Delete audit rules on server

Hello, I have a simple and basic question about Auditbeat and auditd, which I cannot answer myself at the moment.

How could I delete or reverse the audit.rules and file.integrity which got created on a server? This file, which got activated, produces a lot of log volume.

Defining any audit rules in the config causes Auditbeat to purge all existing audit rules prior to adding the rules specified in the config. Therefore it is unnecessary and unsupported to include a -D (delete all) rule.

Does this mean I could just edit the Auditbeat file without rules and the system will get rid of them?

For reference, this is what got created and what I want to get rid of.

auditbeat.modules:

- module: auditd
  resolve_ids: true
  failure_mode: log
  backlog_limit: 8196
  rate_limit: 0
  include_raw_message: true
  include_warnings: true
  backpressure_strategy: auto

  audit_rules: |

    -a always,exit -F arch=b32 -S all -F key=32bit-abi
    -a always,exit -F arch=b64 -S execve,execveat -k exec
    -a always,exit -F arch=b64 -S accept,bind,connect -F key=external-access
    -w /etc/group -p wa -k identity
    -w /etc/passwd -p wa -k identity
    -w /etc/gshadow -p wa -k identity
    -w /etc/shadow -p wa -k identity
    -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b32 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
    -a always,exit -F arch=b64 -S open,creat,truncate,ftruncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access

- module: file_integrity
  paths:
  - /bin
  - /usr/bin
  - /sbin
  - /usr/sbin
  - /etc
  - /etc/graylog/server
  exclude_files:
  - '(?i)\.sw[nop]$'
  - '~$'
  - '/\.git($|/)'
  include_files: []
  scan_at_start: true
  scan_rate_per_sec: 50 MiB
  max_file_size: 100 MiB
  hash_types: [sha256]
  recursive: false

When you restart, if any rules are defined in the config file then it will first clear all rules before installing the ones defined in the config.

You can use sudo auditbeat show auditd-rules to list the current rules from the kernel.

Ok, and if I want to get rid of all of the installed rules? What do I do then?

Surprisingly, there is no command to accomplish that task using the auditbeat binary. I assume most users never do this, or are using auditctl -D or restarting. Auditbeat should add a sub-command for doing this.
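As an added example (not code from the thread and not part of Auditbeat), a small POSIX sh script that does what the reply above describes: it lists the kernel rules with auditctl -l, clears them with auditctl -D and confirms that nothing is left. It assumes the audit userspace tools are installed and that the live part runs as root; the SAMPLE_RULES text and the demo_count_key helper are constructed here so the parsing can be tried without touching the kernel.

```shell
#!/bin/sh
# Added example, not code from the thread or from Auditbeat itself.
# Lists the auditd rules currently loaded in the kernel, clears them with
# `auditctl -D` (the approach mentioned in the reply above) and verifies that
# nothing is left. Assumes the audit userspace tools (auditctl) are installed
# and that the live part runs as root. Only clear_audit_rules touches the
# kernel; the helper functions just parse `auditctl -l` output.
set -eu

# Count rules in `auditctl -l` output read from stdin. An empty kernel rule
# list is printed as the single line "No rules", which must not be counted.
count_rules() {
    grep -vc -e '^No rules$' -e '^$' || true
}

# Print only the rules tagged with the given key (-k foo or -F key=foo),
# e.g. the "identity" or "exec" keys set by the Auditbeat config above.
rules_for_key() {
    grep -E -- "(-k |-F key=)$1( |\$)" || true
}

# Constructed sample of `auditctl -l` output (not captured from a real host),
# used by demo_count_key so the helpers can run without root or auditd.
SAMPLE_RULES='-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-a always,exit -F arch=b64 -S execve,execveat -F key=exec'

# Count how many of the sample rules carry the given key.
demo_count_key() {
    printf '%s\n' "$SAMPLE_RULES" | rules_for_key "$1" | count_rules
}

# Show what is loaded, delete everything, and confirm the kernel is empty.
# Note: Auditbeat reinstalls its rules on its next restart as long as
# audit_rules is still set in auditbeat.yml, and the kernel refuses
# auditctl -D until reboot once the config was locked with `auditctl -e 2`.
clear_audit_rules() {
    before=$(auditctl -l | count_rules)
    echo "rules loaded before: $before"
    auditctl -D
    after=$(auditctl -l | count_rules)
    echo "rules loaded after:  $after"
    [ "$after" -eq 0 ]
}

# Touch the kernel only when explicitly asked; otherwise parse the sample.
if [ "${1:-}" = "--clear" ]; then
    clear_audit_rules
else
    echo "sample rules:   $(printf '%s\n' "$SAMPLE_RULES" | count_rules)"
    echo "identity rules: $(demo_count_key identity)"
fi
```

Run it as `sudo sh clear_audit_rules.sh --clear` on the host; without the flag it only exercises the parsing on the sample. Remove the audit_rules block from auditbeat.yml before doing this, otherwise the next Auditbeat restart installs the same rules again, as the earlier reply explains.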
