Linux audit log分析工具---aureport、ausearch、autrace
一、概述
上一篇(理解Linux Audit Service.)我们主要解析了audit服务的结构,audit服务的配置以及如何阅读audit log各项所代表的意思。这一篇我们主要介绍如何利用audit提供的三个工具aureport、ausearch、autrace有针对性地去统计分析以及跟踪log日志。
二、aureport
RAW类型的audit log会存放在/var/log/audit目录下,这些log体量大而且比较难懂,用aureport可以轻易的统计量化日志报告:
aureport -if myfile #aureport 没带任何参数,仅用-if指定一个audit log文件, 统计出它的总体的log报告, 如何不指定文件,显示当前audit的统计。 Summary Report ====================== Range of time in logs: 03/02/09 14:13:38.225 - 17/02/09 14:52:27.971 Selected time for report: 03/02/09 14:13:38 - 17/02/09 14:52:27.971 Number of changes in configuration: 13 Number of changes to accounts, groups, or roles: 0 Number of logins: 6 Number of failed logins: 13 Number of authentications: 7 Number of failed authentications: 573 Number of users: 1 Number of terminals: 9 Number of host names: 4 Number of executables: 17 Number of files: 279 Number of AVC‘s: 0 Number of MAC events: 0 Number of failed syscalls: 994 Number of anomaly events: 0 Number of responses to anomaly events: 0 Number of crypto events: 0 Number of keys: 2 Number of process IDs: 1211 Number of events: 5320
aureport -l
aureport -l -ts 14:00 -te 15:00 -if myfile #对于myfile的log文件,统计出从14:00到15:00的用户登录信息。 Login Report ============================================ # date time auid host term exe success event ============================================ 1. 17/02/09 14:21:09 root: 192.168.2.100 sshd /usr/sbin/sshd no 7718 2. 17/02/09 14:21:15 0 jupiter /dev/pts/3 /usr/sbin/sshd yes 7724
aureport --failed/success
aureport --failed #针对失败的event的统计,如果统计成功的用aureport --success Failed Summary Report ====================== Range of time in logs: 03/02/09 14:13:38.225 - 17/02/09 14:57:35.183 Selected time for report: 03/02/09 14:13:38 - 17/02/09 14:57:35.183 Number of changes in configuration: 0 Number of changes to accounts, groups, or roles: 0 Number of logins: 0 Number of failed logins: 13 Number of authentications: 0 Number of failed authentications: 574 Number of users: 1 Number of terminals: 5 Number of host names: 4 Number of executables: 11 Number of files: 77 Number of AVC‘s: 0 Number of MAC events: 0 Number of failed syscalls: 994 Number of anomaly events: 0 Number of responses to anomaly events: 0 Number of crypto events: 0 Number of keys: 2 Number of process IDs: 708 Number of events: 1583
aureport -u -i --summary #对用户的event进行总体统计 User Summary Report =========================== total auid =========================== 5640 root 13 tux 3 wilber
aureport -e -ts 14:00 -te 14:21 #从14:00到14:21的event事件列表。 Event Report =================================== # date time event type auid success =================================== 1. 17/02/09 14:20:27 7462 DAEMON_START 0 yes 2. 17/02/09 14:20:27 7715 CONFIG_CHANGE 0 yes 3. 17/02/09 14:20:57 7716 USER_END 0 yes 4. 17/02/09 14:20:57 7717 CRED_DISP 0 yes 5. 17/02/09 14:21:09 7718 USER_LOGIN -1 no 6. 17/02/09 14:21:15 7719 USER_AUTH -1 yes 7. 17/02/09 14:21:15 7720 USER_ACCT -1 yes 8. 17/02/09 14:21:15 7721 CRED_ACQ -1 yes 9. 17/02/09 14:21:15 7722 LOGIN 0 yes 10. 17/02/09 14:21:15 7723 USER_START 0 yes 11. 17/02/09 14:21:15 7724 USER_LOGIN 0 yes 12. 17/02/09 14:21:15 7725 CRED_REFR 0 yes
aureport -p #对于进程所有event的信息 Process ID Report ====================================== # date time pid exe syscall auid event ====================================== 1. 13/02/09 15:30:01 32742 /usr/sbin/cron 0 0 35 2. 13/02/09 15:30:01 32742 /usr/sbin/cron 0 0 36 3. 13/02/09 15:38:34 32734 /usr/lib/gdm/gdm-session-worker 0 -1 37
aureport -s #system call的报告 Syscall Report ======================================= # date time syscall pid comm auid event ======================================= 1. 16/02/09 17:45:01 2 20343 cron -1 2279 2. 16/02/09 17:45:02 83 20350 mktemp 0 2284 3. 16/02/09 17:45:02 83 20351 mkdir 0 2285
aureport -x #从可执行的角度去查看audit log Executable Report ==================================== # date time exe term host auid event ==================================== 1. 13/02/09 15:08:26 /usr/sbin/sshd sshd 192.168.2.100 -1 12 2. 13/02/09 15:08:28 /usr/lib/gdm/gdm-session-worker :0 ? -1 13 3. 13/02/09 15:08:28 /usr/sbin/sshd ssh 192.168.2.100 -1 14
aureport -f #生成一个文件相关event的日志报告 File Report =============================================== # date time file syscall success exe auid event =============================================== 1. 16/02/09 17:45:01 /etc/shadow 2 yes /usr/sbin/cron -1 2279 2. 16/02/09 17:45:02 /tmp/ 83 yes /bin/mktemp 0 2284 3. 16/02/09 17:45:02 /var 83 no /bin/mkdir 0 2285
aureport -u #对于用户在系统运行命令的生成的报告 User ID Report ==================================== # date time auid term host exe event ==================================== 1. 13/02/09 15:08:26 -1 sshd 192.168.2.100 /usr/sbin/sshd 12 2. 13/02/09 15:08:28 -1 :0 ? /usr/lib/gdm/gdm-session-worker 13 3. 14/02/09 08:25:39 -1 ssh 192.168.2.101 /usr/sbin/sshd 14
aureport -l -i #用户登录事件生成的报告 Login Report ============================================ # date time auid host term exe success event ============================================ 1. 13/02/09 15:08:31 tux: 192.168.2.100 sshd /usr/sbin/sshd no 19 2. 16/02/09 12:39:05 root: 192.168.2.101 sshd /usr/sbin/sshd no 2108 3. 17/02/09 15:29:07 geeko: ? tty3 /bin/login yes 7809
aureport -t #查看audit log文件包含日志的起止时间
Log Time Range Report
=====================
/var/log/audit/audit.log: 03/02/09 14:13:38.225 - 17/02/09 15:30:01.636
三、ausearch
aureport帮助我们生成总体的日志总结, 如果我们对特定的event感兴趣,我们可以通过ausearch去过滤想要的日志。
ausearch - option -if myfile
它可以指定特定的日志文件进行分析, 通过加上"-i"可以将数据格式的,转化成可读的文本格式,比如user ID 和ASCII 码形式的cmd。
ausearch -a 5207 #搜寻当期audit服务中event ID等于5207的log ---- time->Tue Feb 17 13:43:58 2009 type=PATH msg=audit(1234874638.599:5207): item=0 name="/var/log/audit/audit.log" inode=1219041 dev=08:06 mode=0100644 ouid=0 ogid=0 rdev=00:00 type=CWD msg=audit(1234874638.599:5207): cwd="/root"
ausearch -m #按消息类型查找 ausearch -ul #按登陆ID查找 ausearch -ua #按uid和euid查找 ausearch -ui #按uid查找 ausearch -ue #按euid查找 ausearch -ga #按gid和egid查找 ausearch -gi #按gid查找 ausearch -ge #按egid查找 ausearch -c #按cmd查找 ausearch -x #按exe查找 ausearch -sc #按syscall查找 ausearch -p #按pid查找 ausearch -sv #按syscall的返回值查找(yes/no) ausearch -f #按文件名查找 ausearch -tm #按连接终端查找(term/ssh/tty) ausearch -hn #按主机名查找 ausearch -k #按特定的key值查找 ausearch -w #按在audit rule设定的字符串查找
四、autrace
为了跟踪设置的rule有没有生效,我们经常会追踪指定的进程,autrace生成的log会存放在/var/log/audit/audit.log。 当用autrace去跟踪一个进程时,为了保证避免autrace与之前audit rule生成的日志冲突,使用auditctl -D去停止所有的audit log, 当autrace结束后,使用systemctl restart auditd重启audit服务。
auditctl -D No rules autrace /usr/bin/less Waiting to execute: /usr/bin/less Cleaning up... No rules Trace complete. You can locate the records with ‘ausearch -i -p 7642‘
五、日志的可视化
aureport -e -i --summary #分类统计事件数量 Event Summary Report ====================== total type ====================== 2434 SYSCALL 816 USER_START 816 USER_ACCT 814 CRED_ACQ 810 LOGIN 806 CRED_DISP 779 USER_END 99 CONFIG_CHANGE 52 USER_LOGIN aureport -e -i --summary | mkbar events #分类统计事件数量,并画出图表。
以上就是audit service到生成aduit log的所有内容,中间省略了audisp作为audit event的分发器,将事件实时分类发送到各应用程序。下一篇将列出Audit Record Type的所有列表贡查阅。