1:38 a.m.
Hi Guys,
My auditd server is getting overwhelm by the logs that it is getting.
I've configured a remote audit logging via audisp-plugin. Earlier I
tried to reduce the amount of logs by optimizing the audit rules. But
we want to reduce it further.
Here's the list of things that I can think to reduce the overwhelming
of logs further:
1. Increase kernel buffer for auditd from 20480 (current) to 99999.
2. Increase the priority of auditd process. Currently 'priority_boost
= 10'. Default is 4. I don't know the maximum value (though I've seen
someone using 12). Can anyone tell me what's the maximum priority I
can give?
3. Optimize the audit messages further:
a. Exclude single file (like /etc/sysconfig/bash-prompt-xterm ) from
being audited. This can be done with following rule (Thanks to
Steve!):
-a exit,never -F path=/etc/sysconfig/bash-prompt-xterm
b. Exclude specific processes by their PIDs. This will be tricky as
we will need to keep track of PIDs incase of process
start/stop/restart etc.
Any other idea that I'm missing on this list? Is it possible to filter
the messages based on message pattern matching (like syslog)?
Any help will be much appreciated.
--
-Rathor
8:14 a.m.
On Thursday, September 08, 2011 02:38:03 AM Vipin Rathor wrote:
My auditd server is getting overwhelm by the logs that it is getting.
This is almost always means the rules are not properly tuned.
I've configured a remote audit logging via audisp-plugin. Earlier
I
tried to reduce the amount of logs by optimizing the audit rules. But
we want to reduce it further.
Here's the list of things that I can think to reduce the overwhelming
of logs further:
1. Increase kernel buffer for auditd from 20480 (current) to 99999.
2. Increase the priority of auditd process. Currently 'priority_boost
= 10'. Default is 4. I don't know the maximum value (though I've seen
someone using 12). Can anyone tell me what's the maximum priority I
can give?
Probably 19. This is dictated by the kernel. See the nice(1) command.
3. Optimize the audit messages further:
a. Exclude single file (like /etc/sysconfig/bash-prompt-xterm ) from
being audited. This can be done with following rule (Thanks to
Steve!):
-a exit,never -F path=/etc/sysconfig/bash-prompt-xterm
b. Exclude specific processes by their PIDs. This will be tricky as
we will need to keep track of PIDs incase of process
start/stop/restart etc.
Yes, but you may be able to use the SE Linux label to prevent auditing of the process.
-Steve
11:55 p.m.
Yes, but you may be able to use the SE Linux label to prevent
auditing of the process.
Steve, can you please tell me more about how to make use of
the
SELinux label here?
On Thu, Sep 8, 2011 at 6:44 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
> On Thursday, September 08, 2011 02:38:03 AM Vipin Rathor wrote:
>> My auditd server is getting overwhelm by the logs that it is getting.
>
> This is almost always means the rules are not properly tuned.
>
>> I've configured a remote audit logging via audisp-plugin. Earlier I
>> tried to reduce the amount of logs by optimizing the audit rules. But
>> we want to reduce it further.
>> Here's the list of things that I can think to reduce the overwhelming
>> of logs further:
>> 1. Increase kernel buffer for auditd from 20480 (current) to 99999.
>> 2. Increase the priority of auditd process. Currently 'priority_boost
>> = 10'. Default is 4. I don't know the maximum value (though I've
seen
>> someone using 12). Can anyone tell me what's the maximum priority I
>> can give?
>
> Probably 19. This is dictated by the kernel. See the nice(1) command.
>
>
>> 3. Optimize the audit messages further:
>> a. Exclude single file (like /etc/sysconfig/bash-prompt-xterm ) from
>> being audited. This can be done with following rule (Thanks to
>> Steve!):
>> -a exit,never -F path=/etc/sysconfig/bash-prompt-xterm
>> b. Exclude specific processes by their PIDs. This will be tricky as
>> we will need to keep track of PIDs incase of process
>> start/stop/restart etc.
>
Yes, but you may be able to use the SE Linux label to prevent
auditing of the process.
>
> -Steve
>
--
-Rathor
4853
days inactive
4854
days old
linux-audit@lists.linux-audit.osci.io
2 comments
2 participants
participants (2)
-
Steve Grubb -
Vipin Rathor