From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: Filtering
Date: Tue, 16 Jan 2007 14:47:05 -0500
Message-ID: <200701161447.05986.sgrubb@redhat.com>
References: <200701151457.51419.sgrubb@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Content-Transfer-Encoding: 7bit
Return-path:
In-Reply-To:
Content-Disposition: inline
List-Unsubscribe: ,
List-Archive:
List-Post:
List-Help:
List-Subscribe: ,
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
Cc: "Thomas, Daniel J."
List-Id: linux-audit@redhat.com

On Tuesday 16 January 2007 11:09, Thomas, Daniel J. wrote:
> We found that we really don't need to use any file watches at all, but
> rather capture exit code -13. We also found that capturing exit code -1
> would catch failed attempts to change permissions, owner, attributes on the
> file.
>
> Right now I have a problem with too many logs.

Yep. That is part of the problem in relying on syscall auditing only. You have
to figure out how to limit the events so that you are recording what you are
really wanting. This means getting rid of -S all and replacing it with the
syscalls that only affect disk. The next thing is that you really can't be
interested in failed accesses of everything. I'd look at limiting what you are
auditing with devmajor/minor. You might even want to partition your system in
such a way that it's easier to get what you want....that is if you find that
there's no way to use watches.

> Any ideas?

Everything I can think of involves limiting syscalls, using devmajor/minor, and
perhaps limiting with -F auid!=0 -F auid!=-1 to get rid of daemon and root
cron/at access attempts.

-Steve
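The narrowing Steve describes (drop `-S all` in favour of the disk-affecting syscalls, pin the rule to one device with devmajor/devminor, and exclude root and unset auids) can be expressed as a small rule generator. The script below is an added example written for this page, not code from the thread or from the audit project; the syscall list is a constructed choice of calls that modify files or metadata, the major/minor values are passed in by the caller, and `4294967295` is the unsigned form of the `auid!=-1` (unset login uid) filter quoted in the mail. The `-F arch=b64` qualifier is assumed for an x86_64 host.

```shell
#!/bin/sh
# Added example: generate a narrowed audit rule set instead of '-S all'.
# Assumes auditctl rule syntax: -a always,exit, -S <syscalls>, -F exit=,
# -F devmajor=/-F devminor=, -F auid, -k <key>.

# Constructed list of syscalls that write files or change their metadata
# (the "syscalls that only affect disk" the mail refers to).
DISK_SYSCALLS="open,openat,creat,truncate,ftruncate,unlink,unlinkat,rename,renameat,mkdir,rmdir,link,symlink,chmod,fchmod,fchmodat,chown,fchown,lchown,fchownat,setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr"

# noisy_rules: the 'before' state described in the thread. Every syscall,
# every EACCES (-13) or EPERM (-1) failure, every user and every device.
noisy_rules() {
    printf '%s\n' \
        "-a always,exit -S all -F exit=-EACCES -k access" \
        "-a always,exit -S all -F exit=-EPERM -k access"
}

# narrowed_rules MAJOR MINOR: same intent, limited to disk-affecting syscalls,
# a single block device, and login sessions that are neither root nor unset
# (daemons, cron and at jobs carry auid 4294967295, i.e. -1).
narrowed_rules() {
    maj=$1
    min=$2
    for err in EACCES EPERM; do
        printf -- '-a always,exit -F arch=b64 -S %s -F exit=-%s -F devmajor=%s -F devminor=%s -F auid!=0 -F auid!=4294967295 -k access\n' \
            "$DISK_SYSCALLS" "$err" "$maj" "$min"
    done
}

# device_of PATH: decimal major and minor of the filesystem backing PATH
# (GNU stat prints them in hex with %t/%T). Used to feed narrowed_rules.
device_of() {
    stat -c '%t %T' "$1" | while read -r hexmaj hexmin; do
        printf '%d %d\n' "0x$hexmaj" "0x$hexmin"
    done
}

# Stand-alone usage: emit rules for the device holding /home.
if [ "${1:-}" = "--emit" ]; then
    set -- $(device_of /home)
    narrowed_rules "$1" "$2"
fi
```

Write the output of `narrowed_rules` to a rules file and load it with `auditctl -R <file>`; `auditctl -l` confirms what the kernel accepted, and `ausearch -k access` shows only the events the narrowed rule still produces, which is the quickest way to judge whether the volume is now manageable.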