auditctl (controls the kernel audit subsystem, including adding and deleting audit rules)
ausearch (searches the audit records by condition)
aureport (produces summary reports from the audit log)
# apt-get install auditd audispd-plugins
# useradd kitty
# passwd kitty
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
# ausearch -f /etc/passwd
# grep kitty /etc/passwd
kitty:x:1001:1001::/home/kitty:
Set up auditing of file opens by the specific user kitty (login UID 1001)
Note: on x86_64 a modern libc issues open(2) as openat(2), so a rule on -S open alone misses most file opens; list open,openat, and add a -k key so the events can be found with ausearch -k.
# auditctl -a exit,always -F arch=x86_64 -S open -F auid=1001
# auditctl -l
-w /etc/passwd -p wa
-a always,exit -F arch=b64 -S open -F auid=1001
Log in as kitty and run the following commands:
$ mkdir 123
$ top
# ausearch --start today --loginuid 1001 > /tmp/kitty.audit
# vi /tmp/kitty.audit
Monitoring a specific directory, /var/www/html/public (a -w watch on a directory covers the files inside it; -p wa logs writes and attribute changes)
-w /var/www/html/public/ -p wa -k WebPageChange
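The two rule sets above (the per-user open rule and the WebPageChange watch) can be generated as one persistent rules fragment and their events triaged from raw audit records. The following script is an added example and is not from the original notes or from the audit project; the function names, the rules.d path in the usage note, and the sample audit records are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original notes): build a rules.d-style fragment
# for one login UID plus a web-root watch, and triage raw audit records
# (audit.log / `ausearch --raw` lines) by auid and rule key.

# Print audit rules for login UID $1 and web root $2. Unlike the page's
# `-S open` rule this lists open,openat (modern libc opens via openat) and
# gives every rule a -k key so ausearch -k / aureport -k can find its events.
audit_rules_for_user() {
    auid="$1"; webroot="$2"
    printf '%s\n' \
        "-a always,exit -F arch=b64 -S open,openat -F auid=${auid} -k user_${auid}_open" \
        "-a always,exit -F arch=b32 -S open,openat -F auid=${auid} -k user_${auid}_open" \
        "-w ${webroot}/ -p wa -k WebPageChange"
}

# Read raw audit records on stdin; count SYSCALL records per rule key for
# login UID $1. Records matched by a rule without -k are logged as
# key=(null) and are reported as "(none)". Output: "<key> <count>", sorted.
syscall_keys_for_auid() {
    awk -v want="$1" '
        /^type=SYSCALL / {
            auid = ""; key = "(none)"
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^auid=/) auid = substr($i, 6)
                else if ($i ~ /^key="/) { key = substr($i, 6); sub(/"$/, "", key) }
            }
            if (auid == want) n[key]++
        }
        END { for (k in n) print k, n[k] }
    ' | LC_ALL=C sort
}

# Join SYSCALL records carrying key $1 with the PATH records of the same
# event (same "timestamp:serial" inside msg=audit(...)) and print the paths
# touched, one per line. Works whether SYSCALL or PATH records come first.
paths_for_key() {
    awk -v want="$1" '
        {
            if (match($0, /msg=audit\([0-9.]+:[0-9]+\)/) == 0) next
            id = substr($0, RSTART + 10, RLENGTH - 11)
        }
        /^type=SYSCALL / && index($0, "key=\"" want "\"") { hit[id] = 1 }
        /^type=PATH / {
            for (i = 1; i <= NF; i++)
                if ($i ~ /^name="/) {
                    p = $i; sub(/^name="/, "", p); sub(/"$/, "", p)
                    paths[id] = paths[id] p "\n"
                }
        }
        END { for (k in hit) if (k in paths) printf "%s", paths[k] }
    ' | LC_ALL=C sort -u
}

# Constructed sample records (not real log data): two opens by kitty (auid
# 1001) from top, one keyless open from her shell, and one edit of the web
# root by an administrator (auid 1000, uid 0) that hit the WebPageChange watch.
SAMPLE_AUDIT_LOG='type=SYSCALL msg=audit(1545456000.101:301): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffd2a1c a2=80000 a3=0 items=1 ppid=1200 pid=1234 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="top" exe="/usr/bin/top" key="user_1001_open"
type=CWD msg=audit(1545456000.101:301): cwd="/home/kitty"
type=PATH msg=audit(1545456000.101:301): item=0 name="/proc/stat" inode=4026532001 dev=00:05 mode=0100444 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1545456000.102:302): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffd2a20 a2=80000 a3=0 items=1 ppid=1200 pid=1234 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="top" exe="/usr/bin/top" key="user_1001_open"
type=PATH msg=audit(1545456000.102:302): item=0 name="/proc/meminfo" inode=4026532002 dev=00:05 mode=0100444 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1545456010.500:310): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55a1b2c0 a2=0 a3=0 items=1 ppid=1100 pid=1200 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key=(null)
type=PATH msg=audit(1545456010.500:310): item=0 name="/home/kitty/.bashrc" inode=262145 dev=08:01 mode=0100644 ouid=1001 ogid=1001 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1545456100.700:320): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c3a0 a2=241 a3=1b6 items=2 ppid=900 pid=2001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=2 comm="vi" exe="/usr/bin/vi" key="WebPageChange"
type=CWD msg=audit(1545456100.700:320): cwd="/var/www/html/public"
type=PATH msg=audit(1545456100.700:320): item=0 name="/var/www/html/public/" inode=1200 dev=08:01 mode=040755 ouid=33 ogid=33 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1545456100.700:320): item=1 name="/var/www/html/public/index.html" inode=1201 dev=08:01 mode=0100644 ouid=33 ogid=33 rdev=00:00 nametype=NORMAL'

# `sh audit_triage.sh demo` prints the rules and both reports over the sample.
if [ "${1:-}" = "demo" ]; then
    audit_rules_for_user 1001 /var/www/html/public
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | syscall_keys_for_auid 1001
    printf '%s\n' "$SAMPLE_AUDIT_LOG" | paths_for_key WebPageChange
fi
```

On a real host, write the fragment with `audit_rules_for_user 1001 /var/www/html/public > /etc/audit/rules.d/50-kitty.rules` (hypothetical file name) and load it with `augenrules --load`, then feed `ausearch --raw --start today` into the two report functions instead of the constructed sample. The "(none)" bucket is the practical reason for always setting -k: a keyless rule still fires, but its events can only be recovered by filtering on uid or syscall rather than by name.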
Under /usr/share/doc/auditd/examples there are several example rule sets for security standards and certification profiles (CAPP, LSPP, NISPOM, STIG):
capp.rules.gz
lspp.rules.gz
nispom.rules.gz
stig.rules.gz
Taking the CAPP rule set as an example:
# cp /usr/share/doc/auditd/examples/capp.rules.gz /etc/audit
# gzip -d /etc/audit/capp.rules.gz
# auditctl -R /etc/audit/capp.rules
or
# cp /etc/audit/capp.rules /etc/audit/audit.rules
  (on systems where augenrules builds audit.rules from /etc/audit/rules.d/*.rules, put the file in /etc/audit/rules.d/ instead, otherwise the next augenrules run overwrites it)
# systemctl restart auditd    restart the auditd service so the rules are loaded
# auditctl -l
-a always,exit -F arch=b32 -S stime,settimeofday,adjtimex -F key=time-change
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
-a always,exit -F arch=b32 -S clock_settime -F a0=0x0 -F key=time-change
-a always,exit -F arch=b64 -S clock_settime -F a0=0x0 -F key=time-change
-w /etc/localtime -p wa -k time-change
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
-a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale
-a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
Basic use of audit reports
# ausearch -ua 1001 -i    audit log records where the uid, euid or auid is 1001 (-i interprets numeric fields such as uid, arch and syscall into names)
# aureport --start 12/22/2018 00:00:00 --end 12/28/2018 00:00:00    summary report for a time range (the date format follows the system locale)