From: Steve Grubb
Subject: Re: Suppress or exclude messages from /var/log/audit.log via audit.rules
Date: Sat, 04 Apr 2015 10:47:22 -0400
Message-ID: <10204897.6gJiKKv096@x2>
To: linux-audit@redhat.com
Cc: "[Cloud ASIA] Toshihiro Takehara"
List-Id: linux-audit@redhat.com

On Saturday, April 04, 2015 12:23:56 AM [Cloud ASIA] Toshihiro Takehara wrote:
> This is the audit.rules below.
>
> # First rule - delete all
> -D
>
> # Increase the buffers to survive stress events.
> # Make this bigger for busy systems
> -b 320
>
> # Feel free to add below this line. See auditctl man page
> -a exit,always -F arch=b64 -F dir=/etc -F success=0 -S open -S truncate
> -a exit,always -F arch=b64 -S open -F uid=10
> -a exit,always -F arch=b64 -S open -F auid>=500 -F perm=wa
> -a exit,never -F arch=x86_64 -S all -F path=/root/mysql_status_check.sh
> -a never,exit -F arch=b32 -S open -S openat -F exit=-ENOENT
> -a never,exit -F arch=b64 -S open -S openat -F exit=-ENOENT
> -w /etc/sudoers -p wa -k sudoers-change
> -w /etc/ -p wa
> -w /var/lib/mysql -p wa

One thing I forgot to mention yesterday is that the kernel rule matching engine works from top to bottom. That means "never" should probably be before "always" when they both cover the same syscall and the "never" is a subset of the possible selections of the "always" rule.

-Steve
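The ordering point above can be checked mechanically. In the posted order, an open() of /root/mysql_status_check.sh by uid 10 matches `-a exit,always -F arch=b64 -S open -F uid=10` first and is logged; the never rule for that path sits lower in the list and is never consulted (auditctl treats arch=x86_64 and arch=b64 as the same arch). The script below is an added example, not code from this thread or from the audit package: a small sh/awk lint that reads an audit.rules file and flags every exit-list never rule that appears below an always rule (or a -w watch, which is an always rule on the exit list) for the same arch. It embeds two constructed copies of the rules posted above, one in the original order and one with the never rules moved up, and assumes only POSIX sh and awk. It compares arch only, not syscall lists or other -F fields, so it is a heuristic for catching the shadowing problem, not a model of the kernel matcher.

```shell
#!/bin/sh
# Added example, not from the thread or the audit package: heuristic lint for
# never/always ordering in audit.rules. The kernel walks the exit filter list
# top to bottom and the first matching rule decides, so a never rule placed
# below an always rule for the same arch cannot suppress what that always
# rule already accepted. Only the arch is compared here, not -S or -F fields.

# Constructed input: the rules as posted in the thread.
POSTED_RULES='-D
-b 320
-a exit,always -F arch=b64 -F dir=/etc -F success=0 -S open -S truncate
-a exit,always -F arch=b64 -S open -F uid=10
-a exit,always -F arch=b64 -S open -F auid>=500 -F perm=wa
-a exit,never -F arch=x86_64 -S all -F path=/root/mysql_status_check.sh
-a never,exit -F arch=b32 -S open -S openat -F exit=-ENOENT
-a never,exit -F arch=b64 -S open -S openat -F exit=-ENOENT
-w /etc/sudoers -p wa -k sudoers-change
-w /etc/ -p wa
-w /var/lib/mysql -p wa'

# Constructed input: the same rules with the never rules moved above the
# always rules, the ordering the reply recommends.
REORDERED_RULES='-D
-b 320
-a exit,never -F arch=x86_64 -S all -F path=/root/mysql_status_check.sh
-a never,exit -F arch=b32 -S open -S openat -F exit=-ENOENT
-a never,exit -F arch=b64 -S open -S openat -F exit=-ENOENT
-a exit,always -F arch=b64 -F dir=/etc -F success=0 -S open -S truncate
-a exit,always -F arch=b64 -S open -F uid=10
-a exit,always -F arch=b64 -S open -F auid>=500 -F perm=wa
-w /etc/sudoers -p wa -k sudoers-change
-w /etc/ -p wa
-w /var/lib/mysql -p wa'

# check_order FILE
# Prints each exit-list never rule that follows an always rule for the same
# arch. b64/x86_64 and b32/i386 are treated as the same arch; a rule without
# -F arch= (and every -w watch) is treated as covering all arches.
# Exit status 1 if anything was flagged, 0 otherwise.
check_order() {
    awk '
    function norm_arch(a) {
        if (a == "x86_64") return "b64"
        if (a == "i386")   return "b32"
        return a
    }
    # -w watches become always rules on the exit list for every arch.
    $1 == "-w" { seen["any"] = 1; any_always = 1 }
    $1 == "-a" {
        split($2, parts, ",")
        # auditctl accepts both list,action and action,list.
        if (parts[1] == "always" || parts[1] == "never") {
            action = parts[1]; lst = parts[2]
        } else {
            action = parts[2]; lst = parts[1]
        }
        if (lst != "exit") next
        arch = "any"
        for (i = 3; i < NF; i++)
            if ($i == "-F" && $(i + 1) ~ /^arch=/)
                arch = norm_arch(substr($(i + 1), 6))
        if (action == "always") { seen[arch] = 1; any_always = 1 }
        if (action == "never" &&
            (seen[arch] || seen["any"] || (arch == "any" && any_always))) {
            printf "%s:%d: never rule after always rule for arch %s: %s\n",
                   FILENAME, NR, arch, $0
            bad = 1
        }
    }
    END { if (bad) exit 1 }
    ' "$1"
}

# Usage: write both constructed rule sets to files and lint each one.
tmpd=$(mktemp -d)
printf '%s\n' "$POSTED_RULES" > "$tmpd/posted.rules"
printf '%s\n' "$REORDERED_RULES" > "$tmpd/reordered.rules"
for f in "$tmpd/posted.rules" "$tmpd/reordered.rules"; do
    if check_order "$f"; then
        echo "$f: ordering OK"
    else
        echo "$f: move the flagged never rules above the always rules"
    fi
done
```

Run it with sh; for the posted order it reports the x86_64 and b64 never rules as shadowed and leaves the b32 never rule alone, since no always rule for b32 precedes it. Because auditctl accepts both `-a exit,never` and `-a never,exit`, the script normalises the action/list order before comparing. A clean run from this lint does not prove the rules behave as intended; it only rules out the one ordering mistake the reply describes.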