audit is a feature of the Linux kernel; it can be enabled with the kernel parameter audit=1.
/etc/audit/audit.rules is the audit rules file. This article describes how to use audit to watch important system resources.
1. Monitoring file-system activity (identified by the permission attributes of files and directories)
Rule format: -w <path> -p <permissions> -k <key>
The permission actions are of four kinds:
r read the file
w write the file
x execute the file
a change the file's attributes
Example: watch modifications to /etc/passwd (writes and attribute changes)
-w /etc/passwd -p wa
Adding the line above to audit.rules is all that is needed to watch that file.
Likewise, to keep the system healthy, the following resources should also be watched.
-w /etc/at.allow
-w /etc/at.deny
-w /etc/inittab -p wa
-w /etc/init.d/
-w /etc/init.d/auditd -p wa
-w /etc/cron.d/ -p wa
-w /etc/cron.daily/ -p wa
-w /etc/cron.hourly/ -p wa
-w /etc/cron.monthly/ -p wa
-w /etc/cron.weekly/ -p wa
-w /etc/crontab -p wa
-w /etc/group -p wa
-w /etc/passwd -p wa
-w /etc/shadow
-w /etc/sudoers -p wa
-w /etc/hosts -p wa
-w /etc/sysconfig/
-w /etc/sysctl.conf -p wa
-w /etc/modprobe.d/
-w /etc/aliases -p wa
-w /etc/bashrc -p wa
-w /etc/profile -p wa
-w /etc/profile.d/
-w /var/log/lastlog
-w /var/log/yum.log
-w /etc/issue -p wa
-w /etc/issue.net -p wa
-w /usr/bin/ -p wa
-w /usr/sbin/ -p wa
-w /bin -p wa
-w /etc/ssh/sshd_config
Note: if the -p option is omitted, all actions (rwxa) are watched by default.
2. Monitoring system-call activity (identified by system call)
Rule: -a <action list> -S <syscall name> -F <field>=<value> -k <key>
The system-call categories are listed at:
http://www.ibm.com/developerworks/cn/linux/kernel/syscall/part1/appendix.html
Common system calls that should be watched:
-a exit,always -F <rule field>
The action list after -a: none = do not log; exit = log after the action completes (the usual choice); entry = log as the action begins (required by some rules).
Watch for file-permission changes, since changing permissions must call umask
-a entry,always -S umask -S chown # the list after -a: always = always log; none = never log; exit = log after the action completes; entry = log as the action begins
Watch for hostname changes, since changing the hostname must call sethostname
-a entry,always -S sethostname -S setdomainname
Watch for system-time changes
-a entry,always -S adjtimex -S settimeofday -S stime
Setting the system date and time
-a entry,always -S stime
Watch user and group ID changes
-a entry,always -S setuid -S seteuid -S setreuid
-a entry,always -S setgid -S setegid -S setregid
Watch mounts
-a entry,always -S mount -S umount
Note: consult the system-call list before deciding which calls to watch. System calls are low-level and global; watching unsuitable calls puts a heavy load on the system.
Sample audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 1024
# Feel free to add below this line. See auditctl man page
-a exit,always -F arch=b64 -S umask -S chown -S chmod
-a exit,always -F arch=b64 -S unlink -S rmdir
-a exit,always -F arch=b64 -S setrlimit
-a exit,always -F arch=b64 -S setuid -S setreuid
-a exit,always -F arch=b64 -S setgid -S setregid
-a exit,always -F arch=b64 -S sethostname -S setdomainname
-a exit,always -F arch=b64 -S adjtimex -S settimeofday
-a exit,always -F arch=b64 -S mount -S _sysctl
-w /etc/group -p wa
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/sudoers -p wa
-w /etc/ssh/sshd_config
-w /etc/bashrc -p wa
-w /etc/profile -p wa
-w /etc/profile.d/
-w /etc/aliases -p wa
-w /etc/sysctl.conf -p wa
-w /var/log/lastlog
# Disable adding any additional rules - note that adding *new* rules will require a reboot
#-e 2
Reading audit reports
aureport --start this-week
aureport --user
aureport --file
aureport --summary
Script for converting timestamps in the audit log
time.pl:
s/(1\d{9})/localtime($1)/e
echo 1234567890|perl -p time.pl
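The aureport commands and the time.pl one-liner above both work on the raw records in audit.log. As an added example that is not from the original post, the following Python script parses a constructed audit.log fragment produced by a "-w /etc/passwd -p wa -k passwd" watch, joins the SYSCALL and PATH records that share one event serial, converts the audit(epoch:serial) timestamp the way time.pl does (UTC here so the result is deterministic), and prints one line per touched path, a small version of what aureport --file reports. The log lines, pids and the key name are constructed sample data.

```python
import re
from datetime import datetime, timezone

# Constructed sample records in /var/log/audit/audit.log format: an editor
# writing /etc/passwd (syscall 2 = open on x86_64) and a chmod (syscall 90).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1234567890.123:201): arch=c000003e syscall=2 success=yes exit=3 a0=7ffd a1=241 ppid=1 pid=42 auid=1000 uid=0 gid=0 comm="vim" exe="/usr/bin/vim" key="passwd"
type=PATH msg=audit(1234567890.123:201): item=0 name="/etc/passwd" inode=12 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1234567890.456:202): arch=c000003e syscall=90 success=yes exit=0 a0=7ffd a1=1ff ppid=1 pid=43 auid=1000 uid=0 gid=0 comm="chmod" exe="/usr/bin/chmod" key="passwd"
type=PATH msg=audit(1234567890.456:202): item=0 name="/etc/passwd" inode=12 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
"""

MSG_RE = re.compile(r'^type=(\w+) msg=audit\((\d+)\.(\d+):(\d+)\): (.*)$')
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one record into (type, epoch_seconds, serial, {field: value}); None if not a record."""
    m = MSG_RE.match(line)
    if not m:
        return None
    rtype, secs, _millis, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return rtype, int(secs), int(serial), fields


def group_events(log_text):
    """Records that share a serial belong to one event; merge them keyed by serial."""
    events = {}
    for line in log_text.splitlines():
        parsed = parse_record(line)
        if parsed is None:
            continue
        rtype, secs, serial, fields = parsed
        ev = events.setdefault(serial, {"time": secs, "paths": []})
        if rtype == "SYSCALL":
            ev.update(fields)          # who, which syscall, which rule key
        elif rtype == "PATH":
            ev["paths"].append(fields.get("name"))


    return events


def summarize(log_text, tz=timezone.utc):
    """One tuple per touched path: (time, serial, key, syscall, auid, comm, path)."""
    rows = []
    for serial, ev in sorted(group_events(log_text).items()):
        when = datetime.fromtimestamp(ev["time"], tz).strftime("%Y-%m-%d %H:%M:%S")
        for path in ev["paths"]:
            rows.append((when, serial, ev.get("key"), ev.get("syscall"), ev.get("auid"), ev.get("comm"), path))
    return rows


if __name__ == "__main__":
    for row in summarize(SAMPLE_LOG):
        print(*row)
```

Pass tz=None to summarize() to get local time, matching the localtime() call in time.pl.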
Reposted from: http://purplegrape.blog.51cto.com/1330104/1010148