Way too many logs!

Refresh

This website lore-kernel.gnuweeb.org/all/200805102117.58187.sgrubb@redhat.com/t/ is currently offline. Cloudflare\'s Always Online™ shows a snapshot of this web page from the Internet Archive\'s Wayback Machine. To check for the live version, click Refresh.

* Way too many logs! @ 2008-05-09 20:20 Jeremy Leonard 2008-05-09 20:43 ` Steve Grubb ` (2 more replies) 0 siblings, 3 replies; 6+ messages in thread From: Jeremy Leonard @ 2008-05-09 20:20 UTC (permalink / raw) To: linux-audit Here are the rules I'm using: -D -b 8096 -a exit,always -S open -F success=0 -k RULE1 -a exit,always -S unlink -S rmdir -k RULE2 -w /etc/auditd.conf -k RULE3 -w /etc/audit.rules -k RULE4 -a exit,always -S acct -S reboot -S swapon -k RULE5 -a exit,always -S settimeofday -S setrlimit -S setdomainname -k RULE6 -a exit,always -S sched_setparam -S sched_setscheduler -k RULE7 -a exit,always -S chmod -S fchmod -S chown -S fchown -k RULE8 -a exit,always -S lchown -k RULE9 Here is the output of aureport: Summary Report ====================== Range of time: 04/25/08 16:37:44.116 - 04/25/08 16:47:29.266 Number of changes in configuration: 22 Number of changes to accounts, groups, or roles: 0 Number of logins: 0 Number of failed logins: 0 Number of users: 2 Number of terminals: 4 Number of host names: 2 Number of executables: 33 Number of files: 693 Number of AVC denials: 0 Number of MAC events: 0 Number of failed syscalls: 4052 Number of anomaly events: 0 Number of responses to anomaly events: 0 Number of crypto events: 0 Number of process IDs: 1428 Number of events: 1444530 This is 475mb in ten minutes! Here is how the rule hits add up: RULE1: 4052 RULE2: 601 RULE3: 9 RULE4: 1 RULE5: 0 RULE6: 40 RULE7: 1438239 RULE8: 1503 RULE9: 0 Here is one of the log entries I have so many of. type=SYSCALL msg=audit(04/25/08 16:37:48.568:194518) : arch=i386 syscall=_newselect per=400000 success=yes exit=0 a0=13 a1=f692e220 a2=0 a3=0 items=0 ppid=1 pid=4012 auid=unknown(4294967295) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=savd exe=/opt/sophos-av/engine/_/savd.0 subj=unconstrained key="RULE7" How can I exclude this so it doesn't get logged? The rules I have above are required by the government. DIACAP STIG Thanks! ^ permalink raw reply [flat|nested] 6+ messages in thread

* Re: Way too many logs! 2008-05-09 20:20 Way too many logs! Jeremy Leonard @ 2008-05-09 20:43 ` Steve Grubb 2008-05-11 0:41 ` Steve Grubb 2008-05-09 21:29 ` Valdis.Kletnieks 2008-05-26 13:42 ` troy.s.curtis 2 siblings, 1 reply; 6+ messages in thread From: Steve Grubb @ 2008-05-09 20:43 UTC (permalink / raw) To: linux-audit On Friday 09 May 2008 16:20:44 Jeremy Leonard wrote: > How can I exclude this so it doesn't get logged? > > The rules I have above are required by the government. DIACAP STIG Do you need to log all changes to the scheduler? Or just the changes caused by users? If the latter, you can cut back your events like this: -a exit,always -S sched_setparam -S sched_setscheduler -F auid>=500 -k RULE7 -Steve ^ permalink raw reply [flat|nested] 6+ messages in thread

* Re: Way too many logs! 2008-05-09 20:43 ` Steve Grubb @ 2008-05-11 0:41 ` Steve Grubb 0 siblings, 0 replies; 6+ messages in thread From: Steve Grubb @ 2008-05-11 0:41 UTC (permalink / raw) To: linux-audit On Friday 09 May 2008 16:43:38 Steve Grubb wrote: > > The rules I have above are required by the government. DIACAP STIG > > Do you need to log all changes to the scheduler? Or just the changes caused > by users? If the latter, you can cut back your events like this: > > -a exit,always -S sched_setparam -S sched_setscheduler -F auid>=500 -k > RULE7 I should mention the above rule is probably not correct. It better to state it this way: a exit,always -F arch=b32 -S sched_setparam -S sched_setscheduler -F auid>=500 -F auid!=4294967295 -k RULE7 a exit,always -F arch=b64 -S sched_setparam -S sched_setscheduler -F auid>=500 -F auid!=4294967295 -k RULE7 The reason why is that you also have to check for the unset auid and set a rule for each arch if its a bi-arch system (x86_64). -Steve ^ permalink raw reply [flat|nested] 6+ messages in thread

* Re: Way too many logs! 2008-05-09 20:20 Way too many logs! Jeremy Leonard 2008-05-09 20:43 ` Steve Grubb @ 2008-05-09 21:29 ` Valdis.Kletnieks 2008-05-11 1:17 ` Steve Grubb 2008-05-26 13:42 ` troy.s.curtis 2 siblings, 1 reply; 6+ messages in thread From: Valdis.Kletnieks @ 2008-05-09 21:29 UTC (permalink / raw) To: Jeremy Leonard; +Cc: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 526 bytes --] On Fri, 09 May 2008 16:20:44 EDT, Jeremy Leonard said: > -a exit,always -S sched_setparam -S sched_setscheduler -k RULE7 > type=SYSCALL msg=audit(04/25/08 16:37:48.568:194518) : arch=i386 syscall=_newselect OK, I'll bite - why is a select() syscall tripping sched_setparam or sched_setschdeduler? Or more importantly - are those two cutting audit events for the wrong reasons? (In other words, should the kernel be doing the "trim it to only user-initiated changes" that Steve Grubb suggested 'uid>500' as a workaround? [-- Attachment #1.2: Type: application/pgp-signature, Size: 226 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 6+ messages in thread

* Re: Way too many logs! 2008-05-09 21:29 ` Valdis.Kletnieks @ 2008-05-11 1:17 ` Steve Grubb 0 siblings, 0 replies; 6+ messages in thread From: Steve Grubb @ 2008-05-11 1:17 UTC (permalink / raw) To: linux-audit; +Cc: Valdis.Kletnieks On Friday 09 May 2008 17:29:04 Valdis.Kletnieks@vt.edu wrote: > On Fri, 09 May 2008 16:20:44 EDT, Jeremy Leonard said: > > -a exit,always -S sched_setparam -S sched_setscheduler -k RULE7 > > > > type=SYSCALL msg=audit(04/25/08 16:37:48.568:194518) : arch=i386 > > syscall=_newselect > > OK, I'll bite - why is a select() syscall tripping sched_setparam or > sched_setschdeduler? This record has a personality bit set unlike most events I ever see: "arch=i386 syscall=_newselect per=400000" I don't know if that is affecting the syscalls or not. Assuming it doesn't, _newselect only occurs on ppc as far as I know. Its syscall 142. On x86_64, sched_setparam is syscall 142. Not sure if that is the connection or not. But something is wrong in this audit event. :) Also notice that the subject is unconstrained, so they must be running some special SE Linux policy or have a very unique kernel. > Or more importantly - are those two cutting audit events for the wrong > reasons? Yeah, could be. I think I'd also want to audit the setting of the personality as that could be an attempt at masking the real actions of the user. Most systems never do this. If you have a system doing it, you might want to keep an eye on that. -Steve ^ permalink raw reply [flat|nested] 6+ messages in thread

* RE: Way too many logs! 2008-05-09 20:20 Way too many logs! Jeremy Leonard 2008-05-09 20:43 ` Steve Grubb 2008-05-09 21:29 ` Valdis.Kletnieks @ 2008-05-26 13:42 ` troy.s.curtis 2 siblings, 0 replies; 6+ messages in thread From: troy.s.curtis @ 2008-05-26 13:42 UTC (permalink / raw) To: Jeremy Leonard, linux-audit I don't typically monitor this list too closely which is why this is so late but I might have a rule to help you trim things down. This has so far passed muster for NISPOM, but I'm not too familiar with DIACAP STIG (yet, it's coming I think!). Once you get your RULE7 trimmed down you may run into an excessive number of unsuccessful open calls. Especially if your systems are used for any kind of develop (like mine). The reason is that as your shell searches through the path looking for an executable you get lots of failures due to it not existing in various places. I think you may not run into too many issues with an actual shell because they typically cache the locations, but running something like Make hits them all the time. Anyway, to cut down on those and be able to defend it you can exclude failures due to non-existence: -a exit,always -S open -F success=0 -f exit!=-2 It looks like maybe you can use the actual errno here, but maybe not on my old version? But I'm using the above rule on a RHEL 4 box successfully. It pretty much single handedly took our logs from unmanageable (not to mention a MAJOR performance hit for compiles) to usable. Troy Curtis, Jr. -----Original Message----- From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Jeremy Leonard Sent: Friday, May 09, 2008 3:21 PM To: linux-audit@redhat.com Subject: Way too many logs! Here are the rules I'm using: -D -b 8096 -a exit,always -S open -F success=0 -k RULE1 -a exit,always -S unlink -S rmdir -k RULE2 -w /etc/auditd.conf -k RULE3 -w /etc/audit.rules -k RULE4 -a exit,always -S acct -S reboot -S swapon -k RULE5 -a exit,always -S settimeofday -S setrlimit -S setdomainname -k RULE6 -a exit,always -S sched_setparam -S sched_setscheduler -k RULE7 -a exit,always -S chmod -S fchmod -S chown -S fchown -k RULE8 -a exit,always -S lchown -k RULE9 Here is the output of aureport: Summary Report ====================== Range of time: 04/25/08 16:37:44.116 - 04/25/08 16:47:29.266 Number of changes in configuration: 22 Number of changes to accounts, groups, or roles: 0 Number of logins: 0 Number of failed logins: 0 Number of users: 2 Number of terminals: 4 Number of host names: 2 Number of executables: 33 Number of files: 693 Number of AVC denials: 0 Number of MAC events: 0 Number of failed syscalls: 4052 Number of anomaly events: 0 Number of responses to anomaly events: 0 Number of crypto events: 0 Number of process IDs: 1428 Number of events: 1444530 This is 475mb in ten minutes! Here is how the rule hits add up: RULE1: 4052 RULE2: 601 RULE3: 9 RULE4: 1 RULE5: 0 RULE6: 40 RULE7: 1438239 RULE8: 1503 RULE9: 0 Here is one of the log entries I have so many of. type=SYSCALL msg=audit(04/25/08 16:37:48.568:194518) : arch=i386 syscall=_newselect per=400000 success=yes exit=0 a0=13 a1=f692e220 a2=0 a3=0 items=0 ppid=1 pid=4012 auid=unknown(4294967295) uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) comm=savd exe=/opt/sophos-av/engine/_/savd.0 subj=unconstrained key="RULE7" How can I exclude this so it doesn't get logged? The rules I have above are required by the government. DIACAP STIG Thanks! -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 6+ messages in thread

end of thread, other threads:[~2008-05-26 13:42 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2008-05-09 20:20 Way too many logs! Jeremy Leonard 2008-05-09 20:43 ` Steve Grubb 2008-05-11 0:41 ` Steve Grubb 2008-05-09 21:29 ` Valdis.Kletnieks 2008-05-11 1:17 ` Steve Grubb 2008-05-26 13:42 ` troy.s.curtis