From bf344f7be8674ac24e89c532b58f7cb1de2bb0b1 Mon Sep 17 00:00:00 2001
From: root
Date: Sat, 7 Jan 2017 13:22:41 +0100
Subject: [PATCH] saving uncommitted changes in /etc prior to emerge run
---
 .etckeeper | 1 +
 audisp/audisp-remote.conf | 5 +++--
 audisp/plugins.d/syslog.conf | 3 ++-
 audit/audit-stop.rules | 8 ++++++++
 audit/auditd.conf | 14 +++++++++-----
 5 files changed, 23 insertions(+), 8 deletions(-)
 create mode 100644 audit/audit-stop.rules
diff --git a/.etckeeper b/.etckeeper
index 2a3d504..83af319 100755
--- a/.etckeeper
+++ b/.etckeeper
@@ -323,6 +323,7 @@ maybe chmod 0640 'audisp/plugins.d/audispd-zos-remote.conf'
 maybe chmod 0640 'audisp/plugins.d/syslog.conf'
 maybe chmod 0640 'audisp/zos-remote.conf'
 maybe chmod 0755 'audit'
+maybe chmod 0644 'audit/audit-stop.rules'
 maybe chmod 0640 'audit/audit.rules'
 maybe chmod 0640 'audit/audit.rules.stop.post'
 maybe chmod 0640 'audit/audit.rules.stop.pre'
diff --git a/audisp/audisp-remote.conf b/audisp/audisp-remote.conf
index 70d8a99..c7d1562 100644
--- a/audisp/audisp-remote.conf
+++ b/audisp/audisp-remote.conf
@@ -18,11 +18,12 @@ heartbeat_timeout = 0
 network_failure_action = stop
 disk_low_action = ignore
-disk_full_action = ignore
-disk_error_action = syslog
+disk_full_action = warn_once
+disk_error_action = warn_once
 remote_ending_action = reconnect
 generic_error_action = syslog
 generic_warning_action = syslog
+queue_error = stop
 overflow_action = syslog
 ##enable_krb5 = no
diff --git a/audisp/plugins.d/syslog.conf b/audisp/plugins.d/syslog.conf
index d603b2f..7d7dbd7 100644
--- a/audisp/plugins.d/syslog.conf
+++ b/audisp/plugins.d/syslog.conf
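Review bot: `disk_full_action = warn_once` and `disk_error_action = warn_once` turn a persistently full or failing disk on the remote collector into a single syslog line, so after that one warning the operator gets no further signal about records that the remote side is not storing; whether delivery continues after the warning depends on the distinction between `warn_once` and `warn_once_continue` in audisp-remote.conf(5), which I cannot confirm from the hunk, so the intent should be recorded. The added `queue_error = stop`, next to the existing `network_failure_action = stop`, means the remote plugin now terminates rather than reconnects in several failure cases, and nothing in the hunk says that the local audit.log is meant to be the authoritative copy in that situation. A comment on the two changed lines, e.g. `# warn_once: remote disk trouble is reported once only; the local log remains the copy of record`, and one on `queue_error = stop`, `# stop rather than spin on a broken queue; auditd keeps logging locally`, would make the trade-off visible to the next person who tunes this file.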
@@ -3,7 +3,8 @@
 # arguments provided can be the default priority that you
 # want the events written with. And optionally, you can give
 # a second argument indicating the facility that you want events
-# logged to. Valid options are LOG_LOCAL0 through 7.
+# logged to. Valid options are LOG_LOCAL0 through 7, LOG_AUTH,
+# LOG_AUTHPRIV, LOG_DAEMON, LOG_SYSLOG, and LOG_USER.
 active = no
 direction = out
diff --git a/audit/audit-stop.rules b/audit/audit-stop.rules
new file mode 100644
index 0000000..7e23cff
--- /dev/null
+++ b/audit/audit-stop.rules
@@ -0,0 +1,8 @@
+# These rules are loaded when the audit daemon stops
+# if configured to do so.
+
+# Disable auditing
+-e 0
+
+# Delete all rules
+-D
diff --git a/audit/auditd.conf b/audit/auditd.conf
index fdc93f0..50fbde8 100644
--- a/audit/auditd.conf
+++ b/audit/auditd.conf
@@ -2,18 +2,20 @@
 # This file controls the configuration of the audit daemon
 #
+local_events = yes
+write_logs = yes
 log_file = /var/log/audit/audit.log
-log_format = RAW
 log_group = root
-priority_boost = 4
-flush = INCREMENTAL
-freq = 20
+log_format = RAW
+flush = INCREMENTAL_ASYNC
+freq = 50
+max_log_file = 8
 num_logs = 5
+priority_boost = 4
 disp_qos = lossy
 dispatcher = /sbin/audispd
 name_format = NONE
 ##name = mydomain
-max_log_file = 6
 max_log_file_action = ROTATE
 space_left = 75
 space_left_action = SYSLOG
@@ -22,6 +24,7 @@ admin_space_left = 50
 admin_space_left_action = SUSPEND
 disk_full_action = SUSPEND
 disk_error_action = SUSPEND
+use_libwrap = yes
 ##tcp_listen_port = 
 tcp_listen_queue = 5
 tcp_max_per_addr = 1
@@ -30,3 +33,4 @@ tcp_client_max_idle = 0
 enable_krb5 = no
 krb5_principal = auditd
 ##krb5_key_file = /etc/audit/audit.key
+distribute_network = no
-- 
2.39.5
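Review bot: The header comment of the new `audit/audit-stop.rules` says the rules are loaded "if configured to do so" but never says by what; nothing else in this commit references the file (the auditd.conf hunks do not), and the .etckeeper hunk shows the tree already carries `audit/audit.rules.stop.pre` and `audit/audit.rules.stop.post`, so two stop-rule conventions now coexist and it is not clear which one the service's stop path actually runs. Presumably the service's stop hook loads it — name that consumer in the comment, e.g. `# Loaded by the auditd service stop hook; supersedes audit.rules.stop.pre/.post — confirm`. It is also worth a one-line note that `-e 0` and `-D` cannot take effect if the live rule set was locked with `-e 2`, since in that case the stop path will silently leave auditing enabled until reboot. Separately, the .etckeeper hunk records this file as 0644 while every sibling rule file under audit/ is 0640; tightening it to 0640 keeps the directory's permissions uniform.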
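Review bot: `freq = 50` together with `flush = INCREMENTAL_ASYNC` raises the number of records that may sit unflushed from 20 to 50, and that window is what is lost on an abrupt power cut or kernel crash; if the throughput gain is deliberate, record it on the line, e.g. `# freq 50 + INCREMENTAL_ASYNC: up to 50 records may be lost on power loss, accepted for throughput`. With `max_log_file = 8`, `num_logs = 5` and the existing `max_log_file_action = ROTATE`, local retention is capped at roughly 40 MB before the oldest log is recycled, so a comment stating the intended retention (or that the remote plugin configured in audisp-remote.conf is the long-term store) would help whoever investigates an incident later. Most of the remaining lines in the first hunk are re-orderings of unchanged keys (`log_format`, `priority_boost`, `max_log_file`); keeping them in their original positions would leave a diff showing only the real changes. The later hunks add `use_libwrap = yes`, which has no effect while `tcp_listen_port` stays commented out, and `distribute_network = no`; both are harmless as written.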