B.2. AUDIT RECORD TYPES
Table B.2, "Record Types" lists all currently-supported types of Audit records. The event type is specified in the type= field at the beginning of every Audit record.
Table B.2. Record Types (Event Type: Explanation)
ADD_GROUP: Triggered when a user-space group is added.
ADD_USER: Triggered when a user-space user account is added.
ANOM_ABEND [a]: Triggered when a process ends abnormally (with a signal that could cause a core dump, if enabled).
ANOM_ACCESS_FS [a]: Triggered when a file or a directory access ends abnormally.
ANOM_ADD_ACCT [a]: Triggered when a user-space account addition ends abnormally.
ANOM_AMTU_FAIL [a]: Triggered when a failure of the Abstract Machine Test Utility (AMTU) is detected.
ANOM_CRYPTO_FAIL [a]: Triggered when a failure in the cryptographic system is detected.
ANOM_DEL_ACCT [a]: Triggered when a user-space account deletion ends abnormally.
ANOM_EXEC [a]: Triggered when an execution of a file ends abnormally.
ANOM_LOGIN_ACCT [a]: Triggered when an account login attempt ends abnormally.
ANOM_LOGIN_FAILURES [a]: Triggered when the limit of failed login attempts is reached.
ANOM_LOGIN_LOCATION [a]: Triggered when a login attempt is made from a forbidden location.
ANOM_LOGIN_SESSIONS [a]: Triggered when a login attempt reaches the maximum amount of concurrent sessions.
ANOM_LOGIN_TIME [a]: Triggered when a login attempt is made at a time when it is prevented by, for example, pam_time.
ANOM_MAX_DAC [a]: Triggered when the maximum amount of Discretionary Access Control (DAC) failures is reached.
ANOM_MAX_MAC [a]: Triggered when the maximum amount of Mandatory Access Control (MAC) failures is reached.
ANOM_MK_EXEC [a]: Triggered when a file is made executable.
ANOM_MOD_ACCT [a]: Triggered when a user-space account modification ends abnormally.
ANOM_PROMISCUOUS [a]: Triggered when a device enables or disables promiscuous mode.
ANOM_RBAC_FAIL [a]: Triggered when a Role-Based Access Control (RBAC) self-test failure is detected.
ANOM_RBAC_INTEGRITY_FAIL [a]: Triggered when a Role-Based Access Control (RBAC) file integrity test failure is detected.
ANOM_ROOT_TRANS [a]: Triggered when a user becomes root.
AVC: Triggered to record an SELinux permission check.
AVC_PATH: Triggered to record the dentry and vfsmount pair when an SELinux permission check occurs.
BPRM_FCAPS: Triggered when a user executes a program with a file system capability.
CAPSET: Triggered to record any changes in process-based capabilities.
CHGRP_ID: Triggered when a user-space group ID is changed.
CHUSER_ID: Triggered when a user-space user ID is changed.
CONFIG_CHANGE: Triggered when the Audit system configuration is modified.
CRED_ACQ: Triggered when a user acquires user-space credentials.
CRED_DISP: Triggered when a user disposes of user-space credentials.
CRED_REFR: Triggered when a user refreshes their user-space credentials.
CRYPTO_FAILURE_USER: Triggered when a decrypt, encrypt, or randomize cryptographic operation fails.
CRYPTO_KEY_USER: Triggered to record the cryptographic key identifier used for cryptographic purposes.
CRYPTO_LOGIN: Triggered when a cryptographic officer login attempt is detected.
CRYPTO_LOGOUT: Triggered when a crypto officer logout attempt is detected.
CRYPTO_PARAM_CHANGE_USER: Triggered when a change in a cryptographic parameter is detected.
CRYPTO_REPLAY_USER: Triggered when a replay attack is detected.
CRYPTO_SESSION: Triggered to record parameters set during a TLS session establishment.
CRYPTO_TEST_USER: Triggered to record cryptographic test results as required by the FIPS-140 standard.
CWD: Triggered to record the current working directory.
DAC_CHECK: Triggered to record DAC check results.
DAEMON_ABORT: Triggered when a daemon is stopped due to an error.
DAEMON_ACCEPT: Triggered when the auditd daemon accepts a remote connection.
DAEMON_CLOSE: Triggered when the auditd daemon closes a remote connection.
DAEMON_CONFIG: Triggered when a daemon configuration change is detected.
DAEMON_END: Triggered when a daemon is successfully stopped.
DAEMON_RESUME: Triggered when the auditd daemon resumes logging.
DAEMON_ROTATE: Triggered when the auditd daemon rotates the Audit log files.
DAEMON_START: Triggered when the auditd daemon is started.
DEL_GROUP: Triggered when a user-space group is deleted.
DEL_USER: Triggered when a user-space user is deleted.
DEV_ALLOC: Triggered when a device is allocated.
DEV_DEALLOC: Triggered when a device is deallocated.
EOE: Triggered to record the end of a multi-record event.
EXECVE: Triggered to record arguments of the execve(2) system call.
FD_PAIR: Triggered to record the use of the pipe and socketpair system calls.
FS_RELABEL: Triggered when a file system relabel operation is detected.
GRP_AUTH: Triggered when a group password is used to authenticate against a user-space group.
INTEGRITY_DATA [b]: Triggered to record a data integrity verification event run by the kernel.
INTEGRITY_HASH [b]: Triggered to record a hash type integrity verification event run by the kernel.
INTEGRITY_METADATA [b]: Triggered to record a metadata integrity verification event run by the kernel.
INTEGRITY_PCR [b]: Triggered to record Platform Configuration Register (PCR) invalidation messages.
INTEGRITY_RULE [b]: Triggered to record a policy rule.
INTEGRITY_STATUS [b]: Triggered to record the status of integrity verification.
IPC: Triggered to record information about an Inter-Process Communication object referenced by a system call.
IPC_SET_PERM: Triggered to record information about new values set by an IPC_SET control operation on an IPC object.
KERNEL: Triggered to record the initialization of the Audit system.
KERNEL_OTHER: Triggered to record information from third-party kernel modules.
LABEL_LEVEL_CHANGE: Triggered when an object's level label is modified.
LABEL_OVERRIDE: Triggered when an administrator overrides an object's level label.
LOGIN: Triggered to record relevant login information when a user logs in to access the system.
MAC_CIPSOV4_ADD: Triggered when a Commercial Internet Protocol Security Option (CIPSO) user adds a new Domain of Interpretation (DOI). Adding DOIs is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_CIPSOV4_DEL: Triggered when a CIPSO user deletes an existing DOI. Adding DOIs is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_CONFIG_CHANGE: Triggered when an SELinux Boolean value is changed.
MAC_IPSEC_EVENT: Triggered to record information about an IPSec event, when one is detected, or when the IPSec configuration changes.
MAC_MAP_ADD: Triggered when a new Linux Security Module (LSM) domain mapping is added. LSM domain mapping is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_MAP_DEL: Triggered when an existing LSM domain mapping is deleted. LSM domain mapping is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_POLICY_LOAD: Triggered when an SELinux policy file is loaded.
MAC_STATUS: Triggered when the SELinux mode (enforcing, permissive, off) is changed.
MAC_UNLBL_ALLOW: Triggered when unlabeled traffic is allowed when using the packet labeling capabilities of the kernel provided by NetLabel.
MAC_UNLBL_STCADD: Triggered when a static label is added when using the packet labeling capabilities of the kernel provided by NetLabel.
MAC_UNLBL_STCDEL: Triggered when a static label is deleted when using the packet labeling capabilities of the kernel provided by NetLabel.
MMAP: Triggered to record a file descriptor and flags of the mmap(2) system call.
MQ_GETSETATTR: Triggered to record the mq_getattr(3) and mq_setattr(3) message queue attributes.
MQ_NOTIFY: Triggered to record arguments of the mq_notify(3) system call.
MQ_OPEN: Triggered to record arguments of the mq_open(3) system call.
MQ_SENDRECV: Triggered to record arguments of the mq_send(3) and mq_receive(3) system calls.
NETFILTER_CFG: Triggered when Netfilter chain modifications are detected.
NETFILTER_PKT: Triggered to record packets traversing Netfilter chains.
OBJ_PID: Triggered to record information about a process to which a signal is sent.
PATH: Triggered to record file name path information.
RESP_ACCT_LOCK [c]: Triggered when a user account is locked.
RESP_ACCT_LOCK_TIMED [c]: Triggered when a user account is locked for a specified period of time.
RESP_ACCT_REMOTE [c]: Triggered when a user account is locked from a remote session.
RESP_ACCT_UNLOCK_TIMED [c]: Triggered when a user account is unlocked after a configured period of time.
RESP_ALERT [c]: Triggered when an alert email is sent.
RESP_ANOMALY [c]: Triggered when an anomaly was not acted upon.
RESP_EXEC [c]: Triggered when an intrusion detection program responds to a threat originating from the execution of a program.
RESP_HALT [c]: Triggered when the system is shut down.
RESP_KILL_PROC [c]: Triggered when a process is terminated.
RESP_SEBOOL [c]: Triggered when an SELinux Boolean value is set.
RESP_SINGLE [c]: Triggered when the system is put into single-user mode.
RESP_TERM_ACCESS [c]: Triggered when a session is terminated.
RESP_TERM_LOCK [c]: Triggered when a terminal is locked.
ROLE_ASSIGN: Triggered when an administrator assigns a user to an SELinux role.
ROLE_MODIFY: Triggered when an administrator modifies an SELinux role.
ROLE_REMOVE: Triggered when an administrator removes a user from an SELinux role.
SELINUX_ERR: Triggered when an internal SELinux error is detected.
SERVICE_START: Triggered when a service is started.
SERVICE_STOP: Triggered when a service is stopped.
SOCKADDR: Triggered to record a socket address.
SOCKETCALL: Triggered to record arguments of the sys_socketcall system call (used to multiplex many socket-related system calls).
SYSCALL: Triggered to record a system call to the kernel.
SYSTEM_BOOT: Triggered when the system is booted up.
SYSTEM_RUNLEVEL: Triggered when the system's run level is changed.
SYSTEM_SHUTDOWN: Triggered when the system is shut down.
TEST: Triggered to record the success value of a test message.
TRUSTED_APP: The record of this type can be used by third-party applications that require auditing.
TTY: Triggered when TTY input was sent to an administrative process.
USER_ACCT: Triggered when a user-space user account is modified.
USER_AUTH: Triggered when a user-space authentication attempt is detected.
USER_AVC: Triggered when a user-space AVC message is generated.
USER_CHAUTHTOK: Triggered when a user account attribute is modified.
USER_CMD: Triggered when a user-space shell command is executed.
USER_END: Triggered when a user-space session is terminated.
USER_ERR: Triggered when a user account state error is detected.
USER_LABELED_EXPORT: Triggered when an object is exported with an SELinux label.
USER_LOGIN: Triggered when a user logs in.
USER_LOGOUT: Triggered when a user logs out.
USER_MAC_POLICY_LOAD: Triggered when a user-space daemon loads an SELinux policy.
USER_MGMT: Triggered to record user-space management data.
USER_ROLE_CHANGE: Triggered when a user's SELinux role is changed.
USER_SELINUX_ERR: Triggered when a user-space SELinux error is detected.
USER_START: Triggered when a user-space session is started.
USER_TTY: Triggered when an explanatory message about TTY input to an administrative process is sent from user-space.
USER_UNLABELED_EXPORT: Triggered when an object is exported without an SELinux label.
USYS_CONFIG: Triggered when a user-space system configuration change is detected.
VIRT_CONTROL: Triggered when a virtual machine is started, paused, or stopped.
VIRT_MACHINE_ID: Triggered to record the binding of a label to a virtual machine.
VIRT_RESOURCE: Triggered to record resource assignment of a virtual machine.
[a] All Audit event types prepended with ANOM are intended to be processed by an intrusion detection program.
[b] This event type is related to the Integrity Measurement Architecture (IMA), which functions best with a Trusted Platform Module (TPM) chip.
[c] All Audit event types prepended with RESP are intended responses of an intrusion detection system in case it detects malicious activity on the system.
The value in parentheses is the timestamp plus a unique ID; when several records are generated as part of the same audit event, they share the same timestamp and ID.
For example, to search for failed login records:
ausearch --message USER_LOGIN --success no --interpret
The search output is as follows:
----
type=USER_LOGIN msg=audit(2019年05月09日 09:58:07.647:537) : pid=6772 uid=root auid=unset ses=unset msg='op=login acct=root exe=/usr/sbin/sshd hostname=? addr=192.168.9.165 terminal=ssh res=failed'
----
type=USER_LOGIN msg=audit(2019年05月10日 03:06:53.549:2317) : pid=5003 uid=root auid=unset ses=unset msg='op=login acct=root exe=/usr/sbin/sshd hostname=? addr=192.168.9.166 terminal=ssh res=failed'
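As an added example (not part of the original post or of the audit package), the following Python script parses raw audit.log records like the SYSCALL event and the USER_LOGIN records above, groups the records that share one audit(timestamp:serial) id into a single event, and then answers the same questions as the ausearch command above: which addresses produced failed USER_LOGIN records, and which events carrying a rule key touched which paths. The sample log is constructed for this example: the SYSCALL event is the one shown above, while the USER_LOGIN lines are rewritten in raw (uninterpreted) form with constructed timestamps.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in raw audit.log form: the SYSCALL event from the post (a watch
# like "-w /var/log/audit/ -k audit-logs" yields it) plus three raw USER_LOGIN records.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1557427974.683:2260): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=e61320 a2=90800 a3=0 items=1 ppid=31275 pid=4114 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=113 comm="bash" exe="/usr/bin/bash" key="audit-logs"
type=CWD msg=audit(1557427974.683:2260): cwd="/etc/audit"
type=PATH msg=audit(1557427974.683:2260): item=0 name="/var/log/audit/" inode=101477489 dev=fc:00 mode=040700 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=USER_LOGIN msg=audit(1557367087.647:537): pid=6772 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.168.9.165 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1557428813.549:2317): pid=5003 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.168.9.166 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1557428900.120:2320): pid=5010 uid=0 auid=1000 ses=114 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.168.9.166 terminal=ssh res=success'
"""
# Record shape: type=<TYPE> msg=audit(<secs>:<serial>): k=v ...; v is '...', "..." or bare
HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

def parse_record(line):
    """Parse one raw record into a dict; returns None for lines that are not records."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m[1], "time": float(m[2]), "serial": int(m[3])}
    for key, val in FIELD.findall(m[4]):
        if val.startswith("'"):  # USER_* records nest key=value pairs inside msg='...'
            rec.update((k, v.strip('"')) for k, v in FIELD.findall(val[1:-1]))
        else:
            rec[key] = val.strip('"')
    return rec

def group_events(text):
    """Group records that share one audit(timestamp:serial) id into a single event."""
    events = defaultdict(list)
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events[(rec["time"], rec["serial"])].append(rec)
    return dict(events)

def failed_logins_by_addr(events):
    """Count failed USER_LOGIN records per source address (cf. ausearch --success no)."""
    return dict(Counter(r.get("addr", "?") for recs in events.values() for r in recs
                        if r["type"] == "USER_LOGIN" and r.get("res") == "failed"))

def keyed_events(events, key):
    """For SYSCALL events tagged with rule key `key`: (exe, syscall, success, paths)."""
    return [(sc["exe"], int(sc["syscall"]), sc["success"],
             [r["name"] for r in recs if r["type"] == "PATH"])
            for recs in events.values() for sc in recs
            if sc["type"] == "SYSCALL" and sc.get("key") == key]
```

On a real system, read /var/log/audit/audit.log into group_events instead of SAMPLE_LOG; the auid value 4294967295 is what ausearch --interpret prints as "unset".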
A summary report can be generated directly with the aureport command; its output looks like this:
Summary Report
======================
Range of time in logs: 1970年01月01日 08:00:00.000 - 2019年05月10日 03:11:46.045
Selected time for report: 1970年01月01日 08:00:00 - 2019年05月10日 03:11:46.045
Number of changes in configuration: 79
Number of changes to accounts, groups, or roles: 0
Number of logins: 2
Number of failed logins: 3
Number of authentications: 7
Number of failed authentications: 16
Number of users: 3
Number of terminals: 8
Number of host names: 4
Number of executables: 14
Number of commands: 10
Number of files: 13
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 812
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 55
Number of integrity events: 0
Number of virt events: 0
Number of keys: 9
Number of process IDs: 950
Number of events: 1935
Different types of reports can be generated by passing parameters.
Copied from (http://blog.gopersist.com/2019/05/10/centos7-audit/index.html)