Suppress or exclude messages from /var/log/audit.log via audit.rules

Steve Grubb sgrubb at redhat.com
Fri Apr 3 17:28:02 UTC 2015


On Saturday, April 04, 2015 12:23:56 AM [Cloud ASIA] Toshihiro Takehara wrote:
> Now I set up audit.rules, then audit.log became very big.
> The reason why is keepalived daemon and its misc check shell adds some
> entry every second.

Typically when logs get too big, it's because of a problem in the rules. There 
are also times when a system is misconfigured and that will cause a flood, too.


> I want to suppress or exclude log entry, and I searched the way like this.
>   => https://www.redhat.com/archives/linux-audit/2011-October/msg00000.html
> but I could not get effective answer.
> 
> Could someone please tell me an effective way?
> 
> 
> This is the audit.rules below.
> 
> # First rule - delete all
> 
> > -D
> > # Increase the buffers to survive stress events.
> > # Make this bigger for busy systems
> > -b 320
> > # Feel free to add below this line. See auditctl man page

For one thing, your analysis will be easier if you used "keys" to say what the 
event represents. For example, why open on uid = 10 and uid >=500? And is 500 
the minimal user id or is 1000 the minimal? Recent distributions have moved to 
1000 meaning the rules may need migrating from 500 to 1000.


> > -a exit,always -F arch=b64 -F dir=/etc -F success=0 -S open -S truncate
> > -a exit,always -F arch=b64 -S open -F uid=10
> > -a exit,always -F arch=b64 -S open -F auid>=500 -F perm=wa

The audit system uses unsigned numbers in the rule matching engine. That means 
-1 is >=500. So you have to add auid!=4294967295. And why do you want all 
opens? Both success and failure? Typically, programs open a lot of non-
existing files giving ENOENT.

> > -a exit,never -F arch=x86_64 -S all -F path=/root/mysql_status_check.sh
> > -a never,exit -F arch=b32 -S open -S openat -F exit=-ENOENT
> > -a never,exit -F arch=b64 -S open -S openat -F exit=-ENOENT

Typically for security auditing, you are interested in the files that the user 
is denied access to rather than everything they access. To do this, I'd 
recommend:

-a always,exit -F arch=b64 -S open,truncate,creat,openat,open_by_handle_at -F 
exit=-EACCES -F auid>=500 -F auid!=4294967295 -F key=failed-access
-a always,exit -F arch=b64 -S open,truncate,creat,openat,open_by_handle_at -F 
exit=-EPERM -F auid>=500 -F auid!=4294967295 -F key=failed-access


> > -w /etc/sudoers -p wa -k sudoers-change
> > -w /etc/ -p wa
> > -w /var/lib/mysql -p wa
> 
> - keepalived is checking every seconds.
>   /usr/sbin/keepalived
> - misc check program
>   /root/mysql_status_check.sh
> 
> type=SYSCALL msg=audit(1427989933.878:3632254): arch=c000003e syscall=2
> success=yes exit=0 a0=4378a2 a1=2 a2=9 a3=8 items=1 ppid=43118 pid=3379
> auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
> ses=3 comm="keepalived" exe="/usr/sbin/keepalived" key=(null)

This is an open syscall from a program started by a user in session 3. They 
used the keepalived program to do it. Is this a daemon or a user program? If 
it's a daemon, why does it have an auid and session set? That would be the 
source of the problem.


> type=SYSCALL msg=audit(1427918414.323:2598129): arch=c000003e syscall=2
> success=no exit=-6 a0=4a3155 a1=802 a2=1 a3=7fff4aefd1a0 items=1 ppid=20915
> pid=20917 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) ses=3 comm="mysql_status_ch" exe="/bin/bash" key=(null)

Same issue different program.

> type=SYSCALL msg=audit(1427918414.341:2598135): arch=c000003e syscall=2
> success=yes exit=3 a0=f14470 a1=241 a2=1b6 a3=76 items=2 ppid=20916
> pid=20947 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) ses=3 comm="mysql_status_ch" exe="/bin/bash" key=(null)

This seems to be a user program. But again, why do you want all open syscalls?

-Steve
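The diagnosis above (find which program floods the log, whether its records carry a login uid and session, and whether they are keyed) can be done with a short awk summary over the log. The script below is an added example for this thread, not code from the list or from the audit project; it embeds the three SYSCALL records quoted above plus one constructed keyed record from an auid-less daemon for contrast, and assumes only POSIX awk, sort, head and tr.

```shell
#!/bin/sh
# Constructed sample of audit.log SYSCALL records: the three records quoted in
# the thread plus one constructed keyed record (auid=4294967295, i.e. unset) to
# show what a daemon started at boot looks like next to a user-session process.
SAMPLE='type=SYSCALL msg=audit(1427989933.878:3632254): arch=c000003e syscall=2 success=yes exit=0 a0=4378a2 a1=2 a2=9 a3=8 items=1 ppid=43118 pid=3379 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="keepalived" exe="/usr/sbin/keepalived" key=(null)
type=SYSCALL msg=audit(1427918414.323:2598129): arch=c000003e syscall=2 success=no exit=-6 a0=4a3155 a1=802 a2=1 a3=7fff4aefd1a0 items=1 ppid=20915 pid=20917 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="mysql_status_ch" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1427918414.341:2598135): arch=c000003e syscall=2 success=yes exit=3 a0=f14470 a1=241 a2=1b6 a3=76 items=2 ppid=20916 pid=20947 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="mysql_status_ch" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1427918500.000:2598200): arch=c000003e syscall=2 success=no exit=-13 a0=1 a1=0 a2=0 a3=0 items=1 ppid=1 pid=4242 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="failed-access"'

# Read SYSCALL records on stdin and print "count comm exe auid ses key",
# most frequent first. auid=4294967295 is unsigned -1, the "unset" login uid
# that boot-started daemons carry; it is shown as "unset" so it stands out.
summarize_audit() {
  awk '
    $1 == "type=SYSCALL" {
      split("", f)                      # reset the field map for this record
      for (i = 1; i <= NF; i++) {
        n = index($i, "=")
        if (n > 0) f[substr($i, 1, n - 1)] = substr($i, n + 1)
      }
      auid = (f["auid"] == "4294967295") ? "unset" : f["auid"]
      k = f["comm"] " " f["exe"] " " auid " " f["ses"] " " f["key"]
      count[k]++
    }
    END { for (k in count) print count[k], k }
  ' | sort -rn
}

# comm of the program responsible for the most records on stdin.
top_source() {
  summarize_audit | head -n 1 | awk '{ print $2 }' | tr -d '"'
}

# Number of SYSCALL records on stdin with key=(null), i.e. records that no
# keyed rule claims and whose originating rule therefore cannot be told apart.
unkeyed_count() {
  awk '$1 == "type=SYSCALL" && /key=\(null\)/ { n++ } END { print n + 0 }'
}

# Stand-alone run over the constructed sample.
printf '%s\n' "$SAMPLE" | summarize_audit
printf 'top source: %s\n' "$(printf '%s\n' "$SAMPLE" | top_source)"
printf 'unkeyed records: %s\n' "$(printf '%s\n' "$SAMPLE" | unkeyed_count)"
```

On a live system the same functions take the real log: `grep '^type=SYSCALL' /var/log/audit/audit.log | summarize_audit`. A row with auid set and a session number for a program that should be a daemon is the symptom described above (the service was started from a login shell rather than at boot), and a large key=(null) count means the rules are missing the keys that would tie each record back to the rule that produced it.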