I recently installed the auditd package on my Debian machine. I ran some tests with auditctl, creating a single rule to watch a directory, proved something, and then removed and purged auditd.
Subsequently, I am still seeing these entries in kern.log.
May 1 08:29:55 trinity kernel: [5654985.963656] type=1325 audit(1462087795.379:71): table=filter family=2 entries=58
May 1 08:29:55 trinity kernel: [5654985.963736] type=1300 audit(1462087795.379:71): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bf9a75a0 a2=b7750ff4 a3=2250 items=0 ppid=13411 pid=13412 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 1 11:29:33 trinity kernel: [5665764.295688] type=1325 audit(1462098573.714:72): table=filter family=2 entries=57
May 1 11:29:33 trinity kernel: [5665764.295765] type=1300 audit(1462098573.714:72): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfda2ba0 a2=b77adff4 a3=22e4 items=0 ppid=32410 pid=32411 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 1 19:48:03 trinity kernel: [5695674.149293] type=1325 audit(1462128483.567:73): table=filter family=2 entries=58
May 1 19:48:03 trinity kernel: [5695674.149370] type=1300 audit(1462128483.567:73): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bffb3910 a2=b76cfff4 a3=2378 items=0 ppid=20765 pid=20766 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 1 20:40:53 trinity kernel: [5698844.383281] type=1325 audit(1462131653.801:74): table=filter family=2 entries=59
May 1 20:40:53 trinity kernel: [5698844.383357] type=1300 audit(1462131653.801:74): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfe7d880 a2=b7761ff4 a3=22e4 items=0 ppid=26521 pid=26522 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 2 05:53:28 trinity kernel: [5731999.457579] type=1325 audit(1462164808.877:75): table=filter family=2 entries=58
May 2 05:53:28 trinity kernel: [5731999.457657] type=1300 audit(1462164808.877:75): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfc307b0 a2=b77a8ff4 a3=2250 items=0 ppid=20606 pid=20607 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 2 08:02:07 trinity kernel: [5739717.728041] type=1325 audit(1462172527.145:76): table=filter family=2 entries=57
May 2 08:02:07 trinity kernel: [5739717.728130] type=1300 audit(1462172527.145:76): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfb655f0 a2=b76f7ff4 a3=21bc items=0 ppid=2530 pid=2531 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 2 09:36:04 trinity kernel: [5745355.212056] type=1325 audit(1462178164.630:77): table=filter family=2 entries=56
May 2 09:36:04 trinity kernel: [5745355.212135] type=1300 audit(1462178164.630:77): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfb26040 a2=b7764ff4 a3=2250 items=0 ppid=12830 pid=12831 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 2 10:37:32 trinity kernel: [5749043.125431] type=1325 audit(1462181852.547:78): table=filter family=2 entries=57
May 2 10:37:32 trinity kernel: [5749043.125507] type=1300 audit(1462181852.547:78): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfae3220 a2=b76e7ff4 a3=21bc items=0 ppid=19175 pid=19176 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 2 12:14:13 trinity kernel: [5754843.852220] type=1325 audit(1462187653.271:79): table=filter family=2 entries=56
May 2 12:14:13 trinity kernel: [5754843.852297] type=1300 audit(1462187653.271:79): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfe58c60 a2=b76ecff4 a3=2128 items=0 ppid=29308 pid=29309 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 2 12:41:59 trinity kernel: [5756510.071418] type=1325 audit(1462189319.490:80): table=filter family=2 entries=55
May 2 12:41:59 trinity kernel: [5756510.071496] type=1300 audit(1462189319.490:80): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfe31480 a2=b7722ff4 a3=2094 items=0 ppid=32586 pid=32587 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 2 12:58:14 trinity kernel: [5757485.373768] type=1325 audit(1462190294.794:81): table=filter family=2 entries=54
May 2 12:58:14 trinity kernel: [5757485.373846] type=1300 audit(1462190294.794:81): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bf8cb380 a2=b7754ff4 a3=2128 items=0 ppid=1736 pid=1737 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 2 14:34:51 trinity kernel: [5763282.057294] type=1325 audit(1462196091.475:82): table=filter family=2 entries=55
May 2 14:34:51 trinity kernel: [5763282.057370] type=1300 audit(1462196091.475:82): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfce29f0 a2=b7736ff4 a3=2094 items=0 ppid=12057 pid=12058 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 2 15:31:28 trinity kernel: [5766679.552808] type=1325 audit(1462199488.973:83): table=filter family=2 entries=54
May 2 15:31:28 trinity kernel: [5766679.552884] type=1300 audit(1462199488.973:83): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfc402f0 a2=b7718ff4 a3=2128 items=0 ppid=18365 pid=18366 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
This suggests that the iptables command is, for some reason, generating an audit alert. These did not appear before auditd was installed and removed.
Checking in /var/log for that timestamp suggests they relate to fail2ban changing the iptables config to add banned IP addresses.
I am fine with the trigger, but I cannot work out how to disable them, since I have removed auditd (and therefore auditctl). Reinstalling auditd and running auditctl -l returns no rules.
Why is iptables generating these entries in kern.log, and how do I revert to the configuration from before I installed auditd?
The Debian version is 7.10.
Update:
It is interesting that during the period when auditd was reinstalled, the kernel entries do not appear; they only appear when it is removed. So they did not exist, then I installed auditd and they still did not exist, then I removed auditd and they started to appear. Installing auditd suppresses them again, and uninstalling it results in them being displayed.
From apt's history.log,
Start-Date: 2016-04-26 11:47:13
Commandline: apt-get install auditd
Install: auditd:i386 (1.7.18-1.1)
End-Date: 2016-04-26 11:47:20
Start-Date: 2016-04-26 11:48:39
Commandline: apt-get remove auditd
Remove: auditd:i386 (1.7.18-1.1)
End-Date: 2016-04-26 11:48:42
Start-Date: 2016-04-26 11:48:46
Commandline: apt-get purge auditd
Purge: auditd:i386 ()
End-Date: 2016-04-26 11:48:47
Start-Date: 2016-05-03 11:17:43
Commandline: apt-get install auditd
Install: auditd:i386 (1.7.18-1.1)
End-Date: 2016-05-03 11:17:50
Start-Date: 2016-05-03 14:46:14
Commandline: apt-get remove auditd
Remove: auditd:i386 (1.7.18-1.1)
End-Date: 2016-05-03 14:46:17
Start-Date: 2016-05-03 14:47:24
Commandline: apt-get purge auditd
Purge: auditd:i386 ()
End-Date: 2016-05-03 14:47:25
And then, from kern.log,
root@trinity:/var/log# cat kern.log* | grep filter | sort
Apr 26 13:30:54 trinity kernel: [5241045.164714] type=1325 audit(1461673854.583:9): table=filter family=2 entries=62
Apr 26 13:32:53 trinity kernel: [5241164.339388] type=1325 audit(1461673973.758:10): table=filter family=2 entries=63
Apr 26 22:05:15 trinity kernel: [5271906.481895] type=1325 audit(1461704715.901:11): table=filter family=2 entries=62
Apr 27 02:28:01 trinity kernel: [5287671.603861] type=1325 audit(1461720481.020:12): table=filter family=2 entries=61
Apr 27 08:44:33 trinity kernel: [5310263.791931] type=1325 audit(1461743073.208:13): table=filter family=2 entries=60
Apr 27 11:07:33 trinity kernel: [5318844.230913] type=1325 audit(1461751653.650:14): table=filter family=2 entries=59
Apr 27 11:11:25 trinity kernel: [5319076.553128] type=1325 audit(1461751885.972:15): table=filter family=2 entries=58
Apr 27 12:31:29 trinity kernel: [5323879.969177] type=1325 audit(1461756689.387:16): table=filter family=2 entries=59
Apr 27 16:22:10 trinity kernel: [5337721.409895] type=1325 audit(1461770530.830:17): table=filter family=2 entries=58
Apr 27 17:18:25 trinity kernel: [5341095.909392] type=1325 audit(1461773905.329:18): table=filter family=2 entries=59
Apr 27 20:25:45 trinity kernel: [5352335.879430] type=1325 audit(1461785145.297:19): table=filter family=2 entries=60
Apr 27 21:19:06 trinity kernel: [5355537.157802] type=1325 audit(1461788346.575:20): table=filter family=2 entries=59
Apr 27 21:23:49 trinity kernel: [5355820.549272] type=1325 audit(1461788629.970:21): table=filter family=2 entries=58
Apr 27 21:53:23 trinity kernel: [5357593.916306] type=1325 audit(1461790403.338:22): table=filter family=2 entries=57
Apr 28 01:32:28 trinity kernel: [5370739.384433] type=1325 audit(1461803548.804:23): table=filter family=2 entries=58
Apr 28 03:35:24 trinity kernel: [5378115.178977] type=1325 audit(1461810924.598:24): table=filter family=2 entries=59
Apr 28 04:44:17 trinity kernel: [5382247.691370] type=1325 audit(1461815057.108:25): table=filter family=2 entries=60
Apr 28 05:47:42 trinity kernel: [5386052.769582] type=1325 audit(1461818862.189:26): table=filter family=2 entries=59
Apr 28 06:49:40 trinity kernel: [5389770.729248] type=1325 audit(1461822580.149:27): table=filter family=2 entries=58
Apr 28 07:03:26 trinity kernel: [5390596.850019] type=1325 audit(1461823406.267:28): table=filter family=2 entries=59
Apr 28 07:54:25 trinity kernel: [5393655.953013] type=1325 audit(1461826465.374:29): table=filter family=2 entries=60
Apr 28 17:19:02 trinity kernel: [5427533.079358] type=1325 audit(1461860342.498:30): table=filter family=2 entries=59
Apr 28 17:40:50 trinity kernel: [5428840.833735] type=1325 audit(1461861650.252:31): table=filter family=2 entries=60
Apr 28 22:11:09 trinity kernel: [5445060.419843] type=1325 audit(1461877869.838:32): table=filter family=2 entries=59
Apr 28 22:20:05 trinity kernel: [5445596.145146] type=1325 audit(1461878405.563:33): table=filter family=2 entries=60
Apr 29 01:34:17 trinity kernel: [5457247.685479] type=1325 audit(1461890057.103:34): table=filter family=2 entries=61
Apr 29 03:08:41 trinity kernel: [5462912.272201] type=1325 audit(1461895721.690:35): table=filter family=2 entries=62
Apr 29 04:05:43 trinity kernel: [5466333.873413] type=1325 audit(1461899143.292:36): table=filter family=2 entries=63
Apr 29 05:27:26 trinity kernel: [5471237.463612] type=1325 audit(1461904046.880:37): table=filter family=2 entries=64
Apr 29 05:57:55 trinity kernel: [5473065.931068] type=1325 audit(1461905875.349:38): table=filter family=2 entries=63
Apr 29 07:43:16 trinity kernel: [5479387.398790] type=1325 audit(1461912196.819:39): table=filter family=2 entries=62
Apr 29 07:59:20 trinity kernel: [5480350.703929] type=1325 audit(1461913160.122:40): table=filter family=2 entries=61
Apr 29 09:01:10 trinity kernel: [5484060.685008] type=1325 audit(1461916870.105:41): table=filter family=2 entries=62
Apr 29 09:08:56 trinity kernel: [5484527.328113] type=1325 audit(1461917336.744:42): table=filter family=2 entries=61
Apr 29 09:28:40 trinity kernel: [5485710.910410] type=1325 audit(1461918520.327:43): table=filter family=2 entries=60
Apr 29 09:35:24 trinity kernel: [5486115.462325] type=1325 audit(1461918924.881:44): table=filter family=2 entries=59
Apr 29 11:58:55 trinity kernel: [5494725.939858] type=1325 audit(1461927535.357:45): table=filter family=2 entries=58
Apr 29 12:29:44 trinity kernel: [5496575.471597] type=1325 audit(1461929384.889:46): table=filter family=2 entries=57
Apr 29 14:38:01 trinity kernel: [5504271.706427] type=1325 audit(1461937081.127:47): table=filter family=2 entries=58
Apr 29 17:01:28 trinity kernel: [5512879.168191] type=1325 audit(1461945688.583:48): table=filter family=2 entries=57
Apr 29 19:31:41 trinity kernel: [5521892.127411] type=1325 audit(1461954701.545:49): table=filter family=2 entries=56
Apr 29 19:34:02 trinity kernel: [5522033.333315] type=1325 audit(1461954842.755:50): table=filter family=2 entries=55
Apr 29 20:00:13 trinity kernel: [5523604.428545] type=1325 audit(1461956413.851:51): table=filter family=2 entries=54
Apr 29 20:34:45 trinity kernel: [5525676.172737] type=1325 audit(1461958485.593:52): table=filter family=2 entries=53
Apr 29 20:57:39 trinity kernel: [5527050.000970] type=1325 audit(1461959859.421:53): table=filter family=2 entries=54
Apr 29 21:03:22 trinity kernel: [5527393.467046] type=1325 audit(1461960202.886:54): table=filter family=2 entries=53
Apr 29 23:18:37 trinity kernel: [5535508.254569] type=1325 audit(1461968317.673:55): table=filter family=2 entries=52
Apr 30 00:29:58 trinity kernel: [5539788.920100] type=1325 audit(1461972598.339:56): table=filter family=2 entries=53
Apr 30 03:12:14 trinity kernel: [5549524.805118] type=1325 audit(1461982334.225:57): table=filter family=2 entries=54
Apr 30 03:56:03 trinity kernel: [5552154.294060] type=1325 audit(1461984963.713:58): table=filter family=2 entries=55
Apr 30 05:31:18 trinity kernel: [5557868.878686] type=1325 audit(1461990678.296:59): table=filter family=2 entries=54
Apr 30 05:51:28 trinity kernel: [5559079.495954] type=1325 audit(1461991888.912:60): table=filter family=2 entries=55
Apr 30 11:18:56 trinity kernel: [5578727.564823] type=1325 audit(1462011536.983:61): table=filter family=2 entries=56
Apr 30 11:38:34 trinity kernel: [5579905.149630] type=1325 audit(1462012714.569:62): table=filter family=2 entries=57
Apr 30 11:58:54 trinity kernel: [5581124.785297] type=1325 audit(1462013934.204:63): table=filter family=2 entries=56
Apr 30 12:28:32 trinity kernel: [5582903.150044] type=1325 audit(1462015712.567:64): table=filter family=2 entries=55
Apr 30 14:41:21 trinity kernel: [5590871.696820] type=1325 audit(1462023681.116:65): table=filter family=2 entries=54
Apr 30 17:58:37 trinity kernel: [5602708.432415] type=1325 audit(1462035517.855:66): table=filter family=2 entries=55
Apr 30 20:07:46 trinity kernel: [5610456.713610] type=1325 audit(1462043266.133:67): table=filter family=2 entries=56
May 1 00:15:50 trinity kernel: [5625341.571375] type=1325 audit(1462058150.990:68): table=filter family=2 entries=57
May 1 01:56:34 trinity kernel: [5631384.621056] type=1325 audit(1462064194.039:69): table=filter family=2 entries=58
May 1 03:47:50 trinity kernel: [5638061.478266] type=1325 audit(1462070870.899:70): table=filter family=2 entries=57
May 1 08:29:55 trinity kernel: [5654985.963656] type=1325 audit(1462087795.379:71): table=filter family=2 entries=58
May 1 11:29:33 trinity kernel: [5665764.295688] type=1325 audit(1462098573.714:72): table=filter family=2 entries=57
May 1 19:48:03 trinity kernel: [5695674.149293] type=1325 audit(1462128483.567:73): table=filter family=2 entries=58
May 1 20:40:53 trinity kernel: [5698844.383281] type=1325 audit(1462131653.801:74): table=filter family=2 entries=59
May 2 05:53:28 trinity kernel: [5731999.457579] type=1325 audit(1462164808.877:75): table=filter family=2 entries=58
May 2 08:02:07 trinity kernel: [5739717.728041] type=1325 audit(1462172527.145:76): table=filter family=2 entries=57
May 2 09:36:04 trinity kernel: [5745355.212056] type=1325 audit(1462178164.630:77): table=filter family=2 entries=56
May 2 10:37:32 trinity kernel: [5749043.125431] type=1325 audit(1462181852.547:78): table=filter family=2 entries=57
May 2 12:14:13 trinity kernel: [5754843.852220] type=1325 audit(1462187653.271:79): table=filter family=2 entries=56
May 2 12:41:59 trinity kernel: [5756510.071418] type=1325 audit(1462189319.490:80): table=filter family=2 entries=55
May 2 12:58:14 trinity kernel: [5757485.373768] type=1325 audit(1462190294.794:81): table=filter family=2 entries=54
May 2 14:34:51 trinity kernel: [5763282.057294] type=1325 audit(1462196091.475:82): table=filter family=2 entries=55
May 2 15:31:28 trinity kernel: [5766679.552808] type=1325 audit(1462199488.973:83): table=filter family=2 entries=54
May 2 15:58:13 trinity kernel: [5768283.694922] type=1325 audit(1462201093.113:84): table=filter family=2 entries=55
May 2 16:42:33 trinity kernel: [5770944.249180] type=1325 audit(1462203753.667:85): table=filter family=2 entries=56
May 2 23:25:56 trinity kernel: [5795147.404091] type=1325 audit(1462227956.820:86): table=filter family=2 entries=57
May 3 03:41:43 trinity kernel: [5810493.831850] type=1325 audit(1462243303.249:87): table=filter family=2 entries=58
May 3 04:44:46 trinity kernel: [5814276.874392] type=1325 audit(1462247086.292:88): table=filter family=2 entries=57
May 3 06:57:06 trinity kernel: [5822217.391993] type=1325 audit(1462255026.809:89): table=filter family=2 entries=56
May 3 08:21:19 trinity kernel: [5827270.101048] type=1325 audit(1462260079.522:90): table=filter family=2 entries=55
May 3 11:03:16 trinity kernel: [5836986.964890] type=1325 audit(1462269796.383:91): table=filter family=2 entries=54
May 3 16:19:19 trinity kernel: [5855950.133701] type=1325 audit(1462288759.553:306): table=filter family=2 entries=56
The kernel logs go back to March 14, and the above shows the first entry for the audit messages.
There is a lot of data, but you can see that there is a gap between 11:03 and 16:19 today. However, during that time, fail2ban banned 3 IP addresses and made iptables updates. So while auditd was installed, no audit entries were created.
2016-05-01 08:29:55,374 fail2ban.actions: WARNING [ssh] Unban 113.107.24.247
2016-05-01 11:29:33,708 fail2ban.actions: WARNING [ssh] Ban 52.37.98.155
2016-05-01 19:48:03,560 fail2ban.actions: WARNING [ssh] Ban 185.70.184.135
2016-05-01 20:40:53,795 fail2ban.actions: WARNING [ssh] Unban 185.103.252.142
2016-05-02 05:53:28,816 fail2ban.actions: WARNING [ssh] Unban 185.110.132.54
2016-05-02 08:02:07,030 fail2ban.actions: WARNING [ssh] Unban 202.203.179.129
2016-05-02 09:36:04,623 fail2ban.actions: WARNING [ssh] Ban 42.116.173.198
2016-05-02 10:37:32,536 fail2ban.actions: WARNING [ssh] Unban 125.212.232.159
2016-05-02 12:14:13,263 fail2ban.actions: WARNING [ssh] Unban 146.0.77.32
2016-05-02 12:41:59,482 fail2ban.actions: WARNING [ssh] Unban 112.217.150.112
2016-05-02 12:58:14,786 fail2ban.actions: WARNING [ssh] Ban 210.211.99.15
2016-05-02 14:34:51,468 fail2ban.actions: WARNING [ssh] Unban 179.43.144.43
2016-05-02 15:31:28,963 fail2ban.actions: WARNING [ssh] Ban 37.54.25.239
2016-05-02 15:58:13,105 fail2ban.actions: WARNING [ssh] Ban 125.212.232.63
2016-05-02 16:42:33,660 fail2ban.actions: WARNING [ssh] Ban 146.0.77.32
2016-05-02 23:25:56,812 fail2ban.actions: WARNING [ssh] Ban 193.201.225.31
2016-05-03 03:41:43,242 fail2ban.actions: WARNING [ssh] Unban 42.112.131.91
2016-05-03 04:44:46,285 fail2ban.actions: WARNING [ssh] Unban 173.208.220.131
2016-05-03 06:57:06,803 fail2ban.actions: WARNING [ssh] Unban 193.201.225.29
2016-05-03 08:21:19,512 fail2ban.actions: WARNING [ssh] Unban 185.22.65.27
2016-05-03 11:03:16,375 fail2ban.actions: WARNING [ssh] Ban 173.208.129.210
2016-05-03 13:30:55,106 fail2ban.actions: WARNING [ssh] Unban 58.187.224.226
2016-05-03 14:01:26,542 fail2ban.actions: WARNING [ssh] Ban 221.11.92.253
2016-05-03 14:32:17,009 fail2ban.actions: WARNING [ssh] Ban 82.204.67.66
2016-05-03 16:19:19,543 fail2ban.actions: WARNING [ssh] Ban 169.54.174.138
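The timestamp comparison described in the question can be scripted. The following is an added example, not part of the original post: it pairs each fail2ban Ban/Unban with a type=1325 kernel record logged within one second and lists the actions that left no record in kern.log. The function names are hypothetical, the year is passed in by hand because syslog timestamps omit it, and the sample lines are copied from the logs above.

```python
import re
from datetime import datetime, timedelta

# Sample lines copied from the logs in the question (May 3, around the gap).
KERN_LOG = """\
May 3 08:21:19 trinity kernel: [5827270.101048] type=1325 audit(1462260079.522:90): table=filter family=2 entries=55
May 3 11:03:16 trinity kernel: [5836986.964890] type=1325 audit(1462269796.383:91): table=filter family=2 entries=54
May 3 16:19:19 trinity kernel: [5855950.133701] type=1325 audit(1462288759.553:306): table=filter family=2 entries=56
"""
FAIL2BAN_LOG = """\
2016-05-03 08:21:19,512 fail2ban.actions: WARNING [ssh] Unban 185.22.65.27
2016-05-03 11:03:16,375 fail2ban.actions: WARNING [ssh] Ban 173.208.129.210
2016-05-03 13:30:55,106 fail2ban.actions: WARNING [ssh] Unban 58.187.224.226
2016-05-03 14:01:26,542 fail2ban.actions: WARNING [ssh] Ban 221.11.92.253
2016-05-03 14:32:17,009 fail2ban.actions: WARNING [ssh] Ban 82.204.67.66
2016-05-03 16:19:19,543 fail2ban.actions: WARNING [ssh] Ban 169.54.174.138
"""

# type=1325 is the kernel's AUDIT_NETFILTER_CFG record (a netfilter table was replaced).
KERN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ kernel: \[\s*[\d.]+\] "
    r"type=1325 audit\([\d.]+:(?P<serial>\d+)\): (?P<body>.*)$")
F2B_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d),\d+ fail2ban\.actions: \w+ "
    r"\[(?P<jail>[^\]]+)\] (?P<action>Ban|Unban) (?P<ip>\S+)$")

def parse_kern(text, year):
    """Parse NETFILTER_CFG lines from kern.log; both logs are in local time."""
    events = []
    for m in filter(None, map(KERN_RE.match, text.splitlines())):
        fields = dict(kv.split("=", 1) for kv in m["body"].split())
        ts = " ".join(m["ts"].split())  # collapse syslog day padding
        events.append({
            "when": datetime.strptime(f"{year} {ts}", "%Y %b %d %H:%M:%S"),
            "serial": int(m["serial"]),
            "table": fields.get("table"),
            "entries": int(fields.get("entries", -1)),
        })
    return events

def parse_fail2ban(text):
    """Parse Ban/Unban lines from the fail2ban log."""
    return [{"when": datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S"),
             "action": m["action"], "ip": m["ip"], "jail": m["jail"]}
            for m in filter(None, map(F2B_RE.match, text.splitlines()))]

def correlate(kern_events, actions, tolerance=timedelta(seconds=1)):
    """Pair each fail2ban action with a kernel record inside the tolerance."""
    matched, unmatched = [], []
    for act in actions:
        hit = next((e for e in kern_events
                    if abs(e["when"] - act["when"]) <= tolerance), None)
        if hit:
            matched.append((act, hit))
        else:
            unmatched.append(act)
    return matched, unmatched

def serial_gaps(kern_events):
    """Serial jumps: numbers in between went to records absent from this input."""
    ev = sorted(kern_events, key=lambda e: e["serial"])
    return [(a["serial"], b["serial"]) for a, b in zip(ev, ev[1:])
            if b["serial"] - a["serial"] > 1]
```

On these lines the three fail2ban actions between 11:03 and 16:19 come back unmatched, and `serial_gaps` reports the jump from 91 to 306 visible in the kern.log excerpt.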