[SOLVED] Need An Audit Rule to Stop Logging Of A Specific Item - logs filling up
Linux - SecurityThis forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.
Notices
Welcome to LinuxQuestions.org, a friendly and active Linux Community.
You are currently viewing LQ as a guest. By joining our community you will have the ability to post topics, receive our newsletter, use the advanced search, subscribe to threads and access many other special features. Registration is quick, simple and absolutely free. Join our community today!
Note that registered members see fewer ads, and ContentLink is completely disabled once you log in.
If you have any problems with the registration process or your account login, please contact us. If you need to reset your password, click here.
Having a problem logging in? Please visit this page to clear all LQ-related cookies.
Get a virtual cloud desktop with the Linux distro that you want in less than five minutes with Shells! With over 10 pre-installed distros to choose from, the worry-free installation life is here! Whether you are a digital nomad or just looking for flexibility, Shells can put your Linux machine on the device that you want to use.
Exclusive for LQ members, get up to 45% off per month. Click here for more info.
What rule can I add to /etc/audit/audit.rules so that I can exclude this item from being audited?
I tried adding these two rules, rebooting the server, has no effect:
-a exit,never -F path=/usr/libexec/mysqld
-a exit,never -F path=/usr/libexec/mysqld -F auid=4294967295
Robert
Last edited by rgsurfs; 05-13-2014 at 12:11 PM.
Reason: added some info, about what doesn't work
tks. I got frustrated and rebuilt my audit.rules file.
Here is what it looks like and the mysql is still logging constantly!!!
==================================================================================================== ====================================
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 1500
# Feel free to add below this line. See auditctl man page
#to prevent mysql from filing up the logs
-a exit,never -F path=/usr/libexec/mysqld
#GEN2720, 2720-2, 2720-3, 2720-4, 2720-5
-a exit,always -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM
-a exit,always -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES
#GEN2740
-a exit,always -F arch=b32 -S unlink
-a exit,always -F arch=b64 -S unlink
#GEN2740-2
-a exit,always -F arch=b32 -S rmdir
-a exit,always -F arch=b64 -S rmdir
#GEN2750
-w /usr/sbin/useradd -p x -k useradd
-w /usr/sbin/groupadd -p x -k groupadd
-w /etc/passwd -p a -k passwd
-w /etc/shadow -p a -k shadow
-w /etc/group -p a -k group
-w /etc/gshadow -p a -k gshadow
#GEN2751
-w /usr/sbin/usermod -p x -k usermod
-w /usr/sbin/groupmod -p x -k groupmod
-w /etc/passwd -p w -k passwd
-w /etc/shadow -p w -k shadow
-w /etc/group -p w -k group
-w /etc/gshadow -p w -k gshadow
#GEN2752
-w /usr/bin/passwd -p x -k passwd
#GEN2753
-w /usr/sbin/userdel -p x
-w /usr/sbin/groupdel -p x
#GEN2760-2
-w /etc/audit/audit.rules
#GEN2760, 2760-3, 2760-4, 2760-5, 2760-6
-a exit,always -F arch=b32 -S sched_setscheduler -S adjtimex -S settimeofday -S stime -S clock_settime
-a exit,always -F arch=b64 -S sched_setscheduler -S adjtimex -S settimeofday -S clock_settime
#GEN2760-7, 2760-8, 2760-9
-a exit,always -F arch=b32 -S sethostname -S setdomainname -S sched_setparam
-a exit,always -F arch=b64 -S sethostname -S setdomainname -S sched_setparam
#GEN2800
-w /var/log/faillog -p wa
-w /var/log/lastlog -p wa
#GEN2820, 2820-10, 2820-11, 2820-12, 2820-13
-a exit,always -F arch=b32 -S chmod -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr
-a exit,always -F arch=b64 -S chmod -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr
#GEN2820-2, 2820-3, 2820-4, 2820-5, 2820-6, 2820-7, 2820-8, 2820-9
-a exit,always -F arch=b32 -S fchmod -S fchmodat -S chown32 -S fchown32 -S fchownat -S lchown32 -S setxattr -S lsetxattr
-a exit,always -F arch=b64 -S fchmod -S fchmodat -S chown -S fchown -S fchownat -S lchown -S setxattr -S lsetxattr
#GEN2825, 2825-2
-a exit,always -F arch=b32 -S init_module -S delete_module
-a exit,always -F arch=b64 -S init_module -S delete_module
#GEN2825-3
-w /sbin/insmod -p x
#GEN2825-4
-w /sbin/modprobe -p x
#GEN2825-3
-w /sbin/rmmod -p x
#adding -e requires reboot to implement new rules
-e 2
Last edited by rgsurfs; 05-15-2014 at 02:47 AM.
Reason: re-open it is not solved.
I edited the /etc/my.cnf and added skip-thread-priority under the [mysqld] area. Restarted services. Fixed now.
==============================working /etc/my.cnf file======================================
LinuxQuestions.org is looking for people interested in writing
Editorials, Articles, Reviews, and more. If you'd like to contribute
content, let us know.
