notas:seguridad:auditd (revision of 2012/08/24 18:21, created by cayu; the page was later deleted by an external editor at an unknown date)
====== Auditing on Linux ======
These are some of the key questions: **How do I audit file events such as reads and writes? How can I use auditing to find out who changed a file on Linux?**

The answer is the audit subsystem of the Linux kernel (2.6 and later). Current distributions ship the auditd daemon, which is responsible for writing the audit records to disk. At boot it loads the rules stored in /

To take advantage of the kernel's auditing capabilities you use the **auditctl** command.

=> **ausearch** - queries the audit log using different search criteria.

=> **aureport** - generates summary reports from the audit logs.

==== Task: install audit package ====

The audit package contains the user-space utilities for storing and searching the audit records generated by the audit subsystem of the Linux 2.6 kernel. CentOS/Red Hat and Fedora Core include the audit rpm package. Use yum (or up2date on older RHEL releases) to install it:

<code>
# yum install audit
# up2date install audit
</code>

Auto-start the auditd service on boot and start it now:

<code>
# ntsysv
# chkconfig auditd on
# /
</code>

==== How do I set a watch on a file for auditing? ====

Let us say you would like to audit the /etc/passwd file. You need to type a command as follows: ''#

Where,

  * **-w /
  * **-p war** : Set the permissions filter for a file system watch. It can be r for read, w for write, x for execute, a for attribute change (not append).
  * **-k password-file** : Set a filter key on the /etc/passwd watch. password-file is a filter key (a string of text up to 31 bytes long) that uniquely identifies the audit records produced by the watch; you use the same string when searching the audit logs.

In short, you are monitoring (watching) the /etc/passwd file for anyone (any process, through whatever syscall) that performs a write, attribute change or read operation on it.

Wait for some time, or as a normal user run a command such as:''

Following are more examples:

==== File System audit rules ====

Add a watch on "/
<code>
# auditctl -w /etc/shadow -k shadow-file -p rwxa
</code>

=== syscall audit rule ===

The next rule suppresses auditing for mount syscall exits''#

=== File system audit rule ===

Add a watch "
<code>
# auditctl -w /tmp -p e -k webserver-watch-tmp
</code>
This example comes from the old auditctl documentation: current auditctl accepts only r, w, x and a in -p and rejects "e", so on a modern system use -p wa (or no -p at all, which means rwxa).

=== syscall audit rule using pid ===

To see all syscalls made by a program called sshd (pid - 1005):

<code>
# auditctl -a entry,
</code>
The "entry" filter list is also legacy: syscall-entry filtering was dropped from the kernel and newer auditctl rewrites such rules as exit rules with a warning, so write new rules as -a always,exit.
==== How do I find out who changed or accessed a file / ====

Use the ausearch command as follows:

<code>
# ausearch -f /etc/passwd
# ausearch -f /etc/passwd | less
# ausearch -f /etc/passwd -i | less
</code>

Where

  * **-f /
  * **-i** : Interpret numeric entities into text. For example, a uid is converted to an account name.

Output:

<code>
type=PATH msg=audit(03/
type=CWD msg=audit(03/
type=FS_INODE msg=audit(03/
type=FS_WATCH msg=audit(03/
type=SYSCALL msg=audit(03/
</code>

Let us try to understand the output:

  * **audit(03/
  * **uid=lighttpd gid=lighttpd** : The user and group that triggered the event. In the raw log these are numeric ids; the **-i** option converts most numeric fields into human-readable names, which is why the example shows lighttpd. Here the lighttpd user ran grep to open the file.
  * **exe="/
  * perm_mask=read : The file was opened for a read operation.

So from the log you can clearly see who read a file with grep or changed it with the vi/vim text editor. The log provides a lot of other information; read the man pages and documentation to understand the raw log format. Note that the FS_INODE and FS_WATCH record types above date from audit 1.x; current kernels describe the same event with SYSCALL, CWD, PATH and PROCTITLE records.

=== audit.log parser script ===

Script to parse the contents of audit.log and show the timestamp in human-readable form:

<file perl auditsearch.pl>
#
use strict;
use warnings;

# what do I want to look for in the audit log.
my $pattern = $ARGV[0];

# Define the audit directory if the user doesn'
my $dir = '/
$dir = $ARGV[1] if scalar(@ARGV) == 2;

# Strip any trailing slash
$dir =~ s/\/$//g;

# walk through the directory and save the list of files as an array.
# find is nice because it gives you full path + executable.
# List-form open keeps $dir (user input) away from the shell, unlike backticks.
open( my $find, '-|', 'sudo', 'find', $dir ) or die "cannot run find: $!";
my @files = <$find>;
close $find;
# strip new lines from the array.
chomp(@files);

# loop through each element in the array and do something.
for my $file (@files)
{
    # determine if we use zgrep or grep
    # zgrep is needed for gz and grep is for regular files
    my $grep = ( $file =~ /gz$/ ) ? 'zgrep' : 'grep';

    # run grep without a shell so a $pattern such as "x; rm -rf /" cannot be injected
    open( my $out, '-|', 'sudo', $grep, '-e', $pattern, $file ) or die "cannot run $grep: $!";
    my @arr = <$out>;
    close $out;

    # print the filename only if we found something in the file
    print "

    # for each element in the array translate epoch to human readable
    foreach(@arr)
    {
        chomp;
        # do a little regex for easy matching
        if ( /
        {
            # convert epoch to human readable
            my $td = scalar localtime $2;
            print "
        }
    }
}
</file>

Original: http://


Or a much simpler solution:

<code perl>
# cat /
</code>

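The script above (and the perl one-liner) only rewrites the epoch inside msg=audit(...). The following is an added example, in Python rather than perl and not code from the original page or from nixCraft, of doing the whole job offline: parse raw audit.log records, group them into events by serial number, convert the audit(epoch.ms:serial) stamp to a readable time, and filter by key, file or uid the way the ausearch -k / -f / -ui calls on this page do. The log lines and the PASSWD table are constructed for the example (names, inodes and pids are made up); times are printed in UTC so the output is reproducible, where the perl script uses localtime.

```python
"""Offline stand-in for 'ausearch -k/-f/-ui' plus the timestamp conversion
done by the perl script above.  Added example; log lines and passwd table
are constructed."""
import re
from collections import defaultdict
from datetime import datetime, timezone

# Constructed sample: event 4512 is user 500 reading /etc/passwd with grep
# (the password-file watch); event 4520 is root editing /etc/shadow with vim
# (the shadow-file watch).  Field layout follows the raw log format.
SAMPLE_LOG = r'''
type=SYSCALL msg=audit(1345834880.123:4512): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=1900 pid=2048 auid=500 uid=500 gid=500 euid=500 comm="grep" exe="/bin/grep" key="password-file"
type=CWD msg=audit(1345834880.123:4512):  cwd="/home/vivek"
type=PATH msg=audit(1345834880.123:4512): item=0 name="/etc/passwd" inode=131 dev=08:01 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1345834941.456:4520): arch=c000003e syscall=2 success=yes exit=4 items=1 ppid=1700 pid=2101 auid=0 uid=0 gid=0 euid=0 comm="vim" exe="/usr/bin/vim" key="shadow-file"
type=PATH msg=audit(1345834941.456:4520): item=0 name="/etc/shadow" inode=140 dev=08:01 mode=0100400 ouid=0 ogid=0
'''

# Constructed stand-in for /etc/passwd, used like 'ausearch -i' to name uids.
PASSWD = {0: "root", 500: "vivek"}

_HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$')
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return (type, epoch_seconds, serial, fields) or None for a non-record line."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rtype, secs, millis, serial, rest = m.groups()
    fields = {k: v.strip('"') for k, v in _FIELD.findall(rest)}
    return rtype, int(secs) + int(millis) / 1000.0, int(serial), fields


def parse_events(text):
    """Group records by serial: {serial: {'time': epoch, 'records': {type: [fields, ...]}}}."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        rtype, when, serial, fields = rec
        ev = events.setdefault(serial, {"time": when, "records": defaultdict(list)})
        ev["records"][rtype].append(fields)
    return events


def human_time(epoch, tz=timezone.utc):
    """audit(1345834880.123:...) -> '2012-08-24 19:01:20' (UTC; the perl script uses localtime)."""
    return datetime.fromtimestamp(epoch, tz).strftime("%Y-%m-%d %H:%M:%S")


def search(events, key=None, path=None, uid=None):
    """Mimic 'ausearch -k KEY -f PATH -ui UID': every criterion given must match."""
    hits = []
    for serial in sorted(events):
        ev = events[serial]
        sys_fields = ev["records"].get("SYSCALL", [{}])[0]
        names = {p.get("name") for p in ev["records"].get("PATH", [])}
        if key is not None and sys_fields.get("key") != key:
            continue
        if path is not None and path not in names:
            continue
        if uid is not None and sys_fields.get("uid") != str(uid):
            continue
        hits.append(serial)
    return hits


def describe(events, serial):
    """One interpreted line per event, roughly what 'ausearch -i' shows."""
    ev = events[serial]
    s = ev["records"]["SYSCALL"][0]
    uid = int(s.get("uid", -1))
    paths = ",".join(p.get("name", "?") for p in ev["records"].get("PATH", []))
    return "%s uid=%s exe=%s key=%s path=%s" % (
        human_time(ev["time"]), PASSWD.get(uid, uid), s.get("exe"), s.get("key"), paths)


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    for serial in search(evs, path="/etc/passwd"):
        print(describe(evs, serial))
```

Grouping by serial matters: the uid and exe live in the SYSCALL record while the file name lives in the PATH record of the same event, so a plain grep for the path never shows you who touched it.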
=== Example configuration file ===
**/

<code>
log_file = /
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossy
dispatcher = /
name_format = NONE
##name = mydomain
max_log_file_action = keep_logs
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##
tcp_listen_queue = 5
##
tcp_client_max_idle = 0
</code>

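Two things in that file deserve a check before restarting auditd: max_log_file_action is set twice (keep_logs and then ROTATE; whichever one the daemon honours, the other is dead text), and space_left / admin_space_left are megabytes of free disk (a percentage needs a % suffix on newer versions) and only make sense if the admin threshold is the lower one. The following added example, not code from the page or from the audit project, is a small checker for exactly those points. SAMPLE_CONF is a constructed copy of the settings above; the log_file and dispatcher paths in it are assumptions, since the page truncates them.

```python
"""Checks for an auditd.conf before restarting auditd: keys set more than
once, action keywords auditd does not accept, and an admin_space_left that
is not below space_left.  Added example; the sample configuration is a
constructed copy of the one above with the paths assumed."""

# Constructed sample (paths assumed).
SAMPLE_CONF = """\
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file_action = keep_logs
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
tcp_listen_queue = 5
tcp_client_max_idle = 0
"""

_SPACE_ACTIONS = {"ignore", "syslog", "email", "exec", "suspend", "single", "halt"}
_DISK_ACTIONS = {"ignore", "syslog", "exec", "suspend", "single", "halt"}
ACTIONS = {
    "space_left_action": _SPACE_ACTIONS,
    "admin_space_left_action": _SPACE_ACTIONS,
    "disk_full_action": _DISK_ACTIONS,
    "disk_error_action": _DISK_ACTIONS,
}


def parse_conf(text):
    """Yield (line_no, key, value) per 'key = value' line; '#' starts a comment.
    A non-empty line without '=' yields value None so the caller can report it."""
    for n, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        if "=" not in line:
            yield n, line, None
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        yield n, key, value


def _space_value(value):
    """'75' -> (75, 'MB'); '20%' -> (20, '%')."""
    if value.endswith("%"):
        return int(value[:-1]), "%"
    return int(value), "MB"


def check_conf(text):
    """Return [(line_no, message), ...]; line 0 marks file-level findings."""
    findings = []
    seen = {}  # key -> (line_no, value) of the last occurrence
    for n, key, value in parse_conf(text):
        if value is None:
            findings.append((n, "malformed line %r" % key))
            continue
        if key in seen:
            findings.append((n, "%s set again (line %d had %r, now %r); keep only one"
                             % (key, seen[key][0], seen[key][1], value)))
        seen[key] = (n, value)
        action = (value.split() or [""])[0].lower()
        if key in ACTIONS and action not in ACTIONS[key]:
            findings.append((n, "%s=%r is not an action auditd accepts" % (key, value)))
    cfg = {k: v for k, (_, v) in seen.items()}
    if "space_left" in cfg and "admin_space_left" in cfg:
        try:
            low, low_unit = _space_value(cfg["admin_space_left"])
            high, high_unit = _space_value(cfg["space_left"])
            if low_unit != high_unit:
                findings.append((0, "space_left and admin_space_left use different units"))
            elif low >= high:
                findings.append((0, "admin_space_left must be smaller than space_left"))
        except ValueError:
            findings.append((0, "space_left values must be integers (megabytes or N%)"))
    if cfg.get("space_left_action", "").lower() == "syslog" and "action_mail_acct" in cfg:
        findings.append((0, "space_left_action=SYSLOG only writes a syslog line; "
                            "action_mail_acct is set, so EMAIL would actually alert someone"))
    return findings


if __name__ == "__main__":
    for line_no, msg in check_conf(SAMPLE_CONF):
        print("line %d: %s" % (line_no, msg))
```

Run it against the real file with `check_conf(open("/etc/audit/auditd.conf").read())` after editing and before `service auditd restart`; with SUSPEND as the disk-full action, a typo in a threshold is the difference between losing audit coverage silently and being warned first.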
**/

<code>
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems (current distribution rule sets ship -b 8192)
-b 320

# audit configuration files
-w /
-w /
-w /
-w /

# Feel free to add below this line. See auditctl man page
-w /
-w /

-w /
-w /
-w /
-w /
-w /

# System activity (the "entry" list is legacy; write new rules as -a always,exit)
-a entry,
-a entry,
#-a entry,
#-a entry,
#-a entry,
#-a entry,
#-a entry,
#-a entry,
#-a entry,
-a entry,
-a entry,
-a entry,
-a exit,

-w /
-w /
-w /

# System libraries
-w /
-w /

# Module configuration
#-w /
#-w /
#-w /


# CRON configuration
-w /
-w /
-w /
-w /
-w /
-w /
-w /
-w /
-w /

# --- NSA recommendations
#- Records Events that Modify Date and Time Information
-a always,exit -S settimeofday -k time-change
-a always,exit -S clock_settime -k time-change
-w /
#- Record Events that Modify User/Group Information
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /
-w /etc/shadow -p wa -k identity
#- Record Events that Modify the System’s Network Environment
-a exit,always -S sethostname -S setdomainname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /
-w /etc/hosts -p wa -k system-locale
-w /
#- Record Attempts to Alter Logon and Logout Events
-w /
-w /
#- Record Attempts to Alter Process and Session Initiation Information
-w /
-w /
-w /
#- Ensure auditd Collects Information on Kernel Module Loading and Unloading
#-w /
#-w /sbin/rmmod -p x -k modules
#-w /
#-a always,exit -S init_module -S delete_module -k modules
#- Make the auditd Configuration Immutable
#Add the following as the last rule in /
#-e 2
#With this setting, a reboot will be required to change any audit rules.
</code>

====== Reports ======

Show a report of who logged in between yesterday and today:

<code>
# aureport -l -i -ts yesterday -te today
</code>

Generate a count of audited activities per key:
<code>
# aureport --key --summary
</code>

Access violations (events tagged with the key "access"; that key is not defined in the rules file above, so these searches only return results once you add rules with -k access):
<code>
# ausearch --key access --raw | aureport --file --summary
</code>

Access violations on /etc/shadow, summarized per user:
<code>
# ausearch --key access --file /etc/shadow --raw | aureport --user --summary -i
</code>

Summary of audited executions:
<code>
# ausearch --key access --raw | aureport -x --summary
</code>

Anomaly report:
<code>
# aureport --anomaly
</code>

Search for events with date and time stamps. If the date is omitted, today is assumed. If the time is omitted, now is assumed. Use 24-hour clock time rather than AM or PM to specify the time. An example date is 10/24/05. An example of a time is 18:00:00.

<code>
# ausearch -ts today -k password-file
# ausearch -ts 3/12/07 -k password-file
</code>

Search for an event matching the given executable name using the -x option. For example, find out who has accessed /etc/passwd using the rm command:

<code>
# ausearch -ts today -k password-file -x rm
# ausearch -ts 3/12/07 -k password-file -x rm
</code>

Search for an event with the given user name (UID). For example, find out whether user vivek (uid 506) tried to open /

<code>
# ausearch -ts today -k password-file -x rm -ui 506
# ausearch -k password-file -ui 506
</code>

Note that -ui matches the uid field of the process; to find events by login uid (the auid, which survives su and sudo) use -ul instead.

A watch with an extra field filter, so that changes made from a root login session (auid 0) are not recorded (note that auid!=0 also matches processes whose login uid is unset, such as daemons):
<code>
auditctl -w /etc/fstab -p war -k someconfig-exclude -F auid!=0
</code>

To see all syscalls made by a specific program:
<code>
auditctl -a entry,
</code>
To see files opened by a specific user (auid is the login uid, which is kept across su and sudo):
<code>
auditctl -a exit,always -S open -F auid=510
</code>
To see unsuccessful open calls:
<code>
auditctl -a exit,always -S open -F success=0
</code>
On 64-bit systems add -F arch=b64 (and a matching b32 rule) and audit openat as well as open, since most modern programs open files through openat.
To watch a file for changes (2 ways to express it):
<code>
auditctl -w /etc/shadow -p wa
auditctl -a exit,always -F path=/
</code>
To recursively watch a directory for changes (2 ways to express it):
<code>
auditctl -w /etc/ -p wa
auditctl -a exit,always -F dir=/etc/ -F perm=wa
</code>

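Several of the rules on this page (the rules file and the one-liners above) carry pitfalls that auditctl only tells you about at load time, one rule at a time: the legacy "entry" list, a "-p e" permission, a key longer than 31 bytes, a 320-entry backlog, and "-e 2" placed anywhere but last. The following added example, not code from the page or from the audit project, is a static linter for auditctl-style rule lines that flags all of them in one pass, plus a helper that lists the -k keys a file defines (useful before running ausearch -k access against a rule set that never defines that key). The sample rules are constructed from fragments shown on this page; the 8192 backlog threshold is an assumption taken from current distribution rule sets.

```python
"""Static checks on auditctl rule lines before 'auditctl -R' or editing the
rules file.  Added example; the sample rule set is constructed."""
import shlex

VALID_PERMS = set("rwxa")
MAX_KEY_LEN = 31
MIN_BACKLOG = 8192   # assumption: current distro rule sets; 320 is too small for a busy host

# Constructed sample mixing good and bad rules from this page.
SAMPLE_RULES = """\
-D
-b 320
-w /etc/shadow -k shadow-file -p rwxa
-w /tmp -p e -k webserver-watch-tmp
-a entry,always -S all -F pid=1005
-a always,exit -S settimeofday -k time-change
-w /etc/passwd -p wa -k identity
-a always,exit -F path=/etc/shadow -F perm=wa -k this-key-is-way-too-long-for-auditctl
-e 2
-w /etc/hosts -p wa -k system-locale
"""


def parse_rule(line):
    """Tokenize one rule line into {option: [value, ...]}; flags without a value get None."""
    opts = {}
    toks = shlex.split(line)
    i = 0
    while i < len(toks):
        has_value = i + 1 < len(toks) and not toks[i + 1].startswith("-")
        opts.setdefault(toks[i], []).append(toks[i + 1] if has_value else None)
        i += 2 if has_value else 1
    return opts


def _rules(text):
    """(line_no, rule) pairs, skipping blank lines and comments."""
    return [(n, l.strip()) for n, l in enumerate(text.splitlines(), 1)
            if l.strip() and not l.strip().startswith("#")]


def rule_keys(text):
    """Set of all -k keys the rules define."""
    keys = set()
    for _, line in _rules(text):
        keys.update(k for k in parse_rule(line).get("-k", []) if k)
    return keys


def lint(text):
    """Return [(line_no, message), ...]; an empty list means nothing was flagged."""
    findings = []
    rules = _rules(text)
    last_line = rules[-1][0] if rules else 0
    for n, line in rules:
        o = parse_rule(line)
        for lst in o.get("-a", []):
            if lst and "entry" in lst.split(","):
                findings.append((n, "'entry' list is deprecated; auditctl rewrites it, use always,exit"))
        for perm in o.get("-p", []):
            bad = set(perm or "") - VALID_PERMS
            if bad:
                findings.append((n, "-p accepts only r,w,x,a; got %s" % ",".join(sorted(bad))))
        for key in o.get("-k", []):
            if key and len(key.encode()) > MAX_KEY_LEN:
                findings.append((n, "key %r is longer than %d bytes" % (key, MAX_KEY_LEN)))
        for backlog in o.get("-b", []):
            if backlog and backlog.isdigit() and int(backlog) < MIN_BACKLOG:
                findings.append((n, "backlog -b %s is small; consider -b %d" % (backlog, MIN_BACKLOG)))
        if o.get("-e", [None])[0] == "2" and n != last_line:
            findings.append((n, "-e 2 must be the last rule; the rules after it cannot be loaded"))
    return findings


if __name__ == "__main__":
    for n, msg in lint(SAMPLE_RULES):
        print("line %d: %s" % (n, msg))
    print("keys:", sorted(rule_keys(SAMPLE_RULES)))
```

Because `-e 2` makes the kernel refuse any further rule changes, a rules file with it in the middle loads silently up to that line and then fails for everything below; checking for it statically is cheaper than discovering it after the reboot that `-e 2` requires.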