* Auditd filtering
@ 2011-06-07 16:23 Nick Stires
2011-06-25 18:05 ` Steve Grubb
From: Nick Stires @ 2011-06-07 16:23 UTC (permalink / raw)
To: linux-audit@redhat.com
I've run into an issue where I have a network of 55 RHEL 5 boxes that each run monitoring software such as nagios and ganglia and are generating roughly 1.2G of audit logs per day. Many of these entries are from the monitoring functionality. I've had to disable audisp, centralized auditing, due to hard drive and networking limitations.
We're finding that 95% of the audit events fall into three unique events, each repeating, causing a tail -f of the audit log to resemble the matrix. I've been Googling and reading posts off this site in an attempt to write some filter policies to prevent these from writing to the log. I can safely filter out 159 since it's a minor hit (change time). The others are more critical, such as file opens.
I started with a generic filter for all syscall events, this cut it down adequately, but we no longer captured the items we wanted to.
Here's some example logs for the two events we are trying to trim down:
################
################
Netstat sample
################
################
type=SYSCALL msg=audit(1307462086.972:1619017): arch=c000003e syscall=2 success=no exit=-2 a0=6d9c790 a1=0 a2=0 a3=3074f234f3 items=2 ppid=4945 pid=32700 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=kernel key=(null)
type=CWD msg=audit(1307462086.972:1619017): cwd="/"
type=PATH msg=audit(1307462086.972:1619017): item=0 name="/usr/share/locale/en.utf8/LC_MESSAGES/net-tools.mo"
type=PATH msg=audit(1307462086.972:1619017): item=1 name="/usr/share/locale/en.utf8/LC_MESSAGES/net-tools.mo"
################
################
Ganglia Sample
################
################
type=SYSCALL msg=audit(1307462163.369:1620406): arch=c000003e syscall=2 per=400000 success=no exit=-2 a0=2aaab81124b8 a1=0 a2=1b6 a3=0 items=2 ppid=678 pid=681 auid=1002 uid=1002 gid=100 euid=1002 suid=1002 fsuid=1002 egid=100 sgid=100 fsgid=100 tty=(none) ses=641 comm="java" exe="/usr/java/jdk1.6.0_24/bin/java" subj=kernel key=(null)
type=CWD msg=audit(1307462163.369:1620406): cwd="/home/ganglia"
type=PATH msg=audit(1307462163.369:1620406): item=0 name="/proc/net/if_inet6"
type=PATH msg=audit(1307462163.369:1620406): item=1 name="/proc/net/if_inet6"
type=SYSCALL msg=audit(1307462163.365:1620404): arch=c000003e syscall=2 success=no exit=-20 a0=7fff922a6610 a1=10800 a2=7fff922a68f0 a3=22 items=2 ppid=703 pid=704 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/sbin/modprobe" subj=kernel key=(null)
type=CWD msg=audit(1307462163.365:1620404): cwd="/"
type=PATH msg=audit(1307462163.365:1620404): item=0 name="/etc/modprobe.d/blacklist-firewire" inode=1049506 dev=08:07 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unlabeled
type=PATH msg=audit(1307462163.365:1620404): item=1 name="/etc/modprobe.d/blacklist-firewire"
type=SYSCALL msg=audit(1307462402.517:1626432): arch=c000003e syscall=2 per=400000 success=no exit=-2 a0=7fff089b2f60 a1=0 a2=2b20f5d60000 a3=62696c2f2e2e2f6e items=2 ppid=2805 pid=2807 auid=1002 uid=1002 gid=100 euid=1002 suid=1002 fsuid=1002 egid=100 sgid=100 fsgid=100 tty=(none) ses=644 comm="java" exe="/usr/java/jdk1.6.0_24/bin/java" subj=kernel key=(null)
type=CWD msg=audit(1307462402.517:1626432): cwd="/home/ganglia"
type=PATH msg=audit(1307462402.517:1626432): item=0 name="/usr/java/jdk1.6.0_24/bin/../lib/amd64/jli/x86_64/libpthread.so.0"
type=PATH msg=audit(1307462402.517:1626432): item=1 name="/usr/java/jdk1.6.0_24/bin/../lib/amd64/jli/x86_64/libpthread.so.0"
type=SYSCALL msg=audit(1307462402.517:1626433): arch=c000003e syscall=2 per=400000 success=no exit=-2 a0=7fff089b2f60 a1=0 a2=2b20f5d60000 a3=62696c2f2e2e2f6e items=2 ppid=2805 pid=2807 auid=1002 uid=1002 gid=100 euid=1002 suid=1002 fsuid=1002 egid=100 sgid=100 fsgid=100 tty=(none) ses=644 comm="java" exe="/usr/java/jdk1.6.0_24/bin/java" subj=kernel key=(null)
type=CWD msg=audit(1307462402.517:1626433): cwd="/home/ganglia"
type=PATH msg=audit(1307462402.517:1626433): item=0 name="/usr/java/jdk1.6.0_24/bin/../lib/amd64/jli/libpthread.so.0"
type=PATH msg=audit(1307462402.517:1626433): item=1 name="/usr/java/jdk1.6.0_24/bin/../lib/amd64/jli/libpthread.so.0"
type=SYSCALL msg=audit(1307462402.517:1626434): arch=c000003e syscall=2 per=400000 success=no exit=-2 a0=7fff089b2f60 a1=0 a2=2b20f5d60000 a3=65726a2f2e2e2f6e items=2 ppid=2805 pid=2807 auid=1002 uid=1002 gid=100 euid=1002 suid=1002 fsuid=1002 egid=100 sgid=100 fsgid=100 tty=(none) ses=644 comm="java" exe="/usr/java/jdk1.6.0_24/bin/java" subj=kernel key=(null)
type=CWD msg=audit(1307462402.517:1626434): cwd="/home/ganglia"
type=PATH msg=audit(1307462402.517:1626434): item=0 name="/usr/java/jdk1.6.0_24/bin/../jre/lib/amd64/jli/tls/x86_64/libpthread.so.0"
type=PATH msg=audit(1307462402.517:1626434): item=1 name="/usr/java/jdk1.6.0_24/bin/../jre/lib/amd64/jli/tls/x86_64/libpthread.so.0"
Exemption rules:
# a0=0x413586 appears to prevent proc tcp6 messages in the netstat sections
-a exit,never -F a0=0x413586 -F success=0
-a exit,never -F exit=-6 -F success=0
-a exit,never -F exit=-13 -F success=0
-a entry,never -S 159
# UID 1002 = ganglia user. These do not work as intended.
-a user,never -F auid=1002
-a user,never -F uid=1002
Any ideas on how I can target these audit logs for filtering?
Thanks!
Nicholas Stires
Principal Systems Engineer
Bingham Technical Solutions LLC
* Re: Auditd filtering
2011-06-07 16:23 Auditd filtering Nick Stires
@ 2011-06-25 18:05 ` Steve Grubb
From: Steve Grubb @ 2011-06-25 18:05 UTC (permalink / raw)
To: linux-audit
Hello,
Missed this email and just noticed it. Hope the discussion is still of use to you.
On Tuesday, June 07, 2011 12:23:41 PM Nick Stires wrote:
> I started with a generic filter for all syscall events, this cut it down
> adequately, but we no longer captured the items we wanted to.
I would probably not approach the problem that way. You might look at the stig.rules
file, which I consider probably the best sample to look at.
> Here's some example logs for the two events we are trying to trim down:
>
> ################
> ################
> Netstat sample
> ################
> ################
> type=SYSCALL msg=audit(1307462086.972:1619017): arch=c000003e syscall=2
> success=no exit=-2 a0=6d9c790 a1=0 a2=0 a3=3074f234f3 items=2 ppid=4945
> pid=32700 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat"
> subj=kernel key=(null)
This is saying it returned ENOENT. That means you are probably filtering all opens with
success = no. Glibc attempts to open a lot of different files when a program is started.
Most of these files don't exist. Is that really anything useful to capture? In the stig
rules, I only look for opens that return EPERM or EACCES because those are the ones
where DAC or MAC policy has been enforced against a process's attempts. We also have
another decision as to whether or not you want system processes included in the audit
or just failed opens that directly result from a user. The stig rules file only gets
the ones that start by human invocation.
> type=CWD msg=audit(1307462086.972:1619017): cwd="/"
> type=PATH msg=audit(1307462086.972:1619017): item=0
> name="/usr/share/locale/en.utf8/LC_MESSAGES/net-tools.mo"
> type=PATH msg=audit(1307462086.972:1619017): item=1
> name="/usr/share/locale/en.utf8/LC_MESSAGES/net-tools.mo"
>
> ################
> ################
> Ganglia Sample
> ################
> ################
> type=SYSCALL msg=audit(1307462163.369:1620406): arch=c000003e syscall=2
> per=400000 success=no exit=-2 a0=2aaab81124b8 a1=0 a2=1b6 a3=0 items=2
> ppid=678 pid=681 auid=1002 uid=1002 gid=100 euid=1002 suid=1002 fsuid=1002
> egid=100 sgid=100 fsgid=100 tty=(none) ses=641 comm="java"
> exe="/usr/java/jdk1.6.0_24/bin/java" subj=kernel key=(null)
This one again is a ENOENT return code. So, this is the same as the above discussion.
> Exemption rules:
> # a0=0x413586 appears to prevent proc tcp6 messages in the netstat sections
> -a exit,never -F a0=0x413586 -F success=0
> -a exit,never -F exit=-6 -F success=0
> -a exit,never -F exit=-13 -F success=0
This one ^^ is interesting...it means you don't want any event where the kernel
blocked access due to permissions. I would think this is one of the events you are
interested in.
> -a entry,never -S 159
> # UID 1002 = ganglia user. These do not work as intended.
> -a user,never -F auid=1002
> -a user,never -F uid=1002
These last 2 would only work if ganglia sends audit events. So, you probably want to
delete them.
> Any ideas on how I can target these audit logs for filtering?
I'd probably recommend rewriting your audit rules. However, if you just want a never
rule, it's probably something like:
-a never,exit -F arch=b32 -S open -S openat -F exit=-ENOENT
-a never,exit -F arch=b64 -S open -S openat -F exit=-ENOENT
-Steve
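Steve's distinction between ENOENT noise from glibc probing and the EPERM/EACCES failures that actually reflect DAC/MAC enforcement can be checked against a box's own log before any rule is changed. The script below is an added example, not code from either message or from the audit project: it parses SYSCALL records in the format shown in the thread, tallies failed opens by (comm, errno), applies the same decision as Steve's `-F exit=-ENOENT` never-rule to estimate what would be dropped, and separately lists the enforcement failures that a stig.rules-style auid test would attribute to a logged-in user. The sample lines are constructed after the ones quoted above, the open/openat syscall numbers for x86_64 and i386 are assumed from the kernel tables, and UID_MIN=500 is an assumption about RHEL 5 era user ids.

```python
"""Summarize failed open()/openat() audit records by errno and estimate what
Steve's never-rule for ENOENT would discard. Added example, not from the thread."""
import errno
import re
from collections import Counter

# Assumed syscall tables: x86_64 (arch=c000003e) and i386 (arch=40000003).
OPEN_SYSCALLS = {
    "c000003e": {2: "open", 257: "openat"},
    "40000003": {5: "open", 295: "openat"},
}
AUID_UNSET = 4294967295   # -1 as u32: no login uid (daemons, boot-time processes)
UID_MIN = 500             # assumption: first regular user uid on RHEL 5

ENFORCEMENT_ERRNOS = {"EACCES", "EPERM"}   # DAC/MAC said no: worth keeping
NOISE_ERRNOS = {"ENOENT"}                  # file simply absent: the never-rule target

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Constructed sample, modelled on the records quoted in the thread.
SAMPLE_AUDIT_LOG = """\
type=SYSCALL msg=audit(1307462086.972:1619017): arch=c000003e syscall=2 success=no exit=-2 a0=6d9c790 a1=0 a2=0 a3=3074f234f3 items=2 ppid=4945 pid=32700 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=kernel key=(null)
type=CWD msg=audit(1307462086.972:1619017): cwd="/"
type=PATH msg=audit(1307462086.972:1619017): item=0 name="/usr/share/locale/en.utf8/LC_MESSAGES/net-tools.mo"
type=SYSCALL msg=audit(1307462163.369:1620406): arch=c000003e syscall=2 per=400000 success=no exit=-2 a0=2aaab81124b8 a1=0 a2=1b6 a3=0 items=2 ppid=678 pid=681 auid=1002 uid=1002 gid=100 euid=1002 suid=1002 fsuid=1002 egid=100 sgid=100 fsgid=100 tty=(none) ses=641 comm="java" exe="/usr/java/jdk1.6.0_24/bin/java" subj=kernel key=(null)
type=SYSCALL msg=audit(1307462163.365:1620404): arch=c000003e syscall=2 success=no exit=-20 a0=7fff922a6610 a1=10800 a2=7fff922a68f0 a3=22 items=2 ppid=703 pid=704 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/sbin/modprobe" subj=kernel key=(null)
type=SYSCALL msg=audit(1307462500.100:1630001): arch=c000003e syscall=2 success=no exit=-13 a0=7fff0 a1=0 a2=0 a3=0 items=1 ppid=5000 pid=5001 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=12 comm="cat" exe="/bin/cat" subj=kernel key=(null)
type=SYSCALL msg=audit(1307462500.200:1630002): arch=c000003e syscall=2 success=yes exit=3 a0=7fff0 a1=0 a2=0 a3=0 items=1 ppid=5000 pid=5002 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=12 comm="vim" exe="/usr/bin/vim" subj=kernel key=(null)
"""

def parse_record(line):
    """Split one audit line into a dict of fields; quoted values are unquoted."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}

def errno_name(fields):
    """Errno name for a failed syscall (exit is -errno), or None on success."""
    if fields.get("success") != "no":
        return None
    code = -int(fields["exit"])
    return errno.errorcode.get(code, "E%d" % code)

def open_call_name(fields):
    """'open'/'openat' for this arch, or None if the record is another syscall."""
    table = OPEN_SYSCALLS.get(fields.get("arch"), {})
    return table.get(int(fields.get("syscall", -1)))

def human_initiated(fields):
    """stig.rules-style test: a real login uid is attached to the record."""
    auid = int(fields.get("auid", AUID_UNSET))
    return auid != AUID_UNSET and auid >= UID_MIN

def classify(fields):
    """'drop' if a never-rule on open/openat returning ENOENT would discard
    the record, 'keep' otherwise (successful and non-open records stay)."""
    if open_call_name(fields) and errno_name(fields) in NOISE_ERRNOS:
        return "drop"
    return "keep"

def summarize(log_text):
    """Tally SYSCALL records by (comm, errno), by keep/drop, and list the
    enforcement failures (EACCES/EPERM) attributable to a logged-in user."""
    by_comm_errno, decisions, enforcement = Counter(), Counter(), []
    for line in log_text.splitlines():
        if not line.startswith("type=SYSCALL"):
            continue   # CWD/PATH records carry no success/exit fields
        f = parse_record(line)
        err = errno_name(f) or "ok"
        by_comm_errno[(f["comm"], err)] += 1
        decisions[classify(f)] += 1
        if err in ENFORCEMENT_ERRNOS and human_initiated(f):
            enforcement.append((f["comm"], f["auid"], err))
    return by_comm_errno, decisions, enforcement

if __name__ == "__main__":
    counts, decisions, enforcement = summarize(SAMPLE_AUDIT_LOG)
    for (comm, err), n in counts.most_common():
        print("%-10s %-8s %d" % (comm, err, n))
    print("would drop:", decisions["drop"], "would keep:", decisions["keep"])
    print("enforcement failures by users:", enforcement)
```

Run against a real /var/log/audit/audit.log the per-(comm, errno) table shows directly whether the volume is ENOENT probing, as Steve suspects, or something a `-F exit=-13` rule would silently throw away; the `enforcement` list is the subset the stig rules are designed to keep.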