Significant performance hit auditing system account actions?

Significant performance hit auditing system account actions?

[leam hall]

[-- Attachment #1.1: Type: text/plain, Size: 434 bytes --]

Some security requirements include auditing events by users and root. So
the line might include something like:

  -F auid=0 -F auid>=500 -F auid!=4294967295

My question is, if you don't include that phrase will the audit system
still get everything and not incur a serious performance hit. Effectively
it will audit everything for users 1-499, the usual system accounts.

Leam

-- 
Mind on a Mission <http://leamhall.blogspot.com/>

[-- Attachment #1.2: Type: text/html, Size: 670 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Significant performance hit auditing system account actions?

[Steve Grubb]

On Thursday, May 14, 2015 03:24:16 PM leam hall wrote:
> Some security requirements include auditing events by users and root. So
> the line might include something like:
> 
>   -F auid=0 -F auid>=500 -F auid!=4294967295

The fields will be "anded". You cannot simultaneously have auid of 0 and >=500. 
So, you won't get any events.

> My question is, if you don't include that phrase will the audit system
> still get everything and not incur a serious performance hit. Effectively
> it will audit everything for users 1-499, the usual system accounts.

Typically the requirements read as audit root user actions - which is covered 
by TTY auditing. Everything else is covered by the other rules.

-Steve