[root@db ~]# service auditd start && chkconfig auditd on
[root@db ~]# auditctl -e 0    # 临时禁用 auditd
[root@db ~]# auditctl -e 1    # 重新启用它
[root@db ~]# cat /etc/audit/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
#
# Review notes for this rule set:
#  - No rule sets a -k key, so events can only be searched by path.
#    A key per group (for example -k identity) would let ausearch -k
#    select one group's events.
#  - Nothing locks the loaded configuration (a final -e 2 would), so
#    root can disable or clear these rules at runtime with auditctl.
#    TODO confirm whether that is intended.
#  - Watches written without -p rely on auditctl's default permission
#    filter, believed to be all of r, w, x, a; confirm against the
#    installed auditctl.
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
# NOTE(review): 320 is a small backlog for the read and directory watches
# below; check the lost/backlog counters in auditctl -s under load.
-b 320
# Feel free to add below this line. See auditctl man page
# Account databases and xinetd service definitions.
# -p rwxa logs reads as well as writes, executes and attribute changes.
# /etc/passwd is read by ordinary name lookups, so expect a high event
# volume; -p wa is the usual choice when only tampering matters.
-w /etc/passwd -p rwxa
-w /etc/shadow -p rwxa
-w /etc/xinetd.d -p rwxa
# at(1) access control lists (no -p: default permission filter).
-w /etc/at.allow
-w /etc/at.deny
# Boot and init scripts.
-w /etc/inittab -p wa
-w /etc/init.d/
# This path also falls under the /etc/init.d/ watch above.
-w /etc/init.d/auditd -p wa
# Scheduled jobs: writes and attribute changes only.
-w /etc/cron.d/ -p wa
-w /etc/cron.daily/ -p wa
-w /etc/cron.hourly/ -p wa
-w /etc/cron.monthly/ -p wa
-w /etc/cron.weekly/ -p wa
-w /etc/crontab -p wa
# Group membership, sudo policy and static host name resolution.
-w /etc/group -p wa
-w /etc/sudoers -p wa
-w /etc/hosts -p wa
# System, kernel and module configuration.
-w /etc/sysconfig/
-w /etc/sysctl.conf -p wa
-w /etc/modprobe.d/
-w /etc/aliases -p wa
# Shell start-up files that run at login.
-w /etc/bashrc -p wa
-w /etc/profile -p wa
-w /etc/profile.d/
# Log files. These change during normal operation, so these watches
# record routine activity as well as tampering.
-w /var/log/lastlog
-w /var/log/yum.log
# Login banners.
-w /etc/issue -p wa
-w /etc/issue.net -p wa
# System binary directories: writes and attribute changes.
# NOTE(review): /sbin has no watch in this listing although /bin and
# /usr/sbin do; confirm whether that gap is intended.
-w /usr/bin/ -p wa
-w /usr/sbin/ -p wa
-w /bin -p wa
# SSH daemon configuration (no -p: default permission filter).
-w /etc/ssh/sshd_config