From: Steve Grubb <sgrubb@redhat.com>
To: Brad Zynda <bradley.v.zynda@nasa.gov>
Cc: linux-audit@redhat.com
Subject: Re: Systemd Journald and audit logging causing journal issues
Date: Wed, 18 Oct 2017 19:27:53 -0400 [thread overview]
Message-ID: <3415645.lFTUzFUhp1@x2> (raw)
In-Reply-To: <fb069027-e7cc-de4b-f9a2-e44095d08583@nasa.gov>
On Wednesday, October 18, 2017 12:32:15 PM EDT Brad Zynda wrote:
> On 10/18/2017 12:26 PM, Steve Grubb wrote:
> > On Wednesday, October 18, 2017 12:13:13 PM EDT Brad Zynda wrote:
> >> So now you have to comment out a rule at a time and watch for
> >> usage/count to fall?
> >
> > Well, I am certain that commenting out that rule will drop the count. But
> > the question more is why is that rule being triggered. One thing you
> > could do is post the rule to the mail list if you think it might be
> > formed wrong. But you might also want to see whay its being triggered by
> > doing something like
> >
> > ausearch --start today -k perm_mod --raw | aureport --summary --file -i
> >
> > ausearch --start today -k perm_mod --raw | aureport --summary -x -i
> >
> > ausearch --start today -k perm_mod --raw | aureport --summary --syscall -i
> >
> >> Also if I wanted to grep and compare those numbers and alert with an
> >> email what would be the magic number to threshold with in a gt statement
> >> (500, 1000, etc.)?
> >
> > That's a bit harder. You'd want a sliding window of time. Assuming your
> > cron job runs once an hour and a US locale, you'd do something like this:
> >
> > aureport --start `date -d '1 hour ago' "+%m/%d/%Y %H:%M:%S"` --key
> > --summary --input-logs
> >
> > I don't know what the best threshold would be because its workload
> > dependent. If you wanted to see things visualized, I'd try playing with
> > the data in R.
> >
> > http://security-plus-data-science.blogspot.com/2017/03/bar-charts.html
> > http://security-plus-data-science.blogspot.com/2017/03/heatmaps.html
> >
> > That assumes you have a recent audit package (2.7 or higher) and RStudio.
> >
> > -Steve
>
> Here are the rules:
>
> grep perm_mod /etc/audit/audit.rules
> -a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000
> -F auid!=4294967295 -k perm_mod
> -a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000
> -F auid!=4294967295 -k perm_mod
> -a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F
> auid>=1000 -F auid!=4294967295 -k perm_mod
> -a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F
> auid>=1000 -F auid!=4294967295 -k perm_mod
> -a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S
> removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F
> auid!=4294967295 -k perm_mod
> -a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S
> removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F
> auid!=4294967295 -k perm_mod
>
> grep delete /etc/audit/audit.rules
> -a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat
> -F auid>=1000 -F auid!=4294967295 -k delete
> -a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat
> -F auid>=1000 -F auid!=4294967295 -k delete
> -a always,exit -F arch=b64 -S init_module -S delete_module -k modules
> -a always,exit -F arch=b32 -S init_module -S delete_module -k modules
These rules are well formed. Meaning no obvious holes that would cause
unintended events. The other ausearch/aureport commands I gave you should show
you what is causing the events and to which files. This information may be
used to create some kind of "never" rule that limits what gets audited. If you
do create some exclusion rule, it needs to be above the perm_mod rules because
audit is a "first match wins" system.
-Steve
-Steve
next prev parent reply other threads:[~2017-10-18 23:27 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2017-10-02 17:30 Systemd Journald and audit logging causing journal issues Brad Zynda
2017-10-17 15:25 ` Steve Grubb
2017-10-17 15:40 ` Brad Zynda
2017-10-17 16:25 ` Steve Grubb
2017-10-17 17:13 ` Brad Zynda
2017-10-18 15:14 ` Brad Zynda
2017-10-18 15:40 ` Steve Grubb
2017-10-18 16:13 ` Brad Zynda
2017-10-18 16:26 ` Steve Grubb
2017-10-18 16:32 ` Brad Zynda
2017-10-18 23:27 ` Steve Grubb [this message]
2017-10-19 17:08 ` Brad Zynda
2017-10-19 20:13 ` Steve Grubb
2017-12-01 13:17 ` Brad Zynda
2017-12-01 13:54 ` Steve Grubb
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=3415645.lFTUzFUhp1@x2 \
--to=sgrubb@redhat.com \
--cc=bradley.v.zynda@nasa.gov \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox