Problem description
How do I monitor changes made to the file system on an ECS Linux instance?
Problem analysis
The Linux audit subsystem is a security auditing facility that collects and records events generated by the system, the kernel and user processes. Its file-system watch rules can be used to monitor reads, writes, executions and attribute changes on files and directories.
Solution
1. Check whether the audit package is installed:
[root@i-ijuv2jn1i3h5w5ckuiij ~]# yum list installed | grep audit
Failed to set locale, defaulting to C.UTF-8
audit.x86_64 3.0-0.17.20191104git1c2f876.el8 @anaconda
audit-libs.x86_64 3.0-0.17.20191104g
If it is not installed, install it:
RHEL and CentOS:
# sudo yum install audit
SUSE Linux:
# sudo zypper install audit
Ubuntu:
# sudo apt install auditd
2. Check the status of the auditd service (note the ExecStartPost line: this unit loads rules through augenrules):
[root@i-ijuv2jn1i3h5w5ckuiij ~]# systemctl status auditd
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2021-09-03 13:48:06 CST; 13min ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
Process: 683 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
Process: 676 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
Main PID: 679 (auditd)
Tasks: 2 (limit: 49472)
Memory: 5.3M
CGroup: /system.slice/auditd.service
└─679 /sbin/auditd
Sep 03 13:48:06 localhost.localdomain augenrules[683]: backlog_wait_time 60000
Sep 03 13:48:06 localhost.localdomain augenrules[683]: enabled 1
Sep 03 13:48:06 localhost.localdomain augenrules[683]: failure 1
Sep 03 13:48:06 localhost.localdomain augenrules[683]: pid 679
Sep 03 13:48:06 localhost.localdomain augenrules[683]: rate_limit 0
Sep 03 13:48:06 localhost.localdomain augenrules[683]: backlog_limit 8192
Sep 03 13:48:06 localhost.localdomain augenrules[683]: lost 0
Sep 03 13:48:06 localhost.localdomain augenrules[683]: backlog 0
Sep 03 13:48:06 localhost.localdomain augenrules[683]: backlog_wait_time 60000
Sep 03 13:48:06 localhost.localdomain systemd[1]: Started Security Auditing Service.
3. Use the auditctl command to create rules for the Linux audit system. A file-system watch rule has the following syntax:
auditctl -w path -p permission -k key_name
- path is the file or directory to audit
- permission is any combination of r (read), w (write), x (execute) and a (change of the file's or directory's attributes); if -p is omitted the rule defaults to rwxa
- key_name is optional and makes it easy to identify which rule produced a given log entry
The following watches all activity on /root/test (the rule created without -p is shown as -p rwxa when listed):
[root@i-ijuv2jn1i3h5w5ckuiij test]# auditctl -w /root/test -k test_changes
List the rules:
[root@i-ijuv2jn1i3h5w5ckuiij test]# auditctl -l
-w /root/test -p rwxa -k test_changes
Now perform some test operations in the watched directory:
[root@i-ijuv2jn1i3h5w5ckuiij test]# mkdir dir1;touch file1;touch file2;mv file1 file3;rm -f file2;chmod 600 file3;rmdir dir1;rm -f file3
4. Use ausearch -k test_changes to view the audit log. ausearch returns every event tagged with the key; only the record for the mkdir command from the test above is shown here:
[root@i-ijuv2jn1i3h5w5ckuiij test]# ausearch -k test_changes
----
time->Fri Sep 3 14:23:25 2021
type=PROCTITLE msg=audit(1630650205.098:418): proctitle=6D6B6469720064697231
type=PATH msg=audit(1630650205.098:418): item=1 name="dir1" inode=524332 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=CREATE cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(1630650205.098:418): item=0 name="/root/test" inode=524331 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1630650205.098:418): cwd="/root/test"
type=SYSCALL msg=audit(1630650205.098:418): arch=c000003e syscall=83 success=yes exit=0 a0=7fff4a8935eb a1=1ff a2=0 a3=0 items=2 ppid=1560 pid=1696 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="mkdir" exe="/usr/bin/mkdir" key="test_changes"
----
The result above is the raw audit log: each operation produces a multi-line record with a great deal of detail. The PROCTITLE line is the command line hex-encoded with NUL separators (6D6B6469720064697231 is "mkdir dir1"), and syscall=83 is mkdir on arch=c000003e (x86_64). Use aureport to produce a condensed file report that still lists every operation (ausearch --raw emits unformatted records that aureport can parse directly). In the report that follows, row 1 is the auditctl call that added the rule, which is itself recorded under the key; rows 2-7 are an earlier trial run in which the renameat2 and unlinkat calls failed and were logged regardless (success=no); rows 8-15 correspond one-to-one with the eight commands in step 3:
[root@i-ijuv2jn1i3h5w5ckuiij test]# ausearch -k test_changes | aureport -f -i
File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 09/03/21 14:22:09 /root/test sendto yes /usr/sbin/auditctl root 417
2. 09/03/21 14:23:25 dir1 mkdir yes /usr/bin/mkdir root 418
3. 09/03/21 14:23:25 file2 openat yes /usr/bin/touch root 419
4. 09/03/21 14:23:25 /root/test renameat2 no /usr/bin/mv root 420
5. 09/03/21 14:23:25 file2 unlinkat yes /usr/bin/rm root 421
6. 09/03/21 14:23:25 dir1 rmdir yes /usr/bin/rmdir root 422
7. 09/03/21 14:23:25 /root/test unlinkat no /usr/bin/rm root 423
8. 09/03/21 14:23:35 dir1 mkdir yes /usr/bin/mkdir root 424
9. 09/03/21 14:23:35 file1 openat yes /usr/bin/touch root 425
10. 09/03/21 14:23:35 file2 openat yes /usr/bin/touch root 426
11. 09/03/21 14:23:35 file3 renameat2 yes /usr/bin/mv root 427
12. 09/03/21 14:23:35 file2 unlinkat yes /usr/bin/rm root 428
13. 09/03/21 14:23:35 file3 fchmodat yes /usr/bin/chmod root 429
14. 09/03/21 14:23:35 dir1 rmdir yes /usr/bin/rmdir root 430
15. 09/03/21 14:23:35 file3 unlinkat yes /usr/bin/rm root 431
5. Commonly used watch rules
[root@web100 ~]# auditctl -w /etc/passwd -p wa -k passwd_change    # log every write to and attribute change on /etc/passwd
[root@web100 ~]# auditctl -w /etc/selinux/ -p wa -k selinux_change # watch the /etc/selinux directory for writes and attribute changes
[root@web100 ~]# auditctl -w /usr/sbin/fdisk -p x -k disk_partition # log every execution of fdisk
6. Rules added with auditctl are lost at reboot. To make them persistent, put them, in the same syntax, in a file under /etc/audit/rules.d/ (for example /etc/audit/rules.d/fs-monitor.rules); augenrules --load, which this auditd unit runs at start-up (see the ExecStartPost line in the status output above), merges these files into /etc/audit/audit.rules. On older systems without augenrules, edit /etc/audit/audit.rules directly. See [1]:
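A complete version of steps 3 to 6 as an added shell example (this is not code from the original article): it renders watch rules in the auditctl syntax, installs them as a persistent file under /etc/audit/rules.d/ so that augenrules --load picks them up, and decodes raw ausearch records (including the hex proctitle field seen in step 4) into one line per event, which is handy when aureport is not available. The file name fs-monitor.rules and the 420 record in the sample input are illustrative constructions; the 418 record is copied from the ausearch output above.

```shell
#!/bin/sh
# Added example (not part of the original article): render a persistent
# file-system watch rule set, install it the way this auditd unit expects
# (augenrules merging /etc/audit/rules.d/*.rules), and summarise raw audit
# records offline so `ausearch --raw` output can be read without aureport.
set -eu

# Turn "path:perms:key" specs into auditctl watch lines, e.g.
# render_fs_rules /etc/passwd:wa:passwd_change -> "-w /etc/passwd -p wa -k passwd_change"
render_fs_rules() {
  for spec in "$@"; do
    path=${spec%%:*}
    rest=${spec#*:}
    perms=${rest%%:*}
    key=${rest#*:}
    printf '%s %s -p %s -k %s\n' -w "$path" "$perms" "$key"
  done
}

# Write the rules under /etc/audit/rules.d/ (the file name is an illustrative
# choice) and load them. Only acts when run as root on a host with auditd.
install_fs_rules() { # install_fs_rules <name> <spec>...
  name=$1
  shift
  if [ "$(id -u)" -ne 0 ]; then
    echo "not root: would write /etc/audit/rules.d/$name.rules" >&2
    return 0
  fi
  render_fs_rules "$@" > "/etc/audit/rules.d/$name.rules"
  augenrules --load   # merges rules.d/*.rules into /etc/audit/audit.rules
  auditctl -l         # confirm the watches are active
}

# Read raw audit records on stdin and print one line per event serial:
#   <serial> <success> <exe> <key> <decoded command line>
# proctitle is hex-encoded argv with NUL separators: 6D6B6469720064697231 -> "mkdir dir1"
summarize_events() {
  awk '
    function hexbyte(h,  i, n) {
      n = 0
      for (i = 1; i <= 2; i++)
        n = n * 16 + index("0123456789ABCDEF", toupper(substr(h, i, 1))) - 1
      return n
    }
    function decode(hex,  i, b, out) {
      out = ""
      for (i = 1; i <= length(hex); i += 2) {
        b = hexbyte(substr(hex, i, 2))
        out = out (b == 0 ? " " : sprintf("%c", b))
      }
      return out
    }
    function field(name, line,  v) {          # value of " name=..." without quotes
      if (match(line, " " name "=[^ ]*") == 0) return "?"
      v = substr(line, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
      gsub(/"/, "", v)
      return v
    }
    /^type=/ {
      serial = $2                              # msg=audit(<time>:<serial>):
      sub(/^msg=audit\([0-9.]*:/, "", serial)
      sub(/\).*/, "", serial)
      if (!(serial in seen)) { seen[serial] = 1; order[++n] = serial }
      if ($1 == "type=SYSCALL") {
        success[serial] = field("success", $0)
        exe[serial] = field("exe", $0)
        key[serial] = field("key", $0)
      } else if ($1 == "type=PROCTITLE") {
        v = field("proctitle", $0)
        # a quoted proctitle (single argument, no NUL) is already plain text
        title[serial] = ($0 ~ / proctitle="/) ? v : decode(v)
      }
    }
    END {
      for (i = 1; i <= n; i++) {
        s = order[i]
        printf "%s %s %s %s %s\n", s,
          (s in success ? success[s] : "?"), (s in exe ? exe[s] : "?"),
          (s in key ? key[s] : "?"), (s in title ? title[s] : "?")
      }
    }'
}

# Constructed sample input: the 418 lines are the mkdir event from the
# article's ausearch output (PATH lines omitted); the 420 lines are made up
# here to show how a failed call (mv of a missing file, exit=-2) is reported.
SAMPLE_RECORDS='type=PROCTITLE msg=audit(1630650205.098:418): proctitle=6D6B6469720064697231
type=CWD msg=audit(1630650205.098:418): cwd="/root/test"
type=SYSCALL msg=audit(1630650205.098:418): arch=c000003e syscall=83 success=yes exit=0 a0=7fff4a8935eb a1=1ff a2=0 a3=0 items=2 ppid=1560 pid=1696 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="mkdir" exe="/usr/bin/mkdir" key="test_changes"
type=PROCTITLE msg=audit(1630650205.100:420): proctitle=6D760066696C65310066696C6533
type=SYSCALL msg=audit(1630650205.100:420): arch=c000003e syscall=316 success=no exit=-2 a0=ffffff9c a1=0 a2=ffffff9c a3=0 items=1 ppid=1560 pid=1699 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=3 comm="mv" exe="/usr/bin/mv" key="test_changes"'

demo_summary() {
  printf '%s\n' "$SAMPLE_RECORDS" | summarize_events
}

# On a real host (as root):
#   install_fs_rules fs-monitor /root/test:rwxa:test_changes /etc/passwd:wa:passwd_change
#   ausearch -k test_changes --raw | summarize_events
demo_summary
```

Running the script offline prints two summary lines, one per event serial; on a host with auditd, pipe `ausearch -k <key> --raw` into summarize_events to get the same condensed view of live records.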
References
[1] 7.5.2. Defining Persistent Audit Rules and Controls in the /etc/audit/audit.rules File Red Hat Enter