public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "Thomas, Daniel J." <Daniel.Thomas@jhuapl.edu>
Subject: Re: Filtering
Date: Tue, 16 Jan 2007 14:47:05 -0500	[thread overview]
Message-ID: <200701161447.05986.sgrubb@redhat.com> (raw)
In-Reply-To: <FC11D747323EB24493CDC753367EEB9201A629DA@aplesnation.dom1.jhuapl.edu>

On Tuesday 16 January 2007 11:09, Thomas, Daniel J. wrote:
> We found that we really don't need to use any file watches at all, but
> rather capture exit code -13.  We also found that capturing exit code -1
> would catch failed attempts to change permissions, owner, attributes on the
> file. 
>
> Right now I have a problem with too many logs.

Yep. That is part of the problem in relying on syscall auditing only. You have 
to figure out how to limit the events so that you are recording what you are 
really wanting. This means getting rid of -S all and replacing it with the 
syscalls that only affect disk. 

The next thing is that you really can't be interested in failed accesses of 
everything. I'd look at limiting what you are auditing with devmajor/minor. 
You might even want to partition your system in such a way that it's easier to 
get what you want....that is if you find that there's no way to use watches.

> Any ideas?

Everything I can think of involves limiting syscalls, using devmajor/minor, 
and perhaps limiting with -F auid!=0 -F auid!=-1 to get rid of daemon and 
root cron/at access attempts.

-Steve
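The three limits Steve lists (a syscall list instead of -S all, devmajor/devminor of the filesystem you care about, exit codes -13/-1, and auid!=0 / auid!=-1) can be composed into audit rules mechanically. The following is an added example, not code from this thread or from the audit project: it looks up the device numbers backing a path with stat(2), emits one auditctl rule per arch and exit code, and then applies the same exit/auid filter to a few constructed SYSCALL records to show which of them such a rule would keep. The syscall list, the key name "disk-denied", and the sample records are assumptions for the example; tune the list to the syscalls you actually want to see.

```python
"""Generate auditctl rules for failed disk access, filtered the way the
linux-audit thread suggests, and check which audit records they keep."""
import errno
import os
import re

# Syscalls that touch on-disk objects; this replaces "-S all".
# Constructed list for the example: extend or trim it to your needs.
DISK_SYSCALLS = [
    "open", "openat", "creat", "truncate", "ftruncate",
    "unlink", "unlinkat", "rename", "renameat", "link", "symlink",
    "mkdir", "rmdir",
    "chmod", "fchmod", "fchmodat", "chown", "fchown", "lchown", "fchownat",
    "setxattr", "lsetxattr", "fsetxattr",
    "removexattr", "lremovexattr", "fremovexattr",
]

# Exit codes discussed in the thread: -13 is -EACCES, -1 is -EPERM.
DENIED_EXITS = (-errno.EACCES, -errno.EPERM)

# auid values the rule excludes: 0 is root, -1 (printed as 4294967295 in
# audit records) is "unset", i.e. daemons and anything not behind a login.
AUID_UNSET = 0xFFFFFFFF


def dev_numbers(path):
    """Return (major, minor) of the device backing `path`, for devmajor/devminor."""
    st = os.stat(path)
    return os.major(st.st_dev), os.minor(st.st_dev)


def build_rules(path, arches=("b64", "b32"), exits=DENIED_EXITS, key="disk-denied"):
    """One rule per arch and exit code, restricted to one filesystem and to
    logged-in, non-root users."""
    major, minor = dev_numbers(path)
    syscalls = ",".join(DISK_SYSCALLS)
    rules = []
    for arch in arches:
        for code in exits:
            rules.append(
                f"-a always,exit -F arch={arch} -S {syscalls} "
                f"-F devmajor={major} -F devminor={minor} "
                f"-F exit={code} -F auid!=0 -F auid!=-1 -k {key}"
            )
    return rules


def parse_record(line):
    """Split an audit record into its key=value fields (quotes stripped)."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}


def record_kept(line, exits=DENIED_EXITS):
    """Apply the exit and auid part of the filter to one SYSCALL record."""
    rec = parse_record(line)
    if rec.get("type") != "SYSCALL":
        return False
    try:
        exit_code = int(rec["exit"])
        auid = int(rec["auid"])
    except (KeyError, ValueError):
        return False
    return exit_code in exits and auid not in (0, AUID_UNSET)


# Constructed sample records (not real audit output). syscall=2 is open and
# syscall=90 is chmod on x86_64.
SAMPLE_RECORDS = [
    # logged-in user denied permission on a file: kept
    'type=SYSCALL msg=audit(1168976825.123:456): arch=c000003e syscall=2 '
    'success=no exit=-13 auid=500 uid=500 comm="vi" exe="/usr/bin/vim"',
    # root cron job refused a chmod: dropped by auid!=0
    'type=SYSCALL msg=audit(1168976826.001:457): arch=c000003e syscall=90 '
    'success=no exit=-1 auid=0 uid=0 comm="chmod" exe="/bin/chmod"',
    # daemon started at boot, auid unset: dropped by auid!=-1
    'type=SYSCALL msg=audit(1168976827.500:458): arch=c000003e syscall=2 '
    'success=no exit=-13 auid=4294967295 uid=48 comm="httpd" exe="/usr/sbin/httpd"',
    # file not found is not a permission failure: dropped by the exit filter
    'type=SYSCALL msg=audit(1168976828.250:459): arch=c000003e syscall=2 '
    'success=no exit=-2 auid=500 uid=500 comm="cat" exe="/bin/cat"',
]


if __name__ == "__main__":
    for rule in build_rules("/"):
        print(rule)
    for line in SAMPLE_RECORDS:
        print("kept" if record_kept(line) else "dropped", "->", line[:80])
```

Run it with the mount point you want to watch and paste the printed lines into /etc/audit/audit.rules (or load them with auditctl -R). The -F arch= field is required on current kernels for any rule that names syscalls; the -F auid!=-1 spelling from the thread is still accepted and can also be written as 4294967295 or, on recent auditctl, as unset. The devmajor/devminor pair only narrows the rule to one filesystem; the PATH record that accompanies each SYSCALL record is where the matched dev and inode show up in the log.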

Thread overview:
     [not found] <FC11D747323EB24493CDC753367EEB92019FA48D@aplesnation.dom1.jhuapl.edu>
     [not found] ` <200701151457.51419.sgrubb@redhat.com>
2007-01-16 16:09   ` Filtering Thomas, Daniel J.
2007-01-16 19:47     ` Steve Grubb [this message]
