Este contenido no está disponible en el idioma seleccionado.
7.6. Understanding Audit Log Files
By default, the Audit system stores log entries in the
/var/log/audit/audit.log file; if log rotation is enabled, rotated audit.log files are stored in the same directory.
The following Audit rule logs every attempt to read or modify the
/etc/ssh/sshd_config file:
-w /etc/ssh/sshd_config -p warx -k sshd_config
If the
auditd daemon is running, for example, using the following command creates a new event in the Audit log file:
~]$ cat /etc/ssh/sshd_config
This event in the
audit.log file looks as follows:
type=SYSCALL msg=audit(1364481363.243:24287): arch=c000003e syscall=2 success=no exit=-13 a0=7fffd19c5592 a1=0 a2=7fffd19c4b50 a3=a items=1 ppid=2686 pid=3538 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=1 comm="cat" exe="/bin/cat" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="sshd_config" type=CWD msg=audit(1364481363.243:24287): cwd="/home/shadowman" type=PATH msg=audit(1364481363.243:24287): item=0 name="/etc/ssh/sshd_config" inode=409248 dev=fd:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 type=PROCTITLE msg=audit(1364481363.243:24287) : proctitle=636174002F6574632F7373682F737368645F636F6E666967
The above event consists of four records, which share the same time stamp and serial number. Records always start with the
type= keyword. Each record consists of several name=value pairs separated by a white space or a comma. A detailed analysis of the above event follows:
First Record
type=SYSCALL- The
typefield contains the type of the record. In this example, theSYSCALLvalue specifies that this record was triggered by a system call to the kernel.For a list of all possible type values and their explanations, see Audit Record Types. msg=audit(1364481363.243:24287):- The
msgfield records:- a time stamp and a unique ID of the record in the form
audit(time_stamp:ID). Multiple records can share the same time stamp and ID if they were generated as part of the same Audit event. The time stamp is using the Unix time format - seconds since 00:00:00 UTC on 1 January 1970. - various event-specific
name=valuepairs provided by the kernel or user space applications.
arch=c000003e- The
archfield contains information about the CPU architecture of the system. The value,c000003e, is encoded in hexadecimal notation. When searching Audit records with theausearchcommand, use the-ior--interpretoption to automatically convert hexadecimal values into their human-readable equivalents. Thec000003evalue is interpreted asx86_64. syscall=2- The
syscallfield records the type of the system call that was sent to the kernel. The value,2, can be matched with its human-readable equivalent in the/usr/include/asm/unistd_64.hfile. In this case,2is theopensystem call. Note that the ausyscall utility allows you to convert system call numbers to their human-readable equivalents. Use theausyscall --dumpcommand to display a listing of all system calls along with their numbers. For more information, see the ausyscall(8) man page. success=no- The
successfield records whether the system call recorded in that particular event succeeded or failed. In this case, the call did not succeed. exit=-13- The
exitfield contains a value that specifies the exit code returned by the system call. This value varies for different system call. You can interpret the value to its human-readable equivalent with the following command:~]#
ausearch --interpret --exit -13Note that the previous example assumes that your Audit log contains an event that failed with exit code-13. a0=7fffd19c5592,a1=0,a2=7fffd19c5592,a3=a- The
a0toa3fields record the first four arguments, encoded in hexadecimal notation, of the system call in this event. These arguments depend on the system call that is used; they can be interpreted by the ausearch utility. items=1- The
itemsfield contains the number of PATH auxiliary records that follow the syscall record. ppid=2686- The
ppidfield records the Parent Process ID (PPID). In this case,2686was the PPID of the parent process such asbash. pid=3538- The
pidfield records the Process ID (PID). In this case,3538was the PID of thecatprocess. auid=1000- The
auidfield records the Audit user ID, that is the loginuid. This ID is assigned to a user upon login and is inherited by every process even when the user's identity changes, for example, by switching user accounts with thesu - johncommand. uid=1000- The
uidfield records the user ID of the user who started the analyzed process. The user ID can be interpreted into user names with the following command:ausearch -i --uid UID. gid=1000- The
gidfield records the group ID of the user who started the analyzed process. euid=1000- The
euidfield records the effective user ID of the user who started the analyzed process. suid=1000- The
suidfield records the set user ID of the user who started the analyzed process. fsuid=1000- The
fsuidfield records the file system user ID of the user who started the analyzed process. egid=1000- The
egidfield records the effective group ID of the user who started the analyzed process. sgid=1000- The
sgidfield records the set group ID of the user who started the analyzed process. fsgid=1000- The
fsgidfield records the file system group ID of the user who started the analyzed process. tty=pts0- The
ttyfield records the terminal from which the analyzed process was invoked. ses=1- The
sesfield records the session ID of the session from which the analyzed process was invoked. comm="cat"- The
commfield records the command-line name of the command that was used to invoke the analyzed process. In this case, thecatcommand was used to trigger this Audit event. exe="/bin/cat"- The
exefield records the path to the executable that was used to invoke the analyzed process. subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023- The
subjfield records the SELinux context with which the analyzed process was labeled at the time of execution. key="sshd_config"- The
keyfield records the administrator-defined string associated with the rule that generated this event in the Audit log.
Second Record
type=CWD- In the second record, the
typefield value isCWD— current working directory. This type is used to record the working directory from which the process that invoked the system call specified in the first record was executed.The purpose of this record is to record the current process's location in case a relative path winds up being captured in the associated PATH record. This way the absolute path can be reconstructed. msg=audit(1364481363.243:24287)- The
msgfield holds the same time stamp and ID value as the value in the first record. The time stamp is using the Unix time format - seconds since 00:00:00 UTC on 1 January 1970. cwd="/home/user_name"- The
cwdfield contains the path to the directory in which the system call was invoked.
Third Record
type=PATH- In the third record, the
typefield value isPATH. An Audit event contains aPATH-type record for every path that is passed to the system call as an argument. In this Audit event, only one path (/etc/ssh/sshd_config) was used as an argument. msg=audit(1364481363.243:24287):- The
msgfield holds the same time stamp and ID value as the value in the first and second record. item=0- The
itemfield indicates which item, of the total number of items referenced in theSYSCALLtype record, the current record is. This number is zero-based; a value of0means it is the first item. name="/etc/ssh/sshd_config"- The
namefield records the path of the file or directory that was passed to the system call as an argument. In this case, it was the/etc/ssh/sshd_configfile. inode=409248- The
inodefield contains the inode number associated with the file or directory recorded in this event. The following command displays the file or directory that is associated with the409248inode number:~]#
find / -inum 409248 -print/etc/ssh/sshd_config dev=fd:00- The
devfield specifies the minor and major ID of the device that contains the file or directory recorded in this event. In this case, the value represents the/dev/fd/0device. mode=0100600- The
modefield records the file or directory permissions, encoded in numerical notation as returned by thestatcommand in thest_modefield. See thestat(2)man page for more information. In this case,0100600can be interpreted as-rw-------, meaning that only the root user has read and write permissions to the/etc/ssh/sshd_configfile. ouid=0- The
ouidfield records the object owner's user ID. ogid=0- The
ogidfield records the object owner's group ID. rdev=00:00- The
rdevfield contains a recorded device identifier for special files only. In this case, it is not used as the recorded file is a regular file. obj=system_u:object_r:etc_t:s0- The
objfield records the SELinux context with which the recorded file or directory was labeled at the time of execution. objtype=NORMAL- The
objtypefield records the intent of each path record's operation in the context of a given syscall. cap_fp=none- The
cap_fpfield records data related to the setting of a permitted file system-based capability of the file or directory object. cap_fi=none- The
cap_fifield records data related to the setting of an inherited file system-based capability of the file or directory object. cap_fe=0- The
cap_fefield records the setting of the effective bit of the file system-based capability of the file or directory object. cap_fver=0- The
cap_fverfield records the version of the file system-based capability of the file or directory object.
Fourth Record
type=PROCTITLE- The
typefield contains the type of the record. In this example, thePROCTITLEvalue specifies that this record gives the full command-line that triggered this Audit event, triggered by a system call to the kernel. proctitle=636174002F6574632F7373682F737368645F636F6E666967- The
proctitlefield records the full command-line of the command that was used to invoke the analyzed process. The field is encoded in hexadecimal notation to not allow the user to influence the Audit log parser. The text decodes to the command that triggered this Audit event. When searching Audit records with theausearchcommand, use the-ior--interpretoption to automatically convert hexadecimal values into their human-readable equivalents. The636174002F6574632F7373682F737368645F636F6E666967value is interpreted ascat /etc/ssh/sshd_config.
The Audit event analyzed above contains only a subset of all possible fields that an event can contain. For a list of all event fields and their explanation, see Audit Event Fields. For a list of all event types and their explanation, see Audit Record Types.
Example 7.6. Additional audit.log Events
The following Audit event records a successful start of the
auditd daemon. The ver field shows the version of the Audit daemon that was started.
type=DAEMON_START msg=audit(1363713609.192:5426): auditd start, ver=2.2 format=raw kernel=2.6.32-358.2.1.el6.x86_64 auid=1000 pid=4979 subj=unconfined_u:system_r:auditd_t:s0 res=success
The following Audit event records a failed attempt of user with UID of 1000 to log in as the root user.
type=USER_AUTH msg=audit(1364475353.159:24270): user pid=3280 uid=1000 auid=1000 ses=1 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 msg='op=PAM:authentication acct="root" exe="/bin/su" hostname=? addr=? terminal=pts/0 res=failed'
