Auditd.conf settings for Satellite 6 server

Auditd.conf settings for Satellite 6 server

[Fulda, Paul R [US] (MS)]

[-- Attachment #1.1: Type: text/plain, Size: 401 bytes --]

All,

Can someone give me some optimized auditd.conf settings for a Red Hat Satellite 6 server running on Red Hat 7.3?  When I am creating and updating content views on satellite, auditd cannot keep up and bogs the system to a halt.  The audit.rules file is configured for DISA security settings so it's looking at a lot of things.  Any help would be much appreciated.

Thanks,

Paul Fulda



[-- Attachment #1.2: Type: text/html, Size: 2314 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Auditd.conf settings for Satellite 6 server

[Steve Grubb]

On Thursday, March 30, 2017 11:40:31 AM EDT Fulda, Paul R [US] (MS) wrote:
> Can someone give me some optimized auditd.conf settings for a Red Hat
> Satellite 6 server running on Red Hat 7.3?  When I am creating and updating
> content views on satellite, auditd cannot keep up and bogs the system to a
> halt.  The audit.rules file is configured for DISA security settings so
> it's looking at a lot of things.  Any help would be much appreciated.

For one, you can set the flush mode in auditd.conf to INCREMENTAL_ASYNC and it 
should allow you to completely fill up your disks in a hurry without bogging 
down the system. Also set freq to something like 250.

I would then take a look at the key report during that time to see what event 
is getting triggered. 

aureport --start xxx --end yyy --key --summary

Where xxx is start of this burst and yyy is end of this burst. (More than 
likely its some rule watching deletes which is not very useful.) Once you know 
which rule is getting triggered I think we can talk about how to minimize the 
events.

-Steve