From: "Jeremy Leonard"
Subject: Way too many logs!
Date: Fri, 09 May 2008 16:20:44 -0400
Message-ID: <482479DC020000100005CB37@gsi.gracon.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Here are the rules I'm using:

-D
-b 8096
-a exit,always -S open -F success=0 -k RULE1
-a exit,always -S unlink -S rmdir -k RULE2
-w /etc/auditd.conf -k RULE3
-w /etc/audit.rules -k RULE4
-a exit,always -S acct -S reboot -S swapon -k RULE5
-a exit,always -S settimeofday -S setrlimit -S setdomainname -k RULE6
-a exit,always -S sched_setparam -S sched_setscheduler -k RULE7
-a exit,always -S chmod -S fchmod -S chown -S fchown -k RULE8
-a exit,always -S lchown -k RULE9

Here is the output of aureport:

Summary Report
======================
Range of time: 04/25/08 16:37:44.116 - 04/25/08 16:47:29.266
Number of changes in configuration: 22
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 0
Number of users: 2
Number of terminals: 4
Number of host names: 2
Number of executables: 33
Number of files: 693
Number of AVC denials: 0
Number of MAC events: 0
Number of failed syscalls: 4052
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of process IDs: 1428
Number of events: 1444530

This is 475 MB in ten minutes!

Here is how the rule hits add up:

RULE1: 4052
RULE2: 601
RULE3: 9
RULE4: 1
RULE5: 0
RULE6: 40
RULE7: 1438239
RULE8: 1503
RULE9: 0

Here is one of the log entries I have so many of:

type=SYSCALL msg=audit(04/25/08 16:37:48.568:194518) : arch=i386 syscall=_newselect per=400000 success=yes exit=0 a0=13 a1=f692e220 a2=0 a3=0 items=0 ppid=1 pid=4012 auid=unknown(4294967295) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=savd exe=/opt/sophos-av/engine/_/savd.0 subj=unconstrained key="RULE7"

How can I exclude this so it doesn't get logged?

The rules I have above are required by the government (DIACAP STIG).

Thanks!
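As an added example (not from the post or from the audit project), a small triage script that reproduces the per-key tally above from `ausearch -i` style SYSCALL records and additionally breaks each key down by arch, syscall and executable, flagging hits on a syscall the key's rule does not name. That breakdown matters because a syscall rule loaded without `-F arch=` is matched by syscall number, and numbers differ between i386 and x86_64. The sample records are constructed; the first two mirror the `_newselect` record quoted in the post.

```python
import re
from collections import Counter

# Constructed sample in `ausearch -i` (interpreted) form, trimmed to the
# fields used here; the first two mirror the _newselect record in the post.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(04/25/08 16:37:48.568:194518) : arch=i386 syscall=_newselect success=yes exit=0 pid=4012 uid=root comm=savd exe=/opt/sophos-av/engine/_/savd.0 key="RULE7"
type=SYSCALL msg=audit(04/25/08 16:37:49.001:194519) : arch=i386 syscall=_newselect success=yes exit=0 pid=4012 uid=root comm=savd exe=/opt/sophos-av/engine/_/savd.0 key="RULE7"
type=SYSCALL msg=audit(04/25/08 16:37:50.310:194520) : arch=x86_64 syscall=sched_setscheduler success=yes exit=0 pid=2201 uid=root comm=irqbalance exe=/usr/sbin/irqbalance key="RULE7"
type=SYSCALL msg=audit(04/25/08 16:37:51.120:194521) : arch=i386 syscall=chmod success=yes exit=0 pid=3188 uid=root comm=cp exe=/bin/cp key="RULE8"
type=CWD msg=audit(04/25/08 16:37:51.120:194521) : cwd=/tmp
"""

# Syscalls each key is meant to cover, taken from the rules in the post.
RULE_SYSCALLS = {
    "RULE7": {"sched_setparam", "sched_setscheduler"},
    "RULE8": {"chmod", "fchmod", "chown", "fchown"},
}

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one interpreted audit record into a dict of name=value fields."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def summarize(log_text):
    """Per key: a Counter of (arch, syscall, exe) hits over SYSCALL records."""
    per_key = {}
    for line in log_text.splitlines():
        if not line.startswith("type=SYSCALL"):
            continue  # CWD, PATH and other record types carry no syscall
        rec = parse_record(line)
        if "key" in rec:
            breakdown = (rec.get("arch"), rec.get("syscall"), rec.get("exe"))
            per_key.setdefault(rec["key"], Counter())[breakdown] += 1
    return per_key

def unexpected_hits(summary, rule_syscalls):
    """Hits whose syscall is not one the key's rule names, largest count first."""
    out = []
    for key, counter in summary.items():
        wanted = rule_syscalls.get(key)
        if wanted is None:
            continue  # key not in the table: nothing to compare against
        for (arch, syscall, exe), n in counter.items():
            if syscall not in wanted:
                out.append((key, arch, syscall, exe, n))
    return sorted(out, key=lambda t: -t[4])
```

Run `unexpected_hits(summarize(open("audit.log").read()), RULE_SYSCALLS)` over real `ausearch -i` output to see which executables and syscalls dominate a noisy key.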