我最近auditd在我的 Debian 机器上安装了该软件包。我做了一些测试auditctl,创建了一个规则来监视目录,证明了一些东西,然后删除并清除了auditd。
随后,我仍然在 中看到这些条目kern.log。
May 1 08:29:55 trinity kernel: [5654985.963656] type=1325 audit(1462087795.379:71): table=filter family=2 entries=58
May 1 08:29:55 trinity kernel: [5654985.963736] type=1300 audit(1462087795.379:71): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bf9a75a0 a2=b7750ff4 a3=2250 items=0 ppid=13411 pid=13412 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 1 11:29:33 trinity kernel: [5665764.295688] type=1325 audit(1462098573.714:72): table=filter family=2 entries=57
May 1 11:29:33 trinity kernel: [5665764.295765] type=1300 audit(1462098573.714:72): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfda2ba0 a2=b77adff4 a3=22e4 items=0 ppid=32410 pid=32411 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 1 19:48:03 trinity kernel: [5695674.149293] type=1325 audit(1462128483.567:73): table=filter family=2 entries=58
May 1 19:48:03 trinity kernel: [5695674.149370] type=1300 audit(1462128483.567:73): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bffb3910 a2=b76cfff4 a3=2378 items=0 ppid=20765 pid=20766 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 1 20:40:53 trinity kernel: [5698844.383281] type=1325 audit(1462131653.801:74): table=filter family=2 entries=59
May 1 20:40:53 trinity kernel: [5698844.383357] type=1300 audit(1462131653.801:74): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfe7d880 a2=b7761ff4 a3=22e4 items=0 ppid=26521 pid=26522 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 2 05:53:28 trinity kernel: [5731999.457579] type=1325 audit(1462164808.877:75): table=filter family=2 entries=58
May 2 05:53:28 trinity kernel: [5731999.457657] type=1300 audit(1462164808.877:75): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfc307b0 a2=b77a8ff4 a3=2250 items=0 ppid=20606 pid=20607 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 2 08:02:07 trinity kernel: [5739717.728041] type=1325 audit(1462172527.145:76): table=filter family=2 entries=57
May 2 08:02:07 trinity kernel: [5739717.728130] type=1300 audit(1462172527.145:76): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfb655f0 a2=b76f7ff4 a3=21bc items=0 ppid=2530 pid=2531 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 2 09:36:04 trinity kernel: [5745355.212056] type=1325 audit(1462178164.630:77): table=filter family=2 entries=56
May 2 09:36:04 trinity kernel: [5745355.212135] type=1300 audit(1462178164.630:77): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfb26040 a2=b7764ff4 a3=2250 items=0 ppid=12830 pid=12831 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 2 10:37:32 trinity kernel: [5749043.125431] type=1325 audit(1462181852.547:78): table=filter family=2 entries=57
May 2 10:37:32 trinity kernel: [5749043.125507] type=1300 audit(1462181852.547:78): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfae3220 a2=b76e7ff4 a3=21bc items=0 ppid=19175 pid=19176 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 2 12:14:13 trinity kernel: [5754843.852220] type=1325 audit(1462187653.271:79): table=filter family=2 entries=56
May 2 12:14:13 trinity kernel: [5754843.852297] type=1300 audit(1462187653.271:79): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfe58c60 a2=b76ecff4 a3=2128 items=0 ppid=29308 pid=29309 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 2 12:41:59 trinity kernel: [5756510.071418] type=1325 audit(1462189319.490:80): table=filter family=2 entries=55
May 2 12:41:59 trinity kernel: [5756510.071496] type=1300 audit(1462189319.490:80): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfe31480 a2=b7722ff4 a3=2094 items=0 ppid=32586 pid=32587 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 2 12:58:14 trinity kernel: [5757485.373768] type=1325 audit(1462190294.794:81): table=filter family=2 entries=54
May 2 12:58:14 trinity kernel: [5757485.373846] type=1300 audit(1462190294.794:81): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bf8cb380 a2=b7754ff4 a3=2128 items=0 ppid=1736 pid=1737 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 2 14:34:51 trinity kernel: [5763282.057294] type=1325 audit(1462196091.475:82): table=filter family=2 entries=55
May 2 14:34:51 trinity kernel: [5763282.057370] type=1300 audit(1462196091.475:82): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfce29f0 a2=b7736ff4 a3=2094 items=0 ppid=12057 pid=12058 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
May 2 15:31:28 trinity kernel: [5766679.552808] type=1325 audit(1462199488.973:83): table=filter family=2 entries=54
May 2 15:31:28 trinity kernel: [5766679.552884] type=1300 audit(1462199488.973:83): arch=40000003 syscall=102 success=yes exit=0 a0=e a1=bfc402f0 a2=b7718ff4 a3=2128 items=0 ppid=18365 pid=18366 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="iptables" exe="/sbin/xtables-multi" key=(null)
这表明该iptables命令由于某种原因生成审核警报。这些在安装和删除之前不会显示auditd。
检查/var/log该时间戳表明这些与fail2ban更改iptables配置以添加禁止的 IP 地址有关。
我对触发器很好,但我不知道如何禁用它们,因为我已经删除了auditd(因此,auditctl)。重新安装auditd并运行auditctl -l不会返回任何规则。
为什么iptables现在在 中生成这些条目kern.log,以及如何恢复到安装之前的配置auditd?
Debian 版本是 7.10。
更新:
有趣的是,在重新安装期间auditd,内核条目不会出现,只有在删除时才会出现。所以它们根本不存在,然后我安装了auditd,它们仍然不存在,然后我删除了auditd,它们开始出现。安装auditd会再次抑制它们,卸载它会导致它们出现。
从apt的history.log来看,
Start-Date: 2016-04-26 11:47:13
Commandline: apt-get install auditd
Install: auditd:i386 (1.7.18-1.1)
End-Date: 2016-04-26 11:47:20
Start-Date: 2016-04-26 11:48:39
Commandline: apt-get remove auditd
Remove: auditd:i386 (1.7.18-1.1)
End-Date: 2016-04-26 11:48:42
Start-Date: 2016-04-26 11:48:46
Commandline: apt-get purge auditd
Purge: auditd:i386 ()
End-Date: 2016-04-26 11:48:47
Start-Date: 2016-05-03 11:17:43
Commandline: apt-get install auditd
Install: auditd:i386 (1.7.18-1.1)
End-Date: 2016-05-03 11:17:50
Start-Date: 2016-05-03 14:46:14
Commandline: apt-get remove auditd
Remove: auditd:i386 (1.7.18-1.1)
End-Date: 2016-05-03 14:46:17
Start-Date: 2016-05-03 14:47:24
Commandline: apt-get purge auditd
Purge: auditd:i386 ()
End-Date: 2016-05-03 14:47:25
然后从kern.log,
root@trinity:/var/log# cat kern.log* | grep filter | sort
Apr 26 13:30:54 trinity kernel: [5241045.164714] type=1325 audit(1461673854.583:9): table=filter family=2 entries=62
Apr 26 13:32:53 trinity kernel: [5241164.339388] type=1325 audit(1461673973.758:10): table=filter family=2 entries=63
Apr 26 22:05:15 trinity kernel: [5271906.481895] type=1325 audit(1461704715.901:11): table=filter family=2 entries=62
Apr 27 02:28:01 trinity kernel: [5287671.603861] type=1325 audit(1461720481.020:12): table=filter family=2 entries=61
Apr 27 08:44:33 trinity kernel: [5310263.791931] type=1325 audit(1461743073.208:13): table=filter family=2 entries=60
Apr 27 11:07:33 trinity kernel: [5318844.230913] type=1325 audit(1461751653.650:14): table=filter family=2 entries=59
Apr 27 11:11:25 trinity kernel: [5319076.553128] type=1325 audit(1461751885.972:15): table=filter family=2 entries=58
Apr 27 12:31:29 trinity kernel: [5323879.969177] type=1325 audit(1461756689.387:16): table=filter family=2 entries=59
Apr 27 16:22:10 trinity kernel: [5337721.409895] type=1325 audit(1461770530.830:17): table=filter family=2 entries=58
Apr 27 17:18:25 trinity kernel: [5341095.909392] type=1325 audit(1461773905.329:18): table=filter family=2 entries=59
Apr 27 20:25:45 trinity kernel: [5352335.879430] type=1325 audit(1461785145.297:19): table=filter family=2 entries=60
Apr 27 21:19:06 trinity kernel: [5355537.157802] type=1325 audit(1461788346.575:20): table=filter family=2 entries=59
Apr 27 21:23:49 trinity kernel: [5355820.549272] type=1325 audit(1461788629.970:21): table=filter family=2 entries=58
Apr 27 21:53:23 trinity kernel: [5357593.916306] type=1325 audit(1461790403.338:22): table=filter family=2 entries=57
Apr 28 01:32:28 trinity kernel: [5370739.384433] type=1325 audit(1461803548.804:23): table=filter family=2 entries=58
Apr 28 03:35:24 trinity kernel: [5378115.178977] type=1325 audit(1461810924.598:24): table=filter family=2 entries=59
Apr 28 04:44:17 trinity kernel: [5382247.691370] type=1325 audit(1461815057.108:25): table=filter family=2 entries=60
Apr 28 05:47:42 trinity kernel: [5386052.769582] type=1325 audit(1461818862.189:26): table=filter family=2 entries=59
Apr 28 06:49:40 trinity kernel: [5389770.729248] type=1325 audit(1461822580.149:27): table=filter family=2 entries=58
Apr 28 07:03:26 trinity kernel: [5390596.850019] type=1325 audit(1461823406.267:28): table=filter family=2 entries=59
Apr 28 07:54:25 trinity kernel: [5393655.953013] type=1325 audit(1461826465.374:29): table=filter family=2 entries=60
Apr 28 17:19:02 trinity kernel: [5427533.079358] type=1325 audit(1461860342.498:30): table=filter family=2 entries=59
Apr 28 17:40:50 trinity kernel: [5428840.833735] type=1325 audit(1461861650.252:31): table=filter family=2 entries=60
Apr 28 22:11:09 trinity kernel: [5445060.419843] type=1325 audit(1461877869.838:32): table=filter family=2 entries=59
Apr 28 22:20:05 trinity kernel: [5445596.145146] type=1325 audit(1461878405.563:33): table=filter family=2 entries=60
Apr 29 01:34:17 trinity kernel: [5457247.685479] type=1325 audit(1461890057.103:34): table=filter family=2 entries=61
Apr 29 03:08:41 trinity kernel: [5462912.272201] type=1325 audit(1461895721.690:35): table=filter family=2 entries=62
Apr 29 04:05:43 trinity kernel: [5466333.873413] type=1325 audit(1461899143.292:36): table=filter family=2 entries=63
Apr 29 05:27:26 trinity kernel: [5471237.463612] type=1325 audit(1461904046.880:37): table=filter family=2 entries=64
Apr 29 05:57:55 trinity kernel: [5473065.931068] type=1325 audit(1461905875.349:38): table=filter family=2 entries=63
Apr 29 07:43:16 trinity kernel: [5479387.398790] type=1325 audit(1461912196.819:39): table=filter family=2 entries=62
Apr 29 07:59:20 trinity kernel: [5480350.703929] type=1325 audit(1461913160.122:40): table=filter family=2 entries=61
Apr 29 09:01:10 trinity kernel: [5484060.685008] type=1325 audit(1461916870.105:41): table=filter family=2 entries=62
Apr 29 09:08:56 trinity kernel: [5484527.328113] type=1325 audit(1461917336.744:42): table=filter family=2 entries=61
Apr 29 09:28:40 trinity kernel: [5485710.910410] type=1325 audit(1461918520.327:43): table=filter family=2 entries=60
Apr 29 09:35:24 trinity kernel: [5486115.462325] type=1325 audit(1461918924.881:44): table=filter family=2 entries=59
Apr 29 11:58:55 trinity kernel: [5494725.939858] type=1325 audit(1461927535.357:45): table=filter family=2 entries=58
Apr 29 12:29:44 trinity kernel: [5496575.471597] type=1325 audit(1461929384.889:46): table=filter family=2 entries=57
Apr 29 14:38:01 trinity kernel: [5504271.706427] type=1325 audit(1461937081.127:47): table=filter family=2 entries=58
Apr 29 17:01:28 trinity kernel: [5512879.168191] type=1325 audit(1461945688.583:48): table=filter family=2 entries=57
Apr 29 19:31:41 trinity kernel: [5521892.127411] type=1325 audit(1461954701.545:49): table=filter family=2 entries=56
Apr 29 19:34:02 trinity kernel: [5522033.333315] type=1325 audit(1461954842.755:50): table=filter family=2 entries=55
Apr 29 20:00:13 trinity kernel: [5523604.428545] type=1325 audit(1461956413.851:51): table=filter family=2 entries=54
Apr 29 20:34:45 trinity kernel: [5525676.172737] type=1325 audit(1461958485.593:52): table=filter family=2 entries=53
Apr 29 20:57:39 trinity kernel: [5527050.000970] type=1325 audit(1461959859.421:53): table=filter family=2 entries=54
Apr 29 21:03:22 trinity kernel: [5527393.467046] type=1325 audit(1461960202.886:54): table=filter family=2 entries=53
Apr 29 23:18:37 trinity kernel: [5535508.254569] type=1325 audit(1461968317.673:55): table=filter family=2 entries=52
Apr 30 00:29:58 trinity kernel: [5539788.920100] type=1325 audit(1461972598.339:56): table=filter family=2 entries=53
Apr 30 03:12:14 trinity kernel: [5549524.805118] type=1325 audit(1461982334.225:57): table=filter family=2 entries=54
Apr 30 03:56:03 trinity kernel: [5552154.294060] type=1325 audit(1461984963.713:58): table=filter family=2 entries=55
Apr 30 05:31:18 trinity kernel: [5557868.878686] type=1325 audit(1461990678.296:59): table=filter family=2 entries=54
Apr 30 05:51:28 trinity kernel: [5559079.495954] type=1325 audit(1461991888.912:60): table=filter family=2 entries=55
Apr 30 11:18:56 trinity kernel: [5578727.564823] type=1325 audit(1462011536.983:61): table=filter family=2 entries=56
Apr 30 11:38:34 trinity kernel: [5579905.149630] type=1325 audit(1462012714.569:62): table=filter family=2 entries=57
Apr 30 11:58:54 trinity kernel: [5581124.785297] type=1325 audit(1462013934.204:63): table=filter family=2 entries=56
Apr 30 12:28:32 trinity kernel: [5582903.150044] type=1325 audit(1462015712.567:64): table=filter family=2 entries=55
Apr 30 14:41:21 trinity kernel: [5590871.696820] type=1325 audit(1462023681.116:65): table=filter family=2 entries=54
Apr 30 17:58:37 trinity kernel: [5602708.432415] type=1325 audit(1462035517.855:66): table=filter family=2 entries=55
Apr 30 20:07:46 trinity kernel: [5610456.713610] type=1325 audit(1462043266.133:67): table=filter family=2 entries=56
May 1 00:15:50 trinity kernel: [5625341.571375] type=1325 audit(1462058150.990:68): table=filter family=2 entries=57
May 1 01:56:34 trinity kernel: [5631384.621056] type=1325 audit(1462064194.039:69): table=filter family=2 entries=58
May 1 03:47:50 trinity kernel: [5638061.478266] type=1325 audit(1462070870.899:70): table=filter family=2 entries=57
May 1 08:29:55 trinity kernel: [5654985.963656] type=1325 audit(1462087795.379:71): table=filter family=2 entries=58
May 1 11:29:33 trinity kernel: [5665764.295688] type=1325 audit(1462098573.714:72): table=filter family=2 entries=57
May 1 19:48:03 trinity kernel: [5695674.149293] type=1325 audit(1462128483.567:73): table=filter family=2 entries=58
May 1 20:40:53 trinity kernel: [5698844.383281] type=1325 audit(1462131653.801:74): table=filter family=2 entries=59
May 2 05:53:28 trinity kernel: [5731999.457579] type=1325 audit(1462164808.877:75): table=filter family=2 entries=58
May 2 08:02:07 trinity kernel: [5739717.728041] type=1325 audit(1462172527.145:76): table=filter family=2 entries=57
May 2 09:36:04 trinity kernel: [5745355.212056] type=1325 audit(1462178164.630:77): table=filter family=2 entries=56
May 2 10:37:32 trinity kernel: [5749043.125431] type=1325 audit(1462181852.547:78): table=filter family=2 entries=57
May 2 12:14:13 trinity kernel: [5754843.852220] type=1325 audit(1462187653.271:79): table=filter family=2 entries=56
May 2 12:41:59 trinity kernel: [5756510.071418] type=1325 audit(1462189319.490:80): table=filter family=2 entries=55
May 2 12:58:14 trinity kernel: [5757485.373768] type=1325 audit(1462190294.794:81): table=filter family=2 entries=54
May 2 14:34:51 trinity kernel: [5763282.057294] type=1325 audit(1462196091.475:82): table=filter family=2 entries=55
May 2 15:31:28 trinity kernel: [5766679.552808] type=1325 audit(1462199488.973:83): table=filter family=2 entries=54
May 2 15:58:13 trinity kernel: [5768283.694922] type=1325 audit(1462201093.113:84): table=filter family=2 entries=55
May 2 16:42:33 trinity kernel: [5770944.249180] type=1325 audit(1462203753.667:85): table=filter family=2 entries=56
May 2 23:25:56 trinity kernel: [5795147.404091] type=1325 audit(1462227956.820:86): table=filter family=2 entries=57
May 3 03:41:43 trinity kernel: [5810493.831850] type=1325 audit(1462243303.249:87): table=filter family=2 entries=58
May 3 04:44:46 trinity kernel: [5814276.874392] type=1325 audit(1462247086.292:88): table=filter family=2 entries=57
May 3 06:57:06 trinity kernel: [5822217.391993] type=1325 audit(1462255026.809:89): table=filter family=2 entries=56
May 3 08:21:19 trinity kernel: [5827270.101048] type=1325 audit(1462260079.522:90): table=filter family=2 entries=55
May 3 11:03:16 trinity kernel: [5836986.964890] type=1325 audit(1462269796.383:91): table=filter family=2 entries=54
May 3 16:19:19 trinity kernel: [5855950.133701] type=1325 audit(1462288759.553:306): table=filter family=2 entries=56
内核日志可以追溯到 3 月 14 日,上面显示了审计内容的第一个条目。
数据很多,但您可以看到今天 11:03 和 16:19 之间存在差距。然而,在此期间,fail2ban禁止了 3 个 IP 地址并更新了 iptables。因此,在auditd安装时,不会创建任何审核条目。
2016-05-01 08:29:55,374 fail2ban.actions: WARNING [ssh] Unban 113.107.24.247
2016-05-01 11:29:33,708 fail2ban.actions: WARNING [ssh] Ban 52.37.98.155
2016-05-01 19:48:03,560 fail2ban.actions: WARNING [ssh] Ban 185.70.184.135
2016-05-01 20:40:53,795 fail2ban.actions: WARNING [ssh] Unban 185.103.252.142
2016-05-02 05:53:28,816 fail2ban.actions: WARNING [ssh] Unban 185.110.132.54
2016-05-02 08:02:07,030 fail2ban.actions: WARNING [ssh] Unban 202.203.179.129
2016-05-02 09:36:04,623 fail2ban.actions: WARNING [ssh] Ban 42.116.173.198
2016-05-02 10:37:32,536 fail2ban.actions: WARNING [ssh] Unban 125.212.232.159
2016-05-02 12:14:13,263 fail2ban.actions: WARNING [ssh] Unban 146.0.77.32
2016-05-02 12:41:59,482 fail2ban.actions: WARNING [ssh] Unban 112.217.150.112
2016-05-02 12:58:14,786 fail2ban.actions: WARNING [ssh] Ban 210.211.99.15
2016-05-02 14:34:51,468 fail2ban.actions: WARNING [ssh] Unban 179.43.144.43
2016-05-02 15:31:28,963 fail2ban.actions: WARNING [ssh] Ban 37.54.25.239
2016-05-02 15:58:13,105 fail2ban.actions: WARNING [ssh] Ban 125.212.232.63
2016-05-02 16:42:33,660 fail2ban.actions: WARNING [ssh] Ban 146.0.77.32
2016-05-02 23:25:56,812 fail2ban.actions: WARNING [ssh] Ban 193.201.225.31
2016-05-03 03:41:43,242 fail2ban.actions: WARNING [ssh] Unban 42.112.131.91
2016-05-03 04:44:46,285 fail2ban.actions: WARNING [ssh] Unban 173.208.220.131
2016-05-03 06:57:06,803 fail2ban.actions: WARNING [ssh] Unban 193.201.225.29
2016-05-03 08:21:19,512 fail2ban.actions: WARNING [ssh] Unban 185.22.65.27
2016-05-03 11:03:16,375 fail2ban.actions: WARNING [ssh] Ban 173.208.129.210
2016-05-03 13:30:55,106 fail2ban.actions: WARNING [ssh] Unban 58.187.224.226
2016-05-03 14:01:26,542 fail2ban.actions: WARNING [ssh] Ban 221.11.92.253
2016-05-03 14:32:17,009 fail2ban.actions: WARNING [ssh] Ban 82.204.67.66
2016-05-03 16:19:19,543 fail2ban.actions: WARNING [ssh] Ban 169.54.174.138
答案1
无论某些服务器正在侦听,都会生成审核条目audit_log_acct_message。
据我所知,系统调用102是getuid()——你可以检查使用ausyscall 102(我害怕auditctl在这一切之后安装:P)。
审计消息不是由其iptables本身调用的,而是在内核的某个地方调用的。您可以使用audit_enable=0或在启动时摆脱它audit=0。但这样并不能解决拥有问题(安装auditctl可能已将这个启用触发器添加到启动选项中?)。
进一步的调查可能应该检查最新的 Debian,如果它做了同样的事情,然后grep在 Debian 7 附带的版本上进一步检查内核源代码。
内核参数解释:
audit= [KNL] Enable the audit sub-system
Format: { "0" | "1" } (0 = disabled, 1 = enabled)
0 - kernel audit is disabled and can not be enabled
until the next reboot
unset - kernel audit is initialized but disabled and
will be fully enabled by the userspace auditd.
1 - kernel audit is initialized and partially enabled,
storing at most audit_backlog_limit messages in
RAM until it is fully enabled by the userspace
auditd.
Default: unset
所以它之前没有初始化,初始化是在卸载时auditd和卸载后进行的,生成消息,但被内核捕获......仍然不确定如何在内核空间中以重新启动和/或设置(和重新启动)audit以外的方式禁用boot=0。