Auditd审计服务配置

# Auditd审计服务配置
## 安装
CentOS系统安装后默认会安装审计服务，如果不存在可以使用
```
yum -y install audit audit-libs audit-libs-python
```

## 配置
```
[root@localhost ~]# cat  /etc/audit/auditd.conf

#
# This file controls the configuration of the audit daemon
#

local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log  # 日志文件位置
log_group = root
log_format = ENRICHED
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8 # 日志文件大小，单位Mb
num_logs = 5 # 日志文件数量
priority_boost = 4
name_format = NONE # 日志文件主机名名称，一般不用
##name = mydomain
max_log_file_action = ROTATE # 日志文件达到最大大小和数量后的动作，ROTATE就是循环滚动使用
space_left = 75
space_left_action = SYSLOG
verify_email = yes
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
transport = TCP
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no
q_depth = 400
overflow_action = SYSLOG
max_restarts = 10
plugin_dir = /etc/audit/plugins.d
```

## 基本命令
```shell
# 查看状态
systemctl status auditd
service auditd status 
auditctl -s
# 查看审计规则
auditctl -l
```

## 配置审计规则
### 临时配置规则
[auditctl](https://blog.ihoiwan.com/project-2/doc-137/ "auditctl")
- `-w` 指定所要监控的文件或命令
- `-p` 指定监控属性，如x执行、w修改
- `-k` 是设置一个关键词用于查询
```shell
auditctl -w /bin/rm -p x -k removefile
```

### 永久配置审计规则
修改或添加后需要重启服务。
```shell
# 在/etc/audit/rules.d 下添加审计规则文件
[root@localhost ~]# cat rm.rules
-w /bin/rm -p x -k removefile
[root@localhost ~]# systemctl restart auditd
```

### 搜索审计日志
[ausearch](https://blog.ihoiwan.com/project-2/doc-139/ "ausearch")
事先已用[auditctl](https://blog.ihoiwan.com/project-2/doc-137/ "auditctl")或`audit.rules`文件定义了`key`
```shell
ausearch -k removefile
```

## 整理的一些简单规则
```
[root@localhost ~]# cat common.rules

# 监控passwd命令执行
-w /bin/passwd -p x -k changepassword
# 监控文件删除
-w /bin/rm -p x -k removefile
# 监控密码文件变更
-w /etc/shadow -p w -k changeshadow
# 监控secure日志文件变更,可以将secure文件配置为其它任何文件，记录变更记录，记得修改-k $key
-a always,exit -F arch=b64 -F path=/var/log/secure -F perm=wa -S openat -k open_secure_file
```