Suppress or exclude messages from /var/log/audit.log via audit.rules
Steve Grubb
sgrubb at redhat.com
Sat Apr 4 14:47:22 UTC 2015
On Saturday, April 04, 2015 12:23:56 AM [Cloud ASIA] Toshihiro Takehara wrote:
> This is the audit.rules below.
>
> # First rule - delete all
>
> > -D
> > # Increase the buffers to survive stress events.
> > # Make this bigger for busy systems
> > -b 320
> > # Feel free to add below this line. See auditctl man page
> > -a exit,always -F arch=b64 -F dir=/etc -F success=0 -S open -S truncate
> > -a exit,always -F arch=b64 -S open -F uid=10
> > -a exit,always -F arch=b64 -S open -F auid>=500 -F perm=wa
> > -a exit,never -F arch=x86_64 -S all -F path=/root/mysql_status_check.sh
> > -a never,exit -F arch=b32 -S open -S openat -F exit=-ENOENT
> > -a never,exit -F arch=b64 -S open -S openat -F exit=-ENOENT
> > -w /etc/sudoers -p wa -k sudoers-change
> > -w /etc/ -p wa
> > -w /var/lib/mysql -p wa
One thing I forgot to mention yesterday is that the kernel rule matching
engine works from top to bottom. That means "never" should probably be before
"always" when they both cover the same syscall and the "never" is a subset of
the possible selections of the "always" rule.
-Steve
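The ordering point above is easy to get wrong in a long rules file, so here is a small lint script (added here as an illustration; it is not part of the audit package or of Steve's reply). It parses the auditctl lines quoted in the thread, flags every "never" rule that sits below an "always" rule on the same filter list, the same arch (treating x86_64/b64 and i386/b32 as equivalent) and an overlapping syscall set, and then shows the file reordered with the "never" rules first. The rule text is the set from Takehara's mail; the helper names (parse_rule, find_misordered, reorder) are made up for this example.

```python
"""Flag 'never' audit rules that are listed after overlapping 'always' rules.

Hypothetical helper for this thread; it is not part of audit/auditctl.
The kernel matches rules top to bottom, so a 'never' rule that should
suppress records has to come before the 'always' rule it carves out of.
"""
import shlex

# auditctl accepts both names; normalise so the comparison works.
ARCH_ALIAS = {"x86_64": "b64", "i386": "b32", "i686": "b32"}
ACTIONS = {"always", "never"}

# Rules quoted in the thread (constructed sample input for this example).
RULES = """\
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
# Feel free to add below this line. See auditctl man page
-a exit,always -F arch=b64 -F dir=/etc -F success=0 -S open -S truncate
-a exit,always -F arch=b64 -S open -F uid=10
-a exit,always -F arch=b64 -S open -F auid>=500 -F perm=wa
-a exit,never -F arch=x86_64 -S all -F path=/root/mysql_status_check.sh
-a never,exit -F arch=b32 -S open -S openat -F exit=-ENOENT
-a never,exit -F arch=b64 -S open -S openat -F exit=-ENOENT
-w /etc/sudoers -p wa -k sudoers-change
-w /etc/ -p wa
-w /var/lib/mysql -p wa
"""


def parse_rule(line):
    """Return {"action", "list", "arch", "syscalls", "line"} for a -a/-w rule,
    or None for comments, -D, -b and other non-rule lines. arch None = any."""
    toks = shlex.split(line, comments=True)
    if not toks:
        return None
    if toks[0] == "-w":
        # A watch is shorthand for an always,exit rule covering every syscall.
        return {"action": "always", "list": "exit", "arch": None,
                "syscalls": {"all"}, "line": line}
    if toks[0] != "-a" or len(toks) < 2:
        return None
    parts = set(toks[1].split(","))          # accepts exit,never and never,exit
    if not parts & ACTIONS:
        return None
    action = (parts & ACTIONS).pop()
    lst = (parts - ACTIONS).pop() if parts - ACTIONS else "exit"
    arch, syscalls = None, set()
    i = 2
    while i < len(toks):
        if toks[i] == "-S" and i + 1 < len(toks):
            syscalls.update(toks[i + 1].split(","))
            i += 2
        elif toks[i] == "-F" and i + 1 < len(toks):
            if toks[i + 1].startswith("arch="):
                arch = ARCH_ALIAS.get(toks[i + 1][5:], toks[i + 1][5:])
            i += 2
        else:
            i += 1                            # -k, -p and other flags are ignored
    return {"action": action, "list": lst, "arch": arch,
            "syscalls": syscalls or {"all"}, "line": line}


def overlaps(never, always):
    """True when the two rules can match the same syscall event."""
    if never["list"] != always["list"]:
        return False
    if never["arch"] and always["arch"] and never["arch"] != always["arch"]:
        return False
    if "all" in never["syscalls"] or "all" in always["syscalls"]:
        return True
    return bool(never["syscalls"] & always["syscalls"])


def find_misordered(text):
    """(never_line, always_line) pairs where the always rule is listed first."""
    seen_always, found = [], []
    for line in text.splitlines():
        rule = parse_rule(line)
        if rule is None:
            continue
        if rule["action"] == "always":
            seen_always.append(rule)
        else:
            found.extend((rule["line"], a["line"]) for a in seen_always
                         if overlaps(rule, a))
    return found


def reorder(text):
    """Move every 'never' rule ahead of the 'always'/-w rules; non-rule lines
    before the first rule stay in place, those after it are appended."""
    lines = text.splitlines()
    rule_idx = [i for i, l in enumerate(lines) if parse_rule(l) is not None]
    if not rule_idx:
        return text
    first = rule_idx[0]
    rules = [lines[i] for i in rule_idx]
    nevers = [r for r in rules if parse_rule(r)["action"] == "never"]
    others = [r for r in rules if parse_rule(r)["action"] != "never"]
    head = lines[:first]
    tail = [l for i, l in enumerate(lines) if i > first and i not in rule_idx]
    return "\n".join(head + nevers + others + tail)


if __name__ == "__main__":
    for never_line, always_line in find_misordered(RULES):
        print(f"'{never_line}'\n    is shadowed by earlier\n    '{always_line}'")
    print("\nReordered:\n" + reorder(RULES))
```

Running it on the quoted file reports the two b64 "never" rules as shadowed by the three b64 "always" open rules above them; the b32 rule is not flagged because nothing earlier covers that arch. After reorder() the check comes back empty. The overlap test is deliberately loose (any shared syscall on the same arch and list), so it reports candidates to review rather than proving a rule is fully masked.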