Re: Auditd filtering

[Steve Grubb <sgrubb@redhat.com>]

Hello,

Missed this email and just noticed it. Hope the discussion is still of use to you.

On Tuesday, June 07, 2011 12:23:41 PM Nick Stires wrote:
> I started with a generic filter for all syscall events, this cut it down
> adequately, but we no longer captured the items we wanted to.

I would probably not approach the problem that way. You might look at the stig.rules 
file, which I consider probably the best sample to look at.
 
> Here's some example logs for the two events we are trying to trim down:
> 
> ################
> ################
> Netstat sample
> ################
> ################
> type=SYSCALL msg=audit(1307462086.972:1619017): arch=c000003e syscall=2
> success=no exit=-2 a0=6d9c790 a1=0 a2=0 a3=3074f234f3 items=2 ppid=4945
> pid=32700 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat"
> subj=kernel key=(null) 

This is saying it returned ENOENT. That meand you are probably filtering all opens with 
success = no. Glibc attempts to open a lot of different files when a program is started. 
Most of these files don't exist. Is that really anything useful to capture? In the stig 
rules, I only look for opens that return EPERM or EACESS because those are the ones 
where DAC or MAC policy has been enforced against a processes attempts. We also have a 
nother decision as to whether or not you want system processes included in the audit 
or just failed opens that directly result from a user. The stig rules file only gets 
the ones that start by human invokaction.


> type=CWD msg=audit(1307462086.972:1619017): cwd="/"
> type=PATH msg=audit(1307462086.972:1619017): item=0
> name="/usr/share/locale/en.utf8/LC_MESSAGES/net-tools.mo" type=PATH
> msg=audit(1307462086.972:1619017): item=1
> name="/usr/share/locale/en.utf8/LC_MESSAGES/net-tools.mo"
> 
> ################
> ################
> Ganglia Sample
> ################
> ################
> type=SYSCALL msg=audit(1307462163.369:1620406): arch=c000003e syscall=2
> per=400000 success=no exit=-2 a0=2aaab81124b8 a1=0 a2=1b6 a3=0 items=2
> ppid=678 pid=681 auid=1002 uid=1002 gid=100 euid=1002 suid=1002 fsuid=1002
> egid=100 sgid=100 fsgid=100 tty=(none) ses=641 comm="java"
> exe="/usr/java/jdk1.6.0_24/bin/java" subj=kernel key=(null) 

This one again is a ENOENT return code. So, this is the same as the above discussion.


> Exemption rules:
> # a0=0x413586 appears to prevent proc tcp6 messages in the netstat sections
> -a exit,never -F a0=0x413586 -F success=0
> -a exit,never -F exit=-6 -F success=0
> -a exit,never -F exit=-13 -F success=0

This one ^^ is interesting...it means you don't want any event where the kernel 
blocked access due to permissions. I would think this is one of the events you are 
interested in.


> -a entry,never -S 159
> # UID 1002 = ganglia user. These do not work as intended.
> -a user,never -F auid=1002
> -a user,never -F uid=1002

 These last 2 would only work if ganglia sends audit events. So, you probably want to 
delete them.

> Any ideas on how I can target these audit logs for filtering?

I'd probably recommend rewriting your audit rules. However, if you just want a never 
rule, its probably something like:

-a never,exit -F arch=b32 -S open -S openat -F exit=-ENOENT
-a never,exit -F arch=b64 -S open -S openat -F exit=-ENOENT

-Steve