Preface: my company is currently working on 等保 (MLPS, China's classified protection scheme) compliance, which includes audit requirements. As this is my first time dealing with the subject, I am pasting here the various materials I found online, as a record.

Contents

1. Overview of the user-space audit system

2. The auditd configuration file

3. Configuring audit rules

4. Contents of the audit log

5. Searching audit logs with ausearch

6. Viewing audit reports with aureport


1. Overview of the user-space audit system

The Linux kernel can log events, including system calls and file accesses. An administrator can inspect these logs to determine whether a security problem exists (for example, repeated failed login attempts, or a user's unsuccessful attempts to access system files).

The Linux user-space audit system consists of the programs auditd, audispd, auditctl, autrace, ausearch and aureport, described in turn below:

  • auditctl: a tool for controlling the behaviour of the audit daemon at run time, such as adding rules.
  • auditd: the audit daemon, responsible for writing to disk the information produced by the kernel, which is triggered by application and system activity. The user-space audit system receives audit records from the kernel audit subsystem through the auditd background process and writes them to /var/log/audit/audit.log.
  • aureport: a tool for viewing and generating audit reports.
  • ausearch: a tool for searching audit events.
  • audispd: forwards event notifications to other applications instead of writing them to the audit log file.
  • autrace: a command for tracing a process.

The relationship between audit and the syslog logging system

audit is mainly used to record security information, for tracing system security events, whereas syslog records system information such as hardware alerts and software logs. syslog operates at the application layer and cannot record very much, while audit records kernel-level information, including file reads and writes, permission changes and so on.

2. The auditd configuration file

vi /etc/audit/auditd.conf

# Whether to record local events; if set to no, only events arriving over the network are logged
local_events = yes
write_logs = yes
# Log file
log_file = /var/log/audit/audit.log
log_group = root
log_format = RAW
# How the log file is flushed to disk; the options are:
# NONE: no special handling
# INCREMENTAL: the value of the freq option decides how often a flush to disk happens
# INCREMENTAL_ASYNC: like INCREMENTAL, but the flush is performed asynchronously
# DATA: audit data and the log file are kept synchronised
# SYNC: both data and metadata are synchronised on every write to the log file
flush = INCREMENTAL_ASYNC
freq = 50
# Maximum log file size, 8 MB
max_log_file = 8
# Number of log files to keep
num_logs = 5
# Process priority boost (shows as a niceness of -4 in ps axl | grep auditd)
priority_boost = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
# Action taken when the log file reaches the size set by max_log_file. The options are:
# IGNORE: ignore the max_log_file limit and keep writing to the log file
# SYSLOG: write a warning to syslog
# SUSPEND: auditd stops writing the log file but keeps running
# ROTATE: rotate the logs; when one log file reaches the limit, a new log file with a different name is created
max_log_file_action = ROTATE
# When the free space on the partition holding log_file drops below this value (in MB), the corresponding action is triggered
space_left = 75
# Action taken when the space_left threshold is hit. The options are:
# IGNORE, SYSLOG, SUSPEND: as for max_log_file_action above
# SINGLE: auditd switches the system to single-user mode
# HALT: auditd shuts the system down
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
# Action taken when the disk is full
disk_full_action = SUSPEND
# Action taken on a disk error
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no

3. Configuring audit rules

The auditctl command controls the basic functions of the audit system and sets rules, but to define audit rules that persist across reboots, the rules must be placed in files under /etc/audit/rules.d/. When auditd is restarted, the rules from all files in /etc/audit/rules.d/ are merged into /etc/audit/audit.rules.

Pre-configured rule files

Under /usr/share/doc/audit-{version}/rules/, audit ships a set of pre-configured rule files for different standards:

  • nispom.rules: audit rule configuration meeting the requirements detailed in Chapter 8 of the National Industrial Security Program Operating Manual (NISPOM).
  • pci-dss-v31.rules: audit rule configuration meeting the requirements set by the Payment Card Industry Data Security Standard (PCI DSS) v3.1.
  • stig.rules: audit rule configuration meeting the requirements set by the Security Technical Implementation Guide (STIG).

For example, to apply the nispom rules:

cp /usr/share/doc/audit-2.8.4/rules/10-base-config.rules /usr/share/doc/audit-2.8.4/rules/30-nispom.rules /usr/share/doc/audit-2.8.4/rules/99-finalize.rules /etc/audit/rules.d/

Restart auditd:

service auditd restart

4. Contents of the audit log

type=SYSCALL msg=audit(1557427974.683:2260): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=e61320 a2=90800 a3=0 items=1 ppid=31275 pid=4114 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=113 comm="bash" exe="/usr/bin/bash" key="audit-logs"
type=CWD msg=audit(1557427974.683:2260): cwd="/etc/audit"
type=PATH msg=audit(1557427974.683:2260): item=0 name="/var/log/audit/" inode=101477489 dev=fc:00 mode=040700 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1557427974.683:2260): proctitle="bash"

Event analysis:

  • type=SYSCALL

The record type. All types and their descriptions can be looked up on the Red Hat website:

B.2. AUDIT RECORD TYPES

Table B.2, “Record Types” lists all currently-supported types of Audit records. The event type is specified in the type= field at the beginning of every Audit record.

Table B.2. Record Types

Event Type Explanation
ADD_GROUP Triggered when a user-space group is added.
ADD_USER Triggered when a user-space user account is added.
ANOM_ABEND[a] Triggered when a process ends abnormally (with a signal that could cause a core dump, if enabled).
ANOM_ACCESS_FS[a] Triggered when a file or a directory access ends abnormally.
ANOM_ADD_ACCT[a] Triggered when a user-space account addition ends abnormally.
ANOM_AMTU_FAIL[a] Triggered when a failure of the Abstract Machine Test Utility (AMTU) is detected.
ANOM_CRYPTO_FAIL[a] Triggered when a failure in the cryptographic system is detected.
ANOM_DEL_ACCT[a] Triggered when a user-space account deletion ends abnormally.
ANOM_EXEC[a] Triggered when an execution of a file ends abnormally.
ANOM_LOGIN_ACCT[a] Triggered when an account login attempt ends abnormally.
ANOM_LOGIN_FAILURES[a] Triggered when the limit of failed login attempts is reached.
ANOM_LOGIN_LOCATION[a] Triggered when a login attempt is made from a forbidden location.
ANOM_LOGIN_SESSIONS[a] Triggered when a login attempt reaches the maximum amount of concurrent sessions.
ANOM_LOGIN_TIME[a] Triggered when a login attempt is made at a time when it is prevented by, for example, pam_time.
ANOM_MAX_DAC[a] Triggered when the maximum amount of Discretionary Access Control (DAC) failures is reached.
ANOM_MAX_MAC[a] Triggered when the maximum amount of Mandatory Access Control (MAC) failures is reached.
ANOM_MK_EXEC[a] Triggered when a file is made executable.
ANOM_MOD_ACCT[a] Triggered when a user-space account modification ends abnormally.
ANOM_PROMISCUOUS[a] Triggered when a device enables or disables promiscuous mode.
ANOM_RBAC_FAIL[a] Triggered when a Role-Based Access Control (RBAC) self-test failure is detected.
ANOM_RBAC_INTEGRITY_FAIL[a] Triggered when a Role-Based Access Control (RBAC) file integrity test failure is detected.
ANOM_ROOT_TRANS[a] Triggered when a user becomes root.
AVC Triggered to record an SELinux permission check.
AVC_PATH Triggered to record the dentry and vfsmount pair when an SELinux permission check occurs.
BPRM_FCAPS Triggered when a user executes a program with a file system capability.
CAPSET Triggered to record any changes in process-based capabilities.
CHGRP_ID Triggered when a user-space group ID is changed.
CHUSER_ID Triggered when a user-space user ID is changed.
CONFIG_CHANGE Triggered when the Audit system configuration is modified.
CRED_ACQ Triggered when a user acquires user-space credentials.
CRED_DISP Triggered when a user disposes of user-space credentials.
CRED_REFR Triggered when a user refreshes their user-space credentials.
CRYPTO_FAILURE_USER Triggered when a decrypt, encrypt, or randomize cryptographic operation fails.
CRYPTO_KEY_USER Triggered to record the cryptographic key identifier used for cryptographic purposes.
CRYPTO_LOGIN Triggered when a cryptographic officer login attempt is detected.
CRYPTO_LOGOUT Triggered when a crypto officer logout attempt is detected.
CRYPTO_PARAM_CHANGE_USER Triggered when a change in a cryptographic parameter is detected.
CRYPTO_REPLAY_USER Triggered when a replay attack is detected.
CRYPTO_SESSION Triggered to record parameters set during a TLS session establishment.
CRYPTO_TEST_USER Triggered to record cryptographic test results as required by the FIPS-140 standard.
CWD Triggered to record the current working directory.
DAC_CHECK Triggered to record DAC check results.
DAEMON_ABORT Triggered when a daemon is stopped due to an error.
DAEMON_ACCEPT Triggered when the auditd daemon accepts a remote connection.
DAEMON_CLOSE Triggered when the auditd daemon closes a remote connection.
DAEMON_CONFIG Triggered when a daemon configuration change is detected.
DAEMON_END Triggered when a daemon is successfully stopped.
DAEMON_RESUME Triggered when the auditd daemon resumes logging.
DAEMON_ROTATE Triggered when the auditd daemon rotates the Audit log files.
DAEMON_START Triggered when the auditd daemon is started.
DEL_GROUP Triggered when a user-space group is deleted.
DEL_USER Triggered when a user-space user is deleted.
DEV_ALLOC Triggered when a device is allocated.
DEV_DEALLOC Triggered when a device is deallocated.
EOE Triggered to record the end of a multi-record event.
EXECVE Triggered to record arguments of the execve(2) system call.
FD_PAIR Triggered to record the use of the pipe and socketpair system calls.
FS_RELABEL Triggered when a file system relabel operation is detected.
GRP_AUTH Triggered when a group password is used to authenticate against a user-space group.
INTEGRITY_DATA[b] Triggered to record a data integrity verification event run by the kernel.
INTEGRITY_HASH[b] Triggered to record a hash type integrity verification event run by the kernel.
INTEGRITY_METADATA[b] Triggered to record a metadata integrity verification event run by the kernel.
INTEGRITY_PCR[b] Triggered to record Platform Configuration Register (PCR) invalidation messages.
INTEGRITY_RULE[b] Triggered to record a policy rule.
INTEGRITY_STATUS[b] Triggered to record the status of integrity verification.
IPC Triggered to record information about an Inter-Process Communication object referenced by a system call.
IPC_SET_PERM Triggered to record information about new values set by an IPC_SET control operation on an IPC object.
KERNEL Triggered to record the initialization of the Audit system.
KERNEL_OTHER Triggered to record information from third-party kernel modules.
LABEL_LEVEL_CHANGE Triggered when an object's level label is modified.
LABEL_OVERRIDE Triggered when an administrator overrides an object's level label.
LOGIN Triggered to record relevant login information when a user logs in to access the system.
MAC_CIPSOV4_ADD Triggered when a Commercial Internet Protocol Security Option (CIPSO) user adds a new Domain of Interpretation (DOI). Adding DOIs is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_CIPSOV4_DEL Triggered when a CIPSO user deletes an existing DOI. Adding DOIs is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_CONFIG_CHANGE Triggered when an SELinux Boolean value is changed.
MAC_IPSEC_EVENT Triggered to record information about an IPSec event, when one is detected, or when the IPSec configuration changes.
MAC_MAP_ADD Triggered when a new Linux Security Module (LSM) domain mapping is added. LSM domain mapping is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_MAP_DEL Triggered when an existing LSM domain mapping is deleted. LSM domain mapping is a part of the packet labeling capabilities of the kernel provided by NetLabel.
MAC_POLICY_LOAD Triggered when a SELinux policy file is loaded.
MAC_STATUS Triggered when the SELinux mode (enforcing, permissive, off) is changed.
MAC_UNLBL_ALLOW Triggered when unlabeled traffic is allowed when using the packet labeling capabilities of the kernel provided by NetLabel.
MAC_UNLBL_STCADD Triggered when a static label is added when using the packet labeling capabilities of the kernel provided by NetLabel.
MAC_UNLBL_STCDEL Triggered when a static label is deleted when using the packet labeling capabilities of the kernel provided by NetLabel.
MMAP Triggered to record a file descriptor and flags of the mmap(2) system call.
MQ_GETSETATTR Triggered to record the mq_getattr(3) and mq_setattr(3) message queue attributes.
MQ_NOTIFY Triggered to record arguments of the mq_notify(3) system call.
MQ_OPEN Triggered to record arguments of the mq_open(3) system call.
MQ_SENDRECV Triggered to record arguments of the mq_send(3) and mq_receive(3) system calls.
NETFILTER_CFG Triggered when Netfilter chain modifications are detected.
NETFILTER_PKT Triggered to record packets traversing Netfilter chains.
OBJ_PID Triggered to record information about a process to which a signal is sent.
PATH Triggered to record file name path information.
RESP_ACCT_LOCK[c] Triggered when a user account is locked.
RESP_ACCT_LOCK_TIMED[c] Triggered when a user account is locked for a specified period of time.
RESP_ACCT_REMOTE[c] Triggered when a user account is locked from a remote session.
RESP_ACCT_UNLOCK_TIMED[c] Triggered when a user account is unlocked after a configured period of time.
RESP_ALERT[c] Triggered when an alert email is sent.
RESP_ANOMALY[c] Triggered when an anomaly was not acted upon.
RESP_EXEC[c] Triggered when an intrusion detection program responds to a threat originating from the execution of a program.
RESP_HALT[c] Triggered when the system is shut down.
RESP_KILL_PROC[c] Triggered when a process is terminated.
RESP_SEBOOL[c] Triggered when an SELinux Boolean value is set.
RESP_SINGLE[c] Triggered when the system is put into single-user mode.
RESP_TERM_ACCESS[c] Triggered when a session is terminated.
RESP_TERM_LOCK[c] Triggered when a terminal is locked.
ROLE_ASSIGN Triggered when an administrator assigns a user to an SELinux role.
ROLE_MODIFY Triggered when an administrator modifies an SELinux role.
ROLE_REMOVE Triggered when an administrator removes a user from an SELinux role.
SELINUX_ERR Triggered when an internal SELinux error is detected.
SERVICE_START Triggered when a service is started.
SERVICE_STOP Triggered when a service is stopped.
SOCKADDR Triggered to record a socket address.
SOCKETCALL Triggered to record arguments of the sys_socketcall system call (used to multiplex many socket-related system calls).
SYSCALL Triggered to record a system call to the kernel.
SYSTEM_BOOT Triggered when the system is booted up.
SYSTEM_RUNLEVEL Triggered when the system's run level is changed.
SYSTEM_SHUTDOWN Triggered when the system is shut down.
TEST Triggered to record the success value of a test message.
TRUSTED_APP Records of this type can be used by third-party applications that require auditing.
TTY Triggered when TTY input was sent to an administrative process.
USER_ACCT Triggered when a user-space user account is modified.
USER_AUTH Triggered when a user-space authentication attempt is detected.
USER_AVC Triggered when a user-space AVC message is generated.
USER_CHAUTHTOK Triggered when a user account attribute is modified.
USER_CMD Triggered when a user-space shell command is executed.
USER_END Triggered when a user-space session is terminated.
USER_ERR Triggered when a user account state error is detected.
USER_LABELED_EXPORT Triggered when an object is exported with an SELinux label.
USER_LOGIN Triggered when a user logs in.
USER_LOGOUT Triggered when a user logs out.
USER_MAC_POLICY_LOAD Triggered when a user-space daemon loads an SELinux policy.
USER_MGMT Triggered to record user-space management data.
USER_ROLE_CHANGE Triggered when a user's SELinux role is changed.
USER_SELINUX_ERR Triggered when a user-space SELinux error is detected.
USER_START Triggered when a user-space session is started.
USER_TTY Triggered when an explanatory message about TTY input to an administrative process is sent from user-space.
USER_UNLABELED_EXPORT Triggered when an object is exported without SELinux label.
USYS_CONFIG Triggered when a user-space system configuration change is detected.
VIRT_CONTROL Triggered when a virtual machine is started, paused, or stopped.
VIRT_MACHINE_ID Triggered to record the binding of a label to a virtual machine.
VIRT_RESOURCE Triggered to record resource assignment of a virtual machine.

[a] All Audit event types prepended with ANOM are intended to be processed by an intrusion detection program.

[b] This event type is related to the Integrity Measurement Architecture (IMA), which functions best with a Trusted Platform Module (TPM) chip.

[c] All Audit event types prepended with RESP are intended responses of an intrusion detection system in case it detects malicious activity on the system.

  • msg=audit(1557427974.683:2260)

Inside the parentheses are a timestamp and a unique ID. When several records are generated as part of the same audit event, they share the same timestamp and ID.

  • What follows are the individual fields (name=value pairs) supplied by the kernel or by user space for the event.

5. Searching audit logs with ausearch

For example, to search for failed login records:

ausearch --message USER_LOGIN --success no --interpret

The search returns the following:

----
type=USER_LOGIN msg=audit(2019年05月09日 09:58:07.647:537) : pid=6772 uid=root auid=unset ses=unset msg='op=login acct=root exe=/usr/sbin/sshd hostname=? addr=192.168.9.165 terminal=ssh res=failed'
----
type=USER_LOGIN msg=audit(2019年05月10日 03:06:53.549:2317) : pid=5003 uid=root auid=unset ses=unset msg='op=login acct=root exe=/usr/sbin/sshd hostname=? addr=192.168.9.166 terminal=ssh res=failed'
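As an added example (not from the original article or the blog it was copied from), the following Python script parses raw audit.log records in the format shown in section 4, joins the records of one event by their shared audit(timestamp:serial) id, and counts failed USER_LOGIN records per source address, which is the question the ausearch query above answers. The sample lines are constructed, modelled on the records shown in this article.

```python
import re
from collections import Counter, defaultdict

# Constructed sample audit.log lines (not captured from a live system), modelled on the article's records
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1557427974.683:2260): arch=c000003e syscall=257 success=yes exit=3 a0=ffffffffffffff9c a1=e61320 a2=90800 a3=0 items=1 ppid=31275 pid=4114 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=113 comm="bash" exe="/usr/bin/bash" key="audit-logs"
type=CWD msg=audit(1557427974.683:2260): cwd="/etc/audit"
type=PATH msg=audit(1557427974.683:2260): item=0 name="/var/log/audit/" inode=101477489 dev=fc:00 mode=040700 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=USER_LOGIN msg=audit(1557367087.647:537): pid=6772 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.168.9.165 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1557428813.549:2317): pid=5003 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.168.9.166 terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1557428900.120:2318): pid=5010 uid=0 auid=4294967295 ses=4294967295 msg='op=login acct="root" exe="/usr/sbin/sshd" hostname=? addr=192.168.9.165 terminal=ssh res=failed'
"""

# "type=T msg=audit(seconds.millis:serial): rest-of-record"
HEADER_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$")
# name=value pairs; a value may be bare, "double-quoted" or 'single-quoted'
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")

def parse_record(line):
    """Parse one raw audit record into its type, timestamp, serial and name=value fields."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    fields = {k: v.strip("'\"") for k, v in FIELD_RE.findall(m["body"])}
    # USER_* records carry a nested msg='...' holding its own name=value pairs
    if "msg" in fields:
        for k, v in FIELD_RE.findall(fields["msg"]):
            fields.setdefault(k, v.strip("'\""))
    return {"type": m["type"], "timestamp": float(m["ts"]),
            "serial": int(m["serial"]), "fields": fields}

def group_events(lines):
    """Group records sharing the same audit(timestamp:serial) id into one event, as ausearch does."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[(rec["timestamp"], rec["serial"])].append(rec)
    return events

def describe_syscall_event(records):
    """Join the SYSCALL, CWD and PATH records of one event into a single view."""
    view = {"paths": []}
    for rec in records:
        f = rec["fields"]
        if rec["type"] == "SYSCALL":
            view.update(syscall=f["syscall"], success=f["success"], auid=f["auid"],
                        uid=f["uid"], exe=f["exe"], key=f.get("key"))
        elif rec["type"] == "CWD":
            view["cwd"] = f["cwd"]
        elif rec["type"] == "PATH":
            view["paths"].append(f["name"])
    return view

def failed_logins_by_addr(lines):
    """Count failed USER_LOGIN records per source address (what ausearch --message USER_LOGIN --success no lists)."""
    recs = (r for ev in group_events(lines).values() for r in ev)
    return Counter(r["fields"].get("addr", "?") for r in recs
                   if r["type"] == "USER_LOGIN" and r["fields"].get("res") == "failed")
```

In the SYSCALL record, auid (the login uid) survives su/sudo, so it identifies the person behind the event even when uid=0.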

6. Viewing audit reports with aureport

Running the aureport command with no options generates a summary report such as the following:

Summary Report
======================
Range of time in logs: 1970年01月01日 08:00:00.000 - 2019年05月10日 03:11:46.045
Selected time for report: 1970年01月01日 08:00:00 - 2019年05月10日 03:11:46.045
Number of changes in configuration: 79
Number of changes to accounts, groups, or roles: 0
Number of logins: 2
Number of failed logins: 3
Number of authentications: 7
Number of failed authentications: 16
Number of users: 3
Number of terminals: 8
Number of host names: 4
Number of executables: 14
Number of commands: 10
Number of files: 13
Number of AVC's: 0
Number of MAC events: 0
Number of failed syscalls: 812
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 55
Number of integrity events: 0
Number of virt events: 0
Number of keys: 9
Number of process IDs: 950
Number of events: 1935

Passing different options produces different types of report.

Copied from (http://blog.gopersist.com/2019/05/10/centos7-audit/index.html)
