[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: auditd questions

On Thursday, September 08, 2011 02:38:03 AM Vipin Rathor wrote:
> My auditd server is getting overwhelm by the logs that it is getting.

This is almost always means the rules are not properly tuned.

> I've configured a remote audit logging via audisp-plugin. Earlier I
> tried to reduce the amount of logs by optimizing the audit rules. But
> we want to reduce it further.
> Here's the list of things that I can think to reduce the overwhelming
> of logs further:
> 1. Increase kernel buffer for auditd from 20480 (current) to 99999.
> 2. Increase the priority of auditd process. Currently 'priority_boost
> = 10'. Default is 4. I don't know the maximum value (though I've seen
> someone using 12). Can anyone tell me what's the maximum priority I
> can give?

Probably 19. This is dictated by the kernel. See the nice(1) command.

> 3. Optimize the audit messages further:
>   a. Exclude single file (like /etc/sysconfig/bash-prompt-xterm ) from
> being audited. This can be done with following rule (Thanks to
> Steve!):
> -a exit,never -F path=/etc/sysconfig/bash-prompt-xterm
>   b. Exclude specific processes by their PIDs. This will be tricky as
> we will need to keep track of PIDs incase of process
> start/stop/restart etc.

Yes, but you may be able to use the SE Linux label to prevent auditing of the process.


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]