public inbox for linux-audit@redhat.com
* When is EOE generated?
@ 2019-09-11  3:55 Giovanni Panepinto
  2019-09-11 21:19 ` Steve Grubb
  0 siblings, 1 reply; 4+ messages in thread
From: Giovanni Panepinto @ 2019-09-11  3:55 UTC (permalink / raw)
  To: linux-audit; +Cc: Matthew Bobrowski

Hello all,

According to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security_guide/sec-audit_record_types , the record EOE gets generated to represent "the end of a multi-record event."

In my audit logs, I can see that for some events, EOE doesn't get generated.

Log sample:
type=SYSCALL msg=audit(1568174009.456:2069021): arch=c000003e syscall=2 success=yes exit=3 a0=7ffcaf5b3915 a1=941 a2=1b6 a3=7c9bd777 items=2 ppid=22527 pid=23323 auid=1012 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6417 comm="touch" exe="/usr/bin/touch" key="usr_local_bin_change"
type=PATH msg=audit(1568174009.456:2069021): item=0 name="/usr/local/bin/" inode=12583209 dev=fe:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1568174009.456:2069021): item=1 name="/usr/local/bin/myfile1" inode=12599538 dev=fe:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=UNKNOWN[1327] msg=audit(1568174009.456:2069021): proctitle=746F756368002F7573722F6C6F63616C2F62696E2F6D7966696C6531


Auditd version:
2.3.6

Following rule set:

-D
-b 4096
-w /etc/sudoers -p wa -k sysadmin-scope
-w /etc/sudoers.d -p wa -k sysadmin-scope
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S umount2 -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S umount2 -F auid>=500 -F auid!=4294967295 -k mounts
-w /var/log/sudo.log -p wa -k sysadmin-actions
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F path=/usr/lib/utempter/utempter -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/expiry -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/lib/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/sbin/mount.nfs -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exclude -F msgtype=CWD
-a always,exclude -F msgtype=CRYPTO_KEY_USER
-a never,exit -F dir=/sys/fs/cgroup
-a never,exit -F dir=/run/systemd/journal
-a never,exit -F uid=1002
-a never,exit -F uid=1003
-a never,exit -F uid=521
-a always,exit -F perm=w -F dir=/sbin -F arch=b64 -F success=1 -F key=sbin_write
-a always,exit -F perm=a -F dir=/sbin -F arch=b64 -F success=1 -F key=sbin_attribute_change
-a always,exit -F perm=a -F path=/var/log/messages -F arch=b64 -F success=1 -F key=var_log_messages_change
-a always,exit -F arch=b64 -S unlink  -F path=/var/log/messages -F success=1 -F key=var_log_messages_delete
-a always,exit -F perm=w -F dir=/usr/sbin -F arch=b64 -F success=1 -F key=usr_sbin_write
-a always,exit -F perm=a -F dir=/usr/sbin -F arch=b64 -F success=1 -F key=usr_sbin_attribute_change
-a always,exit -F arch=b64 -S unlink  -F path=/etc/ssh/sshd_config -F success=1 -F key=sshd_config_delete
-a always,exit -F perm=wa -F path=/etc/ssh/sshd_config -F arch=b64 -F success=1 -F key=sshd_config_change
-a always,exit -F arch=b64 -S unlink  -F path=/var/log/dmesg -F success=1 -F key=var_log_dmesg_delete
-a always,exit -F perm=a -F path=/var/log/dmesg -F arch=b64 -F success=1 -F key=var_log_dmesg_change
-a always,exit -F arch=b64 -S unlink  -F path=/var/log/faillog -F success=1 -F key=var_log_faillog_delete
-a always,exit -F perm=a -F path=/var/log/faillog -F arch=b64 -F success=1 -F key=var_log_faillog_change
-a always,exit -F arch=b64 -S unlink  -F path=/var/log/utmp -F success=1 -F key=var_log_utmp_delete
-a always,exit -F perm=a -F path=/var/log/utmp -F arch=b64 -F success=1 -F key=var_log_utmp_change
-a always,exit -F arch=b64 -S unlink  -F path=/var/log/user.log -F success=1 -F key=var_log_user_delete
-a always,exit -F perm=a -F path=/var/log/user.log -F arch=b64 -F success=1 -F key=var_log_user_change
-a always,exit -F arch=b64 -S unlink  -F path=/var/log/auth.log -F success=1 -F key=var_log_auth_delete
-a always,exit -F perm=a -F path=/var/log/auth.log -F arch=b64 -F success=1 -F key=var_log_auth_change
-a always,exit -F arch=b64 -S unlink  -F path=/etc/login.defs -F success=1 -F key=etc_logindefs_delete
-a always,exit -F perm=aw -F path=/etc/login.defs -F arch=b64 -F success=1 -F key=etc_logindefs_change
-a always,exit -F perm=w -F dir=/usr/bin -F arch=b64 -F success=1 -F key=usr_bin_write
-a always,exit -F perm=a -F dir=/usr/bin -F arch=b64 -F success=1 -F key=usr_bin_attribute_change
-a always,exit -F arch=b64 -S unlink  -F path=/etc/passwd -F success=1 -F key=etc_passwd_delete
-a always,exit -F perm=aw -F path=/etc/passwd -F arch=b64 -F success=1 -F key=etc_passwd_change
-a always,exit -F arch=b64 -S unlink  -F path=/var/log/boot.log -F success=1 -F key=var_log_boot_delete
-a always,exit -F perm=a -F path=/var/log/boot.log -F arch=b64 -F success=1 -F key=var_log_boot_change
-a always,exit -F arch=b64 -S unlink  -F path=/var/log/kern.log -F success=1 -F key=var_log_kernlog_delete
-a always,exit -F perm=a -F path=/var/log/kern.log -F arch=b64 -F success=1 -F key=var_log_kernlog_change
-a always,exit -F arch=b64 -S unlink  -F path=/var/log/btmp -F success=1 -F key=var_log_btmp_delete
-a always,exit -F perm=a -F path=/var/log/btmp -F arch=b64 -F success=1 -F key=var_log_btmp_change
-a always,exit -F arch=b64 -S unlink  -F path=/var/log/wtmp -F success=1 -F key=var_log_wtmp_delete
-a always,exit -F perm=a -F path=/var/log/wtmp -F arch=b64 -F success=1 -F key=var_log_wtmp_change
-a always,exit -F arch=b64 -S unlink  -F path=/etc/pam.d/common-password -F success=1 -F key=etc_pam_commonpassword_delete
-a always,exit -F perm=aw -F path=/etc/pam.d/common-password -F arch=b64 -F success=1 -F key=etc_pam_commonpassword_change
-a always,exit -F arch=b64 -S unlink  -F path=/var/log/syslog -F success=1 -F key=var_log_syslog_delete
-a always,exit -F perm=a -F path=/var/log/syslog -F arch=b64 -F success=1 -F key=var_log_syslog_change
-a always,exit -F perm=aw -F dir=/boot -F arch=b64 -F success=1 -F key=boot_change
-a always,exit -F arch=b64 -S unlink  -F path=/etc/sudoers -F success=1 -F key=etc_sudoers_delete
-a always,exit -F perm=aw -F path=/etc/sudoers -F arch=b64 -F success=1 -F key=etc_sudoers_change
-a always,exit -F arch=b64 -S unlink  -F path=/etc/shadow -F success=1 -F key=etc_shadow_delete
-a always,exit -F perm=aw -F path=/etc/shadow -F arch=b64 -F success=1 -F key=etc_shadow_change
-a always,exit -F perm=aw -F dir=/usr/local/bin -F arch=b64 -F success=1 -F key=usr_local_bin_change
-a always,exit -F arch=b64 -S unlink  -F path=/var/log/cron -F success=1 -F key=var_log_cron_delete
-a always,exit -F perm=a -F path=/var/log/cron -F arch=b64 -F success=1 -F key=var_log_cron_change
-a always,exit -F perm=aw -F dir=/bin -F arch=b64 -F success=1 -F key=bin_change
-a always,exit -F perm=w -F dir=/usr/local/sbin -F arch=b64 -F success=1 -F key=usr_local_sbin_write
-a always,exit -F perm=a -F dir=/usr/local/sbin -F arch=b64 -F success=1 -F key=usr_local_sbin_attribute_change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-w /etc/apparmor -p wa -k MAC-policy
-w /etc/selinux -p wa -k MAC-policy
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity

So my question is, what defines a multi-record event? And why is EOE not generated when I create a file under /usr/local/bin?

-- 
Kind Regards,
Giovanni

^ permalink raw reply	[flat|nested] 4+ messages in thread

* Re: When is EOE generated?
  2019-09-11  3:55 When is EOE generated? Giovanni Panepinto
@ 2019-09-11 21:19 ` Steve Grubb
  2019-09-12  0:59   ` Giovanni Panepinto
  0 siblings, 1 reply; 4+ messages in thread
From: Steve Grubb @ 2019-09-11 21:19 UTC (permalink / raw)
  To: linux-audit; +Cc: Matthew Bobrowski, Giovanni Panepinto

Hello,

On Tuesday, September 10, 2019 11:55:58 PM EDT Giovanni Panepinto wrote:
> According to
> https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/h
> tml/security_guide/sec-audit_record_types , the record EOE gets generated
> to represent "the end of a multi-record event."
> 
> In my audit logs, I can see that for some events, EOE doesn't get
> generated.

<snip>

> So my question is, what defines a multi-record event? And why is EOE not
> generated when I create a file under /usr/local/bin?

The EOE record is stripped by the audit daemon to save disk space. The audit 
libraries and utilities use heuristics to determine the end of an event. So, 
if you are parsing events with auparse, it will figure out the end of the 
event and group all related records for you. The EOE record is passed along 
to the real-time interface just in case it helps to mark an event complete 
before the heuristics determine it is complete.

-Steve


* Re: When is EOE generated?
  2019-09-11 21:19 ` Steve Grubb
@ 2019-09-12  0:59   ` Giovanni Panepinto
  2019-09-12 12:55     ` Steve Grubb
  0 siblings, 1 reply; 4+ messages in thread
From: Giovanni Panepinto @ 2019-09-12  0:59 UTC (permalink / raw)
  To: Steve Grubb, linux-audit; +Cc: Matthew Bobrowski

Thanks for the response Steve.

What exact criteria does the daemon use when it strips EOE? Is it purely based on the size of the event or remaining disk space, or something else?

That leads me to the next question, can I force it to log EOE regardless?

-- 
Kind Regards,
Giovanni

On Thu, Sep 12, 2019, at 07:19, Steve Grubb wrote:
> Hello,
> 
> On Tuesday, September 10, 2019 11:55:58 PM EDT Giovanni Panepinto wrote:
> > According to
> > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/h
> > tml/security_guide/sec-audit_record_types , the record EOE gets generated
> > to represent "the end of a multi-record event."
> > 
> > In my audit logs, I can see that for some events, EOE doesn't get
> > generated.
> 
> <snip>
> 
> > So my question is, what defines a multi-record event? And why is EOE not
> > generated when I create a file under /usr/local/bin?
> 
> The EOE record is stripped by the audit daemon to save disk space. The audit 
> libraries and utilities use heuristics to determine the end of an event. So, 
> if you are parsing events with auparse, it will figure out the end of the 
> event and group all related records for you. The EOE record is passed along 
> to the real-time interface just in case it helps to mark an event complete 
> before the heuristics determine it is complete.
> 
> -Steve


* Re: When is EOE generated?
  2019-09-12  0:59   ` Giovanni Panepinto
@ 2019-09-12 12:55     ` Steve Grubb
  0 siblings, 0 replies; 4+ messages in thread
From: Steve Grubb @ 2019-09-12 12:55 UTC (permalink / raw)
  To: Giovanni Panepinto; +Cc: Matthew Bobrowski, linux-audit

On Wednesday, September 11, 2019 8:59:32 PM EDT Giovanni Panepinto wrote:
> Thanks for the response Steve.
> 
> What exact criteria does the daemon use when it strips EOE?

Is it going to disk? If so, it's stripped.

> Is it purely based on the size of the event or remaining disk space or?
> 
> That leads me to the next question, can I force it to log EOE regardless?

You can always modify the audit daemon's source code.  Just remove the "if" 
statement here:

https://github.com/linux-audit/audit-userspace/blob/master/src/auditd.c#L283

so that it always calls handle_event(), which writes it to disk. But that leads 
me to the question of why would you need to do that? Is auparse not working 
for you?

-Steve

> > On Tuesday, September 10, 2019 11:55:58 PM EDT Giovanni Panepinto wrote:
> > > According to
> > > https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/
> > > 6/h
> > > tml/security_guide/sec-audit_record_types , the record EOE gets
> > > generated
> > > to represent "the end of a multi-record event."
> > > 
> > > In my audit logs, I can see that for some events, EOE doesn't get
> > > generated.
> > 
> > <snip>
> > 
> > > So my question is, what defines a multi-record event? And why is EOE
> > > not
> > > generated when I create a file under /usr/local/bin?
> > 
> > The EOE record is stripped by the audit daemon to save disk space. The
> > audit libraries and utilities use heuristics to determine the end of an
> > event. So, if you are parsing events with auparse, it will figure out
> > the end of the event and group all related records for you. The EOE
> > record is passed along to the real-time interface just in case it helps
> > to mark an event complete before the heuristics determine it is
> > complete.
> > 
> > -Steve

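What Steve describes in his two replies is the contract a log consumer has to live with: records of one event share the msg=audit(TIME:SERIAL) identifier, an EOE record is only delivered on the real-time (audispd) path, and anything reading audit.log from disk has to decide on its own when an event is complete. The following Python is an added example written for this thread, not auparse or auditd code, showing both paths over the records from the original post. It groups records by serial, closes an event immediately when an EOE for that serial arrives, and otherwise closes it heuristically once a newer record is more than an assumed MAX_AGE window past the event's first record; the age window, the choice to drop the EOE line itself, and the USER_LOGIN and EOE sample lines are this example's assumptions and constructed input, not auparse's exact rules or data from the post. It also decodes the proctitle field of the UNKNOWN[1327] record (record type 1327 is PROCTITLE, which the poster's older userspace cannot name).

```python
"""Group raw Linux audit records into events. Added example, not auparse or
auditd code: EOE (real-time path) closes an event at once; with EOE stripped
(on-disk audit.log) an event is closed heuristically by age (assumed window).
"""
import re
from collections import OrderedDict

MAX_AGE = 2.0  # seconds; assumed window after which an open event cannot grow

RECORD_RE = re.compile(
    r"^type=(?P<type>\S+)\s+msg=audit\((?P<time>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)


def parse_record(line):
    """Split one audit line into type, timestamp, serial and its field text."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    return {"type": m["type"], "time": float(m["time"]),
            "serial": int(m["serial"]), "body": m["body"]}


def decode_proctitle(body):
    """PROCTITLE (type 1327, printed as UNKNOWN[1327] by old userspace) holds
    the command line hex-encoded with NUL separators; return it as text."""
    m = re.search(r"proctitle=([0-9A-Fa-f]+)", body)
    if not m:
        return None
    return bytes.fromhex(m.group(1)).replace(b"\x00", b" ").decode("utf-8", "replace")


class EventAssembler:
    def __init__(self, max_age=MAX_AGE):
        self.max_age = max_age
        self.open = OrderedDict()  # serial -> records in arrival order
        self.closed_by = {}        # serial -> "eoe" | "heuristic" | "flush"

    def feed(self, line):
        """Consume one line; return the events it completed (lists of records)."""
        rec = parse_record(line)
        if rec is None:
            return []
        done = []
        if rec["type"] == "EOE":
            # Explicit terminator from the real-time path: close now. The EOE
            # line carries no fields, so it is not kept as a record.
            recs = self.open.pop(rec["serial"], None)
            if recs is not None:
                self.closed_by[rec["serial"]] = "eoe"
                done.append(recs)
            return done
        self.open.setdefault(rec["serial"], []).append(rec)
        # Heuristic for the on-disk path: any other open event whose first
        # record is older than max_age relative to the newest timestamp is done.
        for serial in list(self.open):
            if serial != rec["serial"] and rec["time"] - self.open[serial][0]["time"] > self.max_age:
                self.closed_by[serial] = "heuristic"
                done.append(self.open.pop(serial))
        return done

    def flush(self):
        """End of input: whatever is still open is complete by definition."""
        done = list(self.open.values())
        for serial in self.open:
            self.closed_by[serial] = "flush"
        self.open.clear()
        return done


def assemble(text, max_age=MAX_AGE):
    """Group every line of text into events; returns (events, assembler)."""
    asm = EventAssembler(max_age)
    events = []
    for line in text.splitlines():
        events.extend(asm.feed(line))
    events.extend(asm.flush())
    return events, asm


# First four lines: the records from the original post. The USER_LOGIN line
# (and the EOE line below) are constructed for this example.
DISK_LOG = """\
type=SYSCALL msg=audit(1568174009.456:2069021): arch=c000003e syscall=2 success=yes exit=3 a0=7ffcaf5b3915 a1=941 a2=1b6 a3=7c9bd777 items=2 ppid=22527 pid=23323 auid=1012 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6417 comm="touch" exe="/usr/bin/touch" key="usr_local_bin_change"
type=PATH msg=audit(1568174009.456:2069021): item=0 name="/usr/local/bin/" inode=12583209 dev=fe:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1568174009.456:2069021): item=1 name="/usr/local/bin/myfile1" inode=12599538 dev=fe:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=UNKNOWN[1327] msg=audit(1568174009.456:2069021): proctitle=746F756368002F7573722F6C6F63616C2F62696E2F6D7966696C6531
type=USER_LOGIN msg=audit(1568174015.001:2069022): pid=1 uid=0 auid=1012 ses=6417 msg='op=login id=1012 exe="/usr/sbin/sshd" res=success'
"""

# The same syscall event as an audispd plugin would see it, EOE included.
REALTIME_LOG = "\n".join(DISK_LOG.splitlines()[:4]) + "\ntype=EOE msg=audit(1568174009.456:2069021): \n"

if __name__ == "__main__":
    for label, text in (("disk", DISK_LOG), ("realtime", REALTIME_LOG)):
        events, asm = assemble(text)
        for recs in events:
            serial = recs[0]["serial"]
            print(f"{label}: event {serial} closed by {asm.closed_by[serial]}:",
                  [r["type"] for r in recs])
            for r in recs:
                if r["type"] in ("PROCTITLE", "UNKNOWN[1327]"):
                    print("   proctitle:", decode_proctitle(r["body"]))
```

On the disk input the touch event is only closed when the later USER_LOGIN record arrives, which is the latency cost of heuristic completion that Steve's remark about the real-time interface alludes to; on the real-time input the EOE closes it as soon as it is read. A consumer that needs EOE on disk can patch auditd as Steve suggests, but the usual answer is to consume events through auparse (or an audispd plugin) rather than to parse audit.log by hand.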

2019-09-11  3:55 When is EOE generated? Giovanni Panepinto
2019-09-11 21:19 ` Steve Grubb
2019-09-12  0:59   ` Giovanni Panepinto
2019-09-12 12:55     ` Steve Grubb