public inbox for linux-audit@redhat.com
From: Steven Grubb <sgrubb@redhat.com>
To: rshaw1@umbc.edu
Cc: linux-audit@redhat.com
Subject: Re: Filtering audit events
Date: Mon, 31 Aug 2015 09:22:16 -0400 (EDT)
Message-ID: <1315756444.19796884.1441027336015.JavaMail.zimbra@redhat.com>
In-Reply-To: <80528828ce7a24c2d9ed2e16b46f4fb6.squirrel@webmail.umbc.edu>
----- Original Message -----
>From: rshaw1@umbc.edu
>To: linux-audit@redhat.com
>Sent: Monday, August 31, 2015 8:18:12 AM
>Subject: Filtering audit events
>
>I'm trying to figure out a way to filter a large number of events similar
>to the following:
>
>time->Mon Aug 31 08:08:26 2015
>type=PATH msg=audit(1441022906.019:52947542): item=1 name=(null) inode=133
>dev=fd:06 mode=0100640 ouid=0 ogid=9002 rdev=00:00
>obj=system_u:object_r:var_log_t:s0 nametype=NORMAL
>type=PATH msg=audit(1441022906.019:52947542): item=0
>name="/var/log/simpana/Log_Files/locks/" inode=92 dev=fd:06 mode=040775
>ouid=0 ogid=9002 rdev=00:00 obj=system_u:object_r:var_log_t:s0
>nametype=PARENT
>type=CWD msg=audit(1441022906.019:52947542):  cwd="/opt/simpana"
>type=SYSCALL msg=audit(1441022906.019:52947542): arch=c000003e syscall=2
>success=no exit=-13 a0=996d68 a1=42 a2=1b6 a3=0 items=2 ppid=11855
>pid=15755 auid=7538 uid=0 gid=9002 euid=4990 suid=4990 fsuid=4990
>egid=9002 sgid=9002 fsgid=9002 tty=(none) ses=125779 comm="clBackup"
>exe="/opt/simpana/iDataAgent/clBackup" subj=system_u:system_r:initrc_t:s0
>key="access"

If you use the -i argument to ausearch, it becomes more clear what the issue is. The problem is that the program is opening the file for read and write, but the permissions are just for group read. If that file were 0660, then you would not get this audit event.


>The STIG-compliant audit ruleset we're using seems to generate a lot of
>these, and I'm concerned that may be affecting the performance of the app
>in question (also, I consider it log spam).  I tried the following rule
>(plus a few variations like ogid), but it doesn't seem to be working:
>
>-a exit,never -F gid=9002 -k exclude

This should work as long as it's before the open rule. Rules are processed from top to bottom with first match winning.

>What would be the best way to approach this?

Fix the permissions if possible?

-Steve

>I have a few other apps with similar issues.
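Added illustration, not part of the thread: the script below decodes the quoted SYSCALL/PATH pair the way `ausearch -i` would (syscall name, open flags, errno) and applies the plain owner/group/other check that explains the EACCES, then repeats the check with the 0660 mode suggested in the reply. The records are copied from the event above; the lookup tables are small constructed ones covering only this event's values.

```python
import errno
import re

# Records copied from the event quoted in this thread (values unchanged).
SYSCALL_RECORD = (
    'type=SYSCALL msg=audit(1441022906.019:52947542): arch=c000003e syscall=2 '
    'success=no exit=-13 a0=996d68 a1=42 a2=1b6 a3=0 items=2 ppid=11855 '
    'pid=15755 auid=7538 uid=0 gid=9002 euid=4990 suid=4990 fsuid=4990 '
    'egid=9002 sgid=9002 fsgid=9002 tty=(none) ses=125779 comm="clBackup"'
)
PATH_RECORD = (
    'type=PATH msg=audit(1441022906.019:52947542): item=1 name=(null) inode=133 '
    'dev=fd:06 mode=0100640 ouid=0 ogid=9002 rdev=00:00'
)

# Constructed x86_64 lookup tables (arch=c000003e); only what this event needs.
SYSCALL_NAMES = {2: "open", 257: "openat"}
OPEN_FLAG_BITS = {0o100: "O_CREAT", 0o200: "O_EXCL", 0o1000: "O_TRUNC", 0o2000: "O_APPEND"}
ACCESS_MODES = {0: "O_RDONLY", 1: "O_WRONLY", 2: "O_RDWR"}

def parse_record(line):
    """Split an audit record into its key=value fields, dropping surrounding quotes."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=(\S+)', line)}

def decode_syscall(sc):
    """Interpret the raw fields as ausearch -i does: syscall name, open flags, errno."""
    flags = int(sc["a1"], 16)  # a1 of open(2) is the flags argument, logged in hex
    names = [ACCESS_MODES[flags & 0o3]] + [n for b, n in OPEN_FLAG_BITS.items() if flags & b]
    return {
        "syscall": SYSCALL_NAMES.get(int(sc["syscall"]), sc["syscall"]),
        "flags": names,
        "mode_arg": oct(int(sc["a2"], 16)),  # a2 is the create mode (only used on creation)
        "exit": errno.errorcode.get(-int(sc["exit"]), sc["exit"]),
    }

def dac_allows(sc, path, want_write):
    """Owner/group/other check only; capabilities, ACLs and supplementary groups are not logged."""
    mode = int(path["mode"], 8) & 0o777
    if int(sc["fsuid"]) == int(path["ouid"]):
        bits = (mode >> 6) & 0o7
    elif int(sc["fsgid"]) == int(path["ogid"]):
        bits = (mode >> 3) & 0o7
    else:
        bits = mode & 0o7
    needed = 0o6 if want_write else 0o4  # O_RDWR requires both read and write
    return bits & needed == needed

if __name__ == "__main__":
    sc, path = parse_record(SYSCALL_RECORD), parse_record(PATH_RECORD)
    print(decode_syscall(sc))
    print("0640 allows O_RDWR:", dac_allows(sc, path, True))
    print("0660 allows O_RDWR:", dac_allows(sc, dict(path, mode="0100660"), True))
```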
