The following events keep recurring in my audit.log. Can someone give me the valid syntax for an audit.rules rule that will block these 6 specific entries?

Ideally I would like the filter to apply to type= for the six shown below, together with uid=0 and auid=4294967295 and ses=4294967295 and exe=/bin/su and result=success.

Is this remotely possible?

I found that the -F msgtype=USER_AUTH flag only works with the -a exclude rule, and that I cannot use any other flag with exclude, such as -F auid=4294967295. I cannot exclude all USER_AUTH types and miss essential events.
node=testserver type=USER_AUTH msg=audit(1480608618.705:570): user pid=15378 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="efadmin" exe="/bin/su" (hostname=?, addr=?, terminal=? res=success)'
node=testserver type=USER_ACCT msg=audit(1480608618.705:571): user pid=15378 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:accounting acct="efadmin" exe="/bin/su" (hostname=?, addr=?, terminal=? res=success)'
node=testserver type=CRED_ACQ msg=audit(1480608618.705:572): user pid=15378 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="efadmin" exe="/bin/su" (hostname=?, addr=?, terminal=? res=success)'
node=testserver type=USER_START msg=audit(1480608618.705:573): user pid=15378 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_open acct="efadmin" exe="/bin/su" (hostname=?, addr=?, terminal=? res=success)'
node=testserver type=USER_END msg=audit(1480608618.817:574): user pid=15378 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_close acct="efadmin" exe="/bin/su" (hostname=?, addr=?, terminal=? res=success)'
node=testserver type=CRED_DISP msg=audit(1480608618.817:575): user pid=15378 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="efadmin" exe="/bin/su" (hostname=?, addr=?, terminal=? res=success)'
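As an added example (not part of the question or of any answer), here is a Python post-filter that applies the six conditions listed above to records in the format shown, dropping only records that satisfy all of them and keeping everything else, so a failed or non-root su is never lost. The sample records are constructed, modelled on the lines quoted in the question.

```python
import re

# Constructed sample records, modelled on the format quoted in the question;
# the third line is a failed su by an ordinary user and must NOT be dropped.
SAMPLE_LOG = """\
node=testserver type=USER_AUTH msg=audit(1480608618.705:570): user pid=15378 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:authentication acct="efadmin" exe="/bin/su" (hostname=?, addr=?, terminal=? res=success)'
node=testserver type=CRED_DISP msg=audit(1480608618.817:575): user pid=15378 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:setcred acct="efadmin" exe="/bin/su" (hostname=?, addr=?, terminal=? res=success)'
node=testserver type=USER_AUTH msg=audit(1480608700.001:600): user pid=15400 uid=1000 auid=1000 ses=3 msg='op=PAM:authentication acct="root" exe="/bin/su" (hostname=?, addr=?, terminal=pts/0 res=failed)'
"""

# key=value tokens; values may be single- or double-quoted and contain spaces
FIELD_RE = re.compile(r"(\w+)=('[^']*'|\"[^\"]*\"|\S+)")
NOISE_TYPES = {"USER_AUTH", "USER_ACCT", "CRED_ACQ", "USER_START", "USER_END", "CRED_DISP"}
UNSET = "4294967295"  # (uint32)-1: auid/ses never set, i.e. not from a login session


def parse_record(line):
    """Flatten one audit record, including the nested msg='...' PAM payload, into a dict."""
    rec = {}
    for key, value in FIELD_RE.findall(line):
        if key == "msg" and value.startswith("'"):
            # the PAM payload is itself key=value text, with trailing ',' or ')' to strip
            for ikey, ivalue in FIELD_RE.findall(value[1:-1]):
                rec[ikey] = ivalue.strip('"(),')
        elif key == "msg":
            # msg=audit(<epoch.msec>:<serial>):
            m = re.match(r"audit\(([\d.]+):(\d+)\)", value)
            rec["time"], rec["serial"] = m.group(1), m.group(2)
        else:
            rec[key] = value
    return rec


def is_su_noise(rec):
    """All six conditions from the question must hold for a record to be dropped."""
    return (rec.get("type") in NOISE_TYPES
            and rec.get("uid") == "0"
            and rec.get("auid") == UNSET
            and rec.get("ses") == UNSET
            and rec.get("exe") == "/bin/su"
            and rec.get("res") == "success")


def filter_log(text):
    """Return the records worth keeping: everything that is not matched noise."""
    return [ln for ln in text.splitlines() if ln and not is_su_noise(parse_record(ln))]


if __name__ == "__main__":
    for kept in filter_log(SAMPLE_LOG):
        print(kept)
```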