Filesystem filling up ...

Steve Grubb sgrubb at redhat.com
Tue Jul 3 21:13:12 UTC 2007


On Wednesday 27 June 2007 01:42:39 pm Aaron Lippold wrote:
> I was hoping some smarter audit folks than I could look at this small
> set of rules and let me know if anything seems: 1) way too broad 2)
> would fill up a file system fast 3) could use improvement

> # Audit Failed opens
> -a exit,always -S open -F success!=0

Maybe:
-a exit,always -S open -F exit=-13
-a exit,always -S open -F exit=-1

> #
> # Audit success and failure of delete
> -a exit,always -S unlink -S rmdir
> #
> # Audit success and failure of admin actions
> #-a task,always -F uid=0
> -w /var/log/audit/ -k ADMIN
> -w /etc/auditd.conf -k ADMIN
> -w /etc/audit.rules -k ADMIN
> -a exit,always -S stime -S acct -S reboot -S swapon -S settimeofday -S setrlimit
> -a exit,always -S setdomainname -S sched_setparam -S sched_setscheduler
> EOF

Some of these may be broad. setrlimit for example.


> Some of my end users are saying they're logging a lot of audits. We are
> using the same kickstart file but my test systems are not filling up.

You might be able to do some work with aureport to find out what is filling 
your logs. Something like:

aureport --start this-week --summary -i --event
aureport --start this-week --summary -i --syscall

-Steve
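Editor's note, with an added example that is not from the thread or from the audit project. Two things in this exchange are worth making concrete. First, in auditctl the success field is 1 when the syscall returned >= 0 and 0 otherwise, so the posted "-F success!=0" selects the *successful* opens, which on a busy box is nearly every file open and would on its own fill a filesystem; "-F success=0" is the failed-open rule, and Steve's "exit=-13" / "exit=-1" narrow that further to EACCES and EPERM, leaving out ENOENT, which is typically the most frequent open failure (applications probing for optional files). Second, the aureport summaries Steve suggests are just per-syscall counts over the SYSCALL records. The script below parses audit.log SYSCALL records, produces those counts (also split by errno), and evaluates a small subset of auditctl rule syntax against the records so the effect of each rule variant can be compared. The syscall-number tables (x86_64 and i386 only, a handful of calls), the rule evaluator and the sample records are simplified assumptions built for the example.

```python
"""Offline model of the two things this mail points at: which syscalls are
filling audit.log (what 'aureport --summary --syscall' reports) and which
records a given auditctl rule would have produced. Added example, not code
from the audit project or from the thread."""
import re
from collections import Counter

# Syscall numbers for the calls the thread mentions only (assumption: x86_64
# and i386; a real tool needs the full per-arch tables that aureport -i uses).
SYSCALL_NAMES = {
    "c000003e": {2: "open", 84: "rmdir", 87: "unlink", 160: "setrlimit"},  # x86_64
    "40000003": {5: "open", 10: "unlink", 40: "rmdir", 75: "setrlimit"},   # i386
}
ERRNO = {-1: "EPERM", -2: "ENOENT", -13: "EACCES"}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
FILTER_RE = re.compile(r'^(\w+)(!=|=)(-?\w+)$')


def parse_record(line):
    """Split one audit.log record into its key=value fields, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def syscall_name(rec):
    """Resolve arch + syscall number to a name, as 'aureport -i' would."""
    num = int(rec.get("syscall", -1))
    return SYSCALL_NAMES.get(rec.get("arch"), {}).get(num, f"syscall#{num}")


def summarize(lines):
    """Count SYSCALL records per syscall and per (syscall, errno), so both the
    call that floods the log and the reason it fails are visible."""
    by_syscall, by_exit = Counter(), Counter()
    for rec in map(parse_record, lines):
        if rec.get("type") != "SYSCALL":
            continue
        name, code = syscall_name(rec), int(rec["exit"])
        by_syscall[name] += 1
        by_exit[(name, ERRNO.get(code, "ok" if code >= 0 else str(code)))] += 1
    return by_syscall, by_exit


def rule_selects(rec, rule):
    """Simplified model of one auditctl rule: honours -S (by name) and -F on
    'success' and 'exit' with = and !=. As in the kernel, success is 1 when
    exit >= 0 and 0 otherwise, so 'success!=0' picks the successful calls."""
    toks = rule.split()
    syscalls = {toks[i + 1] for i, t in enumerate(toks) if t == "-S"}
    filters = [toks[i + 1] for i, t in enumerate(toks) if t == "-F"]
    if syscalls and syscall_name(rec) not in syscalls:
        return False
    for flt in filters:
        field, op, want = FILTER_RE.match(flt).groups()
        if field == "success":
            have = 1 if rec["success"] == "yes" else 0
            want = {"yes": 1, "no": 0}.get(want, want)
        elif field == "exit":
            have = int(rec["exit"])
        else:
            raise ValueError(f"field {field} not modelled")
        if (have == int(want)) != (op == "="):
            return False
    return True


def count_selected(lines, rules):
    """Records that at least one rule in the set would have written to the log."""
    recs = [r for r in map(parse_record, lines) if r.get("type") == "SYSCALL"]
    return sum(any(rule_selects(r, rule) for rule in rules) for r in recs)


def _rec(serial, arch, nr, exit_code, comm):
    # Constructed SYSCALL record in audit.log syntax (sample data, not captured).
    ok = "yes" if exit_code >= 0 else "no"
    return (f"type=SYSCALL msg=audit(1183497192.{serial}:{serial}): arch={arch} "
            f"syscall={nr} success={ok} exit={exit_code} items=1 ppid=2034 "
            f'pid=2050 auid=500 uid=500 comm="{comm}" exe="/bin/{comm}" key=(null)')


# Constructed sample: three successful opens, two ENOENT probes, one EACCES,
# one EPERM, then one unlink and one setrlimit for contrast.
SAMPLE_LOG = [
    _rec(101, "c000003e", 2, 3, "bash"),
    _rec(102, "40000003", 5, 3, "cat"),
    _rec(103, "c000003e", 2, 4, "bash"),
    _rec(104, "c000003e", 2, -2, "bash"),
    _rec(105, "40000003", 5, -2, "cat"),
    _rec(106, "c000003e", 2, -13, "bash"),
    _rec(107, "c000003e", 2, -1, "bash"),
    _rec(108, "c000003e", 87, 0, "rm"),
    _rec(109, "c000003e", 160, 0, "bash"),
]
POSTED_RULE = ["-a exit,always -S open -F success!=0"]
SUGGESTED_RULES = ["-a exit,always -S open -F exit=-13",
                   "-a exit,always -S open -F exit=-1"]

if __name__ == "__main__":
    print(*summarize(SAMPLE_LOG), sep="\n")
    print("posted rule logs:", count_selected(SAMPLE_LOG, POSTED_RULE))
    print("suggested rules log:", count_selected(SAMPLE_LOG, SUGGESTED_RULES))
```

On the constructed sample the posted rule logs the three successful opens, the "success=0" form logs all four failures, and the two exit=-13 / exit=-1 rules log only the EACCES and EPERM records. Run against a real audit.log the per-syscall counter gives the same ranking as "aureport --summary --syscall", which is the quickest way to see which rule is responsible for the growth before loosening it.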
