From: Steve Grubb
Subject: Re: Auditd and Watches
Date: Thu, 24 May 2007 10:10:08 -0400
Message-ID: <200705241010.08629.sgrubb@redhat.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday 24 May 2007 09:53, Simmons Jr,Felix wrote:
> [root@XXXX-22 ~]# auditctl -l
> No rules
> AUDIT_WATCH_LIST: dev=104:2, path=/var/tmp/important_test,
> filterkey=test-file, perms=wa, valid=0

This seems slightly odd output. What kernel and audit package are you using?

> My question is this (about time eh?): even though the only rule I have in
> my rules is a single watch on a file, I'm getting all sorts of other
> events in my /var/log/audit/audit.log. A lot of it is don't-care items
> at this phase and would only aid in growing my log files. Is there
> something I'm missing that can turn off the additional chatter in the
> logs?

Yes, if you are using 2.6.16 and later kernels.

/usr/include/libaudit.h has this table:

 * 1000 - 1099 are for commanding the audit system
 * 1100 - 1199 user space trusted application messages
 * 1200 - 1299 messages internal to the audit daemon
 * 1300 - 1399 audit event messages
 * 1400 - 1499 kernel SE Linux use
 * 1500 - 1599 AppArmor events
 * 1600 - 1699 kernel crypto events
 * 1700 - 1799 kernel anomaly records
 * 1800 - 1999 future kernel use (maybe integrity labels and related events)
 * 2001 - 2099 unused (kernel)
 * 2100 - 2199 user space anomaly records
 * 2200 - 2299 user space actions taken in response to anomalies
 * 2300 - 2399 user space generated LSPP events
 * 2400 - 2499 user space crypto events
 * 2500 - 2999 future user space (maybe integrity labels and related events)

So, you could do:

-a exclude,always -F msgtype>=1100 -F msgtype<=1299
-a exclude,always -F msgtype>=1400 -F msgtype<=2999

Although I recommend widening the choices to allow SE Linux AVCs through. And note that if you try to type this at a command prompt, you will need quotes around "msgtype>=1100" since <> are something the shell will interpret.

> Basically I'm trying to chunk the logs down so my host-based IDS can
> snag the events and alert accordingly.

Yes, I am working on an IDS/IPS system, too. But it doesn't use the logs; rather it uses the realtime interface so it can react in realtime. I made a presentation about it at the Red Hat Summit a couple weeks ago and put my presentation here:

http://people.redhat.com/sgrubb/audit/summit07_audit_ids.odp

To some extent that is what's driving development and requirements for the audit event dispatcher and the audit parsing library.

-Steve
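As an added example (not part of Steve's message or the audit project's own code), a small POSIX shell script that writes the msgtype exclude rules from the libaudit.h table above, in both the audit.rules form and the quoted interactive form the message warns about, and checks which msgtype numbers the rules would drop. The range boundaries 1100-1299 and 1400-2999 come from the message; starting the second range at 1401 so that AUDIT_AVC (type 1400) still reaches the log is one reading of the "widen the choices" suggestion and is an assumption.

```shell
#!/bin/sh
# Added example, not code from the list thread or the audit project.
# Builds "-a exclude,always" rules from the msgtype ranges in libaudit.h
# quoted above. The ranges 1100-1299 and 1400-2999 come from the message;
# starting the second range at 1401 to let AUDIT_AVC (type 1400) reach the
# log is an assumption about what "allow SE Linux AVC's through" means.

# Inclusive msgtype ranges to drop, as "lo-hi" pairs (assumed policy).
EXCLUDE_RANGES="1100-1299 1401-2999"

# One rule in audit.rules file form, where no shell quoting is needed.
exclude_rule() {
    printf '%s\n' "-a exclude,always -F msgtype>=$1 -F msgtype<=$2"
}

# The same rule as an interactive command: the comparison operators
# must be quoted or the shell treats >= and <= as redirections.
exclude_rule_cmd() {
    printf '%s\n' "auditctl -a exclude,always -F 'msgtype>=$1' -F 'msgtype<=$2'"
}

# Emit the whole rules fragment, one rule per excluded range.
emit_rules() {
    for range in $EXCLUDE_RANGES; do
        exclude_rule "${range%-*}" "${range#*-}"
    done
}

# Return 0 if msgtype $1 would be dropped by the rules, 1 if it still
# reaches audit.log (and so the host IDS that reads it).
is_excluded() {
    for range in $EXCLUDE_RANGES; do
        lo=${range%-*}
        hi=${range#*-}
        if [ "$1" -ge "$lo" ] && [ "$1" -le "$hi" ]; then
            return 0
        fi
    done
    return 1
}

# Show the rules fragment and the commands to load it by hand.
emit_rules
for range in $EXCLUDE_RANGES; do
    exclude_rule_cmd "${range%-*}" "${range#*-}"
done
```

With this policy, SYSCALL/PATH records (1300-1399) and AVC (1400) are kept, while user-space trusted-application and daemon-internal records (1100-1299) and everything from 1401 up are excluded.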