Category: LINUX

2015-09-24 11:21:41

Linux audit ships with a feature for recording every command typed in a session (pam_tty_audit.so; the relevant functions presumably live in this shared object, whose symbol table can be inspected with nm).
Using it is this simple:

    vim /etc/pam.d/password-auth-ac
    (add the following line)
    session required pam_tty_audit.so enable=*

Then restart auditd.

    service auditd restart

Note: systemctl restart auditd cannot be used; it reports:

    Failed to issue method call: Unit audited.service failed to load: No such file or directory

Then exit the current session; when you reconnect, the feature takes effect.
Type a few arbitrary commands, then use aureport to view the command history:

    aureport --tty -ts today

Also attached are some commands for the audit system:
One of the simplest rules to add is a watch rule, which can be set on files and directories. In the example below we watch the /etc/passwd file for permission changes (writes and attribute changes specifically) and attach a custom key for organizational purposes.
-p wa means watch writes (w) and attribute changes (a); read (r) and execute (x) are also available.
-k edit_watch is an arbitrary string; later we can search on it.

    auditctl -w /etc/passwd -p wa -k edit_watch
    ausearch -i -k edit_watch
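As an added example (not code from the original post), the Python below groups raw /var/log/audit/audit.log records into events by their audit(timestamp:serial) stamp, which is what ausearch -a keys on, and then picks out the events whose SYSCALL record carries the key set with -k, which is what ausearch -k does. The log lines are constructed samples shaped like the records a write to /etc/passwd under the edit_watch rule produces; real records carry more fields.

```python
import re
from collections import defaultdict

# Constructed sample audit.log: event 282 comes from the edit_watch rule
# (vim writing /etc/passwd); event 283 is an unrelated execve with no key.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1443063600.101:282): arch=c000003e syscall=2 success=yes exit=3 items=2 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 euid=0 tty=pts0 comm="vim" exe="/usr/bin/vim" key="edit_watch"
type=CWD msg=audit(1443063600.101:282):  cwd="/root"
type=PATH msg=audit(1443063600.101:282): item=0 name="/etc/" inode=1 dev=fd:00 mode=040755 ouid=0 ogid=0 nametype=PARENT
type=PATH msg=audit(1443063600.101:282): item=1 name="/etc/passwd" inode=2 dev=fd:00 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=SYSCALL msg=audit(1443063601.555:283): arch=c000003e syscall=59 success=yes exit=0 items=1 ppid=1200 pid=1235 auid=1000 uid=0 gid=0 euid=0 tty=pts0 comm="ls" exe="/usr/bin/ls" key=(null)
type=PATH msg=audit(1443063601.555:283): item=0 name="/usr/bin/ls" inode=3 dev=fd:00 mode=0100755 ouid=0 ogid=0 nametype=NORMAL
"""

# Every record opens with type=... msg=audit(<epoch.msec>:<serial>):
MSG_RE = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
# Field values are either "quoted" or bare (e.g. key=(null), dev=fd:00).
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')

def parse_fields(rest):
    """Turn the key=value tail of a record into a dict, unquoting values."""
    fields = {}
    for m in FIELD_RE.finditer(rest):
        fields[m.group(1)] = m.group(3) if m.group(3) is not None else m.group(2)
    return fields

def group_events(log_text):
    """Return {serial: [(type, fields), ...]}; all records of one event share the
    audit(timestamp:serial) stamp, which is what `ausearch -a <serial>` keys on."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = MSG_RE.match(line)
        if not m:
            continue  # not an audit record
        rtype, _ts, serial, rest = m.groups()
        events[int(serial)].append((rtype, parse_fields(rest)))
    return events

def events_with_key(log_text, key):
    """Summarize events whose SYSCALL record carries key=<key> (what `ausearch -k` finds):
    who (auid), which program (exe) and which files (PATH records of nametype NORMAL)."""
    hits = []
    for serial, records in sorted(group_events(log_text).items()):
        syscall = next((f for t, f in records if t == 'SYSCALL'), None)
        if syscall is None or syscall.get('key') != key:
            continue
        paths = [f['name'] for t, f in records if t == 'PATH' and f.get('nametype') == 'NORMAL']
        hits.append({'serial': serial, 'auid': syscall.get('auid'), 'exe': syscall.get('exe'), 'paths': paths})
    return hits
```

Calling events_with_key(SAMPLE_LOG, 'edit_watch') yields the single event 282, attributing the /etc/passwd write to login uid 1000 via /usr/bin/vim, while the keyless ls execution is ignored.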
Delete the edit_watch rule. 

    auditctl -D -k edit_watch
    auditctl -W /etc/passwd                (-W: I do not fully get what this parameter means)

Here is a cool one: let's audit all binary executions under /usr/bin.

    auditctl -w /usr/bin -p x

Using the -l option you can list your current audit rules, and using the -s option you can see the current status of the auditd subsystem.

    [root@22062 ~]# auditctl -l
    -w /usr/bin/ -p x
    [root@22062 ~]# auditctl -s
    enabled 1
    flag 1
    pid 32196
    rate_limit 0
    backlog_limit 320
    lost 0
    backlog 0
    loginuid_immutable 0 unlocked

Want to get down and dirty with audit rules? You can check out the audit rules man page by running the command below.

    man audit.rules

Search all the audit-related documentation:

    apropos audit
    man -k audit

Check out all the audit logs:

    ausearch -l

View audit logs in raw format:

    ausearch --raw

Search by event id:

    ausearch -a 282

Display a report:

    aureport
    ausearch --start today --raw | aureport

You can even trace a program's system calls:

    [root@22062 ~]# autrace /usr/bin/nslookup python.org
    autrace cannot be run with rules loaded.
    Please delete all rules using 'auditctl -D' if you really wanted to
    run this command.
    [root@22062 ~]# auditctl -D
    No rules
    [root@22062 ~]# autrace /usr/bin/nslookup python.org
    Waiting to execute: /usr/bin/nslookup
    Server:        x.x.x.x
    Address:    x.x.x.x

    Non-authoritative answer:
    Name:    python.org
    Address: 104.130.43.121

    Cleaning up...
    Trace complete. You can locate the records with 'ausearch -i -p 9365'
END
References:
https://www.suse.com/documentation/sles11/singlehtml/audit_quickstart/audit_quickstart.html (SUSE audit quick start)