audit.log space requirements:

Casey Schaufler casey at schaufler-ca.com
Wed Jun 15 15:12:12 UTC 2005



--- Michael C Thompson <mcthomps at us.ibm.com> wrote:


> To begin the space-requirements discussion:

Pathnames tend to be the leading cause of large
audit records on production Unix systems. It
would be instructive to use a kernel make as
an audit test case, if you're looking to
understand the behavior of the audit system
under a file system load.

You can also use:
    % find / -type f
to generate a pathname edge case test.
To really make the developers sweat try:
    % find / -type f & find / -type f & find / -type f

I haven't been able to glean what is being
audited in the networking context. If there
is audit of packet delivery (has been required
on past CAPP and LSPP evaluations) turning
that on and starting X11 will offer insights
as well.

Lots of fun to be had here!



Casey Schaufler
casey at schaufler-ca.com
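
One way to check the pathname observation above against a captured log, as an added example that is not part of the original message: the function sums bytes per record type and, separately, the bytes taken by the quoted name="..." field. The sample records and both function names are constructed for illustration; on a real system, pipe /var/log/audit/audit.log into audit_bytes_by_type instead.

```shell
#!/bin/sh
# Added example: byte accounting per audit record type.
# Every record in sample_audit_log is constructed for illustration.
sample_audit_log() {
cat <<'EOF'
type=SYSCALL msg=audit(1118848332.101:501): arch=40000003 syscall=5 success=yes exit=3 items=1 pid=4242 uid=500 comm="cc1" exe="/usr/libexec/gcc/cc1"
type=PATH msg=audit(1118848332.101:501): item=0 name="/usr/src/linux-2.6.12/include/asm-i386/mach-default/mach_apic.h" inode=91123 dev=03:02 mode=0100644 ouid=0 ogid=0
type=SYSCALL msg=audit(1118848332.187:502): arch=40000003 syscall=5 success=yes exit=4 items=2 pid=4243 uid=500 comm="find" exe="/usr/bin/find"
type=PATH msg=audit(1118848332.187:502): item=0 name="/usr/share/doc/packages/kernel-source/Documentation/networking/README.txt" inode=77310 dev=03:02 mode=0100644 ouid=0 ogid=0
type=PATH msg=audit(1118848332.187:502): item=1 name="/usr/share/doc/packages/kernel-source/Documentation/filesystems/proc.txt" inode=77311 dev=03:02 mode=0100644 ouid=0 ogid=0
EOF
}

# Reads audit records on stdin and prints one line per record type:
#   TYPE record_count total_bytes name_bytes
# sorted with the largest total first. name_bytes counts only the path
# inside a quoted name="..." field; names the audit system writes
# unquoted (hex-encoded) are not counted here.
audit_bytes_by_type() {
  awk '
  {
    if (!match($0, /^type=[A-Z_0-9]+/)) next
    type = substr($0, 6, RLENGTH - 5)        # text after "type="
    n[type]++
    bytes[type] += length($0) + 1            # +1 for the newline on disk
    if (match($0, / name="[^"]*"/))
      namebytes[type] += RLENGTH - 8         # drop the 8 bytes of  name="  and  "
  }
  END {
    for (t in n) printf "%s %d %d %d\n", t, n[t], bytes[t], namebytes[t]
  }' | sort -k3,3nr
}

# Stand-alone run over the constructed sample.
sample_audit_log | audit_bytes_by_type
```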


		




More information about the Linux-audit mailing list