buffer space

David Flatley dflatley at us.ibm.com
Mon Aug 17 16:38:07 UTC 2009


>> Because I was getting errors restarting the auditd on some of their
>> recommendations one of which was mount?

> Yes, that is correct. Mount is syscall 165 on x86_64 and 21 on i386.

-a exit,always -S mount     fails on auditd restart

>> I would like to be able to do the audit log extractions (ausearch and
>> aureport) when I get say 8 - 20 megs logs. I see I can do an exec on a
>> script in max_log_file_action.
>> So if I set the max_log_file to 160, I can then run a script to move the
>> rotated logs and process them, thus not stopping auditd and keeping things
>> working?

> Yes, I think so. But if you are hooking max_log_file action, then you would
> need to send sigusr1 to ppid to get auditd to rotate the log and open another
> one. If you don't, auditd will still have an open descriptor to the file.

I am in error, I meant space_left_action because there is an exec for this.
I was going to do the "service auditd rotate" then move all the audit.log.*
to another directory so that ausearch -i and aureport -i could run on the
logs. The core for me is to keep audit running while dealing with log
generation. Our regression test can generate 8 20-meg rotated logs in an
hour. So if I can get audit to kick off the extraction script at certain
points then that would fix my situation.

   Thanks.

David Flatley CISSP


  From:       Steve Grubb <sgrubb at redhat.com>
  To:         David Flatley/Burlington/IBM at IBMUS
  Cc:         linux-audit at redhat.com
  Date:       08/17/2009 11:08 AM
  Subject:    Re: buffer space

On Monday 17 August 2009 10:49:55 am David Flatley wrote:
> If I were to move all the rotated logs to another directory,
> say /home/logs. So instead of doing "ausearch -i" to capture all the
> information in the rotated logs in /var/log/audit directory. I would do
> "ausearch -i -f /home/logs", correct?

Yes.

> Backlog is set to 12288 right now.

ok

>  The SECSCAN requires many -w (watches) and a fair amount of syscalls. I
> modified the syscalls to add your recommendation for using "arch=b32" and
> "arch=b64".

Are there any public references to this standard?


> Because I was getting errors restarting the auditd on some of their
> recommendations one of which was mount?

Yes, that is correct. Mount is syscall 165 on x86_64 and 21 on i386.


> Another setting I believe was doing me in was the log size is 20 megs and
> I allow 8 rotated logs. But I had admin_disk_full set to 160 and the action
> was suspend.
> So this could have been tripping me up also.

If the partition was 320Mb or smaller, then yes that would be a problem. But I
also think the fact that it's being suspended is sent to syslog.


> I would like to be able to do the audit log extractions (ausearch and
> aureport) when I get say 8 - 20 megs logs. I see I can do an exec on a
> script in max_log_file_action.
> So if I set the max_log_file to 160, I can then run a script to move the
> rotated logs and process them, thus not stopping auditd and keeping things
> working?

Yes, I think so. But if you are hooking max_log_file action, then you would
need to send sigusr1 to ppid to get auditd to rotate the log and open another
one. If you don't, auditd will still have an open descriptor to the file.

-Steve
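The offload script the thread is circling around (rotate first so auditd drops its descriptor, move only the rotated audit.log.N files, then run ausearch/aureport on the new directory with -if, the input-file option), as an added example that is not code from either poster or from the audit project. The script name, /home/logs, the pid-file path and auditd calling the script with no arguments are assumptions.

```shell
#!/bin/sh
# Added example, not from the linux-audit thread. Assumed deployment:
#   space_left_action = exec /usr/local/sbin/audit_offload.sh   (in auditd.conf)
# auditd is assumed to launch the script with no arguments, so every path is
# fixed here and only overridable through the environment (e.g. for testing).
AUDIT_DIR="${AUDIT_DIR:-/var/log/audit}"
ARCHIVE_BASE="${ARCHIVE_BASE:-/home/logs}"
AUDITD_PID_FILE="${AUDITD_PID_FILE:-/var/run/auditd.pid}"

# Make auditd close audit.log and open a fresh one before anything is moved;
# otherwise it keeps writing to the descriptor of the file we relocate.
rotate_audit_log() {
    if [ -r "$AUDITD_PID_FILE" ]; then
        kill -USR1 "$(cat "$AUDITD_PID_FILE")"
    else
        service auditd rotate
    fi
}

# Move only the rotated files (audit.log.1, audit.log.2, ...) into a new
# timestamped directory under ARCHIVE_BASE; the live audit.log stays put.
# Prints the archive directory so the caller can analyse it.
move_rotated_logs() {
    dest="$ARCHIVE_BASE/$(date +%Y%m%d-%H%M%S)"
    mkdir -p "$dest" || return 1
    for f in "$AUDIT_DIR"/audit.log.[0-9]*; do
        [ -e "$f" ] || continue        # glob matched nothing
        mv "$f" "$dest/" || return 1
    done
    printf '%s\n' "$dest"
}

# Interpret the archived logs in place: -if tells ausearch/aureport to read a
# file or directory instead of /var/log/audit; -i resolves uids, syscalls etc.
report_on_archive() {
    dir="$1"
    command -v ausearch >/dev/null 2>&1 || return 0   # no audit tools on this host
    ausearch -i -if "$dir" > "$dir/ausearch.txt"
    aureport -i -if "$dir" --summary > "$dir/aureport.txt"
}

main() {
    rotate_audit_log
    sleep 1                             # let auditd finish reopening the log
    dest=$(move_rotated_logs) || exit 1
    report_on_archive "$dest"
}
# Run end-to-end only under the expected script name, so the functions can be
# sourced and exercised without touching a live auditd.
case "$(basename -- "$0")" in audit_offload.sh) main ;; esac
```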
