[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

configuration for busy docker host

Hello Audit team,

As I have not found a location anywhere else on the web, I am sending my question to this list. I have an Ubuntu 18.04 machine with auditd and it acts as a Docker Host machine. I have hardened the system via this package: https://github.com/konstruktoid/hardening which installs auditd with the configuration to be found here: https://github.com/konstruktoid/hardening/blob/master/misc/audit.rules.

The problems I have are related to the directives -f and -b. The hardening package uses -b 8192 and -f 2. That results in a kernel panic very quickly because of audit backlog limit exceeded, and that causes a reboot of the system. Now I wonder what a good configuration would be. I started reading on the subject and read that -f 2 is probably the best for security reasons. However, I do not want to have a system that panics very quickly and reboots.

Should I simply increase the backlog to much higher numbers? Or should I change -f to not cause a kernel panic? Or am I missing something and should I change some other configuration? Thanks for your help.

Kind regards,
Frederik Bosch

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]