Way too many logs!

troy.s.curtis at l-3com.com troy.s.curtis at l-3com.com
Mon May 26 13:42:36 UTC 2008


I don't typically monitor this list too closely which is why this is so
late but I might have a rule to help you trim things down.  This has so
far passed muster for NISPOM, but I'm not too familiar with DIACAP STIG
(yet, it's coming I think!).

Once you get your RULE7 trimmed down you may run into an excessive
number of unsuccessful open calls, especially if your systems are used
for any kind of development (like mine).  The reason is that as your shell
searches through the path looking for an executable you get lots of
failures due to it not existing in various places.  I think you may not
run into too many issues with an actual shell because they typically
cache the locations, but running something like Make hits them all the
time.

Anyway, to cut down on those and be able to defend it you can exclude
failures due to non-existence:

-a exit,always -S open -F success=0 -F exit!=-2

It looks like maybe you can use the actual errno here, but maybe not on
my old version?  But I'm using the above rule on a RHEL 4 box
successfully.  It pretty much single-handedly took our logs from
unmanageable (not to mention a MAJOR performance hit for compiles) to
usable.

Troy Curtis, Jr.
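To see what the two posts above are doing by hand, here is an added example (not code from either poster or from the audit project) that parses SYSCALL records in the interpreted style quoted below, tallies hits per key the way Jeremy did, names the (comm, syscall) pair behind a noisy key, and emulates the effect of Troy's `-F success=0 -F exit!=-2` open rule on failed opens. The log lines are constructed samples, not real audit data.

```python
import re
from collections import Counter

# Constructed sample records in the interpreted (ausearch -i / aureport -i) style quoted
# in the thread; fields not needed here are trimmed.  Not real log data.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(04/25/08 16:37:48.568:194518) : arch=i386 syscall=_newselect success=yes exit=0 pid=4012 uid=root comm=savd exe=/opt/sophos-av/engine/_/savd.0 key="RULE7"
type=SYSCALL msg=audit(04/25/08 16:37:49.001:194519) : arch=i386 syscall=open success=no exit=-2(No such file or directory) pid=4100 uid=troy comm=make exe=/usr/bin/make key="RULE1"
type=SYSCALL msg=audit(04/25/08 16:37:49.002:194520) : arch=i386 syscall=open success=no exit=-2(No such file or directory) pid=4100 uid=troy comm=make exe=/usr/bin/make key="RULE1"
type=SYSCALL msg=audit(04/25/08 16:37:49.003:194521) : arch=i386 syscall=open success=no exit=-13(Permission denied) pid=4101 uid=troy comm=cat exe=/bin/cat key="RULE1"
type=SYSCALL msg=audit(04/25/08 16:37:49.004:194522) : arch=i386 syscall=open success=no exit=-2 pid=4102 uid=root comm=sh exe=/bin/sh key="RULE1"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one SYSCALL record into a dict; exit becomes an int in raw or interpreted form."""
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    m = re.match(r'-?\d+', rec.get('exit', ''))
    rec['exit'] = int(m.group()) if m else None
    return rec


def syscall_records(log_text):
    return [parse_record(l) for l in log_text.splitlines() if l.startswith('type=SYSCALL')]


def hits_by_key(log_text):
    """Count records per audit key, the breakdown Jeremy tallied by hand."""
    return Counter(r['key'] for r in syscall_records(log_text))


def noisy_sources(log_text, key):
    """For one key, count (comm, syscall) pairs so the noise source can be named before tuning."""
    return Counter((r['comm'], r['syscall']) for r in syscall_records(log_text) if r.get('key') == key)


def matches_failed_open(rec, exclude_enoent):
    """Emulate '-S open -F success=0' and, when exclude_enoent is set, Troy's extra '-F exit!=-2'."""
    if rec.get('syscall') != 'open' or rec.get('success') != 'no':
        return False
    return not (exclude_enoent and rec['exit'] == -2)


def failed_open_counts(log_text):
    """Return (matches without the ENOENT exclusion, matches with it)."""
    recs = syscall_records(log_text)
    return (sum(matches_failed_open(r, False) for r in recs),
            sum(matches_failed_open(r, True) for r in recs))


if __name__ == '__main__':
    print(hits_by_key(SAMPLE_LOG), noisy_sources(SAMPLE_LOG, 'RULE7'), failed_open_counts(SAMPLE_LOG))
```

Run it over real `ausearch -i` output to confirm which exit values dominate a key before deciding that an exclusion is defensible.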

-----Original Message-----
From: linux-audit-bounces at redhat.com
[mailto:linux-audit-bounces at redhat.com] On Behalf Of Jeremy Leonard
Sent: Friday, May 09, 2008 3:21 PM
To: linux-audit at redhat.com
Subject: Way too many logs!

Here are the rules I'm using:

-D
-b 8096
-a exit,always -S open -F success=0 -k RULE1
-a exit,always -S unlink -S rmdir -k RULE2
-w /etc/auditd.conf -k RULE3
-w /etc/audit.rules -k RULE4
-a exit,always -S acct -S reboot -S swapon -k RULE5
-a exit,always -S settimeofday -S setrlimit -S setdomainname -k RULE6
-a exit,always -S sched_setparam -S sched_setscheduler -k RULE7
-a exit,always -S chmod -S fchmod -S chown -S fchown -k RULE8
-a exit,always -S lchown -k RULE9


Here is the output of aureport:

Summary Report
======================
Range of time: 04/25/08 16:37:44.116 - 04/25/08 16:47:29.266
Number of changes in configuration: 22
Number of changes to accounts, groups, or roles: 0
Number of logins: 0
Number of failed logins: 0
Number of users: 2
Number of terminals: 4
Number of host names: 2
Number of executables: 33
Number of files: 693
Number of AVC denials: 0
Number of MAC events: 0
Number of failed syscalls: 4052
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of crypto events: 0
Number of process IDs: 1428
Number of events: 1444530


This is 475 MB in ten minutes!

Here is how the rule hits add up:

RULE1: 4052
RULE2: 601
RULE3: 9
RULE4: 1
RULE5: 0
RULE6: 40
RULE7: 1438239
RULE8: 1503
RULE9: 0

Here is one of the log entries I have so many of:

type=SYSCALL msg=audit(04/25/08 16:37:48.568:194518) : arch=i386
syscall=_newselect per=400000 success=yes exit=0 a0=13 a1=f692e220 a2=0
a3=0 items=0 ppid=1 pid=4012 auid=unknown(4294967295) uid=root gid=root
euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none)
comm=savd exe=/opt/sophos-av/engine/_/savd.0 subj=unconstrained
key="RULE7" 

How can I exclude this so it doesn't get logged?

The rules I have above are required by the government (DIACAP STIG).

Thanks!
