question

Steve Grubb sgrubb at redhat.com
Mon Nov 3 14:15:45 UTC 2008


On Sunday 02 November 2008 21:42:47 David Flatley wrote:
> Presently I am using the S.T.I.G. recommendations but I may
> have to use more extensive rules which I am in the process of testing.

Are you using the stig.rules from the audit package or something else? If I 
were you, I'd spend some time making sure your rules are tuned. Assuming that 
you have keys on your rules, you can run a key report to see what is causing 
you the most events: aureport --start this-week --key --summary. 

Then you'd want to dig into some of those records and see what kinds of things 
are happening. Assuming you have a key of delete and you wanted to see what 
syscalls are the most often logged:

ausearch --start this-week -k delete --raw | aureport --syscall --summary -i

Assuming that shows unlinkat the most prevalent syscall:

ausearch --start this-week -k delete -sc unlinkat --raw | aureport --user --summary -i

And so on until you see what is causing so much logging. This doesn't help 
with the archiving, but could help you get the right audit data recorded.

-Steve
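The triage loop described in the reply (events per key, then syscalls under the noisiest key, then users under the noisiest key and syscall) reduced to a small parser over raw audit records, as an added example that is not part of the original thread or of the audit package. It assumes records in the shape `ausearch --raw` prints, a constructed sample embedded inline, and a hand-written partial x86_64 syscall-number table standing in for aureport's `-i` interpretation; auids stay numeric rather than being resolved through /etc/passwd.

```python
import re
from collections import Counter

# Constructed sample in the shape of `ausearch --raw` output (fields abbreviated).
# On x86_64, syscall 263 is unlinkat, 87 unlink, 82 rename, 2 open.
SAMPLE_RAW = """\
type=SYSCALL msg=audit(1225720000.101:1001): arch=c000003e syscall=263 success=yes exit=0 auid=1000 uid=1000 comm="rm" exe="/bin/rm" key="delete"
type=PATH msg=audit(1225720000.101:1001): item=0 name="/tmp/a" nametype=DELETE
type=SYSCALL msg=audit(1225720000.102:1002): arch=c000003e syscall=263 success=yes exit=0 auid=1000 uid=1000 comm="rm" exe="/bin/rm" key="delete"
type=SYSCALL msg=audit(1225720000.103:1003): arch=c000003e syscall=263 success=no exit=-2 auid=500 uid=500 comm="rm" exe="/bin/rm" key="delete"
type=SYSCALL msg=audit(1225720000.104:1004): arch=c000003e syscall=87 success=yes exit=0 auid=1000 uid=1000 comm="make" exe="/usr/bin/make" key="delete"
type=SYSCALL msg=audit(1225720000.105:1005): arch=c000003e syscall=82 success=yes exit=0 auid=1000 uid=1000 comm="mv" exe="/bin/mv" key="delete"
type=SYSCALL msg=audit(1225720000.106:1006): arch=c000003e syscall=2 success=yes exit=3 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key="access"
type=SYSCALL msg=audit(1225720000.107:1007): arch=c000003e syscall=2 success=yes exit=3 auid=1000 uid=1000 comm="cat" exe="/bin/cat" key=(null)
"""

# Partial x86_64 table (assumption: enough for the sample; aureport -i uses the full one).
SYSCALL_NAMES_X86_64 = {2: "open", 82: "rename", 87: "unlink", 257: "openat", 263: "unlinkat"}

# name=value pairs; values are either a quoted string or a run of non-space characters.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_raw(raw_text):
    """Return one dict of fields per SYSCALL record; PATH, CWD and other types are skipped."""
    records = []
    for line in raw_text.splitlines():
        if not line.startswith("type=SYSCALL"):
            continue
        records.append({k: v.strip('"') for k, v in FIELD_RE.findall(line)})
    return records


def syscall_name(number):
    """Interpret a numeric syscall field, like aureport -i; unknown numbers stay numeric."""
    return SYSCALL_NAMES_X86_64.get(int(number), f"syscall-{number}")


def key_summary(records):
    """Counterpart of `aureport --key --summary`: events per rule key, unkeyed records dropped."""
    return Counter(r["key"] for r in records if r.get("key") not in (None, "(null)"))


def syscall_summary(records, key):
    """Counterpart of `ausearch -k KEY --raw | aureport --syscall --summary -i`."""
    return Counter(syscall_name(r["syscall"]) for r in records if r.get("key") == key)


def user_summary(records, key, syscall):
    """Counterpart of `ausearch -k KEY -sc SYSCALL --raw | aureport --user --summary`."""
    return Counter(
        r["auid"]
        for r in records
        if r.get("key") == key and syscall_name(r["syscall"]) == syscall
    )


def triage(raw_text):
    """Walk the three steps and return what each one points at next."""
    recs = parse_raw(raw_text)
    top_key = key_summary(recs).most_common(1)[0][0]
    top_syscall = syscall_summary(recs, top_key).most_common(1)[0][0]
    top_user = user_summary(recs, top_key, top_syscall).most_common(1)[0][0]
    return top_key, top_syscall, top_user


if __name__ == "__main__":
    recs = parse_raw(SAMPLE_RAW)
    print("events per key:     ", key_summary(recs).most_common())
    key, sc, auid = triage(SAMPLE_RAW)
    print(f"syscalls under {key!r}:", syscall_summary(recs, key).most_common())
    print(f"auids under {key!r}/{sc!r}:", user_summary(recs, key, sc).most_common())
    print("next place to look:", (key, sc, auid))
```

Each function mirrors one stage of the pipeline in the reply, so the same narrowing (key, then syscall, then user) can be rerun against a saved `ausearch --raw` dump when tuning rules offline; on a live box the aureport commands above do the same job with the full syscall and user tables.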
