Auditing a directory

While debugging a containerised application today I noticed that, after the app had been running for a while, one of the volumes mounted into the container from the host would occasionally get deleted. So I needed to find out who, or which process, was deleting the directory. After some googling I found that the auditd service can watch a target file or directory and later tell you which processes touched it.

The whole procedure has three steps:

1. start the auditd service;
2. configure it with auditctl;
3. after some time, use ausearch to view/search the audit log.

Start monitoring

Start the auditd service:

```
systemctl start auditd
## you may need `mkdir /var/log/audit`
```

Add a watch rule

Edit the audit rules:

```
## list existing rules
auditctl -l

## clean existing rules
auditctl -D

## watch /var/run/yourfolder
auditctl -w /var/run/yourfolder -p war -k serachkey
```

auditctl syntax

```
[root@ddeoops ~]# auditctl -h
usage: auditctl [options]
    -a <l,a>                          Append rule to end of <l>ist with <a>ction
    -A <l,a>                          Add rule at beginning of <l>ist with <a>ction
    -b <backlog>                      Set max number of outstanding audit buffers
                                      allowed Default=64
    -c                                Continue through errors in rules
    -C f=f                            Compare collected fields if available:
                                      Field name, operator(=,!=), field name
    -d <l,a>                          Delete rule from <l>ist with <a>ction
                                      l=task,exit,user,exclude
                                      a=never,always
    -D                                Delete all rules and watches
    -e [0..2]                         Set enabled flag
    -f [0..2]                         Set failure flag
                                      0=silent 1=printk 2=panic
    -F f=v                            Build rule: field name, operator(=,!=,<,>,<=,
                                      >=,&,&=) value
    -h                                Help
    -i                                Ignore errors when reading rules from file
    -k <key>                          Set filter key on audit rule
    -l                                List rules
    -m text                           Send a user-space message
    -p [r|w|x|a]                      Set permissions filter on watch
                                      r=read, w=write, x=execute, a=attribute
    -q <mount,subtree>                make subtree part of mount point's dir watches
    -r <rate>                         Set limit in messages/sec (0=none)
    -R <file>                         read rules from file
    -s                                Report status
    -S syscall                        Build rule: syscall name or number
    -t                                Trim directory watches
    -v                                Version
    -w <path>                         Insert watch at <path>
    -W <path>                         Remove watch at <path>
    --loginuid-immutable              Make loginuids unchangeable once set
    --reset-lost                      Reset the lost record counter
```

Analysing the log

View/search the audit log: ...
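As an added example (not from the original post), here is a small script that answers the question the post sets out with: given raw audit records tagged with the key from the rule above, which pid/command/executable/login-uid deleted which path. The log lines are constructed for the demo and modelled on the raw /var/log/audit/audit.log format; `serachkey` is the key used in the auditctl rule.

```shell
#!/bin/sh
# Added example, not part of the original post. Pairs the SYSCALL record of
# each audited event with its PATH record and reports who deleted what.
AUDIT_KEY="serachkey"   # the -k value used in the auditctl rule above

# Constructed sample records, modelled on raw /var/log/audit/audit.log lines
# (event ids, pids and paths are made up for the demo).
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1529456789.123:456): arch=c000003e syscall=87 success=yes exit=0 ppid=1 pid=2345 auid=1000 uid=0 comm="rm" exe="/usr/bin/rm" key="serachkey"
type=CWD msg=audit(1529456789.123:456): cwd="/root"
type=PATH msg=audit(1529456789.123:456): item=1 name="/var/run/yourfolder/data.db" inode=1234 nametype=DELETE
type=SYSCALL msg=audit(1529456790.000:457): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=2400 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="serachkey"
type=PATH msg=audit(1529456790.000:457): item=0 name="/var/run/yourfolder/data.db" inode=1234 nametype=NORMAL
type=SYSCALL msg=audit(1529456791.500:458): arch=c000003e syscall=263 success=yes exit=0 ppid=4000 pid=4010 auid=4294967295 uid=0 comm="cleanup.sh" exe="/bin/bash" key="serachkey"
type=PATH msg=audit(1529456791.500:458): item=1 name="/var/run/yourfolder/cache" inode=1300 nametype=DELETE
EOF
}

# Read raw audit records on stdin; print "pid comm exe auid path" for every
# DELETE that was tagged with $AUDIT_KEY. Records of one event share the
# audit(<time>:<serial>) id, and SYSCALL precedes PATH in the log.
audit_deleters() {
    awk -v key="$AUDIT_KEY" '
    function field(s, name,   m) {       # value of " name=..." with quotes stripped
        if (match(s, " " name "=[^ ]+")) {
            m = substr(s, RSTART + length(name) + 2, RLENGTH - length(name) - 2)
            gsub(/"/, "", m); return m
        }
        return "?"
    }
    { match($0, /audit\([0-9.]+:[0-9]+\)/); id = substr($0, RSTART, RLENGTH) }
    /^type=SYSCALL / && field($0, "key") == key {
        auid = field($0, "auid")
        # 4294967295 = auid unset: no login session, i.e. a daemon/service rather than an interactive user
        if (auid == "4294967295") auid = "unset"
        who[id] = field($0, "pid") " " field($0, "comm") " " field($0, "exe") " " auid
    }
    /^type=PATH / && field($0, "nametype") == "DELETE" && (id in who) {
        print who[id] " " field($0, "name")
    }'
}

sample_audit_log | audit_deleters
```

On a real host you would feed it `ausearch -k serachkey --raw | audit_deleters` instead of the sample function; an `unset` login uid is the typical signature of a service or container process rather than someone at a shell.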

June 20, 2018 · datewu