Filesystem filling up ...

Aaron Lippold lippold at gmail.com
Sat Jul 7 20:42:56 UTC 2007


Thank you for the advice. I will send this on to the testers.

Hopefully we can get this worked out.

By the way, does anyone know of an audit.rules repository list where
some baselines of tested/documented configs can be downloaded?

Yours,

Aaron

On 7/3/07, Steve Grubb <sgrubb at redhat.com> wrote:
> On Wednesday 27 June 2007 01:42:39 pm Aaron Lippold wrote:
> > I was hoping some smarter audit folks than I could look at this small
> > set of rules and let me know if anything seems: 1) way too broad 2)
> > would fill up a file system fast 3) could use improvement
>
> > # Audit Failed opens
> > -a exit,always -S open -F success!=0
>
> Maybe:
> -a exit,always -S open -F exit=-13
> -a exit,always -S open -F exit=-1
>
> > #
> > # Audit success and failure of delete
> > -a exit,always -S unlink -S rmdir
> > #
> > # Audit success and failure of admin actions
> > #-a task,always -F uid=0
> > -w /var/log/audit/ -k ADMIN
> > -w /etc/auditd.conf -k ADMIN
> > -w /etc/audit.rules -k ADMIN
> > -a exit,always -S stime -S acct -S reboot -S swapon -S settimeofday -S
> > setrlimit -a exit,always -S setdomainname -S sched_setparam -S
> > sched_setscheduler EOF
>
> Some of these may be broad. setrlimit for example.
>
>
> > Some of my end users are saying they're logging a lot of audits. We are
> > using the same kickstart file but my test systems are not filling up.
>
> You might be able to do some work with aureport to find out what is filling
> your logs. Something like:
>
> aureport --start this-week --summary -i --event
> aureport --start this-week --summary -i --syscall
>
> -Steve
>
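An added example, not from the thread or from the audit tools themselves: it does over raw audit.log lines the kind of triage Steve suggests with `aureport --summary --syscall`, counting SYSCALL records by syscall name, success and exit value so the rule that is filling the disk stands out, and so you can see which exit codes the blanket `-F success!=0` open rule is pulling in compared with his narrower `-F exit=-13` / `-F exit=-1` form. The sample records are constructed, and the syscall-number map assumes i386 (arch=40000003).

```python
import re
from collections import Counter

# Constructed sample audit.log records (not from the original thread); the field
# layout follows the SYSCALL record format but every value is made up.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1183495200.101:1001): arch=40000003 syscall=5 success=no exit=-13 a0=bfa1c2d0 items=1 pid=2201 auid=500 uid=500 comm="cat" exe="/bin/cat"
type=SYSCALL msg=audit(1183495200.102:1002): arch=40000003 syscall=5 success=no exit=-2 a0=bfa1c2d0 items=1 pid=2201 auid=500 uid=500 comm="cat" exe="/bin/cat"
type=SYSCALL msg=audit(1183495200.103:1003): arch=40000003 syscall=75 success=yes exit=0 a0=7 items=0 pid=2210 auid=500 uid=500 comm="java" exe="/usr/bin/java"
type=SYSCALL msg=audit(1183495200.104:1004): arch=40000003 syscall=75 success=yes exit=0 a0=7 items=0 pid=2210 auid=500 uid=500 comm="java" exe="/usr/bin/java"
type=SYSCALL msg=audit(1183495200.105:1005): arch=40000003 syscall=75 success=yes exit=0 a0=7 items=0 pid=2211 auid=500 uid=500 comm="java" exe="/usr/bin/java"
type=SYSCALL msg=audit(1183495200.106:1006): arch=40000003 syscall=10 success=yes exit=0 a0=bfa1c300 items=1 pid=2230 auid=0 uid=0 comm="rm" exe="/bin/rm"
type=CWD msg=audit(1183495200.106:1006): cwd="/tmp"
type=PATH msg=audit(1183495200.106:1006): item=0 name="/tmp/x" inode=12 dev=08:01 mode=0100644
"""

# Assumed i386 numbers for the syscalls the thread's rules name (arch=40000003).
I386_SYSCALLS = {5: "open", 10: "unlink", 40: "rmdir", 75: "setrlimit"}

# key=value pairs; values are either "quoted strings" or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_syscall_records(log_text):
    """Yield a field dict for each type=SYSCALL line; CWD/PATH records are skipped."""
    for line in log_text.splitlines():
        fields = dict(FIELD_RE.findall(line))
        if fields.get("type") != "SYSCALL":
            continue
        fields["comm"] = fields.get("comm", "").strip('"')
        yield fields


def summarize(log_text):
    """Count records by (syscall name, success, exit): the per-syscall view of
    'aureport --summary --syscall', with the exit code added so that, e.g.,
    open failing with -2 (ENOENT, very common and usually noise) can be told
    apart from -13 (EACCES), the case Steve's narrower rule keeps."""
    counts = Counter()
    for rec in parse_syscall_records(log_text):
        nr = int(rec["syscall"])
        name = I386_SYSCALLS.get(nr, "syscall%d" % nr)
        counts[(name, rec["success"], int(rec["exit"]))] += 1
    return counts


def noisiest(log_text, n=3):
    """The n most frequent (syscall, success, exit) triples: the rules to narrow first."""
    return summarize(log_text).most_common(n)
```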




More information about the Linux-audit mailing list