From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Filtering out non-interactive users
Date: Fri, 14 Jan 2011 17:21:49 -0500
Message-ID: <201101141721.49236.sgrubb@redhat.com>
In-Reply-To: <20110114163701.GA31627@monolith>
On Friday, January 14, 2011 11:37:01 am PJB wrote:
> I've recently been working on a number of systems that need to fulfill
> auditing requirements for things such as "failed program executions,"
> "failed file/directory deletions" and such, and we have been attempting to
> use auditd to fulfill these requirements. However we've been having
> difficulty filtering out the 'noise' from non-interactive processes since
> our requirements only need us to capture these events for real human
> users.
>
> In older versions of the audit code, we used the following type of system
> call auditing rule which seemed to work pretty well:
>
> -a exit,always -S creat -S open -S openat -S truncate -S ftruncate -F success=0 -F auid!=-1
This rule looks correct except that if you have a 64-bit system, I would suggest a -F
arch=b32 between the '-a' and '-S' and then another copy of the rule for the 64-bit
arch.
> Filtering on an 'auid!=-1' seemed to do a very good job of stripping out
> system calls from daemon processes and such. However at some point I guess
> this was changed because we no longer seem to be able to capture any
> system calls at all when we have this filter defined on a rule.
That should work. I'd try listing the rules back out to see if something is getting
mis-translated going into the kernel.
> Can someone point me to documentation/examples or help me out with the
> proper syntax for setting up rules that will exclude the background
> processes? We are using auditd 1.7.4 now and the 'auid' filter above no
> longer does the job.
There have been a lot of bugs fixed since then. You might try building a newer auditctl
and trying it out to see if that makes a difference. Also note that the event capturing
is done by the kernel and the kernel version would matter more than the auditd
version.
Are you getting other events like logins? Just making sure your disk isn't full or
something else. And when you do auditctl -s, it shows the audit system is enabled?
-Steve
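Added example, not from the thread or from the audit project: a small POSIX shell helper that emits the rule above as the b32/b64 pair Steve suggests, and a filter that applies the same "real login uid only" test to constructed audit.log records, since the kernel stores an unset auid (-1) as the unsigned value 4294967295. The function names and the sample log lines are assumptions for illustration.

```shell
# build_arch_rules SYSCALLS FILTERS...: print the rule once per arch, with
# "-F arch=bNN" placed between '-a' and the '-S' list as suggested above.
build_arch_rules() {
    syscalls="$1"; shift
    filters="$*"
    for arch in b32 b64; do
        printf -- '-a exit,always -F arch=%s %s %s\n' "$arch" "$syscalls" "$filters"
    done
}

# interactive_failures: keep failed SYSCALL records whose auid is a real
# login uid. Unset auid is -1, reported by the kernel as 4294967295.
interactive_failures() {
    grep -E 'type=SYSCALL .* success=no ' | grep -Ev ' auid=(4294967295|-1)( |$)'
}

# The rule from the thread, split into its syscall list and its filters.
SYSCALLS='-S creat -S open -S openat -S truncate -S ftruncate'
FILTERS='-F success=0 -F auid!=-1'

# Constructed sample records (not real logs): a daemon failure with no
# login uid, a failure by a logged-in user, and a success by that user.
SAMPLE_LOG='type=SYSCALL msg=audit(1295022000.123:456): arch=c000003e syscall=2 success=no exit=-2 auid=4294967295 uid=0 comm="cron" exe="/usr/sbin/cron"
type=SYSCALL msg=audit(1295022001.456:457): arch=c000003e syscall=2 success=no exit=-13 auid=1000 uid=1000 comm="cat" exe="/bin/cat"
type=SYSCALL msg=audit(1295022002.789:458): arch=c000003e syscall=2 success=yes exit=3 auid=1000 uid=1000 comm="cat" exe="/bin/cat"'

# Helpers returning counts so the behaviour can be checked, not just printed.
rule_count() { build_arch_rules "$SYSCALLS" $FILTERS | wc -l | tr -d ' '; }
sample_failure_count() {
    printf '%s\n' "$SAMPLE_LOG" | interactive_failures | wc -l | tr -d ' '
}

build_arch_rules "$SYSCALLS" $FILTERS
printf '%s\n' "$SAMPLE_LOG" | interactive_failures
```

Feed the two printed rules to auditctl on the host, then compare `auditctl -l` against them to catch the mis-translation Steve mentions.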