我有一个系统正在为我们称之为“已编辑”的特定帐户获取大量审核流量。日志显示该帐户正在执行 su 命令。我的第一反应是检查规则etc/audit/rules.d
并禁用任何与该帐户有关的规则su
,并添加禁止记录该帐户的规则。我仍在获取这些日志,因此我删除了审核规则以得到一张白纸。 ( auditctl -l No Rules
)
我仍然看到这些日志,所以我的问题是这些日志是否来自 PAM 模块,有没有办法抑制它们?
type=CRED_DISP msg=audit(1652729209.332:1763023): pid=375379 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:setcred grantors=pam_rootok acct="redacted" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=USER_AUTH msg=audit(1652729210.442:1763024): pid=375600 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:authentication grantors=pam_rootok acct="redacted" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=USER_ACCT msg=audit(1652729210.443:1763025): pid=375600 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:accounting grantors=pam_succeed_if acct="redacted" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=CRED_ACQ msg=audit(1652729210.446:1763026): pid=375600 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:setcred grantors=pam_rootok acct="redacted" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
type=USER_START msg=audit(1652729210.462:1763027): pid=375600 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 msg='op=PAM:session_open grantors=pam_keyinit,pam_limits,pam_systemd,pam_unix,pam_lastlog,pam_umask,pam_xauth acct="redacted" exe="/usr/bin/su" hostname=? addr=? terminal=? res=success'UID="root" AUID="unset"
答案1
我能够通过添加规则来按类型抑制消息来抑制这些输出。例如-a never,exclude -F msgtype=USER_AUTH