Tracking file deletion with auditd without unlink?


0

I am creating an audit rule to track deletion of files and directories. I have one that turns up a lot in online searches, but I am not sure whether it is actually useful:

-a exit,always -F arch=b32 -S unlink -S rmdir -k deletion

There are actually two: one for 32-bit and one for 64-bit.

The problem I have is that I don't know of anyone who uses unlink to delete files rather than rm. I have tested rm, thinking it might actually call unlink under the hood, but nothing shows up in the log.

Am I missing something? Is there a way to track file deletions done with rm?


I am migrating this to SuperUser because of the OS-specific nature of the question. This is technically an OS-internals question, not a security question.
schroeder 2015

unlink is Windows-specific, right? If so, the post needs a Windows tag.
Jake Gould 2015

1
No, unlink is definitely not Windows-specific. It is the name of a Unix system function that is at the core of the Unix rm program and (at least) the original version of rmdir. A program named unlink appears on various Unix systems; in fact, it is specified by POSIX. It is basically a thin wrapper around the unlink system call, i.e. rm with all the sanity checks removed. I don't know whether unlink exists on Windows.
Scott

Answers:


1

I ran strace rm test to see whether it is calling unlink. It is not calling unlink itself, but unlinkat. I have added that to the auditd rule:

-a exit,always -F arch=b32 -S unlink -S unlinkat -S rmdir -k deletion

This triggers on any file deletion, whether by root or by a regular user.

strace output:

execve("/bin/rm", ["rm", "test"], [/* 17 vars */]) = 0
brk(0)                                  = 0x60d000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3a8e43c000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY)      = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=26788, ...}) = 0
mmap(NULL, 26788, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f3a8e435000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY)      = 3
read(3, "\177ELF\2\1\1\3\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\356\0015;\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1926760, ...}) = 0
mmap(0x3b35000000, 3750152, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x3b35000000
mprotect(0x3b3518a000, 2097152, PROT_NONE) = 0
mmap(0x3b3538a000, 20480, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x18a000) = 0x3b3538a000
mmap(0x3b3538f000, 18696, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x3b3538f000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3a8e434000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3a8e433000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x7f3a8e432000
arch_prctl(ARCH_SET_FS, 0x7f3a8e433700) = 0
mprotect(0x3b3538a000, 16384, PROT_READ) = 0
mprotect(0x3b34a1f000, 4096, PROT_READ) = 0
munmap(0x7f3a8e435000, 26788)           = 0
brk(0)                                  = 0x60d000
brk(0x62e000)                           = 0x62e000
open("/usr/lib/locale/locale-archive", O_RDONLY) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=99158576, ...}) = 0
mmap(NULL, 99158576, PROT_READ, MAP_PRIVATE, 3, 0) = 0x7f3a885a1000
close(3)                                = 0
ioctl(0, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0
newfstatat(AT_FDCWD, "test", {st_mode=S_IFREG|0640, st_size=0, ...}, AT_SYMLINK_NOFOLLOW) = 0
geteuid()                               = 0
unlinkat(AT_FDCWD, "test", 0)           = 0
close(0)                                = 0
close(1)                                = 0
close(2)                                = 0
exit_group(0)                           = ?
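As an added example (not code from the question or the answer), here is a small Python parser for the records auditd writes when a rule keyed "deletion" fires: it groups records by audit event id, maps the syscall number back to unlink, unlinkat or rmdir for both the x86_64 and i386 arch values (covering the two rules the question mentions), and reports the path from the PATH record whose nametype is DELETE. The log lines are constructed to resemble real records and are not from the post.

```python
# Added example (not from the post): summarise auditd events written by the
# "deletion" key. Records below are constructed; syscall numbers are the
# x86_64 (arch=c000003e) and i386 (arch=40000003) values.
import re
from collections import defaultdict

SYSCALL_NAMES = {
    "c000003e": {87: "unlink", 263: "unlinkat", 84: "rmdir"},  # x86_64
    "40000003": {10: "unlink", 301: "unlinkat", 40: "rmdir"},  # i386
}
EVENT_ID = re.compile(r"msg=audit\(([\d.]+:\d+)\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_fields(line):
    """Turn 'k=v k="v" ...' into a dict, stripping the quotes."""
    return {k: v.strip('"') for k, v in FIELD.findall(line)}

def deletions(lines):
    """Group records by audit event id and summarise each 'deletion' event."""
    events = defaultdict(list)
    for line in lines:
        m = EVENT_ID.search(line)
        if m:
            events[m.group(1)].append(parse_fields(line))
    out = []
    for eid, recs in events.items():
        sc = next((r for r in recs
                   if r.get("type") == "SYSCALL" and r.get("key") == "deletion"), None)
        if sc is None:
            continue
        names = SYSCALL_NAMES.get(sc.get("arch"), {})
        # only the PATH record with nametype=DELETE names the removed entry
        paths = [r["name"] for r in recs
                 if r.get("type") == "PATH" and r.get("nametype") == "DELETE"]
        out.append({"event": eid, "uid": sc.get("uid"), "exe": sc.get("exe"),
                    "syscall": names.get(int(sc["syscall"]), "syscall#" + sc["syscall"]),
                    "paths": paths})
    return out

# constructed records: 'rm test' as root on x86_64, 'rmdir olddir' as uid 1000 on i386
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1425000000.123:456): arch=c000003e syscall=263 success=yes '
    'exit=0 items=2 pid=2002 auid=1000 uid=0 gid=0 comm="rm" exe="/bin/rm" key="deletion"',
    'type=PATH msg=audit(1425000000.123:456): item=0 name="/root" inode=131073 nametype=PARENT',
    'type=PATH msg=audit(1425000000.123:456): item=1 name="test" inode=131080 nametype=DELETE',
    'type=SYSCALL msg=audit(1425000000.130:457): arch=40000003 syscall=40 success=yes '
    'exit=0 items=2 pid=2003 auid=1000 uid=1000 gid=1000 comm="rmdir" exe="/bin/rmdir" key="deletion"',
    'type=PATH msg=audit(1425000000.130:457): item=1 name="olddir" inode=131090 nametype=DELETE',
]
```

On a live system, feed the output of ausearch -k deletion --raw (or the lines of /var/log/audit/audit.log) to deletions() to confirm the rule fires for rm and which syscall it used.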