At the top of /etc/audit/audit.rules on CentOS 7 it tells me:
## This file is automatically generated from /etc/audit/rules.d
OK, so I go and take a look, and find /etc/audit/rules.d/audit.rules. It has the following line:
# Feel free to add below this line. See auditctl man page
I did, and found what looked like it might be the option:
-R file
Read rules from a file. The rules must be 1 per line and in the order that they are to be executed in. The rule file must be
owned by root and not readable by other users or it will be rejected. The rule file may have comments embedded by starting
the line with a '#' character. Rules that are read from a file are identical to what you would type on a command line except
they are not preceded by auditctl (since auditctl is the one executing the file) and you would not use shell escaping since
auditctl is reading the file instead of bash.
But I ran auditctl -R /etc/audit/rules.d/audit.rules
That seemed to work, but it did nothing to /etc/audit/audit.rules.
What is the correct way to regenerate that file?
The augenrules utility builds /etc/audit/audit.rules from the *.rules files in the /etc/audit/rules.d directory.
The utility is invoked from the auditd service (or you can call it manually and then load the rules file you found, but restarting the service is simpler).
I don't remember the reason why the auditd system can't natively use systemd. Check the [email protected] mailing list archives.
Regeneration of the rules in the file /etc/audit/audit.rules uses /etc/audit/rules.d/. This is the case for RHEL7/CentOS7 and, if memory serves, RHEL6/CentOS6 as well. As root, or using sudo, do the following:
sudo augenrules --check
If changes are detected, update:
sudo augenrules --load
Any changes made to files in /etc/audit/rules.d/ should now also show up in /etc/audit/audit.rules. To make sure any changes are active, restart auditd:
sudo systemctl restart auditd
Check that the changes are active/in use:
sudo auditctl -l | grep -i [your change value]
If the change isn't found, auditd may be running in 'immutable' mode, which means you will have to reboot for any changes to become active, because 'immutable' won't allow audit changes on a running system, even by root. If running 'immutable', any attempt to restart auditd will fail, and 'systemctl' should alert you to that fact.
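The procedure in this answer (augenrules --check / --load, verifying with auditctl -l, and the 'immutable' caveat) as an added shell example, not code from either answer. It reads the "enabled" field of `auditctl -s` (0 off, 1 on, 2 immutable) to decide whether a live load is even possible; the sample status and rule-list text at the bottom is constructed so the decision logic can be exercised without root.

```shell
#!/bin/sh
# Added example, not from the original answers. Decides how to apply edits made
# under /etc/audit/rules.d using the "enabled" field of `auditctl -s`:
#   enabled 0  auditing off   enabled 1  rules can be loaded live
#   enabled 2  immutable (set with -e 2): kernel refuses new rules until reboot
# Status and rule-list text are passed as arguments so the logic is testable.

audit_plan() {
    # $1: text of `auditctl -s`; prints one word: reload | reboot | enable | unknown
    enabled=$(printf '%s\n' "$1" | awk '$1 == "enabled" { print $2 }')
    case "$enabled" in
        2) echo reboot ;;
        1) echo reload ;;
        0) echo enable ;;
        *) echo unknown ;;
    esac
}

rule_active() {
    # $1: text of `auditctl -l`; $2: rule to look for, matched as a fixed string
    # (an unquoted `grep -i [value]` would let the shell glob the brackets)
    printf '%s\n' "$1" | grep -qF -- "$2"
}

apply_rules() {
    # Live workflow for the host (needs root): merge rules.d into audit.rules,
    # load the result into the kernel, then confirm the rule in $1 is present.
    status=$(auditctl -s) || return 1
    plan=$(audit_plan "$status")
    case "$plan" in
        reboot) echo "audit is immutable: changes apply only after a reboot" >&2; return 2 ;;
        reload) augenrules --check
                augenrules --load || return 1   # --load runs auditctl -R on the merged file
                rule_active "$(auditctl -l)" "$1" ;;
        *)      echo "unexpected audit status: $plan" >&2; return 1 ;;
    esac
}

# Constructed sample output shaped like `auditctl -s` / `auditctl -l` on RHEL/CentOS 7.
STATUS_LIVE='enabled 1
failure 1
pid 812'
STATUS_IMMUTABLE='enabled 2
failure 1
pid 812'
RULES_LOADED='-w /etc/passwd -p wa -k identity
-w /etc/audit/ -p wa -k auditconfig'
```

Call `apply_rules '-w /etc/passwd -p wa -k identity'` as root on a host where that rule has been added under rules.d; exit status 2 means a reboot is required, 0 means the rule is loaded and visible.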