Event logging - efanov/mephi GitHub Wiki

Event logging

  • The systemd-journal system.
  • The auditd system. Rules. The task, exit, user and exclude lists. The never and always actions.
# auditctl -D
No rules
# auditctl -w /etc/selinux/config -p warx -k selinux_config
# auditctl -l
-w /etc/selinux/config -p rwxa -k selinux_config
# cat /etc/selinux/config
# cat /var/log/audit/audit.log

The rule was given as -p warx but is listed as -p rwxa: auditctl prints the permission set in its canonical order, so both spellings denote the same rule. Rules added with auditctl are lost at reboot; to keep them, put them in a file under /etc/audit/rules.d/ (assembled into /etc/audit/audit.rules by augenrules). Reading the watched file with cat produced the following event of four records, all sharing the identifier audit(1585350972.773:258):
  • First record

type=SYSCALL msg=audit(1585350972.773:258): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffef1991a96 a2=0 a3=0 items=1 ppid=3678 pid=3759 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="selinux_config" ARCH=x86_64 SYSCALL=openat AUID="defanov" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"

type=SYSCALL The type field contains the type of the record. In this example, the SYSCALL value specifies that this record was triggered by a system call to the kernel.

msg=audit(1585350972.773:258): The msg field records a time stamp and a unique ID of the record in the form audit(time_stamp:ID). Multiple records can share the same time stamp and ID if they were generated as part of the same Audit event; that is what ties the SYSCALL, CWD, PATH and PROCTITLE records below together. The time stamp uses the Unix time format, seconds since 00:00:00 UTC on 1 January 1970. The rest of the record consists of event-specific name=value pairs provided by the kernel or by user-space applications. The upper-case pairs at the end of the record (ARCH=x86_64 SYSCALL=openat AUID="defanov" UID="root" ...) are not part of the kernel record: auditd appends them when log_format = ENRICHED is set in /etc/audit/auditd.conf, so that numeric IDs stay interpretable even after accounts are removed or the log is read on another machine.

arch=c000003e The arch field contains information about the CPU architecture of the system. The value, c000003e, is encoded in hexadecimal notation. When searching Audit records with the ausearch command, use the -i or --interpret option to automatically convert hexadecimal values into their human-readable equivalents. The c000003e value is interpreted as x86_64.

syscall=257 The syscall field records the number of the system call that was sent to the kernel. Numbers are architecture-specific, so they must be resolved against the table of the arch recorded above; for x86_64 that is /usr/include/asm/unistd_64.h, or the ausyscall tool:

$ grep -w 257 /usr/include/asm/unistd_64.h
#define __NR_openat 257

$ ausyscall --dump | grep 257
257	openat

success=yes The success field records whether the system call recorded in that particular event succeeded or failed.

exit=3 The exit field contains the value returned by the system call, so its meaning depends on the call: for openat a non-negative value is the new file descriptor (3 here, the first free descriptor after stdin, stdout and stderr). A failed call records -errno as a negative number, which ausearch translates to the errno name when interpreting (for example exit=-13 is shown as EACCES). The following command selects events whose system call returned the given value and prints them interpreted:

    # ausearch --interpret --exit 3

a0=ffffff9c, a1=7ffef1991a96, a2=0, a3=0 The a0 to a3 fields record the first four arguments of the system call in this event, encoded in hexadecimal notation; their meaning depends on the system call. For openat(2), a0 is the directory descriptor: ffffff9c is -100 as a signed 32-bit value, the AT_FDCWD constant, so the path is resolved relative to the current working directory (hence the CWD record); a1 is a user-space pointer to the path string, whose contents appear in the PATH record; a2 is the flags word, 0 meaning O_RDONLY; a3 is the mode, unused without O_CREAT.

items=1 The items field contains the number of PATH auxiliary records that follow the syscall record.

ppid=3678 The ppid field records the Parent Process ID (PPID).

pid=3759 The pid field records the Process ID (PID). In this case, the PID of the cat process.

auid=1000 The auid field records the Audit user ID, that is the loginuid. This ID is assigned to a user upon login and is inherited by every process even when the user’s identity changes, for example by switching accounts with su or sudo. In this record auid=1000 (interpreted as AUID="defanov" in the enriched part of the record) while uid=0: the login user is 1000, who switched to root before running cat. This is the field to use when attributing an action to a person.

uid=0 The uid field records the user ID of the user who started the analyzed process. The user ID can be interpreted into user names with the following command: ausearch -i --uid UID.

gid=0 The gid field records the group ID of the user who started the analyzed process.

euid=0 The euid field records the effective user ID of the analyzed process.

suid=0 The suid field records the saved set-user-ID of the analyzed process.

fsuid=0 The fsuid field records the file system user ID of the analyzed process.

egid=0 The egid field records the effective group ID of the analyzed process.

sgid=0 The sgid field records the saved set-group-ID of the analyzed process.

fsgid=0 The fsgid field records the file system group ID of the analyzed process.

tty=pts0 The tty field records the terminal from which the analyzed process was invoked.

ses=3 The ses field records the session ID of the login session from which the analyzed process was invoked; like auid it is set by pam_loginuid at login and inherited by child processes.

comm="cat" The comm field records the command name of the analyzed process (the kernel’s comm value, as in /proc/PID/comm, at most 15 characters; a process can change it). In this case, the cat command triggered this Audit event.

exe="/usr/bin/cat" The exe field records the path to the executable that was used to invoke the analyzed process, as seen by the kernel; it is more trustworthy than comm when the two disagree.

subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 The subj field records the SELinux context with which the analyzed process was labeled at the time of execution.

key="selinux_config" The key field records the administrator-defined string (the -k argument of the rule) associated with the rule that generated this event. It is the handle for retrieving all events of one rule: ausearch -k selinux_config, or aureport -k for a summary per key.

  • Second record

type=CWD msg=audit(1585350972.773:258): cwd="/home/user1"

type=CWD

In the second record, the type field value is CWD — current working directory. This type is used to record the working directory from which the process that invoked the system call specified in the first record was executed. The purpose of this record is to record the current process’s location in case a relative path winds up being captured in the associated PATH record. This way the absolute path can be reconstructed.

The msg field holds the same time stamp and ID value as the value in the first record. The time stamp is using the Unix time format - seconds since 00:00:00 UTC on 1 January 1970.

The cwd field contains the path to the directory in which the system call was invoked.

  • Third record

type=PATH msg=audit(1585350972.773:258): item=0 name="/etc/selinux/config" inode=133133 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:selinux_config_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"

type=PATH An Audit event contains a PATH-type record for every path that is passed to the system call as an argument.

The msg field holds the same time stamp and ID value as the value in the first and second record.

The item field indicates which item, of the total number of items referenced in the SYSCALL type record, the current record is. This number is zero-based; a value of 0 means it is the first item.

The name field records the path of the file or directory that was passed to the system call as an argument.

The inode field contains the inode number associated with the file or directory recorded in this event. Inode numbers are unique only within one filesystem, so the lookup must stay on the filesystem identified by the dev field (here 08:02); -xdev keeps find from descending into other mounts. The following command displays the file or directory that is associated with the 133133 inode number:

# find / -xdev -inum 133133 -print
/etc/selinux/config

dev=08:02 The dev field specifies the major and minor number of the device that contains the file or directory recorded in this event: major 8, minor 2, which is normally /dev/sda2. Together with the inode number it identifies the file unambiguously.

mode=0100644 The mode field records the file type and permissions in octal, as returned by stat in the st_mode field: 0100000 is S_IFREG (a regular file) and 0644 are the permission bits. See the stat(2) man page for more information.

ouid=0 The ouid field records the object owner’s user ID.

ogid=0 The ogid field records the object owner’s group ID.

rdev=00:00 The rdev field contains a recorded device identifier for special files only. In this case, it is not used as the recorded file is a regular file.

obj=system_u:object_r:selinux_config_t:s0 The obj field records the SELinux context with which the recorded file or directory was labeled at the time of execution.

nametype=NORMAL The nametype field records the intent of each path record’s operation in the context of a given syscall.

cap_fp=0 The cap_fp field records the permitted set of the file system-based capability of the file or directory object (0: no capability set).

cap_fi=0 The cap_fi field records the inheritable set of the file system-based capability of the file or directory object.

cap_fe=0 The cap_fe field records the effective bit of the file system-based capability of the file or directory object.

cap_fver=0 The cap_fver field records the version of the file system-based capability of the file or directory object.

cap_frootid=0 The cap_frootid field records the root user ID stored in a version 3 (user-namespaced) file capability; 0 means the initial user namespace. Non-zero cap_fp and cap_fe values on an unexpected file deserve a second look, since file capabilities grant privilege without a setuid bit.

  • Fourth record

type=PROCTITLE msg=audit(1585350972.773:258): proctitle=636174002F6574632F73656C696E75782F636F6E666967

type=PROCTITLE The type field contains the type of the record. In this example, the PROCTITLE value specifies that this record gives the full command-line that triggered this Audit event, triggered by a system call to the kernel.

The proctitle field records the full command-line of the command that was used to invoke the analyzed process. It is hex-encoded whenever the command line contains spaces, quotes or non-printable characters, so that a crafted command line cannot break or inject fields into a log parser; in the encoded data the argv elements are separated by NUL bytes. Here 636174002F6574632F73656C696E75782F636F6E666967 decodes to "cat", NUL, "/etc/selinux/config", that is the command cat /etc/selinux/config. When searching Audit records with the ausearch command, use the -i or --interpret option to automatically convert such values into their human-readable equivalents. Unlike exe, proctitle is read from the process’s own memory (argv), so a process can rewrite it.
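The four record types above are easier to work with once they are parsed and re-joined by their audit(timestamp:serial) identifier. The following Python script is an added example, not code from the wiki page or from the audit user-space tools: it parses raw audit.log lines, groups them into events, decodes the hex proctitle, and interprets arch, the syscall number (against a partial x86_64 table), the AT_FDCWD argument and negative exit values as errno names, roughly what ausearch -i does. Event 258 is the one shown on this page; event 259, and the -w /etc/shadow -k shadow rule it implies, are constructed for contrast.

```python
"""Parse raw auditd records, group them into events by audit(timestamp:serial)
and interpret the fields much as `ausearch -i` does.  Added example; it is not
code from the wiki page or from the audit user-space tools."""
import errno
import re

# Event 258 is copied from this page's audit.log excerpt (raw fields only).
# Event 259 is CONSTRUCTED for contrast: a hypothetical -w /etc/shadow -k shadow
# rule catching an unprivileged read that fails with EACCES (exit=-13).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1585350972.773:258): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=7ffef1991a96 a2=0 a3=0 items=1 ppid=3678 pid=3759 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="selinux_config"
type=CWD msg=audit(1585350972.773:258): cwd="/home/user1"
type=PATH msg=audit(1585350972.773:258): item=0 name="/etc/selinux/config" inode=133133 dev=08:02 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:selinux_config_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1585350972.773:258): proctitle=636174002F6574632F73656C696E75782F636F6E666967
type=SYSCALL msg=audit(1585351000.100:259): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=7ffef1991b00 a2=0 a3=0 items=1 ppid=3678 pid=3801 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="shadow"
type=CWD msg=audit(1585351000.100:259): cwd="/home/user1"
type=PATH msg=audit(1585351000.100:259): item=0 name="/etc/shadow" inode=133200 dev=08:02 mode=0100000 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shadow_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=PROCTITLE msg=audit(1585351000.100:259): proctitle=636174002F6574632F736861646F77
"""

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S*)')  # quoted values may contain spaces

ARCH_NAMES = {0xC000003E: "x86_64", 0x40000003: "i386", 0xC00000B7: "aarch64"}
# Partial x86_64 table; the full one is /usr/include/asm/unistd_64.h or `ausyscall --dump`.
SYSCALL_X86_64 = {0: "read", 1: "write", 2: "open", 59: "execve", 257: "openat", 322: "execveat"}
AT_FDCWD = -100  # openat(2) a0 when the path is resolved relative to the cwd


def parse_line(line):
    """Split one record into (type, "timestamp:serial", {field: raw value})."""
    m = HEADER_RE.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rtype, ts, serial, body = m.groups()
    return rtype, "%s:%s" % (ts, serial), dict(FIELD_RE.findall(body))


def parse_log(text):
    """Group records by audit(timestamp:serial): {event_id: {record type: [fields, ...]}}."""
    events = {}
    for line in text.splitlines():
        if line.strip():
            rtype, event_id, fields = parse_line(line)
            events.setdefault(event_id, {}).setdefault(rtype, []).append(fields)
    return events


def unquote(value):
    """Strip the double quotes auditd puts around string values."""
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def signed32(value):
    """Reinterpret a 32-bit hex argument as signed: a0=ffffff9c -> -100 (AT_FDCWD)."""
    return value - (1 << 32) if value & 0x80000000 else value


def interpret_exit(value):
    """Negative exit values are -errno; non-negative ones are the syscall's return value."""
    n = int(value)
    return errno.errorcode.get(-n, str(n)) if n < 0 else str(n)


def decode_proctitle(value):
    """proctitle is quoted when it is a plain printable word and hex-encoded otherwise;
    in the hex form the NUL bytes between argv elements become spaces."""
    if value.startswith('"'):
        return unquote(value)
    args = bytes.fromhex(value).split(b"\0")
    return " ".join(a.decode("utf-8", "replace") for a in args if a)


def summarize(event):
    """Render one SYSCALL-based event on a single line, `ausearch -i` style."""
    sc = event["SYSCALL"][0]
    arch = ARCH_NAMES.get(int(sc["arch"], 16), sc["arch"])
    nr = int(sc["syscall"])
    name = SYSCALL_X86_64.get(nr, str(nr)) if arch == "x86_64" else str(nr)
    a0 = sc["a0"]
    if name == "openat" and signed32(int(a0, 16)) == AT_FDCWD:
        a0 = "AT_FDCWD"
    cwd = unquote(event["CWD"][0]["cwd"]) if "CWD" in event else ""
    paths = [unquote(p["name"]) for p in event.get("PATH", [])]
    cmdline = decode_proctitle(event["PROCTITLE"][0]["proctitle"]) if "PROCTITLE" in event else ""
    return ("arch=%s syscall=%s a0=%s success=%s exit=%s auid=%s uid=%s comm=%s exe=%s key=%s "
            "cwd=%s paths=%s cmdline=%r" % (arch, name, a0, sc["success"], interpret_exit(sc["exit"]),
            sc["auid"], sc["uid"], unquote(sc["comm"]), unquote(sc["exe"]), unquote(sc["key"]),
            cwd, paths, cmdline))


if __name__ == "__main__":
    for event_id, event in parse_log(SAMPLE_LOG).items():
        print(event_id, summarize(event))
```

Running the script prints one interpreted line per event: success=yes exit=3 with auid=1000 uid=0 for the root read shown on this page, success=no exit=EACCES for the constructed unprivileged one. The grouping by identifier is the same thing ausearch does; a stand-alone parser like this is what you reach for when audit.log has been shipped to a host without the audit tools installed.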

Commands and files

  • Commands: journalctl, auditctl, ausearch, aureport.
  • Files: /etc/systemd/journald.conf, /etc/audit/auditd.conf, /etc/audit/audit.rules.

References:

  1. https://tools.ietf.org/html/rfc5424
  2. 23.10. USING THE JOURNAL
  3. Journal Export Format
  4. http://man7.org/linux/man-pages/man1/journalctl.1.html
  5. http://man7.org/linux/man-pages/man7/systemd.journal-fields.7.html
  6. https://github.com/linux-audit
  7. https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/8/html/security_hardening/auditing-the-system_security-hardening
  8. http://man7.org/linux/man-pages/man8/auditd.8.html
  9. http://man7.org/linux/man-pages/man8/auditctl.8.html
  10. http://man7.org/linux/man-pages/man7/audit.rules.7.html
  11. The Linux Audit Framework
  12. RHEL Audit System Reference
  13. SPEC-Writing-Good-Events