From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "Bhagwat, Shriniketan Manjunath" <shriniketan.bhagwat@hpe.com>
Subject: Re: Audit reporting Invalid argument
Date: Mon, 09 May 2016 09:50:17 -0400
Message-ID: <10236212.OL7rdstKfk@x2>
In-Reply-To: <8FC6AD31395616439ECBCD98E071A87F4BF14ED7@G4W3202.americas.hpqcorp.net>

On Monday, May 09, 2016 01:40:58 PM Bhagwat, Shriniketan Manjunath wrote:
> I am trying to monitor multiple files using Linux audit. In order to get
> better performance, I am trying to reduce number of rules. If I specify
> more than one path field  as in below example I am getting "Invalid
> argument".
> 
> Example 1:
> # auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F path=/home/secpack/test -S open
> Error sending add rule data request (Invalid argument)
>
> # auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F dir=/tmp/ -S open
> Error sending add rule data request (Invalid argument)
> 
> However, I am able to create a single rule to monitor multiple PIDs or UIDs
> as below.
> 
> Example 2:
> # auditctl -a always,exit -F arch=x86_64 -F pid=3526 -F pid=3537
> # auditctl -a always,exit -F arch=x86_64 -F auid=0 -F auid=512 -F auid=1002

Which will produce no events due to the anding you mention below. Something 
cannot have both pid 3526 and 3537.

> As per the auditctl man page, "Build a rule field" takes up to 64 fields on a
> single command line. Each one must start with -F. Each field equation is
> anded with each other to trigger an audit record. My questions are:
> 1. Is specifying more than one path field, as in Example 1, valid?

Nope.

> 2. If not valid, then how do I create a single audit rule to monitor multiple
> files/directories?

They need to be separate rules. You can also recursively watch a directory 
with 'dir'.

> 3. If valid, then why is "Invalid argument" reported?
> 4. To monitor 10 files, are 10 audit rules required?

Possibly.

> 5. If 10 rules are required, how do I optimize the rules for performance?

The filesystem watches are very efficient. You can probably put 100 watches on 
random files and you will not be able to see any performance hit unless they 
are actually triggered. Syscall rules, on the other hand, do affect performance.

> My next question is does Linux audit support regular expressions?

No. The kernel pretty much wants things to be numbers rather than strings.

> How do I create audit rule to monitor /var/log/*.log?

-a always,exit -F dir=/var/log/audit/ -F perm=wa -F key=write-audit-log

-Steve

> # auditctl -a always,exit -F arch=x86_64 -F path=^/var/log/*.log$  -S open
> Error sending add rule data request (Invalid argument)
> 
> If my questions are already documented, please guide me to the
> documentation.
> 
> Regards,
> Ketan
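
An added example, not code from this thread or from the audit-userspace project: a POSIX shell helper that generates a rules-file fragment the way Steve's reply describes. It emits one rule per file (a rule carrying two path= fields is rejected with "Invalid argument", as in Example 1), emits the recursive dir= watch form from the reply as the substitute for a glob, and checks every rule for the two mistakes discussed above: more than one path=/dir= field, or the same identity field (pid, auid, ...) given twice, which is anded and can therefore never match. The key names, the use of arch=b64 in place of arch=x86_64, and the idea of saving the output under /etc/audit/rules.d/ are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or from audit-userspace. Produces an
# audit rules-file fragment that respects "one path= or dir= per rule" and
# refuses rules whose anded fields can never all be true at once.
# Key names, arch=b64 and the rules.d deployment path are assumptions.

# count_field NAME RULE -> number of "-F NAME=value" equality fields in RULE.
# Only exact "NAME=" prefixes count, so auid= and euid= do not match uid=,
# and comparisons such as auid!=0 are not counted.
count_field() {
    printf '%s\n' "$2" | awk -v f="$1" '
        { n = 0
          for (i = 1; i <= NF; i++) if (index($i, f "=") == 1) n++
          print n }'
}

# validate_rule RULE -> 0 if the rule passes the checks below, 1 otherwise
# (the reason goes to stderr).
validate_rule() {
    rule=$1
    # Check 1: auditctl returns EINVAL for a second path=/dir= field.
    paths=$(( $(count_field path "$rule") + $(count_field dir "$rule") ))
    if [ "$paths" -gt 1 ]; then
        echo "reject: more than one path=/dir= field (auditctl reports Invalid argument)" >&2
        return 1
    fi
    # Check 2: fields are anded, so "pid=A pid=B" is accepted but never fires.
    for f in pid ppid auid uid euid gid egid; do
        if [ "$(count_field "$f" "$rule")" -gt 1 ]; then
            echo "reject: $f= given twice; anded fields can never both match" >&2
            return 1
        fi
    done
    return 0
}

# emit_file_rules KEY PATH... -> one rule per file instead of one rule with
# several path= fields. perm=wa restricts it to writes and attribute changes.
emit_file_rules() {
    key=$1; shift
    for p in "$@"; do
        printf -- '-a always,exit -F arch=b64 -F path=%s -F perm=wa -F key=%s\n' "$p" "$key"
    done
}

# emit_dir_rule KEY DIR -> a single recursive directory watch (the dir= form
# from the reply). It covers every file under DIR, which is the closest thing
# to /var/log/*.log that the kernel filter offers.
emit_dir_rule() {
    printf -- '-a always,exit -F dir=%s -F perm=wa -F key=%s\n' "$2" "$1"
}

# generate_rules -> the fragment for the paths from the original question,
# validating each line before it is emitted.
generate_rules() {
    {
        emit_file_rules watch-secpack /home/secpack/test.c /home/secpack/test
        emit_dir_rule write-audit-log /var/log/audit/
    } | while IFS= read -r line; do
        validate_rule "$line" && printf '%s\n' "$line"
    done
}

generate_rules
```

Run it and redirect the output into a file under /etc/audit/rules.d/ (the path is an assumption), then load it with `augenrules --load`; each emitted line is exactly what auditctl would accept, and the validator rejects the two shapes from Examples 1 and 2 before they ever reach the kernel.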
