Linux audit (7-1): reading the audit log


 auid=0

  The auid field records the Audit user ID, that is, the loginuid. When I log in as user lbh and then access audit_test, the recorded auid is 1001; the full log line is as follows:

type=SYSCALL msg=audit(1523513135.147:4172990525): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=1cb8550 a2=90800 a3=0 items=1 ppid=20655 
pid=24299 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts3 ses=10868 comm="ls" exe="/usr/bin/ls" key="audit_test"
This ID is assigned to a user upon login and is inherited by every process even when the user's identity changes, 
for example, by switching user accounts with the su - john command.

auid is the ID of the user who logged in; for root it is 0. As the quoted text explains, even after switching user accounts, the auid of every process event remains the ID of the originally logged-in user.

uid=1001, gid=1001, euid=1001, suid=1001, fsuid=1001, egid=1001, sgid=1001, fsgid=1001

  uid is the ID of the user that started the audited process, i.e. the user ID under which the process actually ran. The remaining fields are, in order: group ID, effective user ID, set user ID, file system user ID, effective group ID, set group ID, and file system group ID.

tty=pts0

  The terminal (tty) on which the operation was performed, e.g. which terminal the ls command was run from.

ses=10868  

  Session ID.

comm=ls

  The command that caused the audit record. Here it is ls: ls read the contents of the directory, so an audit record was written.

exe="/usr/bin/ls"

  Records the full path of the executable.


Next, let's look at the second record.

type=CWD

  The type value is CWD, i.e. current working directory. It records the working directory of the current process. Its purpose is described below; I'll leave it in English for now rather than translating it.

The purpose of this record is to record the current process's location in case a relative path winds up being captured in the associated PATH record. 
This way the absolute path can be reconstructed.

The third record

type=PATH

  In the third record, the type field value is PATH. An Audit event contains a PATH-type record for every path that is passed to the system call as an argument. In this Audit event, only one path (/etc/ssh/sshd_config) was used as an argument. My understanding is that this is the path passed as an argument.

item=0

  The item field indicates which item, of the total number of items referenced in the SYSCALL type record, the current record is. This number is zero-based; a value of 0 means it is the first item. So this path is the first argument of the command.

name=.

  When I accessed the audit_test directory, I ran ls directly inside it. The name field records the full path of the file or directory as given to the system call; when running ls directly inside the directory, name is ".", i.e. the current path. If I instead run ls /home/audit_test from the root directory, the records look like this:

type=CWD msg=audit(1523515123.152:4172990785):  cwd="/"
type=PATH msg=audit(1523515123.152:4172990785): item=0 name="/home/audit_test" inode=99213313 dev=08:11 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL

inode=99213313 

  inode is the inode number of the file or directory. The following command finds the file that corresponds to a given inode:

linux-xdYUnA:~ # find / -inum 99213313 -print
/home/audit_test

The stat command shows the inode number of a file or directory:

linux-xdYUnA:~ # stat /home/audit_test
  File: ‘/home/audit_test’
  Size: 4096            Blocks: 8          IO Block: 4096   directory
Device: 811h/2065d      Inode: 99213313    Links: 2
Access: (0755/drwxr-xr-x)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2018-04-11 17:09:36.690392929 +0800
Modify: 2018-04-11 17:04:30.360408595 +0800
Change: 2018-04-11 17:09:12.849394149 +0800
 Birth: -

dev=08:11

  The dev field gives the major and minor IDs of the device holding the file.

mode=040755

  The mode field gives the permissions of the file or directory.

ouid=0

  The object owner's user ID. When I change the owner of the audit_test directory to user lbh, the record shows ouid=1001:

type=PATH msg=audit(1523516175.932:4172990921): item=0 name="." inode=99213313 dev=08:11 mode=040755 ouid=1001 ogid=0 rdev=00:00 objtype=NORMAL

ogid=0

  The object owner's group ID.

rdev=00:00

  The rdev field contains a recorded device identifier for special files only. In this case, it is not used as the recorded file is a regular file.

objtype=NORMAL

  The objtype field records the intent of each path record's operation in the context of a given syscall.
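To tie the fields above together (auid versus uid, CWD plus PATH, inode, mode and ouid/ogid), here is an added Python example that is not part of the original post: it parses raw audit lines into key=value fields, groups SYSCALL/CWD/PATH records by their event serial (the number after the colon in msg=audit(ts:serial)), rebuilds the absolute path from cwd and name exactly as the CWD record's purpose statement describes, decodes mode=040755 into a file type and rwx string, and flags events whose auid differs from uid (the su case explained above). The sample log is constructed from the records on this page; the CWD record for the first event and the SYSCALL record for the second event are not shown on the page and are invented here for illustration.

```python
import re
import stat
from collections import defaultdict
from pathlib import PurePosixPath

# Constructed sample input: the records discussed on this page, with one extra
# CWD line (event ...0525) and one extra SYSCALL line (event ...0785) made up so
# that both a relative name="." and an absolute name are exercised.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1523513135.147:4172990525): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=1cb8550 a2=90800 a3=0 items=1 ppid=20655 pid=24299 auid=1001 uid=1001 gid=1001 euid=1001 suid=1001 fsuid=1001 egid=1001 sgid=1001 fsgid=1001 tty=pts3 ses=10868 comm="ls" exe="/usr/bin/ls" key="audit_test"
type=CWD msg=audit(1523513135.147:4172990525):  cwd="/home/audit_test"
type=PATH msg=audit(1523513135.147:4172990525): item=0 name="." inode=99213313 dev=08:11 mode=040755 ouid=1001 ogid=0 rdev=00:00 objtype=NORMAL
type=SYSCALL msg=audit(1523515123.152:4172990785): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=1cb8550 a2=90800 a3=0 items=1 ppid=20655 pid=24300 auid=1001 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=10868 comm="ls" exe="/usr/bin/ls" key="audit_test"
type=CWD msg=audit(1523515123.152:4172990785):  cwd="/"
type=PATH msg=audit(1523515123.152:4172990785): item=0 name="/home/audit_test" inode=99213313 dev=08:11 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
"""

AUID_UNSET = 4294967295  # (unsigned)-1: process has no login uid, e.g. a daemon

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\):")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # quoted values may contain spaces


def parse_record(line):
    """Split one audit line into a dict of fields plus _ts and _serial."""
    m = MSG_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line) if k != "msg"}
    fields["_ts"] = float(m.group(1))
    fields["_serial"] = int(m.group(2))
    return fields


def group_events(text):
    """Collect the SYSCALL, CWD and PATH records that share one event serial."""
    events = defaultdict(lambda: {"syscall": None, "cwd": None, "paths": []})
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events[rec["_serial"]]
        if rec["type"] == "SYSCALL":
            ev["syscall"] = rec
        elif rec["type"] == "CWD":
            ev["cwd"] = rec["cwd"]
        elif rec["type"] == "PATH":
            ev["paths"].append(rec)
    return dict(events)


def absolute_path(cwd, name):
    """Rebuild the absolute path: PATH name is relative to the CWD record.
    PurePosixPath drops a bare '.' but keeps '..' literally, which is what we
    want: the audit record shows what the syscall was given, not a resolved path."""
    p = PurePosixPath(name)
    return str(p) if p.is_absolute() else str(PurePosixPath(cwd) / p)


def decode_mode(mode_str):
    """mode=040755 is octal: file type bits plus permission bits."""
    mode = int(mode_str, 8)
    if stat.S_ISDIR(mode):
        ftype = "directory"
    elif stat.S_ISREG(mode):
        ftype = "regular file"
    else:
        ftype = "other"
    return ftype, stat.filemode(mode)  # e.g. ('directory', 'drwxr-xr-x')


def summarize(ev):
    sc = ev["syscall"]
    auid, uid = int(sc["auid"]), int(sc["uid"])
    out = {
        "serial": sc["_serial"], "auid": auid, "uid": uid,
        "comm": sc["comm"], "exe": sc["exe"], "key": sc.get("key"),
        # auid is inherited across su; a mismatch means the login user is now
        # acting under another account (ignored when auid was never set).
        "privilege_switch": auid != AUID_UNSET and auid != uid,
        "paths": [],
    }
    for p in sorted(ev["paths"], key=lambda r: int(r["item"])):
        ftype, perms = decode_mode(p["mode"])
        out["paths"].append({
            "item": int(p["item"]),
            "path": absolute_path(ev["cwd"], p["name"]),
            "inode": int(p["inode"]), "dev": p["dev"],
            "owner": (int(p["ouid"]), int(p["ogid"])),
            "type": ftype, "perms": perms, "objtype": p["objtype"],
        })
    return out


def summarize_log(text):
    return [summarize(ev) for _, ev in sorted(group_events(text).items())]


if __name__ == "__main__":
    for ev in summarize_log(SAMPLE_LOG):
        print(ev)
```

Running the block prints one summary per event; for the first event the relative name "." combines with cwd="/home/audit_test" to give the same absolute path that the second event records directly, and the second event is flagged because auid=1001 ran ls as uid=0.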
