Thank you for the advice. I will send this on to the testers.
Hopefully we can get this worked out.
By the way, does anyone know of an audit.rules repository list where
some baselines of tested/documented configs can be downloaded?
Yours,
Aaron
On 7/3/07, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Wednesday 27 June 2007 01:42:39 pm Aaron Lippold wrote:
> I was hoping some smarter audit folks than I could look at this small
> set of rules and let me know if anything seems: 1) way too broad 2)
> would fill up a file system fast 3) could use improvement
> # Audit Failed opens
> -a exit,always -S open -F success!=0
Maybe:
-a exit,always -S open -F exit=-13
-a exit,always -S open -F exit=-1
> #
> # Audit success and failure of delete
> -a exit,always -S unlink -S rmdir
> #
> # Audit success and failure of admin actions
> #-a task,always -F uid=0
> -w /var/log/audit/ -k ADMIN
> -w /etc/auditd.conf -k ADMIN
> -w /etc/audit.rules -k ADMIN
> -a exit,always -S stime -S acct -S reboot -S swapon -S settimeofday -S setrlimit
> -a exit,always -S setdomainname -S sched_setparam -S sched_setscheduler
> EOF
Some of these may be broad. setrlimit for example.
> Some of my end users are saying they're logging a lot of audits. We are
> using the same kickstart file but my test systems are not filling up.
You might be able to do some work with aureport to find out what is filling
your logs. Something like:
aureport --start this-week --summary -i --event
aureport --start this-week --summary -i --syscall
-Steve
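Added example, not part of the thread above and not Red Hat's or the audit project's own code: it shows why Steve's `-F exit=-13` / `-F exit=-1` rules are much quieter than `-F success!=0`. A failed open() that returns ENOENT (exit=-2) is produced constantly by PATH lookups, library probing and config-file searches, so auditing every failed open fills a log quickly; auditing only EACCES (-13) and EPERM (-1) keeps the permission denials an auditor actually wants. The script prints a tightened version of Aaron's rule set (setrlimit dropped, keys added) and runs both filters over a handful of constructed SYSCALL records, the way `aureport --summary` would break the real log down. Assumptions: x86_64 syscall numbers (open = 2, unlink = 87), errno values EPERM=1, ENOENT=2, EACCES=13; the log lines are constructed, not captured from a real system.

```bash
#!/usr/bin/env bash
# Added example (not from the original thread). Demonstrates the difference
# between auditing every failed open() and auditing only permission denials,
# using constructed audit.log SYSCALL records and awk in place of aureport.
set -eu

# Tightened rule set. Steve's suggestion: match EACCES (-13) and EPERM (-1)
# instead of every failure; setrlimit is dropped as too broad. Newer auditctl
# also accepts symbolic names, e.g. -F exit=-EACCES. Load with: auditctl -R FILE
print_rules() {
    cat <<'EOF'
# Failed opens: permission denials only, not ENOENT noise
-a exit,always -S open -F exit=-13 -k failed-open
-a exit,always -S open -F exit=-1 -k failed-open
# Success and failure of delete
-a exit,always -S unlink -S rmdir -k delete
# Audit configuration and logs
-w /var/log/audit/ -k ADMIN
-w /etc/auditd.conf -k ADMIN
-w /etc/audit.rules -k ADMIN
# Clock, accounting, reboot, swap, scheduling, domain name
-a exit,always -S stime -S acct -S reboot -S swapon -S settimeofday -k admin-sys
-a exit,always -S setdomainname -S sched_setparam -S sched_setscheduler -k admin-sys
EOF
}

# Constructed sample of SYSCALL records (field set reduced; not real data).
# Four ENOENT opens, one EACCES, one EPERM, one successful open, one unlink.
SAMPLE_LOG='type=SYSCALL msg=audit(1183000000.101:1001): arch=c000003e syscall=2 success=no exit=-2 auid=500 uid=500 comm="bash" exe="/bin/bash" key="failed-open"
type=SYSCALL msg=audit(1183000000.102:1002): arch=c000003e syscall=2 success=no exit=-2 auid=500 uid=500 comm="ls" exe="/bin/ls" key="failed-open"
type=SYSCALL msg=audit(1183000000.103:1003): arch=c000003e syscall=2 success=no exit=-2 auid=500 uid=500 comm="vim" exe="/usr/bin/vim" key="failed-open"
type=SYSCALL msg=audit(1183000000.104:1004): arch=c000003e syscall=2 success=no exit=-2 auid=4294967295 uid=0 comm="cron" exe="/usr/sbin/cron" key="failed-open"
type=SYSCALL msg=audit(1183000000.105:1005): arch=c000003e syscall=2 success=no exit=-13 auid=500 uid=500 comm="cat" exe="/bin/cat" key="failed-open"
type=SYSCALL msg=audit(1183000000.106:1006): arch=c000003e syscall=2 success=no exit=-1 auid=500 uid=500 comm="mount" exe="/bin/mount" key="failed-open"
type=SYSCALL msg=audit(1183000000.107:1007): arch=c000003e syscall=2 success=yes exit=3 auid=500 uid=500 comm="cat" exe="/bin/cat"
type=SYSCALL msg=audit(1183000000.108:1008): arch=c000003e syscall=87 success=no exit=-2 auid=500 uid=500 comm="rm" exe="/bin/rm" key="delete"'

# Shared parser: emits "syscall success exit" for every SYSCALL record.
_syscall_fields() {
    printf '%s\n' "$SAMPLE_LOG" | awk '
        /type=SYSCALL/ {
            sc = ""; ex = ""; succ = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "syscall") sc = kv[2]
                else if (kv[1] == "exit") ex = kv[2]
                else if (kv[1] == "success") succ = kv[2]
            }
            print sc, succ, ex
        }'
}

# count_open_failures LIST: number of failed open() records whose exit value
# is in LIST (space-separated, e.g. "-1 -13"), or all failures if LIST="any".
# "any" is what -F success!=0 records; "-1 -13" is what Steve's rules record.
count_open_failures() {
    local want="$1"
    _syscall_fields | awk -v want="$want" '
        BEGIN { n = split(want, w, " "); for (i = 1; i <= n; i++) ok[w[i]] = 1 }
        $1 == "2" && $2 == "no" && (want == "any" || ($3 in ok)) { c++ }
        END { print c + 0 }'
}

# Break failed opens down by errno, most frequent first, the way
# "aureport --summary" shows which error is filling the log.
summarize_open_failures() {
    _syscall_fields | awk '$1 == "2" && $2 == "no" { n[$3]++ }
        END { for (e in n) print n[e], e }' | sort -rn
}

if [ "${1:-}" = "--demo" ]; then
    print_rules
    echo "failed opens, all errnos:    $(count_open_failures any)"
    echo "failed opens, EACCES/EPERM:  $(count_open_failures "-1 -13")"
    echo "breakdown (count errno):"; summarize_open_failures
fi
```

On a real system, replace the constructed `SAMPLE_LOG` with the output of `ausearch -sc open --raw`, or simply run Steve's `aureport --start this-week --summary -i --syscall` and `--event` to find the dominant record type before narrowing the rules.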