Add auditd.py module It is possible now to pass a list of paths where suid/sgid binaries should not be find. The python module uses multiprocessing and can be buggy. All ideas how to do it more safely (too high I/O and so on) and keep the performance in the same time, are highly appreciated. Change-Id: Icd1ae445fb8fed1ea08842606f371223f72bc82f Closes-PROD: https://mirantis.jira.com/browse/PROD-21273

commit: 9f9fbf40ba5dfaea2ab8aaa590d9d4543ed9f529 [log] [tgz]
author: Ivan Suzdal <isuzdal@mirantis.com> Wed Jul 11 18:27:25 2018 +0400
committer: Ivan Suzdal <isuzdal@mirantis.com> Mon Jul 16 14:26:31 2018 +0400
tree: 764dc88baed25dafcd5e319da37e4f4b5b767e58
parent: 91e02458ddccf2c20381c9b68695406de67b8481 [diff] [blame]
diff --git a/metadata/service/rules/ciscat.yml b/metadata/service/rules/ciscat.yml
index 1596dd5..2417e1c 100644
--- a/metadata/service/rules/ciscat.yml
+++ b/metadata/service/rules/ciscat.yml

@@ -5,6 +5,22 @@
 parameters:
   auditd:
     rules:
+      filter_fs:
+      - binfmt_misc
+      - cgroup
+      - debugfs
+      - devpts
+      - devtmpfs
+      - fusectl
+      - hugetlbfs
+      - mqueue
+      - nsfs
+      - proc
+      - pstore
+      - securityfs
+      - sysfs
+      filter_paths:
+      - /var/lib/docker
       options:
         enabled: 2
         bufsize: 8192
commit	9f9fbf40ba5dfaea2ab8aaa590d9d4543ed9f529	[log] [tgz]
author	Ivan Suzdal <isuzdal@mirantis.com>	Wed Jul 11 18:27:25 2018 +0400
committer	Ivan Suzdal <isuzdal@mirantis.com>	Mon Jul 16 14:26:31 2018 +0400
tree	764dc88baed25dafcd5e319da37e4f4b5b767e58
parent	91e02458ddccf2c20381c9b68695406de67b8481 [diff] [blame]