From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Auditd.conf settings for Satellite 6 server
Date: Thu, 30 Mar 2017 11:59:54 -0400
Message-ID: <74546986.W0uhg84Tpr@x2>
In-Reply-To: <f4f9c8c0a84d4d449de0d66fae6b54b1@XCGVAG22.northgrum.com>

On Thursday, March 30, 2017 11:40:31 AM EDT Fulda, Paul R [US] (MS) wrote:
> Can someone give me some optimized auditd.conf settings for a Red Hat
> Satellite 6 server running on Red Hat 7.3?  When I am creating and updating
> content views on satellite, auditd cannot keep up and bogs the system to a
> halt.  The audit.rules file is configured for DISA security settings so
> it's looking at a lot of things.  Any help would be much appreciated.

For one, you can set the flush mode in auditd.conf to INCREMENTAL_ASYNC and it 
should allow you to completely fill up your disks in a hurry without bogging 
down the system. Also set freq to something like 250.

I would then take a look at the key report during that time to see what event 
is getting triggered. 

aureport --start xxx --end yyy --key --summary

Where xxx is start of this burst and yyy is end of this burst. (More than 
likely it's some rule watching deletes which is not very useful.) Once you know 
which rule is getting triggered I think we can talk about how to minimize the 
events.

-Steve
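The two steps in the reply above (tune flush/freq in auditd.conf, then find the rule that is firing with aureport's key summary) as a small shell helper. This is an added example, not code from Steve or from the audit package. It assumes the RHEL 7 auditd.conf "key = value" line format, GNU sed -i, and that `aureport --key --summary` prints a banner followed by "<count>  <key>" lines; the sample report text embedded below is constructed for the demo, not captured from a real system.

```shell
#!/bin/sh
# Added example for the thread above; not part of the original reply.
# Assumptions: auditd.conf uses "key = value" lines (RHEL 7 layout),
# GNU sed -i is available, and aureport's key summary is "<count>  <key>" rows.

# Set flush = INCREMENTAL_ASYNC and freq = 250 in the given auditd.conf,
# replacing existing lines or appending when absent. Other lines are untouched.
# Usage (as root, then restart auditd): tune_auditd_conf /etc/audit/auditd.conf
tune_auditd_conf() {
    conf="$1"
    if grep -qi '^flush[[:space:]]*=' "$conf"; then
        sed -i 's/^[Ff]lush[[:space:]]*=.*/flush = INCREMENTAL_ASYNC/' "$conf"
    else
        printf 'flush = INCREMENTAL_ASYNC\n' >> "$conf"
    fi
    if grep -qi '^freq[[:space:]]*=' "$conf"; then
        sed -i 's/^[Ff]req[[:space:]]*=.*/freq = 250/' "$conf"
    else
        printf 'freq = 250\n' >> "$conf"
    fi
}

# Read "aureport --key --summary" output on stdin and print "count key"
# rows, busiest key first. The banner, "total  key" header and "====" rules
# are skipped because their first field is not numeric.
rank_keys() {
    awk '$1 ~ /^[0-9]+$/ && NF >= 2 { print $1, $2 }' | sort -rn
}

# Wrapper around the command from the reply: start/end are any time
# expressions aureport accepts (e.g. "03/30/2017 10:00:00" or "today").
key_report() {
    aureport --start "$1" --end "$2" --key --summary | rank_keys
}

# Constructed sample of a key summary, used only to demonstrate rank_keys offline.
SAMPLE_KEY_SUMMARY='Key Summary Report
===========================
total  key
===========================
12  access
4812  delete
37  identity'

# Offline demo: tune a throwaway copy of auditd.conf and rank the sample report.
demo() {
    tmp=$(mktemp)
    printf 'log_file = /var/log/audit/audit.log\nflush = INCREMENTAL\nfreq = 20\n' > "$tmp"
    tune_auditd_conf "$tmp"
    echo "--- tuned auditd.conf ---"
    cat "$tmp"
    echo "--- keys ranked by event count ---"
    printf '%s\n' "$SAMPLE_KEY_SUMMARY" | rank_keys
    rm -f "$tmp"
}

demo
```

The top row of `rank_keys` output is the key whose rule to look at first; once the noisy key is known, `ausearch -k <key>` shows the individual records behind it so the rule can be narrowed.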
