Linux audit log分析工具---aureport、ausearch、autrace
Linux audit log分析工具---aureport、ausearch、autrace
一、概述
上一篇(理解Linux Audit Service.)我们主要解析了audit服务的结构,audit服务的配置以及如何阅读audit log各项所代表的意思。这一篇我们主要介绍如何利用audit提供的三个工具aureport、ausearch、autrace有针对性地去统计分析以及跟踪log日志。
二、aureport
RAW类型的audit log会存放在/var/log/audit目录下,这些log体量大而且比较难懂,用aureport可以轻易的统计量化日志报告:
aureport -if audit.log.2 #aureport 没带任何参数,仅用-if指定一个audit log文件, 统计出它的总体的log报告, 如何不指定文件,显示当前audit的统计。
Summary Report
======================
Range of time in logs: 03/02/09 14:13:38.225 - 17/02/09 14:52:27.971
Selected time for report: 03/02/09 14:13:38 - 17/02/09 14:52:27.971
Number of changes in configuration: 13
Number of changes to accounts, groups, or roles: 0
Number of logins: 6
Number of failed logins: 13
Number of authentications: 7
Number of failed authentications: 573
Number of users: 1
Number of terminals: 9
Number of host names: 4
Number of executables: 17
Number of files: 279
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 994
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 2
Number of process IDs: 1211
Number of events: 5320
aureport -l
aureport -l -ts 14:00 -te 15:00 -if audit.log.2 #对于audit.log.2的log文件,统计出从14:00到15:00的用户登录信息。
Login Report
============================================
# date time auid host term exe success event
============================================
1. 17/02/09 14:21:09 root: 192.168.2.100 sshd /usr/sbin/sshd no 7718
2. 17/02/09 14:21:15 0 jupiter /dev/pts/3 /usr/sbin/sshd yes 7724
aureport --failed/success
aureport --failed #针对失败的event的统计,如果统计成功的用aureport --success
Failed Summary Report
======================
Range of time in logs: 03/02/09 14:13:38.225 - 17/02/09 14:57:35.183
Selected time for report: 03/02/09 14:13:38 - 17/02/09 14:57:35.183
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 13
Number of authentications: 0
Number of failed authentications: 574
Number of users: 1
Number of terminals: 5
Number of host names: 4
Number of executables: 11
Number of files: 77
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 994
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 2
Number of process IDs: 708
Number of events: 1583
aureport -u -i --summary #对用户的event进行总体统计
User Summary Report
===========================
total auid
===========================
5640 root
13 tux
3 wilber
aureport -e -ts 14:00 -te 14:21 #从14:00到14:21的event事件列表。
Event Report
===================================
# date time event type auid success
===================================
1. 17/02/09 14:20:27 7462 DAEMON_START 0 yes
2. 17/02/09 14:20:27 7715 CONFIG_CHANGE 0 yes
3. 17/02/09 14:20:57 7716 USER_END 0 yes
4. 17/02/09 14:20:57 7717 CRED_DISP 0 yes
5. 17/02/09 14:21:09 7718 USER_LOGIN -1 no
6. 17/02/09 14:21:15 7719 USER_AUTH -1 yes
7. 17/02/09 14:21:15 7720 USER_ACCT -1 yes
8. 17/02/09 14:21:15 7721 CRED_ACQ -1 yes
9. 17/02/09 14:21:15 7722 LOGIN 0 yes
10. 17/02/09 14:21:15 7723 USER_START 0 yes
11. 17/02/09 14:21:15 7724 USER_LOGIN 0 yes
12. 17/02/09 14:21:15 7725 CRED_REFR 0 yes
aureport -p #对于进程所有event的信息
Process ID Report
======================================
# date time pid exe syscall auid event
======================================
1. 13/02/09 15:30:01 32742 /usr/sbin/cron 0 0 35
2. 13/02/09 15:30:01 32742 /usr/sbin/cron 0 0 36
3. 13/02/09 15:38:34 32734 /usr/lib/gdm/gdm-session-worker 0 -1 37
aureport -s #system call的报告
Syscall Report
=======================================
# date time syscall pid comm auid event
=======================================
1. 16/02/09 17:45:01 2 20343 cron -1 2279
2. 16/02/09 17:45:02 83 20350 mktemp 0 2284
3. 16/02/09 17:45:02 83 20351 mkdir 0 2285
aureport -x #从可执行的角度去查看audit log
Executable Report
====================================
# date time exe term host auid event
====================================
1. 13/02/09 15:08:26 /usr/sbin/sshd sshd 192.168.2.100 -1 12
2. 13/02/09 15:08:28 /usr/lib/gdm/gdm-session-worker :0 ? -1 13
3. 13/02/09 15:08:28 /usr/sbin/sshd ssh 192.168.2.100 -1 14
aureport -f #生成一个文件相关event的日志报告
File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 16/02/09 17:45:01 /etc/shadow 2 yes /usr/sbin/cron -1 2279
2. 16/02/09 17:45:02 /tmp/ 83 yes /bin/mktemp 0 2284
3. 16/02/09 17:45:02 /var 83 no /bin/mkdir 0 2285
aureport -u #对于用户在系统运行命令的生成的报告
User ID Report
====================================
# date time auid term host exe event
====================================
1. 13/02/09 15:08:26 -1 sshd 192.168.2.100 /usr/sbin/sshd 12
2. 13/02/09 15:08:28 -1 :0 ? /usr/lib/gdm/gdm-session-worker 13
3. 14/02/09 08:25:39 -1 ssh 192.168.2.101 /usr/sbin/sshd 14
aureport -l -i #用户登录事件生成的报告
Login Report
============================================
# date time auid host term exe success event
============================================
1. 13/02/09 15:08:31 tux: 192.168.2.100 sshd /usr/sbin/sshd no 19
2. 16/02/09 12:39:05 root: 192.168.2.101 sshd /usr/sbin/sshd no 2108
3. 17/02/09 15:29:07 geeko: ? tty3 /bin/login yes 7809
aureport -t #查看audit log文件包含日志的起止时间
Log Time Range Report
=====================
/var/log/audit/audit.log: 03/02/09 14:13:38.225 - 17/02/09 15:30:01.636
三、ausearch
aureport帮助我们生成总体的日志总结, 如果我们对特定的event感兴趣,我们可以通过ausearch去过滤想要的日志。
ausearch - option -if audit.log.2
它可以指定特定的日志文件进行分析, 通过加上"-i"可以将数据格式的,转化成可读的文本格式,比如user ID 和ASCII 码形式的cmd。
ausearch -a 5207 #搜寻当期audit服务中event ID等于5207的log
----
time->Tue Feb 17 13:43:58 2009
type=PATH msg=audit(1234874638.599:5207): item=0 name="/var/log/audit/audit.log" inode=1219041 dev=08:06 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1234874638.599:5207): cwd="/root"
ausearch -m #按消息类型查找
ausearch -ul #按登陆ID查找
ausearch -ua #按uid和euid查找
ausearch -ui #按uid查找
ausearch -ue #按euid查找
ausearch -ga #按gid和egid查找
ausearch -gi #按gid查找
ausearch -ge #按egid查找
ausearch -c #按cmd查找
ausearch -x #按exe查找
ausearch -sc #按syscall查找
ausearch -p #按pid查找
ausearch -sv #按syscall的返回值查找(yes/no)
ausearch -f #按文件名查找
ausearch -tm #按连接终端查找(term/ssh/tty)
ausearch -hn #按主机名查找
ausearch -k #按特定的key值查找
ausearch -w #按在audit rule设定的字符串查找
四、autrace
为了跟踪设置的rule有没有生效,我们经常会追踪指定的进程,autrace生成的log会存放在/var/log/audit/audit.log。 当用autrace去跟踪一个进程时,为了保证避免autrace与之前audit rule生成的日志冲突,使用auditctl -D去停止所有的audit log, 当autrace结束后,使用systemctl restart auditd重启audit服务。
auditctl -D
No rules
autrace /usr/bin/less
Waiting to execute: /usr/bin/less
Cleaning up...
No rules
Trace complete. You can locate the records with 'ausearch -i -p 7642'
五、日志的可视化
aureport -e -i --summary #分类统计事件数量
Event Summary Report
======================
total type
======================
2434 SYSCALL
816 USER_START
816 USER_ACCT
814 CRED_ACQ
810 LOGIN
806 CRED_DISP
779 USER_END
99 CONFIG_CHANGE
52 USER_LOGIN
aureport -e -i --summary | mkbar events #分类统计事件数量,并画出图表。
以上就是audit service到生成aduit log的所有内容,中间省略了audisp作为audit event的分发器,将事件实时分类发送到各应用程序。下一篇将列出Audit Record Type的所有列表贡查阅。
suse文档:[了解 Linux 审计][1]