Linux audit log analysis tools: aureport, ausearch, autrace


1. Overview

    In the previous article (Understanding the Linux Audit Service) we looked at the structure of the audit service, how it is configured, and how to read the meaning of each field in an audit log record. This article shows how to use the three tools that ship with audit, aureport, ausearch and autrace, to produce targeted statistics, to filter records, and to trace a process.

2. aureport

    Raw audit logs are stored under /var/log/audit. They are large and not easy to read; aureport turns them into quantified summary reports with little effort:

aureport -if myfile           #aureport with no other options; -if names the audit log file to summarize as a whole. Without -if it reports on the current audit log.

Summary Report
======================
Range of time in logs: 03/02/09 14:13:38.225 - 17/02/09 14:52:27.971
Selected time for report: 03/02/09 14:13:38 - 17/02/09 14:52:27.971
Number of changes in configuration: 13
Number of changes to accounts, groups, or roles: 0
Number of logins: 6
Number of failed logins: 13
Number of authentications: 7
Number of failed authentications: 573
Number of users: 1
Number of terminals: 9
Number of host names: 4
Number of executables: 17
Number of files: 279
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 994
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 2
Number of process IDs: 1211
Number of events: 5320

aureport -l

aureport -l -ts 14:00 -te 15:00 -if myfile    #For the log file myfile, report user logins between 14:00 and 15:00.

Login Report
============================================
# date time auid host term exe success event
============================================
1. 17/02/09 14:21:09 root: 192.168.2.100 sshd /usr/sbin/sshd no 7718
2. 17/02/09 14:21:15 0 jupiter /dev/pts/3 /usr/sbin/sshd yes 7724

aureport --failed/success

aureport --failed    #Summary restricted to failed events; for successful events use aureport --success.

Failed Summary Report
======================
Range of time in logs: 03/02/09 14:13:38.225 - 17/02/09 14:57:35.183
Selected time for report: 03/02/09 14:13:38 - 17/02/09 14:57:35.183
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 13
Number of authentications: 0
Number of failed authentications: 574
Number of users: 1
Number of terminals: 5
Number of host names: 4
Number of executables: 11
Number of files: 77
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 994
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 2
Number of process IDs: 708
Number of events: 1583

aureport -u -i --summary    #Total number of events per user.

User Summary Report
===========================
total  auid
===========================
5640  root
13  tux
3  wilber

aureport -e -ts 14:00 -te 14:21    #List of events between 14:00 and 14:21.

Event Report
===================================
# date time event type auid success
===================================
1. 17/02/09 14:20:27 7462 DAEMON_START 0 yes
2. 17/02/09 14:20:27 7715 CONFIG_CHANGE 0 yes
3. 17/02/09 14:20:57 7716 USER_END 0 yes
4. 17/02/09 14:20:57 7717 CRED_DISP 0 yes
5. 17/02/09 14:21:09 7718 USER_LOGIN -1 no
6. 17/02/09 14:21:15 7719 USER_AUTH -1 yes
7. 17/02/09 14:21:15 7720 USER_ACCT -1 yes
8. 17/02/09 14:21:15 7721 CRED_ACQ -1 yes
9. 17/02/09 14:21:15 7722 LOGIN 0 yes
10. 17/02/09 14:21:15 7723 USER_START 0 yes
11. 17/02/09 14:21:15 7724 USER_LOGIN 0 yes
12. 17/02/09 14:21:15 7725 CRED_REFR 0 yes

aureport -p    #All events, listed per process.

Process ID Report
======================================
# date time pid exe syscall auid event
======================================
1. 13/02/09 15:30:01 32742 /usr/sbin/cron 0 0 35
2. 13/02/09 15:30:01 32742 /usr/sbin/cron 0 0 36
3. 13/02/09 15:38:34 32734 /usr/lib/gdm/gdm-session-worker 0 -1 37

aureport -s   #System call report.

Syscall Report
=======================================
# date time syscall pid comm auid event
=======================================
1. 16/02/09 17:45:01 2 20343 cron -1 2279
2. 16/02/09 17:45:02 83 20350 mktemp 0 2284
3. 16/02/09 17:45:02 83 20351 mkdir 0 2285

aureport -x   #View the audit log from the perspective of the executables involved.

Executable Report
====================================
# date time exe term host auid event
====================================
1. 13/02/09 15:08:26 /usr/sbin/sshd sshd 192.168.2.100 -1 12
2. 13/02/09 15:08:28 /usr/lib/gdm/gdm-session-worker :0 ? -1 13
3. 13/02/09 15:08:28 /usr/sbin/sshd ssh 192.168.2.100 -1 14

aureport -f    #Report of file-related events.

File Report
===============================================
# date time file syscall success exe auid event
===============================================
1. 16/02/09 17:45:01 /etc/shadow 2 yes /usr/sbin/cron -1 2279
2. 16/02/09 17:45:02 /tmp/ 83 yes /bin/mktemp 0 2284
3. 16/02/09 17:45:02 /var 83 no /bin/mkdir 0 2285

aureport -u     #Report of the commands users ran on the system.

User ID Report
====================================
# date time auid term host exe event
====================================
1. 13/02/09 15:08:26 -1 sshd 192.168.2.100 /usr/sbin/sshd 12
2. 13/02/09 15:08:28 -1 :0 ? /usr/lib/gdm/gdm-session-worker 13
3. 14/02/09 08:25:39 -1 ssh 192.168.2.101 /usr/sbin/sshd 14

aureport -l -i    #Report of user login events.

Login Report
============================================
# date time auid host term exe success event
============================================
1. 13/02/09 15:08:31 tux: 192.168.2.100 sshd /usr/sbin/sshd no 19
2. 16/02/09 12:39:05 root: 192.168.2.101 sshd /usr/sbin/sshd no 2108
3. 17/02/09 15:29:07 geeko: ? tty3 /bin/login yes 7809

aureport -t   #Show the start and end times of the records contained in the audit log file.

Log Time Range Report
=====================
/var/log/audit/audit.log: 03/02/09 14:13:38.225 - 17/02/09 15:30:01.636
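The Login Report above is plain text, so a few lines of Python can turn it into a per-host view of failed logins. This is an added example, not code from the page; the rows are constructed in the page's `aureport -l -i` format, and the hosts, times and event numbers are made up.

```python
from collections import Counter
from datetime import datetime

# Constructed sample modeled on the page's "aureport -l -i" rows; the hosts,
# times and event numbers are made up for the example, not real log data.
SAMPLE_LOGIN_REPORT = """\
Login Report
============================================
# date time auid host term exe success event
============================================
1. 13/02/09 15:08:31 tux: 192.168.2.100 sshd /usr/sbin/sshd no 19
2. 16/02/09 12:39:05 root: 192.168.2.101 sshd /usr/sbin/sshd no 2108
3. 17/02/09 14:21:09 root: 192.168.2.100 sshd /usr/sbin/sshd no 7718
4. 17/02/09 14:21:12 root: 192.168.2.100 sshd /usr/sbin/sshd no 7720
5. 17/02/09 14:21:15 root: 192.168.2.100 /dev/pts/3 /usr/sbin/sshd yes 7724
6. 17/02/09 15:29:07 geeko: ? tty3 /bin/login yes 7809
"""

COLUMNS = ("date", "time", "auid", "host", "term", "exe", "success", "event")

def parse_login_report(text):
    """Turn the numbered rows of a Login Report into dicts, skipping the title,
    separator and header lines. Each row is
    '<n>. <date> <time> <auid> <host> <term> <exe> <success> <event>'."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != len(COLUMNS) + 1 or not parts[0].rstrip(".").isdigit():
            continue
        row = dict(zip(COLUMNS, parts[1:]))
        # aureport printed dd/mm/yy here; keep a real datetime so rows can be ordered.
        row["when"] = datetime.strptime(row["date"] + " " + row["time"], "%d/%m/%y %H:%M:%S")
        row["ok"] = row["success"] == "yes"
        row["event"] = int(row["event"])
        rows.append(row)
    return rows

def failed_logins_by_host(rows, threshold=2):
    """Failed-login count per source host, most frequent first, for hosts at or
    above `threshold`: the quickest way to see where failures cluster."""
    counts = Counter(r["host"] for r in rows if not r["ok"])
    return [(host, n) for host, n in counts.most_common() if n >= threshold]

def success_after_failures(rows):
    """Hosts that logged in successfully after an earlier failure from the same
    host; a success that follows a burst of failures deserves a closer look."""
    seen_failure, flagged = set(), set()
    for r in sorted(rows, key=lambda r: r["when"]):
        if not r["ok"]:
            seen_failure.add(r["host"])
        elif r["host"] in seen_failure:
            flagged.add(r["host"])
    return sorted(flagged)
```

Feed it the output of `aureport -l -i -if myfile` (or a time window with -ts/-te) to get the same summary for a real log.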

3. ausearch

    aureport gives us an overall summary of the log. When we are interested in particular events, ausearch filters out just the records we want.

    ausearch <option> -if myfile

    As with aureport, -if points it at a specific log file. Adding "-i" interprets numeric and encoded fields as readable text, for example turning user IDs into names and showing the hex-encoded command line as ASCII.

ausearch -a 5207    #Search the current audit log for the records whose event ID is 5207.
----
time->Tue Feb 17 13:43:58 2009
type=PATH msg=audit(1234874638.599:5207): item=0 name="/var/log/audit/audit.log" inode=1219041 dev=08:06 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1234874638.599:5207):  cwd="/root"
ausearch -m    #search by message type
ausearch -ul   #search by login ID
ausearch -ua   #search by uid and euid
ausearch -ui   #search by uid
ausearch -ue   #search by euid
ausearch -ga   #search by gid and egid
ausearch -gi   #search by gid
ausearch -ge   #search by egid
ausearch -c    #search by command name (comm)
ausearch -x    #search by executable (exe)
ausearch -sc   #search by syscall
ausearch -p    #search by pid
ausearch -sv   #search by syscall success value (yes/no)
ausearch -f    #search by file name
ausearch -tm   #search by terminal (term/ssh/tty)
ausearch -hn   #search by host name
ausearch -k    #search by a specific key
ausearch -w    #search by a string set in an audit rule
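The two things ausearch does above, grouping raw records by event ID (-a) and decoding fields into readable form (-i), are easy to reproduce in a few lines, which helps when reviewing an audit.log copied off a host that does not have ausearch. This is an added example, not code from the page or from the audit project; the sample records are constructed in raw audit.log format (event 5207 and its CWD/PATH records match the page, the SYSCALL and PROCTITLE lines, event 5208 and the key name "audit-log-read" are made up).

```python
import re
from datetime import datetime, timezone

# Constructed sample in raw audit.log format, modeled on the page's
# "ausearch -a 5207" output; the SYSCALL/PROCTITLE lines, event 5208
# and the rule key are invented for the example.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1234874638.599:5207): arch=c000003e syscall=2 success=yes exit=3 pid=7640 auid=0 uid=0 comm="less" exe="/usr/bin/less" key="audit-log-read"
type=CWD msg=audit(1234874638.599:5207):  cwd="/root"
type=PATH msg=audit(1234874638.599:5207): item=0 name="/var/log/audit/audit.log" inode=1219041 dev=08:06 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=PROCTITLE msg=audit(1234874638.599:5207): proctitle=6C657373002F7661722F6C6F672F61756469742F61756469742E6C6F67
type=SYSCALL msg=audit(1234874640.101:5208): arch=c000003e syscall=2 success=no exit=-13 pid=7641 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="audit-log-read"
type=PATH msg=audit(1234874640.101:5208): item=0 name="/var/log/audit/audit.log" inode=1219041 dev=08:06 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

HEADER = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def decode_value(key, raw):
    """Do part of what 'ausearch -i' does: strip quotes, and turn a hex-encoded
    proctitle (NUL-separated argv) back into a readable command line."""
    if raw.startswith('"'):
        return raw.strip('"')
    if key == "proctitle":
        argv = bytes.fromhex(raw).split(b"\0")
        return " ".join(a.decode("utf-8", "replace") for a in argv if a)
    return raw

def parse_audit_log(text):
    """Group raw records by event serial, the way 'ausearch -a <serial>' does.
    Returns {serial: {"time": datetime, "records": [(type, fields), ...]}}."""
    events = {}
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue
        rtype, ts, serial, rest = m.groups()
        ev = events.setdefault(int(serial), {
            "time": datetime.fromtimestamp(float(ts), timezone.utc), "records": []})
        ev["records"].append((rtype, {k: decode_value(k, v) for k, v in FIELD.findall(rest)}))
    return events

def field(ev, rtype, key):
    """First value of `key` among the event's records of type `rtype`, or None."""
    return next((f[key] for t, f in ev["records"] if t == rtype and key in f), None)

def failed_accesses(events, watch_key):
    """Events tagged with rule key `watch_key` whose syscall failed: a denied
    access to a watched file is worth reviewing even though nothing was read."""
    hits = []
    for serial, ev in sorted(events.items()):
        if field(ev, "SYSCALL", "key") == watch_key and field(ev, "SYSCALL", "success") == "no":
            hits.append((serial, field(ev, "SYSCALL", "exe"), field(ev, "PATH", "name")))
    return hits
```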

4. autrace

    To check whether the rules we configured actually take effect, we often trace a specific process. The records autrace produces are written to /var/log/audit/audit.log. Before tracing a process with autrace, delete all loaded audit rules with auditctl -D so that autrace's records do not get mixed with those produced by the existing rules; once autrace finishes, restart the audit service with systemctl restart auditd.

auditctl -D

No rules

autrace /usr/bin/less

Waiting to execute: /usr/bin/less
Cleaning up...
No rules
Trace complete. You can locate the records with 'ausearch -i -p 7642'

5. Visualizing the log

aureport -e -i --summary   #Count events by type.

Event Summary Report
======================
total  type
======================
2434  SYSCALL
816  USER_START
816  USER_ACCT
814  CRED_ACQ
810  LOGIN
806  CRED_DISP
779  USER_END
99  CONFIG_CHANGE
52  USER_LOGIN

aureport -e -i --summary  | mkbar events    #Count events by type and draw a bar chart.

That covers the whole path from the audit service to the audit log it produces. One piece skipped along the way is audisp, the audit event dispatcher, which classifies events and forwards them to applications in real time. The next article will list all Audit Record Types for reference.

