tmunkz
04-13-2014 03:20 PM
auditd and rule read order optimization
Hi,
As the subject states, I am wondering about the load that a large audit.rules file creates. So, in the case where multiple files and directories are being watched, will it cause a high load on the system?
Something like the following:
Code:
## Watch for changes / reads on the audit
## configs and rules for auditd.
-w /etc/audit/auditd.conf -p wa -k AUDIT_cfg
-w /etc/audit/audit.rules -p wa -k AUDIT_cfg
-w /etc/audit/rules.d/ -p wa -k AUDIT_cfg
## Watch for change on security related config files.
-w /etc/hosts.allow -p wxa -k SYSEC_cfg
-w /etc/hosts.deny -p wxa -k SYSEC_cfg
-w /etc/denyhosts.conf -p wxa -k SYSEC_cfg
-w /etc/pam.d/ -p wa -k SYSEC_cfg
-w /etc/security/access.conf -p wa -k SYSEC_cfg
-w /etc/security/limits.conf -p wa -k SYSEC_cfg
-w /etc/security/pam_env.conf -p wa -k SYSEC_cfg
-w /etc/security/namespace.conf -p wa -k SYSEC_cfg
-w /etc/security/namespace.d/ -p wa -k SYSEC_cfg
-w /etc/security/namespace.init -p wa -k SYSEC_cfg
-w /etc/security/sepermit.conf -p wa -k SYSEC_cfg
-w /etc/security/time.conf -p wa -k SYSEC_cfg
-w /etc/security/ -p wxa -k SYSEC_cfg
I am wondering if it would be better to use an action that looks for multiple types of system calls. However, I am not seeing anything that shows that an action (-a) can be used to watch a path or file. Everything I am seeing in the man pages and Google hits shows that the -w flag is used for a file or path watch.
Would it be possible to get some input on this from anyone? It just seems that things would run a bit better if it was a string of sys calls types made against a location, all in one rule. I dunno. Any help is appreciated.
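An added example, not part of tmunkz's post and not auditd project code: a POSIX shell script that takes a rule list in the same -w format and does two things. First, it drops file watches that are already covered by a recursive directory watch with at least the same permissions (in the post, every per-file rule under /etc/security/ is redundant with the final -w /etc/security/ -p wxa line, and each rule costs a check on every matching syscall exit). Second, it rewrites a -w rule into the -a always,exit -F path=/-F dir= -F perm= long form that auditctl treats -w as shorthand for, which is how an -a rule ends up tied to a location. The sample rule set is constructed from the post; the /etc/pam.d/common-auth line is a constructed extra that shows the permission-mismatch edge case (a child asking for r or x under a parent watched only for wa must be kept). The script only manipulates text, so it needs neither root nor auditctl; the output would still be loaded with auditctl -R as usual.

```shell
#!/bin/sh
# Constructed sample rules (subset of the post plus one extra line).
SAMPLE_RULES='-w /etc/security/access.conf -p wa -k SYSEC_cfg
-w /etc/security/limits.conf -p wa -k SYSEC_cfg
-w /etc/security/namespace.d/ -p wa -k SYSEC_cfg
-w /etc/security/ -p wxa -k SYSEC_cfg
-w /etc/pam.d/ -p wa -k SYSEC_cfg
-w /etc/pam.d/common-auth -p rwxa -k SYSEC_cfg
-w /etc/hosts.allow -p wxa -k SYSEC_cfg'

# dedupe_watches RULES: print RULES minus every -w rule whose path lies under
# a directory watch (path ending in /) whose -p set covers the child's -p set.
# Directory watches are recursive, so such a child rule adds nothing.
dedupe_watches() {
  printf '%s\n' "$1" | awk '
    function perm_of(f, n,   i) {
      for (i = 1; i <= n; i++) if (f[i] == "-p") return f[i+1]
      return "rwxa"          # assumption: no -p means all access types
    }
    function subset(child, parent,   i) {
      for (i = 1; i <= length(child); i++)
        if (index(parent, substr(child, i, 1)) == 0) return 0
      return 1
    }
    $1 == "-w" && $2 ~ /\/$/ {          # remember directory watches + perms
      d = $2; sub(/\/$/, "", d)
      n = split($0, f, " "); dirs[d] = perm_of(f, n)
    }
    { lines[NR] = $0 }
    END {
      for (i = 1; i <= NR; i++) {
        n = split(lines[i], f, " ")
        drop = 0
        if (f[1] == "-w") {
          p = f[2]; sub(/\/$/, "", p); cp = perm_of(f, n)
          for (d in dirs)
            if (p != d && index(p, d "/") == 1 && subset(cp, dirs[d])) drop = 1
        }
        if (!drop) print lines[i]
      }
    }'
}

# to_long_form RULE: rewrite one -w rule as the -a/-F rule it abbreviates.
# Files become -F path=..., directories (trailing /) become -F dir=...
to_long_form() {
  printf '%s\n' "$1" | awk '
    $1 == "-w" {
      path = $2; perm = "rwxa"; key = ""
      for (i = 3; i <= NF; i++) { if ($i == "-p") perm = $(i+1); if ($i == "-k") key = $(i+1) }
      filt = (path ~ /\/$/) ? "dir=" path : "path=" path
      sub(/\/$/, "", filt)
      out = "-a always,exit -F " filt " -F perm=" perm
      if (key != "") out = out " -k " key
      print out; next
    }
    { print }'
}

# Stand-alone run: show the reduced rule set and one rewritten rule.
dedupe_watches "$SAMPLE_RULES"
to_long_form '-w /etc/hosts.allow -p wxa -k SYSEC_cfg'
```

Redirect dedupe_watches output into a file under /etc/audit/rules.d/ if you want to keep the reduced set; comment and blank lines pass through untouched, so an existing rules file can be fed in whole. The permission check is deliberately conservative: a child is only dropped when the parent directory watch records every access type the child asked for, so coverage never shrinks.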