* Audit reporting Invalid argument
@ 2016-05-09 13:40 Bhagwat, Shriniketan Manjunath
2016-05-09 13:50 ` Steve Grubb
0 siblings, 1 reply; 11+ messages in thread
From: Bhagwat, Shriniketan Manjunath @ 2016-05-09 13:40 UTC (permalink / raw)
To: linux-audit
[-- Attachment #1.1: Type: text/plain, Size: 1728 bytes --]
Hello,
I am trying to monitor multiple files using Linux audit. In order to get better performance, I am trying to reduce number of rules.
If I specify more than one path field as in below example I am getting "Invalid argument".
Examle1:
# auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F path=/home/secpack/test -S open
Error sending add rule data request (Invalid argument)
# auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F dir=/tmp/ -S open
Error sending add rule data request (Invalid argument)
However, I am able to create a single rule to monitor multiple PIDs or UIDs as below.
Examle2:
# auditctl -a always,exit -F arch=x86_64 -F pid=3526 -F pid=3537
# auditctl -a always,exit -F arch=x86_64 -F auid=0 -F auid=512 -F auid=1002
As per the auditctl man page, Build a rule field takes up to 64 fields on a single command line. Each one must start with -F. Each field equation is anded with each other to trigger an audit record.
My question is,
1. specify more than one path field as in example1 is valid?
2. If not valid than how do I create single audit rule to monitor multiple files/directory?
3. If valid, then why "Invalid argument" is reported?
4. To monitor 10 files, should 10 audit rules required?
5. if 10 rules are required, how to I optimize the rule for performance?
My next question is does Linux audit support regular expressions? How do I create audit rule to monitor /var/log/*.log?
# auditctl -a always,exit -F arch=x86_64 -F path=^/var/log/*.log$ -S open
Error sending add rule data request (Invalid argument)
If my questions are already documented, please guide me to the documentation.
Regards,
Ketan
[-- Attachment #1.2: Type: text/html, Size: 4956 bytes --]
[-- Attachment #2: Type: text/plain, Size: 0 bytes --]
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: Audit reporting Invalid argument
2016-05-09 13:40 Audit reporting Invalid argument Bhagwat, Shriniketan Manjunath
@ 2016-05-09 13:50 ` Steve Grubb
2016-05-11 11:19 ` Bhagwat, Shriniketan Manjunath
0 siblings, 1 reply; 11+ messages in thread
From: Steve Grubb @ 2016-05-09 13:50 UTC (permalink / raw)
To: linux-audit; +Cc: Bhagwat, Shriniketan Manjunath
On Monday, May 09, 2016 01:40:58 PM Bhagwat, Shriniketan Manjunath wrote:
> I am trying to monitor multiple files using Linux audit. In order to get
> better performance, I am trying to reduce number of rules. If I specify
> more than one path field as in below example I am getting "Invalid
> argument".
>
> Examle1:
> # auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F
> path=/home/secpack/test -S open Error sending add rule data request
> (Invalid argument)
>
> # auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F
> dir=/tmp/ -S open Error sending add rule data request (Invalid argument)
>
> However, I am able to create a single rule to monitor multiple PIDs or UIDs
> as below.
>
> Examle2:
> # auditctl -a always,exit -F arch=x86_64 -F pid=3526 -F pid=3537
> # auditctl -a always,exit -F arch=x86_64 -F auid=0 -F auid=512 -F auid=1002
Which will produce no events due to the anding you mention below. Something
cannot have both pid 3526 and 3537.
> As per the auditctl man page, Build a rule field takes up to 64 fields on a
> single command line. Each one must start with -F. Each field equation is
> anded with each other to trigger an audit record. My question is,
> 1. specify more than one path field as in example1 is valid?
Nope.
> 2. If not valid than how do I create single audit rule to monitor multiple
> files/directory?
They need to be separate rules. You can also recursively watch a directory
with 'dir'
> 3. If valid, then why "Invalid argument" is reported?
> 4. To monitor 10 files, should 10 audit rules required?
Possibly.
> 5. if 10 rules are required, how to I optimize the rule for performance?
The filesystem watches are very efficient. You can probably put a 100 watches on
random files and you will not be able to see any performance hit unless they
are actually triggered. Syscall rules on the otherhand do affect performance.
> My next question is does Linux audit support regular expressions?
No. The kernel pretty much wants things to be numbers rather than strings.
> How do I create audit rule to monitor /var/log/*.log?
-a always,exit -F dir=/var/log/audit/ -F perm=wa -F key=write-audit-log
-Steve
> # auditctl -a always,exit -F arch=x86_64 -F path=^/var/log/*.log$ -S open
> Error sending add rule data request (Invalid argument)
>
> If my questions are already documented, please guide me to the
> documentation.
>
> Regards,
> Ketan
^ permalink raw reply [flat|nested] 11+ messages in thread
* RE: Audit reporting Invalid argument
2016-05-09 13:50 ` Steve Grubb
@ 2016-05-11 11:19 ` Bhagwat, Shriniketan Manjunath
2016-05-11 19:52 ` Steve Grubb
0 siblings, 1 reply; 11+ messages in thread
From: Bhagwat, Shriniketan Manjunath @ 2016-05-11 11:19 UTC (permalink / raw)
To: Steve Grubb, linux-audit
Hi Steve,
Thanks for the response. Your response cleared many of my doubts. I need one clarity on use of Linux capability CAP_AUDIT_CONTROL.
My understanding is that, only root user can start/stop audit service and configure auditctl rules. auditctl.c and auditd.c specifically check for uid to be zero. The man page says CAP_AUDIT_CONTROL " Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules." Does this mean, a process with CAP_AUDIT_CONTROL capability running from non root account will be able to start/stop audit and configure auditctl rules? Are there any documentation about how to use CAP_AUDIT_CONTROL capability and how it is related to audit?
Is it possible to suppress events for a file for the set of specific syscalls? Example: Using the below rule I want to suppress audit event only for chmod syscall for file /tmp/read_only. However below rule not only suppresses the audit event for chmod syscall but also for other syscalls for /tmp/read_only file.
# auditctl -a never,exit -F arch=x86_64 -F path=/tmp/read_only -S chmod
Regards,
Ketan
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Monday, May 09, 2016 7:20 PM
To: linux-audit@redhat.com
Cc: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat@hpe.com>
Subject: Re: Audit reporting Invalid argument
On Monday, May 09, 2016 01:40:58 PM Bhagwat, Shriniketan Manjunath wrote:
> I am trying to monitor multiple files using Linux audit. In order to
> get better performance, I am trying to reduce number of rules. If I
> specify more than one path field as in below example I am getting
> "Invalid argument".
>
> Examle1:
> # auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c
> -F path=/home/secpack/test -S open Error sending add rule data request
> (Invalid argument)
>
> # auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c
> -F dir=/tmp/ -S open Error sending add rule data request (Invalid
> argument)
>
> However, I am able to create a single rule to monitor multiple PIDs or
> UIDs as below.
>
> Examle2:
> # auditctl -a always,exit -F arch=x86_64 -F pid=3526 -F pid=3537 #
> auditctl -a always,exit -F arch=x86_64 -F auid=0 -F auid=512 -F
> auid=1002
Which will produce no events due to the anding you mention below. Something cannot have both pid 3526 and 3537.
> As per the auditctl man page, Build a rule field takes up to 64 fields
> on a single command line. Each one must start with -F. Each field
> equation is anded with each other to trigger an audit record. My
> question is, 1. specify more than one path field as in example1 is valid?
Nope.
> 2. If not valid than how do I create single audit rule to monitor
> multiple files/directory?
They need to be separate rules. You can also recursively watch a directory with 'dir'
> 3. If valid, then why "Invalid argument" is reported?
> 4. To monitor 10 files, should 10 audit rules required?
Possibly.
> 5. if 10 rules are required, how to I optimize the rule for performance?
The filesystem watches are very efficient. You can probably put a 100 watches on
random files and you will not be able to see any performance hit unless they
are actually triggered. Syscall rules on the otherhand do affect performance.
> My next question is does Linux audit support regular expressions?
No. The kernel pretty much wants things to be numbers rather than strings.
> How do I create audit rule to monitor /var/log/*.log?
-a always,exit -F dir=/var/log/audit/ -F perm=wa -F key=write-audit-log
-Steve
> # auditctl -a always,exit -F arch=x86_64 -F path=^/var/log/*.log$ -S open
> Error sending add rule data request (Invalid argument)
>
> If my questions are already documented, please guide me to the
> documentation.
>
> Regards,
> Ketan
^ permalink raw reply [flat|nested] 11+ messages in thread
* Re: Audit reporting Invalid argument
2016-05-11 11:19 ` Bhagwat, Shriniketan Manjunath
@ 2016-05-11 19:52 ` Steve Grubb
2016-05-14 9:40 ` Bhagwat, Shriniketan Manjunath
0 siblings, 1 reply; 11+ messages in thread
From: Steve Grubb @ 2016-05-11 19:52 UTC (permalink / raw)
To: Bhagwat, Shriniketan Manjunath; +Cc: linux-audit
On Wednesday, May 11, 2016 11:19:07 AM Bhagwat, Shriniketan Manjunath wrote:
> Thanks for the response. Your response cleared many of my doubts. I need one
> clarity on use of Linux capability CAP_AUDIT_CONTROL.
>
> My understanding is that, only root user can start/stop audit service and
> configure auditctl rules. auditctl.c and auditd.c specifically check for
> uid to be zero. The man page says CAP_AUDIT_CONTROL " Enable and disable
> kernel auditing; change auditing filter rules; retrieve auditing status and
> filtering rules." Does this mean, a process with CAP_AUDIT_CONTROL
> capability running from non root account will be able to start/stop audit
> and configure auditctl rules?
Not today. The check for uid 0 is a poor man's check for CAP_AUDIT_CONTROL. I
have not revisited the checks since allowing libcap-ng to link with other
components.
> Are there any documentation about how to use
> CAP_AUDIT_CONTROL capability and how it is related to audit?
Very little. Its mostly reading source code.
> Is it possible to suppress events for a file for the set of specific
> syscalls? Example: Using the below rule I want to suppress audit event only
> for chmod syscall for file /tmp/read_only. However below rule not only
> suppresses the audit event for chmod syscall but also for other syscalls
> for /tmp/read_only file.
>
> # auditctl -a never,exit -F arch=x86_64 -F path=/tmp/read_only -S chmod
This is how I would try to write it. If that suppresses more syscalls than
chmod and you can give us a reproducer, I think it should go in the new github
issue tracker for the kernel.
-Steve
> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb@redhat.com]
> Sent: Monday, May 09, 2016 7:20 PM
> To: linux-audit@redhat.com
> Cc: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat@hpe.com>
> Subject: Re: Audit reporting Invalid argument
>
> On Monday, May 09, 2016 01:40:58 PM Bhagwat, Shriniketan Manjunath wrote:
> > I am trying to monitor multiple files using Linux audit. In order to
> > get better performance, I am trying to reduce number of rules. If I
> > specify more than one path field as in below example I am getting
> > "Invalid argument".
> >
> > Examle1:
> > # auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c
> > -F path=/home/secpack/test -S open Error sending add rule data request
> > (Invalid argument)
> >
> > # auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c
> > -F dir=/tmp/ -S open Error sending add rule data request (Invalid
> > argument)
> >
> > However, I am able to create a single rule to monitor multiple PIDs or
> > UIDs as below.
> >
> > Examle2:
> > # auditctl -a always,exit -F arch=x86_64 -F pid=3526 -F pid=3537 #
> > auditctl -a always,exit -F arch=x86_64 -F auid=0 -F auid=512 -F
> > auid=1002
>
> Which will produce no events due to the anding you mention below. Something
> cannot have both pid 3526 and 3537.
> > As per the auditctl man page, Build a rule field takes up to 64 fields
> > on a single command line. Each one must start with -F. Each field
> > equation is anded with each other to trigger an audit record. My
> > question is, 1. specify more than one path field as in example1 is valid?
>
> Nope.
>
> > 2. If not valid than how do I create single audit rule to monitor
> > multiple files/directory?
>
> They need to be separate rules. You can also recursively watch a directory
> with 'dir'
> > 3. If valid, then why "Invalid argument" is reported?
> > 4. To monitor 10 files, should 10 audit rules required?
>
> Possibly.
>
> > 5. if 10 rules are required, how to I optimize the rule for performance?
>
> The filesystem watches are very efficient. You can probably put a 100
> watches on random files and you will not be able to see any performance hit
> unless they are actually triggered. Syscall rules on the otherhand do
> affect performance.
> > My next question is does Linux audit support regular expressions?
>
> No. The kernel pretty much wants things to be numbers rather than strings.
>
> > How do I create audit rule to monitor /var/log/*.log?
>
> -a always,exit -F dir=/var/log/audit/ -F perm=wa -F key=write-audit-log
>
> -Steve
>
> > # auditctl -a always,exit -F arch=x86_64 -F path=^/var/log/*.log$ -S open
> > Error sending add rule data request (Invalid argument)
> >
> > If my questions are already documented, please guide me to the
> > documentation.
> >
> > Regards,
> > Ketan
^ permalink raw reply [flat|nested] 11+ messages in thread
* RE: Audit reporting Invalid argument
2016-05-11 19:52 ` Steve Grubb
@ 2016-05-14 9:40 ` Bhagwat, Shriniketan Manjunath
2016-05-16 12:53 ` Steve Grubb
0 siblings, 1 reply; 11+ messages in thread
From: Bhagwat, Shriniketan Manjunath @ 2016-05-14 9:40 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Hi Steve,
Thanks for your input.
> Not today. The check for uid 0 is a poor man's check for CAP_AUDIT_CONTROL
Are there any future plans to support enabling audit from non root user using CAP_AUDIT_CONTROL?
Regarding suppression of events, I will do some testing and let you know later.
Is there a way I can avoid default logging of the audit events to /var/log/audit/audit.log? I do not want audit to log audit events to audit.log, however I will capture them using my plug-in. Is there a way I can accomplish this? I tried to commenting the log_file filed from auditd.conf, however the events are still written to audit.log. I think below code from auditd-config.c is causing audit to write to audit.log
config->log_file = strdup("/var/log/audit/audit.log");
Regards,
Ketan
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Thursday, May 12, 2016 1:22 AM
To: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat@hpe.com>
Cc: linux-audit@redhat.com
Subject: Re: Audit reporting Invalid argument
On Wednesday, May 11, 2016 11:19:07 AM Bhagwat, Shriniketan Manjunath wrote:
> Thanks for the response. Your response cleared many of my doubts. I
> need one clarity on use of Linux capability CAP_AUDIT_CONTROL.
>
> My understanding is that, only root user can start/stop audit service
> and configure auditctl rules. auditctl.c and auditd.c specifically
> check for uid to be zero. The man page says CAP_AUDIT_CONTROL " Enable
> and disable kernel auditing; change auditing filter rules; retrieve
> auditing status and filtering rules." Does this mean, a process with
> CAP_AUDIT_CONTROL capability running from non root account will be
> able to start/stop audit and configure auditctl rules?
Not today. The check for uid 0 is a poor man's check for CAP_AUDIT_CONTROL. I have not revisited the checks since allowing libcap-ng to link with other components.
> Are there any documentation about how to use CAP_AUDIT_CONTROL
> capability and how it is related to audit?
Very little. Its mostly reading source code.
> Is it possible to suppress events for a file for the set of specific
> syscalls? Example: Using the below rule I want to suppress audit event
> only for chmod syscall for file /tmp/read_only. However below rule not
> only suppresses the audit event for chmod syscall but also for other
> syscalls for /tmp/read_only file.
>
> # auditctl -a never,exit -F arch=x86_64 -F path=/tmp/read_only -S
> chmod
This is how I would try to write it. If that suppresses more syscalls than chmod and you can give us a reproducer, I think it should go in the new github issue tracker for the kernel.
-Steve
> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb@redhat.com]
> Sent: Monday, May 09, 2016 7:20 PM
> To: linux-audit@redhat.com
> Cc: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat@hpe.com>
> Subject: Re: Audit reporting Invalid argument
>
> On Monday, May 09, 2016 01:40:58 PM Bhagwat, Shriniketan Manjunath wrote:
> > I am trying to monitor multiple files using Linux audit. In order to
> > get better performance, I am trying to reduce number of rules. If I
> > specify more than one path field as in below example I am getting
> > "Invalid argument".
> >
> > Examle1:
> > # auditctl -a always,exit -F arch=x86_64 -F
> > path=/home/secpack/test.c -F path=/home/secpack/test -S open Error
> > sending add rule data request (Invalid argument)
> >
> > # auditctl -a always,exit -F arch=x86_64 -F
> > path=/home/secpack/test.c -F dir=/tmp/ -S open Error sending add
> > rule data request (Invalid
> > argument)
> >
> > However, I am able to create a single rule to monitor multiple PIDs
> > or UIDs as below.
> >
> > Examle2:
> > # auditctl -a always,exit -F arch=x86_64 -F pid=3526 -F pid=3537 #
> > auditctl -a always,exit -F arch=x86_64 -F auid=0 -F auid=512 -F
> > auid=1002
>
> Which will produce no events due to the anding you mention below.
> Something cannot have both pid 3526 and 3537.
> > As per the auditctl man page, Build a rule field takes up to 64
> > fields on a single command line. Each one must start with -F. Each
> > field equation is anded with each other to trigger an audit
> > record. My question is, 1. specify more than one path field as in example1 is valid?
>
> Nope.
>
> > 2. If not valid than how do I create single audit rule to monitor
> > multiple files/directory?
>
> They need to be separate rules. You can also recursively watch a
> directory with 'dir'
> > 3. If valid, then why "Invalid argument" is reported?
> > 4. To monitor 10 files, should 10 audit rules required?
>
> Possibly.
>
> > 5. if 10 rules are required, how to I optimize the rule for performance?
>
> The filesystem watches are very efficient. You can probably put a 100
> watches on random files and you will not be able to see any
> performance hit unless they are actually triggered. Syscall rules on
> the otherhand do affect performance.
> > My next question is does Linux audit support regular expressions?
>
> No. The kernel pretty much wants things to be numbers rather than strings.
>
> > How do I create audit rule to monitor /var/log/*.log?
>
> -a always,exit -F dir=/var/log/audit/ -F perm=wa -F
> key=write-audit-log
>
> -Steve
>
> > # auditctl -a always,exit -F arch=x86_64 -F path=^/var/log/*.log$
> > -S open Error sending add rule data request (Invalid argument)
> >
> > If my questions are already documented, please guide me to the
> > documentation.
> >
> > Regards,
> > Ketan
^ permalink raw reply [flat|nested] 11+ messages in thread* Re: Audit reporting Invalid argument
2016-05-14 9:40 ` Bhagwat, Shriniketan Manjunath
@ 2016-05-16 12:53 ` Steve Grubb
2016-05-16 17:21 ` Richard Guy Briggs
` (2 more replies)
0 siblings, 3 replies; 11+ messages in thread
From: Steve Grubb @ 2016-05-16 12:53 UTC (permalink / raw)
To: Bhagwat, Shriniketan Manjunath; +Cc: linux-audit
On Saturday, May 14, 2016 09:40:05 AM Bhagwat, Shriniketan Manjunath wrote:
> > Not today. The check for uid 0 is a poor man's check for CAP_AUDIT_CONTROL
>
> Are there any future plans to support enabling audit from non root user
> using CAP_AUDIT_CONTROL?
You are the only person who has asked for it. I suppose it can be done in a
couple lines of code. But you still have the permissions of the directories
that hold the rules to correct. Easy to fix, but I think you might be fighting
the distribution's package manager which would set things back to root every
update.
> Regarding suppression of events, I will do some testing and let you know
> later.
>
> Is there a way I can avoid default logging of the audit events to
> /var/log/audit/audit.log?
If you have an old copy old the audit system (2.5.1 or earlier) then use
log_format = NOLOG. If you have a current copy, then use write_logs = no.
-Steve
> I do not want audit to log audit events to
> audit.log, however I will capture them using my plug-in. Is there a way I
> can accomplish this? I tried to commenting the log_file filed from
> auditd.conf, however the events are still written to audit.log. I think
> below code from auditd-config.c is causing audit to write to audit.log
>
> config->log_file = strdup("/var/log/audit/audit.log");
^ permalink raw reply [flat|nested] 11+ messages in thread* Re: Audit reporting Invalid argument
2016-05-16 12:53 ` Steve Grubb
@ 2016-05-16 17:21 ` Richard Guy Briggs
2016-05-19 3:37 ` Bhagwat, Shriniketan Manjunath
2016-06-13 8:15 ` Bhagwat, Shriniketan Manjunath
2 siblings, 0 replies; 11+ messages in thread
From: Richard Guy Briggs @ 2016-05-16 17:21 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit, Bhagwat, Shriniketan Manjunath
On 16/05/16, Steve Grubb wrote:
> On Saturday, May 14, 2016 09:40:05 AM Bhagwat, Shriniketan Manjunath wrote:
> > > Not today. The check for uid 0 is a poor man's check for CAP_AUDIT_CONTROL
> >
> > Are there any future plans to support enabling audit from non root user
> > using CAP_AUDIT_CONTROL?
>
> You are the only person who has asked for it. I suppose it can be done in a
> couple lines of code. But you still have the permissions of the directories
> that hold the rules to correct. Easy to fix, but I think you might be fighting
> the distribution's package manager which would set things back to root every
> update.
There is no kernel obstacle that I can see now. It used to depend on
CAP_NET_ADMIN, I think, but that stuff has all been fixed. I can see
applications for it, possibly even in containers down the road...
> -Steve
- RGB
--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
^ permalink raw reply [flat|nested] 11+ messages in thread
* RE: Audit reporting Invalid argument
2016-05-16 12:53 ` Steve Grubb
2016-05-16 17:21 ` Richard Guy Briggs
@ 2016-05-19 3:37 ` Bhagwat, Shriniketan Manjunath
2016-06-13 8:15 ` Bhagwat, Shriniketan Manjunath
2 siblings, 0 replies; 11+ messages in thread
From: Bhagwat, Shriniketan Manjunath @ 2016-05-19 3:37 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Thanks Steve and Richard for your response.
I will provide the fix soon.
Regards,
Ketan
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Monday, May 16, 2016 6:24 PM
To: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat@hpe.com>
Cc: linux-audit@redhat.com
Subject: Re: Audit reporting Invalid argument
On Saturday, May 14, 2016 09:40:05 AM Bhagwat, Shriniketan Manjunath wrote:
> > Not today. The check for uid 0 is a poor man's check for
> > CAP_AUDIT_CONTROL
>
> Are there any future plans to support enabling audit from non root
> user using CAP_AUDIT_CONTROL?
You are the only person who has asked for it. I suppose it can be done in a couple lines of code. But you still have the permissions of the directories that hold the rules to correct. Easy to fix, but I think you might be fighting the distribution's package manager which would set things back to root every update.
> Regarding suppression of events, I will do some testing and let you
> know later.
>
> Is there a way I can avoid default logging of the audit events to
> /var/log/audit/audit.log?
If you have an old copy old the audit system (2.5.1 or earlier) then use log_format = NOLOG. If you have a current copy, then use write_logs = no.
-Steve
> I do not want audit to log audit events to audit.log, however I will
> capture them using my plug-in. Is there a way I can accomplish this? I
> tried to commenting the log_file filed from auditd.conf, however the
> events are still written to audit.log. I think below code from
> auditd-config.c is causing audit to write to audit.log
>
> config->log_file = strdup("/var/log/audit/audit.log");
^ permalink raw reply [flat|nested] 11+ messages in thread* RE: Audit reporting Invalid argument
2016-05-16 12:53 ` Steve Grubb
2016-05-16 17:21 ` Richard Guy Briggs
2016-05-19 3:37 ` Bhagwat, Shriniketan Manjunath
@ 2016-06-13 8:15 ` Bhagwat, Shriniketan Manjunath
2016-06-13 15:01 ` Steve Grubb
2 siblings, 1 reply; 11+ messages in thread
From: Bhagwat, Shriniketan Manjunath @ 2016-06-13 8:15 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Hi,
Is it possible to start and stop the user written audit plug-in while auditd and audispd running?
As I understand, audispd is started by auditd. Audispd starts the user plug-in program using their configuration files present in /etc/audisp/plugins.d directory. Auditd and user plug-in are started and stopped as part of auditd startup and stop.
Is it possible to start the user plug-in after the auditd is started and stop the user plug-in before the auditd is stopped?
Regards,
Ketan
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Monday, May 16, 2016 6:24 PM
To: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat@hpe.com>
Cc: linux-audit@redhat.com
Subject: Re: Audit reporting Invalid argument
On Saturday, May 14, 2016 09:40:05 AM Bhagwat, Shriniketan Manjunath wrote:
> > Not today. The check for uid 0 is a poor man's check for
> > CAP_AUDIT_CONTROL
>
> Are there any future plans to support enabling audit from non root
> user using CAP_AUDIT_CONTROL?
You are the only person who has asked for it. I suppose it can be done in a couple lines of code. But you still have the permissions of the directories that hold the rules to correct. Easy to fix, but I think you might be fighting the distribution's package manager which would set things back to root every update.
> Regarding suppression of events, I will do some testing and let you
> know later.
>
> Is there a way I can avoid default logging of the audit events to
> /var/log/audit/audit.log?
If you have an old copy old the audit system (2.5.1 or earlier) then use log_format = NOLOG. If you have a current copy, then use write_logs = no.
-Steve
> I do not want audit to log audit events to audit.log, however I will
> capture them using my plug-in. Is there a way I can accomplish this? I
> tried to commenting the log_file filed from auditd.conf, however the
> events are still written to audit.log. I think below code from
> auditd-config.c is causing audit to write to audit.log
>
> config->log_file = strdup("/var/log/audit/audit.log");
^ permalink raw reply [flat|nested] 11+ messages in thread* Re: Audit reporting Invalid argument
2016-06-13 8:15 ` Bhagwat, Shriniketan Manjunath
@ 2016-06-13 15:01 ` Steve Grubb
2016-06-14 13:44 ` Bhagwat, Shriniketan Manjunath
0 siblings, 1 reply; 11+ messages in thread
From: Steve Grubb @ 2016-06-13 15:01 UTC (permalink / raw)
To: Bhagwat, Shriniketan Manjunath; +Cc: linux-audit
On Monday, June 13, 2016 08:15:36 AM Bhagwat, Shriniketan Manjunath wrote:
> Hi,
>
> Is it possible to start and stop the user written audit plug-in while auditd
> and audispd running? As I understand, audispd is started by auditd. Audispd
> starts the user plug-in program using their configuration files present in
> /etc/audisp/plugins.d directory. Auditd and user plug-in are started and
> stopped as part of auditd startup and stop. Is it possible to start the
> user plug-in after the auditd is started and stop the user plug-in before
> the auditd is stopped?
There is nothing that prevents you from sending a SIGTERM to the plugin if you
are root. The plugin will be restarted when the next event arrives to audispd.
-Steve
> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb@redhat.com]
> Sent: Monday, May 16, 2016 6:24 PM
> To: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat@hpe.com>
> Cc: linux-audit@redhat.com
> Subject: Re: Audit reporting Invalid argument
>
> On Saturday, May 14, 2016 09:40:05 AM Bhagwat, Shriniketan Manjunath wrote:
> > > Not today. The check for uid 0 is a poor man's check for
> > > CAP_AUDIT_CONTROL
> >
> > Are there any future plans to support enabling audit from non root
> > user using CAP_AUDIT_CONTROL?
>
> You are the only person who has asked for it. I suppose it can be done in a
> couple lines of code. But you still have the permissions of the directories
> that hold the rules to correct. Easy to fix, but I think you might be
> fighting the distribution's package manager which would set things back to
> root every update.
> > Regarding suppression of events, I will do some testing and let you
> > know later.
> >
> > Is there a way I can avoid default logging of the audit events to
> > /var/log/audit/audit.log?
>
> If you have an old copy old the audit system (2.5.1 or earlier) then use
> log_format = NOLOG. If you have a current copy, then use write_logs = no.
>
> -Steve
>
> > I do not want audit to log audit events to audit.log, however I will
> > capture them using my plug-in. Is there a way I can accomplish this? I
> > tried to commenting the log_file filed from auditd.conf, however the
> > events are still written to audit.log. I think below code from
> > auditd-config.c is causing audit to write to audit.log
> >
> > config->log_file = strdup("/var/log/audit/audit.log");
^ permalink raw reply [flat|nested] 11+ messages in thread* RE: Audit reporting Invalid argument
2016-06-13 15:01 ` Steve Grubb
@ 2016-06-14 13:44 ` Bhagwat, Shriniketan Manjunath
0 siblings, 0 replies; 11+ messages in thread
From: Bhagwat, Shriniketan Manjunath @ 2016-06-14 13:44 UTC (permalink / raw)
To: Steve Grubb; +Cc: linux-audit
Hi Steve,
>> The plugin will be restarted when the next event arrives to audispd.
I do not want my plug-in to be running unnecessarily all the time until the auditd is running.
I can accomplish my requirement by sending SIGHUP to audispd and changing the plug-in configuration's option active=yes/no.
Regards,
Ketan
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Monday, June 13, 2016 8:31 PM
To: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat@hpe.com>
Cc: linux-audit@redhat.com
Subject: Re: Audit reporting Invalid argument
On Monday, June 13, 2016 08:15:36 AM Bhagwat, Shriniketan Manjunath wrote:
> Hi,
>
> Is it possible to start and stop the user written audit plug-in while
> auditd and audispd running? As I understand, audispd is started by
> auditd. Audispd starts the user plug-in program using their
> configuration files present in /etc/audisp/plugins.d directory. Auditd
> and user plug-in are started and stopped as part of auditd startup and
> stop. Is it possible to start the user plug-in after the auditd is
> started and stop the user plug-in before the auditd is stopped?
There is nothing that prevents you from sending a SIGTERM to the plugin if you are root. The plugin will be restarted when the next event arrives to audispd.
-Steve
> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb@redhat.com]
> Sent: Monday, May 16, 2016 6:24 PM
> To: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat@hpe.com>
> Cc: linux-audit@redhat.com
> Subject: Re: Audit reporting Invalid argument
>
> On Saturday, May 14, 2016 09:40:05 AM Bhagwat, Shriniketan Manjunath wrote:
> > > Not today. The check for uid 0 is a poor man's check for
> > > CAP_AUDIT_CONTROL
> >
> > Are there any future plans to support enabling audit from non root
> > user using CAP_AUDIT_CONTROL?
>
> You are the only person who has asked for it. I suppose it can be done
> in a couple lines of code. But you still have the permissions of the
> directories that hold the rules to correct. Easy to fix, but I think
> you might be fighting the distribution's package manager which would
> set things back to root every update.
> > Regarding suppression of events, I will do some testing and let you
> > know later.
> >
> > Is there a way I can avoid default logging of the audit events to
> > /var/log/audit/audit.log?
>
> If you have an old copy old the audit system (2.5.1 or earlier) then
> use log_format = NOLOG. If you have a current copy, then use write_logs = no.
>
> -Steve
>
> > I do not want audit to log audit events to audit.log, however I will
> > capture them using my plug-in. Is there a way I can accomplish this?
> > I tried to commenting the log_file filed from auditd.conf, however
> > the events are still written to audit.log. I think below code from
> > auditd-config.c is causing audit to write to audit.log
> >
> > config->log_file = strdup("/var/log/audit/audit.log");
^ permalink raw reply [flat|nested] 11+ messages in thread
end of thread, other threads:[~2016-06-14 13:44 UTC | newest]
Thread overview: 11+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2016-05-09 13:40 Audit reporting Invalid argument Bhagwat, Shriniketan Manjunath
2016-05-09 13:50 ` Steve Grubb
2016-05-11 11:19 ` Bhagwat, Shriniketan Manjunath
2016-05-11 19:52 ` Steve Grubb
2016-05-14 9:40 ` Bhagwat, Shriniketan Manjunath
2016-05-16 12:53 ` Steve Grubb
2016-05-16 17:21 ` Richard Guy Briggs
2016-05-19 3:37 ` Bhagwat, Shriniketan Manjunath
2016-06-13 8:15 ` Bhagwat, Shriniketan Manjunath
2016-06-13 15:01 ` Steve Grubb
2016-06-14 13:44 ` Bhagwat, Shriniketan Manjunath
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.