What Linux audit does: it helps you understand and analyse what is happening on your system.

Components of the Linux audit system:

- audit kernel module -----> listens to system calls and records events of interest
- audit daemon [auditd] -----> writes the recorded events to disk [/var/log/audit/audit.log]
- audit command-line tools [aureport, ausearch, etc.] ------> help you analyse the audit log

For example:
```
[root@client test]# aureport

Summary Report
======================
Range of time in logs: 12/10/2015 21:34:31.418 - 02/01/2016 17:20:01.482
Selected time for report: 12/10/2015 21:34:31 - 02/01/2016 17:20:01.482
Number of changes in configuration: 5
Number of changes to accounts, groups, or roles: 0
Number of logins: 77
Number of failed logins: 11
Number of authentications: 148
Number of failed authentications: 28
Number of users: 2
Number of terminals: 14
Number of host names: 17
Number of executables: 15
Number of files: 6
Number of AVC's: 14640
Number of MAC events: 77
Number of failed syscalls: 13333
Number of anomaly events: 2
Number of responses to anomaly events: 0
Number of crypto events: 1550
Number of keys: 0
Number of process IDs: 13880
Number of events: 95652
```

```
[root@client test]# ausearch
usage: ausearch [options]
-a,--event <Audit event id>             search based on audit event id
--arch <CPU>                            search based on the CPU architecture
-c,--comm <Comm name>                   search based on command line name
--checkpoint <checkpoint file>          search from last complete event
--debug                                 Write malformed events that are skipped to stderr
-e,--exit <Exit code or errno>          search based on syscall exit code
-f,--file <File name>                   search based on file name
-ga,--gid-all <all Group id>            search based on All group ids
-ge,--gid-effective <effective Group id> search based on Effective group id
-gi,--gid <Group Id>                    search based on group id
-h,--help                               help
-hn,--host <Host Name>                  search based on remote host name
-i,--interpret                          Interpret results to be human readable
-if,--input <Input File name>           use this file instead of current logs
--input-logs                            Use the logs even if stdin is a pipe
--just-one                              Emit just one event
-k,--key <key string>                   search based on key field
-l, --line-buffered                     Flush output on every line
-m,--message <Message type>             search based on message type
-n,--node <Node name>                   search based on machine's name
-o,--object <SE Linux Object context>   search based on context of object
-p,--pid <Process id>                   search based on process id
-pp,--ppid <Parent Process id>          search based on parent process id
-r,--raw                                output is completely unformatted
-sc,--syscall <SysCall name>            search based on syscall name or number
-se,--context <SE Linux context>        search based on either subject or object
--session <login session id>            search based on login session id
-su,--subject <SE Linux context>        search based on context of the Subject
-sv,--success <Success Value>           search based on syscall or event success value
-te,--end [end date] [end time]         ending date & time for search
-ts,--start [start date] [start time]   starting data & time for search
-tm,--terminal <TerMinal>               search based on terminal
-ua,--uid-all <all User id>             search based on All user id's
-ue,--uid-effective <effective User id> search based on Effective user id
-ui,--uid <User Id>                     search based on user id
-ul,--loginuid <login id>               search based on the User's Login id
-uu,--uuid <guest UUID>                 search for events related to the virtual machine with the given UUID.
-v,--version                            version
-vm,--vm-name <guest name>              search for events related to the virtual machine with the name.
-w,--word                               string matches are whole word
-x,--executable <executable name>       search based on executable name
```
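To show what aureport and ausearch are doing with /var/log/audit/audit.log, here is an added example (not code from the original page or from the audit project): a small Python parser for the audit record format that groups records into events by their serial number, recomputes a few of the aureport summary counters, and does an `ausearch -k` / `-m` style lookup. The sample records are constructed for the example.

```python
import re
from collections import Counter

# Constructed sample records in /var/log/audit/audit.log format (not from the page).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1451636401.482:95650): arch=c000003e syscall=2 success=no exit=-13 ppid=2100 pid=2101 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="shadow-watch"
type=PATH msg=audit(1451636401.482:95650): item=0 name="/etc/shadow" inode=1234 ouid=0 ogid=0
type=USER_LOGIN msg=audit(1451636402.100:95651): pid=2200 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.0.2.10 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1451636403.200:95652): pid=2201 uid=0 auid=1000 ses=14 msg='op=login id=1000 exe="/usr/sbin/sshd" hostname=? addr=192.0.2.20 terminal=/dev/pts/1 res=success'
type=SYSCALL msg=audit(1451636404.300:95653): arch=c000003e syscall=59 success=yes exit=0 ppid=2201 pid=2300 auid=1000 uid=1000 comm="bash" exe="/usr/bin/bash" key=(null)
"""

# Each line starts with type=... msg=audit(TIMESTAMP:SERIAL): ; lines sharing a serial form one event.
HEADER = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$")
FIELD = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")

def parse_record(line):
    """Turn one audit.log line into a dict of its key=value fields (None if malformed)."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "time": float(m["ts"]), "serial": int(m["serial"])}
    for k, v in FIELD.findall(m["rest"]):
        rec[k] = v.strip("\"'")
    # USER_* records nest a second key=value list inside msg='...'; flatten it too.
    for k, v in FIELD.findall(rec.get("msg", "")):
        rec[k] = v.strip('"')
    return rec

def group_events(text):
    """Group records by serial number, the way ausearch prints a whole event."""
    events = {}
    for rec in filter(None, map(parse_record, text.splitlines())):
        events.setdefault(rec["serial"], []).append(rec)
    return events

def summarize(text):
    """Recompute a few of the counters aureport prints in its Summary Report."""
    events = group_events(text)
    counts = Counter(events=len(events))
    for rec in (r for recs in events.values() for r in recs):
        if rec["type"] == "USER_LOGIN":
            counts["failed_logins" if rec.get("res") == "failed" else "logins"] += 1
        elif rec["type"] == "SYSCALL" and rec.get("success") == "no":
            counts["failed_syscalls"] += 1
    return dict(counts)

def search(text, key=None, rtype=None):
    """Like `ausearch -k KEY` or `-m TYPE`: return every event that has a matching record."""
    return [recs for recs in group_events(text).values()
            if any((key is None or r.get("key") == key) and
                   (rtype is None or r["type"] == rtype) for r in recs)]
```

Note that a keyed SYSCALL record and its PATH record share one serial, so searching by key returns the file name as well as the syscall, just as ausearch does.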