[RFC PATCH] audit: correctly record file names with different path name types

hujianyang hujianyang at huawei.com
Tue Dec 2 07:31:17 UTC 2014


These are the configuration options in my environment. I hope they
help you~!


# 5.2 audit configuration
# Line format (as it appears here, to be confirmed against the tool that consumes it):
#   configuration modify "<file> at <existing line> at <replacement line>"
#   configuration add    "<file>@@<line to append>"
# 5.2.1
# (no configuration lines are given for 5.2.1 in this listing)

# 5.2.2 Stop system when log is full
# NOTE(review): only the SYSLOG action and the two threshold changes are active;
# the admin_space_left_action = HALT line is commented out, so nothing below
# actually stops the system when the log fills -- it only emits a syslog message.
configuration modify "/etc/audit/auditd.conf at space_left_action = SYSLOG at space_left_action = SYSLOG"
#configuration modify "/etc/audit/auditd.conf at admin_space_left_action = SUSPEND at admin_space_left_action = HALT"
# Lower the low-space thresholds (75 -> 2 and 50 -> 1); auditd.conf expresses
# space_left / admin_space_left in megabytes.
configuration modify "/etc/audit/auditd.conf at space_left = 75 at space_left = 2"
configuration modify "/etc/audit/auditd.conf at admin_space_left = 50 at admin_space_left = 1"

# 5.2.3
# Keep rotating logs and reduce the number of retained log files from 6 to 5.
configuration modify "/etc/audit/auditd.conf at max_log_file_action = ROTATE at max_log_file_action = ROTATE"
configuration modify "/etc/audit/auditd.conf at max_log_file = 6 at max_log_file = 5"

# 5.2.4 Audit syscall for reset system time
# NOTE(review): the heading says time-change syscalls, but the two rules below are
# file watches on the identity databases (/etc/group, /etc/passwd); no time-related
# syscall rule appears anywhere in this listing.
configuration add "/etc/audit/audit.rules@@-w /etc/group -p wa -k identity"
configuration add "/etc/audit/audit.rules@@-w /etc/passwd -p wa -k identity"
# 5.2.6
# Watch the login banners for writes/attribute changes (key: system-locale).
configuration add "/etc/audit/audit.rules@@-w /etc/issue -p wa -k system-locale"
configuration add "/etc/audit/audit.rules@@-w /etc/issue.net -p wa -k system-locale"
# 5.2.7
# Watch the SELinux policy directory (key: MAC-policy).
configuration add "/etc/audit/audit.rules@@-w /etc/selinux/ -p wa -k MAC-policy"

# 5.2.8
# Watch login failure / last-login records (key: logins).
configuration add "/etc/audit/audit.rules@@-w /var/log/faillog -p wa -k logins"
configuration add "/etc/audit/audit.rules@@-w /var/log/lastlog -p wa -k logins"

# 5.2.9
# Watch session accounting files (key: session).
configuration add "/etc/audit/audit.rules@@-w /var/run/utmp -p wa -k session"
configuration add "/etc/audit/audit.rules@@-w /var/log/wtmp -p wa -k session"

# 5.2.10
# Record extended-attribute changes. auid!=4294967295 skips events whose login uid
# is unset (-1 as unsigned), i.e. processes not started from an interactive login.
# NOTE(review): only -F arch=b32 is listed here and in 5.2.11 / 5.2.13; on a 64-bit
# kernel the 64-bit syscall ABI needs a matching -F arch=b64 rule, otherwise those
# calls are not recorded.
configuration add "/etc/audit/audit.rules@@-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid!=4294967295 -k perm_mod"

# 5.2.11
# Record file-access attempts that fail with EACCES or EPERM (key: access).
configuration add "/etc/audit/audit.rules@@-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid!=4294967295 -k access"
configuration add "/etc/audit/audit.rules@@-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid!=4294967295 -k access"

# 5.2.12
# (no configuration lines are given for 5.2.12 in this listing)


# 5.2.13
# Record file and directory deletion / rename by logged-in users (key: delete).
configuration add "/etc/audit/audit.rules@@-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid!=4294967295 -k delete"

# 5.2.14
# Watch the sudo policy file (key: scope).
configuration add "/etc/audit/audit.rules@@-w /etc/sudoers -p wa -k scope"

# 5.2.15
# -e 2 would make the audit configuration immutable until reboot; it is left
# commented out here, presumably so the rule set can still be changed at runtime -- confirm.
#configuration add "/etc/audit/audit.rules@@-e 2"



