> Yes, but you may be able to use the SE Linux label to prevent auditing of the
> process.

Steve, can you please tell me more about how to make use of the SELinux label here?

On Thu, Sep 8, 2011 at 6:44 PM, Steve Grubb <[email protected]> wrote:
> On Thursday, September 08, 2011 02:38:03 AM Vipin Rathor wrote:
>> My auditd server is getting overwhelmed by the logs that it is getting.
>
> This almost always means the rules are not properly tuned.
>
>> I've configured remote audit logging via audisp-plugin. Earlier I
>> tried to reduce the amount of logs by optimizing the audit rules. But
>> we want to reduce it further.
>> Here's the list of things that I can think of to reduce the overwhelming
>> amount of logs further:
>> 1. Increase kernel buffer for auditd from 20480 (current) to 99999.
>> 2. Increase the priority of the auditd process. Currently 'priority_boost
>> = 10'. Default is 4. I don't know the maximum value (though I've seen
>> someone using 12). Can anyone tell me what's the maximum priority I
>> can give?
>
> Probably 19. This is dictated by the kernel. See the nice(1) command.
>
>
>> 3. Optimize the audit messages further:
>> a. Exclude a single file (like /etc/sysconfig/bash-prompt-xterm) from
>> being audited. This can be done with the following rule (Thanks to
>> Steve!):
>> -a exit,never -F path=/etc/sysconfig/bash-prompt-xterm
>> b. Exclude specific processes by their PIDs. This will be tricky as
>> we will need to keep track of PIDs in case of process
>> start/stop/restart etc.
>
> Yes, but you may be able to use the SE Linux label to prevent auditing of the
> process.
>
> -Steve
>

--
-Rathor

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
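A small model of how the kernel walks the exit filter over rules like the ones discussed in this thread, added here as an illustration and not code from the thread or from audit-userspace. It shows the path suppression from the thread and Steve's label-based suppression (the SELinux type `my_noisy_daemon_t` is a hypothetical placeholder, and the events are constructed) and why a `never` rule only helps when it sits above the `always` rule it is meant to cut.

```python
# Added example, not code from the thread or from audit-userspace: a toy model of
# how the kernel walks the exit filter. Assumptions: only -a, -F, -S are parsed,
# every -F field is an equality test against the event, and the first matching
# rule decides (auditctl(8) says to keep suppressions at the top for this reason).

def parse_rule(line):
    """Parse one auditctl-style rule line; -k and other flags are ignored."""
    toks, rule, i = line.split(), {"action": "always", "fields": {}, "syscalls": set()}, 0
    while i < len(toks):
        flag, arg = toks[i], toks[i + 1] if i + 1 < len(toks) else ""
        if flag == "-a":            # both "exit,never" and "never,exit" are accepted
            rule["action"] = "never" if "never" in arg.split(",") else "always"
        elif flag == "-F":
            key, value = arg.split("=", 1)
            rule["fields"][key] = value
        elif flag == "-S":
            rule["syscalls"].update(arg.split(","))
        i += 2 if flag in ("-a", "-F", "-S", "-k") else 1
    return rule

def rule_matches(rule, event):
    if rule["syscalls"] and event["syscall"] not in rule["syscalls"]:
        return False
    return all(event.get(k) == v for k, v in rule["fields"].items())

def is_audited(rule_lines, event):
    """First matching rule wins; an event matching no rule produces no record."""
    for rule in map(parse_rule, rule_lines):
        if rule_matches(rule, event):
            return rule["action"] == "always"
    return False

# Suppressions first: by path (the rule from the thread) and by SELinux subject
# type (hypothetical label my_noisy_daemon_t) instead of chasing the daemon's PID.
GOOD_ORDER = [
    "-a exit,never -F path=/etc/sysconfig/bash-prompt-xterm",
    "-a exit,never -F subj_type=my_noisy_daemon_t",
    "-a exit,always -F arch=b64 -S open,openat -k files",
]
BAD_ORDER = GOOD_ORDER[2:] + GOOD_ORDER[:2]     # same rules, always rule first

# Constructed events carrying the fields a syscall record would expose.
PROMPT_READ = {"syscall": "open", "arch": "b64", "subj_type": "shell_t", "path": "/etc/sysconfig/bash-prompt-xterm"}
DAEMON_READ = {"syscall": "openat", "arch": "b64", "subj_type": "my_noisy_daemon_t", "path": "/etc/hosts"}
ADMIN_READ = {"syscall": "open", "arch": "b64", "subj_type": "unconfined_t", "path": "/etc/shadow"}

def demo():
    """(prompt, daemon, admin) audited under GOOD_ORDER, then prompt under BAD_ORDER."""
    good = tuple(is_audited(GOOD_ORDER, e) for e in (PROMPT_READ, DAEMON_READ, ADMIN_READ))
    return good, is_audited(BAD_ORDER, PROMPT_READ)   # ((False, False, True), True)
```

The real kernel compares path watches by inode rather than by string, so this model only reproduces the ordering and field logic, not the exact matching mechanics.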
