Auditd filtering
Steve Grubb
sgrubb at redhat.com
Sat Jun 25 18:05:14 UTC 2011
Hello,
Missed this email and just noticed it. Hope the discussion is still of use to you.
On Tuesday, June 07, 2011 12:23:41 PM Nick Stires wrote:
> I started with a generic filter for all syscall events, this cut it down
> adequately, but we no longer captured the items we wanted to.
I would probably not approach the problem that way. You might look at the stig.rules
file, which I consider probably the best sample to look at.
> Here's some example logs for the two events we are trying to trim down:
>
> ################
> ################
> Netstat sample
> ################
> ################
> type=SYSCALL msg=audit(1307462086.972:1619017): arch=c000003e syscall=2
> success=no exit=-2 a0=6d9c790 a1=0 a2=0 a3=3074f234f3 items=2 ppid=4945
> pid=32700 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat"
> subj=kernel key=(null)
This is saying it returned ENOENT. That meand you are probably filtering all opens with
success = no. Glibc attempts to open a lot of different files when a program is started.
Most of these files don't exist. Is that really anything useful to capture? In the stig
rules, I only look for opens that return EPERM or EACESS because those are the ones
where DAC or MAC policy has been enforced against a processes attempts. We also have a
nother decision as to whether or not you want system processes included in the audit
or just failed opens that directly result from a user. The stig rules file only gets
the ones that start by human invokaction.
> type=CWD msg=audit(1307462086.972:1619017): cwd="/"
> type=PATH msg=audit(1307462086.972:1619017): item=0
> name="/usr/share/locale/en.utf8/LC_MESSAGES/net-tools.mo" type=PATH
> msg=audit(1307462086.972:1619017): item=1
> name="/usr/share/locale/en.utf8/LC_MESSAGES/net-tools.mo"
>
> ################
> ################
> Ganglia Sample
> ################
> ################
> type=SYSCALL msg=audit(1307462163.369:1620406): arch=c000003e syscall=2
> per=400000 success=no exit=-2 a0=2aaab81124b8 a1=0 a2=1b6 a3=0 items=2
> ppid=678 pid=681 auid=1002 uid=1002 gid=100 euid=1002 suid=1002 fsuid=1002
> egid=100 sgid=100 fsgid=100 tty=(none) ses=641 comm="java"
> exe="/usr/java/jdk1.6.0_24/bin/java" subj=kernel key=(null)
This one again is a ENOENT return code. So, this is the same as the above discussion.
> Exemption rules:
> # a0=0x413586 appears to prevent proc tcp6 messages in the netstat sections
> -a exit,never -F a0=0x413586 -F success=0
> -a exit,never -F exit=-6 -F success=0
> -a exit,never -F exit=-13 -F success=0
This one ^^ is interesting...it means you don't want any event where the kernel
blocked access due to permissions. I would think this is one of the events you are
interested in.
> -a entry,never -S 159
> # UID 1002 = ganglia user. These do not work as intended.
> -a user,never -F auid=1002
> -a user,never -F uid=1002
These last 2 would only work if ganglia sends audit events. So, you probably want to
delete them.
> Any ideas on how I can target these audit logs for filtering?
I'd probably recommend rewriting your audit rules. However, if you just want a never
rule, its probably something like:
-a never,exit -F arch=b32 -S open -S openat -F exit=-ENOENT
-a never,exit -F arch=b64 -S open -S openat -F exit=-ENOENT
-Steve
More information about the Linux-audit
mailing list