From: Steve Grubb <sgrubb@redhat.com>
To: Moshe Rechtman <mrechtma@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: Question about excluding rules
Date: Fri, 21 Feb 2020 08:53:35 -0500 [thread overview]
Message-ID: <2890955.nCKnN53pJf@x2> (raw)
In-Reply-To: <CAM5ObRErKLEDB_2RAWBf_Xp+V+aEdBQhi_dnicM9o2Q7SK_y2g@mail.gmail.com>
On Friday, February 21, 2020 2:32:58 AM EST Moshe Rechtman wrote:
> Thanks so much for your help! I've included your suggested filter in
> audit.rules as shown below:
>
> # cat audit.rules1
>
> # This file contains the auditctl rules that are loaded
> # whenever the audit daemon is started via the initscripts.
> # The rules are simply the parameters that would be passed
> # to auditctl.
> # First rule - delete all
> -D
> # Increase the buffers to survive stress events.
> # Make this bigger for busy systems
> -b 320
> ### Feel free to add below this line. See auditctl man page
> -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
> -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
> -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
> -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
> -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact
> -a exit,always -F arch=b32 -F euid=0 -F auid!=unset -S execve -k rootact
It won't work this way. You now have 2 sets of rootact. The audit rule engine
is first match wins, so this second set of rules will never trigger. The
rule I mentioned was supposed to replace the rule in the list.
> After restarting the auditd service, the following error was received:
>
> # service auditd restart
> Stopping auditd: [ OK ]
> Starting auditd: [ OK ]
> Unknown user: unset
> -F unknown field: auid
OK. I guess this is really old. Then make it auid=-1
-Steve
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
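The point of Steve's reply is that the syscall filter stops at the first rule that matches, so a second set of rootact rules appended after the plain euid=0 rules can never fire. The following Python model is an added example for this thread, not code from the thread or from the audit userspace project. It assumes a simplified matcher (rules checked in load order, first rule whose -F/-S tests all pass decides the event) and uses the rule lines quoted above, with auid!=-1 spelled the way the older auditctl in the thread accepts it; the two sample events are constructed.

```python
"""Toy model of the audit syscall filter's first-match-wins rule evaluation.

Added example for this thread; it is not code from the thread or from the
audit userspace project. The rule lines are the ones quoted in the thread;
the matching logic is a simplified assumption: rules are checked in load
order and the first rule whose -F/-S tests all pass decides the event.
"""
import re

# auditctl spells an unset login uid as -1, which the kernel stores as the
# unsigned 32-bit value 4294967295; the "unset" keyword is what the older
# auditctl in the thread rejected.
UNSET_AUID = 0xFFFFFFFF

OPS = {
    '=': lambda a, b: a == b,
    '!=': lambda a, b: a != b,
    '>=': lambda a, b: a >= b,
    '<=': lambda a, b: a <= b,
    '>': lambda a, b: a > b,
    '<': lambda a, b: a < b,
}

RULE_RE = re.compile(r'^-a\s+\S+\s+(.*?)\s+-k\s+(\S+)$')
FIELD_RE = re.compile(r'^(\w+)(>=|<=|!=|=|>|<)(.+)$')


def parse_rule(line):
    """Parse one '-a exit,always ... -k key' line into (tests, key).

    tests is a list of (field, op, value); -S becomes a syscall=name test.
    """
    m = RULE_RE.match(line.strip())
    if not m:
        raise ValueError(f"unsupported rule: {line!r}")
    tokens, key = m.group(1).split(), m.group(2)
    tests = []
    for flag, arg in zip(tokens[0::2], tokens[1::2]):
        if flag == '-S':
            tests.append(('syscall', '=', arg))
        elif flag == '-F':
            field, op, value = FIELD_RE.match(arg).groups()
            if field == 'auid' and value in ('unset', '-1'):
                value = UNSET_AUID
            elif field in ('euid', 'auid'):
                value = int(value)
            tests.append((field, op, value))
        else:
            raise ValueError(f"unsupported flag: {flag}")
    return tests, key


def load_rules(text):
    """Parse every '-a' line; other lines (-D, -b, comments) are not filter rules."""
    return [parse_rule(ln) for ln in text.splitlines() if ln.strip().startswith('-a')]


def first_match(rules, event):
    """Return (rule_index, key) of the first matching rule, or None if nothing matches."""
    for idx, (tests, key) in enumerate(rules):
        if all(f in event and OPS[op](event[f], v) for f, op, v in tests):
            return idx, key
    return None


# The list as it was loaded in the thread: auid rules appended after the
# existing euid=0 rules, so they sit behind rules that already match everything.
AS_POSTED = """
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
-a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
-a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
-a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
-a exit,always -F arch=b64 -F euid=0 -F auid!=-1 -S execve -k rootact
-a exit,always -F arch=b32 -F euid=0 -F auid!=-1 -S execve -k rootact
"""

# The list with the auid rules replacing the plain euid=0 rules, as the reply intends.
AS_INTENDED = """
-a exit,always -F arch=b64 -F euid=0 -F auid!=-1 -S execve -k rootact
-a exit,always -F arch=b32 -F euid=0 -F auid!=-1 -S execve -k rootact
-a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
-a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
"""

# Constructed sample events: a root execve from a daemon (no login uid) and
# one from an administrator whose session was started as uid 1000.
DAEMON_EXECVE = {'arch': 'b64', 'syscall': 'execve', 'euid': 0, 'auid': UNSET_AUID}
ADMIN_EXECVE = {'arch': 'b64', 'syscall': 'execve', 'euid': 0, 'auid': 1000}


def compare():
    """Report which rule index decides each event under both rule orders."""
    posted, intended = load_rules(AS_POSTED), load_rules(AS_INTENDED)
    return {
        'posted': {'daemon': first_match(posted, DAEMON_EXECVE),
                   'admin': first_match(posted, ADMIN_EXECVE)},
        'intended': {'daemon': first_match(intended, DAEMON_EXECVE),
                     'admin': first_match(intended, ADMIN_EXECVE)},
    }


if __name__ == '__main__':
    for order, results in compare().items():
        print(order, results)
```

With the posted order both events are decided by rule 0 and the auid rules (indices 4 and 5) are dead; with the intended order the daemon's execve matches nothing and only the logged-in administrator's execve is keyed rootact, which is the filtering effect the auid test was meant to provide.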