FYI - With SNARE off (disabled dispatcher in auditd.conf), the audit log sizes are manageable. When I turn Snare back on, I get 30-40 MB on a reboot alone.
Here are some of the "failures" that Snare reports (on a reboot):
Failed File Summary Report
===========================
total file
===========================
699 /root/Templates
351 /dev/sda
10 /usr/share/locale/en_US.UTF-8/LC_TIME/coreutils.mo
10 /usr/share/locale/en_US/LC_TIME/coreutils.mo
10 /usr/share/locale/en.UTF-8/LC_TIME/coreutils.mo
10 /usr/share/locale/en.utf8/LC_TIME/coreutils.mo
10 /usr/share/locale/en/LC_TIME/coreutils.mo
10 /usr/share/locale/en_US.UTF-8/LC_MESSAGES/coreutils.mo
10 /usr/share/locale/en_US.utf8/LC_MESSAGES/coreutils.mo
10 /usr/share/locale/en_US/LC_MESSAGES/coreutils.mo
10 /usr/share/locale/en.UTF-8/LC_MESSAGES/coreutils.mo
10 /usr/share/locale/en.utf8/LC_MESSAGES/coreutils.mo
10 /usr/share/locale/en/LC_MESSAGES/coreutils.mo
9 /usr/share/locale/en_US.utf8/LC_TIME/coreutils.mo
2 /dev/tty
2 /lib/security/$ISA/pam_deny.so
2 /usr/share/locale/en/LC_MESSAGES/util-linux.mo
2 /usr/share/locale/en.utf8/LC_MESSAGES/util-linux.mo
2 /usr/share/locale/en.UTF-8/LC_MESSAGES/util-linux.mo
2 /usr/share/locale/en_US/LC_MESSAGES/util-linux.mo
2 /usr/share/locale/en_US.utf8/LC_MESSAGES/util-linux.mo
2 /usr/share/locale/en_US.UTF-8/LC_MESSAGES/util-linux.mo
1 /usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo
1 /usr/share/locale/en_US.utf8/LC_MESSAGES/libc.mo
1 /usr/share/locale/en_US/LC_MESSAGES/libc.mo
1 /usr/share/locale/en.UTF-8/LC_MESSAGES/libc.mo
1 /usr/share/locale/en.utf8/LC_MESSAGES/libc.mo
1 /usr/share/locale/en/LC_MESSAGES/libc.mo
1 /usr/share/locale/en_US.UTF-8/LC_MESSAGES/initscripts.mo
1 /usr/share/locale/en_US.utf8/LC_MESSAGES/initscripts.mo
1 /usr/share/locale/en_US/LC_MESSAGES/initscripts.mo
1 /usr/share/locale/en.UTF-8/LC_MESSAGES/initscripts.mo
1 /usr/share/locale/en.utf8/LC_MESSAGES/initscripts.mo
1 /usr/share/locale/en/LC_MESSAGES/initscripts.mo
1 /lib/security/$ISA/pam_env.so
1 /lib/security/$ISA/pam_unix.so
1 /lib/security/$ISA/pam_smb_auth.so
1 /lib/security/$ISA/pam_succeed_if.so
1 /lib/security/$ISA/pam_permit.so
1 /lib/security/$ISA/pam_cracklib.so
1 /lib/security/$ISA/pam_limits.so
I can't understand why these are failures. Right now I have to leave Snare (dispatcher) disabled.
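A small triage script, added here as an example and not something from the post or from the Snare/auditd projects, that parses an aureport-style "Failed File Summary Report" like the one above and buckets the failed opens by kind. The locale entries match what gettext does when it probes several spellings of the locale directory (en_US.UTF-8, en_US.utf8, en_US, en.UTF-8, en.utf8, en) for one catalog: every spelling that does not exist is a failed open, and audit records each one. The sample report, the category names and the classification heuristics are all constructed for this example.

```python
import re
from collections import Counter

# Constructed sample: a trimmed copy of the aureport-style report quoted
# in the post (same format, a subset of the paths and counts).
SAMPLE_REPORT = """\
Failed File Summary Report
===========================
total file
===========================
699 /root/Templates
351 /dev/sda
10 /usr/share/locale/en_US.UTF-8/LC_TIME/coreutils.mo
10 /usr/share/locale/en_US/LC_TIME/coreutils.mo
10 /usr/share/locale/en/LC_MESSAGES/coreutils.mo
2 /dev/tty
2 /lib/security/$ISA/pam_deny.so
2 /usr/share/locale/en/LC_MESSAGES/util-linux.mo
1 /usr/share/locale/en_US.UTF-8/LC_MESSAGES/libc.mo
1 /lib/security/$ISA/pam_unix.so
"""

# "<count> <path>" rows; banner and header rows do not start with a number.
LINE_RE = re.compile(r"^\s*(\d+)\s+(\S.*?)\s*$")


def parse_report(text):
    """Return (count, path) pairs from the body of a failed-file summary,
    skipping the title, the '====' rules and the 'total file' header."""
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        count, path = int(m.group(1)), m.group(2)
        if not path.startswith("/"):
            continue  # defensive: ignore anything that is not an absolute path
        entries.append((count, path))
    return entries


def classify(path):
    """Heuristic bucket for one failed path (categories are this example's)."""
    if path.startswith("/usr/share/locale/") and path.endswith(".mo"):
        return "locale-catalog"  # gettext probing fallback locale directories
    if path.startswith("/lib/security/") or "/security/pam_" in path:
        return "pam-module"
    if path.startswith("/dev/"):
        return "device-node"
    return "other"


def summarize(text):
    """Total failed opens per bucket, so the noisy buckets stand out."""
    totals = Counter()
    for count, path in parse_report(text):
        totals[classify(path)] += count
    return dict(totals)


def catalog_probes(text):
    """For each message catalog, how many distinct locale paths were tried.
    One missing .mo file shows up once per candidate directory, which is
    why a single catalog can appear many times in the report."""
    probed = {}
    for _, path in parse_report(text):
        if classify(path) == "locale-catalog":
            name = path.rsplit("/", 1)[1]
            probed.setdefault(name, set()).add(path)
    return {name: len(paths) for name, paths in probed.items()}


if __name__ == "__main__":
    for bucket, total in sorted(summarize(SAMPLE_REPORT).items()):
        print(f"{bucket:16s} {total}")
    for name, n in sorted(catalog_probes(SAMPLE_REPORT).items()):
        print(f"{name}: probed in {n} locale path(s)")
```

Run it against the full report (replace `SAMPLE_REPORT` with the text of `aureport -f --failed --summary`, or whatever report Snare forwards) and the "other" and "device-node" buckets are the ones worth a second look; the locale and PAM buckets are repeated lookups of the same few files and are what inflates the log on every boot.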