Linux audit tool auditd usage and log collection

0 Overview

The auditd tool helps operators audit a Linux system and reconstruct what happened on it. The Linux kernel can log events, including system calls and file accesses, and administrators can examine these logs to determine whether there has been a security breach (such as repeated failed login attempts, or failed user access to system files).

1 Installation

CentOS 7 installs the audit package by default.
Use the command service auditd status to check whether the service is running.

2 Configuration files

The /etc/audit directory contains:
auditd.conf ---- configuration file of the audit daemon
audit.rules ---- the audit rules; this file is generated from /etc/audit/rules.d
audit-stop.rules ---- audit stop rules; this file defines the rules applied when auditing stops
rules.d directory ---- defines the rules to be audited; rules written to a file here remain in effect permanently

auditd.conf is the audit tool's configuration file. For a detailed explanation of each parameter, refer to the official documentation: https://linux.die.net/man/8/auditd.conf

3 auditd tools

 auditctl: the default command for operating auditd (defining rules, checking status)
 aureport: generates summary reports from the audit logs
 ausearch: searches the audit logs for events
 autrace: traces a process

3.1 auditctl command

auditctl -l    list the currently defined rules
auditctl -a    add a rule (a rule added this way is only in effect until the next restart; to make it permanent, write it to the configuration file)
auditctl -a action,filter -S system_call -F field=value -k key_name

action and filter specify when an event is logged. action can be always or never; filter specifies which kernel rule-matching filter the rule is attached to and can be task, exit, user, or exclude.
system_call specifies the name of the system call; several system calls can be written in one rule, as in -S xxx -S xxx. The system call names can be found in /usr/include/asm/unistd_64.h. For an explanation of the individual fields, see: https://blog.csdn.net/xiyangfan/article/details/5259258
field=value is an additional option that restricts the rule to events matching a specific architecture, group ID, process ID, etc. For the available fields, refer to https://linux.die.net/man/8/auditctl.
For example, to record an audit event whenever a file is deleted or renamed by a user with a user ID of 1000 or greater, the command is:

auditctl -a always,exit -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete

The following rule audits writes and attribute changes to /etc/shadow:

auditctl -a always,exit -F path=/etc/shadow -F perm=wa

It is equivalent to auditctl -w /etc/shadow -p wa

auditctl -d    delete a rule
auditctl -D    delete all rules
auditctl -w    specify the file or directory path to audit
auditctl -p [r|w|x|a]    used together with -w; specifies which accesses to the file/directory trigger an audit record

rwxa: the trigger conditions; r read, w write, x execute, a attribute change (changing the attributes of a file or directory)

auditctl -k    specify a key (alias) so that the related records can be found by that name in a later search
auditctl -s    show the status of the auditd service
auditctl -e    set the enabled flag

Setting it to 0 turns auditing off and setting it to 1 turns it on; 2 locks the configuration. The lock is generally set last, after all other rules, to prevent anyone from modifying the rules: any attempt to modify them is rejected and recorded in the audit log, and the flag can only be changed again after the system is rebooted.

3.2 aureport command

aureport generates summary reports from the audit logs.

-au	authentication report
-c	configuration change report
-cr	crypto event report
-e	event report
-f	file report
-i	interpret numeric values as text
-if <input file>	use the given file as input
-h	host report
-l	login report
-k	key report
-m	account modification report
-ma	mandatory access control (MAC) event report
-p	process report
-s	system call report
-tm	terminal report
--node <node name>	only events from the given node
--success	only show successful events in the report
--failed	only show failed events in the report
-n	anomaly event report
--summary	sort the totals for the main object in the report
-r	anomaly response report
-t	log time range report
-te <end date> <end time>	end time of the report
-ts <start date> <start time>	start time of the report
--tty	tty report
-u	user report
-x	executable report

3.3 ausearch command

ausearch -a 5207    search the current audit log for the event with event ID 5207
ausearch -k xx      show the audit records recorded under the given key (alias)
ausearch -i         interpret numeric values in the output as text
ausearch -f         show the audit records for the given audited file or directory (search by file name)
ausearch -m         search by message type
ausearch -ul        search by login ID
ausearch -ua        search by uid and euid
ausearch -ui        search by uid
ausearch -ue        search by euid
ausearch -ga        search by gid and egid
ausearch -gi        search by gid
ausearch -ge        search by egid
ausearch -c         search by command name
ausearch -x         search by executable
ausearch -sc        search by syscall
ausearch -p         search by pid
ausearch -sv        search by syscall return status (yes/no)
ausearch -tm        search by terminal (term/ssh/tty)
ausearch -hn        search by host name
ausearch -k         search by a specific key
ausearch -w         search by the string set in the audit rule

3.4 Other: autrace

To check whether a rule has taken effect, we often trace a specific process with autrace; the records it generates are stored in /var/log/audit/audit.log. Before tracing a process with autrace, delete all current rules with auditctl -D so that the trace does not mix with records produced by the previously loaded audit rules. After autrace finishes, restart the audit service with systemctl restart auditd.

autrace /usr/bin/less

4 Audit logs

4.1 Examples

Add the following two audit rules:

auditctl -w /root/chen/test.sh -p wxra -F uid=root -k auditest1
auditctl -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -S mkdir -S rmdir -S creat -F uid!=root -F dir=/root/chen/test -k auditest2

After adding them, use auditctl -l to verify the loaded rules.
Use ausearch -k auditest1 -i and ausearch -k auditest2 -i to view the current audit log; the records show that the rules have been loaded.
Run the test.sh script as root and as a non-root user (sh test.sh), then view the audit log with ausearch -k auditest1 -i: only the execution by the root user is recorded.
Likewise, as root and as a non-root user, create directories named root and non-root under /root/chen/test, then run ausearch -k auditest2 -i -c mkdir: only the directory created by the non-root user is recorded.

4.2 Analysis of audit log content

type=SYSCALL

Each record starts with type="keyword"; SYSCALL indicates that the record was triggered by a system call into the kernel. For the full list of type values and their meanings, see: https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-Audit_Record_Types

audit(time_stamp:ID)

The msg=audit(time_stamp:ID) part carries the time stamp, recorded as seconds since January 1, 1970 00:00:00, and the ID, which is the unique event ID of the record; all records generated by the same event share the same ID.

arch=c000003e

The CPU architecture of the system in hexadecimal; c000003e stands for x86_64. The command ausearch -i --arch c000003e prints the interpreted form of the audit.log records that carry this value. Note that ausearch only returns results if such records actually exist in the audit log.

syscall=257

The number of the system call made to the kernel. The value 257 is defined in /usr/include/asm/unistd_64.h, where 257 is openat. Use the ausyscall command to look up the name corresponding to a number, or ausyscall --dump to list all system calls.

success=yes

Indicates whether the system call succeeded.

exit=3

The return code of the system call. Different system calls return different values; use the following command to view the interpreted records with a return value of 3:

# ausearch --interpret --exit 3

a0=ffffffffffffff9c a1=21e0550 a2=90800 a3=0

The first four arguments of the system call; their meaning depends on the system call. ausearch -i can interpret some of them into their symbolic meaning.

items=1

The number of auxiliary records (such as PATH) that follow this system call record.

ppid=2354

Parent process ID, for example the ID of the bash shell that launched the command.

pid=30729

Process ID, here the ID of the ls process. Looking it up with ps shows that its parent (ppid) is the bash process.

auid=0

auid is the audit user ID, i.e. the loginuid: the ID of the user who logged in. For root it is 0.

uid=1001, gid=1001, euid=1001, suid=1001, fsuid=1001, egid=1001, sgid=1001, fsgid=1001

uid is the ID of the user that started the analysed process, i.e. the user executing it. The others are the group ID (gid), effective user ID (euid), set user ID (suid), file system user ID (fsuid), effective group ID (egid), set group ID (sgid) and file system group ID (fsgid).

tty=pts0

The terminal (tty) on which the operation was performed, for example the terminal in which ls was run.

ses=10868

Session ID of the login session.

comm=ls

The command that produced the audit record.

exe="/usr/bin/ls"

The full path of the executable file.

type=CWD

CWD stands for current working directory; this record gives the working directory of the process.

inode=99213313

The inode number of the file or directory. The file corresponding to an inode can be found with:

find / -inum 99213313 -print

dev=08:11

The dev field gives the major and minor numbers of the device holding the file.

mode=040755

The mode field gives the permissions (mode) of the file or directory.

ouid=0

User ID of the object's owner.

ogid=0

Group ID of the object's owner.
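The fields described in this section can be parsed and grouped mechanically. The following is an added example (not code from the original post): it parses raw audit.log lines, groups records by event ID, resolves arch and syscall numbers for x86_64, and flags SYSCALL records where the login user (auid) differs from the executing user (uid), skipping records with no login session just as the -F auid!=4294967295 rule above does. The log lines and the syscall table are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample of /var/log/audit/audit.log lines (all values are made up).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1612224000.123:5207): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=21e0550 a2=90800 a3=0 items=1 ppid=2354 pid=30729 auid=0 uid=0 gid=0 euid=0 tty=pts0 ses=10868 comm="sh" exe="/usr/bin/bash" key="auditest1"
type=SYSCALL msg=audit(1612224050.456:5208): arch=c000003e syscall=83 success=yes exit=0 a0=7ffd1c a1=1ff a2=0 a3=0 items=2 ppid=2400 pid=30800 auid=1001 uid=0 gid=0 euid=0 tty=pts1 ses=10870 comm="mkdir" exe="/usr/bin/mkdir" key="auditest2"
type=SYSCALL msg=audit(1612224099.000:5209): arch=c000003e syscall=87 success=no exit=-2 a0=0 a1=0 a2=0 a3=0 items=1 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" key="delete"
"""
# Subset of x86_64 numbers from /usr/include/asm/unistd_64.h (ausyscall --dump lists them all).
ARCH = {"c000003e": "x86_64"}
SYSCALL_X86_64 = {257: "openat", 83: "mkdir", 84: "rmdir", 87: "unlink", 82: "rename", 263: "unlinkat"}
UNSET_AUID = "4294967295"  # (unsigned)-1: the process has no login session, e.g. a daemon
HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Parse one audit.log line into a dict (None for lines that are not audit records)."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rtype, secs, event_id, rest = m.groups()
    rec = {"type": rtype, "time": int(secs), "event_id": int(event_id)}
    rec.update((k, v.strip('"')) for k, v in FIELD_RE.findall(rest))
    return rec

def group_events(text):
    """Group records by event ID: records sharing an ID belong to one event."""
    events = defaultdict(list)
    for rec in filter(None, map(parse_record, text.splitlines())):
        events[rec["event_id"]].append(rec)
    return dict(events)

def syscall_name(rec):
    """Resolve arch + syscall number to a name, as ausearch -i does (x86_64 only here)."""
    if ARCH.get(rec.get("arch")) != "x86_64":
        return rec.get("syscall", "?")
    return SYSCALL_X86_64.get(int(rec["syscall"]), rec["syscall"])

def flag_identity_switch(events):
    """Flag SYSCALL records whose login user (auid) differs from the executing user (uid),
    i.e. the action ran under another identity than the one that logged in (su/sudo)."""
    flagged = []
    for eid, recs in sorted(events.items()):
        for r in recs:
            if r["type"] != "SYSCALL" or r.get("auid") in (None, UNSET_AUID):
                continue
            if r["auid"] != r["uid"]:
                flagged.append((eid, r.get("key"), syscall_name(r), r["auid"], r["uid"]))
    return flagged
```

Running it over a real /var/log/audit/audit.log only requires reading the file into group_events; records of other types (CWD, PATH) are kept under the same event ID as their SYSCALL record.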

4.3 Audit log report

Use the aureport command to generate reports from the logs.

aureport -au    generate a report about authentication

aureport -k -i    generate a report by the keys set earlier, with interpreted values

aureport -s    generate a report by system call

aureport -ts 02/02/2021 00:00:00 -te today    generate a report for the given time range

aureport -p -i    generate a report by process ID

aureport -t    view the log by time

aureport -if <file name>    generate a report from the given file

Origin blog.csdn.net/Keyuchen_01/article/details/113629205