I am creating an auditd rule to track file and directory deletions. I have a rule that shows up a lot in online searches, but I'm not sure it is really that useful:
-a exit,always -F arch=b32 -S unlink -S rmdir -k deletion
There are actually two of them, one for 32-bit and one for 64-bit.
The problem I have is that I don't know of anyone who uses unlink to delete files instead of rm. I tested it with rm, thinking that maybe it does actually call unlink, but nothing showed up in the log.
Am I missing something? Is there a way to track file deletions done with rm?
Answer 1
Sometimes a file may be renamed with the mv command, which looks as though the original file had been deleted. For that case (assuming you are looking for files in the /tmp/ directory), you can add the following rule to your audit.rules file.
-a always,exit -F arch=b32 -F dir=/tmp/ -S unlink -S unlinkat -S rename -S renameat -S rmdir -k file_del
You can then simply search for deletion or rename events for any file under the /tmp/ path by searching for the key file_del, either by grepping audit.log or, better, with the following command:
ausearch -k file_del
Answer 2
I ran strace rm test to see whether it was calling unlink. It does not call unlink itself, but unlinkat. I have added that to the auditd rules:
-a exit,always -F arch=b32 -S unlink -S unlinkat -S rmdir -k deletion
This fires whether it is root or a normal user deleting the file.
The strace output:
execve("/bin/rm", ["rm", "test"], [/* 17 vars */]) = 0
brk(0) = 0x60d000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3a8e43c000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=26788, ...}) = 0
mmap(NULL, 26788, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f3a8e435000
close(3) = 0
open("/lib64/libc.so.6", O_RDONLY) = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\356\0015;\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1926760, ...}) = 0
mmap(0x3b35000000, 3750152, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3b35000000
mprotect(0x3b3518a000, 2097152, PROT_NONE) = 0
mmap(0x3b3538a000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x18a000) = 0x3b3538a000
mmap(0x3b3538f000, 18696, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3b3538f000
close(3) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3a8e434000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3a8e433000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3a8e432000
arch_prctl(ARCH_SET_FS, 0x7f3a8e433700) = 0
mprotect(0x3b3538a000, 16384, PROT_READ) = 0
mprotect(0x3b34a1f000, 4096, PROT_READ) = 0
munmap(0x7f3a8e435000, 26788) = 0
brk(0) = 0x60d000
brk(0x62e000) = 0x62e000
open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=99158576, ...}) = 0
mmap(NULL, 99158576, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f3a885a1000
close(3) = 0
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
newfstatat(AT_FDCWD, "test", {st_mode=S_IFREG|0640, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
geteuid() = 0
unlinkat(AT_FDCWD, "test", 0) = 0
close(0) = 0
close(1) = 0
close(2) = 0
exit_group(0) = ?
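As an added example (not code from the thread) of what the rules in both answers produce, here is a small Python parser for raw audit.log records: it joins each event's SYSCALL, CWD and PATH lines and shows the rm case from Answer 2 as unlinkat and the mv case from Answer 1 as a rename with a DELETE plus a CREATE path record. The log lines and the syscall-number table are constructed for x86_64 and are assumptions, not captured output; on a real system ausearch -i does this decoding for you.

```python
import os
import re
from collections import defaultdict
# x86_64 (arch=c000003e) numbers for the syscalls named in the rules above;
# a b32 event (arch=40000003) would need the i386 table instead.
SYSCALL_NAMES = {87: "unlink", 263: "unlinkat", 82: "rename",
                 264: "renameat", 316: "renameat2", 84: "rmdir"}

# Constructed records (not captured): 501 is `rm test`, 502 is `mv report.txt report.old`
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:501): arch=c000003e syscall=263 success=yes exit=0 items=2 ppid=1200 pid=1201 auid=1000 uid=0 gid=0 euid=0 tty=pts0 ses=3 comm="rm" exe="/bin/rm" key="file_del"
type=CWD msg=audit(1700000000.101:501): cwd="/tmp"
type=PATH msg=audit(1700000000.101:501): item=0 name="/tmp/" inode=2 dev=00:1f mode=041777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.101:501): item=1 name="test" inode=13 dev=00:1f mode=0100640 ouid=0 ogid=0 rdev=00:00 nametype=DELETE
type=SYSCALL msg=audit(1700000000.205:502): arch=c000003e syscall=82 success=yes exit=0 items=4 ppid=1200 pid=1202 auid=1000 uid=1000 gid=1000 euid=1000 tty=pts0 ses=3 comm="mv" exe="/bin/mv" key="file_del"
type=CWD msg=audit(1700000000.205:502): cwd="/tmp"
type=PATH msg=audit(1700000000.205:502): item=0 name="/tmp/" inode=2 dev=00:1f mode=041777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.205:502): item=1 name="/tmp/" inode=2 dev=00:1f mode=041777 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.205:502): item=2 name="report.txt" inode=14 dev=00:1f mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=DELETE
type=PATH msg=audit(1700000000.205:502): item=3 name="report.old" inode=14 dev=00:1f mode=0100644 ouid=1000 ogid=1000 rdev=00:00 nametype=CREATE
"""
FIELD_RE = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')   # key=value or key="value"
EVENT_RE = re.compile(r"msg=audit\([\d.]+:(\d+)\)")   # the per-event serial number


def parse_record(line):
    """One raw record -> (event serial, record type, {field: value})."""
    serial = EVENT_RE.search(line).group(1)
    fields = {k: q or u for k, q, u in FIELD_RE.findall(line)}
    return serial, fields["type"], fields


def summarize(log_text, key="file_del"):
    """Join each event's SYSCALL/CWD/PATH records and report which syscall, run by
    whom, removed which path. A rename yields a DELETE and a CREATE path record."""
    events = defaultdict(list)
    for line in filter(str.strip, log_text.splitlines()):
        serial, rtype, fields = parse_record(line)
        events[serial].append((rtype, fields))
    out = []
    for serial, records in events.items():
        sysc = next((f for t, f in records if t == "SYSCALL"), None)
        if sysc is None or sysc.get("key") != key:
            continue  # keep only events tagged by our -k rule
        cwd = next((f["cwd"] for t, f in records if t == "CWD"), "")
        paths = lambda kind: [os.path.join(cwd, f["name"]) for t, f in records
                              if t == "PATH" and f.get("nametype") == kind]
        out.append({"event": serial, "comm": sysc["comm"], "uid": int(sysc["uid"]),
                    "syscall": SYSCALL_NAMES.get(int(sysc["syscall"]), sysc["syscall"]),
                    "deleted": paths("DELETE"), "created": paths("CREATE")})
    return out
```

Feeding it the output of ausearch -k file_del --raw gives the same per-event view for real logs, and an event whose deleted list is paired with a created list is a rename rather than a removal.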