[Clip] reducing audit traffic
Julian Onions
Julian.Onions at nexor.com
Thu Sep 24 03:34:06 CDT 2009
We're using the mostly unchanged audit.rules from CLIP 5.2. However, we
find with the system under load that auditd is using the most CPU time
and rotating its logs about every 20 minutes.
Is there anything that might be turned down a little to reduce the
impact of auditing on the system?
Below are the current settings.
Julian.
auditd.conf
log_file = /var/log/audit/audit.log
log_format = RAW
priority_boost = 3
flush = INCREMENTAL
freq = 20
num_logs = 4
#dispatcher = /sbin/audispd
max_log_file = 256
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = HALT
disk_full_action = HALT
disk_error_action = HALT
audit.rules
## Add keys to the audit rules below using the -k option to allow for more
## organized and quicker searches with the ausearch tool. See auditctl(8)
## and ausearch(8) for more information.
# Remove any existing rules
-D
# Enable auditing
-e 1
# Increase buffer size to handle the increased number of messages.
-b 16384
# Failure of auditd causes a kernel panic
-f 2
-w /bin/login -p x
-w /bin/logout -p x
# DAC permission changes
-a exit,always -S chmod -S chown -S fchmod -S fchown -S lchown -S chown32 -S fchown32 -S lchown32
# unauthorized file access attempts
#-a exit,always -S open -F success=0 ### Only change we've made
-a exit,always -F success=0 -S mknod -S pipe -S mkdir -S creat -S truncate -S ftruncate -S truncate64 -S ftruncate64
# privileged commands
-w /usr/sbin/pwck
-w /bin/chgrp
-w /usr/bin/newgrp
-w /usr/sbin/groupadd
-w /usr/sbin/groupmod
-w /usr/sbin/groupdel
-w /usr/sbin/useradd
-w /usr/sbin/userdel
-w /usr/sbin/usermod
-w /usr/bin/chage
-w /usr/bin/setfacl
-w /usr/bin/chacl
-a exit,always -S chroot -S mount -S umount2 -S adjtimex -S kill -S umount
# deleting files
-a exit,always -S unlink -S rmdir -S rename -S link -S symlink
# system administration actions
-w /var/log/audit/audit.log
-w /var/log/audit/audit[1-4].log
-w /var/log/messages
-w /var/log/lastlog
-w /var/log/faillog
-w /etc/audit/auditd.conf -p wa
-w /etc/audit/audit.rules -p wa
-w /etc/selinux/config -p wa
-w /etc/passwd -p wa
-w /etc/shadow -p wa
-w /etc/group -p wa
-w /etc/ld.so.conf -p wa
-w /etc/ld.so.conf.d -p wa
-w /etc/ssh/sshd_config
-w /etc/pam.d
-w /etc/login.defs
-w /etc/rc.d/init.d
-w /etc/inittab -p wa
-w /var/run/utmp
-w /var/run/wtmp
-a exit,always -S acct -S reboot -S sched_setparam -S sched_setscheduler
-S setdomainname -S setrlimit -S settimeofday -S swapon -S stime
# security personnel actions
-a exit,always -S init_module -S delete_module -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr
-w /bin/su
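Before turning any rule down, it helps to know which rules are actually filling the log. The script below is an added example, not part of the original post and not CLIP or audit tooling: it parses a RAW-format audit.log (the log_format the posted auditd.conf uses), groups the SYSCALL/CWD/PATH records of each event by serial, and ranks the rules by record volume. It also estimates records and bytes per minute and projects the rotation interval from max_log_file. The log lines are constructed for the example, and the i386 syscall-number table is an assumption (arch=40000003, consistent with the chown32-style names in the posted rules).

```python
"""Rank audit rules by the log volume they generate (added example).

Parses a RAW-format audit.log, reports which syscall rule accounts for the
most records, and projects how fast max_log_file fills. The sample records
below are constructed for this example, not taken from a real system.
"""
import re
from collections import Counter, defaultdict

# Constructed sample. arch=40000003 is i386; the syscall numbers are assumed
# to follow the i386 table (10=unlink, 15=chmod, 37=kill, 39=mkdir).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1253781246.000:1001): arch=40000003 syscall=10 success=yes exit=0 items=1 pid=2731 auid=500 uid=500 comm="rm" exe="/bin/rm" key=(null)
type=CWD msg=audit(1253781246.000:1001):  cwd="/tmp"
type=PATH msg=audit(1253781246.000:1001): item=0 name="/tmp/a.tmp" inode=1201 dev=08:02 mode=0100644
type=SYSCALL msg=audit(1253781250.000:1002): arch=40000003 syscall=37 success=yes exit=0 items=0 pid=2740 auid=500 uid=500 comm="bash" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1253781255.000:1003): arch=40000003 syscall=15 success=yes exit=0 items=1 pid=2750 auid=500 uid=500 comm="chmod" exe="/bin/chmod" key=(null)
type=CWD msg=audit(1253781255.000:1003):  cwd="/home/julian"
type=PATH msg=audit(1253781255.000:1003): item=0 name="build.sh" inode=3300 dev=08:02 mode=0100644
type=SYSCALL msg=audit(1253781260.000:1004): arch=40000003 syscall=10 success=yes exit=0 items=1 pid=2760 auid=500 uid=500 comm="rm" exe="/bin/rm" key=(null)
type=CWD msg=audit(1253781260.000:1004):  cwd="/tmp"
type=PATH msg=audit(1253781260.000:1004): item=0 name="/tmp/b.tmp" inode=1202 dev=08:02 mode=0100644
type=SYSCALL msg=audit(1253781270.000:1005): arch=40000003 syscall=39 success=no exit=-13 items=1 pid=2770 auid=500 uid=500 comm="mkdir" exe="/bin/mkdir" key=(null)
type=CWD msg=audit(1253781270.000:1005):  cwd="/home/julian"
type=PATH msg=audit(1253781270.000:1005): item=0 name="/etc/newdir" inode=2 dev=08:02 mode=040755
type=USER_ACCT msg=audit(1253781280.000:1006): user pid=2780 uid=0 auid=500 msg='op=PAM:accounting acct="julian" exe="/bin/su" res=success'
type=SYSCALL msg=audit(1253781290.000:1007): arch=40000003 syscall=15 success=yes exit=0 items=1 pid=2790 auid=500 uid=500 comm="chmod" exe="/bin/chmod" key=(null)
type=CWD msg=audit(1253781290.000:1007):  cwd="/home/julian"
type=PATH msg=audit(1253781290.000:1007): item=0 name="run.sh" inode=3301 dev=08:02 mode=0100644
type=SYSCALL msg=audit(1253781300.000:1008): arch=40000003 syscall=37 success=yes exit=0 items=0 pid=2800 auid=500 uid=500 comm="bash" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1253781306.000:1009): arch=40000003 syscall=10 success=yes exit=0 items=1 pid=2810 auid=500 uid=500 comm="rm" exe="/bin/rm" key=(null)
type=CWD msg=audit(1253781306.000:1009):  cwd="/tmp"
type=PATH msg=audit(1253781306.000:1009): item=0 name="/tmp/c.tmp" inode=1203 dev=08:02 mode=0100644
"""

# Assumed i386 syscall numbers; only the entries this example needs.
I386_SYSCALLS = {5: "open", 8: "creat", 10: "unlink", 15: "chmod",
                 37: "kill", 38: "rename", 39: "mkdir", 40: "rmdir"}

TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
MSG_RE = re.compile(r'msg=audit\((\d+\.\d+):(\d+)\)')


def parse_record(line):
    """Split one RAW record into key=value fields plus timestamp and serial."""
    fields = {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}
    m = MSG_RE.search(line)
    if m:
        fields["_ts"] = float(m.group(1))
        fields["_serial"] = m.group(2)
    return fields


def group_events(lines):
    """Group the records of one event (SYSCALL, CWD, PATH, ...) by serial."""
    events = defaultdict(list)
    for line in lines:
        if not line.strip():
            continue
        rec = parse_record(line)
        if "_serial" in rec:
            events[rec["_serial"]].append(rec)
    return events


def describe(event):
    """Label an event by the syscall rule (or record type) that produced it."""
    sc = next((r for r in event if r.get("type") == "SYSCALL"), None)
    if sc is None:
        return "type=" + event[0].get("type", "?")
    num = sc.get("syscall", "?")
    name = I386_SYSCALLS.get(int(num), "syscall#" + num) if num.isdigit() else num
    parts = ["syscall=" + name, "success=" + sc.get("success", "?")]
    if sc.get("key") not in (None, "(null)"):   # -k keys make this much clearer
        parts.append("key=" + sc["key"])
    return " ".join(parts)


def noisiest_rules(lines, top=5):
    """Return [(label, events, records)], heaviest record producers first."""
    ev_count, rec_count = Counter(), Counter()
    for recs in group_events(lines).values():
        label = describe(recs)
        ev_count[label] += 1
        rec_count[label] += len(recs)   # CWD/PATH records add volume too
    return [(lbl, ev_count[lbl], rec_count[lbl])
            for lbl, _ in rec_count.most_common(top)]


def log_rate(lines):
    """Return (records per minute, bytes per minute) over the log's time span."""
    stamps, nbytes = [], 0
    for line in lines:
        rec = parse_record(line) if line.strip() else {}
        if "_ts" in rec:
            stamps.append(rec["_ts"])
            nbytes += len(line) + 1      # +1 for the newline on disk
    span_min = (max(stamps) - min(stamps)) / 60.0 if len(stamps) > 1 else 0.0
    if span_min == 0:
        return 0.0, 0.0
    return len(stamps) / span_min, nbytes / span_min


def minutes_to_rotate(bytes_per_minute, max_log_file_mb=256):
    """Projected minutes until auditd rotates at the given max_log_file (MB)."""
    return max_log_file_mb * 1024 * 1024 / bytes_per_minute


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for label, events, records in noisiest_rules(lines):
        print(f"{records:6d} records {events:4d} events  {label}")
    rpm, bpm = log_rate(lines)
    print(f"{rpm:.1f} records/min, {bpm:.0f} bytes/min, "
          f"rotate every {minutes_to_rotate(bpm):.1f} min at max_log_file=256")
```

Run it against a copy of a real audit.log (e.g. `noisiest_rules(open("/var/log/audit/audit.log").readlines())`) and the top entries are the rules worth filtering or adding -k keys to first; on a live box aureport's syscall summary gives a similar ranking, but the script makes the event-versus-record distinction explicit, which matters because each watched-path or syscall hit also drags CWD and PATH records into the log.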