From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: configuration for busy docker host
Date: Mon, 20 Aug 2018 13:48:51 -0400
Message-ID: <1898518.JS7Fg7ejBs@x2>
References: <28615add-906a-b86a-2d02-db5ae33898d9@genkgo.nl>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <28615add-906a-b86a-2d02-db5ae33898d9@genkgo.nl>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday, August 20, 2018 5:56:04 AM EDT Frederik Bosch wrote:
> As I have not found a location anywhere else on the web, I am sending my
> question to this list. I have an Ubuntu 18.04 machine with auditd and it
> acts as a Docker Host machine. I have hardened the system via this
> package: https://github.com/konstruktoid/hardening which installs auditd
> with the configuration to be found here:
> https://github.com/konstruktoid/hardening/blob/master/misc/audit.rules.

These rules could be improved upon by condensing:

# File deletions
# Capture all unauthorized file accesses
# Capture all failures to access on critical elements
# Permissions

down to 2 rules in each, 4 for the second one. That, however, is not the 
actual problem. My guess is that it is capturing way more information than is 
necessary.

> The problems I have are related to the directives -f and -b. The
> hardening package uses -b 8192 and -f 2. That results in a kernel panic
> very quickly because of audit backlog limit exceeded, and that causes a
> reboot of the system. Now I wonder what a good configuration would be. I
> started reading on the subject and read that -f 2 is probably the best
> for security reasons. However, I do not want to have a system that
> panics very quickly and reboots.

I'd say that you need to run:

aureport --start today --key --summary

and see what rule is triggering all the events. Do you really want all 
deletes? Or just deletes in a specific directory? Do you really want to know 
that a user changed dir permissions on a file in their homedir?

> Should I simply increase the backlog to much higher numbers? Or should I
> change -f to not cause a kernel panic? Or am I missing something and
> should I change some other configuration? Thanks for your help.

For the moment change -f not to cause a kernel panic. I think the rules are 
probably too aggressive.

-Steve