audit skill

---
name: audit
description: 安全审计
version: 1.0.0
author: terminal-skills
tags: [security, audit, auditd, logging, compliance, vulnerability]
---

# 安全审计

## 概述
安全审计、漏洞扫描、合规检查技能。

## auditd 审计系统

### 安装与管理
```bash
# 安装
apt install auditd audispd-plugins      # Debian/Ubuntu
yum install audit                        # CentOS/RHEL

# 服务管理
systemctl start auditd
systemctl enable auditd
systemctl status auditd
```

### 审计规则
```bash
# 查看规则
auditctl -l

# 添加规则 - 监控文件
auditctl -w /etc/passwd -p wa -k passwd_changes
auditctl -w /etc/shadow -p wa -k shadow_changes
auditctl -w /etc/sudoers -p wa -k sudoers_changes

# 监控目录
auditctl -w /etc/ssh/ -p wa -k ssh_config

# 监控系统调用
auditctl -a always,exit -F arch=b64 -S execve -k command_exec

# 监控用户操作
auditctl -a always,exit -F arch=b64 -S open -F auid>=1000 -k user_file_access
```

### 永久规则
```bash
# /etc/audit/rules.d/audit.rules
-w /etc/passwd -p wa -k passwd_changes
-w /etc/shadow -p wa -k shadow_changes
-w /etc/sudoers -p wa -k sudoers_changes
-w /var/log/lastlog -p wa -k logins
-a always,exit -F arch=b64 -S execve -k commands

# 重载规则
augenrules --load
```

### 查看日志
```bash
# 搜索审计日志
ausearch -k passwd_changes
ausearch -k commands -ts today
ausearch -ua root -ts recent

# 生成报告
aureport
aureport --summary
aureport --login
aureport --file
aureport --executable
```

## 日志审计

### 系统日志
```bash
# 查看认证日志
tail -f /var/log/auth.log          # Debian/Ubuntu
tail -f /var/log/secure            # CentOS/RHEL

# 查看登录记录
last
lastb                               # 失败登录
lastlog

# journalctl
journalctl -u sshd
journalctl --since "1 hour ago"
journalctl -p err
```

### 日志分析
```bash
# 统计 SSH 登录失败
grep "Failed password" /var/log/auth.log | awk '{print $11}' | sort | uniq -c | sort -rn

# 统计 sudo 使用
grep "sudo:" /var/log/auth.log | tail -20

# 查找异常登录
grep "Accepted" /var/log/auth.log | grep -v "192.168"
```

## 漏洞扫描

### Lynis
```bash
# 安装
apt install lynis

# 系统审计
lynis audit system

# 查看报告
cat /var/log/lynis-report.dat
```

### OpenSCAP
```bash
# 安装
yum install openscap-scanner scap-security-guide

# 扫描
oscap xccdf eval --profile xccdf_org.ssgproject.content_profile_standard \
    --results results.xml \
    /usr/share/xml/scap/ssg/content/ssg-centos7-ds.xml

# 生成报告
oscap xccdf generate report results.xml > report.html
```

### Nmap 扫描
```bash
# 端口扫描
nmap -sV -sC target.com

# 漏洞扫描
nmap --script vuln target.com

# 全面扫描
nmap -A -T4 target.com
```

## 文件完整性

### AIDE
```bash
# 安装
apt install aide

# 初始化数据库
aide --init
mv /var/lib/aide/aide.db.new /var/lib/aide/aide.db

# 检查变更
aide --check

# 更新数据库
aide --update
```

### Tripwire
```bash
# 初始化
tripwire --init

# 检查
tripwire --check

# 更新策略
tripwire --update-policy
```

## 常见场景

### 场景 1：监控特权操作
```bash
# /etc/audit/rules.d/privileged.rules
# 监控 sudo
-w /usr/bin/sudo -p x -k privileged_sudo
-w /etc/sudoers -p wa -k sudoers_edit

# 监控用户管理
-w /usr/sbin/useradd -p x -k user_add
-w /usr/sbin/userdel -p x -k user_del
-w /usr/sbin/usermod -p x -k user_mod

# 监控网络配置
-w /etc/hosts -p wa -k hosts_edit
-w /etc/network/ -p wa -k network_config
```

### 场景 2：合规检查脚本
```bash
#!/bin/bash
echo "=== 安全合规检查 ==="

# 检查空密码账户
echo "空密码账户:"
awk -F: '($2 == "") {print $1}' /etc/shadow

# 检查 UID 为 0 的账户
echo "UID=0 账户:"
awk -F: '($3 == 0) {print $1}' /etc/passwd

# 检查 SSH 配置
echo "SSH 配置:"
grep -E "^(PermitRootLogin|PasswordAuthentication)" /etc/ssh/sshd_config

# 检查开放端口
echo "监听端口:"
ss -tlnp
```

### 场景 3：登录告警
```bash
#!/bin/bash
# /etc/profile.d/login-alert.sh
if [ -n "$SSH_CLIENT" ]; then
    IP=$(echo $SSH_CLIENT | awk '{print $1}')
    echo "SSH 登录告警: 用户 $USER 从 $IP 登录 $(hostname)" | \
        mail -s "SSH Login Alert" [email protected]
fi
```

## 故障排查

| 问题 | 排查方法 |
|------|----------|
| 审计日志过大 | 配置日志轮转、过滤规则 |
| 性能影响 | 减少审计规则、优化过滤 |
| 规则不生效 | 检查语法、重载规则 |

```bash
# 检查 auditd 状态
auditctl -s

# 查看丢失事件
aureport --summary | grep lost

# 日志轮转配置
# /etc/audit/auditd.conf
max_log_file = 50
num_logs = 5
max_log_file_action = ROTATE
```