From: Brad Zynda <bradley.v.zynda@nasa.gov>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: Systemd Journald and audit logging causing journal issues
Date: Wed, 18 Oct 2017 12:13:13 -0400
Message-ID: <3f5f272b-63c4-eb5e-2240-313372a80ce4@nasa.gov>
In-Reply-To: <6322244.dH2N8TGAnG@x2>
On 10/18/2017 11:40 AM, Steve Grubb wrote:
> On Wednesday, October 18, 2017 11:14:31 AM EDT Brad Zynda wrote:
>> Here is an output from the server with PATH audit type re-allowed
>> (everything back to normal):
>>
>> Key Summary Report
>> ===========================
>> total key
>> ===========================
>> 6019 perm_mod
>> 3878 delete
>> 964 access
>> 96 privileged
>> 57 time-change
>> 51 session
>> 41 modules
>> 20 logins
>> 6 system-locale
>> 5 identity
>> 2 mounts
>> 2 scope
>> 2 actions
>> 1 MAC-policy
>>
>> Now this is probably not a peak result, but I have come across 2 questions.
>>
>> 1. I wanted to cron this and email results but get, verified path sbin:
>>
>> Key Summary Report
>> ===========================
>> total key
>> ===========================
>> <no events of interest were found>
>
> This is a well known problem. From aureport man page:
>
> --input-logs
> Use the log file location from auditd.conf as input for analysis.
> This is needed if you are using aureport from a cron job.
>
> ausearch/report can be piped to by stdin. This takes priority over the logs.
> Cron uses pipes for all 3 descriptors. Therefore you have to tell them to
> ignore what they are seeing and just use the logs.
>
>> 2. If it ends up being perm_mod as the high count what is the next step
>> to identify the rule in question?
>
> grep perm_mod /etc/audit/audit.rules
>
> delete also looks excessive.
>
> -Steve
>
Yep, --input-logs fit the bill.
So now you have to comment out a rule at a time and watch for
usage/count to fall?
Also, if I wanted to grep and compare those numbers and alert with an
email, what would be the magic number to threshold with in a gt statement
(500, 1000, etc.)?
Thanks,
Brad
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
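The cron-driven check discussed in this thread, written out as an added example (it is not code from the thread or from the audit project). It reads a Key Summary Report in the layout aureport printed above, skips the header and separator lines, and flags every key whose count is above a threshold so the job can exit non-zero and mail the offenders. The sample report is constructed from the counts quoted in the thread; the `aureport -k --summary --input-logs` invocation in the trailing comment and the threshold of 1000 are assumptions, not values the thread settles on.

```shell
#!/bin/sh
# Added example, not from the thread: a cron-friendly wrapper around the
# aureport key summary that flags audit keys whose event count exceeds a
# threshold. The aureport invocation and the threshold value are assumptions.

# Constructed sample report in the layout aureport printed in the thread.
SAMPLE_REPORT='Key Summary Report
===========================
total key
===========================
6019 perm_mod
3878 delete
964 access
96 privileged
57 time-change
<no events of interest were found>'

# keys_over_threshold THRESHOLD: reads a Key Summary Report on stdin and
# prints "count key" for every key with more than THRESHOLD events.
# Header, separator and "<no events ...>" lines never start with a number,
# so the numeric test on the first field skips them.
keys_over_threshold() {
    awk -v t="$1" '$1 ~ /^[0-9]+$/ && NF == 2 && $1 + 0 > t { print $1, $2 }'
}

# check_report THRESHOLD: reads the report on stdin; returns 0 when every
# key is at or under the threshold, otherwise prints the offenders and
# returns 1 so cron's exit status (and its mail) reflect the outcome.
check_report() {
    over=$(keys_over_threshold "$1")
    if [ -n "$over" ]; then
        echo "audit keys with more than $1 events:"
        echo "$over"
        return 1
    fi
    return 0
}

# Cron job wiring (assumed usage; deliberately not executed in this file):
#   aureport -k --summary --input-logs | check_report 1000
# --input-logs, as Steve quotes from the man page, makes aureport read the
# log files named in auditd.conf instead of the pipe cron attaches to stdin;
# without it the report is the empty "<no events of interest were found>".
```

Running the wrapper once a day and comparing its output against the previous day's run is a more useful baseline than any fixed "magic number": a key that jumps from hundreds to thousands between runs points at the rule to inspect, regardless of the absolute threshold chosen.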