Auditd audit service: rule configuration and log queries
Auditing files
1. Add rules (temporary, lost on reboot)
auditctl -w /etc/hosts -p wa -k hosts
auditctl -w /etc/fstab -p wa -k fstab
auditctl -w /etc/passwd -p wa -k passwd
auditctl -w /etc/shadow -p wa -k shadow
Persist the rules
cat >/etc/audit/rules.d/audit.rules<<EOF
-w /etc/hosts -p wa -k hosts
-w /etc/fstab -p wa -k fstab
-w /etc/passwd -p wa -k passwd
-w /etc/shadow -p wa -k shadow
EOF
service auditd restart
2. List all rules
auditctl -l
3. Query the audit log
ausearch -k hosts
ausearch -k fstab
ausearch -k passwd
ausearch -k shadow
4. Delete specific rules
auditctl -D -k hosts
auditctl -D -k fstab
auditctl -D -k passwd
auditctl -D -k shadow
5. Delete all rules
auditctl -D
Auditing command execution
1. Add rules (temporary, lost on reboot)
auditctl -a exit,always -F arch=b32 -S execve -k commands
auditctl -a exit,always -F arch=b64 -S execve -k commands
Audit only the user with a specific UID
auditctl -a exit,always -F arch=b32 -F euid=1000 -S execve -k user1-commands
auditctl -a exit,always -F arch=b64 -F euid=1000 -S execve -k user1-commands
Persist the rules
cat >/etc/audit/rules.d/audit.rules<<EOF
-a exit,always -F arch=b32 -S execve -k commands
-a exit,always -F arch=b64 -S execve -k commands
EOF
service auditd restart
2. List all rules
auditctl -l
3. Query the audit log
ausearch -k commands
ausearch -k user1-commands
4. Query commands executed by a specific user (by effective UID)
ausearch -ue 0
ausearch -ue 1000
5. Delete specific rules
auditctl -D -k commands
auditctl -D -k user1-commands
6. Delete all rules
auditctl -D
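Note that both "Persist the rules" steps above write the same file, /etc/audit/rules.d/audit.rules, with cat >, so the second heredoc overwrites the first; to keep both the file watches and the execve rules, put them in one file or in separate files under rules.d.

The queries in both sections (ausearch -k for the file watches and for the execve rules) return raw audit records that take some work to read. The script below is an added example, not code from the original post: it parses the raw record format written to /var/log/audit/audit.log (and printed by ausearch --raw), groups records by event serial, and reports for each keyed event who acted (auid, euid, exe), which watched file was touched, and the executed argv, decoding the hex that auditd uses for arguments containing spaces. The sample log embedded at the bottom is constructed for the example, not a real capture.

```python
#!/usr/bin/env python3
"""Summarise raw auditd records by rule key (added example, not the post's code).
Parses audit.log / `ausearch --raw` records, groups them by event serial and
reports actor, touched paths and decoded argv.  SAMPLE_LOG is constructed."""
import re

# "field=value" pairs; a value is a double-quoted string or an unquoted token
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# record header: type=<TYPE> msg=audit(<seconds>.<millis>:<serial>):
HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):")
# string fields auditd hex-encodes (unquoted) when they contain spaces/quotes
HEX_STRING_FIELDS = {"name", "cwd", "proctitle"}


def decode_value(rtype, field, raw):
    """Strip quotes from quoted values; hex-decode EXECVE argv and path-like
    fields that arrive unquoted.  SYSCALL a0..a3 are register values, not
    strings, so they are deliberately left as-is."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    is_string_field = field in HEX_STRING_FIELDS or (
        rtype == "EXECVE" and re.fullmatch(r"a\d+", field) is not None
    )
    if is_string_field and re.fullmatch(r"(?:[0-9A-Fa-f]{2})+", raw):
        return bytes.fromhex(raw).decode("utf-8", errors="replace")
    return raw


def parse_line(line):
    """Return (type, timestamp, serial, fields) or None for non-audit lines."""
    m = HEADER_RE.match(line)
    if m is None:
        return None
    rtype, ts, serial = m.group(1), float(m.group(2)), int(m.group(3))
    fields = {k: decode_value(rtype, k, v) for k, v in FIELD_RE.findall(line[m.end():])}
    return rtype, ts, serial, fields


def group_events(lines):
    """Records that share a serial belong to one event; keep them together."""
    events = {}
    for line in lines:
        parsed = parse_line(line.strip())
        if parsed is None:
            continue
        rtype, ts, serial, fields = parsed
        ev = events.setdefault(serial, {"serial": serial, "time": ts, "records": []})
        ev["records"].append((rtype, fields))
    return [events[s] for s in sorted(events)]


def summarize(events):
    """One summary per event whose SYSCALL record carries a rule key."""
    out = []
    for ev in events:
        syscall = next((f for t, f in ev["records"] if t == "SYSCALL"), None)
        if syscall is None or syscall.get("key", "(null)") == "(null)":
            continue
        summary = {
            "serial": ev["serial"],
            "key": syscall["key"],
            "auid": syscall.get("auid"),  # login uid; survives su/sudo
            "euid": syscall.get("euid"),
            "exe": syscall.get("exe"),
            "success": syscall.get("success") == "yes",
            "argv": None,
            "paths": [f["name"] for t, f in ev["records"]
                      if t == "PATH" and f.get("nametype") in ("NORMAL", "CREATE", "DELETE")],
        }
        execve = next((f for t, f in ev["records"] if t == "EXECVE"), None)
        if execve is not None:
            argc = int(execve.get("argc", "0"))
            summary["argv"] = [execve.get(f"a{i}", "") for i in range(argc)]
        out.append(summary)
    return out


def by_key(summaries, key):
    """Same selection as `ausearch -k <key>`, over the parsed summaries."""
    return [s for s in summaries if s["key"] == key]


# Constructed sample shaped like real audit.log records: a root edit of
# /etc/passwd, a shell command with a hex-encoded argument, and a denied
# open of /etc/shadow by uid 1000.
SAMPLE_LOG = """
type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=257 success=yes exit=3 a0=ffffff9c a1=55d0c0ab1234 a2=241 a3=1b6 items=2 ppid=2301 pid=2310 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="vi" exe="/usr/bin/vi" key="passwd"
type=CWD msg=audit(1700000000.101:201): cwd="/root"
type=PATH msg=audit(1700000000.101:201): item=0 name="/etc/" inode=2 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1700000000.101:201): item=1 name="/etc/passwd" inode=3345 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.456:202): arch=c000003e syscall=59 success=yes exit=0 a0=55e0c0ab0100 a1=55e0c0ab0200 a2=55e0c0ab0300 a3=8 items=2 ppid=2310 pid=2400 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="commands"
type=EXECVE msg=audit(1700000000.456:202): argc=3 a0="bash" a1="-c" a2=6C73202D6C61202F746D70
type=PATH msg=audit(1700000000.456:202): item=0 name="/usr/bin/bash" inode=1201 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1700000001.789:203): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55d0c0ab5678 a2=241 a3=1b6 items=1 ppid=2310 pid=2450 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="bash" exe="/usr/bin/bash" key="shadow"
type=PATH msg=audit(1700000001.789:203): item=0 name="/etc/shadow" inode=3346 dev=fd:01 mode=0100640 ouid=0 ogid=42 rdev=00:00 nametype=NORMAL
"""

if __name__ == "__main__":
    for s in summarize(group_events(SAMPLE_LOG.splitlines())):
        what = " ".join(s["argv"]) if s["argv"] else ", ".join(s["paths"])
        print(f'{s["serial"]} key={s["key"]} auid={s["auid"]} euid={s["euid"]} '
              f'ok={s["success"]} exe={s["exe"]} :: {what}')
```

To use it on a live system, replace SAMPLE_LOG.splitlines() with the lines of /var/log/audit/audit.log or the output of ausearch --raw -k <key>. The auid (login UID) is the field to trust when attributing an action, because it survives su and sudo while uid and euid change; the page's ausearch -ue 0 query, by contrast, selects on the effective UID, so a sudo'd command from user 1000 shows up under 0 there.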
Author: wanghongwei
Copyright notice: this work is licensed under CC BY-NC-ND 4.0. Contact the author for permission before commercial reproduction; non-commercial reproduction must include a link to the original and this notice.
