Commit 9efdb900 authored by Jonathan Lent's avatar Jonathan Lent
Browse files

Adding i386 default audit.rules

parent 926d75ce
release/001.012 (2015-09-23)
Filter "Audit daemon rotating log files" log entry (akkornel)
Add default audit.rules for 32-bit systems and push out
accordingly (jlent)
release/001.011 (2015-09-09)
Removing MORE duplicate entries from audit.rules (/etc/ssh,
# auditctl rules that are loaded whenever the audit daemon is
# started via the initscripts.
# First rule - delete all
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 32767
# The following rules create log entries to be written whenever the
# rmdir, unlink, execve system calls exit. This will record file
# deletion and command line executions.
-a exit,always -F arch=b32 -S execve -k EXEC
# Uncomment if you want BIND and CONNECT events to be logged
#-a exit,always -F arch=b32 -S bind -k BIND -F exit!=-2
#-a exit,always -F arch=b32 -S connect -k CONNECT -F exit!=-2
-a exit,always -F arch=b32 -S socketcall -k SOCKETCALL -F exit!=-2
-a exit,always -F arch=b32 -S link -S unlink -k FILEWRITE
-a exit,always -F arch=b32 -S mkdir -S rmdir -k FILEWRITE
# The following rules create log entries when the critical system
# files are created or deleted.
-w /bin -p wa -k binfiles
-w /etc/audisp -p wa -k sysfiles
-w /etc/audit -p wa -k sysfiles
-w /etc/krb5.conf -p wa -k sysfiles
-w /etc/krb5.keytab -p wa -k sysfiles
-w /etc/pam.d -p wa -k sysfiles
-w /etc/passwd -p wa -k sysfiles
-w /etc/remctl/acl -p wa -k sysfiles
-w /etc/shadow -p wa -k sysfiles
-w /etc/ssh -p wa -k sysfiles
-w /sbin -p wa -k binfiles
-w /usr/bin -p wa -k binfiles
-w /usr/sbin -p wa -k binfiles
# Disable adding any additional rules - note that adding *new* rules
# will require a reboot
-e 2
......@@ -45,7 +45,12 @@ define audit::auditd (
# What to audit
if $content == 'NONE' {
if $source == 'NONE' {
$src_rules = "$afile/etc/audit/audit.rules"
# Rules implying 64-bit addressing cause errors on 32-bit systems
if ($::architecture == 'x86_64' or $::architecture == 'amd64') {
$src_rules = "$afile/etc/audit/audit.rules.x86_64"
} else {
$src_rules = "$afile/etc/audit/audit.rules.i386"
} else {
$src_rules = $source
Supports Markdown
0% or .
You are about to add 0 people to the discussion. Proceed with caution.
Finish editing this message first!
Please register or to comment