Re: Systemd Journald and audit logging causing journal issues

On Wednesday, October 18, 2017 11:14:31 AM EDT Brad Zynda wrote: > Here is an output from the server with PATH audit type re-allowed > (everything back to normal): > > Key Summary Report > =========================== > total key > =========================== > 6019 perm_mod > 3878 delete > 964 access > 96 privileged > 57 time-change > 51 session > 41 modules > 20 logins > 6 system-locale > 5 identity > 2 mounts > 2 scope > 2 actions > 1 MAC-policy > > Now this is probably not a peak result but I have come across 2 questions.. > > 1. I wanted to cron this and email results but get, verified path sbin: > > Key Summary Report > =========================== > total key > =========================== > <no events of interest were found> This is a well known problem. From aureport man page: --input-logs Use the log file location from auditd.conf as input for analy‐ sis. This is needed if you are using aureport from a cron job. ausearch/report can be piped to by stdin. This takes priority over the logs. Cron uses pipes for all 3 descriptors. Therefore you have to tell them to ignore what they are seeing and just use the logs. > 2. If it ends up being perm_mod as the high count what is the next step > to identify the rule in question? grep perm_mod /etc/audit/audit.rules delete also looks excessive. -Steve