How do I get persistent audit logs?


I am currently trying to find out which application is creating a mysterious socket file named "no" in my home directory. This happens every few weeks, which is why I set up auditd with the following rule in /etc/audit.d/rules.d/no:

# This is to clear out old rules, so we don't append to them.
-D

# Feel free to add below this line. See auditctl man page
-w /home/philipp/no

Running a few tests (e.g. touch /home/philipp/no) confirmed that this works. However, the log file is not persistent.

I just noticed that the file had apparently been created yesterday, but the auditd log is gone: when I booted the machine today, it was overwritten by a new log, even though the log is set to "rotate" in the configuration.

How do I configure auditd to keep all logs? I am using Gentoo with systemd, and audit version 3.0.

auditd.conf:

#
# This file controls the configuration of the audit daemon
#

local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
priority_boost = 4
name_format = NONE
##name = mydomain
max_log_file_action = KEEP_LOGS
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
transport = TCP
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
q_depth = 400
overflow_action = SYSLOG
max_restarts = 10
plugin_dir = /etc/audit/plugins.d
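An added example, not part of the original question or of the audit project: a small POSIX shell script that checks, offline, the three settings most likely to decide whether a watch like the one above produces logs that survive a reboot. It parses an auditd.conf for `write_logs` and `max_log_file_action` (ROTATE keeps at most `num_logs` files, KEEP_LOGS never deletes, and IGNORE/SYSLOG/SUSPEND stop writing instead), checks whether a rules.d file name would be merged by `augenrules` at all (it only merges files whose names end in `.rules`), and lists `-w` watch rules that carry no `-k` key, since a keyed rule can be found afterwards with `ausearch -k KEY`. The config and rules contents below are constructed from the values shown in the question; the file name `no`, the key `no_socket` and the temporary directory are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): offline sanity checks for the
# persistence-relevant parts of an auditd setup. Sample files are constructed.

# Print the value of KEY from an auditd.conf-style file (key = value lines,
# '#' comments). Prints nothing if the key is absent or commented out.
audit_conf_get() {
    # $1 = config file, $2 = key
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\([^[:space:]#]*\).*/\1/p" "$1" | head -n 1
}

# Return 0 if the settings keep logs on disk across restarts, 1 otherwise.
# Persistence needs write_logs=yes and a max_log_file_action of ROTATE
# (keeps num_logs files) or KEEP_LOGS (never deletes); IGNORE, SYSLOG and
# SUSPEND stop writing to the log file when it reaches max_log_file.
audit_conf_persistent() {
    conf=$1
    wl=$(audit_conf_get "$conf" write_logs | tr '[:upper:]' '[:lower:]')
    act=$(audit_conf_get "$conf" max_log_file_action | tr '[:lower:]' '[:upper:]')
    [ "$wl" = "yes" ] || return 1
    case "$act" in
        ROTATE|KEEP_LOGS) return 0 ;;
        *) return 1 ;;
    esac
}

# augenrules merges only files in rules.d whose names end in ".rules";
# anything else is silently skipped. Return 0 if NAME would be merged.
rules_file_picked_up() {
    case "$1" in
        *.rules) return 0 ;;
        *) return 1 ;;
    esac
}

# Print every -w watch rule in a rules file that has no -k key.
unkeyed_watches() {
    grep -E '^[[:space:]]*-w[[:space:]]' "$1" | grep -v -- ' -k ' || true
}

# --- constructed sample inputs (assumed paths, values taken from the question) ---
tmpdir=$(mktemp -d)
cat > "$tmpdir/auditd.conf" <<'EOF'
write_logs = yes
log_file = /var/log/audit/audit.log
max_log_file = 8
num_logs = 5
max_log_file_action = KEEP_LOGS
EOF
printf '%s\n' '-D' '-w /home/philipp/no' > "$tmpdir/no"

if audit_conf_persistent "$tmpdir/auditd.conf"; then
    echo "auditd.conf: logs are written and kept (max_log_file_action is ROTATE or KEEP_LOGS)"
else
    echo "auditd.conf: this configuration does NOT keep logs on disk"
fi
rules_file_picked_up no || echo "rules.d/no: augenrules ignores it; rename to no.rules"
unkeyed_watches "$tmpdir/no" | sed 's/$/   <- suggest: -w \/home\/philipp\/no -p wa -k no_socket/'
rm -rf "$tmpdir"
```

With the settings from the question the first check passes, so the script points at the rule file instead: named `no`, it is not merged by `augenrules` (the rule only took effect when loaded by hand with `auditctl`), and without a `-p wa -k no_socket` suffix there is no key to search on with `ausearch -k no_socket` once the event is in the log. Run the script with the real `/etc/audit/auditd.conf` path in place of the constructed one to check a live configuration; it needs no root, since it only reads the files.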
