On Wednesday 27 June 2007 01:42:39 pm Aaron Lippold wrote:
I was hoping some smarter audit folks than I could look at this small
set of rules and let me know if anything seems: 1) way too broad 2)
would fill up a file system fast 3) could use improvement
# Audit Failed opens
-a exit,always -S open -F success!=0
Maybe:
-a exit,always -S open -F exit=-13
-a exit,always -S open -F exit=-1
#
# Audit success and failure of delete
-a exit,always -S unlink -S rmdir
#
# Audit success and failure of admin actions
#-a task,always -F uid=0
-w /var/log/audit/ -k ADMIN
-w /etc/auditd.conf -k ADMIN
-w /etc/audit.rules -k ADMIN
-a exit,always -S stime -S acct -S reboot -S swapon -S settimeofday -S setrlimit
-a exit,always -S setdomainname -S sched_setparam -S sched_setscheduler
EOF
Some of these may be broad. setrlimit for example.
Some of my end users are saying they're logging a lot of audits. We are
using the same kickstart file but my test systems are not filling up.
You might be able to do some work with aureport to find out what is filling
your logs. Something like:
aureport --start this-week --summary -i --event
aureport --start this-week --summary -i --syscall
-Steve
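An added example, not code from either message in the thread: a POSIX sh/awk script that produces the same two views Steve's aureport commands give (records per syscall, and for one syscall the breakdown of failure exit codes), run over a constructed, abbreviated audit.log so it works offline. It also shows why the original blanket rule "-S open -F success!=0" fills a log while Steve's "-F exit=-13" / "-F exit=-1" variants do not: on Linux the audit exit field is the negative errno, -13 is EACCES and -1 is EPERM, whereas most failed opens on a busy box return -2 (ENOENT) from programs probing for optional files. The function names, the sample records (PIDs, timestamps, comm values) and the x86_64 syscall-number table are all assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the thread: emulate
#   aureport --start this-week --summary -i --syscall
# over a constructed audit.log and add a per-exit-code breakdown for one
# syscall, so log volume can be tied back to the rule that generated it.

# Constructed sample records (hypothetical; fields abbreviated from the real
# SYSCALL record). arch=c000003e is x86_64; syscall 2=open, 84=rmdir,
# 87=unlink, 160=setrlimit. exit is the negative errno: -2 ENOENT, -13 EACCES,
# -1 EPERM, -39 ENOTEMPTY.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
type=SYSCALL msg=audit(1182970001.100:1001): arch=c000003e syscall=2 success=no exit=-2 pid=2210 auid=500 uid=500 comm="ls" exe="/bin/ls" key=(null)
type=SYSCALL msg=audit(1182970001.200:1002): arch=c000003e syscall=2 success=no exit=-2 pid=2211 auid=500 uid=500 comm="bash" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1182970002.100:1003): arch=c000003e syscall=2 success=no exit=-2 pid=1800 auid=4294967295 uid=48 comm="httpd" exe="/usr/sbin/httpd" key=(null)
type=SYSCALL msg=audit(1182970002.300:1004): arch=c000003e syscall=2 success=no exit=-2 pid=1650 auid=4294967295 uid=0 comm="crond" exe="/usr/sbin/crond" key=(null)
type=SYSCALL msg=audit(1182970003.100:1005): arch=c000003e syscall=2 success=no exit=-13 pid=2215 auid=500 uid=500 comm="cat" exe="/bin/cat" key=(null)
type=SYSCALL msg=audit(1182970003.200:1006): arch=c000003e syscall=2 success=no exit=-1 pid=2216 auid=500 uid=500 comm="cat" exe="/bin/cat" key=(null)
type=SYSCALL msg=audit(1182970004.100:1007): arch=c000003e syscall=87 success=yes exit=0 pid=2220 auid=500 uid=500 comm="rm" exe="/bin/rm" key=(null)
type=SYSCALL msg=audit(1182970005.100:1008): arch=c000003e syscall=160 success=yes exit=0 pid=1900 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=SYSCALL msg=audit(1182970005.200:1009): arch=c000003e syscall=160 success=yes exit=0 pid=1901 auid=4294967295 uid=0 comm="sshd" exe="/usr/sbin/sshd" key=(null)
type=SYSCALL msg=audit(1182970006.100:1010): arch=c000003e syscall=84 success=no exit=-39 pid=2230 auid=500 uid=500 comm="rmdir" exe="/bin/rmdir" key=(null)
EOF

# Records per syscall, most frequent first (what "--summary --syscall" shows).
# Numbers are mapped to names for x86_64 only (assumption); unknown numbers
# are printed as-is.
audit_syscall_summary() {
    awk '
        BEGIN {
            name[2] = "open"; name[84] = "rmdir"; name[87] = "unlink"
            name[160] = "setrlimit"; name[164] = "settimeofday"
        }
        $1 == "type=SYSCALL" {
            n = ""
            for (i = 1; i <= NF; i++) if ($i ~ /^syscall=/) { split($i, kv, "="); n = kv[2] }
            sc = (n in name) ? name[n] : n
            count[sc]++
        }
        END { for (s in count) print count[s], s }
    ' "$1" | sort -k1,1nr -k2,2
}

# Failed records for one syscall number, grouped by exit code. Compare the
# size of the -2 bucket with the -13 and -1 buckets to see what a rule on
# "success!=0" keeps that "exit=-13" / "exit=-1" would drop.
audit_failed_exit_summary() {
    awk -v want="$2" '
        $1 == "type=SYSCALL" {
            sc = ""; ex = ""; ok = ""
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "syscall") sc = kv[2]
                else if (kv[1] == "exit") ex = kv[2]
                else if (kv[1] == "success") ok = kv[2]
            }
            if (sc == want && ok == "no") count[ex]++
        }
        END { for (e in count) print count[e], e }
    ' "$1" | sort -k1,1nr -k2,2n
}

echo "records per syscall:"
audit_syscall_summary "$SAMPLE_LOG"
echo "failed open() by exit code:"
audit_failed_exit_summary "$SAMPLE_LOG" 2
```

On a real host point the functions at /var/log/audit/audit.log (root-only) or, better, use the aureport commands above, which already resolve syscall numbers and interpret exit codes with -i. Tagging every rule with a -k key, as the watch rules in the thread already do, makes it possible to attribute volume to a single rule with ausearch -k.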