more on limiting auditing of file access

Bill Tangren bjt at usno.navy.mil
Mon Nov 5 18:36:30 UTC 2007


Like Greg, I have servers that are doing a lot of auditing of file access
that I don't want them to do. I am running a RHEL ES 4 system, fully
patched, that runs audit-1.0.15-3.EL4. This is the output for aureport
summary:

[root at aa ~]# /sbin/aureport    -ts yesterday 00:00:00 -te today 00:00:00

Summary Report
======================
Range of time: 11/02/2007 10:38:28.035 - 11/05/2007 10:53:23.707
Number of changes in configuration: 0
Number of changes to accounts or groups: 0
Number of logins: 0
Number of failed logins: 0
Number of users: 3
Number of terminals: 2
Number of host names: 1
Number of executables: 55
Number of files: 3151
Number of AVC denials: 96937
Number of failed syscalls: 4300876
Number of watched file events: 215001
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of process IDs: 32349
Number of events: 4531650

Notice the large number of watched file events. The daily audit logs are
nearly 2GB in size. [And I'm required to keep a year's worth of audit
logs!]

When I issue this command:

[root at aa ~]# aureport -f --summary | head -20

File Summary Report
===========================
total  file
===========================
703314  passwd
703313  /etc/passwd
515973  /dev/tty
355209  /home/httpd/faq/docs/daylight_time.php/.htaccess
288538  /home/httpd/css/default.css/.htaccess
281723  /home/httpd/js/default.js/.htaccess
237471  /home/httpd/menu/stmenu.js/.htaccess
211210  /home/httpd/graphics/USNODomeatNight_painted.png/.htaccess
209720  /home/httpd/css/print.css/.htaccess
205240  /home/httpd/graphics/blank.gif/.htaccess
205042  /home/httpd/graphics/header_strip_stars.jpg/.htaccess
202624  /home/httpd/graphics/valid-html401.png/.htaccess
188072  /home/httpd/favicon.ico/.htaccess
131774  /home/httpd/data/USPLACES.DA
49634  /home/httpd/faq/docs/daylight_time.html/.htaccess

Note the high percentage of files accessed by the web server, especially
.htaccess.

I have a rule that audits failed access to files:

-a exit,always -S chmod -S lchown -S chown -F success=0

I assume that this is the rule that is causing so many files accessed by
the web server to be logged. How can I change this rule to exclude user
apache from tripping this rule?

-- 
Bill Tangren
U.S. Naval Observatory
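Before touching the rule, it helps to measure how much of the file-event volume the .htaccess lookups under the document root actually account for. The script below is an added example, not part of the post: it parses the `aureport -f --summary` table format shown above (a subset of its lines is embedded as sample input) and splits the counts into buckets; the bucket names and the `/home/httpd` document root are assumptions taken from the paths in the post.

```python
import re
from collections import defaultdict

# Constructed sample: a subset of the `aureport -f --summary` lines from the post.
SAMPLE = """File Summary Report
===========================
total  file
===========================
703314  passwd
703313  /etc/passwd
515973  /dev/tty
355209  /home/httpd/faq/docs/daylight_time.php/.htaccess
288538  /home/httpd/css/default.css/.htaccess
131774  /home/httpd/data/USPLACES.DA
49634  /home/httpd/faq/docs/daylight_time.html/.htaccess
"""

# A data row is "<count> <path>"; the title, ruler and column-header lines do not match.
ROW = re.compile(r"^\s*(\d+)\s+(\S.*?)\s*$")

def parse_file_summary(text):
    """Return [(count, path), ...] from aureport's file summary output."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            rows.append((int(m.group(1)), m.group(2)))
    return rows

def attribute(rows, docroot="/home/httpd"):
    """Bucket event counts: .htaccess lookups under the docroot, other docroot
    paths, relative names (no leading '/'), and everything else."""
    buckets = defaultdict(int)
    for count, path in rows:
        if path.startswith(docroot + "/") and path.endswith("/.htaccess"):
            buckets["htaccess_under_docroot"] += count
        elif path.startswith(docroot + "/"):
            buckets["other_under_docroot"] += count
        elif not path.startswith("/"):
            buckets["relative_name"] += count
        else:
            buckets["other"] += count
    buckets["total"] = sum(c for c, _ in rows)
    return dict(buckets)

def share(buckets, key):
    """Fraction of all file events that fall in one bucket."""
    return buckets[key] / buckets["total"]

if __name__ == "__main__":
    b = attribute(parse_file_summary(SAMPLE))
    print(b, "htaccess share: %.1f%%" % (100 * share(b, "htaccess_under_docroot")))
```

Run against the full report the fraction tells you whether dropping one account's events would actually shrink the logs; current auditctl lets a syscall rule carry `-F uid!=<numeric uid>` to exclude one account, so check `man auditctl` on the box for what the installed version accepts.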