Linux audit service: audit.rules policy parameters

audit is a feature of the Linux kernel; it can be enabled with the kernel parameter audit=1.

/etc/audit/audit.rules is the audit rule file. This article describes how to use audit to monitor important system resources.

1. Monitoring filesystem activity (identified by file and directory permission attributes)

Rule format: -w path -p permissions -k key

There are four permission actions:

r read the file

w write the file

x execute the file

a change the file's attributes

Example: monitor changes to /etc/passwd (writes and attribute changes)

-w /etc/passwd -p wa

Adding the line above to audit.rules is enough to put that file under watch.

Likewise, to keep the system healthy, the following resources should also be watched.

-w /etc/at.allow

-w /etc/at.deny

-w /etc/inittab -p wa

-w /etc/init.d/

-w /etc/init.d/auditd -p wa

-w /etc/cron.d/ -p wa

-w /etc/cron.daily/ -p wa

-w /etc/cron.hourly/ -p wa

-w /etc/cron.monthly/ -p wa

-w /etc/cron.weekly/ -p wa

-w /etc/crontab -p wa

-w /etc/group -p wa

-w /etc/passwd -p wa

-w /etc/shadow

-w /etc/sudoers -p wa

-w /etc/hosts -p wa

-w /etc/sysconfig/

-w /etc/sysctl.conf -p wa

-w /etc/modprobe.d/

-w /etc/aliases -p wa

-w /etc/bashrc -p wa

-w /etc/profile -p wa

-w /etc/profile.d/

-w /var/log/lastlog

-w /var/log/yum.log

-w /etc/issue -p wa

-w /etc/issue.net -p wa

-w /usr/bin/ -p wa

-w /usr/sbin/ -p wa

-w /bin -p wa

-w /etc/ssh/sshd_config

Note: if the -p option is omitted, all four actions (rwxa) are watched by default.

2. Monitoring system call activity (identified by system call)

Rule format: -a list,action -S syscall-name -F field=value -k key

For the list of system calls, see:

http://www.ibm.com/developerworks/cn/linux/kernel/syscall/part1/appendix.html

Common system calls that should be monitored:

Monitor file permission changes, since changing permissions requires the umask call

-a entry,always -S umask -S chown

Monitor hostname changes, since changing the hostname requires the sethostname call

-a entry,always -S sethostname -S setdomainname

Monitor system time changes

-a entry,always -S adjtimex -S settimeofday -S stime

Setting the system date and time

-a entry,always -S stime

Monitor user and group ID changes

-a entry,always -S setuid -S seteuid -S setreuid

-a entry,always -S setgid -S setegid -S setregid

Monitor mounts

-a entry,always -S mount -S umount

Note: consult the system call list before deciding which behaviour to monitor. System calls are low-level and global; monitoring an inappropriate call places a very heavy load on the system.
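An added checker, written for this page and not part of the original post or of the audit project, that applies the conventions from the two sections above to rule lines before they go into audit.rules: a -w rule without -p watches rwxa, a rule without -k leaves its events unreachable by key in ausearch/aureport, an entry list is reported as deprecated by current auditctl, and a syscall rule without -F arch is ambiguous on a host with both 32- and 64-bit ABIs. The sample lines in the block are constructed; the two problem lines are taken from the post.

```python
import shlex

DEFAULT_PERMS = "rwxa"  # what a -w rule watches when -p is omitted (note in section 1)
SCALAR = {"-w": "path", "-p": "perms", "-k": "key", "-a": "list"}  # options taking one value
MULTI = {"-S": "syscalls", "-F": "fields"}                          # options that may repeat

def parse_rule(line):
    """Parse one audit.rules line into a dict; blank and comment lines become 'control'."""
    argv = shlex.split(line, comments=True)
    rule = {"path": None, "perms": None, "key": None, "list": None, "syscalls": [], "fields": []}
    i = 0
    while i < len(argv):
        opt, val = argv[i], (argv[i + 1] if i + 1 < len(argv) else None)
        if opt in SCALAR:
            rule[SCALAR[opt]] = val
        elif opt in MULTI:
            rule[MULTI[opt]].append(val)
        i += 1 if opt == "-D" else 2  # -D (delete all) takes no argument; -b/-e take one
    rule["kind"] = "watch" if rule["path"] else "syscall" if rule["list"] else "control"
    return rule

def check_rule(line):
    """Return the problems a reviewer would flag for one rule line (empty list means fine)."""
    rule = parse_rule(line)
    if rule["kind"] == "control":
        return []
    problems = []
    if rule["key"] is None:
        problems.append("no -k key: events cannot be selected with ausearch -k / aureport -k")
    if rule["kind"] == "watch":
        perms = rule["perms"] or DEFAULT_PERMS
        if set(perms) - set("rwxa"):
            problems.append("invalid -p %r: only r, w, x and a are allowed" % perms)
        elif rule["perms"] is None:
            problems.append("no -p: defaults to rwxa, so every read of %s is logged" % rule["path"])
    else:
        if "entry" in rule["list"].split(","):
            problems.append("entry list is deprecated; use the exit list")
        if not any(f.startswith("arch=") for f in rule["fields"]):
            problems.append("no -F arch=b32/b64: syscall numbers differ between the two ABIs")
    return problems

if __name__ == "__main__":
    # Constructed sample: two lines as they appear in the post, then a corrected form of each.
    for line in ["-w /etc/shadow", "-a entry,always -S umask -S chown",
                 "-w /etc/shadow -p wa -k identity",
                 "-a exit,always -F arch=b64 -S umask -S chown -k perms"]:
        print("%-58s %s" % (line, check_rule(line) or "ok"))
```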

Sample audit.rules

# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 1024

# Feel free to add below this line. See auditctl man page
-a exit,always -F arch=b64 -S umask -S chown -S chmod
-a exit,always -F arch=b64 -S unlink -S rmdir
-a exit,always -F arch=b64 -S setrlimit
-a exit,always -F arch=b64 -S setuid -S setreuid
-a exit,always -F arch=b64 -S setgid -S setregid
-a exit,always -F arch=b64 -S sethostname -S setdomainname
-a exit,always -F arch=b64 -S adjtimex -S settimeofday
-a exit,always -F arch=b64 -S mount -S _sysctl
-w /etc/group -p wa
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/sudoers -p wa
-w /etc/ssh/sshd_config
-w /etc/bashrc -p wa
-w /etc/profile -p wa
-w /etc/profile.d/
-w /etc/aliases -p wa
-w /etc/sysctl.conf -p wa
-w /var/log/lastlog

# Disable adding any additional rules - note that adding new rules will require a reboot
#-e 2

Reading audit reports

aureport --start this-week

aureport --user

aureport --file

aureport --summary

Timestamp conversion script for audit logs

Audit log entries record the time as a Unix epoch value (for example audit(1234567890.123:45)). The one-line Perl script time.pl below rewrites every 10-digit timestamp beginning with 1 into local time:

time.pl:
s/(1\d{9})/localtime($1)/e

Usage (the -p switch runs the script over each input line and prints the result):
echo 1234567890 | perl -p time.pl
