From mboxrd@z Thu Jan 1 00:00:00 1970
From: "Norman Mark St. Laurent"
Subject: Re: buffer space
Date: Mon, 17 Aug 2009 11:36:42 -0400
Message-ID: <4A89790A.8070505@conceras.com>
References: <200908131428.52924.sgrubb@redhat.com> <200908171108.00417.sgrubb@redhat.com>
In-Reply-To: <200908171108.00417.sgrubb@redhat.com>
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Steve, I may be able to get the Red Hat Federal Team a copy of SECSCAN... If Justin and Gunnar do not already have a copy....

Best regards,
Norman Mark St. Laurent
Conceras | Chief Technology Officer and ISSE
Phone: 703-965-4892
Email: mstlaurent@conceras.com
Web: http://www.conceras.com
Connect. Collaborate. Conceras.

Steve Grubb wrote:
> On Monday 17 August 2009 10:49:55 am David Flatley wrote:
>
>> If I were to move all the rotated logs to another directory, say /home/logs. So instead of doing "ausearch -i" to capture all the information in the rotated logs in the /var/log/audit directory, I would do "ausearch -i -f /home/logs", correct?
>
> Yes.
>
>> Backlog is set to 12288 right now.
>
> ok
>
>> The SECSCAN requires many -w (watches) and a fair amount of syscalls. I modified the syscalls to add your recommendation for using "arch=b32" and "arch=b64".
>
> Are there any public references to this standard?
>
>> Because I was getting errors restarting the auditd on some of their recommendations, one of which was mount?
>
> Yes, that is correct. Mount is syscall 165 on x86_64 and 21 on i386.
>
>> Another setting I believe was doing me in was the log size is 20 megs and I allow 8 rotated logs. But I had admin_disk_full set to 160 and the action was suspend. So this could have been tripping me up also.
>
> If the partition was 320Mb or smaller, then yes that would be a problem. But I also think the fact that it's being suspended is sent to syslog.
>
>> I would like to be able to do the audit log extractions (ausearch and aureport) when I get say 8 - 20 megs logs. I see I can do an exec on a script in max_log_file_action. So if I set the max_log_file to 160, I can then run a script to move the rotated logs and process them, thus not stopping auditd and keeping things working?
>
> Yes, I think so. But if you are hooking max_log_file action, then you would need to send sigusr1 to ppid to get auditd to rotate the log and open another one. If you don't, auditd will still have an open descriptor to the file.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
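A hook script of the kind Steve describes above (move the already-rotated logs, then SIGUSR1 the parent so auditd reopens its log), added here as an example and not taken from the thread or from the audit project. It assumes it is installed as audit-archive.sh and named as the exec target in auditd.conf, and that /home/logs is the archive directory from the thread; the AUDIT_DIR and ARCHIVE_DIR variables are this example's own.

```shell
#!/bin/sh
# auditd exec hook (assumed path: /usr/local/sbin/audit-archive.sh).
# 1. move the numbered rotated logs (audit.log.1 ... audit.log.N) out of the
#    audit directory, 2. ask auditd (our parent) to rotate the live audit.log.
set -eu

AUDIT_DIR="${AUDIT_DIR:-/var/log/audit}"
ARCHIVE_DIR="${ARCHIVE_DIR:-/home/logs}"   # archive location used in the thread

# Move every numbered rotated log from $1 into $2, timestamped so repeated
# runs never overwrite each other. The live audit.log is left alone because
# auditd still holds it open. Prints the number of files moved.
archive_rotated_logs() {
    src="$1"; dst="$2"; moved=0
    mkdir -p "$dst"
    for f in "$src"/audit.log.[0-9]*; do
        [ -e "$f" ] || continue          # glob matched nothing
        stamp=$(date +%Y%m%d%H%M%S)
        mv "$f" "$dst/$(basename "$f").$stamp"
        moved=$((moved + 1))
    done
    echo "$moved"
}

# Send SIGUSR1 to pid $1. When run from auditd.conf that is $PPID, and auditd
# responds by closing audit.log, renaming it to audit.log.1 and opening a new
# file. Fails (non-zero) if the process no longer exists.
rotate_active_log() {
    kill -USR1 "$1"
}

main() {
    n=$(archive_rotated_logs "$AUDIT_DIR" "$ARCHIVE_DIR")
    rotate_active_log "$PPID"
    # Archived files can now be reported on offline, e.g.
    #   ausearch -i -if "$ARCHIVE_DIR/audit.log.1.<stamp>"
    logger -t audit-archive "moved $n rotated logs to $ARCHIVE_DIR, signalled auditd"
}

# Run only when executed as the hook, so the functions can be sourced for testing.
case "${0##*/}" in audit-archive.sh) main ;; esac
```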