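#!/usr/bin/env bash
# Forward audit events through the audisp syslog plugin (facility local6) into
# a dedicated root:wheel 0640 log file written by rsyslog, and rotate that file
# daily with logrotate. Every step needs root, so each command runs via sudo.
#
# The original runbook edited the three config files interactively in vim. Here
# the two new files are written from literal heredocs and the shipped audisp
# plugin file is patched in place, so the sequence is repeatable and lintable.
set -euo pipefail

readonly log_dir=/var/log/audisp
readonly log_file="${log_dir}/audisp.log"

# Create the directory and the log file with their final mode and ownership
# before rsyslog is configured, so the first events written never land in a
# file readable outside root:wheel. -p keeps the step idempotent under set -e.
sudo mkdir -p -- "${log_dir}"
sudo chmod 750 -- "${log_dir}"
sudo chown root:wheel -- "${log_dir}"
sudo touch -- "${log_file}"
sudo chown root:wheel -- "${log_file}"
sudo chmod 640 -- "${log_file}"

# audisp: activate the syslog plugin and send its output to LOG_LOCAL6.
# Only the two keys the runbook changed are rewritten; the remaining keys of
# the shipped syslog.conf are left as installed.
sudo sed -i \
  -e 's/^active = .*/active = yes/' \
  -e 's/^args = .*/args = LOG_LOCAL6/' \
  /etc/audisp/plugins.d/syslog.conf

# rsyslog: write local6.* to the dedicated file, then discard ("& ~") the
# matched events so they do not also reach the default syslog targets.
# The quoted 'EOF' keeps rsyslog's $-directives literal. FileCreateMode and
# FileGroup are restored afterwards for any rule that follows this file;
# NOTE(review): $umask is not restored here (as in the original) -- confirm
# later rsyslog.d files do not rely on the default umask.
sudo tee /etc/rsyslog.d/audit.conf >/dev/null <<'EOF'
$umask 0000
$DirCreateMode 0750
$DirGroup wheel
$FileCreateMode 0640
$FileGroup wheel
local6.* /var/log/audisp/audisp.log
& ~
$FileCreateMode 0600
$FileGroup root
EOF

# logrotate: rotate daily, recreate the file as root:wheel 0640, and perform
# the rotation as root:wheel ("su") to match the 0750 directory. After the
# rotation rsyslog is sent HUP so it reopens the new file; the kill line
# tolerates a missing pid file so a stopped syslog cannot fail the whole run.
# $(...) replaces the original backticks (logrotate runs this under /bin/sh).
sudo tee /etc/logrotate.d/audit >/dev/null <<'EOF'
/var/log/audisp/audisp.log {
  daily
  compress
  missingok
  notifempty
  create 0640 root wheel
  dateext
  su root wheel
  sharedscripts
  postrotate
    /bin/kill -HUP $(cat /var/run/syslogd.pid 2> /dev/null) 2> /dev/null || true
  endscript
}
EOF

# Restart auditd so it relaunches audisp with the updated plugin config, and
# restart rsyslog so the new audit.conf is actually loaded -- the original
# only restarted auditd, leaving the rsyslog rule inactive until its next start.
sudo service auditd restart
sudo service rsyslog restart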
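# Show only the first audit event whose syscall is setsockopt, with numeric
# fields (uid, syscall number, timestamp) interpreted into readable names.
# In the original the command shared its line with this comment and was
# therefore never executed.
sudo ausearch -i -sc setsockopt --just-one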
auditdデーモンを利用する。
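# Enable auditd at boot, add a watch on the audit log itself so every access
# to or modification of the log is audited, load the rule, and follow the log.
# Runs as root (no sudo), as in the original.
chkconfig auditd on

# Append the watch rule once (idempotent). The original did this as an
# interactive edit of audit.rules; without -p auditctl watches all access
# types for the path.
readonly watch_rule='-w /var/log/audit/audit.log'
grep -qxF -- "${watch_rule}" /etc/audit/audit.rules \
  || printf '%s\n' "${watch_rule}" >> /etc/audit/audit.rules

# Restart after the rule is written so the rules file is loaded. The original
# restarted before editing, which left the new watch unloaded until the next
# restart.
service auditd restart

# -F (follow by name, retry) keeps following across auditd's own log rotation;
# plain -f would stay attached to the renamed file and go silent.
tail -F /var/log/audit/audit.log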