Auditing the rm command on a Linux system
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
# Feel free to add below this line. See auditctl man page
# Add this line:
-a exit,always -F arch=b64 -S execve -F path=/bin/rm -k rm
[root@test ~]# service auditd restart
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
[root@test ~]# auditctl -l
LIST_RULES: exit,always arch=3221225534 (0xc000003e) watch=/bin/rm key=rm syscall=execve
[root@test ~]#
Start the test:
#rm 22.txt
#pwd
[root@test ~]# ausearch -k rm
----
time->Wed Sep 14 12:22:13 2016
type=PATH msg=audit(1473826933.202:4232482): item=1 name=(null) inode=3277219 dev=08:05 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1473826933.202:4232482): item=0 name="/bin/rm" inode=27918399 dev=08:05 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1473826933.202:4232482): cwd="/root"
type=EXECVE msg=audit(1473826933.202:4232482): argc=3 a0="rm" a1="-i" a2="22.txt"
type=SYSCALL msg=audit(1473826933.202:4232482): arch=c000003e syscall=59 success=yes exit=0 a0=e46e20 a1=e458e0 a2=e18d40 a3=20 items=2 ppid=26701 pid=5248 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=359759 comm="rm" exe="/bin/rm" key="rm"
Test conclusion: the audit log records at what time, with what command, a file in which directory was deleted.
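As an added example (not part of the original post), the following shell function condenses the multi-line ausearch records produced by the "-k rm" rule into one line per rm execution, showing when it ran, the login user (auid) and terminal, the working directory and the full argument list. The sample input is a constructed copy of the records shown above.

```shell
#!/bin/sh
# Added example: summarize ausearch -k rm output as one line per event.
# SAMPLE_AUDIT is a constructed copy of the records shown in this post.
SAMPLE_AUDIT='----
time->Wed Sep 14 12:22:13 2016
type=PATH msg=audit(1473826933.202:4232482): item=1 name=(null) inode=3277219 dev=08:05 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=PATH msg=audit(1473826933.202:4232482): item=0 name="/bin/rm" inode=27918399 dev=08:05 mode=0100755 ouid=0 ogid=0 rdev=00:00
type=CWD msg=audit(1473826933.202:4232482): cwd="/root"
type=EXECVE msg=audit(1473826933.202:4232482): argc=3 a0="rm" a1="-i" a2="22.txt"
type=SYSCALL msg=audit(1473826933.202:4232482): arch=c000003e syscall=59 success=yes exit=0 a0=e46e20 a1=e458e0 a2=e18d40 a3=20 items=2 ppid=26701 pid=5248 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts4 ses=359759 comm="rm" exe="/bin/rm" key="rm"'

# summarize_rm_events: read ausearch output on stdin and print
# "<time> auid=<id> tty=<tty> cwd=<dir> cmd=<argv>" for each event.
# Events are separated by "----" lines; the EXECVE record carries the
# argv fields a0, a1, ... and the SYSCALL record carries auid and tty.
# Note: arguments containing spaces or special characters are hex-encoded
# in raw logs; run ausearch with -i to decode them before summarizing.
summarize_rm_events() {
    awk '
        function emit() { printf "%s auid=%s tty=%s cwd=%s cmd=%s\n", ts, auid, tty, cwd, cmd }
        /^----/ { if (ts != "") emit(); ts = ""; cwd = ""; cmd = ""; auid = ""; tty = ""; next }
        /^time->/ { ts = substr($0, 7); next }
        /^type=CWD / { match($0, /cwd="[^"]*"/); cwd = substr($0, RSTART + 5, RLENGTH - 6); next }
        /^type=EXECVE / {
            cmd = ""
            # collect a0, a1, ... in order (argc=... does not match ^a[0-9]+=)
            for (i = 1; i <= NF; i++) if ($i ~ /^a[0-9]+=/) {
                v = $i; sub(/^a[0-9]+=/, "", v); gsub(/"/, "", v)
                cmd = (cmd == "" ? v : cmd " " v)
            }
            next
        }
        /^type=SYSCALL / {
            for (i = 1; i <= NF; i++) {
                if ($i ~ /^auid=/) auid = substr($i, 6)
                if ($i ~ /^tty=/)  tty  = substr($i, 5)
            }
            next
        }
        END { if (ts != "") emit() }
    '
}

# Stand-alone run over the constructed sample (on a real host: ausearch -k rm | summarize_rm_events)
printf '%s\n' "$SAMPLE_AUDIT" | summarize_rm_events
```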
Recommendation: on production systems, it is best to set up a recycle bin for deleted files on the filesystem, to avoid unnecessary losses, just in case.