Audit slowing system.

Audit slowing system.

[David Flatley]

[-- Attachment #1.1: Type: text/plain, Size: 397 bytes --]

    RHEL 4.7 system running Steve Grubb's STIG compliant audit.rules file. 
System seems to be struggling to run audit. I run this
config on several systems with no problems. Top does not show anything 
that indicates a problem, no directories filling. Any 
suggestions on settings to change? It is a 64 bit system with the 32 bit 
rules commented out in the rules file.
    Thanks. 

D Flatley 


[-- Attachment #1.2: Type: text/html, Size: 637 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Audit slowing system.

[Steve Grubb]

On Wednesday, May 04, 2011 03:41:09 PM David Flatley wrote:
>     RHEL 4.7 system running Steve Grubb's STIG compliant audit.rules file. 
> System seems to be struggling to run audit. I run this
> config on several systems with no problems. Top does not show anything 
> that indicates a problem, no directories filling. Any 
> suggestions on settings to change? It is a 64 bit system with the 32 bit 
> rules commented out in the rules file.

Are you getting lots of audit events logged? If so, that might point towards a rule 
that might need adjusting. Also, stig rules were never shipped (or tested) on RHEL4. 
So, I don't know which ones you are using. If the rules do not explicitly add the -F 
arch=b64 on the 64 bit rules, that would cause problems.

-Steve

Re: Audit slowing system.

[David Flatley]

[-- Attachment #1.1: Type: text/plain, Size: 1242 bytes --]

    Yes I have had to adjust the rules file for RHEL 4. I have this 
running on several RHEL 4 systems with no problems but this system is a 
server
running a database. I upped the priority from 3 to 4 and increased the 
buffer from 8 to 12 megs. I will recheck for the -F.
    Thanks.

D Flatley 



From:
Steve Grubb <sgrubb@redhat.com>
To:
linux-audit@redhat.com
Cc:
David Flatley/Burlington/IBM@IBMUS
Date:
05/05/2011 08:48 AM
Subject:
Re: Audit slowing system.



On Wednesday, May 04, 2011 03:41:09 PM David Flatley wrote:
>     RHEL 4.7 system running Steve Grubb's STIG compliant audit.rules 
file. 
> System seems to be struggling to run audit. I run this
> config on several systems with no problems. Top does not show anything 
> that indicates a problem, no directories filling. Any 
> suggestions on settings to change? It is a 64 bit system with the 32 bit 

> rules commented out in the rules file.

Are you getting lots of audit events logged? If so, that might point 
towards a rule 
that might need adjusting. Also, stig rules were never shipped (or tested) 
on RHEL4. 
So, I don't know which ones you are using. If the rules do not explicitly 
add the -F 
arch=b64 on the 64 bit rules, that would cause problems.

-Steve



[-- Attachment #1.2: Type: text/html, Size: 2192 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Audit slowing system.

[LC Bruzenak]

You generally should start with an aureport over the time period you saw
the issue, then drill down from there. But if your audit logs are not
larger than usual maybe this isn't your problem.

What symptoms of struggling are you seeing? You said top shows nothing
out of the ordinary and no directories are getting full (I suppose you
mean /var/log/audit)...so I am not certain what behavior you see that is
leading you towards audit being the problem.

LCB

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com