内容纲要

Linux audit log分析工具—aureport、ausearch、autrace

一、概述

上一篇(理解Linux Audit Service.)我们主要解析了audit服务的结构,audit服务的配置以及如何阅读audit log各项所代表的意思。这一篇我们主要介绍如何利用audit提供的三个工具aureport、ausearch、autrace有针对性地去统计分析以及跟踪log日志。

二、aureport

RAW类型的audit log会存放在/var/log/audit目录下,这些log体量大而且比较难懂,用aureport可以轻易的统计量化日志报告:

aureport -if audit.log.2           #aureport 没带任何参数,仅用-if指定一个audit log文件, 统计出它的总体的log报告, 如何不指定文件,显示当前audit的统计。

Summary Report
======================
Range of time in logs: 03/02/09 14:13:38.225 - 17/02/09 14:52:27.971
Selected time for report: 03/02/09 14:13:38 - 17/02/09 14:52:27.971
Number of changes in configuration: 13
Number of changes to accounts, groups, or roles: 0
Number of logins: 6
Number of failed logins: 13
Number of authentications: 7
Number of failed authentications: 573
Number of users: 1
Number of terminals: 9
Number of host names: 4
Number of executables: 17
Number of files: 279
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 994
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 2
Number of process IDs: 1211
Number of events: 5320

aureport -l

aureport -l -ts 14:00 -te 15:00 -if audit.log.2    #对于audit.log.2的log文件,统计出从14:00到15:00的用户登录信息。

Login Report
============================================
# date time auid host term exe success event
============================================
1. 17/02/09 14:21:09 root: 192.168.2.100 sshd /usr/sbin/sshd no 7718
2. 17/02/09 14:21:15 0 jupiter /dev/pts/3 /usr/sbin/sshd yes 7724

aureport –failed/success

aureport --failed    #针对失败的event的统计,如果统计成功的用aureport --success

Failed Summary Report
======================
Range of time in logs: 03/02/09 14:13:38.225 - 17/02/09 14:57:35.183
Selected time for report: 03/02/09 14:13:38 - 17/02/09 14:57:35.183
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 13
Number of authentications: 0
Number of failed authentications: 574
Number of users: 1
Number of terminals: 5
Number of host names: 4
Number of executables: 11
Number of files: 77
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 994
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 2
Number of process IDs: 708
Number of events: 1583
aureport -u -i --summary    #对用户的event进行总体统计

User Summary Report
===========================
total  auid
===========================
5640  root
13  tux
3  wilber
aureport -e -ts 14:00 -te 14:21    #从14:00到14:21的event事件列表。

Event Report
===================================
# date time event type auid success
===================================
1. 17/02/09 14:20:27 7462 DAEMON_START 0 yes
2. 17/02/09 14:20:27 7715 CONFIG_CHANGE 0 yes
3. 17/02/09 14:20:57 7716 USER_END 0 yes
4. 17/02/09 14:20:57 7717 CRED_DISP 0 yes
5. 17/02/09 14:21:09 7718 USER_LOGIN -1 no
6. 17/02/09 14:21:15 7719 USER_AUTH -1 yes
7. 17/02/09 14:21:15 7720 USER_ACCT -1 yes
8. 17/02/09 14:21:15 7721 CRED_ACQ -1 yes
9. 17/02/09 14:21:15 7722 LOGIN 0 yes
10. 17/02/09 14:21:15 7723 USER_START 0 yes
11. 17/02/09 14:21:15 7724 USER_LOGIN 0 yes
12. 17/02/09 14:21:15 7725 CRED_REFR 0 yes
aureport -p    #对于进程所有event的信息

Process ID Report
======================================
# date time pid exe syscall auid event
======================================
1. 13/02/09 15:30:01 32742 /usr/sbin/cron 0 0 35
2. 13/02/09 15:30:01 32742 /usr/sbin/cron 0 0 36
3. 13/02/09 15:38:34 32734 /usr/lib/gdm/gdm-session-worker 0 -1 37
aureport -s   #system call的报告

Syscall Report
=======================================
# date time syscall pid comm auid event
=======================================
1. 16/02/09 17:45:01 2 20343 cron -1 2279
2. 16/02/09 17:45:02 83 20350 mktemp 0 2284
3. 16/02/09 17:45:02 83 20351 mkdir 0 2285
aureport -x   #从可执行的角度去查看audit log

Executable Report
====================================
# date time exe term host auid event
====================================
1. 13/02/09 15:08:26 /usr/sbin/sshd sshd 192.168.2.100 -1 12
2. 13/02/09 15:08:28 /usr/lib/gdm/gdm-session-worker :0 ? -1 13
3. 13/02/09 15:08:28 /usr/sbin/sshd ssh 192.168.2.100 -1 14
aureport -f    #生成一个文件相关event的日志报告

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 16/02/09 17:45:01 /etc/shadow 2 yes /usr/sbin/cron -1 2279
2. 16/02/09 17:45:02 /tmp/ 83 yes /bin/mktemp 0 2284
3. 16/02/09 17:45:02 /var 83 no /bin/mkdir 0 2285
aureport -u     #对于用户在系统运行命令的生成的报告

User ID Report
====================================
# date time auid term host exe event
====================================
1. 13/02/09 15:08:26 -1 sshd 192.168.2.100 /usr/sbin/sshd 12
2. 13/02/09 15:08:28 -1 :0 ? /usr/lib/gdm/gdm-session-worker 13
3. 14/02/09 08:25:39 -1 ssh 192.168.2.101 /usr/sbin/sshd 14
aureport -l -i    #用户登录事件生成的报告

Login Report
============================================
# date time auid host term exe success event
============================================
1. 13/02/09 15:08:31 tux: 192.168.2.100 sshd /usr/sbin/sshd no 19
2. 16/02/09 12:39:05 root: 192.168.2.101 sshd /usr/sbin/sshd no 2108
3. 17/02/09 15:29:07 geeko: ? tty3 /bin/login yes 7809
aureport -t   #查看audit log文件包含日志的起止时间

Log Time Range Report
=====================
/var/log/audit/audit.log: 03/02/09 14:13:38.225 - 17/02/09 15:30:01.636

三、ausearch

aureport帮助我们生成总体的日志总结, 如果我们对特定的event感兴趣,我们可以通过ausearch去过滤想要的日志。

ausearch – option -if audit.log.2

它可以指定特定的日志文件进行分析, 通过加上"-i"可以将数据格式的,转化成可读的文本格式,比如user ID 和ASCII 码形式的cmd。

ausearch -a 5207    #搜寻当期audit服务中event ID等于5207的log
----
time->Tue Feb 17 13:43:58 2009
type=PATH msg=audit(1234874638.599:5207): item=0 name="/var/log/audit/audit.log" inode=1219041 dev=08:06 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1234874638.599:5207):  cwd="/root"
ausearch -m    #按消息类型查找
ausearch -ul   #按登陆ID查找
ausearch -ua   #按uid和euid查找
ausearch -ui   #按uid查找
ausearch -ue   #按euid查找
ausearch -ga   #按gid和egid查找
ausearch -gi   #按gid查找
ausearch -ge   #按egid查找
ausearch -c    #按cmd查找
ausearch -x    #按exe查找
ausearch -sc   #按syscall查找
ausearch -p    #按pid查找
ausearch -sv   #按syscall的返回值查找(yes/no)
ausearch -f    #按文件名查找
ausearch -tm   #按连接终端查找(term/ssh/tty)
ausearch -hn   #按主机名查找
ausearch -k    #按特定的key值查找
ausearch -w    #按在audit rule设定的字符串查找

四、autrace

为了跟踪设置的rule有没有生效,我们经常会追踪指定的进程,autrace生成的log会存放在/var/log/audit/audit.log。 当用autrace去跟踪一个进程时,为了保证避免autrace与之前audit rule生成的日志冲突,使用auditctl -D去停止所有的audit log, 当autrace结束后,使用systemctl restart auditd重启audit服务。

auditctl -D

No rules

autrace /usr/bin/less

Waiting to execute: /usr/bin/less
Cleaning up...
No rules
Trace complete. You can locate the records with 'ausearch -i -p 7642'

五、日志的可视化

aureport -e -i --summary   #分类统计事件数量

Event Summary Report
======================
total  type
======================
2434  SYSCALL
816  USER_START
816  USER_ACCT
814  CRED_ACQ
810  LOGIN
806  CRED_DISP
779  USER_END
99  CONFIG_CHANGE
52  USER_LOGIN

aureport -e -i --summary  | mkbar events    #分类统计事件数量,并画出图表。

以上就是audit service到生成aduit log的所有内容,中间省略了audisp作为audit event的分发器,将事件实时分类发送到各应用程序。下一篇将列出Audit Record Type的所有列表贡查阅。

suse文档:[了解 Linux 审计][1]

转:https://www.cnblogs.com/liquan2005/p/9240734.html