audit守护进程可以通过/etc/audit/auditd.conf文件进行配置,默认的auditd配置文件可以满足大多数环境的要求。
local_events = yes write_logs = yes log_file = /var/log/audit/audit.log log_group = root log_format = RAW flush = INCREMENTAL_ASYNC freq = 50 max_log_file = 8 num_logs = 5 priority_boost = 4 disp_qos = lossy dispatcher = /sbin/audispd name_format = NONE ##name = mydomain max_log_file_action = ROTATE space_left = 75 space_left_action = SYSLOG action_mail_acct = root admin_space_left = 50 admin_space_left_action = SUSPEND disk_full_action = SUSPEND disk_error_action = SUSPEND use_libwrap = yes ##tcp_listen_port = tcp_listen_queue = 5 tcp_max_per_addr = 1 ##tcp_client_ports = 1024-65535 tcp_client_max_idle = 0 enable_krb5 = no krb5_principal = auditd ##krb5_key_file = /etc/audit/audit.key distribute_network = no
如果你的环境需要满足严格的安全规则,如下的一些配置可以参考:
log_file:audit 日志放置的路径。这里放置日志的地方最好是一个独立的分区(mount point),这样可以避免其他进程消耗掉这个路径的空间,并且可以为auditd提供精确的剩余空间。
max_log_file:指定每一个单独的audit log文件的最大的size,单位为M,必须设置为充分利用保存着审计日志文件所在分区的可用空间。默认为8M。
max_log_file_action:当达到了日志的最大size后,需要执行的动作,设置为KEEP_LOGS时,可以避免日志被重写。我们先看下如下的记录:
linux-xdYUnA:/var/log/audit # ll total 36496 -rw------- 1 root root 3780142 Mar 31 09:32 audit.log -r-------- 1 root root 8388893 Mar 30 17:40 audit.log.1 -r-------- 1 root root 8388625 Mar 30 17:39 audit.log.2 -r-------- 1 root root 8388806 Mar 30 17:39 audit.log.3 -r-------- 1 root root 8388670 Mar 30 17:39 audit.log.4 linux-xdYUnA:/var/log/audit # ll total 32828 -rw------- 1 root root 27948 Mar 31 09:34 audit.log -r-------- 1 root root 8388809 Mar 31 09:34 audit.log.1 -r-------- 1 root root 8388893 Mar 30 17:40 audit.log.2 -r-------- 1 root root 8388625 Mar 30 17:39 audit.log.3 -r-------- 1 root root 8388806 Mar 30 17:39 audit.log.4
第一次查询时,audit.log还没有写满到8M,第二次查询时应该是已经到了8M了,重新写的audit.log。那么之前的audit.log去哪里了呢,我们仔细看每个日志文件的大小,不难发现。第一次查询到的audit.log.4已经没有了,系统认为这个是最老的日志,因为我们设置的num_logs为5,所以这个最老的日志就被删除了,或者理解为新日志把最老的日志给覆盖了。如果我们不想让日志被覆盖,我们可以设置为KEEP_LOGS。如下所示,一直增长的audit的日志,最后无论num_logs设置为多少,日志都在继续增加,这样,最好要保证存放audit日志的空间是一个独立分区,不然会影响其他系统日志的记录。
linux-xdYUnA:/var/log/audit # ll total 61104 -rw------- 1 root root 3791866 Mar 31 10:01 audit.log -r-------- 1 root root 8388849 Mar 31 10:01 audit.log.1 -r-------- 1 root root 8388772 Mar 31 09:59 audit.log.2 -r-------- 1 root root 8388776 Mar 31 09:59 audit.log.3 -r-------- 1 root root 8388809 Mar 31 09:34 audit.log.4 -r-------- 1 root root 8388893 Mar 30 17:40 audit.log.5 -r-------- 1 root root 8388625 Mar 30 17:39 audit.log.6 -r-------- 1 root root 8388806 Mar 30 17:39 audit.log.7
下面让我看一下max_log_file_action总共有几个不同的动作的具体英文解释吧。
This parameter tells the system what action to take when the system has detected that the max file size limit has been reached.
Valid values are ignore, syslog, suspend, rotate and keep_logs. If set to ignore, the audit daemon does nothing.
syslog means that it will issue a warning to syslog. suspend will cause the audit daemon to stop writing records to the disk.
The daemon will still be alive. The rotate option will cause the audit daemon to rotate the logs.
It should be noted that logs with higher numbers are older than logs with lower numbers. This is the same convention used by the logrotate utility.
The keep_logs option is similar to rotate except it does not use the num_logs setting. This prevents audit logs from being overwritten.
space_left:明确出磁盘剩余多少空间时,执行space_left_action指定的动作,这个值的设定需要保证,管理员有足够的时间响应并且清理磁盘空间,这个值的设定依赖于audit日志产生的速率。默认为75M。
space_left_action:磁盘空间快要不足时设定的动作。还是看英文解释吧。
This parameter tells the system what action to take when the system has detected that it is starting to get low on disk space.
Valid values are ignore, syslog, email, exec, suspend, single, and halt. If set to ignore, the audit daemon does nothing.
syslog means that it will issue a warning to syslog.
Email means that it will send a warning to the email account specified in action_mail_acct as well as sending the message to syslog.
exec /path-to-script will execute the script. You cannot pass parameters to the script.
suspend will cause the audit daemon to stop writing records to the disk. The daemon will still be alive.
The single option will cause the audit daemon to put the computer system in single user mode.
halt option will cause the audit daemon to shutdown the computer system.
admin_space_left:指出最低的磁盘剩余空间大小,当到达这个值时,执行admin_space_left_action指定的动作。
admin_space_left_action:可以设置为single,使系统成为single-user mode,然后让管理员释放磁盘空间。按照默认的来设置比较好。达到space_left时,执行syslog上报warning,达到admin_space_left时,停止记录日志。
his parameter tells the system what action to take when the system has detected that it is low on disk space.
Valid values are ignore, syslog, email, exec, suspend, single, and halt.
disk_full_action:当分区上没有空间时,执行的动作。默认为suspend。
disk_error_action:当分区出现error时,执行的动作。这些动作都依据你所需要的安全规则。
flush:这个参数与freq联合使用,freq表示的是在与硬件驱动强制同步前,有多少个记录可以发送到磁盘。这个确保audit数据与磁盘中的log文件保持同步。保持默认值即可。
更具体的配置参数可以参考
https://linux.die.net/man/5/auditd.conf