From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Aaron Lippold"
Subject: Re: Filesystem filling up ...
Date: Sat, 7 Jul 2007 22:42:56 +0200
Message-ID: <39d2723b0707071342g157656ddjad1734fac62c7824@mail.gmail.com>
References: <39d2723b0706271042y2885144dj29e7da8adc90e630@mail.gmail.com> <200707031713.12553.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit
Received: from mx2.redhat.com (mx2.redhat.com [10.255.15.25]) by int-mx2.corp.redhat.com (8.13.1/8.13.1) with ESMTP id l67KgwIa009161 for ; Sat, 7 Jul 2007 16:42:58 -0400
Received: from an-out-0708.google.com (an-out-0708.google.com [209.85.132.248]) by mx2.redhat.com (8.13.1/8.13.1) with ESMTP id l67Kgu9q009997 for ; Sat, 7 Jul 2007 16:42:57 -0400
Received: by an-out-0708.google.com with SMTP id c31so130949ana for ; Sat, 07 Jul 2007 13:42:56 -0700 (PDT)
In-Reply-To: <200707031713.12553.sgrubb@redhat.com>
Content-Disposition: inline
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Thank you for the advice. I will send this on to the testers. Hopefully we
can get this worked out.

By the way, does anyone know of an audit.rules repository list where some
baselines of tested/documented configs can be downloaded?
Yours,
Aaron

On 7/3/07, Steve Grubb wrote:
> On Wednesday 27 June 2007 01:42:39 pm Aaron Lippold wrote:
> > I was hoping some smarter audit folks than I could look at this small
> > set of rules and let me know if anything seems: 1) way too broad 2)
> > would fill up a file system fast 3) could use improvement
> >
> > # Audit Failed opens
> > -a exit,always -S open -F success!=0
>
> Maybe:
> -a exit,always -S open -F exit=-13
> -a exit,always -S open -F exit=-1
>
> > #
> > # Audit success and failure of delete
> > -a exit,always -S unlink -S rmdir
> > #
> > # Audit success and failure of admin actions
> > #-a task,always -F uid=0
> > -w /var/log/audit/ -k ADMIN
> > -w /etc/auditd.conf -k ADMIN
> > -w /etc/audit.rules -k ADMIN
> > -a exit,always -S stime -S acct -S reboot -S swapon -S settimeofday -S setrlimit
> > -a exit,always -S setdomainname -S sched_setparam -S sched_setscheduler
> > EOF
>
> Some of these may be broad. setrlimit for example.
>
> > Some of my end users are saying they're logging a lot of audits. We are
> > using the same kickstart file but my test systems are not filling up.
>
> You might be able to do some work with aureport to find out what is filling
> your logs. Something like:
>
> aureport --start this-week --summary -i --event
> aureport --start this-week --summary -i --syscall
>
> -Steve
>
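Two checks a reader of this thread would want before shipping the rules quoted above, written up here as an added example that is not part of the thread or of the audit project's code. First, in auditctl's -F syntax the success field is 1 when the syscall returned >= 0 and 0 otherwise, so `-F success!=0` selects successful opens, the opposite of the "# Audit Failed opens" comment over it, and would record every successful open() on the box; `-F success=0` is the failed-open form, and even that catches every ENOENT probe (glibc's dynamic linker tries to open /etc/ld.so.preload at the start of every dynamically linked program), which is the volume Steve's exit=-13 (EACCES) and exit=-1 (EPERM) rules avoid. Second, a summary of raw audit.log SYSCALL records by syscall, errno and executable, in the spirit of the aureport commands Steve suggests, shows which processes are producing the volume. The Python below does both against constructed log lines. The sample records, the i386 (arch=40000003) syscall-number table and the small subset of -F grammar it evaluates are assumptions made for illustration; x86_64 syscall numbers differ.

```python
"""Summarize audit.log SYSCALL records and model auditctl -F filters on open().

Added example, not code from the linux-audit project or this thread. Sample
records, the i386 syscall table and the filter grammar are assumptions.
"""
import errno
import re
from collections import Counter

# i386 (arch=40000003) syscall numbers for the syscalls named in the rules
# under discussion. Assumption: 32-bit x86 hosts; x86_64 numbers differ.
I386_SYSCALLS = {
    5: "open", 10: "unlink", 25: "stime", 40: "rmdir", 51: "acct",
    75: "setrlimit", 79: "settimeofday", 87: "swapon", 88: "reboot",
    121: "setdomainname", 154: "sched_setparam", 156: "sched_setscheduler",
}

# Constructed sample records (not from the thread). The ENOENT opens are the
# /etc/ld.so.preload probe every dynamically linked program makes at start-up.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1183836176.101:1001): arch=40000003 syscall=5 success=no exit=-2 items=1 pid=2345 auid=500 uid=500 comm="ls" exe="/bin/ls" key=(null)
type=PATH msg=audit(1183836176.101:1001): item=0 name="/etc/ld.so.preload"
type=SYSCALL msg=audit(1183836177.202:1002): arch=40000003 syscall=5 success=no exit=-2 items=1 pid=2350 auid=500 uid=500 comm="cat" exe="/bin/cat" key=(null)
type=SYSCALL msg=audit(1183836178.303:1003): arch=40000003 syscall=5 success=no exit=-2 items=1 pid=1234 auid=4294967295 uid=48 comm="httpd" exe="/usr/sbin/httpd" key=(null)
type=SYSCALL msg=audit(1183836179.404:1004): arch=40000003 syscall=5 success=no exit=-13 items=1 pid=2351 auid=500 uid=500 comm="cat" exe="/bin/cat" key=(null)
type=SYSCALL msg=audit(1183836180.505:1005): arch=40000003 syscall=5 success=no exit=-1 items=1 pid=2352 auid=500 uid=500 comm="touch" exe="/bin/touch" key=(null)
type=SYSCALL msg=audit(1183836181.606:1006): arch=40000003 syscall=5 success=yes exit=3 items=1 pid=2353 auid=500 uid=500 comm="vim" exe="/usr/bin/vim" key=(null)
type=SYSCALL msg=audit(1183836182.707:1007): arch=40000003 syscall=10 success=yes exit=0 items=2 pid=2354 auid=500 uid=500 comm="rm" exe="/bin/rm" key=(null)
type=SYSCALL msg=audit(1183836183.808:1008): arch=40000003 syscall=75 success=yes exit=0 items=0 pid=2355 auid=500 uid=500 comm="bash" exe="/bin/bash" key=(null)
"""

# One key=value field: quoted string, parenthesised token such as (null), or bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_record(line):
    """Split one audit record into a dict of its fields, with quotes stripped."""
    return {key: val.strip('"') for key, val in FIELD_RE.findall(line)}


def syscall_records(log_text):
    """Yield only the SYSCALL records; PATH, CWD and friends are skipped."""
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL":
            yield rec


def syscall_name(rec):
    return I386_SYSCALLS.get(int(rec["syscall"]), "syscall " + rec["syscall"])


def describe_exit(exit_field):
    """Interpret the exit field the way aureport -i does: '-13' -> 'EACCES'."""
    code = int(exit_field)
    if code >= 0:
        return "success"
    return errno.errorcode.get(-code, "errno %d" % -code)


def summarize(log_text):
    """Count SYSCALL records by (syscall, outcome), like aureport -i --summary --syscall."""
    counts = Counter()
    for rec in syscall_records(log_text):
        counts[(syscall_name(rec), describe_exit(rec["exit"]))] += 1
    return counts


def noisy_executables(log_text):
    """Which binaries generate the failed opens: the 'what is filling my logs' view."""
    return Counter(rec["exe"] for rec in syscall_records(log_text)
                   if syscall_name(rec) == "open" and int(rec["exit"]) < 0)


def field_filter_matches(rec, filt):
    """Evaluate one auditctl -F comparison; only = and != on exit and success
    are modelled. auditctl's success is 1 when exit >= 0 and 0 otherwise."""
    m = re.fullmatch(r"(exit|success)(!=|=)(-?\d+)", filt)
    if not m:
        raise ValueError("unsupported filter: " + filt)
    field, op, value = m.group(1), m.group(2), int(m.group(3))
    actual = int(rec["exit"]) if field == "exit" else int(int(rec["exit"]) >= 0)
    return actual == value if op == "=" else actual != value


def count_open_hits(log_text, filters):
    """Records that '-a exit,always -S open -F <filter>' rules would emit, one
    rule per filter, so a record matching any of them counts once."""
    return sum(1 for rec in syscall_records(log_text)
               if syscall_name(rec) == "open"
               and any(field_filter_matches(rec, f) for f in filters))


if __name__ == "__main__":
    for (name, outcome), n in sorted(summarize(SAMPLE_LOG).items()):
        print("%-20s %-10s %d" % (name, outcome, n))
    print("failed opens by exe:", dict(noisy_executables(SAMPLE_LOG)))
    print("success!=0 :", count_open_hits(SAMPLE_LOG, ["success!=0"]))   # successful opens
    print("success=0  :", count_open_hits(SAMPLE_LOG, ["success=0"]))    # all failures
    print("exit=-13|-1:", count_open_hits(SAMPLE_LOG, ["exit=-13", "exit=-1"]))
```

On the constructed sample the `success!=0` filter hits the one successful open, `success=0` hits all five failures (three of them the ld.so.preload ENOENT probes), and the exit=-13 / exit=-1 pair hits only the two that say something about permissions. Running the same summary over a real /var/log/audit/audit.log from one of the affected hosts is the offline equivalent of Steve's aureport suggestion.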