From: "Bill Tangren"
Subject: more on limiting auditing of file access
Date: Mon, 5 Nov 2007 13:36:30 -0500 (EST)
Message-ID: <32998.10.1.5.58.1194287790.squirrel@aa.usno.navy.mil>
To: Linux-audit@redhat.com

Like Greg, I have servers that are doing a lot of auditing of file access that I don't want them to do. I am running a RHEL ES 4 system, fully patched, that runs audit-1.0.15-3.EL4. This is the output of the aureport summary:

[root@aa ~]# /sbin/aureport -ts yesterday 00:00:00 -te today 00:00:00

Summary Report
======================
Range of time: 11/02/2007 10:38:28.035 - 11/05/2007 10:53:23.707
Number of changes in configuration: 0
Number of changes to accounts or groups: 0
Number of logins: 0
Number of failed logins: 0
Number of users: 3
Number of terminals: 2
Number of host names: 1
Number of executables: 55
Number of files: 3151
Number of AVC denials: 96937
Number of failed syscalls: 4300876
Number of watched file events: 215001
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of process IDs: 32349
Number of events: 4531650

Notice the large number of watched file events. The daily audit logs are nearly 2GB in size. [And I'm required to keep a year's worth of audit logs!]

When I issue this command:

[root@aa ~]# aureport -f --summary | head -20

File Summary Report
===========================
total  file
===========================
703314  passwd
703313  /etc/passwd
515973  /dev/tty
355209  /home/httpd/faq/docs/daylight_time.php/.htaccess
288538  /home/httpd/css/default.css/.htaccess
281723  /home/httpd/js/default.js/.htaccess
237471  /home/httpd/menu/stmenu.js/.htaccess
211210  /home/httpd/graphics/USNODomeatNight_painted.png/.htaccess
209720  /home/httpd/css/print.css/.htaccess
205240  /home/httpd/graphics/blank.gif/.htaccess
205042  /home/httpd/graphics/header_strip_stars.jpg/.htaccess
202624  /home/httpd/graphics/valid-html401.png/.htaccess
188072  /home/httpd/favicon.ico/.htaccess
131774  /home/httpd/data/USPLACES.DA
49634   /home/httpd/faq/docs/daylight_time.html/.htaccess

Note the high percentage of files accessed by the web server, especially .htaccess. I have a rule that audits failed access to files:

-a exit,always -S chmod -S lchown -S chown -F success=0

I assume that this is the rule that is causing so many files accessed by the web server to be logged. How can I change this rule to exclude user apache from tripping this rule?

-- 
Bill Tangren
U.S. Naval Observatory
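An added example, not part of Bill's message or of any reply in the thread: a small linter for auditctl syscall rules that flags rules like the one above, which carry only `-F success=0` and no subject filter, and shows the two usual ways to scope such a rule, skipping one daemon's uid (`-F uid!=48`) or keeping only real login sessions (`-F auid>=500 -F auid!=4294967295`). It assumes apache runs as uid 48 (RHEL's default) and that the installed auditctl accepts the uid/auid fields.

```python
# Added example for this thread, not code from the message or the audit package:
# lint auditctl syscall rules that carry no subject filter, then scope them.
import shlex

# -F fields that tie a rule to a subject; with none of them present every
# process on the host, the web server included, can trip an "exit" rule.
SUBJECT_FIELDS = {"uid", "auid", "euid", "suid", "fsuid", "gid", "egid"}
OPERATORS = ("!=", "<=", ">=", "&=", "=", "<", ">", "&")  # two-char ops first
UNSET_AUID = "4294967295"  # loginuid of a daemon started at boot (never set)
APACHE_UID = 48            # assumption: RHEL's default uid for user apache

def split_filter(expr):
    """'auid>=500' -> ('auid', '>=', '500')."""
    for op in OPERATORS:
        if op in expr:
            field, value = expr.split(op, 1)
            return field, op, value
    raise ValueError("bad -F expression: %r" % expr)

def parse_rule(line):
    """Parse one syscall rule in auditctl syntax (-a, -S, -F)."""
    rule = {"action": None, "syscalls": [], "filters": []}
    toks = shlex.split(line)
    for opt, arg in zip(toks[0::2], toks[1::2]):
        if opt == "-a":
            rule["action"] = arg
        elif opt == "-S":
            rule["syscalls"].extend(arg.split(","))
        elif opt == "-F":
            rule["filters"].append(split_filter(arg))
        else:
            raise ValueError("unsupported option %r" % opt)
    return rule

def is_unscoped(line):
    """True for a syscall rule whose filters never name a subject field."""
    rule = parse_rule(line)
    return bool(rule["syscalls"]) and not any(
        f in SUBJECT_FIELDS for f, _, _ in rule["filters"])

def exclude_uid(line, uid):
    """Same rule, but nothing is recorded for one daemon's uid."""
    return "%s -F uid!=%d" % (line, uid)

def only_login_sessions(line):
    """Same rule, kept only for real login sessions (auid set and >= 500)."""
    return "%s -F auid>=500 -F auid!=%s" % (line, UNSET_AUID)

# The rule quoted in the message, with the quoted-printable "=3D" decoded.
ORIGINAL = "-a exit,always -S chmod -S lchown -S chown -F success=0"
```

`is_unscoped(ORIGINAL)` is true, while both `exclude_uid(ORIGINAL, APACHE_UID)` and `only_login_sessions(ORIGINAL)` pass the check; the auid variant is the one to prefer when the goal is "only things a logged-in person did", since it also silences every other daemon.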