From: Steve Grubb
To: Amjad Gabbar
Subject: Re: Maximum Value for q_depth
Date: Tue, 21 Dec 2021 15:39:11 -0500
Message-ID: <4366969.LvFx2qVVIh@x2>
Organization: Red Hat
References: <5525704.DvuYhMxLoT@x2>
Cc: linux-audit@redhat.com
List-Id: Linux Audit Discussion

Hello,

On Tuesday, December 21, 2021 12:55:47 AM EST Amjad Gabbar wrote:
> Based on our discussion above, I performed some analysis as to why we were
> seeing so many events. The reason seems to be due to the default rules
> being triggered every time a cron job runs. We have numerous cron jobs
> running per minute, as a result of which multiple different events (LOGIN,
> USER_END, CRED_DISP etc.) are generated each time a cron job runs. As we do
> not enable SELinux, disabling these things using subj_type=crond_t is not a
> viable option.
>
> 1. I have tried the following way to exclude using msg_type and exe
> together and it seems to work.
>
> -a exclude,always -F msgtype=MAC_IPSEC_EVENT -F exe=/usr/sbin/cron
> -a exclude,always -F msgtype=USER_AUTH -F exe=/usr/sbin/cron
> -a exclude,always -F msgtype=USER_ACCT -F exe=/usr/sbin/cron
> -a exclude,always -F msgtype=CRED_REFR -F exe=/usr/sbin/cron
> -a exclude,always -F msgtype=CRED_DISP -F exe=/usr/sbin/cron
> -a exclude,always -F msgtype=CRED_ACQ -F exe=/usr/sbin/cron
> -a exclude,always -F msgtype=USER_START -F exe=/usr/sbin/cron
> -a exclude,always -F msgtype=USER_END -F exe=/usr/sbin/cron
> -a exclude,always -F msgtype=SERVICE_START -F exe=/usr/sbin/cron
>
> Just want to make sure there is nothing I am missing here and that this
> only excludes the msg types for the cron executable.

I think so. But it's easy enough to test. Just log in and see if you get any
USER_START events from something other than cron.

> 2. Apart from these messages, there is a LOGIN message that gets generated
> each time a cron runs. Even though the LOGIN message in auditd does not
> have an exe field, the following statement surprisingly seems to be
> working.
>
> -a exclude,always -F msgtype=LOGIN -F exe=/usr/sbin/cron
>
> I can still see LOGIN messages for other users, but the cron LOGIN messages
> seem to be suppressed. Could you provide some detail as to how this is
> happening and whether this is the expected result.

It doesn't match against the text in the event. It matches against the
process's attributes.

> 3. Is there a better way to suppress these cron messages that I am not
> considering apart from the SELinux option mentioned.

I think you found the best way for a non-selinux system. Back when it was
documented that it could be suppressed by selinux type, audit by executable
did not exist. But as you found, that is an effective way to get rid of the
events.

I also think the cronie program might be a little more audit friendly. It
does not call PAM for the system crontabs run under the root user. PAM is
run only for the local crontab (i.e. the one edited by the crontab command)
and in case of the system crontabs only for jobs that are run under a
non-root user.

-Steve

--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit
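The two points in the reply above (the exclude rules are matched on the emitting process's attributes, not on the record text, and the way to confirm the rules are scoped correctly is to check that USER_START events from something other than cron still arrive) can be checked offline against a slice of audit.log. The script below is an added example, not code from this thread or from the audit project: it parses raw audit records, models the posted (msgtype, exe) exclude rules, and attributes exe-less LOGIN records to their process by pid, which is what a user-space text filter would have to do to imitate what the kernel gets for free from the live task. The sample log lines, pids, paths and account names are constructed.

```python
"""Simulate the exclude rules from the message above against raw audit.log
records. Added example, not code from the original thread or the audit
project. Log lines below are constructed; paths and pids are assumptions."""
import re
from collections import Counter

CRON_EXE = "/usr/sbin/cron"

# The (msgtype, exe) pairs excluded by the posted rules, LOGIN included.
EXCLUDE_RULES = frozenset(
    (msgtype, CRON_EXE)
    for msgtype in (
        "MAC_IPSEC_EVENT", "USER_AUTH", "USER_ACCT", "CRED_REFR", "CRED_DISP",
        "CRED_ACQ", "USER_START", "USER_END", "SERVICE_START", "LOGIN",
    )
)

# Constructed sample: one cron job session (pid 4242, root) followed by one
# interactive ssh login (pid 5150). Note the LOGIN records carry no exe= field.
SAMPLE_LOG = """\
type=LOGIN msg=audit(1640119200.101:901): pid=4242 uid=0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=77 res=1
type=USER_START msg=audit(1640119200.102:902): pid=4242 uid=0 auid=0 ses=77 msg='op=PAM:session_open grantors=pam_loginuid,pam_limits acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=CRED_DISP msg=audit(1640119200.150:903): pid=4242 uid=0 auid=0 ses=77 msg='op=PAM:setcred grantors=pam_permit acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=USER_END msg=audit(1640119200.151:904): pid=4242 uid=0 auid=0 ses=77 msg='op=PAM:session_close grantors=pam_loginuid,pam_limits acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=LOGIN msg=audit(1640119230.201:905): pid=5150 uid=0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=78 res=1
type=USER_START msg=audit(1640119230.202:906): pid=5150 uid=0 auid=1000 ses=78 msg='op=PAM:session_open grantors=pam_loginuid,pam_limits acct="amjad" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
"""

RECORD_RE = re.compile(r"^type=(?P<type>\w+) msg=audit\([^)]*\): (?P<body>.*)$")
PID_RE = re.compile(r"\bpid=(\d+)")
EXE_RE = re.compile(r'\bexe="([^"]*)"')


def parse_record(line):
    """Return {'type', 'pid', 'exe'} for one raw record, or None if not a record.
    'exe' is None when the record text has no exe= field (e.g. LOGIN)."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    body = m.group("body")
    pid = PID_RE.search(body)
    exe = EXE_RE.search(body)
    return {
        "type": m.group("type"),
        "pid": int(pid.group(1)) if pid else None,
        "exe": exe.group(1) if exe else None,
    }


def attribute_exe(records):
    """Fill in exe for records that lack it by matching pid to a record from
    the same process that does carry exe=. A text-based filter has to do this;
    the kernel instead reads the live task's exe, which is why "-F exe=" works
    on LOGIN even though the record text never mentions it.
    Caveat: pid reuse across a long log window can misattribute here."""
    pid_to_exe = {r["pid"]: r["exe"] for r in records if r["exe"] is not None}
    return [dict(r, exe=r["exe"] if r["exe"] is not None else pid_to_exe.get(r["pid"]))
            for r in records]


def apply_exclude(records, rules=EXCLUDE_RULES):
    """Split records into (kept, dropped) under exclude-by-(msgtype, exe) rules."""
    kept, dropped = [], []
    for r in records:
        (dropped if (r["type"], r["exe"]) in rules else kept).append(r)
    return kept, dropped


def summarize(log_text, rules=EXCLUDE_RULES):
    """Count (type, exe) pairs that survive vs. are suppressed by the rules."""
    records = [r for r in map(parse_record, log_text.splitlines()) if r]
    kept, dropped = apply_exclude(attribute_exe(records), rules)
    return {
        "kept": Counter((r["type"], r["exe"]) for r in kept),
        "dropped": Counter((r["type"], r["exe"]) for r in dropped),
    }


def non_cron_user_starts(summary):
    """The check suggested in the reply: USER_START events from anything but
    cron must still be present after the rules are loaded."""
    return sum(n for (t, exe), n in summary["kept"].items()
               if t == "USER_START" and exe != CRON_EXE)


if __name__ == "__main__":
    s = summarize(SAMPLE_LOG)
    for label in ("dropped", "kept"):
        for (t, exe), n in sorted(s[label].items()):
            print(f"{label:7} {t:14} {exe} x{n}")
    print("non-cron USER_START still visible:", non_cron_user_starts(s))
```

On the sample, all four cron records (including the exe-less LOGIN) are dropped and both sshd records survive, so the rules are scoped to the cron executable. This is only a user-space model of the kernel filter; the real check is to load the rules with auditctl, log in interactively, and confirm with ausearch that USER_START and LOGIN records for that session still appear while the per-minute cron ones do not.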