From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Auditd and Watches
Date: Thu, 24 May 2007 10:10:08 -0400
Message-ID: <200705241010.08629.sgrubb@redhat.com>
In-Reply-To: <B3821BA782B4D24AA57B5D9103D35D1201BEA42A@nwpsrv07.edj.ad.edwardjones.com>

On Thursday 24 May 2007 09:53, Simmons Jr,Felix wrote:
> [root@XXXX-22 ~]# auditctl -l
> No rules
> AUDIT_WATCH_LIST: dev=104:2, path=/var/tmp/important_test,
> filterkey=test-file, perms=wa, valid=0

This seems slightly odd output. What kernel and audit package are you using?

> My question is this (about time, eh?): even though the only rule I have in
> my rules is a single watch on a file, I'm getting all sorts of other
> events in my /var/log/audit/audit.log. A lot of it is don't-care items
> at this phase and would only aid in growing my log files. Is there
> something I'm missing that can turn off the additional chatter in the
> logs?

Yes, if you are using 2.6.16 and later kernels.

/usr/include/libaudit.h has this table:

 * 1000 - 1099 are for commanding the audit system
 * 1100 - 1199 user space trusted application messages
 * 1200 - 1299 messages internal to the audit daemon
 * 1300 - 1399 audit event messages
 * 1400 - 1499 kernel SE Linux use
 * 1500 - 1599 AppArmor events
 * 1600 - 1699 kernel crypto events
 * 1700 - 1799 kernel anomaly records
 * 1800 - 1999 future kernel use (maybe integrity labels and related events)
 * 2001 - 2099 unused (kernel)
 * 2100 - 2199 user space anomaly records
 * 2200 - 2299 user space actions taken in response to anomalies
 * 2300 - 2399 user space generated LSPP events
 * 2400 - 2499 user space crypto events
 * 2500 - 2999 future user space (maybe integrity labels and related events)

So, you could do:

-a exclude,always -F msgtype>=1100 -F msgtype<=1299
-a exclude,always -F msgtype>=1400 -F msgtype<=2999

Although I recommend widening the choices to allow SE Linux AVCs through. And 
note that if you try to type this at a command prompt, you will need quotes 
around "msgtype>=1100", since < and > are something the shell will interpret.

> Basically I'm trying to chunk the logs down so my host based ids can
> snag the events and alert accordingly.

Yes, I am working on an IDS/IPS system, too. But it doesn't use the logs; 
rather, it uses the realtime interface so it can react in realtime. I made a 
presentation about it at the Red Hat Summit a couple of weeks ago and put my 
presentation here:

http://people.redhat.com/sgrubb/audit/summit07_audit_ids.odp

To some extent that is what's driving development and requirements for the 
audit event dispatcher and the audit parsing library.

-Steve
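The exclude rules above, written out the way Steve suggests (widened so the kernel SE Linux range stays in the log), as an added example that is not part of the original thread and not code from the audit project. The rules are in /etc/audit/audit.rules syntax; the interactive auditctl form with the quoting he mentions is shown in a comment. The `rule_matches` / `is_excluded` helpers are assumptions added here: they re-implement the kernel's exclude-filter semantics (a rule fires only when every `-F msgtype` comparison on it is true) so the ranges can be checked offline against numeric record types, using AUDIT_AVC = 1400 from linux/audit.h. Note that the second rule, by excluding 1500-2999, also drops the kernel crypto (1600) and anomaly (1700) records from the table above; narrow it further if your IDS wants those.

```shell
#!/bin/sh
# Added example, not from the original post or the audit project.
# Emits exclude rules for the msgtype ranges in Steve Grubb's reply and
# checks which record types they would drop.

# Rules in /etc/audit/audit.rules syntax.  Each line is one rule.
# Typed at a prompt, the comparisons need quoting because the shell would
# treat < and > as redirections, e.g.:
#   auditctl -a exclude,always -F "msgtype>=1100" -F "msgtype<=1299"
#   auditctl -a exclude,always -F "msgtype>=1500" -F "msgtype<=2999"
audit_exclude_rules() {
    cat <<'EOF'
# Drop trusted-application (1100-1199) and auditd-internal (1200-1299) records
-a exclude,always -F msgtype>=1100 -F msgtype<=1299
# Drop AppArmor (1500) through user space (2999); 1400-1499 (kernel SE Linux,
# which holds AVC=1400) is deliberately left out of the range so AVCs arrive
-a exclude,always -F msgtype>=1500 -F msgtype<=2999
EOF
}

# rule_matches TYPE WORD... : return 0 when every "msgtype<op><val>" word of
# a rule line is true for TYPE.  This mirrors the kernel exclude filter, where
# all -F fields of a rule must match for the record to be discarded.
# (Assumed helper, written for this example.)
rule_matches() {
    t=$1; shift
    for w in "$@"; do
        case "$w" in
            msgtype*)
                op=${w#msgtype}; op=${op%%[0-9]*}   # ">=", "<=", ">", "<", "=", "!="
                val=${w##*[<>=!]}                   # the numeric operand
                case "$op" in
                    '>=') [ "$t" -ge "$val" ] || return 1 ;;
                    '<=') [ "$t" -le "$val" ] || return 1 ;;
                    '>')  [ "$t" -gt "$val" ] || return 1 ;;
                    '<')  [ "$t" -lt "$val" ] || return 1 ;;
                    '=')  [ "$t" -eq "$val" ] || return 1 ;;
                    '!=') [ "$t" -ne "$val" ] || return 1 ;;
                    *)    return 1 ;;   # unknown operator: treat as no match
                esac ;;
        esac
    done
    return 0
}

# is_excluded TYPE : return 0 if any exclude rule above would drop a record of
# numeric type TYPE, 1 if it would still reach auditd.  (Assumed helper.)
is_excluded() {
    audit_exclude_rules | grep '^-a exclude' | while read -r line; do
        # shellcheck disable=SC2086  # word-split the rule line on purpose
        if rule_matches "$1" $line; then echo yes; fi
    done | grep -q yes
}

# Stand-alone demonstration: show the rules and classify a few record types.
audit_exclude_rules
for type in 1005 1100 1299 1300 1400 1499 1500 2999 3000; do
    if is_excluded "$type"; then echo "$type: excluded"; else echo "$type: kept"; fi
done
```

Loading the rules with `auditctl` should only be done on a host where you intend to change the filter; `auditctl -l` afterwards confirms what the kernel actually holds.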

Thread overview: 4+ messages
2007-05-24 13:53 Auditd and Watches Simmons Jr,Felix
2007-05-24 14:10 ` Steve Grubb [this message]
2007-05-24 15:32   ` Simmons Jr,Felix
2007-05-24 15:51     ` Steve Grubb