= Steve Grubb <sgrubb@redhat.com> · = 08/13/2009 02:29 PM

On Thursday 13 August 2009 10:56:50 am David Flatley wrote:

>   Red Hat 5.3 running audit 1.7.7-6

> Rotating logs at 20 megs and allowing 8 logs

> Rules have watches and syscalls from the SECSCAN recommendations, =
and have

> added some of Steve Grubb's recommendations.

I would be curious what the SECSCAN recommendations are. Never heard of=
 it...

> When we extract and archive the audit logs we get "Error rece=
iving audit

> netlink packet (No buffer space available) an "error sending =
signal info

> request"

> Our extract is: stop auditd then create a file and run ausearch -i=
 > file

> then run an aureport -i > file then once that is done we delete=
 all the

> logs and restart auditd.

I think this is your problem. If you have audit rules loaded and stop a=
uditd, 

then audit events are going to pile up in the queue waiting for auditd =
to 

download them. At some point the kernel will decide auditd doesn't exis=
t and 

will dump all events to syslog. This probably is not what you want eith=
er.

I would recommend calling "service auditd rotate" and then gr=
ab logs 

audit.log.1 -> audit.logs.7 and move them away to another directory =
for post  

processing the contents.

You may also want to check you backlog size settings too.

> If I run this manually it works fine but if I have it running it i=
n a cron

> we get Kernel panics, lockups and log data loss plus the buffer me=
ssages.

Shouldn't really make a difference.

-Steve

>> Because I was getting errors restarting the auditd on s=
ome of their

>> recommendations one of which was mount?

>Yes, that is correct. Mount is syscall 165 on x86_64 and 21 on i386=
.

>>   I would like to be able to do the audit log extract=
ions (ausearch and

>> aureport) when I get say 8 - 20 megs logs. I see I can do an e=
xec on a

>> script in max_log_file_action.

>> So if I set the max_log_file to 160, I can then run a script t=
o move the

>> rotated logs and process them, thus not stopping auditd and ke=
eping things

>> working?

>Yes, I think so. But if you are hooking max_log_file action, then y=
ou would 

>need to send sigusr1 to ppid to get auditd to rotate the log and op=
en another 

>one. If you don't, auditd will still have an open descriptor to the=
 file.
I am in error, I meant space_left_action because there is an exec f=
or this.
I was going to do the "service auditd rotate" then move a=
ll the audit.log.* to
another directory so that ausearch -i and aureport -i could run on =
the logs. 
The core for me is to keep audit running while dealing with log gen=
eration.
Our regression test can generate 8 20 meg rotated logs in an hour. =
So if I can
get audit to kick off the extraction script at certain points then =
that would
fix my situation.
   Thanks.
On Monday 17 August 2009 10:49:55 am David Flatley wrote:

>  If I were to move all the rotated logs to another directory,=

> say /home/logs. So instead of doing "ausearch -i" to cap=
ture all the

> information in the rotated logs in

> /var/log/audit directory. I would do "ausearch -i -f /home/lo=
gs" , correct?

Yes.

> Backlog is set to 12288 right now.

ok

>  The SECSCAN requires many -w (watches) and a fair amount of =
syscalls. I

> modified the syscalls to add your recommendation for using "a=
rch=3Db32" and

> "arch=3Db64".

Are there any public references to this standard?

> Because I was getting errors restarting the auditd on some of thei=
r

> recommendations one of which was mount?

Yes, that is correct. Mount is syscall 165 on x86_64 and 21 on i386.

>  Another setting I believe was doing me in was the log size i=
s 20 megs and

> I allow 8 rotated logs. But I had admin_disk_full set to 160 and t=
he action

> was suspend.

> So this could have been tripping me up also.

If the partition was 320Mb or smaller, then yes that would be a problem=
. But I 

also think the fact that its being suspended is sent to syslog.

>   I would like to be able to do the audit log extractions (au=
search and

> aureport) when I get say 8 - 20 megs logs. I see I can do an exec =
on a

> script in max_log_file_action.

> So if I set the max_log_file to 160, I can then run a script to mo=
ve the

> rotated logs and process them, thus not stopping auditd and keepin=
g things

> working?

Yes, I think so. But if you are hooking max_log_file action, then you w=
ould 

need to send sigusr1 to ppid to get auditd to rotate the log and open a=
nother 

one. If you don't, auditd will still have an open descriptor to the fil=
e.

-Steve

>> Lenny:

>> 

>> I was going to move the rotated logs into /home/logs and use &=
quot;ausearch

>> -i -f /home/logs".

>> 

>> 

>> David Flatley CISSP

>> 

>> 

>David,

>

>It won't work like that; exactly the issue I described:

>

>[root@slim root]# mkdir logs-test

>[root@slim root]# cd !$

>cd logs-test

>[root@slim logs-test]# auditctl -m "TEST message"

>[root@slim logs-test]# service auditd rotate

>Rotating logs:               &nb=
sp;                   &nbs=
p;         [  OK  ]

>[root@slim logs-test]# cp /var/log/audit/audit.log.1 .

>[root@slim logs-test]# ausearch -i -f `pwd` -m USER

><no matches>

>[root@slim logs-test]# grep TEST audit.log.1

>node=3Dslim type=3DUSER msg=3Daudit(1250529052.265:305135): user pi=
d=3D8191

>uid=3D0 auid=3D500 ses=3D4172 subj=3Duser_u:user_r:user_t:s0 msg=3D=
'TEST message:

>exe=3D"/sbin/auditctl" (hostname=3D?, addr=3D?, terminal=3D=
pts/18 res=3Dsuccess)'

>

>

>LCB.

  UGH this is a wrench in the works...
  I was hoping to grab all the rotated logs, process them whil=
e still allowing audit
to run with no interruptions. Problem I run into is I run ausearch =
-i > /tmp/file and then
do ausearch -i /nfs/file with auditd stopped, then compare files an=
d if they are the same in 
size then delete the /tmp/file. I do this to make sure I get the lo=
g in the nfs archive directory 
and the /tmp is a backup if there is a problem. If audit is running=
 there is no way the files will 
be equal in size while processing the /var/log/audit data in two di=
fferent intervals.
  Thanks for feedback on this Lenny.  

On Mon, 2009-08-17 at 13:06 -0400, David Flatley wrote:

> Lenny:

> 

> I was going to move the rotated logs into /home/logs and use "=
;ausearch

> -i -f /home/logs".

> 

> 

> David Flatley CISSP

> 

> 

David,

It won't work like that; exactly the issue I described:

[root@slim root]# mkdir logs-test

[root@slim root]# cd !$

cd logs-test

[root@slim logs-test]# auditctl -m "TEST message"

[root@slim logs-test]# service auditd rotate

Rotating logs:                 =
                    &=
nbsp;       [  OK  ]

[root@slim logs-test]# cp /var/log/audit/audit.log.1 .

[root@slim logs-test]# ausearch -i -f `pwd` -m USER

<no matches>

[root@slim logs-test]# grep TEST audit.log.1

node=3Dslim type=3DUSER msg=3Daudit(1250529052.265:305135): user pid=3D=
8191

uid=3D0 auid=3D500 ses=3D4172 subj=3Duser_u:user_r:user_t:s0 msg=3D'TES=
T message:

exe=3D"/sbin/auditctl" (hostname=3D?, addr=3D?, terminal=3Dpt=
s/18 res=3Dsuccess)'

LCB.

-- 

LC (Lenny) Bruzenak

lenny@magitekltd.com

On Mon, 2009-08-17 at 12:15 -0500, LC Bruzenak wrote:

> On Mon, 2009-08-17 at 13:06 -0400, David Flatley wrote:

> > Lenny:

> > 

> > I was going to move the rotated logs into /home/logs and use "ausearch

> > -i -f /home/logs".

> > 

> > 

> > David Flatley CISSP

> > 

> > 

> 

> David,

> 

> It won't work like that; exactly the issue I described:

> 

> [root@slim root]# mkdir logs-test

> [root@slim root]# cd !$

> cd logs-test

> [root@slim logs-test]# auditctl -m "TEST message"

> [root@slim logs-test]# service auditd rotate

> Rotating logs:                                             [  OK  ]

> [root@slim logs-test]# cp /var/log/audit/audit.log.1 .

> [root@slim logs-test]# ausearch -i -f `pwd` -m USER

> <no matches>

> [root@slim logs-test]# grep TEST audit.log.1

> node=slim type=USER msg=audit(1250529052.265:305135): user pid=8191

> uid=0 auid=500 ses=4172 subj=user_u:user_r:user_t:s0 msg='TEST message:

> exe="/sbin/auditctl" (hostname=?, addr=?, terminal=pts/18 res=success)'

> 

> 

> LCB.

> 

David,

I should have been more diligent. The input switch was supposed to be

"-if" IIUC. The "-f" switch is looking for a filename inside the record.

[root@slim logs-test]# ausearch -i -if `pwd` -m USER

<no matches>

[root@slim logs-test]# ausearch -i -if `pwd`/audit.log.1  -m USER

...

----

node=slim type=USER msg=audit(08/17/2009 12:10:52.265:305135) : user

pid=8191 uid=root auid=lcb ses=4172 subj=user_u:user_r:user_t:s0

msg='TEST message: exe=/sbin/auditctl (hostname=?, addr=?,

terminal=pts/18 res=success)' 

...

This is what you want to do right - search inside a directory other

than /var/log/audit with multiple audit logs inside the directory?

LCB.
   Yes but not search for anything specific. Actually all I want to do is convert the 
logs from kernel text to regular notation (ausearch -i) to start with. I like Steve's 
idea of doing "service auditd rotate", then moving all the rotated logs to another 
directory to run the "ausearch -i" on the logs. This way auditd can keep running and 
processing the logs does not effect auditd. So what you did is pretty much what I want 
to do with the -if instead of just the -f. 
  Thanks Lenny!

On Thursday 27 August 2009 01:21:43 pm David Flatley wrote:

>    When auditd starts and reports an error on a line in =
the audit.rules,

> does auditd continue to run with the rest of the rules?

> Or does auditd stop waiting for a correction to the rules file?

It depends on whether or not its processed a "-i" directive i=
n the rules. If 

not, it stops. If so, it continues.

-Steve

From:	= Steve Grubb <sgrubb@redhat.com>
To:	linux-audit@redhat.com
Cc:	David Flatley/Burlington/IBM@IBMUS
Date:	= 08/13/2009 02:29 PM
Subject:	Re: buffer space

From:	= Steve Grubb <sgrubb@redhat.com>
To:	David Flatley/Burlington/IBM@IBMUS
Cc:	linux-audit@redhat.com
Date:	= 08/17/2009 11:08 AM
Subject:	Re: buffer space

From:	= LC Bruzenak <lenny@magitekltd.com>
To:	David Flatley/Burlington/IBM@IBMUS
Cc:	linux-audit@redhat.com, Steve Grubb <sgrubb@redhat.= com>
Date:	= 08/17/2009 01:16 PM
Subject:	Re: buffer space

From:	= Steve Grubb <sgrubb@redhat.com>
To:	David Flatley/Burlington/IBM@IBMUS
Cc:	linux-audit@redhat.com
Date:	= 08/27/2009 01:32 PM
Subject:	Re: buffer space