From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Question about excluding rules
Date: Thu, 20 Feb 2020 18:41:08 -0500
Message-ID: <2400991.fjeXDc8RHV@x2>
In-Reply-To: <CAM5ObREwVjihySamgkSGOxBK8Rwe0jgra5+Ec5ZHK5J5XzD_Ow@mail.gmail.com>
On Thursday, February 20, 2020 6:36:46 PM EST Moshe Rechtman wrote:
> Hello Experts,
>
> We have a big customer that is facing the following issue on RHEL 6.2.
> As per customer request I've configured the following rules:
>
> $ cat audit.rules
>
> # This file contains the auditctl rules that are loaded
> # whenever the audit daemon is started via the initscripts.
> # The rules are simply the parameters that would be passed
> # to auditctl.
>
> # First rule - delete all
> -D
>
> # Increase the buffers to survive stress events.
> # Make this bigger for busy systems
> -b 320
>
> # Feel free to add below this line. See auditctl man page
>
> -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
> -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
> -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
> -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
>
>
> Audit started working as expected. Now the customer is asking to exclude/ignore
> the following from audit logs:
>
> type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20 a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" key="rootact"
> type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c" a2=2F62696E2F70732061757877777777
> type=CWD msg=audit(1581664357.597:257516): cwd="/opt/microfocus/Discovery/bin"
> type=PATH msg=audit(1581664357.597:257516): item=0 name="/bin/sh" inode=398 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
> type=PATH msg=audit(1581664357.597:257516): item=1 name=(null) inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
>
> type=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e syscall=59 success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2 ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" key="rootact"
> type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps" a1="auxwwww"
> type=CWD msg=audit(1581664357.601:257517): cwd="/opt/microfocus/Discovery/bin"
> type=PATH msg=audit(1581664357.601:257517): item=0 name="/bin/ps" inode=1451 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
> type=PATH msg=audit(1581664357.601:257517): item=1 name=(null) inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
>
> What would be the best way to exclude such audit?
> Your help would be much appreciated.
What's objectionable about these events? The fact that it's got a key says
they think they wanted it.
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
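To make the two quoted events easier to compare, here is an added example (not code from this thread or from the audit project) that parses audit.log records into events keyed by serial number, decodes the hex-encoded EXECVE argument the kernel emits when an argument contains a space, and flags the `sh -c '/bin/ps ...'` wrapper and the direct `/bin/ps` exec as the same activity. The sample records are the ones quoted in the post, re-joined one record per line; the `is_known_noise` heuristic and its `programs` list are assumptions made for this example, not audit semantics.

```python
import re

# Constructed sample input: the two events quoted in the post above, re-joined so
# that each audit record occupies one line, as it does in /var/log/audit/audit.log.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20 a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" key="rootact"
type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c" a2=2F62696E2F70732061757877777777
type=CWD msg=audit(1581664357.597:257516): cwd="/opt/microfocus/Discovery/bin"
type=PATH msg=audit(1581664357.597:257516): item=0 name="/bin/sh" inode=398 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1581664357.597:257516): item=1 name=(null) inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e syscall=59 success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2 ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" key="rootact"
type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps" a1="auxwwww"
type=CWD msg=audit(1581664357.601:257517): cwd="/opt/microfocus/Discovery/bin"
type=PATH msg=audit(1581664357.601:257517): item=0 name="/bin/ps" inode=1451 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=PATH msg=audit(1581664357.601:257517): item=1 name=(null) inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
"""

MSG_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$')
FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
HEX_RE = re.compile(r'^(?:[0-9A-Fa-f]{2})+$')
ARG_RE = re.compile(r'^a\d+$')
# Fields the kernel treats as untrusted strings: quoted when printable, hex-encoded
# without quotes when they contain spaces, quotes or control characters.
STRING_FIELDS = {"comm", "exe", "name", "cwd", "key"}


def decode_value(rtype, key, raw):
    """Strip quotes from a quoted value; hex-decode an unquoted untrusted string.
    SYSCALL aN fields are register values, so only EXECVE aN fields count as strings."""
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        return raw[1:-1]
    untrusted = key in STRING_FIELDS or (rtype == "EXECVE" and ARG_RE.match(key))
    if untrusted and HEX_RE.match(raw):
        return bytes.fromhex(raw).decode("utf-8", "replace")
    return raw


def parse_record(line):
    """One audit.log line -> {type, time, serial, fields}, or None if not a record."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    fields = {k: decode_value(rtype, k, v) for k, v in FIELD_RE.findall(body)}
    return {"type": rtype, "time": float(ts), "serial": int(serial), "fields": fields}


def parse_events(text):
    """Group records by serial number: one event = SYSCALL + EXECVE + CWD + PATH..."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec is None:
            continue
        ev = events.setdefault(rec["serial"],
                               {"serial": rec["serial"], "time": rec["time"], "records": []})
        ev["records"].append(rec)
    return [events[s] for s in sorted(events)]


def record_of(event, rtype):
    return next((r for r in event["records"] if r["type"] == rtype), None)


def argv_of(event):
    """Rebuild argv from the EXECVE record, in argument order."""
    ex = record_of(event, "EXECVE")
    if ex is None:
        return []
    fl = ex["fields"]
    return [fl.get("a%d" % i, "") for i in range(int(fl.get("argc", "0")))]


def summarize(event):
    sc = record_of(event, "SYSCALL")
    fl = sc["fields"] if sc else {}
    return {"serial": event["serial"], "pid": fl.get("pid"), "ppid": fl.get("ppid"),
            "auid": fl.get("auid"), "exe": fl.get("exe"), "key": fl.get("key"),
            "argv": argv_of(event)}


def is_known_noise(event, programs=("/bin/ps",)):
    """Heuristic (an assumption for this example): an exec of one of `programs`, or an
    `sh -c` whose command string starts with one of them, is the same activity."""
    s = summarize(event)
    if s["exe"] in programs:
        return True
    argv = s["argv"]
    return len(argv) >= 3 and argv[1] == "-c" and argv[2].split(" ", 1)[0] in programs


if __name__ == "__main__":
    for ev in parse_events(SAMPLE_LOG):
        s = summarize(ev)
        print(s["serial"], s["exe"], s["argv"], "noise" if is_known_noise(ev) else "keep")
```

Decoding shows that a2 of event 257516 is `/bin/ps auxwwww`, so the first event is the shell wrapper that spawns the second; both carry the same ppid and an unset auid (4294967295), i.e. they come from a daemon, not a login session, and the cwd names which one. A log-side filter keyed only on exe=/bin/ps would drop the child and keep the wrapper, which is the kind of check worth running before deciding that such records are noise.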
Thread overview: 16+ messages
2020-02-20 23:36 Question about excluding rules Moshe Rechtman
2020-02-20 23:41 ` Steve Grubb [this message]
2020-02-21  0:04 ` Moshe Rechtman
2020-02-21  0:27 ` Steve Grubb
2020-02-21  7:32 ` Moshe Rechtman
2020-02-21 13:53 ` Steve Grubb
2020-02-24  0:27 ` Moshe Rechtman
2020-02-20 23:48 ` Paul Moore