* Question about excluding rules @ 2020-02-20 23:36 ` Moshe Rechtman 0 siblings, 0 replies; 16+ messages in thread From: Moshe Rechtman @ 2020-02-20 23:36 UTC (permalink / raw) To: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 2987 bytes --] Hello Experts, We have a big customer that facing the following issue on RHEL 6.2. As per customer request I've configured the following rules: $ cat audit.rules # This file contains the auditctl rules that are loaded # whenever the audit daemon is started via the initscripts. # The rules are simply the parameters that would be passed # to auditctl. # First rule - delete all -D # Increase the buffers to survive stress events. # Make this bigger for busy systems -b 320 # Feel free to add below this line. See auditctl man page -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract Audit start working as expected. Now customer is asking to exclude/ignore the following from audit logs: type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20 a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" key="rootact" type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c" a2=2F62696E2F70732061757877777777 type=CWD msg=audit(1581664357.597:257516): cwd="/opt/microfocus/Discovery/bin" type=PATH msg=audit(1581664357.597:257516): item=0 name="/bin/sh" inode=398 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL type=PATH msg=audit(1581664357.597:257516): item=1 name=(null) inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL ype=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e syscall=59 success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2 ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" key="rootact" type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps" a1="auxwwww" type=CWD msg=audit(1581664357.601:257517): cwd="/opt/microfocus/Discovery/bin" type=PATH msg=audit(1581664357.601:257517): item=0 name="/bin/ps" inode=1451 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL type=PATH msg=audit(1581664357.601:257517): item=1 name=(null) inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL What would be the best way to exclude such audit? Your help would be much appreciated. Thanks in advance & kind regards, Moshe Moshe Rechtman Technical Support Engineer Red Hat Israel <https://www.redhat.com/> 34 Jerusalem rd. Ra'anana, 43501 *mrechtma@redhat.com <kweg@redhat.com> * T: *+972-9-**7692289 * M: *+972-54-4971516* F: +972-9-7692223 @RedHat <https://twitter.com/redhat> Red Hat <https://www.linkedin.com/company/red-hat> Red Hat <https://www.facebook.com/RedHatInc> <https://red.ht/sig> [-- Attachment #1.2: Type: text/html, Size: 7286 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Question about excluding rules @ 2020-02-20 23:36 ` Moshe Rechtman 0 siblings, 0 replies; 16+ messages in thread From: Moshe Rechtman @ 2020-02-20 23:36 UTC (permalink / raw) To: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 2987 bytes --] Hello Experts, We have a big customer that facing the following issue on RHEL 6.2. As per customer request I've configured the following rules: $ cat audit.rules # This file contains the auditctl rules that are loaded # whenever the audit daemon is started via the initscripts. # The rules are simply the parameters that would be passed # to auditctl. # First rule - delete all -D # Increase the buffers to survive stress events. # Make this bigger for busy systems -b 320 # Feel free to add below this line. See auditctl man page -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract Audit start working as expected. Now customer is asking to exclude/ignore the following from audit logs: type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20 a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" key="rootact" type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c" a2=2F62696E2F70732061757877777777 type=CWD msg=audit(1581664357.597:257516): cwd="/opt/microfocus/Discovery/bin" type=PATH msg=audit(1581664357.597:257516): item=0 name="/bin/sh" inode=398 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL type=PATH msg=audit(1581664357.597:257516): item=1 name=(null) inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL ype=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e syscall=59 success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2 ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" key="rootact" type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps" a1="auxwwww" type=CWD msg=audit(1581664357.601:257517): cwd="/opt/microfocus/Discovery/bin" type=PATH msg=audit(1581664357.601:257517): item=0 name="/bin/ps" inode=1451 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL type=PATH msg=audit(1581664357.601:257517): item=1 name=(null) inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL What would be the best way to exclude such audit? Your help would be much appreciated. Thanks in advance & kind regards, Moshe Moshe Rechtman Technical Support Engineer Red Hat Israel <https://www.redhat.com/> 34 Jerusalem rd. Ra'anana, 43501 *mrechtma@redhat.com <kweg@redhat.com> * T: *+972-9-**7692289 * M: *+972-54-4971516* F: +972-9-7692223 @RedHat <https://twitter.com/redhat> Red Hat <https://www.linkedin.com/company/red-hat> Red Hat <https://www.facebook.com/RedHatInc> <https://red.ht/sig> [-- Attachment #1.2: Type: text/html, Size: 7286 bytes --] [-- Attachment #2: Type: text/plain, Size: 102 bytes --] -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Question about excluding rules @ 2020-02-20 23:41 ` Steve Grubb 0 siblings, 0 replies; 16+ messages in thread From: Steve Grubb @ 2020-02-20 23:41 UTC (permalink / raw) To: linux-audit On Thursday, February 20, 2020 6:36:46 PM EST Moshe Rechtman wrote: > Hello Experts, > > We have a big customer that facing the following issue on RHEL 6.2. > As per customer request I've configured the following rules: > > $ cat audit.rules > > # This file contains the auditctl rules that are loaded > # whenever the audit daemon is started via the initscripts. > # The rules are simply the parameters that would be passed > # to auditctl. > > # First rule - delete all > -D > > # Increase the buffers to survive stress events. > # Make this bigger for busy systems > -b 320 > > # Feel free to add below this line. See auditctl man page > > -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact > -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact > -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract > -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract > > > Audit start working as expected. Now customer is asking to exclude/ignore > the following from audit logs: > > type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e > syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20 > a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266 > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" > key="rootact" > type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c" > a2=2F62696E2F70732061757877777777 > type=CWD msg=audit(1581664357.597:257516): > cwd="/opt/microfocus/Discovery/bin" type=PATH > msg=audit(1581664357.597:257516): item=0 name="/bin/sh" inode=398 > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > nametype=NORMAL > type=PATH msg=audit(1581664357.597:257516): item=1 name=(null) > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > nametype=NORMAL > > ype=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e syscall=59 > success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2 > ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" > exe="/bin/ps" key="rootact" > type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps" > a1="auxwwww" type=CWD msg=audit(1581664357.601:257517): > cwd="/opt/microfocus/Discovery/bin" type=PATH > msg=audit(1581664357.601:257517): item=0 name="/bin/ps" inode=1451 > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > nametype=NORMAL > type=PATH msg=audit(1581664357.601:257517): item=1 name=(null) > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > nametype=NORMAL > > What would be the best way to exclude such audit? > Your help would be much appreciated. What's objectionable about these events? The fact that its got a key says they think they wanted it. -Steve ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Question about excluding rules @ 2020-02-20 23:41 ` Steve Grubb 0 siblings, 0 replies; 16+ messages in thread From: Steve Grubb @ 2020-02-20 23:41 UTC (permalink / raw) To: linux-audit On Thursday, February 20, 2020 6:36:46 PM EST Moshe Rechtman wrote: > Hello Experts, > > We have a big customer that facing the following issue on RHEL 6.2. > As per customer request I've configured the following rules: > > $ cat audit.rules > > # This file contains the auditctl rules that are loaded > # whenever the audit daemon is started via the initscripts. > # The rules are simply the parameters that would be passed > # to auditctl. > > # First rule - delete all > -D > > # Increase the buffers to survive stress events. > # Make this bigger for busy systems > -b 320 > > # Feel free to add below this line. See auditctl man page > > -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact > -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact > -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract > -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract > > > Audit start working as expected. Now customer is asking to exclude/ignore > the following from audit logs: > > type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e > syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20 > a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266 > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" > key="rootact" > type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c" > a2=2F62696E2F70732061757877777777 > type=CWD msg=audit(1581664357.597:257516): > cwd="/opt/microfocus/Discovery/bin" type=PATH > msg=audit(1581664357.597:257516): item=0 name="/bin/sh" inode=398 > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > nametype=NORMAL > type=PATH msg=audit(1581664357.597:257516): item=1 name=(null) > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > nametype=NORMAL > > ype=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e syscall=59 > success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2 > ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" > exe="/bin/ps" key="rootact" > type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps" > a1="auxwwww" type=CWD msg=audit(1581664357.601:257517): > cwd="/opt/microfocus/Discovery/bin" type=PATH > msg=audit(1581664357.601:257517): item=0 name="/bin/ps" inode=1451 > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > nametype=NORMAL > type=PATH msg=audit(1581664357.601:257517): item=1 name=(null) > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > nametype=NORMAL > > What would be the best way to exclude such audit? > Your help would be much appreciated. What's objectionable about these events? The fact that its got a key says they think they wanted it. -Steve -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Question about excluding rules @ 2020-02-21 0:04 ` Moshe Rechtman 0 siblings, 0 replies; 16+ messages in thread From: Moshe Rechtman @ 2020-02-21 0:04 UTC (permalink / raw) To: Steve Grubb; +Cc: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 3391 bytes --] Hello Steve, Thanks for the quick response. Those particular logs generated by a third party monitoring application named Microfocus, which keeps on running "ps -auxwwww" command and filling up quickly the audit log. Please your advice.. Thanks in adbance, Kind regards, Moshe בתאריך יום ו׳, 21 בפבר׳ 2020, 01:41, מאת Steve Grubb <sgrubb@redhat.com>: > On Thursday, February 20, 2020 6:36:46 PM EST Moshe Rechtman wrote: > > Hello Experts, > > > > We have a big customer that facing the following issue on RHEL 6.2. > > As per customer request I've configured the following rules: > > > > $ cat audit.rules > > > > # This file contains the auditctl rules that are loaded > > # whenever the audit daemon is started via the initscripts. > > # The rules are simply the parameters that would be passed > > # to auditctl. > > > > # First rule - delete all > > -D > > > > # Increase the buffers to survive stress events. > > # Make this bigger for busy systems > > -b 320 > > > > # Feel free to add below this line. See auditctl man page > > > > -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact > > -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact > > -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract > > -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract > > > > > > Audit start working as expected. Now customer is asking to exclude/ignore > > the following from audit logs: > > > > type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e > > syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20 > > a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266 > > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > > fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" > > key="rootact" > > type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c" > > a2=2F62696E2F70732061757877777777 > > type=CWD msg=audit(1581664357.597:257516): > > cwd="/opt/microfocus/Discovery/bin" type=PATH > > msg=audit(1581664357.597:257516): item=0 name="/bin/sh" inode=398 > > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > > nametype=NORMAL > > type=PATH msg=audit(1581664357.597:257516): item=1 name=(null) > > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > > nametype=NORMAL > > > > ype=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e syscall=59 > > success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2 > > ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 > > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" > > exe="/bin/ps" key="rootact" > > type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps" > > a1="auxwwww" type=CWD msg=audit(1581664357.601:257517): > > cwd="/opt/microfocus/Discovery/bin" type=PATH > > msg=audit(1581664357.601:257517): item=0 name="/bin/ps" inode=1451 > > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > > nametype=NORMAL > > type=PATH msg=audit(1581664357.601:257517): item=1 name=(null) > > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > > nametype=NORMAL > > > > What would be the best way to exclude such audit? > > Your help would be much appreciated. > > What's objectionable about these events? The fact that its got a key says > they think they wanted it. > > -Steve > > > > [-- Attachment #1.2: Type: text/html, Size: 4515 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Question about excluding rules @ 2020-02-21 0:04 ` Moshe Rechtman 0 siblings, 0 replies; 16+ messages in thread From: Moshe Rechtman @ 2020-02-21 0:04 UTC (permalink / raw) To: Steve Grubb; +Cc: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 3391 bytes --] Hello Steve, Thanks for the quick response. Those particular logs generated by a third party monitoring application named Microfocus, which keeps on running "ps -auxwwww" command and filling up quickly the audit log. Please your advice.. Thanks in adbance, Kind regards, Moshe בתאריך יום ו׳, 21 בפבר׳ 2020, 01:41, מאת Steve Grubb <sgrubb@redhat.com>: > On Thursday, February 20, 2020 6:36:46 PM EST Moshe Rechtman wrote: > > Hello Experts, > > > > We have a big customer that facing the following issue on RHEL 6.2. > > As per customer request I've configured the following rules: > > > > $ cat audit.rules > > > > # This file contains the auditctl rules that are loaded > > # whenever the audit daemon is started via the initscripts. > > # The rules are simply the parameters that would be passed > > # to auditctl. > > > > # First rule - delete all > > -D > > > > # Increase the buffers to survive stress events. > > # Make this bigger for busy systems > > -b 320 > > > > # Feel free to add below this line. See auditctl man page > > > > -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact > > -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact > > -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract > > -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract > > > > > > Audit start working as expected. Now customer is asking to exclude/ignore > > the following from audit logs: > > > > type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e > > syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20 > > a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266 > > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > > fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" > > key="rootact" > > type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c" > > a2=2F62696E2F70732061757877777777 > > type=CWD msg=audit(1581664357.597:257516): > > cwd="/opt/microfocus/Discovery/bin" type=PATH > > msg=audit(1581664357.597:257516): item=0 name="/bin/sh" inode=398 > > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > > nametype=NORMAL > > type=PATH msg=audit(1581664357.597:257516): item=1 name=(null) > > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > > nametype=NORMAL > > > > ype=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e syscall=59 > > success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2 > > ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 > > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" > > exe="/bin/ps" key="rootact" > > type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps" > > a1="auxwwww" type=CWD msg=audit(1581664357.601:257517): > > cwd="/opt/microfocus/Discovery/bin" type=PATH > > msg=audit(1581664357.601:257517): item=0 name="/bin/ps" inode=1451 > > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > > nametype=NORMAL > > type=PATH msg=audit(1581664357.601:257517): item=1 name=(null) > > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > > nametype=NORMAL > > > > What would be the best way to exclude such audit? > > Your help would be much appreciated. > > What's objectionable about these events? The fact that its got a key says > they think they wanted it. > > -Steve > > > > [-- Attachment #1.2: Type: text/html, Size: 4515 bytes --] [-- Attachment #2: Type: text/plain, Size: 102 bytes --] -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Question about excluding rules @ 2020-02-21 0:27 ` Steve Grubb 0 siblings, 0 replies; 16+ messages in thread From: Steve Grubb @ 2020-02-21 0:27 UTC (permalink / raw) To: Moshe Rechtman; +Cc: linux-audit Hello, On Thursday, February 20, 2020 7:04:37 PM EST Moshe Rechtman wrote: > Those particular logs generated by a third party monitoring application > named Microfocus, which keeps on running "ps -auxwwww" command and filling > up quickly the audit log. It looks like this is a daemon since auid is -1. So, I'd suggest that the rule be something like: -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact This will not filter just that one item, it will filter all execution by all daemons. -Steve > > On Thursday, February 20, 2020 6:36:46 PM EST Moshe Rechtman wrote: > > > $ cat audit.rules > > > > > > # This file contains the auditctl rules that are loaded > > > # whenever the audit daemon is started via the initscripts. > > > # The rules are simply the parameters that would be passed > > > # to auditctl. > > > > > > # First rule - delete all > > > -D > > > > > > # Increase the buffers to survive stress events. > > > # Make this bigger for busy systems > > > -b 320 > > > > > > # Feel free to add below this line. See auditctl man page > > > > > > -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact > > > -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact > > > -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract > > > -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract > > > > > > > > > Audit start working as expected. Now customer is asking to > > > exclude/ignore the following from audit logs: > > > > > > type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e > > > syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20 > > > a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266 > > > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > > > fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" > > > key="rootact" > > > type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c" > > > a2=2F62696E2F70732061757877777777 > > > type=CWD msg=audit(1581664357.597:257516): > > > cwd="/opt/microfocus/Discovery/bin" type=PATH > > > msg=audit(1581664357.597:257516): item=0 name="/bin/sh" inode=398 > > > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > > > nametype=NORMAL > > > type=PATH msg=audit(1581664357.597:257516): item=1 name=(null) > > > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > > > nametype=NORMAL > > > > > > ype=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e syscall=59 > > > success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2 > > > ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 > > > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" > > > exe="/bin/ps" key="rootact" > > > type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps" > > > a1="auxwwww" type=CWD msg=audit(1581664357.601:257517): > > > cwd="/opt/microfocus/Discovery/bin" type=PATH > > > msg=audit(1581664357.601:257517): item=0 name="/bin/ps" inode=1451 > > > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > > > nametype=NORMAL > > > type=PATH msg=audit(1581664357.601:257517): item=1 name=(null) > > > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > > > nametype=NORMAL > > > > > > What would be the best way to exclude such audit? > > > Your help would be much appreciated. > > > > What's objectionable about these events? The fact that its got a key says > > they think they wanted it. > > > > -Steve ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Question about excluding rules @ 2020-02-21 0:27 ` Steve Grubb 0 siblings, 0 replies; 16+ messages in thread From: Steve Grubb @ 2020-02-21 0:27 UTC (permalink / raw) To: Moshe Rechtman; +Cc: linux-audit Hello, On Thursday, February 20, 2020 7:04:37 PM EST Moshe Rechtman wrote: > Those particular logs generated by a third party monitoring application > named Microfocus, which keeps on running "ps -auxwwww" command and filling > up quickly the audit log. It looks like this is a daemon since auid is -1. So, I'd suggest that the rule be something like: -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact This will not filter just that one item, it will filter all execution by all daemons. -Steve > > On Thursday, February 20, 2020 6:36:46 PM EST Moshe Rechtman wrote: > > > $ cat audit.rules > > > > > > # This file contains the auditctl rules that are loaded > > > # whenever the audit daemon is started via the initscripts. > > > # The rules are simply the parameters that would be passed > > > # to auditctl. > > > > > > # First rule - delete all > > > -D > > > > > > # Increase the buffers to survive stress events. > > > # Make this bigger for busy systems > > > -b 320 > > > > > > # Feel free to add below this line. See auditctl man page > > > > > > -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact > > > -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact > > > -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract > > > -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract > > > > > > > > > Audit start working as expected. Now customer is asking to > > > exclude/ignore the following from audit logs: > > > > > > type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e > > > syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20 > > > a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266 > > > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > > > fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" > > > key="rootact" > > > type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c" > > > a2=2F62696E2F70732061757877777777 > > > type=CWD msg=audit(1581664357.597:257516): > > > cwd="/opt/microfocus/Discovery/bin" type=PATH > > > msg=audit(1581664357.597:257516): item=0 name="/bin/sh" inode=398 > > > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > > > nametype=NORMAL > > > type=PATH msg=audit(1581664357.597:257516): item=1 name=(null) > > > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > > > nametype=NORMAL > > > > > > ype=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e syscall=59 > > > success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2 > > > ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 > > > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" > > > exe="/bin/ps" key="rootact" > > > type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps" > > > a1="auxwwww" type=CWD msg=audit(1581664357.601:257517): > > > cwd="/opt/microfocus/Discovery/bin" type=PATH > > > msg=audit(1581664357.601:257517): item=0 name="/bin/ps" inode=1451 > > > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > > > nametype=NORMAL > > > type=PATH msg=audit(1581664357.601:257517): item=1 name=(null) > > > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > > > nametype=NORMAL > > > > > > What would be the best way to exclude such audit? > > > Your help would be much appreciated. > > > > What's objectionable about these events? The fact that its got a key says > > they think they wanted it. > > > > -Steve -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Question about excluding rules @ 2020-02-21 7:32 ` Moshe Rechtman 0 siblings, 0 replies; 16+ messages in thread From: Moshe Rechtman @ 2020-02-21 7:32 UTC (permalink / raw) To: Steve Grubb; +Cc: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 6128 bytes --] Hello Steve, Thanks so much for your help! I've included your suggested filter in audit.rules as shown below: # cat audit.rules1 1 # This file contains the auditctl rules that are loaded 2 # whenever the audit daemon is started via the initscripts. 3 # The rules are simply the parameters that would be passed 4 # to auditctl. 5 # First rule - delete all 6 -D 7 # Increase the buffers to survive stress events. 8 # Make this bigger for busy systems 9 -b 320 10 ### Feel free to add below this line. See auditctl man page 11 -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact 12 -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact 13 -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract 14 -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract 15 -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact 16 -a exit,always -F arch=b32 -F euid=0 -F auid!=unset -S execve -k rootact After restarting the auditd service following error received: # service auditd restart Stopping auditd: [ OK ] Starting auditd: [ OK ] Unknown user: unset -F unknown field: auid There was an error in line 15 of /etc/audit/audit.rules # auditctl -l LIST_RULES: exit,always arch=3221225534 (0xc000003e) euid=0 key=rootact syscall=execve LIST_RULES: exit,always arch=1073741827 (0x40000003) euid=0 key=rootact syscall=execve LIST_RULES: exit,always arch=3221225534 (0xc000003e) euid>=500 (0x1f4) key=useract syscall=execve LIST_RULES: exit,always arch=1073741827 (0x40000003) euid>=500 (0x1f4) key=useract syscall=execve # auditctl -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact Unknown user: unset -F unknown field: auid You advice would be much appreciated. Many thanks, Kind regards, Moshe Moshe Rechtman Technical Support Engineer Red Hat Israel <https://www.redhat.com/> 34 Jerusalem rd. Ra'anana, 43501 *mrechtma@redhat.com <kweg@redhat.com> * T: *+972-9-**7692289 * M: *+972-54-4971516* F: +972-9-7692223 @RedHat <https://twitter.com/redhat> Red Hat <https://www.linkedin.com/company/red-hat> Red Hat <https://www.facebook.com/RedHatInc> <https://red.ht/sig> On Fri, Feb 21, 2020 at 2:27 AM Steve Grubb <sgrubb@redhat.com> wrote: > Hello, > > On Thursday, February 20, 2020 7:04:37 PM EST Moshe Rechtman wrote: > > Those particular logs generated by a third party monitoring application > > named Microfocus, which keeps on running "ps -auxwwww" command and > filling > > up quickly the audit log. > > It looks like this is a daemon since auid is -1. So, I'd suggest that the > rule be something like: > > -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact > > This will not filter just that one item, it will filter all execution by > all > daemons. > > -Steve > > > > On Thursday, February 20, 2020 6:36:46 PM EST Moshe Rechtman wrote: > > > > $ cat audit.rules > > > > > > > > # This file contains the auditctl rules that are loaded > > > > # whenever the audit daemon is started via the initscripts. > > > > # The rules are simply the parameters that would be passed > > > > # to auditctl. > > > > > > > > # First rule - delete all > > > > -D > > > > > > > > # Increase the buffers to survive stress events. > > > > # Make this bigger for busy systems > > > > -b 320 > > > > > > > > # Feel free to add below this line. See auditctl man page > > > > > > > > -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact > > > > -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact > > > > -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract > > > > -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract > > > > > > > > > > > > Audit start working as expected. Now customer is asking to > > > > exclude/ignore the following from audit logs: > > > > > > > > type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e > > > > syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20 > > > > a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266 > > > > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > > > > fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" > > > > key="rootact" > > > > type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c" > > > > a2=2F62696E2F70732061757877777777 > > > > type=CWD msg=audit(1581664357.597:257516): > > > > cwd="/opt/microfocus/Discovery/bin" type=PATH > > > > msg=audit(1581664357.597:257516): item=0 name="/bin/sh" inode=398 > > > > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > > > > nametype=NORMAL > > > > type=PATH msg=audit(1581664357.597:257516): item=1 name=(null) > > > > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > > > > nametype=NORMAL > > > > > > > > ype=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e > syscall=59 > > > > success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2 > > > > ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 > > > > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" > > > > exe="/bin/ps" key="rootact" > > > > type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps" > > > > a1="auxwwww" type=CWD msg=audit(1581664357.601:257517): > > > > cwd="/opt/microfocus/Discovery/bin" type=PATH > > > > msg=audit(1581664357.601:257517): item=0 name="/bin/ps" inode=1451 > > > > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > > > > nametype=NORMAL > > > > type=PATH msg=audit(1581664357.601:257517): item=1 name=(null) > > > > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > > > > nametype=NORMAL > > > > > > > > What would be the best way to exclude such audit? > > > > Your help would be much appreciated. > > > > > > What's objectionable about these events? The fact that its got a key > says > > > they think they wanted it. > > > > > > -Steve > > > > > [-- Attachment #1.2: Type: text/html, Size: 11539 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Question about excluding rules @ 2020-02-21 7:32 ` Moshe Rechtman 0 siblings, 0 replies; 16+ messages in thread From: Moshe Rechtman @ 2020-02-21 7:32 UTC (permalink / raw) To: Steve Grubb; +Cc: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 6128 bytes --] Hello Steve, Thanks so much for your help! I've included your suggested filter in audit.rules as shown below: # cat audit.rules1 1 # This file contains the auditctl rules that are loaded 2 # whenever the audit daemon is started via the initscripts. 3 # The rules are simply the parameters that would be passed 4 # to auditctl. 5 # First rule - delete all 6 -D 7 # Increase the buffers to survive stress events. 8 # Make this bigger for busy systems 9 -b 320 10 ### Feel free to add below this line. See auditctl man page 11 -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact 12 -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact 13 -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract 14 -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract 15 -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact 16 -a exit,always -F arch=b32 -F euid=0 -F auid!=unset -S execve -k rootact After restarting the auditd service following error received: # service auditd restart Stopping auditd: [ OK ] Starting auditd: [ OK ] Unknown user: unset -F unknown field: auid There was an error in line 15 of /etc/audit/audit.rules # auditctl -l LIST_RULES: exit,always arch=3221225534 (0xc000003e) euid=0 key=rootact syscall=execve LIST_RULES: exit,always arch=1073741827 (0x40000003) euid=0 key=rootact syscall=execve LIST_RULES: exit,always arch=3221225534 (0xc000003e) euid>=500 (0x1f4) key=useract syscall=execve LIST_RULES: exit,always arch=1073741827 (0x40000003) euid>=500 (0x1f4) key=useract syscall=execve # auditctl -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact Unknown user: unset -F unknown field: auid You advice would be much appreciated. Many thanks, Kind regards, Moshe Moshe Rechtman Technical Support Engineer Red Hat Israel <https://www.redhat.com/> 34 Jerusalem rd. Ra'anana, 43501 *mrechtma@redhat.com <kweg@redhat.com> * T: *+972-9-**7692289 * M: *+972-54-4971516* F: +972-9-7692223 @RedHat <https://twitter.com/redhat> Red Hat <https://www.linkedin.com/company/red-hat> Red Hat <https://www.facebook.com/RedHatInc> <https://red.ht/sig> On Fri, Feb 21, 2020 at 2:27 AM Steve Grubb <sgrubb@redhat.com> wrote: > Hello, > > On Thursday, February 20, 2020 7:04:37 PM EST Moshe Rechtman wrote: > > Those particular logs generated by a third party monitoring application > > named Microfocus, which keeps on running "ps -auxwwww" command and > filling > > up quickly the audit log. > > It looks like this is a daemon since auid is -1. So, I'd suggest that the > rule be something like: > > -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact > > This will not filter just that one item, it will filter all execution by > all > daemons. > > -Steve > > > > On Thursday, February 20, 2020 6:36:46 PM EST Moshe Rechtman wrote: > > > > $ cat audit.rules > > > > > > > > # This file contains the auditctl rules that are loaded > > > > # whenever the audit daemon is started via the initscripts. > > > > # The rules are simply the parameters that would be passed > > > > # to auditctl. > > > > > > > > # First rule - delete all > > > > -D > > > > > > > > # Increase the buffers to survive stress events. > > > > # Make this bigger for busy systems > > > > -b 320 > > > > > > > > # Feel free to add below this line. See auditctl man page > > > > > > > > -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact > > > > -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact > > > > -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract > > > > -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract > > > > > > > > > > > > Audit start working as expected. Now customer is asking to > > > > exclude/ignore the following from audit logs: > > > > > > > > type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e > > > > syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20 > > > > a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266 > > > > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 > > > > fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" > > > > key="rootact" > > > > type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c" > > > > a2=2F62696E2F70732061757877777777 > > > > type=CWD msg=audit(1581664357.597:257516): > > > > cwd="/opt/microfocus/Discovery/bin" type=PATH > > > > msg=audit(1581664357.597:257516): item=0 name="/bin/sh" inode=398 > > > > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > > > > nametype=NORMAL > > > > type=PATH msg=audit(1581664357.597:257516): item=1 name=(null) > > > > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > > > > nametype=NORMAL > > > > > > > > ype=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e > syscall=59 > > > > success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2 > > > > ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 > > > > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" > > > > exe="/bin/ps" key="rootact" > > > > type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps" > > > > a1="auxwwww" type=CWD msg=audit(1581664357.601:257517): > > > > cwd="/opt/microfocus/Discovery/bin" type=PATH > > > > msg=audit(1581664357.601:257517): item=0 name="/bin/ps" inode=1451 > > > > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > > > > nametype=NORMAL > > > > type=PATH msg=audit(1581664357.601:257517): item=1 name=(null) > > > > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 > > > > nametype=NORMAL > > > > > > > > What would be the best way to exclude such audit? > > > > Your help would be much appreciated. > > > > > > What's objectionable about these events? The fact that its got a key > says > > > they think they wanted it. > > > > > > -Steve > > > > > [-- Attachment #1.2: Type: text/html, Size: 11539 bytes --] [-- Attachment #2: Type: text/plain, Size: 102 bytes --] -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Question about excluding rules @ 2020-02-21 13:53 ` Steve Grubb 0 siblings, 0 replies; 16+ messages in thread From: Steve Grubb @ 2020-02-21 13:53 UTC (permalink / raw) To: Moshe Rechtman; +Cc: linux-audit On Friday, February 21, 2020 2:32:58 AM EST Moshe Rechtman wrote: > Thanks so much for your help! I've included your suggested filter in > audit.rules as shown below: > > # cat audit.rules1 > > 1 # This file contains the auditctl rules that are loaded > 2 # whenever the audit daemon is started via the initscripts. > 3 # The rules are simply the parameters that would be passed > 4 # to auditctl. > 5 # First rule - delete all > 6 -D > 7 # Increase the buffers to survive stress events. > 8 # Make this bigger for busy systems > 9 -b 320 > 10 ### Feel free to add below this line. See auditctl man page > 11 -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact > 12 -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact > 13 -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract > 14 -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract > 15 -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k > rootact > 16 -a exit,always -F arch=b32 -F euid=0 -F auid!=unset -S execve -k > rootact It won't work this way. You now have 2 sets of rootact. The audit rule engine is a first match wins. So, this second set of rules will never trigger. The rule I mentioned was supposed to replace the rule in the list. > After restarting the auditd service following error received: > > # service auditd restart > Stopping auditd: [ OK ] > Starting auditd: [ OK ] > Unknown user: unset > -F unknown field: auid OK. I guess this is really old. Then make it auid=-1 -Steve ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Question about excluding rules @ 2020-02-21 13:53 ` Steve Grubb 0 siblings, 0 replies; 16+ messages in thread From: Steve Grubb @ 2020-02-21 13:53 UTC (permalink / raw) To: Moshe Rechtman; +Cc: linux-audit On Friday, February 21, 2020 2:32:58 AM EST Moshe Rechtman wrote: > Thanks so much for your help! I've included your suggested filter in > audit.rules as shown below: > > # cat audit.rules1 > > 1 # This file contains the auditctl rules that are loaded > 2 # whenever the audit daemon is started via the initscripts. > 3 # The rules are simply the parameters that would be passed > 4 # to auditctl. > 5 # First rule - delete all > 6 -D > 7 # Increase the buffers to survive stress events. > 8 # Make this bigger for busy systems > 9 -b 320 > 10 ### Feel free to add below this line. See auditctl man page > 11 -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact > 12 -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact > 13 -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract > 14 -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract > 15 -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k > rootact > 16 -a exit,always -F arch=b32 -F euid=0 -F auid!=unset -S execve -k > rootact It won't work this way. You now have 2 sets of rootact. The audit rule engine is a first match wins. So, this second set of rules will never trigger. The rule I mentioned was supposed to replace the rule in the list. > After restarting the auditd service following error received: > > # service auditd restart > Stopping auditd: [ OK ] > Starting auditd: [ OK ] > Unknown user: unset > -F unknown field: auid OK. I guess this is really old. Then make it auid=-1 -Steve -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Question about excluding rules @ 2020-02-24 0:27 ` Moshe Rechtman 0 siblings, 0 replies; 16+ messages in thread From: Moshe Rechtman @ 2020-02-24 0:27 UTC (permalink / raw) To: Steve Grubb; +Cc: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 3147 bytes --] Hello Steve, Thanks so much for your help, I've modified audit.rules as per you recommendation: # cat audit.rules # This file contains the auditctl rules that are loaded # whenever the audit daemon is started via the initscripts. # The rules are simply the parameters that would be passed # to auditctl. # First rule - delete all -D # Increase the buffers to survive stress events. # Make this bigger for busy systems -b 320 #-b 32768 # Feel free to add below this line. See auditctl man page -a exit,always -F arch=b64 -F euid=0 -F auid=-1 -S execve -k rootact # auditctl -l LIST_RULES: exit,always arch=3221225534 (0xc000003e) euid=0 auid=-1 (0xffffffff) key=rootact syscall=execve With the above settings, audit stop from logging all root commands! Any recommendations/suggestions would be appreciated. Kind regards, Moshe Moshe Rechtman Technical Support Engineer Red Hat Israel <https://www.redhat.com/> 34 Jerusalem rd. Ra'anana, 43501 *mrechtma@redhat.com <kweg@redhat.com> * T: *+972-9-**7692289 * M: *+972-54-4971516* F: +972-9-7692223 @RedHat <https://twitter.com/redhat> Red Hat <https://www.linkedin.com/company/red-hat> Red Hat <https://www.facebook.com/RedHatInc> <https://red.ht/sig> On Fri, Feb 21, 2020 at 3:53 PM Steve Grubb <sgrubb@redhat.com> wrote: > On Friday, February 21, 2020 2:32:58 AM EST Moshe Rechtman wrote: > > Thanks so much for your help! I've included your suggested filter in > > audit.rules as shown below: > > > > # cat audit.rules1 > > > > 1 # This file contains the auditctl rules that are loaded > > 2 # whenever the audit daemon is started via the initscripts. > > 3 # The rules are simply the parameters that would be passed > > 4 # to auditctl. > > 5 # First rule - delete all > > 6 -D > > 7 # Increase the buffers to survive stress events. > > 8 # Make this bigger for busy systems > > 9 -b 320 > > 10 ### Feel free to add below this line. See auditctl man page > > 11 -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact > > 12 -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact > > 13 -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract > > 14 -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract > > 15 -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k > > rootact > > 16 -a exit,always -F arch=b32 -F euid=0 -F auid!=unset -S execve -k > > rootact > > It won't work this way. You now have 2 sets of rootact. The audit rule > engine > is a first match wins. So, this second set of rules will never trigger. > The > rule I mentioned was supposed to replace the rule in the list. > > > After restarting the auditd service following error received: > > > > # service auditd restart > > Stopping auditd: [ OK ] > > Starting auditd: [ OK ] > > Unknown user: unset > > -F unknown field: auid > > OK. I guess this is really old. Then make it auid=-1 > > -Steve > > > [-- Attachment #1.2: Type: text/html, Size: 7691 bytes --] [-- Attachment #2: Type: text/plain, Size: 0 bytes --] ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Question about excluding rules @ 2020-02-24 0:27 ` Moshe Rechtman 0 siblings, 0 replies; 16+ messages in thread From: Moshe Rechtman @ 2020-02-24 0:27 UTC (permalink / raw) To: Steve Grubb; +Cc: linux-audit [-- Attachment #1.1: Type: text/plain, Size: 3147 bytes --] Hello Steve, Thanks so much for your help, I've modified audit.rules as per you recommendation: # cat audit.rules # This file contains the auditctl rules that are loaded # whenever the audit daemon is started via the initscripts. # The rules are simply the parameters that would be passed # to auditctl. # First rule - delete all -D # Increase the buffers to survive stress events. # Make this bigger for busy systems -b 320 #-b 32768 # Feel free to add below this line. See auditctl man page -a exit,always -F arch=b64 -F euid=0 -F auid=-1 -S execve -k rootact # auditctl -l LIST_RULES: exit,always arch=3221225534 (0xc000003e) euid=0 auid=-1 (0xffffffff) key=rootact syscall=execve With the above settings, audit stop from logging all root commands! Any recommendations/suggestions would be appreciated. Kind regards, Moshe Moshe Rechtman Technical Support Engineer Red Hat Israel <https://www.redhat.com/> 34 Jerusalem rd. Ra'anana, 43501 *mrechtma@redhat.com <kweg@redhat.com> * T: *+972-9-**7692289 * M: *+972-54-4971516* F: +972-9-7692223 @RedHat <https://twitter.com/redhat> Red Hat <https://www.linkedin.com/company/red-hat> Red Hat <https://www.facebook.com/RedHatInc> <https://red.ht/sig> On Fri, Feb 21, 2020 at 3:53 PM Steve Grubb <sgrubb@redhat.com> wrote: > On Friday, February 21, 2020 2:32:58 AM EST Moshe Rechtman wrote: > > Thanks so much for your help! I've included your suggested filter in > > audit.rules as shown below: > > > > # cat audit.rules1 > > > > 1 # This file contains the auditctl rules that are loaded > > 2 # whenever the audit daemon is started via the initscripts. > > 3 # The rules are simply the parameters that would be passed > > 4 # to auditctl. > > 5 # First rule - delete all > > 6 -D > > 7 # Increase the buffers to survive stress events. > > 8 # Make this bigger for busy systems > > 9 -b 320 > > 10 ### Feel free to add below this line. See auditctl man page > > 11 -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact > > 12 -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact > > 13 -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract > > 14 -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract > > 15 -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k > > rootact > > 16 -a exit,always -F arch=b32 -F euid=0 -F auid!=unset -S execve -k > > rootact > > It won't work this way. You now have 2 sets of rootact. The audit rule > engine > is a first match wins. So, this second set of rules will never trigger. > The > rule I mentioned was supposed to replace the rule in the list. > > > After restarting the auditd service following error received: > > > > # service auditd restart > > Stopping auditd: [ OK ] > > Starting auditd: [ OK ] > > Unknown user: unset > > -F unknown field: auid > > OK. I guess this is really old. Then make it auid=-1 > > -Steve > > > [-- Attachment #1.2: Type: text/html, Size: 7691 bytes --] [-- Attachment #2: Type: text/plain, Size: 102 bytes --] -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Question about excluding rules @ 2020-02-20 23:48 ` Paul Moore 0 siblings, 0 replies; 16+ messages in thread From: Paul Moore @ 2020-02-20 23:48 UTC (permalink / raw) To: Moshe Rechtman; +Cc: linux-audit On Thu, Feb 20, 2020 at 6:37 PM Moshe Rechtman <mrechtma@redhat.com> wrote: > Hello Experts, > > We have a big customer that facing the following issue on RHEL 6.2. > As per customer request I've configured the following rules ... A few things: 1) please try to stick to only plaintext email on this list (no html mail) 2) this mailing list is for the discussion and development of the Linux audit subsystem in the upstream (or close to upstream) code. If you are looking for RHEL, or any other enterprise Linux distro, support please use the appropriate support channels. Thank you. -- paul moore www.paul-moore.com ^ permalink raw reply [flat|nested] 16+ messages in thread
* Re: Question about excluding rules @ 2020-02-20 23:48 ` Paul Moore 0 siblings, 0 replies; 16+ messages in thread From: Paul Moore @ 2020-02-20 23:48 UTC (permalink / raw) To: Moshe Rechtman; +Cc: linux-audit On Thu, Feb 20, 2020 at 6:37 PM Moshe Rechtman <mrechtma@redhat.com> wrote: > Hello Experts, > > We have a big customer that facing the following issue on RHEL 6.2. > As per customer request I've configured the following rules ... A few things: 1) please try to stick to only plaintext email on this list (no html mail) 2) this mailing list is for the discussion and development of the Linux audit subsystem in the upstream (or close to upstream) code. If you are looking for RHEL, or any other enterprise Linux distro, support please use the appropriate support channels. Thank you. -- paul moore www.paul-moore.com -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit ^ permalink raw reply [flat|nested] 16+ messages in thread
end of thread, other threads:[~2020-02-24 0:28 UTC | newest] Thread overview: 16+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2020-02-20 23:36 Question about excluding rules Moshe Rechtman 2020-02-20 23:36 ` Moshe Rechtman 2020-02-20 23:41 ` Steve Grubb 2020-02-20 23:41 ` Steve Grubb 2020-02-21 0:04 ` Moshe Rechtman 2020-02-21 0:04 ` Moshe Rechtman 2020-02-21 0:27 ` Steve Grubb 2020-02-21 0:27 ` Steve Grubb 2020-02-21 7:32 ` Moshe Rechtman 2020-02-21 7:32 ` Moshe Rechtman 2020-02-21 13:53 ` Steve Grubb 2020-02-21 13:53 ` Steve Grubb 2020-02-24 0:27 ` Moshe Rechtman 2020-02-24 0:27 ` Moshe Rechtman 2020-02-20 23:48 ` Paul Moore 2020-02-20 23:48 ` Paul Moore
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.