On 13/08/09 15:56, David Flatley wrote:
Red Hat 5.3 running audit 1.7.7-6
Rotating logs at 20 megs and allowing 8 logs
Rules have watches and syscalls from the SECSCAN recommendations, and
have added some of Steve Grubb's recommendations.
When we extract and archive the audit logs we get "Error receiving audit
netlink packet (No buffer space available)" and "error sending signal info
request".
Where do you get these messages? Are they in /var/log/messages?
Our extract is: stop auditd, then create a file and run ausearch -i > file,
then run an aureport -i > file; once that is done we delete all the logs
and restart auditd.
You don't want to be stopping auditd. I'd either look harder into the
command line arguments to ausearch and aureport and combine usage with
'service auditd rotate', or use a different collection mechanism.
Also, how are you stopping auditd? Are you using 'service auditd stop'?
If so, you are losing data because it removes audit rules when it stops.
If you are using something else like SIGSTOP, the kernel is sensitive to
the audit daemon not being responsive. This is likely to cause problems.
Can you post the exact script you're using?
Matt
--
Matthew Booth, RHCA, RHCSS
Red Hat Engineering, Virtualisation Team
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490
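The collection Matt recommends (rotate instead of stop, then feed the rotated files to ausearch and aureport), written out as an added example script. It is not code from this thread or from the audit package. It assumes the audit 1.7.x layout (live file /var/log/audit/audit.log, rotated copies audit.log.1 ... audit.log.N with 1 the newest), that 'service auditd rotate' is available, and that ausearch and aureport accept -if FILE; ARCHIVE_DIR and the --run switch are hypothetical choices of this example.

```bash
#!/bin/bash
# Added example, not code from this thread. It does what Matt suggests:
# leave auditd running, ask it to rotate, then archive and report on the
# rotated files only. Assumptions: audit 1.7.x layout (/var/log/audit/audit.log
# live, audit.log.1 ... audit.log.N rotated, 1 = newest), 'service auditd
# rotate' available, ausearch/aureport accepting -if FILE. ARCHIVE_DIR is a
# hypothetical destination.
set -u

AUDIT_DIR=${AUDIT_DIR:-/var/log/audit}
ARCHIVE_DIR=${ARCHIVE_DIR:-/var/archive/audit}

inode_of() { stat -c %i "$1" 2>/dev/null || stat -f %i "$1"; }

# Print the rotated logs oldest first (highest suffix first) so that a
# concatenation comes out in chronological order. The live audit.log is
# left out on purpose: auditd is still writing to it. Suffixes that are
# not pure digits (audit.log.1.gz and the like) are skipped.
rotated_logs() {
    local dir=$1 f
    for f in "$dir"/audit.log.[0-9]*; do
        [ -f "$f" ] || continue
        case "${f##*.}" in *[!0-9]*) continue ;; esac
        printf '%s\n' "${f##*.}"
    done | sort -rn | while read -r n; do printf '%s\n' "$dir/audit.log.$n"; done
}

# Read file names from stdin, append them in that order to $1 and print how
# many were merged. Any unreadable file aborts the merge.
concat_logs() {
    local out=$1 n=0 f
    : > "$out"
    while read -r f; do
        [ -n "$f" ] || continue
        cat -- "$f" >> "$out" || return 1
        n=$((n + 1))
    done
    echo "$n"
}

# Ask auditd to rotate (the init script signals the daemon) and wait until
# the live file's inode changes; the rename happens asynchronously inside
# the daemon, so returning from 'service' does not mean it is done.
rotate_and_wait() {
    local live=$AUDIT_DIR/audit.log before i
    before=$(inode_of "$live")
    service auditd rotate || return 1
    for i in 1 2 3 4 5 6 7 8 9 10; do
        [ "$(inode_of "$live")" != "$before" ] && return 0
        sleep 1
    done
    echo "audit.log was not rotated within 10s" >&2
    return 1
}

main() {
    local raw files
    raw=$ARCHIVE_DIR/audit-$(date +%Y%m%d-%H%M%S).log
    mkdir -p "$ARCHIVE_DIR"
    rotate_and_wait || exit 1
    # Snapshot the list once and use it for both the merge and the cleanup,
    # so a second rotation during the run cannot make us delete a file we
    # never archived.
    files=$(rotated_logs "$AUDIT_DIR")
    [ -n "$files" ] || { echo "no rotated logs found" >&2; exit 1; }
    printf '%s\n' "$files" | concat_logs "$raw" >/dev/null || exit 1
    # Interpreted search output and summary report, read from the archived
    # copy rather than from the live log directory.
    ausearch -i -if "$raw" > "$raw.ausearch"
    aureport -i -if "$raw" > "$raw.aureport"
    # Only now remove the rotated originals; auditd kept running throughout.
    printf '%s\n' "$files" | while read -r f; do rm -f -- "$f"; done
}

# Run only when invoked with --run, so the functions can be sourced and
# checked without touching a live system.
if [ "${1:-}" = --run ]; then main; fi
```

Invoke it as `audit-archive.sh --run` from cron rather than stopping the daemon. The exit status of ausearch is deliberately not checked, since it is non-zero when a search has no matches. The script does not diagnose the "No buffer space available" netlink error David reports; it only removes the stop/restart window in which rules are dropped.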