在Centos7的/etc/audit/audit.rules上面,它告诉我:
## This file is automatically generated from /etc/audit/rules.d
好吧,我去看了看,发现/etc/audit/rules.d/audit.rules 。 它有以下线
# Feel free to add below this line. See auditctl man page
我做了什么,并发现什么样子 ,也许是这样的select:
-R file Read rules from a file. The rules must be 1 per line and in the order that they are to be executed in. The rule file must be owned by root and not readable by other users or it will be rejected. The rule file may have comments embedded by starting the line with a '#' character. Rules that are read from a file are identical to what you would type on a command line except they are not preceded by auditctl (since auditctl is the one executing the file) and you would not use shell escaping since auditctl is reading the file instead of bash.
但是我运行了auditctl -R /etc/audit/rules.d/audit.rules这似乎工作, 但它没有对/etc/audit/audit.rules做任何事情。
什么是正确的方式来重新生成该文件?
实用程序augenrules从目录/etc/audit/rules.d中的* .rules文件构build/etc/audit/audit.rules。
这个工具是从auditd服务调用的(或者你可以手动调用它,然后在你发现的时候加载规则文件 – 但重新启动服务更简单)。
我不记得审计系统本身不能使用systemd的原因。 检查[email protected]邮件列表档案。