* Filesystem filling up ...
@ 2007-06-27 17:42 Aaron Lippold
2007-06-27 18:17 ` Stephen John Smoogen
` (2 more replies)
0 siblings, 3 replies; 6+ messages in thread
From: Aaron Lippold @ 2007-06-27 17:42 UTC (permalink / raw)
To: linux-audit
Hello,
I was hoping some smarter audit folks than I could look at this small
set of rules and let me know if anything seems: 1) way too broad 2)
would fill up a file system fast 3) could use improvement
cat << 'EOF' > /etc/audit/audit.rules
## Submitted by JasonM at FSO.

# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Feel free to add below this line. See auditctl man page

# Increase the buffers to survive stress events
-b 256
-e 1
# Audit Failed opens
-a exit,always -S open -F success!=0
#
# Audit success and failure of delete
-a exit,always -S unlink -S rmdir
#
# Audit success and failure of admin actions
#-a task,always -F uid=0
-w /var/log/audit/ -k ADMIN
-w /etc/auditd.conf -k ADMIN
-w /etc/audit.rules -k ADMIN
-a exit,always -S stime -S acct -S reboot -S swapon -S settimeofday -S setrlimit
-a exit,always -S setdomainname -S sched_setparam -S sched_setscheduler
EOF
Some of my end users are saying they're logging a lot of audits. We are
using the same kickstart file but my test systems are not filling up.
Thanks for the help.
Aaron
* Re: Filesystem filling up ...
2007-06-27 17:42 Filesystem filling up Aaron Lippold
@ 2007-06-27 18:17 ` Stephen John Smoogen
2007-06-29 15:39 ` Valdis.Kletnieks
2007-07-03 21:13 ` Steve Grubb
2 siblings, 0 replies; 6+ messages in thread
From: Stephen John Smoogen @ 2007-06-27 18:17 UTC (permalink / raw)
Cc: linux-audit
On 6/27/07, Aaron Lippold <lippold@gmail.com> wrote:
> Hello,
>
> I was hoping some smarter audit folks than I could look at this small
> set of rules and let me know if anything seems: 1) way too broad 2)
> would fill up a file system fast 3) could use improvement
>
> cat << 'EOF' > /etc/audit/audit.rules
> ## Submitted by JasonM at FSO.
>
> # This file contains the auditctl rules that are loaded
> # whenever the audit daemon is started via the initscripts.
> # The rules are simply the parameters that would be passed
> # to auditctl.
>
> # First rule - delete all
> -D
>
> # Feel free to add below this line. See auditctl man page
>
> # Increase the buffers to survive stress events
> -b 256
> -e 1
> # Audit Failed opens
> -a exit,always -S open -F success!=0
> #
> # Audit success and failure of delete
> -a exit,always -S unlink -S rmdir
> #
> # Audit success and failure of admin actions
> #-a task,always -F uid=0
> -w /var/log/audit/ -k ADMIN
> -w /etc/auditd.conf -k ADMIN
> -w /etc/audit.rules -k ADMIN
> -a exit,always -S stime -S acct -S reboot -S swapon -S settimeofday -S setrlimit
> -a exit,always -S setdomainname -S sched_setparam -S sched_setscheduler
> EOF
>
> Some of my end users are saying they're logging a lot of audits. We are
> using the same kickstart file but my test systems are not filling up.
>
Not one of the smarter people... but I would think that you would need
to see what the others are seeing in large amounts and what you are
not seeing on the test boxes.
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
>
--
Stephen J Smoogen. -- CSIRT/Linux System Administrator
How far that little candle throws his beams! So shines a good deed
in a naughty world. = Shakespeare. "The Merchant of Venice"
* Re: Filesystem filling up ...
2007-06-27 17:42 Filesystem filling up Aaron Lippold
2007-06-27 18:17 ` Stephen John Smoogen
@ 2007-06-29 15:39 ` Valdis.Kletnieks
2007-07-03 21:13 ` Steve Grubb
2 siblings, 0 replies; 6+ messages in thread
From: Valdis.Kletnieks @ 2007-06-29 15:39 UTC (permalink / raw)
To: Aaron Lippold; +Cc: linux-audit
On Wed, 27 Jun 2007 19:42:39 +0200, Aaron Lippold said:
> # Audit Failed opens
> -a exit,always -S open -F success!=0
Note that a *lot* of programs will attempt to open optional config files,
and happily go on their merry way when they get an -ENOENT leaving an audit
entry for you to drown in. I just tested the venerable 'xfontsel', and at
one point, it generated *12* -ENOENT in a row looking for a bitmap for
a cursor before finding one it liked. The next 3 cursors only needed
9, 10, and 8 failed attempts before it found one.
> # Audit success and failure of delete
> -a exit,always -S unlink -S rmdir
That's going to be really painful on any system that does software development,
as your average compile generates a lot of temporary files that get unlinked.
You may want to investigate whether it's feasible to ignore unlinks in /tmp.
* Re: Filesystem filling up ...
2007-06-27 17:42 Filesystem filling up Aaron Lippold
2007-06-27 18:17 ` Stephen John Smoogen
2007-06-29 15:39 ` Valdis.Kletnieks
@ 2007-07-03 21:13 ` Steve Grubb
2007-07-07 20:42 ` Aaron Lippold
2 siblings, 1 reply; 6+ messages in thread
From: Steve Grubb @ 2007-07-03 21:13 UTC (permalink / raw)
To: linux-audit
On Wednesday 27 June 2007 01:42:39 pm Aaron Lippold wrote:
> I was hoping some smarter audit folks than I could look at this small
> set of rules and let me know if anything seems: 1) way too broad 2)
> would fill up a file system fast 3) could use improvement
> # Audit Failed opens
> -a exit,always -S open -F success!=0
Maybe:
-a exit,always -S open -F exit=-13
-a exit,always -S open -F exit=-1
> #
> # Audit success and failure of delete
> -a exit,always -S unlink -S rmdir
> #
> # Audit success and failure of admin actions
> #-a task,always -F uid=0
> -w /var/log/audit/ -k ADMIN
> -w /etc/auditd.conf -k ADMIN
> -w /etc/audit.rules -k ADMIN
> -a exit,always -S stime -S acct -S reboot -S swapon -S settimeofday -S setrlimit
> -a exit,always -S setdomainname -S sched_setparam -S sched_setscheduler
> EOF
Some of these may be broad. setrlimit for example.
> Some of my end users are saying they're logging a lot of audits. We are
> using the same kickstart file but my test systems are not filling up.
You might be able to do some work with aureport to find out what is filling
your logs. Something like:
aureport --start this-week --summary -i --event
aureport --start this-week --summary -i --syscall
-Steve
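The two replies above make one measurable point: a rule on every failed open (success!=0) is dominated by harmless -ENOENT probes for optional files, while matching only the errno values that indicate a real denial (exit=-13 for EACCES, exit=-1 for EPERM) keeps the signal, and aureport's per-syscall summary is how you find out which rule and which program is filling the log. The script below replays that reasoning on a handful of constructed type=SYSCALL records: it parses them, counts how many records each of the thread's candidate rules would have produced, and summarises by syscall, by exit code and by program, roughly what `aureport --summary --syscall` shows. It is an added example, not code from the linux-audit project or from any poster, and the log lines, program names and rule predicates are constructed for illustration.

```python
"""Replay sample audit SYSCALL records against the rules discussed in the
thread to estimate how many records each would produce, and summarise the
sample by syscall, exit code and program (roughly aureport --summary).

Added example for this thread; not code from the linux-audit project.
The log lines below are constructed samples, not from a real system."""
import re
from collections import Counter

# Constructed sample records. Syscall numbers use x86_64 numbering:
# 2=open, 84=rmdir, 87=unlink, 160=setrlimit. On failure, exit is the
# negative errno: -2 ENOENT, -13 EACCES, -1 EPERM. The PATH line is
# included only to show that non-SYSCALL records are skipped.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1183000001.101:1): arch=c000003e syscall=2 success=no exit=-2 comm="xfontsel" exe="/usr/bin/xfontsel" key=(null)
type=PATH msg=audit(1183000001.101:1): item=0 name="/usr/share/cursors/cursor1.pcf" key=(null)
type=SYSCALL msg=audit(1183000001.102:2): arch=c000003e syscall=2 success=no exit=-2 comm="xfontsel" exe="/usr/bin/xfontsel" key=(null)
type=SYSCALL msg=audit(1183000001.103:3): arch=c000003e syscall=2 success=no exit=-2 comm="xfontsel" exe="/usr/bin/xfontsel" key=(null)
type=SYSCALL msg=audit(1183000001.104:4): arch=c000003e syscall=2 success=no exit=-2 comm="xfontsel" exe="/usr/bin/xfontsel" key=(null)
type=SYSCALL msg=audit(1183000001.105:5): arch=c000003e syscall=2 success=no exit=-2 comm="xfontsel" exe="/usr/bin/xfontsel" key=(null)
type=SYSCALL msg=audit(1183000001.106:6): arch=c000003e syscall=2 success=no exit=-2 comm="xfontsel" exe="/usr/bin/xfontsel" key=(null)
type=SYSCALL msg=audit(1183000002.201:7): arch=c000003e syscall=2 success=no exit=-13 comm="cat" exe="/bin/cat" key=(null)
type=SYSCALL msg=audit(1183000002.202:8): arch=c000003e syscall=2 success=no exit=-1 comm="mount" exe="/bin/mount" key=(null)
type=SYSCALL msg=audit(1183000002.203:9): arch=c000003e syscall=2 success=yes exit=3 comm="cat" exe="/bin/cat" key=(null)
type=SYSCALL msg=audit(1183000002.204:10): arch=c000003e syscall=2 success=yes exit=4 comm="bash" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1183000003.301:11): arch=c000003e syscall=87 success=yes exit=0 comm="cc1" exe="/usr/libexec/gcc/cc1" key=(null)
type=SYSCALL msg=audit(1183000003.302:12): arch=c000003e syscall=87 success=yes exit=0 comm="cc1" exe="/usr/libexec/gcc/cc1" key=(null)
type=SYSCALL msg=audit(1183000003.303:13): arch=c000003e syscall=87 success=yes exit=0 comm="as" exe="/usr/bin/as" key=(null)
type=SYSCALL msg=audit(1183000003.304:14): arch=c000003e syscall=84 success=yes exit=0 comm="rm" exe="/bin/rm" key=(null)
type=SYSCALL msg=audit(1183000004.401:15): arch=c000003e syscall=160 success=yes exit=0 comm="bash" exe="/bin/bash" key=(null)
"""

SYSCALL_NAMES = {"2": "open", "84": "rmdir", "87": "unlink", "160": "setrlimit"}

# key=value tokens; values are either a double-quoted string or a bare word.
TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Return a list of dicts, one per type=SYSCALL line (other types skipped)."""
    records = []
    for line in text.splitlines():
        if not line.startswith("type=SYSCALL"):
            continue
        records.append({k: v.strip('"') for k, v in TOKEN_RE.findall(line)})
    return records


# The thread's candidate rules, each mirrored as a predicate over a record.
# Real matching happens in the kernel before anything is written; this only
# estimates from records that a broader rule (e.g. on a test box) captured.
RULES = {
    "-a exit,always -S open -F success!=0":
        lambda r: r["syscall"] == "2" and r["success"] == "no",
    "-a exit,always -S open -F exit=-13 / -F exit=-1":
        lambda r: r["syscall"] == "2" and r["exit"] in ("-13", "-1"),
    "-a exit,always -S unlink -S rmdir":
        lambda r: r["syscall"] in ("87", "84"),
}


def records_per_rule(records):
    """How many of the sample records each candidate rule would have logged."""
    return {name: sum(1 for r in records if pred(r)) for name, pred in RULES.items()}


def summary_by_syscall(records):
    """Counter keyed by syscall name, like aureport --summary --syscall."""
    return Counter(SYSCALL_NAMES.get(r["syscall"], r["syscall"]) for r in records)


def failed_opens_by_exit(records):
    """Counter of exit (negative errno) values among failed open() calls."""
    return Counter(r["exit"] for r in records
                   if r["syscall"] == "2" and r["success"] == "no")


def noisiest_programs(records, rule_name, n=3):
    """Top-n comm values among records a given rule would have logged."""
    pred = RULES[rule_name]
    return Counter(r["comm"] for r in records if pred(r)).most_common(n)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    print("records per rule:")
    for name, count in records_per_rule(recs).items():
        print(f"  {count:3d}  {name}")
    print("by syscall:", dict(summary_by_syscall(recs)))
    print("failed opens by exit:", dict(failed_opens_by_exit(recs)))
    print("noisiest under success!=0:",
          noisiest_programs(recs, "-a exit,always -S open -F success!=0"))
```

On the sample, the success!=0 rule produces 8 records of which 6 are xfontsel's -ENOENT probes, while the exit=-13/exit=-1 pair produces 2; the unlink/rmdir rule produces 4, three of them from the compiler, which is the pattern the second reply warns about on development hosts. Against a real log you would feed `ausearch --raw` output into `parse_records` instead of the constructed sample, and remember that `-F exit=` compares against the raw return value, so the errno must be written as a negative number.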
* Re: Filesystem filling up ...
2007-07-03 21:13 ` Steve Grubb
@ 2007-07-07 20:42 ` Aaron Lippold
2007-07-08 20:17 ` Steve Grubb
0 siblings, 1 reply; 6+ messages in thread
From: Aaron Lippold @ 2007-07-07 20:42 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Thank you for the advice. I will send this on to the testers.
Hopefully we can get this worked out.
By the way, does anyone know of an audit.rules repository list where
some baselines of tested/documented configs can be downloaded?
Yours,
Aaron
On 7/3/07, Steve Grubb <sgrubb@redhat.com> wrote:
> On Wednesday 27 June 2007 01:42:39 pm Aaron Lippold wrote:
> > I was hoping some smarter audit folks than I could look at this small
> > set of rules and let me know if anything seems: 1) way too broad 2)
> > would fill up a file system fast 3) could use improvement
>
> > # Audit Failed opens
> > -a exit,always -S open -F success!=0
>
> Maybe:
> -a exit,always -S open -F exit=-13
> -a exit,always -S open -F exit=-1
>
> > #
> > # Audit success and failure of delete
> > -a exit,always -S unlink -S rmdir
> > #
> > # Audit success and failure of admin actions
> > #-a task,always -F uid=0
> > -w /var/log/audit/ -k ADMIN
> > -w /etc/auditd.conf -k ADMIN
> > -w /etc/audit.rules -k ADMIN
> > -a exit,always -S stime -S acct -S reboot -S swapon -S settimeofday -S setrlimit
> > -a exit,always -S setdomainname -S sched_setparam -S sched_setscheduler
> > EOF
>
> Some of these may be broad. setrlimit for example.
>
>
> > Some of my end users are saying they're logging a lot of audits. We are
> > using the same kickstart file but my test systems are not filling up.
>
> You might be able to do some work with aureport to find out what is filling
> your logs. Something like:
>
> aureport --start this-week --summary -i --event
> aureport --start this-week --summary -i --syscall
>
> -Steve
>
* Re: Filesystem filling up ...
2007-07-07 20:42 ` Aaron Lippold
@ 2007-07-08 20:17 ` Steve Grubb
0 siblings, 0 replies; 6+ messages in thread
From: Steve Grubb @ 2007-07-08 20:17 UTC (permalink / raw)
To: Aaron Lippold; +Cc: linux-audit
On Saturday 07 July 2007 04:42:56 pm Aaron Lippold wrote:
> By the way, does anyone know of an audit.rules repository list where
> some baselines of tested/documented configs can be downloaded?
There is no repository that I'm aware of. But I am interested in putting a
configuration file in the tarball for any major security target or standard.
-Steve