在 Centos7 上生成 /etc/audit/audit.rules 的正確方法是什麼?
/etc/audit/audit.rules在Centos7的頂部,它告訴我:## This file is automatically generated from /etc/audit/rules.d好的,所以我去看看,發現
/etc/audit/rules.d/audit.rules。它有以下行# Feel free to add below this line. See auditctl man page我做了,發現看起來可能是選項:
-R file Read rules from a file. The rules must be 1 per line and in the order that they are to be executed in. The rule file must be owned by root and not readable by other users or it will be rejected. The rule file may have comments embedded by starting the line with a '#' character. Rules that are read from a file are identical to what you would type on a command line except they are not preceded by auditctl (since auditctl is the one executing the file) and you would not use shell escaping since auditctl is reading the file instead of bash.但是我跑了
auditctl -R /etc/audit/rules.d/audit.rules這似乎工作,但它沒有做任何事情/etc/audit/audit.rules。重新生成該文件的正確方法是什麼?
實用程序 augenrules 從 /etc/audit/rules.d 目錄中的 *.rules 文件建構 /etc/audit/audit.rules。
該實用程序是從 auditd 服務呼叫的(或者您可以手動呼叫它,然後載入您發現的規則文件 - 但重新啟動服務更簡單)。
我不記得 auditd 系統不能原生使用 systemd 的原因。檢查 linux-audit@redhat.com 郵件列表存檔。
文件中規則的重新生成
/etc/audit/audit.rules使用/etc/audit/rules.d/. RHEL7/CentOS7 就是這種情況,如果有記憶,RHEL6/CentOS6 也是如此。以 root 身份或使用 sudo 執行以下操作:
sudo augenrules --check如果檢測到更改,請更新:
sudo augenrules --load對文件所做的任何更改
/etc/audit/rules.d/現在也應該顯示在/etc/audit/audit.rules.要確保任何更改都處於活動狀態,請重新啟動 auditd:
sudo systemctl restart auditd檢查更改是否處於活動狀態/正在使用中:
sudo auditctl -l | grep -i [your change value]如果未找到更改,則 auditd 可能在“不可變”模式下執行,這意味著您必須重新啟動才能使任何更改變為活動狀態,因為“不可變”不允許在執行系統上進行審計更改,即使是 root。如果執行 ‘immutable’,任何 auditd 重新啟動嘗試都將失敗,並且 ‘systemctl’ 應該提醒您注意這一事實。