Linux Audit Logs

I recently noticed the following entries in a Linux log:

vi /var/log/messages

type=CRYPTO_KEY_USER msg=audit(1448528863.866:163): user pid=7735 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=df:d3:ff:1f:0b:11:d7:ce:e6:00:be:28:cc:4a:16:40 direction=? spid=7735 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1448528863.873:164): user pid=7735 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=60:ec:35:76:1e:f2:1e:6e:0c:3b:62:52:78:23:38:4c direction=? spid=7735 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1448528864.026:165): user pid=9719 uid=0 auid=0 ses=11 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/sshd" hostname=192.168.1.111 addr=192.168.1.111 terminal=ssh res=success'
type=CRED_DISP msg=audit(1448528864.027:166): user pid=9719 uid=0 auid=0 ses=11 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/sshd" hostname=192.168.1.111 addr=192.168.1.111 terminal=ssh res=success'
type=USER_END msg=audit(1448528864.042:167): user pid=9719 uid=0 auid=0 ses=11 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/1 res=success'

On closer inspection these turned out to be Linux audit records. Normally the audit records are written to the following file:

/var/log/audit/audit.log


The Linux audit service is auditd:

[root@marmot ~]# service auditd status
auditd is stopped

The audit service had stopped. While auditd is not running, the audit records are written to /var/log/messages instead.

Once the audit service is started again, the audit records go back to their original log file:

[root@marmot ~]# service auditd start
Starting auditd:                                           [  OK  ]


vi /var/log/audit/audit.log

type=USER_END msg=audit(1472701553.949:20): user pid=4438 uid=0 auid=0 ses=7 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/3 res=success'
type=USER_LOGOUT msg=audit(1472701553.949:21): user pid=4438 uid=0 auid=0 ses=7 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/3 res=success'
type=USER_END msg=audit(1472701553.951:22): user pid=4438 uid=0 auid=0 ses=7 msg='op=PAM:session_close acct="root" exe="/usr/sbin/sshd" hostname=192.168.137.1 addr=192.168.137.1 terminal=ssh res=success'
type=CRED_DISP msg=audit(1472701553.951:23): user pid=4438 uid=0 auid=0 ses=7 msg='op=PAM:setcred acct="root" exe="/usr/sbin/sshd" hostname=192.168.137.1 addr=192.168.137.1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1472701553.952:24): user pid=4438 uid=0 auid=0 ses=7 msg='op=destroy kind=session fp=? direction=both spid=4438 suid=0 rport=57507 laddr=192.168.137.10 lport=22  exe="/usr/sbin/sshd" hostname=? addr=192.168.137.1 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1472701553.952:25): user pid=4438 uid=0 auid=0 ses=7 msg='op=destroy kind=server fp=df:d3:ff:1f:0b:11:d7:ce:e6:00:be:28:cc:4a:16:40 direction=? spid=4438 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.137.1 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1472701553.953:26): user pid=4438 uid=0 auid=0 ses=7 msg='op=destroy kind=server fp=60:ec:35:76:1e:f2:1e:6e:0c:3b:62:52:78:23:38:4c direction=? spid=4438 suid=0  exe="/usr/sbin/sshd" hostname=? addr=192.168.137.1 terminal=? res=success'
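To make records like the ones above easier to work with, here is an added Python example (not part of the original post) that parses the audit record format shown here, i.e. type=... msg=audit(timestamp:serial): key=value pairs with a nested msg='...' block, and lists the sshd session-close events by audit session id. The syslog prefix on the first constructed sample line is an assumption about how the records appear in /var/log/messages; the other two samples are taken from the audit.log output above.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: one record as it might appear in /var/log/messages (the syslog prefix is
# an assumption) and two records copied from the post's /var/log/audit/audit.log output.
SAMPLE_LINES = [
    "Nov 26 17:07:44 marmot kernel: type=USER_END msg=audit(1448528864.026:165): user pid=9719 uid=0 auid=0 ses=11 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=192.168.1.111 addr=192.168.1.111 terminal=ssh res=success'",
    "type=USER_END msg=audit(1472701553.951:22): user pid=4438 uid=0 auid=0 ses=7 msg='op=PAM:session_close acct=\"root\" exe=\"/usr/sbin/sshd\" hostname=192.168.137.1 addr=192.168.137.1 terminal=ssh res=success'",
    "type=CRYPTO_KEY_USER msg=audit(1472701553.952:24): user pid=4438 uid=0 auid=0 ses=7 msg='op=destroy kind=session fp=? direction=both spid=4438 suid=0 rport=57507 laddr=192.168.137.10 lport=22  exe=\"/usr/sbin/sshd\" hostname=? addr=192.168.137.1 terminal=? res=success'",
]

# Record header: "type=<TYPE> msg=audit(<seconds>.<millis>:<serial>): <key=value ...>"
HEADER_RE = re.compile(r"type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
# One key=value pair: the value is a single-quoted block (nested msg='...'), a double-quoted string, or a bare token.
KV_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

def parse_record(line: str) -> Optional[Dict]:
    """Parse one audit record; returns None for lines that are not audit records."""
    m = HEADER_RE.search(line)  # search, not match, so a syslog prefix before type= is tolerated
    if m is None:
        return None
    fields: Dict[str, str] = {}
    for key, value in KV_RE.findall(m.group("body")):
        if value.startswith("'"):
            # the nested msg='...' block is itself a key=value list (op=, acct=, addr=, res=)
            for k2, v2 in KV_RE.findall(value[1:-1]):
                fields[k2] = v2.strip('"')
        else:
            fields[key] = value.strip('"')
    return {"type": m.group("type"), "time": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": fields}

def parse_lines(lines: List[str]) -> List[Dict]:
    return [r for r in (parse_record(line) for line in lines) if r is not None]

def ssh_session_closes(records: List[Dict]) -> List[Dict]:
    """USER_END records for a PAM session close by sshd, i.e. an SSH login ending, keyed by audit session id."""
    out = []
    for r in records:
        f = r["fields"]
        if r["type"] == "USER_END" and f.get("op") == "PAM:session_close" and f.get("exe") == "/usr/sbin/sshd":
            out.append({"ses": int(f["ses"]), "acct": f.get("acct"), "addr": f.get("addr"),
                        "success": f.get("res") == "success", "serial": r["serial"]})
    return out

if __name__ == "__main__":
    for s in ssh_session_closes(parse_lines(SAMPLE_LINES)):
        print(s)
```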

It turns out that to actually turn auditing off, you have to add audit=0 to the kernel command line in the grub configuration and then stop the audit service.

To disable audit logging you can also change the contents of the following file:


vi /etc/audit/auditd.conf

#
# This file controls the configuration of the audit daemon
#

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key

The log_format option sets the format used when writing the log. When it is set to RAW, the data is written to the log file in the format in which it was retrieved from the kernel.
When it is set to NOLOG, the data is not written to the log file, but if a dispatcher has been specified with the dispatcher option,
the data is still sent to the audit event dispatcher.


The following picture (found online; not reproduced here) shows the audit architecture: solid lines represent data flow, dashed lines represent control.
