From: PJB
Subject: Re: Filtering out non-interactive users
Date: Sat, 15 Jan 2011 20:39:30 -0500
Message-ID: <20110116013929.GA10485@monolith>
References: <20110114163701.GA31627@monolith> <201101141721.49236.sgrubb@redhat.com>
In-reply-to: <201101141721.49236.sgrubb@redhat.com>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Fri, Jan 14, 2011 at 05:21:49PM -0500, Steve Grubb [sgrubb@redhat.com] wrote:
> > In older versions of the audit code, we used the following type of system
> > call auditing rule which seemed to work pretty well:
> >
> > -a exit,always -S creat -S open -S openat -S truncate -S ftruncate -F
> > success=0 -F auid!=-1
>
> This rule looks correct except that if you have a 64 bit system, I would
> suggest a -F arch=b32 between the '-a' and '-S' and then another copy of
> the rule for the 64 bit arch.

We are running purely 32-bit systems, so I left out the architecture filter.
However, while trying to debug I did add it in and it seemed to make no
difference.

> > Can someone point me to documentation/examples or help me out with the
> > proper syntax for setting up rules that will exclude the background
> > processes? We are using auditd 1.7.4 now and the 'auid' filter above no
> > longer does the job.
>
> There's been a lot of bugs fixed since then. You might try building a
> newer auditctl and trying it out to see if that makes a difference. Also
> note that the event capturing is done by the kernel and the kernel version
> would matter more than the auditd version.

Unfortunately I'm in one of those situations where changing software
versions will cause severe heartburn with management and customer types
due to concerns about baseline stability, so I have to stick with what we
have right now. The kernel is 2.6.33.1 with no extra patches, as far as I
know.

> Are you getting other events like logins? Just making sure your disk
> isn't full or something else. And when you do auditctl -s, it shows the
> audit system is enabled?

We are getting CWD, PATH, and SYSCALL audit events in the log, but only
from files/directories that have an explicit watch set on them. I haven't
seen any other type of audit event other than those three come through,
and again only on things that we set explicit watches on.

Thanks,
Patrick
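The rule discussed in this thread filters on two things: the syscall names given with -S, and -F auid!=-1, which drops records whose login UID was never set (the kernel logs an unset loginuid as 4294967295, i.e. (uid_t)-1; newer auditctl also spells this as auid!=unset). The arch filter Steve recommends matters because a syscall name is resolved to a number at rule-load time for one arch, while a rule without -F arch is applied to records of every arch by number alone. The script below is an added example, not part of the thread and not auditd code: it evaluates the rule's logic against a few constructed SYSCALL records to show which events the auid filter removes and how the rule behaves with and without an arch filter. The syscall-number tables are assumptions taken from the x86 unistd headers; the sample log lines are constructed for this example.

```python
"""Evaluate the thread's audit rule against sample SYSCALL records.

Rule under discussion:
  -a exit,always -S creat -S open -S openat -S truncate -S ftruncate \
     -F success=0 -F auid!=-1
optionally with -F arch=b32 (and a second copy with -F arch=b64).
"""
import re

# Assumed syscall numbers (from asm/unistd_32.h and asm/unistd_64.h on x86);
# verify against the headers of the target system before relying on them.
ARCH_I386 = 0x40000003    # arch= value the kernel logs for 32-bit x86
ARCH_X86_64 = 0xC000003E  # arch= value for 64-bit x86
WATCHED = {
    ARCH_I386:   {"creat": 8,  "open": 5, "openat": 295, "truncate": 92, "ftruncate": 93},
    ARCH_X86_64: {"creat": 85, "open": 2, "openat": 257, "truncate": 76, "ftruncate": 77},
}
AUID_UNSET = 0xFFFFFFFF  # what -F auid!=-1 compares against: an unset loginuid

# Constructed sample records (not real log lines). Serial numbers 1-4.
SAMPLE = [
    # 1: interactive user (auid=1000), open() denied -> the rule should keep this
    'type=SYSCALL msg=audit(1295129970.101:1): arch=40000003 syscall=5 success=no '
    'exit=-13 a0=bfa0c3e4 a1=8000 a2=0 a3=0 items=1 ppid=2200 pid=2214 auid=1000 '
    'uid=1000 gid=1000 euid=1000 comm="cat" exe="/bin/cat"',
    # 2: background job with no login session (auid unset) -> filtered out
    'type=SYSCALL msg=audit(1295129970.102:2): arch=40000003 syscall=5 success=no '
    'exit=-2 a0=9f1c008 a1=0 a2=0 a3=0 items=1 ppid=1 pid=2300 auid=4294967295 '
    'uid=0 gid=0 euid=0 comm="logrotate" exe="/usr/sbin/logrotate"',
    # 3: successful open() -> filtered out by -F success=0
    'type=SYSCALL msg=audit(1295129970.103:3): arch=40000003 syscall=5 success=yes '
    'exit=3 a0=bfa0c3e4 a1=8000 a2=0 a3=0 items=1 ppid=2200 pid=2215 auid=1000 '
    'uid=1000 gid=1000 euid=1000 comm="cat" exe="/bin/cat"',
    # 4: 32-bit fork() (number 2 on i386) that failed; number 2 is open() on x86_64
    'type=SYSCALL msg=audit(1295129970.104:4): arch=40000003 syscall=2 success=no '
    'exit=-11 a0=0 a1=0 a2=0 a3=0 items=0 ppid=2200 pid=2216 auid=1000 '
    'uid=1000 gid=1000 euid=1000 comm="bash" exe="/bin/bash"',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
SERIAL = re.compile(r'msg=audit\([0-9.]+:(\d+)\)')


def parse_record(line):
    """Turn one SYSCALL line into a dict of its key=value fields plus 'serial'."""
    rec = {k: v.strip('"') for k, v in KV.findall(line)}
    rec["serial"] = int(SERIAL.search(line).group(1))
    return rec


def rule_numbers(arch):
    """Numbers the rule's -S names resolve to when loaded for the given arch."""
    return set(WATCHED[arch].values())


def matches(rec, rule_arch=None, native_arch=ARCH_X86_64):
    """True if the record satisfies the rule.

    rule_arch=None models a rule with no -F arch: auditctl resolves the -S
    names for the machine's native arch, and the kernel then applies the
    resulting numbers to records of any arch, so a 32-bit call that shares a
    number with a watched 64-bit call is a false match, and a watched 32-bit
    call whose number means something else on 64-bit is missed.
    """
    arch = int(rec["arch"], 16)
    if rule_arch is not None and arch != rule_arch:
        return False
    numbers = rule_numbers(rule_arch if rule_arch is not None else native_arch)
    if int(rec["syscall"]) not in numbers:
        return False
    if rec["success"] != "no":            # -F success=0
        return False
    if int(rec["auid"]) == AUID_UNSET:    # -F auid!=-1
        return False
    return True


def evaluate(lines, rule_arch=None, native_arch=ARCH_X86_64):
    """Serial numbers of the records the rule would have generated."""
    return [r["serial"] for r in map(parse_record, lines)
            if matches(r, rule_arch, native_arch)]


if __name__ == "__main__":
    print("32-bit box, -F arch=b32:      ", evaluate(SAMPLE, ARCH_I386, ARCH_I386))
    print("64-bit box, no arch filter:   ", evaluate(SAMPLE, None, ARCH_X86_64))
    print("64-bit box, -F arch=b32 copy: ", evaluate(SAMPLE, ARCH_I386, ARCH_X86_64))
```

On a purely 32-bit system, as in the thread, the first and third calls give the same answer, which is consistent with Patrick seeing no change after adding -F arch=b32. The second call shows why the per-arch copies are still worth having on a 64-bit kernel: the denied 32-bit open() is missed and the failed 32-bit fork() is reported instead. One practical check that the auid filter can work at all: confirm that interactive logins actually get a loginuid (pam_loginuid in the PAM stack of sshd/login), otherwise every process carries auid=4294967295 and auid!=-1 excludes everything.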