第15章 配置系统审计
环境配置
1、RHEL6.4 SERVER 10.10.10.221
2、RHEL6.4 CLIENT 10.10.10.223
1、查看审计服务auditd的运行状态
[root@teachers rsyslog-keys]# service auditd status
auditd (pid 2004) is running...
2、将/var/log/audit/audit.log中的时间戳转换为可读时间的命令
[root@student audit]# date -d @<audit.log中的epoch秒数>    # 原命令参数在页面提取时被遮蔽为 "[email protected]",此处为占位符
Mon Jan 18 14:50:01 EST 2016
3、使用auditctl命令创建规则
[root@teachers ~]# auditctl -w /etc/passwd -p rx -F uid=500
[root@teachers ~]# auditctl -l
LIST_RULES: exit,always watch=/etc/passwd perm=rx uid=500 (0x1f4)
4、查看/var/log/audit/audit.log
type=SYSCALL msg=audit(1453838986.588:30574): arch=c000003e syscall=2 success=yes exit=3 a0=7f3d9391f69a a1=80000 a2=1b6 a3=0 items=1 ppid=3001 pid=3002 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts1 ses=15 comm="id" exe="/usr/bin/id" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1453838986.588:30574): cwd="/home/student"
type=PATH msg=audit(1453838986.588:30574): item=0 name="/etc/passwd" inode=2885884 dev=08:03 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0
5、删除全部审计规则使用参数“-D”
[root@student ~]# auditctl -D
No rules
6、创建带关键字(-k)的审计规则,之后可以使用该关键字进行搜索
[root@student ~]# auditctl -w /etc/passwd -p rx -F uid=500 -k zhongyaode
[root@student ~]# cat /var/log/audit/audit.log |grep zhongyaode
type=CONFIG_CHANGE msg=audit(1453839635.065:30611): auid=0 ses=2 subj=unconfined_u:unconfined_r:auditctl_t:s0-s0:c0.c1023 op="add rule" key="zhongyaode" list=4 res=1
type=SYSCALL msg=audit(1453839648.036:30616): arch=c000003e syscall=2 success=yes exit=3 a0=7f1fa1a0369a a1=80000 a2=1b6 a3=0 items=1 ppid=3093 pid=3094 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=2 comm="bash" exe="/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="zhongyaode"
type=SYSCALL msg=audit(1453839648.038:30617): arch=c000003e syscall=2 success=yes exit=3 a0=7f90ba97169a a1=80000 a2=1b6 a3=0 items=1 ppid=3095 pid=3096 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=2 comm="id" exe="/usr/bin/id" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="zhongyaode"
type=SYSCALL msg=audit(1453839648.046:30618): arch=c000003e syscall=2 success=yes exit=3 a0=7f77d45c669a a1=80000 a2=1b6 a3=0 items=1 ppid=3101 pid=3102 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=2 comm="id" exe="/usr/bin/id" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="zhongyaode"
type=SYSCALL msg=audit(1453839654.179:30619): arch=c000003e syscall=2 success=yes exit=3 a0=7fffa90888d0 a1=0 a2=7fffa9086980 a3=a items=1 ppid=3094 pid=3117 auid=0 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=2 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="zhongyaode"
7、通过ausearch命令按事件号(-a)查询,-i 将uid、系统调用号等数值解释为名称
[root@student ~]# ausearch -i -a 30616
----
type=PATH msg=audit(01/26/2016 15:20:48.036:30616) : item=0 name=/etc/passwd inode=2885884 dev=08:03 mode=file,644 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:etc_t:s0
type=CWD msg=audit(01/26/2016 15:20:48.036:30616) : cwd=/home/student
type=SYSCALL msg=audit(01/26/2016 15:20:48.036:30616) : arch=x86_64 syscall=open success=yes exit=3 a0=7f1fa1a0369a a1=80000 a2=1b6 a3=0 items=1 ppid=3093 pid=3094 auid=root uid=student gid=student euid=student suid=student fsuid=student egid=student sgid=student fsgid=student tty=pts0 ses=2 comm=bash exe=/bin/bash subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=zhongyaode
8、使用autrace追踪单个程序产生的审计事件
[root@student ~]# autrace /bin/date
Waiting to execute: /bin/date
Tue Jan 26 15:39:33 EST 2016
Cleaning up...
Trace complete. You can locate the records with 'ausearch -i -p 3273'
[root@student ~]# ausearch -i -p 3273 | aureport --file -i
File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 12/31/1969 19:00:01 (null) inode=664418 dev=08:03 mode=file,755 ouid=root ogid=root rdev=00:00 obj=system_u:object_r:ld_so_t:s0 ? yes ? root 0
9、编写自定义审计规则
[root@teachers ~]# cat /etc/audit/audit.rules |grep 500
-a exit,always -F path=/etc/passwd -F arch=64 -F uid=500 -S all -p rwxa -k zhongyaode
10、练习
1) 配置客户端/etc/rsyslog.conf
[root@student ~]# sed -e '/^#/d' /etc/rsyslog.conf
$ModLoad imuxsock # provides support for local system logging (e.g. via logger command)
$ModLoad imklog # provides kernel logging support (previously done by rklogd)
$ActionFileDefaultTemplate RSYSLOG_TraditionalFileFormat
$IncludeConfig /etc/rsyslog.d/*.conf
*.* @@10.10.10.221:514
$template SpiceTmpl,"%TIMESTAMP%.%TIMESTAMP:::date-subseconds% %syslogtag% %syslogseverity-text%:%msg:::sp-if-no-1st-sp%%msg:::drop-last-lf%\n"
:programname, startswith, "spice-vdagent" /var/log/spice-vdagent.log;SpiceTmpl
保留以上这几行,其余行都注释掉(其中 *.* @@10.10.10.221:514 的 @@ 表示通过TCP把全部日志转发到SERVER端)
2) 配置客户端审计规则(/etc/audit/audit.rules)
[root@student ~]# sed -e '/^#/d' /etc/audit/audit.rules
-D
-b 320
-w /etc/passwd -p rwxa -k zhongyaode -F uid=500
3) 重启客户端服务
[root@student ~]# service auditd restart
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
4) 查看客户端审计配置
[root@student ~]# auditctl -l
LIST_RULES: exit,always watch=/etc/passwd perm=rwxa uid=500 (0x1f4) key=zhongyaode
5) 清空审计日志(用重定向截断audit.log文件)
[root@student ~]# > /var/log/audit/audit.log
6) 启用audisp的syslog插件(active = yes),让审计事件写入syslog,再由rsyslog转发到远程端
[root@student ~]# cat /etc/audisp/plugins.d/syslog.conf
# This file controls the configuration of the syslog plugin.
# It simply takes events and writes them to syslog. The
# arguments provided can be the default priority that you
# want the events written with. And optionally, you can give
# a second argument indicating the facility that you want events
# logged to. Valid options are LOG_LOCAL0 through 7.
active = yes
direction = out
path = builtin_syslog
type = builtin
args = LOG_INFO
format = string
7) 重启审计服务和日志服务
[root@student ~]# service auditd restart
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
[root@student ~]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
8) 配置SERVER端的/etc/rsyslog.conf
$ModLoad imtcp
$InputTCPServerRun 514
以上两行加载imtcp模块并在TCP 514端口监听接收
9) 在SERVER端创建接收客户端日志的rsyslog配置文件
[root@teachers ~]# vim /etc/rsyslog.d/audit.conf
:fromhost-ip,isequal,"10.10.10.223" /var/log/studentaudit.log
:fromhost-ip,isequal,"10.10.10.223" ~
10) 重启SERVER端rsyslog服务
[root@teachers ~]# service rsyslog restart
Shutting down system logger: [ OK ]
Starting system logger: [ OK ]
11) 查看SERVER端rsyslog是否已在514端口监听
[root@teachers ~]# netstat -tunpl|grep :514
tcp 0 0 0.0.0.0:514 0.0.0.0:* LISTEN 4589/rsyslogd
tcp 0 0 :::514 :::* LISTEN 4589/rsyslogd
12) 在SERVER端使用实时跟踪命令跟踪远程审计发出的消息
[root@teachers ~]# tail -f /var/log/studentaudit.log
13) 在CLIENT端上执行命令(切换到uid=500的student用户,以触发对/etc/passwd的访问)
[root@student ~]# su - student
14) 在SERVER端上的/var/log/studentaudit.log日志出现信息
Jan 26 16:48:13 student.example.com #026#003#002#000V#001#000#000R#003#002V#02541HD#0241h#031'00#000$#0003#000E#0009#0000#026#0002#000D#0008#0000#023#000f#000/#000A#0005#000
注意:这一行并不是可读的审计消息。#026#003#002… 是rsyslog对不可打印字节的八进制转义,解码后为 0x16 0x03 0x02 0x00 0x56 0x01 …,与TLS握手记录(ClientHello)的开头格式一致,很可能是客户端在向514端口发送TLS数据而SERVER端的imtcp按明文接收。应核对两端rsyslog的TLS(gtls)配置是否一致;只有看到形如 type=SYSCALL … key=zhongyaode 的文本行,才说明审计日志已成功远程接收。