From c1a40ab95a8877eaca746ca4fc132737b3b529a4 Mon Sep 17 00:00:00 2001
From: Justin Gerace
Date: Wed, 30 Nov 2016 17:21:05 -0800
Subject: [PATCH] Enable kernel auditing in the example configuration
---
 go-audit.yaml.example | 2 ++
 1 file changed, 2 insertions(+)
diff --git a/go-audit.yaml.example b/go-audit.yaml.example
index 63308cf..66c15a0 100644
--- a/go-audit.yaml.example
+++ b/go-audit.yaml.example
@@ -90,6 +90,8 @@ rules:
 - -a exit,always -F arch=b64 -S execve
 # Watch all 32 bit program executions
 - -a exit,always -F arch=b32 -S execve
+ # Enable kernel auditing (required if not done via the "audit" kernel boot parameter)
+ - -e 1
 # If kaudit filtering isn't powerful enough you can use the following filter mechanism
 filters:
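Review bot: The comment added above `- -e 1` reads as if enabling auditing at runtime were equivalent to booting with the audit parameter, but processes that started before this rule is loaded are generally not marked auditable, so the boot parameter remains the more complete option. I would reword it along the lines of `# Enable kernel auditing at runtime; prefer the "audit=1" boot parameter, since processes started before this rule loads may not be audited`. It would also help to say that this entry should stay last in the list, and that `-e 2` in its place locks the rule set until reboot for hosts that want tamper resistance. The `rules:` list begins above the hunk, so the ordering relative to earlier entries cannot be checked from here.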