0 Overview
The auditd tool helps operators audit a Linux system and analyze what happened on it. The Linux kernel can log events, including system calls and file accesses. Administrators examine these logs to determine whether there has been a security breach (for example, multiple failed login attempts, or failed attempts by users to access system files).
1 Installation
CentOS 7 installs audit by default.
Use the command service auditd status to check whether the service is running.
2 Configuration files
In the /etc/audit directory:
auditd.conf file ---- configuration file of the audit daemon
audit.rules file ---- the audit rules; this file is generated from /etc/audit/rules.d
audit-stop.rules file ---- audit stop rules; this file defines the rules loaded when auditing stops
rules.d directory ---- defines the rules to be audited; rules written to files here take effect permanently
The following is auditd.conf, the configuration file of the audit tool; in it, the meaning of each parameter value has been annotated in Chinese. For a detailed explanation, refer to the official documentation: https://linux.die.net/man/8/auditd.conf
3 auditd tools
auditctl: the default command for operating auditd (manages rules and status)
aureport: generates and displays summary reports of audit events
ausearch: a tool for searching the audit log for various events
autrace: command for tracing a process
3.1 auditctl command
auditctl -l    list the currently defined rules
auditctl -a    add a detection rule (a rule added this way is only effective until reboot; to make it permanent, write it to the configuration file)
auditctl -a action,filter -S system_call -F field=value -k key_name
action and filter specify when an event is logged. action can be always or never; filter selects the matching filter list and can be task, exit, user or exclude.
system_call specifies the name of the system call; several system calls can be written in one rule, such as -S xxx -S xxx. The names of the system calls can be found in the /usr/include/asm/unistd_64.h file. For a detailed explanation of the fields, refer to: https://blog.csdn.net/xiyangfan/article/details/5259258
field=value is an additional option that restricts the rule to events of a specific architecture, group ID, process ID, etc. For the available fields, refer to https://linux.die.net/man/8/auditctl.
For example, to record an audit event whenever a file is deleted or renamed by a user whose user ID is 1000 or greater, the command is as follows:
auditctl -a always,exit -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
auditctl -a always,exit -F path=/etc/shadow -F perm=wa
Equivalent to auditctl -w /etc/shadow -p wa
auditctl -d    delete a rule
auditctl -D    delete all rules
auditctl -w    specify the path of the file or directory to audit
auditctl -p [r|w|x|a]    used together with -w, specifies which accesses to the file/directory trigger the audit
rwxa: the trigger conditions, r read, w write, x execute, a attribute (a change of attributes of a file or directory)
auditctl -k    specify a key name (alias) so that the related records can be looked up by that name in a later audit
auditctl -s    show the status of the auditd service
auditctl -e    set the enabled flag
Set to 0 to turn auditing off, 1 to turn it on; 2 means locked. It is usually set last, after the other rules, to prevent anyone from modifying the rules: any attempt to modify the rules is rejected and recorded in the audit log, and the flag can only be changed again after a system restart.
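As an added example (not from the original page), the following Python script checks a rules file for the pitfalls described in this section before it is loaded: -D first, a -k key on every rule so that ausearch -k can find its records, only r, w, x and a in -p, and -e 2 as the very last line. Both rule texts are constructed; the -k shadow key on the /etc/shadow watch is an assumption added so that the rule can be searched by key.

```python
"""Check an audit rules file for the pitfalls described above before loading it."""
import shlex

# Constructed sample: the two example rules from the text, written as a
# persistent rules.d file, with -D first and the lock flag (-e 2) last.
GOOD_RULES = """\
-D
-a always,exit -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-w /etc/shadow -p wa -k shadow
-e 2
"""

# Constructed sample with mistakes: no -D, -e 2 before the rules (so the later
# lines would be rejected), a watch without a key, and an invalid -p letter.
BAD_RULES = """\
-e 2
-w /etc/shadow -p wq
-a always,exit -S unlink -k delete
"""

NO_VALUE_OPTS = {"-D"}          # options that take no argument
ALLOWED_PERMS = set("rwxa")     # the only letters -p accepts


def parse_rule(line):
    """Turn one rule line into {option: [values]}; repeated options (-S, -F) accumulate."""
    opts = {}
    tokens = shlex.split(line)
    i = 0
    while i < len(tokens):
        tok = tokens[i]
        if tok in NO_VALUE_OPTS or i + 1 >= len(tokens):
            opts.setdefault(tok, [])
            i += 1
        else:
            opts.setdefault(tok, []).append(tokens[i + 1])
            i += 2
    return opts


def lint_rules(text):
    """Return a list of findings for the rules text; an empty list means clean."""
    lines = [l.strip() for l in text.splitlines()]
    lines = [l for l in lines if l and not l.startswith("#")]
    findings = []
    if lines and lines[0] != "-D":
        findings.append("line 1: start with -D so that stale rules are cleared before the new ones load")
    for idx, line in enumerate(lines, 1):
        opts = parse_rule(line)
        if opts.get("-e") == ["2"] and idx != len(lines):
            findings.append(f"line {idx}: -e 2 locks the configuration; any rule after it is rejected, put it last")
        if ("-a" in opts or "-w" in opts) and "-k" not in opts:
            findings.append(f"line {idx}: rule has no -k key, so its records cannot be found with ausearch -k")
        if "-p" in opts and "-w" not in opts:
            findings.append(f"line {idx}: -p only has meaning together with -w")
        for perm in opts.get("-p", []):
            bad = set(perm) - ALLOWED_PERMS
            if bad:
                findings.append(f"line {idx}: -p {perm} uses letters other than r, w, x, a: {''.join(sorted(bad))}")
    return findings


if __name__ == "__main__":
    for name, text in (("good", GOOD_RULES), ("bad", BAD_RULES)):
        print(name, lint_rules(text) or ["clean"])
```

Run it against the file you are about to drop into /etc/audit/rules.d; a clean result for GOOD_RULES and four findings for BAD_RULES show the checks working.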
3.2 aureport command
aureport generates summary reports
-au    report on authentication
-c    report on configuration changes
-cr    report on crypto events
-e    report on events
-f    report on files
-i    interpret mode (translate numeric values into names)
-if <input file>    use the file as input
-h    report on hosts
-l    report on logins
-k    report on keys
-m    report on account modifications
-ma    report on Mandatory Access Control (MAC) events
-p    report on processes
-s    report on system calls
-tm    report on terminals
--node <node name>    events of a specific node
--success    show only successful events in the report
--failed    show only failed events in the report
-n    report on anomaly events
--summary    sort the totals of the main objects in the report
-r    report on responses to anomaly events
-t    report on the time range of the log
-te <end date> <end time>    end time of the report
-ts <start date> <start time>    start time of the report
--tty    report on tty
-u    report on users
-x    report on executables
3.3 ausearch command
ausearch -a 5207    search the current audit log for the event whose event ID is 5207
ausearch -k xx    view the audit records for the given key name
ausearch -i    interpret (format) the output
ausearch -f    view the audit records for the given audited directory or file
ausearch -m    search by message type
ausearch -ul    search by login ID
ausearch -ua    search by uid and euid
ausearch -ui    search by uid
ausearch -ue    search by euid
ausearch -ga    search by gid and egid
ausearch -gi    search by gid
ausearch -ge    search by egid
ausearch -c    search by command name
ausearch -x    search by executable
ausearch -sc    search by syscall
ausearch -p    search by pid
ausearch -sv    search by syscall return value (yes/no)
ausearch -f    search by file name
ausearch -tm    search by terminal (term/ssh/tty)
ausearch -hn    search by host name
ausearch -k    search by a specific key value
ausearch -w    search by a string set in an audit rule
3.4 Other
To verify whether a rule has taken effect, we often trace a specific process; the records generated by autrace are stored in /var/log/audit/audit.log. When using autrace to trace a process, use auditctl -D to delete all audit rules first, so that the autrace records do not conflict with the records generated by the previously set rules. After autrace finishes, use systemctl restart auditd to restart the audit service.
autrace /usr/bin/less
4 Audit logs
4.1 Examples
Add the following two audit rules:
auditctl -w /root/chen/test.sh -p wxra -F uid=root -k auditest1
auditctl -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S mkdir -S rmdir -S creat -F uid!=root -F dir=/root/chen/test -k auditest2
After they are added, use auditctl -l to view the relevant information:
Use ausearch -k auditest1 -i and ausearch -k auditest2 -i to view the current audit log.
The content of the audit log shows that the current audit rules have been loaded.
Run the test.sh script as root and as a non-root user (sh test.sh), then view the audit log.
At this point, use ausearch -k auditest1 -i to view the audit content. Only the command executed by the root user is recorded in the audit log.
Likewise, as root and as a non-root user, create directories named root and non-root in the /root/chen/test directory.
Use the command ausearch -k auditest2 -i -c mkdir; only the directories created by the non-root user are recorded.
4.2 Analysis of audit log content
type=SYSCALL
Each record starts with type=keyword; SYSCALL means the record was triggered by a system call into the kernel. For more type values and their explanations, refer to: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-Audit_Record_Types
audit(time_stamp:ID)
In the audit(time_stamp:ID) format, the time stamp is the number of seconds since January 1, 1970 00:00:00, and the ID is the unique identifier of the event; all records generated by the same event carry the same ID.
arch=c000003e
The CPU architecture of the system; c000003e is the hexadecimal encoding of "x86_64". Use the command ausearch -i --arch c000003e to print the interpreted records in audit.log that contain this field. Note that ausearch only produces output if such records actually exist in the audit log.
syscall=257
The system call made to the kernel. The number 257 is defined in /usr/include/asm/unistd_64.h, where 257 is openat. Use the ausyscall command (for example ausyscall 257) to look up the system call name for a number, or ausyscall --dump to display all system calls.
success=yes
Whether the system call succeeded.
exit=3
The return code of the system call. The following command shows the interpreted records whose return value is 3; different system calls have different return values.
ausearch --interpret --exit 3
a0=ffffffffffffff9c a1=21e0550 a2=90800 a3=0
The first four arguments of the system call. Their meaning depends on the system call; ausearch -i can interpret some of them into readable values.
items=1
The number of supplementary records (such as PATH records) that follow the system call record.
ppid=2354
Parent process ID, here the ID of the bash process.
pid=30729
Process ID, here the ID of the ls process. Checking with ps, the ppid matches the bash process.
auid=0
auid is the audit user ID, that is, the loginuid: the ID of the user who logged in. For root the ID is 0.
uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001
uid is the ID of the user who started the process being analyzed, that is, the user ID under which the process actually ran. The remaining fields are, in order: gid the group ID, euid the effective user ID, suid the set user ID, fsuid the file system user ID, egid the effective group ID, sgid the set group ID, and fsgid the file system group ID.
tty=pts0
The terminal on which the operation was performed, for example the terminal where ls was run.
ses=10868
Session ID.
comm=ls
The command that produced the audit record.
exe="/usr/bin/ls"
The full path of the executable file.
type=CWD
The record type CWD stands for current working directory; it records the working directory of the process.
inode=99213313
The inode number of the file or directory. The following command finds the file that corresponds to this inode:
find / -inum 99213313 -print
dev=08:11
The dev field gives the device's major and minor IDs.
mode=040755
The mode field gives the type and permissions of the file or path.
ouid=0
The ID of the object's owner.
ogid=0
The group ID of the object's owner.
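To tie sections 4.1 and 4.2 together, here is an added Python example (not part of the original page) that parses raw audit.log records, groups them by event ID, and answers the same questions as ausearch -k, -c and -i: find the events for a key, narrow them by command, and translate arch, syscall number and timestamp into readable form. The log lines are constructed to reuse the field values discussed above; the syscall table covers only the calls used by the rules in 4.1 (the full list comes from ausyscall --dump), and times are printed in UTC whereas ausearch -i prints local time.

```python
"""Parse raw audit.log records and query them the way ausearch -k / -c / -i do."""
import re
from datetime import datetime, timezone

# Constructed sample log (not captured from a real system). Event 5207 is the
# sh run that matched key auditest1, event 5208 is a mkdir by uid 1001 that
# matched auditest2, and event 5209 is an ls that matched no keyed rule.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1612224000.123:5207): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=21e0550 a2=90800 a3=0 items=1 ppid=2354 pid=30729 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=10868 comm="sh" exe="/usr/bin/bash" key="auditest1"
type=CWD msg=audit(1612224000.123:5207):  cwd="/root/chen"
type=PATH msg=audit(1612224000.123:5207): item=0 name="test.sh" inode=99213313 dev=08:11 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1612224060.456:5208): arch=c000003e syscall=83 success=yes exit=0 a0=7ffd1c2e3a10 a1=1ff a2=0 a3=0 items=2 ppid=3001 pid=3002 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts1 ses=10870 comm="mkdir" exe="/usr/bin/mkdir" key="auditest2"
type=CWD msg=audit(1612224060.456:5208):  cwd="/root/chen/test"
type=PATH msg=audit(1612224060.456:5208): item=0 name="/root/chen/test" inode=99213313 dev=08:11 mode=040755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1612224060.456:5208): item=1 name="/root/chen/test/non-root" inode=99213320 dev=08:11 mode=040755 ouid=1001 ogid=1001 rdev=00:00
type=SYSCALL msg=audit(1612224120.789:5209): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=21e0560 a2=90800 a3=0 items=1 ppid=2354 pid=30731 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=10868 comm="ls" exe="/usr/bin/ls" key=(null)
"""

# Minimal interpretation tables: the arch value from the text, and the x86_64
# syscall numbers from /usr/include/asm/unistd_64.h for the calls the rules use.
ARCH_NAMES = {"c000003e": "x86_64"}
SYSCALL_NAMES_X86_64 = {82: "rename", 83: "mkdir", 84: "rmdir", 85: "creat",
                        87: "unlink", 257: "openat", 263: "unlinkat", 264: "renameat"}

_HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$')
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit.log line into type, timestamp, event serial and fields."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rtype, secs, millis, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in _FIELD.findall(body)}
    return {"type": rtype, "time": float(f"{secs}.{millis}"),
            "serial": int(serial), "fields": fields}


def group_events(log_text):
    """Group records by serial: every record of one event carries the same ID."""
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["serial"], []).append(rec)
    return events


def syscall_record(event):
    """Return the SYSCALL record of an event, or None if it has none."""
    return next((r for r in event if r["type"] == "SYSCALL"), None)


def search(events, key=None, comm=None):
    """Return the serials of events matching -k key and/or -c comm, like ausearch."""
    hits = []
    for serial, recs in sorted(events.items()):
        sc = syscall_record(recs)
        if sc is None:
            continue
        f = sc["fields"]
        if key is not None and f.get("key") != key:
            continue
        if comm is not None and f.get("comm") != comm:
            continue
        hits.append(serial)
    return hits


def interpret(event):
    """Translate the numeric fields of one event into names, as ausearch -i does (UTC here)."""
    sc = syscall_record(event)
    f = sc["fields"]
    arch = ARCH_NAMES.get(f.get("arch"), f.get("arch"))
    num = int(f["syscall"]) if "syscall" in f else None
    # The number-to-name table is architecture specific, so only apply it for x86_64.
    syscall = SYSCALL_NAMES_X86_64.get(num, str(num)) if arch == "x86_64" else str(num)
    return {
        "time": datetime.fromtimestamp(sc["time"], tz=timezone.utc).strftime("%Y-%m-%d %H:%M:%S"),
        "arch": arch, "syscall": syscall, "success": f.get("success"),
        "auid": f.get("auid"), "uid": f.get("uid"), "comm": f.get("comm"), "exe": f.get("exe"),
        "cwd": next((r["fields"].get("cwd") for r in event if r["type"] == "CWD"), None),
        "paths": [r["fields"].get("name") for r in event if r["type"] == "PATH"],
        "key": None if f.get("key") == "(null)" else f.get("key"),
    }


if __name__ == "__main__":
    evs = group_events(SAMPLE_LOG)
    # Same question as "ausearch -k auditest2 -i -c mkdir" in section 4.1.
    for serial in search(evs, key="auditest2", comm="mkdir"):
        print(serial, interpret(evs[serial]))
```

Grouping by serial is what lets the PATH and CWD records be attached to the SYSCALL record that caused them, which is why section 4.2 can read inode, dev and mode off a separate line of the same event.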
4.3 Audit log reports
Use the aureport command to generate reports from the log:
aureport -au    generate a report on authentication
aureport -k -i    generate a report by the keys set earlier
aureport -s    generate a report by system call
aureport -ts 02/02/2021 00:00:00 -te today    generate a report for the specified time range
aureport -p -i    generate a report by process ID
aureport -t    view the log by time
aureport -if <file name>    generate a report from the given file