Basic Use of Auditd

Compiled, organised and written by snow chuai, 2020/2/26


1. Installing and configuring Auditd
1) Install the package
[root@srv1 ~]# yum install audit -y
[root@srv1 ~]# service auditd start
[root@srv1 ~]# systemctl enable auditd
2) Configure Auditd
[root@srv1 ~]# vim /etc/audit/auditd.conf
# Line 7: location of the log file
log_file = /var/log/audit/audit.log
# Line 12: maximum size of one log file (MB)
max_log_file = 8
# Line 13: number of log files to keep when rotating
num_logs = 5
# Line 17: how the node name is written into each record. Valid values: NONE, HOSTNAME, FQD, NUMERIC, USER
name_format = USER
# Line 18: when name_format is USER, the host name set here is used
name = srv1.1000cc.net
# Line 19: action to take when the log reaches its maximum size (valid values: IGNORE, SYSLOG, SUSPEND, ROTATE, KEEP_LOGS)
max_log_file_action = ROTATE
[root@srv1 ~]# service auditd restart
2. Sending logs to a remote host
1) Configure the remote server
[root@srv1 ~]# vim /etc/audit/auditd.conf
# Uncomment line 29: the port the remote server listens on
tcp_listen_port = 60
[root@srv1 ~]# service auditd restart
Stopping logging: [ OK ]
Redirecting start to /bin/systemctl start auditd.service
2) Configure the client
[root@srv2 ~]# yum install audispd-plugins -y
[root@srv2 ~]# vim /etc/audisp/plugins.d/au-remote.conf
# Line 6: enable the remote plugin
active = yes
[root@srv2 ~]# vim /etc/audisp/audisp-remote.conf
# Line 6: IP address/FQDN of the remote server
remote_server = srv1.1000cc.net
# Line 7: port the remote server listens on
port = 60
[root@srv2 ~]# vim /etc/audit/auditd.conf
# Line 9: do not write the log locally
log_format = NOLOG
[root@srv2 ~]# service auditd restart
Stopping logging: [ OK ]
Redirecting start to /bin/systemctl start auditd.service
3) View the logs on the remote server
[root@srv1 ~]# tail -5 /var/log/audit/audit.log
node=srv2.1000cc.net type=USER_START msg=audit(1456385789.273:101): pid=29288 uid=0 auid=0 ses=1 msg='op=.....
node=srv2.1000cc.ne type=USER_END msg=audit(1456385789.278:102): pid=29288 uid=0 auid=0 ses=1 msg='op=PA.....
node=srv2.1000cc.ne type=CRED_DISP msg=audit(1456385789.278:103): pid=29301 uid=0 auid=0 ses=1 msg='op=P.....
node=srv2.1000cc.ne type=USER_END msg=audit(1456385791.441:104): pid=29301 uid=0 auid=0 ses=1 msg='op=PA.....
node=srv2.1000cc.ne type=CRED_DISP msg=audit(1456385791.442:105): pid=29301 uid=0 auid=0 ses=1 msg='op=P.....
4) If TCP Wrappers are in use, configure as follows
[root@srv1 ~]# vim /etc/audit/auditd.conf
......
# Append the following at the end of the file
use_libwrap = yes
[root@srv1 ~]# service auditd restart
Stopping logging: [ OK ]
Redirecting start to /bin/systemctl start auditd.service
[root@srv1 ~]# vim /etc/hosts.deny
......
# Append the following at the end of the file
auditd: ALL
[root@srv1 ~]# vim /etc/hosts.allow
......
# Append the following at the end of the file
auditd: 192.168.10.12
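The forwarding chain above has three places that must agree (the server's tcp_listen_port, the client's au-remote plugin being active, and the client's remote_server/port), and because the client is set to log_format = NOLOG it keeps no local copy, so a mistake in any of them loses events rather than merely failing to forward them. As an added example, not part of the original page, the Python below parses the three configuration files and reports such inconsistencies; the configuration texts are constructed to mirror the values set above, and the check logic is my own, not an auditd tool.

```python
# Constructed configuration texts mirroring the values set above (not copied from a host).
SERVER_AUDITD_CONF = """\
log_file = /var/log/audit/audit.log
max_log_file = 8
num_logs = 5
name_format = USER
name = srv1.1000cc.net
max_log_file_action = ROTATE
tcp_listen_port = 60
"""
CLIENT_AUDITD_CONF = "log_format = NOLOG\nname_format = USER\nname = srv2.1000cc.net\n"
CLIENT_AU_REMOTE_CONF = "active = yes\ndirection = out\npath = /sbin/audisp-remote\ntype = always\n"
CLIENT_AUDISP_REMOTE_OK = "remote_server = srv1.1000cc.net\nport = 60\n"
CLIENT_AUDISP_REMOTE_BAD = "remote_server = srv1.1000cc.net\nport = 61\n"   # constructed port typo


def parse_conf(text):
    """Parse the 'key = value' lines used by auditd.conf, au-remote.conf and
    audisp-remote.conf. Keys are treated case-insensitively; '#' starts a comment."""
    conf = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if "=" not in line:
            continue
        key, value = line.split("=", 1)
        conf[key.strip().lower()] = value.strip()
    return conf


def check_forwarding(server_auditd, client_auditd, client_plugin, client_remote):
    """Return a list of findings for one server/client pair; an empty list means the
    chain is consistent. Only the settings this page configures are checked."""
    s, c, p, r = (parse_conf(t) for t in (server_auditd, client_auditd, client_plugin, client_remote))
    findings = []
    port = s.get("tcp_listen_port")
    if port is None:
        findings.append("server: tcp_listen_port is not set, so the server accepts no remote records")
    if p.get("active", "no").lower() != "yes":
        findings.append("client: au-remote.conf has active != yes, nothing is forwarded")
    if not r.get("remote_server"):
        findings.append("client: remote_server is missing from audisp-remote.conf")
    if port is not None and r.get("port") != port:
        findings.append("client: audisp-remote port %s does not match server tcp_listen_port %s"
                        % (r.get("port"), port))
    # With log_format = NOLOG the client keeps no local copy, so any break in the
    # chain above means the events are lost, not just left unforwarded.
    if c.get("log_format", "").upper() == "NOLOG" and findings:
        findings.append("client: log_format = NOLOG while forwarding is broken: events will be lost")
    return findings


if __name__ == "__main__":
    for name, remote in (("ok", CLIENT_AUDISP_REMOTE_OK), ("bad", CLIENT_AUDISP_REMOTE_BAD)):
        print(name, check_forwarding(SERVER_AUDITD_CONF, CLIENT_AUDITD_CONF,
                                     CLIENT_AU_REMOTE_CONF, remote))
```

Run it against the real files by reading /etc/audit/auditd.conf from both hosts and /etc/audisp/plugins.d/au-remote.conf and /etc/audisp/audisp-remote.conf from the client; the port comparison is deliberately string-based, since auditd itself reads these values as text.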
3. Searching logs with ausearch
# System logins, user account changes, sudo operations and so on are all recorded in /var/log/audit/audit.log
1) Search for USER_LOGIN records with ausearch
[root@srv1 ~]# ausearch --message USER_LOGIN --interpret
----
type=USER_LOGIN msg=audit(02/22/2020 17:44:22.773:122) : pid=1104 uid=root auid=root ses=1 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=login id=root exe=/usr/bin/login hostname=base.1000cc.net addr=? terminal=tty1 res=success' 
----
type=USER_LOGIN msg=audit(02/22/2020 17:45:30.276:148) : pid=9750 uid=root auid=root ses=2 subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='op=login id=root exe=/usr/bin/login hostname=base.1000cc.net addr=? terminal=tty1 res=success' 
----
type=USER_LOGIN msg=audit(02/22/2020 17:52:18.517:64) : pid=1080 uid=root auid=root ses=2 msg='op=login id=root exe=/usr/bin/login hostname=base.1000cc.net addr=? terminal=tty1 res=success' 
----
type=USER_LOGIN msg=audit(02/22/2020 18:30:32.230:54) : pid=736 uid=root auid=root ses=1 msg='op=login id=root exe=/usr/bin/login hostname=base.1000cc.net addr=? terminal=tty1 res=success' 
----
type=USER_LOGIN msg=audit(02/22/2020 18:28:59.213:73) : pid=1300 uid=root auid=root ses=2 msg='op=login id=root exe=/usr/bin/login hostname=srv1.1000cc.net addr=? terminal=tty1 res=success' 
----
type=USER_LOGIN msg=audit(02/22/2020 18:40:36.898:79) : pid=1227 uid=root auid=root ses=3 msg='op=login id=root exe=/usr/sbin/sshd hostname=192.168.10.125 addr=192.168.10.125 terminal=/dev/pts/0 res=success' 
----
type=USER_LOGIN msg=audit(02/26/2020 23:59:48.160:129) : pid=28908 uid=root auid=root ses=10 msg='op=login id=root exe=/usr/sbin/sshd hostname=192.168.10.125 addr=192.168.10.125 terminal=/dev/pts/0 res=success' 
2) Search for sudo executions by UID 1000 with ausearch
[root@srv1 ~]# ausearch -x sudo -ua 1000
----
time->Thu Feb 27 01:05:12 2020
node=srv1.1000cc.net type=USER_AUTH msg=audit(1582736712.002:237): pid=29660 uid=1000 auid=0 ses=10 msg='op=PAM:authentication grantors=pam_unix acct="snow" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
----
time->Thu Feb 27 01:05:12 2020
node=srv1.1000cc.net type=USER_ACCT msg=audit(1582736712.002:238): pid=29660 uid=1000 auid=0 ses=10 msg='op=PAM:accounting grantors=pam_unix,pam_localuser acct="snow" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
3) Search for failure events on srv1.1000cc.net
[root@srv1 ~]# ausearch --node srv1.1000cc.net --success no
----
time->Thu Feb 27 01:05:12 2020
node=srv1.1000cc.net type=USER_CMD msg=audit(1582736712.002:239): pid=29660 uid=1000 auid=0 ses=10 msg='cwd="/home/snow" cmd=7375202D terminal=pts/1 res=failed'
4) Search for records of UID 1001 between 2020/2/1 and 2020/2/27
[root@srv1 ~]# ausearch --start 02/01/2020 --end 02/27/2020 -ul 1001
<no matches>
# Nothing was found
4. Displaying audit log information with aureport
1) Show the summary report
[root@srv1 ~]# aureport
Summary Report
======================
Range of time in logs: 01/01/1970 08:00:00.000 - 02/27/2020 01:10:01.167
Selected time for report: 01/01/1970 08:00:00 - 02/27/2020 01:10:01.167
Number of changes in configuration: 114
Number of changes to accounts, groups, or roles: 0
Number of logins: 7
Number of failed logins: 0
Number of authentications: 11
Number of failed authentications: 0
Number of users: 2
Number of terminals: 9
Number of host names: 4
Number of executables: 11
Number of commands: 10
Number of files: 0
Number of AVC's: 0
Number of MAC events: 2
Number of failed syscalls: 0
Number of anomaly events: 1
Number of responses to anomaly events: 0
Number of crypto events: 33
Number of integrity events: 0
Number of virt events: 0
Number of keys: 0
Number of process IDs: 112
Number of events: 998
2) Show the authentication report
[root@srv1 ~]# aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 02/22/2020 17:44:22 root base.1000cc.net tty1 /usr/bin/login yes 115
2. 02/22/2020 17:45:29 root base.1000cc.net tty1 /usr/bin/login yes 141
3. 02/22/2020 17:52:18 root base.1000cc.net tty1 /usr/bin/login yes 58
4. 02/22/2020 18:30:32 root base.1000cc.net tty1 /usr/bin/login yes 48
5. 02/22/2020 18:28:59 root srv1.1000cc.net tty1 /usr/bin/login yes 67
6. 02/22/2020 18:40:36 root 192.168.10.125 ssh /usr/sbin/sshd yes 69
7. 02/22/2020 18:40:36 root 192.168.10.125 ssh /usr/sbin/sshd yes 72
8. 02/26/2020 23:59:48 root 192.168.10.125 ssh /usr/sbin/sshd yes 119
9. 02/26/2020 23:59:48 root 192.168.10.125 ssh /usr/sbin/sshd yes 122
10. 02/27/2020 01:05:05 snow srv1.1000cc.net pts/1 /usr/bin/su yes 232
11. 02/27/2020 01:05:12 snow ? /dev/pts/1 /usr/bin/sudo yes 237
3) Show the failed authentication summary
[root@srv1 ~]# aureport -au --failed --summary

Failed Authentication Summary Report
=============================
total acct
=============================
<no events of interest were found>
# Nothing was found
4) Show the account modification report
[root@srv1 ~]# aureport -m -i

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
<no events of interest were found>
5) Show account modifications since the start of this month
[root@srv1 ~]# aureport -m -i --start this-month
6) Show the executable report
[root@srv1 ~]# aureport -x -i
......
914. 02/27/2020 01:10:01 /usr/sbin/crond cron ? root 246
915. 02/27/2020 01:10:01 /usr/sbin/crond cron ? root 247
916. 02/27/2020 01:10:01 /usr/sbin/crond cron ? root 248
917. 02/27/2020 01:10:01 /usr/sbin/crond cron ? root 249
7) Combining ausearch with aureport
(1) Search srv1.1000cc.net and report its authentication events
[root@srv1 ~]# ausearch --node srv1.1000cc.net | aureport -au

Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 02/27/2020 01:05:05 snow srv1.1000cc.net pts/1 /usr/bin/su yes 232
2. 02/27/2020 01:05:12 snow ? /dev/pts/1 /usr/bin/sudo yes 237
(2) Search for actions performed by the account with UID 1000 and report the executables
[root@srv1 ~]# ausearch -ui 1000 | aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 02/27/2020 01:05:12 /usr/bin/sudo /dev/pts/1 ? root 237
2. 02/27/2020 01:05:12 /usr/bin/sudo /dev/pts/1 ? root 238
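Everything ausearch and aureport showed in sections 3 and 4 is computed from the raw records in audit.log. As an added example, not part of the original page, the Python below parses that raw format: the audit(seconds.millis:serial) timestamp, the node= prefix that records carry when they arrive from a remote host, the nested msg='...' payload, and hex-encoded fields such as the cmd=7375202D seen in the USER_CMD record of section 3, which is the hex of the bytes "su -". On top of the parser it reproduces two of the views above (ausearch --success no --node and aureport -au --summary). The sample records are constructed to resemble the page's output; their serials, PIDs and timestamps are made up.

```python
import re
from datetime import datetime, timezone

# Constructed sample records in raw audit.log format (serials, PIDs and times are made up).
SAMPLE_LOG = """\
node=srv2.1000cc.net type=USER_LOGIN msg=audit(1582390836.898:79): pid=1227 uid=0 auid=0 ses=3 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=192.168.10.125 addr=192.168.10.125 terminal=/dev/pts/0 res=success'
node=srv1.1000cc.net type=USER_AUTH msg=audit(1582736712.002:237): pid=29660 uid=1000 auid=0 ses=10 msg='op=PAM:authentication grantors=pam_unix acct="snow" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=success'
node=srv1.1000cc.net type=USER_CMD msg=audit(1582736712.002:239): pid=29660 uid=1000 auid=0 ses=10 msg='cwd="/home/snow" cmd=7375202D terminal=pts/1 res=failed'
node=srv1.1000cc.net type=USER_AUTH msg=audit(1582736800.100:240): pid=29700 uid=1000 auid=1000 ses=11 msg='op=PAM:authentication grantors=? acct="snow" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/1 res=failed'
"""

# key=value tokens; a value is single-quoted, double-quoted, or a bare run of non-space characters
TOKEN_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S+)""")
AUDIT_TS_RE = re.compile(r"audit\((\d+)\.(\d+):(\d+)\)")
HEX_RE = re.compile(r"^[0-9A-F]+$")
# Fields that audit hex-encodes (uppercase hex, no quotes) when they contain spaces,
# quotes or control bytes; values that need no encoding are emitted double-quoted instead.
HEX_FIELDS = {"cmd", "proctitle", "comm", "exe", "acct", "name"}


def decode_value(key, value):
    """Strip surrounding quotes, or hex-decode an encoded field (cmd=7375202D -> 'su -')."""
    if value[:1] in ("'", '"') and value[-1:] == value[:1] and len(value) >= 2:
        return value[1:-1]
    if key in HEX_FIELDS and len(value) % 2 == 0 and HEX_RE.match(value):
        return bytes.fromhex(value).decode("utf-8", "replace")
    return value


def parse_record(line):
    """Flatten one raw audit record into a dict; fields inside msg='...' are merged in."""
    m = AUDIT_TS_RE.search(line)
    if not m:
        raise ValueError("not an audit record: %r" % line)
    secs, millis, serial = m.groups()
    rec = {
        "time": datetime.fromtimestamp(int(secs), tz=timezone.utc).replace(microsecond=int(millis) * 1000),
        "serial": int(serial),
    }
    for key, value in TOKEN_RE.findall(line):
        if key == "msg":
            if value.startswith("audit("):
                continue                      # the timestamp, already handled above
            for k2, v2 in TOKEN_RE.findall(value[1:-1]):
                rec[k2] = decode_value(k2, v2)
        else:
            rec[key] = decode_value(key, value)
    return rec


def parse_log(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def failed_events(records, node=None):
    """Equivalent of `ausearch --success no [--node NODE]` over parsed records."""
    return [r for r in records
            if r.get("res") == "failed" and (node is None or r.get("node") == node)]


def auth_summary(records):
    """Per-account success/failure counts for login and authentication records,
    in the spirit of `aureport -au --summary`. USER_LOGIN carries the numeric id
    in raw form; ausearch -i would map it to a name, this example does not."""
    summary = {}
    for r in records:
        if r.get("type") not in ("USER_AUTH", "USER_LOGIN"):
            continue
        acct = r.get("acct") or r.get("id", "?")
        counts = summary.setdefault(acct, {"success": 0, "failed": 0})
        counts["success" if r.get("res") == "success" else "failed"] += 1
    return summary


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for r in failed_events(recs, node="srv1.1000cc.net"):
        print(r["time"].isoformat(), r["type"], r.get("cmd") or r.get("exe"), r["res"])
    print(auth_summary(recs))
```

Because the decoded cmd field is what a reviewer actually wants to read, a failed USER_CMD record becomes "su -" rather than 7375202D; a record with several failures for the same acct in auth_summary is the same signal aureport -au --failed would surface.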
5. Adding audit rules
1) List the current rules
[root@srv1 ~]# auditctl -l
No rules
2) Add a rule (temporary; it does not survive a reboot)
# Syntax: -p selects the operations to audit: r=read, w=write, x=execute, a=attribute change
#         -k attaches a key to the rule, used mainly when searching the log
[root@srv1 ~]# auditctl -w /etc/hosts -p wa -k hosts_change
[root@srv1 ~]# auditctl -l
-w /etc/hosts -p wa -k hosts_change
3) Add a rule persistently
# Append the currently loaded rules to the file additional.rules
[root@srv1 ~]# auditctl -l >> /etc/audit/rules.d/additional.rules
[root@srv1 ~]# cat /etc/audit/rules.d/additional.rules
-w /etc/hosts -p wa -k hosts_change
4) Set an audit rule on a directory
# Once a directory is audited, the rule applies recursively to all of its subdirectories and files
[root@srv1 ~]# auditctl -w /home/snow/ -p r -k snow_audit
[root@srv1 ~]# auditctl -l
-w /etc/hosts -p wa -k hosts_change
-w /home/snow -p r -k snow_audit
[root@srv1 ~]# ausearch -k snow_audit | aureport -f -i

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 02/27/2020 01:28:27 . openat yes /usr/bin/ls root 259
2. 02/27/2020 01:28:30 . openat yes /usr/bin/ls root 260
3. 02/27/2020 01:28:30 .bash_logout getxattr no /usr/bin/ls root 261
4. 02/27/2020 01:28:30 .bash_profile getxattr no /usr/bin/ls root 262
5. 02/27/2020 01:28:30 .bashrc getxattr no /usr/bin/ls root 263
6. 02/27/2020 01:28:30 .bash_history getxattr no /usr/bin/ls root 264
7. 02/27/2020 01:28:35 . openat yes /usr/bin/ls root 265
5) Audit file deletions by accounts with UID 1000 and above
[root@srv1 ~]# auditctl -a always,exit -F arch=b64 -S unlink,unlinkat -F \
'auid>=1000' -F 'auid!=-1' -F key=delete_audit
[root@srv1 ~]# auditctl -l
-w /etc/hosts -p wa -k hosts_change
-w /home/snow -p r -k snow_audit
-a always,exit -F arch=b64 -S unlink,unlinkat -F auid>=1000 -F auid!=-1 -F key=delete_audit
[root@srv1 ~]# ausearch -k delete_audit | aureport -f -i
6) Log in as a regular user (a normal login, not via su)
7) Check the result
[root@srv1 ~]# ausearch -k delete_audit | aureport -f -i

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 03/10/2020 00:48:03 /run/user/1001/systemd/ unlink no /usr/lib/systemd/systemd gzliu 196
2. 03/10/2020 00:48:03 /run/user/1001/systemd/ unlink no /usr/lib/systemd/systemd gzliu 197
3. 03/10/2020 00:48:03 /tmp/sh-thd.CBROCS unlink yes /usr/bin/bash gzliu 202
4. 03/10/2020 00:48:23 /var/run/console/gzliu unlink yes /usr/bin/login gzliu 204
5. 03/10/2020 00:48:23 /var/run/console/console.lock unlink yes /usr/bin/login gzliu 205
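Step 2) loads a rule only into the running kernel and step 3) persists it under /etc/audit/rules.d, so the two can drift: a rule added with auditctl during an investigation and never written to rules.d disappears at the next reboot, and a rule in rules.d that was never loaded gives a false sense of coverage. Comparing them textually is unreliable because, as the auditctl -l output above shows, the kernel drops the trailing slash of /home/snow/, reports -F key= and -k interchangeably, and the shell quotes around 'auid>=1000' never reach it. As an added example, not part of the original page, the Python below normalises both forms and lists the rules present on one side only; the inputs are constructed to match the rules of this section plus one extra rule on each side, and the normalisation is my own, not auditctl's.

```python
import shlex

# Constructed inputs (not copied from a host): what `auditctl -l` printed, and the
# contents of a rules.d file written by hand with shell quoting and a trailing slash.
LOADED_RULES = """\
-w /etc/hosts -p wa -k hosts_change
-w /home/snow -p r -k snow_audit
-a always,exit -F arch=b64 -S unlink,unlinkat -F auid>=1000 -F auid!=-1 -F key=delete_audit
"""
PERSISTED_RULES = """\
# rules.d file: control lines and comments are not rules
-D
-w /etc/hosts -p wa -k hosts_change
-a always,exit -F arch=b64 -S unlink,unlinkat -F 'auid>=1000' -F 'auid!=-1' -F key=delete_audit
-w /etc/sudoers -p wa -k sudoers_change
"""

# Control options that configure the daemon rather than define a rule.
CONTROL_OPTIONS = {"-D", "-b", "-e", "-f", "-r", "--loginuid-immutable", "--backlog_wait_time"}


def normalise_rule(line):
    """Canonical string for one rule, or None for comments and control lines.
    Shell quoting, trailing slashes in -w paths, -p letter order, -S spelling and
    '-k X' versus '-F key=X' are folded so equivalent rules compare equal."""
    tokens = shlex.split(line, comments=True)
    if not tokens or tokens[0] in CONTROL_OPTIONS:
        return None
    if len(tokens) % 2:
        raise ValueError("option without argument in rule %r" % line)
    watch = perms = action = key = None
    filters, syscalls = [], []
    for opt, arg in zip(tokens[0::2], tokens[1::2]):
        if opt == "-w":
            watch = arg.rstrip("/") or "/"
        elif opt == "-p":
            perms = "".join(sorted(arg))
        elif opt == "-k":
            key = arg
        elif opt == "-F" and arg.startswith("key="):
            key = arg[len("key="):]
        elif opt == "-F":
            filters.append(arg.replace(" ", ""))
        elif opt == "-S":
            syscalls.extend(arg.split(","))
        elif opt == "-a":
            action = arg
        else:
            raise ValueError("unsupported option %r in rule %r" % (opt, line))
    parts = []
    if watch:
        parts += ["-w", watch]
    if perms:
        parts += ["-p", perms]
    if action:
        parts += ["-a", action]
    for f in filters:
        parts += ["-F", f]
    if syscalls:
        parts += ["-S", ",".join(sorted(syscalls))]
    if key:
        parts += ["-k", key]
    return " ".join(parts)


def diff_rules(loaded_text, persisted_text):
    """Return (loaded but not persisted: lost on reboot, persisted but not loaded)."""
    loaded = {n for n in map(normalise_rule, loaded_text.splitlines()) if n}
    persisted = {n for n in map(normalise_rule, persisted_text.splitlines()) if n}
    return sorted(loaded - persisted), sorted(persisted - loaded)


if __name__ == "__main__":
    lost_on_reboot, not_loaded = diff_rules(LOADED_RULES, PERSISTED_RULES)
    print("loaded but not persisted:", lost_on_reboot)
    print("persisted but not loaded:", not_loaded)
```

On a real host feed it the output of auditctl -l and the concatenation of /etc/audit/rules.d/*.rules; a non-empty first list is exactly the situation step 3) exists to prevent.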

 
