Linux audit安全审计工具

/**********************************************************************
 *                Linux audit安全审计工具
 * 说明：
 *     今天接触到安全审计，查看一下，发现内核有支持安全审计方面的东西。
 *
 *                                2018-4-23 深圳 宝安西乡 曾剑锋
 *********************************************************************/

一、参考文档：
    . Unable to open /sbin/audispd (No such file or directory)
        https://bugzilla.redhat.com/show_bug.cgi?id=207627

二、Error - audit support not in kernel
    lqqqqqqqqqqqqqqqqqqqqqqqqqqqqq General setup qqqqqqqqqqqqqqqqqqqqqqqqqqqqqk
    x  Arrow keys navigate the menu.  <Enter> selects submenus ---> (or empty x
    x  submenus ----).  Highlighted letters are hotkeys.  Pressing <Y>        x
    x  includes, <N> excludes, <M> modularizes features.  Press <Esc><Esc> to x
    x  exit, <?> for Help, </> for Search.  Legend: [*] built-in  [ ]         x
    x lqqqq^(-)qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqk x
    x x    [*] open by fhandle syscalls                                     x x
    x x    [*] uselib syscall                                               x x
    x x    [*] Auditing support         <---------------------              x x
    x x    [*] Enable system-call auditing support                          x x
    x x        IRQ subsystem  --->                                          x x
    x x        Timers subsystem  --->                                       x x
    x x        CPU/Task time and stats accounting  --->                     x x
    x x        RCU Subsystem  --->                                          x x
    x x    <*> Kernel .config support                                       x x
    x x    [*]   Enable access to .config through /proc/config.gz           x x
    x mqqqqv(+)qqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj x
    tqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqu
    x        <Select>    < Exit >    < Help >    < Save >    < Load >         x
    mqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqqj

三、运行测试：
    . 命令测试：
        [buildroot@root ~]#  auditd  -f
        Config file /etc/audit/auditd.conf opened for parsing
        local_events_parser called with: yes
        writaudit: type= audit(61.430:): audit_pid= old= auid= ses= res=
        e_logs_parser called with: yes
        log_file_parser called with: /var/log/audit/audit.log
        log_group_parser called with: root
        log_format_parser called with: RAW
        flush_parser called with: INCREMENTAL_ASYNC
        freq_parser called with:
        max_log_size_parser called with:
        num_logs_parser called with:
        priority_boost_parser called with:
        qos_parser called with: lossy
        dispatch_parser called with: /usr/sbin/audispd
        name_format_parser called with: NONE
        max_log_size_action_parser called with: ROTATE
        space_left_parser called with:
        space_action_parser called with: SYSLOG
        action_mail_acct_parser called with: root
        admin_space_left_parser called with:
        admin_space_left_action_parser called with: SUSPEND
        disk_full_action_parser called with: SUSPEND
        disk_error_action_parser called with: SUSPEND
        use_libwrap_parser called with: yes
        tcp_listen_queue_parser called with:
        tcp_max_per_addr_parser called with:
        tcp_client_max_idle_parser called with:
        enable_krb5_parser called with: no
        GSSAPI support is not enabled, ignoring value at line
        krb5_principal_parser called with: auditd
        GSSAPI support is not enabled, ignoring value at line
        distribute_network_parser called with: no
        Started dispatcher: /usr/sbin/audispd pid:
        type=DAEMON_START msg=audit(61.435:): op=start ver=2.7. format=raw kernel=4.1.+g30278ab auid= pid= uid= ses= res=success
        config_manager init complete
        dispatcher  reaped
        Init complete, auditd 2.7. listening for events (startup state enable)
    . 开机自启动：
        [buildroot@root ~]#  ps aux | grep audit
           root     /usr/sbin/auditd
           root     [kauditd]
           root     grep audit
        [buildroot@root ~]#  aureport -m

        Account Modifications Report
        =================================================
        # date time auid addr term exe acct success event
        =================================================
        <no events of interest were found>

        [buildroot@root ~]#