{"id":5821,"date":"2020-10-15T17:07:05","date_gmt":"2020-10-15T08:07:05","guid":{"rendered":"https:\/\/www.secuavail.com\/product\/logstarecollector\/kb\/?p=5821"},"modified":"2024-08-26T15:53:10","modified_gmt":"2024-08-26T06:53:10","slug":"tb-201015_01","status":"publish","type":"post","link":"https:\/\/www.secuavail.com\/kb\/tech-blog\/tb-201015_01\/","title":{"rendered":"\u30c6\u30ad\u30b9\u30c8\u30de\u30c3\u30c1\u30f3\u30b0\u3092\u5229\u7528\u3057\u305fAudit.log\u306e\u76e3\u8996\u306b\u3064\u3044\u3066"},"content":{"rendered":"<p>\u5f53\u8a18\u4e8b\u3067\u306f\u3001LogStare Collector\uff08\u4ee5\u4e0b\u3001LSC\u3068\u8a18\u8f09\uff09\u306e\u6a5f\u80fd\u3092\u5229\u7528\u3057\u3066\u3001Linux\u306eAudit.log\u3092\u76e3\u8996\u3059\u308b\u65b9\u6cd5\u306b\u3064\u3044\u3066\u8a2d\u5b9a\u4f8b\u3092\u4ea4\u3048\u305f\u8aac\u660e\u3092\u8a18\u8f09\u3057\u307e\u3059\u3002<\/p>\n<div id=\"ez-toc-container\" class=\"ez-toc-v2_0_82_2 counter-hierarchy ez-toc-counter ez-toc-grey ez-toc-container-direction\">\n<div class=\"ez-toc-title-container\"><p class=\"ez-toc-title\" style=\"cursor:inherit\">\u76ee\u6b21<\/p>\n<\/div><nav><ul class='ez-toc-list ez-toc-list-level-1 ' ><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-1\" href=\"https:\/\/www.secuavail.com\/kb\/tech-blog\/tb-201015_01\/#%E5%89%8D%E6%8F%90%E6%9D%A1%E4%BB%B6\" >\u524d\u63d0\u6761\u4ef6<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-2\" href=\"https:\/\/www.secuavail.com\/kb\/tech-blog\/tb-201015_01\/#%E8%A8%AD%E5%AE%9A%EF%BC%88Linux%E5%81%B4%EF%BC%89\" >\u8a2d\u5b9a\uff08Linux\u5074\uff09<\/a><ul class='ez-toc-list-level-3' ><li class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-3\" href=\"https:\/\/www.secuavail.com\/kb\/tech-blog\/tb-201015_01\/#Audit%E3%83%AB%E3%83%BC%E3%83%AB%E3%81%AE%E8%BF%BD%E5%8A%A0%E6%96%B9%E6%B3%95\" >Audit\u30eb\u30fc\u30eb\u306e\u8ffd\u52a0\u65b9\u6cd5<\/a><ul 
class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-4\" href=\"https:\/\/www.secuavail.com\/kb\/tech-blog\/tb-201015_01\/#%E4%B8%80%E6%99%82%E7%9A%84%E3%81%AAAudit%E3%83%AB%E3%83%BC%E3%83%AB%E8%BF%BD%E5%8A%A0%E6%96%B9%E6%B3%95\" >\u4e00\u6642\u7684\u306aAudit\u30eb\u30fc\u30eb\u8ffd\u52a0\u65b9\u6cd5<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-5\" href=\"https:\/\/www.secuavail.com\/kb\/tech-blog\/tb-201015_01\/#%E6%B0%B8%E7%B6%9A%E7%9A%84%E3%81%AAAudit%E3%83%AB%E3%83%BC%E3%83%AB%E8%BF%BD%E5%8A%A0%E6%96%B9%E6%B3%95\" >\u6c38\u7d9a\u7684\u306aAudit\u30eb\u30fc\u30eb\u8ffd\u52a0\u65b9\u6cd5<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-6\" href=\"https:\/\/www.secuavail.com\/kb\/tech-blog\/tb-201015_01\/#%E3%83%95%E3%82%A1%E3%82%A4%E3%83%AB%E3%83%87%E3%82%A3%E3%83%AC%E3%82%AF%E3%83%88%E3%83%AA%E3%82%A2%E3%82%AF%E3%82%BB%E3%82%B9%E7%9B%A3%E8%A6%96%E3%81%AE%E3%83%AB%E3%83%BC%E3%83%AB%E8%A8%AD%E5%AE%9A\" >\u30d5\u30a1\u30a4\u30eb\/\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30a2\u30af\u30bb\u30b9\u76e3\u8996\u306e\u30eb\u30fc\u30eb\u8a2d\u5b9a<\/a><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-7\" href=\"https:\/\/www.secuavail.com\/kb\/tech-blog\/tb-201015_01\/#%E6%A7%8B%E6%96%87%E5%86%85%E3%81%AE%E5%90%84%E8%A8%AD%E5%AE%9A%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6\" >\u69cb\u6587\u5185\u306e\u5404\u8a2d\u5b9a\u306b\u3064\u3044\u3066<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-8\" href=\"https:\/\/www.secuavail.com\/kb\/tech-blog\/tb-201015_01\/#%E3%82%B7%E3%82%B9%E3%83%86%E3%83%A0%E3%82%B3%E3%83%BC%E3%83%AB%E7%9B%A3%E8%A6%96%E3%81%AE%E3%83%AB%E3%83%BC%E3%83%AB%E8%A8%AD%E5%AE%9A\" >\u30b7\u30b9\u30c6\u30e0\u30b3\u30fc\u30eb\u76e3\u8996\u306e\u30eb\u30fc\u30eb\u8a2d\u5b9a<\/a><ul 
class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-9\" href=\"https:\/\/www.secuavail.com\/kb\/tech-blog\/tb-201015_01\/#%E6%A7%8B%E6%96%87%E5%86%85%E3%81%AE%E5%90%84%E8%A8%AD%E5%AE%9A%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6-2\" >\u69cb\u6587\u5185\u306e\u5404\u8a2d\u5b9a\u306b\u3064\u3044\u3066<\/a><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-10\" href=\"https:\/\/www.secuavail.com\/kb\/tech-blog\/tb-201015_01\/#Auditlog%E3%81%AELSC%E3%81%B8%E3%81%AE%E5%87%BA%E5%8A%9B%E6%96%B9%E6%B3%95\" >Audit.log\u306eLSC\u3078\u306e\u51fa\u529b\u65b9\u6cd5<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-11\" href=\"https:\/\/www.secuavail.com\/kb\/tech-blog\/tb-201015_01\/#%E3%81%9D%E3%81%AE%E4%BB%96\" >\u305d\u306e\u4ed6<\/a><ul class='ez-toc-list-level-4' ><li class='ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-12\" href=\"https:\/\/www.secuavail.com\/kb\/tech-blog\/tb-201015_01\/#SELinux%E6%9C%89%E5%8A%B9%E6%99%82%E3%81%AE%E3%83%AD%E3%82%B0%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6\" >SELinux\u6709\u52b9\u6642\u306e\u30ed\u30b0\u306b\u3064\u3044\u3066<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-4'><a class=\"ez-toc-link ez-toc-heading-13\" href=\"https:\/\/www.secuavail.com\/kb\/tech-blog\/tb-201015_01\/#%E3%83%AD%E3%82%B0%E3%83%95%E3%82%A9%E3%83%BC%E3%83%9E%E3%83%83%E3%83%88%E3%81%AE%E5%A4%89%E6%9B%B4%E6%96%B9%E6%B3%95%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6\" >\u30ed\u30b0\u30d5\u30a9\u30fc\u30de\u30c3\u30c8\u306e\u5909\u66f4\u65b9\u6cd5\u306b\u3064\u3044\u3066<\/a><\/li><\/ul><\/li><\/ul><\/li><li class='ez-toc-page-1 ez-toc-heading-level-2'><a class=\"ez-toc-link ez-toc-heading-14\" href=\"https:\/\/www.secuavail.com\/kb\/tech-blog\/tb-201015_01\/#%E8%A8%AD%E5%AE%9A%EF%BC%88LSC%E5%81%B4%EF%BC%89\" >\u8a2d\u5b9a\uff08LSC\u5074\uff09<\/a><ul class='ez-toc-list-level-3' ><li 
class='ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-15\" href=\"https:\/\/www.secuavail.com\/kb\/tech-blog\/tb-201015_01\/#%E5%9F%BA%E6%9C%AC%E8%A8%AD%E5%AE%9A\" >\u57fa\u672c\u8a2d\u5b9a<\/a><\/li><li class='ez-toc-page-1 ez-toc-heading-level-3'><a class=\"ez-toc-link ez-toc-heading-16\" href=\"https:\/\/www.secuavail.com\/kb\/tech-blog\/tb-201015_01\/#%E3%83%AD%E3%82%B0%E7%9B%A3%E8%A6%96%E8%A8%AD%E5%AE%9A\" >\u30ed\u30b0\u76e3\u8996\u8a2d\u5b9a<\/a><\/li><\/ul><\/li><\/ul><\/nav><\/div>\n<h2><span class=\"ez-toc-section\" id=\"%E5%89%8D%E6%8F%90%E6%9D%A1%E4%BB%B6\"><\/span>\u524d\u63d0\u6761\u4ef6<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<p>\u5f53\u8a18\u4e8b\u5185\u306e\u8aac\u660e\u306f\u4e0b\u8a18\u524d\u63d0\u306b\u3066\u691c\u8a3c\u3057\u305f\u5185\u5bb9\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n<pre class=\"lang:default highlight:0 decode:true\"># yum list installed | grep audit\r\naudit.x86_64                         2.8.5-4.el7\r\naudit-libs.x86_64                    2.8.5-4.el7\r\n# cat \/etc\/redhat-release\r\nCentOS Linux release 7.8.2003 (Core)<\/pre>\n<h2><span class=\"ez-toc-section\" id=\"%E8%A8%AD%E5%AE%9A%EF%BC%88Linux%E5%81%B4%EF%BC%89\"><\/span>\u8a2d\u5b9a\uff08Linux\u5074\uff09<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"Audit%E3%83%AB%E3%83%BC%E3%83%AB%E3%81%AE%E8%BF%BD%E5%8A%A0%E6%96%B9%E6%B3%95\"><\/span>Audit\u30eb\u30fc\u30eb\u306e\u8ffd\u52a0\u65b9\u6cd5<span 
class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>Audit\u30eb\u30fc\u30eb\u306e\u8ffd\u52a0\u65b9\u6cd5\u306b\u306f\u3001\u30eb\u30fc\u30eb\u8ffd\u52a0\u5f8c\u306bauditd\u30b5\u30fc\u30d3\u30b9\u3092\u518d\u8d77\u52d5\u3059\u308b\u3068\u8ffd\u52a0\u3057\u305f\u30eb\u30fc\u30eb\u304c\u6d88\u5931\u3059\u308b\u4e00\u6642\u7684\u306a\u30eb\u30fc\u30eb\u8ffd\u52a0\u65b9\u6cd5\u3068\u3001auditd\u30b5\u30fc\u30d3\u30b9\u3092\u518d\u8d77\u52d5\u3057\u3066\u3082\u8ffd\u52a0\u3057\u305f\u30eb\u30fc\u30eb\u304c\u6d88\u5931\u3057\u306a\u3044\u6c38\u7d9a\u7684\u306a\u30eb\u30fc\u30eb\u8ffd\u52a0\u65b9\u6cd5\u306e2\u7a2e\u985e\u3054\u3056\u3044\u307e\u3059\u3002<\/p>\n<h4><span class=\"ez-toc-section\" id=\"%E4%B8%80%E6%99%82%E7%9A%84%E3%81%AAAudit%E3%83%AB%E3%83%BC%E3%83%AB%E8%BF%BD%E5%8A%A0%E6%96%B9%E6%B3%95\"><\/span>\u4e00\u6642\u7684\u306aAudit\u30eb\u30fc\u30eb\u8ffd\u52a0\u65b9\u6cd5<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>auditctl\u30b3\u30de\u30f3\u30c9\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002auditctl\u306b\u7d9a\u3051\u3066\u8ffd\u52a0\u3057\u305f\u3044\u30eb\u30fc\u30eb\u3092\u8a18\u8ff0\u3057\u30a8\u30f3\u30bf\u30fc\u30ad\u30fc\u3092\u62bc\u4e0b\u3057\u307e\u3059\u3002<br \/>\n\u4e0b\u8a18\u306f\/etc\/sudoers\u30d5\u30a1\u30a4\u30eb\u306b\u5bfe\u3057\u3066\u5c5e\u6027\u5909\u66f4\u304c\u3042\u3063\u305f\u5834\u5408\u3001\u30ed\u30b0\u3068\u3057\u3066\u8a18\u9332\u3059\u308b\u30eb\u30fc\u30eb\u3092auditctl\u30b3\u30de\u30f3\u30c9\u306b\u3066\u8ffd\u52a0\u3059\u308b\u65b9\u6cd5\u3067\u3059\u3002<\/p>\n<ul style=\"list-style-type: disc;\">\n<li>auditctl\u306b\u3066\u73fe\u5728\u306eAudit\u30eb\u30fc\u30eb\u3092\u78ba\u8a8d\u3057\u307e\u3059\u3002\u203b\u73fe\u5728\u306e\u8a2d\u5b9a\u306b\u3088\u3063\u3066\u30b3\u30de\u30f3\u30c9\u306e\u5b9f\u884c\u7d50\u679c\u306f\u4e0b\u8a18\u5185\u5bb9\u3068\u7570\u306a\u308a\u307e\u3059\u3002<\/li>\n<\/ul>\n<pre class=\"lang:default highlight:0 decode:true\"># auditctl -l\r\nNo rules<\/pre>\n<ul style=\"list-style-type: 
disc;\">\n<li>auditctl\u306b\u3066\u8ffd\u52a0\u3057\u305f\u3044\u30eb\u30fc\u30eb\u3092\u8a2d\u5b9a\u3057\u307e\u3059\u3002<\/li>\n<\/ul>\n<pre class=\"lang:default highlight:0 decode:true\"># auditctl -w \/etc\/sudoers -p a<\/pre>\n<ul style=\"list-style-type: disc;\">\n<li>auditctl\u306b\u3066\u8ffd\u52a0\u3055\u308c\u305f\u30eb\u30fc\u30eb\u3092\u78ba\u8a8d\u3057\u307e\u3059\u3002<\/li>\n<\/ul>\n<pre class=\"lang:default highlight:0 decode:true\"># auditctl -l\r\n-w \/etc\/sudoers -p a\r\n<\/pre>\n<h4><span class=\"ez-toc-section\" id=\"%E6%B0%B8%E7%B6%9A%E7%9A%84%E3%81%AAAudit%E3%83%AB%E3%83%BC%E3%83%AB%E8%BF%BD%E5%8A%A0%E6%96%B9%E6%B3%95\"><\/span>\u6c38\u7d9a\u7684\u306aAudit\u30eb\u30fc\u30eb\u8ffd\u52a0\u65b9\u6cd5<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>OS\u518d\u8d77\u52d5\u5f8c\u3082\u8ffd\u52a0\u3057\u305fAudit\u30eb\u30fc\u30eb\u8a2d\u5b9a\u3092\u6c38\u7d9a\u7684\u306b\u53cd\u6620\u3055\u305b\u308b\u306b\u306f\u3001\/etc\/audit\/rules.d\/\u914d\u4e0b\u306e\u30d5\u30a1\u30a4\u30eb\u306b\u3066\u8a2d\u5b9a\u3057\u305f\u3044Audit\u30eb\u30fc\u30eb\u3092\u8ffd\u8a18\u3057\u3001augenrules\u30b3\u30de\u30f3\u30c9\u306b\u3066\u30eb\u30fc\u30eb\u3092\u8aad\u307f\u8fbc\u3080\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002<br \/>\n\u4e0b\u8a18\u306f\u30b7\u30b9\u30c6\u30e0\u30b3\u30fc\u30eb\u300cexecve\u300d\u304c\u547c\u3073\u51fa\u3055\u308c\u305f\u5834\u5408\u3001\u30ed\u30b0\u3068\u3057\u3066\u8a18\u9332\u3059\u308b\u30eb\u30fc\u30eb\u3092\/etc\/audit\/rules.d\/\u914d\u4e0b\u306e\u30d5\u30a1\u30a4\u30eb\u306b\u8ffd\u8a18\u3057\u3066augenrules\u30b3\u30de\u30f3\u30c9\u306b\u3066\u30eb\u30fc\u30eb\u3092\u8aad\u307f\u8fbc\u3080\u305f\u3081\u306e\u65b9\u6cd5\u3067\u3059\u3002<\/p>\n<ul style=\"list-style-type: disc;\">\n<li>\/etc\/audit\/rules.d\/\u914d\u4e0b\u306e\u30d5\u30a1\u30a4\u30eb\u3092\u78ba\u8a8d\u3057\u307e\u3059\u3002<\/li>\n<\/ul>\n<pre class=\"lang:default highlight:0 decode:true\"># ls 
\/etc\/audit\/rules.d\/\r\naudit.rules\r\n<\/pre>\n<ul style=\"list-style-type: disc;\">\n<li>audit.rules\u30d5\u30a1\u30a4\u30eb\u306e\u30d0\u30c3\u30af\u30a2\u30c3\u30d7\u3092\u53d6\u5f97\u3057\u307e\u3059\u3002<\/li>\n<\/ul>\n<pre class=\"lang:default highlight:0 decode:true\"># cp \/etc\/audit\/rules.d\/audit.rules \/etc\/audit\/rules.d\/audit.rules.org<\/pre>\n<ul style=\"list-style-type: disc;\">\n<li>auditctl\u306b\u3066\u73fe\u5728\u306eAudit\u30eb\u30fc\u30eb\u3092\u78ba\u8a8d\u3057\u307e\u3059\u3002<br \/>\n\u203b\u73fe\u5728\u306e\u8a2d\u5b9a\u306b\u3088\u3063\u3066\u30b3\u30de\u30f3\u30c9\u306e\u5b9f\u884c\u7d50\u679c\u306f\u4e0b\u8a18\u5185\u5bb9\u3068\u7570\u306a\u308a\u307e\u3059\u3002<\/li>\n<\/ul>\n<pre class=\"lang:default highlight:0 decode:true\"># auditctl -l\r\nNo rules<\/pre>\n<ul style=\"list-style-type: disc;\">\n<li>audit.rules\u30d5\u30a1\u30a4\u30eb\u306b\u8ffd\u52a0\u3057\u305f\u3044\u30eb\u30fc\u30eb\u3092\u8ffd\u8a18\u3057\u307e\u3059\u3002\u203b\u30d0\u30fc\u30b8\u30e7\u30f3\u306b\u3088\u3063\u3066\u30d5\u30a1\u30a4\u30eb\u306e\u4e2d\u8eab\u306f\u7570\u306a\u308a\u307e\u3059\u3002<\/li>\n<\/ul>\n<p>\u5909\u66f4\u524d<\/p>\n<pre class=\"lang:default highlight:0 decode:true\"># vi \/etc\/audit\/rules.d\/audit.rules\r\n## First rule - delete all\r\n-D\r\n\r\n## Increase the buffers to survive stress events.\r\n## Make this bigger for busy systems\r\n-b 8192\r\n\r\n## Set failure mode to syslog\r\n-f 1<\/pre>\n<p>\u5909\u66f4\u5f8c<\/p>\n<pre class=\"lang:default highlight:0 decode:true\"># vi \/etc\/audit\/rules.d\/audit.rules\r\n## First rule - delete all\r\n-D\r\n\r\n## Increase the buffers to survive stress events.\r\n## Make this bigger for busy systems\r\n-b 8192\r\n\r\n## Set failure mode to syslog\r\n-f 1\r\n\r\n## Rule01\r\n-a always,exit -F arch=b64 -S execve<\/pre>\n<ul style=\"list-style-type: 
disc;\">\n<li>augenrules\u306b\u3066\u8ffd\u52a0\u3057\u305f\u30eb\u30fc\u30eb\u3092\u8aad\u307f\u8fbc\u307f\u307e\u3059\u3002<\/li>\n<\/ul>\n<pre class=\"lang:default highlight:0 decode:true \"># augenrules --load\r\n<\/pre>\n<ul style=\"list-style-type: disc;\">\n<li>auditctl\u306b\u3066\u8ffd\u52a0\u3055\u308c\u305f\u30eb\u30fc\u30eb\u3092\u78ba\u8a8d\u3057\u307e\u3059\u3002<\/li>\n<\/ul>\n<pre class=\"lang:default highlight:0 decode:true\"># auditctl -l\r\n-a always,exit -F arch=b64 -S execve\r\n<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"%E3%83%95%E3%82%A1%E3%82%A4%E3%83%AB%E3%83%87%E3%82%A3%E3%83%AC%E3%82%AF%E3%83%88%E3%83%AA%E3%82%A2%E3%82%AF%E3%82%BB%E3%82%B9%E7%9B%A3%E8%A6%96%E3%81%AE%E3%83%AB%E3%83%BC%E3%83%AB%E8%A8%AD%E5%AE%9A\"><\/span>\u30d5\u30a1\u30a4\u30eb\/\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30a2\u30af\u30bb\u30b9\u76e3\u8996\u306e\u30eb\u30fc\u30eb\u8a2d\u5b9a<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u7279\u5b9a\u306e\u30d5\u30a1\u30a4\u30eb\u307e\u305f\u306f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3078\u306e\u30a2\u30af\u30bb\u30b9\u3092\u76e3\u8996\u3059\u308b\u305f\u3081\u306e\u30eb\u30fc\u30eb\u8a2d\u5b9a\u306b\u3064\u3044\u3066\u8aac\u660e\u3057\u307e\u3059\u3002\u30d5\u30a1\u30a4\u30eb\/\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30a2\u30af\u30bb\u30b9\u76e3\u8996\u306e\u30eb\u30fc\u30eb\u3092\u5b9a\u7fa9\u3059\u308b\u305f\u3081\u306b\u306f\u4e0b\u8a18\u306e\u69cb\u6587\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002<\/p>\n<pre class=\"lang:default highlight:0 decode:true\">-w path_to_file -p permissions -k key_name<\/pre>\n<h4><span class=\"ez-toc-section\" id=\"%E6%A7%8B%E6%96%87%E5%86%85%E3%81%AE%E5%90%84%E8%A8%AD%E5%AE%9A%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6\"><\/span>\u69cb\u6587\u5185\u306e\u5404\u8a2d\u5b9a\u306b\u3064\u3044\u3066<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>-w path_to_file : 
\u76e3\u8996\u5bfe\u8c61\u3068\u3057\u305f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u3082\u3057\u304f\u306f\u30d5\u30a1\u30a4\u30eb\u30d1\u30b9\u3092path_to_file\u306e\u90e8\u5206\u306b\u8a18\u8f09\u3057\u307e\u3059\u3002<br \/>\n\u4e0b\u8a18\u306f\/etc\/sudoers\u3092\u76e3\u8996\u5bfe\u8c61\u3068\u3059\u308b\u5834\u5408\u306e\u8a2d\u5b9a\u4f8b\u3067\u3059\u3002<\/p>\n<pre class=\"lang:default highlight:0 decode:true\">-w \/etc\/sudoers\r\n<\/pre>\n<p>-p permissions : \u30ed\u30b0\u51fa\u529b\u5bfe\u8c61\u3068\u3059\u308b\u30d1\u30fc\u30df\u30c3\u30b7\u30e7\u30f3\u3092\u8a2d\u5b9a\u3057\u307e\u3059\u3002\u30d1\u30fc\u30df\u30c3\u30b7\u30e7\u30f3\u306f\u4e0b\u8a18\u306e4\u7a2e\u985e\u304b\u3089\u9078\u629e\u3067\u304d\u307e\u3059\u3002<\/p>\n<div class=\"itemizedlist\">\n<ul>\n<li class=\"listitem\">\n<div class=\"para\">r : \u30d5\u30a1\u30a4\u30eb\u307e\u305f\u306f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30fc\u3078\u306e\u8aad\u307f\u53d6\u308a\u30a2\u30af\u30bb\u30b9\u3002<\/div>\n<\/li>\n<li class=\"listitem\">\n<div class=\"para\">w : \u30d5\u30a1\u30a4\u30eb\u307e\u305f\u306f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30fc\u3078\u306e\u66f8\u304d\u8fbc\u307f\u30a2\u30af\u30bb\u30b9\u3002<\/div>\n<\/li>\n<li class=\"listitem\">\n<div class=\"para\">x : \u30d5\u30a1\u30a4\u30eb\u307e\u305f\u306f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30fc\u3078\u306e\u5b9f\u884c\u30a2\u30af\u30bb\u30b9\u3002<\/div>\n<\/li>\n<li class=\"listitem\">\n<div class=\"para\">a : \u30d5\u30a1\u30a4\u30eb\u307e\u305f\u306f\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u30fc\u3078\u306e\u5c5e\u6027\u5909\u66f4\u3002<\/div>\n<\/li>\n<\/ul>\n<p>\u4e0b\u8a18\u306f\u76e3\u8996\u5bfe\u8c61\u3068\u3057\u305f\/etc\/sudoers\u306b\u5bfe\u3057\u3066\u8aad\u307f\u53d6\u308a\u3082\u3057\u304f\u306f\u5c5e\u6027\u5909\u66f4\u304c\u5834\u5408\u3001\u30ed\u30b0\u3068\u3057\u3066\u8a18\u9332\u3059\u308b\u8a2d\u5b9a\u4f8b\u3067\u3059\u3002<\/p>\n<pre class=\"lang:default highlight:0 decode:true\">-w \/etc\/sudoers -p 
ra\r\n<\/pre>\n<p>-k key_name : \u3069\u306e\u30eb\u30fc\u30eb\u306b\u3066\u30ed\u30b0\u304c\u8a18\u9332\u3055\u308c\u305f\u304b\u3092\u7279\u5b9a\u3059\u308b\u969b\u306b\u5f79\u7acb\u3064\u30aa\u30d7\u30b7\u30e7\u30f3\u3067\u3059\u3002<br \/>\n\u4e0b\u8a18\u306f\u76e3\u8996\u5bfe\u8c61\u3068\u3057\u305f\/etc\/sudoers\u306b\u5bfe\u3057\u3066\u8aad\u307f\u53d6\u308a\u3082\u3057\u304f\u306f\u5c5e\u6027\u5909\u66f4\u304c\u767a\u751f\u3057\u305f\u5834\u5408\u3001\u8a18\u9332\u3055\u308c\u308b\u30ed\u30b0\u30e1\u30c3\u30bb\u30fc\u30b8\u5185\u306b\u300ckey=sudoers\u300d\u3068\u3044\u3046\u6587\u5b57\u5217\u3092\u542b\u307e\u305b\u308b\u8a2d\u5b9a\u4f8b\u3067\u3059\u3002<\/p>\n<pre class=\"lang:default highlight:0 decode:true\">-w \/etc\/sudoers -p ra -k sudoers\r\n<\/pre>\n<\/div>\n<h3><span class=\"ez-toc-section\" id=\"%E3%82%B7%E3%82%B9%E3%83%86%E3%83%A0%E3%82%B3%E3%83%BC%E3%83%AB%E7%9B%A3%E8%A6%96%E3%81%AE%E3%83%AB%E3%83%BC%E3%83%AB%E8%A8%AD%E5%AE%9A\"><\/span>\u30b7\u30b9\u30c6\u30e0\u30b3\u30fc\u30eb\u76e3\u8996\u306e\u30eb\u30fc\u30eb\u8a2d\u5b9a<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u7279\u5b9a\u306e\u30b7\u30b9\u30c6\u30e0\u30b3\u30fc\u30eb\u304c\u767a\u751f\u3057\u305f\u6642\u306b\u30ed\u30b0\u51fa\u529b\u3059\u308b\u305f\u3081\u306e\u30eb\u30fc\u30eb\u8a2d\u5b9a\u306b\u3064\u3044\u3066\u8aac\u660e\u3057\u307e\u3059\u3002\u30b7\u30b9\u30c6\u30e0\u30b3\u30fc\u30eb\u76e3\u8996\u306e\u30eb\u30fc\u30eb\u3092\u5b9a\u7fa9\u3059\u308b\u305f\u3081\u306b\u306f\u4e0b\u8a18\u306e\u69cb\u6587\u3092\u4f7f\u7528\u3057\u307e\u3059\u3002<\/p>\n<pre class=\"lang:default highlight:0 decode:true\" style=\"font-size: 12.8px;\">-a action,filter -S system_call -F field=value -k key_name\r\n<\/pre>\n<h4><span class=\"ez-toc-section\" id=\"%E6%A7%8B%E6%96%87%E5%86%85%E3%81%AE%E5%90%84%E8%A8%AD%E5%AE%9A%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6-2\"><\/span>\u69cb\u6587\u5185\u306e\u5404\u8a2d\u5b9a\u306b\u3064\u3044\u3066<span 
class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>-a action,filter : \u7279\u5b9a\u306e\u30a4\u30d9\u30f3\u30c8\u306b\u3064\u3044\u3066\u30ed\u30b0\u3092\u8a18\u9332\u3059\u308b\u304b\u3069\u3046\u304b\u3001\u30bf\u30a4\u30df\u30f3\u30b0\u3092\u6307\u5b9a\u3057\u307e\u3059\u3002<\/p>\n<p>action:\u30ed\u30b0\u8a18\u9332\u306e\u6709\u7121\u3092\u8a2d\u5b9a\u3067\u304d\u307e\u3059\u3002\u4e0b\u8a18\u306e2\u7a2e\u985e\u3088\u308a\u9078\u629e\u3057\u307e\u3059\u3002<\/p>\n<ul style=\"list-style-type: disc;\">\n<li>always : \u30ed\u30b0\u3092\u8a18\u9332\u3057\u307e\u3059\u3002<\/li>\n<li>never : \u30ed\u30b0\u3092\u8a18\u9332\u3057\u307e\u305b\u3093\u3002<\/li>\n<\/ul>\n<p>filter:\u30d5\u30a3\u30eb\u30bf\u30fc\u306f\u3001\u300ctask\u300d\u300cexit\u300d\u300cuser\u300d\u300cexclude\u300d\u306e4\u7a2e\u985e\u304b\u3089\u9078\u629e\u3067\u304d\u307e\u3059\u3002\u901a\u5e38\u3001\u300cexit\u300d\u3092\u9078\u629e\u3057\u307e\u3059\u3002<br \/>\n\u4e0b\u8a18\u306f\u7279\u5b9a\u306e\u30b7\u30b9\u30c6\u30e0\u30b3\u30fc\u30eb\u3092\u76e3\u8996\u3059\u308b\u5834\u5408\u306e\u8a2d\u5b9a\u4f8b\u3067\u3059\u3002<\/p>\n<pre class=\"lang:default highlight:0 decode:true\">-a always,exit\r\n<\/pre>\n<p>-S system_call : \u30ed\u30b0\u306b\u8a18\u9332\u3059\u308b\u30b7\u30b9\u30c6\u30e0\u30b3\u30fc\u30eb\u3092\u9078\u629e\u3057\u307e\u3059\u3002\u8907\u6570\u306e\u30b7\u30b9\u30c6\u30e0\u30b3\u30fc\u30eb\u3092\u6307\u5b9a\u3059\u308b\u5834\u5408\u3001\u4e00\u3064\u306e\u30b7\u30b9\u30c6\u30e0\u30b3\u30fc\u30eb\u6bce\u306b-S\u3092\u8a18\u8f09\u3057\u307e\u3059\u3002\u3059\u3079\u3066\u306e\u30b7\u30b9\u30c6\u30e0\u30b3\u30fc\u30eb\u3092\u5bfe\u8c61\u3068\u3059\u308b\u5834\u5408\u3001\u300c-S all\u300d\u3068\u8a18\u8f09\u3057\u307e\u3059\u3002<br \/>\n\u4e0b\u8a18\u306f\u30b7\u30b9\u30c6\u30e0\u30b3\u30fc\u30eb\u300cexecve\u300d\u300cclone\u300d\u3092\u76e3\u8996\u5bfe\u8c61\u3068\u3059\u308b\u5834\u5408\u306e\u8a2d\u5b9a\u4f8b\u3067\u3059\u3002<br 
\/>\n\u203b\u30b7\u30b9\u30c6\u30e0\u30b3\u30fc\u30eb\u306f\u82f1\u5b57\u3082\u3057\u304f\u306f\u6570\u5b57\u306b\u3066\u6307\u5b9a\u3057\u307e\u3059\u3002<br \/>\n※システムコール番号はアーキテクチャごとに異なります（56がcloneを指すのはx86_64の場合です）。番号ではなく英字で指定し、あわせて後述の「-F arch」を明示することを推奨します。<\/p>\n<pre class=\"lang:default highlight:0 decode:true\">-a always,exit -S execve -S 56\r\n<\/pre>\n<p>-F field=value : \u5f53\u9805\u76ee\u306b\u3066\u8a2d\u5b9a\u3057\u305f\u8981\u7d20\u3068\u5408\u81f4\u3057\u305f\u30a4\u30d9\u30f3\u30c8\u306e\u307f\u30ed\u30b0\u306b\u8a18\u9332\u3055\u308c\u307e\u3059\u3002<br \/>\n\u4e0b\u8a18\u306f\u30b7\u30b9\u30c6\u30e0\u30b3\u30fc\u30eb\u300cexecve\u300d\u300cclone\u300d\u304b\u3064\u30e6\u30fc\u30b6ID\u304c1000\u4ee5\u4e0a\u306e\u30a4\u30d9\u30f3\u30c8\u3092\u76e3\u8996\u5bfe\u8c61\u3068\u3059\u308b\u5834\u5408\u3001\u30ed\u30b0\u3068\u3057\u3066\u8a18\u9332\u3059\u308b\u8a2d\u5b9a\u4f8b\u3067\u3059\u3002<br \/>\n\u203b\u30b7\u30b9\u30c6\u30e0\u30b3\u30fc\u30eb\u76e3\u8996\u306e\u30eb\u30fc\u30eb\u3092\u8a2d\u5b9a\u3059\u308b\u969b\u3001\u30a8\u30e9\u30fc\u30e1\u30c3\u30bb\u30fc\u30b8\u3068\u3057\u3066\u3001\u300cWARNING - 32\/64 bit syscall mismatch in line XX, you should specify an arch\u300d\u3068\u51fa\u529b\u3055\u308c\u308b\u5834\u5408\u304c\u3042\u308a\u307e\u3059\u3002\u305d\u306e\u5834\u5408\u3001-S\u306e\u524d\u306b\u300c-F arch=b32\u300d\u3082\u3057\u304f\u306f\u300c-F arch=b64\u300d\u3092\u633f\u5165\u3059\u308b\u5fc5\u8981\u304c\u3042\u308a\u307e\u3059\u3002<br \/>\n※「-F arch=b64」を指定したルールは64ビットのシステムコールのみを対象とします。x86_64環境で32ビットのバイナリから呼び出されたシステムコールも記録するには、同じ内容で「-F arch=b32」を指定したルールを併せて追加する必要があります。<\/p>\n<pre class=\"lang:default highlight:0 decode:true\">-a always,exit -F arch=b64 -S execve,56 -F uid&gt;=1000\r\n<\/pre>\n<p>※uidはシステムコール実行時点のユーザIDです。そのためsuやsudoで権限昇格した後に実行されたコマンドはuid=0となり、上記ルールには一致しません。ログイン時のユーザを基準に操作を追跡したい場合は、ログサンプル中にも出力されているauid（ログインUID）を条件に用いることを検討してください。<\/p>\n<p>-k key_name : \u3069\u306e\u30eb\u30fc\u30eb\u306b\u3066\u30ed\u30b0\u304c\u8a18\u9332\u3055\u308c\u305f\u304b\u3092\u7279\u5b9a\u3059\u308b\u969b\u306b\u5f79\u7acb\u3064\u30aa\u30d7\u30b7\u30e7\u30f3\u3067\u3059\u3002<br 
\/>\n\u4e0b\u8a18\u306f\u30b7\u30b9\u30c6\u30e0\u30b3\u30fc\u30eb\u304c\u300cexecve\u300d\u300cclone\u300d\u3067\u3001\u30e6\u30fc\u30b6ID\u304c1000\u4ee5\u4e0a\u306e\u30a4\u30d9\u30f3\u30c8\u304c\u767a\u751f\u3057\u305f\u5834\u5408\u3001\u8a18\u9332\u3055\u308c\u308b\u30ed\u30b0\u30e1\u30c3\u30bb\u30fc\u30b8\u5185\u306b\u300ckey=actions\u300d\u3068\u3044\u3046\u6587\u5b57\u5217\u3092\u542b\u307e\u305b\u308b\u8a2d\u5b9a\u4f8b\u3067\u3059\u3002<\/p>\n<pre class=\"lang:default highlight:0 decode:true\">-a always,exit -F arch=b64 -S execve,56 -F uid&gt;=1000 -k actions\r\n<\/pre>\n<h3><span class=\"ez-toc-section\" id=\"Auditlog%E3%81%AELSC%E3%81%B8%E3%81%AE%E5%87%BA%E5%8A%9B%E6%96%B9%E6%B3%95\"><\/span>Audit.log\u306eLSC\u3078\u306e\u51fa\u529b\u65b9\u6cd5<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u8a2d\u5b9a\u65b9\u6cd5\u306b\u3064\u3044\u3066\u306e\u8a73\u7d30\u306f\u4ee5\u4e0b\u306e\u8a18\u4e8b\u3092\u3054\u53c2\u7167\u304f\u3060\u3055\u3044\u3002<br \/>\n<a href=\"https:\/\/www.secuavail.com\/kb\/tech-blog\/tb-200623_01\/\">Audit.log\u3092syslog\u3092\u5229\u7528\u3057\u3066\u53ce\u96c6\u3059\u308b\u65b9\u6cd5<\/a><\/p>\n<h3><span class=\"ez-toc-section\" id=\"%E3%81%9D%E3%81%AE%E4%BB%96\"><\/span>\u305d\u306e\u4ed6<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<h4><span class=\"ez-toc-section\" id=\"SELinux%E6%9C%89%E5%8A%B9%E6%99%82%E3%81%AE%E3%83%AD%E3%82%B0%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6\"><\/span>SELinux\u6709\u52b9\u6642\u306e\u30ed\u30b0\u306b\u3064\u3044\u3066<span class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>SELinux\u6709\u52b9\u6642\u3068\u7121\u52b9\u6642\u3067\u306f\u30ed\u30b0\u30e1\u30c3\u30bb\u30fc\u30b8\u306e\u4e2d\u8eab\u304c\u7570\u306a\u308a\u307e\u3059\u3002<br \/>\n\u4e0b\u8a18\u306fSELinux\u6709\u52b9\u6642\u306e\u30ed\u30b0\u30b5\u30f3\u30d7\u30eb\u3067\u3059\u3002<\/p>\n<pre class=\"lang:default highlight:0 decode:true\">Oct 26 18:11:12 localhost audispd: type=SYSCALL msg=audit(1603703472.072:784): arch=c000003e 
syscall=2 success=no exit=-13 a0=7fff4dfa27f7 a1=0 a2=1fffffffffff0000 a3=7fff4dfa14e0 items=1 ppid=5588 pid=5607 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=2 comm=\"cat\" exe=\"\/usr\/bin\/cat\" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null) ARCH=x86_64 SYSCALL=open AUID=\"test02\" UID=\"test02\" GID=\"test02\" EUID=\"test02\" SUID=\"test02\" FSUID=\"test02\" EGID=\"test02\" SGID=\"test02\" FSGID=\"test02\"<\/pre>\n<p>\u4e0b\u8a18\u306fSELinux\u7121\u52b9\u6642\u306e\u30ed\u30b0\u30b5\u30f3\u30d7\u30eb\u3067\u3059\u3002<\/p>\n<pre class=\"lang:default highlight:0 decode:true\">Oct 26 18:16:16 localhost audispd: type=SYSCALL msg=audit(1603703776.754:690): arch=c000003e syscall=2 success=no exit=-13 a0=7ffe17688843 a1=0 a2=1fffffffffff0000 a3=7ffe17687720 items=1 ppid=5466 pid=5485 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=2 comm=\"cat\" exe=\"\/usr\/bin\/cat\" key=(null) ARCH=x86_64 SYSCALL=open AUID=\"test02\" UID=\"test02\" GID=\"test02\" EUID=\"test02\" SUID=\"test02\" FSUID=\"test02\" EGID=\"test02\" SGID=\"test02\" FSGID=\"test02\"<\/pre>\n<p>違いとしてSELinux有効時のみログメッセージ内に追加される項目（上記例ではプロセスのSELinuxコンテキストを示す「subj=」フィールド）が存在することが挙げられます。テキストマッチング文字列を設計する際は、フィールドの有無や並びがSELinuxの有効・無効により変わる点に留意してください。<\/p>\n<h4><span class=\"ez-toc-section\" id=\"%E3%83%AD%E3%82%B0%E3%83%95%E3%82%A9%E3%83%BC%E3%83%9E%E3%83%83%E3%83%88%E3%81%AE%E5%A4%89%E6%9B%B4%E6%96%B9%E6%B3%95%E3%81%AB%E3%81%A4%E3%81%84%E3%81%A6\"><\/span>\u30ed\u30b0\u30d5\u30a9\u30fc\u30de\u30c3\u30c8\u306e\u5909\u66f4\u65b9\u6cd5\u306b\u3064\u3044\u3066<span 
class=\"ez-toc-section-end\"><\/span><\/h4>\n<p>Audit.log\u306e\u30ed\u30b0\u30d5\u30a9\u30fc\u30de\u30c3\u30c8\u306b\u306f\u300cRAW\u300d\u3068\u300cENRICHED\u300d\u304c\u3042\u308a\u307e\u3059\u3002\u521d\u671f\u8a2d\u5b9a\u3067\u306f\u300cRAW\u300d\u304c\u9078\u629e\u3055\u308c\u3066\u3044\u307e\u3059\u3002<br \/>\n\u4e0b\u8a18\u306f\u30ed\u30b0\u30d5\u30a9\u30fc\u30de\u30c3\u30c8\u300cRAW\u300d\u306e\u30ed\u30b0\u30b5\u30f3\u30d7\u30eb\u3067\u3059\u3002<\/p>\n<pre class=\"lang:default highlight:0 decode:true \">Oct 26 18:28:34 localhost audispd: node=localhost.localdomain type=SYSCALL msg=audit(1603704514.417:755): arch=c000003e syscall=2 success=no exit=-13 a0=7fffbf773843 a1=0 a2=1fffffffffff0000 a3=7fffbf7724e0 items=1 ppid=5466 pid=5555 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=2 comm=\"cat\" exe=\"\/usr\/bin\/cat\" key=(null)<\/pre>\n<p>\u4e0b\u8a18\u306f\u30ed\u30b0\u30d5\u30a9\u30fc\u30de\u30c3\u30c8\u300cENRICHED\u300d\u306e\u30ed\u30b0\u30b5\u30f3\u30d7\u30eb\u3067\u3059\u3002<\/p>\n<pre class=\"lang:default highlight:0 decode:true\">Oct 26 18:31:29 localhost audispd: type=SYSCALL msg=audit(1603704689.827:796): arch=c000003e syscall=2 success=no exit=-13 a0=7ffd2d03a843 a1=0 a2=1fffffffffff0000 a3=7ffd2d038ee0 items=1 ppid=5466 pid=5606 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=2 comm=\"cat\" exe=\"\/usr\/bin\/cat\" key=(null) ARCH=x86_64 SYSCALL=open AUID=\"test02\" UID=\"test02\" GID=\"test02\" EUID=\"test02\" SUID=\"test02\" FSUID=\"test02\" EGID=\"test02\" SGID=\"test02\" 
FSGID=\"test02\"<\/pre>\n<p>\u9055\u3044\u3068\u3057\u3066\u30ed\u30b0\u30d5\u30a9\u30fc\u30de\u30c3\u30c8\u300cRAW\u300d\u306b\u306f\u30d5\u30a3\u30fc\u30eb\u30c9\u300ctype\u300d\u306e\u524d\u306b\u30d5\u30a3\u30fc\u30eb\u30c9\u300cnode\u300d\u3068\u3044\u3046\u9805\u76ee\u304c\u542b\u307e\u308c\u307e\u3059\u304c\u3001\u30ed\u30b0\u30d5\u30a9\u30fc\u30de\u30c3\u30c8\u300cENRICHED\u300d\u306b\u30d5\u30a3\u30fc\u30eb\u30c9\u300cnode\u300d\u3068\u3044\u3046\u9805\u76ee\u306f\u542b\u307e\u308c\u307e\u305b\u3093\u3002\u307e\u305f\u3001\u30ed\u30b0\u30d5\u30a9\u30fc\u30de\u30c3\u30c8\u300cENRICHED\u300d\u3067\u306f\u3001\u30e6\u30fc\u30b6ID\u3084\u30b0\u30eb\u30fc\u30d7ID\u7b49\u304c\u6570\u5b57\u304b\u3089\u30c6\u30ad\u30b9\u30c8\u306b\u5909\u63db\u3055\u308c\u305f\u5f62\u5f0f\u306e\u30e1\u30c3\u30bb\u30fc\u30b8\u304c\u4ed8\u4e0e\u3055\u308c\u3066\u3044\u307e\u3059\u3002<\/p>\n<p>\u4e0b\u8a18\u306fAudit.log\u306e\u30ed\u30b0\u30d5\u30a9\u30fc\u30de\u30c3\u30c8\u306e\u5909\u66f4\u65b9\u6cd5\u306b\u3064\u3044\u3066\u306e\u8aac\u660e\u3068\u306a\u308a\u307e\u3059\u3002<\/p>\n<ul style=\"list-style-type: disc;\">\n<li>auditd.conf\u30d5\u30a1\u30a4\u30eb\u306e\u30d0\u30c3\u30af\u30a2\u30c3\u30d7\u3092\u53d6\u5f97\u3057\u307e\u3059\u3002<\/li>\n<\/ul>\n<pre class=\"lang:default highlight:0 decode:true\"># cp \/etc\/audit\/auditd.conf \/etc\/audit\/auditd.conf.org<\/pre>\n<ul style=\"list-style-type: disc;\">\n<li>\u300cRAW\u300d\u3092\u300cENRICHED\u300d\u3078\u5909\u66f4\u3057\u307e\u3059\u3002\u5909\u66f4\u7b87\u6240\u306f\u300clog_format\u300d\u3067\u3059\u3002<\/li>\n<\/ul>\n<p>\u5909\u66f4\u524d<\/p>\n<pre class=\"lang:default highlight:0 decode:true\"># vi \/etc\/audit\/auditd.conf\r\n\r\nlocal_events = yes\r\nwrite_logs = yes\r\nlog_file = \/var\/log\/audit\/audit.log\r\nlog_group = root\r\nlog_format = RAW\r\n\uff5e\uff5e\u7701\u7565\uff5e\uff5e\r\n##krb5_key_file = \/etc\/audit\/audit.key\r\ndistribute_network = no<\/pre>\n<p>\u5909\u66f4\u5f8c<\/p>\n<pre 
class=\"lang:default highlight:0 decode:true\"># vi \/etc\/audit\/auditd.conf\r\n\r\nlocal_events = yes\r\nwrite_logs = yes\r\nlog_file = \/var\/log\/audit\/audit.log\r\nlog_group = root\r\nlog_format = ENRICHED\r\n\uff5e\uff5e\u7701\u7565\uff5e\uff5e\r\n##krb5_key_file = \/etc\/audit\/audit.key\r\ndistribute_network = no<\/pre>\n<ul style=\"list-style-type: disc;\">\n<li>\u30b5\u30fc\u30d3\u30b9\u3092\u518d\u8d77\u52d5\u3057\u307e\u3059\u3002<\/li>\n<\/ul>\n<pre class=\"lang:default highlight:0 decode:true\"># service auditd restart<\/pre>\n<h2><span class=\"ez-toc-section\" id=\"%E8%A8%AD%E5%AE%9A%EF%BC%88LSC%E5%81%B4%EF%BC%89\"><\/span>\u8a2d\u5b9a\uff08LSC\u5074\uff09<span class=\"ez-toc-section-end\"><\/span><\/h2>\n<h3><span class=\"ez-toc-section\" id=\"%E5%9F%BA%E6%9C%AC%E8%A8%AD%E5%AE%9A\"><\/span>\u57fa\u672c\u8a2d\u5b9a<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u8a2d\u5b9a\u65b9\u6cd5\u306b\u3064\u3044\u3066\u306e\u8a73\u7d30\u306f\u4ee5\u4e0b\u306e\u8a18\u4e8b\u3092\u3054\u53c2\u7167\u304f\u3060\u3055\u3044\u3002<br \/>\n<a href=\"https:\/\/www.secuavail.com\/kb\/tech-blog\/tb-200623_01\/\">Audit.log\u3092syslog\u3092\u5229\u7528\u3057\u3066\u53ce\u96c6\u3059\u308b\u65b9\u6cd5<\/a><\/p>\n<h3><span class=\"ez-toc-section\" id=\"%E3%83%AD%E3%82%B0%E7%9B%A3%E8%A6%96%E8%A8%AD%E5%AE%9A\"><\/span>\u30ed\u30b0\u76e3\u8996\u8a2d\u5b9a<span class=\"ez-toc-section-end\"><\/span><\/h3>\n<p>\u76e3\u8996\u30fb\u53ce\u96c6\u3088\u308a\u76e3\u8996\u3057\u305f\u3044\u6a5f\u5668\u3092\u9078\u629e\u3057\u3001\u30c6\u30ad\u30b9\u30c8\u30de\u30c3\u30c1\u30f3\u30b0\u6587\u5b57\u5217\u306e\u6b04\u306b\u901a\u77e5\u3092\u53d7\u3051\u305f\u3044\u30ed\u30b0\u3067\u4f7f\u7528\u3055\u308c\u308b\u6587\u5b57\u5217\u3092\u3001\u8a2d\u5b9a\u540d\u6b04\u306b\u8aac\u660e\u3092\u8a2d\u5b9a\u3057\u307e\u3059\u3002<br 
\/>\n\u8a2d\u5b9a\u65b9\u6cd5\u306b\u3064\u3044\u3066\u306e\u8a73\u7d30\u306f\u4e0b\u8a18\u306e\u8a18\u4e8b\u3092\u3054\u53c2\u7167\u304f\u3060\u3055\u3044\u3002<br \/>\n<a href=\"https:\/\/www.secuavail.com\/kb\/references\/ref-20200716_02\/\">\u30c6\u30ad\u30b9\u30c8\u30de\u30c3\u30c1\u30f3\u30b0\u306b\u3064\u3044\u3066<\/a><\/p>\n<p>\u4ee5\u4e0b\u306f\u300c\u30ed\u30b0\u30a4\u30f3\u5931\u6557\u300d\u3068\u300csudo\u30b3\u30de\u30f3\u30c9\u4f7f\u7528\u300d\u306e\u30ed\u30b0\u3092\u691c\u77e5\u3059\u308b\u5834\u5408\u306e\u8a2d\u5b9a\u4f8b\u306b\u306a\u308a\u307e\u3059\u3002<\/p>\n<p><img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-5991\" src=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2020\/10\/802dcd30b9b4b51d101b00f1aa0c9ace.png\" alt=\"\" width=\"704\" height=\"184\" srcset=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2020\/10\/802dcd30b9b4b51d101b00f1aa0c9ace.png 704w, https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2020\/10\/802dcd30b9b4b51d101b00f1aa0c9ace-300x78.png 300w\" sizes=\"auto, (max-width: 704px) 100vw, 704px\" \/><\/p>\n<p>&nbsp;<\/p>\n<p>\u4ee5\u4e0b\u306f\u30c6\u30ad\u30b9\u30c8\u30de\u30c3\u30c1\u30f3\u30b0\u306b\u3066\u8a2d\u5b9a\u3057\u305f\u6587\u5b57\u5217\u3092\u691c\u77e5\u3057\u3066\u3001\u300c\u30ed\u30b0\u30a4\u30f3\u5931\u6557\u300d\u3068\u3057\u3066\u30a2\u30e9\u30fc\u30c8\u30e1\u30fc\u30eb\u306b\u3066\u901a\u77e5\u3055\u308c\u305f\u3082\u306e\u3067\u3059\u3002<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-5993\" src=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2020\/10\/f50d963bd1602e8f0a9ae1cfc53f00a3.png\" alt=\"\" width=\"554\" height=\"619\" srcset=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2020\/10\/f50d963bd1602e8f0a9ae1cfc53f00a3.png 554w, https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2020\/10\/f50d963bd1602e8f0a9ae1cfc53f00a3-268x300.png 268w\" sizes=\"auto, (max-width: 554px) 100vw, 554px\" 
\/><br \/>\n\u4ee5\u4e0b\u306f\u30c6\u30ad\u30b9\u30c8\u30de\u30c3\u30c1\u30f3\u30b0\u306b\u3066\u8a2d\u5b9a\u3057\u305f\u6587\u5b57\u5217\u3092\u691c\u77e5\u3057\u3066\u3001\u300csudo\u30b3\u30de\u30f3\u30c9\u306e\u4f7f\u7528\u300d\u3068\u3057\u3066\u30a2\u30e9\u30fc\u30c8\u30e1\u30fc\u30eb\u306b\u3066\u901a\u77e5\u3055\u308c\u305f\u3082\u306e\u3067\u3059\u3002<br \/>\n<img loading=\"lazy\" decoding=\"async\" class=\"alignnone size-full wp-image-5996\" src=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2020\/10\/692e30cb1d5aa1c3a420de41b14b0e34.png\" alt=\"\" width=\"548\" height=\"738\" srcset=\"https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2020\/10\/692e30cb1d5aa1c3a420de41b14b0e34.png 548w, https:\/\/www.secuavail.com\/kb\/wp-content\/uploads\/2020\/10\/692e30cb1d5aa1c3a420de41b14b0e34-223x300.png 223w\" sizes=\"auto, (max-width: 548px) 100vw, 548px\" \/><br \/>\n\u4ee5\u4e0a\u3067\u30c6\u30ad\u30b9\u30c8\u30de\u30c3\u30c1\u30f3\u30b0\u3092\u5229\u7528\u3057\u305fAudit.log\u306e\u76e3\u8996\u306b\u3064\u3044\u3066\u306e\u8aac\u660e\u306f\u7d42\u4e86\u3068\u306a\u308a\u307e\u3059\u3002<\/p>\n<p>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"\u5f53\u8a18\u4e8b\u3067\u306f\u3001LogStare Collector\uff08\u4ee5\u4e0b\u3001LSC\u3068\u8a18\u8f09\uff09\u306e\u6a5f\u80fd\u3092\u5229\u7528\u3057\u3066\u3001Linux\u306eAudit.log\u3092\u76e3\u8996\u3059\u308b\u65b9\u6cd5\u306b\u3064\u3044\u3066\u8a2d\u5b9a\u4f8b\u3092\u4ea4\u3048\u305f\u8aac\u660e\u3092\u8a18\u8f09\u3057\u307e\u3059\u3002 \u524d\u63d0\u6761\u4ef6 \u5f53\u8a18\u4e8b\u5185\u306e\u8aac\u660e\u306f\u4e0b\u8a18\u524d\u63d0\u306b\u3066\u691c\u8a3c\u3057\u305f 
[&hellip;]","protected":false},"author":14,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[50,2],"tags":[9,17],"class_list":["post-5821","post","type-post","status-publish","format-standard","hentry","category-windows-linux","category-tech-blog","tag-linux","tag-lscconf"],"acf":[],"_links":{"self":[{"href":"https:\/\/www.secuavail.com\/kb\/wp-json\/wp\/v2\/posts\/5821","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.secuavail.com\/kb\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.secuavail.com\/kb\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.secuavail.com\/kb\/wp-json\/wp\/v2\/users\/14"}],"replies":[{"embeddable":true,"href":"https:\/\/www.secuavail.com\/kb\/wp-json\/wp\/v2\/comments?post=5821"}],"version-history":[{"count":95,"href":"https:\/\/www.secuavail.com\/kb\/wp-json\/wp\/v2\/posts\/5821\/revisions"}],"predecessor-version":[{"id":8798,"href":"https:\/\/www.secuavail.com\/kb\/wp-json\/wp\/v2\/posts\/5821\/revisions\/8798"}],"wp:attachment":[{"href":"https:\/\/www.secuavail.com\/kb\/wp-json\/wp\/v2\/media?parent=5821"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.secuavail.com\/kb\/wp-json\/wp\/v2\/categories?post=5821"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.secuavail.com\/kb\/wp-json\/wp\/v2\/tags?post=5821"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}
