Audit framework
Security
- Info
auditctl -s # reports the status of the Audit system
systemctl status systemd-journald-audit.socket
systemctl status auditd.service
auditctl -l # lists all currently loaded Audit rules
- Config
auditctl -D # deletes all currently loaded Audit rules
augenrules --load
- Reports
aureport -n # Look for abnormalities
ausearch
Configuration
Control Rules
-D # Delete all previous rules
-b 8192 # Set buffer size
-e 2 # Make the configuration immutable -- reboot is required to change audit rules
-f 2 # Panic when a failure occurs
-r 100 # Generate at most 100 audit messages per second
--loginuid-immutable 1 # Make login UID immutable once it is set (may break containers)
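As an added example (not part of the original page), a small POSIX shell helper that writes the control rules above into a rules.d fragment in the order auditd expects, -D first so stale rules are flushed and -e 2 last because nothing loaded after it takes effect, and checks that order before augenrules --load is run; the function names and the file path are assumptions.

```shell
#!/bin/sh
# Generate the control rules listed above as a rules.d fragment.
# Order matters: -D must come first (flush old rules) and -e 2 must be
# the final line (the configuration is immutable after it is processed).
gen_control_rules() {
    cat <<'EOF'
## Control rules: flush, tune, then lock (assumed fragment for rules.d)
-D
-b 8192
-f 2
-r 100
--loginuid-immutable 1
-e 2
EOF
}

# Return 0 when, ignoring comments and blank lines, the first rule in the
# file is "-D" and the last rule is "-e 2"; return 1 otherwise.
check_rule_order() {
    rules=$(grep -v '^[[:space:]]*#' "$1" | grep -v '^[[:space:]]*$')
    first=$(printf '%s\n' "$rules" | head -n 1)
    last=$(printf '%s\n' "$rules" | tail -n 1)
    [ "$first" = "-D" ] && [ "$last" = "-e 2" ]
}

# Assumed install path; run as root on a host with auditd, then
# `augenrules --load` and `auditctl -l` to confirm what was loaded.
install_control_rules() {
    target=${1:-/etc/audit/rules.d/10-control.rules}
    gen_control_rules > "$target" && check_rule_order "$target"
}
```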
Documentation
- https://wiki.archlinux.org/index.php/Audit_framework
- https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/7/html/security_guide/sec-defining_audit_rules_and_controls
Last modified August 8, 2023: icons (c6ce76c)