Using Auditd, I applied the following configuration:
# /etc/audit/rules.d/audit.rules
[...]
-a always,exit -F arch=b64 -S execve
-a always,exit -F arch=b32 -S execve
It works, but it ends up generating far too many events for a single command run by a user.
I only need the SYSCALL, EXECVE, CWD and SYSCALL records of the command that was typed, but every command executed afterwards is logged as well.
For example:
$ hostnamectl
# /var/log/auditd/auditd.log
[...]
**# Logs I want:**
type=**SYSCALL** msg=audit(1676405948.076:1109891): arch=c000003e syscall=59 success=yes exit=0 a0=55751f25f240 a1=55751f2807c0 a2=55751f12a150 a3=8 items=2 ppid=8200 pid=8528 auid=1002 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts3 ses=45102 comm="hostnamectl" exe="/usr/bin/hostnamectl" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)ARCH=x86_64 SYSCALL=execve AUID="myUser" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=**EXECVE** msg=audit(1676405948.076:1109891): argc=1 a0="hostnamectl"
type=**CWD** msg=audit(1676405948.076:1109891): cwd="/home/myUser"
type=**SYSCALL** msg=audit(1676405948.381:1109892): arch=c000003e syscall=59 success=yes exit=0 a0=5622b4642810 a1=5622b467fb70 a2=5622b4798820 a3=5622b4766810 items=2 ppid=1 pid=8529 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" subj=system_u:system_r:systemd_hostnamed_t:s0 key=(null)ARCH=x86_64 SYSCALL=execve AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
**# Logs I want to discard**
type=**BPRM_FCAPS** msg=audit(1676405948.381:1109892): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=0000003fffffffff old_pi=0000000000000000 old_pe=0000003fffffffff old_pa=0000000000000000 pp=0000000000200000 pi=0000000000000000 pe=0000000000200000 pa=0000000000000000
type=**EXECVE** msg=audit(1676405948.381:1109892): argc=1 a0="/usr/lib/systemd/systemd-hostnamed"
type=**CWD** msg=audit(1676405948.381:1109892): cwd="/"
type=**SERVICE_START** msg=audit(1676405948.388:1109893): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='unit=systemd-hostnamed comm="systemd" exe="/usr/lib/systemd/systemd" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
[...]
Can I apply some filter so that only information about the command that was typed gets logged?
My current audit.rules configuration:
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## This determine how long to wait in burst of events
--backlog_wait_time 60000
## Set failure mode to syslog
-f 1
## Ignore PATH and PROCTITLE records
-a always,exclude -F msgtype=PATH
-a always,exclude -F msgtype=PROCTITLE
## Cron jobs fill the logs with stuff we normally don't want (works with SELinux)
-a never,user -F subj_type=crond_t
-a exit,never -F subj_type=crond_t
-a exit,always -F arch=b64 -S execve
-a exit,always -F arch=b32 -S execve
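The two execve events quoted above differ in one field that auditd can filter on at rule level: the first carries `auid=1002` (a logged-in user's session), the second `auid=4294967295`, which the enriched log shows as `AUID="unset"` and which marks a process with no login session, such as a daemon spawned by systemd. The script below is an added example, not part of the question or of the audit project's tooling; it replays that auid test in awk over a constructed, abridged copy of the quoted records so the effect of the filter can be seen offline, and it shows in a comment the equivalent `-F auid` rule that would keep the kernel from emitting the daemon's records in the first place. The function name `filter_user_execs`, the helper `count_type` and the sample records are all assumptions made for this example; it also assumes, as in the quoted log, that an event's SYSCALL record precedes its EXECVE and CWD records.

```shell
#!/bin/sh
# Added example (not from the question or from the audit project): reduce an
# audit.log stream to the SYSCALL/EXECVE/CWD records of execve events whose
# auid belongs to a real login user. This is the same condition the rule
# below would apply in the kernel, before the records are ever written:
#
#   -a always,exit -F arch=b64 -S execve -F auid>=1000 -F auid!=4294967295
#   -a always,exit -F arch=b32 -S execve -F auid>=1000 -F auid!=4294967295
#
# auid=4294967295 (printed as AUID="unset") means the process has no login
# session, which is what separates the systemd-hostnamed event from the
# user's hostnamectl event in the question.

# Constructed sample, abridged from the records quoted in the question.
SAMPLE_LOG='type=SYSCALL msg=audit(1676405948.076:1109891): arch=c000003e syscall=59 success=yes exit=0 ppid=8200 pid=8528 auid=1002 uid=0 gid=0 tty=pts3 ses=45102 comm="hostnamectl" exe="/usr/bin/hostnamectl" key=(null)
type=EXECVE msg=audit(1676405948.076:1109891): argc=1 a0="hostnamectl"
type=CWD msg=audit(1676405948.076:1109891): cwd="/home/myUser"
type=SYSCALL msg=audit(1676405948.381:1109892): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=8529 auid=4294967295 uid=0 gid=0 tty=(none) ses=4294967295 comm="systemd-hostnam" exe="/usr/lib/systemd/systemd-hostnamed" key=(null)
type=BPRM_FCAPS msg=audit(1676405948.381:1109892): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0
type=EXECVE msg=audit(1676405948.381:1109892): argc=1 a0="/usr/lib/systemd/systemd-hostnamed"
type=CWD msg=audit(1676405948.381:1109892): cwd="/"
type=SERVICE_START msg=audit(1676405948.388:1109893): pid=1 uid=0 auid=4294967295 ses=4294967295 comm="systemd" exe="/usr/lib/systemd/systemd" res=success'

# filter_user_execs: read audit records on stdin and print only the SYSCALL,
# EXECVE and CWD records of events whose SYSCALL record carries a login auid
# (>= 1000 and not 4294967295). Assumes the SYSCALL record of an event is
# written before its EXECVE/CWD records, as in the quoted log.
filter_user_execs() {
    awk '
    {
        type = ""; serial = ""; auid = ""
        for (i = 1; i <= NF; i++) {
            split($i, kv, "=")
            if (kv[1] == "type") {
                type = kv[2]
            } else if (kv[1] == "msg" && match($i, /:[0-9]+\)/)) {
                # msg=audit(<timestamp>:<serial>): every record of one event
                # shares the serial, so it is the key that joins them.
                serial = substr($i, RSTART + 1, RLENGTH - 2)
            } else if (kv[1] == "auid") {
                auid = kv[2]
            }
        }
        # The SYSCALL record decides whether the whole event is kept.
        if (type == "SYSCALL" && auid + 0 >= 1000 && auid != "4294967295")
            keep[serial] = 1
        if ((type == "SYSCALL" || type == "EXECVE" || type == "CWD") && (serial in keep))
            print
    }'
}

# count_type: helper for checking results; counts records of one type on stdin.
count_type() {
    grep -c "^type=$1 " || true
}

# Run the filter over the sample when executed directly.
printf '%s\n' "$SAMPLE_LOG" | filter_user_execs
```

Run as-is, the script prints the three hostnamectl records and nothing from the systemd-hostnamed event. Adding the same `-F auid>=1000 -F auid!=4294967295` fields to the two `-S execve` rules in the question does the filtering in the kernel, which is cheaper than post-processing and also stops the daemon's BPRM_FCAPS records. Two caveats worth knowing before relying on it: auid survives `su` and `sudo`, so commands a user runs as root are still captured under the user's auid, which is usually what is wanted; and child processes of the typed command (for example the commands inside a shell script) inherit the same auid and are still logged, because from the kernel's side they are commands that user executed.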