From: "Toralf Förster" <toralf.foerster@gmx.de>
To: Paul Moore <paul@paul-moore.com>
Cc: linux Kernel <linux-kernel@vger.kernel.org>, linux-audit@redhat.com
Subject: Re: v3.19-rc2: crashes during boot (syslog-ng, rpcbind ...)
Date: Mon, 29 Dec 2014 21:18:44 +0100 [thread overview]
Message-ID: <54A1B724.8070106@gmx.de> (raw)
In-Reply-To: <4182091.odzUCAWhED@sifl>
On 12/29/2014 08:41 PM, Paul Moore wrote:
> To help verify that I'm heading down the right path, could you share your
> audit configuration as well? If that's not possible, can you at least confirm
> that you using a few audit directory watches?
Well, it is just a victim system for trinity - but I did not configure auditd in a special manner - so it is just the plain default configuration of Gentoo:
n22kvm-clone audit # wc *
26 201 1127 audit.rules
13 85 573 audit.rules.stop.post
16 81 547 audit.rules.stop.pre
32 95 701 auditd.conf
87 462 2948 total
n22kvm-clone audit # tail -n 40 -v *
==> audit.rules <==
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/audit.rules-2.1.3,v 1.1 2011/09/11 02:58:55 robbat2 Exp $
#
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
# This is to clear out old rules, so we don't append to them.
-D
# Feel free to add below this line. See auditctl man page
# The following rule would cause all of the syscalls listed to be ignored in logging.
-a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
#-a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
# The following rule would cause the capture of all systems not caught above.
# -a exit,always -S all
# Increase the buffers to survive stress events
-b 8192
# vim:ft=conf:
==> audit.rules.stop.post <==
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/audit.rules.stop.post,v 1.1 2006/06/22 07:41:46 robbat2 Exp $
#
# This file contains the auditctl rules that are loaded immediately after the
# audit deamon is stopped via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# Not used for the default Gentoo configuration as of v1.2.3
# Paranoid security types might wish to reconfigure kauditd here.
# vim:ft=conf:
==> audit.rules.stop.pre <==
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/audit.rules.stop.pre,v 1.2 2011/09/11 02:58:55 robbat2 Exp $
#
# This file contains the auditctl rules that are loaded immediately before the
# audit deamon is stopped via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# auditd is stopping, don't capture events anymore
-D
# Disable kernel generating audit events
-e 0
# vim:ft=conf:
==> auditd.conf <==
#
# This file controls the configuration of the audit daemon
#
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key
n22kvm-clone audit # cat /etc/conf.d/auditd
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/auditd-conf.d-2.1.3,v 1.1 2011/09/11 02:58:55 robbat2 Exp $
# Configuration options for auditd
# -f for foreground mode
# There are some other options as well, but you'll have to look in the source
# code to find them as they aren't ready for use yet.
EXTRAOPTIONS=''
# Audit rules file to run after starting auditd
RULEFILE_STARTUP=/etc/audit/audit.rules
# Audit rules file to run before and after stopping auditd
RULEFILE_STOP_PRE=/etc/audit/audit.rules.stop.pre
RULEFILE_STOP_POST=/etc/audit/audit.rules.stop.post
# If you want to enforce a certain locale for auditd,
# uncomment one of the next lines:
#AUDITD_LANG=none
AUDITD_LANG=C
#AUDITD_LANG=en_US
#AUDITD_LANG=en_US.UTF-8
--
Toralf
pgp key: 7B1A 07F4 EC82 0F90 D4C2 8936 872A E508 0076 E94E
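Paul's question above (does the configuration use directory watches?) can be answered mechanically from an auditctl rules file. The following parser is an added example written for this page; it is not part of the mail, of Gentoo's audit package or of auditctl. It reads rules in the same syntax as the quoted audit.rules (the `RULES_TEXT` constant is a constructed copy of the active lines from that file), skips comments, and reports `-w`/`-p` watches, `-a` syscall rules with their action and arch, the `-D` reset and the `-b` backlog size. It also reports syscalls that are excluded for one arch but not another, which in the quoted file is every syscall in the b32 rule, because the b64 rule is commented out. The function and variable names are this example's own.

```python
"""Summarise an auditctl rules file: watches, syscall rules, backlog size.

Added example for this page; not code from the mail or from the audit project.
RULES_TEXT below is a constructed copy of the active lines of the quoted
Gentoo default audit.rules.
"""
import shlex

# Constructed sample input: the non-comment lines of the quoted audit.rules,
# plus the commented-out b64 line so the parser can be seen ignoring it.
RULES_TEXT = """\
# First rule - delete all
-D
-a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
#-a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
# -a exit,always -S all
-b 8192
"""

LISTS = {"task", "exit", "user", "exclude", "filesystem"}


def parse_rules(text):
    """Return a dict summarising the active (non-comment) auditctl rules."""
    summary = {
        "delete_all": False,   # -D seen
        "buffer_size": None,   # -b value
        "watches": [],         # {"path", "perms"} from -w / -p
        "syscall_rules": [],   # {"list", "action", "arch", "syscalls", "fields"}
    }
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        argv = shlex.split(line)
        rule = watch = None
        i = 0
        while i < len(argv):
            opt = argv[i]
            if opt == "-D":
                summary["delete_all"] = True
                i += 1
            elif opt == "-b":
                summary["buffer_size"] = int(argv[i + 1])
                i += 2
            elif opt in ("-a", "-A"):
                # auditctl accepts "exit,never" and "never,exit" alike
                parts = set(argv[i + 1].split(","))
                action = "always" if "always" in parts else "never"
                rule = {"list": (parts & LISTS or {"?"}).pop(), "action": action,
                        "arch": None, "syscalls": [], "fields": []}
                summary["syscall_rules"].append(rule)
                i += 2
            elif opt == "-S" and rule is not None:
                rule["syscalls"].append(argv[i + 1])
                i += 2
            elif opt == "-F" and rule is not None:
                key, _, val = argv[i + 1].partition("=")
                if key == "arch":
                    rule["arch"] = val
                else:
                    rule["fields"].append(argv[i + 1])
                i += 2
            elif opt == "-w":
                watch = {"path": argv[i + 1], "perms": "rwxa"}  # auditctl default
                summary["watches"].append(watch)
                i += 2
            elif opt == "-p" and watch is not None:
                watch["perms"] = argv[i + 1]
                i += 2
            else:
                i += 1   # options this summariser does not model (-e, -f, ...)
    return summary


def excluded_by_arch(summary):
    """Map arch -> set of syscalls covered by an action=never rule."""
    out = {}
    for rule in summary["syscall_rules"]:
        if rule["action"] == "never":
            out.setdefault(rule["arch"], set()).update(rule["syscalls"])
    return out


def excluded_only_for(summary, arch_a, arch_b):
    """Syscalls excluded for arch_a but not for arch_b (a coverage asymmetry)."""
    by_arch = excluded_by_arch(summary)
    return by_arch.get(arch_a, set()) - by_arch.get(arch_b, set())


if __name__ == "__main__":
    s = parse_rules(RULES_TEXT)
    print("watches:", s["watches"] or "none")
    print("backlog:", s["buffer_size"], "reset:", s["delete_all"])
    for r in s["syscall_rules"]:
        print(r["list"], r["action"], r["arch"], len(r["syscalls"]), "syscalls")
    print("excluded for b32 only:", sorted(excluded_only_for(s, "b32", "b64")))
```

Run against the quoted file it reports no watches at all, one exit,never rule for arch=b32 covering 13 syscalls, a backlog of 8192 and a reset; the b32-only exclusion list shows that on a 64-bit host the same syscalls from 64-bit processes are not covered by that rule. Point it at a real `/etc/audit/audit.rules` by reading the file into `parse_rules` instead of `RULES_TEXT`.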
Thread overview:
2014-12-29 16:07 v3.19-rc2: crashes during boot (syslog-ng, rpcbind ...) Toralf Förster
2014-12-29 16:21 ` Paul Moore
2014-12-29 16:24 ` Toralf Förster
2014-12-29 19:41 ` Paul Moore
2014-12-29 20:18 ` Toralf Förster [this message]
2014-12-30 14:11 ` Paul Moore
2014-12-30 18:46 ` Paul Moore
2014-12-31 8:47 ` Toralf Förster
2014-12-31 10:57 ` Toralf Förster
2014-12-31 15:16 ` Paul Moore