Like Greg, I have servers that are doing a lot of auditing of file access that I don't want it to do. I am running a RHEL ES 4 system, fully patched, that runs audit-1.0.15-3.EL4. This is the output for aureport summary:
[EMAIL PROTECTED] ~]# /sbin/aureport -ts yesterday 00:00:00 -te today 00:00:00 Summary Report ====================== Range of time: 11/02/2007 10:38:28.035 - 11/05/2007 10:53:23.707 Number of changes in configuration: 0 Number of changes to accounts or groups: 0 Number of logins: 0 Number of failed logins: 0 Number of users: 3 Number of terminals: 2 Number of host names: 1 Number of executables: 55 Number of files: 3151 Number of AVC denials: 96937 Number of failed syscalls: 4300876 Number of watched file events: 215001 Number of anomaly events: 0 Number of responses to anomaly events: 0 Number of process IDs: 32349 Number of events: 4531650 Notice the large number of watched file events. The daily audit logs are nearly 2GB in size. [And I'm required to keep a year's worth of audit logs!] When I issue this command: [EMAIL PROTECTED] ~]# aureport -f --summary | head -20 File Summary Report =========================== total file =========================== 703314 passwd 703313 /etc/passwd 515973 /dev/tty 355209 /home/httpd/faq/docs/daylight_time.php/.htaccess 288538 /home/httpd/css/default.css/.htaccess 281723 /home/httpd/js/default.js/.htaccess 237471 /home/httpd/menu/stmenu.js/.htaccess 211210 /home/httpd/graphics/USNODomeatNight_painted.png/.htaccess 209720 /home/httpd/css/print.css/.htaccess 205240 /home/httpd/graphics/blank.gif/.htaccess 205042 /home/httpd/graphics/header_strip_stars.jpg/.htaccess 202624 /home/httpd/graphics/valid-html401.png/.htaccess 188072 /home/httpd/favicon.ico/.htaccess 131774 /home/httpd/data/USPLACES.DA 49634 /home/httpd/faq/docs/daylight_time.html/.htaccess Note the high percentage of files accessed by the web server, especially .htaccess. I have a rule that audits failed access to files: -a exit,always -S chmod -S lchown -S chown -F success=0 I assume that this is the rule that is causing so many files accessed by the web server to be logged. How can change this rule to exclude user apache from tripping this rule? -- Bill Tangren U.S. Naval Observatory -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
