[root@rock:/var/log/audit] : service auditd status
Redirecting to /bin/systemctl status auditd.service
auditd.service - Security Auditing Service
   Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
   Active: active (running) since Mon 2021-01-11 08:24:35 EST; 51min ago
     Docs: man:auditd(8)
           https://github.com/linux-audit/audit-documentation
  Process: 94529 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
  Process: 94513 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
 Main PID: 94515 (auditd)
   CGroup: /system.slice/auditd.service
           ├─94515 /sbin/auditd
           ├─94517 /sbin/audispd
           └─94519 /usr/sbin/sedispatch

Jan 11 08:24:35 rock augenrules[94529]: lost 4892
Jan 11 08:24:35 rock augenrules[94529]: backlog 0
Jan 11 08:24:35 rock augenrules[94529]: enabled 1
Jan 11 08:24:35 rock augenrules[94529]: failure 1
Jan 11 08:24:35 rock augenrules[94529]: pid 94515
Jan 11 08:24:35 rock augenrules[94529]: rate_limit 0
Jan 11 08:24:35 rock augenrules[94529]: backlog_limit 1048576
Jan 11 08:24:35 rock augenrules[94529]: lost 4892
Jan 11 08:24:35 rock augenrules[94529]: backlog 0
Jan 11 08:24:35 rock systemd[1]: Started Security Auditing Service.
When using auditd on RHEL 7.9, I believe everything is running fine, but when I run the above I see lost 4892.
What does the lost value mean? Is it bad? Should I want it to be zero?
Here is my /etc/audit/auditd.conf for reference:
#
# This file controls the configuration of the audit daemon
#
local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = RAW
flush = INCREMENTAL_ASYNC
freq = 100
# max log file size in MB, does not matter with KEEP_LOGS
max_log_file = 10000
max_log_file_action = KEEP_LOGS
# no log rotation
num_logs = 0
priority_boost = 0
admin_space_left_action = SINGLE
disk_full_action = SINGLE
disk_error_action = SINGLE
disp_qos = LOSSLESS
dispatcher = /sbin/audispd
name_format = HOSTNAME
space_left = 500
admin_space_left = 300
space_left_action = email
verify_email = yes
action_mail_acct = root
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
Answer 1
New to audit; according to the auditctl man page, when using the -s option:
-s Report the status of the kernel's audit subsystem. It will tell you the kernel values that can be set via the -e, -f, -r and -b options. The pid value is the process number of the audit daemon. Note that a pid of 0 indicates that the audit daemon is not running. The lost entry tells you how many event records were discarded because the kernel audit queue overflowed. The backlog field tells how many event records are currently queued waiting for auditd to read them. This option may be followed by -i to interpret several of the fields.
The part that talks about the lost value is shown in bold.
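A small check built on the -s fields the answer describes, as an added example that is not part of the question or the answer: it parses the key/value lines auditctl -s prints (the same fields augenrules logged above) and flags lost records, a stopped daemon, and a queue that is filling up. The sample status text, the audit_field helper and the check_audit_status function are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the question or the answer): parse the key/value
# lines printed by `auditctl -s` (the same fields augenrules logged above)
# and flag dropped audit records. The sample status text at the bottom is
# constructed from the values in the question.

# audit_field STATUS_TEXT KEY -> prints the value of KEY (empty if absent)
audit_field() {
    printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }'
}

# check_audit_status STATUS_TEXT
# Returns 0 when nothing was lost, 1 when lost > 0, 2 when auditd is not
# running (pid 0) or auditing is disabled (enabled 0). Findings go to stdout.
check_audit_status() {
    enabled=$(audit_field "$1" enabled)
    pid=$(audit_field "$1" pid)
    lost=$(audit_field "$1" lost)
    backlog=$(audit_field "$1" backlog)
    limit=$(audit_field "$1" backlog_limit)
    rc=0
    if [ "${pid:-0}" -eq 0 ] || [ "${enabled:-0}" -eq 0 ]; then
        echo "auditd not running or auditing disabled (pid=${pid:-?} enabled=${enabled:-?})"
        rc=2
    fi
    if [ "${lost:-0}" -gt 0 ]; then
        echo "lost=$lost: records were dropped because the kernel audit queue overflowed"
        if [ "$rc" -eq 0 ]; then rc=1; fi
    fi
    # A queue more than half full is the warning sign that precedes more loss.
    if [ "${limit:-0}" -gt 0 ] && [ $(( ${backlog:-0} * 2 )) -gt "$limit" ]; then
        echo "backlog=$backlog is over half of backlog_limit=$limit; consider a larger -b"
    fi
    return "$rc"
}

# Constructed sample mirroring the augenrules lines in the question.
SAMPLE_STATUS='enabled 1
failure 1
pid 94515
rate_limit 0
backlog_limit 1048576
lost 4892
backlog 0'

# On a live host: check_audit_status "$(auditctl -s)"
check_audit_status "$SAMPLE_STATUS" || echo "exit status $?"
```

The kernel keeps lost as a running count, so compare successive readings rather than alarming on any nonzero value: a value that stays flat usually reflects events dropped early in boot before augenrules raised backlog_limit, while one that keeps climbing means records are still being dropped.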