auditd questions

Vipin Rathor v.rathor at gmail.com
Fri Sep 9 04:55:36 UTC 2011


> Yes, but you may be able to use the SE Linux label to prevent auditing of the process.
Steve, can you please tell me more about how to make use of the
SELinux label here?

On Thu, Sep 8, 2011 at 6:44 PM, Steve Grubb <sgrubb at redhat.com> wrote:
> On Thursday, September 08, 2011 02:38:03 AM Vipin Rathor wrote:
>> My auditd server is getting overwhelmed by the logs that it is getting.
>
> This almost always means the rules are not properly tuned.
>
>> I've configured remote audit logging via audisp-plugin. Earlier I
>> tried to reduce the amount of logs by optimizing the audit rules. But
>> we want to reduce it further.
>> Here's the list of things that I can think of to reduce the volume
>> of logs further:
>> 1. Increase kernel buffer for auditd from 20480 (current) to 99999.
>> 2. Increase the priority of auditd process. Currently 'priority_boost
>> = 10'. Default is 4. I don't know the maximum value (though I've seen
>> someone using 12). Can anyone tell me what's the maximum priority I
>> can give?
>
> Probably 19. This is dictated by the kernel. See the nice(1) command.
>
>
>> 3. Optimize the audit messages further:
>>   a. Exclude single file (like /etc/sysconfig/bash-prompt-xterm ) from
>> being audited. This can be done with following rule (Thanks to
>> Steve!):
>> -a exit,never -F path=/etc/sysconfig/bash-prompt-xterm
>>   b. Exclude specific processes by their PIDs. This will be tricky as
>> we will need to keep track of PIDs in case of process
>> start/stop/restart etc.
>
> Yes, but you may be able to use the SE Linux label to prevent auditing of the process.
>
> -Steve
>



-- 
-Rathor
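The suppression techniques discussed in the thread (a `-a exit,never` rule for a single noisy file, and excluding a whole process by its SELinux subject type rather than by PID, plus raising the kernel backlog with `-b`) combined into one rules file, as an added example that is not part of the original messages. The watched paths, the `backup_t` type and the rule keys are placeholders chosen for illustration, not anything the thread names. The check function enforces the ordering caveat a practitioner wants here: the kernel walks the exit list in order and stops at the first matching rule, so a `never` rule placed after an `always` rule (or a `-w` watch, which also lands on the exit list) never fires.

```shell
#!/bin/sh
# Added example, not code from the thread or the audit project.
# gen_audit_rules writes an audit.rules-style file; check_never_first
# verifies that every "-a exit,never" suppression precedes the first
# "-a exit,always" or "-w" rule. Paths, keys and the SELinux type are
# assumed placeholders.

# gen_audit_rules OUTFILE SUBJ_TYPE
#   SUBJ_TYPE: SELinux type of the noisy process to silence (hypothetical,
#   e.g. backup_t); find the real one with: ps -eZ | grep <process>
gen_audit_rules() {
  out=$1
  noisy_type=$2
  cat > "$out" <<EOF
## Flush existing rules, then enlarge the kernel backlog before loading
## (this is the kernel buffer from item 1; priority_boost lives in
## auditd.conf, not here)
-D
-b 99999

## Suppressions first: a matching "never" rule ends the kernel's rule walk
## 3a. single noisy file (rule from the thread)
-a exit,never -F path=/etc/sysconfig/bash-prompt-xterm
## 3b. whole noisy process, matched by SELinux subject type instead of PID,
##     so it survives restarts without tracking PIDs
-a exit,never -F subj_type=${noisy_type}

## Then the rules we actually want to keep (placeholder watches)
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-a exit,always -F arch=b64 -S execve -k exec
EOF
}

# check_never_first FILE
#   exit 0 if no "-a exit,never" line appears after an "-a exit,always" or
#   "-w" line; otherwise print each misplaced suppression and exit 1.
check_never_first() {
  awk '
    /^-a exit,always/ || /^-w / { seen_always = 1 }
    /^-a exit,never/ && seen_always { print "never rule after always rule: " $0; bad = 1 }
    END { if (bad) exit 1; exit 0 }
  ' "$1"
}
```

Load the generated file with `auditctl -R FILE` after `check_never_first FILE` succeeds; if you use `-D` at the top as shown, load it once at startup rather than appending to a live rule set.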



