auditd audispd auditctl autrace ausearch aureport
[root@rmaster01 ~]# rpm -qa audit
audit-2.8.5-4.el7.x86_64
[root@rmaster01 ~]# rpm -ql audit
/etc/audisp
/etc/audisp/audispd.conf
/etc/audisp/plugins.d
/etc/audisp/plugins.d/af_unix.conf
/etc/audisp/plugins.d/syslog.conf
/etc/audit
/etc/audit/audit-stop.rules
/etc/audit/audit.rules
/etc/audit/auditd.conf
/etc/audit/rules.d
/etc/audit/rules.d/audit.rules
/sbin/audispd
/sbin/auditctl
/sbin/auditd
/sbin/augenrules
/sbin/aureport
/sbin/ausearch
/sbin/autrace
/usr/bin/aulast
/usr/bin/aulastlog
/usr/bin/ausyscall
/usr/bin/auvirt
/usr/lib/systemd/system/auditd.service
/usr/libexec/initscripts/legacy-actions/auditd
/usr/libexec/initscripts/legacy-actions/auditd/condrestart
/usr/libexec/initscripts/legacy-actions/auditd/reload
/usr/libexec/initscripts/legacy-actions/auditd/restart
/usr/libexec/initscripts/legacy-actions/auditd/resume
/usr/libexec/initscripts/legacy-actions/auditd/rotate
/usr/libexec/initscripts/legacy-actions/auditd/state
/usr/libexec/initscripts/legacy-actions/auditd/stop
/usr/share/doc/audit-2.8.5
/usr/share/doc/audit-2.8.5/COPYING
/usr/share/doc/audit-2.8.5/ChangeLog
/usr/share/doc/audit-2.8.5/README
/usr/share/doc/audit-2.8.5/auditd.cron
/usr/share/doc/audit-2.8.5/rules
/usr/share/doc/audit-2.8.5/rules/10-base-config.rules
/usr/share/doc/audit-2.8.5/rules/10-no-audit.rules
/usr/share/doc/audit-2.8.5/rules/11-loginuid.rules
/usr/share/doc/audit-2.8.5/rules/12-cont-fail.rules
/usr/share/doc/audit-2.8.5/rules/12-ignore-error.rules
/usr/share/doc/audit-2.8.5/rules/20-dont-audit.rules
/usr/share/doc/audit-2.8.5/rules/21-no32bit.rules
/usr/share/doc/audit-2.8.5/rules/22-ignore-chrony.rules
/usr/share/doc/audit-2.8.5/rules/23-ignore-filesystems.rules
/usr/share/doc/audit-2.8.5/rules/30-nispom.rules
/usr/share/doc/audit-2.8.5/rules/30-ospp-v42.rules
/usr/share/doc/audit-2.8.5/rules/30-pci-dss-v31.rules
/usr/share/doc/audit-2.8.5/rules/30-stig.rules
/usr/share/doc/audit-2.8.5/rules/31-privileged.rules
/usr/share/doc/audit-2.8.5/rules/32-power-abuse.rules
/usr/share/doc/audit-2.8.5/rules/40-local.rules
/usr/share/doc/audit-2.8.5/rules/41-containers.rules
/usr/share/doc/audit-2.8.5/rules/42-injection.rules
/usr/share/doc/audit-2.8.5/rules/43-module-load.rules
/usr/share/doc/audit-2.8.5/rules/70-einval.rules
/usr/share/doc/audit-2.8.5/rules/71-networking.rules
/usr/share/doc/audit-2.8.5/rules/99-finalize.rules
/usr/share/doc/audit-2.8.5/rules/README-rules
/usr/share/man/man5/audispd.conf.5.gz
/usr/share/man/man5/auditd.conf.5.gz
/usr/share/man/man5/ausearch-expression.5.gz
/usr/share/man/man7/audit.rules.7.gz
/usr/share/man/man8/audispd.8.gz
/usr/share/man/man8/auditctl.8.gz
/usr/share/man/man8/auditd.8.gz
/usr/share/man/man8/augenrules.8.gz
/usr/share/man/man8/aulast.8.gz
/usr/share/man/man8/aulastlog.8.gz
/usr/share/man/man8/aureport.8.gz
/usr/share/man/man8/ausearch.8.gz
/usr/share/man/man8/ausyscall.8.gz
/usr/share/man/man8/autrace.8.gz
/usr/share/man/man8/auvirt.8.gz
/var/log/audit
/var/run/auditd.state
[root@rmaster01 ~]#
[root@rmaster01 ~]# systemctl status auditd.service
● auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Sun 2021-03-21 14:17:37 CST; 1 months 11 days ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
 Main PID: 617 (auditd)
    Tasks: 2
   Memory: 2.5M
   CGroup: /system.slice/auditd.service
           └─617 /sbin/auditd

Mar 21 14:17:37 rmaster01 augenrules[621]: enabled 1
Mar 21 14:17:37 rmaster01 augenrules[621]: failure 1
Mar 21 14:17:37 rmaster01 augenrules[621]: pid 617
Mar 21 14:17:37 rmaster01 augenrules[621]: rate_limit 0
Mar 21 14:17:37 rmaster01 augenrules[621]: backlog_limit 8192
Mar 21 14:17:37 rmaster01 augenrules[621]: lost 0
Mar 21 14:17:37 rmaster01 augenrules[621]: backlog 1
Mar 21 14:17:37 rmaster01 systemd[1]: Started Security Auditing Service.
Mar 28 12:01:01 rmaster01 auditd[617]: Audit daemon rotating log files
Apr 18 01:50:01 rmaster01 auditd[617]: Audit daemon rotating log files
[root@rmaster01 ~]#
[root@rmaster01 ~]# auditctl -help
usage: auditctl [options]
 -a <l,a>               Append rule to end of <l>ist with <a>ction
 -A <l,a>               Add rule at beginning of <l>ist with <a>ction
 -b <backlog>           Set max number of outstanding audit buffers
                        allowed Default=64
 -c                     Continue through errors in rules
 -C f=f                 Compare collected fields if available:
                        Field name, operator(=,!=), field name
 -d <l,a>               Delete rule from <l>ist with <a>ction
                        l=task,exit,user,exclude
                        a=never,always
 -D                     Delete all rules and watches
 -e [0..2]              Set enabled flag
 -f [0..2]              Set failure flag
                        0=silent 1=printk 2=panic
 -F f=v                 Build rule: field name, operator(=,!=,<,>,<=,>=,&,&=) value
 -h                     Help
 -i                     Ignore errors when reading rules from file
 -k <key>               Set filter key on audit rule
 -l                     List rules
 -m text                Send a user-space message
 -p [r|w|x|a]           Set permissions filter on watch
                        r=read, w=write, x=execute, a=attribute
 -q <mount,subtree>     make subtree part of mount point's dir watches
 -r <rate>              Set limit in messages/sec (0=none)
 -R <file>              read rules from file
 -s                     Report status
 -S syscall             Build rule: syscall name or number
 -t                     Trim directory watches
 -v                     Version
 -w <path>              Insert watch at <path>
 -W <path>              Remove watch at <path>
 --loginuid-immutable   Make loginuids unchangeable once set
 --reset-lost           Reset the lost record counter
[root@rmaster01 ~]#
