Parsing audit log commands into full commands with their arguments

My audit log looks like this:

type=CWD msg=audit(1613110144.560:260397): cwd="/"
type=PATH msg=audit(1613110144.560:260397): item=0 name="/usr/bin/sed" inode=393388 dev=fe:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1613110144.560:260397): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=389403 dev=fe:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1613110144.560:260397): proctitle=736564002D6E6500732F5E73657373696F6E5C2E736176655F706174683D5C282E2A3B5C295C3F5C282E2A5C29242F5C322F70
type=SYSCALL msg=audit(1613110144.564:260398): arch=c000003e syscall=59 success=yes exit=0 a0=55779395c2a0 a1=55779395c250 a2=55779395c270 a3=0 items=2 ppid=22687 pid=22689 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sed" exe="/usr/bin/sed" subj==unconfined key=(null)
type=EXECVE msg=audit(1613110144.564:260398): argc=3 a0="sed" a1="-ne" a2="s/^session\.gc_maxlifetime=\(.*\)$/\1/p"
type=CWD msg=audit(1613110144.564:260398): cwd="/"
type=PATH msg=audit(1613110144.564:260398): item=0 name="/usr/bin/sed" inode=393388 dev=fe:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1613110144.564:260398): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=389403 dev=fe:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1613110144.564:260398): proctitle=736564002D6E6500732F5E73657373696F6E5C2E67635F6D61786C69666574696D653D5C282E2A5C29242F5C312F70
type=SYSCALL msg=audit(1613110144.564:260399): arch=c000003e syscall=59 success=yes exit=0 a0=55779395c2a0 a1=55779395c250 a2=55779395c270 a3=5577932dfd82 items=2 ppid=22690 pid=22692 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sed" exe="/usr/bin/sed" subj==unconfined key=(null)
type=EXECVE msg=audit(1613110144.564:260399): argc=3 a0="sed" a1="-e" a2="s,@VERSION@,7.3,"

I need to get all the commands that were executed in bash (type=EXECVE).

For example, take the following log entry:

type=EXECVE msg=audit(1613110144.564:260398): argc=3 a0="sed" a1="-ne" a2="s/^session\.gc_maxlifetime=\(.*\)$/\1/p"

It should be parsed as:

sed -ne s/^session\.gc_maxlifetime=\(.*\)$/\1/p

How can I achieve this? Perhaps there is a way to get the desired result using auditsearch.

Answer 1

Using GNU sed in extended regular expression mode (-E), and assuming that:

  • A double quote inside a double-quoted value is escaped with a backslash (\").
  • All arguments are enclosed in double quotes.
sed -Ee '
  # keep only EXECVE records
  /^type=EXECVE\s/!d
  # drop everything before the first a0= field
  s/\sa0=/\na0=/;s/.*\n//
  # strip the a<N>="..." wrappers, leaving just the argument values
  s/a[0-9]+="(([^\"]*|\\.)*)"/\1/g
' audit.log

Output:

sed -ne s/^session\.gc_maxlifetime=\(.*\)$/\1/p
sed -e s,@VERSION@,7.3,
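The sed script above reconstructs the two commands in the question, but it relies on every argument being double-quoted. In real auditd output that is not always the case: an argument containing a space, a quote or a non-printable byte is written as a bare hex string (a2=6563...), an argument longer than the record limit is split into numbered chunks (a1_len=... a1[0]=... a1[1]=...), and a very long argv is continued in further EXECVE records carrying the same event serial. The following Python parser is an added example, not code from the question or the answer; it handles all three cases, merges records by serial, and can emit either the plain join the question asked for or a shell-quoted form (shlex.join) that is safe to paste back into a shell. The sample log is constructed for this example: the first two EXECVE lines are taken from the question, the last two are made up to exercise the hex and chunked forms.

```python
import re
import shlex

# Constructed sample log. The two sed records are the EXECVE lines from the
# question above (with one non-EXECVE line to show it is skipped); the "sh -c"
# record and the chunked "echo" record are made up for this example to show
# the hex-encoded and split-argument forms auditd produces.
SAMPLE_LOG = r"""
type=CWD msg=audit(1613110144.564:260398): cwd="/"
type=EXECVE msg=audit(1613110144.564:260398): argc=3 a0="sed" a1="-ne" a2="s/^session\.gc_maxlifetime=\(.*\)$/\1/p"
type=EXECVE msg=audit(1613110144.564:260399): argc=3 a0="sed" a1="-e" a2="s,@VERSION@,7.3,"
type=EXECVE msg=audit(1613110150.001:260400): argc=3 a0="sh" a1="-c" a2=6563686F2068656C6C6F
type=EXECVE msg=audit(1613110151.002:260401): argc=2 a0="echo" a1_len=6 a1[0]="abc" a1[1]="def"
"""

# Header of an EXECVE record: timestamp, event serial, and the field body.
EXECVE_RE = re.compile(
    r'^type=EXECVE msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$'
)

# One argv field: a<N>=value, or a chunk a<N>[<K>]=value of a long argument.
# The value is either "quoted" (a backslash escapes a quote, as the answer
# assumes) or a bare hex string, which auditd uses for values containing
# spaces, quotes or non-printable bytes. "argc=" and "a1_len=" never match
# because a digit must directly follow the "a" and "=" must follow the index.
ARG_RE = re.compile(
    r'\ba(?P<idx>\d+)(?:\[(?P<chunk>\d+)\])?='
    r'(?:"(?P<quoted>(?:[^"\\]|\\.)*)"|(?P<hex>[0-9A-Fa-f]+))'
)


def decode_value(quoted, hexval):
    """Turn one field value into text."""
    if hexval is not None:
        # auditd hex-encodes the raw argv bytes; argv need not be valid UTF-8,
        # so decode leniently rather than crash on a single odd byte.
        return bytes.fromhex(hexval).decode('utf-8', errors='replace')
    # Only \" is an escape in this format; every other backslash is literal
    # (the sed pattern in the question keeps its \. \( \) \1 unchanged).
    return quoted.replace('\\"', '"')


def parse_execve(lines):
    """Return a list of (serial, argv) for each EXECVE event in the log.

    Records with the same serial are merged, because the kernel continues a
    long argv in further EXECVE records with the same event id, and chunks
    a<N>[<K>] are reassembled in order into a single argument.
    """
    events = {}  # serial -> {arg index -> {chunk index -> text}}
    for line in lines:
        m = EXECVE_RE.match(line.strip())
        if not m:
            continue
        args = events.setdefault(m.group('serial'), {})
        for a in ARG_RE.finditer(m.group('body')):
            idx = int(a.group('idx'))
            chunk = int(a.group('chunk')) if a.group('chunk') is not None else 0
            args.setdefault(idx, {})[chunk] = decode_value(a.group('quoted'), a.group('hex'))
    result = []
    for serial, args in events.items():
        argv = [''.join(chunks[k] for k in sorted(chunks))
                for _, chunks in sorted(args.items())]
        result.append((serial, argv))
    return result


def execve_commands(log_text, shell_safe=True):
    """Reconstruct one command line per EXECVE event.

    shell_safe=True quotes each argument with shlex so the line can be pasted
    into a shell; shell_safe=False gives the bare space-joined form shown in
    the question, which is readable but loses where each argument ends.
    """
    return [shlex.join(argv) if shell_safe else ' '.join(argv)
            for _, argv in parse_execve(log_text.splitlines())]


if __name__ == '__main__':
    for cmd in execve_commands(SAMPLE_LOG, shell_safe=False):
        print(cmd)
```

If the audit userspace tools are installed on the box, `ausearch -m EXECVE -i` prints the same records with the hex-encoded arguments already decoded; the parser above is for the case where only the raw log file is available, for example on an analysis host.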
