Update audit.rules #85
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
The audit.rules files that is currently in this repo does not work with well with RHEL 6.8 deployments. Something has changed in that my workstations are often times experiencing kernel panic due to the buffer filling up or something related to auditd. This condition can be created anytime you delete a large file structure (i.e. svn checkout directory) or during certain large builds. I've attributed it to the aggressiveness of the audit.rules file and the system not being able to "keep up" at which point it panics due to the "-f 2" logic. I took the NISPOM baseline found under /usr and added the lines needed to mitigate findings from a SCC/SCAP scan using Red Hat 6 STIG Benchmark - Ver 1, Rel 13 Using this file I have not had any issues with servers or workstations throwing a kernel panic under heavy use. There is likely some cleanup that could be performed here with the commented out lines (some are redundant I believe) but I haven't had time to chase that down.
fcaviggia
reviewed
Nov 15, 2016
Owner
fcaviggia
left a comment
fcaviggia
left a comment
There was a problem hiding this comment.
I should probably replace the audit.rules with a script - similar to what I'm doing in RHEL 7 https://github.com/RedHatGov/ssg-el7-kickstart/blob/master/config/hardening/ssg-supplemental.sh (lines 149-338) to capture the privileged commands as those vary from box to box.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
The audit.rules file that is currently in this repo does not work with well with RHEL 6.8 deployments. Something has changed in that my workstations are often times experiencing kernel panic due to the buffer filling up or something related to auditd. It happened some on RHEL 6.7 but got considerably worse in RHEL6.8 installs to the point it will sometimes panic on shutdown activity. This condition can be created by deleting a large file structure (i.e. svn checkout directory) or during certain large builds. I've attributed it to the aggressiveness of the audit.rules file and the system not being able to "keep up" at which point it panics due to the "-f 2" logic.
I took the NISPOM baseline found under /usr and added the lines needed to mitigate audit.rules findings from a SCC/SCAP scan using Red Hat 6 STIG Benchmark - Ver 1, Rel 13
Using this file I have not had any issues with servers or workstations throwing a kernel panic under heavy use.
There is likely some cleanup that could be performed here with the commented out lines (some are redundant I believe) but I haven't had time to chase that down.