Atomic Secure Linux

All times are UTC - 5 hours [ DST ]




 Post subject: Disk Space
Posted: Thu Jul 28, 2011 10:45 am
Forum User

Joined: Wed Apr 18, 2007 7:58 am
Posts: 24
Location: Burlington, NJ USA
Hello:

I am having a problem with the amount of disk space used since upgrading to ASL 3.0. The directory /var/ossec/queue/diff/local/etc/webmin/virtual-server/history has grown almost 100 GB in just 1 week. I'll soon be out of disk space.

I am using:

CentOS 5.6
Latest Virtualmin/Webmin (non-Plesk system)
Latest ASL and ossec

Any assistance would be appreciated.

John


 Post subject: Re: Disk Space
Posted: Thu Jul 28, 2011 11:12 am
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3603
Location: Chantilly, VA
Thank you for the question. ASL has a new feature that will record and report changes to important files (it will literally tell you, this line changed and this is what it was before). By default, it will only report and record the specific changes to files in the /etc directory. This option in the file integrity system is called "reporting". It sounds like you have an application that uses /etc as a place for logs (we recommend you tell the developer this is a bad idea too, that does not follow the Linux standard). To prevent ASL from doing this, you just need to exclude that subdirectory from reporting.

Just log into ASL, click the ASL tab, select the "File Integrity" menu option. Then press the "Options" button and then select the "Directories" button. At the bottom of the screen you will see a drop down list that says "-- add new rule --". Click that, then type in /etc/webmin/virtual-server/history and hit enter. If there are any other files you want to ignore, add them too. You can also ignore a directory, just put in the directory path there too. We recommend you look at any directories before you ignore them, as they may contain files you do want to be alerted if they change. We do not under any circumstances recommend you exclude /etc.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.
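
As an added example (not part of the original thread and not Atomicorp's code): a Python script that ranks the monitored paths whose recorded changes use the most space under the diff directory named in the first post, to find candidates for the reporting exclusion described above. It assumes the diff store mirrors the monitored path beneath `/var/ossec/queue/diff/local`, as the paths in this thread suggest; the function names, the `depth` parameter and the size threshold are hypothetical.

```python
import os
from collections import defaultdict

# Diff store location taken from the first post; assumed to mirror monitored paths.
DIFF_ROOT = "/var/ossec/queue/diff/local"
# Paths that must never be suggested for exclusion (the reply above rules out /etc).
NEVER_EXCLUDE = {"/", "/etc"}


def diff_usage(diff_root=DIFF_ROOT, depth=4):
    """Return [(monitored_path, total_bytes, file_count)], largest first.

    Stored files are grouped by the first `depth` components of the
    monitored path, e.g. /etc/webmin/virtual-server/history at depth 4.
    """
    totals = defaultdict(lambda: [0, 0])
    for dirpath, _dirs, files in os.walk(diff_root):
        rel = os.path.relpath(dirpath, diff_root)
        parts = [] if rel == "." else rel.split(os.sep)
        key = "/" + "/".join(parts[:depth])
        for name in files:
            try:
                size = os.lstat(os.path.join(dirpath, name)).st_size
            except OSError:
                continue  # file removed while scanning
            totals[key][0] += size
            totals[key][1] += 1
    rows = [(path, v[0], v[1]) for path, v in totals.items()]
    return sorted(rows, key=lambda r: r[1], reverse=True)


def exclusion_candidates(rows, min_bytes):
    """Paths using at least min_bytes, skipping ones that must stay monitored."""
    return [p for p, size, _n in rows
            if size >= min_bytes and p not in NEVER_EXCLUDE]


if __name__ == "__main__":
    rows = diff_usage()
    for path, size, count in rows[:10]:
        print(f"{size / 2**20:10.1f} MiB  {count:7d} files  {path}")
    # 1 GiB threshold is an arbitrary example value.
    for path in exclusion_candidates(rows, 2**30):
        print("review before excluding from reporting:", path)
```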


 Post subject: Re: Disk Space
Posted: Thu Jul 28, 2011 4:39 pm
Forum User

Joined: Wed Apr 18, 2007 7:58 am
Posts: 24
Location: Burlington, NJ USA
OK, did it. Now I'll wait and see what happens. So far, it appears to be working.

Interesting note: All of the files (about 100 GB worth) appear to be written every 5 minutes between 4 PM and 4 AM. For the other 12 hours, little or nothing.

John


 Post subject: Re: Disk Space
Posted: Thu Jul 28, 2011 5:50 pm
Atomicorp Staff - Site Admin

Joined: Thu Feb 07, 2008 7:49 pm
Posts: 3603
Location: Chantilly, VA
Quote:
Interesting note: All of the files (about 100 GB worth) appear to be written every 5 minutes between 4 PM and 4 AM. For the other 12 hours, little or nothing.


That means the file(s) is/are changing. ASL detects this in real time, so if a file changes it will alert and, if configured, it will also report what changed.

_________________
Michael Shinn
Atomicorp - Security For Everyone

Co-Author of Troubleshooting Linux Firewalls.

