CentOS7日誌審計

寫在前面的話: 最近公司在做等保,其中有審計的內容,因爲第一次接觸,所以在此粘貼在網上查找的各種資料,以作記錄.

目錄

一、用戶空間審計系統簡介

二、auditd配置文件

三、配置審計規則

四、審計日誌內容

五、使用ausearch搜索審計日誌

六、使用aureport查看審計報告

---

一、用戶空間審計系統簡介

Linux 內核有用日誌記錄事件的能力，包括記錄系統調用和文件訪問。管理員可以檢查這些日誌，確定是否存在安全漏洞（如多次失敗的登錄嘗試，或者用戶對系統文件不成功的訪問）。

Linux 用戶空間審計系統由 auditd、audispd、auditctl、autrace、ausearch 和 aureport 等應用程序組成。下面依次說明：

• auditctl：即時控制審計守護進程的行爲的工具，如添加規則等。
• auditd：audit 守護進程負責把內核產生的信息寫入到硬盤上，這些信息由應用程序和系統活動觸發產生。用戶空間審計系統通過 auditd 後臺進程接收內核審計系統傳送來的審計信息，將信息寫入到 /var/log/audit/audit.log。
• aureport：查看和生成審計報告的工具。
• ausearch：查找審計事件的工具
• auditspd：轉發事件通知給其他應用程序，而不是寫入到審計日誌文件中。
• autrace：一個用於跟蹤進程的命令。

audit和syslog日誌系統的關係

audit 主要用來記錄安全信息，用於對系統安全事件的追溯，而 syslog 用來記錄系統信息，如硬件警報和軟件日誌等。syslog 屬於應用層，沒辦法記錄太多信息，audit 用來記錄內核信息，包括文件的讀寫，權限的改變等。

二、auditd配置文件

vi /etc/audit/auditd.conf

# 是否記錄本地事件，如果設爲no，只記錄來自網絡的事件
local_events = yes
write_logs = yes
# 日誌文件
log_file = /var/log/audit/audit.log
log_group = root
log_format = RAW
# 日誌文件刷新方式，可選的選項有：
# NONE：不做特別處理
# INCREMENTAL：用freq選項的值確定多長時間發生一次向磁盤的刷新
# DATA：審計數據和日誌文件是同步的
# SYNC：寫日誌文件時，數據和元數據是同步的
flush = INCREMENTAL_ASYNC
freq = 50
# 日誌文件最大8MB
max_log_file = 8
# 日誌文件數量
num_logs = 5
# 進程優先級（-4），ps axl | grep auditd 可查
priority_boost = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
# 當log文件達到max_log_file設定大小後的動作。可選的動作有：
# IGNORE：忽略max_log_file設置的限制，繼續寫log文件
# SYSLOG：向syslog中寫入一條warning
# SUSPEND：auditd不再寫log文件，但是auditd繼續運行
# ROTATE：分多個log文件，一個log文件達到上限後在創建一個新的不同名字的log文件
max_log_file_action = ROTATE
# log_file文件所在的分區空閒空間少於這個設定的值時，觸發相應的動作，單位是MB
space_left = 75
# space_left設定被觸發時的動作。可選動作有：
# IGNORE, SYSLOG, SUSPEND：與前面max_log_file_action相似
# SINGLE：audit進程會將系統模式變爲單用戶模式
# HALT：audit進程將會觸發系統關機
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
# 磁盤滿後觸發的動作
disk_full_action = SUSPEND
# 磁盤錯誤觸發的動作
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no

三、配置審計規則

auditctl命令可以控制審計系統的基本功能、設定規則等，但爲了定義重啓後一直有效的審計規則，需要把規則定義到/etc/audit/rules.d/目錄下，重啓auditd時，/etc/audit/rules.d/目錄下所有文件的規則會合併到/etc/audit/audit.rules。

預配置規則文件

在/usr/share/doc/audit-{version}/rules/目錄下，audit根據不同的標準提供了一組預配置規則文件：

• nispom.rules — 審計規則配置符合《國家行業安全程序操作運行指南》的第八章中詳細說明的要求。
• pci-dss-v31.rules - 審計規則配置滿足第三方支付行業所設定的要求。
• stig.rules — 審計規則配置滿足由STIG（安全技術實施指南）所設定的要求。

如配置爲nispom規則：

cp /usr/share/doc/audit-2.8.4/rules/10-base-config.rules /usr/share/doc/audit-2.8.4/rules/30-nispom.rules /usr/share/doc/audit-2.8.4/rules/99-finalize.rules /etc/audit/rules.d/

重啓auditd：

service auditd restart

四、審計日誌內容

type=SYSCALL msg=audit(1557427974.683:2260): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=e61320 a2=90800 a3=0 items=1 ppid=31275 pid=4114 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=113 comm="bash" exe="/usr/bin/bash" key="audit-logs"
type=CWD msg=audit(1557427974.683:2260): cwd="/etc/audit"
type=PATH msg=audit(1557427974.683:2260): item=0 name="/var/log/audit/" inode=101477489 dev=fc:00 mode=040700 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1557427974.683:2260): proctitle="bash"

事件分析：

• type=SYSCALL

記錄類型，可以到RedHat網站查詢所有類型和說明：

B.2. AUDIT RECORD TYPES

Table B.2, “Record Types” lists all currently-supported types of Audit records. The event type is specified in the type= field at the beginning of every Audit record.

Table B.2. Record Types

Event Type	Explanation
ADD_GROUP	Triggered when a user-space group is added.
ADD_USER	Triggered when a user-space user account is added.
ANOM_ABEND[a]	Triggered when a processes ends abnormally (with a signal that could cause a core dump, if enabled).
ANOM_ACCESS_FS[a]	Triggered when a file or a directory access ends abnormally.
ANOM_ADD_ACCT[a]	Triggered when a user-space account addition ends abnormally.
ANOM_AMTU_FAIL[a]	Triggered when a failure of the Abstract Machine Test Utility (AMTU) is detected.
ANOM_CRYPTO_FAIL[a]	Triggered when a failure in the cryptographic system is detected.
ANOM_DEL_ACCT[a]	Triggered when a user-space account deletion ends abnormally.
ANOM_EXEC[a]	Triggered when an execution of a file ends abnormally.
ANOM_LOGIN_ACCT[a]	Triggered when an account login attempt ends abnormally.
ANOM_LOGIN_FAILURES[a]	Triggered when the limit of failed login attempts is reached.
ANOM_LOGIN_LOCATION[a]	Triggered when a login attempt is made from a forbidden location.
ANOM_LOGIN_SESSIONS[a]	Triggered when a login attempt reaches the maximum amount of concurrent sessions.
ANOM_LOGIN_TIME[a]	Triggered when a login attempt is made at a time when it is prevented by, for example, pam_time.
ANOM_MAX_DAC[a]	Triggered when the maximum amount of Discretionary Access Control (DAC) failures is reached.
ANOM_MAX_MAC[a]	Triggered when the maximum amount of Mandatory Access Control (MAC) failures is reached.
ANOM_MK_EXEC[a]	Triggered when a file is made executable.
ANOM_MOD_ACCT[a]	Triggered when a user-space account modification ends abnormally.
ANOM_PROMISCUOUS[a]	Triggered when a device enables or disables promiscuous mode.
ANOM_RBAC_FAIL[a]	Triggered when a Role-Based Access Control (RBAC) self-test failure is detected.
ANOM_RBAC_INTEGRITY_FAIL[a]	Triggered when a Role-Based Access Control (RBAC) file integrity test failure is detected.
ANOM_ROOT_TRANS[a]	Triggered when a user becomes root.
AVC	Triggered to record an SELinux permission check.
AVC_PATH	Triggered to record the dentry and vfsmount pair when an SELinux permission check occurs.
BPRM_FCAPS	Triggered when a user executes a program with a file system capability.
CAPSET	Triggered to record any changes in process-based capabilities.
CHGRP_ID	Triggered when a user-space group ID is changed.
CHUSER_ID	Triggered when a user-space user ID is changed.
CONFIG_CHANGE	Triggered when the Audit system configuration is modified.
CRED_ACQ	Triggered when a user acquires user-space credentials.
CRED_DISP	Triggered when a user disposes of user-space credentials.
CRED_REFR	Triggered when a user refreshes their user-space credentials.
CRYPTO_FAILURE_USER	Triggered when a decrypt, encrypt, or randomize cryptographic operation fails.
CRYPTO_KEY_USER	Triggered to record the cryptographic key identifier used for cryptographic purposes.
CRYPTO_LOGIN	Triggered when a cryptographic officer login attempt is detected.
CRYPTO_LOGOUT	Triggered when a crypto officer logout attempt is detected.
CRYPTO_PARAM_CHANGE_USER	Triggered when a change in a cryptographic parameter is detected.
CRYPTO_REPLAY_USER	Triggered when a replay attack is detected.
CRYPTO_SESSION	Triggered to record parameters set during a TLS session establishment.
CRYPTO_TEST_USER	Triggered to record cryptographic test results as required by the FIPS-140 standard.
CWD	Triggered to record the current working directory.
DAC_CHECK	Triggered to record DAC check results.
DAEMON_ABORT	Triggered when a daemon is stopped due to an error.
DAEMON_ACCEPT	Triggered when the auditd daemon accepts a remote connection.
DAEMON_CLOSE	Triggered when the auditd daemon closes a remote connection.
DAEMON_CONFIG	Triggered when a daemon configuration change is detected.
DAEMON_END	Triggered when a daemon is successfully stopped.
DAEMON_RESUME	Triggered when the auditd daemon resumes logging.
DAEMON_ROTATE	Triggered when the auditd daemon rotates the Audit log files.
DAEMON_START	Triggered when the auditd daemon is started.
DEL_GROUP	Triggered when a user-space group is deleted
DEL_USER	Triggered when a user-space user is deleted
DEV_ALLOC	Triggered when a device is allocated.
DEV_DEALLOC	Triggered when a device is deallocated.
EOE	Triggered to record the end of a multi-record event.
EXECVE	Triggered to record arguments of the execve(2) system call.
FD_PAIR	Triggered to record the use of the pipe and socketpair system calls.
FS_RELABEL	Triggered when a file system relabel operation is detected.
GRP_AUTH	Triggered when a group password is used to authenticate against a user-space group.
INTEGRITY_DATA[b]	Triggered to record a data integrity verification event run by the kernel.
INTEGRITY_HASH[b]	Triggered to record a hash type integrity verification event run by the kernel.
INTEGRITY_METADATA[b]	Triggered to record a metadata integrity verification event run by the kernel.
INTEGRITY_PCR[b]	Triggered to record Platform Configuration Register (PCR) invalidation messages.
INTEGRITY_RULE[b]	Triggered to record a policy rule.
INTEGRITY_STATUS[b]	Triggered to record the status of integrity verification.
IPC	Triggered to record information about a Inter-Process Communication object referenced by a system call.
IPC_SET_PERM	Triggered to record information about new values set by an IPC_SET control operation on an IPC object.
KERNEL	Triggered to record the initialization of the Audit system.
KERNEL_OTHER	Triggered to record information from third-party kernel modules.
LABEL_LEVEL_CHANGE	Triggered when an object's level label is modified.
LABEL_OVERRIDE	Triggered when an administrator overrides an object's level label.
LOGIN	Triggered to record relevant login information when a user log in to access the system.
MAC_CIPSOV4_ADD	Triggered when a Commercial Internet Protocol Security Option (CIPSO) user adds a new Domain of Interpretation (DOI). Adding DOIs is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_CIPSOV4_DEL	Triggered when a CIPSO user deletes an existing DOI. Adding DOIs is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_CONFIG_CHANGE	Triggered when an SELinux Boolean value is changed.
MAC_IPSEC_EVENT	Triggered to record information about an IPSec event, when one is detected, or when the IPSec configuration changes.
MAC_MAP_ADD	Triggered when a new Linux Security Module (LSM) domain mapping is added. LSM domain mapping is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_MAP_DEL	Triggered when an existing LSM domain mapping is added. LSM domain mapping is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_POLICY_LOAD	Triggered when a SELinux policy file is loaded.
MAC_STATUS	Triggered when the SELinux mode (enforcing, permissive, off) is changed.
MAC_UNLBL_ALLOW	Triggered when unlabeled traffic is allowed when using the packet labeling capabilities of the kernel provided by NetLabel.
MAC_UNLBL_STCADD	Triggered when a static label is added when using the packet labeling capabilities of the kernel provided by NetLabel.
MAC_UNLBL_STCDEL	Triggered when a static label is deleted when using the packet labeling capabilities of the kernel provided by NetLabel.
MMAP	Triggered to record a file descriptor and flags of the mmap(2)system call.
MQ_GETSETATTR	Triggered to record the mq_getattr(3) and mq_setattr(3)message queue attributes.
MQ_NOTIFY	Triggered to record arguments of the mq_notify(3) system call.
MQ_OPEN	Triggered to record arguments of the mq_open(3) system call.
MQ_SENDRECV	Triggered to record arguments of the mq_send(3) and mq_receive(3) system calls.
NETFILTER_CFG	Triggered when Netfilter chain modifications are detected.
NETFILTER_PKT	Triggered to record packets traversing Netfilter chains.
OBJ_PID	Triggered to record information about a process to which a signal is sent.
PATH	Triggered to record file name path information.
RESP_ACCT_LOCK[c]	Triggered when a user account is locked.
RESP_ACCT_LOCK_TIMED[c]	Triggered when a user account is locked for a specified period of time.
RESP_ACCT_REMOTE[c]	Triggered when a user account is locked from a remote session.
RESP_ACCT_UNLOCK_TIMED[c]	Triggered when a user account is unlocked after a configured period of time.
RESP_ALERT[c]	Triggered when an alert email is sent.
RESP_ANOMALY[c]	Triggered when an anomaly was not acted upon.
RESP_EXEC[c]	Triggered when an intrusion detection program responds to a threat originating from the execution of a program.
RESP_HALT[c]	Triggered when the system is shut down.
RESP_KILL_PROC[c]	Triggered when a process is terminated.
RESP_SEBOOL[c]	Triggered when an SELinux Boolean value is set.
RESP_SINGLE[c]	Triggered when the system is put into single-user mode.
RESP_TERM_ACCESS[c]	Triggered when a session is terminated.
RESP_TERM_LOCK[c]	Triggered when a terminal is locked.
ROLE_ASSIGN	Triggered when an administrator assigns a user to an SELinux role.
ROLE_MODIFY	Triggered when an administrator modifies an SELinux role.
ROLE_REMOVE	Triggered when an administrator removes a user from an SELinux role.
SELINUX_ERR	Triggered when an internal SELinux error is detected.
SERVICE_START	Triggered when a service is started.
SERVICE_STOP	Triggered when a service is stopped.
SOCKADDR	Triggered to record a socket address.
SOCKETCALL	Triggered to record arguments of the sys_socketcall system call (used to multiplex many socket-related system calls).
SYSCALL	Triggered to record a system call to the kernel.
SYSTEM_BOOT	Triggered when the system is booted up.
SYSTEM_RUNLEVEL	Triggered when the system's run level is changed.
SYSTEM_SHUTDOWN	Triggered when the system is shut down.
TEST	Triggered to record the success value of a test message.
TRUSTED_APP	The record of this type can be used by third party application that require auditing.
TTY	Triggered when TTY input was sent to an administrative process.
USER_ACCT	Triggered when a user-space user account is modified.
USER_AUTH	Triggered when a user-space authentication attempt is detected.
USER_AVC	Triggered when a user-space AVC message is generated.
USER_CHAUTHTOK	Triggered when a user account attribute is modified.
USER_CMD	Triggered when a user-space shell command is executed.
USER_END	Triggered when a user-space session is terminated.
USER_ERR	Triggered when a user account state error is detected.
USER_LABELED_EXPORT	Triggered when an object is exported with an SELinux label.
USER_LOGIN	Triggered when a user logs in.
USER_LOGOUT	Triggered when a user logs out.
USER_MAC_POLICY_LOAD	Triggered when a user-space daemon loads an SELinux policy.
USER_MGMT	Triggered to record user-space management data.
USER_ROLE_CHANGE	Triggered when a user's SELinux role is changed.
USER_SELINUX_ERR	Triggered when a user-space SELinux error is detected.
USER_START	Triggered when a user-space session is started.
USER_TTY	Triggered when an explanatory message about TTY input to an administrative process is sent from user-space.
USER_UNLABELED_EXPORT	Triggered when an object is exported without SELinux label.
USYS_CONFIG	Triggered when a user-space system configuration change is detected.
VIRT_CONTROL	Triggered when a virtual machine is started, paused, or stopped.
VIRT_MACHINE_ID	Triggered to record the binding of a label to a virtual machine.
VIRT_RESOURCE	Triggered to record resource assignment of a virtual machine.
[a] All Audit event types prepended with ANOM are intended to be processed by an intrusion detection program. [b] This event type is related to the Integrity Measurement Architecture (IMA), which functions best with a Trusted Platform Module (TPM) chip. [c] All Audit event types prepended with RESP are intended responses of an intrusion detection system in case it detects malicious activity on the system.

• msg=audit(1557427974.683:2260)

括號中爲時間綴和特殊ID，如果多種記錄生成爲相同審覈事件的一部分，那麼它們可以共享相同的時間戳和ID。

• 後面爲Kernel或用戶空間提供的不同事件（name=value組）。

五、使用ausearch搜索審計日誌

如：搜索登錄失敗的日誌信息：

ausearch --message USER_LOGIN --success no --interpret

搜索內容如下：

----
type=USER_LOGIN msg=audit(2019年05月09日 09:58:07.647:537) : pid=6772 uid=root auid=unset ses=unset msg='op=login acct=root exe=/usr/sbin/sshd hostname=? addr=192.168.9.165 terminal=ssh res=failed'
----
type=USER_LOGIN msg=audit(2019年05月10日 03:06:53.549:2317) : pid=5003 uid=root auid=unset ses=unset msg='op=login acct=root exe=/usr/sbin/sshd hostname=? addr=192.168.9.166 terminal=ssh res=failed'

六、使用aureport查看審計報告

可以直接使用aureport命令生成概要報告，內容如下：

Summary Report
======================
Range of time in logs: 1970年01月01日 08:00:00.000 - 2019年05月10日 03:11:46.045
Selected time for report: 1970年01月01日 08:00:00 - 2019年05月10日 03:11:46.045
Number of changes in configuration: 79
Number of changes to accounts, groups, or roles: 0
Number of logins: 2
Number of failed logins: 3
Number of authentications: 7
Number of failed authentications: 16
Number of users: 3
Number of terminals: 8
Number of host names: 4
Number of executables: 14
Number of commands: 10
Number of files: 13
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 812
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 55
Number of integrity events: 0
Number of virt events: 0
Number of keys: 9
Number of process IDs: 950
Number of events: 1935

可以通過傳入參數生成不同類型的報告。

 

複製於(http://blog.gopersist.com/2019/05/10/centos7-audit/index.html)