On Saturday, April 04, 2015 12:23:56 AM [Cloud ASIA] Toshihiro Takehara wrote:
> This is the audit.rules below.
> # First rule - delete all
> -D
> # Increase the buffers to survive stress events.
> # Make this bigger for busy systems
> -b 320
> # Feel free to add below this line. See auditctl man page
> -a exit,always -F arch=b64 -F dir=/etc -F success=0 -S open -S truncate
> -a exit,always -F arch=b64 -S open -F uid=10
> -a exit,always -F arch=b64 -S open -F auid>=500 -F perm=wa
> -a exit,never -F arch=x86_64 -S all -F path=/root/mysql_status_check.sh
> -a never,exit -F arch=b32 -S open -S openat -F exit=-ENOENT
> -a never,exit -F arch=b64 -S open -S openat -F exit=-ENOENT
> -w /etc/sudoers -p wa -k sudoers-change
> -w /etc/ -p wa
> -w /var/lib/mysql -p wa
One thing I forgot to mention yesterday is that the kernel rule matching
engine works from top to bottom. That means "never" should probably be before
"always" when they both cover the same syscall and the "never" is a subset of
the possible selections of the "always" rule.
-Steve
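As an added illustration of the ordering point in the reply above (this is not part of the thread and not Steve's or Toshihiro's code), here is a small POSIX shell lint that reads an audit.rules file and reports every "never" rule that sits below an "always" rule covering the same arch and syscall, i.e. a never rule the kernel would never reach because the earlier rule matches first. The sample file it writes is the rule set quoted above, in the order posted, followed by the same rules with the never rules moved up. The function names, the x86_64/i386 to b64/b32 normalisation, and the choice to treat a rule with no -S as covering all syscalls are assumptions of this example, not statements about auditctl.

```sh
#!/bin/sh
# Added example (not from the thread): find "-a ... never" rules placed after
# an "-a ... always" rule on the same arch and syscall. Rules are tried top to
# bottom and the first match wins, so such a never rule is unreachable.
# Assumptions (this lint only, not auditctl behaviour): no -S means "-S all";
# -F fields other than arch are ignored, so a reported rule may still be fine
# if its other filters do not overlap. -w watches are not examined.

# check_order FILE: print one line per shadowed never/syscall pair,
# return 1 if any were found, 0 otherwise.
check_order() {
    awk '
    function overlap(a1, s1, a2, s2) {
        return (a1 == a2 || a1 == "any" || a2 == "any") &&
               (s1 == s2 || s1 == "all" || s2 == "all")
    }
    /^-a[ \t]/ {
        action = index($2, "never") ? "never" : "always"
        arch = "any"; n = 0; split("", sc)
        for (i = 3; i <= NF; i++) {
            if ($i == "-F" && $(i + 1) ~ /^arch=/) {
                arch = substr($(i + 1), 6)
                if (arch == "x86_64") arch = "b64"   # auditctl aliases
                if (arch == "i386")   arch = "b32"
            }
            if ($i == "-S") {
                m = split($(i + 1), parts, ",")
                for (j = 1; j <= m; j++) sc[++n] = parts[j]
            }
        }
        if (n == 0) sc[++n] = "all"   # assumption: no -S covers everything
        for (i = 1; i <= n; i++) {
            key = arch SUBSEP sc[i]
            if (action == "always") {
                if (!(key in first)) first[key] = NR   # earliest always rule
            } else {
                best = 0
                for (k in first) {
                    split(k, kk, SUBSEP)
                    if (overlap(kk[1], kk[2], arch, sc[i]) &&
                        (best == 0 || first[k] < best)) best = first[k]
                }
                if (best) {
                    printf "line %d: never rule for %s/%s is shadowed by always rule at line %d\n",
                           NR, arch, sc[i], best
                    bad++
                }
            }
        }
    }
    END { exit (bad > 0) }
    ' "$1"
}

# count_shadowed FILE: number of findings as a plain integer.
count_shadowed() {
    check_order "$1" | wc -l | tr -d ' '
}

# Constructed sample: the rules quoted in the thread, in the order posted.
write_posted_rules() {
    cat > "$1" <<'EOF'
-D
-b 320
-a exit,always -F arch=b64 -F dir=/etc -F success=0 -S open -S truncate
-a exit,always -F arch=b64 -S open -F uid=10
-a exit,always -F arch=b64 -S open -F auid>=500 -F perm=wa
-a exit,never -F arch=x86_64 -S all -F path=/root/mysql_status_check.sh
-a never,exit -F arch=b32 -S open -S openat -F exit=-ENOENT
-a never,exit -F arch=b64 -S open -S openat -F exit=-ENOENT
-w /etc/sudoers -p wa -k sudoers-change
-w /etc/ -p wa
-w /var/lib/mysql -p wa
EOF
}

# Same rules with the never rules moved above the always rules.
write_reordered_rules() {
    cat > "$1" <<'EOF'
-D
-b 320
-a exit,never -F arch=x86_64 -S all -F path=/root/mysql_status_check.sh
-a never,exit -F arch=b32 -S open -S openat -F exit=-ENOENT
-a never,exit -F arch=b64 -S open -S openat -F exit=-ENOENT
-a exit,always -F arch=b64 -F dir=/etc -F success=0 -S open -S truncate
-a exit,always -F arch=b64 -S open -F uid=10
-a exit,always -F arch=b64 -S open -F auid>=500 -F perm=wa
-w /etc/sudoers -p wa -k sudoers-change
-w /etc/ -p wa
-w /var/lib/mysql -p wa
EOF
}

# Stand-alone demo: lint the file as posted, then the reordered one.
demo() {
    posted=$(mktemp); fixed=$(mktemp)
    write_posted_rules "$posted"; write_reordered_rules "$fixed"
    echo "as posted:"; check_order "$posted" || echo "-> reorder needed"
    echo "reordered:"; check_order "$fixed" && echo "-> no shadowed never rules"
    rm -f "$posted" "$fixed"
}
demo
```

Run against the posted file it reports two shadowed pairs: the x86_64 "-S all" never rule (line 6) and the b64 open half of line 8, both shadowed by the always rule on line 3; the b32 never rule is not reported because no always rule covers b32. Because the lint ignores -F fields other than arch, it over-reports rather than under-reports: a flagged rule whose -F filters cannot overlap the earlier always rule is harmless, which is the "subset of the possible selections" qualification in the reply.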