LinuxQuestions.org
Old 05-15-2014, 03:17 AM   #1
zizoumed
Linux System Auditing


Hello everyone :-)

I want to determine the ideal audit configuration for my server (Redhat) without penalizing disk space too much.
Given that the configuration of the auditd.conf file is the default:


# This file controls the configuration of the audit daemon

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
name = mydomain
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
tcp_listen_port =
tcp_listen_queue = 5
tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
krb5_key_file = /etc/audit/audit.key

Thanks
 
Old 05-15-2014, 05:55 AM   #2
chrism01
Please write in English.

Quote:
All member-created content should be in English. This allows our moderators to ensure all content complies with all LQ rules. In addition, we recommend you avoid sms/l33t speak in the technical fora. Avoiding sms/l33t speak will improve question clarity and increase the chance of receiving a helpful response.
https://www.linuxquestions.org/linux/rules.html

Thank you very much
 
Old 05-15-2014, 06:33 AM   #3
zizoumed
Original Poster
I want to determine the ideal audit configuration for my server (Redhat).
The configuration file auditd.conf is the default:
# This file controls the configuration of the audit daemon

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 4
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
name = mydomain
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
tcp_listen_port =
tcp_listen_queue = 5
tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
krb5_key_file = /etc/audit/audit.key


By default, auditd retains 4 log files of size 5Mb apiece. For a busy system or a system which is thoroughly
auditing system activity, this is likely to be insufficient.

I want to determine the ideal audit configuration for my server.

Thanks a lot.

Last edited by zizoumed; 05-15-2014 at 06:34 AM.
 
Old 05-19-2014, 07:14 AM   #4
chrism01
If you want to store more log info, see the man page http://linux.die.net/man/5/auditd.conf, specifically
Quote:
num_logs
This keyword specifies the number of log files to keep if rotate is given as the max_log_file_action. If the number is < 2, logs are not rotated. This number must be 99 or less. The default is 0 - which means no rotation. As you increase the number of log files being rotated, you may need to adjust the kernel backlog setting upwards since it takes more time to rotate the files. This is typically done in /etc/audit/audit.rules. If log rotation is configured to occur, the daemon will check for excess logs and remove them in effort to keep disk space available. The excess log check is only done on startup and when a reconfigure results in a space check.

max_log_file
This keyword specifies the maximum file size in megabytes. When this limit is reached, it will trigger a configurable action. The value given must be numeric.

admin_space_left
This is a numeric value in megabytes that tells the audit daemon when to perform a configurable action because the system is running low on disk space. This should be considered the last chance to do something before running out of disk space. The numeric value for this parameter should be lower than the number for space_left.
but best to read the whole page first and understand the implications of each setting.

HTH
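
An added example, not part of the original posts: a small Python check that applies the three man-page rules quoted above (num_logs must be 99 or less and rotation needs at least 2, admin_space_left should be lower than space_left) and estimates how much audit data rotation retains. The function names are hypothetical, and the sample is a constructed excerpt of the config posted in this thread.

```python
# Constructed sample: the size-related settings from the config posted above.
POSTED_CONF = """\
# This file controls the configuration of the audit daemon
log_file = /var/log/audit/audit.log
num_logs = 4
max_log_file = 5
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
admin_space_left = 50
admin_space_left_action = SUSPEND
"""

def parse_conf(text):
    """Parse 'key = value' lines; keys are lowercased, '#' lines are skipped."""
    conf = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, sep, value = line.partition("=")
        if sep:
            conf[key.strip().lower()] = value.strip()
    return conf

def review(text):
    """Return (retained_mb, warnings) for an auditd.conf body (hypothetical helper)."""
    conf = parse_conf(text)
    num_logs = int(conf.get("num_logs", 0))  # quoted man page: default is 0
    max_mb = int(conf["max_log_file"])       # maximum size of one log file, in MB
    rotating = conf.get("max_log_file_action", "").upper() == "ROTATE"
    warnings = []
    if num_logs > 99:
        warnings.append("num_logs must be 99 or less")
    if rotating and num_logs < 2:
        warnings.append("num_logs < 2: logs are not rotated")
    if "space_left" in conf and "admin_space_left" in conf:
        if int(conf["admin_space_left"]) >= int(conf["space_left"]):
            warnings.append("admin_space_left should be lower than space_left")
    # Approximate upper bound on retained audit data, valid only while rotating.
    retained = num_logs * max_mb if rotating and 2 <= num_logs <= 99 else None
    return retained, warnings

if __name__ == "__main__":
    print(review(POSTED_CONF))
```

To keep more history, raise num_logs and max_log_file in a copy of the file and re-run the check to see the new disk footprint before restarting auditd.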
 
  

