# auditd rule set, loaded top to bottom: reset, backlog size, syscall rules,
# then file watches.
# NOTE(review): syscall rules are matched in load order and the first match
# decides, so the position of every "never" rule below matters.
# NOTE(review): none of the syscall rules and only one watch carries a -k key,
# so most events are recorded with key=(null) and cannot be tied back to the
# rule that produced them; consider adding a key per rule.
# First rule - delete all previously loaded rules
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
# Feel free to add below this line. See auditctl man page
# Log failed (success=0) open/truncate calls under /etc made through the
# 64-bit syscall table.
# NOTE(review): openat, creat and ftruncate are not listed and there is no
# arch=b32 twin, so failed access through those calls is not recorded by this
# rule - confirm that gap is intended.
-a exit,always -F arch=b64 -F dir=/etc -F success=0 -S open -S truncate
# Log every 64-bit open call made by uid 10.
-a exit,always -F arch=b64 -S open -F uid=10
# Log 64-bit open calls requesting write or attribute change (perm=wa) by
# sessions whose login uid (auid) is 500 or higher.
# NOTE(review): an unset auid is 4294967295, which also satisfies auid>=500;
# add -F auid!=4294967295 if processes without a login session should be
# excluded. openat is not covered here either.
-a exit,always -F arch=b64 -S open -F auid>=500 -F perm=wa
# Suppress all syscall events whose object is /root/mysql_status_check.sh.
# NOTE(review): this comes after the "always" rules above, so any event they
# already matched is still logged. The path= field matches the file being
# accessed, not the program making the call, so this does not silence
# activity performed by the script itself. Keep any suppression rule as
# narrow as possible, since it creates a blind spot in the audit trail.
-a exit,never -F arch=x86_64 -S all -F path=/root/mysql_status_check.sh
# Suppress open/openat calls that failed with ENOENT, for the 32-bit and
# 64-bit syscall tables.
# NOTE(review): placed here, these only take precedence over rules loaded
# after them; failed opens already matched by the rules above are still
# logged. Move them ahead of the "always" rules if the noise reduction is
# meant to apply to those too - verify against the intended coverage of /etc.
-a never,exit -F arch=b32 -S open -S openat -F exit=-ENOENT
-a never,exit -F arch=b64 -S open -S openat -F exit=-ENOENT
# Watch /etc/sudoers for writes and attribute changes; events are tagged
# with the key sudoers-change.
-w /etc/sudoers -p wa -k sudoers-change
# Watch /etc/ for writes and attribute changes (no key set).
-w /etc/ -p wa
# Watch /var/lib/mysql for writes and attribute changes (no key set).
-w /var/lib/mysql -p wa
type=SYSCALL msg=audit(1427989933.878:3632254): arch=c000003e syscall=2 success=yes exit=0 a0=4378a2 a1=2 a2=9 a3=8 items=1 ppid=43118 pid=3379 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="keepalived" exe="/usr/sbin/keepalived" key=(null)
type=SYSCALL msg=audit(1427918414.323:2598129): arch=c000003e syscall=2 success=no exit=-6 a0=4a3155 a1=802 a2=1 a3=7fff4aefd1a0 items=1 ppid=20915 pid=20917 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="mysql_status_ch" exe="/bin/bash" key=(null)