Way too many logs!

Steve Grubb sgrubb at redhat.com
Sun May 11 00:41:38 UTC 2008


On Friday 09 May 2008 16:43:38 Steve Grubb wrote:
> > The rules I have above are required by the government. DIACAP STIG
>
> Do you need to log all changes to the scheduler? Or just the changes caused
> by users? If the latter, you can cut back your events like this:
>
> -a exit,always -S sched_setparam -S sched_setscheduler -F auid>=500 -k
> RULE7


I should mention the above rule is probably not correct. It is better to state it
this way:

-a exit,always -F arch=b32 -S sched_setparam -S sched_setscheduler -F auid>=500 -F auid!=4294967295 -k RULE7
-a exit,always -F arch=b64 -S sched_setparam -S sched_setscheduler -F auid>=500 -F auid!=4294967295 -k RULE7

The reason why is that you also have to check for the unset auid and set
a rule for each arch if it's a bi-arch system (x86_64).

-Steve
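The two omissions Steve points out (no per-arch rule, no filter for the unset auid 4294967295) are easy to make in a hand-written STIG rule set, so here is an added example, not part of the original thread or of the audit project's own code, that generates the corrected rule pair for a list of syscalls and lints an existing rules file for both mistakes. It assumes the thread's values: UID_MIN of 500 and the key RULE7; newer auditctl also accepts the spelling -F auid!=unset, and the linter treats that as equivalent. The "bad" rules file at the bottom is constructed for the demo.

```shell
#!/bin/sh
# Added example for the discussion above; assumes UID_MIN=500 as in the thread.
# Emits the b32/b64 rule pair that also excludes the unset auid (4294967295),
# so daemons started by init (loginuid never set) do not match auid>=500.
gen_sched_rules() {
    key="$1"
    uid_min="${2:-500}"
    for arch in b32 b64; do
        printf -- '-a exit,always -F arch=%s -S sched_setparam -S sched_setscheduler -F auid>=%s -F auid!=4294967295 -k %s\n' \
            "$arch" "$uid_min" "$key"
    done
}

# lint_rules FILE: print one diagnostic per syscall rule that either lacks
# an arch filter or filters on auid>=N without excluding the unset auid.
# Returns 1 if any problem was found, 0 otherwise.
lint_rules() {
    rc=0
    while IFS= read -r line; do
        case "$line" in ''|'#'*) continue ;; esac   # skip blanks and comments
        case "$line" in
            *" -S "*)   # only syscall rules need an arch
                case "$line" in
                    *"-F arch="*) ;;
                    *) echo "missing -F arch= (one rule per arch on bi-arch hosts): $line"; rc=1 ;;
                esac
                case "$line" in
                    *"auid>="*)
                        case "$line" in
                            *"auid!=4294967295"*|*"auid!=unset"*) ;;
                            *) echo "auid>= without auid!=4294967295 (unset auid would match): $line"; rc=1 ;;
                        esac ;;
                esac ;;
        esac
    done < "$1"
    return $rc
}

# Demo: the corrected pair, then lint a constructed file holding the original rule.
gen_sched_rules RULE7
demo_rules=$(mktemp)
printf '%s\n' '-a exit,always -S sched_setparam -S sched_setscheduler -F auid>=500 -k RULE7' > "$demo_rules"
lint_rules "$demo_rules" || echo "rules file needs fixing"
rm -f "$demo_rules"
```

On a host whose login.defs sets UID_MIN to 1000, pass that as the second argument to gen_sched_rules so system accounts are excluded the same way the thread's 500 threshold does.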
