The command below is an example of adding a watch rule at runtime (the leading `#` is the root prompt). Note that rules added this way live only in the kernel and are lost at reboot; see the rules-file steps further down for persistent rules.
#auditctl -w /etc/selinux/ -p wa -k selinux_changes
#auditctl -l    // lists the rules currently loaded in the kernel
-w /etc/audit/audit.rules -p w -k access
-w /etc/audisp/plugins.d/syslog.conf -p w -k access
-w /etc/selinux -p wa -k selinux_changes
# auditctl -D    // deletes all loaded rules (runtime only; the files under /etc/audit are not touched). Like any rule change, this is refused once the configuration has been locked with `-e 2`, until the next reboot.
No rules
# auditctl -l
No rules
# auditctl -s
enabled 1
failure 1
pid 724
rate_limit 0
backlog_limit 64    // raise with `auditctl -b <N>` or a `-b <N>` line in the rules file; the `failure 1` flag above means a full backlog / lost events is reported via printk (`lost` counts dropped events), `-f 2` would panic instead
lost 0
backlog 0
loginuid_immutable 0 unlocked
# vi /etc/audit/rules.d/audit.rules
////// Add your rules here, one per line, in the same syntax as the `auditctl -l` output above (i.e. without the `auditctl` word), and save the file. Files in /etc/audit/rules.d/ are the persistent source of rules.
# service auditd stop
Stopping logging: [ OK ]
# service auditd start
Redirecting to /bin/systemctl start auditd.service
# systemctl status auditd.service
// Now `auditctl -l` shows the rules that were loaded from the file.
// To add more rules later, edit the file and reload it; on systems that use augenrules, `augenrules --load` reloads the rules without restarting auditd (the loader clears the old rule set and loads the full file, so the result is the complete, current set). Restarting auditd as above does the same.
/etc/audit/audit.rules is regenerated from the files in /etc/audit/rules.d/ each time the rules are loaded, so any edit made directly to /etc/audit/audit.rules is overwritten. Keep your rules in /etc/audit/rules.d/audit.rules and keep a backup of that file.