The Linux audit system consists of the kernel audit subsystem and several processes; the auditd service is the user-space daemon of the Linux audit subsystem. The kernel audit module sends the audit messages it collects to the user-space daemon auditd for processing. By default, audit records are written to /var/log/audit/audit.log. If auditd is not running, audit messages are sent to rsyslog.
(Image source: http://doc.opensuse.org)
Audit messages come mainly from two sources:
a) The kernel and applications (through the API provided by audit-libs-devel).
b) Audit rules added by the system administrator; every event that matches a rule is recorded.
The auditd daemon is part of the audit RPM package, which is present on basically every server. It has three configuration files:
/etc/sysconfig/auditd: startup initialization parameters, usually set by
/etc/audit/auditd.conf: the main configuration file
/etc/audit/audit.rules: the rules file. Rules in this file take effect permanently. See the manual: http://man7.org/linux/man-pages/man7/audit.rules.7.html
1. Adding audit rules
Rules for the kernel audit subsystem can be added with the auditctl command (manual: http://man7.org/linux/man-pages/man8/auditctl.8.html).
The common auditctl operations are:
auditctl -e to enable or disable audit
auditctl -f to control the failure flag
auditctl -r to control the rate limit for audit messages
auditctl -b to control the backlog limit
auditctl -s to query the current status of the audit daemon
The audit rules themselves fall into three categories:
(1) File system rules
These rules watch a file for read, write, execute and attribute-change operations. When a matching access to the file occurs, an audit record is generated. For example:
auditctl -w /etc/passwd -p rwax
-p [r|w|x|a]
    Describe the permission access type that a file system watch
    will trigger on. r=read, w=write, x=execute, a=attribute
    change.
(2) Syscall rules
Their behaviour depends on the list the rule is added to. The common list settings are:

-a [list,action|action,list]

task
    Add a rule to the per task list. This rule list is used only at the time a task is created -- when fork() or clone() are called by the parent task. When using this list, you should only use fields that are known at task creation time, such as the uid, gid, etc.
    In other words, this list is evaluated when fork() or clone() creates a new process, so the only "domain" such a rule can apply to is what is visible at that moment, e.g. uid, gid, pid and so on.

exit
    Add a rule to the syscall exit list. This list is used upon exit from a system call to determine if an audit event should be created.

user
    Add a rule to the user message filter list. This list is used by the kernel to filter events originating in user space before relaying them to the audit daemon. It should be noted that the only fields that are valid are: uid, auid, gid, pid, subj_user, subj_role, subj_type, subj_sen, subj_clr, and msgtype. All other fields will be treated as non-matching. It should be understood that any event originating from user space from a process that has CAP_AUDIT_WRITE will be recorded into the audit trail. This means that the most likely use for this filter is with rules that have an action of never since nothing has to be done to allow events to be recorded.

exclude
    Add a rule to the event type exclusion filter list. This list is used to filter events that you do not want to see. For example, if you do not want to see any avc messages, you would use this list to record that. The message type that you do not wish to see is given with the msgtype field.

The following describes the valid actions for the rule:

never
    No audit records will be generated. This can be used to suppress event generation. In general, you want suppressions at the top of the list instead of the bottom. This is because the event triggers on the first matching rule.

always
    Allocate an audit context, always fill it in at syscall entry time, and always write out a record at syscall exit time.
For example, to record every call of the mkdir system call made by the root user:
auditctl -a exit,always -F uid=root -S mkdir
(3) Control rules
Control rules are usually issued while configuring the audit subsystem itself, for example to delete audit rules, set the size of the audit backlog queue, or make auditctl ignore syntax errors.
2. Audit messages
Audit messages are usually viewed with ausearch (a tool to query audit daemon logs; manual: http://man7.org/linux/man-pages/man8/ausearch.8.html).
An audit message has the following format:
type=SYSCALL msg=audit(1168206647.422:5227): arch=c000003e syscall=2 success=no exit=-2 a0=7fff37fc5a40 a1=0 a2=2aaaaaaab000 a3=0 items=1 ppid=26640 pid=2716 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts5 comm="vim" exe="/usr/bin/vim"
Where:
msg=audit(time_stamp:event_number)
uid and gid are the original uid and gid of the process that triggered the record, while suid and sgid are the effective UID/GID in force when the record was triggered, as a result of the SUID and SGID bits being set.
exe is the name of the executable that triggered the record.
key is usually a custom, easily recognisable filter word attached to a rule, e.g. ausearch --key "passwd-modify"
For file system rules you can also search with ausearch --file.
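The record format described above, as an added example that is not part of the original post: a small parser that splits an audit line into its fields, reads the time stamp and event number out of msg=audit(...), and resolves syscall= and exit= into names. The arch table and the per-architecture syscall maps are deliberately tiny so the code runs offline; on a real host use ausyscall or aureport -i from the audit package for the full tables. The second sample record is constructed for this example.

```python
# Added example (not from the original post): parse auditd SYSCALL records
# of the form shown above and resolve the architecture-specific syscall
# number and errno. The first sample record is the one quoted in the post;
# the second is constructed for this example.
import errno
import re
from datetime import datetime, timezone

# AUDIT_ARCH_* values as they appear in the arch= field, and a small
# per-architecture syscall map so the example runs offline. Only the
# numbers used here are included; on a real host resolve numbers with
# `ausyscall <arch> <number>` or `aureport -s -i` from the audit package.
ARCH_NAMES = {"c000003e": "x86_64", "40000003": "i386"}
SYSCALL_NAMES = {
    "x86_64": {0: "read", 1: "write", 2: "open", 59: "execve", 83: "mkdir"},
    "i386": {2: "fork", 3: "read", 4: "write", 5: "open", 11: "execve", 39: "mkdir"},
}

HEADER_RE = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$"
)
# key=value pairs; values may be quoted (comm="vim") or bare (pid=2716)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one audit line into a dict of its fields plus the parsed header."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("body"))}
    rec["type"] = m.group("type")
    rec["timestamp"] = float(m.group("ts"))
    rec["serial"] = int(m.group("serial"))  # event number shared by all records of one event
    rec["time"] = datetime.fromtimestamp(rec["timestamp"], tz=timezone.utc)
    return rec


def describe_syscall(rec):
    """Return (arch name, syscall name) for a SYSCALL record.

    The number in syscall= is only meaningful together with arch=: the
    same number names different calls on i386 and x86_64.
    """
    arch = ARCH_NAMES.get(rec.get("arch", ""), "unknown")
    num = int(rec.get("syscall", -1))
    return arch, SYSCALL_NAMES.get(arch, {}).get(num, "syscall#%d" % num)


def decode_exit(rec):
    """Map exit=-N of a failed call to its errno name ('OK' when success=yes)."""
    if rec.get("success") == "yes":
        return "OK"
    code = -int(rec.get("exit", "0"))
    return errno.errorcode.get(code, "errno %d" % code)


def failed_calls(lines):
    """Detection helper: summarise every SYSCALL record whose call failed."""
    out = []
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if rec["type"] != "SYSCALL" or rec.get("success") == "yes":
            continue
        arch, name = describe_syscall(rec)
        out.append((rec["serial"], arch, name, decode_exit(rec), rec.get("exe")))
    return out


# Constructed sample log: the post's record plus one i386 record that
# shows why arch= must be read before interpreting syscall=.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1168206647.422:5227): arch=c000003e syscall=2 success=no exit=-2 '
    'a0=7fff37fc5a40 a1=0 a2=2aaaaaaab000 a3=0 items=1 ppid=26640 pid=2716 auid=501 uid=501 '
    'gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts5 comm="vim" exe="/usr/bin/vim"',
    'type=SYSCALL msg=audit(1168206650.000:5228): arch=40000003 syscall=2 success=yes exit=4242 '
    'a0=0 a1=0 a2=0 a3=0 items=0 ppid=1 pid=4242 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 '
    'egid=0 sgid=0 fsgid=0 tty=pts0 comm="bash" exe="/bin/bash"',
]

if __name__ == "__main__":
    for serial, arch, name, status, exe in failed_calls(SAMPLE_LOG):
        print(serial, arch, name, status, exe)
    for line in SAMPLE_LOG:
        print(describe_syscall(parse_record(line)))
```

Run as a script it reports event 5227 as a failed open (ENOENT) by /usr/bin/vim on x86_64, and shows that syscall=2 means open on x86_64 but fork on i386, which is why the record's arch field must be consulted before any syscall number is interpreted.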
3. Audit reports
aureport (a tool that produces summary reports of audit daemon logs) can be used to create brief reports. Manual: http://man7.org/linux/man-pages/man8/aureport.8.html
For example, to report the system's syscalls:
# aureport -s | more
The syscall numbers (syscall#) are defined in the syscallent.h header. Note that the table below is the 32-bit i386 numbering; on x86_64 (arch=c000003e in the record above) the numbers differ, e.g. syscall 2 is open rather than fork, so resolve numbers for the right architecture with ausyscall or aureport -i:

/* Linux system calls */
"0", /* 0 */ "exit", /* 1 */ "fork", /* 2 */ "read", /* 3 */ "write", /* 4 */ "open", /* 5 */
"close", /* 6 */ "waitpid", /* 7 */ "creat", /* 8 */ "link", /* 9 */ "unlink", /* 10 */ "execve", /* 11 */
"chdir", /* 12 */ "time", /* 13 */ "mknod", /* 14 */ "chmod", /* 15 */ "lchown", /* 16 */ "break", /* 17 */
"oldstat", /* 18 */ "lseek", /* 19 */ "getpid", /* 20 */ "mount", /* 21 */ "umount", /* 22 */ "setuid", /* 23 */
"getuid", /* 24 */ "stime", /* 25 */ "ptrace", /* 26 */ "alarm", /* 27 */ "oldfstat", /* 28 */ "pause", /* 29 */
"utime", /* 30 */ "stty", /* 31 */ "gtty", /* 32 */ "access", /* 33 */ "nice", /* 34 */ "ftime", /* 35 */
"sync", /* 36 */ "kill", /* 37 */ "rename", /* 38 */ "mkdir", /* 39 */ "rmdir", /* 40 */ "dup", /* 41 */
"pipe", /* 42 */ "times", /* 43 */ "prof", /* 44 */ "brk", /* 45 */ "setgid", /* 46 */ "getgid", /* 47 */
"signal", /* 48 */ "geteuid", /* 49 */ "getegid", /* 50 */ "acct", /* 51 */ "umount2", /* 52 */ "lock", /* 53 */
"ioctl", /* 54 */ "fcntl", /* 55 */ "mpx", /* 56 */ "setpgid", /* 57 */ "ulimit", /* 58 */ "oldolduname", /* 59 */
"umask", /* 60 */ "chroot", /* 61 */ "ustat", /* 62 */ "dup2", /* 63 */ "getppid", /* 64 */ "getpgrp", /* 65 */
"setsid", /* 66 */ "sigaction", /* 67 */ "sgetmask", /* 68 */ "ssetmask", /* 69 */ "setreuid", /* 70 */ "setregid", /* 71 */
"sigsuspend", /* 72 */ "sigpending", /* 73 */ "sethostname", /* 74 */ "setrlimit", /* 75 */ "getrlimit", /* 76 */ "getrusage", /* 77 */
"gettimeofday", /* 78 */ "settimeofday", /* 79 */ "getgroups", /* 80 */ "setgroups", /* 81 */ "select", /* 82 */ "symlink", /* 83 */
"oldlstat", /* 84 */ "readlink", /* 85 */ "uselib", /* 86 */ "swapon", /* 87 */ "reboot", /* 88 */ "readdir", /* 89 */
"mmap", /* 90 */ "munmap", /* 91 */ "truncate", /* 92 */ "ftruncate", /* 93 */ "fchmod", /* 94 */ "fchown", /* 95 */
"getpriority", /* 96 */ "setpriority", /* 97 */ "profil", /* 98 */ "statfs", /* 99 */ "fstatfs", /* 100 */ "ioperm", /* 101 */
"socketcall", /* 102 */ "syslog", /* 103 */ "setitimer", /* 104 */ "getitimer", /* 105 */ "stat", /* 106 */ "lstat", /* 107 */
"fstat", /* 108 */ "olduname", /* 109 */ "iopl", /* 110 */ "vhangup", /* 111 */ "idle", /* 112 */ "vm86old", /* 113 */
"wait4", /* 114 */ "swapoff", /* 115 */ "sysinfo", /* 116 */ "ipc", /* 117 */ "fsync", /* 118 */ "sigreturn", /* 119 */
"clone", /* 120 */ "setdomainname", /* 121 */ "uname", /* 122 */ "modify_ldt", /* 123 */ "adjtimex", /* 124 */ "mprotect", /* 125 */
"sigprocmask", /* 126 */ "create_module", /* 127 */ "init_module", /* 128 */ "delete_module", /* 129 */ "get_kernel_syms", /* 130 */ "quotactl", /* 131 */
"getpgid", /* 132 */ "fchdir", /* 133 */ "bdflush", /* 134 */ "sysfs", /* 135 */ "personality", /* 136 */ "afs_syscall", /* 137 */
"setfsuid", /* 138 */ "setfsgid", /* 139 */ "_llseek", /* 140 */ "getdents", /* 141 */ "_newselect", /* 142 */ "flock", /* 143 */
"msync", /* 144 */ "readv", /* 145 */ "writev", /* 146 */ "getsid", /* 147 */ "fdatasync", /* 148 */ "_sysctl", /* 149 */
"mlock", /* 150 */ "munlock", /* 151 */ "mlockall", /* 152 */ "munlockall", /* 153 */ "sched_setparam", /* 154 */ "sched_getparam", /* 155 */
"sched_setscheduler", /* 156 */ "sched_getscheduler", /* 157 */ "sched_yield", /* 158 */ "sched_get_priority_max", /* 159 */ "sched_get_priority_min", /* 160 */ "sched_rr_get_interval", /* 161 */
"nanosleep", /* 162 */ "mremap", /* 163 */ "setresuid", /* 164 */ "getresuid", /* 165 */ "vm86", /* 166 */ "query_module", /* 167 */
"poll", /* 168 */ "nfsservctl", /* 169 */ "setresgid", /* 170 */ "getresgid", /* 171 */ "prctl", /* 172 */ "rt_sigreturn", /* 173 */
"rt_sigaction", /* 174 */ "rt_sigprocmask", /* 175 */ "rt_sigpending", /* 176 */ "rt_sigtimedwait", /* 177 */ "rt_sigqueueinfo", /* 178 */ "rt_sigsuspend", /* 179 */
"pread", /* 180 */ "pwrite", /* 181 */ "chown", /* 182 */ "getcwd", /* 183 */ "capget", /* 184 */ "capset", /* 185 */
"sigaltstack", /* 186 */ "sendfile", /* 187 */ "getpmsg", /* 188 */ "putpmsg", /* 189 */ "vfork", /* 190 */ "ugetrlimit", /* 191 */
"mmap2", /* 192 */ "truncate64", /* 193 */ "ftruncate64", /* 194 */ "stat64", /* 195 */ "lstat64", /* 196 */ "fstat64", /* 197 */
"lchown32", /* 198 */ "getuid32", /* 199 */ "getgid32", /* 200 */ "geteuid32", /* 201 */ "getegid32", /* 202 */ "setreuid32", /* 203 */
"setregid32", /* 204 */ "getgroups32", /* 205 */ "setgroups32", /* 206 */ "fchown32", /* 207 */ "setresuid32", /* 208 */ "getresuid32", /* 209 */
"setresgid32", /* 210 */ "getresgid32", /* 211 */ "chown32", /* 212 */ "setuid32", /* 213 */ "setgid32", /* 214 */ "setfsuid32", /* 215 */
"setfsgid32", /* 216 */ "pivot_root", /* 217 */ "mincore", /* 218 */ "madvise1", /* 219 */ "getdents64", /* 220 */ "fcntl64", /* 221 */
"222", /* 222 */ "security", /* 223 */ "gettid", /* 224 */ "readahead", /* 225 */ "setxattr", /* 226 */ "lsetxattr", /* 227 */
"fsetxattr", /* 228 */ "getxattr", /* 229 */ "lgetxattr", /* 230 */ "fgetxattr", /* 231 */ "listxattr", /* 232 */ "llistxattr", /* 233 */
"flistxattr", /* 234 */ "removexattr", /* 235 */ "lremovexattr", /* 236 */ "fremovexattr", /* 237 */ "tkill", /* 238 */ "sendfile64", /* 239 */
"futex", /* 240 */ "sched_setaffinity", /* 241 */ "sched_getaffinity", /* 242 */ "set_thread_area", /* 243 */ "get_thread_area", /* 244 */ "io_setup", /* 245 */
"io_destroy", /* 246 */ "io_getevents", /* 247 */ "io_submit", /* 248 */ "io_cancel", /* 249 */ "alloc_hugepages", /* 250 */ "free_hugepages", /* 251 */
"exit_group", /* 252 */
4. Tracing a program
autrace can be used to find out, through the audit subsystem, which syscalls a program uses. While autrace runs, all additional custom rules are disabled; when the trace is finished, run auditctl -D to clear the rules.
5. A practical audit.rules configuration file
The rules below satisfy basic security needs: they monitor dangerous operations such as unlink (rm), rmdir, stime (sets the system's idea of the time and date) and setrlimit (set resource limits), as well as modifications to sensitive files.
cat /etc/audit/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 1024

-a exit,always -S unlink -S rmdir
-a exit,always -S stime.*
-a exit,always -S setrlimit.*
-w /etc/group -p wa
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/sudoers -p wa

# Disable adding any additional rules - note that adding *new* rules will require a reboot
-e 2
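The rule syntax introduced in section 1 and the rules file above, as an added example that is not part of the original post: a parser for audit.rules lines in auditctl syntax (-D, -b, -e, -w/-p watches, -a list,action with -S/-F/-k) and a checker that flags the ordering mistakes a practitioner most often makes, namely a missing -D at the top, an -e 2 that is not the last line (after the configuration is made immutable every later rule is rejected), sensitive files without a write watch, and rules without a -k key (which ausearch --key cannot find). PAGE_RULES is a copy of the post's file; BAD_RULES is constructed for the example.

```python
# Added example (not from the original post): parse and sanity-check an
# audit.rules file written in auditctl syntax. PAGE_RULES is the post's
# file; BAD_RULES is constructed to show what the checks catch.
import shlex

LISTS = {"task", "exit", "user", "exclude"}
ACTIONS = {"always", "never"}
CONTROL_OPTS = {"-b": "backlog", "-e": "enabled", "-f": "failure", "-r": "rate"}
# Files the post's rules watch; any of them left without a write watch is reported.
SENSITIVE_FILES = ("/etc/passwd", "/etc/shadow", "/etc/group", "/etc/sudoers")


def parse_rule(tokens):
    """Turn one auditctl argument list into a dict describing the rule."""
    rule = {"raw": " ".join(tokens), "kind": "control",
            "syscalls": [], "fields": [], "perms": set()}
    i = 0
    while i < len(tokens):
        opt = tokens[i]
        if opt == "-D":            # delete all rules, takes no argument
            rule["delete_all"] = True
            i += 1
            continue
        if i + 1 >= len(tokens):
            raise ValueError("option %s needs an argument" % opt)
        arg = tokens[i + 1]
        if opt in CONTROL_OPTS:
            rule[CONTROL_OPTS[opt]] = arg
        elif opt == "-w":          # file system watch
            rule["kind"], rule["path"] = "watch", arg
        elif opt == "-p":          # r/w/x/a permissions of a watch
            rule["perms"] = set(arg)
        elif opt == "-a":          # list,action in either order
            rule["kind"] = "syscall"
            for part in arg.split(","):
                if part in LISTS:
                    rule["list"] = part
                elif part in ACTIONS:
                    rule["action"] = part
                else:
                    raise ValueError("unknown list/action %r" % part)
        elif opt == "-S":
            rule["syscalls"].append(arg)
        elif opt == "-F":
            rule["fields"].append(arg)
        elif opt == "-k":
            rule["key"] = arg
        else:
            raise ValueError("unsupported option %r" % opt)
        i += 2
    return rule


def parse_rules(text):
    """Parse a whole rules file; '#' comments and blank lines are skipped."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if line:
            rules.append(parse_rule(shlex.split(line)))
    return rules


def check_rules(rules):
    """Return a list of problems; an empty list means the file passed."""
    problems = []
    if not rules or not rules[0].get("delete_all"):
        problems.append("first rule should be -D so stale rules are flushed")
    locked = [i for i, r in enumerate(rules) if r.get("enabled") == "2"]
    if locked and locked[0] != len(rules) - 1:
        problems.append("-e 2 must be the last line: once immutable, later rules are rejected")
    watched = {r["path"] for r in rules if r["kind"] == "watch" and "w" in r["perms"]}
    for path in SENSITIVE_FILES:
        if path not in watched:
            problems.append("no write watch on %s" % path)
    return problems


def missing_keys(rules):
    """Watch and syscall rules without -k; their events are hard to find with ausearch --key."""
    return [r["raw"] for r in rules if r["kind"] in ("watch", "syscall") and "key" not in r]


PAGE_RULES = """
# First rule - delete all
-D
# Increase the buffers to survive stress events.
-b 1024
-a exit,always -S unlink -S rmdir
-a exit,always -S stime.*
-a exit,always -S setrlimit.*
-w /etc/group -p wa
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/sudoers -p wa
# Disable adding any additional rules
-e 2
"""

BAD_RULES = """
-D
-e 2
-w /etc/shadow -p wa
"""

if __name__ == "__main__":
    print(check_rules(parse_rules(PAGE_RULES)))   # [] : the post's file passes
    print(missing_keys(parse_rules(PAGE_RULES)))  # 7 rules that would benefit from -k
    print(check_rules(parse_rules(BAD_RULES)))    # -e 2 placement and three unwatched files
```

The checks are static, so they catch the -e 2 ordering problem before the file is loaded; on a live system the same mistake only shows up as auditctl refusing every rule that follows the immutable flag.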
6. Managing the logs with syslog/rsyslog
This is configured through audit dispatching; the configuration file of audispd is /etc/audisp/audisp.conf.
For audispd to forward records to syslog, set active = yes in the syslog plugin's configuration file /etc/audisp/plugins.d/syslog.conf.
How to send auditd logs to a remote rsyslog server: http://serverfault.com/questions/202044/sending-audit-logs-to-syslog-server
References
Linux Manual
Introducing the Components of Linux Audit http://doc.opensuse.org/products/draft/SLES/SLES-security_sd_draft/cha.audit.comp.html
Linux services: auditd http://blog.csdn.net/updba/article/details/7389779