
Using audit to monitor processes

The Linux Audit daemon is a framework for auditing events on a Linux system. With this powerful audit framework, the system can track many event types so that they can be monitored and audited.

Using autrace

Manual page: http://man7.org/linux/man-pages/man8/autrace.8.html

Command syntax

autrace program [-r] [program-args]

-r: Limit syscalls collected to ones needed for analyzing resource usage. This could help people doing threat modeling. This saves space in logs.

Two examples from the manual page:

The following illustrates a typical session:
autrace /bin/ls /tmp
ausearch --start recent -p 2442 -i
and for resource usage mode:
autrace -r /bin/ls
ausearch --start recent -p 2450 --raw | aureport --file --summary
ausearch --start recent -p 2450 --raw | aureport --host --summary

Note

autrace is a command-line tool that stays running for as long as the traced process runs, much like strace. It writes the trace records to /var/log/audit/audit.log. For the command to run at all, you must first delete every loaded audit rule (autrace refuses to start while rules are loaded).

root@tangmingyu-QiTianM610-D529:/home/tangmingyu# autrace /bin/ls /tmp
autrace cannot be run with rules loaded.
Please delete all rules using 'auditctl -D' if you really wanted to
run this command.
root@tangmingyu-QiTianM610-D529:/home/tangmingyu# auditctl -D
No rules

Test: autrace /bin/ls /tmp

root@tangmingyu-QiTianM610-D529:/home/tangmingyu# autrace /bin/ls /tmp
Waiting to execute: /bin/ls
config-err-AL6x5R
evince-17425
fcitx-socket-:0
mongodb-27017.sock
pulse-PKdhtXMmr18n
sogou-qimpanel:0.pid
sogou-qimpanel-celltangmingyu
sogou-qimpaneltangmingyu
ssh-hNCvHjbAH7t7
systemd-private-ff4273de04ce4c55b26935a8433811f7-bolt.service-2fgcSg
systemd-private-ff4273de04ce4c55b26935a8433811f7-chrony.service-Iu7400
systemd-private-ff4273de04ce4c55b26935a8433811f7-colord.service-Oa8cnd
systemd-private-ff4273de04ce4c55b26935a8433811f7-fwupd.service-mEczCx
systemd-private-ff4273de04ce4c55b26935a8433811f7-rtkit-daemon.service-uQDnPB
systemd-private-ff4273de04ce4c55b26935a8433811f7-systemd-resolved.service-6xPKc3
user-1563
VMwareDnD
vmware-root
Cleaning up...
Trace complete. You can locate the records with 'ausearch -i -p 18226'

Viewing the trace records

root@tangmingyu-QiTianM610-D529:/home/tangmingyu# ausearch -i -p 18226
----
type=PROCTITLE msg=audit(2018年11月20日 14:12:14.311:6667) : proctitle=autrace /bin/ls /tmp
type=SYSCALL msg=audit(2018年11月20日 14:12:14.311:6667) : arch=x86_64 syscall=close success=yes exit=0 a0=0x4 a1=0x0 a2=0x0 a3=0x7f8192577a10 items=0 ppid=18224 pid=18226 auid=tangmingyu uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=autrace exe=/sbin/autrace key=(null)
----
type=PROCTITLE msg=audit(2018年11月20日 14:12:14.311:6669) : proctitle=autrace /bin/ls /tmp
type=SYSCALL msg=audit(2018年11月20日 14:12:14.311:6669) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x1 a1=0x7ffefa2aa7a0 a2=0x7ffefa2aa7a0 a3=0x55e6e54b23e2 items=0 ppid=18224 pid=18226 auid=tangmingyu uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=autrace exe=/sbin/autrace key=(null)
----
type=PROCTITLE msg=audit(2018年11月20日 14:12:14.311:6670) : proctitle=autrace /bin/ls /tmp
type=SYSCALL msg=audit(2018年11月20日 14:12:14.311:6670) : arch=x86_64 syscall=write success=yes exit=28 a0=0x1 a1=0x55e6e591c4d0 a2=0x1c a3=0xfffffff9 items=0 ppid=18224 pid=18226 auid=tangmingyu uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=autrace exe=/sbin/autrace key=(null)
----
type=PROCTITLE msg=audit(2018年11月20日 14:12:14.311:6671) : proctitle=autrace /bin/ls /tmp
type=SYSCALL msg=audit(2018年11月20日 14:12:14.311:6671) : arch=x86_64 syscall=read success=yes exit=1 a0=0x3 a1=0x7ffefa2aaf70 a2=0x1 a3=0xfffffff9 items=0 ppid=18224 pid=18226 auid=tangmingyu uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=autrace exe=/sbin/autrace key=(null)
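Reading interpreted records one by one does not scale once a trace has thousands of events. The following added example (not part of the original post) parses `ausearch -i` output of the shape shown above into one event per `----` block and rolls it up per pid, the way aureport does, while also listing calls with success=no. The input is a constructed sample: the first two records mirror the session above with English-locale timestamps, and the failed openat record is hypothetical, added to exercise the failure path.

```python
"""Parse `ausearch -i` output into events and summarise syscalls per pid."""
import re
from collections import Counter, defaultdict

# Constructed sample modelled on the autrace /bin/ls /tmp session above; the
# third (failed openat) record is hypothetical, to exercise success=no handling.
SAMPLE = """----
type=PROCTITLE msg=audit(11/20/2018 14:12:14.311:6667) : proctitle=autrace /bin/ls /tmp
type=SYSCALL msg=audit(11/20/2018 14:12:14.311:6667) : arch=x86_64 syscall=close success=yes exit=0 a0=0x4 a1=0x0 a2=0x0 a3=0x7f8192577a10 items=0 ppid=18224 pid=18226 auid=tangmingyu uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=autrace exe=/sbin/autrace key=(null)
----
type=PROCTITLE msg=audit(11/20/2018 14:12:14.311:6669) : proctitle=autrace /bin/ls /tmp
type=SYSCALL msg=audit(11/20/2018 14:12:14.311:6669) : arch=x86_64 syscall=fstat success=yes exit=0 a0=0x1 a1=0x7ffefa2aa7a0 a2=0x7ffefa2aa7a0 a3=0x55e6e54b23e2 items=0 ppid=18224 pid=18226 auid=tangmingyu uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=autrace exe=/sbin/autrace key=(null)
----
type=PROCTITLE msg=audit(11/20/2018 14:12:14.400:6680) : proctitle=/bin/ls /tmp
type=SYSCALL msg=audit(11/20/2018 14:12:14.400:6680) : arch=x86_64 syscall=openat success=no exit=ENOENT(No such file or directory) a0=0xffffff9c a1=0x7ffefa2ab9f0 a2=0x80000 a3=0x0 items=1 ppid=18226 pid=18227 auid=tangmingyu uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 ses=4 comm=ls exe=/bin/ls key=(null)
"""

# key=value pairs; a value runs until the next " key=" token, so spaced values survive
FIELD_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")

def parse_record(line):
    """Split one interpreted record into its fields plus the audit serial."""
    head, _, body = line.partition(" : ")  # head: type= and msg=, body: the rest
    fields = dict(FIELD_RE.findall(head))
    fields.update(FIELD_RE.findall(body))
    m = re.search(r":(\d+)\)$", fields.get("msg", ""))
    fields["serial"] = int(m.group(1)) if m else None
    return fields

def parse_events(text):
    """One event per '----' block, keyed by record type (PROCTITLE, SYSCALL)."""
    events = []
    for block in text.split("----"):
        recs = [parse_record(l) for l in block.strip().splitlines()
                if l.startswith("type=")]
        if recs:
            events.append({r["type"]: r for r in recs})
    return events

def summarise(events):
    """Per-pid syscall counts and the list of failed calls (success != yes)."""
    calls, failures = defaultdict(Counter), []
    for sc in [ev["SYSCALL"] for ev in events if "SYSCALL" in ev]:
        pid = int(sc["pid"])
        calls[pid][sc["syscall"]] += 1
        if sc["success"] != "yes":
            failures.append((pid, sc["exe"], sc["syscall"], sc["exit"]))
    return calls, failures
```

Feed it the real output of `ausearch -i -p <pid>` to get the same per-pid breakdown for a live trace; failed calls are usually the first thing worth reviewing.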

Test: autrace -r /bin/ls

root@tangmingyu-QiTianM610-D529:/home/tangmingyu# autrace -r /bin/ls
Waiting to execute: /bin/ls
cur_temp eclipse-workspace mininet oftest pox snap sublime-text-imfix wget-log 模板 图片 下载 桌面
deepin-wine-for-ubuntu go oflops openflow ryu sqldata test 公共的 视频 文档 音乐
Cleaning up...
Trace complete. You can locate the records with 'ausearch -i -p 18809'
root@tangmingyu-QiTianM610-D529:/home/tangmingyu# ausearch --start recent -p 18809 --raw | aureport --file --summary
File Summary Report
===========================
total file
===========================
1 /bin/ls
1 /lib64/ld-linux-x86-64.so.2
1 /etc/ld.so.cache
1 /lib/x86_64-linux-gnu/libselinux.so.1
1 /lib/x86_64-linux-gnu/libc.so.6
1 /lib/x86_64-linux-gnu/libpcre.so.3
1 /lib/x86_64-linux-gnu/libdl.so.2
1 /lib/x86_64-linux-gnu/libpthread.so.0
1 /proc/filesystems
1 /usr/lib/locale/locale-archive
1 .
1 /usr/lib/x86_64-linux-gnu/gconv/gconv-modules.cache
root@tangmingyu-QiTianM610-D529:/home/tangmingyu# ausearch --start recent -p 18809 --raw | aureport --host --summary
Host Summary Report
===========================
total host
===========================
<no events of interest were found>

Test: autrace -r /usr/share/typora/Typora

Typora's window came up; I typed a random line of digits and clicked save. The records produced by this session are as follows:

root@tangmingyu-QiTianM610-D529:/home/tangmingyu# ausearch --start recent -p 19046 --raw | aureport --file --summary
File Summary Report
===========================
total file
===========================
403 /etc/localtime
227 /dev/shm/
61 /proc/self/status
52 /run/user/1000/bus
37 /root/.icons/DMZ-White/index.theme
32 /root/.config/Typora/
24 /usr/share/icons/DMZ-White/index.theme
24 /usr/share/pixmaps/DMZ-White/index.theme
21 /root/.config/Typora/themes/
.......... (very long, omitted)
1 /usr/share/pixmaps/default/cursors/col-resize
1 /root/.icons/DMZ-White/cursors/h_double_arrow
1 /usr/share/icons/DMZ-White/cursors/h_double_arrow
1 /root/.icons/default/cursors/text
1 /usr/share/icons/default/cursors/text
1 /usr/share/pixmaps/default/cursors/text
1 /root/.icons/DMZ-White/cursors/xterm
1 /usr/share/icons/DMZ-White/cursors/xterm
1 /usr/share/fonts/truetype/ubuntu/Ubuntu-B.ttf
1 /root/.config/Typora/backups/1
1 /home/tangmingyu/.hidden
1 /home/.hidden
1 /usr/share/icons/Numix/16/status/image-missing.svg
1 /usr/share/icons/Numix/16/places/folder.svg
1 /home/tangmingyu/文档/.hidden
1 /usr/share/icons/Numix/16/mimetypes/text-markdown.svg
1 /home/tangmingyu/文档/日志分析小组/.hidden
root@tangmingyu-QiTianM610-D529:/home/tangmingyu#

strace

Usage

usage: strace [-CdffhiqrtttTvVwxxy] [-I n] [-e expr]...
[-a column] [-o file] [-s strsize] [-P path]...
-p pid... / [-D] [-E var=val]... [-u username] PROG [ARGS]
or: strace -c[dfw] [-I n] [-e expr]... [-O overhead] [-S sortby]
-p pid... / [-D] [-E var=val]... [-u username] PROG [ARGS]
Output format:
-a column alignment COLUMN for printing syscall results (default 40)
-i print instruction pointer at time of syscall
-k obtain stack trace between each syscall (experimental)
-o file send trace output to FILE instead of stderr
-q suppress messages about attaching, detaching, etc.
-r print relative timestamp
-s strsize limit length of print strings to STRSIZE chars (default 32)
-t print absolute timestamp
-tt print absolute timestamp with usecs
-T print time spent in each syscall
-x print non-ascii strings in hex
-xx print all strings in hex
-y print paths associated with file descriptor arguments
-yy print protocol specific information associated with socket file descriptors
Statistics:
-c count time, calls, and errors for each syscall and report summary
-C like -c but also print regular output
-O overhead set overhead for tracing syscalls to OVERHEAD usecs
-S sortby sort syscall counts by: time, calls, name, nothing (default time)
-w summarise syscall latency (default is system time)
Filtering:
-e expr a qualifying expression: option=[!]all or option=[!]val1[,val2]...
options: trace, abbrev, verbose, raw, signal, read, write, fault
-P path trace accesses to path
Tracing:
-b execve detach on execve syscall
-D run tracer process as a detached grandchild, not as parent
-f follow forks
-ff follow forks with output into separate files
-I interruptible
1: no signals are blocked
2: fatal signals are blocked while decoding syscall (default)
3: fatal signals are always blocked (default if '-o FILE PROG')
4: fatal signals and SIGTSTP (^Z) are always blocked
(useful to make 'strace -o FILE PROG' not stop on ^Z)
Startup:
-E var remove var from the environment for command
-E var=val put var=val in the environment for command
-p pid trace process with process id PID, may be repeated
-u username run command as username handling setuid and/or setgid
Miscellaneous:
-d enable debug output to stderr
-v verbose mode: print unabbreviated argv, stat, termios, etc. args
-h print help message
-V print version

Test: strace -p 17195 (the pid of Google Chrome)

futex(0x7fff4a526f58, FUTEX_WAIT_PRIVATE, 0, {tv_sec=29, tv_nsec=14812037}) = 0
futex(0x7fff4a526f08, FUTEX_WAKE_PRIVATE, 1) = 0
gettid() = 1
gettid() = 1
futex(0x7fff4a526f58, FUTEX_WAIT_PRIVATE, 0, {tv_sec=14, tv_nsec=475116389}) = -1 ETIMEDOUT (Connection timed out)
futex(0x7fff4a526f08, FUTEX_WAKE_PRIVATE, 1) = 0
gettid() = 1
gettid() = 1
gettid() = 1
gettid() = 1
futex(0x7fff4a526f58, FUTEX_WAIT_PRIVATE, 0, {tv_sec=0, tv_nsec=29569165}) = -1 ETIMEDOUT (Connection timed out)
futex(0x7fff4a526f08, FUTEX_WAKE_PRIVATE, 1) = 0
gettid() = 1
gettid() = 1
gettid() = 1
madvise(0x14a188e31000, 4096, MADV_DONTNEED) = 0
madvise(0x14a189148000, 8192, MADV_DONTNEED) = 0
madvise(0x14a189154000, 28672, MADV_DONTNEED) = 0
madvise(0x14a1893e7000, 20480, MADV_DONTNEED) = 0
gettid() = 1
futex(0x7fff4a526f58, FUTEX_WAIT_PRIVATE, 0, {tv_sec=31, tv_nsec=118372204}
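Raw strace output like the above is easier to review once it is rolled up. The following added example (not part of the original post) turns lines of this shape into per-syscall call and error counts, similar to what `strace -c` reports, and keeps the unfinished last line (cut off when the trace was interrupted, as above) separate instead of miscounting it. The input is a constructed excerpt of the session above; it does not handle the `<unfinished ...>` / `<... resumed>` pairs that `-f` produces.

```python
"""Summarise raw strace lines into per-syscall call and error counts."""
import re
from collections import Counter, defaultdict

# Constructed excerpt modelled on the strace -p session above; the final line
# is deliberately cut short, as happens when strace is interrupted mid-call.
STRACE_SAMPLE = """\
futex(0x7fff4a526f58, FUTEX_WAIT_PRIVATE, 0, {tv_sec=29, tv_nsec=14812037}) = 0
futex(0x7fff4a526f08, FUTEX_WAKE_PRIVATE, 1) = 0
gettid() = 1
futex(0x7fff4a526f58, FUTEX_WAIT_PRIVATE, 0, {tv_sec=14, tv_nsec=475116389}) = -1 ETIMEDOUT (Connection timed out)
madvise(0x14a188e31000, 4096, MADV_DONTNEED) = 0
futex(0x7fff4a526f58, FUTEX_WAIT_PRIVATE, 0, {tv_sec=31, tv_nsec=118372204}
"""

# name(args) = ret [ERRNO (description)]; the greedy args group backtracks to
# the ") =" that closes the argument list, so nested {...} structs are fine.
LINE_RE = re.compile(r"^(\w+)\((.*)\)\s+=\s+(\S+)(?:\s+(E[A-Z0-9]+)\s+\((.*)\))?$")

def parse_line(line):
    """Return the parsed call, or None for a line strace never finished."""
    m = LINE_RE.match(line.strip())
    if m is None:
        return None
    name, args, ret, errname, errtext = m.groups()
    return {"syscall": name, "args": args, "ret": ret, "error": errname, "errtext": errtext}

def summarise_strace(text):
    """Calls and errors per syscall, errno breakdown, and the lines not parsed."""
    calls, errors, errnos = Counter(), Counter(), defaultdict(Counter)
    unparsed = []
    for line in filter(None, text.splitlines()):
        rec = parse_line(line)
        if rec is None:
            unparsed.append(line)
            continue
        calls[rec["syscall"]] += 1
        if rec["error"]:
            errors[rec["syscall"]] += 1
            errnos[rec["syscall"]][rec["error"]] += 1
    return {"calls": calls, "errors": errors, "errnos": errnos, "unparsed": unparsed}
```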