Hello I have a simple and basic question to auditbeat and auditd, but which I can not answer to myself at the moment.
How could I delete or reverse the audit.rules and file.integrity which got created on an server? This file which got activated produces a lot of log volume.
Defining any audit rules in the config causes Auditbeat to purge all existing audit rules prior to adding the rules specified in the config. Therefore it is unnecessary and unsupported to include a
-D
(delete all) rule.
Does this mean, I could just edit the auditbeat file without rules and the system will get rid of them?
In reference this is what got created and I want to get rid off.
auditbeat.modules:
- module: auditd
resolve_ids: true
failure_mode: log
backlog_limit: 8196
rate_limit: 0
include_raw_message: true
include_warnings: true
backpressure_strategy: auto
audit_rules: |
-a always,exit -F arch=b32 -S all -F key=32bit-abi
-a always,exit -F arch=b64 -S execve,execveat -k exec
-a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
- module: file_integrity
paths:
- /bin
- /usr/bin
- /sbin
- /usr/sbin
- /etc
- /etc/graylog/server
exclude_files:
- '(?i)\.sw[nop]$'
- '~$'
- '/\.git($|/)'
include_files: []
scan_at_start: true
scan_rate_per_sec: 50 MiB
max_file_size: 100 MiB
hash_types: [sha256]
recursive: false