Linux audit: the auditing tool

On CentOS systems, audit is installed by default.

Check the status:

[root@ecs-proxy ~]# service auditd status

[root@ecs-proxy ~]# auditctl -s

List the rules:

[root@ecs-proxy ~]# auditctl -l

Delete all rules:

[root@ecs-proxy ~]# auditctl -D

Show the help:

[root@ecs-proxy ~]# auditctl -h

usage: auditctl [options]
    -a <l,a>            Append rule to end of <l>ist with <a>ction
    -A <l,a>            Add rule at beginning of <l>ist with <a>ction
    -b <backlog>        Set max number of outstanding audit buffers
                        allowed Default=64
    -c                  Continue through errors in rules
    -C f=f              Compare collected fields if available:
                        Field name, operator(=,!=), field name
    -d <l,a>            Delete rule from <l>ist with <a>ction
                        l=task,exit,user,exclude
                        a=never,always
    -D                  Delete all rules and watches
    -e [0..2]           Set enabled flag
    -f [0..2]           Set failure flag
                        0=silent 1=printk 2=panic
    -F f=v              Build rule: field name, operator(=,!=,<,>,<=,
                        >=,&,&=) value
    -h                  Help
    -i                  Ignore errors when reading rules from file
    -k <key>            Set filter key on audit rule
    -l                  List rules
    -m text             Send a user-space message
    -p [r|w|x|a]        Set permissions filter on watch
                        r=read, w=write, x=execute, a=attribute
    -q <mount,subtree>  make subtree part of mount point's dir watches
    -r <rate>           Set limit in messages/sec (0=none)
    -R <file>           read rules from file
    -s                  Report status
    -S syscall          Build rule: syscall name or number
    -t                  Trim directory watches
    -v                  Version
    -w <path>           Insert watch at <path>
    -W <path>           Remove watch at <path>
    --loginuid-immutable  Make loginuids unchangeable once set
    --reset-lost         Reset the lost record counter

Example of defining a temporary watch rule (it does not survive a reboot):

auditctl -w /path/to/file -p <permissions that trigger> -k <rule name>

[root@ecs-proxy ~]# auditctl -w /etc/passwd -p wa -k passwd_changes

[root@ecs-proxy ~]# auditctl -l
-w /etc/passwd -p wa -k passwd_changes

-w path : the path to watch
-p : the access permissions on the file/directory that trigger an audit record
-k : a name (key) for this watch rule, which makes searching and filtering easier
rwxa : the trigger conditions; r = read, w = write, x = execute, a = attribute (attr) change

A permanent definition requires editing the rules file, for example:

[root@ecs-proxy ~]# vim /etc/audit/rules.d/audit.rules 

-w /etc/passwd -p wa -k passwd_changes
-w /usr/sbin/fdisk -p x -k partition_disks

Restart the service after editing.

Reading the log:

# type: the record type
# msg: audit(time_stamp:ID); the timestamp is in date +%s form (seconds since 1970-01-01)
# arch=c000003e: the architecture, here x86_64 (hexadecimal)
# success=yes/no: whether the event succeeded
# a0-a3: the first four arguments passed to the syscall, hex encoded
# ppid: parent process ID (e.g. bash); pid: process ID (e.g. the cat command)
# auid: the audit user ID; after su - test it still tracks the account used before the su
# uid, gid: user and group
# tty: the terminal the command was run from
# comm="cat"           the command the user typed on the command line
# exe="/bin/cat"       the actual path of the program
# key="sshd_config"    the policy key defined by the administrator
# type=CWD             records the current working directory
# cwd="/home/username"
# type=PATH
# ouid (owner's user id)     the object owner's user ID
# ogid (owner's group id)    the object owner's group ID

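The field walk-through above is easier to apply with a small parser. The following Python is an added example written for this page (it is not code from the original post or from the audit project): it groups the SYSCALL, CWD and PATH records of one event by their serial, converts the epoch timestamp, and flags records where auid differs from uid, which is the "auid survives su" point made above. The log records are constructed samples, not captured output.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample records in raw auditd format (not captured from a real host).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.123:4567): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d2c0 a2=80000 a3=0 ppid=2001 pid=2045 auid=1000 uid=0 gid=0 tty=pts0 comm="cat" exe="/bin/cat" key="passwd_changes"
type=CWD msg=audit(1700000000.123:4567): cwd="/root"
type=PATH msg=audit(1700000000.123:4567): item=0 name="/etc/passwd" inode=1234 ouid=0 ogid=0
"""
# Every record opens with type=... msg=audit(<epoch>.<ms>:<serial>): followed by key=value pairs.
HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')  # quoted values may contain spaces
UNSET_AUID = "4294967295"  # loginuid never set (e.g. daemons): -1 printed as unsigned 32-bit

def parse_record(line):
    """Split one raw audit line into (type, epoch, serial, fields); None if malformed."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rtype, secs, msecs, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
    return rtype, float(f"{secs}.{msecs}"), int(serial), fields

def group_events(text):
    """Group SYSCALL/CWD/PATH records that share one serial into a single event."""
    events = defaultdict(lambda: {"time": None, "records": defaultdict(list)})
    for rtype, epoch, serial, fields in filter(None, map(parse_record, text.splitlines())):
        events[serial]["time"] = epoch
        events[serial]["records"][rtype].append(fields)
    return events

def summarize(text):
    """One summary per event: who ran what, on which path, under which -k key."""
    out = []
    for serial, ev in sorted(group_events(text).items()):
        sc = (ev["records"]["SYSCALL"] or [{}])[0]
        auid, uid = sc.get("auid"), sc.get("uid")
        out.append({
            "serial": serial, "key": sc.get("key"),
            "time": datetime.fromtimestamp(ev["time"], tz=timezone.utc).isoformat(),
            "success": sc.get("success") == "yes",
            "auid": auid, "uid": uid,
            # auid survives su, so auid != uid means the action came through a switched account
            "switched_user": auid not in (None, UNSET_AUID, uid),
            "comm": sc.get("comm"), "exe": sc.get("exe"),
            "cwd": (ev["records"]["CWD"] or [{}])[0].get("cwd"),
            "paths": [p["name"] for p in ev["records"]["PATH"] if "name" in p],
        })
    return out
```

Running summarize() over a real /var/log/audit/audit.log gives the same per-event view that ausearch -k prints, with the user switch already marked.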

Searching for specific records with ausearch

Search by file name:

[root@ecs-proxy ~]# ausearch -f /etc/passwd

Search by policy key:

[root@ecs-proxy ~]# ausearch -k passwd_changes

Generating a summary report with aureport

[root@ecs-proxy ~]# aureport
