From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: auditd questions
Date: Thu, 8 Sep 2011 09:14:47 -0400
Message-ID: <201109080914.47615.sgrubb@redhat.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday, September 08, 2011 02:38:03 AM Vipin Rathor wrote:
> My auditd server is getting overwhelmed by the logs that it is getting.

This almost always means the rules are not properly tuned.

> I've configured remote audit logging via audisp-plugin. Earlier I
> tried to reduce the amount of logs by optimizing the audit rules. But
> we want to reduce it further.
> Here's the list of things that I can think of to reduce the overwhelming
> of logs further:
> 1. Increase kernel buffer for auditd from 20480 (current) to 99999.
> 2. Increase the priority of auditd process. Currently 'priority_boost
> = 10'. Default is 4. I don't know the maximum value (though I've seen
> someone using 12). Can anyone tell me what's the maximum priority I
> can give?

Probably 19. This is dictated by the kernel. See the nice(1) command.

> 3. Optimize the audit messages further:
> a. Exclude a single file (like /etc/sysconfig/bash-prompt-xterm ) from
> being audited. This can be done with the following rule (Thanks to
> Steve!):
> -a exit,never -F path=/etc/sysconfig/bash-prompt-xterm
> b. Exclude specific processes by their PIDs. This will be tricky as
> we will need to keep track of PIDs in case of process
> start/stop/restart etc.

Yes, but you may be able to use the SE Linux label to prevent auditing of the process.

-Steve
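The two suppression techniques discussed in the thread, the per-file `-a exit,never -F path=` rule Vipin quotes and the SELinux-label exclusion Steve suggests, only work when auditctl evaluates them before the watches they are meant to exempt: the kernel walks the exit list in order and the first matching rule decides, so a `never` rule placed after an `always` rule that already matches the event is dead weight. The following script is an added example, not code from the thread or from the audit project. It emits a rules fragment with the suppressions first and lints an existing rules file for shadowed `never` rules. The SELinux type `noisy_daemon_t` and the watched paths are constructed placeholders; `-F subj_type=` is a real auditctl field and takes the type from the process's SELinux context.

```shell
#!/bin/sh
# Added example (not from the thread): tuned audit.rules fragment plus a lint
# for "never" rules that an earlier "always" rule or watch already shadows.

# Hypothetical SELinux type of the chatty process (constructed placeholder);
# take the real value from the third field of the process's context in `ps -eZ`.
NOISY_TYPE="noisy_daemon_t"

# Print a rules fragment. The exit list is evaluated top to bottom and the
# first match wins, so every suppression goes above the watches it exempts.
build_rules() {
    cat <<EOF
## Suppressions first: first matching rule wins
-a exit,never -F path=/etc/sysconfig/bash-prompt-xterm
-a exit,never -F subj_type=${NOISY_TYPE}
## Watches after the suppressions (constructed sample paths)
-w /etc/sysconfig -p wa -k sysconfig
-w /etc/passwd -p wa -k identity
EOF
}

# Lint a rules file: a "never" rule on the exit list that follows an "always"
# exit rule or a -w watch cannot undo what those rules already record, so it
# is reported as shadowed. Returns 0 when clean, 1 when a shadowed rule exists.
lint_rules() {
    awk '
        /^[ \t]*(#|$)/ { next }                                  # skip comments, blanks
        /^-a[ \t]+(exit,always|always,exit)/ || /^-w[ \t]/ {      # -w is always,exit
            seen_always = 1; next
        }
        /^-a[ \t]+(exit,never|never,exit)/ && seen_always {
            print "shadowed suppression at line " NR ": " $0
            bad = 1
        }
        END { exit bad }
    ' "$1"
}

# Stand-alone use: write the fragment to a file and lint it before loading.
if [ "${1:-}" = "--demo" ]; then
    out="${2:-/tmp/audit-tuned.rules}"   # constructed output path
    build_rules > "$out"
    lint_rules "$out" && echo "ok: $out (load with: auditctl -R $out)"
fi
```

Run `lint_rules` against the deployed `audit.rules` whenever a suppression seems to have no effect; a reported line number points at a `never` rule that needs to move above the watch it is meant to silence.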