Hello!
I’m trying to configure FIM with Auditd on Ubuntu 14.04 (I know, ancient software). When I set it up, I’m getting a tremendous amount of traffic to /var/log/audit/audit.log. It appears that every time a command in a monitored directory is run, it triggers a log entry.
I’d like to only have log entries generated when a file is modified, rather than simply accessed. Is this possible? My auditd config is below.
I have InsightIDR Essentials, so I’m using NXLog to get FIM on my more recent Ubuntu machines, but am stuck with Auditd for 14.04 systems.
#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = adm
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
My rules are as follows:
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## This determine how long to wait in burst of events
#--backlog_wait_time 0
# REQUIRED (for Insight Agent): watch for execve syscalls, change to arch=b32 for 32 bit systems
-a always,exit -F arch=b64 -S execve -F key=execve
-w /bin -p w
-w /boot -p w
-w /etc -p w
-w /sbin -p w
-w /usr/bin -p w
-w /usr/local/bin -p w
-w /usr/local/sbin -p w
-w /usr/sbin -p w
-w /usr/share/keyrings -p w
-w /var/spool/cron -p w
## Set failure mode to syslog
-f 1
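To see which rule is generating the volume in /var/log/audit/audit.log, the following added shell example (not from the original post) tallies RAW-format SYSCALL records by rule key over a few constructed log lines, and then pulls the PATH names for one key's events. It assumes the watch rules were tagged with `-k fim` (the rules above carry no key, so their records would show `key=(null)` instead) and that the execve rule keeps the `key=execve` shown above.

```shell
#!/bin/sh
# Constructed sample of auditd RAW records (values are placeholders, not from a
# real system). Three execve events come from the syscall rule; one write to
# /etc/hosts comes from a watch rule that was tagged -k fim.
AUDIT_SAMPLE='type=SYSCALL msg=audit(1700000000.101:201): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=2 auid=1000 uid=1000 comm="ls" exe="/bin/ls" key="execve"
type=SYSCALL msg=audit(1700000000.102:202): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=3 auid=1000 uid=1000 comm="grep" exe="/bin/grep" key="execve"
type=EXECVE msg=audit(1700000000.102:202): argc=2 a0="grep" a1="-r"
type=SYSCALL msg=audit(1700000000.103:203): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=4 auid=1000 uid=0 comm="vi" exe="/usr/bin/vi" key="fim"
type=PATH msg=audit(1700000000.103:203): item=0 name="/etc/hosts" inode=1234 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.104:204): arch=c000003e syscall=59 success=yes exit=0 ppid=1 pid=5 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="execve"'

# Count SYSCALL records per rule key. Each audited syscall produces exactly one
# SYSCALL record, so this tells you which rule is responsible for the volume.
count_by_key() {
  printf '%s\n' "$AUDIT_SAMPLE" \
    | awk '/^type=SYSCALL / {
             for (i = 1; i <= NF; i++)
               if ($i ~ /^key=/) { sub(/^key=/, "", $i); gsub(/"/, "", $i); n[$i]++ }
           }
           END { for (k in n) printf "%s %d\n", k, n[k] }' \
    | sort
}

# Print the file names from PATH records that belong to events carrying the
# given key. The event id is the number after the colon inside msg=audit(...).
# Assumes the SYSCALL record precedes the PATH records of the same event,
# which is the order auditd writes them.
paths_for_key() {
  printf '%s\n' "$AUDIT_SAMPLE" | awk -v want="$1" '
    function event_id(f,   m) { split(f, m, ":"); sub(/\)/, "", m[2]); return m[2] }
    /^type=SYSCALL / && index($0, "key=\"" want "\"") { keep[event_id($2)] = 1 }
    /^type=PATH / && keep[event_id($2)] {
      for (i = 1; i <= NF; i++)
        if ($i ~ /^name=/) { sub(/^name=/, "", $i); gsub(/"/, "", $i); print $i }
    }'
}

count_by_key          # prints: execve 3 / fim 1
paths_for_key fim     # prints: /etc/hosts
```

Tagging the `-w` watches with a key lets the file-modification events be selected on their own (for example with `ausearch -k fim`) and separated from the execve records the syscall rule produces.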