Linux audit ships with a facility for recording every command typed in a session (pam_tty_audit.so; this shared object presumably contains the corresponding functions, and you can use nm to view a shared object's symbol table).
Using it is this simple:

vim /etc/pam.d/password-auth-ac

Add the following line:

session required pam_tty_audit.so enable=*

Then restart auditd:

service auditd restart

Note: you cannot use systemctl restart auditd; it reports an error:

Failed to issue method call: Unit audited.service failed to load: No such file or directory

Then exit the current session; when you reconnect, the feature will be in effect.
Type a few commands, then use aureport to view the command history:
Here are some other audit system commands as well:
One of the simplest rules to add is a watch rule, which can be set on files and directories. In the example below we are watching the /etc/passwd file for permission changes (writes and attribute changes specifically). We are creating a custom key to use for organizational purposes.
-p wa means watch writes (w) and attribute changes (a); we can also use read (r) and execute (x).
-k edit_watch: this is an arbitrary string that we can search on later.

auditctl -w /etc/passwd -p wa -k edit_watch

ausearch -i -k edit_watch
Delete the edit_watch rule:

auditctl -D -k edit_watch

auditctl -W /etc/passwd (-W: I do not fully understand what this parameter means)

Here is a cool one: let's audit all binary executions under /usr/bin.

auditctl -w /usr/bin -p x

Using the -l option you can list your current audit rules, and using the -s option you can see the current status of the auditd subsystem:
[root@22062 ~]# auditctl -l
-w /usr/bin/ -p x
[root@22062 ~]# auditctl -s
enabled 1
flag 1
pid 32196
rate_limit 0
backlog_limit 320
lost 0
backlog 0
loginuid_immutable 0 unlocked
Want to get down and dirty with audit rules? You can check out the audit rules man page; the commands below search all the audit-related documentation:

apropos audit

man -k audit

Check out all the audit logs:
View audit logs in raw format:
Search by event id:
Display a report:

aureport

ausearch --start today --raw | aureport
You can even trace a program's system calls:

[root@22062 ~]# autrace /usr/bin/nslookup python.org
autrace cannot be run with rules loaded.
Please delete all rules using 'auditctl -D' if you really wanted to
run this command.
[root@22062 ~]# auditctl -D
No rules
[root@22062 ~]# autrace /usr/bin/nslookup python.org
Waiting to execute: /usr/bin/nslookup
Server: x.x.x.x
Address: x.x.x.x

Non-authoritative answer:
Name: python.org
Address: 104.130.43.121

Cleaning up...
Trace complete. You can locate the records with 'ausearch -i -p 9365'
END
References:
https://www.suse.com/documentation/sles11/singlehtml/audit_quickstart/audit_quickstart.html (SUSE audit quick start)