[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: v3.19-rc2: crashes during boot (syslog-ng, rpcbind ...)



On 12/29/2014 08:41 PM, Paul Moore wrote:
> To help verify that I'm heading down the right path, could you share your 
> audit configuration as well?  If that's not possible, can you at least confirm 
> that you using a few audit directory watches?

Well, it is just a victim system for trinity - but I did not configured auditd in a special manner - so it is just the plain default configuration of Gentoo:

n22kvm-clone audit # wc *
  26  201 1127 audit.rules
  13   85  573 audit.rules.stop.post
  16   81  547 audit.rules.stop.pre
  32   95  701 auditd.conf
  87  462 2948 total
n22kvm-clone audit # tail -n 40 -v *
==> audit.rules <==                                                                                                
# Copyright 1999-2011 Gentoo Foundation                                                                            
# Distributed under the terms of the GNU General Public License v2                                                 
# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/audit.rules-2.1.3,v 1.1 2011/09/11 02:58:55 robbat2 Exp $
#                                                                                                                  
# This file contains the auditctl rules that are loaded                                                            
# whenever the audit daemon is started via the initscripts.                                                        
# The rules are simply the parameters that would be passed                                                         
# to auditctl.                                                                                                     
                                                                                                                                  
# First rule - delete all                                                                                                         
# This is to clear out old rules, so we don't append to them.                                                                     
-D                                                                                                                                
                                                                                                                                                    
# Feel free to add below this line. See auditctl man page                                                                                           
                                                                                                                                                    
# The following rule would cause all of the syscalls listed to be ignored in logging.                                                               
-a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat                          
#-a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat                         
                                                                                                                                                                             
# The following rule would cause the capture of all systems not caught above.                                                                                                
# -a exit,always -S all                                                                                                                                                      
                                                                                                                                                                             
# Increase the buffers to survive stress events                                                                                                                              
-b 8192                                                                                                                                                                      
                                                                                                                                                                             
# vim:ft=conf:                                                                                                                                                               
                                                                                                                                                                             
==> audit.rules.stop.post <==                                                                                                                                                
# Copyright 1999-2005 Gentoo Foundation                                                                                                                                      
# Distributed under the terms of the GNU General Public License v2                                                                                                           
# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/audit.rules.stop.post,v 1.1 2006/06/22 07:41:46 robbat2 Exp $                                                     
#                                                                                                                                                                            
# This file contains the auditctl rules that are loaded immediately after the                                                                                                
# audit deamon is stopped via the initscripts.                                                                                                                               
# The rules are simply the parameters that would be passed
# to auditctl.

# Not used for the default Gentoo configuration as of v1.2.3
# Paranoid security types might wish to reconfigure kauditd here.

# vim:ft=conf:

==> audit.rules.stop.pre <==
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/audit.rules.stop.pre,v 1.2 2011/09/11 02:58:55 robbat2 Exp $
#
# This file contains the auditctl rules that are loaded immediately before the
# audit deamon is stopped via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# auditd is stopping, don't capture events anymore
-D

# Disable kernel generating audit events
-e 0

# vim:ft=conf:

==> auditd.conf <==
#
# This file controls the configuration of the audit daemon
#

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6 
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port = 
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key



n22kvm-clone audit # cat /etc/conf.d/auditd 
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/auditd-conf.d-2.1.3,v 1.1 2011/09/11 02:58:55 robbat2 Exp $

# Configuration options for auditd
# -f for foreground mode
# There are some other options as well, but you'll have to look in the source
# code to find them as they aren't ready for use yet.
EXTRAOPTIONS=''

# Audit rules file to run after starting auditd
RULEFILE_STARTUP=/etc/audit/audit.rules

# Audit rules file to run before and after stopping auditd
RULEFILE_STOP_PRE=/etc/audit/audit.rules.stop.pre
RULEFILE_STOP_POST=/etc/audit/audit.rules.stop.post

# If you want to enforce a certain locale for auditd, 
# uncomment one of the next lines:
#AUDITD_LANG=none
AUDITD_LANG=C
#AUDITD_LANG=en_US
#AUDITD_LANG=en_US.UTF-8



-- 
Toralf
pgp key: 7B1A 07F4 EC82 0F90 D4C2  8936 872A E508 0076 E94E


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]