Linux audit security auditing tool
/**********************************************************************
 *                    Linux audit security auditing tool
 * Notes:
 *     Came across security auditing today and had a look; it turns out
 *     the kernel has support for it built in.
 *
 *                              2018-4-23 深圳 宝安西乡 曾剑锋
 *********************************************************************/

I. References:
    1. Unable to open /sbin/audispd (No such file or directory)
       https://bugzilla.redhat.com/show_bug.cgi?id=207627

II. Error - audit support not in kernel

    auditd prints this and refuses to start when the running kernel was built
    without the audit subsystem. The fix is in the kernel configuration: in
    menuconfig, under General setup, turn on "Auditing support" (CONFIG_AUDIT)
    and, beneath it, "Enable system-call auditing support"
    (CONFIG_AUDITSYSCALL). The second option is what makes auditctl syscall
    rules and file watches (-w) actually do anything; with CONFIG_AUDIT alone
    the daemon attaches but only receives the kernel's own events. The screen
    below (ncurses line-drawing characters cleaned up) shows both options
    selected. "Kernel .config support" with /proc/config.gz is enabled too,
    which lets the running kernel's configuration be checked from user space.

    General setup --->
        [*] open by fhandle syscalls
        [*] uselib syscall
        [*] Auditing support                                <---------------------
        [*]   Enable system-call auditing support
              IRQ subsystem --->
              Timers subsystem --->
              CPU/Task time and stats accounting --->
              RCU Subsystem --->
        <*> Kernel .config support
        [*]   Enable access to .config through /proc/config.gz

III. Running tests:
    1. Command test (auditd -f keeps the daemon in the foreground and echoes
       its debug output to the terminal, which is the easiest way to see why
       it fails on an embedded box):

[buildroot@root ~]# auditd -f
Config file /etc/audit/auditd.conf opened for parsing
local_events_parser called with: yes
write_logs_parser called with: yes
audit: type=1305 audit(61.430:2): audit_pid=283 old=0 auid=4294967295 ses=4294967295 res=1
log_file_parser called with: /var/log/audit/audit.log
log_group_parser called with: root
log_format_parser called with: RAW
flush_parser called with: INCREMENTAL_ASYNC
freq_parser called with: 50
max_log_size_parser called with: 8
num_logs_parser called with: 5
priority_boost_parser called with: 4
qos_parser called with: lossy
dispatch_parser called with: /usr/sbin/audispd
name_format_parser called with: NONE
max_log_size_action_parser called with: ROTATE
space_left_parser called with: 75
space_action_parser called with: SYSLOG
action_mail_acct_parser called with: root
admin_space_left_parser called with: 50
admin_space_left_action_parser called with: SUSPEND
disk_full_action_parser called with: SUSPEND
disk_error_action_parser called with: SUSPEND
use_libwrap_parser called with: yes
tcp_listen_queue_parser called with: 5
tcp_max_per_addr_parser called with: 1
tcp_client_max_idle_parser called with: 0
enable_krb5_parser called with: no
GSSAPI support is not enabled, ignoring value at line 33
krb5_principal_parser called with: auditd
GSSAPI support is not enabled, ignoring value at line 34
distribute_network_parser called with: no
Started dispatcher: /usr/sbin/audispd pid: 285
type=DAEMON_START msg=audit(61.435:1106): op=start ver=2.7.1 format=raw kernel=4.1.15+g30278ab auid=4294967295 pid=283 uid=0 ses=4294967295 res=success
config_manager init complete
dispatcher 285 reaped
Init complete, auditd 2.7.1 listening for events (startup state enable)

       Reading the output: the "audit: type=1305 ..." line is a kernel printk
       (it landed in the middle of write_logs_parser's output on the serial
       console); type 1305 is CONFIG_CHANGE, and audit_pid=283 old=0 res=1
       means the kernel accepted this auditd as its audit daemon. auditd then
       writes its own DAEMON_START record with res=success. auid=4294967295 is
       (uid_t)-1, the value of a login UID that was never set; that is normal
       for a daemon started at boot, not an error. The dispatcher being reaped
       right after it starts does not affect local logging, since auditd
       writes /var/log/audit/audit.log itself; it only matters if audisp
       plugins (remote logging, for example) are expected to receive events.
    2. Autostart at boot:

[buildroot@root ~]# ps aux | grep audit
  168 root     /usr/sbin/auditd
  171 root     [kauditd]
  283 root     grep audit
[buildroot@root ~]# aureport -m

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================
<no events of interest were found>
[buildroot@root ~]#

       auditd came up from the init scripts (pid 168). [kauditd] is the kernel
       thread that hands queued records to the daemon; it exists whenever the
       kernel was built with CONFIG_AUDIT, so its presence alone does not
       prove auditd is running. The empty aureport -m output is expected: -m
       summarizes only account-modification events, and nothing has touched
       users or groups on this freshly booted system. To confirm the daemon
       is receiving events at all, look for the DAEMON_START record in
       /var/log/audit/audit.log (the log_file path parsed above), or load a
       rule with auditctl and check that it shows up in auditctl -l.
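The two checks the post does by hand, whether the kernel was built with audit support (section II) and whether auditd actually attached to it (section III), as an added shell example that is not from the original post. The kernel .config fragments are constructed; the two audit records are the ones printed by auditd -f above. The function names (audit_config_ok, audit_field, auid_unset, auditd_attached) are this example's own, not audit tooling.

```shell
#!/bin/sh
# Added example, not from the original post: verify that the kernel was built
# with audit support and that auditd really attached to the kernel audit
# subsystem, using only POSIX sh, grep and sed (suitable for a buildroot box).

# Constructed sample: fragment of a kernel .config. On a kernel built as in
# the menuconfig screen above (CONFIG_IKCONFIG_PROC=y) the live config is
# read with:  zcat /proc/config.gz | audit_config_ok
SAMPLE_CONFIG='CONFIG_AUDIT=y
CONFIG_AUDITSYSCALL=y
CONFIG_IKCONFIG=y
CONFIG_IKCONFIG_PROC=y'

# Constructed sample: the config of a kernel that makes auditd fail with
# "Error - audit support not in kernel".
SAMPLE_CONFIG_NOAUDIT='# CONFIG_AUDIT is not set
CONFIG_IKCONFIG=y'

# audit_config_ok: read a kernel .config on stdin; return 0 only when
# CONFIG_AUDIT ("Auditing support") and CONFIG_AUDITSYSCALL ("Enable
# system-call auditing support") are both built in (=y). A line of the form
# "# CONFIG_AUDIT is not set" and a missing line both count as disabled.
audit_config_ok() {
    cfg=$(cat)
    for opt in CONFIG_AUDIT CONFIG_AUDITSYSCALL; do
        printf '%s\n' "$cfg" | grep -q "^$opt=y\$" || return 1
    done
    return 0
}

# Sample records copied from the auditd -f session above. Type 1305 is
# CONFIG_CHANGE, emitted by the kernel when a daemon registers its pid (the
# kernel printk shows the number; in audit.log the same record appears as
# type=CONFIG_CHANGE). DAEMON_START is written by auditd itself.
SAMPLE_RECORDS='type=1305 audit(61.430:2): audit_pid=283 old=0 auid=4294967295 ses=4294967295 res=1
type=DAEMON_START msg=audit(61.435:1106): op=start ver=2.7.1 format=raw kernel=4.1.15+g30278ab auid=4294967295 pid=283 uid=0 ses=4294967295 res=success'

# audit_field RECORD KEY: print the value of KEY from one raw audit record.
# Fields are space-separated key=value tokens; the match is anchored so that
# asking for "pid" does not return the "audit_pid" field.
audit_field() {
    printf '%s\n' "$1" | tr ' ' '\n' | sed -n "s/^$2=//p" | head -n 1
}

# auid_unset UID: the kernel reports a login UID that was never set as
# (uid_t)-1, i.e. 4294967295. A daemon started at boot shows exactly that.
auid_unset() {
    [ "$1" = 4294967295 ]
}

# auditd_attached RECORDS: return 0 when the kernel confirmed a new audit_pid
# (CONFIG_CHANGE with a non-zero audit_pid and res=1) and auditd reported its
# own start as successful (DAEMON_START with res=success). RECORDS may be a
# whole log, e.g. "$(cat /var/log/audit/audit.log)".
auditd_attached() {
    kernel=$(printf '%s\n' "$1" | grep -E '^type=(1305|CONFIG_CHANGE) ' | head -n 1 || true)
    daemon=$(printf '%s\n' "$1" | grep '^type=DAEMON_START ' | head -n 1 || true)
    [ -n "$kernel" ] && [ -n "$daemon" ] || return 1
    [ "$(audit_field "$kernel" audit_pid)" != 0 ] || return 1
    [ "$(audit_field "$kernel" res)" = 1 ] || return 1
    [ "$(audit_field "$daemon" res)" = success ] || return 1
}

# Stand-alone run over the constructed samples.
main() {
    if printf '%s\n' "$SAMPLE_CONFIG" | audit_config_ok; then
        echo "sample kernel: audit support built in"
    fi
    if ! printf '%s\n' "$SAMPLE_CONFIG_NOAUDIT" | audit_config_ok; then
        echo "sample kernel without CONFIG_AUDIT: auditd would refuse to start"
    fi
    if auditd_attached "$SAMPLE_RECORDS"; then
        first=$(printf '%s\n' "$SAMPLE_RECORDS" | head -n 1)
        echo "auditd attached as pid $(audit_field "$first" audit_pid)"
    fi
}
main
```

On a live system the same functions run over real input: `zcat /proc/config.gz | audit_config_ok` answers the section II question before auditd is even installed, and `auditd_attached "$(cat /var/log/audit/audit.log)"` answers the section III one without relying on aureport, whose report types are empty until matching events occur.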