This is configure options in my environment. I hope it would help you~!
# 5.2 audit configuration # 5.2.1 # 5.2.2 Stop system when log is full configuration modify "/etc/audit/auditd.conf@space_left_action = SYSLOG@space_left_action = SYSLOG" #configuration modify "/etc/audit/auditd.conf@admin_space_left_action = SUSPEND@admin_space_left_action = HALT" configuration modify "/etc/audit/auditd.conf@space_left = 75@space_left = 2" configuration modify "/etc/audit/auditd.conf@admin_space_left = 50@admin_space_left = 1" # 5.2.3 configuration modify "/etc/audit/auditd.conf@max_log_file_action = ROTATE@max_log_file_action = ROTATE" configuration modify "/etc/audit/auditd.conf@max_log_file = 6@max_log_file = 5" # 5.2.4 Audit syscall for reset system time configuration add "/etc/audit/audit.rules@@-w /etc/group -p wa -k identity" configuration add "/etc/audit/audit.rules@@-w /etc/passwd -p wa -k identity" # 5.2.6 configuration add "/etc/audit/audit.rules@@-w /etc/issue -p wa -k system-locale" configuration add "/etc/audit/audit.rules@@-w /etc/issue.net -p wa -k system-locale" # 5.2.7 configuration add "/etc/audit/audit.rules@@-w /etc/selinux/ -p wa -k MAC-policy" # 5.2.8 configuration add "/etc/audit/audit.rules@@-w /var/log/faillog -p wa -k logins" configuration add "/etc/audit/audit.rules@@-w /var/log/lastlog -p wa -k logins" # 5.2.9 configuration add "/etc/audit/audit.rules@@-w /var/run/utmp -p wa -k session" configuration add "/etc/audit/audit.rules@@-w /var/log/wtmp -p wa -k session" # 5.2.10 configuration add "/etc/audit/audit.rules@@-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid!=4294967295 -k perm_mod" # 5.2.11 configuration add "/etc/audit/audit.rules@@-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid!=4294967295 -k access" configuration add "/etc/audit/audit.rules@@-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid!=4294967295 -k access" # 5.2.12 # 5.2.13 configuration add "/etc/audit/audit.rules@@-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid!=4294967295 -k delete" # 5.2.14 configuration add "/etc/audit/audit.rules@@-w /etc/sudoers -p wa -k scope" # 5.2.15 #configuration add "/etc/audit/audit.rules@@-e 2" -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
