Restarting audit on El Capitan


I want to monitor process launches on El Capitan.

```
Darwin MaeLucirdosiMac.home 15.5.0 Darwin Kernel Version 15.5.0: Tue Apr 19 18:36:36 PDT 2016; root:xnu-3248.50.21~8/RELEASE_X86_64 x86_64
```

Here is my configuration. I added `,pc` on line 2:

```
bash-3.2# cat /etc/security/audit_control
#
# $P4: //depot/projects/trustedbsd/openbsm/etc/audit_control#8 $
#
dir:/var/audit
flags:lo,aa,pc
minfree:5
naflags:lo,aa
policy:cnt,argv
filesz:2M
expire-after:10M
superuser-set-sflags-mask:has_authenticated,has_console_access
superuser-clear-sflags-mask:has_authenticated,has_console_access
member-set-sflags-mask:
member-clear-sflags-mask:has_authenticated

bash-3.2#
```

I can start and stop the service with launchctl, and the pid does change, but I cannot load and unload it. It is not clear to me whether that is necessary.

```
bash-3.2# launchctl list |grep audit
-	0	com.apple.auditd
bash-3.2# launchctl unload -w /System/Library/LaunchDaemons/com.apple.auditd.plist
/System/Library/LaunchDaemons/com.apple.auditd.plist: Operation not permitted while System Integrity Protection is engaged
bash-3.2# launchctl start com.apple.auditd
bash-3.2# launchctl list |grep audit
5493	0	com.apple.auditd
bash-3.2# launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
/System/Library/LaunchDaemons/com.apple.auditd.plist: service already loaded
bash-3.2# launchctl stop com.apple.auditd
bash-3.2# launchctl start com.apple.auditd
bash-3.2# launchctl list |grep audit
5500	0	com.apple.auditd
bash-3.2#
```

What is clear to me, however, is that even though I restarted and started all the processes, nothing seems to be written to the current log: it does not carry the latest timestamp, and `praudit` shows nothing about processes.

```
bash-3.2# ls -trl /var/audit/
. . . .
-r--r-----  1 root  wheel  125 Jun 20 18:16 20160620215442.20160620221602
-r--r-----  1 root  wheel  250 Jun 20 18:17 20160620221602.20160620221734
-r--r-----  1 root  wheel  250 Jun 20 19:16 20160620221734.20160620231602
-r--r-----  1 root  wheel  125 Jun 20 19:17 20160620231602.20160620231733
-r--r-----  1 root  wheel  250 Jun 20 20:16 20160620231733.20160621001602
-r--r-----  1 root  wheel  125 Jun 20 20:17 20160621001602.20160621001734
-r--r-----  1 root  wheel  250 Jun 20 21:16 20160621001734.20160621011602
-r--r-----  1 root  wheel  125 Jun 20 21:17 20160621011602.20160621011733
-r--r-----  1 root  wheel  125 Jun 20 21:18 20160621011733.20160621011807
lrwxr-xr-x  1 root  wheel   40 Jun 20 21:18 current -> /var/audit/20160621011843.not_terminated
-r--r-----  1 root  wheel    0 Jun 20 21:18 20160621011843.not_terminated
-r--r-----  1 root  wheel  250 Jun 20 21:18 20160621011807.20160621011843
bash-3.2# praudit -l /var/audit/20160621011807.20160621011843
header,125,11,session start,0,Mon Jun 20 21:18:14 2016, + 120 msec,argument,1,0x0,sflags,argument,2,0x0,am_success,argument,3,0x0,am_failure,subject,-1,root,wheel,root,wheel,0,100118,0,0.0.0.0,return,success,0,trailer,125,
header,125,11,session end,0,Mon Jun 20 21:18:43 2016, + 771 msec,argument,1,0x0,sflags,argument,2,0x0,am_success,argument,3,0x0,am_failure,subject,-1,root,wheel,root,wheel,0,100118,0,0.0.0.0,return,success,0,trailer,125,
bash-3.2# praudit -l /var/audit/current
bash-3.2#
```

How do I get audit to re-read its configuration file?
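A check for the situation in the question, added here as an example and not part of the original post: it parses `praudit -l` output and reports whether any process-class (`pc`) events have actually been recorded, which is the quickest way to tell whether a new `flags:` line is in effect. The event names in `PC_EVENTS` are taken from the OpenBSM `audit_event` table (a partial list), and the execve record in `WITH_PC` is constructed for the example.

```python
# Summarise a `praudit -l` dump and report whether process-class (pc) events
# were recorded.  Each record line starts with a header token:
#   header,<len>,<version>,<event>,<modifier>,<time>, + <msec> msec,...
from collections import Counter

# Event names from the OpenBSM audit_event table that belong to the pc class
# (partial list, enough to tell whether process auditing is active).
PC_EVENTS = {"execve(2)", "fork(2)", "posix_spawn(2)", "exit(2)"}

# Constructed samples: ASKER_LOG is the two session records from the question;
# WITH_PC appends an execve record of the shape praudit prints once the pc
# class is live (its field values are made up for this example).
ASKER_LOG = (
    "header,125,11,session start,0,Mon Jun 20 21:18:14 2016, + 120 msec,"
    "argument,1,0x0,sflags,argument,2,0x0,am_success,argument,3,0x0,am_failure,"
    "subject,-1,root,wheel,root,wheel,0,100118,0,0.0.0.0,return,success,0,trailer,125,\n"
    "header,125,11,session end,0,Mon Jun 20 21:18:43 2016, + 771 msec,"
    "argument,1,0x0,sflags,argument,2,0x0,am_success,argument,3,0x0,am_failure,"
    "subject,-1,root,wheel,root,wheel,0,100118,0,0.0.0.0,return,success,0,trailer,125,\n"
)
WITH_PC = ASKER_LOG + (
    "header,160,11,execve(2),0,Mon Jun 20 21:18:50 2016, + 12 msec,"
    "exec arg,/bin/ls,-l,path,/bin/ls,"
    "subject,-1,root,wheel,root,wheel,5512,100118,0,0.0.0.0,return,success,0,trailer,160,\n"
)

def parse_records(text):
    """One dict per record: event name, timestamp and subject pid (or None)."""
    records = []
    for line in text.splitlines():
        f = line.split(",")
        if len(f) < 7 or f[0] != "header":
            continue  # not a record line
        rec = {"event": f[3], "time": f[5].strip(), "pid": None}
        if "subject" in f:  # subject token: auid,euid,egid,ruid,rgid,pid,sid,...
            i = f.index("subject")
            if len(f) > i + 6 and f[i + 6].isdigit():
                rec["pid"] = int(f[i + 6])
        records.append(rec)
    return records

def summarize(text):
    """Count records per event name."""
    return Counter(r["event"] for r in parse_records(text))

def pc_events_recorded(text):
    """True if at least one process-class event appears in the dump."""
    return any(r["event"] in PC_EVENTS for r in parse_records(text))
```

Against a live system, save `sudo praudit -l /var/audit/current` to a file and pass its contents to `summarize()` and `pc_events_recorded()`; a dump that contains only session records, as in the question, means the `pc` class is not yet being written.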

Answer 1

The correct way is to unload and reload the auditd plist. For example:

```
sudo launchctl unload -w /System/Library/LaunchDaemons/com.apple.auditd.plist
sudo launchctl load -w /System/Library/LaunchDaemons/com.apple.auditd.plist
```

But beware of the trap here: El Capitan has SIP enabled by default, so you will get:

```
/System/Library/LaunchDaemons/com.apple.auditd.plist: Operation not permitted while System Integrity Protection is engaged
```

You will need to reboot for the audit rule changes to take effect. Stopping and starting the launch daemon with `launchctl {stop,start} com.apple.auditd` does not re-read the `audit_control` file.
