public inbox for linux-audit@redhat.com
* FW: I'd like to turn auditd off but...
@ 2011-11-25  1:28 Brian Ross
  2011-11-29 16:29 ` Steve Grubb
  0 siblings, 1 reply; 4+ messages in thread
From: Brian Ross @ 2011-11-25  1:28 UTC (permalink / raw)
  To: linux-audit@redhat.com

Further to this, I've just found out that auditd is logging it seems every transaction that Oracle makes. I have found squillions of entries in the log file for the oracle user "orpmpxgi". Is there any way to quickly stop auditd logging for a particular user?

Stopping that may fix many of my problems.

Cheers

Brian Ross

From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Brian Ross
Sent: Tuesday, November 22, 2011 9:04 AM
To:
Subject: I'd like to turn auditd off but...

I have a client who is still running RHEL3. Over the last 12 months the auditd process has become steadily more and more intrusive and causing problems. I have attempted to turn it off but whenever I do so, suddenly SSH logins stop working.

At the moment the only way I have to manage the auditd process is to regularly delete the 2+GB of log files it creates every 4 hours. Can anybody tell me how to turn it off without affecting other things?

Cheers

Brian Ross

* FW: I'd like to turn auditd off but...
@ 2011-11-28 18:37 Worsham, Michael
  2011-11-29 16:33 ` Steve Grubb
  0 siblings, 1 reply; 4+ messages in thread
From: Worsham, Michael @ 2011-11-28 18:37 UTC (permalink / raw)
  To: Brian.Ross@asggroup.com.au; +Cc: linux-audit@redhat.com

If you have figured out a way to exclude logging via a User or UID, please post it. Our Oracle OEM and VMware Tools daemons just spit out so much information it's unreal.

As for your earlier question about the large audit.log files, we have this line in our /etc/audit/auditd.conf file:

max_log_file_action = ROTATE

-- Michael
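
An added example of the auditd.conf settings that ROTATE depends on; this is the editor's fragment, not Michael's or Brian's configuration, and the sizes are assumptions:

```text
# /etc/audit/auditd.conf (added example; sizes are assumptions)
log_file = /var/log/audit/audit.log
log_format = RAW
flush = INCREMENTAL
freq = 20

# max_log_file is in megabytes.  On reaching it, ROTATE renames audit.log to
# audit.log.1 (up to .num_logs) and deletes the oldest file.  Retention is
# therefore about num_logs * max_log_file, roughly 1 GB here.
max_log_file = 200
num_logs = 5
max_log_file_action = ROTATE

# KEEP_LOGS rotates as well but never deletes.  Use it, and ship the files
# off-host, where the audit trail is evidence rather than a nuisance.
# max_log_file_action = KEEP_LOGS

# What to do as the log filesystem fills (thresholds in megabytes free).
space_left = 500
space_left_action = SYSLOG
admin_space_left = 100
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
```

With ROTATE, anything older than num_logs rotations is gone unread; at 2 GB every four hours that window is short, so ROTATE alone solves the disk problem and not the record-keeping one. KEEP_LOGS keeps everything at the cost of the disk, which is why the space_left thresholds matter with it.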

* Re: FW: I'd like to turn auditd off but...
  2011-11-25  1:28 Brian Ross
@ 2011-11-29 16:29 ` Steve Grubb
  0 siblings, 0 replies; 4+ messages in thread
From: Steve Grubb @ 2011-11-29 16:29 UTC (permalink / raw)
  To: linux-audit

On Thursday, November 24, 2011 08:28:49 PM Brian Ross wrote:
> Further to this, I've just found out that auditd is logging it seems every
> transaction that Oracle makes.   I have found squillions of entries in the
> log file for the oracle user "orpmpxgi".  Is there any way to quickly stop
> auditd logging for a particular user?

If you are on RHEL4 or later, you can do something like this near the top of your 
rules:

-a never,exit -F uid=orpmpxgi

But that means you also won't get security relevant events either.

-Steve
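
An added example, not from the thread, of where the rule above sits in a rules file and what it does to the rest of it. The always rules and the key names are the editor's assumptions, chosen only to show what survives the exclusion; the auditctl syntax is the audit 1.x/2.x form that Steve's line uses:

```text
## /etc/audit/audit.rules (added example; the always rules are assumed)
## Rules are matched in order and the first match decides, so a never rule
## only discards an event if it appears before the always rule that would
## otherwise record it.  Exclusions therefore go at the top.
-D
-b 8192

## Drops every syscall event for the Oracle account, including an execve or
## a permission-denied open by that uid.  A narrower exclusion would add
## -S <syscall> for the noisy calls only and leave the rest audited.
-a never,exit -F uid=orpmpxgi

## The always rules below no longer see orpmpxgi at all.
-a always,exit -F arch=b64 -S execve -k exec
-a always,exit -F arch=b64 -S open -F exit=-EACCES -k access-denied
-w /etc/passwd -p wa -k identity

-e 1
```

Check the result with `auditctl -l` after loading: the never rule must be listed before the always rules, otherwise it has no effect on events they already matched.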

* Re: FW: I'd like to turn auditd off but...
  2011-11-28 18:37 FW: I'd like to turn auditd off but Worsham, Michael
@ 2011-11-29 16:33 ` Steve Grubb
  0 siblings, 0 replies; 4+ messages in thread
From: Steve Grubb @ 2011-11-29 16:33 UTC (permalink / raw)
  To: linux-audit; +Cc: Worsham, Michael

On Monday, November 28, 2011 01:37:23 PM Worsham, Michael wrote:
> If you have figured out a way to exclude logging via a User or UID, please
> post it. Our Oracle OEM and VMware Tools daemons just spit out so much
> information it's unreal.

What kinds of events are we talking about? (assuming oracle is uid orpmpxgi):

ausearch --start today --uid orpmpxgi --raw | aureport --summary --event -i

-Steve
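
The triage step above, worked offline as an added example that is not code from the thread or from the audit package. It does for a handful of constructed raw records what `ausearch --uid orpmpxgi --raw | aureport --summary --event -i` does for the live log: group records into events by their audit(ts:serial) id, keep the events carrying the target uid, and count them by record type and syscall. It then derives never rules restricted to the syscalls that dominate the count, which answers the caveat in Steve's earlier reply by leaving the account's rarer events audited. The passwd, arch and syscall tables stand in for what `ausearch -i` resolves from the system, and the sample records are constructed:

```python
"""Offline triage of raw audit records for one uid (added example)."""
import re
from collections import Counter, defaultdict

# Constructed stand-in for the /etc/passwd lookups that ausearch -i performs.
PASSWD = {"orpmpxgi": 1001, "brian": 500, "root": 0}

# Constructed partial syscall tables, keyed by the auditctl arch label.
ARCH_LABEL = {"c000003e": "b64", "40000003": "b32"}
SYSCALLS = {
    "b64": {0: "read", 1: "write", 2: "open", 17: "pread64", 18: "pwrite64",
            59: "execve", 257: "openat"},
    "b32": {3: "read", 4: "write", 5: "open", 11: "execve"},
}

HEADER_RE = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
FIELD_RE = re.compile(r"""(\w+)=("[^"]*"|'[^']*'|\S+)""")


def parse_record(line):
    """One raw record -> dict, or None for lines that are not audit records."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rtype, stamp, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(body)}
    return {"type": rtype, "event": (stamp, int(serial)), "fields": fields}


def group_events(lines):
    """ausearch's unit of work: every record sharing one audit(ts:serial) id."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["event"]].append(rec)
    return events


def events_for_uid(events, uid):
    """Keep events where some record carries uid=<uid> (PATH records only carry ouid)."""
    return {k: recs for k, recs in events.items()
            if any(r["fields"].get("uid") == str(uid) for r in recs)}


def summarize(events):
    """Counts per record type and per (arch, syscall name), as aureport -i prints them."""
    by_type, by_syscall = Counter(), Counter()
    for recs in events.values():
        for r in recs:
            by_type[r["type"]] += 1
            if r["type"] == "SYSCALL":
                arch = ARCH_LABEL.get(r["fields"].get("arch"), "unknown")
                nr = int(r["fields"].get("syscall", -1))
                name = SYSCALLS.get(arch, {}).get(nr, f"syscall-{nr}")
                by_syscall[(arch, name)] += 1
    return by_type, by_syscall


def suggest_never_rules(by_syscall, user, threshold):
    """Exclusions for the noisy syscalls only; they must precede any always rule."""
    return [f"-a never,exit -F arch={arch} -S {name} -F uid={user}"
            for (arch, name), n in sorted(by_syscall.items()) if n >= threshold]


def triage(lines, user, threshold=2):
    """Event count, type summary, syscall summary and suggested rules for one user."""
    evs = events_for_uid(group_events(lines), PASSWD[user])
    by_type, by_syscall = summarize(evs)
    return len(evs), by_type, by_syscall, suggest_never_rules(by_syscall, user, threshold)


# Constructed raw records: an Oracle process (uid 1001) doing pread64/pwrite64 and one
# file open, one execve under the same uid, and an unrelated ssh login by uid 500.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1322179200.101:4501): arch=c000003e syscall=17 success=yes exit=8192 items=0 pid=2345 auid=4294967295 uid=1001 gid=1001 euid=1001 comm="oracle" exe="/u01/app/oracle/bin/oracle"
type=SYSCALL msg=audit(1322179200.102:4502): arch=c000003e syscall=18 success=yes exit=8192 items=0 pid=2345 auid=4294967295 uid=1001 gid=1001 euid=1001 comm="oracle" exe="/u01/app/oracle/bin/oracle"
type=SYSCALL msg=audit(1322179200.103:4503): arch=c000003e syscall=17 success=yes exit=8192 items=0 pid=2345 auid=4294967295 uid=1001 gid=1001 euid=1001 comm="oracle" exe="/u01/app/oracle/bin/oracle"
type=SYSCALL msg=audit(1322179200.104:4504): arch=c000003e syscall=2 success=yes exit=7 items=1 pid=2345 auid=4294967295 uid=1001 gid=1001 euid=1001 comm="oracle" exe="/u01/app/oracle/bin/oracle"
type=PATH msg=audit(1322179200.104:4504): item=0 name="/u01/oradata/ORCL/system01.dbf" inode=131077 dev=08:11 mode=0100640 ouid=1001 ogid=1001
type=USER_LOGIN msg=audit(1322179260.500:4505): user pid=3001 uid=0 auid=500 msg='acct="brian" exe="/usr/sbin/sshd" hostname=? addr=10.0.0.5 terminal=ssh res=success'
type=SYSCALL msg=audit(1322179261.700:4506): arch=c000003e syscall=59 success=yes exit=0 items=1 pid=3010 auid=500 uid=1001 gid=1001 euid=1001 comm="sh" exe="/bin/bash"
type=PATH msg=audit(1322179261.700:4506): item=0 name="/bin/sh" inode=9 dev=08:01 mode=0100755 ouid=0 ogid=0
"""

if __name__ == "__main__":
    n, by_type, by_syscall, rules = triage(SAMPLE_LOG.splitlines(), "orpmpxgi")
    print(f"{n} events for orpmpxgi")
    for t, c in by_type.most_common():
        print(f"  {c:4d} {t}")
    for (arch, name), c in by_syscall.most_common():
        print(f"  {c:4d} {arch} {name}")
    print("Suggested exclusions (place before the always rules):")
    print("\n".join(rules))
```

On the sample, pread64 is the only call over the threshold, so the single suggested rule drops it for orpmpxgi while the execve by the same uid (event 4506) still reaches the always rules; a blanket `-a never,exit -F uid=orpmpxgi` would have discarded that too. Against a real log, feed `ausearch --start today --uid orpmpxgi --raw` into `triage()` and raise the threshold to taste.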
