ubuntu22.04 部署 审计工具 Auditd

安装 Auditd

# apt -y install auditd

auditd.conf

#
# This file controls the configuration of the audit daemon
#

local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log     # 指定日志文件
log_group = adm
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8                        # 日志文件的最大大小(兆字节)
num_logs = 5                            # 指定的日志文件数 [max_log_file_action=ROTATE]
priority_boost = 4
name_format = NONE                      # 日志文件中的主机名 有效值:NONE、HOSTNAME、FQD、NUMERIC、USER
##name = mydomain                       # [name_format=USER]
max_log_file_action = ROTATE            # 指定日志文件大小超过限制时的操作 有效值:IGNORE、SYSLOG、SUSPEND、ROTATE、KEEP_LOGS
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
transport = TCP
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
q_depth = 1200
overflow_action = SYSLOG
max_restarts = 10
plugin_dir = /etc/audit/plugins.d
end_of_event_timeout = 2

Audit Rules

显示当前规则(默认情况下没有规则如下)

# auditctl -l
No rules

参数说明

usage: auditctl [options]
    -a <l,a>                          Append rule to end of <l>ist with <a>ction
    -A <l,a>                          Add rule at beginning of <l>ist with <a>ction
    -b <backlog>                      Set max number of outstanding audit buffers
                                      allowed Default=64
    -c                                Continue through errors in rules
    -C f=f                            Compare collected fields if available:
                                      Field name, operator(=,!=), field name
    -d <l,a>                          Delete rule from <l>ist with <a>ction
                                      l=task,exit,user,exclude,filesystem
                                      a=never,always
    -D                                Delete all rules and watches
    -e [0..2]                         Set enabled flag
    -f [0..2]                         Set failure flag
                                      0=silent 1=printk 2=panic
    -F f=v                            构建规则:字段名, operator(=,!=,<,>,<=,
                                      >=,&,&=) value
    -h                                Help
    -i                                Ignore errors when reading rules from file
    -k <key>                          设置用于搜索日志的关键字
    -l                                List rules
    -m text                           Send a user-space message
    -p [r|w|x|a]                      指定审计的目标操作
                                      r=read, w=write, x=execute, a=attribute
    -q <mount,subtree>                make subtree part of mount point's dir watches
    -r <rate>                         Set limit in messages/sec (0=none)
    -R <file>                         read rules from file
    -s                                Report status
    -S syscall                        构建规则:系统调用名称或编号
    --signal <signal>                 Send the specified signal to the daemon
    -t                                Trim directory watches
    -v                                Version
    -w <path>                         Insert watch at <path>
    -W <path>                         Remove watch at <path>
    --loginuid-immutable              Make loginuids unchangeable once set
    --backlog_wait_time               Set the kernel backlog_wait_time
    --reset-lost                      Reset the lost record counter
    --reset_backlog_wait_time_actual  Reset the actual backlog wait time counter

将审计规则(读取)设置为 [/etc/hosts]

设置规则

# auditctl -w /etc/hosts -p wa -k hosts_change

查看规则

# auditctl -l
-w /etc/hosts -p wa -k hosts_change

修改hosts文件

# echo "127.0.0.1    172-16-18-31" >> /etc/hosts

查看日志

# ausearch -k hosts_change | aureport -f -i
File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 04/04/2023 12:45:42 /etc/hosts~ rename yes /usr/bin/vim.basic ubuntu 82
2. 04/04/2023 12:45:42 /etc/hosts openat yes /usr/bin/vim.basic ubuntu 83
3. 04/04/2023 12:45:42 (null) fchown yes /usr/bin/vim.basic ubuntu 84
4. 04/04/2023 12:45:42 (null) fchown yes /usr/bin/vim.basic ubuntu 85
5. 04/04/2023 12:45:42 (null) fchmod yes /usr/bin/vim.basic ubuntu 86
6. 04/04/2023 12:45:42 /etc/hosts setxattr yes /usr/bin/vim.basic ubuntu 87

将审计规则(读取)设置为 [/opt/test/]

设置规则

# auditctl -w /opt/test -p r -k testdir_audit

查看规则

# auditctl -l
-w /etc/hosts -p wa -k hosts_change
-w /opt/test -p r -k testdir_audit

操作 /opt/test

# ls -l /opt/test/test1/
total 0

查看日志

# ausearch -k testdir_audit | aureport -f -i
File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 04/04/2023 12:54:56 /opt/test sendto yes /usr/sbin/auditctl ubuntu 88
...
13. 04/04/2023 13:17:09 /opt/test/test1/ lgetxattr no /usr/bin/ls ubuntu 122
14. 04/04/2023 13:17:09 /opt/test/test1/ getxattr no /usr/bin/ls ubuntu 123
15. 04/04/2023 13:17:09 /opt/test/test1/ getxattr no /usr/bin/ls ubuntu 124
16. 04/04/2023 13:17:09 /opt/test/test1/ openat yes /usr/bin/ls ubuntu 125

设置审计规则来监控 UID 超过 1000 的用户删除的文件

设置规则

# auditctl -a always,exit -F arch=b64 -S unlink,unlinkat -F 'auid>=1000' -F 'auid!=-1' -F key=delete_audit

操作记录

$ id
uid=1000(ubuntu) gid=1000(ubuntu) groups=1000(ubuntu),4(adm),24(cdrom),27(sudo),30(dip),46(plugdev),110(lxd)
$ rm -rf 1.txt

查看日志

# ausearch -k delete_audit | aureport -f -i
File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 04/04/2023 13:11:33 1.txt unlinkat yes /usr/bin/rm ubuntu 111

规则持久化

# auditctl -l >> /etc/audit/rules.d/additional.rules

查看auditd日志

audit.log

# tail -f /var/log/audit/audit.log
type=PROCTITLE msg=audit(1680578718.830:70): proctitle="su"
type=UNKNOWN[1420] msg=audit(1680578718.830:70): subj_apparmor=unconfined
type=CRED_ACQ msg=audit(1680578718.830:71): pid=58628 uid=0 auid=1000 ses=51 subj=? msg='op=PAM:setcred grantors=pam_rootok acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=/dev/pts/5 res=success'UID="root" AUID="ubuntu"
type=SYSCALL msg=audit(1680578718.830:71): arch=c000003e syscall=44 success=yes exit=132 a0=3 a1=7ffefad9bf10 a2=84 a3=0 items=0 ppid=58627 pid=58628 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=51 comm="su" exe="/usr/bin/su" subj=? key=(null)ARCH=x86_64 SYSCALL=sendto AUID="ubuntu" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1680578718.830:71): proctitle="su"
type=UNKNOWN[1420] msg=audit(1680578718.830:71): subj_apparmor=unconfined
type=USER_START msg=audit(1680578718.830:72): pid=58628 uid=0 auid=1000 ses=51 subj=? msg='op=PAM:session_open grantors=pam_env,pam_env,pam_mail,pam_limits,pam_permit,pam_umask,pam_unix,pam_systemd acct="root" exe="/usr/bin/su" hostname=? addr=? terminal=/dev/pts/5 res=success'UID="root" AUID="ubuntu"
type=SYSCALL msg=audit(1680578718.830:72): arch=c000003e syscall=44 success=yes exit=204 a0=4 a1=7ffefad9bf10 a2=cc a3=0 items=0 ppid=58627 pid=58628 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts5 ses=51 comm="su" exe="/usr/bin/su" subj=? key=(null)ARCH=x86_64 SYSCALL=sendto AUID="ubuntu" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1680578718.830:72): proctitle="su"
type=UNKNOWN[1420] msg=audit(1680578718.830:72): subj_apparmor=unconfined

搜索 USER_LOGIN 相关日志

# ausearch --message USER_LOGIN --interpret
----
type=USER_LOGIN msg=audit(04/04/2023 11:24:50.830:62) : pid=58555 uid=root auid=ubuntu ses=51 subj=? msg='op=login id=ubuntu exe=/usr/sbin/sshd hostname=172.16.3.213 addr=172.16.3.213 terminal=/dev/pts/4 res=success' 

通过用户 ID 1000 搜索 sudo 操作

# ausearch -x sudo -ua 1000
----
time->Tue Apr  4 11:25:16 2023
type=USER_ACCT msg=audit(1680578716.738:63): pid=58625 uid=1000 auid=1000 ses=51 subj=? msg='op=PAM:accounting grantors=pam_permit acct="ubuntu" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/4 res=success'
----
time->Tue Apr  4 11:25:16 2023
type=UNKNOWN[1420] msg=audit(1680578716.738:63): subj_apparmor=unconfined
type=PROCTITLE msg=audit(1680578716.738:63): proctitle=7375646F0073
type=SYSCALL msg=audit(1680578716.738:63): arch=c000003e syscall=44 success=yes exit=140 a0=6 a1=7ffc2bea29d0 a2=8c a3=0 items=0 ppid=58615 pid=58625 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts4 ses=51 comm="sudo" exe="/usr/bin/sudo" subj=? key=(null)
----
time->Tue Apr  4 11:25:16 2023
type=USER_CMD msg=audit(1680578716.738:64): pid=58625 uid=1000 auid=1000 ses=51 subj=? msg='cwd="/home/ubuntu" cmd="s" exe="/usr/bin/sudo" terminal=pts/4 res=failed'
----
time->Tue Apr  4 11:25:16 2023
type=UNKNOWN[1420] msg=audit(1680578716.738:64): subj_apparmor=unconfined
type=PROCTITLE msg=audit(1680578716.738:64): proctitle=7375646F0073
type=SYSCALL msg=audit(1680578716.738:64): arch=c000003e syscall=44 success=yes exit=92 a0=6 a1=7ffc2be9ea60 a2=5c a3=0 items=0 ppid=58615 pid=58625 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts4 ses=51 comm="sudo" exe="/usr/bin/sudo" subj=? key=(null)
----

搜索从 2023/01/19 到 2023/04/04 登录用户 ID 1000 的用户的日志

# ausearch --start 04/04/2023 --end 04/04/2023 -ul 1000
time->Tue Apr  4 11:25:18 2023
type=UNKNOWN[1420] msg=audit(1680578718.826:66): subj_apparmor=unconfined
type=PROCTITLE msg=audit(1680578718.826:66): proctitle=7375646F007375
type=SYSCALL msg=audit(1680578718.826:66): arch=c000003e syscall=44 success=yes exit=92 a0=6 a1=7fff96df32b0 a2=5c a3=0 items=0 ppid=58615 pid=58626 auid=1000 uid=1000 gid=1000 euid=0 suid=0 fsuid=0 egid=1000 sgid=1000 fsgid=1000 tty=pts4 ses=51 comm="sudo" exe="/usr/bin/sudo" subj=? key=(null)
----
time->Tue Apr  4 11:25:18 2023
type=CRED_REFR msg=audit(1680578718.826:67): pid=58626 uid=1000 auid=1000 ses=51 subj=? msg='op=PAM:setcred grantors=pam_permit,pam_cap acct="root" exe="/usr/bin/sudo" hostname=? addr=? terminal=/dev/pts/4 res=success'
----

aureport

显示没有参数的完整摘要

# aureport
总结报告
======================
日志中的时间范围: 04/04/2023 11:17:43.528 - 04/04/2023 12:17:01.477
选定报告时间: 04/04/2023 11:17:43 - 04/04/2023 12:17:01.477
配置更改次数:4
帐户、组或角色的更改次数:5
登录次数:10
登录失败次数:3
认证数量:14
认证失败次数:7
用户数:4
终端数量:6
主机名数量:3
可执行文件数量:10
命令数:12
文件数:0
AVC 的数量:0
MAC 事件数:0
失败的系统调用数:0
异常事件数:0
异常事件响应数:0
加密事件数:0
完整性事件数:0
虚拟事件数:0
键数:0
进程 ID 数:38
事件数:491

显示认证日志种类 

# aureport -au

鉴定报告
============================================
# 日期时间 acct host term exe 成功事件
============================================
1. 04/04/2023 11:25:18 root ? /dev/pts/5 /usr/bin/su yes 69

显示各种失败的认证日志

# aureport -au --failed --summary
失败的身份验证摘要报告
=============================
total  acct
=============================
3  debian
3  ubuntu
1  root

显示用户帐户日志的修改类型

# aureport -m -i
账户修改报告
=============================================== == 
# date time auid addr term exe acct 成功事件
====================================== =========== 
1. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 68
2. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 69
3. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 70
4. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/useradd ? yes 71
5. 12/20/2022 11:30:54 root dlp.srv.world ttyS0 /usr/bin/passwd debian yes 74

显示自本月以来用户帐户日志的修改类型

# aureport -m -i --start this-month
Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
1. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 68
2. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 69
3. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/groupadd ? yes 70
4. 12/20/2022 11:30:47 root dlp.srv.world ttyS0 /usr/sbin/useradd ? yes 71
5. 12/20/2022 11:30:54 root dlp.srv.world ttyS0 /usr/bin/passwd debian yes 74

显示各种执行日志

# aureport -x -i
Executable Report
====================================
# date time exe term host auid event
====================================
1. 04/04/2023 11:17:43 /usr/sbin/auditctl (none) ? unset 37
2. 04/04/2023 11:17:43 /usr/sbin/auditctl (none) ? unset 38
3. 04/04/2023 11:17:43 /usr/sbin/auditctl (none) ? unset 39
4. 04/04/2023 11:17:43 /usr/lib/systemd/systemd ? ? unset 40
5. 04/04/2023 11:17:43 /usr/lib/systemd/systemd ? ? unset 43
...
69. 04/04/2023 12:17:01 /usr/sbin/cron (none) ? unset 75
70. 04/04/2023 12:17:01 /usr/sbin/cron cron ? unset 76
71. 04/04/2023 12:17:01 /usr/sbin/cron (none) ? unset 76
72. 04/04/2023 12:17:01 /usr/sbin/cron (none) ? root 77
73. 04/04/2023 12:17:01 /usr/sbin/cron cron ? root 78
74. 04/04/2023 12:17:01 /usr/sbin/cron (none) ? root 78
75. 04/04/2023 12:17:01 /usr/sbin/cron cron ? root 79
76. 04/04/2023 12:17:01 /usr/sbin/cron (none) ? root 79
77. 04/04/2023 12:17:01 /usr/sbin/cron cron ? root 80
78. 04/04/2023 12:17:01 /usr/sbin/cron (none) ? root 80

显示从 2022/12/19 到 2022/12/20 的执行日志种类

# aureport -x -i --start 12/19/2022 --end 12/20/2022
Executable Report
====================================
# date time exe term host auid event
====================================
1. 12/20/2022 11:29:48 /usr/sbin/auditctl (none) ? unset 17
2. 12/20/2022 11:29:48 /usr/sbin/auditctl (none) ? unset 18
3. 12/20/2022 11:29:48 /usr/sbin/auditctl (none) ? unset 19
4. 12/20/2022 11:29:48 /usr/lib/systemd/systemd ? ? unset 20
5. 12/20/2022 11:30:29 /usr/bin/login /dev/ttyS0 dlp.srv.world root 23

通过 UserID 1000 搜索并显示 sudo 日志

# ausearch -x sudo -ua 1000 | aureport -au
Authentication Report
============================================
# date time acct host term exe success event
============================================
1. 12/20/2022 11:32:39 ubuntu dlp.srv.world /dev/ttyS0 /usr/bin/sudo yes 191
2. 12/20/2022 11:34:22 ubuntu dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 277
3. 12/20/2022 11:34:26 ubuntu dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 278
4. 12/20/2022 11:34:28 ubuntu dlp.srv.world /dev/ttyS0 /usr/bin/sudo no 279

通过UserID 1000搜索并显示执行日志

# ausearch -ui 1001 | aureport -x -i

Executable Report
====================================
# date time exe term host auid event
====================================
1. 12/20/2022 11:33:56 /usr/bin/sudo /dev/ttyS0 dlp.srv.world debian 252
2. 12/20/2022 11:33:56 /usr/bin/sudo ttyS0 ? debian 252
3. 12/20/2022 11:33:56 /usr/bin/sudo /dev/ttyS0 dlp.srv.world debian 253
4. 12/20/2022 11:33:56 /usr/bin/sudo ttyS0 ? debian 253
5. 12/20/2022 11:33:56 /usr/bin/sudo ttyS0 ? debian 254
6. 12/20/2022 11:33:56 /usr/bin/sudo ttyS0 ? debian 254
7. 12/20/2022 11:33:59 /usr/bin/su /dev/ttyS0 dlp.srv.world debian 255
8. 12/20/2022 11:33:59 /usr/bin/su ttyS0 ? debian 255

参考文档

https://www.server-world.info/en/note?os=Ubuntu_22.04&p=audit&f=1

posted @ 2023-04-04 13:19  小吉猫  阅读(2470)  评论(0编辑  收藏  举报