12.04 auditd does not log user logins and logouts to audit.log

Auditd is only logging events of type CWD, PATH and SYSCALL. It never seems to detect events of type USER_LOGIN, for example. I have enabled rules to capture these login/logout events, but they do not seem to be detected properly by auditd. Running aureport --failed or aureport --success never produces any login- or authentication-related results, even though there are multiple entries in wtmp, btmp and the faillog file. I do see the entries in auth.log, but I am trying to get them into one consolidated location, the way I have always been able to with Redhat and SuSe distributions. Any help would be appreciated.

audit, libaudit, libauparse0 and audispd-plugins versions, all: 1:2.3.2-2ubuntu1

audit.rules (minimal rules used for testing)

-D

-b 8192
-f 2

-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change


-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity


-a exit,always -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a exit,always -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/network -p wa -k system-locale


-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins

-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session

auditd.conf

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = SYNC
freq = 0
num_logs = 0
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 5
max_log_file_action = KEEP_LOGS
space_left = 750
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 500
admin_space_left_action = SYSLOG
disk_full_action = SYSLOG
disk_error_action = SYSLOG
##tcp_listen_port = 
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key

faillog output

Login       Failures Maximum Latest                   On

test            1        0   03/21/15 21:31:10 -0400  /dev/pts/3
test2           2        0   03/21/15 22:42:09 -0400  

/var/log/auth.log (excerpt)

Mar 21 20:51:11 U1 login[101526]: FAILED LOGIN (1) on '/dev/pts/3' FOR 'test2', Authentication failure
Mar 21 20:51:13 U1 login[101526]: pam_securetty(login:auth): access denied: tty '/dev/pts/3' is not secure !
Mar 21 20:51:13 U1 login[101526]: pam_tally(login:auth): pam_get_uid; no such user
Mar 21 21:17:01 U1 CRON[109494]: pam_unix(cron:session): session opened for user root by (uid=0)
Mar 21 21:17:01 U1 CRON[109494]: pam_unix(cron:session): session closed for user root
Mar 21 21:29:33 U1 login[112465]: pam_tally(login:auth): user test2 (1002) tally 5, deny 3
Mar 21 21:29:42 U1 login[112465]: pam_unix(login:auth): authentication failure; logname=root uid=0 euid=0 tty=/dev/pts/3 ruser= rhost=  user=test2
Mar 21 21:29:45 U1 login[112465]: FAILED LOGIN (1) on '/dev/pts/3' FOR 'test2', Authentication failure
Mar 21 21:30:37 U1 login[112471]: pam_unix(login:auth): authentication failure; logname=root uid=0 euid=0 tty=/dev/pts/3 ruser= rhost=  user=test2
Mar 21 21:30:40 U1 login[112471]: FAILED LOGIN (1) on '/dev/pts/3' FOR 'test2', Authentication failure
Mar 21 21:30:54 U1 login[112471]: pam_unix(login:session): session opened for user test2 by root(uid=0)
Mar 21 21:30:54 U1 login[112657]: 'test2' logged in  on '/dev/pts/3'
Mar 21 21:31:14 U1 su[112756]: pam_unix(su:auth): authentication failure; logname=test2 uid=1002 euid=0 tty=/dev/pts/3 ruser=test2 rhost=  user=test
Mar 21 21:31:16 U1 su[112756]: pam_authenticate: Authentication failure
Mar 21 21:31:16 U1 su[112756]: FAILED su for test by test2
Mar 21 21:31:16 U1 su[112756]: - /dev/pts/3 test2:test
Mar 21 21:31:21 U1 login[112471]: pam_unix(login:session): session closed for user test2
Mar 21 22:42:02 U1 login[123946]: pam_unix(login:auth): authentication failure; logname=root uid=0 euid=0 tty=/dev/pts/2 ruser= rhost=  user=test2
Mar 21 22:42:06 U1 login[123946]: FAILED LOGIN (1) on '/dev/pts/2' FOR 'test2', Authentication failure
Mar 21 22:42:14 U1 login[123946]: FAILED LOGIN (2) on '/dev/pts/2' FOR 'test2', Authentication failure

aureport output

Failed Summary Report
======================
Range of time in logs: 03/21/2015 20:26:48.495 - 03/21/2015 21:46:21.023
Selected time for report: 03/21/2015 20:26:48 - 03/21/2015 21:46:21.023
Number of changes in configuration: 0
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 0
Number of authentications: 0
Number of failed authentications: 0
Number of users: 0
Number of terminals: 0
Number of host names: 0
Number of executables: 0
Number of files: 0
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 0
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of keys: 0
Number of process IDs: 0
Number of events: 0

Answer 1

I ran into the same problem running aureport on a 12.04 system. It appears to be caused by an OS bug; see https://bugs.launchpad.net/ubuntu/+source/audit/+bug/1478087. "The bug is not in aureport or libaudit. aureport looks for AUDIT_USER_LOGIN events in the audit log, but we are not generating them in the login programs, because libaudit support was not enabled at build time or, in lightdm's case, libaudit support is missing altogether.

Note that we do generate AUDIT_LOGIN events from the kernel on login, but aureport and friends are looking for AUDIT_USER_LOGIN events from userspace."
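To verify the explanation in the answer on your own box, the small parser below (an added example, not code from the question, the answer or the audit project) tallies record types in a raw-format audit.log and pulls the login sessions out of the kernel's LOGIN records, which carry the new auid even when no USER_LOGIN record is ever written. The sample records are constructed for the example; the LOGIN field names (old-auid/auid/ses) follow the format newer kernels write, and the 3.x kernel on 12.04 spells them "old auid=... new auid=...", so adjust KV_RE for that form.

```python
import re
from collections import Counter

# Constructed sample of raw (log_format = RAW) audit records, not taken from the
# question: a SYSCALL/CWD/PATH group from the -k session watch on utmp, the
# kernel LOGIN record that sets the login uid, and a second login attempt that
# only touched btmp. No USER_LOGIN record is present, as on the reported system.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1426987854.100:201): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=112471 auid=4294967295 uid=0 gid=0 euid=0 tty=pts3 ses=4294967295 comm="login" exe="/bin/login" key="session"
type=CWD msg=audit(1426987854.100:201):  cwd="/"
type=PATH msg=audit(1426987854.100:201): item=0 name="/var/run/utmp" inode=1234 dev=08:01 mode=0100664 ouid=0 ogid=43 rdev=00:00
type=LOGIN msg=audit(1426987854.101:202): pid=112471 uid=0 old-auid=4294967295 auid=1002 old-ses=4294967295 ses=7 res=1
type=SYSCALL msg=audit(1426991722.300:240): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=123946 auid=4294967295 uid=0 gid=0 euid=0 tty=pts2 ses=4294967295 comm="login" exe="/bin/login" key="session"
type=PATH msg=audit(1426991722.300:240): item=0 name="/var/log/btmp" inode=1235 dev=08:01 mode=0100660 ouid=0 ogid=43 rdev=00:00
"""

# type=<T> msg=audit(<epoch.ms>:<serial>): <key=value ...>
RECORD_RE = re.compile(r'^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$')
# key=value pairs; values may be double-quoted (comm, exe, key, name, cwd)
KV_RE = re.compile(r'(?P<key>[\w-]+)=(?P<val>"[^"]*"|\S+)')
UNSET_AUID = 4294967295  # (unsigned) -1: no login uid assigned yet


def parse_records(text):
    """Yield (type, serial, fields) for every parseable raw audit record."""
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        fields = {k: v.strip('"') for k, v in KV_RE.findall(m.group('body'))}
        yield m.group('type'), int(m.group('serial')), fields


def count_types(text):
    """Record-type histogram; USER_LOGIN == 0 here is why aureport reports 0 logins."""
    return Counter(rec_type for rec_type, _, _ in parse_records(text))


def kernel_logins(text):
    """Sessions recoverable from kernel LOGIN records: the auid transition from unset to a real uid."""
    sessions = []
    for rec_type, serial, f in parse_records(text):
        if rec_type != 'LOGIN' or int(f.get('auid', UNSET_AUID)) == UNSET_AUID:
            continue
        sessions.append({'serial': serial, 'pid': int(f['pid']),
                         'auid': int(f['auid']), 'ses': int(f['ses'])})
    return sessions


if __name__ == '__main__':
    print(dict(count_types(SAMPLE_AUDIT_LOG)))
    for s in kernel_logins(SAMPLE_AUDIT_LOG):
        print('login: pid=%(pid)d auid=%(auid)d ses=%(ses)d (event %(serial)d)' % s)
```

Point it at the real file with `count_types(open('/var/log/audit/audit.log').read())`: a non-zero LOGIN count alongside a zero USER_LOGIN count confirms you are hitting the bug rather than a rules problem.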
