Hi
My name is Takehara, living in Japan.
Now I have set up audit.rules, and audit.log has become very big.
The reason is that the keepalived daemon and its misc check shell script add some
entries every second.
I want to suppress or exclude those log entries, and I searched for a way like this:
=>
https://www.redhat.com/archives/linux-audit/2011-October/msg00000.html
but I could not get an effective answer.
Could someone please tell me an effective way?
This is the audit.rules below:
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
# Feel free to add below this line. See auditctl man page
-a exit,always -F arch=b64 -F dir=/etc -F success=0 -S open -S truncate
-a exit,always -F arch=b64 -S open -F uid=10
-a exit,always -F arch=b64 -S open -F auid>=500 -F perm=wa
-a exit,never -F arch=x86_64 -S all -F path=/root/mysql_status_check.sh
-a never,exit -F arch=b32 -S open -S openat -F exit=-ENOENT
-a never,exit -F arch=b64 -S open -S openat -F exit=-ENOENT
-w /etc/sudoers -p wa -k sudoers-change
-w /etc/ -p wa
-w /var/lib/mysql -p wa
- keepalived is checking every second.
/usr/sbin/keepalived
- misc check program
/root/mysql_status_check.sh
type=SYSCALL msg=audit(1427989933.878:3632254): arch=c000003e syscall=2
success=yes exit=0 a0=4378a2 a1=2 a2=9 a3=8 items=1 ppid=43118 pid=3379
auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=3 comm="keepalived" exe="/usr/sbin/keepalived" key=(null)
type=SYSCALL msg=audit(1427918414.323:2598129): arch=c000003e syscall=2
success=no exit=-6 a0=4a3155 a1=802 a2=1 a3=7fff4aefd1a0 items=1 ppid=20915
pid=20917 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=3 comm="mysql_status_ch" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1427918414.341:2598135): arch=c000003e syscall=2
success=yes exit=3 a0=f14470 a1=241 a2=1b6 a3=76 items=2 ppid=20916
pid=20947 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=3 comm="mysql_status_ch" exe="/bin/bash" key=(null)
=========================
Cloud ASIA Co., Ltd. [ 株式会社クラウドエイジア ]
Founder & CEO Takehara Toshihiro
〒174-0073
33-14-101, Higashiyama-cho, Itabashi-ku, Tokyo, Japan
TEL: +81-3-6869-2994 FAX: +81-3-6869-3974
Mobile: +81-90-4737-8137
Mobile in Laos: +856-20-5912-2188
http://www.cloud-asia.co.jp
http://www.facebook.com/cloud.asia.japan
takehara(a)cloud-asia.co.jp
Lao Systems [ ラオシステムズ ]
Founder & CEO Takehara Toshihiro
http://lao-systems.jp/
=========================
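Added example (not from the original mail or from the audit project): a small Python helper that parses SYSCALL records like the ones quoted above to rank which executable, with which rule key, produces the most events, and that checks an audit.rules text for "never" rules placed after "always" rules on the same list, since audit walks a list top-down and stops at the first match. The sample log is constructed from the three records in the mail plus one invented keyed record; the paths and key in that fourth record are assumptions.

```python
import re
from collections import Counter

# Constructed sample log: the three SYSCALL records quoted in the mail plus one
# invented keyed record of the kind '-w /etc/sudoers -p wa -k sudoers-change' would produce.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1427989933.878:3632254): arch=c000003e syscall=2 success=yes exit=0 a0=4378a2 a1=2 a2=9 a3=8 items=1 ppid=43118 pid=3379 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="keepalived" exe="/usr/sbin/keepalived" key=(null)
type=SYSCALL msg=audit(1427918414.323:2598129): arch=c000003e syscall=2 success=no exit=-6 a0=4a3155 a1=802 a2=1 a3=7fff4aefd1a0 items=1 ppid=20915 pid=20917 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="mysql_status_ch" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1427918414.341:2598135): arch=c000003e syscall=2 success=yes exit=3 a0=f14470 a1=241 a2=1b6 a3=76 items=2 ppid=20916 pid=20947 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="mysql_status_ch" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1427918415.002:2598140): arch=c000003e syscall=2 success=yes exit=3 a0=1 a1=241 a2=1b6 a3=0 items=1 ppid=1 pid=2200 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=4 comm="vi" exe="/usr/bin/vi" key="sudoers-change"
"""

# A field value is a bare token, a "quoted string" or a parenthesised marker such as (none)/(null).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')

def parse_record(line):
    """One audit record -> dict of fields; quotes are stripped, (null)/(none) become None."""
    rec = {}
    for name, value in FIELD_RE.findall(line):
        if value.startswith('"'):
            value = value[1:-1]
        elif value in ('(null)', '(none)'):
            value = None
        rec[name] = value
    return rec

def rank_noise(log_text, fields=('exe', 'comm', 'auid', 'key')):
    """Count SYSCALL records per (exe, comm, auid, key), loudest first; key None = the rule had no -k."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get('type') == 'SYSCALL':
            counts[tuple(rec.get(f) for f in fields)] += 1
    return counts.most_common()

def misplaced_suppressions(rules_text):
    """Line numbers of 'never' rules that sit below an 'always' rule (or -w watch) on the same list."""
    seen_always, misplaced = set(), []
    for n, raw in enumerate(rules_text.splitlines(), 1):
        parts = raw.split()
        if len(parts) < 2 or parts[0] not in ('-a', '-w'):
            continue
        spec = 'exit,always' if parts[0] == '-w' else parts[1]  # a watch is an always rule on exit
        a, b = spec.split(',')  # accepts both 'exit,never' and 'never,exit'
        lst, action = (b, a) if a in ('always', 'never') else (a, b)
        if action == 'always':
            seen_always.add(lst)
        elif action == 'never' and lst in seen_always:
            misplaced.append(n)
    return misplaced
```

Pointing misplaced_suppressions() at the rules text above reports the three exit,never lines, because they come after the exit,always rules and the watches that already match the same events. Records whose key is None came from rules without -k, so adding a distinct -k to each rule makes the ranking show which rule is responsible for the volume.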