Auditing the rm command on a Linux system

    xiaoxiao 2022-06-28


    [root@test ~]# cat /etc/audit/audit.rules
    # This file contains the auditctl rules that are loaded
    # whenever the audit daemon is started via the initscripts.
    # The rules are simply the parameters that would be passed
    # to auditctl.

    # First rule - delete all
    -D

    # Increase the buffers to survive stress events.
    # Make this bigger for busy systems
    -b 320

    # Feel free to add below this line. See auditctl man page
    -a exit,always -F arch=b64 -S execve -F path=/bin/rm -k rm         -- newly added line

    [root@test ~]# service auditd restart
    Stopping auditd:                                           [  OK  ]
    Starting auditd:                                           [  OK  ]
    [root@test ~]# auditctl -l
    LIST_RULES: exit,always arch=3221225534 (0xc000003e) watch=/bin/rm key=rm syscall=execve
    [root@test ~]#

    Start the test:

    # rm 22.txt
    # pwd
    [root@test ~]# ausearch -k rm
    ----
    time->Wed Sep 14 12:22:13 2016
    type=PATH msg=audit(1473826933.202:4232482): item=1 name=(null) inode=3277219 dev=08:05 mode=0100755 ouid=0 ogid=0 rdev=00:00
    type=PATH msg=audit(1473826933.202:4232482): item=0 name="/bin/rm" inode=27918399 dev=08:05 mode=0100755 ouid=0 ogid=0 rdev=00:00
    type=CWD msg=audit(1473826933.202:4232482):  cwd="/root"
    type=EXECVE msg=audit(1473826933.202:4232482): argc=3 a0="rm" a1="-i" a2="22.txt"
    type=SYSCALL msg=audit(1473826933.202:4232482): arch=c000003e syscall=59 success=yes exit=0 a0=e46e20 a1=e458e0 a2=e18d40 a3=20 items=2 ppid=26701 pid=5248 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=359759 comm="rm" exe="/bin/rm" key="rm"

    Test result: the audit log records at what time, with which command, a file in which directory was deleted.
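The records above are the raw form; answering "who deleted what, where and when" means joining the CWD, EXECVE and SYSCALL lines that share one audit serial number. The following parser is an added example and not part of the original post: it reads `ausearch` output, groups records by serial, decodes hex-encoded argv elements (auditd hex-encodes an argument that contains spaces or control characters instead of quoting it) and resolves rm's path arguments against the recorded cwd. The input is constructed: the first event is the one shown on the page, the second (serial 4232600, cwd /var/www, auid 1000, tty pts0) is made up to exercise the decoding and multi-path branches.

```python
import re
import posixpath
from datetime import datetime, timezone

# Constructed sample input: the `ausearch -k rm` excerpt from the page, followed by a
# second, made-up event (different serial, cwd, auid and a hex-encoded argument) so the
# parser is exercised on more than one record. Everything after the first event is an
# assumption, not real log data.
SAMPLE_AUSEARCH = """\
----
time->Wed Sep 14 12:22:13 2016
type=PATH msg=audit(1473826933.202:4232482): item=1 name=(null) inode=3277219 dev=08:05 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1473826933.202:4232482): item=0 name="/bin/rm" inode=27918399 dev=08:05 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1473826933.202:4232482):  cwd="/root"
type=EXECVE msg=audit(1473826933.202:4232482): argc=3 a0="rm" a1="-i" a2="22.txt"
type=SYSCALL msg=audit(1473826933.202:4232482): arch=c000003e syscall=59 success=yes exit=0 a0=e46e20 a1=e458e0 a2=e18d40 a3=20 items=2 ppid=26701 pid=5248 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=359759 comm="rm" exe="/bin/rm" key="rm"
----
time->Wed Sep 14 12:30:01 2016
type=CWD msg=audit(1473827401.515:4232600):  cwd="/var/www"
type=EXECVE msg=audit(1473827401.515:4232600): argc=4 a0="rm" a1="-rf" a2="old" a3=6D792066696C65
type=SYSCALL msg=audit(1473827401.515:4232600): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=3000 pid=3001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=42 comm="rm" exe="/bin/rm" key="rm"
"""

LINE_RE = re.compile(r'^type=(\w+) msg=audit\((\d+)\.\d+:(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_line(line):
    """Split one audit record into (type, epoch_seconds, serial, {key: (value, was_quoted)})."""
    m = LINE_RE.match(line)
    if not m:
        return None  # "----" separators and "time->" lines carry no fields
    rtype, secs, serial, rest = m.groups()
    fields = {}
    for key, raw in FIELD_RE.findall(rest):
        if raw.startswith('"'):
            fields[key] = (raw[1:-1], True)
        else:
            fields[key] = (raw, False)
    return rtype, int(secs), int(serial), fields


def decode_execve_arg(value, quoted):
    """An unquoted EXECVE argument is hex-encoded by auditd (used when the string holds
    spaces, quotes or control characters); a quoted one is taken literally."""
    if quoted:
        return value
    return bytes.fromhex(value).decode("utf-8", errors="replace")


def parse_events(text):
    """Group records by audit serial number into one event per rm invocation, in serial order."""
    events = {}
    for line in text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        rtype, secs, serial, fields = parsed
        ev = events.setdefault(serial, {
            "serial": serial,
            "time": datetime.fromtimestamp(secs, tz=timezone.utc),
            "argv": [], "cwd": None,
        })
        if rtype == "EXECVE":
            argc = int(fields["argc"][0])
            ev["argv"] = [decode_execve_arg(*fields[f"a{i}"]) for i in range(argc)]
        elif rtype == "CWD":
            ev["cwd"] = fields["cwd"][0]
        elif rtype == "SYSCALL":
            for key in ("auid", "uid", "tty", "ses", "exe", "key"):
                ev[key] = fields[key][0]
            ev["success"] = fields["success"][0] == "yes"
    return [events[s] for s in sorted(events)]


def deleted_paths(ev):
    """Resolve rm's non-option arguments against the recorded cwd. Everything after a
    literal "--" is a path even if it starts with "-"."""
    paths, options_done = [], False
    for arg in ev["argv"][1:]:
        if not options_done and arg == "--":
            options_done = True
        elif options_done or not arg.startswith("-"):
            paths.append(posixpath.normpath(posixpath.join(ev["cwd"], arg)))
    return paths


def summarize(ev):
    """One line answering: when, who (login uid vs. effective uid), on which tty, what was removed."""
    return "{} auid={} uid={} tty={} cwd={} argv={} deleted={}".format(
        ev["time"].isoformat(), ev["auid"], ev["uid"], ev["tty"], ev["cwd"],
        " ".join(ev["argv"]), ",".join(deleted_paths(ev)))


if __name__ == "__main__":
    # Feed it real output with: ausearch -k rm | python3 this_script.py (after replacing
    # SAMPLE_AUSEARCH with sys.stdin.read()); only successful execve calls are listed.
    for ev in parse_events(SAMPLE_AUSEARCH):
        if ev["success"]:
            print(summarize(ev))
```

Two details worth noticing in the page's own record: `auid` is the login uid and survives `su`/`sudo`, so it identifies the person even when `uid=0`; and the EXECVE line shows `a1="-i"` although the command typed was `rm 22.txt`, because audit logs the argv actually passed to execve, which on this system includes whatever the shell's `rm` alias added. Also, the rule keys on execve of `/bin/rm` only, so a file removed by any other program (an editor, a script calling unlink) never gets the `rm` key; catching those requires a syscall-level rule on unlink/unlinkat instead.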

    Recommendation: on production systems it is best to set up a recycle bin for deleted files on the filesystem, so that unnecessary losses can be avoided just in case.

    Please credit the original source when reposting: https://ju.6miu.com/read-1124412.html
