sudo auditctl -a entry, always -S chmod
It reports:
Add rule - bad keyword entry,always
What does this mean?
Blown by the wind and baked by the sun, free and at ease

I copied this from the wiki, so why is there still an error?

You say you copied it from the wiki, so please at least post the link to the page.

https://wiki.archlinux.org/title/Audit_framework
=============
Audit syscalls
The audit framework allows you to audit the syscalls performed with the -a option.
A security related rule is to track the chmod(2) syscall, to detect file ownership changes:
# auditctl -a entry,always -S chmod
For a list of all syscalls: syscalls(2)
A lot of rules and possibilities are available, see auditctl(8) and audit.rules(7).
I took a quick look; the wiki content has probably gone out of date. See the relevant man pages:
https://man.archlinux.org/man/auditctl.8
https://man.archlinux.org/man/audit.rules.7
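The -a option of this auditctl command has no entry at all.
You should pick from the parameters listed in the manual according to your actual needs.
The list parameter can be task/exit/user/exclude/filesystem, and the action parameter is only never/always.
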
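A small linter for the `-a` field discussed in the reply above, as an added example that is not part of the original thread. The function names `check_rule` and `lint_rules` are hypothetical, the keyword sets are the ones the reply lists, the sample rules are constructed from the thread, and either order of list and action is accepted because auditctl(8) documents `-a [list,action|action,list]`.

```shell
# Added example (not from the thread): lint the list/action field after -a/-A.
# Keyword sets are the ones named in the reply above.
VALID_LISTS="task exit user exclude filesystem"
VALID_ACTIONS="never always"

# in_set WORD "a b c": succeed if WORD is one of the space-separated names.
in_set() { case " $2 " in *" $1 "*) return 0 ;; esac; return 1; }

# check_rule "RULE": print ok | skip | bad: <reason>; non-zero status on bad.
# Runs in a subshell so that 'set -f' (no globbing while splitting) stays local.
check_rule() (
    set -f
    arg="" prev=""
    for word in $1; do
        case "$prev" in -a|-A) arg="$word"; break ;; esac
        prev="$word"
    done
    [ -n "$arg" ] || { echo "skip"; exit 0; }   # e.g. a -w watch: nothing to check
    case "$arg" in *,*) ;; *) echo "bad: expected list,action but got '$arg'"; exit 1 ;; esac
    a=${arg%%,*} b=${arg#*,}
    for w in "$a" "$b"; do
        in_set "$w" "$VALID_LISTS $VALID_ACTIONS" ||
            { echo "bad: unknown keyword '$w' in '$arg'"; exit 1; }
    done
    if { in_set "$a" "$VALID_LISTS" && in_set "$b" "$VALID_ACTIONS"; } ||
       { in_set "$a" "$VALID_ACTIONS" && in_set "$b" "$VALID_LISTS"; }; then
        echo "ok"
    else
        echo "bad: '$arg' needs one list and one action"; exit 1
    fi
)

# lint_rules: read rules on stdin, report bad lines, return the number of bad lines.
lint_rules() {
    n=0 bad=0
    while IFS= read -r line; do
        n=$((n + 1))
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        res=$(check_rule "$line") || { bad=$((bad + 1)); echo "line $n: $res"; }
    done
    return "$bad"
}

# Constructed sample: the wiki's rule, the same rule on the exit list, the thread's watch.
lint_rules <<'EOF' || echo "bad rules found"
-a entry,always -S chmod
-a always,exit -S chmod
-a exit,always -F path=file -F perm=rwxa -F key=text
EOF
```

Feeding a rules file to `lint_rules` on stdin before running `augenrules --load` points at the line number whose `-a` field is rejected.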
Which of the rule samples shipped with the package can be used?
systemctl status auditd.service
ExecStartPost=/sbin/augenrules --load (code=exited, status=1/FAILURE
Does this mean a rule is wrong?

-a exit,always -F path=file -F perm=rwxa -F key=text
Is this rule of mine correct? It keeps giving an error.
Last edited by 弯弓射小白 (2023-05-06 21:02:06)