Re: Filesystem filling up ...
On 6/27/07, Aaron Lippold <lippold(a)gmail.com> wrote:
Hello,
I was hoping some smarter audit folks than I could look at this small
set of rules and let me know if anythings seem: 1) way too broad 2)
would fill up a file system fast 3) could use improvement
cat << 'EOF' > /etc/audit/audit.rules
## Submitted by JasonM at FSO.
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
-D
# Feel free to add below this line. See auditctl man page
# Increase the buffers to survive stress events
-b 256
-e 1
# Audit Failed opens
-a exit,always -S open -F success!=0
#
# Audit success and failure of delete
-a exit,always -S unlink -S rmdir
#
# Audit success and failure of admin actions
#-a task,always -F uid=0
-w /var/log/audit/ -k ADMIN
-w /etc/auditd.conf -k ADMIN
-w /etc/audit.rules -k ADMIN
-a exit,always -S stime -S acct -S reboot -S swapon -S settimeofday -S setrlimit
-a exit,always -S setdomainname -S sched_setparam -S sched_setscheduler
EOF
Some of my end users are saying their logging a lot of audits. We are
using the same kickstart file but my test systems are not filling up.
Not one of the smarter people... but I would think that you would need
to see what the others are seeing in large amounts and what you are
not seeing on the test boxes.
--
Linux-audit mailing list
Linux-audit(a)redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"