Linux audit (3): auditd service configuration


The audit daemon is configured through the file /etc/audit/auditd.conf. The default auditd configuration file meets the needs of most environments.

local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = RAW
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
priority_boost = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
use_libwrap = yes
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no

If your environment has to satisfy strict security rules, the following settings are worth reviewing:

log_file: the path where the audit log is written. It is best to put the log on its own partition (mount point), so that other processes cannot consume the space on that path and auditd gets an accurate view of the remaining space.

max_log_file: the maximum size of each individual audit log file, in MB. It must be set so as to make full use of the free space on the partition holding the audit log files. The default is 8 MB.

max_log_file_action: the action to take when a log file reaches its maximum size. Setting it to KEEP_LOGS prevents logs from being overwritten. First, look at the following two listings:

linux-xdYUnA:/var/log/audit # ll
total 36496
-rw------- 1 root root 3780142 Mar 31 09:32 audit.log
-r-------- 1 root root 8388893 Mar 30 17:40 audit.log.1
-r-------- 1 root root 8388625 Mar 30 17:39 audit.log.2
-r-------- 1 root root 8388806 Mar 30 17:39 audit.log.3
-r-------- 1 root root 8388670 Mar 30 17:39 audit.log.4
linux-xdYUnA:/var/log/audit # ll
total 32828
-rw------- 1 root root   27948 Mar 31 09:34 audit.log
-r-------- 1 root root 8388809 Mar 31 09:34 audit.log.1
-r-------- 1 root root 8388893 Mar 30 17:40 audit.log.2
-r-------- 1 root root 8388625 Mar 30 17:39 audit.log.3
-r-------- 1 root root 8388806 Mar 30 17:39 audit.log.4

At the first listing, audit.log had not yet grown to 8 MB; by the second listing it had reached 8 MB and a new audit.log had been started. So where did the earlier audit.log go? Looking closely at the size of each log file, it is easy to see: the audit.log.4 from the first listing is gone. The system treated it as the oldest log, and because num_logs is set to 5, that oldest log was deleted, or, put another way, the new log overwrote the oldest one.

If we do not want logs to be overwritten, we can set the action to KEEP_LOGS. As shown below, the audit logs then keep growing: whatever num_logs is set to, the number of log files keeps increasing. For this reason it is best to make sure the audit log directory is on its own partition, otherwise it will interfere with other system logging.

linux-xdYUnA:/var/log/audit # ll
total 61104
-rw------- 1 root root 3791866 Mar 31 10:01 audit.log
-r-------- 1 root root 8388849 Mar 31 10:01 audit.log.1
-r-------- 1 root root 8388772 Mar 31 09:59 audit.log.2
-r-------- 1 root root 8388776 Mar 31 09:59 audit.log.3
-r-------- 1 root root 8388809 Mar 31 09:34 audit.log.4
-r-------- 1 root root 8388893 Mar 30 17:40 audit.log.5
-r-------- 1 root root 8388625 Mar 30 17:39 audit.log.6
-r-------- 1 root root 8388806 Mar 30 17:39 audit.log.7

Now let us look at the English explanation of the different actions available for max_log_file_action.

This parameter tells the system what action to take when the system has detected that the max file size limit has been reached. 
Valid values are ignore, syslog, suspend, rotate and keep_logs. If set to ignore, the audit daemon does nothing.
syslog means that it will issue a warning to syslog. suspend will cause the audit daemon to stop writing records to the disk.
The daemon will still be alive. The rotate option will cause the audit daemon to rotate the logs.
It should be noted that logs with higher numbers are older than logs with lower numbers. This is the same convention used by the logrotate utility.
The keep_logs option is similar to rotate except it does not use the num_logs setting. This prevents audit logs from being overwritten.
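To make the difference between ROTATE and KEEP_LOGS concrete, here is a small simulation of auditd's renaming scheme (an added example, not code from the original post or from the audit project). The directory is modelled as a dict from file name to a constructed content label; the rotation order (shift audit.log.(n-1) to audit.log.n from the top down, then audit.log to audit.log.1) follows the convention quoted above, and the handling of num_logs < 2 is a simplification assumed here.

```python
from typing import Dict

LOG = "audit.log"  # auditd's log_file basename; numbered suffixes are older rotations


def rotate_logs(files: Dict[str, str], num_logs: int, keep_logs: bool) -> Dict[str, str]:
    """Return the directory state after one rotation of audit.log.

    files maps a file name to a label standing in for its content (constructed
    sample data). With keep_logs=False this mirrors max_log_file_action = ROTATE:
    only num_logs files survive, so the highest-numbered log is overwritten.
    With keep_logs=True (max_log_file_action = KEEP_LOGS) every existing file is
    shifted up by one and nothing is discarded.
    """
    files = dict(files)
    numbered = [int(n[len(LOG) + 1:]) for n in files
                if n.startswith(LOG + ".") and n[len(LOG) + 1:].isdigit()]
    if keep_logs:
        top = max(numbered, default=0) + 1   # room for the oldest file to move up
    else:
        if num_logs < 2:
            # Assumed simplification: nothing to rotate into, so the current
            # file is simply replaced and its content is lost.
            files.pop(LOG, None)
            files[LOG] = "new"
            return files
        top = num_logs - 1                   # audit.log.<top> is the oldest survivor
    # Shift from the top down so a file is never overwritten before it has moved
    for n in range(top, 1, -1):
        src = f"{LOG}.{n - 1}"
        if src in files:
            files[f"{LOG}.{n}"] = files.pop(src)
    if LOG in files:
        files[f"{LOG}.1"] = files.pop(LOG)
    files[LOG] = "new"
    return files


def rotate_many(files: Dict[str, str], num_logs: int, keep_logs: bool, times: int) -> Dict[str, str]:
    """Apply rotate_logs repeatedly, as happens each time audit.log fills up."""
    for _ in range(times):
        files = rotate_logs(files, num_logs, keep_logs)
    return files


if __name__ == "__main__":
    # Constructed state matching the first listing above: audit.log plus .1 to .4
    first = {"audit.log": "A", "audit.log.1": "B", "audit.log.2": "C",
             "audit.log.3": "D", "audit.log.4": "E"}
    print("ROTATE, num_logs=5 :", sorted(rotate_logs(first, 5, False).items()))
    print("KEEP_LOGS x3       :", sorted(rotate_many(first, 5, True, 3)))
```

With ROTATE the content labelled E (the old audit.log.4) disappears, exactly as in the second listing; with KEEP_LOGS three rotations grow the directory from 5 to 8 files (audit.log plus .1 to .7), matching the third listing.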

space_left: specifies how much disk space must remain before the action given by space_left_action is executed. The value must leave the administrator enough time to respond and free up disk space, so it depends on the rate at which audit logs are produced. The default is 75 MB.

space_left_action: the action to take when disk space is running low. Again, see the English explanation.

This parameter tells the system what action to take when the system has detected that it is starting to get low on disk space. 
Valid values are ignore, syslog, email, exec, suspend, single, and halt. If set to ignore, the audit daemon does nothing.
syslog means that it will issue a warning to syslog.
Email means that it will send a warning to the email account specified in action_mail_acct as well as sending the message to syslog.
exec /path-to-script will execute the script. You cannot pass parameters to the script.
suspend will cause the audit daemon to stop writing records to the disk. The daemon will still be alive.
The single option will cause the audit daemon to put the computer system in single user mode.
halt option will cause the audit daemon to shutdown the computer system.

admin_space_left: the minimum amount of remaining disk space; when it is reached, the action given by admin_space_left_action is executed.

admin_space_left_action: can be set to single, which puts the system into single-user mode and lets the administrator free up disk space. Keeping the defaults is a good choice: when space_left is reached, a warning is reported via syslog; when admin_space_left is reached, logging stops.

This parameter tells the system what action to take when the system has detected that it is low on disk space.
Valid values are ignore, syslog, email, exec, suspend, single, and halt.

disk_full_action: the action to take when the partition has no space left. The default is suspend.

disk_error_action: the action to take when an error occurs on the partition. Which of these actions to choose depends on the security rules you need to meet.

flush: this parameter is used together with freq. freq specifies how many records may be sent to disk before a forced synchronization with the hard drive is performed; this ensures the audit data stays in sync with the log file on disk. Keep the default values.
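The settings discussed above can be checked mechanically. The following script, an added example that is not part of the original post or of the audit project, parses an auditd.conf in the key = value form shown at the top of this article and reports where the configuration falls short of the strict-environment advice: the log directory should be its own mount point, max_log_file_action should be keep_logs, the space actions should not be ignore, and admin_space_left must sit below space_left. The embedded configuration text is a constructed copy of the stock file above; is_mount is injectable so the mount-point check can be exercised offline.

```python
import os
from typing import Callable, Dict, List

# Constructed sample: the stock auditd.conf from this article, embedded for offline use
DEFAULT_CONF = """\
local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_format = RAW
flush = INCREMENTAL_ASYNC
freq = 50
max_log_file = 8
num_logs = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
"""


def parse_auditd_conf(text: str) -> Dict[str, str]:
    """Parse 'key = value' lines; anything after '#' is a comment. Keys are lower-cased."""
    settings: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def _megabytes(value: str) -> int:
    """space_left / admin_space_left are megabytes here; a trailing '%' (newer auditd) is tolerated."""
    return int(value.strip().rstrip("%"))


def review_auditd_conf(settings: Dict[str, str],
                       is_mount: Callable[[str], bool] = os.path.ismount) -> List[str]:
    """Return findings where the configuration falls short of the strict-environment advice.

    An absent key is reported as well, because the daemon's compiled-in default
    is then in effect rather than an explicit, reviewed choice.
    """
    findings: List[str] = []

    def action(key: str) -> str:
        return settings.get(key, "").lower()

    log_dir = os.path.dirname(settings.get("log_file", "/var/log/audit/audit.log"))
    if not is_mount(log_dir):
        findings.append(f"log_file: {log_dir} is not its own mount point; other processes can fill it")

    if action("max_log_file_action") != "keep_logs":
        findings.append("max_log_file_action: not keep_logs, old audit logs can be overwritten")

    if action("space_left_action") in ("", "ignore"):
        findings.append("space_left_action: no warning when disk space starts to run low")

    if action("admin_space_left_action") in ("", "ignore", "syslog"):
        findings.append("admin_space_left_action: no stop or escalation when space is critical")

    for key in ("disk_full_action", "disk_error_action"):
        if action(key) in ("", "ignore", "syslog"):
            findings.append(f"{key}: daemon keeps going on a full or failing disk")

    try:
        if _megabytes(settings.get("admin_space_left", "0")) >= _megabytes(settings.get("space_left", "0")):
            findings.append("admin_space_left: must be lower than space_left to leave time to react")
    except ValueError:
        findings.append("space_left/admin_space_left: value is not numeric")
    return findings


if __name__ == "__main__":
    # Pretend /var/log/audit is not a separate mount so that check is visible offline
    for finding in review_auditd_conf(parse_auditd_conf(DEFAULT_CONF), is_mount=lambda p: False):
        print("-", finding)
```

Run against the stock file the script reports two findings (the mount point and ROTATE); with max_log_file_action = KEEP_LOGS and the log directory on its own partition it reports none, which matches the defaults-plus-two-changes posture recommended in this article.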

More detailed descriptions of the configuration parameters can be found at

https://linux.die.net/man/5/auditd.conf
