linux 如何排除auditd中没有tty的用户的结果?

tv6aics1  于 2023-01-12  发布在  Linux
关注(0)|答案(1)|浏览(148)

我们现有的auditd规则记录了除UID 501之外的所有命令,并且运行良好:

% cat /etc/audit/audit.rules
-D
-b 320
-a exit,always -F arch=b64 -S execve -F uid!=501
-a exit,always -F arch=b32 -S execve -F uid!=501

它们会产生如下数据:

type=SYSCALL msg=audit(1493677870.320:573818): arch=c000003e syscall=59 
success=yes exit=0 a0=18e0d80 a1=18e9ac0 a2=18df340 a3=20 items=2 
ppid=29928 pid=29943 auid=4294967295 uid=501 gid=103 euid=501 suid=501
fsuid=501 egid=103 sgid=103 fsgid=103 tty=(none) ses=4294967295 
comm="bb" exe="xxxx" key=(null)

但是,我们希望忽略记录的没有TTY的命令,如上面所示:“tty=(无)”选择仅记录有效TTY的SYSCALL,例如“tty= pts 1
在阅读了数小时的auditd文档之后,我已经用尽了所有的方法来完成这个任务。虽然有uid,euid等的钩子,但似乎没有tty的钩子,如果是这样的话,当“(none)”只是日志代码中NULL的文本表示时,你如何表示一个空tty呢?
提前感谢!:)

icnyk63a

icnyk63a1#

我用Python的魔法石来砍木头。

#!/usr/bin/python3

from sh import tail
from datetime import datetime
import re
import socket
import time

UDP_IP = "127.0.0.1" #changeme (send to remote server)
UDP_PORT = 5555 #changeme (send to remote server)
logfile = '/var/log/audit_commands.log'

sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
hostname = socket.gethostname()


def callback(m):
    try:
        m = m.group(0)
        m = m[1:]
        return '='+m.decode('hex')
    except:
        return '='+m

for line in tail("-F", "/var/log/audit/audit.log", _iter=True):
    if "type=SYSCALL" and "tty=pts" not in line:
        continue
    _,msg=line.strip().split('msg=')
    aid,exe = msg.split(": ",1)
    time, id = aid.split(":",1)
    time = int(time[6:16])
    time = datetime.fromtimestamp(time).strftime("%Y-%m-%d %H:%M:%S")
    logTable = line.split(' ')
    success=logTable[4]
    comm=logTable[24]
    auid=logTable[29]
    euid=logTable[32]
    log_entry="timestamp='"+time+"'"+" "+"address='"+hostname+"'"+" "+comm+" "+success+" "+auid+" "+euid+"\n"
    #sock.sendto(bytes(log_entry, "utf-8"), (UDP_IP, UDP_PORT))  #uncomment if you set ip/port
    try:
        log_file = open(logfile, 'a')
        log_file.write(log_entry)
        log_file.close()
    except FileNotFoundError:
        pass

相关问题