I need to update /etc/audit/audit.rules. I am going to replace the file and restart the service, but in the logs I found a call to augenrules during the machine's first boot.
Apart from that initial boot, is there any other time when augenrules runs automatically?
Answer 1
The answer is in /etc/systemd/system/multi-user.target.wants/auditd.service:
[Service]
ExecStart=/sbin/auditd -n
## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
## and comment/delete the next line and uncomment the auditctl line.
## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
ExecStartPost=-/sbin/augenrules --load
#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
ExecReload=/bin/kill -HUP $MAINPID
So starting the service invokes augenrules. Note that the service is only started when the server boots.
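The practical consequence of that ExecStartPost line is that augenrules --load regenerates /etc/audit/audit.rules from the files in /etc/audit/rules.d/ every time the unit starts, so a rule written straight into audit.rules is discarded on the next start. The script below is an added example, not code from the original answer or from the audit-userspace project: a small stand-in for that merge step, run against a constructed rules.d tree in a temporary directory so it needs neither root nor a running auditd. It assumes (as an approximation of the real augenrules) that files are read in name order, comments and blank lines are dropped, "-D" lines go first and "-e" lines go last.

```sh
#!/bin/sh
# Added example, not code from the original answer or from audit-userspace.
# A minimal stand-in for the merge that `augenrules --load` performs, run
# against a constructed rules.d tree in a temp directory, so it needs neither
# root nor a running auditd. Assumptions: the real augenrules reads
# /etc/audit/rules.d/*.rules in name order, drops comments and blank lines,
# and writes the result to /etc/audit/audit.rules; hoisting "-D" lines to the
# top and sinking "-e" lines to the bottom here approximates its ordering.
set -eu

# merge_rules RULES_DIR OUTPUT_FILE
# Regenerates OUTPUT_FILE from RULES_DIR/*.rules, discarding whatever was in
# OUTPUT_FILE before (this is why hand edits to audit.rules do not survive).
merge_rules() {
    rules_dir=$1
    out=$2
    tmp=$(mktemp)
    # name order: 10-*.rules before 50-*.rules before 99-*.rules
    cat "$rules_dir"/*.rules | grep -Ev '^[[:space:]]*(#|$)' > "$tmp" || true
    {
        echo "## This file is automatically generated from $rules_dir"
        grep -E  '^[[:space:]]*-D' "$tmp" || true       # delete-all first
        grep -Ev '^[[:space:]]*-(D|e)' "$tmp" || true   # buffer, failure mode, watches, syscalls
        grep -E  '^[[:space:]]*-e' "$tmp" || true       # enable / lock last
    } > "$out"
    rm -f "$tmp"
}

# build_sample_tree DIR: writes a constructed rules.d plus a hand-edited
# audit.rules that bypasses rules.d, mirroring the situation in the question.
build_sample_tree() {
    dir=$1
    mkdir -p "$dir/rules.d"
    printf '%s\n' '## constructed sample' '-D' '-b 8192' '-f 1' > "$dir/rules.d/10-base.rules"
    printf '%s\n' '-w /etc/passwd -p wa -k identity' '-w /etc/shadow -p wa -k identity' > "$dir/rules.d/50-identity.rules"
    printf '%s\n' '-e 2' > "$dir/rules.d/99-finalize.rules"
    # the hand edit: a watch added directly to audit.rules, not to rules.d
    printf '%s\n' '-w /etc/sudoers -p wa -k scope' > "$dir/audit.rules"
}

# rule_survives RULES_FILE PATTERN: exit 0 if PATTERN is still in RULES_FILE
rule_survives() {
    grep -q -- "$2" "$1"
}

workdir=$(mktemp -d)
build_sample_tree "$workdir"
echo "before merge:"; cat "$workdir/audit.rules"
merge_rules "$workdir/rules.d" "$workdir/audit.rules"
echo "after merge:";  cat "$workdir/audit.rules"
rm -rf "$workdir"
```

On a real host, put the new rules in a file under /etc/audit/rules.d/ and run augenrules --check to see whether audit.rules is out of date relative to rules.d; systemctl cat auditd.service shows the unit actually in effect, including any drop-in that replaced the ExecStartPost line with auditctl -R.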