public inbox for linux-audit@redhat.com
From: "Bill Tangren" <bjt@usno.navy.mil>
To: Linux-audit@redhat.com
Subject: more on limiting auditing of file access
Date: Mon, 5 Nov 2007 13:36:30 -0500 (EST)	[thread overview]
Message-ID: <32998.10.1.5.58.1194287790.squirrel@aa.usno.navy.mil> (raw)

Like Greg, I have servers that are doing a lot of auditing of file access
that I don't want it to do. I am running a RHEL ES 4 system, fully
patched, that runs audit-1.0.15-3.EL4. This is the output for aureport
summary:

[root@aa ~]# /sbin/aureport    -ts yesterday 00:00:00 -te today 00:00:00

Summary Report
======================
Range of time: 11/02/2007 10:38:28.035 - 11/05/2007 10:53:23.707
Number of changes in configuration: 0
Number of changes to accounts or groups: 0
Number of logins: 0
Number of failed logins: 0
Number of users: 3
Number of terminals: 2
Number of host names: 1
Number of executables: 55
Number of files: 3151
Number of AVC denials: 96937
Number of failed syscalls: 4300876
Number of watched file events: 215001
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of process IDs: 32349
Number of events: 4531650

Notice the large number of watched file events. The daily audit logs are
nearly 2GB in size. [And I'm required to keep a year's worth of audit
logs!]

When I issue this command:

[root@aa ~]# aureport -f --summary | head -20

File Summary Report
===========================
total  file
===========================
703314  passwd
703313  /etc/passwd
515973  /dev/tty
355209  /home/httpd/faq/docs/daylight_time.php/.htaccess
288538  /home/httpd/css/default.css/.htaccess
281723  /home/httpd/js/default.js/.htaccess
237471  /home/httpd/menu/stmenu.js/.htaccess
211210  /home/httpd/graphics/USNODomeatNight_painted.png/.htaccess
209720  /home/httpd/css/print.css/.htaccess
205240  /home/httpd/graphics/blank.gif/.htaccess
205042  /home/httpd/graphics/header_strip_stars.jpg/.htaccess
202624  /home/httpd/graphics/valid-html401.png/.htaccess
188072  /home/httpd/favicon.ico/.htaccess
131774  /home/httpd/data/USPLACES.DA
49634  /home/httpd/faq/docs/daylight_time.html/.htaccess

Note the high percentage of files accessed by the web server, especially
.htaccess.

I have a rule that audits failed access to files:

-a exit,always -S chmod -S lchown -S chown -F success=0

I assume that this is the rule that is causing so many files accessed by
the web server to be logged. How can I change this rule to exclude user
apache from tripping this rule?

-- 
Bill Tangren
U.S. Naval Observatory
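The accounting below is an added example, not part of the thread or of the audit package. It reads audit.log records and attributes every failed chmod/lchown/chown SYSCALL record (the records the quoted `-F success=0` rule emits) to the uid and executable that produced them, and can preview what remains if a `uid!=` filter is appended to the rule. The log lines are constructed, the syscall numbers are the i386 values (an assumption; check with `ausyscall --dump` or the kernel headers for the real architecture), and uid 48 for apache is likewise an assumption to be checked with `id apache`.

```shell
#!/bin/sh
# Added example (not from the original thread). Attribute failed
# chmod/lchown/chown SYSCALL records to uid and exe so that a rule such as
#   -a exit,always -S chmod -S lchown -S chown -F success=0
# can be tuned with evidence. A candidate tuned rule, assuming apache is
# uid 48 on the host (verify with `id apache`), would be
#   -a exit,always -S chmod -S lchown -S chown -F success=0 -F uid!=48
# Syscall numbers are taken as i386 values (15=chmod, 16=lchown,
# 182=chown, 212=chown32); this is an assumption, check ausyscall --dump.

# Constructed sample records in auditd's SYSCALL/PATH record layout.
SAMPLE_LOG='type=SYSCALL msg=audit(1194287700.001:1001): arch=40000003 syscall=15 success=no exit=-13 items=1 ppid=1 pid=2001 auid=4294967295 uid=48 gid=48 euid=48 comm="httpd" exe="/usr/sbin/httpd"
type=PATH msg=audit(1194287700.001:1001): item=0 name="/home/httpd/css/default.css/.htaccess"
type=SYSCALL msg=audit(1194287700.002:1002): arch=40000003 syscall=15 success=no exit=-13 items=1 ppid=1 pid=2001 auid=4294967295 uid=48 gid=48 euid=48 comm="httpd" exe="/usr/sbin/httpd"
type=PATH msg=audit(1194287700.002:1002): item=0 name="/home/httpd/js/default.js/.htaccess"
type=SYSCALL msg=audit(1194287700.003:1003): arch=40000003 syscall=212 success=no exit=-1 items=1 ppid=1 pid=2001 auid=4294967295 uid=48 gid=48 euid=48 comm="httpd" exe="/usr/sbin/httpd"
type=PATH msg=audit(1194287700.003:1003): item=0 name="/home/httpd/favicon.ico/.htaccess"
type=SYSCALL msg=audit(1194287700.004:1004): arch=40000003 syscall=15 success=no exit=-1 items=1 ppid=900 pid=3001 auid=500 uid=500 gid=500 euid=500 comm="chmod" exe="/bin/chmod"
type=PATH msg=audit(1194287700.004:1004): item=0 name="/etc/passwd"
type=SYSCALL msg=audit(1194287700.005:1005): arch=40000003 syscall=15 success=yes exit=0 items=1 ppid=1 pid=2001 auid=4294967295 uid=48 gid=48 euid=48 comm="httpd" exe="/usr/sbin/httpd"
type=PATH msg=audit(1194287700.005:1005): item=0 name="/home/httpd/data/USPLACES.DA"'

# failed_by_uid [SKIP_UID]
# Reads audit records on stdin and prints "count uid exe", busiest first,
# for every SYSCALL record the success=0 chmod/lchown/chown rule matches.
# When SKIP_UID is given, records from that uid are dropped, which previews
# the effect of appending "-F uid!=SKIP_UID" to the rule.
failed_by_uid() {
    skip_uid="${1:-}"
    awk -v skip="$skip_uid" '
        $1 == "type=SYSCALL" {
            split("", f)                      # reset key=value map (portable)
            for (i = 2; i <= NF; i++) {
                n = index($i, "=")
                if (n > 0) f[substr($i, 1, n - 1)] = substr($i, n + 1)
            }
            if (f["success"] != "no") next    # -F success=0
            s = f["syscall"]
            if (s != "15" && s != "16" && s != "182" && s != "212") next
            if (skip != "" && f["uid"] == skip) next
            gsub(/"/, "", f["exe"])
            count[f["uid"] " " f["exe"]]++
        }
        END { for (k in count) print count[k], k }
    ' | sort -rn
}

# Stand-alone run against the constructed sample, then the uid!=48 preview.
if [ "${RUN_EXAMPLE:-1}" = "1" ]; then
    printf '%s\n' "$SAMPLE_LOG" | failed_by_uid
    echo '--- with uid 48 excluded ---'
    printf '%s\n' "$SAMPLE_LOG" | failed_by_uid 48
fi
```

On a real host, replace the sample with `cat /var/log/audit/audit.log | failed_by_uid`; if the web server's uid tops the list, the `uid!=` filter targets the right records, and if it does not, the volume is coming from a different rule or watch than the one quoted.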

Thread overview: 3+ messages
2007-11-05 18:36 Bill Tangren [this message]
2007-11-05 20:08 ` more on limiting auditing of file access Steve Grubb
2007-11-05 20:32   ` Bill Tangren