From: Steve Grubb <sgrubb@redhat.com>
To: "Bhagwat, Shriniketan Manjunath" <shriniketan.bhagwat@hpe.com>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: Re: Audit reporting Invalid argument
Date: Wed, 11 May 2016 15:52:02 -0400
Message-ID: <1581661.ndI2rhVsuG@x2>
In-Reply-To: <8FC6AD31395616439ECBCD98E071A87F4BF15146@G4W3202.americas.hpqcorp.net>
On Wednesday, May 11, 2016 11:19:07 AM Bhagwat, Shriniketan Manjunath wrote:
> Thanks for the response. Your response cleared many of my doubts. I need one
> clarity on use of Linux capability CAP_AUDIT_CONTROL.
>
> My understanding is that, only root user can start/stop audit service and
> configure auditctl rules. auditctl.c and auditd.c specifically check for
> uid to be zero. The man page says CAP_AUDIT_CONTROL " Enable and disable
> kernel auditing; change auditing filter rules; retrieve auditing status and
> filtering rules." Does this mean, a process with CAP_AUDIT_CONTROL
> capability running from non root account will be able to start/stop audit
> and configure auditctl rules?
Not today. The check for uid 0 is a poor man's check for CAP_AUDIT_CONTROL. I
have not revisited the checks since allowing libcap-ng to link with other
components.
> Are there any documentation about how to use
> CAP_AUDIT_CONTROL capability and how it is related to audit?
Very little. It's mostly reading source code.
> Is it possible to suppress events for a file for the set of specific
> syscalls? Example: Using the below rule I want to suppress audit event only
> for chmod syscall for file /tmp/read_only. However below rule not only
> suppresses the audit event for chmod syscall but also for other syscalls
> for /tmp/read_only file.
>
> # auditctl -a never,exit -F arch=x86_64 -F path=/tmp/read_only -S chmod
This is how I would try to write it. If that suppresses more syscalls than
chmod and you can give us a reproducer, I think it should go in the new github
issue tracker for the kernel.
-Steve
> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb@redhat.com]
> Sent: Monday, May 09, 2016 7:20 PM
> To: linux-audit@redhat.com
> Cc: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat@hpe.com>
> Subject: Re: Audit reporting Invalid argument
>
> On Monday, May 09, 2016 01:40:58 PM Bhagwat, Shriniketan Manjunath wrote:
> > I am trying to monitor multiple files using Linux audit. In order to
> > get better performance, I am trying to reduce number of rules. If I
> > specify more than one path field as in below example I am getting
> > "Invalid argument".
> >
> > Example1:
> > # auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F path=/home/secpack/test -S open
> > Error sending add rule data request (Invalid argument)
> >
> > # auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F dir=/tmp/ -S open
> > Error sending add rule data request (Invalid argument)
> >
> > However, I am able to create a single rule to monitor multiple PIDs or
> > UIDs as below.
> >
> > Example2:
> > # auditctl -a always,exit -F arch=x86_64 -F pid=3526 -F pid=3537
> > # auditctl -a always,exit -F arch=x86_64 -F auid=0 -F auid=512 -F auid=1002
>
> Which will produce no events due to the anding you mention below. Something
> cannot have both pid 3526 and 3537.
> > As per the auditctl man page, Build a rule field takes up to 64 fields
> > on a single command line. Each one must start with -F. Each field
> > equation is anded with each other to trigger an audit record. My
> > questions are: 1. Is specifying more than one path field as in example1 valid?
>
> Nope.
>
> > 2. If not valid, then how do I create a single audit rule to monitor
> > multiple files/directories?
>
> They need to be separate rules. You can also recursively watch a directory
> with 'dir'.
> > 3. If valid, then why "Invalid argument" is reported?
> > 4. To monitor 10 files, should 10 audit rules required?
>
> Possibly.
>
> > 5. If 10 rules are required, how do I optimize the rules for performance?
>
> The filesystem watches are very efficient. You can probably put a 100
> watches on random files and you will not be able to see any performance hit
> unless they are actually triggered. Syscall rules on the other hand do
> affect performance.
> > My next question is does Linux audit support regular expressions?
>
> No. The kernel pretty much wants things to be numbers rather than strings.
>
> > How do I create audit rule to monitor /var/log/*.log?
>
> -a always,exit -F dir=/var/log/audit/ -F perm=wa -F key=write-audit-log
>
> -Steve
>
> > # auditctl -a always,exit -F arch=x86_64 -F path=^/var/log/*.log$ -S open
> > Error sending add rule data request (Invalid argument)
> >
> > If my questions are already documented, please guide me to the
> > documentation.
> >
> > Regards,
> > Ketan
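Turning the answers in this thread into loadable rules, as an added example that is not part of the thread or of the audit project: a small POSIX sh helper that emits one rule per file (since a second -F path= in one rule is rejected with "Invalid argument"), one recursive dir watch in place of a glob, one rule per pid (since ANDed pid fields can never match), and a lint that flags those two mistakes before a rules file is loaded. The arch value and key names are assumptions chosen here.

```shell
#!/bin/sh
# Added example, not from the thread. Emits rules in /etc/audit/rules.d syntax:
# one auditctl argument list per line, loadable with "auditctl -R <file>".

# One syscall rule per file. Fields in a rule are ANDed, so a second
# "-F path=" can never match and the kernel rejects it with "Invalid argument".
gen_file_watch_rules() {
    key=$1; shift
    for f in "$@"; do
        printf '%s\n' "-a always,exit -F arch=x86_64 -F path=$f -F perm=wa -F key=$key"
    done
}

# A recursive 'dir' watch stands in for a glob such as /var/log/*.log;
# audit rules have no regular expression support.
gen_dir_watch_rule() {
    printf '%s\n' "-a always,exit -F dir=$2 -F perm=wa -F key=$1"
}

# One rule per pid, for the same reason: "-F pid=A -F pid=B" matches nothing.
gen_pid_rules() {
    key=$1; shift
    for p in "$@"; do
        printf '%s\n' "-a always,exit -F arch=x86_64 -F pid=$p -F key=$key"
    done
}

# Lint a single rule line before loading it: fail on a second path/dir field
# (rejected by the kernel) or a second pid field (a rule that can never fire).
validate_rule() {
    n_path=0; n_pid=0
    for tok in $1; do
        case $tok in
            path=*|dir=*) n_path=$((n_path + 1)) ;;
            pid=*) n_pid=$((n_pid + 1)) ;;
        esac
    done
    [ "$n_path" -le 1 ] && [ "$n_pid" -le 1 ]
}

# Number of rule lines in a generated block.
count_rules() {
    printf '%s\n' "$1" | grep -c '^-a '
}

# Stand-alone run: two files become two rules, plus the dir watch from the thread.
gen_file_watch_rules secpack /home/secpack/test.c /home/secpack/test
gen_dir_watch_rule write-audit-log /var/log/audit/
```

Run the generated lines through validate_rule before writing them to a rules file; auditctl will reject the same combinations, but at load time rather than in review.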