System Security - System Auditing

audit

The audit subsystem provides a way to record security-relevant information about the system, and to give the system administrator a timely warning when a user violates the system's security policy or when there is a potential for such a violation. The information collected by the audit subsystem includes the name of the auditable event, the event's status (success or failure), and other security-related information. Auditable events are normally defined at the system call level.

The audit package is installed by default:

[root@localhost ~]# ps aux | grep audit
root         99  0.0  0.0      0     0 ?        S    07:54   0:00 [kauditd]
root        680  0.0  0.0  55508   876 ?        S<sl 07:54   0:00 /sbin/auditd
root       1258  0.1  1.8 338396 34784 tty1     Ssl+ 07:54   0:07 /usr/bin/X :0 -background none -noreset -audit 4 -verbose -auth /run/gdm/auth-for-gdm-BYMFG9/database -seat seat0 -nolisten tcp vt1
root       5058  0.0  0.0 112724   984 pts/2    S+   09:28   0:00 grep --color=auto audit
[root@localhost ~]# ^C
[root@localhost ~]# ps aux | grep auditd
root         99  0.0  0.0      0     0 ?        S    07:54   0:00 [kauditd]
root        680  0.0  0.0  55508   876 ?        S<sl 07:54   0:00 /sbin/auditd
[root@localhost ~]# 

and the service is normally already running by default:

[root@localhost ~]# service auditd status
Redirecting to /bin/systemctl status auditd.service
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since 二 2018-11-20 10:24:54 CST; 6 days ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 686 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Process: 673 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
 Main PID: 680 (auditd)
    Tasks: 5
   CGroup: /system.slice/auditd.service
           ├─680 /sbin/auditd
           ├─682 /sbin/audispd
           └─684 /usr/sbin/sedispatch

11月 20 10:24:54 localhost.localdomain augenrules[686]: lost 0
11月 20 10:24:54 localhost.localdomain augenrules[686]: backlog 0
11月 20 10:24:54 localhost.localdomain augenrules[686]: enabled 1
11月 20 10:24:54 localhost.localdomain augenrules[686]: failure 1
11月 20 10:24:54 localhost.localdomain augenrules[686]: pid 680
11月 20 10:24:54 localhost.localdomain augenrules[686]: rate_limit 0
11月 20 10:24:54 localhost.localdomain augenrules[686]: backlog_limit 8192
11月 20 10:24:54 localhost.localdomain augenrules[686]: lost 0
11月 20 10:24:54 localhost.localdomain augenrules[686]: backlog 1
11月 20 10:24:54 localhost.localdomain systemd[1]: Started Security Auditing Service.
[root@localhost ~]# 

Check the audit status; enabled 1 means auditing is switched on:

[root@localhost ~]# auditctl -s
enabled 1
failure 1
pid 680
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
loginuid_immutable 0 unlocked
[root@localhost ~]# 

How to configure audit rules is described in the manual page:

[root@localhost ~]# man auditctl
[root@localhost ~]# 

An example (the EXAMPLES section of the manual page):

EXAMPLES
       To see all syscalls made by a specific program:

       auditctl -a always,exit -S all -F pid=1005

       To see files opened by a specific user:

       auditctl -a always,exit -S openat -F auid=510

       To see unsuccessful openat calls:

       auditctl -a always,exit -S openat -F success=0

       To watch a file for changes (2 ways to express):

       auditctl -w /etc/shadow -p wa
       auditctl -a always,exit -F path=/etc/shadow -F perm=wa

       To recursively watch a directory for changes (2 ways to express):

       auditctl -w /etc/ -p wa
       auditctl -a always,exit -F dir=/etc/ -F perm=wa

       To see if an admin is accessing other user's files:

       auditctl -a always,exit -F dir=/home/ -F uid=0 -C auid!=obj_uid
[root@localhost ~]# auditctl -w /tmp/ -p rwxa -k "TEST"
[root@localhost ~]# auditctl -l
-w /tmp -p rwxa -k TEST
[root@localhost ~]# 

auditctl -l lists all current rules

auditctl -D deletes (clears) all rules

Open a new terminal and run a test as an ordinary user:

[root@localhost ~]# su user1
[user1@localhost root]$ ls /tmp/
passwd.des
ssh-rmcshGoCa91Y
systemd-private-dd46fe14386d4ab7afb92188413fd241-chronyd.service-RGcgLp
systemd-private-dd46fe14386d4ab7afb92188413fd241-colord.service-wutL8A
systemd-private-dd46fe14386d4ab7afb92188413fd241-cups.service-RT6X1Q
systemd-private-dd46fe14386d4ab7afb92188413fd241-rtkit-daemon.service-SSh4Qs
tracker-extract-files.1000
user1.key
vmware-root
yum_save_tx.2018-11-13.14-35.1CMzyw.yumtx
yum_save_tx.2018-11-15.11-01.WjmHL_.yumtx
yum_save_tx.2018-11-19.16-33.Ivy05k.yumtx
yum_save_tx.2018-11-20.09-33.OpWMe_.yumtx

Switch back to the administrator terminal and look at the audit records.

[user1@localhost root]$ su root
密码:
[root@localhost ~]# ausearch -k "TEST"
----
time->Tue Nov 27 09:33:09 2018
type=CONFIG_CHANGE msg=audit(1543282389.729:278): auid=0 ses=13 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=add_rule key="TEST" list=4 res=1
----
time->Tue Nov 27 09:34:53 2018
type=PROCTITLE msg=audit(1543282493.461:285): proctitle="bash"
type=PATH msg=audit(1543282493.461:285): item=1 name="/tmp/sh-thd-1543285867" inode=18339887 dev=fd:00 mode=0100600 ouid=1004 ogid=1004 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1543282493.461:285): item=0 name="/tmp/" inode=16777288 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1543282493.461:285):  cwd="/root"
type=SYSCALL msg=audit(1543282493.461:285): arch=c000003e syscall=2 success=yes exit=3 a0=1506580 a1=2c1 a2=180 a3=7ffca7383fa0 items=2 ppid=5238 pid=5239 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
----
time->Tue Nov 27 09:34:53 2018
type=PROCTITLE msg=audit(1543282493.461:286): proctitle="bash"
type=PATH msg=audit(1543282493.461:286): item=0 name="/tmp/sh-thd-1543285867" inode=18339887 dev=fd:00 mode=0100600 ouid=1004 ogid=1004 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1543282493.461:286):  cwd="/root"
type=SYSCALL msg=audit(1543282493.461:286): arch=c000003e syscall=2 success=yes exit=4 a0=1506580 a1=0 a2=180 a3=7ffca7383fe0 items=1 ppid=5238 pid=5239 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
----
time->Tue Nov 27 09:34:53 2018
type=PROCTITLE msg=audit(1543282493.461:287): proctitle="bash"
type=PATH msg=audit(1543282493.461:287): item=1 name="/tmp/sh-thd-1543285867" inode=18339887 dev=fd:00 mode=0100600 ouid=1004 ogid=1004 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1543282493.461:287): item=0 name="/tmp/" inode=16777288 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1543282493.461:287):  cwd="/root"
type=SYSCALL msg=audit(1543282493.461:287): arch=c000003e syscall=87 success=yes exit=0 a0=1506580 a1=0 a2=180 a3=7ffca7383fe0 items=2 ppid=5238 pid=5239 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
----
time->Tue Nov 27 09:34:53 2018
type=PROCTITLE msg=audit(1543282493.462:288): proctitle="bash"
type=PATH msg=audit(1543282493.462:288): item=1 name="/tmp/sh-thd-3959805905" inode=18339887 dev=fd:00 mode=0100600 ouid=1004 ogid=1004 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=CREATE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1543282493.462:288): item=0 name="/tmp/" inode=16777288 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1543282493.462:288):  cwd="/root"
type=SYSCALL msg=audit(1543282493.462:288): arch=c000003e syscall=2 success=yes exit=3 a0=1506580 a1=2c1 a2=180 a3=63 items=2 ppid=5238 pid=5239 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
----
time->Tue Nov 27 09:34:53 2018
type=PROCTITLE msg=audit(1543282493.462:289): proctitle="bash"
type=PATH msg=audit(1543282493.462:289): item=0 name="/tmp/sh-thd-3959805905" inode=18339887 dev=fd:00 mode=0100600 ouid=1004 ogid=1004 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1543282493.462:289):  cwd="/root"
type=SYSCALL msg=audit(1543282493.462:289): arch=c000003e syscall=2 success=yes exit=4 a0=1506580 a1=0 a2=180 a3=ffffffff items=1 ppid=5238 pid=5239 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
----
time->Tue Nov 27 09:34:53 2018
type=PROCTITLE msg=audit(1543282493.462:290): proctitle="bash"
type=PATH msg=audit(1543282493.462:290): item=1 name="/tmp/sh-thd-3959805905" inode=18339887 dev=fd:00 mode=0100600 ouid=1004 ogid=1004 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=DELETE cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1543282493.462:290): item=0 name="/tmp/" inode=16777288 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1543282493.462:290):  cwd="/root"
type=SYSCALL msg=audit(1543282493.462:290): arch=c000003e syscall=87 success=yes exit=0 a0=1506580 a1=0 a2=180 a3=ffffffff items=2 ppid=5238 pid=5239 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="bash" exe="/usr/bin/bash" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
----
time->Tue Nov 27 09:34:56 2018
type=PROCTITLE msg=audit(1543282496.004:292): proctitle=6C73002D2D636F6C6F723D6175746F002F746D702F
type=PATH msg=audit(1543282496.004:292): item=0 name="/tmp/yum_save_tx.2018-11-20.09-33.OpWMe_.yumtx" inode=17303205 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1543282496.004:292):  cwd="/root"
type=SYSCALL msg=audit(1543282496.004:292): arch=c000003e syscall=191 success=no exit=-61 a0=7ffda47ba760 a1=7f199012d114 a2=7ffda47ba720 a3=14 items=1 ppid=5239 pid=5289 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
----
time->Tue Nov 27 09:34:56 2018
type=PROCTITLE msg=audit(1543282496.006:293): proctitle=6C73002D2D636F6C6F723D6175746F002F746D702F
type=PATH msg=audit(1543282496.006:293): item=0 name="/tmp/yum_save_tx.2018-11-13.14-35.1CMzyw.yumtx" inode=17406228 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1543282496.006:293):  cwd="/root"
type=SYSCALL msg=audit(1543282496.006:293): arch=c000003e syscall=191 success=no exit=-61 a0=7ffda47ba760 a1=7f199012d114 a2=7ffda47ba720 a3=14 items=1 ppid=5239 pid=5289 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
----
time->Tue Nov 27 09:34:56 2018
type=PROCTITLE msg=audit(1543282496.007:294): proctitle=6C73002D2D636F6C6F723D6175746F002F746D702F
type=PATH msg=audit(1543282496.007:294): item=0 name="/tmp/yum_save_tx.2018-11-15.11-01.WjmHL_.yumtx" inode=18340303 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1543282496.007:294):  cwd="/root"
type=SYSCALL msg=audit(1543282496.007:294): arch=c000003e syscall=191 success=no exit=-61 a0=7ffda47ba760 a1=7f199012d114 a2=7ffda47ba720 a3=14 items=1 ppid=5239 pid=5289 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
----
time->Tue Nov 27 09:34:56 2018
type=PROCTITLE msg=audit(1543282496.007:295): proctitle=6C73002D2D636F6C6F723D6175746F002F746D702F
type=PATH msg=audit(1543282496.007:295): item=0 name="/tmp/passwd.des" inode=16789654 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1543282496.007:295):  cwd="/root"
type=SYSCALL msg=audit(1543282496.007:295): arch=c000003e syscall=191 success=no exit=-61 a0=7ffda47ba780 a1=7f199012d114 a2=7ffda47ba740 a3=14 items=1 ppid=5239 pid=5289 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
----
time->Tue Nov 27 09:34:56 2018
type=PROCTITLE msg=audit(1543282496.007:296): proctitle=6C73002D2D636F6C6F723D6175746F002F746D702F
type=PATH msg=audit(1543282496.007:296): item=0 name="/tmp/user1.key" inode=18340335 dev=fd:00 mode=0100664 ouid=1004 ogid=1004 rdev=00:00 obj=unconfined_u:object_r:user_tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1543282496.007:296):  cwd="/root"
type=SYSCALL msg=audit(1543282496.007:296): arch=c000003e syscall=191 success=no exit=-61 a0=7ffda47ba780 a1=7f199012d114 a2=7ffda47ba740 a3=14 items=1 ppid=5239 pid=5289 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
----
time->Tue Nov 27 09:34:56 2018
type=PROCTITLE msg=audit(1543282496.007:297): proctitle=6C73002D2D636F6C6F723D6175746F002F746D702F
type=PATH msg=audit(1543282496.007:297): item=0 name="/tmp/yum_save_tx.2018-11-19.16-33.Ivy05k.yumtx" inode=18340309 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:rpm_tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1543282496.007:297):  cwd="/root"
type=SYSCALL msg=audit(1543282496.007:297): arch=c000003e syscall=191 success=no exit=-61 a0=7ffda47ba760 a1=7f199012d114 a2=7ffda47ba720 a3=14 items=1 ppid=5239 pid=5289 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
----
time->Tue Nov 27 09:34:56 2018
type=PROCTITLE msg=audit(1543282496.002:291): proctitle=6C73002D2D636F6C6F723D6175746F002F746D702F
type=PATH msg=audit(1543282496.002:291): item=0 name="/tmp/" inode=16777288 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1543282496.002:291):  cwd="/root"
type=SYSCALL msg=audit(1543282496.002:291): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=10125b0 a2=90800 a3=0 items=1 ppid=5239 pid=5289 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="ls" exe="/usr/bin/ls" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="TEST"
[root@localhost ~]# 

The following two commands have the same effect:

[root@localhost ~]# auditctl -w /tmp/ -p rwxa
[root@localhost ~]# auditctl -a exit,always -F dir=/tmp -F perm=rwxa

-a exit,always: exit means the record is written when the system call has completed (the list normally used); always means a record is always generated.

-F adds a rule field, i.e. a filter on the fields of the event.

auid is the login UID, the identity the user originally logged in with. auid != 0 together with uid = 0 means the user logged in as a non-root user but is carrying out the operation as root: a dangerous behaviour.

auditctl -a exit,always -F auid!=0 -F uid=0

uid != 0 together with euid = 0 means the executing user is a non-root user, but the operation is being executed with root's identity, i.e. a privilege escalation: a dangerous behaviour.

auditctl -a exit,always -F uid!=0 -F euid=0
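As an added example (not part of the original post), the following Python code parses ausearch SYSCALL records in the format shown above and applies the two conditions just described (auid != 0 with uid = 0, and uid != 0 with euid = 0) to each record. The sample records are constructed in the page's format, the syscall-number table covers only the x86_64 numbers that appear on this page, and the exclusion of the unset login UID 4294967295 is my own addition: boot-time daemons carry that value and would otherwise match auid != 0.

```python
import re
# x86_64 (arch=c000003e) syscall numbers that appear in the page's ausearch output.
SYSCALL_NAMES_X86_64 = {2: "open", 87: "unlink", 191: "getxattr", 257: "openat"}
AUID_UNSET = 4294967295  # loginuid of processes that never logged in (boot-time daemons)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value or key="quoted value"
EVENT_RE = re.compile(r"audit\(([^)]+)\)")        # "1543282493.461:285" out of msg=audit(...)

def parse_record(line):
    """Split one audit record line into a dict of field -> value (quotes stripped)."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}

def syscall_name(rec):
    """Readable name for the syscall number of an x86_64 SYSCALL record."""
    return SYSCALL_NAMES_X86_64.get(int(rec.get("syscall", -1)), "syscall#" + rec.get("syscall", "?"))

def classify(rec):
    """Apply the two conditions from the text to a SYSCALL record; return those that match."""
    if rec.get("type") != "SYSCALL":
        return []
    auid, uid, euid = (int(rec[k]) for k in ("auid", "uid", "euid"))
    findings = []
    # Condition 1: logged in as a non-root user (auid != 0) but now running as root (uid = 0).
    # Daemons have no login UID (auid unset); excluding them is my addition, not the page's rule.
    if auid not in (0, AUID_UNSET) and uid == 0:
        findings.append("login-user-became-root")
    # Condition 2: non-root uid but effective UID 0, i.e. the call runs with root privilege.
    if uid != 0 and euid == 0:
        findings.append("non-root-uid-with-euid-0")
    return findings

def scan(lines):
    """Return (event id, syscall name, exe, findings) for each record matching a condition."""
    hits = []
    for rec in map(parse_record, lines):
        findings = classify(rec)
        if findings:
            event_id = EVENT_RE.search(rec["msg"]).group(1)
            hits.append((event_id, syscall_name(rec), rec.get("exe", "?"), findings))
    return hits

# Constructed sample records in the format of the page's output (values are illustrative).
SAMPLE_RECORDS = [
    # root su'd to user1, so auid stays 0: the situation shown on the page, no finding
    'type=SYSCALL msg=audit(1543282493.461:285): arch=c000003e syscall=2 success=yes exit=3 a0=1506580 a1=2c1 a2=180 a3=7ffca7383fa0 items=2 ppid=5238 pid=5239 auid=0 uid=1004 gid=1004 euid=1004 suid=1004 fsuid=1004 egid=1004 sgid=1004 fsgid=1004 tty=pts2 ses=13 comm="bash" exe="/usr/bin/bash" key="TEST"',
    # user1 logged in and then obtained a root shell: condition 1
    'type=SYSCALL msg=audit(1543300000.100:400): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=6000 pid=6001 auid=1004 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=14 comm="bash" exe="/usr/bin/bash" key="PRIV"',
    # user1 running a setuid-root binary: condition 2
    'type=SYSCALL msg=audit(1543300001.200:401): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=6001 pid=6002 auid=1004 uid=1004 gid=1004 euid=0 suid=0 fsuid=0 egid=1004 sgid=1004 fsgid=1004 tty=pts3 ses=14 comm="passwd" exe="/usr/bin/passwd" key="PRIV"',
    # boot-time daemon (auid unset): not a login user, so condition 1 does not fire
    'type=SYSCALL msg=audit(1543300002.300:402): arch=c000003e syscall=191 success=no exit=-61 items=1 ppid=1 pid=680 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="auditd" exe="/sbin/auditd" key="PRIV"',
]
```

Running `scan(SAMPLE_RECORDS)` reports only the second and third records; feeding it the SYSCALL lines from `ausearch -k TEST` on the page yields no hits, because root switching to user1 leaves auid at 0.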

In practice, /tmp and /etc are commonly audited, because attackers frequently use /tmp in privilege escalation attempts.

aureport produces summaries of the system audit logs; for example, aureport -l shows login information.

Posted 2018-11-27 09:43 by 前方、有光