{"id":6404,"date":"2020-01-19T20:08:37","date_gmt":"2020-01-19T12:08:37","guid":{"rendered":"https:\/\/www.linuxcool.com\/?p=6404"},"modified":"2023-05-01T15:25:49","modified_gmt":"2023-05-01T07:25:49","slug":"auditctl","status":"publish","type":"post","link":"https:\/\/www.linuxcool.com\/auditctl","title":{"rendered":"auditctl\u547d\u4ee4 &#8211; \u7ba1\u7406\u5185\u6838\u7684\u5ba1\u8ba1\u7cfb\u7edf"},"content":{"rendered":"\n<p>auditctl\u547d\u4ee4\u6765\u81ea\u82f1\u6587\u8bcd\u7ec4\u201caudit control\u201d\u7684\u7f29\u5199\uff0c\u5176\u529f\u80fd\u662f\u7528\u4e8e\u7ba1\u7406\u5185\u6838\u7684\u5ba1\u8ba1\u7cfb\u7edf\u3002\u7cfb\u7edf\u7ba1\u7406\u5458\u53ef\u4ee5\u4f7f\u7528auditctl\u547d\u4ee4\u5bf9Linux\u7cfb\u7edf\u5185\u6838\u7684\u5ba1\u8ba1\u7cfb\u7edf\u8fdb\u884c\u7ba1\u7406\uff0c\u4f8b\u5982\u6267\u884c\u67e5\u770b\u5ba1\u8ba1\u7cfb\u7edf\u72b6\u6001\u3001\u6dfb\u52a0\u6216\u5220\u9664\u5ba1\u8ba1\u89c4\u5219\u7b49\u7b49\u64cd\u4f5c\u3002<\/p>\n\n\n\n<p><strong>\u8bed\u6cd5\u683c\u5f0f\uff1a<\/strong>auditctl [\u53c2\u6570]<\/p>\n\n\n\n<p><strong>\u5e38\u7528\u53c2\u6570\uff1a<\/strong><\/p>\n\n\n\n<figure class=\"wp-block-table\"><table 
class=\"has-fixed-layout\"><tbody><tr><td>-a<\/td><td>\u5411\u5217\u8868\u5c3e\u90e8\u6dfb\u52a0\u89c4\u5219\uff08\u683c\u5f0f\u4e3a \u5217\u8868,\u52a8\u4f5c\uff0c\u5982 exit,always\uff09<\/td><\/tr><tr><td>-A<\/td><td>\u5411\u5217\u8868\u5934\u90e8\u6dfb\u52a0\u89c4\u5219<\/td><\/tr><tr><td>-b<\/td><td>\u8bbe\u7f6e\u7f13\u51b2\u533a\u6700\u5927\u503c<\/td><\/tr><tr><td>-d<\/td><td>\u5220\u9664\u89c4\u5219<\/td><\/tr><tr><td>-D<\/td><td>\u6e05\u7a7a\u5168\u90e8\u89c4\u5219<\/td><\/tr><tr><td>-F<\/td><td>\u6784\u5efa\u89c4\u5219\u7684\u8fc7\u6ee4\u5b57\u6bb5\uff08\u540d\u79f0 \u8fd0\u7b97\u7b26 \u503c\uff0c\u5982 uid=1000\u3001arch=b64\uff09<\/td><\/tr><tr><td>-i<\/td><td>\u5ffd\u7565\u8bfb\u53d6\u6587\u4ef6\u65f6\u7684\u9519\u8bef<\/td><\/tr><tr><td>-k<\/td><td>\u4e3a\u89c4\u5219\u8bbe\u7f6e\u5173\u952e\u5b57\uff0c\u4fbf\u4e8e\u7528 ausearch -k \u68c0\u7d22<\/td><\/tr><tr><td>-l<\/td><td>\u663e\u793a\u6240\u6709\u7684\u89c4\u5219<\/td><\/tr><tr><td>-p<\/td><td>\u8bbe\u7f6e\u6587\u4ef6\u76d1\u63a7\u8981\u5ba1\u8ba1\u7684\u8bbf\u95ee\u7c7b\u578b\uff08r\/w\/x\/a\uff09<\/td><\/tr><tr><td>-R<\/td><td>\u8bbe\u7f6e\u4ece\u6587\u4ef6\u4e2d\u8bfb\u53d6\u89c4\u5219<\/td><\/tr><tr><td>-s<\/td><td>\u663e\u793a\u5ba1\u8ba1\u7cfb\u7edf\u72b6\u6001<\/td><\/tr><tr><td>-S<\/td><td>\u6307\u5b9a\u8981\u5ba1\u8ba1\u7684\u7cfb\u7edf\u8c03\u7528\u540d\u79f0\u6216\u7f16\u53f7\uff0c\u53ef\u591a\u6b21\u4f7f\u7528<\/td><\/tr><tr><td>-w<\/td><td>\u8bbe\u7f6e\u8981\u76d1\u63a7\u7684\u8def\u5f84<\/td><\/tr><\/tbody><\/table><\/figure>\n\n\n\n<p><strong>\u53c2\u8003\u793a\u4f8b<\/strong><\/p>\n\n\n\n<p>\u67e5\u770b\u5ba1\u8ba1\u7cfb\u7edf\u7684\u8fd0\u884c\u72b6\u6001\u4fe1\u606f\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">[root@linuxcool ~]# <strong>auditctl -s <\/strong>\nenabled 1\nfailure 1\npid 937\nrate_limit 0\nbacklog_limit 8192\nlost 0\nbacklog 0\nbacklog_wait_time 60000\nloginuid_immutable 0 unlocked\n<\/pre>\n\n\n\n<p>\u67e5\u770b\u73b0\u6709\u7684\u5ba1\u8ba1\u89c4\u5219\uff1a<\/p>\n\n\n\n<div class=\"wp-block-group\"><div class=\"wp-block-group__inner-container is-layout-constrained wp-block-group-is-layout-constrained\">\n<pre class=\"wp-block-preformatted\">[root@linuxcool ~]# <strong>auditctl -l<\/strong>\nNo 
rules<\/pre>\n\n\n\n<p>\u6dfb\u52a0\u4e00\u6761\u5ba1\u8ba1\u89c4\u5219\uff0c\u7528\u4e8e\u8bb0\u5f55\u6307\u5b9a\u7528\u6237\uff08UID\uff1a1000\uff09\u7684\u6240\u6709\u6253\u5f00\u7cfb\u7edf\u8c03\u7528\u7684\u884c\u4e3a\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">[root@linuxcool ~]# <strong>auditctl -a entry,always -S open -F uid=1000<\/strong>\nWarning - entry rules deprecated, changing to exit rule\nWARNING -32\/64 bit syscall mismatch, you should specify an arch<\/pre>\n\n\n\n<p>\u6ce8\u610f\uff1a\u4e0a\u8ff0\u8b66\u544a\u8868\u793a entry \u5217\u8868\u5df2\u5f03\u7528\uff08\u5e94\u76f4\u63a5\u5199 exit,always\uff09\uff0c\u5e76\u4e14\u672a\u6307\u5b9a\u67b6\u6784\u65f6 32\/64 \u4f4d\u7cfb\u7edf\u8c03\u7528\u7f16\u53f7\u4f1a\u4e0d\u4e00\u81f4\uff0c\u5b9e\u9645\u4f7f\u7528\u65f6\u5e94\u52a0\u4e0a -F arch=b64\uff08\u6216 b32\uff09\uff1b\u6b64\u5916 uid \u4f1a\u968f su\/sudo \u5207\u6362\u800c\u6539\u53d8\uff0c\u82e5\u8981\u6309\u767b\u5f55\u7528\u6237\u8ffd\u8e2a\uff0c\u901a\u5e38\u4f7f\u7528 -F auid= \u5e76\u914d\u5408 -k \u8bbe\u7f6e\u5173\u952e\u5b57\u4ee5\u4fbf\u68c0\u7d22\u3002<\/p>\n\n\n\n<p>\u5220\u9664\u4e00\u6761\u6307\u5b9a\u7684\u5ba1\u8ba1\u89c4\u5219\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">[root@linuxcool ~]# <strong>auditctl -d entry,always -S open -F uid=1000<\/strong>\nWarning - entry rules deprecated, changing to exit rule<\/pre>\n\n\n\n<p>\u6e05\u7a7a\u5f53\u524d\u7cfb\u7edf\u4e2d\u5df2\u6709\u7684\u5168\u90e8\u5ba1\u8ba1\u89c4\u5219\uff1a<\/p>\n\n\n\n<pre class=\"wp-block-preformatted\">[root@linuxcool ~]# <strong>auditctl -D<\/strong><\/pre>\n<\/div><\/div>\n","protected":false},"excerpt":{"rendered":"<p>auditctl\u547d\u4ee4\u6765\u81ea\u82f1\u6587\u8bcd\u7ec4\u201caudit control\u201d\u7684\u7f29\u5199\uff0c\u5176\u529f\u80fd\u662f\u7528\u4e8e\u7ba1\u7406\u5185\u6838\u7684\u5ba1\u8ba1\u7cfb\u7edf\u3002\u7cfb\u7edf\u7ba1\u7406\u5458 
[&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[1],"tags":[],"class_list":["post-6404","post","type-post","status-publish","format-standard","hentry","category-file"],"_links":{"self":[{"href":"https:\/\/www.linuxcool.com\/wp-json\/wp\/v2\/posts\/6404","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.linuxcool.com\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.linuxcool.com\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.linuxcool.com\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.linuxcool.com\/wp-json\/wp\/v2\/comments?post=6404"}],"version-history":[{"count":10,"href":"https:\/\/www.linuxcool.com\/wp-json\/wp\/v2\/posts\/6404\/revisions"}],"predecessor-version":[{"id":14699,"href":"https:\/\/www.linuxcool.com\/wp-json\/wp\/v2\/posts\/6404\/revisions\/14699"}],"wp:attachment":[{"href":"https:\/\/www.linuxcool.com\/wp-json\/wp\/v2\/media?parent=6404"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.linuxcool.com\/wp-json\/wp\/v2\/categories?post=6404"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.linuxcool.com\/wp-json\/wp\/v2\/tags?post=6404"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}