
Appendix: auditd.conf (Rocky Linux 9)

環境

  • Rocky Linux 9

  • audit 3.0.7

設定ファイル

auditd.conf

[root@lpic303-rocky34 ~]#
[root@lpic303-rocky34 ~]# cd /etc/audit/
[root@lpic303-rocky34 audit]#
[root@lpic303-rocky34 audit]# pwd
/etc/audit
[root@lpic303-rocky34 audit]#
[root@lpic303-rocky34 audit]# ls -la
合計 24
drwxr-x---.  4 root root  100  121 23:05 .
drwxr-xr-x. 85 root root 8192  22 21:24 ..
-rw-r-----.  1 root root  127 1028 17:02 audit-stop.rules
-rw-r-----.  1 root root  107  629  2023 audit.rules
-rw-r-----.  1 root root  882 1028 17:02 auditd.conf
drwxr-x---.  2 root root   26  121 23:05 plugins.d
drwxr-x---.  2 root root   25 1028 17:02 rules.d
[root@lpic303-rocky34 audit]#
[root@lpic303-rocky34 audit]# cat auditd.conf
#
# This file controls the configuration of the audit daemon
#

local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
priority_boost = 4
name_format = NONE
##name = mydomain
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
transport = TCP
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
q_depth = 1200
overflow_action = SYSLOG
max_restarts = 10
plugin_dir = /etc/audit/plugins.d
end_of_event_timeout = 2
[root@lpic303-rocky34 audit]#

audit.rules

[root@lpic303-rocky34 audit]#
[root@lpic303-rocky34 audit]# cat audit.rules
## This file is automatically generated from /etc/audit/rules.d
-D
-b 8192
-f 1
--backlog_wait_time 60000

[root@lpic303-rocky34 audit]#

/etc/audit/rules.d

[root@lpic303-rocky34 audit]#
[root@lpic303-rocky34 audit]# cd /etc/audit/rules.d
[root@lpic303-rocky34 rules.d]#
[root@lpic303-rocky34 rules.d]# pwd
/etc/audit/rules.d
[root@lpic303-rocky34 rules.d]#
[root@lpic303-rocky34 rules.d]# ls -la
合計 4
drwxr-x---. 2 root root  25 1028 17:02 .
drwxr-x---. 4 root root 100  121 23:05 ..
-rw-------. 1 root root 244  629  2023 audit.rules
[root@lpic303-rocky34 rules.d]#
[root@lpic303-rocky34 rules.d]# cat audit.rules
## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determine how long to wait in burst of events
--backlog_wait_time 60000

## Set failure mode to syslog
-f 1

[root@lpic303-rocky34 rules.d]#

