Install auditd
Check whether auditd is running:
service auditd status
If the output contains Active: active (running), the service is running.
First list the existing rules:
auditctl -l
Add rules:
auditctl -a always,exit -F arch=b64 -S socket
auditctl -a always,exit -F arch=b64 -S connect
auditctl -a always,exit -F arch=b64 -S sendmmsg
auditctl -a always,exit -F arch=b64 -S sendmsg
auditctl -a always,exit -F arch=b64 -S bind
auditctl -a always,exit -F arch=b64 -S recvmsg
auditctl -a always,exit -F arch=b64 -S close
Rules like these cover the socket-related system calls listed above.
Run a test program,
for example: echo "Hello World\!" | nc -4u 192.168.1.163 5000
Watch the system calls as they are logged with tail -f /var/log/audit/audit.log
or query the log with ausearch.
Add a filter rule:
auditctl -a always,exit -F a0!=0
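Once the rules are loaded, each audited call shows up in /var/log/audit/audit.log as a SYSCALL record (syscall number, the arguments a0..a3 in hex, comm, exe, pid) and, for connect/bind, a SOCKADDR record in the same event carrying the raw sockaddr as hex. The script below is an added example and not part of the original notes: it parses constructed sample lines shaped like those records for the nc test above, maps x86_64 syscall numbers to the names used in the rules, decodes the SOCKADDR saddr back into address and port, and applies the same a0!=0 condition as the last rule in user space, so you can see which records that filter would drop (those whose first argument, here the file descriptor, is zero). The log lines, serial numbers and process details are constructed, not captured from a real host.

```python
import re
import struct

# x86_64 syscall numbers for the calls audited by the rules above (arch=b64).
SYSCALL_NAMES = {3: "close", 41: "socket", 42: "connect", 46: "sendmsg",
                 47: "recvmsg", 49: "bind", 307: "sendmmsg"}
AF_INET = 2

# Constructed sample records shaped like audit.log output for the UDP nc test
# (socket, connect with its SOCKADDR, two close calls). Not real captures.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:4321): arch=c000003e syscall=41 success=yes exit=3 a0=2 a1=2 a2=11 a3=0 items=0 ppid=1000 pid=1234 auid=1000 uid=1000 comm="nc" exe="/usr/bin/nc" key=(null)
type=SYSCALL msg=audit(1700000000.102:4322): arch=c000003e syscall=42 success=yes exit=0 a0=3 a1=7ffc1a2b3c40 a2=10 a3=0 items=0 ppid=1000 pid=1234 auid=1000 uid=1000 comm="nc" exe="/usr/bin/nc" key=(null)
type=SOCKADDR msg=audit(1700000000.102:4322): saddr=02001388C0A801A30000000000000000
type=SYSCALL msg=audit(1700000000.103:4323): arch=c000003e syscall=3 success=yes exit=0 a0=3 a1=0 a2=0 a3=0 items=0 ppid=1000 pid=1234 auid=1000 uid=1000 comm="nc" exe="/usr/bin/nc" key=(null)
type=SYSCALL msg=audit(1700000000.104:4324): arch=c000003e syscall=3 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=0 ppid=1000 pid=1234 auid=1000 uid=1000 comm="nc" exe="/usr/bin/nc" key=(null)
"""

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
# Values are either "quoted", (parenthesised) like key=(null), or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_record(line):
    """Split one audit.log line into its type, timestamp, serial and fields."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    for key, val in FIELD_RE.findall(m.group(4)):
        rec[key] = val.strip('"')
    return rec


def decode_saddr(hexstr):
    """Decode the SOCKADDR saddr hex for AF_INET into (ip, port).

    sa_family is stored in host byte order (little-endian on x86_64);
    sin_port is in network byte order; sin_addr follows as 4 raw bytes.
    """
    raw = bytes.fromhex(hexstr)
    if len(raw) < 8:
        return None
    family = struct.unpack_from("<H", raw, 0)[0]
    if family != AF_INET:
        return None
    port = struct.unpack_from("!H", raw, 2)[0]
    ip = ".".join(str(b) for b in raw[4:8])
    return ip, port


def summarize(log_text, require_nonzero_a0=False):
    """Group records by serial and return one summary dict per SYSCALL event.

    require_nonzero_a0=True mimics the kernel-side filter -F a0!=0.
    """
    events = {}
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec is not None:
            events.setdefault(rec["serial"], {})[rec["type"]] = rec
    out = []
    for serial in sorted(events):
        sc = events[serial].get("SYSCALL")
        if sc is None:
            continue
        a0 = int(sc["a0"], 16)          # a0..a3 are logged as hex
        if require_nonzero_a0 and a0 == 0:
            continue
        nr = int(sc["syscall"])
        entry = {"serial": serial, "syscall": SYSCALL_NAMES.get(nr, "nr%d" % nr),
                 "comm": sc.get("comm"), "exe": sc.get("exe"), "pid": int(sc["pid"]),
                 "success": sc.get("success") == "yes", "a0": a0, "dst": None}
        sa = events[serial].get("SOCKADDR")
        if sa is not None:
            entry["dst"] = decode_saddr(sa["saddr"])
        out.append(entry)
    return out


if __name__ == "__main__":
    for e in summarize(SAMPLE_LOG, require_nonzero_a0=True):
        print(e["serial"], e["syscall"], e["comm"], "a0=%d" % e["a0"], e["dst"])
```

On a real host, ausearch -i performs this kind of decoding for you (it renders saddr as a readable address and syscall numbers as names), and giving each auditctl rule a -k key lets you pull only those events back with ausearch -k. Note that -F a0!=0 on its own, with no -S, applies to every audited syscall whose first argument is non-zero, so it is much broader than the socket rules above.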