1. Add a temporary rule with auditctl
# auditctl -w /tmp/123 -p rwxa -k test123
-w the file (or directory) to watch
-p permissions to audit:
r - read access to the file or directory.
w - write access to the file or directory.
x - execute access to the file or directory.
a - changes to the attributes of the file or directory.
-k a key (keyword) that can later be used to search for matching events
2. Search the audit log with ausearch
# ausearch -k test123
----
time->Thu Mar 23 00:39:27 2023
type=PROCTITLE msg=audit(1679503167.183:470): proctitle=617564697463746C002D77002F746D702F313233002D700072777861002D6B0074657374313233
type=SYSCALL msg=audit(1679503167.183:470): arch=c000003e syscall=44 success=yes exit=1072 a0=4 a1=7ffd75df5b50 a2=430 a3=0 items=0 ppid=35376 pid=90370 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="auditctl" exe="/usr/sbin/auditctl" key=(null)
type=CONFIG_CHANGE msg=audit(1679503167.183:470): auid=0 ses=3 op=add_rule key="test123" list=4 res=1
# echo 123> 456
# cp 456 123
cp: overwrite '123'? y
# ausearch -k test123
----
time->Thu Mar 23 00:39:27 2023
type=PROCTITLE msg=audit(1679503167.183:470): proctitle=617564697463746C002D77002F746D702F313233002D700072777861002D6B0074657374313233
type=SYSCALL msg=audit(1679503167.183:470): arch=c000003e syscall=44 success=yes exit=1072 a0=4 a1=7ffd75df5b50 a2=430 a3=0 items=0 ppid=35376 pid=90370 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="auditctl" exe="/usr/sbin/auditctl" key=(null)
type=CONFIG_CHANGE msg=audit(1679503167.183:470): auid=0 ses=3 op=add_rule key="test123" list=4 res=1
----
time->Thu Mar 23 00:40:03 2023
type=PROCTITLE msg=audit(1679503203.642:475): proctitle=6370002D690034353600313233
type=PATH msg=audit(1679503203.642:475): item=0 name="123" inode=100666600 dev=fd:00 mode=0100700 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1679503203.642:475): cwd="/tmp"
type=SYSCALL msg=audit(1679503203.642:475): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffc741e2e1d a2=201 a3=0 items=1 ppid=35376 pid=90583 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cp" exe="/usr/bin/cp" key="test123"
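As an added example (not part of the original note), a small Python parser for the ausearch records above: it groups records by event serial, decodes the hex-encoded proctitle into argv, and separates real accesses to the watched file (events whose SYSCALL record carries key="test123") from the rule-add event, whose CONFIG_CHANGE record carries the key but whose SYSCALL has key=(null). The sample records are copied from the output shown above; the `----` and `time->` separator lines ausearch prints are skipped, so raw ausearch output can be fed in as-is.

```python
import re
from collections import defaultdict

# Sample records copied from the ausearch output above (rule-add event 470, cp event 475).
SAMPLE_LOG = """\
type=PROCTITLE msg=audit(1679503167.183:470): proctitle=617564697463746C002D77002F746D702F313233002D700072777861002D6B0074657374313233
type=SYSCALL msg=audit(1679503167.183:470): arch=c000003e syscall=44 success=yes exit=1072 a0=4 a1=7ffd75df5b50 a2=430 a3=0 items=0 ppid=35376 pid=90370 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="auditctl" exe="/usr/sbin/auditctl" key=(null)
type=CONFIG_CHANGE msg=audit(1679503167.183:470): auid=0 ses=3 op=add_rule key="test123" list=4 res=1
type=PROCTITLE msg=audit(1679503203.642:475): proctitle=6370002D690034353600313233
type=PATH msg=audit(1679503203.642:475): item=0 name="123" inode=100666600 dev=fd:00 mode=0100700 ouid=1000 ogid=1000 rdev=00:00 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0
type=CWD msg=audit(1679503203.642:475): cwd="/tmp"
type=SYSCALL msg=audit(1679503203.642:475): arch=c000003e syscall=257 success=yes exit=4 a0=ffffff9c a1=7ffc741e2e1d a2=201 a3=0 items=1 ppid=35376 pid=90583 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cp" exe="/usr/bin/cp" key="test123"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')          # key=value or key="quoted value"
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')  # the serial after the timestamp

def decode_proctitle(hexstr):
    """PROCTITLE is argv hex-encoded with NUL separators; return it as a list of strings."""
    return bytes.fromhex(hexstr).decode("utf-8", "replace").split("\0")

def parse_record(line):
    """Split one audit record into (event serial, {field: value}); quoted values lose their quotes."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    return SERIAL_RE.search(line).group(1), fields

def group_events(log):
    """Records sharing a serial form one event; index each event's records by type."""
    events = defaultdict(dict)
    for line in log.splitlines():
        if line.startswith("type="):  # skip ausearch's '----' and 'time->' separator lines
            serial, fields = parse_record(line)
            events[serial][fields["type"]] = fields
    return events

def accesses_for_key(log, key):
    """Return (file accesses, rule changes) for a watch key. Only events whose SYSCALL record
    carries the key are real accesses; rule management shows the key on CONFIG_CHANGE instead."""
    hits, rule_changes = [], []
    for serial, recs in group_events(log).items():
        argv = decode_proctitle(recs.get("PROCTITLE", {}).get("proctitle", ""))
        sc = recs.get("SYSCALL", {})
        if sc.get("key") == key:
            # syscall=257 is openat on x86_64 (arch=c000003e); PATH/CWD give the file actually opened
            hits.append({"serial": serial, "argv": argv, "comm": sc.get("comm"), "exe": sc.get("exe"),
                         "auid": sc.get("auid"), "syscall": sc.get("syscall"), "success": sc.get("success"),
                         "cwd": recs.get("CWD", {}).get("cwd"), "name": recs.get("PATH", {}).get("name")})
        elif recs.get("CONFIG_CHANGE", {}).get("key") == key:
            rule_changes.append({"serial": serial, "argv": argv, "op": recs["CONFIG_CHANGE"].get("op")})
    return hits, rule_changes
```

Decoding the proctitle also shows that the copy above was really run as `cp -i 456 123` (the usual root alias), which is why the shell asked before overwriting.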