On Friday 09 May 2008 16:43:38 Steve Grubb wrote:
> The rules I have above are required by the government. DIACAP STIG
Do you need to log all changes to the scheduler? Or just the changes caused
by users? If the latter, you can cut back your events like this:
-a exit,always -S sched_setparam -S sched_setscheduler -F auid>=500 -k RULE7
I should mention the above rule is probably not correct. It's better to state it
this way:
-a exit,always -F arch=b32 -S sched_setparam -S sched_setscheduler -F auid>=500 -F auid!=4294967295 -k RULE7
-a exit,always -F arch=b64 -S sched_setparam -S sched_setscheduler -F auid>=500 -F auid!=4294967295 -k RULE7
The reason why is that you also have to check for the unset auid and set
a rule for each arch if it's a bi-arch system (x86_64).
-Steve
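The two pitfalls in the message above (an auid>= filter that still matches the unset login uid 4294967295, and a syscall rule with no -F arch= filter on a bi-arch host) are easy to catch mechanically before a rules file is loaded. The following is an added example, not code from this thread or from the audit project: a small lint over auditctl-style -a rules, plus a helper that emits the corrected b32/b64 pair in the form Steve gives. The sample rules file is constructed for the example; the function names and the acceptance of "auid!=unset" and "auid!=-1" as equivalent spellings of the exclusion are assumptions of this example.

```python
"""Lint auditctl-style syscall rules for two pitfalls: a user-attributed
rule that does not exclude the unset auid, and a syscall rule with no
-F arch= filter (needed once per arch on a bi-arch host such as x86_64).
Added example; not part of the original thread."""
import shlex

UNSET_AUID = "4294967295"  # the unset loginuid value from the thread

# Constructed sample rules file: line 1 is the "probably not correct"
# form, lines 2-3 are the corrected pair, line 4 is a file watch.
SAMPLE_RULES = """\
-a exit,always -S sched_setparam -S sched_setscheduler -F auid>=500 -k RULE7
-a exit,always -F arch=b32 -S sched_setparam -S sched_setscheduler -F auid>=500 -F auid!=4294967295 -k RULE7
-a exit,always -F arch=b64 -S sched_setparam -S sched_setscheduler -F auid>=500 -F auid!=4294967295 -k RULE7
-w /etc/shadow -p wa -k shadow
"""

# Spellings assumed here to be equivalent ways of excluding the unset auid.
UNSET_EXCLUSIONS = ("auid!=" + UNSET_AUID, "auid!=unset", "auid!=-1")


def parse_rule(line):
    """Split one '-a' rule into syscalls, -F filters and key.
    Returns None for anything that is not a syscall rule (-w, -D, ...)."""
    toks = shlex.split(line)
    if len(toks) < 2 or toks[0] != "-a":
        return None
    rule = {"action": toks[1], "syscalls": [], "filters": [], "key": None}
    i = 2
    while i < len(toks):
        flag = toks[i]
        if flag in ("-S", "-F", "-k") and i + 1 < len(toks):
            val = toks[i + 1]
            if flag == "-S":
                rule["syscalls"].append(val)
            elif flag == "-F":
                rule["filters"].append(val)
            else:
                rule["key"] = val
            i += 2
        else:
            i += 1
    return rule


def lint_rule(rule):
    """Return the list of problems found in one parsed syscall rule."""
    problems = []
    filters = rule["filters"]
    if rule["syscalls"] and not any(f.startswith("arch=") for f in filters):
        problems.append("missing -F arch= (one rule per arch on bi-arch hosts)")
    bounded = any(f.startswith("auid>=") or f.startswith("auid>") for f in filters)
    excludes_unset = any(f in UNSET_EXCLUSIONS for f in filters)
    if bounded and not excludes_unset:
        problems.append("auid>= filter without -F auid!=%s" % UNSET_AUID)
    return problems


def lint_rules(text):
    """Lint every -a rule in a rules file; returns {line_no: [problems]}."""
    findings = {}
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        rule = parse_rule(line)
        if rule is None:
            continue
        probs = lint_rule(rule)
        if probs:
            findings[n] = probs
    return findings


def bi_arch_rules(syscalls, min_auid, key):
    """Emit the corrected b32/b64 rule pair in the form given in the thread."""
    base = " ".join("-S %s" % s for s in syscalls)
    return ["-a exit,always -F arch=%s %s -F auid>=%d -F auid!=%s -k %s"
            % (arch, base, min_auid, UNSET_AUID, key) for arch in ("b32", "b64")]


if __name__ == "__main__":
    for n, probs in sorted(lint_rules(SAMPLE_RULES).items()):
        print("line %d: %s" % (n, "; ".join(probs)))
    print("\n".join(bi_arch_rules(["sched_setparam", "sched_setscheduler"], 500, "RULE7")))
```

Running it against the constructed file reports only line 1, with both problems, and prints the same two corrected rules that appear in the message; the lint deliberately ignores -w watches, which carry no arch or auid filters.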