How can auditd be writing to /var/log/audit/audit.log even though "auditctl -l" shows no rules?

My server is CentOS 7.6.

[root@localhost /]# auditctl -l
No rules
[root@localhost /]# cat /var/log/audit/audit.log
type=CRED_REFR msg=audit(1552434501.528:25860): pid=12659 uid=0 auid=0 ses=3578 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1552434501.570:25861): pid=12659 uid=0 auid=0 ses=3578 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
type=SYSCALL msg=audit(1552434501.574:25862): arch=c000003e syscall=2 success=yes exit=3 a0=7fd2239664d2 a1=80000 a2=1b6 a3=24 items=1 ppid=20513 pid=12659 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3578 comm="crond" exe="/usr/sbin/crond" key="passwd_changes"
type=CWD msg=audit(1552434501.574:25862):  cwd="/"
type=PATH msg=audit(1552434501.574:25862): item=0 name="/etc/passwd" inode=1573099 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PROCTITLE msg=audit(1552434501.574:25862): proctitle=2F7573722F7362696E2F63727F6E64002D6E
type=USER_END msg=audit(1552434501.574:25863): pid=12659 uid=0 auid=0 ses=3578 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success' 

The problem is that I have never had passwd_changes recently. What does comm="crond" exe="/usr/sbin/crond" key="passwd_changes" mean?

Answer 1

I think you will find that other facilities (for example the PAM library) also send messages to auditd.

For a good reference on the fields, see https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-understanding_audit_log_files

If you run the ausearch program on the raw log you can also get more information. For example, running ausearch on the above shows:

# ausearch -i -if /tmp/x.1
----
type=CRED_REFR msg=audit(03/13/2019 10:48:21.528:25860) : pid=12659 uid=root auid=root ses=3578 msg='op=PAM:setcred grantors=pam_env,pam_unix acct=root exe=/usr/sbin/crond hostname=? addr=? terminal=cron res=success' 
----
type=CRED_DISP msg=audit(03/13/2019 10:48:21.570:25861) : pid=12659 uid=root auid=root ses=3578 msg='op=PAM:setcred grantors=pam_env,pam_unix acct=root exe=/usr/sbin/crond hostname=? addr=? terminal=cron res=success' 
----
type=USER_END msg=audit(03/13/2019 10:48:21.574:25863) : pid=12659 uid=root auid=root ses=3578 msg='op=PAM:session_close grantors=pam_loginuid,pam_keyinit,pam_limits,pam_systemd acct=root exe=/usr/sbin/crond hostname=? addr=? terminal=cron res=success' 
----
type=PROCTITLE msg=audit(03/13/2019 10:48:21.574:25862) : proctitle=/usr/sbin/crnd -n 
type=PATH msg=audit(03/13/2019 10:48:21.574:25862) : item=0 name=/etc/passwd inode=1573099 dev=fd:01 mode=file,644 ouid=root ogid=root rdev=00:00 objtype=NORMAL cap_fp=none cap_fi=none cap_fe=0 cap_fver=0 
type=CWD msg=audit(03/13/2019 10:48:21.574:25862) :  cwd=/ 
type=SYSCALL msg=audit(03/13/2019 10:48:21.574:25862) : arch=x86_64 syscall=open success=yes exit=3 a0=0x7fd2239664d2 a1=O_RDONLY|O_CLOEXEC a2=0x1b6 a3=0x24 items=1 ppid=20513 pid=12659 auid=root uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=3578 comm=crond exe=/usr/sbin/crond key=passwd_changes 
#
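Added example, not code from the question or the answer: a small Python parser that groups raw audit.log records by event serial and separates events produced by the kernel's syscall auditing (SYSCALL/CWD/PATH records, which carry the matching rule's key=) from user-space messages such as the PAM CRED_*/USER_* records. The sample log is constructed from the question's records with some fields trimmed, and the SYSCALL_TYPES grouping is this example's own assumption.

```python
import re
from collections import defaultdict

# Constructed sample in the style of the question's audit.log (fields trimmed).
SAMPLE_LOG = """\
type=CRED_REFR msg=audit(1552434501.528:25860): pid=12659 uid=0 auid=0 ses=3578 msg='op=PAM:setcred grantors=pam_env,pam_unix acct="root" exe="/usr/sbin/crond" terminal=cron res=success'
type=SYSCALL msg=audit(1552434501.574:25862): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=20513 pid=12659 auid=0 uid=0 ses=3578 comm="crond" exe="/usr/sbin/crond" key="passwd_changes"
type=CWD msg=audit(1552434501.574:25862):  cwd="/"
type=PATH msg=audit(1552434501.574:25862): item=0 name="/etc/passwd" inode=1573099 dev=fd:01 mode=0100644 ouid=0 ogid=0
type=USER_END msg=audit(1552434501.574:25863): pid=12659 uid=0 auid=0 ses=3578 msg='op=PAM:session_close acct="root" exe="/usr/sbin/crond" terminal=cron res=success'
"""

HEADER = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")
# Record types produced by the kernel's syscall auditing, i.e. by a loaded rule
# (assumed grouping). Other types (CRED_*, USER_*, ...) are sent by user space such as PAM.
SYSCALL_TYPES = {"SYSCALL", "CWD", "PATH", "PROCTITLE", "EXECVE", "SOCKADDR"}

def parse_fields(text):
    """'k=v k2="v2"' -> dict; a nested msg='op=... acct=...' payload is parsed too."""
    fields = {}
    for key, val in FIELD.findall(text):
        val = val.strip("\"'")
        if key == "msg" and "=" in val:
            fields.update(parse_fields(val))  # PAM payload: op=, acct=, exe=, res=
        else:
            fields[key] = val
    return fields

def parse_record(line):
    m = HEADER.match(line)
    if not m:
        return None
    rtype, ts, serial, rest = m.groups()
    return {"type": rtype, "time": float(ts), "serial": int(serial), **parse_fields(rest)}

def summarize(log_text):
    """Group records by event serial; report whether each event was produced by
    an audit rule (SYSCALL record carrying the rule key) or came from user space."""
    events = defaultdict(list)
    for rec in filter(None, map(parse_record, log_text.splitlines())):
        events[rec["serial"]].append(rec)
    summary = {}
    for serial, recs in sorted(events.items()):
        types = {r["type"] for r in recs}
        key = next((r.get("key") for r in recs if r["type"] == "SYSCALL"), None)
        summary[serial] = {"source": "audit rule" if types & SYSCALL_TYPES else "user space",
                           "key": None if key in (None, "(null)") else key,
                           "op": recs[0].get("op"), "exe": recs[0].get("exe")}
    return summary
```

The key= value is the -k label of the rule that matched when the event was written, so it documents the rule set loaded at that moment rather than the one auditctl -l shows now.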
