From: Brian LaMere
Subject: no logging of successful events?
Date: Mon, 18 Aug 2008 12:09:34 -0700
Message-ID: <1219086574.6522.8.camel@orpheus.clinicomp.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

With the following auditd.conf and audit.rules, we generate MASSIVE logs very quickly. I don't care about successful audit events; I'm not required to log them, and there's no way I could have the space for a year's worth anyway. So...why is it that "LIST_RULES: exit,always success!=0 syscall=open" doesn't disregard the successful calls? I can still see them if I do an aureport.

The logs are simply too massive to keep; if I set the max_log_file to much higher than 50 with 99 logs, an aureport takes eons. Unfortunately, it needs to be that high to save even a day's worth of logs when they're running certain programs. Any suggestions?
----------------------
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 3
flush = INCREMENTAL
freq = 20
num_logs = 50
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 20
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
--------------------------
LIST_RULES: exit,always success!=0 syscall=open
LIST_RULES: exit,always syscall=rmdir,unlink
LIST_RULES: exit,always syscall=acct,swapon,reboot
LIST_RULES: exit,always syscall=setrlimit,settimeofday,setdomainname
LIST_RULES: exit,always syscall=sched_setparam,sched_setscheduler
LIST_RULES: exit,always syscall=chmod,fchmod,chown,fchown
LIST_RULES: exit,always syscall=lchown
LIST_RULES: exit,always watch=/etc/auditd.conf perm=rwxa
LIST_RULES: exit,always watch=/etc/audit.rules perm=rwxa
------------------------------------------
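An added example (not from the post or from the audit project) that tallies SYSCALL records in a constructed RAW-format audit.log sample by syscall and outcome, and flags which rule lines would still record successful calls: of the rules above only the open rule carries a success filter at all, and in auditctl(8) the success field is 1 for a call that succeeded and 0 for one that failed, so only a filter that selects 0 restricts a rule to failures. The syscall numbers in the sample are assumed i386 values.

```python
import re
from collections import Counter

# Assumed i386 syscall numbers for the records used in the constructed sample.
SYSCALL_NAMES = {5: "open", 10: "unlink", 15: "chmod", 40: "rmdir"}

# Constructed sample of RAW-format audit.log records (not taken from the original post).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1219086574.101:1001): arch=40000003 syscall=5 success=yes exit=3 items=1 pid=2101 auid=500 uid=500 comm="cat" exe="/bin/cat" key=(null)
type=SYSCALL msg=audit(1219086574.102:1002): arch=40000003 syscall=5 success=yes exit=4 items=1 pid=2101 auid=500 uid=500 comm="cat" exe="/bin/cat" key=(null)
type=SYSCALL msg=audit(1219086574.103:1003): arch=40000003 syscall=5 success=no exit=-13 items=1 pid=2102 auid=500 uid=500 comm="vi" exe="/usr/bin/vi" key=(null)
type=SYSCALL msg=audit(1219086574.104:1004): arch=40000003 syscall=10 success=yes exit=0 items=2 pid=2103 auid=500 uid=500 comm="rm" exe="/bin/rm" key=(null)
type=SYSCALL msg=audit(1219086574.105:1005): arch=40000003 syscall=15 success=yes exit=0 items=1 pid=2104 auid=0 uid=0 comm="chmod" exe="/bin/chmod" key=(null)
type=CWD msg=audit(1219086574.105:1005): cwd="/home/user"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_syscall_records(text):
    """Return one dict per type=SYSCALL line; CWD, PATH and other record types are skipped."""
    records = []
    for line in text.splitlines():
        if not line.startswith("type=SYSCALL "):
            continue
        fields = dict(FIELD_RE.findall(line))
        records.append({
            "syscall": SYSCALL_NAMES.get(int(fields["syscall"]), fields["syscall"]),
            "success": fields["success"] == "yes",
            "comm": fields.get("comm", "").strip('"'),
        })
    return records

def tally_by_outcome(records):
    """Count records per (syscall, outcome) so the rules producing the volume stand out."""
    return Counter((r["syscall"], "success" if r["success"] else "fail") for r in records)

def rules_recording_successes(rules):
    """Return the syscall list of every 'auditctl -l' style rule that would still record
    successful calls: rules with no success filter, or with a filter that does not
    select failures (success=0 / success!=1)."""
    noisy = []
    for rule in rules:
        m = re.search(r"syscall=(\S+)", rule)
        if not m:
            continue  # watch rules have no syscall list; not the subject of this check
        f = re.search(r"success(!=|=)(\d)", rule)
        restricts_to_failures = f is not None and (f.group(1), f.group(2)) in (("=", "0"), ("!=", "1"))
        if not restricts_to_failures:
            noisy.append(m.group(1))
    return noisy
```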