* Filtering
From: Thomas, Daniel J. @ 2007-01-16 16:09 UTC
To: linux-audit
Hello List,
Karen and I have been making good progress with our RHEL4 distro. Once
we got the kernel updated as suggested, we're getting logs captured
correctly. We found that we really don't need to use any file watches
at all, but rather capture exit code -13. We also found that capturing
exit code -1 would catch failed attempts to change permissions, owner,
attributes on the file.
Right now I have a problem with too many logs. We are seeing events
captured from opening and closing terminal windows both as root or as a
regular user.
I'm doing the following:
-a exit,always -S all -F exit=-13
-a exit,always -S 90 -F exit=-1
-a exit,always -S 92 -F exit=-1
By specifying the sys calls for exit code -13, it reduced the chatter
some, but still captured what we needed. I still get stuff from exit
code -13 however when I just open a terminal window. Here is an
example:
As root:
type=SYSCALL msg=audit(1168961366.396:39898): arch=c000003e syscall=21 success=no exit=-13 a0=6c4550 a1=1 a2=11 a3=0 items=1 pid=9636 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bash" exe="/bin/bash"
type=CWD msg=audit(1168961366.396:39898): cwd="/root"
type=PATH msg=audit(1168961366.396:39898): name="/etc/bashrc" flags=401 inode=7553057 dev=08:05 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1168961366.416:39899): arch=c000003e syscall=21 success=no exit=-13 a0=6c7850 a1=1 a2=11 a3=2 items=1 pid=9636 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bash" exe="/bin/bash"
type=CWD msg=audit(1168961366.416:39899): cwd="/root"
type=PATH msg=audit(1168961366.416:39899): name="/etc/sysconfig/i18n" flags=401 inode=7556479 dev=08:05 mode=0100644 ouid=0 ogid=0 rdev=00:00
As user karen:
type=SYSCALL msg=audit(1168961386.899:39900): arch=c000003e syscall=2 success=no exit=-13 a0=33e7d192fa a1=2 a2=2 a3=8 items=1 pid=9654 auid=4294967295 uid=501 gid=100 euid=501 suid=501 fsuid=501 egid=100 sgid=100 fsgid=100 comm="tcsh" exe="/bin/tcsh"
type=CWD msg=audit(1168961386.899:39900): cwd="/home/karen"
type=PATH msg=audit(1168961386.899:39900): name="/var/run/utmp" flags=101 inode=1867783 dev=08:02 mode=0100664 ouid=0 ogid=22 rdev=00:00
I thought maybe I could filter using flags 401 and 101, but I don't see
a way to do that. I also thought maybe using the arguments to syscall,
but they don't really seem constant enough to be certain of.
Any ideas?
Thanks!
-Dan Thomas
* Re: Filtering
From: Steve Grubb @ 2007-01-16 19:47 UTC
To: linux-audit; +Cc: Thomas, Daniel J.
On Tuesday 16 January 2007 11:09, Thomas, Daniel J. wrote:
> We found that we really don't need to use any file watches at all, but
> rather capture exit code -13. We also found that capturing exit code -1
> would catch failed attempts to change permissions, owner, attributes on the
> file.
>
> Right now I have a problem with too many logs.
Yep. That is part of the problem in relying on syscall auditing only. You have
to figure out how to limit the events so that you are recording what you
really want. This means getting rid of -S all and replacing it with the
syscalls that only affect disk.
The next thing is that you really can't be interested in failed accesses of
everything. I'd look at limiting what you are auditing with devmajor/minor.
You might even want to partition your system in such a way that it's easier to
get what you want... that is, if you find that there's no way to use watches.
> Any ideas?
Everything I can think of involves limiting syscalls, using devmajor/minor,
and perhaps limiting with -F auid!=0 -F auid!=-1 to get rid of daemon and
root cron/at access attempts.
-Steve
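The following is an added example, not code from either message in this thread. It takes the three event groups Dan posted (re-joined onto one line per record) and evaluates the narrowing Steve suggests: dropping -S all in favour of named syscalls, adding -F devmajor/-F devminor, and excluding auid 0 and -1. The syscall names assume x86_64, which arch=c000003e in the records confirms (2=open, 21=access, 90=chmod, 92=chown). Note that all three events Dan posted carry auid=4294967295, i.e. -1, so as posted the auid filter would suppress them all; that filter only separates interactive users from daemons once the login path actually sets the login uid, which is an assumption this example does not check.

```python
"""Added example (not from the linux-audit thread): parse the posted
SYSCALL/CWD/PATH records and see which of them each candidate rule keeps."""
import re

# Constructed from the three event groups in Dan's post, wrapped lines re-joined.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1168961366.396:39898): arch=c000003e syscall=21 success=no exit=-13 a0=6c4550 a1=1 a2=11 a3=0 items=1 pid=9636 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bash" exe="/bin/bash"
type=CWD msg=audit(1168961366.396:39898): cwd="/root"
type=PATH msg=audit(1168961366.396:39898): name="/etc/bashrc" flags=401 inode=7553057 dev=08:05 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1168961366.416:39899): arch=c000003e syscall=21 success=no exit=-13 a0=6c7850 a1=1 a2=11 a3=2 items=1 pid=9636 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm="bash" exe="/bin/bash"
type=CWD msg=audit(1168961366.416:39899): cwd="/root"
type=PATH msg=audit(1168961366.416:39899): name="/etc/sysconfig/i18n" flags=401 inode=7556479 dev=08:05 mode=0100644 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1168961386.899:39900): arch=c000003e syscall=2 success=no exit=-13 a0=33e7d192fa a1=2 a2=2 a3=8 items=1 pid=9654 auid=4294967295 uid=501 gid=100 euid=501 suid=501 fsuid=501 egid=100 sgid=100 fsgid=100 comm="tcsh" exe="/bin/tcsh"
type=CWD msg=audit(1168961386.899:39900): cwd="/home/karen"
type=PATH msg=audit(1168961386.899:39900): name="/var/run/utmp" flags=101 inode=1867783 dev=08:02 mode=0100664 ouid=0 ogid=22 rdev=00:00
"""

AUID_UNSET = 4294967295  # how the kernel prints auid == -1 (login uid never set)
# x86_64 (arch=c000003e) numbers for the syscalls named in the thread
SYSCALL_NAMES = {2: "open", 21: "access", 90: "chmod", 92: "chown"}
NUMERIC = {"syscall", "exit", "pid", "auid", "uid", "gid", "euid", "suid",
           "fsuid", "egid", "sgid", "fsgid", "items", "ouid", "ogid", "inode"}

RECORD_RE = re.compile(r'^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_events(text):
    """Merge the records sharing one serial into a single dict per event.
    dev=MM:mm is split into devmajor/devminor (both halves are hex)."""
    events = {}
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue
        _rtype, _ts, serial, rest = m.groups()
        ev = events.setdefault(int(serial), {"serial": int(serial)})
        for key, val in FIELD_RE.findall(rest):
            val = val.strip('"')
            if key == "dev":
                major, minor = val.split(":")
                ev["devmajor"], ev["devminor"] = int(major, 16), int(minor, 16)
            elif key in NUMERIC:
                ev[key] = int(val)
            else:
                ev[key] = val
    return events


def rule_matches(ev, syscalls=None, exit_code=None,
                 devmajor=None, devminor=None, auid_not=()):
    """Evaluate an auditctl exit rule (subset of -S/-F clauses) on one event."""
    if syscalls is not None and ev["syscall"] not in syscalls:
        return False
    if exit_code is not None and ev["exit"] != exit_code:
        return False
    if devmajor is not None and ev.get("devmajor") != devmajor:
        return False
    if devminor is not None and ev.get("devminor") != devminor:
        return False
    if ev["auid"] in auid_not:      # each -F auid!=X clause
        return False
    return True


def matching_serials(events, **rule):
    return sorted(s for s, ev in events.items() if rule_matches(ev, **rule))


def render_rule(syscalls=None, exit_code=None,
                devmajor=None, devminor=None, auid_not=()):
    """Render the same rule in the auditctl syntax used in the thread."""
    parts = ["-a exit,always"]
    if syscalls is None:
        parts.append("-S all")
    else:
        parts += ["-S %s" % SYSCALL_NAMES.get(n, n) for n in sorted(syscalls)]
    if exit_code is not None:
        parts.append("-F exit=%d" % exit_code)
    if devmajor is not None:
        parts.append("-F devmajor=%d" % devmajor)
    if devminor is not None:
        parts.append("-F devminor=%d" % devminor)
    for a in auid_not:
        parts.append("-F auid!=%s" % ("-1" if a == AUID_UNSET else a))
    return " ".join(parts)


if __name__ == "__main__":
    events = parse_events(SAMPLE_LOG)
    candidates = [
        ("as posted (-S all)", dict(exit_code=-13)),
        ("drop access(2)", dict(syscalls={2, 90, 92}, exit_code=-13)),
        ("only dev 08:05", dict(exit_code=-13, devmajor=8, devminor=5)),
        ("auid filter", dict(exit_code=-13, auid_not=(0, AUID_UNSET))),
    ]
    for label, rule in candidates:
        print("%-20s %-60s keeps %s" % (label, render_rule(**rule),
                                         matching_serials(events, **rule)))
```

The "drop access(2)" line shows why filtering on the PATH flags field is unnecessary here: in the posted records flags=401 only ever appears with syscall 21 and flags=101 with syscall 2, so leaving access out of the -S list removes the 401 events. The "only dev 08:05" line is Steve's devmajor/minor point: /etc lives on 08:05 and /var/run/utmp on 08:02, so a rule pinned to one partition never sees the other.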