From: Steve Grubb
Subject: Re: two questions regarding default audit behavior
Date: Wed, 17 Jan 2007 11:07:18 -0500
Message-ID: <200701171107.18591.sgrubb@redhat.com>
In-Reply-To: <45AE47AB.4090708@aa.usno.navy.mil>
References: <45AE47AB.4090708@aa.usno.navy.mil>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Wednesday 17 January 2007 10:58, Bill Tangren wrote:
> I have two questions regarding default audit behavior (i.e. auditd is
> running, but there is nothing in audit.rules but "-D" and "-b 256"):
>
> 1) what is being audited?

Nothing except the hardcoded events in various apps and SE Linux AVC events. The default setting is to cater to SE Linux users that have no other use for the audit system.

> 2) can I use the -D command to prevent those things from being audited?

Nope. You'd have to do "-e 0" to do that. Even then, SE Linux will still send things to the audit system.

> I am required to have auditing running, but what I need to audit is
> specific. One server in particular is slow (a 750 MHz Pentium III) to start
> with, and default auditing is slowing it down to a crawl.

Do you have any oprofile data showing the bottleneck? I'd be curious. Also, what kernel are you using? We've tested the performance of the audit system and it's not a big hit unless you have a lot of syscall rules loaded. Watches are cheap.

-Steve
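Added example, not part of either mail and not a file shipped by the audit project: the two-line audit.rules the question describes, the "-e 0" alternative from the reply, and a hypothetical targeted ruleset built mostly from file watches, which the reply says are cheap compared with loading many syscall rules. The watched paths, the -k key names and the auid threshold are illustrative choices, not anything stated on the list.

```conf
## Section 1: the audit.rules from the question, nothing but these two
## lines. -D flushes rules already loaded, -b sets the kernel backlog.
## With only this, the log still receives the hardcoded application
## events (login, cron, su, ...) and the SELinux AVC messages.
-D
-b 256

## Section 2: Steve's "-e 0". Disables the audit system so no rule is
## evaluated and no syscall records are produced; per the reply,
## SELinux still sends its AVC messages to the audit subsystem.
# -e 0

## Section 3: hypothetical targeted ruleset (example only). Watches fire
## only when the named inode is touched, so they add little overhead;
## every -a/-S syscall rule, by contrast, is evaluated on every matching
## syscall in the system, which is the cost the reply warns about.
-D
-b 256
-w /etc/passwd -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/sudoers -p wa -k identity
-w /etc/audit/auditd.conf -p wa -k audit-config
## A single narrow syscall rule, kept cheap with -F filters: record only
## failed open() calls by real users (auid>=500 assumes a 2007-era UID
## layout; adjust to your site's first ordinary UID).
-a always,exit -S open -F success=0 -F auid>=500 -k failed-open
-e 1
```

Pick exactly one section for the file you load. Load it with `auditctl -R /etc/audit/audit.rules` (or restart auditd) and confirm what the kernel actually has with `auditctl -l`; if the ruleset still drags on a slow machine, the reply's advice applies: profile first (oprofile, the kernel version), then count and trim the -a/-S syscall rules rather than the -w watches.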