linux审计工具audit,Linux audit 审计工具

centos 系统 audit 默认是安装的

查看状态:

[root@ecs-proxy ~]# service auditd status

[root@ecs-proxy ~]# auditctl -s

查看规则:

[root@ecs-proxy ~]# auditctl -l

删除规则:

[root@ecs-proxy ~]# auditctl -D

查看帮助:

[root@ecs-proxy ~]# auditctl -h

usage: auditctl [options]

-a Append rule to end of ist with ction

-A Add rule at beginning of ist with ction

-b Set max number of outstanding audit buffers

allowed Default=64

-c Continue through errors in rules

-C f=f Compare collected fields if available:

Field name, operator(=,!=), field name

-d Delete rule from ist with ction

l=task,exit,user,exclude

a=never,always

-D Delete all rules and watches

-e [0..2] Set enabled flag

-f [0..2] Set failure flag

0=silent 1=printk 2=panic

-F f=v Build rule: field name, operator(=,!=,,<=,

>=,&,&=) value

-h Help

-i Ignore errors when reading rules from file

-k Set filter key on audit rule

-l List rules

-m text Send a user-space message

-p [r|w|x|a] Set permissions filter on watch

r=read, w=write, x=execute, a=attribute

-q make subtree part of mount point's dir watches

-r Set limit in messages/sec (0=none)

-R read rules from file

-s Report status

-S syscall Build rule: syscall name or number

-t Trim directory watches

-v Version

-w Insert watch at

-W Remove watch at

--loginuid-immutable Make loginuids unchangeable once set

--reset-lost Reset the lost record counter

临时定义监视指令示例:

auditctl -w /目录/文件 -p 触发的权限 -k 规则名称

[root@ecs-proxy ~]# auditctl -w /etc/passwd -p wa -k passwd_changes

[root@ecs-proxy ~]# auditctl -l

-w /etc/passwd -p wa -k passwd_changes

-w path : 指定要监控的路径

-p : 指定触发审计的文件/目录的访问权限

-k 给当前这条监控规则起个名字,方便搜索过滤

rwxa : 指定的触发条件,r 读取权限,w 写入权限,x 执行权限,a 属性(attr)

永久定义需要修改配置文件,如:

[root@ecs-proxy ~]# vim /etc/audit/rules.d/audit.rules

-w /etc/passwd -p wa -k passwd_changes

-w /usr/sbin/fdisk -p x -k partition_disks

修改后重启服务

日志解读:

# type为类型

# msg为(time_stamp:ID),时间是date +%s(1970-1-1至今的秒数)

# arch=c000003e,代表x86_64(16进制)

# success=yes/no,事件是否成功

# a0-a3是程序调用时前4个参数,16进制编码了

# ppid父进程ID,如bash,pid进程ID,如cat命令

# auid是审核用户的id,su - test, 依然可以追踪su前的账户

# uid,gid用户与组

# tty:从哪个终端执行的命令

# comm="cat"         用户在命令行执行的指令

# exe="/bin/cat"        实际程序的路径

# key="sshd_config"    管理员定义的策略关键字key

# type=CWD        用来记录当前工作目录

# cwd="/home/username"

# type=PATH

# ouid(owner's user id)    对象所有者id

# guid(owner's groupid)    对象所有组id

搜索特定日志 ausearch

指定文件名搜索:

[root@ecs-proxy ~]# ausearch -f /etc/passwd

指定策略关键字搜索:

[root@ecs-proxy ~]# ausearch -k passwd_changes

生成简要的日志报告 aureport

[root@ecs-proxy ~]# aureport

来源:oschina

链接:https://my.oschina.net/u/4502772/blog/3553457

你可能感兴趣的:(linux审计工具audit)