Channel: UNIX and Linux Forums

Configuring audit.rules to exclude a certain compiler

Hey all,
Issue at hand is this. I have a Red Hat 6.5 server 64b locked down with SELinux enforcing, and audit rules and config shown in the attachments.

My issue is that even though the system is extremely robust, when it goes to rotate the logs, the system will Halt/Crash. I've set the max_log_file size to anywhere between 1 gig and 15 gigs, and var/log/audit/ is on its own partition of 100 Gig. (Ignore the b32 rules in there please)
The issue is that during compilation of code, the audit log will get filled with simple messages/syscalls from the compiler cc1plus, as such:

Code:

type=SYSCALL msg=audit(1423599930.598:66698879): arch=c000003e syscall=2 success=no exit=-2 a0=170cc30 a1=100 a2=1b6 a3=7f8dfde6 items=1 ppid=7504 pid=7506 auid=0 uid=12763 gid=130 euid=12763 suid=12763 fsuid=12763 egid=130 sgid=130 fsgid=130 tty=pts0 ses=212 comm="cc1plus" exe="/usr/libexec/gcc/x86_64-redhat-linux/4.4.4/cc1plus" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
There are thousands of these in a second, and it ends up writing out more than a gig per second into the audit logs. So when the rotate comes, after 5 logs, even though the buffer is 65535, it still halts.
The system has 128 Gigs of memory, 12 cores, raid 6, etc, so it's not that the system is short on power.

Any suggestions would be gladly received.

Thanks,
Brian

Attached Files
File Type: txt auditd.txt (10.5 KB)
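
One way to measure which program, syscall and rule key account for a flood like the one described above, as an added example that is not part of the original post. The sample lines, the `perm_mod` key and the function names are constructed for illustration, and the syscall table covers x86_64 (`arch=c000003e`) only.

```python
"""Tally SYSCALL audit records by source to see what is flooding audit.log."""
import re
from collections import Counter

# Partial x86_64 table (arch=c000003e); unknown numbers are reported as-is.
X86_64_SYSCALLS = {2: "open", 59: "execve", 90: "chmod", 257: "openat"}

STAMP = re.compile(r"msg=audit\((\d+)\.\d+:\d+\)")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_syscall_record(line):
    """Return the record's fields as a dict, or None for non-SYSCALL or malformed lines."""
    stamp = STAMP.search(line)
    if not line.startswith("type=SYSCALL") or stamp is None:
        return None
    fields = {k: v.strip('"') for k, v in FIELD.findall(line)}
    fields["second"] = int(stamp.group(1))  # epoch second, used for the rate
    return fields


def summarize(lines):
    """Count records per (exe, syscall, success, key) and per epoch second."""
    by_source, per_second = Counter(), Counter()
    for line in lines:
        rec = parse_syscall_record(line.strip())
        if rec is None:
            continue
        num = rec.get("syscall", "?")
        name = X86_64_SYSCALLS.get(int(num), num) if num.isdigit() else num
        # key=(null) means the rule that matched carries no -k tag.
        by_source[(rec.get("exe", "?"), name, rec.get("success", "?"), rec.get("key", "?"))] += 1
        per_second[rec["second"]] += 1
    return by_source, per_second


CC1 = "/usr/libexec/gcc/x86_64-redhat-linux/4.4.4/cc1plus"
# Constructed sample, shortened from the record format shown in the post.
SAMPLE = [
    f'type=SYSCALL msg=audit(1423599930.598:10{i}): arch=c000003e syscall=2 success=no '
    f'exit=-2 uid=12763 comm="cc1plus" exe="{CC1}" key=(null)' for i in range(3)
] + [
    'type=PATH msg=audit(1423599930.598:100): item=0 name="example.h"',
    'type=SYSCALL msg=audit(1423599931.010:104): arch=c000003e syscall=90 success=yes '
    'exit=0 uid=0 comm="chmod" exe="/bin/chmod" key="perm_mod"',
]

if __name__ == "__main__":
    sources, rate = summarize(SAMPLE)
    for (exe, name, ok, key), n in sources.most_common():
        print(f"{n:6d}  {exe}  syscall={name} success={ok} key={key}")
    print("peak records/second:", max(rate.values()))
```

On a real log, pass the open file object to `summarize()` instead of `SAMPLE`; the top rows show which executable and which untagged rule produce the volume.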
