two questions regarding default audit behavior

Steve Grubb sgrubb at redhat.com
Wed Jan 17 16:07:18 UTC 2007


On Wednesday 17 January 2007 10:58, Bill Tangren wrote:
> I have two questions regarding default audit behavior (i.e. auditd is
> running, but there is nothing in audit.rules but "-D" and "-b 256"):
>
> 1) what is being audited?

Nothing except the hardcoded events in various apps and SE Linux avc events.
The default settings are to cater to SE Linux users that have no other use for
the audit system.

> 2) can I use the -D command to prevent those things from being audited?

Nope. You'd have to do "-e 0" to do that. Even then, SE Linux will still send
things to the audit system.

> I am required to have auditing running, but what I need to audit is
> specific. One server in particular is slow (a 750 MHz Pentium III) to start
> with, and default auditing is slowing it down to a crawl.

Do you have any oprofile data showing the bottleneck? I'd be curious. Also,
what kernel are you using? We've tested the performance of the audit system
and it's not a big hit unless you have a lot of syscall rules loaded. Watches
are cheap.

-Steve
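As an added illustration (not from the list post or the audit project), a small shell check over a constructed audit.rules file: it separates the cheap watch rules (-w) from the syscall rules (-a/-A) that Steve names as the real cost, and reports whether the file leaves auditing enabled, since "-D" only deletes rules while "-e 0" disables auditing. The file path and the sample rules are assumptions made up for the example.

```shell
#!/bin/sh
# Constructed sample audit.rules (not taken from the list post): the
# minimal default from the question plus a few rules of each kind.
RULES_FILE="${TMPDIR:-/tmp}/sample-audit.rules"
cat > "$RULES_FILE" <<'EOF'
# Flush existing rules, set a 256-entry kernel backlog
-D
-b 256
# Watches (path based): cheap, only fire on the watched inode
-w /etc/passwd -p wa -k identity
-w /etc/sudoers -p wa -k privilege
# Syscall rules: matched on every exit of the listed syscalls, the expensive kind
-a always,exit -F arch=b32 -S open -S openat -k file-open
-a always,exit -F arch=b32 -S execve -k exec
EOF

# count_rules FILE KIND -> number of rules of KIND ("watch" or "syscall")
count_rules() {
    case "$2" in
        watch)   awk '$1=="-w"{n++} END{print n+0}' "$1" ;;
        syscall) awk '$1=="-a"||$1=="-A"{n++} END{print n+0}' "$1" ;;
        *)       echo 0 ;;
    esac
}

# audit_enabled FILE -> 0 if the last "-e" line sets 0, 1 otherwise
# (a file containing only -D leaves auditing enabled, as the reply says)
audit_enabled() {
    awk '$1=="-e"{v=$2} END{print (v=="0")?0:1}' "$1"
}

echo "watch rules:   $(count_rules "$RULES_FILE" watch)"
echo "syscall rules: $(count_rules "$RULES_FILE" syscall)"
echo "audit enabled: $(audit_enabled "$RULES_FILE")"
```

On a slow box like the one in the question, a non-zero syscall count is the first thing to look at; a watch-only file should cost little.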
