From: "Norman Mark St. Laurent" <mstlaurent@conceras.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: buffer space
Date: Mon, 17 Aug 2009 11:36:42 -0400
Message-ID: <4A89790A.8070505@conceras.com>
In-Reply-To: <200908171108.00417.sgrubb@redhat.com>

Steve,

I may be able to get the Red Hat Federal Team a copy of SECSCAN...  If 
Justin and Gunnar do not already have a copy....

Best regards,

Norman Mark St. Laurent
Conceras | Chief Technology Officer and ISSE
Phone:  703-965-4892
Email:  mstlaurent@conceras.com
Web:  http://www.conceras.com

Connect. Collaborate. Conceras.



Steve Grubb wrote:
> On Monday 17 August 2009 10:49:55 am David Flatley wrote:
>> If I were to move all the rotated logs to another directory,
>> say /home/logs. So instead of doing "ausearch -i" to capture all the
>> information in the rotated logs in
>> /var/log/audit directory. I would do "ausearch -i -f /home/logs" , correct?
>
> Yes.
>
>> Backlog is set to 12288 right now.
>
> ok
>
>> The SECSCAN requires many -w (watches) and a fair amount of syscalls. I
>> modified the syscalls to add your recommendation for using "arch=b32" and
>> "arch=b64".
>
> Are there any public references to this standard?
>
>> Because I was getting errors restarting the auditd on some of their
>> recommendations one of which was mount?
>
> Yes, that is correct. Mount is syscall 165 on x86_64 and 21 on i386.
>
>> Another setting I believe was doing me in was the log size is 20 megs and
>> I allow 8 rotated logs. But I had admin_disk_full set to 160 and the action
>> was suspend.
>> So this could have been tripping me up also.
>
> If the partition was 320Mb or smaller, then yes that would be a problem. But I
> also think the fact that it's being suspended is sent to syslog.
>
>> I would like to be able to do the audit log extractions (ausearch and
>> aureport) when I get say 8 - 20 megs logs. I see I can do an exec on a
>> script in max_log_file_action.
>> So if I set the max_log_file to 160, I can then run a script to move the
>> rotated logs and process them, thus not stopping auditd and keeping things
>> working?
>
> Yes, I think so. But if you are hooking max_log_file action, then you would
> need to send sigusr1 to ppid to get auditd to rotate the log and open another
> one. If you don't, auditd will still have an open descriptor to the file.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
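The workflow Steve sketches in the quoted exchange (auditd execs a hook script, the script signals its parent with SIGUSR1 so auditd closes audit.log and opens a fresh one, then the rotated files are moved to /home/logs and run through ausearch and aureport) fits in one short script. The following is an added example written for this page, not code from the thread or from the audit project. It assumes the script is installed as /usr/local/sbin/audit-archive.sh (a name chosen here) and referenced from one of auditd.conf's exec-capable actions, for instance space_left_action = exec /usr/local/sbin/audit-archive.sh, and that auditd runs it as a direct child so $PPID is auditd's pid; the /var/log/audit and /home/logs paths come from the thread. The extractions use ausearch's and aureport's -if option, which reads the named file in place of the live log; the signal is sent before the move, which is exactly the open-descriptor caveat Steve raises.

```shell
#!/bin/sh
# Added example, not from the thread: a hook script for auditd's "exec" action.
# Assumptions (not stated in the thread): installed as /usr/local/sbin/audit-archive.sh,
# listed in auditd.conf as e.g. "space_left_action = exec /usr/local/sbin/audit-archive.sh",
# and run by auditd as a direct child, so $PPID is auditd's pid.
set -eu

AUDIT_DIR="${AUDIT_DIR:-/var/log/audit}"   # auditd's log_file directory (from the thread)
ARCHIVE_DIR="${ARCHIVE_DIR:-/home/logs}"   # where the rotated logs go (from the thread)

# Ask auditd (pid $1) to close audit.log and open a fresh one. This is the step Steve
# describes: without it auditd keeps a descriptor to the file we are about to move and
# keeps writing into it after the move.
rotate_current_log() {
    kill -USR1 "$1"
    sleep 1    # give auditd a moment to finish renaming audit.log -> audit.log.1
}

# Move every rotated log (audit.log.1, audit.log.2, ...) from $1 into $2, suffixing a
# timestamp so repeated runs never overwrite an earlier archive. The live audit.log is
# left alone. Prints the number of files moved.
archive_rotated_logs() {
    src="$1"; dst="$2"
    stamp=$(date +%Y%m%d%H%M%S)
    mkdir -p "$dst"
    chmod 0700 "$dst"    # rotated audit logs are as sensitive as the live one
    moved=0
    for f in "$src"/audit.log.[0-9]*; do
        [ -f "$f" ] || continue          # glob matched nothing
        mv "$f" "$dst/$(basename "$f").$stamp"
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Run the extractions against the archived copies only (-if = read this file instead of
# the live logs), writing the reports next to each archive. ausearch exits non-zero when
# a file holds no matching events, so do not let that abort the script.
report_archived_logs() {
    dst="$1"
    for f in "$dst"/audit.log.*[0-9]; do
        [ -f "$f" ] || continue
        ausearch -if "$f" -i > "$f.ausearch.txt" || true
        aureport -if "$f" --summary > "$f.aureport.txt" || true
    done
}

# Entry point. auditd runs the script with no arguments, so dispatch on the script's own
# name; sourcing this file elsewhere (e.g. to reuse the functions) runs nothing.
case "${0##*/}" in
    audit-archive.sh)
        rotate_current_log "$PPID"
        n=$(archive_rotated_logs "$AUDIT_DIR" "$ARCHIVE_DIR")
        report_archived_logs "$ARCHIVE_DIR"
        logger -t audit-archive "moved $n rotated audit logs to $ARCHIVE_DIR"
        ;;
esac
```

The archive directory is created mode 0700 because a rotated audit log carries the same records as the live one and should not become readable to ordinary users merely by leaving /var/log/audit. The one-second sleep after the signal is a pragmatic wait for auditd to finish the rename; on a busy host it is worth checking that audit.log has a fresh inode before moving anything.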

Thread overview (34+ messages):
2009-08-13 14:56 buffer space David Flatley
2009-08-13 15:29 ` Matthew Booth
2009-08-13 18:28 ` Steve Grubb
2009-08-17 14:49   ` David Flatley
2009-08-17 15:07     ` Steve Grubb
2009-08-17 15:36       ` Norman Mark St. Laurent [this message]
2009-08-17 16:38       ` David Flatley
2009-08-17 16:52         ` LC Bruzenak
2009-08-17 17:06           ` David Flatley
2009-08-17 17:15             ` LC Bruzenak
2009-08-17 17:24               ` LC Bruzenak
2009-08-17 21:18                 ` David Flatley
2009-08-17 17:32               ` David Flatley
2009-08-17 17:46                 ` LC Bruzenak
2009-08-17 18:01                   ` Steve Grubb
2009-08-17 18:13                     ` Norman Mark St. Laurent
2009-08-17 18:14                     ` LC Bruzenak
2009-08-17 18:46                       ` Norman Mark St. Laurent
2009-08-17 19:37                         ` Steve Grubb
2009-08-17 19:46                           ` Norman Mark St. Laurent
2009-08-18 13:02                           ` David Flatley
2009-08-18 15:09                             ` LC Bruzenak
2009-08-18 15:53                               ` Steve Grubb
2009-08-27 17:21                           ` David Flatley
2009-08-27 17:32                             ` Steve Grubb
2009-08-27 17:45                               ` David Flatley
2009-08-27 18:45                                 ` Steve Grubb
2009-08-27 17:33                             ` LC Bruzenak
2009-08-23  4:12       ` D.A. Muran-de Assereto
2009-08-17 15:34     ` Norman Mark St. Laurent
2009-08-17 16:58       ` Mike Nixon
2009-08-23  4:32         ` David Muran-de Assereto
2009-08-23 16:12           ` Mike Nixon
2009-08-23 20:24             ` David Muran-de Assereto
