From: Steve Grubb
Subject: Re: question
Date: Mon, 3 Nov 2008 09:15:45 -0500
Message-ID: <200811030915.45658.sgrubb@redhat.com>
To: David Flatley
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Sunday 02 November 2008 21:42:47 David Flatley wrote:
> Presently I am using the S.T.I.G. recommendations but I may
> have to use more extensive rules which I am in the process of testing.

Are you using the stig.rules from the audit package or something else?

If I were you, I'd spend some time making sure your rules are tuned. Assuming that you have keys on your rules, you can run a key report to see what is causing you the most events:

aureport --start this-week --key --summary

Then you'd want to dig into some of those records and see what kinds of things are happening. Assuming you have a key of delete and you wanted to see what syscalls are the most often logged:

ausearch --start this-week -k delete --raw | aureport --syscall --summary -i

Assuming that shows unlinkat as the most prevalent syscall:

ausearch --start this-week -k delete -sc unlinkat --raw | aureport --user --summary -i

And so on until you see what is causing so much logging. This doesn't help with the archiving, but could help you get the right audit data recorded.

-Steve
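The key -> syscall -> user drill-down Steve describes, reimplemented here as an added example over constructed `ausearch --raw` style records (this is not code from the thread or from the audit package). It assumes x86_64 records (arch=c000003e), a tiny syscall-number table covering only the sample, and uses auid as the per-user field.

```python
import re
from collections import Counter

# Constructed, abbreviated records in ausearch --raw form (not taken from the thread).
# Real records carry many more fields; only those needed for the triage are kept.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1225670547.101:4501): arch=c000003e syscall=263 success=yes exit=0 auid=500 uid=500 comm="rm" key="delete"
type=SYSCALL msg=audit(1225670547.102:4502): arch=c000003e syscall=263 success=yes exit=0 auid=500 uid=500 comm="rm" key="delete"
type=SYSCALL msg=audit(1225670547.103:4503): arch=c000003e syscall=263 success=yes exit=0 auid=0 uid=0 comm="logrotate" key="delete"
type=SYSCALL msg=audit(1225670547.104:4504): arch=c000003e syscall=87 success=yes exit=0 auid=0 uid=0 comm="rm" key="delete"
type=SYSCALL msg=audit(1225670547.105:4505): arch=c000003e syscall=2 success=no exit=-13 auid=500 uid=500 comm="cat" key="access"
type=SYSCALL msg=audit(1225670547.106:4506): arch=c000003e syscall=263 success=yes exit=0 auid=500 uid=500 comm="rm" key="delete"
"""

# x86_64 syscall numbers used in the sample (assumption: every record is arch=c000003e).
X86_64_SYSCALLS = {2: "open", 87: "unlink", 263: "unlinkat"}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Turn one raw record into a dict; strip quotes and name the syscall as aureport -i would."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if fields.get("arch") == "c000003e" and "syscall" in fields:
        fields["syscall"] = X86_64_SYSCALLS.get(int(fields["syscall"]), fields["syscall"])
    return fields

def summary(records, field, **where):
    """Count records by `field` after filtering on `where`: the aureport --summary step."""
    hits = (r for r in records if all(r.get(k) == v for k, v in where.items()))
    return Counter(r[field] for r in hits if field in r).most_common()

def triage(raw_text):
    """Three steps from the message: by key, by syscall within the top key, by auid within both."""
    records = [parse_record(ln) for ln in raw_text.splitlines() if ln.strip()]
    by_key = summary(records, "key")
    top_key = by_key[0][0]                      # e.g. "delete"
    by_syscall = summary(records, "syscall", key=top_key)
    top_sc = by_syscall[0][0]                   # e.g. "unlinkat"
    by_user = summary(records, "auid", key=top_key, syscall=top_sc)
    return by_key, by_syscall, by_user

if __name__ == "__main__":
    for title, table in zip(("key", "syscall", "auid"), triage(SAMPLE_LOG)):
        print(f"--- by {title} ---")
        for value, n in table:
            print(f"{n:6d}  {value}")
```

Each table shows which rule key, then which syscall, then which login uid is producing the bulk of the events, which is what tells you whether a rule needs narrowing (for example excluding a noisy system account) before you worry about archiving volume.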