Filesystem filling up ...

Stephen John Smoogen smooge at gmail.com
Wed Jun 27 18:17:46 UTC 2007


On 6/27/07, Aaron Lippold <lippold at gmail.com> wrote:
> Hello,
>
> I was hoping some smarter audit folks than I could look at this small
> set of rules and let me know if anything seems: 1) way too broad 2)
> would fill up a file system fast 3) could use improvement
>
> cat << 'EOF' > /etc/audit/audit.rules
> ## Submitted by JasonM at FSO.
>
> # This file contains the auditctl rules that are loaded
> # whenever the audit daemon is started via the initscripts.
> # The rules are simply the parameters that would be passed
> # to auditctl.
>
> # First rule - delete all
> -D
>
> # Feel free to add below this line. See auditctl man page
>
> # Increase the buffers to survive stress events
> -b 256
> -e 1
> # Audit Failed opens
> -a exit,always -S open -F success!=0
> #
> # Audit success and failure of delete
> -a exit,always -S unlink -S rmdir
> #
> # Audit success and failure of admin actions
> #-a task,always -F uid=0
> -w /var/log/audit/ -k ADMIN
> -w /etc/auditd.conf -k ADMIN
> -w /etc/audit.rules -k ADMIN
> -a exit,always -S stime -S acct -S reboot -S swapon -S settimeofday -S setrlimit
> -a exit,always -S setdomainname -S sched_setparam -S sched_setscheduler
> EOF
>
> Some of my end users are saying they're logging a lot of audits. We are
> using the same kickstart file but my test systems are not filling up.
>

Not one of the smarter people... but I would think that you would need
to see what the others are seeing in large amounts and what you are
not seeing on the test boxes.


> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>


-- 
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
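One way to do what Stephen suggests, as an added example that is not part of the original thread: tally the SYSCALL records in an audit.log by syscall number, success flag and key, and compare the top entries from a noisy box against a quiet one. Breaking the count down by `success=` also shows whether the "Audit Failed opens" rule is in fact recording successful opens, which is what `-F success!=0` selects (auditctl's `success` field is 1 for any non-negative exit value, so `!=0` means the call succeeded). The sample records below are constructed, not real log data, and the i386 syscall numbers are assumptions about the era of the boxes in question.

```shell
# Added example, not part of the original thread: tally SYSCALL records from an
# audit.log-style stream by syscall number, success flag and key, so the rule
# producing the bulk of the volume on the noisy boxes can be identified.
# Usage: audit_tally /var/log/audit/audit.log   (or feed records on stdin)
audit_tally() {
    awk '$1 == "type=SYSCALL" {
        sc = "?"; ok = "?"; key = "(none)"
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^syscall=/)      sc  = substr($i, 9)
            else if ($i ~ /^success=/) ok  = substr($i, 9)
            else if ($i ~ /^key=/)     key = substr($i, 5)
        }
        n["syscall=" sc " success=" ok " key=" key]++
    }
    END { for (k in n) printf "%d %s\n", n[k], k }' "$@" | sort -rn
}

# Constructed sample records (not real log data). The syscall numbers are the
# i386 values assumed for the 2007-era boxes in the thread: 5 = open, 10 = unlink.
sample_audit_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1182967066.101:201): arch=40000003 syscall=5 success=yes exit=3 items=1 uid=500 comm="bash" key=(null)
type=SYSCALL msg=audit(1182967066.102:202): arch=40000003 syscall=5 success=yes exit=4 items=1 uid=500 comm="sshd" key=(null)
type=SYSCALL msg=audit(1182967066.103:203): arch=40000003 syscall=5 success=yes exit=3 items=1 uid=0 comm="cron" key=(null)
type=SYSCALL msg=audit(1182967066.104:204): arch=40000003 syscall=5 success=no exit=-2 items=1 uid=500 comm="bash" key=(null)
type=CWD msg=audit(1182967066.104:204): cwd="/home/user"
type=SYSCALL msg=audit(1182967066.105:205): arch=40000003 syscall=10 success=yes exit=0 items=2 uid=500 comm="rm" key=(null)
EOF
}

# Most frequent (syscall, success, key) combination comes out first.
sample_audit_log | audit_tally
```

On the constructed input the first line is `3 syscall=5 success=yes key=(null)`: successful opens dominate, which is the signature of the open rule matching every successful open rather than only the failed ones. Run the same function against a full audit.log on a noisy box and a quiet one and diff the top few lines; the rule behind the difference is the one to tighten.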