* questions about auditing on a new RH 6 box
@ 2011-01-14 16:21 Tangren, Bill
  2011-01-14 16:42 ` Eric Paris
  0 siblings, 1 reply; 16+ messages in thread
From: Tangren, Bill @ 2011-01-14 16:21 UTC (permalink / raw)
  To: linux-audit@redhat.com



I have a new VM running RH 6 server. I put some audit.rules in place, and
now I notice that I am getting 11 MB of audit log entries every half hour.
This server has no users or services running. I am trying to use
audit-viewer to determine which of my rules is creating so much log traffic,
but I don't understand the output enough to be able to tell. The version of
audit is 2.0.4-1 (64 bit). 

Is this the correct forum to ask this question? 

If so, I can provide the audit rules and some of the logs.

---
Bill Tangren
IAM
U.S. Naval Observatory, Washington






* Re: questions about auditing on a new RH 6 box
  2011-01-14 16:21 questions about auditing on a new RH 6 box Tangren, Bill
@ 2011-01-14 16:42 ` Eric Paris
  2011-01-14 17:23   ` Tangren, Bill
  0 siblings, 1 reply; 16+ messages in thread
From: Eric Paris @ 2011-01-14 16:42 UTC (permalink / raw)
  To: Tangren, Bill; +Cc: linux-audit@redhat.com

On Fri, 2011-01-14 at 16:21 +0000, Tangren, Bill wrote:
> I have a new VM running RH 6 server. I put some audit.rules in place, and
> now I notice that I am getting 11 MB of audit log entries every half hour.
> This server has no users or services running. I am trying to use
> audit-viewer to determine which of my rules is creating so much log traffic,
> but I don't understand the output enough to be able to tell. The version of
> audit is 2.0.4-1 (64 bit). 
> 
> Is this the correct forum to ask this question? 
> 
> If so, I can provide the audit rules and some of the logs.

This is probably the best forum there is.  Let us know your troubles.

-Eric


* RE: questions about auditing on a new RH 6 box
  2011-01-14 16:42 ` Eric Paris
@ 2011-01-14 17:23   ` Tangren, Bill
  2011-01-14 17:35     ` LC Bruzenak
  0 siblings, 1 reply; 16+ messages in thread
From: Tangren, Bill @ 2011-01-14 17:23 UTC (permalink / raw)
  To: linux-audit@redhat.com



-----Original Message-----
From: Eric Paris [mailto:eparis@redhat.com] 
Sent: Friday, January 14, 2011 11:42 AM
To: Tangren, Bill
Cc: linux-audit@redhat.com
Subject: Re: questions about auditing on a new RH 6 box

On Fri, 2011-01-14 at 16:21 +0000, Tangren, Bill wrote:
> I have a new VM running RH 6 server. I put some audit.rules in place, and
> now I notice that I am getting 11 MB of audit log entries every half hour.
> This server has no users or services running. I am trying to use
> audit-viewer to determine which of my rules is creating so much log traffic,
> but I don't understand the output enough to be able to tell. The version of
> audit is 2.0.4-1 (64 bit). 
> 
> Is this the correct forum to ask this question? 
> 
> If so, I can provide the audit rules and some of the logs.

This is probably the best forum there is.  Let us know your troubles.

-Eric


OK, here goes. These are the audit rules. And before you read them, please don't shoot the messenger. This is what I was told to audit, according to regulations. If it is misconfigured, or if something causes excessive logging to no good purpose, I can modify them some. I've used these rules on RH 5 systems with no problems. Also, I've left in the comments.

***********************
-f 2

# Ensures that any access or modifications to the password file is audited
-w /etc/passwd -p rwa

# Ensures that any access or modifications to the shadow file is audited
-w /etc/shadow -p rwa

# Ensures that any reads of the audit log by the current user that's logged is
# audited. It might be beneficial to create a rule for each of the 5 logs
# that are generated.
-w /var/log/audit/audit.log -k LOG_audit

# Ensures that the user who is logged in and fails to access a file or process
# is audited. Note: this will prevent kernel panics if you have a web server running
# because it will not log apache file accesses
-a exit,always -F arch=b64 -S open -S openat -F exit=EACCES -F uid!=apache -k access
-a exit,always -F arch=b64 -S open -S openat -F exit=EPERM -F uid!=apache -k access

# Ensures that any user who fails to change permissions of a file or directory is
# audited
-a exit,always -F arch=b64 -S chmod -S lchown -S chown -F success=0  -F exit!=-11

# Ensures that any user who mounts or unmounts a device is audited

# ensures that mounting and dismounting are audited
-a exit,always -F arch=b64 -S mount -S umount2

# Ensures that when anything is written to CD or DVD is audited
# This rule MUST be edited to reflect the device path that is specific to
# the system that the rules are being written for.
-w /dev/cdrom -p w

# AUDITING THE EXECVE FUNCTION
# Ensures any user that properly executes a process is audited.
# Since the open command is being audited, this rule causes
# redundancy. Since any command must be opened prior to execution, with this
# in affect, the system will have duplicate entries for every time something is
# executed. This is noted in case the desire to audit both comes up.
-a exit,always -F arch=b64 -S execve -F auid=-1 -F success=0

# AUDITING SHUTDOWNS AND REBOOTS
# Red Hat ensures auditing whenever the reboot command is sent to the kernel
-a exit,always -F arch=b64 -S socket -F a0=13

# AUDITING THE ROOT DIRECTORY IN FEDORA
# Ensures auditing of any unauthorized access to roots home directory.
-w /root -p rw -F uid!=0

# AUDITING THE ROOT DIRECTORY IN FEDORA
# Ensures auditing of any failed unauthorized access to roots home directory.
-w /root -p rw -F uid!=0 -F success=0

#Auditing configuration changes to the audit.conf and audit.rules files
-w /etc/audit.conf -k wa
-w /etc/audit.rules -k wa

#Ensure that the following system calls are audited for the current logged in
#user and for root

-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=0 -F exit!=-11
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F exit!=-11

#Ensure that failed attempts at using the following system calls are audited
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=1 -F exit!=-11

#Ensure that failed deletion of files and processes by anyone is audited
-a exit,always -F arch=b64 -S rmdir -S unlink -F success=0 -F exit!=-11

#Ensure that failed use of the following system calls is audited
-a exit,always -F arch=b64 -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=0 -F auid=0 -F exit!=-11
-a exit,always -F arch=b64 -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=0 -F auid=-1 -F exit!=-11

#Ensure that successful use of the following system calls is audited
-a exit,always -F arch=b64 -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=1 -F auid=0 -F exit!=-11
-a exit,always -F arch=b64 -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=1 -F auid=-1 -F exit!=-11

#Ensure that failed use of the following system calls is audited
-a exit,always -F arch=b64 -S quotactl -S mount -S kill -S chroot -F success=0 -F auid=0 -F exit!=-11
-a exit,always -F arch=b64 -S quotactl -S mount -S kill -S chroot -F success=0 -F auid=-1 -F exit!=-11

#Ensure that successful use of the following system calls is audited
-a exit,always -F arch=b64 -S quotactl -S mount -S kill -S chroot -F success=1 -F auid=0 -F exit!=-11
-a exit,always -F arch=b64 -S quotactl -S mount -S kill -S chroot -F success=1 -F auid=-1 -F exit!=-11

#Ensure that when a failed login is recorded by syslog to the faillog file is
#audited
-w /var/log/faillog -k wa
-w /var/log/lastlog -k wa

#Ensure that when a login in recorded by syslog to the appropriate file is
#audited
-w /var/log/wtmp -k wa


* RE: questions about auditing on a new RH 6 box
  2011-01-14 17:23   ` Tangren, Bill
@ 2011-01-14 17:35     ` LC Bruzenak
  2011-01-14 17:56       ` Tangren, Bill
                         ` (2 more replies)
  0 siblings, 3 replies; 16+ messages in thread
From: LC Bruzenak @ 2011-01-14 17:35 UTC (permalink / raw)
  To: Tangren, Bill; +Cc: linux-audit@redhat.com

Probably can use a sampling of events as well.

LCB

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com


* RE: questions about auditing on a new RH 6 box
  2011-01-14 17:35     ` LC Bruzenak
@ 2011-01-14 17:56       ` Tangren, Bill
  2011-01-14 18:39         ` LC Bruzenak
  2011-01-14 18:10       ` Tangren, Bill
  2011-01-14 18:58       ` Steve Grubb
  2 siblings, 1 reply; 16+ messages in thread
From: Tangren, Bill @ 2011-01-14 17:56 UTC (permalink / raw)
  To: linux-audit@redhat.com



-----Original Message-----
From: LC Bruzenak [mailto:lenny@magitekltd.com] 
Sent: Friday, January 14, 2011 12:35 PM
To: Tangren, Bill
Cc: linux-audit@redhat.com
Subject: RE: questions about auditing on a new RH 6 box

Probably can use a sampling of events as well.

LCB

-- 
LC (Lenny) Bruzenak
lenny@magitekltd.com


This is an example of what I see in audit-viewer:

There are LOTS of the following:

01/14/2011 11:44:29 type=SYSCALL, arch=x86_64, syscall=mknod, success=yes, exit=0, a0-3=[hex numbers that vary), auid=bill.tangren, comm=escd, egid=bill.tangren, euid=bill.tangren, exe=/usr/lib64/esc-1.1.0/escd, fsgid= bill.tangren, fsuid= bill.tangren, gid=bill.tangren, items=2, key=null, sgid=bill.tangren, subject=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023, tty=none, uid=bill.tangren

There are also some like this, but syscall=open instead.


During this time, I am logged in to a GUI, but the screensaver has activated, and I am doing nothing. No one else has an account. 

Bill


* RE: questions about auditing on a new RH 6 box
  2011-01-14 17:35     ` LC Bruzenak
  2011-01-14 17:56       ` Tangren, Bill
@ 2011-01-14 18:10       ` Tangren, Bill
  2011-01-14 19:12         ` Steve Grubb
  2011-01-14 18:58       ` Steve Grubb
  2 siblings, 1 reply; 16+ messages in thread
From: Tangren, Bill @ 2011-01-14 18:10 UTC (permalink / raw)
  To: linux-audit@redhat.com



-----Original Message-----
From: LC Bruzenak [mailto:lenny@magitekltd.com]
Sent: Friday, January 14, 2011 12:35 PM
To: Tangren, Bill
Cc: linux-audit@redhat.com
Subject: RE: questions about auditing on a new RH 6 box

Probably can use a sampling of events as well.

LCB

--
LC (Lenny) Bruzenak
lenny@magitekltd.com

Here are more logs (from /var/log/audit/audit.log):

type=CWD msg=audit(1295028176.635:718007):  cwd="/usr/lib64/esc-1.1.0"
type=PATH msg=audit(1295028176.635:718007): item=0 name="/var/run/pcscd.events/" inode=105 dev=fd:03 mode=041733 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pcscd_var_run_t:s0
type=PATH msg=audit(1295028176.635:718007): item=1 name="/var/run/pcscd.events/event.28372.17008539" inode=204 dev=fd:03 mode=010644 ouid=500 ogid=500 rdev=00:00 obj=unconfined_u:object_r:pcscd_var_run_t:s0
type=SYSCALL msg=audit(1295028177.287:718008): arch=c000003e syscall=133 success=yes exit=0 a0=7f5828f08bf0 a1=11a4 a2=0 a3=ffffffeb items=2 ppid=1 pid=28374 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=139 comm="escd" exe="/usr/lib64/esc-1.1.0/escd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1295028177.287:718008):  cwd="/usr/lib64/esc-1.1.0"
type=PATH msg=audit(1295028177.287:718008): item=0 name="/var/run/pcscd.events/" inode=105 dev=fd:03 mode=041733 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pcscd_var_run_t:s0
type=PATH msg=audit(1295028177.287:718008): item=1 name="/var/run/pcscd.events/event.28372.17008539" inode=204 dev=fd:03 mode=010644 ouid=500 ogid=500 rdev=00:00 obj=unconfined_u:object_r:pcscd_var_run_t:s0
type=SYSCALL msg=audit(1295028177.742:718009): arch=c000003e syscall=2 success=yes exit=3 a0=7fff05d84891 a1=0 a2=0 a3=60 items=1 ppid=28453 pid=29995 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=139 comm="tail" exe="/usr/bin/tail" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="LOG_audit"
type=CWD msg=audit(1295028177.742:718009):  cwd="/root"
type=PATH msg=audit(1295028177.742:718009): item=0 name="/var/log/audit/audit.log" inode=203 dev=fd:03 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:auditd_log_t:s0
type=SYSCALL msg=audit(1295028177.939:718010): arch=c000003e syscall=133 success=yes exit=0 a0=7f5828f08bf0 a1=11a4 a2=0 a3=ffffffeb items=2 ppid=1 pid=28374 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=139 comm="escd" exe="/usr/lib64/esc-1.1.0/escd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1295028177.939:718010):  cwd="/usr/lib64/esc-1.1.0"
type=PATH msg=audit(1295028177.939:718010): item=0 name="/var/run/pcscd.events/" inode=105 dev=fd:03 mode=041733 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pcscd_var_run_t:s0
type=PATH msg=audit(1295028177.939:718010): item=1 name="/var/run/pcscd.events/event.28372.17008539" inode=204 dev=fd:03 mode=010644 ouid=500 ogid=500 rdev=00:00 obj=unconfined_u:object_r:pcscd_var_run_t:s0

I think that some of this is capturing that I was using the tail command to capture some of the logs to email to myself to post here. Obviously that isn't typical, but hopefully there is some useful information here. Oh, and my uid and gid are both 500.

Bill


* RE: questions about auditing on a new RH 6 box
  2011-01-14 17:56       ` Tangren, Bill
@ 2011-01-14 18:39         ` LC Bruzenak
  2011-01-14 19:04           ` Tangren, Bill
  0 siblings, 1 reply; 16+ messages in thread
From: LC Bruzenak @ 2011-01-14 18:39 UTC (permalink / raw)
  To: Tangren, Bill; +Cc: linux-audit@redhat.com

On Fri, 2011-01-14 at 17:56 +0000, Tangren, Bill wrote:
> 
> There are LOTS of the following:
> 
> 01/14/2011 11:44:29 type=SYSCALL, arch=x86_64, syscall=mknod,
> success=yes, exit=0, a0-3=[hex numbers that vary), auid=bill.tangren,
> comm=escd, egid=bill.tangren, euid=bill.tangren,
> exe=/usr/lib64/esc-1.1.0/escd, fsgid= bill.tangren, fsuid=
> bill.tangren, gid=bill.tangren, items=2, key=null, sgid=bill.tangren,
> subject=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023,
> tty=none, uid=bill.tangren
> 
> There are also some like this, but syscall=open instead.
> 
> 
> During this time, I am logged in to a GUI, but the screensaver has
> activated, and I am doing nothing. No one else has an account. 
> 

Well, herein lies the rub...the audit rules you have in place are doing
their job.
:)

The escd is creating device files as it does its thing...do you trust
it? Assuming so, maybe there is a way to filter those out.

Can you send a couple of the results of this command? This will tell you
the top (recent) auditing processes:
% sudo aureport -ts recent -i -x --summary

Also a couple of these results (since you said there were a lot of
escd process events). Change "recent" to "today" or a specific start
time (see ausearch man page):
% sudo ausearch -ts recent -i -c escd


You will likely want to use aureport/ausearch just because they are
faster than the audit-viewer. But it is possible to use it...

HTH,
LCB


* Re: questions about auditing on a new RH 6 box
  2011-01-14 17:35     ` LC Bruzenak
  2011-01-14 17:56       ` Tangren, Bill
  2011-01-14 18:10       ` Tangren, Bill
@ 2011-01-14 18:58       ` Steve Grubb
  2011-01-14 19:07         ` Tangren, Bill
  2 siblings, 1 reply; 16+ messages in thread
From: Steve Grubb @ 2011-01-14 18:58 UTC (permalink / raw)
  To: linux-audit, Tangren, Bill

On Friday, January 14, 2011 12:35:06 pm LC Bruzenak wrote:
> Probably can use a sampling of events as well.

Since keys are not being used to classify events (hint hint) the best you can do is 
run something like this:

aureport --start today --summary --syscall -i

-Steve
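As an added example (my code, not the thread's and not part of the audit tools), a Python stand-in for the `aureport -x --summary` and `aureport --summary --syscall -i` summaries that Lenny and Steve point at, run offline over constructed records laid out like Bill's excerpt; the only values it brings in beyond the thread are the x86_64 syscall numbers 2 (open) and 133 (mknod).

```python
"""Summarise raw audit.log SYSCALL records by executable, syscall and key.

Offline stand-in for `aureport -x --summary` and
`aureport --summary --syscall -i`: shows which executable, which syscall
and which rule (by key) is producing the volume. The two syscall numbers
seen in the thread are mapped to names from the x86_64 table (2 = open,
133 = mknod); anything else is reported by number.
"""
import re
from collections import Counter

X86_64_SYSCALL_NAMES = {2: "open", 133: "mknod"}

# k=v pairs; quoted values (exe="...", name="... ...") are taken whole.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
TS_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")


def parse_record(line):
    """Turn one 'type=... msg=audit(ts:serial): k=v ...' line into a dict."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def summarise(lines):
    """Count SYSCALL records per exe, per syscall name and per key.

    CWD and PATH lines carry the serial of the SYSCALL line before them and
    are skipped, so each event is counted once. A record with no -k key
    shows up as "(null)", which is what makes the noisy rule hard to name.
    """
    by_exe, by_syscall, by_key = Counter(), Counter(), Counter()
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        nr = int(rec["syscall"])
        by_exe[rec.get("exe", "?")] += 1
        by_syscall[X86_64_SYSCALL_NAMES.get(nr, str(nr))] += 1
        by_key[rec.get("key", "(null)")] += 1
    return by_exe, by_syscall, by_key


def events_per_hour(lines):
    """Extrapolate an hourly event rate from the first and last SYSCALL
    timestamps; returns 0.0 when there is no span to measure."""
    stamps = []
    for line in lines:
        m = TS_RE.search(line)
        if m and "type=SYSCALL" in line:
            stamps.append(float(m.group(1)))
    if len(stamps) < 2 or stamps[-1] == stamps[0]:
        return 0.0
    return (len(stamps) - 1) / (stamps[-1] - stamps[0]) * 3600


# Constructed sample, laid out like the records in the thread: three escd
# mknod events with no key and one open of audit.log caught by -k LOG_audit.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1295028176.635:718007): arch=c000003e syscall=133 success=yes exit=0 a0=7f5828f08bf0 a1=11a4 a2=0 a3=ffffffeb items=2 ppid=1 pid=28374 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=139 comm="escd" exe="/usr/lib64/esc-1.1.0/escd" key=(null)
type=CWD msg=audit(1295028176.635:718007):  cwd="/usr/lib64/esc-1.1.0"
type=PATH msg=audit(1295028176.635:718007): item=0 name="/var/run/pcscd.events/" inode=105 dev=fd:03 mode=041733 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1295028177.287:718008): arch=c000003e syscall=133 success=yes exit=0 items=2 ppid=1 pid=28374 auid=500 uid=500 comm="escd" exe="/usr/lib64/esc-1.1.0/escd" key=(null)
type=SYSCALL msg=audit(1295028177.742:718009): arch=c000003e syscall=2 success=yes exit=3 items=1 ppid=28453 pid=29995 auid=500 uid=0 tty=pts0 comm="tail" exe="/usr/bin/tail" key="LOG_audit"
type=PATH msg=audit(1295028177.742:718009): item=0 name="/var/log/audit/audit.log" inode=203 dev=fd:03 mode=0100600 ouid=0 ogid=0
type=SYSCALL msg=audit(1295028177.939:718010): arch=c000003e syscall=133 success=yes exit=0 items=2 ppid=1 pid=28374 auid=500 uid=500 comm="escd" exe="/usr/lib64/esc-1.1.0/escd" key=(null)
""".splitlines()

if __name__ == "__main__":
    by_exe, by_syscall, by_key = summarise(SAMPLE_LOG)
    for title, counter in (("exe", by_exe), ("syscall", by_syscall), ("key", by_key)):
        print("== by %s ==" % title)
        for name, count in counter.most_common():
            print("%6d  %s" % (count, name))
    print("approx. events/hour: %.0f" % events_per_hour(SAMPLE_LOG))
```

Point it at a real file with `summarise(open("/var/log/audit/audit.log"))`; the "(null)" key row is the volume no -k rule claims.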


* RE: questions about auditing on a new RH 6 box
  2011-01-14 18:39         ` LC Bruzenak
@ 2011-01-14 19:04           ` Tangren, Bill
  0 siblings, 0 replies; 16+ messages in thread
From: Tangren, Bill @ 2011-01-14 19:04 UTC (permalink / raw)
  To: LC Bruzenak; +Cc: linux-audit@redhat.com



-----Original Message-----
From: LC Bruzenak [mailto:lenny@magitekltd.com]
Sent: Friday, January 14, 2011 1:39 PM
To: Tangren, Bill
Cc: linux-audit@redhat.com
Subject: RE: questions about auditing on a new RH 6 box

On Fri, 2011-01-14 at 17:56 +0000, Tangren, Bill wrote:
>
> There are LOTS of the following:
>
> 01/14/2011 11:44:29 type=SYSCALL, arch=x86_64, syscall=mknod,
> success=yes, exit=0, a0-3=[hex numbers that vary), auid=bill.tangren,
> comm=escd, egid=bill.tangren, euid=bill.tangren,
> exe=/usr/lib64/esc-1.1.0/escd, fsgid= bill.tangren, fsuid=
> bill.tangren, gid=bill.tangren, items=2, key=null, sgid=bill.tangren,
> subject=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023,
> tty=none, uid=bill.tangren
>
> There are also some like this, but syscall=open instead.
>
>
> During this time, I am logged in to a GUI, but the screensaver has
> activated, and I am doing nothing. No one else has an account.
>

Well, herein lies the rub...the audit rules you have in place are doing
their job.
:)

The escd is creating device files as it does its thing...do you trust
it? Assuming so, maybe there is a way to filter those out.

Can you send a couple of the results of this command? This will tell you
the top (recent) auditing processes:
% sudo aureport -ts recent -i -x --summary

Also a couple of these results (since you said there were a lot of
escd process events). Change "recent" to "today" or a specific start
time (see ausearch man page):
% sudo ausearch -ts recent -i -c escd

^^^^^^^^^^^^^^^^

These are the top results for the ausearch command given above:

930  /usr/lib64/esc-1.1.0/escd
82  /usr/libexec/abrt-hook-ccpp
44  /usr/sbin/sshd
43  /usr/sbin/crond
41  /usr/sbin/usermod
34  /sbin/unix_chkpwd
31  /usr/bin/sudo
24  /bin/ls
22  /usr/sbin/abrtd (deleted)
21  /usr/sbin/httpd
17  /usr/libexec/openssh/sftp-server
15  /bin/su
14  /usr/libexec/gnome-screensaver-dialog
14  /usr/sbin/cupsd

OK. It appears that the RH smart card reader software is doing this, which is odd, considering I'm not using a smart card right now. I'll disable it (for now) and see what happens. But I'm going to want it working eventually.

Bill


* RE: questions about auditing on a new RH 6 box
  2011-01-14 18:58       ` Steve Grubb
@ 2011-01-14 19:07         ` Tangren, Bill
  2011-01-14 19:24           ` LC Bruzenak
  0 siblings, 1 reply; 16+ messages in thread
From: Tangren, Bill @ 2011-01-14 19:07 UTC (permalink / raw)
  To: linux-audit@redhat.com



-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com] 
Sent: Friday, January 14, 2011 1:59 PM
To: linux-audit@redhat.com; Tangren, Bill
Subject: Re: questions about auditing on a new RH 6 box

On Friday, January 14, 2011 12:35:06 pm LC Bruzenak wrote:
> Probably can use a sampling of events as well.

Since keys are not being used to classify events (hint hint) the best you can do is 
run something like this:

aureport --start today --summary --syscall -i

-Steve

******************
Where can I read on how to classify events? I have been frustrated in the past, because I was required to generate volumes of audit logs, and I haven't had much success there.


Thanks everyone for all of your help. I really appreciate it.

Bill


* Re: questions about auditing on a new RH 6 box
  2011-01-14 18:10       ` Tangren, Bill
@ 2011-01-14 19:12         ` Steve Grubb
  2011-01-14 19:26           ` Tangren, Bill
  0 siblings, 1 reply; 16+ messages in thread
From: Steve Grubb @ 2011-01-14 19:12 UTC (permalink / raw)
  To: linux-audit

On Friday, January 14, 2011 01:10:09 pm Tangren, Bill wrote:
> I think that some of this is capturing that I was using the tail command to
> capture some of the logs to email to myself to post here. Obviously that
> isn't typical, but hopefully there is some useful information here. Oh,
> and my uid and gid are both 500.

This is coming from:

-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=0 -F exit!=-11

Which says, audit mknod calls that are not successful and whose errno does not equal 
EAGAIN for anyone that logged in as root.

-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F exit!=-11

Which says audit mknod calls that are not successful, it's a system event meaning not 
coming from a user session, and the exit code is not EAGAIN.

#Ensure that failed attempts at using the following system calls are audited
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=1 -F exit!=-11

Which says audit mknod calls that are successful and the exit code is not EAGAIN.

Are you sure this is what you intended? 

-Steve


* RE: questions about auditing on a new RH 6 box
  2011-01-14 19:07         ` Tangren, Bill
@ 2011-01-14 19:24           ` LC Bruzenak
  2011-01-14 19:27             ` Tangren, Bill
  2011-01-14 19:39             ` Steve Grubb
  0 siblings, 2 replies; 16+ messages in thread
From: LC Bruzenak @ 2011-01-14 19:24 UTC (permalink / raw)
  To: Tangren, Bill; +Cc: linux-audit@redhat.com

On Fri, 2011-01-14 at 19:07 +0000, Tangren, Bill wrote:
> 
> Where can I read on how to classify events? I have been frustrated in
> the past, because I was required to generate volumes of audit logs,
> and I haven't had much success there. 

man auditctl 
look for the "-k key" section

LCB


* RE: questions about auditing on a new RH 6 box
  2011-01-14 19:12         ` Steve Grubb
@ 2011-01-14 19:26           ` Tangren, Bill
  2011-01-14 19:57             ` Steve Grubb
  0 siblings, 1 reply; 16+ messages in thread
From: Tangren, Bill @ 2011-01-14 19:26 UTC (permalink / raw)
  To: linux-audit@redhat.com



-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com] 
Sent: Friday, January 14, 2011 2:13 PM
To: linux-audit@redhat.com
Cc: Tangren, Bill
Subject: Re: questions about auditing on a new RH 6 box

On Friday, January 14, 2011 01:10:09 pm Tangren, Bill wrote:
> I think that some of this is capturing that I was using the tail command to
> capture some of the logs to email to myself to post here. Obviously that
> isn't typical, but hopefully there is some useful information here. Oh,
> and my uid and gid are both 500.

This is coming from:

-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=0 -F exit!=-11

Which says, audit mknod calls that are not successful and whose errno does not equal 
EAGAIN for anyone that logged in as root.

-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F exit!=-11

Which says audit mknod calls that are not successful, it's a system event meaning not 
coming from a user session, and the exit code is not EAGAIN.

#Ensure that failed attempts at using the following system calls are audited
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=1 -F exit!=-11

Which says audit mknod calls that are successful and the exit code is not EAGAIN.

Are you sure this is what you intended? 

-Steve

******************
The comments above each line are excerpts from the regulations. It is the requirements in those comments that the audit rules are supposed to be implementing. 

Perhaps I need to study error codes and modify these rules. Do you have a suggestion on where I can learn the proper error commands?

Bill 


* RE: questions about auditing on a new RH 6 box
  2011-01-14 19:24           ` LC Bruzenak
@ 2011-01-14 19:27             ` Tangren, Bill
  2011-01-14 19:39             ` Steve Grubb
  1 sibling, 0 replies; 16+ messages in thread
From: Tangren, Bill @ 2011-01-14 19:27 UTC (permalink / raw)
  Cc: linux-audit@redhat.com



-----Original Message-----
From: LC Bruzenak [mailto:lenny@magitekltd.com] 
Sent: Friday, January 14, 2011 2:24 PM
To: Tangren, Bill
Cc: linux-audit@redhat.com
Subject: RE: questions about auditing on a new RH 6 box

On Fri, 2011-01-14 at 19:07 +0000, Tangren, Bill wrote:
> 
> Where can I read on how to classify events? I have been frustrated in
> the past, because I was required to generate volumes of audit logs,
> and I haven't had much success there. 

man auditctl 
look for the "-k key" section

LCB


OK, thanks. I'll read that.


* Re: questions about auditing on a new RH 6 box
  2011-01-14 19:24           ` LC Bruzenak
  2011-01-14 19:27             ` Tangren, Bill
@ 2011-01-14 19:39             ` Steve Grubb
  1 sibling, 0 replies; 16+ messages in thread
From: Steve Grubb @ 2011-01-14 19:39 UTC (permalink / raw)
  To: linux-audit

On Friday, January 14, 2011 02:24:19 pm LC Bruzenak wrote:
> > Where can I read on how to classify events? I have been frustrated in
> > the past, because I was required to generate volumes of audit logs,
> > and I haven't had much success there. 
> 
> man auditctl 
> look for the "-k key" section

I also give a write-up on using that in the audit.rules man page. See the NOTES section 
in particular.

-Steve


* Re: questions about auditing on a new RH 6 box
  2011-01-14 19:26           ` Tangren, Bill
@ 2011-01-14 19:57             ` Steve Grubb
  0 siblings, 0 replies; 16+ messages in thread
From: Steve Grubb @ 2011-01-14 19:57 UTC (permalink / raw)
  To: linux-audit

On Friday, January 14, 2011 02:26:40 pm Tangren, Bill wrote:
> #Ensure that failed attempts at using the following system calls are
>  audited
> -a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=1 -F exit!=-11
> 
> Which says audit mknod calls that are successful and the exit code is not
> EAGAIN.
> 
> Are you sure this is what you intended? 
> 
> ******************
> The comments above each line are excerpts from the regulations. 

The last rule does not match the comment for starters. It would be something like 
this:

-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0

But this is overlapping the other rules right above it. Let's look:

#Ensure that the following system calls are audited for the current logged in
#user and for root
#Ensure that failed attempts at using the following system calls are audited

So the first is all use for anyone logged in except the system. The second one is all 
failed use regardless of someone logged in or not, so that is just 2 rules (assuming 
you don't want EAGAIN):

-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F auid!=-1 -F exit!=-11 -k user-root-syscalls
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F exit!=-11 -k failed-syscalls

You may have other rules that do not match the requirements.

-Steve
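As an added example (my code, not part of Steve's reply or of auditctl), a Python matcher for the subset of auditctl syntax these rules use, run over constructed events to show which of Bill's three original mknod/acct/swapon/sethostname rules fire and which of Steve's two keyed replacements fire for the same event; it models auid=-1 as the unset login uid, success as 1/0 and exit as the kernel's negative errno (-11 = EAGAIN), which is how the thread reads those filters.

```python
"""Evaluate the thread's overlapping syscall rules against sample events.

Handles only the auditctl subset the rules above use: -a exit,always,
-F arch=b64 (accepted, not modelled), -S name (repeatable, OR), -F field=value,
-F field!=value (all filters AND together) and -k key. Events carry the
fields those filters test: syscall name, success (1/0), exit (negative
errno on failure) and auid (-1 = no login session).
"""
import shlex


def parse_rule(text):
    """Parse one auditctl rule line into {'syscalls', 'filters', 'key'}."""
    toks = shlex.split(text)
    rule = {"syscalls": set(), "filters": [], "key": None}
    for flag, arg in zip(toks[::2], toks[1::2]):   # every flag takes one argument
        if flag == "-S":
            rule["syscalls"].add(arg)
        elif flag == "-F":
            op = "!=" if "!=" in arg else "="
            field, value = arg.split(op, 1)
            if field != "arch":            # all rules here are arch=b64
                rule["filters"].append((field, op, int(value)))
        elif flag == "-k":
            rule["key"] = arg
        # "-a exit,always": the list and action, identical for every rule here
    return rule


def rule_matches(rule, event):
    """True when the syscall is listed and every -F filter holds."""
    if event["syscall"] not in rule["syscalls"]:
        return False
    for field, op, wanted in rule["filters"]:
        equal = event[field] == wanted
        if equal != (op == "="):
            return False
    return True


def which_rules(rules, event):
    """Labels (the -k key, or rule<n> when there is none) of rules that fire."""
    labels = []
    for n, rule in enumerate(rules, 1):
        if rule_matches(rule, event):
            labels.append(rule["key"] or "rule%d" % n)
    return labels


# The three rules as posted by Bill, in the order they appear in his file.
ORIGINAL_RULES = [parse_rule(r) for r in (
    "-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=0 -F exit!=-11",
    "-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F exit!=-11",
    "-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=1 -F exit!=-11",
)]

# Steve's two-rule replacement; the keys let aureport -k name the source.
REWRITTEN_RULES = [parse_rule(r) for r in (
    "-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F auid!=-1 -F exit!=-11 -k user-root-syscalls",
    "-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F exit!=-11 -k failed-syscalls",
)]

# Constructed sample events (field layout follows the SYSCALL record).
SAMPLE_EVENTS = {
    # escd's successful mknod from Bill's login session, as in his log excerpt
    "escd_success":   {"syscall": "mknod", "success": 1, "exit": 0, "auid": 500},
    # a root session failing with EACCES (-13)
    "root_eacces":    {"syscall": "mknod", "success": 0, "exit": -13, "auid": 0},
    # a daemon (no login session) failing with EAGAIN (-11): exit!=-11 drops it
    "daemon_eagain":  {"syscall": "swapon", "success": 0, "exit": -11, "auid": -1},
    # a daemon succeeding: only the success=1 rule of the original set sees it
    "daemon_success": {"syscall": "sethostname", "success": 1, "exit": 0, "auid": -1},
}

if __name__ == "__main__":
    for name, event in SAMPLE_EVENTS.items():
        print("%-15s original=%-10s rewritten=%s" % (
            name, which_rules(ORIGINAL_RULES, event), which_rules(REWRITTEN_RULES, event)))
```

The escd event is caught by the third original rule, the one whose comment says "failed attempts", and by Steve's user-root-syscalls rule, so the rewrite keeps that record but now tags it with a key.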

