How to Query Audit Logs Using the ausearch Tool on CentOS/RHEL

In our last article, we explained how to audit a RHEL or CentOS system using the auditd tool. The audit system (auditd) is a comprehensive logging system and does not use syslog for this purpose. It also comes with a set of tools for managing the kernel audit system as well as searching and producing reports from the information in the log files.

In this tutorial, we will explain how to use the ausearch tool to retrieve data from auditd log files on the RHEL and CentOS Linux distributions.

As mentioned before, the audit system has a user-space audit daemon (auditd) which collects security-related information from the kernel, based on pre-configured rules, and generates entries in a log file.

ausearch is a simple command line tool used to search the audit daemon log files based on events and different search criteria such as event identifier, key identifier, CPU architecture, command name, hostname, group name or group ID, syscall, message types and more. It also accepts raw data from stdin.

By default, ausearch queries the /var/log/audit/audit.log file, which you can view like any other text file.

# cat /var/log/audit/audit.log
OR
# cat /var/log/audit/audit.log | less

From the screenshot above, you can see that the log file contains a lot of data, which makes it hard to find the specific information of interest.

That is why you need ausearch, which lets you search the data in a more powerful and efficient way using the following syntax.

# ausearch [options]

The -p flag is used to pass a process ID.

# ausearch -p 2317

Here, use the -m option to select specific message types and -sv to define the success value.

# ausearch -m USER_LOGIN -sv no 

The -ua flag is used to pass a username or user ID.

# ausearch -ua tecmint
OR
# ausearch -ua tecmint -i	# enable interpreting of numeric entities into text.

To search for actions performed by a given user within a specified time range, use -ts for the start date/time and -te for the end date/time as follows (note that you can use keywords such as now, recent, today, yesterday, this-week, week-ago, this-month, this-year and checkpoint instead of an actual time).

# ausearch -ua tecmint -ts yesterday -te now -i 

More examples of searching for the actions of a given user on the system.

# ausearch -ua 1000 -ts this-week -i
# ausearch -ua tecmint -m USER_LOGIN -sv no -i

If you want to review all system changes to do with user accounts, groups and roles, specify the message types as a comma-separated list as in the command below (note the comma-separated list: leave no space between a comma and the next item):

# ausearch -m ADD_USER,DEL_USER,USER_CHAUTHTOK,ADD_GROUP,DEL_GROUP,CHGRP_ID,ROLE_ASSIGN,ROLE_REMOVE  -i

Consider the audit rule below, which will log any attempt to access or modify the user accounts database /etc/passwd.

# auditctl -w /etc/passwd -p rwa -k passwd_changes

Now, try to open the above file for editing and close it again, as follows.

# vi /etc/passwd

Just to confirm that a log entry was recorded for this, you can view the last part of the log file with the tail command like this:

# tail /var/log/audit/audit.log

If other events were recorded recently, finding this specific information would be much harder. With ausearch, however, you can pass the -k flag with the key value you defined in the audit rule to view all log messages about events that accessed or modified the /etc/passwd file.

This will also show the configuration change that defined the audit rule.

# ausearch -k passwd_changes | less
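The searches above (-m with -sv, -ua with a -ts/-te window, and -k against a watched file) all work the same way underneath: ausearch reads the raw records in audit.log, groups the ones that share a serial number into one event, and tests each event against the requested criteria. The following Python script is an added example, not code from the article or from the audit package, that emulates those four searches over a handful of constructed audit.log records. The records, the tecmint-to-uid map and the fixed clock used for the yesterday/today keywords are all constructed for the example, and the keyword semantics implemented in keyword_time (recent = 10 minutes ago, day boundaries at midnight) are assumptions made for the emulation.

```python
import re
from collections import OrderedDict
from datetime import datetime, timedelta, timezone

# Constructed sample records in the raw /var/log/audit/audit.log format.
# The msg=audit(EPOCH.MS:SERIAL) header ties the SYSCALL, CWD and PATH
# records of one event together through the shared serial number.
SAMPLE_LOG = """\
type=USER_LOGIN msg=audit(1700000000.101:201): pid=2317 uid=0 auid=1000 ses=4 msg='op=login acct="tecmint" exe="/usr/sbin/sshd" hostname=? addr=? terminal=ssh res=failed'
type=USER_LOGIN msg=audit(1700000060.202:202): pid=2318 uid=0 auid=1000 ses=5 msg='op=login acct="tecmint" exe="/usr/sbin/sshd" hostname=? addr=? terminal=ssh res=success'
type=SYSCALL msg=audit(1700003600.303:203): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c ppid=2400 pid=2401 auid=1000 uid=0 gid=0 comm="vi" exe="/usr/bin/vi" key="passwd_changes"
type=CWD msg=audit(1700003600.303:203): cwd="/root"
type=PATH msg=audit(1700003600.303:203): item=0 name="/etc/passwd" inode=1234 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=ADD_USER msg=audit(1700007200.404:204): pid=2500 uid=0 auid=1000 ses=4 msg='op=adding user id=1001 exe="/usr/sbin/useradd" hostname=? addr=? terminal=pts/0 res=success'
"""

# Constructed name-to-uid map standing in for the sample host's /etc/passwd,
# and a fixed clock (constructed) so the -ts/-te keywords are reproducible.
USERS = {"root": "0", "tecmint": "1000"}
NOW = datetime(2023, 11, 15, 1, 0, tzinfo=timezone.utc)

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+)\.\d+:(\d+)\): (.*)$")
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_events(text):
    """Parse raw audit records and group them into events keyed by serial."""
    events = OrderedDict()
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # skip malformed lines instead of aborting the search
        rtype, secs, serial, body = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
        # User-space records nest acct=, res=, op=... inside msg='...'
        inner = fields.get("msg", "").strip("'")
        for k, v in FIELD_RE.findall(inner):
            fields.setdefault(k, v.strip('"'))
        ev = events.setdefault(int(serial), {
            "serial": int(serial),
            "time": datetime.fromtimestamp(int(secs), tz=timezone.utc),
            "records": [],
        })
        ev["records"].append({"type": rtype, "fields": fields})
    return list(events.values())


def keyword_time(word, now=NOW):
    """Subset of the -ts/-te keywords. Assumed semantics for the emulation:
    recent = 10 minutes ago, today/yesterday = midnight boundaries (UTC here)."""
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    return {
        "now": now,
        "recent": now - timedelta(minutes=10),
        "today": midnight,
        "yesterday": midnight - timedelta(days=1),
        "week-ago": now - timedelta(days=7),
    }[word]


def search(events, message_types=None, success=None, user=None, key=None,
           start=None, end=None):
    """Emulate -m / -sv / -ua / -k / -ts / -te. As in ausearch the unit of
    matching is the event: each criterion must be met by some record in it
    (the key sits on the SYSCALL record, the filename on the PATH record)."""
    uid = USERS.get(user, user) if user is not None else None
    want = None if success is None else (
        {"yes", "success"} if success else {"no", "failed"})
    hits = []
    for ev in events:
        if start is not None and ev["time"] < start:
            continue
        if end is not None and ev["time"] > end:
            continue
        types = {r["type"] for r in ev["records"]}
        fs = [r["fields"] for r in ev["records"]]
        if message_types and not types & set(message_types):
            continue
        if want and not any(f.get("success") in want or f.get("res") in want for f in fs):
            continue
        if uid is not None and not any(uid in (f.get("auid"), f.get("uid")) for f in fs):
            continue
        if key and not any(f.get("key") == key for f in fs):
            continue
        hits.append(ev)
    return hits


def serials(events):
    """Event serial numbers, handy for checking results."""
    return [ev["serial"] for ev in events]


def touched_paths(events):
    """Filenames from PATH records, i.e. what a -k passwd_changes hit touched."""
    return sorted({r["fields"]["name"] for ev in events for r in ev["records"]
                   if r["type"] == "PATH"})


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print(serials(search(evs, message_types=["USER_LOGIN"], success=False)))  # -m USER_LOGIN -sv no
    print(serials(search(evs, user="tecmint", start=keyword_time("yesterday"),
                         end=keyword_time("now"))))                            # -ua tecmint -ts yesterday -te now
    print(touched_paths(search(evs, key="passwd_changes")))                    # -k passwd_changes
```

The point to take from the event grouping is why a -k search returns the CWD and PATH lines as well as the SYSCALL line: the key is only present on the SYSCALL record, but ausearch reports the whole event, which is what tells you which file was actually opened. The -ua match covers both auid and uid, so a root shell obtained after logging in as tecmint still shows up under the original login account.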

For more information and usage options, read the ausearch man page:

# man ausearch

To learn more about Linux system auditing and log management, read these related articles.

  1. Petit - An Open Source Log Analysis Tool for Linux SysAdmins
  2. Monitor Server Logs in Real Time with the Log.io Tool on RHEL/CentOS 7/6
  3. How to Set Up and Manage Log Rotation Using Logrotate in Linux
  4. lnav - Watch and Analyze Apache Logs from a Linux Terminal

In this tutorial, we explained how to use ausearch to retrieve data from the auditd log files on RHEL and CentOS. If you have any questions or thoughts to share, use the comment section to reach us.

In our next article, we will explain how to create reports from the audit log files using aureport on RHEL/CentOS/Fedora.