Monitoring /data/logs with auditd
# auditctl -w /data/logs -p wxa -k watchdata
- -w  directory to watch
- -p  permissions to audit: r=read, w=write, x=execute, a=attribute change
- -k  key name attached to matching events
View the auditd rules
# auditctl -l
-w /data/logs -p wxa -k watchdata
Test
# date && echo test > /data/logs/w.log
Tue May 26 17:43:20 CST 2020
#
# stat /data/logs/w.log
File: ‘/data/logs/w.log’
Size: 5 Blocks: 8 IO Block: 4096 regular file
Device: fd00h/64768d Inode: 936663 Links: 1
Access: (0644/-rw-r--r--) Uid: ( 0/ root) Gid: ( 0/ root)
Access: 2020-05-26 17:42:22.091560497 +0800
Modify: 2020-05-26 17:43:20.542095768 +0800
Change: 2020-05-26 17:43:20.542095768 +0800
Birth: -
Look up the events
# ausearch -k watchdata
time->Tue May 26 17:43:20 2020
type=PROCTITLE msg=audit(1590486200.542:1483346): proctitle="-bash"
type=PATH msg=audit(1590486200.542:1483346): item=1 name="/data/logs/w.log" inode=936663 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1590486200.542:1483346): item=0 name="/data/logs/" inode=920223 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1590486200.542:1483346): cwd="/root"
type=SYSCALL msg=audit(1590486200.542:1483346): arch=c000003e syscall=2 success=yes exit=3 a0=20fd8e0 a1=241 a2=1b6 a3=0 items=2 ppid=4726 pid=4727 auid=1009 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=211247 comm="bash" exe="/usr/bin/bash" key="watchdata"
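To turn `ausearch -k` output into something a detection pipeline can consume, the following is an added Python parser (not from the original post) run over the records above: it groups records by serial number, decodes the open(2) flags carried in `a1`, and pulls the file path from the PATH record with objtype=NORMAL. The sample input is the page's own output embedded as a constant; OPEN_FLAGS uses the x86_64 constant values.

```python
import re
from collections import defaultdict

# Constructed input: the ausearch -k watchdata records shown above, verbatim.
SAMPLE = """----
time->Tue May 26 17:43:20 2020
type=PROCTITLE msg=audit(1590486200.542:1483346): proctitle="-bash"
type=PATH msg=audit(1590486200.542:1483346): item=1 name="/data/logs/w.log" inode=936663 dev=fd:00 mode=0100644 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=PATH msg=audit(1590486200.542:1483346): item=0 name="/data/logs/" inode=920223 dev=fd:00 mode=040755 ouid=0 ogid=0 rdev=00:00 objtype=PARENT cap_fp=0000000000000000 cap_fi=0000000000000000 cap_fe=0 cap_fver=0
type=CWD msg=audit(1590486200.542:1483346): cwd="/root"
type=SYSCALL msg=audit(1590486200.542:1483346): arch=c000003e syscall=2 success=yes exit=3 a0=20fd8e0 a1=241 a2=1b6 a3=0 items=2 ppid=4726 pid=4727 auid=1009 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=211247 comm="bash" exe="/usr/bin/bash" key="watchdata"
"""
HEADER = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# open(2) flag bits (x86_64), used to decode the a1 argument of syscall 2 (open).
OPEN_FLAGS = {0o1: "O_WRONLY", 0o2: "O_RDWR", 0o100: "O_CREAT", 0o1000: "O_TRUNC", 0o2000: "O_APPEND"}

def parse_records(text):
    # Group raw records by serial number; one serial is one audit event.
    events = defaultdict(lambda: {"records": defaultdict(list)})
    for line in text.splitlines():
        m = HEADER.match(line)
        if not m:  # '----' separators and 'time->' lines carry no fields
            continue
        rtype, ts, serial, rest = m.groups()
        fields = {k: v.strip('"') for k, v in FIELD.findall(rest)}
        ev = events[int(serial)]
        ev["time"] = float(ts)
        ev["records"][rtype].append(fields)
    return dict(events)

def decode_open_flags(hexval):
    bits = int(hexval, 16)
    names = [n for b, n in OPEN_FLAGS.items() if bits & b]
    return "|".join(["O_RDONLY"] * (bits & 0o3 == 0) + names)

def summarize(events):
    """One flat dict per event: who touched which file, and with which open(2) flags."""
    out = []
    for serial, ev in sorted(events.items()):
        sc = ev["records"].get("SYSCALL", [{}])[0]
        cwd = ev["records"].get("CWD", [{}])[0].get("cwd")
        # objtype=NORMAL is the file itself; PARENT is the watched directory entry
        paths = [p["name"] for p in ev["records"].get("PATH", []) if p.get("objtype") == "NORMAL"]
        out.append({"serial": serial, "key": sc.get("key"), "success": sc.get("success") == "yes",
                    "flags": decode_open_flags(sc["a1"]) if sc.get("syscall") == "2" else None,
                    # auid is the login uid and survives su/sudo: here user 1009 acting as root
                    "auid": sc.get("auid"), "uid": sc.get("uid"), "exe": sc.get("exe"),
                    "cwd": cwd, "paths": paths})
    return out
```

For the sample event the summary shows a1=241 decoded as O_WRONLY|O_CREAT|O_TRUNC, which is exactly what `echo test > w.log` does, and auid=1009 alongside uid=0, so the write is traceable to the login user rather than just to root.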
Delete the rule
# auditctl -D -k watchdata
Please credit when reposting: 爱开源 » Using auditd to monitor directory changes