* How to filter PROCTITLE events
@ 2019-07-24  9:27 杨海
  2019-07-24 12:14 ` Steve Grubb
From: 杨海 @ 2019-07-24  9:27 UTC (permalink / raw)
  To: linux-audit


Hi

I am looking for the method to filter the PROCTITLE events via auditctl.

It is said we can do it, but I could not figure out how.
"The proctitle event is emitted during syscall audits, and can be filtered with auditctl."

Regards
Hai


* Re: How to filter PROCTITLE events
  2019-07-24  9:27 How to filter PROCTITLE events 杨海
@ 2019-07-24 12:14 ` Steve Grubb
  2019-07-25  5:44   ` 杨海
From: Steve Grubb @ 2019-07-24 12:14 UTC (permalink / raw)
  To: linux-audit

On Wednesday, July 24, 2019 5:27:59 AM EDT 杨海 wrote:
> Hi
> 
> I am looking for the method to filter the PROCTITLE events via auditctl.
> 
> It is said we can do it, but I could not figure out how.

Did you read about the exclude filter?  :-)

> "The proctitle event is emitted during syscall audits, and can be filtered
> with auditctl."

-a always,exclude -F msgtype=PROCTITLE

There is another example in the 20-dont-audit.rules file.

-Steve



--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


* Re: How to filter PROCTITLE events
  2019-07-24 12:14 ` Steve Grubb
@ 2019-07-25  5:44   ` 杨海
  2019-07-25 14:51     ` Steve Grubb
From: 杨海 @ 2019-07-25  5:44 UTC (permalink / raw)
  To: Steve Grubb, linux-audit



Thanks Steve. It works :-)
Meanwhile, for read/write system calls, if they belong to the same pid and the same fd, we are trying to suppress them into one msg. I guess it would not be possible to filter them using auditctl, is that right?


Regards
Hai


* Re: How to filter PROCTITLE events
  2019-07-25  5:44   ` 杨海
@ 2019-07-25 14:51     ` Steve Grubb
  2019-07-30 12:18       ` 杨海
From: Steve Grubb @ 2019-07-25 14:51 UTC (permalink / raw)
  To: 杨海; +Cc: linux-audit

On Thursday, July 25, 2019 1:44:07 AM EDT 杨海 wrote:
> Thanks Steve. It works :-)
> Meanwhile, for read/write system calls, if they belong to the same pid and same
> fd, we are trying to suppress them into one msg. I guess it would not be
> able to filter using auditctl, is that right?

Technically you could suppress them. In practice, it's not feasible. You 
would need to have application specific rules to suppress. The more rules you 
have the more performance you lose.

But I would start by questioning whether you really need to monitor reads and 
writes? If a file is opened with O_WRONLY or O_RDWR, can it just be assumed 
that the file was written to?

-Steve




* Re: How to filter PROCTITLE events
  2019-07-25 14:51     ` Steve Grubb
@ 2019-07-30 12:18       ` 杨海
  2019-07-30 12:29         ` Steve Grubb
From: 杨海 @ 2019-07-30 12:18 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit



Hi Steve,


Thanks for the suggestion on read/write. I have two more questions which I haven't figured out.
1) Do auditctl rules support regular expressions? For some params, it is not easy to filter specific messages using "=" or "!=".
2) In message payload, some fields are not what we care about. Any way we can reduce the fields/params in audit log?


Regards
Hai

* Re: How to filter PROCTITLE events
  2019-07-30 12:18       ` 杨海
@ 2019-07-30 12:29         ` Steve Grubb
From: Steve Grubb @ 2019-07-30 12:29 UTC (permalink / raw)
  To: 杨海; +Cc: linux-audit

Hello,

On Tuesday, July 30, 2019 8:18:41 AM EDT 杨海 wrote:
> Thanks for the suggestion on read/write. I have two more questions which I
> haven't figured out.
> 1) Do auditctl rules support regular expressions?
> For some params, it is not easy to filter specific messages using "=" or
> "!=".

No. Most things inside the kernel are numbers. Text is a human convenience.

> 2) In message payload, some fields are not what we care about. Any
> way we can reduce the fields/params in audit log? 

By default, no. You could patch auditd to do so if it's really necessary.

-Steve
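As an added example (not from the thread or from the audit project), a small Python post-processor over a constructed auditd-style log sample: it drops PROCTITLE records the way the kernel exclude rule does, and then does the two things the kernel filter cannot, regex matching on a field and trimming fields, in user space where the cost falls on the log consumer instead of on every syscall. It also decodes the hex-encoded proctitle so it is clear what evidence an exclude rule discards; the log lines, pids and paths are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample events in auditd's log format (not taken from the thread).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1564130400.123:4321): arch=c000003e syscall=257 success=yes exit=3 items=1 ppid=1200 pid=1234 auid=1000 uid=1000 comm="vim" exe="/usr/bin/vim" key="etc-write"
type=CWD msg=audit(1564130400.123:4321): cwd="/etc"
type=PATH msg=audit(1564130400.123:4321): item=0 name="/etc/hosts" inode=1234 dev=fd:01 mode=0100644 ouid=0 ogid=0 nametype=NORMAL
type=PROCTITLE msg=audit(1564130400.123:4321): proctitle=76696D002F6574632F686F737473
type=SYSCALL msg=audit(1564130401.500:4322): arch=c000003e syscall=257 success=yes exit=4 items=1 ppid=1200 pid=1235 auid=1000 uid=1000 comm="cat" exe="/usr/bin/cat" key="etc-write"
type=PATH msg=audit(1564130401.500:4322): item=0 name="/home/hai/notes.txt" inode=99 dev=fd:01 mode=0100644 ouid=1000 ogid=1000 nametype=NORMAL
type=PROCTITLE msg=audit(1564130401.500:4322): proctitle="cat"
"""

RECORD_RE = re.compile(r'^type=(\S+) msg=audit\(([\d.]+):(\d+)\): (.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by audit serial: one event = all records sharing a serial."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            rec = {'type': m.group(1), **dict(FIELD_RE.findall(m.group(4)))}
            events[int(m.group(3))].append(rec)
    return dict(events)

def decode_proctitle(value):
    """A quoted value is plain text; an unquoted one is hex of argv joined by NULs."""
    if value.startswith('"'):
        return [value.strip('"').encode()]
    return bytes.fromhex(value).split(b'\0')

def filter_events(events, exclude_types=(), field_regex=None, keep_fields=None):
    """exclude_types mimics '-a always,exclude -F msgtype=...'. The other two are
    user-space only: the kernel filter has no regex and cannot drop fields."""
    kept = {}
    for serial, records in events.items():
        records = [r for r in records if r['type'] not in exclude_types]
        # Keep the whole event if any record has a field matching the regex.
        if field_regex and not any(re.search(pat, r.get(f, '').strip('"'))
                                   for r in records for f, pat in field_regex.items()):
            continue
        if keep_fields:
            records = [{k: v for k, v in r.items() if k == 'type' or k in keep_fields}
                       for r in records]
        kept[serial] = records
    return kept
```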




