
Linux Audit Logs (linux audit content, spid)

Recently I noticed the following entries in a Linux log:

vi /var/log/messages

type=CRYPTO_KEY_USER msg=audit(1448528863.866:163): user pid=7735 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=df:d3:ff:1f:0b:11:d7:ce:e6:00:be:28:cc:4a:16:40 direction=? spid=7735 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1448528863.873:164): user pid=7735 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server fp=60:ec:35:76:1e:f2:1e:6e:0c:3b:62:52:78:23:38:4c direction=? spid=7735 suid=0  exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'
type=USER_END msg=audit(1448528864.026:165): user pid=9719 uid=0 auid=0 ses=11 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct="root" exe="/usr/sbin/sshd" hostname=192.168.1.111 addr=192.168.1.111 terminal=ssh res=success'
type=CRED_DISP msg=audit(1448528864.027:166): user pid=9719 uid=0 auid=0 ses=11 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:setcred acct="root" exe="/usr/sbin/sshd" hostname=192.168.1.111 addr=192.168.1.111 terminal=ssh res=success'
type=USER_END msg=audit(1448528864.042:167): user pid=9719 uid=0 auid=0 ses=11 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/1 res=success'

On closer inspection these turned out to be records from the Linux audit subsystem. Normally the audit log is written to the following file:

/var/log/audit/audit.log

The Linux audit service is auditd:

[root@marmot ~]# service auditd status
auditd is stopped

The audit service had stopped, and in that state the audit records are written to messages instead.

Once we start the audit service, the audit log is written to its original file again:

[root@marmot ~]# service auditd start
Starting auditd: [ OK ]

vi /var/log/audit/audit.log

type=USER_END msg=audit(1472701553.949:20): user pid=4438 uid=0 auid=0 ses=7 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/3 res=success'
type=USER_LOGOUT msg=audit(1472701553.949:21): user pid=4438 uid=0 auid=0 ses=7 msg='op=login id=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=/dev/pts/3 res=success'
type=USER_END msg=audit(1472701553.951:22): user pid=4438 uid=0 auid=0 ses=7 msg='op=PAM:session_close acct="root" exe="/usr/sbin/sshd" hostname=192.168.137.1 addr=192.168.137.1 terminal=ssh res=success'
type=CRED_DISP msg=audit(1472701553.951:23): user pid=4438 uid=0 auid=0 ses=7 msg='op=PAM:setcred acct="root" exe="/usr/sbin/sshd" hostname=192.168.137.1 addr=192.168.137.1 terminal=ssh res=success'
type=CRYPTO_KEY_USER msg=audit(1472701553.952:24): user pid=4438 uid=0 auid=0 ses=7 msg='op=destroy kind=session fp=? direction=both spid=4438 suid=0 rport=57507 laddr=192.168.137.10 lport=22 exe="/usr/sbin/sshd" hostname=? addr=192.168.137.1 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1472701553.952:25): user pid=4438 uid=0 auid=0 ses=7 msg='op=destroy kind=server fp=df:d3:ff:1f:0b:11:d7:ce:e6:00:be:28:cc:4a:16:40 direction=? spid=4438 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.137.1 terminal=? res=success'
type=CRYPTO_KEY_USER msg=audit(1472701553.953:26): user pid=4438 uid=0 auid=0 ses=7 msg='op=destroy kind=server fp=60:ec:35:76:1e:f2:1e:6e:0c:3b:62:52:78:23:38:4c direction=? spid=4438 suid=0 exe="/usr/sbin/sshd" hostname=? addr=192.168.137.1 terminal=? res=success'
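As an added example (not code from the post), here is a small Python parser for the record format shown in both listings above, plus a check for the situation the post describes: audit records turning up in /var/log/messages because auditd is not running. The sample lines are constructed, modelled on the records above; a real messages file usually carries a syslog prefix before `type=`, which the parser tolerates.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines, modelled on the records shown in the post (not taken from any live host)
SAMPLE_MESSAGES = [
    "type=CRYPTO_KEY_USER msg=audit(1448528863.866:163): user pid=7735 uid=0 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=destroy kind=server "
    "fp=df:d3:ff:1f:0b:11:d7:ce:e6:00:be:28:cc:4a:16:40 direction=? spid=7735 suid=0  "
    "exe=\"/usr/sbin/sshd\" hostname=? addr=? terminal=? res=success'",
    "type=USER_END msg=audit(1448528864.026:165): user pid=9719 uid=0 auid=0 ses=11 "
    "subj=system_u:system_r:sshd_t:s0-s0:c0.c1023 msg='op=PAM:session_close acct=\"root\" "
    "exe=\"/usr/sbin/sshd\" hostname=192.168.1.111 addr=192.168.1.111 terminal=ssh res=success'",
    "Nov 26 17:07:44 marmot sshd[9719]: pam_unix(sshd:session): session closed for user root",
]

# Every audit record starts with: type=<TYPE> msg=audit(<epoch.millis>:<serial>): <fields>
# search() rather than match() so a syslog prefix such as "... kernel: " before type= is tolerated
HEADER_RE = re.compile(r"type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
# key=value pairs; a value may be single-quoted, double-quoted or bare ("?" means not available)
KV_RE = re.compile(r"""(\w+)=('[^']*'|"[^"]*"|\S*)""")

def _kv(text):
    """Parse key=value pairs, stripping surrounding quotes from quoted values."""
    return {k: v[1:-1] if v[:1] in "'\"" and v[-1:] == v[:1] else v for k, v in KV_RE.findall(text)}

def parse_record(line):
    """Return one audit record as a dict, or None if the line is not an audit record."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    rec = {"type": m["type"], "serial": int(m["serial"]),
           "time": datetime.fromtimestamp(float(m["ts"]), tz=timezone.utc)}
    body = m["body"]
    # The nested msg='...' carries a second group of fields (op, acct, exe, hostname, res, ...)
    nested = re.search(r"msg='(.*)'\s*$", body)
    if nested:
        rec.update(_kv(nested.group(1)))
        body = body[:nested.start()]
    rec.update(_kv(body))  # outer fields: pid, uid, auid (4294967295 = loginuid unset), ses, subj
    return rec

def audit_records(lines):
    return [r for r in (parse_record(line) for line in lines) if r]

def auditd_probably_stopped(messages_lines):
    """Audit records in /var/log/messages mean the kernel fell back to syslog: auditd is not running."""
    return len(audit_records(messages_lines)) > 0

def session_closes(records):
    """(acct, hostname) for each PAM session close, the kind of record the post found."""
    return [(r.get("acct"), r.get("hostname")) for r in records
            if r["type"] == "USER_END" and r.get("op") == "PAM:session_close"]
```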

It turns out that to really turn auditing off you need to add audit=0 to the grub configuration, and only then stop the audit service.

To turn audit off, you can also change the contents of the following file:

vi /etc/audit/auditd.conf

#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key

log_format is the format used when writing the log. When set to RAW, data is written to the log file in the format in which it was retrieved from the kernel.
When set to NOLOG, data is not written to the log file, but if a dispatcher is specified with the dispatcher option,
the data is still sent to the audit event dispatcher.

The following image was found online; solid lines represent data flow and dashed lines represent control.


