ubuntu22.04 部署 Auditd

发布时间 2023-04-04 13:25:41作者: 小吉猫

安装 Auditd

# apt -y install auditd

auditd.conf(示例中行尾的 `# …` 为说明性注释;请先确认所用版本的 auditd 配置解析器接受行内注释,再原样写入 /etc/audit/auditd.conf,否则 auditd 可能因解析失败而无法启动,造成审计缺口)

#
# This file controls the configuration of the audit daemon
#

local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log     # 指定日志文件
log_group = adm
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8                        # 日志文件的最大大小(兆字节)
num_logs = 5                            # 指定的日志文件数 [max_log_file_action=ROTATE]
priority_boost = 4
name_format = NONE                      # 日志文件中的主机名 有效值:NONE、HOSTNAME、FQD、NUMERIC、USER
##name = mydomain                       # [name_format=USER]
max_log_file_action = ROTATE            # 指定日志文件大小超过限制时的操作 有效值:IGNORE、SYSLOG、SUSPEND、ROTATE、KEEP_LOGS
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND              # 磁盘写满时停止写审计日志;需要更强保证的环境应评估 single 或 halt
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
transport = TCP
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
q_depth = 1200
overflow_action = SYSLOG
max_restarts = 10
plugin_dir = /etc/audit/plugins.d
end_of_event_timeout = 2

Audit Rules

显示当前规则(默认情况下没有规则,输出如下)

# auditctl -l
No rules

参数说明

usage: auditctl [options]
    -a <l,a>                          Append rule to end of <l>ist with <a>ction
    -A <l,a>                          Add rule at beginning of <l>ist with <a>ction
    -b <backlog>                      Set max number of outstanding audit buffers
                                      allowed Default=64
    -c                                Continue through errors in rules
    -C f=f                            Compare collected fields if available:
                                      Field name, operator(=,!=), field name
    -d <l,a>                          Delete rule from <l>ist with <a>ction
                                      l=task,exit,user,exclude,filesystem
                                      a=never,always
    -D                                Delete all rules and watches
    -e [0..2]                         Set enabled flag
    -f [0..2]                         Set failure flag
                                      0=silent 1=printk 2=panic
    -F f=v                            构建规则:字段名, operator(=,!=,<,>,<=,
                                      >=,&,&=) value
    -h                                Help
    -i                                Ignore errors when reading rules from file
    -k <key>                          设置用于搜索日志的关键字
    -l                                List rules
    -m text                           Send a user-space message
    -p [r|w|x|a]                      指定审计的目标操作
                                      r=read, w=write, x=execute, a=attribute
    -q <mount,subtree>                make subtree part of mount point's dir watches
    -r <rate>                         Set limit in messages/sec (0=none)
    -R <file>                         read rules from file
    -s                                Report status
    -S syscall                        构建规则:系统调用名称或编号
    --signal <signal>                 Send the specified signal to the daemon
    -t                                Trim directory watches
    -v                                Version
    -w <path>                         Insert watch at <path>
    -W <path>                         Remove watch at <path>
    --loginuid-immutable              Make loginuids unchangeable once set
    --backlog_wait_time               Set the kernel backlog_wait_time
    --reset-lost                      Reset the lost record counter
    --reset_backlog_wait_time_actual  Reset the actual backlog wait time counter

将审计规则(写入 w 与属性更改 a)设置为 [/etc/hosts]

设置规则

# auditctl -w /etc/hosts -p wa -k hosts_change

查看规则

# auditctl -l
-w /etc/hosts -p wa -k hosts_change

修改 hosts 文件(下方日志显示该次修改实际由 vim 完成,因此出现 rename、fchown、setxattr 等系统调用)

# echo "127.0.0.1    172-16-18-31" >> /etc/hosts

查看日志

# ausearch -k hosts_change | aureport -f -i
File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 04/04/2023 12:45:42 /etc/hosts~ rename yes /usr/bin/vim.basic ubuntu 82
2. 04/04/2023 12:45:42 /etc/hosts openat yes /usr/bin/vim.basic ubuntu 83
3. 04/04/2023 12:45:42 (null) fchown yes /usr/bin/vim.basic ubuntu 84
4. 04/04/2023 12:45:42 (null) fchown yes /usr/bin/vim.basic ubuntu 85
5. 04/04/2023 12:45:42 (null) fchmod yes /usr/bin/vim.basic ubuntu 86
6. 04/04/2023 12:45:42 /etc/hosts setxattr yes /usr/bin/vim.basic ubuntu 87

将审计规则(读取)设置为 [/opt/test/]

设置规则

# auditctl -w /opt/test -p r -k testdir_audit

查看规则

# auditctl -l
-w /etc/hosts -p wa -k hosts_change
-w /opt/test -p r -k testdir_audit

操作 /opt/test

# ls -l /opt/test/test1/
total 0

查看日志

# ausearch -k testdir_audit | aureport -f -i
File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 04/04/2023 12:54:56 /opt/test sendto yes /usr/sbin/auditctl ubuntu 88
...
13. 04/04/2023 13:17:09 /opt/test/test1/ lgetxattr no /usr/bin/ls ubuntu 122
14. 04/04/2023 13:17:09 /opt/test/test1/ getxattr no /usr/bin/ls ubuntu 123
15. 04/04/2023 13:17:09 /opt/test/test1/ getxattr no /usr/bin/ls ubuntu 124
16. 04/04/2023 13:17:09 /opt/test/test1/ openat yes /usr/bin/ls ubuntu 125

设置审计规则来监控登录 UID(auid)大于等于 1000 的用户删除文件的操作(auid!=-1 用于排除没有登录 UID 的守护进程)

设置规则

# auditctl -a always,exit -F arch=b64 -S unlink,unlinkat -F 'auid>=1000' -F 'auid!=-1' -F key=delete_audit

操作记录

$ id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd)
$ rm -rf 1.txt

查看日志

# ausearch -k delete_audit | aureport -f -i
File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 04/04/2023 13:11:33 1.txt unlinkat yes /usr/bin/rm ubuntu 111

规则持久化(写入 /etc/audit/rules.d/ 后需执行 augenrules --load 或重启 auditd 才会加载;重复执行下面的追加命令会产生重复规则)

# auditctl -l >> /etc/audit/rules.d/additional.rules

查看 auditd 日志(输出中的 type=UNKNOWN[1420] 表示用户态 audit 工具尚无该记录类型的名称,该记录携带 subj_apparmor 字段,并非错误)

audit.log

# tail -f /var/log/audit/audit.log
type=PROCTITLE msg=audit(1680578718.830:70): proctitle="su"
type=UNKNOWN[1420] msg=audit(1680578718.830:70): subj_apparmor=unconfined
type=CRED_ACQ msg=audit(1680578718.830:71): pid=58628 uid=0 auid=1000 ses=51 subj=? msg='op=PAM:setcred grantors=pam_rootok acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=/dev/pts/5 res=success'UID="root" AUID="ubuntu"
type=SYSCALL msg=audit(1680578718.830:71): arch=c000003e syscall=44 success=yes exit=132 a0=3 a1=7ffefad9bf10 a2=84 a3=0 items=0 ppid=58627 pid=58628 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=51 comm="su" exe="/usr/bin/su" subj=? key=(null)ARCH=x86_64 SYSCALL=sendto AUID="ubuntu" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1680578718.830:71): proctitle="su"
type=UNKNOWN[1420] msg=audit(1680578718.830:71): subj_apparmor=unconfined
type=USER_START msg=audit(1680578718.830:72): pid=58628 uid=0 auid=1000 ses=51 subj=? msg='op=PAM:session_open grantors=pam_env,pam_env,pam_mail,pam_limits,pam_permit,pam_umask,pam_unix,pam_systemd acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=/dev/pts/5 res=success'UID="root" AUID="ubuntu"
type=SYSCALL msg=audit(1680578718.830:72): arch=c000003e syscall=44 success=yes exit=204 a0=4 a1=7ffefad9bf10 a2=cc a3=0 items=0 ppid=58627 pid=58628 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=51 comm="su" exe="/usr/bin/su" subj=? key=(null)ARCH=x86_64 SYSCALL=sendto AUID="ubuntu" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1680578718.830:72): proctitle="su"
type=UNKNOWN[1420] msg=audit(1680578718.830:72): subj_apparmor=unconfined

搜索 USER_LOGIN 相关日志

# ausearch --message USER_LOGIN --interpret
----
type=USER_LOGIN msg=audit(04/04/2023 11:24:50.830:62) : pid=58555 uid=root auid=ubuntu ses=51 subj=? msg='op=login id=ubuntu exe=/usr/sbin/sshd hostname=172.16.3.213 addr=172.16.3.213 terminal=/dev/pts/4 res=success' 

通过用户 ID 1000 搜索 sudo 操作(-ua 匹配 uid、euid、auid 中任一字段)

# ausearch -x sudo -ua 1000
----
time->Tue Apr  4 11:25:16 2023
type=USER_ACCT msg=audit(1680578716.738:63): pid=58625 uid=1000 auid=1000 ses=51 subj=? msg='op=PAM:accounting grantors=pam_permit acct="ubuntu" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/4 res=success'
----
time->Tue Apr  4 11:25:16 2023
type=UNKNOWN[1420] msg=audit(1680578716.738:63): subj_apparmor=unconfined
type=PROCTITLE msg=audit(1680578716.738:63): proctitle=7375646F0073
type=SYSCALL msg=audit(1680578716.738:63): arch=c000003e syscall=44 success=yes exit=140 a0=6 a1=7ffc2bea29d0 a2=8c a3=0 items=0 ppid=58615 pid=58625 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts4 ses=51 comm="sudo" exe="/usr/bin/sudo" subj=? key=(null)
----
time->Tue Apr  4 11:25:16 2023
type=USER_CMD msg=audit(1680578716.738:64): pid=58625 uid=1000 auid=1000 ses=51 subj=? msg='cwd="/home/ubuntu" cmd="s" exe="/usr/bin/sudo" terminal=pts/4 res=failed'
----
time->Tue Apr  4 11:25:16 2023
type=UNKNOWN[1420] msg=audit(1680578716.738:64): subj_apparmor=unconfined
type=PROCTITLE msg=audit(1680578716.738:64): proctitle=7375646F0073
type=SYSCALL msg=audit(1680578716.738:64): arch=c000003e syscall=44 success=yes exit=92 a0=6 a1=7ffc2be9ea60 a2=5c a3=0 items=0 ppid=58615 pid=58625 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts4 ses=51 comm="sudo" exe="/usr/bin/sudo" subj=? key=(null)
----

搜索从 2023/01/19 到 2023/04/04 登录用户 ID 1000 的用户的日志(注意:下方示例命令的 --start/--end 均为 04/04/2023,即仅搜索当天)

# ausearch --start 04/04/2023 --end 04/04/2023 -ul 1000
time->Tue Apr  4 11:25:18 2023
type=UNKNOWN[1420] msg=audit(1680578718.826:66): subj_apparmor=unconfined
type=PROCTITLE msg=audit(1680578718.826:66): proctitle=7375646F007375
type=SYSCALL msg=audit(1680578718.826:66): arch=c000003e syscall=44 success=yes exit=92 a0=6 a1=7fff96df32b0 a2=5c a3=0 items=0 ppid=58615 pid=58626 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts4 ses=51 comm="sudo" exe="/usr/bin/sudo" subj=? key=(null)
----
time->Tue Apr  4 11:25:18 2023
type=CRED_REFR msg=audit(1680578718.826:67): pid=58626 uid=1000 auid=1000 ses=51 subj=? msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/4 res=success'
----

aureport

显示没有参数的完整摘要

# aureport
总结报告
======================
日志中的时间范围: 04/04/2023 11:17:43.528 - 04/04/2023 12:17:01.477
选定报告时间: 04/04/2023 11:17:43 - 04/04/2023 12:17:01.477
配置更改次数:4
帐户、组或角色的更改次数:5
登录次数:10
登录失败次数:3
认证数量:14
认证失败次数:7
用户数:4
终端数量:6
主机名数量:3
可执行文件数量:10
命令数:12
文件数:0
AVC 的数量:0
MAC 事件数:0
失败的系统调用数:0
异常事件数:0
异常事件响应数:0
加密事件数:0
完整性事件数:0
虚拟事件数:0
键数:0
进程 ID 数:38
事件数:491

显示认证日志种类 

# aureport -au

鉴定报告
============================================
# 日期时间 acct host term exe 成功事件
============================================
1. 04/04/2023 11:25:18 root ? /dev/pts/5 /usr/bin/su yes 69

显示各种失败的认证日志

# aureport -au --failed --summary
失败的身份验证摘要报告
=============================
total  acct
=============================
3  debian
3  ubuntu
1  root

显示用户帐户日志的修改类型

# aureport -m -i
账户修改报告
=================================================
# date time auid addr term exe acct 成功事件
=================================================
1. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 68
2. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 69
3. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 70
4. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/useradd ? yes 71
5. 12/20/2022 11:30:54 root dlp.srv.world ttyS0 /usr/bin/passwd debian yes 74

显示自本月以来用户帐户日志的修改类型

# aureport -m -i --start this-month
Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 68
2. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 69
3. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 70
4. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/useradd ? yes 71
5. 12/20/2022 11:30:54 root dlp.srv.world ttyS0 /usr/bin/passwd debian yes 74

显示各种执行日志

# aureport -x -i
Executable Report
====================================
# date time exe term host auid event
====================================
1. 04/04/2023 11:17:43 /usr/sbin/auditctl (none) ? unset 37
2. 04/04/2023 11:17:43 /usr/sbin/auditctl (none) ? unset 38
3. 04/04/2023 11:17:43 /usr/sbin/auditctl (none) ? unset 39
4. 04/04/2023 11:17:43 /usr/lib/systemd/systemd ? ? unset 40
5. 04/04/2023 11:17:43 /usr/lib/systemd/systemd ? ? unset 43
...
69. 04/04/2023 12:17:01 /usr/sbin/cron (none) ? unset 75
70. 04/04/2023 12:17:01 /usr/sbin/cron cron ? unset 76
71. 04/04/2023 12:17:01 /usr/sbin/cron (none) ? unset 76
72. 04/04/2023 12:17:01 /usr/sbin/cron (none) ? root 77
73. 04/04/2023 12:17:01 /usr/sbin/cron cron ? root 78
74. 04/04/2023 12:17:01 /usr/sbin/cron (none) ? root 78
75. 04/04/2023 12:17:01 /usr/sbin/cron cron ? root 79
76. 04/04/2023 12:17:01 /usr/sbin/cron (none) ? root 79
77. 04/04/2023 12:17:01 /usr/sbin/cron cron ? root 80
78. 04/04/2023 12:17:01 /usr/sbin/cron (none) ? root 80

显示从 2022/12/19 到 2022/12/20 的执行日志种类

# aureport -x -i --start 12/19/2022 --end 12/20/2022
Executable Report
====================================
# date time exe term host auid event
====================================
1. 12/20/2022 11:29:48 /usr/sbin/auditctl (none) ? unset 17
2. 12/20/2022 11:29:48 /usr/sbin/auditctl (none) ? unset 18
3. 12/20/2022 11:29:48 /usr/sbin/auditctl (none) ? unset 19
4. 12/20/2022 11:29:48 /usr/lib/systemd/systemd ? ? unset 20
5. 12/20/2022 11:30:29 /usr/bin/login /dev/ttyS0 dlp.srv.world root 23

通过 UserID 1000 搜索并显示 sudo 日志

# ausearch -x sudo -ua 1000 | aureport -au
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 12/20/2022 11:32:39 ubuntu dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 191
2. 12/20/2022 11:34:22 ubuntu dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 277
3. 12/20/2022 11:34:26 ubuntu dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 278
4. 12/20/2022 11:34:28 ubuntu dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 279

通过 UserID 1000 搜索并显示执行日志(注意:下方示例命令实际使用的是 -ui 1001,输出对应 debian 用户)

# ausearch -ui 1001 | aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 12/20/2022 11:33:56 /usr/bin/sudo /dev/ttyS0 dlp.srv.world debian 252
2. 12/20/2022 11:33:56 /usr/bin/sudo ttyS0 ? debian 252
3. 12/20/2022 11:33:56 /usr/bin/sudo /dev/ttyS0 dlp.srv.world debian 253
4. 12/20/2022 11:33:56 /usr/bin/sudo ttyS0 ? debian 253
5. 12/20/2022 11:33:56 /usr/bin/sudo ttyS0 ? debian 254
6. 12/20/2022 11:33:56 /usr/bin/sudo ttyS0 ? debian 254
7. 12/20/2022 11:33:59 /usr/bin/su /dev/ttyS0 dlp.srv.world debian 255
8. 12/20/2022 11:33:59 /usr/bin/su ttyS0 ? debian 255

参考文档

https://www.server-world.info/en/note?os=Ubuntu_22.04&p=audit&f=1