[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: buffer space


I maybe able to get the Red Hat Federal Team a copy of SECSCAN... If Justin and Gunnar do not already have a copy....

Best regards,

Norman Mark St. Laurent
Conceras | Chief Technology Officer and ISSE
Phone:  703-965-4892
Email:  mstlaurent conceras com
Web:  http://www.conceras.com

Connect. Collaborate. Conceras.

Steve Grubb wrote:
On Monday 17 August 2009 10:49:55 am David Flatley wrote:
 If I were to move all the rotated logs to another directory,
say /home/logs. So instead of doing "ausearch -i" to capture all the
information in the rotated logs in
/var/log/audit directory. I would do "ausearch -i -f /home/logs" , correct?


Backlog is set to 12288 right now.


 The SECSCAN requires many -w (watches) and a fair amount of syscalls. I
modified the syscalls to add your recommendation for using "arch=b32" and

Are there any public references to this standard?

Because I was getting errors restarting the auditd on some of their
recommendations one of which was mount?

Yes, that is correct. Mount is syscall 165 on x86_64 and 21 on i386.

 Another setting I believe was doing me in was the log size is 20 megs and
I allow 8 rotated logs. But I had admin_disk_full set to 160 and the action
was suspend.
So this could have been tripping me up also.

If the partition was 320Mb or smaller, then yes that would be a problem. But I also think the fact that its being suspended is sent to syslog.

  I would like to be able to do the audit log extractions (ausearch and
aureport) when I get say 8 - 20 megs logs. I see I can do an exec on a
script in max_log_file_action.
So if I set the max_log_file to 160, I can then run a script to move the
rotated logs and process them, thus not stopping auditd and keeping things

Yes, I think so. But if you are hooking max_log_file action, then you would need to send sigusr1 to ppid to get auditd to rotate the log and open another one. If you don't, auditd will still have an open descriptor to the file.


Linux-audit mailing list
Linux-audit redhat com

[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]