Auditd 未记录某些受监视文件的事件

tag-icon tag-icon linux centos
Auditd 未记录某些受监视文件的事件

我们已经配置了 auditd 来记录对某些关键文件的所有访问。系统运行 WebLogic Server,我们想知道是否有人试图窥探敏感的系统文件,例如域配置文件、加密盐等。过去,在某些系统上,在某些情况下,这种方法可以按预期工作,但最近却不行了,我正绞尽脑汁想找出原因。所以我违背了自己的本性,寻求外部帮助来解决这个问题。

我一直在调查的相关数据点和可能的线索:

  • 我们最近获得了一个带有新内核版本的更新系统映像。
  • 系统映像是 OEL5(基本上是 RHEL5/CentOS 5)
  • 当我重新启动系统时,它仅加载最小规则集:
    # 审计控制 -l
    LIST_RULES:退出,始终 dir=/etc/audit (0xa) perm=wa key=auditsys
    LIST_RULES:退出,始终 dir=/var/log/audit (0xe) perm=wa key=auditsys

尽管完整的规则文件仍然存在。

当我尝试重新启动审计守护程序(服务 auditd restart )时,收到以下错误消息:

Error sending add rule data request (No such file or directory)
There was an error in line 30 of /etc/audit/audit.rules

结果是因为我们要求它监视的一个文件尚不存在。我通过手动创建文件来解决这个问题,并对每个后续错误重复此操作。因此,在我看来,不能让审计守护进程预先监视路径并报告给定文件的初始创建。

有人可以建议解决这个问题的方法或替代解决方案吗?

答案1

这里有两个想法:

1)考虑在规则文件中使用-i。

“从文件读取规则时忽略错误。这会导致 auditctl 始终返回成功退出代码。”

这样会在出现错误时继续解析并拾取其他规则。否则,您最终只会得到出现错误之前的规则。显然,这样做有缺点,但有时无论如何,最好还是制定正确的规则。

2)解决启动时不存在的目录/文件的一个简单方法是,一旦系统达到运行状态,重新启动/重新加载 auditd。

答案2

从审计邮件列表传递过来...

> On Mon, 2015-05-11 at 15:52 -0400, Steve Grubb wrote:
> > On Monday, May 11, 2015 11:50:19 AM Bill Jackson III wrote:
> > > Any pointers for troubleshooting  auditd missing events for file reads,
> > > edits, etc. ( -w _path_ -p raw) on OEL5/RHEL 5/CentOS 5?
> > > 
> > > http://security.stackexchange.com/q/89009/56827
> > 
> > The -w notation is the same as
> > 
> > -a always,exit -F path=XXX -F perms=rwa
> > 
> > What this does is audit the following functions defined in the syscall 
> > classifiers
> > :
> > http://lxr.free-electrons.com/source/include/asm-generic/audit_read.h
> > http://lxr.free-electrons.com/source/include/asm-generic/audit_write.h
> > http://lxr.free-electrons.com/source/include/asm-generic/audit_change_attr.h
> > 
> > You are not going to get a hit for each and every read system call because 
> > read is not audited.
> 
> Bill,
> 
> Is your question
> 
>   "Can one apply a file watch using auditd if the file does not exist?"
> 
> then I believe the answer is no. 

There is a patch set coming to be able to address this case if the
directory exists.  Down the road, I'm hoping to be able to accomodate
non-existant directories too.

> Options would be 
> - as part of your application deployment standard operating procedures
> (SOPs) add appropriate watches to audit.rules and restart the auditd
> service
> - keep all you sensitive files in one directory location, set a
> directory watch on this directory tree and then as part of your
> application deployment SOPs, place the real files in the sensitive file
> area and then link to them from the application area. (I've just tried
> this on a fc22 system and it works)
> 
> Regards

- RGB

--
Richard Guy Briggs <[email protected]>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

相关内容