* questions about auditing on a new RH 6 box
From: Tangren, Bill @ 2011-01-14 16:21 UTC
To: linux-audit@redhat.com

I have a new VM running RH 6 server. I put some audit.rules in place, and now I notice that I am getting 11 MB of audit log entries every half hour. This server has no users or services running. I am trying to use audit-viewer to determine which of my rules is creating so much log traffic, but I don't understand the output enough to be able to tell. The version of audit is 2.0.4-1 (64 bit).

Is this the correct forum to ask this question?

If so, I can provide the audit rules and some of the logs.

---
Bill Tangren
IAM
U.S. Naval Observatory, Washington
* Re: questions about auditing on a new RH 6 box
From: Eric Paris @ 2011-01-14 16:42 UTC
To: Tangren, Bill; +Cc: linux-audit@redhat.com

On Fri, 2011-01-14 at 16:21 +0000, Tangren, Bill wrote:
> I have a new VM running RH 6 server. I put some audit.rules in place, and
> now I notice that I am getting 11 MB of audit log entries every half hour.
> This server has no users or services running. I am trying to use
> audit-viewer to determine which of my rules is creating so much log traffic,
> but I don't understand the output enough to be able to tell. The version of
> audit is 2.0.4-1 (64 bit).
>
> Is this the correct forum to ask this question?
>
> If so, I can provide the audit rules and some of the logs.

This is probably the best forum there is. Let us know your troubles.

-Eric
* RE: questions about auditing on a new RH 6 box
From: Tangren, Bill @ 2011-01-14 17:23 UTC
To: linux-audit@redhat.com

-----Original Message-----
From: Eric Paris [mailto:eparis@redhat.com]
Sent: Friday, January 14, 2011 11:42 AM
To: Tangren, Bill
Cc: linux-audit@redhat.com
Subject: Re: questions about auditing on a new RH 6 box

On Fri, 2011-01-14 at 16:21 +0000, Tangren, Bill wrote:
> I have a new VM running RH 6 server. I put some audit.rules in place, and
> now I notice that I am getting 11 MB of audit log entries every half hour.
> This server has no users or services running. I am trying to use
> audit-viewer to determine which of my rules is creating so much log traffic,
> but I don't understand the output enough to be able to tell. The version of
> audit is 2.0.4-1 (64 bit).
>
> Is this the correct forum to ask this question?
>
> If so, I can provide the audit rules and some of the logs.

This is probably the best forum there is. Let us know your troubles.

-Eric

OK, here goes. These are the audit rules. And before you read them, please don't shoot the messenger. This is what I was told to audit, according to regulations. If it is misconfigured, or if something causes excessive logging to no good purpose, I can modify them some. I've used these rules on RH 5 systems with no problems. Also, I've left in the comments.

***********************
-f 2

# Ensures that any access or modifications to the password file is audited
-w /etc/passwd -p rwa

# Ensures that any access or modifications to the shadow file is audited
-w /etc/shadow -p rwa

# Ensures that any reads of the audit log by the current user that's logged in is
# audited. It might be beneficial to create a rule for each of the 5 logs
# that are generated.
-w /var/log/audit/audit.log -k LOG_audit

# Ensures that the user who is logged in and fails to access a file or process
# is audited. Note: this will prevent kernel panics if you have a web server running
# because it will not log apache file accesses
-a exit,always -F arch=b64 -S open -S openat -F exit=EACCES -F uid!=apache -k access
-a exit,always -F arch=b64 -S open -S openat -F exit=EPERM -F uid!=apache -k access

# Ensures that any user who fails to change permissions of a file or directory is
# audited
-a exit,always -F arch=b64 -S chmod -S lchown -S chown -F success=0 -F exit!=-11

# Ensures that any user who mounts or unmounts a device is audited
# ensures that mounting and dismounting are audited
-a exit,always -F arch=b64 -S mount -S umount2

# Ensures that when anything is written to CD or DVD is audited
# This rule MUST be edited to reflect the device path that is specific to
# the system that the rules are being written for.
-w /dev/cdrom -p w

# AUDITING THE EXECVE FUNCTION
# Ensures any user that properly executes a process is audited.
# Since the open command is being audited, this rule causes
# redundancy. Since any command must be opened prior to execution, with this
# in effect, the system will have duplicate entries for every time something is
# executed. This is noted in case the desire to audit both comes up.
-a exit,always -F arch=b64 -S execve -F auid=-1 -F success=0

# AUDITING SHUTDOWNS AND REBOOTS
# Red Hat ensures auditing whenever the reboot command is sent to the kernel
-a exit,always -F arch=b64 -S socket -F a0=13

# AUDITING THE ROOT DIRECTORY IN FEDORA
# Ensures auditing of any unauthorized access to root's home directory.
-w /root -p rw -F uid!=0

# AUDITING THE ROOT DIRECTORY IN FEDORA
# Ensures auditing of any failed unauthorized access to root's home directory.
-w /root -p rw -F uid!=0 -F success=0

#Auditing configuration changes to the audit.conf and audit.rules files
-w /etc/audit.conf -k wa
-w /etc/audit.rules -k wa

#Ensure that the following system calls are audited for the current logged in
#user and for root
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=0 -F exit!=-11
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F exit!=-11

#Ensure that failed attempts at using the following system calls are audited
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=1 -F exit!=-11

#Ensure that failed deletion of files and processes by anyone is audited
-a exit,always -F arch=b64 -S rmdir -S unlink -F success=0 -F exit!=-11

#Ensure that failed use of the following system calls is audited
-a exit,always -F arch=b64 -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=0 -F auid=0 -F exit!=-11
-a exit,always -F arch=b64 -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=0 -F auid=-1 -F exit!=-11

#Ensure that successful use of the following system calls is audited
-a exit,always -F arch=b64 -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=1 -F auid=0 -F exit!=-11
-a exit,always -F arch=b64 -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=1 -F auid=-1 -F exit!=-11

#Ensure that failed use of the following system calls is audited
-a exit,always -F arch=b64 -S quotactl -S mount -S kill -S chroot -F success=0 -F auid=0 -F exit!=-11
-a exit,always -F arch=b64 -S quotactl -S mount -S kill -S chroot -F success=0 -F auid=-1 -F exit!=-11

#Ensure that successful use of the following system calls is audited
-a exit,always -F arch=b64 -S quotactl -S mount -S kill -S chroot -F success=1 -F auid=0 -F exit!=-11
-a exit,always -F arch=b64 -S quotactl -S mount -S kill -S chroot -F success=1 -F auid=-1 -F exit!=-11

#Ensure that when a failed login is recorded by syslog to the faillog file is
#audited
-w /var/log/faillog -k wa
-w /var/log/lastlog -k wa

#Ensure that when a login is recorded by syslog to the appropriate file is
#audited
-w /var/log/wtmp -k wa
* RE: questions about auditing on a new RH 6 box
From: LC Bruzenak @ 2011-01-14 17:35 UTC
To: Tangren, Bill; +Cc: linux-audit@redhat.com

Probably can use a sampling of events as well.

LCB
--
LC (Lenny) Bruzenak
lenny@magitekltd.com
* RE: questions about auditing on a new RH 6 box
From: Tangren, Bill @ 2011-01-14 17:56 UTC
To: linux-audit@redhat.com

-----Original Message-----
From: LC Bruzenak [mailto:lenny@magitekltd.com]
Sent: Friday, January 14, 2011 12:35 PM
To: Tangren, Bill
Cc: linux-audit@redhat.com
Subject: RE: questions about auditing on a new RH 6 box

Probably can use a sampling of events as well.

LCB
--
LC (Lenny) Bruzenak
lenny@magitekltd.com

This is an example of what I see in audit-viewer:

There are LOTS of the following:

01/14/2011 11:44:29 type=SYSCALL, arch=x86_64, syscall=mknod, success=yes, exit=0,
a0-3=[hex numbers that vary], auid=bill.tangren, comm=escd, egid=bill.tangren,
euid=bill.tangren, exe=/usr/lib64/esc-1.1.0/escd, fsgid=bill.tangren,
fsuid=bill.tangren, gid=bill.tangren, items=2, key=null, sgid=bill.tangren,
subject=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023, tty=none,
uid=bill.tangren

There are also some like this, but syscall=open instead.

During this time, I am logged in to a GUI, but the screensaver has activated, and I am doing nothing. No one else has an account.

Bill
* RE: questions about auditing on a new RH 6 box
From: LC Bruzenak @ 2011-01-14 18:39 UTC
To: Tangren, Bill; +Cc: linux-audit@redhat.com

On Fri, 2011-01-14 at 17:56 +0000, Tangren, Bill wrote:
>
> There are LOTS of the following:
>
> 01/14/2011 11:44:29 type=SYSCALL, arch=x86_64, syscall=mknod,
> success=yes, exit=0, a0-3=[hex numbers that vary], auid=bill.tangren,
> comm=escd, egid=bill.tangren, euid=bill.tangren,
> exe=/usr/lib64/esc-1.1.0/escd, fsgid=bill.tangren, fsuid=
> bill.tangren, gid=bill.tangren, items=2, key=null, sgid=bill.tangren,
> subject=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023,
> tty=none, uid=bill.tangren
>
> There are also some like this, but syscall=open instead.
>
>
> During this time, I am logged in to a GUI, but the screensaver has
> activated, and I am doing nothing. No one else has an account.
>

Well, herein lies the rub...the audit rules you have in place are doing their job. :)

The escd is creating device files as it does its thing...do you trust it? Assuming so, maybe there is a way to filter those out.

Can you send a couple of the results of this command? This will tell you the top (recent) auditing processes:

% sudo aureport -ts recent -i -x --summary

Also a couple of these results (since you said there were a lot of escd process events). Change "recent" to "today" or a specific start time (see ausearch man page):

% sudo ausearch -ts recent -i -c escd

You will likely want to use aureport/ausearch just because they are faster than the audit-viewer. But it is possible to use it...

HTH,
LCB
* RE: questions about auditing on a new RH 6 box
From: Tangren, Bill @ 2011-01-14 19:04 UTC
To: LC Bruzenak; +Cc: linux-audit@redhat.com

-----Original Message-----
From: LC Bruzenak [mailto:lenny@magitekltd.com]
Sent: Friday, January 14, 2011 1:39 PM
To: Tangren, Bill
Cc: linux-audit@redhat.com
Subject: RE: questions about auditing on a new RH 6 box

On Fri, 2011-01-14 at 17:56 +0000, Tangren, Bill wrote:
>
> There are LOTS of the following:
>
> 01/14/2011 11:44:29 type=SYSCALL, arch=x86_64, syscall=mknod,
> success=yes, exit=0, a0-3=[hex numbers that vary], auid=bill.tangren,
> comm=escd, egid=bill.tangren, euid=bill.tangren,
> exe=/usr/lib64/esc-1.1.0/escd, fsgid=bill.tangren, fsuid=
> bill.tangren, gid=bill.tangren, items=2, key=null, sgid=bill.tangren,
> subject=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023,
> tty=none, uid=bill.tangren
>
> There are also some like this, but syscall=open instead.
>
>
> During this time, I am logged in to a GUI, but the screensaver has
> activated, and I am doing nothing. No one else has an account.
>

Well, herein lies the rub...the audit rules you have in place are doing their job. :)

The escd is creating device files as it does its thing...do you trust it? Assuming so, maybe there is a way to filter those out.

Can you send a couple of the results of this command? This will tell you the top (recent) auditing processes:

% sudo aureport -ts recent -i -x --summary

Also a couple of these results (since you said there were a lot of escd process events). Change "recent" to "today" or a specific start time (see ausearch man page):

% sudo ausearch -ts recent -i -c escd
^^^^^^^^^^^^^^^^

These are the top results for the ausearch command given above:

930 /usr/lib64/esc-1.1.0/escd
82 /usr/libexec/abrt-hook-ccpp
44 /usr/sbin/sshd
43 /usr/sbin/crond
41 /usr/sbin/usermod
34 /sbin/unix_chkpwd
31 /usr/bin/sudo
24 /bin/ls
22 /usr/sbin/abrtd (deleted)
21 /usr/sbin/httpd
17 /usr/libexec/openssh/sftp-server
15 /bin/su
14 /usr/libexec/gnome-screensaver-dialog
14 /usr/sbin/cupsd

OK. It appears that the RH smart card reader software is doing this, which is odd, considering I'm not using a smart card right now. I'll disable it (for now) and see what happens. But I'm going to want it working eventually.

Bill
* RE: questions about auditing on a new RH 6 box
From: Tangren, Bill @ 2011-01-14 18:10 UTC
To: linux-audit@redhat.com

-----Original Message-----
From: LC Bruzenak [mailto:lenny@magitekltd.com]
Sent: Friday, January 14, 2011 12:35 PM
To: Tangren, Bill
Cc: linux-audit@redhat.com
Subject: RE: questions about auditing on a new RH 6 box

Probably can use a sampling of events as well.

LCB
--
LC (Lenny) Bruzenak
lenny@magitekltd.com

Here are more logs (from /var/log/audit/audit.log):

type=CWD msg=audit(1295028176.635:718007): cwd="/usr/lib64/esc-1.1.0"
type=PATH msg=audit(1295028176.635:718007): item=0 name="/var/run/pcscd.events/" inode=105 dev=fd:03 mode=041733 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pcscd_var_run_t:s0
type=PATH msg=audit(1295028176.635:718007): item=1 name="/var/run/pcscd.events/event.28372.17008539" inode=204 dev=fd:03 mode=010644 ouid=500 ogid=500 rdev=00:00 obj=unconfined_u:object_r:pcscd_var_run_t:s0
type=SYSCALL msg=audit(1295028177.287:718008): arch=c000003e syscall=133 success=yes exit=0 a0=7f5828f08bf0 a1=11a4 a2=0 a3=ffffffeb items=2 ppid=1 pid=28374 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=139 comm="escd" exe="/usr/lib64/esc-1.1.0/escd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1295028177.287:718008): cwd="/usr/lib64/esc-1.1.0"
type=PATH msg=audit(1295028177.287:718008): item=0 name="/var/run/pcscd.events/" inode=105 dev=fd:03 mode=041733 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pcscd_var_run_t:s0
type=PATH msg=audit(1295028177.287:718008): item=1 name="/var/run/pcscd.events/event.28372.17008539" inode=204 dev=fd:03 mode=010644 ouid=500 ogid=500 rdev=00:00 obj=unconfined_u:object_r:pcscd_var_run_t:s0
type=SYSCALL msg=audit(1295028177.742:718009): arch=c000003e syscall=2 success=yes exit=3 a0=7fff05d84891 a1=0 a2=0 a3=60 items=1 ppid=28453 pid=29995 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=139 comm="tail" exe="/usr/bin/tail" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="LOG_audit"
type=CWD msg=audit(1295028177.742:718009): cwd="/root"
type=PATH msg=audit(1295028177.742:718009): item=0 name="/var/log/audit/audit.log" inode=203 dev=fd:03 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:auditd_log_t:s0
type=SYSCALL msg=audit(1295028177.939:718010): arch=c000003e syscall=133 success=yes exit=0 a0=7f5828f08bf0 a1=11a4 a2=0 a3=ffffffeb items=2 ppid=1 pid=28374 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=139 comm="escd" exe="/usr/lib64/esc-1.1.0/escd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=CWD msg=audit(1295028177.939:718010): cwd="/usr/lib64/esc-1.1.0"
type=PATH msg=audit(1295028177.939:718010): item=0 name="/var/run/pcscd.events/" inode=105 dev=fd:03 mode=041733 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pcscd_var_run_t:s0
type=PATH msg=audit(1295028177.939:718010): item=1 name="/var/run/pcscd.events/event.28372.17008539" inode=204 dev=fd:03 mode=010644 ouid=500 ogid=500 rdev=00:00 obj=unconfined_u:object_r:pcscd_var_run_t:s0

I think that some of this is capturing that I was using the tail command to capture some of the logs to email to myself to post here. Obviously that isn't typical, but hopefully there is some useful information here. Oh, and my uid and gid are both 500.

Bill
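The raw records above show the structure that aureport and ausearch work from: every line of one event carries the same audit(<timestamp>:<serial>) stamp, the SYSCALL record holds the syscall number (133 is mknod on x86_64, 2 is open), the process (comm/exe), the login uid (auid) and the rule key, and the PATH records name the files touched. The following script is an added example, not part of the thread or of the audit package: it groups records by serial, counts SYSCALL records by (syscall, comm, key) the way `aureport --summary --syscall` does, and lists the paths a given command touched. The sample log is constructed from the three complete events posted above; the syscall-number table is a deliberately partial x86_64 table covering only those numbers.

```python
import re
from collections import Counter, defaultdict

# Partial x86_64 (arch=c000003e) syscall-number table: only the numbers that
# appear in the thread's records. `ausearch -i` does this lookup on a real box.
SYSCALL_NAMES_X86_64 = {2: "open", 133: "mknod", 257: "openat"}

# Constructed sample: the three complete events from the post above.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1295028177.287:718008): arch=c000003e syscall=133 success=yes exit=0 a0=7f5828f08bf0 a1=11a4 a2=0 a3=ffffffeb items=2 ppid=1 pid=28374 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=139 comm="escd" exe="/usr/lib64/esc-1.1.0/escd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=PATH msg=audit(1295028177.287:718008): item=0 name="/var/run/pcscd.events/" inode=105 dev=fd:03 mode=041733 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pcscd_var_run_t:s0
type=PATH msg=audit(1295028177.287:718008): item=1 name="/var/run/pcscd.events/event.28372.17008539" inode=204 dev=fd:03 mode=010644 ouid=500 ogid=500 rdev=00:00 obj=unconfined_u:object_r:pcscd_var_run_t:s0
type=SYSCALL msg=audit(1295028177.742:718009): arch=c000003e syscall=2 success=yes exit=3 a0=7fff05d84891 a1=0 a2=0 a3=60 items=1 ppid=28453 pid=29995 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=139 comm="tail" exe="/usr/bin/tail" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="LOG_audit"
type=PATH msg=audit(1295028177.742:718009): item=0 name="/var/log/audit/audit.log" inode=203 dev=fd:03 mode=0100600 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:auditd_log_t:s0
type=SYSCALL msg=audit(1295028177.939:718010): arch=c000003e syscall=133 success=yes exit=0 a0=7f5828f08bf0 a1=11a4 a2=0 a3=ffffffeb items=2 ppid=1 pid=28374 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=(none) ses=139 comm="escd" exe="/usr/lib64/esc-1.1.0/escd" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
type=PATH msg=audit(1295028177.939:718010): item=0 name="/var/run/pcscd.events/" inode=105 dev=fd:03 mode=041733 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:pcscd_var_run_t:s0
type=PATH msg=audit(1295028177.939:718010): item=1 name="/var/run/pcscd.events/event.28372.17008539" inode=204 dev=fd:03 mode=010644 ouid=500 ogid=500 rdev=00:00 obj=unconfined_u:object_r:pcscd_var_run_t:s0
"""

RECORD_RE = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<rest>.*)$")
# field=value pairs; values are "quoted", (parenthesised) like (null), or bare
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_record(line):
    """Turn one raw audit.log record into a dict; None if the line is not a record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": m.group("type"), "serial": int(m.group("serial")), "ts": float(m.group("ts"))}
    for field, value in FIELD_RE.findall(m.group("rest")):
        rec[field] = value.strip('"')  # key="LOG_audit" -> LOG_audit; key=(null) stays (null)
    return rec


def group_events(lines):
    """Records sharing an audit(<ts>:<serial>) stamp belong to one event."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec is not None:
            events[rec["serial"]].append(rec)
    return events


def summarize(lines):
    """Count SYSCALL records by (syscall, comm, key). A key of (null) means the
    matching rule carries no -k, which is what makes the event hard to attribute."""
    counts = Counter()
    for recs in group_events(lines).values():
        for rec in recs:
            if rec["type"] != "SYSCALL":
                continue
            number = rec.get("syscall", "?")
            name = SYSCALL_NAMES_X86_64.get(int(number), "syscall-" + number) if number.isdigit() else number
            counts[(name, rec.get("comm", "?"), rec.get("key", "(null)"))] += 1
    return counts


def paths_for(lines, comm):
    """PATH names touched by events whose SYSCALL record came from <comm>."""
    names = set()
    for recs in group_events(lines).values():
        if any(r["type"] == "SYSCALL" and r.get("comm") == comm for r in recs):
            names.update(r["name"] for r in recs if r["type"] == "PATH" and "name" in r)
    return names


if __name__ == "__main__":
    lines = SAMPLE_LOG.splitlines()
    for (syscall, comm, key), n in summarize(lines).most_common():
        print(f"{n:6d}  {syscall:<8} {comm:<12} key={key}")
    print("escd touched:", sorted(paths_for(lines, "escd")))
```

Run against a real file with `summarize(open("/var/log/audit/audit.log"))`; the top entry of the summary is the same answer aureport gives, but split by rule key, so once rules carry `-k` the noisy rule is identified directly rather than inferred from the process name.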
* Re: questions about auditing on a new RH 6 box
From: Steve Grubb @ 2011-01-14 19:12 UTC
To: linux-audit

On Friday, January 14, 2011 01:10:09 pm Tangren, Bill wrote:
> I think that some of this is capturing that I was using the tail command to
> capture some of the logs to email to myself to post here. Obviously that
> isn't typical, but hopefully there is some useful information here. Oh,
> and my uid and gid are both 500.

This is coming from:

-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=0 -F exit!=-11

Which says, audit mknod calls that are not successful and whose errno does not equal EAGAIN for anyone that logged in as root.

-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F exit!=-11

Which says audit mknod calls that are not successful, it's a system event meaning not coming from a user session, and the exit code is not EAGAIN.

#Ensure that failed attempts at using the following system calls are audited
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=1 -F exit!=-11

Which says audit mknod calls that are successful and the exit code is not EAGAIN.

Are you sure this is what you intended?

-Steve
* RE: questions about auditing on a new RH 6 box
From: Tangren, Bill @ 2011-01-14 19:26 UTC
To: linux-audit@redhat.com

-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Friday, January 14, 2011 2:13 PM
To: linux-audit@redhat.com
Cc: Tangren, Bill
Subject: Re: questions about auditing on a new RH 6 box

On Friday, January 14, 2011 01:10:09 pm Tangren, Bill wrote:
> I think that some of this is capturing that I was using the tail command to
> capture some of the logs to email to myself to post here. Obviously that
> isn't typical, but hopefully there is some useful information here. Oh,
> and my uid and gid are both 500.

This is coming from:

-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=0 -F exit!=-11

Which says, audit mknod calls that are not successful and whose errno does not equal EAGAIN for anyone that logged in as root.

-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F exit!=-11

Which says audit mknod calls that are not successful, it's a system event meaning not coming from a user session, and the exit code is not EAGAIN.

#Ensure that failed attempts at using the following system calls are audited
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=1 -F exit!=-11

Which says audit mknod calls that are successful and the exit code is not EAGAIN.

Are you sure this is what you intended?

-Steve

******************
The comments above each line are excerpts from the regulations. It is the requirements in those comments that the audit rules are supposed to be implementing. Perhaps I need to study error codes and modify these rules. Do you have a suggestion on where I can learn the proper error commands?

Bill
* Re: questions about auditing on a new RH 6 box
From: Steve Grubb @ 2011-01-14 19:57 UTC
To: linux-audit

On Friday, January 14, 2011 02:26:40 pm Tangren, Bill wrote:
> #Ensure that failed attempts at using the following system calls are
> audited
> -a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F
> success=1 -F exit!=-11
>
> Which says audit mknod calls that are successful and the exit code is not
> EAGAIN.
>
> Are you sure this is what you intended?
>
> ******************
> The comments above each line are excerpts from the regulations.

The last rule does not match the comment for starters. It would be something like this:

-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0

But this is overlapping the other rules right above it. Let's look:

#Ensure that the following system calls are audited for the current logged in
#user and for root

#Ensure that failed attempts at using the following system calls are audited

So the first is all use for anyone logged in except the system. The second one is all failed use regardless of someone logged in or not, so that is just 2 rules (assuming you don't want EAGAIN):

-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F auid!=-1 -F exit!=-11 -k user-root-syscalls
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F exit!=-11 -k failed-syscalls

You may have other rules that do not match the requirements.

-Steve
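The three problems Steve identifies in this branch of the thread (a "failed attempts" comment sitting over a success=1 rule, auid=0 and auid=-1 copies of one rule that should be a single rule, and rules with no -k key to classify their events) are all mechanical enough to check before the rules are loaded. The script below is an added example written for this page, not a tool from the audit package: it parses an audit.rules text with shlex, pairs each rule with the comment block above it, and reports those three conditions. The sample rules are a constructed excerpt of the mknod block posted earlier in the thread, plus two watch rules, kept verbatim so the checks reproduce the mismatch discussed above; the "fail" keyword match is a heuristic assumption, not a rule of auditctl.

```python
import re
import shlex
from collections import defaultdict

# Constructed excerpt of the rules posted in the thread, kept verbatim.
SAMPLE_RULES = """\
#Ensure that the following system calls are audited for the current logged in
#user and for root
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=0 -F exit!=-11
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F exit!=-11
#Ensure that failed attempts at using the following system calls are audited
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=1 -F exit!=-11
# Ensures that any access or modifications to the password file is audited
-w /etc/passwd -p rwa
-w /var/log/audit/audit.log -k LOG_audit
"""

# -F field<op>value; auditctl comparison operators
FILTER_RE = re.compile(r"^(\w+)(!=|>=|<=|=|>|<)(.*)$")


def parse_rule(line):
    """Split one auditctl line into kind (-a/-w), syscalls (-S), filters (-F) and key (-k)."""
    rule = {"raw": line, "kind": None, "path": None, "syscalls": set(), "filters": {}, "key": None}
    toks = shlex.split(line)
    i = 0
    while i < len(toks):
        opt = toks[i]
        arg = toks[i + 1] if i + 1 < len(toks) else None
        if opt == "-a":
            rule["kind"] = "syscall"
        elif opt == "-w":
            rule["kind"], rule["path"] = "watch", arg
        elif opt == "-S":
            rule["syscalls"].add(arg)
        elif opt == "-F":
            m = FILTER_RE.match(arg or "")
            if m:
                rule["filters"][m.group(1)] = (m.group(2), m.group(3))
        elif opt == "-k":
            rule["key"] = arg
        i += 1 if opt == "-D" else 2  # every other option used here takes one argument
    return rule


def parse_rules(text):
    """Return (comment, rule) pairs, pairing each rule with the '#' lines directly above it."""
    pairs, comment = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            comment.append(line.lstrip("#").strip())
        else:
            pairs.append((" ".join(comment), parse_rule(line)))
            comment = []
    return pairs


def lint(text):
    """Flag unkeyed rules, 'failed' comments over success=1, and rule pairs that differ only by auid."""
    findings = []
    by_shape = defaultdict(list)
    for comment, rule in parse_rules(text):
        if rule["kind"] is None:
            continue  # -f 2, -D and similar control lines
        if rule["key"] is None:
            findings.append("no -k key: " + rule["raw"])
        if "fail" in comment.lower() and rule["filters"].get("success") == ("=", "1"):
            findings.append("comment says failed but rule has success=1: " + rule["raw"])
        if rule["kind"] == "syscall":
            # same syscalls and same filters apart from auid -> candidates for one rule
            shape = (frozenset(rule["syscalls"]),
                     tuple(sorted((f, op, v) for f, (op, v) in rule["filters"].items() if f != "auid")))
            by_shape[shape].append(rule["raw"])
    for rules in by_shape.values():
        if len(rules) > 1:
            findings.append("rules differ only by auid, consider one rule (e.g. -F auid!=-1): " + " | ".join(rules))
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_RULES):
        print(finding)
```

Point it at the real file with `lint(open("/etc/audit/audit.rules").read())`. On the sample it reports four rules without a key, the success=1 rule under the "failed attempts" comment, and the auid=0/auid=-1 pair, which is the same diagnosis given above in prose.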
* Re: questions about auditing on a new RH 6 box
From: Steve Grubb @ 2011-01-14 18:58 UTC
To: linux-audit, Tangren, Bill

On Friday, January 14, 2011 12:35:06 pm LC Bruzenak wrote:
> Probably can use a sampling of events as well.

Since keys are not being used to classify events (hint hint) the best you can do is run something like this:

aureport --start today --summary --syscall -i

-Steve
* RE: questions about auditing on a new RH 6 box
From: Tangren, Bill @ 2011-01-14 19:07 UTC
To: linux-audit@redhat.com

-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Friday, January 14, 2011 1:59 PM
To: linux-audit@redhat.com; Tangren, Bill
Subject: Re: questions about auditing on a new RH 6 box

On Friday, January 14, 2011 12:35:06 pm LC Bruzenak wrote:
> Probably can use a sampling of events as well.

Since keys are not being used to classify events (hint hint) the best you can do is run something like this:

aureport --start today --summary --syscall -i

-Steve

******************
Where can I read on how to classify events? I have been frustrated in the past, because I was required to generate volumes of audit logs, and I haven't had much success there.

Thanks everyone for all of your help. I really appreciate it.

Bill
* RE: questions about auditing on a new RH 6 box
From: LC Bruzenak @ 2011-01-14 19:24 UTC
To: Tangren, Bill; +Cc: linux-audit@redhat.com

On Fri, 2011-01-14 at 19:07 +0000, Tangren, Bill wrote:
>
> Where can I read on how to classify events? I have been frustrated in
> the past, because I was required to generate volumes of audit logs,
> and I haven't had much success there.

man auditctl
look for the "-k key" section

LCB
* RE: questions about auditing on a new RH 6 box
From: Tangren, Bill @ 2011-01-14 19:27 UTC
Cc: linux-audit@redhat.com

-----Original Message-----
From: LC Bruzenak [mailto:lenny@magitekltd.com]
Sent: Friday, January 14, 2011 2:24 PM
To: Tangren, Bill
Cc: linux-audit@redhat.com
Subject: RE: questions about auditing on a new RH 6 box

On Fri, 2011-01-14 at 19:07 +0000, Tangren, Bill wrote:
>
> Where can I read on how to classify events? I have been frustrated in
> the past, because I was required to generate volumes of audit logs,
> and I haven't had much success there.

man auditctl
look for the "-k key" section

LCB

OK, thanks. I'll read that.
* Re: questions about auditing on a new RH 6 box
From: Steve Grubb @ 2011-01-14 19:39 UTC
To: linux-audit

On Friday, January 14, 2011 02:24:19 pm LC Bruzenak wrote:
> > Where can I read on how to classify events? I have been frustrated in
> > the past, because I was required to generate volumes of audit logs,
> > and I haven't had much success there.
>
> man auditctl
> look for the "-k key" section

I also give a write-up on using that in the audit.rules man page. See the NOTES section in particular.

-Steve