Red Hat 5.3 running audit 1.7.7-6
Rotating logs at 20 megs and allowing 8 logs
Rules have watches and syscalls from the SECSCAN recommendations, and have
added some of Steve Grubb's recommendations.
When we extract and archive the audit logs we get "Error receiving audit
netlink packet (No buffer space available)" and "error sending signal info
request".
Our extract is: stop auditd, then create a file and run ausearch -i > file,
then run aureport -i > file; once that is done we delete all the logs and
restart auditd.
If I run this manually it works fine, but if I have it running in a cron job
we get kernel panics, lockups and log data loss plus the buffer messages.
I added "-r 0" to the audit.rules but it does not seem to work. We run a
very similar configuration on Red Hat ES and AS 4 with no problems.
We are testing the subject systems and running a looping regression test
that can fill the audit logs in a little over an hour at the present
settings.
Thoughts or ideas??
Thanks.
David Flatley CISSP
I.T. Specialist, Managing Consultant
Member: ISC2, ISACA, Center for Internet Security
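As an added example (not the poster's script, and not part of the audit package), the stop / extract / delete / restart sequence described in the message written as a cron-runnable script. The one deliberate change is that the raw audit.log* files are moved into a timestamped archive directory and compressed rather than deleted: the interpreted ausearch and aureport output is convenient for review, but only the raw records can be re-queried if an incident later needs to be investigated. Assumptions: an RHEL 5 layout with logs in /var/log/audit and the init script at /etc/init.d/auditd, and audit 1.x ausearch/aureport on PATH accepting -if to read one log file instead of the live log. The archive_audit_logs and count_archived_logs functions work on any directory, so they can be exercised against constructed sample logs without auditd present.

```shell
#!/bin/sh
# Added example, not the poster's script: stop auditd, extract interpreted
# reports, rotate the raw logs into a compressed archive, restart auditd.
# Assumes RHEL 5 paths (/var/log/audit, /etc/init.d/auditd) and audit 1.x
# ausearch/aureport that accept -if <file>.

AUDIT_LOG_DIR="${AUDIT_LOG_DIR:-/var/log/audit}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/var/log/audit-archive}"

# archive_audit_logs SRC DEST STAMP
# Moves every audit.log* file from SRC into DEST/STAMP, writes interpreted
# ausearch and aureport output beside them (read from the moved files with
# -if, not from the live log), then gzips the raw logs so they are kept.
# Prints the archive directory; returns 1 when SRC holds no logs or a
# required step fails.
archive_audit_logs() {
    src="$1"; dest="$2"; stamp="$3"
    target="$dest/$stamp"
    mkdir -p "$target" || return 1
    chmod 0700 "$target" || return 1          # audit data is sensitive
    moved=0
    for f in "$src"/audit.log*; do
        [ -f "$f" ] || continue
        mv "$f" "$target/" || return 1
        moved=$((moved + 1))
    done
    [ "$moved" -gt 0 ] || return 1
    # One input file per invocation; a failed report must not abort rotation.
    for f in "$target"/audit.log*; do
        if command -v ausearch >/dev/null 2>&1; then
            ausearch -if "$f" -i >>"$target/ausearch.txt" 2>/dev/null || true
        fi
        if command -v aureport >/dev/null 2>&1; then
            aureport -if "$f" -i >>"$target/aureport.txt" 2>/dev/null || true
        fi
    done
    gzip -f "$target"/audit.log* || return 1
    printf '%s\n' "$target"
}

# count_archived_logs DIR: number of compressed raw logs kept in DIR.
count_archived_logs() {
    n=0
    for f in "$1"/audit.log*.gz; do
        if [ -f "$f" ]; then n=$((n + 1)); fi
    done
    echo "$n"
}

# rotate_audit_logs: the cron entry point. auditd is stopped for the
# duration so no file is being appended to while it is moved, and it is
# restarted even if the archive step fails.
rotate_audit_logs() {
    [ "$(id -u)" -eq 0 ] || { echo "must run as root" >&2; return 1; }
    /etc/init.d/auditd stop || return 1
    archive_audit_logs "$AUDIT_LOG_DIR" "$ARCHIVE_DIR" "$(date +%Y%m%d-%H%M%S)"
    rc=$?
    /etc/init.d/auditd start || return 1
    return $rc
}

# Only perform the live rotation when explicitly asked, e.g. from cron:
#   AUDIT_ROTATE_RUN=1 /usr/local/sbin/audit-rotate.sh
if [ "${AUDIT_ROTATE_RUN:-0}" = "1" ]; then
    rotate_audit_logs
fi
```

Because the raw logs are moved out of /var/log/audit before auditd is restarted, the daemon starts on an empty log exactly as in the original procedure, but nothing is lost: each archive directory holds the gzipped records plus the interpreted ausearch.txt and aureport.txt that the original extract produced.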