Excluding the single executable on the top of audit.rules

Исаев Виталий Анатольевич isaev at fintech.ru
Wed Aug 20 09:47:03 UTC 2014 

Hello, Steve,



thanks for a nice idea  about adding new context for pulseaudio. We'll try to configure SELinux in this way. Also I would ask you to give some info about the unfinished branch that was intended to provide the "exe" filtering. Probably our team could work it out.





I would be curious which rule you are getting hit with.



I have attached the small piece of audit logs just for the case if you want to see what’s going on with pulseaudio. The vast majority of captured syscalls is #2 - syscall open.



Normally, you design the rules so that a properly running system does not cause events. This means qualifying the rules with something like EPERM or EACCES so that you only log real problems and not normal system operation.



The main reason of making the audit.rules so exhaustive is our attempt to trace and log all  the user’s  actions. Unfortunately /usr/bin/pulseaudio always has the uid value of a non-system user (>500). That’s why our logs are flooded.



Sincerelly,

Vitaly Isaev

Software engineer

Information security department

Fintech JSC, Moscow, Russia



-----Original Message-----
From: Steve Grubb [mailto:sgrubb at redhat.com]
Sent: Wednesday, August 20, 2014 12:34 AM
To: linux-audit at redhat.com
Cc: Исаев Виталий Анатольевич
Subject: Re: Excluding the single executable on the top of audit.rules



Hello,



On Tuesday, August 19, 2014 11:07:18 AM Исаев Виталий Анатольевич wrote:

> I would like to ask for an explanation about making my audit.rules proper.

> What am I trying to do is to exclude all the syscall events coming

> from exe="/usr/bin/pulseaudio" and its components. At the moment about

> 95% of audit log is filled with messages related to pulseaudio:

>

> # aureport -x -if my.log --summary

> Executable Summary Report

> =================================

> total  file

> =================================

> 1156923  /usr/bin/pulseaudio



I would be curious which rule you are getting hit with. Normally, you design the rules so that a properly running system does not cause events. This means qualifying the rules with something like EPERM or EACCES so that you only log real problems and not normal system operation. That said, at the moment, the best way to remove a single process is to use selinux types in the audit event. However, this trick does not work in this case because pulseaudio has no SE Linux policy. You would almost want to give it a type that maps to unconfined_t. Then you could write a rule like:



-a exit,never -S all -F subj_type=pulseaudio_t



You would place that at the top of the rules so it matches first. There was work going on to match against an executable name. But I haven't seen any progress in a long time. If that were finished, it would solve your problem.



-Steve





> 191719  /usr/libexec/pulse/gconf-helper

> 49282  /usr/bin/gnome-volume-control-applet

> 8035  /usr/libexec/gnome-settings-daemon

> 1045  /usr/sbin/crond

> 265  /usr/bin/nautilus

> 23  /usr/sbin/sshd

>

> Please look through the current version of audit.rules. How should I

> modify them?

>

> # First rule - delete all

> -D

>

> # Increase the buffers to survive stress events.

> # Make this bigger for busy systems

> -b 320

>

> # Feel free to add below this line. See auditctl man page #-a

> exit,never -F exe=/usr/bin/pulseaudio -S open -a exit,always -F

> arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F

> auid!=429496729 -S open -a exit,always -F arch=x86_64 -F uid>=500 -F

> gid>=500 -F ppid!=1 -F auid!=429496729 -S execve -a exit,always -F

> arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S

> fork -a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1

> -F

> auid!=429496729 -S vfork -a exit,always -F arch=x86_64 -F uid>=500 -F

> gid>=500 -F ppid!=1 -F auid!=429496729 -S exit -a exit,always -F

> arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S

> exit_group -a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F

> ppid!=1 -F auid!=429496729 -S getdents -a exit,always -F arch=x86_64

> -F uid>=500 -F

> gid>=500 -F ppid!=1 -F auid!=429496729 -S chmod -a exit,always -F

> arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S

> fchmod -a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F

> ppid!=1 -F

> auid!=429496729 -S fchmodat -a exit,always -F arch=x86_64 -F uid>=500

> -F

> gid>=500 -F ppid!=1 -F auid!=429496729 -S chown -a exit,always -F

> arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S

> fchown -a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F

> ppid!=1 -F

> auid!=429496729 -S lchown -a exit,always -F arch=x86_64 -F uid>=500 -F

> gid>=500 -F ppid!=1 -F auid!=429496729 -S fchownat -a exit,always -F

> arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=429496729 -S

> unlink -a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F

> ppid!=1 -F

> auid!=429496729 -S unlinkat

>

> P.S. We're using RHEL 6.4 with audit-2.2-2.el6.x86_64.

>

> Sincerely,

> Vitaly Isaev

> Software engineer

> Information security department

> Fintech JSC, Moscow, Russia


-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20140820/01fbcea4/attachment.htm>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: pulseaudio.audit.log
Type: application/octet-stream
Size: 1048576 bytes
Desc: pulseaudio.audit.log
URL: <http://listman.redhat.com/archives/linux-audit/attachments/20140820/01fbcea4/attachment.obj>

More information about the Linux-audit mailing list