On CentOS the audit package (auditd) is installed by default.
Check the service and kernel audit status:
[root@ecs-proxy ~]# service auditd status
[root@ecs-proxy ~]# auditctl -s
List the loaded rules:
[root@ecs-proxy ~]# auditctl -l
Delete all rules and watches:
[root@ecs-proxy ~]# auditctl -D
Show the help:
[root@ecs-proxy ~]# auditctl -h
usage: auditctl [options]
    -a <l,a>            Append rule to end of <l>ist with <a>ction
    -A <l,a>            Add rule at beginning of <l>ist with <a>ction
    -b <backlog>        Set max number of outstanding audit buffers
                        allowed Default=64
    -c                  Continue through errors in rules
    -C f=f              Compare collected fields if available:
                        Field name, operator(=,!=), field name
    -d <l,a>            Delete rule from <l>ist with <a>ction
                        l=task,exit,user,exclude
                        a=never,always
    -D                  Delete all rules and watches
    -e [0..2]           Set enabled flag
    -f [0..2]           Set failure flag
                        0=silent 1=printk 2=panic
    -F f=v              Build rule: field name, operator(=,!=,<,>,<=,
                        >=,&,&=) value
    -h                  Help
    -i                  Ignore errors when reading rules from file
    -k <key>            Set filter key on audit rule
    -l                  List rules
    -m text             Send a user-space message
    -p [r|w|x|a]        Set permissions filter on watch
                        r=read, w=write, x=execute, a=attribute
    -q <mount,subtree>  make subtree part of mount point's dir watches
    -r <rate>           Set limit in messages/sec (0=none)
    -R <file>           read rules from file
    -s                  Report status
    -S syscall          Build rule: syscall name or number
    -t                  Trim directory watches
    -v                  Version
    -w <path>           Insert watch at <path>
    -W <path>           Remove watch at <path>
    --loginuid-immutable  Make loginuids unchangeable once set
    --reset-lost        Reset the lost record counter
Defining a watch rule on the command line (temporary: it is lost when auditd restarts):
auditctl -w /path/to/file -p <permissions> -k <rule-name>
[root@ecs-proxy ~]# auditctl -w /etc/passwd -p wa -k passwd_changes
[root@ecs-proxy ~]# auditctl -l
-w /etc/passwd -p wa -k passwd_changes
-w path : the file or directory to watch
-p : which kinds of access to the file or directory trigger a record
-k : a key (name) for this rule, so records can be searched and filtered by it
rwxa : the trigger conditions; r = read, w = write, x = execute, a = attribute (attr) change
To make rules permanent, put them in the rules file, e.g.:
[root@ecs-proxy ~]# vim /etc/audit/rules.d/audit.rules
-w /etc/passwd -p wa -k passwd_changes
-w /usr/sbin/fdisk -p x -k partition_disks
Restart the service after editing: on startup augenrules merges /etc/audit/rules.d/*.rules into /etc/audit/audit.rules and loads the result (`augenrules --load` does the same without a restart). On systemd-based CentOS, `systemctl restart auditd` is refused; use `service auditd restart`. Check with `auditctl -l` that the rules are actually loaded.
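A fuller rules file, as an added example that is not from the original post or the audit package: it puts -D first so a reload starts clean, raises the kernel backlog, keeps the two watches above, and adds a syscall rule of the kind the -a/-S/-F options in the help text describe. The file name and the chosen keys are assumptions.

```text
## /etc/audit/rules.d/10-local.rules (added example; file name is an assumption)
## Rules are applied top to bottom; -D first clears whatever is currently loaded.
-D
## Kernel backlog for audit records (the default of 64 is too small for busy hosts).
-b 8192
## Failure mode: 1 = printk when records are lost (2 = panic, for hardened hosts).
-f 1

## File watches: w = write, a = attribute change, x = execute.
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k passwd_changes
-w /etc/sudoers -p wa -k sudoers_changes
-w /usr/sbin/fdisk -p x -k partition_disks

## Syscall rule: permission and ownership changes made by logged-in users.
## auid>=1000 skips system accounts; auid!=4294967295 skips processes that
## never had a login session (daemons, cron). arch=b64 is required on x86_64:
## without it auditctl warns about a 32/64-bit syscall mismatch, because the
## two syscall tables use different numbers.
-a always,exit -F arch=b64 -S chmod -S fchmod -S chown -S fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod

## Optional: lock the configuration until reboot. Put it last and enable it
## only after the rules are tested; once -e 2 is set, auditctl -D and
## augenrules --load no longer change anything.
# -e 2
```

Load it with `augenrules --load` (or `service auditd restart`) and confirm with `auditctl -l`; the keys then work directly with `ausearch -k perm_mod`.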
Reading the log:
# type: the record type
# msg=audit(time_stamp:ID): the timestamp is seconds since 1970-01-01 (the same value date +%s prints); every record belonging to one event carries the same ID
# arch=c000003e: the architecture, here x86_64 (hex)
# success=yes/no: whether the syscall succeeded
# a0-a3: the first four arguments passed to the syscall, in hex
# ppid: parent process ID (e.g. the bash shell); pid: the process ID (e.g. the cat command)
# auid: the audit (login) UID; after `su - test` it still identifies the account that logged in before the su
# uid, gid: the user and group the process ran as
# tty: the terminal the command was run from
# comm="cat": the command as typed on the command line
# exe="/bin/cat": the path of the program actually executed
# key="sshd_config": the key the administrator gave the rule
# type=CWD records the current working directory
# cwd="/home/username"
# type=PATH records the file object(s) touched
# ouid (owner's user id): the UID of the object's owner
# ogid (owner's group id): the GID of the object's owning group
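The field list above is easier to apply when a parser walks real records. The following is an added example, not part of the original post or the audit package: it groups audit.log lines into events by the (timestamp:ID) inside msg=audit(...), pulls out the SYSCALL, CWD and PATH fields described above, and flags two things an analyst looks for first: an auid that differs from uid (the user changed identity after login, e.g. with su), and success=no. The log lines are constructed to resemble what the passwd_changes watch would produce; PIDs, inodes and timestamps are made up.

```python
"""Group Linux audit records into events and summarize the fields that matter.

Added example for this page, not part of the original post or the audit
package. The sample log below is constructed: PIDs, inodes and timestamps
are made up, but the record layout follows audit.log.
"""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: one successful open(2) of /etc/passwd for writing by a
# user who became root with su (auid=1000, uid=0), and one denied attempt.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:501): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd1c2b3e40 a1=241 a2=1b6 a3=0 items=2 ppid=2301 pid=2345 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="passwd_changes"
type=CWD msg=audit(1700000000.123:501):  cwd="/root"
type=PATH msg=audit(1700000000.123:501): item=0 name="/etc/" inode=131073 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.123:501): item=1 name="/etc/passwd" inode=131154 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000042.777:502): arch=c000003e syscall=2 success=no exit=-13 a0=7ffe0a1b2c30 a1=241 a2=1b6 a3=0 items=1 ppid=2400 pid=2410 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=4 comm="vi" exe="/usr/bin/vi" key="passwd_changes"
type=CWD msg=audit(1700000042.777:502):  cwd="/home/alice"
type=PATH msg=audit(1700000042.777:502): item=0 name="/etc/passwd" inode=131154 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

# msg=audit(<seconds since epoch>.<ms>:<event id>): every record of one event
# shares the same id, which is how the records are joined back together.
HEADER_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>\d+\.\d+):(?P<id>\d+)\):\s*(?P<rest>.*)$")
# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')

ARCH_NAMES = {"c000003e": "x86_64", "40000003": "i386", "c00000b7": "aarch64"}
UNSET_AUID = 4294967295  # (uid_t)-1: the process has no login session


def parse_record(line):
    """Return one record as a dict, or None if the line is not an audit record."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group("type"), "ts": float(m.group("ts")), "id": int(m.group("id"))}
    for key, value in FIELD_RE.findall(m.group("rest")):
        rec[key] = value[1:-1] if value.startswith('"') else value
    return rec


def group_events(lines):
    """Map event id -> list of its records (SYSCALL, CWD, PATH, ...)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["id"]].append(rec)
    return events


def summarize(records):
    """Condense one event into the fields an analyst reads first."""
    syscall = next(r for r in records if r["type"] == "SYSCALL")
    auid, uid = int(syscall["auid"]), int(syscall["uid"])
    flags = []
    if auid == UNSET_AUID:
        flags.append("no login session (daemon or cron)")
    elif auid != uid:
        # auid is fixed at login; a different uid means su/sudo/setuid happened later.
        flags.append(f"uid changed after login (su/sudo): auid={auid} uid={uid}")
    if syscall["success"] != "yes":
        flags.append(f"denied (exit={syscall['exit']})")
    return {
        "id": syscall["id"],
        "time": datetime.fromtimestamp(syscall["ts"], tz=timezone.utc).isoformat(),
        "arch": ARCH_NAMES.get(syscall["arch"], syscall["arch"]),
        "syscall": int(syscall["syscall"]),
        "success": syscall["success"] == "yes",
        "auid": auid, "uid": uid,
        "tty": syscall.get("tty"), "comm": syscall.get("comm"), "exe": syscall.get("exe"),
        "key": syscall.get("key"),
        "cwd": next((r["cwd"] for r in records if r["type"] == "CWD"), None),
        # PATH items with nametype=PARENT are the containing directory; keep the targets.
        "paths": [r["name"] for r in records
                  if r["type"] == "PATH" and r.get("nametype", "NORMAL") != "PARENT"],
        "flags": flags,
    }


def report(lines):
    """Summaries for every event that has a SYSCALL record, in event-id order."""
    events = group_events(lines)
    return [summarize(recs) for _, recs in sorted(events.items())
            if any(r["type"] == "SYSCALL" for r in recs)]


if __name__ == "__main__":
    for s in report(SAMPLE_LOG.splitlines()):
        print(f"{s['time']} id={s['id']} {s['exe']} ({s['comm']}) auid={s['auid']} uid={s['uid']} "
              f"tty={s['tty']} key={s['key']} paths={s['paths']} flags={s['flags']}")
```

Feed it `ausearch -k passwd_changes --raw` output or /var/log/audit/audit.log directly; the auid-versus-uid check is the reason the page's point about `su - test` matters in practice, since the uid alone would show only root.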
Search for specific records with ausearch
Search by file name:
[root@ecs-proxy ~]# ausearch -f /etc/passwd
Search by rule key:
[root@ecs-proxy ~]# ausearch -k passwd_changes
Add -i to have numeric fields (uid, syscall number, arch) translated into names.
Generate a summary report with aureport
[root@ecs-proxy ~]# aureport