/**********************************************************************
 * Linux audit security auditing tool
 * Notes:
 * I came across security auditing today and had a look; it turns out the kernel has built-in support for it.
 *
 * 2018-4-23 Shenzhen, Bao'an Xixiang, 曾剑锋
 *********************************************************************/

I. References:

1. Unable to open /sbin/audispd (No such file or directory)
https://bugzilla.redhat.com/show_bug.cgi?id=207627
II. Error: audit support not in kernel

auditd prints this message when the running kernel was built without audit support. Enable "Auditing support" (CONFIG_AUDIT) and "Enable system-call auditing support" (CONFIG_AUDITSYSCALL) under General setup in make menuconfig, then rebuild the kernel:
---------------------------- General setup ----------------------------
 Arrow keys navigate the menu.  <Enter> selects submenus --->  (or empty
 submenus ----).  Highlighted letters are hotkeys.  Pressing <Y>
 includes, <N> excludes, <M> modularizes features.  Press <Esc><Esc> to
 exit, <?> for Help, </> for Search.  Legend: [*] built-in  [ ] excluded
 -----------------------------------------------------------------------
    [*] open by fhandle syscalls
    [*] uselib syscall
    [*] Auditing support
    [*]   Enable system-call auditing support
        IRQ subsystem  --->
        Timers subsystem  --->
        CPU/Task time and stats accounting  --->
        RCU Subsystem  --->
        Kernel .config support
    [*]   Enable access to .config through /proc/config.gz
 -----------------------------------------------------------------------
        < Exit >    < Help >    < Save >    < Load >
-----------------------------------------------------------------------
III. Test run:

1. Command test (auditd -f keeps the daemon in the foreground and echoes its config parsing):
[buildroot@root ~]# auditd -f
Config file /etc/audit/auditd.conf opened for parsing
local_events_parser called with: yes
write_logs_parser called with: yes
audit: type=1305 audit(61.430:2): audit_pid=283 old=0 auid=4294967295 ses=4294967295 res=1
log_file_parser called with: /var/log/audit/audit.log
log_group_parser called with: root
log_format_parser called with: RAW
flush_parser called with: INCREMENTAL_ASYNC
freq_parser called with: 50
max_log_size_parser called with: 8
num_logs_parser called with: 5
priority_boost_parser called with: 4
qos_parser called with: lossy
dispatch_parser called with: /usr/sbin/audispd
name_format_parser called with: NONE
max_log_size_action_parser called with: ROTATE
space_left_parser called with: 75
space_action_parser called with: SYSLOG
action_mail_acct_parser called with: root
admin_space_left_parser called with: 50
admin_space_left_action_parser called with: SUSPEND
disk_full_action_parser called with: SUSPEND
disk_error_action_parser called with: SUSPEND
use_libwrap_parser called with: yes
tcp_listen_queue_parser called with: 5
tcp_max_per_addr_parser called with: 1
tcp_client_max_idle_parser called with: 0
enable_krb5_parser called with: no
GSSAPI support is not enabled, ignoring value at line 33
krb5_principal_parser called with: auditd
GSSAPI support is not enabled, ignoring value at line 34
distribute_network_parser called with: no
Started dispatcher: /usr/sbin/audispd pid: 285
type=DAEMON_START msg=audit(61.435:1106): op=start ver=2.7.1 format=raw kernel=4.1.15+g30278ab auid=4294967295 pid=283 uid=0 ses=4294967295 res=success
config_manager init complete
dispatcher 285 reaped
Init complete, auditd 2.7.1 listening for events (startup state enable)

2. Auto-start at boot:
[buildroot@root ~]# ps aux | grep audit
  168 root     /usr/sbin/auditd
  171 root     [kauditd]
  283 root     grep audit
[buildroot@root ~]# aureport -m

Account Modifications Report
=================================================
# date time auid addr term exe acct success event
=================================================

[buildroot@root ~]#
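As an added example (not part of the original note or of the audit package), a small Python parser for the two record forms that appear in the auditd -f output above: the kernel console line (audit: type=1305 audit(ts:serial): ...) and the audit.log line written with log_format = RAW (type=NAME msg=audit(ts:serial): ...). It decodes the "unset" auid/ses value 4294967295 and lists audit_pid transitions from CONFIG_CHANGE records; a transition to 0 means no daemon is registered with the kernel any more, which is what a defender wants to notice. The third sample record is constructed for that case.

```python
import re

# Numeric record types as the kernel prints them on the console
# (linux/audit.h); auditd writes the symbolic name into audit.log.
TYPE_NAMES = {1200: "DAEMON_START", 1305: "CONFIG_CHANGE"}
UNSET_ID = 4294967295  # (uid_t)-1: no login uid / audit session assigned

# Matches both "audit: type=1305 audit(ts:serial): ..." (kernel console)
# and "type=NAME msg=audit(ts:serial): ..." (audit.log, log_format = RAW).
RECORD_RE = re.compile(
    r"^(?:audit: )?type=(\S+) (?:msg=)?audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one RAW record into a dict; None if the line is not a record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    if rtype.isdigit():  # console form carries the numeric type
        rtype = TYPE_NAMES.get(int(rtype), rtype)
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    for key in ("auid", "ses"):  # decode the "unset" sentinel to None
        if key in fields:
            fields[key] = None if int(fields[key]) == UNSET_ID else int(fields[key])
    return {"type": rtype, "time": float(ts), "serial": int(serial), **fields}

def audit_pid_changes(lines):
    """(old, new) audit_pid pairs from CONFIG_CHANGE records; a new value
    of 0 means no daemon is registered with the kernel (auditd stopped)."""
    changes = []
    for rec in map(parse_record, lines):
        if rec and rec["type"] == "CONFIG_CHANGE" and "audit_pid" in rec:
            changes.append((int(rec["old"]), int(rec["audit_pid"])))
    return changes

SAMPLE_LOG = [
    # The two records printed during the "auditd -f" run on this page.
    "audit: type=1305 audit(61.430:2): audit_pid=283 old=0 auid=4294967295 ses=4294967295 res=1",
    "type=DAEMON_START msg=audit(61.435:1106): op=start ver=2.7.1 format=raw "
    "kernel=4.1.15+g30278ab auid=4294967295 pid=283 uid=0 ses=4294967295 res=success",
    # Constructed record: the daemon deregistering (audit_pid back to 0).
    "type=CONFIG_CHANGE msg=audit(900.100:77): audit_pid=0 old=283 auid=4294967295 ses=4294967295 res=1",
]

if __name__ == "__main__":
    for rec in map(parse_record, SAMPLE_LOG):
        print(rec["type"], rec["serial"], "auid:", rec["auid"])
    print("audit_pid transitions:", audit_pid_changes(SAMPLE_LOG))
```

Run it against the constructed SAMPLE_LOG to see the (0, 283) registration from the page followed by the constructed (283, 0) deregistration; the same functions work on lines read from /var/log/audit/audit.log.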