
Re: Filesystem filling up ...



On Wednesday 27 June 2007 01:42:39 pm Aaron Lippold wrote:
> I was hoping some smarter audit folks than I could look at this small
> set of rules and let me know if anything seems: 1) way too broad 2)
> would fill up a file system fast 3) could use improvement

> # Audit Failed opens
> -a exit,always -S open -F success!=0

Maybe:
-a exit,always -S open -F exit=-13
-a exit,always -S open -F exit=-1

> #
> # Audit success and failure of delete
> -a exit,always -S unlink -S rmdir
> #
> # Audit success and failure of admin actions
> #-a task,always -F uid=0
> -w /var/log/audit/ -k ADMIN
> -w /etc/auditd.conf -k ADMIN
> -w /etc/audit.rules -k ADMIN
> -a exit,always -S stime -S acct -S reboot -S swapon -S settimeofday -S
> setrlimit -a exit,always -S setdomainname -S sched_setparam -S
> sched_setscheduler EOF

Some of these may be broad. setrlimit for example.


> Some of my end users are saying they're logging a lot of audits. We are
> using the same kickstart file but my test systems are not filling up.

You might be able to do some work with aureport to find out what is filling 
your logs. Something like:

aureport --start this-week --summary -i --event
aureport --start this-week --summary -i --syscall

-Steve
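As an added illustration of the two points in Steve's reply (this is not code from the thread or from the audit package): the script below parses a constructed audit.log excerpt, summarizes it per syscall and errno the way `aureport -i --summary --syscall` does, and counts how many records a failed-open rule keyed on `success!=0` would produce versus one keyed on `exit=-13` / `exit=-1`. The syscall-number table and the sample lines are assumptions (x86_64 numbering).

```python
import re
import errno
from collections import Counter

# Assumption: x86_64 syscall numbers (arch=c000003e) for the calls in the sample.
SYSCALL_NAMES = {2: "open", 87: "unlink", 160: "setrlimit"}

# Constructed sample audit.log excerpt (not from the thread). Layout follows auditd
# SYSCALL records; fields this example does not use are elided as "...".
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1182971000.101:1): arch=c000003e syscall=2 success=no exit=-2 ... comm="bash"
type=SYSCALL msg=audit(1182971000.102:2): arch=c000003e syscall=2 success=no exit=-2 ... comm="ls"
type=SYSCALL msg=audit(1182971000.104:4): arch=c000003e syscall=2 success=no exit=-13 ... comm="cat"
type=SYSCALL msg=audit(1182971000.105:5): arch=c000003e syscall=160 success=yes exit=0 ... comm="sshd"
type=SYSCALL msg=audit(1182971000.106:6): arch=c000003e syscall=160 success=yes exit=0 ... comm="crond"
type=SYSCALL msg=audit(1182971000.107:7): arch=c000003e syscall=87 success=yes exit=0 ... comm="rm"
type=PATH msg=audit(1182971000.107:7): item=0 name="/tmp/x" inode=12 dev=08:01 mode=0100644
"""
RECORD_RE = re.compile(r'^type=SYSCALL .*?syscall=(\d+) success=(yes|no) exit=(-?\d+)')

def parse_syscall_records(text):
    """Return (syscall_name, exit_code) for each SYSCALL record; PATH etc. are skipped."""
    records = []
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            num, _success, code = m.groups()
            records.append((SYSCALL_NAMES.get(int(num), f"syscall_{num}"), int(code)))
    return records

def outcome(exit_code):
    """Render a kernel return value the way aureport -i does: 'yes' or the errno name."""
    return "yes" if exit_code >= 0 else errno.errorcode.get(-exit_code, str(exit_code))

def summarize(records):
    """Count records per (syscall, outcome): the view that shows which rule is noisy."""
    return Counter((name, outcome(code)) for name, code in records)

def rule_hits(records, syscall, exits=None):
    """Records a failed-call rule on `syscall` would emit. exits=None models
    '-F success!=0' (every failure); a set of codes models '-F exit=<code>'."""
    return sum(1 for name, code in records
               if name == syscall and code < 0 and (exits is None or code in exits))

if __name__ == "__main__":
    recs = parse_syscall_records(SAMPLE_LOG)
    for (name, result), n in summarize(recs).most_common():
        print(f"{n:4d}  {name:<10} {result}")
    print("failed opens matched by success!=0:  ", rule_hits(recs, "open"))
    print("failed opens matched by exit=-13/-1: ", rule_hits(recs, "open", {-13, -1}))
```

In the sample the ENOENT failures (programs probing for files that do not exist) outnumber the EACCES one, which is why narrowing the rule to `exit=-13` and `exit=-1` cuts volume while keeping the permission-denied events.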

