Audit rules are not loaded by systemctl restart auditd


I was trying to find out what was enabling IPv4 forwarding in the file /proc/sys/net/ipv4/ip_forward (I found out it is docker, but I still want to understand my auditd problem), so I decided to create an audit rule:

-w /proc/sys/net/ipv4/ip_forward -p wa -k ip4forward

The problem is that the rule only loads when I issue this manually:

augenrules --load

A simple systemctl restart auditd wipes this rule. This means it will be wiped during the boot process.

Contents of my /etc/audit/rules.d/audit.rules file (the only rules file in the directory):

-D
-b 8192
--backlog_wait_time 60000
-f 1
-w /proc/sys/net/ipv4/ip_forward -p wa -k ip4forward
-w /etc/fstab -p rwa -k fstab

Example of restarting auditd:

$ sudo systemctl restart auditd
$ sudo auditctl -l
-w /etc/fstab -p rwa -k fstab #<- Only this rule loads

Example of running augenrules:

$ sudo augenrules --load
/usr/sbin/augenrules: No change
No rules
enabled 1
failure 1
pid 3116
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
enabled 1
failure 1
pid 3116
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
enabled 1
failure 1
pid 3116
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
enabled 1
failure 1
pid 3116
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0
enabled 1
failure 1
pid 3116
rate_limit 0
backlog_limit 8192
lost 0
backlog 0
backlog_wait_time 60000
backlog_wait_time_actual 0

$ sudo auditctl -l
-w /proc/sys/net/ipv4/ip_forward -p wa -k ip4forward
-w /etc/fstab -p rwa -k fstab
$ sudo systemctl status auditd
● auditd.service - Security Auditing Service
     Loaded: loaded (/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
     Active: active (running) since Mon 2023-12-11 16:42:29 EST; 6min ago
       Docs: man:auditd(8)
             https://github.com/linux-audit/audit-documentation
    Process: 3114 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
    Process: 3119 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
   Main PID: 3116 (auditd)
      Tasks: 2 (limit: 9346)
     Memory: 548.0K
        CPU: 125ms
     CGroup: /system.slice/auditd.service
             └─3116 /sbin/auditd

Dec 11 16:42:29 ubuntu augenrules[3130]: enabled 1
Dec 11 16:42:29 ubuntu augenrules[3130]: failure 1
Dec 11 16:42:29 ubuntu augenrules[3130]: pid 3116
Dec 11 16:42:29 ubuntu augenrules[3130]: rate_limit 0
Dec 11 16:42:29 ubuntu augenrules[3130]: backlog_limit 8192
Dec 11 16:42:29 ubuntu augenrules[3130]: lost 0
Dec 11 16:42:29 ubuntu augenrules[3130]: backlog 0
Dec 11 16:42:29 ubuntu augenrules[3130]: backlog_wait_time 60000
Dec 11 16:42:29 ubuntu augenrules[3130]: backlog_wait_time_actual 0
Dec 11 16:42:29 ubuntu systemd[1]: Started Security Auditing Service.

Running Ubuntu 22.04 with auditd version 1:3.0.7-1build1. Any ideas? Thanks!

Answer 1

In case it helps, augenrules --load compiles all the rules in /etc/audit/rules.d/*.rules into /etc/audit/audit.rules. That command is also run at boot.
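An added example, not part of the question or the answer above: a small POSIX shell script that mimics, in simplified form, the merge step the answer describes (concatenating /etc/audit/rules.d/*.rules into one rule file, control options first and -e last) and then reports which watch rules from the merged file are missing from an auditctl -l listing. This is the check the question is really doing by hand: compare what the file says with what the kernel has loaded. The rules directory, the merged file and the "loaded" listing are all constructed in a temp directory so the script runs without auditd; the ordering logic is an approximation of augenrules, not its code.

```shell
#!/bin/sh
# Added example, not from the original post. Simplified imitation of what
# augenrules --load does (merge rules.d/*.rules into one file), plus a check
# for watch rules that are in the file but absent from `auditctl -l` output.
# All inputs below are constructed; on a real host point compile_rules at
# /etc/audit/rules.d and save `auditctl -l` output to a file for missing_rules.

# compile_rules DIR
# Concatenate DIR/*.rules in sorted filename order, strip comments and blank
# lines, then emit control options (-D, -b, -f, -r, -c, -i, --long options)
# first, ordinary rules next and -e last. augenrules applies its own fixed
# ordering of control options; this version keeps their file order.
compile_rules() {
    merged=$(cat "$1"/*.rules 2>/dev/null \
        | sed -e 's/#.*$//' -e 's/[[:space:]]*$//' -e '/^[[:space:]]*$/d')
    printf '%s\n' "$merged" | grep -E  '^(-[Dbfrci]|--)( |$)'  || true
    printf '%s\n' "$merged" | grep -vE '^(-[Dbfrcie]|--)( |$)' || true
    printf '%s\n' "$merged" | grep -E  '^-e( |$)'              || true
}

# missing_rules RULEFILE LOADEDFILE
# Print each -w (watch) rule from RULEFILE that does not appear verbatim in
# the `auditctl -l` listing saved in LOADEDFILE. auditctl lists watch rules
# in the same form they were written, so a literal comparison is reliable;
# syscall (-a) rules are printed in normalized form and would need parsing.
# Trailing comments in the listing (like "#<- Only this rule loads") are ignored.
missing_rules() {
    grep '^-w ' "$1" | while IFS= read -r rule; do
        sed -e 's/[[:space:]]*#.*$//' "$2" | grep -qxF -e "$rule" \
            || printf '%s\n' "$rule"
    done
}

# --- constructed demo data, mirroring the question ---
RULES_D=$(mktemp -d)
cat > "$RULES_D/audit.rules" <<'EOF'
-D
-b 8192
--backlog_wait_time 60000
-f 1
-w /proc/sys/net/ipv4/ip_forward -p wa -k ip4forward
-w /etc/fstab -p rwa -k fstab
EOF

# What `auditctl -l` reported after `systemctl restart auditd` in the question.
LOADED="$RULES_D/loaded.txt"
printf '%s\n' '-w /etc/fstab -p rwa -k fstab #<- Only this rule loads' > "$LOADED"

compile_rules "$RULES_D" > "$RULES_D/compiled.txt"
echo "== merged rule file =="
cat "$RULES_D/compiled.txt"
echo "== watch rules in the file but not loaded =="
missing_rules "$RULES_D/compiled.txt" "$LOADED"
```

Run it as sh script.sh; the second section lists the ip_forward watch, which is exactly the rule the question says disappears after a restart. On a real host, running missing_rules against /etc/audit/audit.rules (the file augenrules writes) and a fresh auditctl -l listing after each restart tells you whether the loss happens at the merge step (rule absent from audit.rules) or at the kernel-load step (rule present in the file but not in the listing).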
