Auditd and Watches

Thu May 24 13:53:03 UTC 2007

All,

This is my first post to the list so...be gentle ;) Anyway, I'm trying
to get some monitoring going where I plan on using auditd to monitor
changes to files I deem important. Currently I have a watch on one file
(called important_file), I've given a key so I can find events related
to my one important file. Below is my watch:

[root at XXXX-22 ~]# auditctl -l
No rules
AUDIT_WATCH_LIST: dev=104:2, path=/var/tmp/important_test,
filterkey=test-file, perms=wa, valid=0

I've got no rules in my audit.rules (except -D and the -b 256 default).

My question is this (about time eh?) even though the only rule I have in
my rules is a single watch on a file, I'm getting all sorts of other
events in my /var/log/audit/audit.log. A lot of it are don't care items
at this phase and would only aid in growing my log files. Is there
something I'm missing that can turn off the additional chatter in the
logs? Below are some examples:

type=USER_ACCT msg=audit(05/24/2007 08:44:27.341:8311) : user pid=5633
uid=root auid=unknown(4294967295) msg='PAM accounting:
user=scrubbeduserid exe="/usr/sbin/sshd"
(hostname=cnu448f4g2.edwardjones.com, addr=XXX.XXX.XXX.146, terminal=ssh
result=Success)'
----
type=LOGIN msg=audit(05/24/2007 08:44:27.368:8312) : login pid=5640
uid=root old auid=unknown(4294967295) new auid=scrubbeduserid
----
type=USER_START msg=audit(05/24/2007 08:44:27.370:8313) : user pid=5640
uid=root auid=scrubbeduserid msg='PAM session open: user=scrubbeduserid
exe="/usr/sbin/sshd" (hostname=cnu448f4g2.edwardjones.com,
addr=XXX.XXX.XXX.146, terminal=ssh result=Success)'
----
type=CRED_REFR msg=audit(05/24/2007 08:44:27.373:8314) : user pid=5640
uid=root auid=scrubbeduserid msg='PAM setcred: user=scrubbeduserid
exe="/usr/sbin/sshd" (hostname=cnu448f4g2.edwardjones.com,
addr=XXX.XXX.XXX.146, terminal=ssh result=Success)'
----
type=USER_LOGIN msg=audit(05/24/2007 08:44:27.382:8315) : user pid=5633
uid=root auid=unknown(4294967295) msg='uid=7532: exe="/usr/sbin/sshd"
(hostname=cnu448f4g2.edwardjones.com, addr=XXX.XXX.XXX.146,
terminal=/dev/pts/1 res=success)'
----
type=USER_AUTH msg=audit(05/24/2007 08:44:37.379:8316) : user pid=5698
uid=scrubbeduserid auid=scrubbeduserid msg='PAM authentication:
user=scrubbeduserid exe="/usr/local/bin/priv-escalator"
(hostname=nldg-22.appl.devjones.com, addr=XXX.XXX.XXX.186,
terminal=/dev/pts/1 result=Success)'
----
type=USER_ACCT msg=audit(05/24/2007 08:44:37.384:8317) : user pid=5698
uid=scrubbeduserid auid=scrubbeduserid msg='PAM accounting:
user=scrubbeduserid exe="/usr/local/bin/priv-escalator"
(hostname=nldg-22.appl.devjones.com, addr=XXX.XXX.XXX.186,
terminal=/dev/pts/1 result=Success)'
----
type=USER_AUTH msg=audit(05/24/2007 08:44:41.884:8318) : user pid=5728
uid=root auid=unknown(4294967295) msg='PAM authentication: user=root
exe="/bin/su" (hostname=?, addr=?, terminal=pts/3 result=Success)'
----
type=USER_ACCT msg=audit(05/24/2007 08:44:41.889:8319) : user pid=5728
uid=root auid=unknown(4294967295) msg='PAM accounting: user=root
exe="/bin/su" (hostname=?, addr=?, terminal=pts/3 result=Success)'
----
type=USER_START msg=audit(05/24/2007 08:44:41.890:8320) : user pid=5728
uid=root auid=unknown(4294967295) msg='PAM session open: user=root
exe="/bin/su" (hostname=?, addr=?, terminal=pts/3 result=Success)'
----
type=CRED_ACQ msg=audit(05/24/2007 08:44:41.890:8321) : user pid=5728
uid=root auid=unknown(4294967295) msg='PAM setcred: user=root
exe="/bin/su" (hostname=?, addr=?, terminal=pts/3 result=Success)'

Basically I'm trying to chunk the logs down so my host based ids can
snag the events and alert accordingly. I'm pretty new to linux auditd
and I'm coming from the Solaris BSM Audit school of thought. Steve if
you're reading this, thanks for your time and effort keeping linux
auditd going.

-Felix
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20070524/e1468e13/attachment.htm>