public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: Brad Zynda <bradley.v.zynda@nasa.gov>
Cc: linux-audit@redhat.com
Subject: Re: Systemd Journald and audit logging causing journal issues
Date: Wed, 18 Oct 2017 11:40:21 -0400
Message-ID: <6322244.dH2N8TGAnG@x2>
In-Reply-To: <4b320e7b-fd69-a01d-2b0c-74e5e1ce6e5b@nasa.gov>

On Wednesday, October 18, 2017 11:14:31 AM EDT Brad Zynda wrote:
> Here is an output from the server with PATH audit type re-allowed
> (everything back to normal):
> 
> Key Summary Report
> ===========================
> total  key
> ===========================
> 6019  perm_mod
> 3878  delete
> 964  access
> 96  privileged
> 57  time-change
> 51  session
> 41  modules
> 20  logins
> 6  system-locale
> 5  identity
> 2  mounts
> 2  scope
> 2  actions
> 1  MAC-policy
> 
> Now this is probably not a peak result but I have come across 2 questions.
> 
> 1. I wanted to cron this and email the results but get the following (verified path to sbin):
> 
> Key Summary Report
> ===========================
> total  key
> ===========================
> <no events of interest were found>

This is a well known problem. From the aureport man page:

       --input-logs
              Use the log file location from auditd.conf as input for analysis.
              This is needed if you are using aureport from a cron job.

ausearch/aureport can also be fed input through stdin. This takes priority over the logs.
Cron uses pipes for all 3 descriptors. Therefore you have to tell them to
ignore what they are seeing and just use the logs.

> 2. If it ends up being perm_mod as the high count what is the next step
> to identify the rule in question?

grep perm_mod /etc/audit/audit.rules

delete also looks excessive.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
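As an added example (not code from the thread or from the audit project), this is a cron-safe form of the key summary Steve describes, plus a helper for the "which rule is behind perm_mod" step. The aureport options are the ones documented in its man page; the crontab line, the sample rules and the file paths are assumptions.

```shell
#!/bin/sh
# Added example (not from the thread or the audit project): a cron-safe key
# summary report plus a helper that maps the noisiest keys back to their rules.
# Under cron, stdin is a pipe and aureport reads audit records from stdin in
# preference to the log files, so the report comes back empty. --input-logs
# makes it use the log location from auditd.conf instead. Assumed crontab line:
#   0 6 * * * root /usr/local/sbin/audit-key-summary | mail -s 'audit keys' root
key_summary_report() {           # usage: key_summary_report [START]
    aureport --key --summary -i --input-logs -ts "${1:-yesterday}"
}
# Print the key names whose count reaches MIN. Reads a Key Summary Report on
# stdin; the header, separator and "<no events ...>" lines never match.
noisy_keys() {                   # usage: noisy_keys MIN <report
    awk -v min="$1" '/^[0-9]+[ \t]+[^ \t]+$/ && $1+0 >= min { print $2 }'
}
# Rules in RULESFILE that carry KEY as "-k KEY" or "-F key=KEY": the
# "grep perm_mod /etc/audit/audit.rules" step, anchored so that perm_mod
# does not also match a key such as perm_mod2.
rules_for_key() {                # usage: rules_for_key KEY RULESFILE
    grep -E -- "(-k[[:space:]]+|key=)$1([[:space:]]|\$)" "$2"
}
# For each noisy key in the report on stdin, print the key and its rules.
noisy_rules() {                  # usage: noisy_rules MIN RULESFILE <report
    noisy_keys "$1" | while IFS= read -r key; do
        printf '== %s ==\n' "$key"
        rules_for_key "$key" "$2" || printf '(no rule with key %s)\n' "$key"
    done
}
# Constructed sample rules and the counts quoted in the thread, for a
# stand-alone run; not the poster's configuration.
SAMPLE_RULES='-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -k perm_mod
-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=unset -k delete
-w /etc/localtime -p wa -k time-change'
SAMPLE_REPORT='total  key
===========================
6019  perm_mod
3878  delete
964  access
96  privileged'
demo() {                         # run the helpers against the samples above
    tmp=$(mktemp) && printf '%s\n' "$SAMPLE_RULES" > "$tmp" || return 1
    printf '%s\n' "$SAMPLE_REPORT" | noisy_rules 1000 "$tmp"; rm -f "$tmp"
}
demo
```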


Thread overview: 15+ messages
2017-10-02 17:30 Systemd Journald and audit logging causing journal issues Brad Zynda
2017-10-17 15:25 ` Steve Grubb
2017-10-17 15:40   ` Brad Zynda
2017-10-17 16:25     ` Steve Grubb
2017-10-17 17:13       ` Brad Zynda
2017-10-18 15:14         ` Brad Zynda
2017-10-18 15:40           ` Steve Grubb [this message]
2017-10-18 16:13             ` Brad Zynda
2017-10-18 16:26               ` Steve Grubb
2017-10-18 16:32                 ` Brad Zynda
2017-10-18 23:27                   ` Steve Grubb
2017-10-19 17:08                     ` Brad Zynda
2017-10-19 20:13                       ` Steve Grubb
2017-12-01 13:17                         ` Brad Zynda
2017-12-01 13:54                           ` Steve Grubb
