public inbox for linux-audit@redhat.com
* auditd questions
@ 2011-09-08  6:38 Vipin Rathor
  2011-09-08 13:14 ` Steve Grubb
  0 siblings, 1 reply; 3+ messages in thread
From: Vipin Rathor @ 2011-09-08  6:38 UTC (permalink / raw)
  To: linux-audit

Hi Guys,
My auditd server is getting overwhelmed by the logs that it is getting.
I've configured a remote audit logging via audisp-plugin. Earlier I
tried to reduce the amount of logs by optimizing the audit rules. But
we want to reduce it further.
Here's the list of things that I can think of to reduce the overwhelming
amount of logs further:
1. Increase kernel buffer for auditd from 20480 (current) to 99999.
2. Increase the priority of auditd process. Currently 'priority_boost
= 10'. Default is 4. I don't know the maximum value (though I've seen
someone using 12). Can anyone tell me what's the maximum priority I
can give?
3. Optimize the audit messages further:
  a. Exclude single file (like /etc/sysconfig/bash-prompt-xterm ) from
being audited. This can be done with following rule (Thanks to
Steve!):
-a exit,never -F path=/etc/sysconfig/bash-prompt-xterm
  b. Exclude specific processes by their PIDs. This will be tricky as
we will need to keep track of PIDs in case of process
start/stop/restart etc.

Any other idea that I'm missing on this list? Is it possible to filter
the messages based on message pattern matching (like syslog)?
Any help will be much appreciated.
-- 
-Rathor


* Re: auditd questions
  2011-09-08  6:38 auditd questions Vipin Rathor
@ 2011-09-08 13:14 ` Steve Grubb
  2011-09-09  4:55   ` Vipin Rathor
  0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2011-09-08 13:14 UTC (permalink / raw)
  To: linux-audit

On Thursday, September 08, 2011 02:38:03 AM Vipin Rathor wrote:
> My auditd server is getting overwhelmed by the logs that it is getting.

This almost always means the rules are not properly tuned.

> I've configured a remote audit logging via audisp-plugin. Earlier I
> tried to reduce the amount of logs by optimizing the audit rules. But
> we want to reduce it further.
> Here's the list of things that I can think of to reduce the overwhelming
> amount of logs further:
> 1. Increase kernel buffer for auditd from 20480 (current) to 99999.
> 2. Increase the priority of auditd process. Currently 'priority_boost
> = 10'. Default is 4. I don't know the maximum value (though I've seen
> someone using 12). Can anyone tell me what's the maximum priority I
> can give?

Probably 19. This is dictated by the kernel. See the nice(1) command.


> 3. Optimize the audit messages further:
>   a. Exclude single file (like /etc/sysconfig/bash-prompt-xterm ) from
> being audited. This can be done with following rule (Thanks to
> Steve!):
> -a exit,never -F path=/etc/sysconfig/bash-prompt-xterm
>   b. Exclude specific processes by their PIDs. This will be tricky as
> we will need to keep track of PIDs in case of process
> start/stop/restart etc.

Yes, but you may be able to use the SE Linux label to prevent auditing of the process.

-Steve

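Putting the tuning steps from this exchange into one rules file, as an added example that is not part of the thread: the kernel backlog is raised with -b, the single file is excluded with the -a exit,never -F path= rule Steve gave, and a whole class of processes is excluded by its SELinux type with -F subj_type= (one way to apply the SELinux-label suggestion; the type of a running process is visible in the output of ps -eZ). The always rules at the end, the excluded paths, the type crond_t and the backlog value are illustrative assumptions, not values from the posts. The script also checks the ordering pitfall that silently defeats exclusions: the kernel walks the exit filter in order and stops at the first matching rule, so a never rule that sits after the always rule it is meant to override has no effect.

```shell
#!/bin/bash
# Added example for this thread, not code from the original posts.
# Builds an audit.rules file that applies the tuning steps discussed
# (bigger kernel backlog, exclusion of a path, exclusion by SELinux type)
# and checks that the exclusions sit where the kernel will honour them.
# The always rules, the example paths/types and the sizes are assumptions.

# Print a complete audit rules file to stdout.
#   $1  kernel backlog limit                              (auditctl -b)
#   $2  files to stop auditing, space separated          (-F path=)
#   $3  SELinux types to stop auditing, space separated  (-F subj_type=)
build_audit_rules() {
    backlog=$1
    skip_paths=$2
    skip_types=$3

    echo "-D"             # drop any loaded rules before reloading
    echo "-b $backlog"    # kernel backlog: events queued while auditd is busy
    echo "-f 1"           # on audit failure (e.g. backlog exhausted): printk, no panic

    # Suppressions go first. The kernel walks the exit filter in order and
    # stops at the first rule that matches, so a never rule placed after the
    # always rule it should override is dead.
    for p in $skip_paths; do
        echo "-a exit,never -F path=$p"
    done
    for t in $skip_types; do
        echo "-a exit,never -F subj_type=$t"
    done

    # Rules that generate events (illustrative; substitute your own set).
    echo "-w /etc/sysconfig -p wa -k sysconfig"
    echo "-a exit,always -F arch=b64 -S execve -k exec"
}

# Read a rules file on stdin. Exit 0 if every never rule precedes the first
# always rule or watch; exit 1 and print the shadowed never rules otherwise.
check_never_first() {
    awk '
        BEGIN { seen_always = 0; bad = 0 }
        /^-a ([a-z]+,)?always/ || /^-w / { seen_always = 1 }
        /^-a ([a-z]+,)?never/ && seen_always { bad = 1; print "shadowed: " $0 }
        END { exit bad }
    '
}

# Stand-alone use: print the rules, then verify them. Load the file with
# auditctl -R <file> only after the check passes.
if [ "${1:-}" = "--demo" ]; then
    rules=$(build_audit_rules 99999 "/etc/sysconfig/bash-prompt-xterm" "crond_t")
    printf '%s\n' "$rules"
    printf '%s\n' "$rules" | check_never_first
fi
```

priority_boost is not a rule and does not belong in this file; it stays in /etc/audit/auditd.conf, where it is the nice offset auditd applies to itself at startup. After loading, auditctl -l shows the rules in the order the kernel holds them, which is the order that matters for the never rules.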

* Re: auditd questions
  2011-09-08 13:14 ` Steve Grubb
@ 2011-09-09  4:55   ` Vipin Rathor
  0 siblings, 0 replies; 3+ messages in thread
From: Vipin Rathor @ 2011-09-09  4:55 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

> Yes, but you may be able to use the SE Linux label to prevent auditing of the process.
Steve, can you please tell me more about how to make use of the
SELinux label here?


-- 
-Rathor

