From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: Michael C Mc Quaid <Michael.C.Mc.Quaid@raytheon.com>
Subject: Re: Need help with understanding auditd rules
Date: Fri, 28 Aug 2015 08:48:57 -0400
Message-ID: <4131398.noCnRfcxNU@x2>
In-Reply-To: <OF7F3F36E6.CFDF8F52-ON86257EAF.0044C8AD-86257EAF.0044C8BC@mck.us.ray.com>

On Friday, August 28, 2015 07:31:18 AM Michael C Mc Quaid wrote:
> I don't know if this is an appropriate use of this group email, but after
> days and days of trying, we are not able to fix the auditing problem we are
> having, and we're desperate for help.
> 
> We need to audit our system to meet new security standards, which we have
> been able to do via the audit.rules file on our RHEL 5&6 nodes.  However,
> we also have to run the hp-health packages on our systems to remotely
> monitor our systems with HP Insight Manager.  When we run the hp-health
> processes, our auditd logs go from ~1000 entries to ~35,000 entries (every
> 10min), which is causing a problem in moving our audit logs to our storage
> system.

So...what's causing it?

ausearch --start today -k --raw | aureport --key --summary
aureport --start today --syscall --summary
aureport --start today --file --summary


> We have set up rules to "never" audit the hp-health processes themselves,
> but this does not fix the problem.  It only reduces the amount of entries
> by ~10,000.  It seems that the hp-ilo module loaded in the kernel is
> running system "checks" at a very rapid pace and is reporting them to the
> hp-snmp-agent processes (which are the ones we have set up never audit
> rules for).  We don't know how to set up a rule to eliminate the monitoring
> of these ilo activities (which are a combination
> chmods/touches/opens/execves/etc.), while continuing to monitor these
> syscalls for the rest of the system.
> 
> Are you aware of anyone else who has run into this problem, 

Yes, there are people that flood their system with events.

> or is there a thread on your web-page we can look at (we looked, but could
> not find anything).  We are looking for a way to set up a rule to not monitor
> any of the Insight Manager activity but still maintain the capability to
> monitor all of our other syscalls.

Normally, the security rules are intended to be about what people do rather 
than daemons. The difference between people and daemons is people have an auid 
>= 500 and a daemon has an auid of -1. People have a session id > 0 and 
daemons have -1. You might be able to fix your rules to not care about what 
daemons do. For example, if you currently have:

-a always,exit -S open

you might change it to

-a always,exit -S open -F auid>=500 -F auid!=-1

The kernel uses unsigned numbers. This causes -1 to become 4294967295, which 
is greater than 500.

-Steve
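The triage and the unsigned -1 pitfall from the reply above, as an added example that is not part of the thread: a small Python script that parses constructed, abbreviated raw audit records (the hp-snmp-agent process name is from the thread; keys, timestamps and the other process names are made up), tallies them per comm and key the way `aureport --summary` does, and applies the `auid>=500` / `auid!=-1` filter to show why the second test is needed.

```python
import re
from collections import Counter

# auid is an unsigned 32-bit value in the kernel: an unset loginuid (daemons,
# kernel threads) shows up as -1 == 4294967295, which compares as >= 500.
UNSET_AUID = 4294967295
MIN_USER_UID = 500          # first regular-user uid on RHEL 5/6

_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Turn one raw audit record into a dict (quoted values lose their quotes)."""
    rec = {k: v.strip('"') for k, v in _FIELD.findall(line)}
    rec["auid"] = int(rec.get("auid", UNSET_AUID))
    return rec

def user_filter(rec, ge_only=False):
    """Emulate '-F auid>=500 -F auid!=-1'; ge_only keeps only the first test."""
    if rec["auid"] < MIN_USER_UID:
        return False
    return True if ge_only else rec["auid"] != UNSET_AUID

def count_by_comm(log_text, keep=lambda rec: True):
    """Count SYSCALL records per (comm, key) that pass keep(), like aureport --summary."""
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") == "SYSCALL" and keep(rec):
            counts[(rec["comm"], rec["key"])] += 1
    return counts

# Constructed sample standing in for `ausearch --raw` output (exe= and the
# a0..a3 fields omitted); only the hp-snmp-agent name comes from the thread.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1440762000.101:1001): arch=c000003e syscall=2 success=yes exit=3 auid=4294967295 uid=0 ses=4294967295 comm="hp-snmp-agent" key="access"
type=SYSCALL msg=audit(1440762000.102:1002): arch=c000003e syscall=90 success=yes exit=0 auid=4294967295 uid=0 ses=4294967295 comm="hp-snmp-agent" key="perm_mod"
type=SYSCALL msg=audit(1440762001.003:1003): arch=c000003e syscall=2 success=yes exit=4 auid=4294967295 uid=0 ses=4294967295 comm="crond" key="access"
type=SYSCALL msg=audit(1440762002.004:1004): arch=c000003e syscall=2 success=yes exit=5 auid=500 uid=500 ses=12 comm="vim" key="access"
type=SYSCALL msg=audit(1440762003.005:1005): arch=c000003e syscall=59 success=yes exit=0 auid=501 uid=0 ses=13 comm="useradd" key="identity"
"""

if __name__ == "__main__":
    print("no filter     :", count_by_comm(SAMPLE_LOG))
    print("auid>=500 only:", count_by_comm(SAMPLE_LOG, lambda r: user_filter(r, ge_only=True)))
    print("both filters  :", count_by_comm(SAMPLE_LOG, user_filter))
```

With only `auid>=500` every daemon record survives, because 4294967295 passes the comparison; adding `auid!=-1` leaves just the two user-originated records.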
