auditd: filter out ntp time adjust event
parent
9e12ff1ffb
commit
d288c9ecfa
|
@ -1,14 +1,19 @@
|
|||
---
|
||||
- name: auditd | Copy configuration and rules
|
||||
- name: auditd | Copy auditd configuration
|
||||
copy:
|
||||
src: '{{ item }}'
|
||||
dest: /etc/audit/{{ item }}
|
||||
src: auditd.conf
|
||||
dest: /etc/audit/auditd.conf
|
||||
mode: '644'
|
||||
owner: root
|
||||
group: root
|
||||
|
||||
- name: auditd | Copy audit rules
|
||||
template:
|
||||
src: audit.rules.j2
|
||||
dest: /etc/audit/audit.rules
|
||||
mode: '644'
|
||||
owner: root
|
||||
group: root
|
||||
loop:
|
||||
- auditd.conf
|
||||
- audit.rules
|
||||
|
||||
- name: auditd | Copy daily cron job to rotate audit log
|
||||
copy:
|
||||
|
|
|
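Review bot: Both new tasks install the audit configuration and rule set with `mode: '644'`, which leaves /etc/audit/auditd.conf and /etc/audit/audit.rules world-readable; the rules file in particular spells out which events are deliberately suppressed (the CRYPTO_KEY_USER and time-adjust exclusions, for instance), so any local account can read the audit blind spots. Hardening baselines for auditd commonly require its configuration files to be 0640 or stricter, so `mode: '0640'` on both the auditd.conf copy and the audit.rules template keeps root/root ownership while dropping the world-read bit. Neither task shows a `notify:` for an auditd reload; the play continues past the hunk so a handler may exist, but without one a changed rules file is not applied until the next service restart. It is also worth confirming that augenrules is not enabled on the targets, since it regenerates /etc/audit/audit.rules from rules.d and would silently overwrite the templated file.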
@ -52,6 +52,12 @@
|
|||
## This is not very interesting and wastes a lot of space if the server is public facing
|
||||
-a always,exclude -F msgtype=CRYPTO_KEY_USER
|
||||
|
||||
# This prevents ntpd daemons from overwhelming the logs
|
||||
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=ntp
|
||||
{% if ntp_client == 'chrony' %}
|
||||
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony
|
||||
{% endif %}
|
||||
|
||||
## High Volume Event Filter (especially on Linux Workstations)
|
||||
-a never,exit -F arch=b64 -F dir=/dev/shm -k sharedmemaccess
|
||||
-a never,exit -F arch=b64 -F dir=/var/lock/lvm -k locklvm
|
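Review bot: The `uid=ntp` suppression is emitted unconditionally while the chrony line is gated on `ntp_client`, so on a chrony-only host that has no `ntp` account auditctl cannot resolve the name and rejects that rule; unless the rules file begins with `-c`, that error stops loading of every rule after it and leaves the host with a partial audit policy. Making the ntpd line the `{% else %}` branch of the existing `{% if %}` avoids this, assuming `ntp_client` is the only variable that distinguishes the two daemons. The `arch=b32` variant is also missing — the usual time-change always-rules cover both `arch=b64` and `arch=b32`, so a 32-bit adjtimex call by the daemon would still be logged. Note that auditctl(8) evaluates exit rules in order and the first match wins, so these `never` rules only suppress anything if they appear before the matching `always` time-change rules; the rest of the template is outside the hunk, so that ordering cannot be checked here.
```jinja
# This prevents ntpd daemons from overwhelming the logs
{% if ntp_client == 'chrony' %}
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=chrony
-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=chrony
{% else %}
-a never,exit -F arch=b64 -S adjtimex -F auid=unset -F uid=ntp
-a never,exit -F arch=b32 -S adjtimex -F auid=unset -F uid=ntp
{% endif %}
```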