Hello, I was hoping some smarter audit folks than I could look at this small set of rules and let me know if anything seems: 1) way too broad, 2) would fill up a file system fast, or 3) could use improvement.

cat << 'EOF' > /etc/audit/audit.rules
## Submitted by JasonM at FSO.
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Feel free to add below this line. See auditctl man page

# Increase the buffers to survive stress events
-b 256
-e 1

# Audit Failed opens
# success=0 selects calls that failed; the original success!=0 matched every
# successful open on the box instead.
-a exit,always -S open -F success=0
#
# Audit success and failure of delete
-a exit,always -S unlink -S rmdir
#
# Audit success and failure of admin actions
#-a task,always -F uid=0
-w /var/log/audit/ -k ADMIN
-w /etc/auditd.conf -k ADMIN
-w /etc/audit.rules -k ADMIN
-a exit,always -S stime -S acct -S reboot -S swapon -S settimeofday -S setrlimit
-a exit,always -S setdomainname -S sched_setparam -S sched_setscheduler
EOF

Some of my end users are saying they're logging a lot of audits. We are using the same kickstart file but my test systems are not filling up. Thanks for the help.

Aaron

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
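The kind of review the message above asks for, as an added example that is not part of the original post or of the audit package: a small Python linter that flags audit.rules lines likely to be noisy or hard to search. SAMPLE_RULES is a constructed copy of the posted rule set with the "failed opens" line filtered on success!=0 so there is something to flag; HIGH_VOLUME, parse_rule and lint_rules are my own names, not auditctl concepts.

```python
import shlex

# Constructed sample (not taken from any real system): the rules posted above,
# with the "failed opens" line filtered on success!=0 exactly as it was written.
SAMPLE_RULES = """\
-D
-b 256
-e 1
-a exit,always -S open -F success!=0
-a exit,always -S unlink -S rmdir
-w /var/log/audit/ -k ADMIN
-a exit,always -S stime -S acct -S reboot -S swapon -S settimeofday -S setrlimit
-a exit,always -S setdomainname -S sched_setparam -S sched_setscheduler
"""

# My own list of syscalls that fire constantly under normal load; auditing them
# with no narrowing -F filter is the usual reason /var/log/audit fills up.
HIGH_VOLUME = {"open", "openat", "read", "write", "close", "stat", "fstat", "mmap", "brk", "execve"}

def parse_rule(line):
    """Split one auditctl line into its -a/-w target, -S list, -F list and -k key."""
    rule = {"target": None, "syscalls": [], "filters": [], "key": None}
    toks = shlex.split(line.split("#", 1)[0])  # drop trailing comments
    for opt, arg in zip(toks[::2], toks[1::2]):  # every option in this file takes one value
        if opt in ("-a", "-w"):
            rule["target"] = arg
        elif opt == "-S":
            rule["syscalls"].append(arg)
        elif opt == "-F":
            rule["filters"].append(arg)
        elif opt == "-k":
            rule["key"] = arg
    return rule

def lint_rules(text):
    """Return (line_number, message) findings for rules likely to be noisy or hard to search."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        r = parse_rule(line)
        if r["target"] is None:
            continue  # blank lines, comments and control options such as -D, -b, -e
        narrowing = [f for f in r["filters"] if not f.startswith("success")]
        for sc in r["syscalls"]:
            if sc in HIGH_VOLUME and not narrowing:
                findings.append((n, f"-S {sc} with no narrowing -F filter: expect very high volume"))
        if "success!=0" in r["filters"]:
            findings.append((n, "success!=0 matches successful calls; failed calls are success=0"))
        if r["key"] is None:
            findings.append((n, "no -k key: events cannot be pulled out with ausearch -k"))
    return findings
```

Running lint_rules(SAMPLE_RULES) reports the unfiltered -S open rule, the inverted success filter, and every syscall rule that lacks a -k key.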
