Thursday, 22 May 2008

Auditd configuration on Linux to track activity of users

If you are asked to track user activity on a system, i.e. to log the commands users run, you will probably first think of the native Linux auditing facility, auditd. Auditd is capable of this and more: it can also watch for changes to specific files and directories and track almost all system actions. The auditing facility can be hooked before and/or after any system call.

This example shows how to configure auditd to watch for commands issued by users. To read the log easily you can use my script audit_report.

Linux auditing is provided by the auditd daemon. The basic components of the auditd package:

configuration files:
/etc/auditd.conf - configuration file, general behavior of the program
/etc/audit.rules - audit rules, filters applied in kernel

tools:
ausearch - to query logs
aureport - to produce summary reports
auditctl - to modify audit rules interactively
autrace - to trace a process similar to strace

How does Linux auditing work?

Auditing rules can be based on task or entry (simplified):

audit task - the audit event is generated only at the time a task is created
audit entry - the event is generated upon entry to a system call

The major disadvantage of task-based auditing is its demand on system resources (CPU, I/O, filesystem space). With the task filter, audit event filtering is invoked every time a process calls fork() or clone(). The other problem is that filtering can only be done on fields already known at task creation time, such as the issuer's uid, gid, etc. Auditing based on syscall entry, if properly configured, has acceptable system resource requirements and allows tracking all of the user's actions. The syscall table can be found at:

http://docs.cs.up.ac.za/programming/asm ... calls.html or http://asm.sourceforge.net/syscall.html

User command auditing on Linux systems

The auditd rules file, which tells auditd to log every call to syscall 11 (execve) in order to track user activity, looks like this:

/etc/audit.rules

# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events
-b 256

# Audit all execve calls
-a entry,always -S execve
-a entry,never


The configuration file that controls the behavior of the auditd daemon:

/etc/auditd.conf

#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = RAW
priority_boost = 3
flush = INCREMENTAL
freq = 20
num_logs = 1
max_log_file = 80
max_log_file_action = IGNORE
space_left = 240
space_left_action = SYSLOG
admin_space_left = 160
admin_space_left_action = EMAIL
action_mail_acct = root
disk_full_action = SUSPEND
disk_error_action = SUSPEND


Explanation:
max_log_file = 80 sets the maximum log size to 80 MB, which matters when logs are rotated; because we don't rotate the logs here (max_log_file_action = IGNORE), this value is not important and auditing runs on as long as space is available on the local disk. space_left = 240 tells the system to write a warning to syslog (space_left_action = SYSLOG) when less than 240 MB of the filesystem is available for collecting audit data. When less than admin_space_left (160 MB) remains on the device, a mail warning is sent to root (admin_space_left_action = EMAIL).

After this configuration, just run:
# service auditd start

Basic search within the log files (search for my_user within a time interval):

# ausearch -ge my_user -ts 10:00:00 -te 12:49:00

time->Thu Apr 5 10:58:25 2007
type=PATH msg=audit(1175767105.483:74858): flags=101 inode=229501 dev=08:06 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1175767105.483:74858): name="/bin/rm" flags=101 inode=49200 dev=08:06 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1175767105.483:74858): cwd="/tmp"
type=EXECVE msg=audit(1175767105.483:74858): argv[0]="rm" argv[1]="-f" argv[2]="/tmp/abc.txt"
type=SYSCALL msg=audit(1175767105.483:74858): arch=40000003 syscall=11 success=yes exit=0 a0=9cbb1e8 a1=9cbacf8 a2=9cba490 a3=9cbacf8 items=2 pid=4864 auid=15382 uid=15382 gid=15382 euid=15382 suid=15382 fsuid=15382 egid=15382 sgid=15382 fsgid=15382 comm="rm" exe="/bin/rm"

Search for the command 'rm' issued by user my_user:

# ausearch -ge my_user -x rm
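The records shown above can be regrouped into one line per command; the Python script below is an added example (not the audit_report script referred to in this post) that groups records by their audit(timestamp:serial) id, decodes auditd's unquoted hex-encoded arguments, and reports commands by login uid (auid), which survives su/sudo and so attributes a command run as uid=0 back to the user who logged in. The sample log is constructed in the format shown above, not a real capture.

```python
import re
import shlex
from collections import defaultdict

# Constructed sample (not a real capture). Event 74859 has a hex-encoded argv[1]:
# auditd emits arguments containing spaces, quotes or control bytes as unquoted
# hex, and that command ran as uid=0 after su while auid still names the login user.
SAMPLE_LOG = """\
type=PATH msg=audit(1175767105.483:74858): name="/bin/rm" flags=101 inode=49200 dev=08:06 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1175767105.483:74858): cwd="/tmp"
type=EXECVE msg=audit(1175767105.483:74858): argv[0]="rm" argv[1]="-f" argv[2]="/tmp/abc.txt"
type=SYSCALL msg=audit(1175767105.483:74858): arch=40000003 syscall=11 success=yes exit=0 items=2 pid=4864 auid=15382 uid=15382 comm="rm" exe="/bin/rm"
type=CWD msg=audit(1175767110.001:74859): cwd="/home/my_user"
type=EXECVE msg=audit(1175767110.001:74859): argv[0]="touch" argv[1]=2F746D702F6120622E747874
type=SYSCALL msg=audit(1175767110.001:74859): arch=40000003 syscall=11 success=yes exit=0 items=2 pid=4870 auid=15382 uid=0 comm="touch" exe="/bin/touch"
"""

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+(?:\[\d+\])?)=("[^"]*"|\S+)')

def decode_arg(raw):
    """Quoted argv values are literal; unquoted ones are hex-encoded bytes."""
    if raw.startswith('"'):
        return raw[1:-1]
    return bytes.fromhex(raw).decode('utf-8', 'replace')

def parse_events(text):
    """Group records by their audit(timestamp:serial) id into one dict per event."""
    events = defaultdict(dict)
    for m in filter(None, map(RECORD_RE.match, text.splitlines())):
        rtype, ts, serial, body = m.groups()
        ev = events[(float(ts), int(serial))]
        fields = dict(FIELD_RE.findall(body))
        if rtype == 'EXECVE':  # argv[N] keys may arrive in any order; sort by N
            args = {int(k[5:-1]): decode_arg(v) for k, v in fields.items() if k.startswith('argv[')}
            ev['argv'] = [args[i] for i in sorted(args)]
        elif rtype == 'CWD':
            ev['cwd'] = fields['cwd'].strip('"')
        elif rtype == 'SYSCALL':  # auid = login uid, uid = uid at execve time
            ev.update(auid=int(fields['auid']), uid=int(fields['uid']), exe=fields['exe'].strip('"'))
    return [dict(ev, time=t, serial=s) for (t, s), ev in sorted(events.items())]

def report(events, auid=None):
    """One line per execve event, optionally restricted to a login uid (auid)."""
    out = []
    for ev in events:
        if 'argv' not in ev or (auid is not None and ev.get('auid') != auid):
            continue
        out.append(f"{ev['serial']} auid={ev.get('auid')} uid={ev.get('uid')} cwd={ev.get('cwd')} cmd={shlex.join(ev['argv'])}")
    return out
```

report(parse_events(SAMPLE_LOG), auid=15382) returns both commands, the second with uid=0 but still attributed to auid=15382; to process a real log, pass the contents of /var/log/audit/audit.log instead of SAMPLE_LOG.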
