| # Copyright 1999-2011 Gentoo Foundation |
| # Distributed under the terms of the GNU General Public License v2 |
| # |
| # This file contains the auditctl rules that are loaded |
| # whenever the audit daemon is started via the initscripts. |
| # The rules are simply the parameters that would be passed |
| # to auditctl. |
| |
| # First rule - delete all |
| # -D clears out the rules that are already loaded, so the rules below |
| # replace them instead of being appended to them. |
| -D |
| |
| # Feel free to add below this line. See auditctl man page |
| # NOTE(review): rules on a list are evaluated in order and the first match |
| # decides the action. A rule that has to see one of the syscalls excluded |
| # below (for example a file watch that should fire on open or write) needs |
| # to be placed above the two "never" rules, not after them. |
| |
| # The following two rules are active (not commented out): they stop the listed |
| # syscalls from being logged, once for 32-bit and once for 64-bit callers. |
| # Only the syscall names listed are matched; related calls such as openat are |
| # separate syscalls and are not excluded by these rules. |
| -a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat |
| -a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat |
| |
| # The following rule (disabled by default) would capture all syscalls not |
| # excluded above. Expect a very high event volume if it is enabled. |
| # -a exit,always -S all |
| |
| # Increase the buffers to survive stress events |
| # -b sets the maximum number of outstanding audit buffers (the backlog). |
| # NOTE(review): the rules shown here set neither a failure mode (-f) nor a |
| # configuration lock (-e 2); confirm whether the deployment needs them. |
| -b 8192 |
| |
| # vim:ft=conf: |