OS audit 로그에 저장된 time 을 날짜/시간 으로 변경하여 보는법
안녕하세요. 오늘은 지난번에 이어 Audit에 대해 조금 더 얘기해보려 합니다.
어떤 분께서 audit을 사용하시는데, 로그에서 시간을 확인하기가 어려워 보기 불편하다는 의견을 주셔서
오늘은 audit 로그의 시간을 날짜/시간 형식으로 변환해서 볼 수 있는 방법을 안내드리려 합니다.
- audit.log 파일에는 시간이 epoch 초 형식(예: 1728637455.011)으로만 기록되므로, 파일을 직접 열어서는 날짜/시간으로 볼 수 없습니다.
[root@RHEL89-audit ~]# tail -f /var/log/audit/audit.log
type=SYSCALL msg=audit(1728637455.011:189): arch=c000003e syscall=1 success=yes exit=1 a0=3 a1=7ffeda2d9cf0 a2=1 a3=7ffeda2d9a17 items=0 ppid=1008 pid=3472 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4 comm="sshd" exe="/usr/sbin/sshd" key=(null)ARCH=x86_64 SYSCALL=write AUID="root" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=PROCTITLE msg=audit(1728637455.011:189): proctitle=737368643A20726F6F74205B707269765D
type=USER_START msg=audit(1728637455.014:190): pid=3472 uid=0 auid=0 ses=4 msg='op=PAM:session_open grantors=pam_selinux,pam_loginuid,pam_selinux,pam_namespace,pam_keyinit,pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_umask,pam_lastlog acct="root" exe="/usr/sbin/sshd" hostname=192.168.122.1 addr=192.168.122.1 terminal=ssh res=success'UID="root" AUID="root"
type=CRYPTO_KEY_USER msg=audit(1728637455.014:191): pid=4144 uid=0 auid=0 ses=4 msg='op=destroy kind=server fp=SHA256:0e:64:ad:1d:de:88:58:da:4d:3a:b2:1f:87:5f:bb:a3:a3:f7:80:d3:72:9f:23:54:a1:51:76:15:7c:6a:e0:0a direction=? spid=4144 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'UID="root" AUID="root" SUID="root"
type=CRYPTO_KEY_USER msg=audit(1728637455.014:192): pid=4144 uid=0 auid=0 ses=4 msg='op=destroy kind=server fp=SHA256:14:80:f7:a7:26:58:ec:ec:92:b7:f0:d9:fe:8f:2f:d5:5e:3a:ba:a4:6a:8e:80:99:93:4c:18:a3:1d:65:76:b3 direction=? spid=4144 suid=0 exe="/usr/sbin/sshd" hostname=? addr=? terminal=? res=success'UID="root" AUID="root" SUID="root"
- 다음으로 시스템 시간 변경을 감시하기 위한 새 규칙을 추가합니다 (시스템 호출 adjtimex, clock_settime, settimeofday 및 clock_adjtime 감시).
[root@host ~]# auditctl -a exit,always -F arch=b64 -S clock_settime -S adjtimex -S settimeofday -S clock_adjtime -k ADJTIME
[root@host ~]# auditctl -a exit,always -F arch=b32 -S clock_settime -S adjtimex -S settimeofday -S clock_adjtime -k ADJTIME
# auditctl -l
-w /etc/passwd -p wa -k user-modify
-a always,exit -F arch=b64 -S adjtimex,settimeofday,clock_settime,clock_adjtime -F key=ADJTIME
-a always,exit -F arch=b32 -S settimeofday,adjtimex,clock_settime,clock_adjtime -F key=ADJTIME
- 감사 규칙을 테스트하려면 시스템 시간을 변경한 다음 정의된 키에 대한 감사 로그를 검색합니다.
. 위에서 얘기했듯이 audit.log 파일에서는 시간을 날짜/시간 형식으로 확인할 수 없지만, 아래와 같이 ausearch 에 -i 옵션을 주어 정의된 키로 검색하면
로그를 날짜/시간 형식으로 확인할 수 있습니다.
# ausearch -i -k user-modify
----
type=PROCTITLE msg=audit(09/25/2024 00:34:02.338:179) : proctitle=auditctl -w /etc/passwd -p wa -k user-modify
type=SYSCALL msg=audit(09/25/2024 00:34:02.338:179) : arch=x86_64 syscall=sendto success=yes exit=1080 a0=0x4 a1=0x7ffe078edeb0 a2=0x438 a3=0x0 items=0 ppid=2873 pid=3669 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=auditctl exe=/usr/sbin/auditctl key=(null)
type=CONFIG_CHANGE msg=audit(09/25/2024 00:34:02.338:179) : auid=root ses=2 op=add_rule key=user-modify list=exit res=yes
----
type=PROCTITLE msg=audit(09/25/2024 00:34:20.474:180) : proctitle=useradd test
type=PATH msg=audit(09/25/2024 00:34:20.474:180) : item=0 name=/etc/passwd inode=18516061 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 nametype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/25/2024 00:34:20.474:180) : cwd=/etc/audit
type=SYSCALL msg=audit(09/25/2024 00:34:20.474:180) : arch=x86_64 syscall=openat success=yes exit=5 a0=AT_FDCWD a1=0x55628b682da0 a2=O_RDWR|O_NOCTTY|O_NONBLOCK|O_NOFOLLOW a3=0x0 items=1 ppid=2873 pid=3676 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=useradd exe=/usr/sbin/useradd key=user-modify
----
type=PROCTITLE msg=audit(09/25/2024 00:34:20.480:183) : proctitle=useradd test
type=PATH msg=audit(09/25/2024 00:34:20.480:183) : item=4 name=/etc/passwd inode=18213003 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 nametype=CREATE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(09/25/2024 00:34:20.480:183) : item=3 name=/etc/passwd inode=18516061 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(09/25/2024 00:34:20.480:183) : item=2 name=/etc/passwd+ inode=18213003 dev=fd:00 mode=file,644 ouid=root ogid=root rdev=00:00 nametype=DELETE cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(09/25/2024 00:34:20.480:183) : item=1 name=/etc/ inode=16777345 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=PATH msg=audit(09/25/2024 00:34:20.480:183) : item=0 name=/etc/ inode=16777345 dev=fd:00 mode=dir,755 ouid=root ogid=root rdev=00:00 nametype=PARENT cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(09/25/2024 00:34:20.480:183) : cwd=/etc/audit
type=SYSCALL msg=audit(09/25/2024 00:34:20.480:183) : arch=x86_64 syscall=rename success=yes exit=0 a0=0x7ffcbdaba800 a1=0x55628b682da0 a2=0x7ffcbdaba770 a3=0x55628bc64d50 items=5 ppid=2873 pid=3676 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=useradd exe=/usr/sbin/useradd key=user-modify
# ausearch -i -k ADJTIME
----
type=PROCTITLE msg=audit(10/11/2024 18:05:43.773:199) : proctitle=auditctl -a exit,always -F arch b64 -S clock_settime -S adjtimex -S settimeofday -S clock_adjtime -k ADJTIME
type=SOCKADDR msg=audit(10/11/2024 18:05:43.773:199) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }
type=SYSCALL msg=audit(10/11/2024 18:05:43.773:199) : arch=x86_64 syscall=sendto success=yes exit=1064 a0=0x4 a1=0x7ffed108e3d0 a2=0x428 a3=0x0 items=0 ppid=3425 pid=4253 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=auditctl exe=/usr/sbin/auditctl key=(null)
type=CONFIG_CHANGE msg=audit(10/11/2024 18:05:43.773:199) : auid=root ses=2 op=add_rule key=ADJTIME list=exit res=yes
----
type=PROCTITLE msg=audit(10/11/2024 18:05:50.020:200) : proctitle=auditctl -a exit,always -F arch b32 -S clock_settime -S adjtimex -S settimeofday -S clock_adjtime -k ADJTIME
type=SOCKADDR msg=audit(10/11/2024 18:05:50.020:200) : saddr={ saddr_fam=netlink nlnk-fam=16 nlnk-pid=0 }
type=SYSCALL msg=audit(10/11/2024 18:05:50.020:200) : arch=x86_64 syscall=sendto success=yes exit=1064 a0=0x4 a1=0x7ffd70512840 a2=0x428 a3=0x0 items=0 ppid=3425 pid=4256 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=auditctl exe=/usr/sbin/auditctl key=(null)
type=CONFIG_CHANGE msg=audit(10/11/2024 18:05:50.020:200) : auid=root ses=2 op=add_rule key=ADJTIME list=exit res=yes
----
type=PROCTITLE msg=audit(10/11/2024 18:06:04.170:201) : proctitle=hwclock --hctosys
type=TIME_INJOFFSET msg=audit(10/11/2024 18:06:04.170:201) : sec=0 nsec=-171000218
type=SYSCALL msg=audit(10/11/2024 18:06:04.170:201) : arch=x86_64 syscall=settimeofday success=yes exit=0 a0=0x7ffc0301c430 a1=0x7ffc0301c448 a2=0x80 a3=0x2ce33e6c02ce33e7 items=0 ppid=3425 pid=4260 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=2 comm=hwclock exe=/usr/sbin/hwclock key=ADJTIME
참고링크: https://access.redhat.com/solutions/1963
혹시 궁금하신 점이 있으시면 댓글로 남겨주세요~
감사합니다.