From: LC Bruzenak <lenny@magitekltd.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: question
Date: Sun, 02 Nov 2008 12:25:37 -0600
Message-ID: <1225650337.9388.425.camel@homeserver>
In-Reply-To: <200810311550.12429.sgrubb@redhat.com>
On Fri, 2008-10-31 at 15:50 -0400, Steve Grubb wrote:
> On Friday 31 October 2008 14:21:12 David Flatley wrote:
> ...
>
> Perhaps we need the capability of switching out partitions used for logging?
> Maybe that could be solved by using the space left action exec capability to
> run a custom program that re-writes the audit config file or changes a
> symlink to point to another config file to point to a new dir and then sends
> sighup to the parent (auditd).
>
> Maybe some others have ideas about how they solve the same problem. If we need
> to make changes to the audit daemon to make this smoother, let me know what's
> needed.
David, I will have similar requirements and I've been thinking about
this also. Not sure about you, but my audit data has the following
requirements (and others):
* archive to off-site storage
* restore from archive
* search capabilities (mostly covered in ausearch and audit-viewer)
* robust (cannot lose any data received)
* etc.
Like you, I'm planning a periodic shift. This enables straightforward
time-based restore/search for humans. Ideally, it would be totally
automated, as in:
1: shift auditing to a new R/W partition each month.
2: Make the previous month audit data RO.
3: archive the previous month to tape/DVD
4: put the RO partition back into the "available" queue
5: ensure the current audit is also mirrored over to a big storage area
with all the past data on it.
6: Send an email to the administrator that all the above has
successfully occurred.
Steve, as my testing progresses I'll add comments in this area. I had
thought a cron-activated logrotate on the month would cover this, but it
means 2 admin areas; if there is a way to do it inside the audit
structure, that would be preferable to me. It would simplify/consolidate
the config rpm(s) I create. Anything you could do to help facilitate a
scheme as described above would be welcome.
David, a couple of questions for you:
* Have you looked at the audit-viewer, and do you intend to use this?
* I assume "heavy usage systems" means lots of audit data...are your
rules tuned appropriately? This is critical for me - one over-zealous
rule will add a flood of unhelpful info.
* You mention "balancing performance" - are you talking about
per-machine or network (via aggregation)? When reading your post I
assumed aggregation from my own perspective but you didn't actually
specify so I thought maybe I should ask. I'm aggregating all audit from
several machines to a single audit machine for
storage/review/administration. You?
Thx,
LCB.
--
LC (Lenny) Bruzenak
lenny@magitekltd.com
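The monthly shift sketched in steps 1 to 5 of the message above, as an added shell example (not code from the post, nor from the audit package). It assumes a per-month directory layout under AUDIT_BASE, a long-term mirror area MIRROR_DIR, and that auditd re-reads auditd.conf on SIGHUP; the administrator email of step 6 is left to the caller.

```shell
# Added example: monthly shift of auditd logging to a fresh per-month directory.
# Assumed layout: $AUDIT_BASE/YYYY-MM/audit.log, one directory (or mount) per month.
# Set DRY_RUN=1 to skip signalling auditd (e.g. when testing away from the audit host).

# Rewrite the log_file key of an auditd.conf ("key = value" syntax) to a new path.
set_log_file() {   # $1 = conf path, $2 = new log path
    cp "$1" "$1.bak" || return 1                     # keep a rollback copy
    sed "s|^log_file[[:space:]]*=.*|log_file = $2|" "$1" > "$1.tmp" && mv "$1.tmp" "$1"
    grep -q "^log_file = $2\$" "$1"                  # fail if the key was missing
}

# Freeze a finished month: strip write bits so nothing can append to it afterwards.
freeze_month() {   # $1 = month directory
    [ -d "$1" ] && chmod -R a-w "$1"
}

# Mirror a month directory into the big storage area, keeping modes and timestamps.
mirror_month() {   # $1 = month directory, $2 = storage base
    mkdir -p "$2" && cp -Rp "$1" "$2/"
}

# Steps 1-5 of the scheme: new R/W month, reload auditd, then mirror and freeze the old one.
shift_audit_month() {   # $1 = new month YYYY-MM, $2 = previous month YYYY-MM
    base="${AUDIT_BASE:-/var/log/audit-months}"      # assumed base directory
    conf="${AUDIT_CONF:-/etc/audit/auditd.conf}"
    mirror="${MIRROR_DIR:-/srv/audit-archive}"       # assumed big storage area
    mkdir -p "$base/$1" || return 1
    set_log_file "$conf" "$base/$1/audit.log" || return 1
    # auditd re-reads auditd.conf on SIGHUP (this is what "service auditd reload" sends)
    if [ -z "$DRY_RUN" ] && pgrep -x auditd >/dev/null; then kill -HUP "$(pgrep -x auditd)"; fi
    # only after auditd has moved to the new file is it safe to archive and freeze the old one
    if [ -d "$base/$2" ]; then
        mirror_month "$base/$2" "$mirror" && freeze_month "$base/$2" || return 1
    fi
    grep "^log_file" "$conf"                         # report the active log path
}

# Demo on a constructed auditd.conf in a temp dir; no real auditd is touched.
demo_shift() {
    d=$(mktemp -d) || return 1
    printf 'log_file = /var/log/audit/audit.log\nlog_format = RAW\n' > "$d/auditd.conf"
    mkdir -p "$d/months/2008-10"
    echo 'type=DAEMON_START msg=audit(1225000000.000:1): constructed sample' > "$d/months/2008-10/audit.log"
    AUDIT_BASE="$d/months" AUDIT_CONF="$d/auditd.conf" MIRROR_DIR="$d/archive" DRY_RUN=1 \
        shift_audit_month 2008-11 2008-10 || return 1
    [ -f "$d/archive/2008-10/audit.log" ] || return 1            # mirrored
    case $(ls -l "$d/months/2008-10/audit.log") in -r--*) ;; *) return 1 ;; esac   # frozen
    chmod -R u+w "$d" && rm -rf "$d"
}
```

Run `demo_shift` to exercise the whole sequence against throwaway files; on a real host the space_left exec hook or a monthly cron entry would call `shift_audit_month` instead.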