Many thanks for @Romeo Ninov's help! The mistakes I made are:

- should use file /etc/audit/rules.d/audit.rules to add a rule for RedHat 7 & 8
- should use service auditd restart to restart auditctl to make the new rule take effect
- should use ausearch -k testing to search audit trails
- should remove the -a task,never from /etc/audit/rules.d/audit.rules, which suppresses syscall auditing for all tasks started
I added a rule in /etc/audit/rules.d/audit.rules and executed reboot, since I cannot restart audit by systemctl restart.
root@localhost:~# cat /etc/audit/rules.d/audit.rules
## This set of rules is to suppress the performance effects of the
## audit system. The result is that you only get hardwired events.
-D
## This suppresses syscall auditing for all tasks started
## with this rule in effect. Remove it if you need syscall
## auditing.
-a task,never
-w /root/testing/ -p rwxa -k testing
root@localhost:~# systemctl restart auditd.service
Failed to restart auditd.service: Operation refused, unit auditd.service may be requested by dependency only (it is configured to refuse manual start/stop).
See system logs and 'systemctl status auditd.service' for details.
After some time the server is up and I log in via ssh:
root@localhost:~# service auditd status
Redirecting to /bin/systemctl status auditd.service
● auditd.service - Security Audit Logging Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; preset: enabled)
Drop-In: /usr/lib/systemd/system/service.d
└─10-timeout-abort.conf
Active: active (running) since Sat 2024-06-22 17:51:41 CST; 24s ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
Process: 795 ExecStart=/usr/sbin/auditd (code=exited, status=0/SUCCESS)
Main PID: 797 (auditd)
Tasks: 4 (limit: 2257)
Memory: 2.8M (peak: 3.1M)
CPU: 24ms
CGroup: /system.slice/auditd.service
├─797 /usr/sbin/auditd
└─799 /usr/sbin/sedispatch
Jun 22 17:51:41 localhost systemd[1]: Starting auditd.service - Security Audit Logging Service...
Jun 22 17:51:41 localhost auditd[797]: audit dispatcher initialized with q_depth=2000 and 1 active plugins
Jun 22 17:51:41 localhost auditd[797]: Init complete, auditd 4.0.1 listening for events (startup state enable)
Jun 22 17:51:41 localhost systemd[1]: Started auditd.service - Security Audit Logging Service.
root@localhost:~#
root@localhost:~# auditctl -l
-a never,task
-w /root/testing -p rwxa -k testing
root@localhost:~#
I create bar.txt under /root/testing, edit foo.txt to add a new line foo.txt in it, and delete bar.txt:
root@localhost:~/testing# vim bar.txt
root@localhost:~/testing# vim foo.txt
root@localhost:~/testing# rm -f bar.txt
root@localhost:~/testing# cat foo.txt
foo.txt
foo.txt
I expect to get some audit trail in the log file, so I can know that someone creates and edits files under the /root/testing/ folder and that a file is deleted, but it failed:
root@localhost:~/testing# grep "testing" /var/log/audit/audit.log
type=CONFIG_CHANGE msg=audit(1718981523.208:192): auid=4294967295 ses=4294967295 subj=system_u:system_r:unconfined_service_t:s0 op=add_rule key="testing" list=4 res=1AUID="unset"
type=CONFIG_CHANGE msg=audit(1719049566.384:285): auid=0 ses=3 subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 op=remove_rule key="testing" list=4 res=1AUID="root"
root@localhost:~/testing#
Many thanks for your help!
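As an added example (not code from the original post or from the Linux audit project), the following bash script checks a rules file for the -a task,never line the summary above describes, writes the corrected rule set, counts record types per key in a raw audit.log, and, only when run as root with RUN_AUDIT_DEMO=1 (an assumed environment variable), loads the rules with augenrules and queries them with ausearch. The /root/testing path and the testing key are taken from the post; the function names and the environment variable are assumptions of this example.

```shell
#!/usr/bin/env bash
# Added example, not code from the original post or from the audit project.
# Assumes the audit userspace tools (auditctl, augenrules, ausearch) and, for
# the live part only, root on a RHEL-style host. Paths and key name follow
# the post: /root/testing watched under key "testing".

# Lint a rules file for the problem in the post. Returns a bitmask:
#   1 = "-a task,never" (or "never,task") is present: the kernel then creates
#       no SYSCALL/PATH records for any task started after the rule loads,
#       so a file watch only ever produces CONFIG_CHANGE events.
#   2 = no "-w /root/testing ... -k testing" watch rule found.
check_rules_file() {
    local file="$1" rc=0
    if grep -Eq '^[[:space:]]*-a[[:space:]]+(task,never|never,task)' "$file"; then
        echo "WARN: $file: '-a task,never' present, syscall auditing suppressed" >&2
        rc=$((rc | 1))
    fi
    if ! grep -Eq '^[[:space:]]*-w[[:space:]]+/root/testing/?[[:space:]]+-p[[:space:]]+[rwxa]+[[:space:]]+-k[[:space:]]+testing' "$file"; then
        echo "WARN: $file: no watch on /root/testing with key testing" >&2
        rc=$((rc | 2))
    fi
    return "$rc"
}

# Write the corrected rule set from the post: -D and the watch kept, the
# "-a task,never" line dropped.
write_rules_file() {
    cat > "$1" <<'EOF'
## Flush all rules before loading this set (augenrules concatenates the
## rules.d files in name order, so -D belongs in the first file only)
-D
## Watch the directory: r=read, w=write, x=execute, a=attribute change
-w /root/testing/ -p rwxa -k testing
EOF
}

# Count audit record types on lines carrying key="KEY" in a raw audit.log.
# Only SYSCALL and CONFIG_CHANGE records carry the key; PATH records share
# the event id but not the key, so use ausearch to see whole events.
# Output like "CONFIG_CHANGE 2" with no SYSCALL line means the rule loaded
# but nothing was audited, which is exactly the symptom in the post.
event_types_for_key() {
    local log="$1" key="$2"
    awk -v k="key=\"$key\"" '
        index($0, k) && match($0, /type=[A-Z_]+/) {
            t[substr($0, RSTART + 5, RLENGTH - 5)]++
        }
        END { for (x in t) print x, t[x] }' "$log" | sort
}

# Live part (root only). auditd on RHEL refuses "systemctl restart", so load
# the rules with augenrules --load (or "service auditd restart") and read
# events with ausearch instead of grepping the log.
live_demo() {
    write_rules_file /etc/audit/rules.d/audit.rules
    check_rules_file /etc/audit/rules.d/audit.rules
    augenrules --load
    auditctl -l
    mkdir -p /root/testing
    echo demo >> /root/testing/foo.txt
    ausearch -k testing -i --start recent
}

if [ "${RUN_AUDIT_DEMO:-0}" = 1 ] && [ "$(id -u)" -eq 0 ]; then
    live_demo
fi
```

Run as root with RUN_AUDIT_DEMO=1 ./audit-check.sh to apply and exercise the rules; without the variable the script only defines the helpers, so it is safe to source on any host. Two caveats a practitioner should keep in mind: augenrules merges the files in /etc/audit/rules.d in name order, so a -D in a file that sorts after your watch rule will delete it again; and the task,never rule only affects processes started after it was loaded, which is why a reboot with the rule still present leaves every login session unaudited.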