  • System security: system auditing

    The audit subsystem

    The audit subsystem provides a way to record security-relevant information about the system and to give the administrator timely warning when a user violates the system's security policy, or is in a position to. The information it collects includes the name of the auditable event, the event's outcome (success or failure) and other security-relevant data such as the identity of the process that caused it. Auditable events are generally defined at the system-call level: a rule says which syscalls, on which objects and by which subjects, get recorded.

    The audit package is installed by default. kauditd is the kernel thread that queues audit records, and /sbin/auditd is the userspace daemon that receives them over netlink and writes them to /var/log/audit/audit.log (the X server line below matches only because it happens to carry an -audit option):

    [root@localhost ~]# ps aux | grep audit
    root         99  0.0  0.0      0     0 ?        S    07:54   0:00 [kauditd]
    root        680  0.0  0.0  55508   876 ?        S<sl 07:54   0:00 /sbin/auditd
    root       1258  0.1  1.8 338396 34784 tty1     Ssl+ 07:54   0:07 /usr/bin/X :0 -background none -noreset -audit 4 -verbose -auth /run/gdm/auth-for-gdm-BYMFG9/database -seat seat0 -nolisten tcp vt1
    root       5058  0.0  0.0 112724   984 pts/2    S+   09:28   0:00 grep --color=auto audit
    [root@localhost ~]# ps aux | grep auditd
    root         99  0.0  0.0      0     0 ?        S    07:54   0:00 [kauditd]
    root        680  0.0  0.0  55508   876 ?        S<sl 07:54   0:00 /sbin/auditd
    [root@localhost ~]# 

    and the service is normally already running by default:

    [root@localhost ~]# service auditd status
    Redirecting to /bin/systemctl status auditd.service
    ● auditd.service - Security Auditing Service
       Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
       Active: active (running) since Tue 2018-11-20 10:24:54 CST; 6 days ago
         Docs: man:auditd(8)
               https://github.com/linux-audit/audit-documentation
      Process: 686 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
      Process: 673 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
     Main PID: 680 (auditd)
        Tasks: 5
       CGroup: /system.slice/auditd.service
               ├─680 /sbin/auditd
               ├─682 /sbin/audispd
               └─684 /usr/sbin/sedispatch
    
    Nov 20 10:24:54 localhost.localdomain augenrules[686]: lost 0
    Nov 20 10:24:54 localhost.localdomain augenrules[686]: backlog 0
    Nov 20 10:24:54 localhost.localdomain augenrules[686]: enabled 1
    Nov 20 10:24:54 localhost.localdomain augenrules[686]: failure 1
    Nov 20 10:24:54 localhost.localdomain augenrules[686]: pid 680
    Nov 20 10:24:54 localhost.localdomain augenrules[686]: rate_limit 0
    Nov 20 10:24:54 localhost.localdomain augenrules[686]: backlog_limit 8192
    Nov 20 10:24:54 localhost.localdomain augenrules[686]: lost 0
    Nov 20 10:24:54 localhost.localdomain augenrules[686]: backlog 1
    Nov 20 10:24:54 localhost.localdomain systemd[1]: Started Security Auditing Service.
    [root@localhost ~]# 

    Check the audit status. enabled 1 means auditing is on. failure 1 means the kernel logs a printk message when it cannot deliver a record (0 is silent, 2 panics the machine). backlog_limit is the size of the kernel's record queue and lost counts the records dropped when that queue overflowed, so a non-zero lost on a busy host means the rules are missing events:

    [root@localhost ~]# auditctl -s
    enabled 1
    failure 1
    pid 680
    rate_limit 0
    backlog_limit 8192
    lost 0
    backlog 0
    loginuid_immutable 0 unlocked
    [root@localhost ~]# 

    How to write audit rules is documented in the manual:

    [root@localhost ~]# man auditctl
    [root@localhost ~]# 

    Examples (from the EXAMPLES section of auditctl(8)):

    EXAMPLES
           To see all syscalls made by a specific program:
    
           auditctl -a always,exit -S all -F pid=1005
    
           To see files opened by a specific user:
    
           auditctl -a always,exit -S openat -F auid=510
    
           To see unsuccessful openat calls:
    
           auditctl -a always,exit -S openat -F success=0
    
           To watch a file for changes (2 ways to express):
    
           auditctl -w /etc/shadow -p wa
           auditctl -a always,exit -F path=/etc/shadow -F perm=wa
    
           To recursively watch a directory for changes (2 ways to express):
    
           auditctl -w /etc/ -p wa
           auditctl -a always,exit -F dir=/etc/ -F perm=wa
    
           To see if an admin is accessing other user's files:
    
           auditctl -a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid

    Now add a watch rule on /tmp tagged with the key TEST and confirm that it loaded:

    [root@localhost ~]# auditctl -w /tmp/ -p rwxa -k "TEST"
    [root@localhost ~]# auditctl -l
    -w /tmp -p rwxa -k TEST
    [root@localhost ~]# 

    -w /tmp/ sets a filesystem watch on the directory, -p rwxa selects which accesses are recorded (read, write, execute and attribute change) and -k TEST tags every matching record with a key so it can be pulled back out later with ausearch -k TEST.

    auditctl -l lists the loaded rules (it prints the normalized path /tmp, without the trailing slash).

    auditctl -D deletes all loaded rules.

    Rules added with auditctl last only until reboot. To make them persistent, put them in a file under /etc/audit/rules.d/ and load them with augenrules --load, which is exactly what the ExecStartPost line in the service status above does at startup.

    Open a second terminal and trigger the rule as an ordinary user:

    [root@localhost ~]# su user1
    [user1@localhost root]$ ls /tmp/
    passwd.des
    ssh-rmcshGoCa91Y
    systemd-private-dd46fe14386d4ab7afb92188413fd241-chronyd.service-RGcgLp
    systemd-private-dd46fe14386d4ab7afb92188413fd241-colord.service-wutL8A
    systemd-private-dd46fe14386d4ab7afb92188413fd241-cups.service-RT6X1Q
    systemd-private-dd46fe14386d4ab7afb92188413fd241-rtkit-daemon.service-SSh4Qs
    tracker-extract-files.1000
    user1.key
    vmware-root
    yum_save_tx.2018-11-13.14-35.1CMzyw.yumtx
    yum_save_tx.2018-11-15.11-01.WjmHL_.yumtx
    yum_save_tx.2018-11-19.16-33.Ivy05k.yumtx
    yum_save_tx.2018-11-20.09-33.OpWMe_.yumtx

    Switch back to the administrator terminal and query the audit log by key.

    [user1@localhost root]$ su root
    Password:
    [root@localhost ~]# ausearch -k "TEST"
    ----
    time->Tue Nov 27 09:33:09 2018
    type=CONFIG_CHANGE msg=audit(1543282389.729:278): auid=0 ses=13 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=add_rule key="TEST" list=4 res=1
    ----
    time->Tue Nov 27 09:34:53 2018
    type=PROCTITLE msg=audit(1543282493.461:285): proctitle="bash"
    type=PATH msg=audit(1543282493.461:285): item=1 name="/tmp/sh-thd-1543285867" inode=18339887 dev=fd:00 mode=0100600 ouid=1004 ogid=1004 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=PATH msg=audit(1543282493.461:285): item=0 name="/tmp/" inode=16777288 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=CWD msg=audit(1543282493.461:285):  cwd="/root"
    type=SYSCALL msg=audit(1543282493.461:285): arch=c000003e syscall=2 success=yes exit=3 a0=1506580 a1=2c1 a2=180 a3=7ffca7383fa0 items=2 ppid=5238 pid=5239 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
    ----
    time->Tue Nov 27 09:34:53 2018
    type=PROCTITLE msg=audit(1543282493.461:286): proctitle="bash"
    type=PATH msg=audit(1543282493.461:286): item=0 name="/tmp/sh-thd-1543285867" inode=18339887 dev=fd:00 mode=0100600 ouid=1004 ogid=1004 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=CWD msg=audit(1543282493.461:286):  cwd="/root"
    type=SYSCALL msg=audit(1543282493.461:286): arch=c000003e syscall=2 success=yes exit=4 a0=1506580 a1=0 a2=180 a3=7ffca7383fe0 items=1 ppid=5238 pid=5239 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
    ----
    time->Tue Nov 27 09:34:53 2018
    type=PROCTITLE msg=audit(1543282493.461:287): proctitle="bash"
    type=PATH msg=audit(1543282493.461:287): item=1 name="/tmp/sh-thd-1543285867" inode=18339887 dev=fd:00 mode=0100600 ouid=1004 ogid=1004 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=PATH msg=audit(1543282493.461:287): item=0 name="/tmp/" inode=16777288 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=CWD msg=audit(1543282493.461:287):  cwd="/root"
    type=SYSCALL msg=audit(1543282493.461:287): arch=c000003e syscall=87 success=yes exit=0 a0=1506580 a1=0 a2=180 a3=7ffca7383fe0 items=2 ppid=5238 pid=5239 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
    ----
    time->Tue Nov 27 09:34:53 2018
    type=PROCTITLE msg=audit(1543282493.462:288): proctitle="bash"
    type=PATH msg=audit(1543282493.462:288): item=1 name="/tmp/sh-thd-3959805905" inode=18339887 dev=fd:00 mode=0100600 ouid=1004 ogid=1004 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=PATH msg=audit(1543282493.462:288): item=0 name="/tmp/" inode=16777288 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=CWD msg=audit(1543282493.462:288):  cwd="/root"
    type=SYSCALL msg=audit(1543282493.462:288): arch=c000003e syscall=2 success=yes exit=3 a0=1506580 a1=2c1 a2=180 a3=63 items=2 ppid=5238 pid=5239 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
    ----
    time->Tue Nov 27 09:34:53 2018
    type=PROCTITLE msg=audit(1543282493.462:289): proctitle="bash"
    type=PATH msg=audit(1543282493.462:289): item=0 name="/tmp/sh-thd-3959805905" inode=18339887 dev=fd:00 mode=0100600 ouid=1004 ogid=1004 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=CWD msg=audit(1543282493.462:289):  cwd="/root"
    type=SYSCALL msg=audit(1543282493.462:289): arch=c000003e syscall=2 success=yes exit=4 a0=1506580 a1=0 a2=180 a3=ffffffff items=1 ppid=5238 pid=5239 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
    ----
    time->Tue Nov 27 09:34:53 2018
    type=PROCTITLE msg=audit(1543282493.462:290): proctitle="bash"
    type=PATH msg=audit(1543282493.462:290): item=1 name="/tmp/sh-thd-3959805905" inode=18339887 dev=fd:00 mode=0100600 ouid=1004 ogid=1004 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=PATH msg=audit(1543282493.462:290): item=0 name="/tmp/" inode=16777288 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=CWD msg=audit(1543282493.462:290):  cwd="/root"
    type=SYSCALL msg=audit(1543282493.462:290): arch=c000003e syscall=87 success=yes exit=0 a0=1506580 a1=0 a2=180 a3=ffffffff items=2 ppid=5238 pid=5239 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
    ----
    time->Tue Nov 27 09:34:56 2018
    type=PROCTITLE msg=audit(1543282496.004:292): proctitle=6C73002D2D636F6C6F723D6175746F002F746D702F
    type=PATH msg=audit(1543282496.004:292): item=0 name="/tmp/yum_save_tx.2018-11-20.09-33.OpWMe_.yumtx" inode=17303205 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=CWD msg=audit(1543282496.004:292):  cwd="/root"
    type=SYSCALL msg=audit(1543282496.004:292): arch=c000003e syscall=191 success=no exit=-61 a0=7ffda47ba760 a1=7f199012d114 a2=7ffda47ba720 a3=14 items=1 ppid=5239 pid=5289 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
    ----
    time->Tue Nov 27 09:34:56 2018
    type=PROCTITLE msg=audit(1543282496.006:293): proctitle=6C73002D2D636F6C6F723D6175746F002F746D702F
    type=PATH msg=audit(1543282496.006:293): item=0 name="/tmp/yum_save_tx.2018-11-13.14-35.1CMzyw.yumtx" inode=17406228 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=CWD msg=audit(1543282496.006:293):  cwd="/root"
    type=SYSCALL msg=audit(1543282496.006:293): arch=c000003e syscall=191 success=no exit=-61 a0=7ffda47ba760 a1=7f199012d114 a2=7ffda47ba720 a3=14 items=1 ppid=5239 pid=5289 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
    ----
    time->Tue Nov 27 09:34:56 2018
    type=PROCTITLE msg=audit(1543282496.007:294): proctitle=6C73002D2D636F6C6F723D6175746F002F746D702F
    type=PATH msg=audit(1543282496.007:294): item=0 name="/tmp/yum_save_tx.2018-11-15.11-01.WjmHL_.yumtx" inode=18340303 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=CWD msg=audit(1543282496.007:294):  cwd="/root"
    type=SYSCALL msg=audit(1543282496.007:294): arch=c000003e syscall=191 success=no exit=-61 a0=7ffda47ba760 a1=7f199012d114 a2=7ffda47ba720 a3=14 items=1 ppid=5239 pid=5289 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
    ----
    time->Tue Nov 27 09:34:56 2018
    type=PROCTITLE msg=audit(1543282496.007:295): proctitle=6C73002D2D636F6C6F723D6175746F002F746D702F
    type=PATH msg=audit(1543282496.007:295): item=0 name="/tmp/passwd.des" inode=16789654 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=CWD msg=audit(1543282496.007:295):  cwd="/root"
    type=SYSCALL msg=audit(1543282496.007:295): arch=c000003e syscall=191 success=no exit=-61 a0=7ffda47ba780 a1=7f199012d114 a2=7ffda47ba740 a3=14 items=1 ppid=5239 pid=5289 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
    ----
    time->Tue Nov 27 09:34:56 2018
    type=PROCTITLE msg=audit(1543282496.007:296): proctitle=6C73002D2D636F6C6F723D6175746F002F746D702F
    type=PATH msg=audit(1543282496.007:296): item=0 name="/tmp/user1.key" inode=18340335 dev=fd:00 mode=0100664 ouid=1004 ogid=1004 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=CWD msg=audit(1543282496.007:296):  cwd="/root"
    type=SYSCALL msg=audit(1543282496.007:296): arch=c000003e syscall=191 success=no exit=-61 a0=7ffda47ba780 a1=7f199012d114 a2=7ffda47ba740 a3=14 items=1 ppid=5239 pid=5289 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
    ----
    time->Tue Nov 27 09:34:56 2018
    type=PROCTITLE msg=audit(1543282496.007:297): proctitle=6C73002D2D636F6C6F723D6175746F002F746D702F
    type=PATH msg=audit(1543282496.007:297): item=0 name="/tmp/yum_save_tx.2018-11-19.16-33.Ivy05k.yumtx" inode=18340309 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=CWD msg=audit(1543282496.007:297):  cwd="/root"
    type=SYSCALL msg=audit(1543282496.007:297): arch=c000003e syscall=191 success=no exit=-61 a0=7ffda47ba760 a1=7f199012d114 a2=7ffda47ba720 a3=14 items=1 ppid=5239 pid=5289 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
    ----
    time->Tue Nov 27 09:34:56 2018
    type=PROCTITLE msg=audit(1543282496.002:291): proctitle=6C73002D2D636F6C6F723D6175746F002F746D702F
    type=PATH msg=audit(1543282496.002:291): item=0 name="/tmp/" inode=16777288 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
    type=CWD msg=audit(1543282496.002:291):  cwd="/root"
    type=SYSCALL msg=audit(1543282496.002:291): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=10125b0 a2=90800 a3=0 items=1 ppid=5239 pid=5289 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
    [root@localhost ~]# 

    Reading these records: all lines that share one msg=audit(timestamp:serial) id belong to the same event. SYSCALL carries the identity of the caller (auid, uid, euid and the rest), the raw syscall number for the recorded arch (c000003e is x86_64, where 2 is open, 87 is unlink, 191 is getxattr and 257 is openat) and the return value; PATH lists the files the call touched, with objtype=PARENT for the containing directory; PROCTITLE holds the command line, hex-encoded whenever it contains spaces or NUL bytes (the ls records decode to ls --color=auto /tmp/). ausearch -i prints all of these fields interpreted. Two things in this output deserve a second look. The getxattr calls that fail with exit=-61 (ENODATA) are ls --color probing each entry for a security.capability attribute, not anything hostile, and the sh-thd-* files are bash's here-document temporaries (created with O_CREAT|O_EXCL, reopened, then unlinked) from the user1 shell's startup. More importantly, every record shows auid=0 next to uid=1004: the session was opened as root and then dropped to user1 with su, and auid keeps the login identity across su, which is exactly the property the rules below rely on.

    The following two commands have the same effect:

    [root@localhost ~]# auditctl -w /tmp/ -p rwxa
    [root@localhost ~]# auditctl -a exit,always -F dir=/tmp -F perm=rwxa

    -a exit,always: exit is the filter list (the rule is evaluated when the syscall returns, so the outcome is known; this is the list normally used, the others being task, user and exclude) and always is the action (always generate a record; the alternative is never). auditctl accepts the list and the action in either order, so always,exit in the man page and exit,always here mean the same thing.

    -F adds a rule field: a comparison on a record field such as uid, auid, euid, pid, path, dir, perm or success.

    auid is the login UID: pam_loginuid sets it when the session is opened and it is carried unchanged across su and sudo. auid!=0 together with uid=0 therefore means that someone logged in as a non-root account and is now running as root. This is how root activity gets attributed to the person who actually logged in, and on a host where nobody should be elevating it is a warning sign. Two practical caveats: daemons that never went through a login have auid=4294967295 (unset), which also satisfies auid!=0, so add -F auid!=4294967295 (newer auditctl also accepts -F auid!=unset); and a rule without -S matches every syscall, so restrict it to the calls you care about, for example -S execve.

    auditctl -a exit,always -F auid!=0 -F uid=0

    uid!=0 together with euid=0 means the real user is not root but the process is running with root's effective privileges, which is what happens when a setuid-root binary such as su, sudo or passwd is executed. That is the normal privilege-escalation path, so it is worth recording, and an unfamiliar exe in these records is a red flag.

    auditctl -a exit,always -F uid!=0 -F euid=0

    In practice /tmp and /etc are the directories most commonly audited: /etc holds the system's configuration and credential files, and /tmp is world-writable, so attackers routinely stage tools and exploits there while escalating privileges.
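The following is an added example, not code from the original post: a small Python parser for ausearch output that groups records by audit serial, decodes the hex proctitle, names the x86_64 syscall and errno, and applies the two auid/uid/euid conditions that the rules above express. Its SAMPLE input takes two events from the ausearch output earlier on this page (serials 291 and 292) and adds constructed events (serials 400 and 401) that imitate user1 running sudo cat /etc/shadow, since the page's own output contains no elevation. The syscall and errno tables cover only the numbers that appear here, and the exclusion of auid=4294967295 is a deliberate tightening of the bare auditctl rule.

```python
"""Parse ausearch output and flag auid/uid/euid privilege transitions.
Added example for this post, not code from the original. SAMPLE holds two events
copied from the page's ausearch output (serials 291, 292) plus two constructed
events (serials 400, 401) that imitate "sudo cat /etc/shadow"."""
import re
from collections import defaultdict

# x86_64 (arch=c000003e) numbers for the syscalls seen in this post, plus execve.
X86_64_SYSCALLS = {2: "open", 59: "execve", 87: "unlink", 191: "getxattr", 257: "openat"}
ERRNO = {1: "EPERM", 2: "ENOENT", 13: "EACCES", 61: "ENODATA"}
AUID_UNSET = 4294967295  # auid of processes that never passed through a login (daemons)
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")

def parse_line(line):
    """Return (serial, record type, fields) for one 'type=... msg=audit(...)' line;
    the 'time->' headers and '----' separators printed by ausearch give None."""
    line = line.strip()
    m = MSG_RE.search(line)
    if not line.startswith("type=") or not m:
        return None
    fields = {}
    for key, raw in FIELD_RE.findall(line):
        if raw.startswith('"'):
            fields[key] = raw[1:-1]
        elif key == "proctitle":  # unquoted proctitle is hex: argv joined by NUL bytes
            fields[key] = bytes.fromhex(raw).decode("utf-8", "replace").replace("\x00", " ")
        else:
            fields[key] = raw
    return int(m.group(2)), fields["type"], fields

def group_events(text):
    """Group records by audit serial: {serial: {record_type: [fields, ...]}}."""
    events = defaultdict(lambda: defaultdict(list))
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed:
            serial, rtype, fields = parsed
            events[serial][rtype].append(fields)
    return events

def privilege_flags(sc):
    """The two conditions the post audits with -F auid!=0 -F uid=0 and -F uid!=0 -F euid=0.
    Unset auid (daemons) is excluded here, which the bare auditctl rule does not do."""
    auid, uid, euid = int(sc["auid"]), int(sc["uid"]), int(sc["euid"])
    flags = []
    if auid not in (0, AUID_UNSET) and uid == 0:
        flags.append("non-root login running as root (su/sudo)")
    if uid != 0 and euid == 0:
        flags.append("setuid-root execution (uid != 0, euid == 0)")
    return flags

def summarize(events):
    """One dict per event that carries a SYSCALL record, in serial order."""
    rows = []
    for serial in sorted(events):
        recs = events[serial]
        if "SYSCALL" not in recs:
            continue
        sc = recs["SYSCALL"][0]
        num, rc = int(sc["syscall"]), int(sc["exit"])
        x86_64 = sc.get("arch") == "c000003e"
        rows.append({
            "serial": serial,
            "syscall": X86_64_SYSCALLS.get(num, f"syscall#{num}") if x86_64 else f"syscall#{num}",
            "result": "success" if sc["success"] == "yes" else ERRNO.get(-rc, f"errno {-rc}"),
            "comm": sc.get("comm"),
            "cmdline": recs["PROCTITLE"][0]["proctitle"] if "PROCTITLE" in recs else None,
            "paths": [p["name"] for p in recs.get("PATH", []) if p.get("objtype") != "PARENT"],
            "auid": int(sc["auid"]), "uid": int(sc["uid"]), "euid": int(sc["euid"]),
            "flags": privilege_flags(sc),
        })
    return rows

SAMPLE = """\
----
time->Tue Nov 27 09:34:56 2018
type=PROCTITLE msg=audit(1543282496.002:291): proctitle=6C73002D2D636F6C6F723D6175746F002F746D702F
type=PATH msg=audit(1543282496.002:291): item=0 name="/tmp/" inode=16777288 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1543282496.002:291):  cwd="/root"
type=SYSCALL msg=audit(1543282496.002:291): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=10125b0 a2=90800 a3=0 items=1 ppid=5239 pid=5289 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
type=PROCTITLE msg=audit(1543282496.004:292): proctitle=6C73002D2D636F6C6F723D6175746F002F746D702F
type=PATH msg=audit(1543282496.004:292): item=0 name="/tmp/yum_save_tx.2018-11-20.09-33.OpWMe_.yumtx" inode=17303205 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=SYSCALL msg=audit(1543282496.004:292): arch=c000003e syscall=191 success=no exit=-61 a0=7ffda47ba760 a1=7f199012d114 a2=7ffda47ba720 a3=14 items=1 ppid=5239 pid=5289 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
# constructed: user1 (auid=1004) execs the setuid-root sudo binary, so euid is already 0
type=SYSCALL msg=audit(1543290000.100:400): arch=c000003e syscall=59 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=2 ppid=6000 pid=6001 auid=1004 uid=1004 gid=1004 euid=0 suid=0 fsuid=0 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=14 comm="sudo" exe="/usr/bin/sudo" key="PRIV"
type=PROCTITLE msg=audit(1543290000.100:400): proctitle=7375646F00636174002F6574632F736861646F77
# constructed: the child runs fully as root while auid still records the login user
type=PATH msg=audit(1543290000.250:401): item=0 name="/etc/shadow" inode=4242 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=SYSCALL msg=audit(1543290000.250:401): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=7ffd0 a2=0 a3=0 items=1 ppid=6001 pid=6002 auid=1004 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 ses=14 comm="cat" exe="/usr/bin/cat" key="PRIV"
"""

if __name__ == "__main__":
    for row in summarize(group_events(SAMPLE)):
        print(row["serial"], row["comm"], row["syscall"], row["result"], row["paths"], row["flags"])
```

Feed it real data by piping `ausearch -k TEST` output or lines from /var/log/audit/audit.log into group_events; the parser ignores the time-> headers and ---- separators that ausearch adds, so both formats work. On the page's own events it reports no flags, because auid=0 there; the constructed sudo pair shows the two rules firing on consecutive records of one elevation, first the setuid exec of sudo, then the root child whose auid still says 1004.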

    aureport produces summaries of the audit log: aureport -l lists login events; other useful reports are aureport -au (authentication attempts), aureport -k (hits per rule key), aureport -f (files) and aureport -x (executables), and adding --summary to any of them collapses the list into counts.

  • Original source: https://www.cnblogs.com/52-qq/p/10024588.html