Limiting Audit Logs For Specific Directories & Specific Error Codes

All of lore.kernel.org
 help / color / mirror / Atom feed

* Limiting Audit Logs For Specific Directories & Specific Error Codes
@ 2009-12-11 18:20 Wyllie, Aaron
  2009-12-11 19:40 ` Steve Grubb
  0 siblings, 1 reply; 2+ messages in thread
From: Wyllie, Aaron @ 2009-12-11 18:20 UTC (permalink / raw)
  To: 'linux-audit@redhat.com'

[-- Attachment #1.1: Type: text/plain, Size: 1933 bytes --]

Hi.  I have a few basic questions.

First, we have a particular piece of software that generates a lot of log entries for file deletes (successful & unsuccessful).  I'd like to limit what is actually captured by excluding that directory.

I'm thinking that I could add: -F dir!=/var/opt/xxx/xxx

Would that prevent logging from anything recursively from that directory and below or do I need to set rules to specifically exclude for each file (which I may do anyways)?  Is there a different/better means for doing this?

The second question is events resulting from running 'ls -al' as a normal user 'su -' to root.  This is generating a failed syscall error for getxattr with an error code of 61 (no data available).  I'm assuming that this is because no extended attributes were set but, regardless, I'd like to avoid this.

I have the following rules that I think may be logging this but I'm not sure:

-a entry,always -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -k SYS_attribute
-a entry,always -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate

Would adding the following prevent these events from being logged or do I need to create a new rule(?): -F exit!=-61

Lastly, is there any benefit associated with ordering the rules in audit.rules, i.e., are they applied in the order they are read?

Thanks and let me know if need to provide additional information.

Aaron

________________________________
The information contained in this message is proprietary and/or confidential. If you are not the intended recipient, please: (i) delete the message and all copies; (ii) do not disclose, distribute or use the message in any manner; and (iii) notify the sender immediately. In addition, please be aware that any message addressed to our domain is subject to archiving and review by persons other than the intended recipient. Thank you.

[-- Attachment #1.2: Type: text/html, Size: 7889 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: Limiting Audit Logs For Specific Directories & Specific Error Codes
  2009-12-11 18:20 Limiting Audit Logs For Specific Directories & Specific Error Codes Wyllie, Aaron
@ 2009-12-11 19:40 ` Steve Grubb
  0 siblings, 0 replies; 2+ messages in thread
From: Steve Grubb @ 2009-12-11 19:40 UTC (permalink / raw)
  To: linux-audit; +Cc: Wyllie, Aaron

On Friday 11 December 2009 01:20:49 pm Wyllie, Aaron wrote:
> Hi.  I have a few basic questions.
> 
> First, we have a particular piece of software that generates a lot of log
>  entries for file deletes (successful & unsuccessful).  I'd like to limit
>  what is actually captured by excluding that directory.
> 
> I'm thinking that I could add: -F dir!=/var/opt/xxx/xxx
> 
> Would that prevent logging from anything recursively from that directory
>  and below or do I need to set rules to specifically exclude for each file
>  (which I may do anyways)?  Is there a different/better means for doing
>  this?

I think you want

-a exit,never -F dir=/var/opt/xxx/xxx


> The second question is events resulting from running 'ls -al' as a normal
>  user 'su -' to root.  This is generating a failed syscall error for
>  getxattr with an error code of 61 (no data available).  I'm assuming that
>  this is because no extended attributes were set but, regardless, I'd like
>  to avoid this.
> 
> I have the following rules that I think may be logging this but I'm not
>  sure:
> 
> -a entry,always -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S
>  removexattr -S lremovexattr -S fremovexattr -k SYS_attribute -a
>  entry,always -F arch=b32 -S creat -S open -S openat -S truncate -S
>  ftruncate
> 
> Would adding the following prevent these events from being logged or do I
>  need to create a new rule(?): -F exit!=-61

Yes, that would do it. Also note that the exit code is not available for rules 
on the entry filter. So, you need to change that, too.

> Lastly, is there any benefit associated with ordering the rules in
>  audit.rules, i.e., are they applied in the order they are read?

They are in the order they are read in per each filter as long as you use the 
'-a' operator. If you use '-A', then that rule goes to the front of the list 
for the stated filter.

The only reason to order them is when you have a specific rule that you would 
like to take priority over rules after it.

-Steve

^ permalink raw reply	[flat|nested] 2+ messages in thread

end of thread, other threads:[~2009-12-11 19:40 UTC | newest]

Thread overview: 2+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2009-12-11 18:20 Limiting Audit Logs For Specific Directories & Specific Error Codes Wyllie, Aaron
2009-12-11 19:40 ` Steve Grubb

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.