$ sudo cp -p /etc/audit/rules.d/audit.rules /etc/audit/rules.d/audit.rules_20200328
$ sudo vi /etc/audit/rules.d/audit.rules
$ sudo cat /etc/audit/rules.d/audit.rules
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## Set failure mode to syslog
-f 1
## Additional settings ← added
-a exit,always -S execve ← added
As shown below, restart it with the service command instead.
$ sudo systemctl restart auditd
Failed to restart auditd.service: Operation refused, unit auditd.service may be requested by dependency only (it is configured to refuse manual start/stop).
See system logs and 'systemctl status auditd.service' for details.
$ sudo service auditd restart
Stopping logging: [ OK ]
Redirecting start to /bin/systemctl start auditd.service
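Before restarting auditd with a freshly edited rules file, it is worth checking the file for the pieces the post relies on (the leading -D flush, the -b buffer size, the -f failure mode and the execve rule), because a typo in audit.rules can leave auditd running with no rules at all. The script below is an added example, not part of the original post: it builds a constructed copy of the rules shown above in a temporary directory, validates it with a small check function, and prints a warning when the execve rule carries no "-F arch=" filter (auditctl warns about such rules on 64-bit hosts, and the rule then applies only to the syscall ABI the kernel assigns it). The function names and the temporary path are assumptions of this example; nothing here touches /etc/audit or calls auditctl.

```shell
#!/bin/sh
# Added example (not from the original post): sanity-check an audit.rules
# file before reloading it. Works only on a constructed copy in a temp dir.

TMPDIR_RULES="$(mktemp -d)"
SAMPLE_RULES="$TMPDIR_RULES/audit.rules"

# Constructed copy of the rules file from the post, execve rule included.
cat > "$SAMPLE_RULES" <<'EOF'
## First rule - delete all
-D
## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192
## Set failure mode to syslog
-f 1
## Additional settings
-a exit,always -S execve
EOF

# check_audit_rules FILE
# Returns 0 when FILE flushes existing rules (-D), sets a buffer size (-b),
# sets a failure mode (-f: 0 silent, 1 printk, 2 panic) and has at least one
# execve syscall rule. Warns (still returns 0) if that rule has no arch filter.
check_audit_rules() {
    file="$1"
    [ -r "$file" ] || { echo "cannot read $file" >&2; return 1; }
    grep -q '^-D' "$file" || { echo "missing -D (flush) rule" >&2; return 1; }
    grep -q '^-b [0-9]' "$file" || { echo "missing -b buffer size" >&2; return 1; }
    grep -q '^-f [012]' "$file" || { echo "missing -f failure mode" >&2; return 1; }
    grep -q '^-a .*-S execve' "$file" || { echo "no execve syscall rule" >&2; return 1; }
    if ! grep '^-a .*-S execve' "$file" | grep -q -- '-F arch='; then
        echo "warning: execve rule has no -F arch= filter (auditctl will warn on x86_64)" >&2
    fi
    return 0
}

# count_execve_rules FILE: number of active (non-comment) execve rules in FILE.
count_execve_rules() {
    grep -c '^-a .*-S execve' "$1"
}

# Usage: validate the constructed copy. The two commented lines are what an
# admin would run on the real file; they need root and a running auditd.
check_audit_rules "$SAMPLE_RULES" && echo "rules file looks sane: $SAMPLE_RULES"
# sudo augenrules --load       # merge /etc/audit/rules.d/*.rules and load them
# sudo service auditd restart  # as in the post; systemctl refuses a direct restart
```

Run it as a normal user; the only output is the sanity message plus the arch warning for the rule exactly as the post wrote it. Adding `-F arch=b64` (and a second rule with `-F arch=b32` where 32-bit binaries run) to the execve rule makes the warning go away and makes explicit which ABI the rule covers.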