Red Hat 5.3 running audit 1.7.7-6
Rotating logs at 20 megs and allowing 8 logs
Rules have watches and syscalls from the SECSCAN recommendations, and have added some of Steve Grubb's recommendations.
When we extract and archive the audit logs we get "Error receiving audit netlink packet (No buffer space available) an "error sending signal info request"
Our extract is: stop auditd then create a file and run ausearch -i > file then run an aureport -i > file then once that is done we delete all the logs and restart auditd.
If I run this manually it works fine but if I have it running it in a cron we get Kernel panics, lockups and log data loss plus the buffer messages.
I added "-r 0" to the audit.rules but it does not seem to work. We run a very similar configuration on Red Hat ES and AS 4 with no problems.
We are testing the subject systems and running a looping regression test that can fill the audit logs in a little over an hour at the present settings.
Thoughts or ideas??
David Flatley CISSP
I.T. Specialist, Managing Consultant
Member: ISC2, ISACA, Center for Internet Security