{"id":460,"date":"2025-11-26T20:16:24","date_gmt":"2025-11-26T11:16:24","guid":{"rendered":"https:\/\/wwp.ait.tokushima-u.ac.jp\/ma2lab\/?page_id=460"},"modified":"2025-11-26T20:27:06","modified_gmt":"2025-11-26T11:27:06","slug":"ausearch_aureport","status":"publish","type":"page","link":"https:\/\/wwp.ait.tokushima-u.ac.jp\/ma2lab\/?page_id=460","title":{"rendered":"ausearch_aureport"},"content":{"rendered":"\n<ul class=\"wp-block-list\">\n<li>Linux\u30de\u30b7\u30f3\u3067audit\u30ed\u30b0\u304c\u3042\u308b\u3082\u306e\u306f\u3001\u305d\u306e\u691c\u7d22\u3084\u5831\u544a\u306b\u95a2\u3059\u308b\u30e6\u30fc\u30c6\u30a3\u30ea\u30c6\u30a3\u6a5f\u80fd\u3092\u4f7f\u3048\u308b\u3068\u4fbf\u5229\u3067\u3059\u3002\u5177\u4f53\u306f\u4f8b\u3048\u3070\u3001RH\u7cfb\u306e\u30c7\u30a3\u30b9\u30c8\u30ea\u30d3\u30e5\u30fc\u30b7\u30e7\u30f3\u306a\u3089\u3001\u4ee5\u4e0b\u306e\u30de\u30cb\u30e5\u30a2\u30eb\u53c2\u7167\u3002<\/li>\n\n\n\n<li><a href=\"https:\/\/docs.redhat.com\/ja\/documentation\/red_hat_enterprise_linux\/9\/html\/security_hardening\/auditing-the-system_security-hardening\">https:\/\/docs.redhat.com\/ja\/documentation\/red_hat_enterprise_linux\/9\/html\/security_hardening\/auditing-the-system_security-hardening<\/a><\/li>\n<\/ul>\n\n\n\n<p>\uff08\u53c2\u8003\u5c0e\u5165\u4f8b\uff09<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li>\/var\/www\u4ee5\u4e0b\u306e\u30c7\u30a3\u30ec\u30af\u30c8\u30ea\u306b\u66f8\u304d\u8fbc\u307f\u304c\u884c\u308f\u308c\u305f\u5834\u5408\u306b\u8a18\u9332\u3059\u308b\u30b3\u30de\u30f3\u30c9\u3084\u30d1\u30b9\u30ef\u30fc\u30c9\u5909\u66f4\u306e\u8a18\u9332\u30b3\u30de\u30f3\u30c9\u3092\u8a66\u3057\u3066\u307f\u308b<\/li>\n\n\n\n<li>$ sudo auditctl -a always,exit -F arch=b64 -F dir=\/var\/www -F perm=wa -k dir_write<\/li>\n\n\n\n<li>$ sudo auditctl -a always,exit -F arch=b64 -F path=\/etc\/passwd -F perm=wa -k passwd_changes<\/li>\n\n\n\n<li>\u3067auditctl 
list\u306b\u30eb\u30fc\u30eb\u304c\u63b2\u8f09\u3055\u308c\u308b\u304b\u3092\u78ba\u8a8d<\/li>\n\n\n\n<li>$ sudo auditctl -l<\/li>\n\n\n\n<li>\u8aad\u307f\u8fbc\u3081\u3066\u308b\u3053\u3068\u3092\u78ba\u8a8d\u3057\u305f\u3089\u3001\u9069\u5f53\u306a\u30d5\u30a1\u30a4\u30eb\u3092\/var\/www\u306b\u4f5c\u3063\u3066\u4e0b\u8a18\u3067\u78ba\u8a8d\u3057\u3066\u307f\u308b<\/li>\n\n\n\n<li>$ sudo ausearch -k dir_write | sudo aureport -f<\/li>\n\n\n\n<li>\u78ba\u8a8d\u3067\u304d\u305f\u3089\u6210\u529f\u306a\u306e\u3067\u3001\u624b\u52d5\u3067\u5165\u308c\u305f\u3082\u306e\u306f\u30eb\u30fc\u30eb\u304b\u3089\u4e00\u65e6\u6d88\u3057\u3066\u304b\u3089\u30eb\u30fc\u30eb\u306b\u52a0\u7b46\u3059\u308b<\/li>\n\n\n\n<li>$ sudo auditctl -D<\/li>\n\n\n\n<li>$ sudo vi \/etc\/audit\/rules.d\/audit.rules<\/li>\n\n\n\n<li>-a always,exit -F arch=b64 -F dir=\/var\/www -F perm=wa -k dir_write<\/li>\n\n\n\n<li>-a always,exit -F arch=b64 -F path=\/etc\/passwd -F perm=wa -k passwd_changes<\/li>\n\n\n\n<li>\u3053\u308c\u3067\u518d\u8d77\u52d5\u3057\u3066auditctl -l \u3057\u3066\u4e8c\u3064\u30eb\u30fc\u30eb\u304c\u5165\u3063\u3066\u305f\u3089OK<\/li>\n\n\n\n<li>\u3042\u3068\u306f\u3001\/var\/log\/audit\/audit.log \u306b\u3053\u308c\u3089\u304c\u52a0\u308f\u3063\u3066\u308b\u306e\u3067\u3001logwatch\u3067\u53cd\u6620\u3055\u308c\u308b\u3088\u3046\u306b\u8abf\u6574\u3059\u308b\u3002<\/li>\n\n\n\n<li>\u3042\u308b\u3044\u306f\u3001\u624b\u52d5\u3067\u4e0a\u8a18\u306e\u78ba\u8a8d\u30b3\u30de\u30f3\u30c9\uff08\u4e0b\u8a18\u518d\u63b2\uff09\u3067\u5b9a\u671f\u7684\u306b\u4e0b\u8a18\u3067\u76ee\u8996\u78ba\u8a8d\u3059\u308b\u3002<\/li>\n\n\n\n<li>$ sudo ausearch -k dir_write | sudo aureport 
-f<\/li>\n\n\n\n<li><\/li>\n<\/ul>\n\n\n\n<p><\/p>\n\n\n\n<p><\/p>\n","protected":false},"excerpt":{"rendered":"<p>\uff08\u53c2\u8003\u5c0e\u5165\u4f8b\uff09<\/p>\n","protected":false},"author":8,"featured_media":0,"parent":0,"menu_order":0,"comment_status":"closed","ping_status":"closed","template":"","meta":{"footnotes":""},"class_list":["post-460","page","type-page","status-publish","hentry"],"_links":{"self":[{"href":"https:\/\/wwp.ait.tokushima-u.ac.jp\/ma2lab\/index.php?rest_route=\/wp\/v2\/pages\/460","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/wwp.ait.tokushima-u.ac.jp\/ma2lab\/index.php?rest_route=\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/wwp.ait.tokushima-u.ac.jp\/ma2lab\/index.php?rest_route=\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/wwp.ait.tokushima-u.ac.jp\/ma2lab\/index.php?rest_route=\/wp\/v2\/users\/8"}],"replies":[{"embeddable":true,"href":"https:\/\/wwp.ait.tokushima-u.ac.jp\/ma2lab\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=460"}],"version-history":[{"count":3,"href":"https:\/\/wwp.ait.tokushima-u.ac.jp\/ma2lab\/index.php?rest_route=\/wp\/v2\/pages\/460\/revisions"}],"predecessor-version":[{"id":464,"href":"https:\/\/wwp.ait.tokushima-u.ac.jp\/ma2lab\/index.php?rest_route=\/wp\/v2\/pages\/460\/revisions\/464"}],"wp:attachment":[{"href":"https:\/\/wwp.ait.tokushima-u.ac.jp\/ma2lab\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=460"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}