Need help with understanding auditd rules

Michael C Mc Quaid Michael.C.Mc.Quaid at raytheon.com
Fri Aug 28 12:31:18 UTC 2015


Good Morning,

I don't know if this is an appropriate use of this group email, but after days and days of trying, we are not able to fix the auditing problem we are having, and we're desperate for help.

We need to audit our system to meet new security standards, which we have been able to do via the audit.rules file on our RHEL 5 and 6 nodes.  However, we also have to run the hp-health packages on our systems to remotely monitor our systems with HP Insight Manager.  When we run the hp-health processes, our auditd logs go from ~1000 entries to ~35,000 entries (every 10 min), which is causing a problem in moving our audit logs to our storage system.

We have set up rules to "never" audit the hp-health processes themselves, but this does not fix the problem.  It only reduces the number of entries by ~10,000.  It seems that the hp-ilo module loaded in the kernel is running system "checks" at a very rapid pace and is reporting them to the hp-snmp-agent processes (which are the ones we have set up never-audit rules for).  We don't know how to set up a rule to eliminate the monitoring of these ilo activities (which are a combination of chmods/touches/opens/execves/etc.), while continuing to monitor these syscalls for the rest of the system.

Are you aware of anyone else who has run into this problem, or is there a thread on your web page we can look at (we looked, but could not find anything)?  We are looking for a way to set up a rule to not monitor any of the Insight Manager activity but still maintain the capability to monitor all of our other syscalls.

Thanks in advance for your help.

Mike McQuaid.
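The following is an added example, not code from the original post or from the hp-health packages. It shows the triage step a practitioner would take before writing suppression rules: count SYSCALL records per executable from the audit log to find the real noise sources, then emit an audit.rules file in which the "never" rules come before the "always" rules, because auditctl(8) applies the first matching rule and recommends placing suppressions at the top of the list. The log lines, process names (hpasmlited, cmahostd) and paths are constructed assumptions; on a real host replace sample_log with `cat /var/log/audit/audit.log` or `ausearch -m SYSCALL --raw`. The generated rules use `-F exe=`, which requires a newer audit stack than RHEL 5/6 originally shipped; check `man auditctl` on the target, and on an older stack substitute a field the kernel supports (for example a path or dir watch on the device nodes the agents touch).

```shell
#!/bin/sh
# Added example (not from the original post): rank executables behind a flood of
# auditd SYSCALL records and emit a rules file with "never" rules first, since
# auditctl matches rules in order and the first match wins.
# All records below are constructed; paths and process names are assumptions.

# Constructed sample of audit.log records (timestamps, pids, inodes invented).
sample_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1440765001.101:2001): arch=c000003e syscall=2 success=yes exit=3 ppid=1 pid=2345 auid=4294967295 uid=0 gid=0 comm="hpasmlited" exe="/opt/hp/hp-health/sbin/hpasmlited" key="fs_access"
type=CWD msg=audit(1440765001.101:2001):  cwd="/"
type=PATH msg=audit(1440765001.101:2001): item=0 name="/dev/hpilo/d0ccb0" inode=1234 dev=00:05 mode=0100600 ouid=0 ogid=0 rdev=f8:00
type=SYSCALL msg=audit(1440765001.203:2002): arch=c000003e syscall=90 success=yes exit=0 ppid=1 pid=2346 auid=4294967295 uid=0 gid=0 comm="hpasmlited" exe="/opt/hp/hp-health/sbin/hpasmlited" key="perm_mod"
type=SYSCALL msg=audit(1440765001.305:2003): arch=c000003e syscall=59 success=yes exit=0 ppid=2350 pid=2351 auid=4294967295 uid=0 gid=0 comm="cmahostd" exe="/opt/hp/hp-snmp-agents/sbin/cmahostd" key="exec"
type=SYSCALL msg=audit(1440765001.407:2004): arch=c000003e syscall=2 success=yes exit=4 ppid=1 pid=2345 auid=4294967295 uid=0 gid=0 comm="hpasmlited" exe="/opt/hp/hp-health/sbin/hpasmlited" key="fs_access"
type=SYSCALL msg=audit(1440765002.509:2005): arch=c000003e syscall=2 success=yes exit=3 ppid=4000 pid=4001 auid=1000 uid=1000 gid=1000 comm="vim" exe="/usr/bin/vim" key="fs_access"
EOF
}

# SYSCALL records per executable, most frequent first, as "<count> <exe>".
# Only SYSCALL lines carry exe=; the CWD/PATH lines of the same event are skipped.
count_by_exe() {
    sample_log | grep '^type=SYSCALL ' \
        | sed -n 's/.* exe="\([^"]*\)".*/\1/p' \
        | sort | uniq -c | sort -rn | awk '{print $1, $2}'
}

# Executables with more than $1 records in the sample (the suppression candidates).
noisy_exes() {
    count_by_exe | awk -v min="$1" '$1 > min {print $2}'
}

# Emit an audit.rules body: suppressions first (first match wins), then the
# watches the site actually wants. The "always" rules are an assumed policy.
gen_rules() {
    noisy_exes "${1:-1}" | while IFS= read -r exe; do
        printf '%s\n' "-a never,exit -F arch=b64 -S all -F exe=$exe"
        printf '%s\n' "-a never,exit -F arch=b32 -S all -F exe=$exe"
    done
    printf '%s\n' "-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -k perm_mod"
    printf '%s\n' "-a always,exit -F arch=b64 -S open,openat,creat -F exit=-EACCES -k fs_access"
    printf '%s\n' "-a always,exit -F arch=b64 -S execve -k exec"
}

# Ordering check on stdin: exit 0 if no "never" rule follows an "always" rule.
check_order() {
    awk 'BEGIN { seen_always = 0; bad = 0 }
         /^-a always,/ { seen_always = 1 }
         /^-a never,/ && seen_always { bad = 1 }
         END { exit bad }'
}

# Usage: print the ranking, then the rules, and verify their order.
count_by_exe
gen_rules 1 | tee /dev/stderr | check_order && echo "rule order OK"
```

Load the generated file with `auditctl -R` (or put it in audit.rules and restart auditd) and re-run the count over a fresh window; if the volume is still high, the remaining records name the executable that actually needs the next suppression.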