* Suppress or exclude messages from /var/log/audit.log via audit.rules
From: [Cloud ASIA] Toshihiro Takehara @ 2015-04-03 15:23 UTC (permalink / raw)
To: linux-audit
Hi

My name is Takehara, living in Japan.

I set up audit.rules, and then audit.log became very big.
The reason is that the keepalived daemon and its misc check shell script add some
entries every second.

I want to suppress or exclude these log entries, and I searched for a way, like this:
=> https://www.redhat.com/archives/linux-audit/2011-October/msg00000.html
but I could not find an effective answer.

Could someone please tell me an effective way?
This is the audit.rules below.
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
# Feel free to add below this line. See auditctl man page
-a exit,always -F arch=b64 -F dir=/etc -F success=0 -S open -S truncate
-a exit,always -F arch=b64 -S open -F uid=10
-a exit,always -F arch=b64 -S open -F auid>=500 -F perm=wa
-a exit,never -F arch=x86_64 -S all -F path=/root/mysql_status_check.sh
-a never,exit -F arch=b32 -S open -S openat -F exit=-ENOENT
-a never,exit -F arch=b64 -S open -S openat -F exit=-ENOENT
-w /etc/sudoers -p wa -k sudoers-change
-w /etc/ -p wa
-w /var/lib/mysql -p wa
- keepalived is checking every second.
/usr/sbin/keepalived
- misc check program
/root/mysql_status_check.sh
type=SYSCALL msg=audit(1427989933.878:3632254): arch=c000003e syscall=2
success=yes exit=0 a0=4378a2 a1=2 a2=9 a3=8 items=1 ppid=43118 pid=3379
auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=3 comm="keepalived" exe="/usr/sbin/keepalived" key=(null)
type=SYSCALL msg=audit(1427918414.323:2598129): arch=c000003e syscall=2
success=no exit=-6 a0=4a3155 a1=802 a2=1 a3=7fff4aefd1a0 items=1 ppid=20915
pid=20917 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=3 comm="mysql_status_ch" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1427918414.341:2598135): arch=c000003e syscall=2
success=yes exit=3 a0=f14470 a1=241 a2=1b6 a3=76 items=2 ppid=20916
pid=20947 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=(none) ses=3 comm="mysql_status_ch" exe="/bin/bash" key=(null)
=========================
Cloud ASIA Co., Ltd. [ 株式会社クラウドエイジア ]
Founder & CEO Takehara Toshihiro
〒174-0073
33-14-101, Higashiyama-cho, Itabashi-ku, Tokyo, Japan
TEL: +81-3-6869-2994 FAX: +81-3-6869-3974
Mobile: +81-90-4737-8137
Mobile in Laos: +856-20-5912-2188
http://www.cloud-asia.co.jp
http://www.facebook.com/cloud.asia.japan
takehara@cloud-asia.co.jp
Lao Systems [ ラオシステムズ ]
Founder & CEO Takehara Toshihiro
http://lao-systems.jp/
=========================
* Re: Suppress or exclude messages from /var/log/audit.log via audit.rules
From: Steve Grubb @ 2015-04-03 17:28 UTC (permalink / raw)
To: linux-audit; +Cc: [Cloud ASIA] Toshihiro Takehara
On Saturday, April 04, 2015 12:23:56 AM [Cloud ASIA] Toshihiro Takehara wrote:
> Now I set up audit.rules, then audit.log became very big.
> The reason why is keepalived daemon and it's misc check shell adds some
> entry every seconds.
Typically when logs get too big, it's because of a problem in the rules. There
are also times when a system is misconfigured, and that will cause a flood, too.
> I want to suppress or exclude log entry, and I searched the way like this.
> => https://www.redhat.com/archives/linux-audit/2011-October/msg00000.html
> but I could not get effective answer.
>
> Could you please tell me someone an effective way?
>
>
> This is the audit.rules below.
>
> # First rule - delete all
>
> > -D
> > # Increase the buffers to survive stress events.
> > # Make this bigger for busy systems
> > -b 320
> > # Feel free to add below this line. See auditctl man page
For one thing, your analysis will be easier if you use "keys" to say what the
event represents. For example, why open on uid = 10 and uid >=500? And is 500
the minimal user id, or is 1000 the minimal? Recent distributions have moved to
1000, meaning the rules may need migrating from 500 to 1000.
> > -a exit,always -F arch=b64 -F dir=/etc -F success=0 -S open -S truncate
> > -a exit,always -F arch=b64 -S open -F uid=10
> > -a exit,always -F arch=b64 -S open -F auid>=500 -F perm=wa
The audit system uses unsigned numbers in the rule matching engine. That means
-1 is >=500. So you have to add auid!=4294967295. And why do you want all
opens? Both success and failure? Typically, programs open a lot of non-
existing files giving ENOENT.
> > -a exit,never -F arch=x86_64 -S all -F path=/root/mysql_status_check.sh
> > -a never,exit -F arch=b32 -S open -S openat -F exit=-ENOENT
> > -a never,exit -F arch=b64 -S open -S openat -F exit=-ENOENT
Typically for security auditing, you are interested in the files that the user
is denied access to rather than everything they access. To do this, I'd
recommend:
-a always,exit -F arch=b64 -S open,truncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -F key=failed-access
-a always,exit -F arch=b64 -S open,truncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -F key=failed-access
> > -w /etc/sudoers -p wa -k sudoers-change
> > -w /etc/ -p wa
> > -w /var/lib/mysql -p wa
>
> - keepalived is checking every seconds.
> /usr/sbin/keepalived
> - misc check program
> /root/mysql_status_check.sh
>
> type=SYSCALL msg=audit(1427989933.878:3632254): arch=c000003e syscall=2
> success=yes exit=0 a0=4378a2 a1=2 a2=9 a3=8 items=1 ppid=43118 pid=3379
> auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
> ses=3 comm="keepalived" exe="/usr/sbin/keepalived" key=(null)
This is an open syscall from a program started by a user in session 3. They
used the keepalived program to do it. Is this a daemon or a user program? If
it's a daemon, why does it have an auid and session set? That would be the
source of the problem.
> type=SYSCALL msg=audit(1427918414.323:2598129): arch=c000003e syscall=2
> success=no exit=-6 a0=4a3155 a1=802 a2=1 a3=7fff4aefd1a0 items=1 ppid=20915
> pid=20917 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) ses=3 comm="mysql_status_ch" exe="/bin/bash" key=(null)
Same issue different program.
> type=SYSCALL msg=audit(1427918414.341:2598135): arch=c000003e syscall=2
> success=yes exit=3 a0=f14470 a1=241 a2=1b6 a3=76 items=2 ppid=20916
> pid=20947 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) ses=3 comm="mysql_status_ch" exe="/bin/bash" key=(null)
This seems to be a user program. But again, why do you want all open syscalls?
-Steve
* Re: Suppress or exclude messages from /var/log/audit.log via audit.rules
From: Steve Grubb @ 2015-04-04 14:47 UTC (permalink / raw)
To: linux-audit; +Cc: [Cloud ASIA] Toshihiro Takehara
On Saturday, April 04, 2015 12:23:56 AM [Cloud ASIA] Toshihiro Takehara wrote:
> This is the audit.rules below.
>
> # First rule - delete all
>
> > -D
> > # Increase the buffers to survive stress events.
> > # Make this bigger for busy systems
> > -b 320
> > # Feel free to add below this line. See auditctl man page
> > -a exit,always -F arch=b64 -F dir=/etc -F success=0 -S open -S truncate
> > -a exit,always -F arch=b64 -S open -F uid=10
> > -a exit,always -F arch=b64 -S open -F auid>=500 -F perm=wa
> > -a exit,never -F arch=x86_64 -S all -F path=/root/mysql_status_check.sh
> > -a never,exit -F arch=b32 -S open -S openat -F exit=-ENOENT
> > -a never,exit -F arch=b64 -S open -S openat -F exit=-ENOENT
> > -w /etc/sudoers -p wa -k sudoers-change
> > -w /etc/ -p wa
> > -w /var/lib/mysql -p wa
One thing I forgot to mention yesterday is that the kernel rule matching
engine works from top to bottom. That means "never" should probably be before
"always" when they both cover the same syscall and the "never" is a subset of
the possible selections of the "always" rule.
-Steve
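The following Python script is an added example, not code from this thread or from the audit project. It models the kernel's exit-filter matching just closely enough to replay the three points made in Steve's replies: the unsigned comparison that makes `-F auid>=500` match an unset login uid (4294967295) until `-F auid!=4294967295` is added, the top-to-bottom, first-match-wins ordering that makes a `never` rule useless when it sits after a broader `always` rule, and the recommended failed-access rules. Two SYSCALL records are copied from the original post; the records with auid=4294967295 or with exit=-2 / exit=-13, and the key name `user-open`, are constructed for the example. The model covers only the rule fields the thread uses (arch, -S, auid, uid, exit, key); `-F path`, `-F dir` and `-F perm` need the PATH records, which the post does not include, so they are left out.

```python
"""Toy model of the Linux audit exit filter (added example, not from the thread or the audit project)."""
import re

UNSET_AUID = 0xFFFFFFFF          # (unsigned)-1: auid of a process never attached to a login session
AUDIT_ARCH_X86_64 = 0xC000003E   # arch= in the posted records; "b64" / "x86_64" in rules
SYSCALL_NR = {"open": 2, "openat": 257, "truncate": 76, "creat": 85, "open_by_handle_at": 304}
ERRNO = {"ENOENT": 2, "EACCES": 13, "EPERM": 1}

def parse_record(line):
    """Split the key=value pairs of a type=SYSCALL line into a dict (ints where numeric)."""
    rec = {}
    for key, val in re.findall(r'(\w+)=("[^"]*"|\S+)', line):
        val = val.strip('"')
        rec[key] = int(val, 16) if key == "arch" else int(val) if re.fullmatch(r"-?\d+", val) else val
    return rec

def parse_rule(text):
    """Parse an auditctl -a line into (action, syscall names, [(field, op, value), ...])."""
    toks = text.split()
    action, syscalls, filters = None, set(), []
    for flag, arg in zip(toks[::2], toks[1::2]):
        if flag == "-a":                  # auditctl accepts both "always,exit" and "exit,always"
            action = "always" if "always" in arg.split(",") else "never"
        elif flag == "-S":
            syscalls.update(arg.split(","))
        elif flag == "-F":
            filters.append(re.fullmatch(r"(\w+)(>=|<=|!=|>|<|=)(.+)", arg).groups())
    return action, syscalls, filters

def filter_matches(rec, field, op, val):
    if field == "key":                    # -F key / -k only labels the event
        return True
    if field == "arch":
        return (val in ("b64", "x86_64")) == (rec["arch"] == AUDIT_ARCH_X86_64)
    if field == "exit" and val.startswith("-E"):
        val = -ERRNO[val[1:]]             # -ENOENT -> -2, as auditctl translates it
    # the kernel compares uids and return codes as unsigned 32-bit values, so -1 is 4294967295
    left, right = int(rec[field]) & 0xFFFFFFFF, int(val) & 0xFFFFFFFF
    return {"=": left == right, "!=": left != right, ">=": left >= right,
            "<=": left <= right, ">": left > right, "<": left < right}[op]

def first_match(rules, rec):
    """Kernel semantics: the exit list is walked top to bottom and the first match wins.
    Returns 'always' (logged), 'never' (suppressed) or None (nothing matched: not logged)."""
    name = next((n for n, nr in SYSCALL_NR.items() if nr == rec["syscall"]), None)
    for text in rules:
        action, syscalls, filters = parse_rule(text)
        if ("all" in syscalls or name in syscalls) and all(filter_matches(rec, *f) for f in filters):
            return action
    return None

# Two of the records from the original post, joined back onto one line each.
POSTED = [
    'type=SYSCALL msg=audit(1427989933.878:3632254): arch=c000003e syscall=2 success=yes exit=0 '
    'a0=4378a2 a1=2 a2=9 a3=8 items=1 ppid=43118 pid=3379 auid=501 uid=0 gid=0 euid=0 suid=0 '
    'fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="keepalived" exe="/usr/sbin/keepalived" key=(null)',
    'type=SYSCALL msg=audit(1427918414.323:2598129): arch=c000003e syscall=2 success=no exit=-6 '
    'a0=4a3155 a1=802 a2=1 a3=7fff4aefd1a0 items=1 ppid=20915 pid=20917 auid=501 uid=0 gid=0 euid=0 '
    'suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="mysql_status_ch" exe="/bin/bash" key=(null)',
]

def constructed(auid, ses, exit_code, comm, exe):
    """Build a constructed record (not from the thread) in the same format as the posted ones."""
    return (f'type=SYSCALL msg=audit(1427989934.000:1): arch=c000003e syscall=2 '
            f'success={"yes" if exit_code >= 0 else "no"} exit={exit_code} items=1 ppid=1 pid=900 '
            f'auid={auid} uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) '
            f'ses={ses} comm="{comm}" exe="{exe}" key=(null)')

INIT_DAEMON = constructed(UNSET_AUID, UNSET_AUID, 0, "keepalived", "/usr/sbin/keepalived")  # as init starts it
SCRIPT_ENOENT = constructed(501, 3, -2, "mysql_status_ch", "/bin/bash")
SCRIPT_EACCES = constructed(501, 3, -13, "mysql_status_ch", "/bin/bash")
USER_OPEN = "-a always,exit -F arch=b64 -S open -F auid>=500 -F key=user-open"   # key name assumed
FAILED_ACCESS = [("-a always,exit -F arch=b64 -S open,truncate,creat,openat,open_by_handle_at "
                  f"-F exit=-{err} -F auid>=500 -F auid!=4294967295 -F key=failed-access")
                 for err in ("EACCES", "EPERM")]               # the two rules from the first reply

def auid_demo():
    """Unsigned compare: auid>=500 on its own also matches auid=4294967295 (unset)."""
    rec = parse_record(INIT_DAEMON)
    return first_match([USER_OPEN], rec), first_match([USER_OPEN + " -F auid!=4294967295"], rec)

def ordering_demo():
    """First match wins: a 'never' rule placed after a broader 'always' rule never fires."""
    never = "-a never,exit -F arch=b64 -S open,openat -F exit=-ENOENT"
    rec = parse_record(SCRIPT_ENOENT)
    return first_match([USER_OPEN, never], rec), first_match([never, USER_OPEN], rec)

def failed_access_demo():
    """The recommended rules keep the EACCES failure and drop the posted (noisy) records."""
    return [first_match(FAILED_ACCESS, parse_record(r)) for r in (SCRIPT_EACCES, *POSTED)]

def login_session_processes(lines):
    """Processes carrying a real auid/ses: a daemon listed here was started from someone's
    login session rather than by init, which is the diagnosis in the first reply."""
    recs = map(parse_record, lines)
    return sorted({(r["exe"], r["auid"], r["ses"]) for r in recs if r["auid"] != UNSET_AUID})

if __name__ == "__main__":
    print("auid>=500 alone / with auid!=4294967295:", auid_demo())        # ('always', None)
    print("never after always / never first:", ordering_demo())           # ('always', 'never')
    print("failed-access rules:", failed_access_demo())                   # ['always', None, None]
    print("login-session processes:", login_session_processes(POSTED + [INIT_DAEMON]))
```

The script never touches the kernel; on a live system the equivalent checks are `auditctl -l`, which prints the loaded rules in the order the kernel evaluates them, and `ausearch -k failed-access`, which pulls out only the events that carry the key.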
* Re: Suppress or exclude messages from /var/log/audit.log via audit.rules
From: [Cloud ASIA] Toshihiro Takehara @ 2015-04-14 14:42 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Dear Steve,

Thank you very much for the many suggestions.
I apologize for the late response.
The messages you gave me were helpful, so I was able to resolve the problems.

Best Regards,
Toshihiro Takehara