Skip to main content

audit

apk add audit
service auditd start

ls /usr/share/audit/sample-rules/

auditctl -R /etc/audit/audit.rules # load rules
auditctl -s # report status
auditctl -l # list rules
auditctl -D # flush rules
auditctl -w /var/lib -p w
auditctl -w /etc -p w

# auditctl -w /etc/hosts -p war -k hostswrap
ausearch

sudo tail -f /var/log/audit/audit.log

ausearch -f /etc/passwd
ausearch --message USER_LOGIN --success no --interpret

aureport -x
aureport -x --summary
aureport -t # 时间范围
aureport --start this-week
aureport --start this-week --key --summary

auditd

  • /etc/audit/rules.d/audit.rules
  • /var/log/audit/audit.log
# -w file -p permissions -k key_name
auditctl -w /etc/passwd -p wa -k user-modify
# useradd testuser # 会修改 /etc/passwd
cat /var/log/audit/audit.log | grep user-modify

ausearch -i -k user-modify
aureport -x

以 root 执行的命令

-a exit,always -F arch=b64 -F euid=0 -S execve -k root-commands
-a exit,always -F arch=b32 -F euid=0 -S execve -k root-commands

所有 root 的 syscall

-a exit,always -S all -F euid=0 -F perm=awx -k root-commands
ausearch -k root-commands

ausearch

ausearch -f /var/lib -i

augenrules

# /etc/audit/rules.d -> /etc/audit/audit.rules
augenrules

augenrules --load
prefixfor
10Kernel and auditctl configuration
20Rules that could match general rules but you want a different match
30Main rules
40Optional rules
50Server-specific rules
70System local rules
90Finalize (immutable)

conf

  • /etc/audit/audit.rules.stop.pre
  • /etc/audit/audit.rules.stop.post
  • /etc/audit/audit.rules
  • /etc/audit/audit-stop.rules
    • stop 时设置的 rules
  • /etc/audit/auditd.conf
  • AUDITD_LANG=C
  • /etc/audit/rules.d
    • augenrules
audit-stop.rules
# Disable auditing
-e 0

# Delete all rules
-D

rules

FS

-w path-to-file -p permissions -k keyname
  • permissions
    • r - read
    • w - write
    • x - execute
    • a - change attr

syscall

-a action,list -S syscall -F field=value -k keyname
  • action - always,never
  • list/filter - task, exit, user, exclude, filesystem, io_uring
    • kernel rule-matching filter

log

type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd_config"
type=CWD msg=audit(1364481363.243:24287): cwd="/home/shadowman"
type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1364481363.243:24287) : proctitle=636174002F6574632F7373682F737368645F636F6E666967
type=SYSCALL msg=audit(1687705400.741:250): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffe429aec10 a2=a0002 a3=0 items=1 ppid=15931 pid=13750 auid=4294967295 uid=999 gid=999 euid=999 suid=999 fsuid=999 egid=999 sgid=999 fsgid=999 tty=(none) ses=4294967295 comm="postgres" exe="/usr/lib/postgresql/15/bin/postgres" key=(null)ARCH=x86_64 SYSCALL=openat AUID="unset" UID="etcd" GID="ping" EUID="etcd" SUID="etcd" FSUID="etcd" EGID="ping" SGID="ping" FSGID="ping"
type=CWD msg=audit(1687705400.741:250): cwd="/var/lib/postgresql/data/pgdata"
type=PATH msg=audit(1687705400.741:250): item=0 name="/dev/shm/PostgreSQL.845382982" inode=3 dev=00:90 mode=0100600 ouid=999 ogid=999 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0OUID="etcd" OGID="ping"
type=PROCTITLE msg=audit(1687705400.741:250): proctitle=706F7374677265733A206175746F76616375756D20776F726B657220
  • audit(timestamp:ID) - 1364481363.243:24287
    • timestamp 和 serial number 相同,同一个事件
  • arch=c000003e
    • x86_64
  • syscall
    • /usr/include/asm/unistd_64.h
    • syscall
  • SYSCALL
    • syscall=N,success=yes/no,exit=N
    • aN=参数
    • items=N 之后有多少个 PATH
    • ppid - Parent Process ID
    • pid - Process ID
    • auid - Audit user ID - loginuid
    • uid,gid
    • euid,egid - effective user/group ID
    • suid,sgid - set user/group ID - who started the analyzed process
    • fsuid,fsgid - file system user ID
    • tty
    • ses - session ID
    • comm - 命令
    • exe - 可执行文件完整路径
    • key - 用于标识事件的字符串
    • subj - SELinux
  • CWD
    • cwd
  • PATH
    • item - Index of items
    • name
    • inode
    • dev
    • mode
    • ouid,ogid
    • rdev - recorded device identifier
    • nametype
    • cap_fp, cap_fi, cap_fe, cap_fver - permitted, inherited, effective bit, version
    • cap_frootid
    • obj - SELinux
  • PROCTITLE
    • proctitle - 编码后进程标题
typeattr
SYSCALL
CWD
PATH
PROCTITLE

reference

# AVC Access Vector Cache used by SELinux/Apparmor
# https://serverfault.com/a/954291/190601
auditctl -a never,exclude -F msgtype=AVC
audit.rules
# First rule - delete all
-D

# increase the buffers to survive stress events. make this bigger for busy systems.
-b 1024

# monitor unlink() and rmdir() system calls.
-a exit,always -S unlink -S rmdir

# monitor open() system call by Linux UID 1001.
-a exit,always -S open -F loginuid=1001

# monitor write-access and change in file properties (read/write/execute) of the following files.
-w /etc/group -p wa
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/sudoers -p wa

# monitor read-access of the following directory.
-w /etc/secret_directory -p r

# lock the audit configuration to prevent any modification of this file.
-e 2