Way*_*ner 3 configuration auditd
在/etc/audit/audit.rulesCentos7的顶部它告诉我:
## This file is automatically generated from /etc/audit/rules.d
好的,所以我去寻找,并找到了/etc/audit/rules.d/audit.rules。它有以下行
# Feel free to add below this line. See auditctl man page
我做了,发现看起来可能是这个选项:
-R file
Read rules from a file. The rules must be 1 per line and in the order that they are to be executed in. The rule file must be
owned by root and not readable by other users or it will be rejected. The rule file may have comments embedded by starting
the line with a '#' character. Rules that are read from a file are identical to what you would type on a command line except
they are not preceded by auditctl (since auditctl is the one executing the file) and you would not use shell escaping since
auditctl is reading the file instead of bash.
但是我跑了auditctl -R /etc/audit/rules.d/audit.rules这似乎有效,但它没有做任何事情/etc/audit/audit.rules。
重新生成该文件的正确方法是什么?
小智 7
实用程序 augenrules 从 /etc/audit/rules.d 目录中的 *.rules 文件构建 /etc/audit/audit.rules。
这个实用程序是从 auditd 服务调用的(或者您可以手动调用它,然后按照您发现的方式加载规则文件 - 但重新启动服务更简单)。
我不记得审计系统不能原生使用 systemd 的原因。检查 linux-audit@redhat.com 邮件列表档案。