Linux audit security audit tool

/**********************************************************************
 * Linux audit security audit tool
 * Description:
 * I came across security auditing today; looking into it, I found that the kernel has support for security auditing.
 *
 * 2018-4-23 Zeng Jianfeng, Xixiang, Baoan, Shenzhen
 *********************************************************************/

1. Reference documents:
    1. Unable to open /sbin/audispd (No such file or directory)
        https://bugzilla.redhat.com/show_bug.cgi?id=207627

2. Error - audit support not in kernel
    lqqqqqqqqqqqqqqqqqqqqqqqqqqqqq General setup qqqqqqqqqqqqqqqqqqqqqqqqqqqqqk
    x  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty x
    x  submenus ----).  Highlighted letters are hotkeys.  Pressing <Y>        x
    x  includes, <N> excludes, <M> modularizes features.  Press <Esc><Esc> to x
    x  exit, <?> for Help, </> for Search.  Legend: [*] built-in  [ ]         x
    x lqqqq^(-)qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk x
    x x    [*] open by fhandle syscalls                                     x x
    x x    [*] uselib syscall                                               x x
    x x    [*] Auditing support         <---------------------              x x
    x x    [*] Enable system-call auditing support                          x x
    x x        IRQ subsystem  --->                                          x x
    x x        Timers subsystem  --->                                       x x
    x x        CPU/Task time and stats accounting  --->                     x x
    x x        RCU Subsystem  --->                                          x x
    x x    <*> Kernel .config support                                       x x
    x x    [*]   Enable access to .config through /proc/config.gz           x x
    x mqqqqv(+)qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj x
    tqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqu
    x        <Select>    < Exit >    < Help >    < Save >    < Load >         x
    ...
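To check the same two options from a running system (the menu above also exposes the built config through /proc/config.gz when "Kernel .config support" is enabled), here is an added Python example; it is not part of the original note. It assumes the standard Kconfig symbol names CONFIG_AUDIT and CONFIG_AUDITSYSCALL behind "Auditing support" and "Enable system-call auditing support", and the usual /boot/config-<release> fallback; the sample config text inside is constructed. If CONFIG_AUDIT is off, auditd fails with exactly the "audit support not in kernel" error this section is about.

```python
"""Check whether a kernel config has audit support enabled.

Added example, not from the original note. Reads /proc/config.gz (needs
CONFIG_IKCONFIG_PROC, the '/proc/config.gz' item in the menu) or
/boot/config-<release>, and reports which audit symbols are missing.
"""
import gzip
import os
import platform

# Kconfig symbols behind "Auditing support" and
# "Enable system-call auditing support" (assumed standard names).
REQUIRED = ("CONFIG_AUDIT", "CONFIG_AUDITSYSCALL")

# Constructed sample in .config syntax, used when no live config is exposed.
SAMPLE_CONFIG = """\
# CONFIG_AUDIT is not set
CONFIG_LOCALVERSION=""
CONFIG_IKCONFIG_PROC=y
"""


def parse_kconfig(text):
    """Return {symbol: value} from kernel .config text.

    Handles 'CONFIG_X=y', 'CONFIG_X="str"' and the
    '# CONFIG_X is not set' form (recorded as 'n').
    """
    options = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        if line.startswith("# ") and line.endswith(" is not set"):
            options[line[2:-len(" is not set")]] = "n"
        elif line.startswith("CONFIG_") and "=" in line:
            key, _, value = line.partition("=")
            options[key] = value.strip('"')
    return options


def audit_status(options):
    """Map each required audit symbol to True/False (missing counts as False)."""
    return {sym: options.get(sym) == "y" for sym in REQUIRED}


def missing_audit_options(options):
    """Symbols that must be enabled before auditd can start; empty list means OK."""
    return [sym for sym, on in audit_status(options).items() if not on]


def load_running_kernel_config():
    """Read the live kernel's config, or None when it is not exposed."""
    if os.path.exists("/proc/config.gz"):
        with gzip.open("/proc/config.gz", "rt") as f:
            return f.read()
    path = "/boot/config-" + platform.release()
    if os.path.exists(path):
        with open(path) as f:
            return f.read()
    return None


if __name__ == "__main__":
    cfg = load_running_kernel_config()
    if cfg is None:
        print("live kernel config not exposed; checking the constructed sample instead")
        cfg = SAMPLE_CONFIG
    missing = missing_audit_options(parse_kconfig(cfg))
    print("audit support OK" if not missing else "missing: " + ", ".join(missing))
```

Run it on the target box after rebuilding the kernel; an empty "missing" list means auditd will at least get past the kernel check (the daemon's own config and the audispd path are separate issues, as the reference link shows).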

3. Run the test:
    1. Command test:
        [buildroot@root ~]#  auditd  -f
        Config file /etc/audit/auditd.conf opened for parsing
        local_events_parser called with: yes
        write_logs_parser called with: yes
        audit: type=1305 audit(61.430:2): audit_pid=283 old=0 auid=4294967295 ses=4294967295 res=1
        log_file_parser called with: /var/log/audit/audit.log
        log_group_parser called with: root
        log_format_parser called with: RAW
        flush_parser called with: INCREMENTAL_ASYNC
        freq_parser called with: 50
        max_log_size_parser called with: 8
        num_logs_parser called with: 5
        priority_boost_parser called with: 4
        qos_parser called with: lossy
        dispatch_parser called with: /usr/sbin/audispd
        name_format_parser called with: NONE
        max_log_size_action_parser called with: ROTATE
        space_left_parser called with: 75
        space_action_parser called with: SYSLOG
        action_mail_acct_parser called with: root
        admin_space_left_parser called with: 50
        admin_space_left_action_parser called with: SUSPEND
        disk_full_action_parser called with: SUSPEND
        disk_error_action_parser called with: SUSPEND
        use_libwrap_parser called with: yes
        tcp_listen_queue_parser called with: 5
        tcp_max_per_addr_parser called with: 1
        tcp_client_max_idle_parser called with: 0
        enable_krb5_parser called with: no
        GSSAPI support is not enabled, ignoring value at line 33
        krb5_principal_parser called with: auditd
        GSSAPI support is not enabled, ignoring value at line 34
        distribute_network_parser called with: no
        Started dispatcher: /usr/sbin/audispd pid: 285
        type=DAEMON_START msg=audit(61.435:1106): op=start ver=2.7.1 format=raw kernel=4.1.15+g30278ab auid=4294967295 pid=283 uid=0 ses=4294967295 res=success
        config_manager init complete
        dispatcher 285 reaped
        Init complete, auditd 2.7.1 listening for events (startup state enable)
    2. Self-start at boot:
        [buildroot@root ~]#  ps aux | grep audit
          168 root     /usr/sbin/auditd
          171 root     [kauditd]
          283 root     grep audit
        [buildroot@root ~]#  aureport -m

        Account Modifications Report
        =================================================
        # date time auid addr term exe acct success event
        =================================================
        <no events of interest were found>

        [buildroot@root ~]#
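The startup output above contains two raw audit records: the kernel-printed `type=1305` line (emitted when auditd registers its pid) and auditd's own `DAEMON_START` line. As an added example that is not part of the original note, the following Python parses records in that raw `type=... audit(ts:serial): key=value ...` format with a plain regex rather than libaudit/auparse. It maps numeric type 1305 to AUDIT_CONFIG_CHANGE from linux/audit.h and treats auid/ses=4294967295 (the unsigned view of -1) as "unset", which is what boot-time services look like; the sample records are copied from the session above.

```python
"""Parse raw auditd records such as the ones printed by `auditd -f` above.

Added example, not part of the original note. Plain key=value reader,
not libaudit/auparse; numeric type 1305 is AUDIT_CONFIG_CHANGE in
linux/audit.h.
"""
import re

# Copied from the session above (records emitted while auditd starts).
SAMPLE_RECORDS = [
    "audit: type=1305 audit(61.430:2): audit_pid=283 old=0 auid=4294967295 ses=4294967295 res=1",
    "type=DAEMON_START msg=audit(61.435:1106): op=start ver=2.7.1 format=raw "
    "kernel=4.1.15+g30278ab auid=4294967295 pid=283 uid=0 ses=4294967295 res=success",
]

# Numeric record types (linux/audit.h) seen in kernel-printed records.
TYPE_NAMES = {1305: "CONFIG_CHANGE"}
UNSET_ID = 4294967295  # (unsigned) -1: no login uid / session has been set

# Optional "audit:" printk prefix, type, optional "msg=", then audit(ts:serial):
_HEADER = re.compile(
    r"^(?:audit:\s*)?type=(?P<type>\w+)\s+(?:msg=)?"
    r"audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Return {type, timestamp, serial, fields} for one raw record, or None."""
    m = _HEADER.match(line.strip())
    if not m:
        return None
    rtype = m.group("type")
    if rtype.isdigit():
        rtype = TYPE_NAMES.get(int(rtype), "UNKNOWN_" + rtype)
    fields = {k: v.strip('"') for k, v in _KV.findall(m.group("body"))}
    for key in ("auid", "ses"):
        if key in fields and fields[key].isdigit() and int(fields[key]) == UNSET_ID:
            fields[key] = None  # unset, not a real id
    return {
        "type": rtype,
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "fields": fields,
    }


def daemon_state_changes(lines):
    """Summarise records that change the audit daemon itself.

    Returns ('audit_pid', old, new) for the kernel's pid handover and
    ('start', version, result) for DAEMON_START; such records are worth
    alerting on because they mark the audit trail being (re)started.
    """
    events = []
    for line in lines:
        rec = parse_record(line)
        if rec is None:
            continue
        f = rec["fields"]
        if rec["type"] == "CONFIG_CHANGE" and "audit_pid" in f:
            events.append(("audit_pid", int(f["old"]), int(f["audit_pid"])))
        elif rec["type"] == "DAEMON_START":
            events.append(("start", f.get("ver"), f.get("res")))
    return events


if __name__ == "__main__":
    for rec in map(parse_record, SAMPLE_RECORDS):
        print(rec)
    print(daemon_state_changes(SAMPLE_RECORDS))
```

Feeding `/var/log/audit/audit.log` (the RAW-format file from the config dump above) line by line through `parse_record` gives the same structure for every record type; `daemon_state_changes` is the kind of small check a collector can run to notice when auditing was stopped or restarted.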
