首页 发现 帮助
登录
Troglodyne
/
audit-log-perl
2
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
目录树: 4de65d3d66
分支列表 标签列表
audit-log-perl
/
lib
/
Audit
/
Log.pm

Log.pm 6.3 KB
文件历史 原始文件

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191 
  1. package Audit::Log;
    2. 

  2. 

  3. use strict;
    4. 

  4. use warnings;
    5. 

  5. 

  6. use 5.006;
    7. 

  7. use v5.12.0;    # Before 5.006, v5.10.0 would not be understood.
    8. 

  8. 

  9. # ABSTRACT: auditd log parser with no external dependencies, using no perl features past 5.12
    10. 

  10. 

  11. =head1 WHY
    12. 

  12. 

  13. I had to do reporting for non-incremental backups.
    14. 

  14. I needed something faster than GNU find, and which took less memory as well.
    15. 

  15. I didn't want to stat 1M+ files.
    16. 

  16. Just reads a log and keeps the bare minimum useful information.
    17. 

  17. 

  18. You can use auditd for a number of other interesting purposes, which this should support as well.
    19. 

  19. 

  20. =head1 SYNOPSIS
    21. 

  21. 

  22.     my $parser = Audit::Log->new();
    23. 

  23.     my $rows = $parser->search(
    24. 

  24.         type     => qr/path/i,
    25. 

  25.         nametype => qr/delete|create|normal/i,
    26. 

  26.         name     => qr/somefile.txt/i,
    27. 

  27.     );
    28. 

  28. 

  29. =head1 CONSTRUCTOR
    30. 

  30. 

  31. =head2 new(STRING path, ARRAY returning) = Audit::Log
    32. 

  32. 

  33. Opens the provided audit log path when searching, or
    34. 

  34. 

  35.     /var/log/audit/audit.log
    36. 

  36. 

  37. if none is provided.
    38. 

  38. 

  39. Also can filter returned keys by the provided array to not allocate unnecesarily in low mem situations.
    40. 

  40. 

  41. =head3 using with ausearch
    42. 

  42. 

  43. It's common to have the audit log be quite verbose, and log-rotated.
    44. 

  44. To get around that you can dump pieces of the audit log as appropriate with ausearch.
    45. 

  45. Here's an example of dumping keyed events for the last day, which you could then load into new().
    46. 

  46. 

  47.     ausearch --raw --key backupwatch -ts `date --date yesterday '+%x'` > yesterdays-audit.log
    48. 

  48. 

  49. Even then the audit log is quite likely to only have a few days of retention.
    50. 

  50. Be sure to stash results appropriately.
    51. 

  51. 

  52. =cut
    53. 

  53. 

  54. sub new {
    55. 

  55.     my ($class, $path, @returning) = @_;
    56. 

  56.     $path = '/var/log/audit/audit.log' unless $path;
    57. 

  57.     die "Cannot access $path" unless -f $path;
    58. 

  58.     return bless({ path => $path, returning => \@returning}, $class);
    59. 

  59. }
    60. 

  60. 

  61. =head1 METHODS
    62. 

  62. 

  63. =head2 search(key => constraint) = ARRAY[HashRef{}]
    64. 

  64. 

  65. Searches the log for lines where the value corresponding to the provided key matches the constraint, which is expected to be a quoted regex.
    66. 

  66. If no constraints are provided, all matching rows will be returned.
    67. 

  67. 

  68. Example:
    69. 

  69. 

  70.     my $rows = $parser->search( type => qr/path/i, nametype=qr/delete|create|normal/i );
    71. 

  71. 

  72. The above effectively will get you a list of all file modifications/creations/deletions in watched directories.
    73. 

  73. 

  74. Adds in a 'line' parameter to rows returned in case you want to know which line in the log it's on.
    75. 

  75. Also adds a 'timestamp' parameter, since this is a parsed parameter.
    76. 

  76. 

  77. =head3 Speeding it up: by event
    78. 

  78. 

  79. Auditd logs are also structured in blocks separated between SYSCALL lines, which are normally filtered by 'key', which corresponds to rule name.
    80. 

  80. We can speed up processing by ignoring events of the incorrect key.
    81. 

  81. 

  82. Example:
    83. 

  83. 

  84.     my $rows = $parser->search( type => qr/path/i, nametype=qr/delete|create|normal/i, key => qr/backup_watch/i );
    85. 

  85. 

  86. The above will ignore events from all rules save those from the "backup_watch" rule.
    87. 

  87. 

  88. =head3 Speeding it up: by timeframe
    89. 

  89. 

  90. Auditd log rules also print a timestamp, which means we need a numeric comparison.
    91. 

  91. Pass in 'older' and 'newer', and we can filter out things appropriately.
    92. 

  92. 

  93. Example:
    94. 

  94. 

  95.     # Get all records that are from the last 24 hours
    96. 

  96.     my $rows = $parser->search( type => qr/path/i, nametype=qr/delete|create|normal/i, newer => ( time - 86400 ) );
    97. 

  97. 

  98. =head3 Getting full paths with CWDs
    99. 

  99. 

  100. PATH records don't actually store the full path to what is acted upon unless the process acting upon it used an absolute path.
    101. 

  101. Thankfully, SYSCALL records are are always followed by a CWD record.  As such we add the 'cwd' field to all subsequent records.
    102. 

  102. As such, you can build full paths like so:
    103. 

  103. 

  104.     my $parser = Audit::Log->new(undef, 'name', 'cwd');
    105. 

  105.     my $rows = $parser->search( type => qr/path/i, nametype=qr/delete|create|normal/i );
    106. 

  106.     my @full_paths = map { "$_->{cwd}/$_->{name}" } @$rows;
    107. 

  107. 

  108. =head3 Filtering by command
    109. 

  109. 

  110. SYSCALL records store the command which executed the call.  This is exposed as part of the parse for each child record, such as PATH or DAEMON_* records.
    111. 

  111. Example of getting all the commands run which triggered audit events:
    112. 

  112. 

  113.     my $parser = Audit::Log->new(undef, 'exe')
    114. 

  114.     my $rows = $parser->search();
    115. 

  115. 

  116. =cut
    117. 

  117. 

  118. sub search {
    119. 

  119.     my ($self,%options) = @_;
    120. 

  120. 

  121.     my $ret = [];
    122. 

  122.     my $in_block = 1;
    123. 

  123.     my $line = -1;
    124. 

  124.     my ($cwd, $exe, $comm) = ('','','');
    125. 

  125.     open(my $fh, '<', $self->{path});
    126. 

  126.     LINE: while (<$fh>) {
    127. 

  127.         next if index( $_, 'SYSCALL') < 0 && !$in_block;
    128. 

  128. 

  129.         # I am trying to cheat here to snag the timestamp.
    130. 

  130.         my $msg_start = index($_, 'msg=audit(') + 10;
    131. 

  131.         my $msg_end   = index($_, ':');
    132. 

  132.         my $timestamp = substr($_, $msg_start, $msg_end - $msg_start);
    133. 

  133.         next if $options{older} && $timestamp > $options{older};
    134. 

  134.         next if $options{newer} && $timestamp < $options{newer};
    135. 

  135. 

  136.         # Snag CWDs
    137. 

  137.         if ( index( $_, 'type=CWD') == 0) {
    138. 

  138.             my $cwd_start = index($_, 'cwd="') + 5;
    139. 

  139.             my $cwd_end   = index($_, "\n") - 1;
    140. 

  140.             $cwd = substr($_, $cwd_start, $cwd_end - $cwd_start);
    141. 

  141.             $line++;
    142. 

  142.             next;
    143. 

  143.         }
    144. 

  144. 

  145.         # Replace GROUP SEPARATOR usage with simple spaces
    146. 

  146.         s/[\x1D]/ /g;
    147. 

  147. 

  148.         my %parsed = map {
    149. 

  149.             my @out = split(/=/, $_);
    150. 

  150.             shift @out, join('=',@out)
    151. 

  151.         } grep { $_ } map {
    152. 

  152.             my $subj = $_;
    153. 

  153.             $subj =~ s/"//g;
    154. 

  154.             chomp $subj;
    155. 

  155.             $subj
    156. 

  156.         } split(/ /,$_);
    157. 

  157. 

  158.         $line++;
    159. 

  159.         $parsed{line}      = $line;
    160. 

  160.         $parsed{timestamp} = $timestamp;
    161. 

  161.         $parsed{cwd}       = $cwd;
    162. 

  162.         $parsed{exe}       //= $exe;
    163. 

  163.         $parsed{comm}      //= $comm;
    164. 

  164. 

  165.         if (exists $options{key} && $parsed{type} eq 'SYSCALL') {
    166. 

  166.             $in_block = $parsed{key} =~ $options{key};
    167. 

  167.             $exe = $parsed{exe};
    168. 

  168.             $comm = $parsed{comm};
    169. 

  169.             $cwd = '';
    170. 

  170.             next unless $in_block;
    171. 

  171.         }
    172. 

  172. 

  173.         # Check constraints BEFORE filtering returned values, this is a WHERE clause
    174. 

  174.         CONSTRAINT: foreach my $constraint (keys(%options)) {
    175. 

  175.             next CONSTRAINT if !exists $parsed{$constraint};
    176. 

  176.             next LINE if $parsed{$constraint} !~ $options{$constraint};
    177. 

  177.         }
    178. 

  178. 

  179.         # Filter fields for RETURNING clause
    180. 

  180.         if (@{$self->{returning}}) {
    181. 

  181.             foreach my $field (keys(%parsed)) {
    182. 

  182.                 delete $parsed{$field} unless grep { $field eq $_ } @{$self->{returning}};
    183. 

  183.             }
    184. 

  184.         }
    185. 

  185.         push(@$ret,\%parsed);
    186. 

  186.     }
    187. 

  187.     close($fh);
    188. 

  188.     return $ret;
    189. 

  189. }
    190. 

  190. 

  191. 1;
    192.