auditd questions

Steve Grubb sgrubb at redhat.com
Thu Sep 8 13:14:47 UTC 2011


On Thursday, September 08, 2011 02:38:03 AM Vipin Rathor wrote:
> My auditd server is getting overwhelmed by the logs that it is getting.

This almost always means the rules are not properly tuned.

> I've configured a remote audit logging via audisp-plugin. Earlier I
> tried to reduce the amount of logs by optimizing the audit rules. But
> we want to reduce it further.
> Here's the list of things that I can think to reduce the overwhelming
> of logs further:
> 1. Increase kernel buffer for auditd from 20480 (current) to 99999.
> 2. Increase the priority of auditd process. Currently 'priority_boost
> = 10'. Default is 4. I don't know the maximum value (though I've seen
> someone using 12). Can anyone tell me what's the maximum priority I
> can give?

Probably 19. This is dictated by the kernel. See the nice(1) command.


> 3. Optimize the audit messages further:
>   a. Exclude single file (like /etc/sysconfig/bash-prompt-xterm ) from
> being audited. This can be done with following rule (Thanks to
> Steve!):
> -a exit,never -F path=/etc/sysconfig/bash-prompt-xterm
>   b. Exclude specific processes by their PIDs. This will be tricky as
> we will need to keep track of PIDs in case of process
> start/stop/restart etc.

Yes, but you may be able to use the SELinux label to prevent auditing of the process.

-Steve
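The tuning points raised in the thread (raising the kernel backlog, excluding a single path with an `exit,never` rule, and suppressing a process by its SELinux label) fit in a single rules file, with one caveat worth checking: the kernel stops at the first rule that matches, so `never` rules only work when they come before the `always` rules and `-w` watches they are meant to short-circuit. The script below is an added example, not code from the thread or from the audit project; the domain `example_noisy_t`, the watched paths and the rules file path are constructed placeholders, and the order check is a plain-text sanity check, not something `auditctl` does for you.

```shell
#!/bin/sh
# Constructed example: write a small tuned audit rules file and verify that
# every exclusion rule precedes the first rule that would otherwise match.

# write_rules FILE: emit a rules file in the order auditd should load it.
write_rules() {
cat > "$1" <<'EOF'
## Larger kernel backlog so bursts are queued instead of dropped (20480 is the
## value mentioned in the thread; tune to the host)
-b 20480
## Exclusions FIRST: the kernel applies the first matching rule in the list
-a exit,never -F path=/etc/sysconfig/bash-prompt-xterm
## Assumed SELinux domain of a noisy daemon; records from processes running in
## this domain are dropped before the always rules below are consulted
-a exit,never -F subj_type=example_noisy_t
## Only now the rules that actually generate records
-w /etc/passwd -p wa -k identity
-a exit,always -F arch=b64 -S execve -k exec
EOF
}

# check_order FILE: return 0 when every exit,never rule appears before the
# first exit,always rule or -w watch; return 1 when a never rule comes too
# late to suppress anything (first match wins, so it would be dead).
check_order() {
awk '
    /^-a[[:space:]]+(exit,always|always,exit)/ { seen_always = 1 }
    /^-w[[:space:]]/                            { seen_always = 1 }
    /^-a[[:space:]]+(exit,never|never,exit)/ && seen_always { bad = 1 }
    END { exit bad ? 1 : 0 }
' "$1"
}

# Stand-alone usage: build the file and report the ordering result.
if [ "${1:-}" = "--demo" ]; then
    f=$(mktemp)
    write_rules "$f"
    if check_order "$f"; then
        echo "rule order ok: $f"
    else
        echo "WARNING: never rule placed after an always rule in $f" >&2
    fi
fi
```

Run with `--demo` to generate the file; to actually load it, the lines would go into `/etc/audit/rules.d/` (or wherever the host keeps its rules) and be loaded with `augenrules` or `auditctl -R`. The check only looks at rule order; it does not validate field names, so keep `auditctl` as the final authority.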



