From: Steve Grubb
Subject: Re: Audit reporting Invalid argument
Date: Wed, 11 May 2016 15:52:02 -0400
Message-ID: <1581661.ndI2rhVsuG@x2>
In-Reply-To: <8FC6AD31395616439ECBCD98E071A87F4BF15146@G4W3202.americas.hpqcorp.net>
References: <8FC6AD31395616439ECBCD98E071A87F4BF14ED7@G4W3202.americas.hpqcorp.net> <10236212.OL7rdstKfk@x2> <8FC6AD31395616439ECBCD98E071A87F4BF15146@G4W3202.americas.hpqcorp.net>
To: "Bhagwat, Shriniketan Manjunath"
Cc: "linux-audit@redhat.com"
List-Id: linux-audit@redhat.com

On Wednesday, May 11, 2016 11:19:07 AM Bhagwat, Shriniketan Manjunath wrote:
> Thanks for the response. Your response cleared many of my doubts. I need one
> clarification on the use of the Linux capability CAP_AUDIT_CONTROL.
>
> My understanding is that only the root user can start/stop the audit service
> and configure auditctl rules. auditctl.c and auditd.c specifically check for
> the uid to be zero. The man page says CAP_AUDIT_CONTROL: "Enable and disable
> kernel auditing; change auditing filter rules; retrieve auditing status and
> filtering rules." Does this mean a process with the CAP_AUDIT_CONTROL
> capability running from a non-root account will be able to start/stop audit
> and configure auditctl rules?

Not today. The check for uid 0 is a poor man's check for CAP_AUDIT_CONTROL. I
have not revisited the checks since allowing libcap-ng to link with other
components.

> Is there any documentation about how to use the CAP_AUDIT_CONTROL capability
> and how it is related to audit?

Very little. It's mostly reading source code.

> Is it possible to suppress events for a file for a set of specific
> syscalls?
>
> Example: Using the below rule I want to suppress the audit event only for the
> chmod syscall for the file /tmp/read_only. However, the below rule not only
> suppresses the audit event for the chmod syscall but also for other syscalls
> for the /tmp/read_only file.
>
> # auditctl -a never,exit -F arch=x86_64 -F path=/tmp/read_only -S chmod

This is how I would try to write it. If that suppresses more syscalls than
chmod and you can give us a reproducer, I think it should go in the new
github issue tracker for the kernel.

-Steve

> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb@redhat.com]
> Sent: Monday, May 09, 2016 7:20 PM
> To: linux-audit@redhat.com
> Cc: Bhagwat, Shriniketan Manjunath
> Subject: Re: Audit reporting Invalid argument
>
> On Monday, May 09, 2016 01:40:58 PM Bhagwat, Shriniketan Manjunath wrote:
> > I am trying to monitor multiple files using Linux audit. In order to
> > get better performance, I am trying to reduce the number of rules. If I
> > specify more than one path field as in the below example I am getting
> > "Invalid argument".
> >
> > Example 1:
> > # auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F path=/home/secpack/test -S open
> > Error sending add rule data request (Invalid argument)
> >
> > # auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F dir=/tmp/ -S open
> > Error sending add rule data request (Invalid argument)
> >
> > However, I am able to create a single rule to monitor multiple PIDs or
> > UIDs as below.
> >
> > Example 2:
> > # auditctl -a always,exit -F arch=x86_64 -F pid=3526 -F pid=3537
> > # auditctl -a always,exit -F arch=x86_64 -F auid=0 -F auid=512 -F auid=1002
>
> Which will produce no events due to the anding you mention below. Something
> cannot have both pid 3526 and 3537.
>
> > As per the auditctl man page, "Build a rule field" takes up to 64 fields
> > on a single command line. Each one must start with -F. Each field
> > equation is anded with each other to trigger an audit record. My
> > questions are:
> >
> > 1. Is specifying more than one path field as in example 1 valid?
>
> Nope.
>
> > 2. If not valid, then how do I create a single audit rule to monitor
> > multiple files/directories?
>
> They need to be separate rules. You can also recursively watch a directory
> with 'dir'.
>
> > 3. If valid, then why is "Invalid argument" reported?
> >
> > 4. To monitor 10 files, are 10 audit rules required?
>
> Possibly.
>
> > 5. If 10 rules are required, how do I optimize the rules for performance?
>
> The filesystem watches are very efficient. You can probably put 100
> watches on random files and you will not be able to see any performance hit
> unless they are actually triggered. Syscall rules on the other hand do
> affect performance.
>
> > My next question is, does Linux audit support regular expressions?
>
> No. The kernel pretty much wants things to be numbers rather than strings.
>
> > How do I create an audit rule to monitor /var/log/*.log?
>
> -a always,exit -F dir=/var/log/audit/ -F perm=wa -F key=write-audit-log
>
> -Steve
>
> > # auditctl -a always,exit -F arch=x86_64 -F path=^/var/log/*.log$ -S open
> > Error sending add rule data request (Invalid argument)
> >
> > If my questions are already documented, please guide me to the
> > documentation.
> >
> > Regards,
> > Ketan
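The points made across this thread (one target per rule because -F fields are anded, 'dir' for a recursive directory watch, a key so the events can be searched, and a 'never' rule placed ahead of the 'always' rule it is meant to override) can be applied by generating the rules file rather than typing rules by hand. The script below is an added example and is not code from the thread, from auditctl or from the audit project. It only produces an audit.rules fragment and a pre-flight check; loading the result with auditctl still requires root. The key name "watched-files", the path list and the chmod suppression on /tmp/read_only are constructed sample data, and the arch=x86_64 in the suppression rule is an assumption (syscall rules need an arch because syscall numbers differ per ABI).

```shell
#!/bin/sh
# Added example, not code from the linux-audit thread or the audit project.
# Generates an audit.rules fragment from a list of paths. Sample key names,
# paths and the suppressed syscall are constructed for illustration.

# emit_watch TARGET KEY
# One exit-filter rule per target. A target ending in '/' is treated as a
# directory and gets -F dir= (recursive); anything else gets -F path=.
# perm=wa limits the rule to write and attribute-change accesses, matching
# the /var/log/audit/ rule given in the thread.
emit_watch() {
    case $1 in
        */) printf '%s\n' "-a always,exit -F dir=$1 -F perm=wa -F key=$2" ;;
        *)  printf '%s\n' "-a always,exit -F path=$1 -F perm=wa -F key=$2" ;;
    esac
}

# emit_suppress ARCH PATH SYSCALL
# A 'never' rule for one syscall on one file, in the form used in the thread.
emit_suppress() {
    printf '%s\n' "-a never,exit -F arch=$1 -F path=$2 -S $3"
}

# check_single_target RULE
# Returns 0 when RULE names at most one file or directory target, 1 otherwise.
# Fields in one rule are anded, so a second -F path= or -F dir= does not add a
# second watch; the thread shows the kernel rejecting it with "Invalid
# argument". Splits on whitespace, so paths containing spaces are not handled.
check_single_target() {
    n=0
    for word in $1; do
        case $word in
            path=*|dir=*) n=$((n + 1)) ;;
        esac
    done
    [ "$n" -le 1 ]
}

# assemble_rules KEY SUPPRESS_PATH SUPPRESS_SYSCALL TARGET...
# Suppression first: rules are appended in file order and the exit filter
# stops at the first matching rule, so a 'never' rule listed after an
# 'always' rule for the same file would never be reached (the auditctl man
# page also says to keep suppressions at the top of the list).
assemble_rules() {
    key=$1; spath=$2; scall=$3; shift 3
    emit_suppress x86_64 "$spath" "$scall"
    for target in "$@"; do
        emit_watch "$target" "$key"
    done
}

# count_lines: number of lines on stdin as a plain number (wc -l may pad).
count_lines() {
    n=0
    while IFS= read -r _line; do n=$((n + 1)); done
    echo "$n"
}

# Usage (as root, after writing the fragment to a file):
#   assemble_rules watched-files /tmp/read_only chmod \
#       /home/secpack/test.c /home/secpack/test /tmp/ > /tmp/watch.rules
#   auditctl -R /tmp/watch.rules
assemble_rules watched-files /tmp/read_only chmod \
    /home/secpack/test.c /home/secpack/test /tmp/
```

Running check_single_target over each generated line before loading catches the exact mistake from the first message (two -F path= fields, or -F path= plus -F dir= in one rule) without a round trip to the kernel; the generator itself never produces such a line, since each target becomes its own rule.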