Re: Systemd Journald and audit logging causing journal issues

public inbox for linux-audit@redhat.com
 help / color / mirror / Atom feed

From: Brad Zynda <bradley.v.zynda@nasa.gov>
To: Steve Grubb <sgrubb@redhat.com>
Cc: linux-audit@redhat.com
Subject: Re: Systemd Journald and audit logging causing journal issues
Date: Wed, 18 Oct 2017 12:32:15 -0400	[thread overview]
Message-ID: <fb069027-e7cc-de4b-f9a2-e44095d08583@nasa.gov> (raw)
In-Reply-To: <38688134.fP2IbDyV6k@x2>



On 10/18/2017 12:26 PM, Steve Grubb wrote:
> On Wednesday, October 18, 2017 12:13:13 PM EDT Brad Zynda wrote:
>> So now you have to comment out a rule at a time and watch for
>> usage/count to fall?
> 
> Well, I am certain that commenting out that rule will drop the count. But the 
> question more is why is that rule being triggered. One thing you could do is 
> post the rule to the mail list if you think it might be formed wrong. But you 
> might also want to see whay its being triggered by doing something like
> 
> ausearch --start today -k perm_mod --raw | aureport --summary --file -i
> 
> ausearch --start today -k perm_mod --raw | aureport --summary -x -i
> 
> ausearch --start today -k perm_mod --raw | aureport --summary --syscall -i
> 
>> Also if I wanted to grep and compare those numbers and alert with an
>> email what would be the magic number to threshold with in a gt statement
>> (500, 1000, etc.)?
> 
> That's a bit harder. You'd want a sliding window of time. Assuming your cron 
> job runs once an hour and a US locale, you'd do something like this:
> 
> aureport --start `date -d '1 hour ago' "+%m/%d/%Y %H:%M:%S"` --key --summary 
> --input-logs
> 
> I don't know what the best threshold would be because its workload dependent. 
> If you wanted to see things visualized, I'd try playing with the data in R.
> 
> http://security-plus-data-science.blogspot.com/2017/03/bar-charts.html
> http://security-plus-data-science.blogspot.com/2017/03/heatmaps.html
> 
> That assumes you have a recent audit package (2.7 or higher) and RStudio.
> 
> -Steve
> 
Here are the rules:

grep perm_mod /etc/audit/audit.rules
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000
-F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000
-F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F
auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F
auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S
removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F
auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S
removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F
auid!=4294967295 -k perm_mod

grep delete /etc/audit/audit.rules
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat
-F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat
-F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules

Thanks,
Brad

next prev parent reply	other threads:[~2017-10-18 16:32 UTC|newest]

Thread overview: 15+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2017-10-02 17:30 Systemd Journald and audit logging causing journal issues Brad Zynda
2017-10-17 15:25 ` Steve Grubb
2017-10-17 15:40   ` Brad Zynda
2017-10-17 16:25     ` Steve Grubb
2017-10-17 17:13       ` Brad Zynda
2017-10-18 15:14         ` Brad Zynda
2017-10-18 15:40           ` Steve Grubb
2017-10-18 16:13             ` Brad Zynda
2017-10-18 16:26               ` Steve Grubb
2017-10-18 16:32                 ` Brad Zynda [this message]
2017-10-18 23:27                   ` Steve Grubb
2017-10-19 17:08                     ` Brad Zynda
2017-10-19 20:13                       ` Steve Grubb
2017-12-01 13:17                         ` Brad Zynda
2017-12-01 13:54                           ` Steve Grubb

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=fb069027-e7cc-de4b-f9a2-e44095d08583@nasa.gov \
    --to=bradley.v.zynda@nasa.gov \
    --cc=linux-audit@redhat.com \
    --cc=sgrubb@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox