Linux Auditing System

The Linux kernel can log events such as system calls and file accesses. Administrators can then review these logs to identify possible security breaches, such as failed login attempts or unauthorized attempts to access system files. This feature, called the Linux Auditing System, is available in Red Hat Enterprise Linux 5.
  To use the Linux Auditing System, take the following steps:
  (1) Configure the audit daemon.
  (2) Add audit rules and watchers to collect the required data.
  (3) Start the daemon, which enables the Linux Auditing System in the kernel and starts logging.
  (4) Periodically analyze the data by generating audit reports and searching the logs.
 
Configuring the Auditing Daemon
  The Linux Auditing System in the Red Hat Enterprise Linux 5 kernel is disabled by default. It is enabled when the audit daemon, auditd, is started. To enable the Linux Auditing System at boot without auditd, boot with the audit=1 kernel parameter. If this parameter is set to 1 and auditd is not running, the audit messages are written to /var/log/messages.
  To use auditd and the utilities that generate reports from the log files, the audit RPM package must be installed. If it is not installed, see Chapter 3, "Operating System Updates" for instructions on package installation.
  With auditd, administrators can customize the audit log that is generated. The following are just a few of the available customizations:
● Set up a dedicated log file for audit messages
● Determine whether to rotate log files
● Warn when the partition holding the log file runs low on disk space
● Configure audit rules to log more detailed information
● Activate file and directory watchers
  These settings and more are located in the /etc/audit/auditd.conf file, which contains options that modify the behavior of the audit daemon. Each option should be on a separate line, followed by an equals sign (=) and the value of the option. Listing 25-1 shows the default configuration file.
  Listing 25-1 Default audit daemon parameters

     #
     # This file controls the configuration of the audit daemon
     #

     log_file = /var/log/audit/audit.log
     log_format = RAW
     priority_boost = 3
     flush = INCREMENTAL
     freq = 20
     num_logs = 4
     dispatcher = /sbin/audispd
     disp_qos = lossy
     max_log_file = 5
     max_log_file_action = ROTATE
     space_left = 75
     space_left_action = SYSLOG
     action_mail_acct = root
     admin_space_left = 50
     admin_space_left_action = SUSPEND
     disk_full_action = SUSPEND
     disk_error_action = SUSPEND

  The following options can be configured (see Listing 25-1 for the default values):
log_file
  The full path to the audit log file. If you configure the daemon to write log files to a directory other than the default /var/log/audit/, be sure to set the permissions on that directory so that only the root user has read, write, and execute access. No other user should be able to access the directory or the log files in it.
log_format
  The format to use when writing logs. When set to RAW, data is written to the log file exactly as it is received from the kernel. When set to NOLOG, no data is written to the log file, but if a dispatcher is specified with the dispatcher option, the data is still sent to the audit event dispatcher.
priority_boost
  How much of a priority boost the audit daemon should take. Must be a non-negative number; 0 means no change.
flush
  How often data is flushed to the log file. The value can be NONE, INCREMENTAL, DATA, or SYNC. If set to NONE, no special effort is made to flush data to the log file. If set to INCREMENTAL, the freq option determines how often a flush to disk occurs. If set to DATA, the data portion of the log file is kept synchronized with disk on every write. If set to SYNC, both data and metadata are synchronized with disk on every write.
freq
  If flush is set to INCREMENTAL, the number of records the audit daemon receives from the kernel before forcing a write to the log file.
num_logs
  The number of log files to keep when max_log_file_action is set to ROTATE. Must be a number between 0 and 99. If set to less than 2, the log is not rotated. If the number of log files is increased, it may be necessary to increase the kernel backlog setting in /etc/audit/audit.rules (the -b option) to allow time for log rotation. If num_logs is not set, it defaults to 0, which means the log files are never rotated.
dispatcher
  A program that is started automatically by the audit daemon when the daemon starts. All audit events are passed to this program, which can be used to further customize reports or to generate them in other formats compatible with your own analysis tools. Example code for a custom dispatcher can be found in /usr/share/doc/audit-/skeleton.c. Because the dispatcher runs with root privileges, use this option with extreme care. This option is not required.
disp_qos
  Controls the type of communication between the dispatcher and the audit daemon. Valid values are lossy and lossless. If set to lossy, incoming events sent to the dispatcher are discarded when the buffer between the audit daemon and the dispatcher (128 kilobytes) is full; as long as log_format is not set to NOLOG, the events are still written to disk. If set to lossless, the audit daemon waits until the buffer has room before sending the event to the dispatcher and before writing the log to disk.
max_log_file
  Maximum log file size in megabytes. When this size is reached, the action specified by max_log_file_action is executed.
max_log_file_action
  Action to take when the log file reaches the size set by max_log_file. The value must be one of IGNORE, SYSLOG, SUSPEND, ROTATE, or KEEP_LOGS. If set to IGNORE, no action is taken when the log file reaches max_log_file. If set to SYSLOG, a warning is written to the syslog /var/log/messages when the size is reached. If set to SUSPEND, no more audit messages are written to the log file once the size is reached. If set to ROTATE, the log file is rotated when it reaches the specified size, but only the number of old files specified by num_logs is kept. The old files are named audit.log.N, where N is a number; the higher the number, the older the file. If set to KEEP_LOGS, the log file is rotated but num_logs is ignored, so no log files are deleted.
space_left
  Amount of free disk space in megabytes. When this level is reached, the action in the space_left_action parameter is taken.
space_left_action
  Action to take when the amount of free disk space reaches the value in space_left. Valid values are IGNORE, SYSLOG, EMAIL, SUSPEND, SINGLE, and HALT. If set to IGNORE, no action is taken. If set to SYSLOG, a warning message is written to the syslog /var/log/messages. If set to EMAIL, an email is sent to the address in action_mail_acct and a warning message is written to /var/log/messages. If set to SUSPEND, no more audit messages are written to the audit log file. If set to SINGLE, the system is put into single-user mode. If set to HALT, the system is shut down.
action_mail_acct
  Email address of the administrator responsible for maintaining the audit daemon and its logs. If the address does not contain a hostname, it is assumed to be a local account, such as root. sendmail must be installed and configured for mail to reach the specified address.
admin_space_left
  Amount of free disk space in megabytes. Use this option to set a more drastic action than space_left_action, in case space_left_action did not cause the administrator to free up any disk space. This value must be less than space_left. When this level is reached, the action specified by admin_space_left_action is taken.
admin_space_left_action
  Action to take when the amount of free disk space reaches the value specified by admin_space_left. Valid values are IGNORE, SYSLOG, EMAIL, SUSPEND, SINGLE, and HALT. The actions associated with these values are the same as for space_left_action.
disk_full_action
  Action to take if the partition containing the audit log file is full. Valid values are IGNORE, SYSLOG, SUSPEND, SINGLE, and HALT. The actions associated with these values are the same as for space_left_action.
  Tip:
  If you do not rotate the audit log files, the partition containing /var/log/audit/ may fill up and cause system errors. It is therefore recommended to put /var/log/audit/ on a separate dedicated partition.
disk_error_action
  Action to take if an error is detected while writing or rotating the audit log file. The value must be one of IGNORE, SYSLOG, SUSPEND, SINGLE, and HALT. The actions associated with these values are the same as for space_left_action.
  The /etc/sysconfig/auditd file can be used to set command-line options for auditd with the EXTRAOPTIONS parameter. The only command-line option, -f, runs the daemon in the foreground in debug mode; in debug mode, messages go to standard error instead of the log file. The AUDITD_LANG setting can be used to change the locale of the daemon; if set to none, all locale information is removed from the audit environment. If the AUDITD_CLEAN_STOP option is set to yes, the audit rules and watchers are removed when the daemon is stopped with the service auditd stop command. To learn more about audit rules, see the next section.
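As an added example (this script is not from the chapter or the audit package), the following shell functions check an auditd.conf against the constraints the option descriptions above imply: admin_space_left must be below space_left, ROTATE needs num_logs of at least 2, flush=INCREMENTAL needs freq, and the log directory must be accessible only to root. The function names conf_get, check_auditd_conf and write_sample_conf are this example's own; the sample configuration it writes is the Listing 25-1 default with two settings parameterised, and the second copy deliberately weakens both.

```sh
#!/bin/sh
# Added example, not part of the chapter: lint an auditd.conf for the
# inconsistencies the option descriptions warn about.
# Usage: check_auditd_conf FILE   (prints findings, returns their count; 0 = clean)

# conf_get FILE KEY: print the value of "KEY = value", or nothing if unset.
conf_get() {
    awk -v k="$2" -F '=' '
        /^[ \t]*#/ { next }
        NF >= 2 {
            key = $1; sub(/^[ \t]+/, "", key); sub(/[ \t]+$/, "", key)
            if (key == k) { val = $2; sub(/^[ \t]+/, "", val); sub(/[ \t]+$/, "", val); print val; exit }
        }' "$1"
}

check_auditd_conf() {
    conf="$1"; findings=0
    space_left=$(conf_get "$conf" space_left)
    admin_left=$(conf_get "$conf" admin_space_left)
    action=$(conf_get "$conf" max_log_file_action)
    num_logs=$(conf_get "$conf" num_logs)
    flush=$(conf_get "$conf" flush)
    freq=$(conf_get "$conf" freq)
    log_file=$(conf_get "$conf" log_file)

    # admin_space_left_action is the more drastic step, so it must trigger after space_left_action
    if [ -n "$space_left" ] && [ -n "$admin_left" ] && [ "$admin_left" -ge "$space_left" ]; then
        echo "admin_space_left=$admin_left is not below space_left=$space_left"
        findings=$((findings + 1))
    fi
    # ROTATE with num_logs below 2 never rotates, so the partition eventually fills
    if [ "$action" = ROTATE ] && [ "${num_logs:-0}" -lt 2 ]; then
        echo "max_log_file_action=ROTATE but num_logs=${num_logs:-0}: the log will never rotate"
        findings=$((findings + 1))
    fi
    # INCREMENTAL flushing is governed by freq; without it the setting is incomplete
    if [ "$flush" = INCREMENTAL ] && [ -z "$freq" ]; then
        echo "flush=INCREMENTAL without freq"
        findings=$((findings + 1))
    fi
    # The log directory must be readable, writable and searchable by root only (mode 0700)
    log_dir=$(dirname "${log_file:-/var/log/audit/audit.log}")
    if [ -d "$log_dir" ] && [ "$(ls -ld "$log_dir" | cut -c5-10)" != "------" ]; then
        echo "$log_dir is accessible to users other than root"
        findings=$((findings + 1))
    fi
    return "$findings"
}

# write_sample_conf FILE ADMIN_SPACE_LEFT NUM_LOGS: the Listing 25-1 defaults with two
# settings parameterised, logging into FILE's own directory (constructed for this example).
write_sample_conf() {
    cat > "$1" <<EOF
# sample auditd.conf written by the example
log_file = $(dirname "$1")/audit.log
log_format = RAW
priority_boost = 3
flush = INCREMENTAL
freq = 20
num_logs = $3
dispatcher = /sbin/audispd
disp_qos = lossy
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = $2
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
EOF
}

# Demonstration: the defaults pass; admin_space_left raised to space_left and num_logs=1 fail.
work=$(mktemp -d)
write_sample_conf "$work/good.conf" 50 4
write_sample_conf "$work/bad.conf" 75 1
for c in good bad; do
    echo "== $c.conf"
    check_auditd_conf "$work/$c.conf" || echo "   $? finding(s)"
done
rm -rf "$work"
```

Run it against the real file with check_auditd_conf /etc/audit/auditd.conf before restarting the daemon; a non-zero return is the number of problems found, which is convenient for a pre-deployment check.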
Writing Audit Rules and Watchers
  The Linux Auditing System can be used to write rules for events such as system calls, and to watch operations on files or directories, with the auditctl command-line utility. If auditd is started with its init script (with the service auditd start command), rules and watchers can be added to /etc/audit/audit.rules so that they are loaded when the daemon starts. Only the root user can read or modify this file.
  Each rule and watcher in /etc/audit/audit.rules must be on a separate line; lines starting with # are ignored. Rules and watchers are written as auditctl command-line options without the auditctl command in front of them. The file is read from top to bottom. If two or more rules or watchers conflict with each other, the first one found is used.
Writing Audit Rules
  To add an audit rule, use the following syntax in the /etc/audit/audit.rules file:
-a <list>,<action> <options>
  Warning:
  If you add a rule to /etc/audit/audit.rules while the daemon is running, apply the change as root with the command service auditd restart. The service auditd reload command can also be used, but it will not report errors in the configuration file.
  The list name must be one of the following:
task
  The per-task list. Used only when a task is created. Only fields known at creation time, such as the UIDs, can be used in this list.
entry
  The system call entry list. Consulted when a system call is entered, to determine whether an audit record should be created.
exit
  The system call exit list. Consulted when a system call exits, to determine whether an audit record should be created.
user
  The user message filter list. The kernel uses this list to filter user-space events before passing them to the audit daemon. The only valid fields are uid, auid, gid, and pid.
exclude
  The event type exclude filter list. Used to filter out events that the administrator does not want to see. Use the msgtype field to specify the message types that should not be logged.
  The action must be one of the following:
never
  Do not generate audit records.
always
  Allocate an audit context, always fill it in at system call entry, and always write an audit record at system call exit.
  The options can include one or more of the following:
-S <syscall>
  Specify a system call by name or number. To match all system calls, use all as the system call name. If a program uses this system call, an audit record is started. Multiple system calls can be specified in the same rule, each preceded by -S. Specifying several system calls in one rule rather than writing one rule per system call gives better performance, because only one rule has to be evaluated.
-F <name>[=,!=,<,>,<=,>=]<value>
  Specify a rule field. If multiple fields are specified for a rule, an audit record is started only if all the fields match. Each field must be preceded by -F; up to 64 fields can be specified per rule. If a username or group name is given instead of a UID or GID, it is resolved to the UID or GID for matching. The following are valid field names:
pid
  Process ID.
ppid
  Process ID of the parent process.
uid
  User ID.
euid
  Effective user ID.
suid
  Saved user ID.
fsuid
  File system user ID.
gid
  Group ID.
egid
  Effective group ID.
sgid
  Saved group ID.
fsgid
  File system group ID.
auid
  Audit ID, the ID the user originally logged in with.
msgtype
  Message type number. Applies only to the exclude filter list.
pers
  OS personality number.
arch
  Processor architecture of the system call. Specify the exact architecture, such as i686 (which can be retrieved with the uname -m command), or b32 to use the 32-bit system call table, or b64 to use the 64-bit system call table.
devmajor
  Device major number.
devminor
  Device minor number.
inode
  Inode number.
exit
  Exit value of the system call.
success
  Success value of the system call: 1 means true/yes, 0 means false/no.
a0, a1, a2, a3
  The first four arguments of the system call, respectively. Only numeric values can be used.
key
  Sets the filter key used to mark the event's audit log messages. See Listings 25-2 and 25-3 for examples. When adding a watcher, this is similar to using the -k option; see "Writing Audit Watchers" for details on -k.
obj_user
  SELinux user of the resource.
obj_role
  SELinux role of the resource.
obj_type
  SELinux type of the resource.
obj_lev_low
  SELinux low level of the resource.
obj_lev_high
  SELinux high level of the resource.
subj_role
  SELinux role of the program.
subj_type
  SELinux type of the program.
subj_sen
  SELinux sensitivity of the program.
subj_clr
  SELinux security level (clearance) of the program.
  The -a option appends the rule to the end of the list. To add a rule at the beginning of the list, replace -a with -A. To delete a rule, use the same syntax with -d in place of -a. To delete all rules, use the -D option. Listing 25-2 contains example audit rules as they would appear in /etc/audit/audit.rules.
  Listing 25-2 Example Audit Rule
#Record all file opens from user 501
#Use with caution since this can quickly
#produce a large quantity of records
-a exit,always -S open -F uid=501 -F key=501open
# Record file permission changes
-a entry,always -S chmod
  Tip:
  Additional examples are in the *.rules files in the /usr/share/doc/audit-/ directory if the audit package is installed.
  When an event matching a rule occurs, it is passed to the dispatcher if one is configured in /etc/audit/auditd.conf, and a log message is written to /var/log/audit/audit.log. For example, Listing 25-3 contains the log entry produced by the first rule in Listing 25-2 when user 501 opens a file. The rule includes a filter key, which appears at the end of the log entry in Listing 25-3. In this entry, arch=c000003e identifies the x86_64 system call table, on which syscall=2 is open; success=no with exit=-2 means the call failed with ENOENT, that is, the file did not exist.
  Listing 25-3 Example audit rule log message
  

     type=SYSCALL msg=audit(1168206647.422:5227): arch=c000003e syscall=2 
     success=no exit=-2 a0=7fff37fc5a40 a1=0 a2=2aaaaaaab000 a3=0 items=1 
     ppid=26640 pid=2716 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 
     egid=501 sgid=501 fsgid=501 tty=pts5 comm="vim" exe="/usr/bin/vim" 
     key="501open"

Writing Audit Watchers
  The Linux Auditing System also allows administrators to watch files and directories. If a watcher is placed on a file or directory, successful and failed actions on it, such as opening or executing the file, are logged. To add a watcher, use the -w option followed by the file or directory to watch.
  Warning:
  If you add a watcher to /etc/audit/audit.rules while the daemon is running, apply the change as root with the command service auditd restart. The service auditd reload command can also be used, but it will not report errors in the configuration file.
  Listing 25-4 contains example watchers as they would appear in /etc/audit/audit.rules. If the -k option is used together with -w, every record produced by the watcher contains the given filter key (limited to 31 bytes), so the watcher's records can easily be picked out of the log file. To restrict a file or directory watcher to certain actions, use the -p option followed by one or more of the following letters: r to watch read actions, w to watch write actions, x to watch execute actions, and a to watch attribute changes. To remove a watcher, use the -W option followed by the file or directory.
  Listing 25-4 Example Audit Watcher

     #Watch for changes to sysconfig files
     -w /etc/sysconfig -k SYSCONFIG
     #Watch for changes to audit config files
     -w /etc/audit/audit.rules -k AUDIT_RULES
     -w /etc/audit/auditd.conf -k AUDIT_CONF
     -w /var/log/audit/ -k LOG_AUDIT
     #Watch to see who tries to start the VPN client
     -w /usr/bin/vpnc -k VPNC -p x
     #Watch password files
     -w /etc/group -k PASSWD
     -w /etc/passwd -k PASSWD
     -w /etc/shadow -k PASSWD

  For example, Listing 25-4 includes watchers on the password files with the filter key PASSWD. Listing 25-5 contains the log entry written to /var/log/audit/audit.log after a user is deleted, which modifies the watched password files. As with the keyed rule in Listing 25-3, the key is added to the end of the log entry so that it can be easily filtered from the rest of the log. Here syscall=82 on the x86_64 table is rename: userdel writes a new copy of the file and renames it over the original, which is why the watcher fires even though the process runs as root.
  Listing 25-5 Example log entry for the audit watcher

     type=SYSCALL msg=audit(1168227741.656:17915): arch=c000003e syscall=82
     success=yes exit=0 a0=7fff00975dd0 a1=60a700 a2=0 a3=22 items=5 ppid=26575
     pid=4147 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
     tty=pts4 comm="userdel" exe="/usr/sbin/userdel" key="PASSWD"
Customizing auditctl
  Command-line options that configure audit system parameters can also be included in /etc/audit/audit.rules. Table 25-1 lists these options.
Table 25-1 auditctl options for configuring audit system parameters
-b
  The maximum number of outstanding audit buffers allowed. The default value in the kernel is 64. If the buffers are full, the kernel consults the failure flag set with the -f option to determine what action to take.
-e [0,1]
  Set to 0 to disable auditing, or to 1 to enable it. Useful for temporarily disabling auditing for troubleshooting or other purposes.
-f [0,1,2]
  Sets the failure flag, which tells the kernel how to handle critical errors such as the audit buffers being full or the kernel running out of memory. Valid values are 0 (no action), 1 (log a message to /var/log/messages with printk), and 2 (kernel panic). The default is 1; 2 is the safer choice where losing audit records is unacceptable.
-r
  Rate limit in messages per second. If set to 0, there is no limit. If the rate limit is exceeded, the kernel consults the failure flag set with the -f option to determine what action to take.
-i
  Ignore errors when reading rules from a file.
  
  To verify that these options are set, use the auditctl -s command to view the status. The output looks like this:
AUDIT_STATUS: enabled=1 flag=1 pid=1954 rate_limit=0 backlog_limit=256
lost=0 backlog=0
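As an added example (this script is not from the chapter or the audit package), the following checks a rules file before it is loaded, catching the mistakes the rule, watcher and parameter sections above describe: an unknown list or action, a syscall rule with no -S (which matches every system call), a relative watch path, a -k key longer than 31 bytes, a -p with letters other than r, w, x and a, and -e or -f values out of range. Field names that are not in the list above are reported as warnings rather than errors, because auditctl accepts a few fields the chapter does not cover. The function name check_audit_rules and the two sample files are this example's own; the first sample is assembled from Listings 25-2 and 25-4 and Table 25-1, the second deliberately breaks one check per line.

```sh
#!/bin/sh
# Added example, not part of the chapter: static checks on an audit.rules file.
# Usage: check_audit_rules FILE   (prints findings, returns the number of errors)

check_audit_rules() {
    awk '
    function fail(msg) { print FILENAME ":" NR ": error: " msg; errors++ }
    function warn(msg) { print FILENAME ":" NR ": warning: " msg }
    BEGIN {
        split("task entry exit user exclude", l, " "); for (i in l) lists[l[i]] = 1
        split("never always", a, " ");               for (i in a) actions[a[i]] = 1
        s = "pid ppid uid euid suid fsuid gid egid sgid fsgid auid msgtype pers arch"
        s = s " devmajor devminor inode exit success a0 a1 a2 a3 key obj_user obj_role"
        s = s " obj_type obj_lev_low obj_lev_high subj_role subj_type subj_sen subj_clr"
        split(s, f, " "); for (i in f) fields[f[i]] = 1
    }
    /^[ \t]*#/ || /^[ \t]*$/ { next }
    {
        opt = $1
        if (opt == "-a" || opt == "-A" || opt == "-d") {          # syscall rule: <list>,<action>
            split($2, la, ",")
            if (!(la[1] in lists))   fail("unknown list \"" la[1] "\"")
            if (!(la[2] in actions)) fail("unknown action \"" la[2] "\"")
            has_s = 0
            for (i = 3; i <= NF; i++) if ($i == "-S") has_s = 1
            if ((la[1] == "entry" || la[1] == "exit") && !has_s) warn("no -S: rule matches every system call")
        } else if (opt == "-w" || opt == "-W") {                  # watcher: absolute path
            if ($2 !~ /^\//) fail("watch path is not absolute: " $2)
        } else if (opt == "-b" || opt == "-r") {                  # backlog / rate limit
            if ($2 !~ /^[0-9]+$/) fail(opt " needs a non-negative number, got \"" $2 "\"")
        } else if (opt == "-e" || opt == "-f") {                  # enable flag 0-1, failure flag 0-2
            if ($2 !~ /^[0-9]$/ || (opt == "-e" && $2 > 1) || (opt == "-f" && $2 > 2))
                fail(opt " value out of range: " $2)
        } else if (opt != "-D" && opt != "-i") {
            fail("unrecognised option " opt)
        }
        for (i = 2; i <= NF; i++) {                              # options allowed on any rule line
            v = $(i + 1)
            if ($i == "-k" && length(v) > 31) fail("key longer than 31 bytes: " v)
            if ($i == "-p" && v !~ /^[rwxa]+$/) fail("bad permission letters in -p " v)
            if ($i == "-F") {
                name = v; sub(/[=!<>].*/, "", name)
                if (name == "key" && length(v) - 4 > 31) fail("key longer than 31 bytes: " v)
                if (!(name in fields)) warn("field not in the chapter list: " name)
            }
        }
    }
    END { exit errors }' "$1"
}

# write_rules FILE: rules from Listings 25-2 and 25-4 plus Table 25-1 parameters.
write_rules() {
    cat > "$1" <<'EOF'
# sample rules assembled from the chapter
-D
-b 256
-f 1
-a exit,always -S open -F uid=501 -F key=501open
-a entry,always -S chmod
-w /etc/sysconfig -k SYSCONFIG
-w /usr/bin/vpnc -k VPNC -p x
-w /etc/shadow -k PASSWD
-e 1
EOF
}

# write_bad_rules FILE: one deliberate error per line (constructed for this example).
write_bad_rules() {
    cat > "$1" <<'EOF'
-a exti,always -S open
-w etc/shadow -k PASSWD
-w /etc/passwd -k THIS_KEY_IS_LONGER_THAN_THIRTY_ONE_BYTES
-w /usr/bin/vpnc -k VPNC -p xz
-f 3
EOF
}

work=$(mktemp -d)
write_rules "$work/audit.rules"; write_bad_rules "$work/broken.rules"
for r in audit broken; do
    echo "== $r.rules"
    check_audit_rules "$work/$r.rules" || echo "   $? error(s)"
done
rm -rf "$work"
```

Run check_audit_rules /etc/audit/audit.rules before service auditd restart; unlike service auditd reload, it tells you which line is wrong, and the return value is the number of errors.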
Starting and Stopping the Daemon
  After configuring the daemon and adding rules and watchers, start the daemon by executing the service auditd start command as root. To stop it, use the service auditd stop command. To make it start automatically at boot, execute the chkconfig auditd on command as root.
  If the daemon is already running when you modify its configuration, apply the changes by executing the service auditd restart command as root. To verify that the rules and watchers are in effect, execute the auditctl -l command as root to list all active rules and watchers. For example, Listing 25-6 shows the auditctl -l output for the rules and watchers in Listings 25-2 and 25-4.
Analyzing the Logs
  If auditd is used, audit messages are written to /var/log/audit/audit.log unless the file name is changed with the log_file parameter in /etc/audit/auditd.conf. The log files are text files that can be read with the less utility or a text editor such as Emacs or Vi. The messages are in the format received from the kernel and in the order in which they were received. The aureport utility can be used to generate summary reports from the log files, and the ausearch utility can be used to search the records by criteria such as audit event ID, file name, UID or GID, message type, and system call name.
  The log files in /var/log/audit/ are never deleted unless the daemon is configured to rotate the log files and delete old ones, as described in the "Configuring the Audit Daemon" section earlier. Administrators should review the logs frequently and delete old logs or move them to backup storage. If the logs are not removed periodically, they can fill the entire disk. For this reason, it is recommended to put /var/log/audit/ on a separate dedicated partition so that a full audit partition does not interfere with writing other log files or cause other system errors.
  Tip:
  To force an immediate rotation of the log files, execute the service auditd rotate command as root. The old log files are named audit.log.N, where N is a number; the higher the number, the older the log file.
Generating Reports
  To generate reports on audit messages, use aureport. For security, the /var/log/audit/ directory and all audit log files in it are readable only by the root user, so aureport must be executed as root. If aureport is executed without any options, the summary report shown in Listing 25-7 is displayed. Table 25-2 lists the options for generating specific reports.
Table 25-2 aureport options for generating specific reports
-a
  Report on access vector cache (AVC) messages
-c
  Report on configuration change messages
-cr
  Report on crypto event messages
-e
  Report on event messages
-f
  Report on file messages
-h
  Report on host messages
-l
  Report on login messages
-m
  Report on account modification messages
-ma
  Report on Mandatory Access Control (MAC) event messages
-p
  Report on process messages
-s
  Report on system call messages
-tm
  Report on terminal messages
  To produce results in a more readable format, such as replacing UIDs with the usernames they map to, also use the -i option:
aureport <option> -i
  To display the start and stop times of each log, add the -t option:
aureport <option> -i -t
  To display only events at or before a specific time, add the -te option followed by the end date and end time. Give the date in the numeric format for your locale and the time in 24-hour format. For example, for the en_US.UTF-8 locale, use the date format MM/DD/YY:
aureport <option> -i -te <end-date> <end-time>
  To display only events at or after a specific time, add the -ts option followed by the start date and time, using the same date and time format as for -te:
aureport <option> -i -ts <start-date> <start-time>
  To display only failed events, use --failed (note that this option starts with two dashes, not one):
aureport <option> -i --failed
  To display only successful events, use --success (again with two dashes):
aureport <option> -i --success
  Some reports can also be generated in summary form with the --summary option (two dashes):
aureport <option> -i --summary
  To generate a report on responses to anomaly events, use the -r option:
aureport -r -i
  To generate a report from a log file other than the default, specify it with the -if option:
aureport <option> -i -if /var/log/audit/audit.log.1
Searching the Records
  In addition to generating reports and summaries with aureport, administrators can search the audit records with ausearch. Execute the ausearch command as root, followed by one or more of the options in Table 25-3. If multiple options are specified, only records that match all of them are displayed. To find records that match one option or another, run two separate searches and combine the results yourself.
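As an added example (not from the chapter, and not a replacement for ausearch or aureport), the following shell functions do over a log file what the two utilities do in the cases discussed above: audit_search prints one decoded line per SYSCALL record matching the given field=value criteria, all of which must match, as with ausearch; audit_summary counts successful and failed events per filter key, like aureport --summary. The decoding maps the architecture and system call numbers shown in Listings 25-3 and 25-5 (c000003e is the x86_64 table, on which 2 is open, 82 rename and 90 chmod; 40000003 is the i386 table) and the negative exit values to errno names, which is the part of ausearch -i that matters most when reading a record. The function names and the sample log are this example's own; the sample log holds the two records from Listings 25-3 and 25-5 joined onto single lines plus three constructed records.

```sh
#!/bin/sh
# Added example, not part of the chapter: decode, filter and summarise
# SYSCALL records from an audit.log without ausearch/aureport.

# One awk program, selected by mode=list or mode=summary; want holds the
# "field=value" criteria, all of which must match a record.
AUDIT_AWK='
function unquote(v) { return (v ~ /^".*"$/) ? substr(v, 2, length(v) - 2) : v }
BEGIN {
    # syscall numbers used by the chapter, keyed by the arch word in the record
    name["c000003e", 2] = "open"; name["c000003e", 82] = "rename"; name["c000003e", 90] = "chmod"
    name["40000003", 5] = "open"; name["40000003", 38] = "rename"; name["40000003", 15] = "chmod"
    errno[1] = "EPERM"; errno[2] = "ENOENT"; errno[13] = "EACCES"
    n = split(want, w, " ")
    for (i = 1; i <= n; i++) { split(w[i], kv, "="); cond[kv[1]] = kv[2] }
}
/^type=SYSCALL / {
    split("", f)                                  # clear the per-record field table
    for (i = 1; i <= NF; i++) {
        eq = index($i, "="); if (!eq) continue
        f[substr($i, 1, eq - 1)] = unquote(substr($i, eq + 1))
    }
    # msg=audit(SECONDS.MILLIS:SERIAL): carries the event serial number
    if (match(f["msg"], /:[0-9]+\)/)) f["serial"] = substr(f["msg"], RSTART + 1, RLENGTH - 2)
    for (k in cond) if (f[k] != cond[k]) next
    sc = ((f["arch"], f["syscall"]) in name) ? name[f["arch"], f["syscall"]] : "syscall#" f["syscall"]
    if (f["success"] == "yes") outcome = "ok"
    else { e = -f["exit"]; outcome = (e in errno) ? errno[e] : "errno" e }
    succ[f["key"]] += (f["success"] == "yes")
    fail[f["key"]] += (f["success"] != "yes")
    if (mode == "list")
        printf "%s key=%s auid=%s uid=%s comm=%s %s %s\n", f["serial"], f["key"], f["auid"], f["uid"], f["comm"], sc, outcome
}
END { if (mode == "summary") for (k in succ) print k, succ[k] + 0, fail[k] + 0 }'

# audit_search FILE [field=value ...]: one decoded line per matching SYSCALL record
audit_search()  { log="$1"; shift; awk -v mode=list    -v want="$*" "$AUDIT_AWK" "$log"; }
# audit_summary FILE [field=value ...]: "<key> <successes> <failures>" per filter key
audit_summary() { log="$1"; shift; awk -v mode=summary -v want="$*" "$AUDIT_AWK" "$log"; }

# write_sample_log FILE: Listings 25-3 and 25-5 as single lines, plus three constructed records
write_sample_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1168206647.422:5227): arch=c000003e syscall=2 success=no exit=-2 a0=7fff37fc5a40 a1=0 a2=2aaaaaaab000 a3=0 items=1 ppid=26640 pid=2716 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts5 comm="vim" exe="/usr/bin/vim" key="501open"
type=SYSCALL msg=audit(1168227741.656:17915): arch=c000003e syscall=82 success=yes exit=0 a0=7fff00975dd0 a1=60a700 a2=0 a3=22 items=5 ppid=26575 pid=4147 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 comm="userdel" exe="/usr/sbin/userdel" key="PASSWD"
type=SYSCALL msg=audit(1168227800.101:17920): arch=c000003e syscall=2 success=no exit=-13 a0=7fff1234abcd a1=1 a2=0 a3=0 items=1 ppid=26640 pid=2801 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts5 comm="cat" exe="/bin/cat" key="PASSWD"
type=SYSCALL msg=audit(1168227900.500:17931): arch=c000003e syscall=2 success=yes exit=3 a0=7fff37fc5a40 a1=0 a2=1b6 a3=0 items=1 ppid=26640 pid=2716 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts5 comm="vim" exe="/usr/bin/vim" key="501open"
type=CONFIG_CHANGE msg=audit(1168227950.000:17940): audit_enabled=1 old=1 auid=501 res=1
EOF
}

work=$(mktemp -d); write_sample_log "$work/audit.log"
echo "== failed opens under key 501open";          audit_search  "$work/audit.log" key=501open success=no
echo "== everything touching the password files"; audit_search  "$work/audit.log" key=PASSWD
echo "== successes and failures per key";         audit_summary "$work/audit.log"
rm -rf "$work"
```

The auid column is the one to pivot on when investigating: in the constructed records every event carries auid=501 even where uid=0, which is how a su or sudo session is traced back to the login account.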
Tracing a Process with autrace
  The autrace utility can be used to generate audit records for a specific process. No other rules or watchers may be loaded while autrace is running. Like the other audit utilities, autrace must be run as root. To trace a process, use the following steps:
  (1) Temporarily remove all rules and watchers:
auditctl -D
  (2) (Optional) To isolate the audit records of the process, force a log file rotation so that the records from autrace start a fresh /var/log/audit/audit.log:
service auditd rotate
  (3) Execute autrace at the command line, followed by the program to trace:
autrace <program>
  (4) Wait until the process has finished. A message similar to the following is displayed:
Trace complete. You can locate the records with 'ausearch -i -p 10773'
  (5) Restart the audit daemon to reload the rules and watchers:
service auditd restart
  (6) Use the ausearch command from step 4 to display the records of the trace.
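The six steps above as one script, added here as an example (it is not from the chapter or the audit package). It assumes the RHEL 5 service, auditctl, autrace and ausearch commands from the text, and that the last line autrace prints is the 'Trace complete' message; the function names trace_pid_from_message and autrace_program are this example's own. The rules are reloaded in step 5 before the result is checked, so a failed trace does not leave the system running without its rules.

```sh
#!/bin/sh
# Added example, not part of the chapter: the autrace procedure as one script.
# Usage: sh autrace_program.sh PROGRAM [ARGS...]   (run as root; file name is hypothetical)

# trace_pid_from_message MESSAGE: extract the pid from autrace's final
# "Trace complete. You can locate the records with 'ausearch -i -p NNNN'" line.
trace_pid_from_message() {
    printf '%s\n' "$1" | sed -n 's/.*ausearch -i -p \([0-9][0-9]*\).*/\1/p'
}

autrace_program() {
    [ "$#" -ge 1 ] || { echo "usage: autrace_program PROGRAM [ARGS...]" >&2; return 2; }
    [ "$(id -u)" -eq 0 ] || { echo "autrace needs root, like the other audit utilities" >&2; return 1; }
    auditctl -D >/dev/null                 # 1. remove every rule and watcher; autrace needs an empty rule set
    service auditd rotate                  # 2. start a fresh audit.log so the trace is easy to isolate
    msg=$(autrace "$@" 2>&1 | tail -n 1)   # 3-4. run the program to completion; its last line names the pid
    service auditd restart                 # 5. reload /etc/audit/audit.rules before anything else
    pid=$(trace_pid_from_message "$msg")
    [ -n "$pid" ] || { echo "autrace did not report a pid: $msg" >&2; return 1; }
    echo "traced pid $pid"
    ausearch -i -p "$pid"                  # 6. interpreted records of the traced process
}

if [ "$#" -gt 0 ]; then autrace_program "$@"; fi
```

Because the traced program's own output is captured along with autrace's message, redirect it inside the traced command if it is chatty; only the final line is used to find the pid.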
