[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Excluding certain processes



I'm running audit 1.7.17-3 (RHEL 5) on ~450 clients sending via audisp to
a single server.  This is mostly working well, except that periodically, I
get messages like:

Jan  4 07:57:33 hostfoo audispd: queue is full - dropping event
Jan  4 07:58:04 hostfoo last message repeated 814 times
Jan  4 07:59:05 hostfoo last message repeated 4121 times
Jan  4 08:00:06 hostfoo last message repeated 2602 times
Jan  4 08:00:31 hostfoo last message repeated 773 times

Reading through the man pages, I've increased the q_depth value in
audispd.conf.  But even with it set at 99999 (the maximum), many events
are still being dropped from almost half the clients.  Setting disp_qos to
"lossless" in auditd.conf has also not helped.

It would be nice to solve this in general.  More specifically, however, I
know that on the worst offender, the flood of events is being caused by an
rsync job that runs at 8 and 12.  The events look something like:

node=hostfoo.domain.com type=SYSCALL msg=audit(1294232521.544:29609884):
arch=c000003e syscall=90 success=yes exit=0 a0=7fffbe5a7f60 a1=1ed a2=1
a3=0 items=1 ppid=4397 pid=4398 auid=4990 uid=4990 gid=100 euid=4990
suid=4990 fsuid=4990 egid=100 sgid=100 fsgid=100 tty=(none) ses=2867
comm="rsync" exe="/home/bob/.toast/pkg/rsync/v3.0.4/1/root/bin/rsync"
key="perm_mod"

Is there any way I can tell the perm_mod rules in audit.rules "Don't tell
me about it if the command is rsync"?  I couldn't find an obvious answer
from the auditctl man page (it doesn't seem that I can just specify, say,
comm!=rsync).

Thanks,

--Ray


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]