From: "Stephen John Smoogen"
Subject: Re: Filesystem filling up ...
Date: Wed, 27 Jun 2007 12:17:46 -0600
Message-ID: <80d7e4090706271117x3a24f7aekcf1265314168c089@mail.gmail.com>
In-Reply-To: <39d2723b0706271042y2885144dj29e7da8adc90e630@mail.gmail.com>
List-Id: linux-audit@redhat.com

On 6/27/07, Aaron Lippold wrote:
> Hello,
>
> I was hoping some smarter audit folks than I could look at this small
> set of rules and let me know if anything seems: 1) way too broad, 2)
> would fill up a file system fast, 3) could use improvement.
>
> cat << 'EOF' > /etc/audit/audit.rules
> ## Submitted by JasonM at FSO.
>
> # This file contains the auditctl rules that are loaded
> # whenever the audit daemon is started via the initscripts.
> # The rules are simply the parameters that would be passed
> # to auditctl.
>
> # First rule - delete all
> -D
>
> # Feel free to add below this line. See auditctl man page
>
> # Increase the buffers to survive stress events
> -b 256
> -e 1
> # Audit Failed opens
> # The "success" field is 1 when the syscall exit value is >= 0 and 0
> # otherwise (auditctl(8)), so "success!=0" would record every successful
> # open on the box; "success=0" records only the failed ones.
> -a exit,always -S open -F success=0
> #
> # Audit success and failure of delete
> -a exit,always -S unlink -S rmdir
> #
> # Audit success and failure of admin actions
> #-a task,always -F uid=0
> -w /var/log/audit/ -k ADMIN
> # Watch the daemon config and this rules file where they actually live
> # (the same /etc/audit/ directory this heredoc writes into).
> -w /etc/audit/auditd.conf -k ADMIN
> -w /etc/audit/audit.rules -k ADMIN
> -a exit,always -S stime -S acct -S reboot -S swapon -S settimeofday -S setrlimit
> -a exit,always -S setdomainname -S sched_setparam -S sched_setscheduler
> EOF
>
> Some of my end users are saying they're logging a lot of audits. We are
> using the same kickstart file but my test systems are not filling up.
>

Not one of the smarter people... but I would think that you would need
to see what the others are seeing in large amounts and what you are not
seeing on the test boxes.

> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>

--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed in a
naughty world. = Shakespeare. "The Merchant of Venice"
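An added example, not code from either poster or from the audit project: the reply suggests comparing what the noisy boxes log against the quiet ones. The script below tallies constructed SYSCALL records by syscall and outcome (the view aureport/ausearch give over a real /var/log/audit/audit.log) and evaluates an auditctl `-F success` filter the way auditctl(8) defines it (success is 1 when the exit value is >= 0, else 0), so you can see how many records a given open rule would actually generate. The sample log lines are constructed for the example and trimmed to the fields used; syscall numbers follow i386 (arch=40000003), where 5 is open, 10 is unlink and 40 is rmdir.

```shell
#!/bin/sh
# Added example: measure which audit rule produces the volume, and check
# what an "-F success<op><n>" filter really selects.

# Constructed SYSCALL records (not real log data), i386 syscall numbers.
SAMPLE_LOG='type=SYSCALL msg=audit(1182967066.100:1001): arch=40000003 syscall=5 success=yes exit=3 auid=500 uid=500 comm="bash" key=(null)
type=SYSCALL msg=audit(1182967066.101:1002): arch=40000003 syscall=5 success=yes exit=4 auid=500 uid=500 comm="vim" key=(null)
type=SYSCALL msg=audit(1182967066.102:1003): arch=40000003 syscall=5 success=no exit=-2 auid=500 uid=500 comm="bash" key=(null)
type=SYSCALL msg=audit(1182967066.103:1004): arch=40000003 syscall=5 success=yes exit=5 auid=0 uid=0 comm="cron" key=(null)
type=SYSCALL msg=audit(1182967066.104:1005): arch=40000003 syscall=10 success=yes exit=0 auid=500 uid=500 comm="rm" key=(null)
type=SYSCALL msg=audit(1182967066.105:1006): arch=40000003 syscall=40 success=no exit=-39 auid=500 uid=500 comm="rmdir" key=(null)'

# volume_by_syscall -> "count syscall success" lines, busiest first.
# On a real box: aureport -s or ausearch -r gives the same breakdown.
volume_by_syscall() {
    printf '%s\n' "$SAMPLE_LOG" |
        sed -n 's/.* syscall=\([0-9]*\) success=\([a-z]*\) .*/\1 \2/p' |
        sort | uniq -c | sort -rn | sed 's/^ *//'
}

# success_field EXIT -> 1 if EXIT >= 0, else 0 (auditctl(8) "success").
success_field() {
    if [ "$1" -ge 0 ]; then echo 1; else echo 0; fi
}

# filter_matches FILTER SUCCESS -> exit 0 if "-F success=<n>" or
# "-F success!=<n>" matches the record's success value.
filter_matches() {
    filter=$1; sf=$2
    case $filter in
        success!=*) want=${filter#success!=}; [ "$sf" -ne "$want" ] ;;
        success=*)  want=${filter#success=};  [ "$sf" -eq "$want" ] ;;
        *) echo "unsupported filter: $filter" >&2; return 2 ;;
    esac
}

# count_matching FILTER [SYSCALL] -> number of sample records the filter
# would audit, optionally restricted to one syscall number.
count_matching() {
    filter=$1; want_sc=${2:-}
    n=0
    while IFS= read -r rec; do
        sc=$(printf '%s\n' "$rec" | sed -n 's/.* syscall=\([0-9]*\) .*/\1/p')
        ex=$(printf '%s\n' "$rec" | sed -n 's/.* exit=\(-*[0-9]*\) .*/\1/p')
        [ -n "$want_sc" ] && [ "$sc" != "$want_sc" ] && continue
        if filter_matches "$filter" "$(success_field "$ex")"; then
            n=$((n + 1))
        fi
    done <<EOF
$SAMPLE_LOG
EOF
    echo "$n"
}

echo "busiest syscall/outcome:"
volume_by_syscall | head -n 3
echo "open records an '-F success!=0' rule would generate: $(count_matching 'success!=0' 5)"
echo "open records an '-F success=0' rule would generate:  $(count_matching 'success=0' 5)"
```

Run the same tally over a real audit.log by replacing SAMPLE_LOG with the file contents; the syscall/outcome pair that dominates on the noisy machines but not on the test boxes points at the rule to narrow. The filter evaluation only implements the two comparisons that make sense for a 0/1 field and rejects anything else.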