From: Steve Grubb <sgrubb@redhat.com>
To: Moshe Rechtman <mrechtma@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: Question about excluding rules
Date: Thu, 20 Feb 2020 19:27:34 -0500
Message-ID: <3341724.7X2qyikPX2@x2>
In-Reply-To: <CAM5ObRF7HEK2qyCX+bbW_CTVwuEbmrCJVKg9mHQZkHUcJXRWwA@mail.gmail.com>

Hello,

On Thursday, February 20, 2020 7:04:37 PM EST Moshe Rechtman wrote:
> Those particular logs are generated by a third-party monitoring application
> named Microfocus, which keeps running the "ps -auxwwww" command and quickly
> filling up the audit log.

It looks like this is a daemon since auid is -1. So, I'd suggest that the 
rule be something like:

-a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact

This will not filter just that one item; it will filter all execution by all 
daemons.

-Steve

> > On Thursday, February 20, 2020 6:36:46 PM EST Moshe Rechtman wrote:
> > > $ cat audit.rules
> > > 
> > > # This file contains the auditctl rules that are loaded
> > > # whenever the audit daemon is started via the initscripts.
> > > # The rules are simply the parameters that would be passed
> > > # to auditctl.
> > > 
> > > # First rule - delete all
> > > -D
> > > 
> > > # Increase the buffers to survive stress events.
> > > # Make this bigger for busy systems
> > > -b 320
> > > 
> > > # Feel free to add below this line. See auditctl man page
> > > 
> > > -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
> > > -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
> > > -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
> > > -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
> > > 
> > > 
> > > Audit started working as expected. Now the customer is asking to
> > > exclude/ignore the following from the audit logs:
> > > 
> > > type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e
> > > syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20
> > > a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266
> > > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > > fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash"
> > > key="rootact"
> > > type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c"
> > > a2=2F62696E2F70732061757877777777
> > > type=CWD msg=audit(1581664357.597:257516):
> > > cwd="/opt/microfocus/Discovery/bin" type=PATH
> > > msg=audit(1581664357.597:257516): item=0 name="/bin/sh" inode=398
> > > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > > nametype=NORMAL
> > > type=PATH msg=audit(1581664357.597:257516): item=1 name=(null)
> > > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > > nametype=NORMAL
> > > 
> > > type=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e syscall=59
> > > success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2
> > > ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps"
> > > exe="/bin/ps" key="rootact"
> > > type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps"
> > > a1="auxwwww" type=CWD msg=audit(1581664357.601:257517):
> > > cwd="/opt/microfocus/Discovery/bin" type=PATH
> > > msg=audit(1581664357.601:257517): item=0 name="/bin/ps" inode=1451
> > > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > > nametype=NORMAL
> > > type=PATH msg=audit(1581664357.601:257517): item=1 name=(null)
> > > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > > nametype=NORMAL
> > > 
> > > What would be the best way to exclude such audit?
> > > Your help would be much appreciated.
> > 
> > What's objectionable about these events? The fact that it's got a key says
> > they think they wanted it.
> > 
> > -Steve
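An added example (not code from this thread or from the audit project) that replays the records quoted above through both rules: it parses the SYSCALL lines, decodes the hex-encoded EXECVE argument, and checks which events each rule's -F conditions would keep. It assumes x86_64 (arch=b64 is AUDIT_ARCH_X86_64, printed as c000003e; execve is syscall 59), takes auditctl's `unset` as 4294967295, which is how an auid of -1 prints in the records, and adds one constructed SYSCALL record (serial 999999, auid=1000) for a logged-in root session so the difference between the rules is visible. The rule parser only understands the -F and -S options used in the thread.

```python
"""Replay audit SYSCALL records through two auditctl execve rules.

Added example for the linux-audit thread above; not project code.
"""
import re

AUDIT_ARCH_X86_64 = "c000003e"   # arch= value printed in SYSCALL records on x86_64
SYSCALL_EXECVE_X86_64 = 59       # execve on x86_64
UNSET_AUID = 4294967295          # auid of a process with no login session (-1 as u32)

# The two rules discussed in the thread.
RULE_ORIGINAL = "-a exit,always -F arch=b64 -F euid=0 -S execve -k rootact"
RULE_SUGGESTED = "-a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact"

# Sample input: the SYSCALL/EXECVE records quoted in the thread, plus one
# constructed record (serial 999999, auid=1000) for an interactive root shell.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20 a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" key="rootact"
type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c" a2=2F62696E2F70732061757877777777
type=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e syscall=59 success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2 ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" key="rootact"
type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps" a1="auxwwww"
type=SYSCALL msg=audit(1581664400.000:999999): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=4 items=2 ppid=4000 pid=4001 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" key="rootact"
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')
COND_RE = re.compile(r'^(\w+)(!=|>=|<=|=|>|<)(.+)$')
HEX_RE = re.compile(r'^(?:[0-9A-F]{2})+$')
OPS = {
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
}


def parse_record(line):
    """Split one audit record into a dict of field -> raw value (quotes kept)."""
    return {key: value for key, value in FIELD_RE.findall(line)}


def serial_of(record):
    """Event serial from msg=audit(<time>:<serial>): ; ties SYSCALL to EXECVE."""
    return re.search(r'audit\([\d.]+:(\d+)\)', record["msg"]).group(1)


def decode_execve_args(record):
    """Rebuild argv from an EXECVE record. Quoted a<N> values are literal;
    unquoted ones are hex-encoded bytes (audit does this for arguments that
    contain spaces or control characters), as with a2 in the first event."""
    argv = []
    for i in range(int(record["argc"])):
        raw = record[f"a{i}"]
        if raw.startswith('"'):
            argv.append(raw.strip('"'))
        elif HEX_RE.match(raw):
            argv.append(bytes.fromhex(raw).decode("utf-8", "replace"))
        else:
            argv.append(raw)
    return argv


def parse_rule(rule):
    """Turn the -F and -S options of an auditctl rule into (field, op, value)
    conditions in SYSCALL-record terms. Assumes x86_64 for arch=b64/-S execve."""
    tokens = rule.split()
    conds = []
    for i, tok in enumerate(tokens):
        if tok == "-F":
            field, op, value = COND_RE.match(tokens[i + 1]).groups()
            if field == "arch":
                value = {"b64": AUDIT_ARCH_X86_64}[value]
            elif value == "unset":
                value = UNSET_AUID
            conds.append((field, op, value))
        elif tok == "-S":
            conds.append(("syscall", "=", {"execve": SYSCALL_EXECVE_X86_64}[tokens[i + 1]]))
    return conds


def rule_matches(rule, record):
    """True if every -F/-S condition of the rule holds for the SYSCALL record."""
    for field, op, value in parse_rule(rule):
        actual = record.get(field)
        if actual is None:
            return False
        try:                      # numeric compare when both sides are integers
            a, b = int(actual), int(value)
        except ValueError:        # otherwise compare as strings (arch=c000003e)
            a, b = actual, str(value)
        if not OPS[op](a, b):
            return False
    return True


def matching_serials(rule, log=SAMPLE_LOG):
    """Serials of the SYSCALL events the rule would have recorded."""
    return [serial_of(rec) for rec in map(parse_record, log.splitlines())
            if rec.get("type") == "SYSCALL" and rule_matches(rule, rec)]


if __name__ == "__main__":
    for name, rule in (("original", RULE_ORIGINAL), ("suggested", RULE_SUGGESTED)):
        print(f"{name:9s} rule records events: {matching_serials(rule)}")
    for line in SAMPLE_LOG.splitlines():
        rec = parse_record(line)
        if rec["type"] == "EXECVE":
            print(serial_of(rec), "argv:", decode_execve_args(rec))
```

Running it shows the original rule keeping all three execve events (257516, 257517 and the constructed 999999), while the suggested `auid!=unset` rule keeps only the session-bound one, which is exactly the "all execution by all daemons" effect the reply describes. The decoded a2 of event 257516 is `/bin/ps auxwwww`, the command the monitoring agent runs through `sh -c`.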

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit