with the following auditd.conf and audit.rules, we generate MASSIVE logs very quickly. I don't care about successful audit events; I'm not required to log them, and there's no way I could have the space for a year's worth anyway. So...why is it that "LIST_RULES: exit,always success!=0 syscall=open" doesn't disregard the successful calls? I can still see them if I do an aureport.
The logs are simply too massive to keep; if I set the max_log_file to much higher than 50 with 99 logs, an aureport takes eons. Unfortunately, it needs to be that high to save even a day's worth of logs when they're running certain programs. Any suggestions?

----------------------
log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 3
flush = INCREMENTAL
freq = 20
num_logs = 50
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 20
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
--------------------------
LIST_RULES: exit,always success!=0 syscall=open
LIST_RULES: exit,always syscall=rmdir,unlink
LIST_RULES: exit,always syscall=acct,swapon,reboot
LIST_RULES: exit,always syscall=setrlimit,settimeofday,setdomainname
LIST_RULES: exit,always syscall=sched_setparam,sched_setscheduler
LIST_RULES: exit,always syscall=chmod,fchmod,chown,fchown
LIST_RULES: exit,always syscall=lchown
LIST_RULES: exit,always watch=/etc/auditd.conf perm=rwxa
LIST_RULES: exit,always watch=/etc/audit.rules perm=rwxa
------------------------------------------

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
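A quick way to measure what is actually reaching the raw log, rather than relying on aureport's summary, is to count SYSCALL records by their success= field. The following is an added example written for this page, not code from the original post or from the audit package: it parses a few constructed raw audit.log lines (syscall numbers assume the i386 table, where open=5 and unlink=10; x86_64 uses different numbers) and reports successful versus failed calls per syscall number, so you can tell whether the success!=0 filter is keeping successful opens out of the log.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of raw auditd records (log_format = RAW). These lines are
# made up for this example; field layout follows the audit.log SYSCALL/CWD/PATH
# record types. Syscall numbers assume i386 (open=5, unlink=10).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1124723104.107:1441): arch=40000003 syscall=5 success=yes exit=3 a0=bfffe5c0 items=1 pid=2211 auid=500 uid=0 gid=0 comm="cat" exe="/bin/cat"
type=SYSCALL msg=audit(1124723104.108:1442): arch=40000003 syscall=5 success=no exit=-2 a0=bfffe5c0 items=1 pid=2211 auid=500 uid=500 gid=500 comm="cat" exe="/bin/cat"
type=SYSCALL msg=audit(1124723104.110:1443): arch=40000003 syscall=10 success=yes exit=0 a0=bfffe6a0 items=1 pid=2215 auid=500 uid=500 gid=500 comm="rm" exe="/bin/rm"
type=SYSCALL msg=audit(1124723105.001:1444): arch=40000003 syscall=5 success=yes exit=4 a0=bfffe700 items=1 pid=2220 auid=500 uid=500 gid=500 comm="vi" exe="/bin/vi"
type=CWD msg=audit(1124723105.001:1444): cwd="/home/user"
type=PATH msg=audit(1124723105.001:1444): item=0 name="notes.txt" inode=12345 dev=03:01 mode=0100644 ouid=500 ogid=500 rdev=00:00
"""

# Only SYSCALL records carry the success= and exit= fields; CWD/PATH records
# belong to the same event (same serial) but are skipped here.
SYSCALL_RE = re.compile(r'^type=SYSCALL .*? syscall=(\d+) success=(yes|no) exit=(-?\d+)')


def parse_syscall_records(text):
    """Yield (syscall_number, succeeded, exit_code) for every SYSCALL record."""
    for line in text.splitlines():
        m = SYSCALL_RE.match(line)
        if m:
            yield int(m.group(1)), m.group(2) == "yes", int(m.group(3))


def count_by_outcome(text, syscall_number):
    """Return (successful, failed) counts for one syscall number."""
    counts = Counter()
    for nr, ok, _exit in parse_syscall_records(text):
        if nr == syscall_number:
            counts["success" if ok else "failure"] += 1
    return counts["success"], counts["failure"]


def summarize(text):
    """Map each syscall number seen to its (successful, failed) counts."""
    per_syscall = defaultdict(Counter)
    for nr, ok, _exit in parse_syscall_records(text):
        per_syscall[nr]["success" if ok else "failure"] += 1
    return {nr: (c["success"], c["failure"]) for nr, c in per_syscall.items()}


def successful_records_present(text, syscall_number):
    """True if any successful record for the syscall reached the log.

    With a rule of the form 'exit,always success!=0 syscall=open' in effect,
    this should be False for the open syscall number; True means successful
    calls are still being written and the filter is not having the intended effect.
    """
    successes, _failures = count_by_outcome(text, syscall_number)
    return successes > 0


if __name__ == "__main__":
    # Usage on a real host: python audit_outcomes.py < /var/log/audit/audit.log
    import sys
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_LOG
    for nr, (ok, failed) in sorted(summarize(data).items()):
        print(f"syscall={nr:<4} success={ok:<6} failure={failed}")
    print("successful open (i386 nr 5) records present:",
          successful_records_present(data, 5))
```

On the constructed sample the script reports two successful and one failed open, so a rule meant to record only failed opens is not doing so for that log; run it against the live audit.log (or a rotated copy) to get the real ratio before deciding how much of the volume the success filter could remove.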
