LinuxQuestions.org
Latest LQ Deal: Linux Power User Bundle
Go Back   LinuxQuestions.org > Forums > Linux Forums > Linux - Security
User Name
Password
Linux - Security This forum is for all security related questions.
Questions, tips, system compromises, firewalls, etc. are all included here.

Notices


Reply
  Search this Thread
Old 04-13-2014, 04:20 PM   #1
tmunkz
LQ Newbie
 
Registered: Apr 2014
Posts: 1

Rep: Reputation: Disabled
Question auditd and rule read order optimization


Hi,

As the subject states, I am wondering about the load that a large audit.rule file creates. So, in the case where multiple files and directories are being watched will it cause a high load on the system?

Something like the following :
Code:
## Watch for changes / reads on the audit
## configs and rules for auditd.
-w /etc/audit/auditd.conf -p wa -k AUDIT_cfg
-w /etc/audit/audit.rules -p wa -k AUDIT_cfg
-w /etc/audit/rules.d/ -p wa -k AUDIT_cfg

## Watch for change on security related config files.

-w /etc/hosts.allow -p wxa -k SYSEC_cfg
-w /etc/hosts.deny -p wxa -k SYSEC_cfg
-w /etc/denyhosts.conf -p wxa -k SYSEC_cfg
-w /etc/pam.d/ -p wa -k SYSEC_cfg
-w /etc/security/access.conf -p wa  -k SYSEC_cfg
-w /etc/security/limits.conf -p wa  -k SYSEC_cfg
-w /etc/security/pam_env.conf -p wa -k SYSEC_cfg
-w /etc/security/namespace.conf -p wa -k SYSEC_cfg
-w /etc/security/namespace.d/ -p wa -k SYSEC_cfg
-w /etc/security/namespace.init -p wa -k SYSEC_cfg
-w /etc/security/sepermit.conf -p wa -k SYSEC_cfg
-w /etc/security/time.conf -p wa -k SYSEC_cfg
-w /etc/security/ -p wxa -k SYSEC_cfg
I am wondering if it would be better to use an action that looks for multiple types of system calls. However, I am not seeing anything that shows that an action (-a) can be used to watch a path or file. Everything I am seeing in the man pages and google hits shows that the -w flag is used for a file or path watch.

Would it be possible to get some input on this from anyone? It just seems that things would run a bit better if it was a string of sys calls types made against a location, all in one rule. I dunno. Any help is appreciated.
 
Old 04-13-2014, 06:09 PM   #2
unSpawn
Moderator
 
Registered: May 2001
Posts: 29,393
Blog Entries: 55

Rep: Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565Reputation: 3565
Code:
# Active rules in set:
]# grep -v ^# /etc/audit/audit.rules |wc -l
531

# Amount of watches:
]# grep -v ^# /etc/audit/audit.rules|grep -c -- "-w"
192

# CPU usage of audit daemon:
]# \ps --no-headers -C auditd -opcpu
 0.0
# ...so I'd say at 500 rules it doesn't cause much load.
 
  


Reply


Thread Tools Search this Thread
Search this Thread:

Advanced Search

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is Off
HTML code is Off



Similar Threads
Thread Thread Starter Forum Replies Last Post
The auditd daemon stops logging after deleting audit.log until auditd is restarted Latitude Linux - Security 2 06-20-2013 04:10 PM
auditd: auditd startup failed cmschube Red Hat 2 05-11-2009 08:08 AM
how to log read/write access using auditd? neversetsun Linux - Software 1 02-17-2009 06:18 PM
iptables rule order Kumado Linux - Security 4 10-14-2005 12:12 AM
iptables rule order dunkyb Linux - Security 2 03-21-2003 08:56 AM

LinuxQuestions.org > Forums > Linux Forums > Linux - Security

All times are GMT -5. The time now is 04:09 PM.

Main Menu
Advertisement
My LQ
Write for LQ
LinuxQuestions.org is looking for people interested in writing Editorials, Articles, Reviews, and more. If you'd like to contribute content, let us know.
Main Menu
Syndicate
RSS1  Latest Threads
RSS1  LQ News
Twitter: @linuxquestions
Facebook: linuxquestions Google+: linuxquestions
Open Source Consulting | Domain Registration