audit是linux内核的特性,可以通过内核参数audit=1来启用。
/etc/audit/audit.rules是audit的规则文件,本文主要讲述如何利用audit来监视系统重要资源。
一、监控文件系统行为(依靠文件、目录的权限属性来识别)
规则格式:-w 路径 -p 权限 -k 关键字
其中权限动作分为四种
r 读取文件
w 写入文件
x 执行文件
a 修改文件属性
示例,监控/etc/passwd文件的修改行为(写,权限修改)
-w /etc/passwd -p wa
将上述内容加入到audit.rules中即可实现对该文件的监视。
同理,为了维护系统正常,下列资源也应该被监视。
-w /etc/at.allow
-w /etc/at.deny
-w /etc/inittab -p wa
-w /etc/init.d/
-w /etc/init.d/auditd -p wa
-w /etc/cron.d/ -p wa
-w /etc/cron.daily/ -p wa
-w /etc/cron.hourly/ -p wa
-w /etc/cron.monthly/ -p wa
-w /etc/cron.weekly/ -p wa
-w /etc/crontab -p wa
-w /etc/group -p wa
-w /etc/passwd -p wa
-w /etc/shadow
-w /etc/sudoers -p wa
-w /etc/hosts -p wa
-w /etc/sysconfig/
-w /etc/sysctl.conf -p wa
-w /etc/modprobe.d/
-w /etc/aliases -p wa
-w /etc/bashrc -p wa
-w /etc/profile -p wa
-w /etc/profile.d/
-w /var/log/lastlog
-w /var/log/yum.log
-w /etc/issue -p wa
-w /etc/issue.net -p wa
-w /usr/bin/ -p wa
-w /usr/sbin/ -p wa
-w /bin -p wa
-w /etc/ssh/sshd_config
注:如果没有-p选项,则默认监视所有动作rwxa
二、监控系统调用行为(依靠系统调用来识别)
规则:-a 一系列动作 -S 系统调用名称 -F 字段=值 -k 关键字
系统调用的种类见:
http://www.ibm.com/developerworks/cn/linux/kernel/syscall/part1/appendix.html
列举常见应该被监视的系统调用
-a exit,always -F 规则字段 none 不记 exit:行为完成后记录审计(一般常用) entry:行为刚开始时记录审计(某些规则要求)
监视文件权限变化,因为改变权限必须调用umask
-a entry,always -S umask -S chown #-a后面的规则:always总是记录审计;none不记录;exit行为完成后记录审计;entry行为刚刚开始 时记录审计
监视主机名变化,因为修改主机名必须调用sethostname
-a entry,always -S sethostname -S setdomainname
监视系统时间变化
-a entry,always -S adjtimex -S settimeofday -S stime
设置系统日期和时间
-a entry,always -S stime
监控用户和组ID变化
-a entry,always -S setuid -S seteuid -S setreuid
-a entry,always -S setgid -S setegid -S setregid
监控挂载
-a entry,always -S mount -S umount
注:请查阅系统调用列表后决定监控那种行为,系统调用是底层的、全局性的,监控不合适的调用,会给系统带来巨大负担。
audit.rules 样本
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 1024
# Feel free to add below this line. See auditctl man page
-a exit,always -F arch=b64 -S umask -S chown -S chmod
-a exit,always -F arch=b64 -S unlink -S rmdir
-a exit,always -F arch=b64 -S setrlimit
-a exit,always -F arch=b64 -S setuid -S setreuid
-a exit,always -F arch=b64 -S setgid -S setregid
-a exit,always -F arch=b64 -S sethostname -S setdomainname
-a exit,always -F arch=b64 -S adjtimex -S settimeofday
-a exit,always -F arch=b64 -S mount -S _sysctl
-w /etc/group -p wa
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/sudoers -p wa
-w /etc/ssh/sshd_config
-w /etc/bashrc -p wa
-w /etc/profile -p wa
-w /etc/profile.d/
-w /etc/aliases -p wa
-w /etc/sysctl.conf -p wa
-w /var/log/lastlog
# Disable adding any additional rules - note that adding *new* rules will require a reboot
#-e 2
读取audit报告
aureport --start this-week
aureport --user
aureport --file
aureport --summary
审计日志时间转换脚本
time.pl:
s/(1\d{9})/localtime($1)/e
echo 1234567890|perl -p time.pl
转自:http://purplegrape.blog.51cto.com/1330104/1010148