Which is the rule matching filter in auditctl?
The rule-matching filter (the second half of the -a action,filter argument) is one of task, exit, user or exclude; newer audit releases also accept filesystem. For system-call rules, action,filter is almost always always,exit, which tells auditctl to evaluate the rule and write a record when the system call exits (the exit filter is the only one that can see the return value, so -F success= and -F exit= only work there). The system call itself is given with -S system_call, by name (for example -S execve) or by number; because numbers differ between ABIs, pair -S with -F arch=b64 or -F arch=b32, and write one rule per ABI if both must be covered.
How to view the current set of audit rules?
You can view the currently loaded rules with auditctl -l. With no rules loaded (the default) it prints "No rules". As you add rules in this tutorial, use this command to verify that they were actually accepted by the kernel: a rule that is rejected at load time is silently missing from the running set. The current status of the audit system (enabled flag, failure mode, daemon pid, backlog limits and the lost-event counter) can be viewed with auditctl -s.
How to exclude a file / directory from Auditd rules?
On CentOS/RHEL 6 the persistent rules file is /etc/audit/audit.rules rather than /etc/audit/rules.d/audit.rules. To exclude a file or directory from rules that would otherwise match it, add a never rule for that path, for example -a never,exit -F dir=/path/to/dir (or -F path=/path/to/file for a single file), and place it before the always rule it should override: -a appends the rule to the end of the list, never means no record is generated when the rule matches, and the kernel stops at the first matching rule, so a suppression appended after a broader always rule or -w watch is never reached. -A prepends instead, which is the easier choice when adding a suppression to a set that is already loaded.
Can a user see what is going on in an audit?
Yes. The kernel audit subsystem generates the events and auditd writes them to disk, by default to /var/log/audit/audit.log; tools such as ausearch (search and interpret records, for example by key, uid or time window) and aureport (summary reports) read those files. Note that by default no rules are configured, so only the events the kernel emits regardless of rules (logins, credential changes, AVC denials, changes to the audit configuration itself) appear in the log until you load rules.
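As an added example (not code from the page), a small shell/awk reader over a constructed audit.log fragment that does, for a given key, what ausearch -k KEY does on the real file: it shows what auditd actually writes to disk and which fields matter when you go through it. The record layout is the real auditd format; the events, uids, paths and the file name are constructed for this example.

```shell
#!/bin/sh
# Added example: read SYSCALL records for a given key out of an audit.log.
# Real equivalents once rules are loaded:
#   ausearch -k exec_log -i      # -i turns uids, arch and syscall numbers into names
#   aureport -k --summary        # events per key
# The log lines written by write_sample_log are constructed for this example.

# write_sample_log <path>: constructed audit.log fragment (real record layout, made-up events).
# arch=c000003e is x86_64, syscall=59 is execve, 257 is openat, exit=-13 is EACCES.
write_sample_log() {
    cat > "$1" <<'EOF'
type=SYSCALL msg=audit(1588000001.101:201): arch=c000003e syscall=59 success=yes exit=0 a0=55d0 a1=55d1 a2=55d2 a3=0 items=2 ppid=1000 pid=1001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" key="exec_log"
type=EXECVE msg=audit(1588000001.101:201): argc=1 a0="id"
type=SYSCALL msg=audit(1588000002.202:202): arch=c000003e syscall=257 success=no exit=-13 a0=ffffff9c a1=55e0 a2=0 a3=0 items=1 ppid=1000 pid=1002 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="access_denied"
type=PATH msg=audit(1588000002.202:202): item=0 name="/etc/shadow" inode=1234 dev=fd:01 mode=0100000 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1588000003.303:203): arch=c000003e syscall=59 success=yes exit=0 a0=55f0 a1=55f1 a2=55f2 a3=0 items=2 ppid=1000 pid=1003 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="useradd" exe="/usr/sbin/useradd" key="exec_log"
EOF
}

# events_for_key <log> <key>: print "auid uid exe" for every SYSCALL record tagged with <key>.
# auid is the login uid and survives su/sudo, which is why the last record still says 1000.
events_for_key() {
    awk -v want="\"$2\"" '
        $1 == "type=SYSCALL" {
            split("", f)                                   # clear the field map
            for (i = 1; i <= NF; i++) {
                n = index($i, "=")
                if (n) f[substr($i, 1, n - 1)] = substr($i, n + 1)
            }
            if (f["key"] == want) print f["auid"], f["uid"], f["exe"]
        }' "$1"
}

# count_key <log> <key>: number of SYSCALL records for <key>.
count_key() {
    events_for_key "$1" "$2" | awk 'END { print NR }'
}

log=$(mktemp)
write_sample_log "$log"
echo "exec_log: $(count_key "$log" exec_log) events"
events_for_key "$log" exec_log
echo "access_denied: $(count_key "$log" access_denied) events"
events_for_key "$log" access_denied
```

Only the SYSCALL record carries the key; the EXECVE and PATH records that belong to the same event share its serial number (the number after the colon in msg=audit(...)), which is how ausearch stitches an event back together. Prefer auid over uid when attributing actions to people.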
How to write custom system audit rules on CentOS 7?
To make rules persistent across reboots on CentOS 7, add them to /etc/audit/rules.d/audit.rules (any *.rules file in that directory works; augenrules merges them into /etc/audit/audit.rules when the service starts, and augenrules --load applies them immediately). The file uses the same syntax as the auditctl command line, without the auditctl command itself in front. Empty lines and any text following a hash sign (#) are ignored. The default rules file contains only control directives: -D to flush existing rules, -b to set the backlog buffer size and -f to choose the failure mode.
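As an added example (not from the page), the rule syntax from the answers above written into a rules.d fragment: system-call rules with -a always,exit and -S, per-ABI -F arch= filters, -F filters on the return value, file watches with -w, and a -k key on each rule so ausearch can find the events later. The watched paths, key names, the 50-custom.rules file name and the AUDIT_INSTALL switch are illustrative choices, not part of the page.

```shell
#!/bin/sh
# Added example: build a persistent auditd rules fragment using the same syntax
# the page describes for auditctl, then load it with augenrules when asked to.
# Paths, keys, the target file name and AUDIT_INSTALL are illustrative choices.

# write_rules <path>: write the rules fragment to <path>.
write_rules() {
    cat > "$1" <<'EOF'
## Every line is an auditctl command line without the leading "auditctl".
## Record every successful execve() on both ABIs when the syscall exits.
-a always,exit -F arch=b64 -S execve -F success=1 -k exec_log
-a always,exit -F arch=b32 -S execve -F success=1 -k exec_log
## File watches: writes and attribute changes to identity files, key "identity".
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k identity
## open()/openat() calls that failed with EACCES or EPERM, key "access_denied".
-a always,exit -F arch=b64 -S open,openat -F exit=-EACCES -k access_denied
-a always,exit -F arch=b64 -S open,openat -F exit=-EPERM -k access_denied
EOF
}

# rule_count <path>: number of rule lines, ignoring blank and comment lines.
rule_count() {
    grep -c -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$1"
}

# load_rules <path>: install into rules.d and load, only when explicitly requested
# (AUDIT_INSTALL=1), running as root, and augenrules is available.
load_rules() {
    if [ "${AUDIT_INSTALL:-0}" = 1 ] && [ "$(id -u)" -eq 0 ] && command -v augenrules >/dev/null 2>&1; then
        cp "$1" /etc/audit/rules.d/50-custom.rules   # any *.rules file here is merged by augenrules
        augenrules --load
        auditctl -l                                   # verify the kernel accepted every rule
    else
        echo "rules written to $1 (set AUDIT_INSTALL=1 and run as root to load them)" >&2
    fi
}

tmp=$(mktemp)
write_rules "$tmp"
echo "$(rule_count "$tmp") rules in $tmp"
load_rules "$tmp"
```

The -F exit= filters use errno names, so the two access_denied rules need no numeric values; keeping one rule per errno avoids the ambiguity of a single rule with several -F exit= fields, which auditctl does not allow. After loading, compare the count printed by auditctl -l with rule_count: a difference means the kernel rejected something.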
Which is a valid action in auditctl(8)?
The valid actions for a rule are always and never. always – Allocate an audit context, always fill it in at system-call entry, and write a record at system-call exit. never – No audit records will be generated; this is used to suppress event generation. Because a rule list is evaluated in order and an event is handled by the first rule that matches, suppressions belong at the top of the list rather than the bottom: a never rule appended below an always rule that already matches the event is never reached.
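As an added example (not from the page), a small shell/awk lint that catches the first-match pitfall described in this answer and in the exclusion answer above: a never rule appended with -a after an always rule or a -w watch. It is a conservative ordering check only; it does not compare -F fields to decide whether two rules really overlap, and it treats -A (prepend) as safe anywhere. The two sample rules files are constructed for this example.

```shell
#!/bin/sh
# Added example: lint an audit rules file for suppressions that can never fire.
# The kernel handles an event with the first matching rule, so a "never" rule
# appended (-a) after an "always" rule or a -w watch is dead if their match
# sets overlap.  -A prepends, so "-A never,..." is safe wherever it appears.
# Conservative ordering check only; -F fields are not compared.
# The sample rules files are constructed for this example.

# check_rule_order <file>: print each suppression that follows an always rule; return 1 if any.
check_rule_order() {
    awk '
        /^[[:space:]]*#/ || /^[[:space:]]*$/ { next }              # comments and blank lines
        $1 == "-w" { if (!first_always) first_always = NR; next }  # a watch is an implicit always,exit rule
        $1 == "-a" {
            split($2, af, ",")                                     # "action,filter" or legacy "filter,action"
            action = (af[1] == "always" || af[1] == "never") ? af[1] : af[2]
            if (action == "always" && !first_always) first_always = NR
            if (action == "never" && first_always) {
                printf "line %d: suppression after always rule on line %d: %s\n", NR, first_always, $0
                bad = 1
            }
        }
        END { exit bad }
    ' "$1"
}

# write_sample <path> <good|bad>: constructed rules files, one correct, one with the pitfall.
write_sample() {
    if [ "$2" = good ]; then
        cat > "$1" <<'EOF'
## suppression first: nothing under /var/log/journal is recorded
-a never,exit -F dir=/var/log/journal
-w /var/log -p wa -k log_tamper
-a always,exit -F arch=b64 -S execve -k exec_log
EOF
    else
        cat > "$1" <<'EOF'
-w /var/log -p wa -k log_tamper
-a always,exit -F arch=b64 -S execve -k exec_log
## appended too late: the watch above already matched, so this never applies
-a never,exit -F dir=/var/log/journal
EOF
    fi
}

for kind in good bad; do
    f=$(mktemp)
    write_sample "$f" "$kind"
    if check_rule_order "$f"; then
        echo "$kind: ordering ok"
    else
        echo "$kind: move the suppression up, or load it with -A instead of -a"
    fi
done
```

Run it over /etc/audit/rules.d/*.rules before augenrules --load; the line numbers it prints refer to the file you passed. Both the action,filter and the older filter,action spellings are accepted, as auditctl does.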