The audit subsystem provides a way to record security-related information about the system and, at the same time, to give the system administrator a timely warning when a user violates the system's security policy or when such a violation may be about to happen. The information the audit subsystem collects includes the name of the auditable event, the event status (success or failure), and other security-related details. Auditable events are generally defined at the system-call level.

The audit package is installed by default:
```
[root@localhost ~]# ps aux | grep audit
root        99  0.0  0.0      0     0 ?        S    07:54   0:00 [kauditd]
root       680  0.0  0.0  55508   876 ?        S<sl 07:54   0:00 /sbin/auditd
root      1258  0.1  1.8 338396 34784 tty1     Ssl+ 07:54   0:07 /usr/bin/X :0 -background none -noreset -audit 4 -verbose -auth /run/gdm/auth-for-gdm-BYMFG9/database -seat seat0 -nolisten tcp vt1
root      5058  0.0  0.0 112724   984 pts/2    S+   09:28   0:00 grep --color=auto audit
[root@localhost ~]# ^C
[root@localhost ~]# ps aux | grep auditd
root        99  0.0  0.0      0     0 ?        S    07:54   0:00 [kauditd]
root       680  0.0  0.0  55508   876 ?        S<sl 07:54   0:00 /sbin/auditd
[root@localhost ~]#
```
And the service is normally already running by default:
```
[root@localhost ~]# service auditd status
Redirecting to /bin/systemctl status auditd.service
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since 二 2018-11-20 10:24:54 CST; 6 days ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 686 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Process: 673 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
 Main PID: 680 (auditd)
    Tasks: 5
   CGroup: /system.slice/auditd.service
           ├─680 /sbin/auditd
           ├─682 /sbin/audispd
           └─684 /usr/sbin/sedispatch

11月 20 10:24:54 localhost.localdomain augenrules[686]: lost 0
11月 20 10:24:54 localhost.localdomain augenrules[686]: backlog 0
11月 20 10:24:54 localhost.localdomain augenrules[686]: enabled 1
11月 20 10:24:54 localhost.localdomain augenrules[686]: failure 1
11月 20 10:24:54 localhost.localdomain augenrules[686]: pid 680
11月 20 10:24:54 localhost.localdomain augenrules[686]: rate_limit 0
11月 20 10:24:54 localhost.localdomain augenrules[686]: backlog_limit 8192
11月 20 10:24:54 localhost.localdomain augenrules[686]: lost 0
11月 20 10:24:54 localhost.localdomain augenrules[686]: backlog 1
11月 20 10:24:54 localhost.localdomain systemd[1]: Started Security Auditing Service.
[root@localhost ~]#
```
Check the audit status; enabled 1 means auditing is switched on:
```
[root@localhost ~]# auditctl -s
enabled 1
failure 1
pid 680
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
loginuid_immutable 0 unlocked
[root@localhost ~]#
```
How to configure audit rules is described in the manual page:
```
[root@localhost ~]# man auditctl
[root@localhost ~]#
```
An example (the EXAMPLES section of the man page):
```
EXAMPLES
       To see all syscalls made by a specific program:
       auditctl -a always,exit -S all -F pid=1005

       To see files opened by a specific user:
       auditctl -a always,exit -S openat -F auid=510

       To see unsuccessful openat calls:
       auditctl -a always,exit -S openat -F success=0

       To watch a file for changes (2 ways to express):
       auditctl -w /etc/shadow -p wa
       auditctl -a always,exit -F path=/etc/shadow -F perm=wa

       To recursively watch a directory for changes (2 ways to express):
       auditctl -w /etc/ -p wa
       auditctl -a always,exit -F dir=/etc/ -F perm=wa

       To see if an admin is accessing other user's files:
       auditctl -a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid
```
```
[root@localhost ~]# auditctl -w /tmp/ -p rwxa -k "TEST"
[root@localhost ~]# auditctl -l
-w /tmp -p rwxa -k TEST
[root@localhost ~]#
```
auditctl -l lists all current rules.

auditctl -D deletes (clears) all rules.

Open a new terminal and run a test as an ordinary user:
```
[root@localhost ~]# su user1
[user1@localhost root]$ ls /tmp/
passwd.des
ssh-rmcshGoCa91Y
systemd-private-dd46fe14386d4ab7afb92188413fd241-chronyd.service-RGcgLp
systemd-private-dd46fe14386d4ab7afb92188413fd241-colord.service-wutL8A
systemd-private-dd46fe14386d4ab7afb92188413fd241-cups.service-RT6X1Q
systemd-private-dd46fe14386d4ab7afb92188413fd241-rtkit-daemon.service-SSh4Qs
tracker-extract-files.1000
user1.key
vmware-root
yum_save_tx.2018-11-13.14-35.1CMzyw.yumtx
yum_save_tx.2018-11-15.11-01.WjmHL_.yumtx
yum_save_tx.2018-11-19.16-33.Ivy05k.yumtx
yum_save_tx.2018-11-20.09-33.OpWMe_.yumtx
```
Switch back to the administrator terminal and view the audit records for the key:
```
[user1@localhost root]$ su root
密碼:
[root@localhost ~]# ausearch -k "TEST"
----
time->Tue Nov 27 09:33:09 2018
type=CONFIG_CHANGE msg=audit(1543282389.729:278): auid=0 ses=13 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=add_rule key="TEST" list=4 res=1
----
time->Tue Nov 27 09:34:53 2018
type=PROCTITLE msg=audit(1543282493.461:285): proctitle="bash"
type=PATH msg=audit(1543282493.461:285): item=1 name="/tmp/sh-thd-1543285867" inode=18339887 dev=fd:00 mode=0100600 ouid=1004 ogid=1004 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1543282493.461:285): item=0 name="/tmp/" inode=16777288 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1543282493.461:285): cwd="/root"
type=SYSCALL msg=audit(1543282493.461:285): arch=c000003e syscall=2 success=yes exit=3 a0=1506580 a1=2c1 a2=180 a3=7ffca7383fa0 items=2 ppid=5238 pid=5239 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
----
time->Tue Nov 27 09:34:53 2018
type=PROCTITLE msg=audit(1543282493.461:286): proctitle="bash"
type=PATH msg=audit(1543282493.461:286): item=0 name="/tmp/sh-thd-1543285867" inode=18339887 dev=fd:00 mode=0100600 ouid=1004 ogid=1004 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1543282493.461:286): cwd="/root"
type=SYSCALL msg=audit(1543282493.461:286): arch=c000003e syscall=2 success=yes exit=4 a0=1506580 a1=0 a2=180 a3=7ffca7383fe0 items=1 ppid=5238 pid=5239 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
----
time->Tue Nov 27 09:34:53 2018
type=PROCTITLE msg=audit(1543282493.461:287): proctitle="bash"
type=PATH msg=audit(1543282493.461:287): item=1 name="/tmp/sh-thd-1543285867" inode=18339887 dev=fd:00 mode=0100600 ouid=1004 ogid=1004 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1543282493.461:287): item=0 name="/tmp/" inode=16777288 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1543282493.461:287): cwd="/root"
type=SYSCALL msg=audit(1543282493.461:287): arch=c000003e syscall=87 success=yes exit=0 a0=1506580 a1=0 a2=180 a3=7ffca7383fe0 items=2 ppid=5238 pid=5239 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
----
time->Tue Nov 27 09:34:53 2018
type=PROCTITLE msg=audit(1543282493.462:288): proctitle="bash"
type=PATH msg=audit(1543282493.462:288): item=1 name="/tmp/sh-thd-3959805905" inode=18339887 dev=fd:00 mode=0100600 ouid=1004 ogid=1004 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1543282493.462:288): item=0 name="/tmp/" inode=16777288 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1543282493.462:288): cwd="/root"
type=SYSCALL msg=audit(1543282493.462:288): arch=c000003e syscall=2 success=yes exit=3 a0=1506580 a1=2c1 a2=180 a3=63 items=2 ppid=5238 pid=5239 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
----
time->Tue Nov 27 09:34:53 2018
type=PROCTITLE msg=audit(1543282493.462:289): proctitle="bash"
type=PATH msg=audit(1543282493.462:289): item=0 name="/tmp/sh-thd-3959805905" inode=18339887 dev=fd:00 mode=0100600 ouid=1004 ogid=1004 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1543282493.462:289): cwd="/root"
type=SYSCALL msg=audit(1543282493.462:289): arch=c000003e syscall=2 success=yes exit=4 a0=1506580 a1=0 a2=180 a3=ffffffff items=1 ppid=5238 pid=5239 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
----
time->Tue Nov 27 09:34:53 2018
type=PROCTITLE msg=audit(1543282493.462:290): proctitle="bash"
type=PATH msg=audit(1543282493.462:290): item=1 name="/tmp/sh-thd-3959805905" inode=18339887 dev=fd:00 mode=0100600 ouid=1004 ogid=1004 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1543282493.462:290): item=0 name="/tmp/" inode=16777288 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1543282493.462:290): cwd="/root"
type=SYSCALL msg=audit(1543282493.462:290): arch=c000003e syscall=87 success=yes exit=0 a0=1506580 a1=0 a2=180 a3=ffffffff items=2 ppid=5238 pid=5239 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
----
time->Tue Nov 27 09:34:56 2018
type=PROCTITLE msg=audit(1543282496.004:292): proctitle=6C73002D2D636F6C6F723D6175746F002F746D702F
type=PATH msg=audit(1543282496.004:292): item=0 name="/tmp/yum_save_tx.2018-11-20.09-33.OpWMe_.yumtx" inode=17303205 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1543282496.004:292): cwd="/root"
type=SYSCALL msg=audit(1543282496.004:292): arch=c000003e syscall=191 success=no exit=-61 a0=7ffda47ba760 a1=7f199012d114 a2=7ffda47ba720 a3=14 items=1 ppid=5239 pid=5289 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
----
time->Tue Nov 27 09:34:56 2018
type=PROCTITLE msg=audit(1543282496.006:293): proctitle=6C73002D2D636F6C6F723D6175746F002F746D702F
type=PATH msg=audit(1543282496.006:293): item=0 name="/tmp/yum_save_tx.2018-11-13.14-35.1CMzyw.yumtx" inode=17406228 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1543282496.006:293): cwd="/root"
type=SYSCALL msg=audit(1543282496.006:293): arch=c000003e syscall=191 success=no exit=-61 a0=7ffda47ba760 a1=7f199012d114 a2=7ffda47ba720 a3=14 items=1 ppid=5239 pid=5289 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
----
time->Tue Nov 27 09:34:56 2018
type=PROCTITLE msg=audit(1543282496.007:294): proctitle=6C73002D2D636F6C6F723D6175746F002F746D702F
type=PATH msg=audit(1543282496.007:294): item=0 name="/tmp/yum_save_tx.2018-11-15.11-01.WjmHL_.yumtx" inode=18340303 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1543282496.007:294): cwd="/root"
type=SYSCALL msg=audit(1543282496.007:294): arch=c000003e syscall=191 success=no exit=-61 a0=7ffda47ba760 a1=7f199012d114 a2=7ffda47ba720 a3=14 items=1 ppid=5239 pid=5289 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
----
time->Tue Nov 27 09:34:56 2018
type=PROCTITLE msg=audit(1543282496.007:295): proctitle=6C73002D2D636F6C6F723D6175746F002F746D702F
type=PATH msg=audit(1543282496.007:295): item=0 name="/tmp/passwd.des" inode=16789654 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1543282496.007:295): cwd="/root"
type=SYSCALL msg=audit(1543282496.007:295): arch=c000003e syscall=191 success=no exit=-61 a0=7ffda47ba780 a1=7f199012d114 a2=7ffda47ba740 a3=14 items=1 ppid=5239 pid=5289 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
----
time->Tue Nov 27 09:34:56 2018
type=PROCTITLE msg=audit(1543282496.007:296): proctitle=6C73002D2D636F6C6F723D6175746F002F746D702F
type=PATH msg=audit(1543282496.007:296): item=0 name="/tmp/user1.key" inode=18340335 dev=fd:00 mode=0100664 ouid=1004 ogid=1004 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1543282496.007:296): cwd="/root"
type=SYSCALL msg=audit(1543282496.007:296): arch=c000003e syscall=191 success=no exit=-61 a0=7ffda47ba780 a1=7f199012d114 a2=7ffda47ba740 a3=14 items=1 ppid=5239 pid=5289 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
----
time->Tue Nov 27 09:34:56 2018
type=PROCTITLE msg=audit(1543282496.007:297): proctitle=6C73002D2D636F6C6F723D6175746F002F746D702F
type=PATH msg=audit(1543282496.007:297): item=0 name="/tmp/yum_save_tx.2018-11-19.16-33.Ivy05k.yumtx" inode=18340309 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1543282496.007:297): cwd="/root"
type=SYSCALL msg=audit(1543282496.007:297): arch=c000003e syscall=191 success=no exit=-61 a0=7ffda47ba760 a1=7f199012d114 a2=7ffda47ba720 a3=14 items=1 ppid=5239 pid=5289 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
----
time->Tue Nov 27 09:34:56 2018
type=PROCTITLE msg=audit(1543282496.002:291): proctitle=6C73002D2D636F6C6F723D6175746F002F746D702F
type=PATH msg=audit(1543282496.002:291): item=0 name="/tmp/" inode=16777288 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1543282496.002:291): cwd="/root"
type=SYSCALL msg=audit(1543282496.002:291): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=10125b0 a2=90800 a3=0 items=1 ppid=5239 pid=5289 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
[root@localhost ~]#
```
The following two commands have the same effect:
```
[root@localhost ~]# auditctl -w /tmp/ -p rwxa
[root@localhost ~]# auditctl -a exit,always -F dir=/tmp -F perm=rwxa
```
-a exit,always: exit means the audit record is written when the system call has completed (the list normally used); always means the event is always recorded.

-F specifies a rule field.

auid is the original login ID. An auid other than 0 together with a uid of 0 means the user logged in to the system as a non-root account but has become root when performing the operation, which is a dangerous behaviour:
```
auditctl -a exit,always -F auid!=0 -F uid=0
```
A uid other than 0 together with an euid of 0 means the executing user is a non-root user, but the operation is carried out with root's identity; this is a privilege-escalating operation and a dangerous behaviour:
```
auditctl -a exit,always -F uid!=0 -F euid=0
```
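To show what the two rule conditions above mean when applied to records, here is an added example (not part of the original post) that parses audit records in the raw layout of the ausearch output shown earlier, groups them by event id, decodes a hex proctitle, and flags each SYSCALL record that matches auid!=0 with uid=0 or uid!=0 with euid=0. The sample lines, the "priv" key and the events after 292 are constructed; the field regex and the unset-auid value 4294967295 (the auid of processes that never came from a login) are assumptions of this example, not anything the post configures.

```python
import re
from collections import defaultdict

# Constructed sample records in raw audit-log layout (same field format as the
# ausearch output above; the values after event 292 are invented for this example).
SAMPLE = """\
type=PROCTITLE msg=audit(1543282493.461:285): proctitle="bash"
type=SYSCALL msg=audit(1543282493.461:285): arch=c000003e syscall=2 success=yes exit=3 auid=0 uid=1004 gid=1004 euid=1004 comm="bash" exe="/usr/bin/bash" key="TEST"
type=PROCTITLE msg=audit(1543282496.004:292): proctitle=6C73002D2D636F6C6F723D6175746F002F746D702F
type=SYSCALL msg=audit(1543282496.004:292): arch=c000003e syscall=191 success=no exit=-61 auid=0 uid=1004 gid=1004 euid=1004 comm="ls" exe="/usr/bin/ls" key="TEST"
type=SYSCALL msg=audit(1543282600.100:301): arch=c000003e syscall=59 success=yes exit=0 auid=1004 uid=0 gid=0 euid=0 comm="bash" exe="/usr/bin/bash" key="priv"
type=SYSCALL msg=audit(1543282650.200:302): arch=c000003e syscall=59 success=yes exit=0 auid=1004 uid=1004 gid=1004 euid=0 comm="passwd" exe="/usr/bin/passwd" key="priv"
type=SYSCALL msg=audit(1543282700.300:303): arch=c000003e syscall=59 success=yes exit=0 auid=4294967295 uid=0 gid=0 euid=0 comm="crond" exe="/usr/sbin/crond" key="priv"
"""

AUID_UNSET = 4294967295  # auid of processes never tied to a login (boot-time daemons)
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(text):
    """Group raw audit lines by event id ("timestamp:serial") into
    {event_id: [(record_type, fields_dict), ...]}; quotes are stripped and an
    unquoted proctitle (hex-encoded, NUL-separated argv) is decoded."""
    events = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
        if fields['type'] == 'PROCTITLE' and not line.rstrip().endswith('"'):
            fields['proctitle'] = bytes.fromhex(fields['proctitle']).decode().replace('\0', ' ')
        event_id = fields['msg'][len('audit('):-len('):')]   # "audit(TS:SERIAL):" -> "TS:SERIAL"
        events[event_id].append((fields['type'], fields))
    return events

def flag_events(events):
    """Apply the two rule conditions from the text to every SYSCALL record:
    auid!=0 & uid=0 (logged in as non-root, now running as root) and
    uid!=0 & euid=0 (non-root user whose process runs with effective root).
    Unset-auid records are skipped: they match 'auid!=0' literally but belong to no login."""
    hits = []
    for eid, recs in events.items():
        for rtype, f in recs:
            if rtype != 'SYSCALL' or int(f['auid']) == AUID_UNSET:
                continue
            auid, uid, euid = int(f['auid']), int(f['uid']), int(f['euid'])
            reasons = [r for r, cond in (('auid!=0,uid=0', auid != 0 and uid == 0),
                                         ('uid!=0,euid=0', uid != 0 and euid == 0)) if cond]
            if reasons:
                hits.append((eid, f['comm'], f['key'], reasons))
    return hits
```

The su-to-user1 records from the post (auid=0, uid=1004) match neither condition, which is what the two rules intend: they fire on a session that gained root, not on root dropping to a user.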
In practice, /tmp and /etc are frequently audited, since attackers commonly use /tmp for privilege escalation.

aureport can be used to view summary information from the system audit log; for example, aureport -l shows login information.