审计守护进程不从 audit.rules 中获取规则

【问题标题】:Audit daemon does not take rules from audit.rules审计守护进程不从 audit.rules 中获取规则
【发布时间】:2019-10-13 16:37:54
【问题描述】:

我无法使用 /etc/audit/audit.rules 向审核守护程序添加规则 每次我使用 auditctl 添加规则时,它都会在重新启动或审核守护程序重新启动时被删除我已附加 /etc/audit/audit.rules 和 /etc/audit/auditd.conf cat /etc/audit/auditd.conf 

$ cat /etc/audit/auditd.conf 
#
# This file controls the configuration of the audit daemon
#

local_events = yes
write_logs = yes
log_file = /NU_Application/audit.log
log_group = root
log_format = RAW
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
priority_boost = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 22
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no

cat /etc/audit/audit.rules 

$ cat /etc/audit/audit.rules 
## First rule - delete all

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determine how long to wait in burst of events
--backlog_wait_time 0

## Set failure mode to syslog
-f 1
-w /var/log/lastlog -p wa
root@iWave-G22M:~# auditctl

当我重新启动审核守护程序(即 /etc/init.d/auditd restart )并尝试列出规则时,我收到消息 No rules

$ /etc/init.d/auditd restart
Restarting audit daemon auditd
type=1305 audit(1558188111.980:3): audit_pid=0 old=1148 auid=4294967295 ses=4294967295
 res=1
type=1305 audit(1558188112.010:4): audit_enabled=1 old=1 auid=4294967295 ses=4294967295
 res=1
type=1305 audit(1558188112.020:5): audit_pid=30342 old=0 auid=4294967295 ses=4294967295
 res=1
1
$ auditctl -l               
No rules

操作系统信息

$ uname -a
Linux iWave-G22M 3.10.31-ltsi-svn743 #5 SMP PREEMPT Mon May 27 18:28:01 IST 2019 armv7l GNU/Linux

audit_2.8.4.bb 文件用于通过 yocto 安装 auditd 守护进程 audit_2.8.4.bb 路径 -- http://git.yoctoproject.org/cgit/cgit.cgi/meta-selinux/tree/recipes-security/audit/audit_2.8.4.bb?h=master

【问题讨论】:

    标签: yocto audit


    【解决方案1】:

    通过 /etc/audit/audit.rulesauditctl 命令添加的审核规则不是永久性的。要使它们在重新启动后永久存在,您必须添加它们 /etc/audit/rules.d/audit.rules 文件。 添加规则后,重新启动auditd服务并运行命令auditctl -l,它将列出所有规则并反映在/etc/audit/audit.rules 文件。

    【讨论】:

      猜你喜欢
      • 2018-11-20
      • 2016-10-08
      • 2014-12-11
      • 1970-01-01
      • 2016-12-21
      • 2013-10-07
      • 2023-03-02
      • 2020-07-28
      • 2017-07-13
      相关资源
      最近更新 更多
      热门标签
      Java Python linux javascript Mysql C# Docker 算法 前端 SpringBoot Redis Vue spring 设计模式 .net core .net kubernetes c++ 数据库 数据结构 大数据 js 机器学习 微服务 Android Go 程序员 面试 JVM ASP.net core 云原生 人工智能 后端 PHP git CSS golang k8s Nginx Django mybatis 深度学习 多线程 React 架构 devops 爬虫 云计算 Spring Boot LeetCode