From mboxrd@z Thu Jan 1 00:00:00 1970
From: hujianyang
Subject: Re: [RFC PATCH] audit: correctly record file names with different path name types
Date: Tue, 2 Dec 2014 15:31:17 +0800
Message-ID: <547D6AC5.4020507@huawei.com>
References: <20141201212747.19982.27425.stgit@localhost> <547D6659.6090603@huawei.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To: <547D6659.6090603@huawei.com>
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Paul Moore
Cc: rgb@redhat.com, linux-audit@redhat.com, jlayton@redhat.com
List-Id: linux-audit@redhat.com

These are the configuration options in my environment. I hope they help you!

# 5.2 audit configuration
# 5.2.1
# 5.2.2 Stop system when log is full
configuration modify "/etc/audit/auditd.conf@space_left_action = SYSLOG@space_left_action = SYSLOG"
#configuration modify "/etc/audit/auditd.conf@admin_space_left_action = SUSPEND@admin_space_left_action = HALT"
configuration modify "/etc/audit/auditd.conf@space_left = 75@space_left = 2"
configuration modify "/etc/audit/auditd.conf@admin_space_left = 50@admin_space_left = 1"
# 5.2.3
configuration modify "/etc/audit/auditd.conf@max_log_file_action = ROTATE@max_log_file_action = ROTATE"
configuration modify "/etc/audit/auditd.conf@max_log_file = 6@max_log_file = 5"
# 5.2.4 Audit syscall for reset system time
configuration add "/etc/audit/audit.rules@@-w /etc/group -p wa -k identity"
configuration add "/etc/audit/audit.rules@@-w /etc/passwd -p wa -k identity"
# 5.2.6
configuration add "/etc/audit/audit.rules@@-w /etc/issue -p wa -k system-locale"
configuration add "/etc/audit/audit.rules@@-w /etc/issue.net -p wa -k system-locale"
# 5.2.7
configuration add "/etc/audit/audit.rules@@-w /etc/selinux/ -p wa -k MAC-policy"
# 5.2.8
configuration add "/etc/audit/audit.rules@@-w /var/log/faillog -p wa -k logins"
configuration add "/etc/audit/audit.rules@@-w /var/log/lastlog -p wa -k logins"
# 5.2.9
configuration add "/etc/audit/audit.rules@@-w /var/run/utmp -p wa -k session"
configuration add "/etc/audit/audit.rules@@-w /var/log/wtmp -p wa -k session"
# 5.2.10
configuration add "/etc/audit/audit.rules@@-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid!=4294967295 -k perm_mod"
# 5.2.11
configuration add "/etc/audit/audit.rules@@-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid!=4294967295 -k access"
configuration add "/etc/audit/audit.rules@@-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid!=4294967295 -k access"
# 5.2.12
# 5.2.13
configuration add "/etc/audit/audit.rules@@-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -S rmdir -F auid!=4294967295 -k delete"
# 5.2.14
configuration add "/etc/audit/audit.rules@@-w /etc/sudoers -p wa -k scope"
# 5.2.15
#configuration add "/etc/audit/audit.rules@@-e 2"