From: Brian LaMere <brianl@clinicomp.com>
To: linux-audit@redhat.com
Subject: no logging of successful events?
Date: Mon, 18 Aug 2008 12:09:34 -0700 [thread overview]
Message-ID: <1219086574.6522.8.camel@orpheus.clinicomp.com> (raw)
with the following auditd.conf and audit.rules, we generate MASSIVE logs
very quickly. I don't care about successful audit events; I'm not
required to log them, and there's no way I could have the space for a
year's worth anyway. So...why is it that "LIST_RULES: exit,always
success!=0 syscall=open" doesn't disregard the successful calls? I can
still see them if I do an aureport.
The logs are simply too massive to keep; if I set the max_log_file to
much higher than 50 with 99 logs, an aureport takes eons.
Unfortunately, it needs to be that high to save even a day's worth of
logs when they're running certain programs. Any suggestions?
----------------------
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 3
flush = INCREMENTAL
freq = 20
num_logs = 50
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 20
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
--------------------------
LIST_RULES: exit,always success!=0 syscall=open
LIST_RULES: exit,always syscall=rmdir,unlink
LIST_RULES: exit,always syscall=acct,swapon,reboot
LIST_RULES: exit,always syscall=setrlimit,settimeofday,setdomainname
LIST_RULES: exit,always syscall=sched_setparam,sched_setscheduler
LIST_RULES: exit,always syscall=chmod,fchmod,chown,fchown
LIST_RULES: exit,always syscall=lchown
LIST_RULES: exit,always watch=/etc/auditd.conf perm=rwxa
LIST_RULES: exit,always watch=/etc/audit.rules perm=rwxa
------------------------------------------
next reply other threads:[~2008-08-18 19:09 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2008-08-18 19:09 Brian LaMere [this message]
2008-08-18 19:18 ` no logging of successful events? Steve Grubb
2008-08-18 19:25 ` Eric Paris
2008-08-18 19:49 ` Brian LaMere
2008-08-18 19:51 ` Eric Paris
2008-08-18 19:39 ` Brian LaMere
2008-08-18 20:07 ` Steve Grubb
2008-08-18 20:43 ` Brian LaMere
2008-08-18 20:52 ` Steve Grubb
2008-08-18 22:13 ` Brian LaMere
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1219086574.6522.8.camel@orpheus.clinicomp.com \
--to=brianl@clinicomp.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.