I don't typically monitor this list too closely which is why this is so
late but I might have a rule to help you trim things down. This has so
far passed muster for NISPOM, but I'm not too familiar with DIACAP STIG
(yet, it's coming I think!).
Once you get your RULE7 trimmed down you may run into an excessive
number of unsuccessful open calls. Especially if your systems are used
for any kind of development (like mine). The reason is that as your shell
searches through the path looking for an executable you get lots of
failures due to it not existing in various places. I think you may not
run into too many issues with an actual shell because they typically
cache the locations, but running something like Make hits them all the
time.
Anyway, to cut down on those and be able to defend it you can exclude
failures due to non-existence:
-a exit,always -S open -F success=0 -F exit!=-2
It looks like maybe you can use the actual errno here, but maybe not on
my old version? But I'm using the above rule on a RHEL 4 box
successfully. It pretty much single-handedly took our logs from
unmanageable (not to mention a MAJOR performance hit for compiles) to
usable.
Troy Curtis, Jr.
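An added example, not code from either message in this thread, that does the triage Troy describes offline: count hits per rule key the way the aureport summary does, show which syscall numbers a noisy key is actually matching, and estimate how many failed open() records an `-F exit!=-2` (ENOENT) filter would drop before the live rules are changed. The sample records, syscall numbers and exit values are constructed for illustration.

```python
"""Triage auditd SYSCALL records offline: hits per rule key (as in the
aureport summary), which syscall numbers sit behind a noisy key, and
how many failed open() records an '-F exit!=-2' (ENOENT) filter would
drop before the live rule set is changed."""
import re
from collections import Counter

# Constructed sample records in auditd's raw key=value format. Values are
# made up for illustration; arch=40000003 is AUDIT_ARCH_I386, where
# syscall 5 is open, 10 is unlink and 142 is _newselect.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1209159468.568:194518): arch=40000003 syscall=142 success=yes exit=0 comm="savd" exe="/opt/sophos-av/engine/_/savd.0" key="RULE7"
type=SYSCALL msg=audit(1209159468.570:194520): arch=40000003 syscall=5 success=no exit=-2 comm="make" exe="/usr/bin/make" key="RULE1"
type=SYSCALL msg=audit(1209159468.571:194521): arch=40000003 syscall=5 success=no exit=-2 comm="make" exe="/usr/bin/make" key="RULE1"
type=SYSCALL msg=audit(1209159468.572:194522): arch=40000003 syscall=5 success=no exit=-13 comm="cat" exe="/bin/cat" key="RULE1"
type=SYSCALL msg=audit(1209159468.573:194523): arch=40000003 syscall=10 success=yes exit=0 comm="rm" exe="/bin/rm" key="RULE2"
type=PATH msg=audit(1209159468.573:194523): item=0 name="/tmp/x" inode=12 dev=08:01 mode=0100644 ouid=0 ogid=0 rdev=00:00
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_records(text):
    """Yield one {field: value} dict per SYSCALL record; other types are skipped."""
    for line in text.splitlines():
        if line.startswith("type=SYSCALL "):
            yield {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def hits_per_key(text):
    """Count SYSCALL records per rule key (the RULEn totals from the thread)."""
    return Counter(r.get("key", "(none)") for r in parse_records(text))

def syscalls_under_key(text, key):
    """Which syscall numbers a key is actually matching, most frequent first."""
    return Counter(r["syscall"] for r in parse_records(text) if r.get("key") == key)

def enoent_filter_savings(text, key):
    """Return (kept, dropped) for records under `key` if the rule gained
    '-F exit!=-2': ENOENT failures go away, every other record stays."""
    kept = dropped = 0
    for r in parse_records(text):
        if r.get("key") != key:
            continue
        if r.get("success") == "no" and int(r.get("exit", "0")) == -2:
            dropped += 1
        else:
            kept += 1
    return kept, dropped

if __name__ == "__main__":
    for key, n in sorted(hits_per_key(SAMPLE_LOG).items()):
        print(f"{key}: {n} hits, syscalls {dict(syscalls_under_key(SAMPLE_LOG, key))}")
    print("RULE1 with exit!=-2 (kept, dropped):", enoent_filter_savings(SAMPLE_LOG, "RULE1"))
```

Run it against a real audit.log (or `ausearch --raw` output) to see which syscall numbers dominate a key and how much of a rule's volume is ENOENT noise before editing audit.rules.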
-----Original Message-----
From: linux-audit-bounces(a)redhat.com
[mailto:linux-audit-bounces@redhat.com] On Behalf Of Jeremy Leonard
Sent: Friday, May 09, 2008 3:21 PM
To: linux-audit(a)redhat.com
Subject: Way too many logs!
Here are the rules I'm using:
-D
-b 8096
-a exit,always -S open -F success=0 -k RULE1
-a exit,always -S unlink -S rmdir -k RULE2
-w /etc/auditd.conf -k RULE3
-w /etc/audit.rules -k RULE4
-a exit,always -S acct -S reboot -S swapon -k RULE5
-a exit,always -S settimeofday -S setrlimit -S setdomainname -k RULE6
-a exit,always -S sched_setparam -S sched_setscheduler -k RULE7
-a exit,always -S chmod -S fchmod -S chown -S fchown -k RULE8
-a exit,always -S lchown -k RULE9
Here is the output of aureport:
Summary Report
======================
Range of time: 04/25/08 16:37:44.116 - 04/25/08 16:47:29.266
Number of changes in configuration: 22
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 0
Number of users: 2
Number of terminals: 4
Number of host names: 2
Number of executables: 33
Number of files: 693
Number of AVC denials: 0
Number of MAC events: 0
Number of failed syscalls: 4052
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of process IDs: 1428
Number of events: 1444530
This is 475mb in ten minutes!
Here is how the rule hits add up:
RULE1: 4052
RULE2: 601
RULE3: 9
RULE4: 1
RULE5: 0
RULE6: 40
RULE7: 1438239
RULE8: 1503
RULE9: 0
Here is one of the log entries I have so many of.
type=SYSCALL msg=audit(04/25/08 16:37:48.568:194518) : arch=i386
syscall=_newselect per=400000 success=yes exit=0 a0=13 a1=f692e220 a2=0
a3=0 items=0 ppid=1 pid=4012 auid=unknown(4294967295) uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
comm=savd exe=/opt/sophos-av/engine/_/savd.0 subj=unconstrained
key="RULE7"
How can I exclude this so it doesn't get logged?
The rules I have above are required by the government (DIACAP STIG).
Thanks!
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit