[root@rock:/var/log/audit] : service auditd status
Redirecting to /bin/systemctl status auditd.service
auditd.service - Security Auditing Service
Loaded: loaded (/usr/lib/systemd/system/auditd.service; enabled; vendor preset: enabled)
Active: active (running) since Mon 2021-01-11 08:24:35 EST; 51min ago
Docs: man:auditd(8)
https://github.com/linux-audit/audit-documentation
Process: 94529 ExecStartPost=/sbin/augenrules --load (code=exited, status=0/SUCCESS)
Process: 94513 ExecStart=/sbin/auditd (code=exited, status=0/SUCCESS)
Main PID: 94515 (auditd)
CGroup: /system.slice/auditd.service
├─94515 /sbin/auditd
├─94517 /sbin/audispd
└─94519 /usr/sbin/sedispatch
Jan 11 08:24:35 rock augenrules[94529]: lost 4892
Jan 11 08:24:35 rock augenrules[94529]: backlog 0
Jan 11 08:24:35 rock augenrules[94529]: enabled 1
Jan 11 08:24:35 rock augenrules[94529]: failure 1
Jan 11 08:24:35 rock augenrules[94529]: pid 94515
Jan 11 08:24:35 rock augenrules[94529]: rate_limit 0
Jan 11 08:24:35 rock augenrules[94529]: backlog_limit 1048576
Jan 11 08:24:35 rock augenrules[94529]: lost 4892
Jan 11 08:24:35 rock augenrules[94529]: backlog 0
Jan 11 08:24:35 rock systemd[1]: Started Security Auditing Service.

On RHEL 7.9, when I use auditd I believe everything is running fine, but when I do the above I see "lost 4892".
What does the lost value mean? Is it bad? Should I make it zero?
Below for reference is my /etc/audit/auditd.conf:
#
# This file controls the configuration of the audit daemon
#
local_events = yes
write_logs = yes
log_file = /var/log/audit/audit.log
log_group = root
log_format = RAW
flush = INCREMENTAL_ASYNC
freq = 100
# max log file size in MB, does not matter with KEEP_LOGS
max_log_file = 10000
max_log_file_action = KEEP_LOGS
# no log rotation
num_logs = 0
priority_boost = 0
admin_space_left_action = SINGLE
disk_full_action = SINGLE
disk_error_action = SINGLE
disp_qos = LOSSLESS
dispatcher = /sbin/audispd
name_format = HOSTNAME
space_left = 500
admin_space_left = 300
space_left_action = email
verify_email = yes
action_mail_acct = root
use_libwrap = yes
##tcp_listen_port = 60
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
distribute_network = no

Posted on 2021-03-12 18:14:00
According to the auditctl man page for the -s option, for us audit newbies:

-s  Report the kernel's audit subsystem status. It will tell you the in-kernel values that can be set by the -e, -f, -r, and -b options. The pid value is the process number of the audit daemon. Note that a pid value of 0 indicates that the audit daemon is not running. The lost entry will tell you how many event records have been discarded due to kernel audit queue overflow. The backlog field tells how many event records are currently queued waiting for auditd to read them. This option may be followed by -i to interpret some of the fields.

The part that talks about the lost value is in bold.
https://unix.stackexchange.com/questions/628635
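The status lines the answer refers to are what `auditctl -s` prints (augenrules echoes the same lines into the journal, as seen in the question). One thing the man page does not spell out: the kernel's lost counter is cumulative since the audit subsystem came up at boot, so a non-zero value says only that the queue overflowed at some point; what matters operationally is whether it is still growing, and whether the backlog is approaching backlog_limit. The script below is an added example, not code from the question or the answer: it parses that "key value" status format, compares the lost counter with a previously saved value, and returns a one-word verdict. The sample status text is constructed from the question's numbers, not captured from a live host, and the state-file path in the wrapper is an assumption.

```shell
#!/bin/sh
# Added example (not from the original question or answer): classify the
# "lost" counter reported by `auditctl -s` on a RHEL 7 / audit 2.x host.
# Assumes the one-field-per-line "key value" format shown in the question.

# Constructed sample built from the question's numbers; not a live capture.
SAMPLE_STATUS='enabled 1
failure 1
pid 94515
rate_limit 0
backlog_limit 1048576
lost 4892
backlog 0'

# audit_field STATUS KEY -> value of KEY, or 0 if the key is absent.
audit_field() {
    _v=$(printf '%s\n' "$1" | awk -v k="$2" '$1 == k { print $2; exit }')
    printf '%s\n' "${_v:-0}"
}

# audit_lost_verdict STATUS [PREV_LOST] -> one word describing the state.
#   NOT_RUNNING       pid is 0: nothing is draining the kernel queue
#   LOSING_NOW        lost grew since PREV_LOST: records are being dropped now
#   BACKLOG_PRESSURE  queue is at least 90% of backlog_limit: about to drop
#   LOST_EARLIER      lost is non-zero but not growing: a past overflow
#   OK                nothing lost and the queue is not under pressure
# Without PREV_LOST the growth check is skipped, so a single sample can only
# report LOST_EARLIER; take a second sample later to tell the two apart.
audit_lost_verdict() {
    _pid=$(audit_field "$1" pid)
    _lost=$(audit_field "$1" lost)
    _backlog=$(audit_field "$1" backlog)
    _limit=$(audit_field "$1" backlog_limit)

    if [ "$_pid" -eq 0 ]; then
        echo NOT_RUNNING
    elif [ -n "$2" ] && [ "$_lost" -gt "$2" ]; then
        echo LOSING_NOW
    elif [ "$_limit" -gt 0 ] && [ $((_backlog * 10)) -ge $((_limit * 9)) ]; then
        echo BACKLOG_PRESSURE
    elif [ "$_lost" -gt 0 ]; then
        echo LOST_EARLIER
    else
        echo OK
    fi
}

# Real-host wrapper: run `auditctl -s`, compare with the lost value saved by
# the previous run, then save the current value for next time.
# Usage: audit_check_host /var/tmp/audit_lost.prev   (path is an assumption)
audit_check_host() {
    _state=$1
    _status=$(auditctl -s) || return 1
    _prev=$(cat "$_state" 2>/dev/null || true)
    audit_lost_verdict "$_status" "$_prev"
    audit_field "$_status" lost > "$_state"
}

# Stand-alone demo on the constructed sample.
audit_lost_verdict "$SAMPLE_STATUS" 4892   # LOST_EARLIER: counter unchanged
audit_lost_verdict "$SAMPLE_STATUS" 4000   # LOSING_NOW: 892 more since last sample
```

Run audit_check_host from cron every few minutes and alert on LOSING_NOW or BACKLOG_PRESSURE; a stable LOST_EARLIER after a reboot is commonly the records generated before auditd started and is not by itself a reason to change backlog_limit (1048576 in the question's config is already very large). If your auditctl build supports `--reset-lost`, you can zero the counter after investigating so that the next sample starts from a clean baseline.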