配置audit规则
auditctl -a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
auditctl -a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
auditctl -a always,exit -F arch=b64 -S clock_settime -k time-change
auditctl -a always,exit -F arch=b32 -S clock_settime -k time-change
auditctl -w /usr/sbin/ntpdate -p warx -k ntpdate_use
检查规则是否配置完整
[root@k8s-master01 ~]# auditctl -l
-a always,exit -F arch=b64 -S adjtimex,settimeofday -F key=time-change
-a always,exit -F arch=b32 -S stime,settimeofday,adjtimex -F key=time-change
-a always,exit -F arch=b64 -S clock_settime -F key=time-change
-a always,exit -F arch=b32 -S clock_settime -F key=time-change
-w /usr/sbin/ntpdate -p rwxa -k ntpdate_use
[root@k8s-master01 ~]#
以上配置完成,后续只需要查看ausearch -k time-change和ausearch -k ntpdate_use 有没有数据
以下是常用命令捕捉测试
检查 是否捕捉到
可以看到每分钟有执行ntpdate
time->Wed Feb 8 23:01:01 2023
type=PROCTITLE msg=audit(1675868461.268:2562): proctitle=2F7573722F7362696E2F6E747064617465006E74702E616C6979756E2E636F6D
type=PATH msg=audit(1675868461.268:2562): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=36467 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1675868461.268:2562): item=0 name="/usr/sbin/ntpdate" inode=2276 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1675868461.268:2562): cwd="/root"
type=EXECVE msg=audit(1675868461.268:2562): argc=2 a0="/usr/sbin/ntpdate" a1="ntp.aliyun.com"
type=SYSCALL msg=audit(1675868461.268:2562): arch=c000003e syscall=59 success=yes exit=0 a0=2442cc0 a1=2442d90 a2=2441cf0 a3=7ffd053f07e0 items=2 ppid=10287 pid=10289 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=42 comm="ntpdate" exe="/usr/sbin/ntpdate" key="ntpdate_use"
----
time->Wed Feb 8 23:01:01 2023
type=PROCTITLE msg=audit(1675868461.270:2563): proctitle=2F7573722F7362696E2F6E747064617465006E7470312E616C6979756E2E636F6D
type=PATH msg=audit(1675868461.270:2563): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=36467 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1675868461.270:2563): item=0 name="/usr/sbin/ntpdate" inode=2276 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1675868461.270:2563): cwd="/root"
type=EXECVE msg=audit(1675868461.270:2563): argc=2 a0="/usr/sbin/ntpdate" a1="ntp1.aliyun.com"
type=SYSCALL msg=audit(1675868461.270:2563): arch=c000003e syscall=59 success=yes exit=0 a0=1f4ed80 a1=1f4eec0 a2=1f4dd10 a3=7fffd2688c60 items=2 ppid=10290 pid=10291 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=44 comm="ntpdate" exe="/usr/sbin/ntpdate" key="ntpdate_use"
You have new mail in /var/spool/mail/root
1.【不必要操作】停止chrony,将/usr/sbin/ntpdate改为ntpdate_bak
mv /usr/sbin/ntpdate /usr/sbin/ntpdate_bak
修改之后没有调用了。使用ntpdate_bak进行同步
[root@k8s-master01 ~]# /usr/sbin/ntpdate_bak 203.107.6.88
8 Feb 23:10:29 ntpdate_bak[12630]: adjust time server 203.107.6.88 offset -0.015085 sec
返回结果,捕捉到ntpdate_bak命令
----
time->Wed Feb 8 23:07:09 2023
type=PROCTITLE msg=audit(1675868829.639:2982): proctitle=2F7573722F7362696E2F6E747064617465006E7470312E616C6979756E2E636F6D
type=SYSCALL msg=audit(1675868829.639:2982): arch=c000003e syscall=159 success=yes exit=0 a0=7fff684fadc0 a1=7fff684faf50 a2=861 a3=2c items=0 ppid=11794 pid=11795 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=50 comm="ntpdate" exe="/usr/sbin/ntpdate" key="time-change"
----
time->Wed Feb 8 23:08:09 2023
type=PROCTITLE msg=audit(1675868889.792:3051): proctitle=2F7573722F7362696E2F6E747064617465006E7470312E616C6979756E2E636F6D
type=SYSCALL msg=audit(1675868889.792:3051): arch=c000003e syscall=159 success=yes exit=0 a0=7ffdbaae2a20 a1=7ffdbaae2bb0 a2=861 a3=80 items=0 ppid=12027 pid=12028 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=51 comm="ntpdate" exe="/usr/sbin/ntpdate" key="time-change"
----
time->Wed Feb 8 23:10:29 2023
type=PROCTITLE msg=audit(1675869029.346:3214): proctitle=2F7573722F7362696E2F6E7470646174655F62616B003230332E3130372E362E3838
type=SYSCALL msg=audit(1675869029.346:3214): arch=c000003e syscall=159 success=yes exit=0 a0=7fffe3165ce0 a1=7fffe3165e70 a2=861 a3=ca items=0 ppid=1548 pid=12630 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="ntpdate_bak" exe="/usr/sbin/ntpdate_bak" key="time-change"
2.开启chrony同步
可以看到chrony进程在同步时间
time->Wed Feb 8 23:15:04 2023
type=PROCTITLE msg=audit(1675869304.024:3538): proctitle="/usr/sbin/chronyd"
type=SYSCALL msg=audit(1675869304.024:3538): arch=c000003e syscall=159 success=yes exit=0 a0=7fff322f52d0 a1=0 a2=ffffffffffe4367c a3=7f7b6 items=0 ppid=1 pid=13494 auid=4294967295 uid=998 gid=996 euid=998 suid=998 fsuid=998 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" key="time-change"
----
time->Wed Feb 8 23:15:04 2023
type=PROCTITLE msg=audit(1675869304.024:3539): proctitle="/usr/sbin/chronyd"
type=SYSCALL msg=audit(1675869304.024:3539): arch=c000003e syscall=159 success=yes exit=0 a0=7fff322f52e0 a1=0 a2=ffffffffffd67af8 a3=7f7b8 items=0 ppid=1 pid=13494 auid=4294967295 uid=998 gid=996 euid=998 suid=998 fsuid=998 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" key="time-change"
----
time->Wed Feb 8 23:15:04 2023
type=PROCTITLE msg=audit(1675869304.024:3540): proctitle="/usr/sbin/chronyd"
type=SYSCALL msg=audit(1675869304.024:3540): arch=c000003e syscall=159 success=yes exit=0 a0=7fff322f53d0 a1=1 a2=0 a3=7f7b8 items=0 ppid=1 pid=13494 auid=4294967295 uid=998 gid=996 euid=998 suid=998 fsuid=998 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" key="time-change"
----
time->Wed Feb 8 23:15:12 2023
type=PROCTITLE msg=audit(1675869312.261:3544): proctitle="/usr/sbin/chronyd"
type=SYSCALL msg=audit(1675869312.261:3544): arch=c000003e syscall=159 success=yes exit=0 a0=7fff322f5d40 a1=0 a2=ffffffffffe4371b a3=7fcea items=0 ppid=1 pid=13494 auid=4294967295 uid=998 gid=996 euid=998 suid=998 fsuid=998 egid=996 sgid=996 fsgid=996 tty=(none) ses=4294967295 comm="chronyd" exe="/usr/sbin/chronyd" key="time-change"
[root@k8s-master01 ~]# ausearch -k time-change
3.使用date命令修改时间
[root@k8s-master01 ~]# date
Wed Feb 8 23:19:07 CST 2023
[root@k8s-master01 ~]# date -s'23:00'
Wed Feb 8 23:00:00 CST 2023
[root@k8s-master01 ~]# date
Wed Feb 8 23:00:01 CST 2023
捕捉到
time->Wed Feb 8 23:19:13 2023
type=PROCTITLE msg=audit(1675869553.273:3831): proctitle=64617465002D7332333A3030
type=SYSCALL msg=audit(1675869553.273:3831): arch=c000003e syscall=227 success=yes exit=0 a0=0 a1=7ffe77accae0 a2=1 a3=7ffe77acc4e0 items=0 ppid=1548 pid=14812 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=2 comm="date" exe="/usr/bin/date" key="time-change"
[root@k8s-master01 ~]# ausearch -k time-change
4.timedatectl修改时间
[root@localhost ~]# timedatectl set-time 9:45
[root@localhost ~]# date
date
Wed Feb 8 09:45:01 WIB 2023
捕捉到
time->Wed Feb 8 22:44:13 2023
type=PROCTITLE msg=audit(1675871053.000:116): proctitle="/usr/lib/systemd/systemd-timedated"
type=SYSCALL msg=audit(1675871053.000:116): arch=c000003e syscall=227 success=yes exit=0 a0=0 a1=7fffc8bc5e40 a2=0 a3=0 items=0 ppid=1 pid=1622 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="systemd-timedat" exe="/usr/lib/systemd/systemd-timedated" subj=system_u:system_r:systemd_timedated_t:s0 key="time-change"
标签:audit,ntpdate,捕捉,usr,time,msg,type,时钟
From: https://www.cnblogs.com/lianshanspeak/p/17103773.html