adding rules

Steve Grubb sgrubb at redhat.com
Sat Oct 17 16:46:48 UTC 2009


On Friday 16 October 2009 06:22:13 pm Pittigher, Raymond - CS wrote:
>  We run servers that are on a classified network and require auditing so the
>  nispom rules are loaded in the servers. This causes huge log files, and I
>  mean 12GB huge, too much to parse information quickly. The file is full of
>  entries with such things as the Backup Exec program that generates these:

It would be helpful to know which kernel/audit versions you are using since 
there have been new options added over time.


> type=SYSCALL msg=audit(1246316460.238:30532639): arch=c000003e syscall=2
>  success=no exit=-13 a0=3aaad4e8e0 a1=0 a2=0 a3=1 items=1 ppid=1 pid=19748
>  auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
>  tty=(none) ses=4294967295 comm="beremote"
>  exe="/opt/VRTSralus/bin/beremote" subj=system_u:system_r:initrc_t:s0
>  key="open" type=CWD msg=audit(1246316460.238:30532639):  cwd="/"
> type=PATH msg=audit(1246316460.238:30532639): item=0 name="/tmp/filec5sswB"
>  inode=17 dev=08:03 mode=060000 ouid=0 ogid=0 rdev=08:08
>  obj=system_u:object_r:tmp_t:s0

This looks like an open syscall failed with errno EACCES trying to open 
/tmp/filec5sswB. This would almost look like a real system problem. I would 
look into why beremote is not allowed to create tmp files.

But assuming that you wanted to do this with the audit system and you are on a 
somewhat recent kernel, you should be able to do something like:

-a exit,never -F arch=b64 -S open -F exit=-EACCES -F subj_type=initrc_t -k open

at the top of the open section so that it matches first. This will cause all 
opens that have a subject label of initrc_t to not record an event. The 
problem is that it will do this not just for beremote, but all apps that have 
initrc_t for a subject label. The fix for this is to make a policy for beremote 
so that it has a different label and then the audit rule will only be applied 
to beremote.


> and also crond entries:
> type=USER_ACCT msg=audit(1254500281.236:65937): user pid=17320 uid=0
>  auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM:
>  accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?,
>  terminal=cron res=success)'
> type=CRED_ACQ msg=audit(1254500281.240:65938): user pid=17320 uid=0
>  auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM:
>  setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?,
>  terminal=cron res=success)'
> type=USER_START msg=audit(1254500281.248:65939): user pid=17320 uid=0
>  auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session
>  open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?,
>  terminal=cron res=success)'
> type=CRED_DISP msg=audit(1254500281.310:65940): user pid=17320 uid=0 auid=0
> subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root"
>  : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
> type=USER_END msg=audit(1254500281.312:65941): user pid=17320 uid=0 auid=0
>  subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close
>  acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron
>  res=success)'

There's no good way to stop cron events unless you make some selinux policy 
that prevents cron from opening the netlink socket to send an audit event. 
This could be dontaudited so that you don't wind up with AVCs instead.


> and also ntpd entries:
> type=SYSCALL msg=audit(1222281403.726:1905): arch=40000003 syscall=124
>  success=yes exit=0 a0=9d6d60 a1=8 a2=9466f8 a3=9d6d60 items=0 ppid=1
>  pid=4897 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38
>  sgid=38 fsgid=38 tty=(none) ses=4294967295 comm="ntpd"
>  exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key="time-change"
> 
> I have the ntp stuff under control by removing the 2 lines in the
>  audit.rules file but the other 2 have thousands of entries per day. How do
>  I not log those in the rules?

I would consider keeping the rule, but put something ahead of it like this:

-a exit,never -F arch=b32 -S adjtimex  -F subj_type=ntpd_t

This is in case your time gets changed some other way during a security breach. 
It would cause the chain of events to not look right.


>  I notice that they both have selinux sub fields
>  (subj=system_u:system_r:crond_t) but a rule created with
> auditctl -A exit,never -F subj_user=system_u -F subj_role=system_r -F
>  subj_type=crond_t or any variation of does nothing. What can I read that
>  would lead me in the right direction?

You might want to look at:

http://people.redhat.com/sgrubb/audit/summit07_audit_ids.odp

Look at page 9. This shows where events come from and which filters they hit. 
The rule you mention above is written for the exit filter. The cron event comes 
from user space. It goes through the user filter, so that's where the rule would 
need to be. The only valid fields for this filter are: uid, auid, gid, and pid. 
So, there is not much there to help you.

The best approach for now is to use selinux to prevent crond_t from opening 
its socket. This might cause crond to have an error, or it might work out OK. 
I haven't tried it.
 
-Steve
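As an added illustration (not part of this thread, and not the audit package's own code), the following Python models how the two never rules suggested above behave against records like the ones quoted: only kernel SYSCALL records pass through the exit filter, so the crond USER_ACCT record is untouched, while every initrc_t process failing open with EACCES is suppressed, not just beremote. Arch codes and syscall numbers come from the thread's records; the sample log lines are constructed, and the second initrc_t daemon and the httpd_t record are assumptions added for contrast.

```python
import re

# Arch codes, syscall numbers and errno seen in the thread (x86_64 open=2, i386 adjtimex=124, EACCES=13).
ARCH = {"b64": "c000003e", "b32": "40000003"}
SYSCALL = {("b64", "open"): 2, ("b32", "adjtimex"): 124}
ERRNO = {"EACCES": 13}
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')

# Constructed sample records, shortened from the quoted ones, plus a second initrc_t daemon and an httpd_t failure.
SAMPLE = """\
type=SYSCALL msg=audit(1246316460.238:30532639): arch=c000003e syscall=2 success=no exit=-13 comm="beremote" exe="/opt/VRTSralus/bin/beremote" subj=system_u:system_r:initrc_t:s0 key="open"
type=SYSCALL msg=audit(1246316470.100:30532700): arch=c000003e syscall=2 success=no exit=-13 comm="backupd" exe="/usr/local/bin/backupd" subj=system_u:system_r:initrc_t:s0 key="open"
type=SYSCALL msg=audit(1246316480.500:30532800): arch=c000003e syscall=2 success=no exit=-2 comm="httpd" exe="/usr/sbin/httpd" subj=system_u:system_r:httpd_t:s0 key="open"
type=USER_ACCT msg=audit(1254500281.236:65937): user pid=17320 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=SYSCALL msg=audit(1222281403.726:1905): arch=40000003 syscall=124 success=yes exit=0 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key="time-change"
"""

# The two "-a exit,never" rules suggested in the reply, expressed as field dicts.
RULES = [
    {"arch": "b64", "syscall": "open", "exit": "-EACCES", "subj_type": "initrc_t"},
    {"arch": "b32", "syscall": "adjtimex", "subj_type": "ntpd_t"},
]

def parse_record(line):
    """Split one audit record into a dict; subj= is also split into its SELinux parts."""
    rec = {k: v.strip("\"'") for k, v in FIELD_RE.findall(line)}
    if "subj" in rec:
        rec["subj_user"], rec["subj_role"], rec["subj_type"] = rec["subj"].split(":")[:3]
    return rec

def exit_never_matches(rec, rule):
    """True if an exit-filter never rule would suppress this record. Only kernel
    SYSCALL records pass through the exit filter; user-space records such as
    USER_ACCT go through the user filter, where subj_* is not a valid field."""
    if rec.get("type") != "SYSCALL" or rec.get("arch") != ARCH[rule["arch"]]:
        return False
    if int(rec.get("syscall", -1)) != SYSCALL[(rule["arch"], rule["syscall"])]:
        return False
    if "exit" in rule and int(rec.get("exit", 0)) != -ERRNO[rule["exit"].lstrip("-")]:
        return False
    return all(rec.get(f) == v for f, v in rule.items() if f.startswith("subj_"))

def apply_never_rules(log, rules):
    """Return (kept, suppressed) records; never rules are tested first, as they sit at the top of the rule list."""
    kept, dropped = [], []
    for line in log.splitlines():
        rec = parse_record(line)
        (dropped if any(exit_never_matches(rec, r) for r in rules) else kept).append(rec)
    return kept, dropped
```

Running `apply_never_rules(SAMPLE, RULES)` suppresses beremote, backupd and ntpd and keeps the httpd_t failure and the crond USER_ACCT record.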
