Summary: this Fengge tutorial draws on the official documentation for Linux, Red Hat Enterprise Linux, Ansible Automation Platform, Docker, Kubernetes and Podman, among others, and describes the configuration and use of the relevant technologies in detail.
Fengge tip: this document describes in detail how to configure and manage Linux system auditing.
Part01-Audit Basic Configuration
1.1 Installing and starting Audit
# Install the audit package
$ sudo dnf install -y audit
# Start the auditd service
$ sudo systemctl start auditd
$ sudo systemctl enable auditd
# Check auditd status
$ sudo systemctl status auditd
● auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: active (running) since Fri 2026-04-04 02:50:00 UTC; 1min ago
# List the audit rules
$ sudo auditctl -l
No rules
# Add an audit rule
$ sudo auditctl -w /etc/passwd -p wa -k passwd_changes
# Search the audit log
$ sudo ausearch -k passwd_changes
time->Fri Apr 4 02:50:30 2026
type=PATH msg=audit(1712206230.123:456): item=0 name="/etc/passwd" inode=12345 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
# View all audit records
$ sudo ausearch -m all | head -20
# Delete all audit rules
$ sudo auditctl -D
No rules
Part02-Audit Rule Configuration
2.1 Configuring audit rules
$ sudo tee /etc/audit/rules.d/audit.rules << 'EOF'
## Delete all rules
-D
## Set the buffer size
-b 8192
## Set the failure mode
-f 1
## Monitor system calls
-a always,exit -F arch=b64 -S chmod,chown,fchmod,fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
## Monitor file access
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
-w /etc/ssh/sshd_config -p wa -k ssh_config
## Monitor directory changes
-w /etc/ -p wa -k etc_changes
-w /var/log/ -p wa -k log_changes
## Monitor user activity
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
## Monitor kernel module loading
-w /usr/bin/insmod -p x -k modules
-w /usr/bin/rmmod -p x -k modules
-w /usr/bin/modprobe -p x -k modules
## Monitor time changes
-a always,exit -F arch=b64 -S settimeofday -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
## Monitor network configuration
-a always,exit -F arch=b64 -S sethostname -k network
-a always,exit -F arch=b64 -S setdomainname -k network
## Monitor processes
-a always,exit -F arch=b64 -S execve -k exec
EOF
# Restart auditd to apply the rules
$ sudo systemctl restart auditd
# List the rules
$ sudo auditctl -l
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
-w /etc/ssh/sshd_config -p wa -k ssh_config
# Monitor a specific user
$ sudo auditctl -a always,exit -F arch=b64 -F auid=1000 -k user_activity
# Monitor a specific program
$ sudo auditctl -a always,exit -F arch=b64 -S execve -F path=/usr/bin/passwd -k passwd_exec
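As an added check that is not part of the tutorial, the Python below parses the rules file and the text that `auditctl -l` prints and reports file rules the kernel does not have loaded (a rule with a bad path or a typo fails silently). Both inputs are constructed samples; the comparison treats `-k X` and `-F key=X`, `exit,always` and `always,exit`, and `auid!=4294967295` and `auid!=-1` as the same rule.

```python
import shlex

# Constructed sample of /etc/audit/rules.d/audit.rules (not taken from a real host).
RULES_FILE = """\
-D
## Monitor system calls
-a always,exit -F arch=b64 -S chmod,chown,fchmod,fchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k sudoers
-a exit,always -F arch=b64 -S sethostname -k network
"""
# Constructed `auditctl -l` output: the kernel echoes keys as `-F key=` and the unset auid as -1.
LOADED = """\
-a always,exit -F arch=b64 -S chmod,chown,fchmod,fchown -F auid>=1000 -F auid!=-1 -F key=perm_mod
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
"""
CONTROL_OPTS = {"-D", "-b", "-f", "-e", "-r"}  # daemon/kernel settings, not rules


def parse_rule(line):
    """Turn one auditctl rule into a canonical tuple so equivalent spellings compare equal."""
    toks = shlex.split(line.split("#", 1)[0])
    if not toks or toks[0] in CONTROL_OPTS:
        return None  # blank line, comment, or a control option rather than a rule
    kind = watch = perms = key = None
    syscalls, fields = set(), set()
    for opt, val in zip(toks[::2], toks[1::2]):
        if opt == "-w":
            kind, watch = "watch", val
        elif opt == "-p":
            perms = "".join(sorted(val))  # "wa" and "aw" are the same permissions
        elif opt == "-a":
            kind = "syscall"
            fields.add("list=" + ",".join(sorted(val.split(","))))  # exit,always == always,exit
        elif opt == "-S":
            syscalls.update(val.split(","))
        elif opt == "-k" or (opt == "-F" and val.startswith("key=")):
            key = val.removeprefix("key=")
        elif opt == "-F":
            fields.add(val.replace("auid!=4294967295", "auid!=-1"))
    return (kind, watch, perms, frozenset(syscalls), frozenset(fields), key)


def missing_rules(rules_text, loaded_text):
    """Rules written in the rules file that the kernel does not report as loaded."""
    loaded = {r for r in map(parse_rule, loaded_text.splitlines()) if r}
    return [line for line in rules_text.splitlines()
            if (rule := parse_rule(line)) and rule not in loaded]
```

On a real host, feed it the contents of /etc/audit/rules.d/audit.rules and the output of `auditctl -l`; a non-empty result means the running policy is weaker than the file suggests.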
Part03-Audit Log Analysis
3.1 Log queries and analysis
# Query by time
$ sudo ausearch -ts today
$ sudo ausearch -ts yesterday
$ sudo ausearch -ts "02:50:00"
$ sudo ausearch -ts "2026-04-04 02:50:00"
# Query by message type
$ sudo ausearch -m USER_LOGIN
$ sudo ausearch -m USER_AUTH
$ sudo ausearch -m EXECVE
$ sudo ausearch -m SYSCALL
# Query by user
$ sudo ausearch -ua user1
$ sudo ausearch -ua 1000
# Query by key
$ sudo ausearch -k passwd_changes
$ sudo ausearch -k identity
# Query by system call
$ sudo ausearch -sc chmod
$ sudo ausearch -sc execve
# Query by file
$ sudo ausearch -f /etc/passwd
# Generate a summary audit report
$ sudo aureport
Summary Report
======================
Range of time in logs: 04/04/2026 02:50:00.000 - 04/04/2026 03:00:00.000
Selected time for report: 04/04/2026 02:50:00 - 04/04/2026 03:00:00
Number of changes in configuration: 10
Number of changes to accounts, groups, or roles: 5
Number of logins: 3
Number of failed logins: 1
Number of authentications: 5
Number of failed authentications: 2
Number of users: 2
Number of terminals: 3
Number of host names: 2
Number of executables: 10
Number of commands: 15
Number of files: 20
Number of AVC's: 0
Number of MAC events: 5
Number of failed syscalls: 3
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 2
Number of integrity events: 0
Number of virt events: 0
Number of keys: 5
Number of process IDs: 50
Number of events: 100
# Generate a login report
$ sudo aureport -l
# Generate a user report
$ sudo aureport -u
# Generate a file access report
$ sudo aureport -f
# Generate a system call report
$ sudo aureport -s
# Generate an executable report
$ sudo aureport -x
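The `ausearch` and `aureport` queries above operate on the raw records in /var/log/audit/audit.log. The following Python, an added example that is not part of the tutorial, reads that raw format directly: it groups records into events by their (timestamp:serial) pair, decodes hex-escaped values, and summarises the events carrying a given key, which is what the `-k` queries do. The log lines are constructed, modelled on the record format shown in Part01.

```python
import re

# Constructed raw audit.log sample (not from a real host); a2 of event 457 is hex-escaped,
# which auditd does for values containing spaces, quotes or control characters.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1712206230.123:456): arch=c000003e syscall=59 success=yes exit=0 items=1 ppid=1200 pid=1234 auid=1000 uid=0 gid=0 comm="passwd" exe="/usr/bin/passwd" key="exec"
type=EXECVE msg=audit(1712206230.123:456): argc=2 a0="passwd" a1="user1"
type=PATH msg=audit(1712206230.123:456): item=0 name="/usr/bin/passwd" inode=12345 dev=08:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1712206231.500:457): arch=c000003e syscall=59 success=yes exit=0 items=1 ppid=1300 pid=1301 auid=1000 uid=1000 gid=1000 comm="sh" exe="/usr/bin/bash" key="exec"
type=EXECVE msg=audit(1712206231.500:457): argc=3 a0="sh" a1="-c" a2=69643B206C73
type=SYSCALL msg=audit(1712206240.000:458): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1300 pid=1400 auid=1000 uid=0 gid=0 comm="vim" exe="/usr/bin/vim" key="identity"
type=PATH msg=audit(1712206240.000:458): item=0 name="/etc/passwd" inode=12345 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""
RECORD_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
STRING_FIELDS = {"name", "comm", "exe", "cwd", "key", "proctitle"}  # quoted or hex-escaped strings


def decode_value(raw):
    """Quoted values are literal; an unquoted run of hex byte pairs is auditd's escaped form."""
    if raw.startswith('"'):
        return raw[1:-1]
    if re.fullmatch(r"(?:[0-9A-F]{2})+", raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw  # e.g. key=(null)


def parse_events(log_text):
    """Group raw records into events keyed by (timestamp, serial), decoding string fields."""
    events = {}
    for line in log_text.splitlines():
        if not (m := RECORD_RE.match(line)):
            continue
        rtype, ts, serial, body = m.groups()
        fields = {}
        for name, raw in FIELD_RE.findall(body):
            # EXECVE a0..aN are argv strings; in SYSCALL records a0..a3 are raw register values
            is_string = name in STRING_FIELDS or (rtype == "EXECVE" and re.fullmatch(r"a\d+", name))
            fields[name] = decode_value(raw) if is_string else raw
        events.setdefault((float(ts), int(serial)), []).append((rtype, fields))
    return events


def summarize(events, key):
    """One row per event tagged with `key`: who (auid), program, argv and the paths touched."""
    rows = []
    for (_, serial), records in sorted(events.items()):
        sc = next((f for t, f in records if t == "SYSCALL"), None)
        if not sc or sc.get("key") != key:
            continue
        ex = next((f for t, f in records if t == "EXECVE"), {})
        argv = [ex[f"a{i}"] for i in range(int(ex.get("argc", 0)))]
        paths = [f["name"] for t, f in records if t == "PATH"]
        rows.append({"serial": serial, "auid": int(sc["auid"]), "comm": sc["comm"], "argv": argv, "paths": paths})
    return rows
```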
Part04-Audit Log Management
4.1 Log rotation and archiving
$ sudo tee /etc/audit/auditd.conf << 'EOF'
local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = RAW
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 100
num_logs = 5
priority_boost = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
tcp_listen_queue = 5
tcp_max_per_addr = 1
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
EOF
# Restart auditd
$ sudo systemctl restart auditd
# Rotate the log manually
$ sudo service auditd rotate
# List the log files
$ ls -lh /var/log/audit/
total 50M
-rw-------. 1 root root 10M Apr 4 03:00 audit.log
-rw-------. 1 root root 10M Apr 4 02:50 audit.log.1
-rw-------. 1 root root 10M Apr 4 02:40 audit.log.2
# Archive the audit logs
$ sudo tar -czf /backup/audit-$(date +%Y%m%d).tar.gz /var/log/audit/
# Configure remote log transport
$ sudo tee /etc/audisp/audisp-remote.conf << 'EOF'
remote_server = logserver.fgedu.net.cn
port = 60
local_port =
transport = tcp
queue_file = /var/spool/audit/remote.log
queue_depth = 1024
format = managed
network_retry_time = 1
max_tries_per_record = 3
max_time_per_record = 5
heartbeat_timeout = 0
EOF
# Enable the remote plugin
$ sudo sed -i 's/active = no/active = yes/' /etc/audisp/plugins.d/au-remote.conf
# Restart auditd
$ sudo systemctl restart auditd
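As an added example rather than the tutorial's own material, the Python below checks an auditd.conf against a small hardening policy and rewrites the weak settings; the policy values are this example's assumption (not auditd defaults), and the sample config is a constructed excerpt reusing the settings shown above.

```python
# Constructed hardening policy, an assumption of this example (not defaults auditd enforces):
# key -> (preferred value, accepted values, why the weak value matters).
POLICY = {
    "max_log_file_action": ("keep_logs", {"keep_logs"}, "rotate overwrites the oldest of num_logs files, discarding records"),
    "space_left_action": ("email", {"email", "exec", "single", "halt"}, "syslog only writes a line nobody may read; email needs action_mail_acct and a local MTA"),
    "admin_space_left_action": ("halt", {"single", "halt"}, "suspend stops auditing while the host keeps running"),
    "disk_full_action": ("halt", {"single", "halt"}, "suspend stops auditing while the host keeps running"),
    "disp_qos": ("lossless", {"lossless"}, "lossy drops events bound for the dispatcher (remote forwarding) under load"),
}
# Constructed excerpt of an auditd.conf using the tutorial's values.
SAMPLE_CONF = """\
num_logs = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disp_qos = lossy
"""


def parse_auditd_conf(text):
    """key = value lines; keys and values are case-insensitive and '#' starts a comment."""
    conf = {}
    for line in text.splitlines():
        line = line.split("#", 1)[0]
        if "=" in line:
            k, v = (s.strip() for s in line.split("=", 1))
            conf[k.lower()] = v.lower()
    return conf


def check_auditd_conf(text, policy=POLICY):
    """(key, actual value, reason) for each setting the policy does not accept."""
    conf = parse_auditd_conf(text)
    return [(k, conf.get(k, "<unset>"), why) for k, (_, ok, why) in policy.items()
            if conf.get(k, "<unset>") not in ok]


def harden(text, policy=POLICY):
    """Rewrite each offending line to the preferred value and append any missing key."""
    conf = parse_auditd_conf(text)
    out = []
    for line in text.splitlines():
        key = line.split("=", 1)[0].strip().lower() if "=" in line else None
        if key in policy and conf[key] not in policy[key][1]:
            line = f"{key} = {policy[key][0]}"
        out.append(line)
    out += [f"{k} = {p}" for k, (p, _, _) in policy.items() if k not in conf]
    return "\n".join(out) + "\n"
```

Note that `halt` for admin_space_left_action and disk_full_action trades availability for audit completeness; pick `single` where that is too strong for the host's role.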
1. Monitor critical files and directories
2. Record user activity
3. Monitor system calls
4. Analyze audit logs regularly
5. Configure remote log transport
This article was compiled and published by Fengge Tutorials for learning and testing purposes only; when reposting, cite the source: http://www.fgedu.net.cn/10327.html
