* Excluding audit for BIND daemon
@ 2017-09-22  5:09 Rituraj Buddhisagar
  2017-09-22 16:47 ` Steve Grubb
  0 siblings, 1 reply; 8+ messages in thread
From: Rituraj Buddhisagar @ 2017-09-22  5:09 UTC (permalink / raw)
  To: linux-audit



Hi,

I have a DNS server for which auditd was generating a lot of system calls
and flooding the logs.
Due to this, the server was under heavy memory usage as audisp-remote was
hogging the memory. The log output for audisp-remote showed that the
syscall was 49. Then I got to know from the ausyscall command that call
number 49 corresponds to bind. Hence I have *excluded* the call to "bind".

I have put the below line in /etc/audit/audit.rules


*-a exclude,always -S 49*

I have put the above line before section 10.2.2 which says "Feel free to
add below this line" (please note I am running Ubuntu 14.04 but I suppose
the auditd implementation is the same across the board).

After the exclusion, I no longer see the syscall=49 line in
/var/log/audit/audit.rules. So that's a success of sorts!

*Problem/Issue/Query now*: After the exclusion, I do see audit events for
cron, sudo etc. But I do not see a call for "vi" file open mode etc.

*Background:*

log output earlier which was flooding the logs and giving message " *dns1
audisp-remote: message repeated 6613 times: [ queue is full - dropping
event"*

*log:*
*type=SYSCALL msg=audit(1506025977.586:46629194): arch=c000003e syscall=49
success=yes exit=0 a0=3 a1=7ffe540ecf20 a2=c a3=0 items=0 ppid=22337
pid=22338 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="audisp-remote"
exe="/sbin/audisp-remote" key="root_action"*

root@dns1:/tmp# ausyscall 49
*bind*


I do see audit events for cron , sudo etc. But I do not see a call for "vi"
file open mode etc.

Observation: I open file /etc/audit/audit.rules in vi editor and then close
it. Audit log does not show syscall=2

Earlier I used to see below output in logs, but I am not sure that was for
which file opened in vi editor.

*type=SYSCALL msg=audit(1506025995.825:46633170): arch=c000003e syscall=2
success=yes exit=3 a0=5598f609a210 a1=200c1 a2=81a0 a3=0 items=2 ppid=21957
pid=22355 auid=1006 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts0 ses=361 comm="vi" exe="/usr/bin/vim.basic" key="root_action"*

I did read a bit on auditd from below links. *Please let me know if I am
missing something or are the calls getting audited in an expected way.*


I went through below links; *would appreciate if someone can help with any
references which are more lucid with examples*:

https://linux-audit.com/configuring-and-auditing-linux-systems-with-audit-daemon/
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html

Furthermore, I would like to read much on audisp-remote to send all these
logs to a central server. I do not find any documentation on that. I see
discussion on net where people are using rsyslog instead for that. Please
help with references/links if any.

Thanks!


Best Regards,
Rituraj B

* Re: Excluding audit for BIND daemon
  2017-09-22  5:09 Excluding audit for BIND daemon Rituraj Buddhisagar
@ 2017-09-22 16:47 ` Steve Grubb
  2017-09-23 14:00   ` Rituraj Buddhisagar
  0 siblings, 1 reply; 8+ messages in thread
From: Steve Grubb @ 2017-09-22 16:47 UTC (permalink / raw)
  To: linux-audit

Hello,

On Friday, September 22, 2017 1:09:19 AM EDT Rituraj Buddhisagar wrote:
> I have a DNS server for which the auditd was generating lot of system calls
> and flooding the logs.
> Due to this  the server was under heavy memory usage as audisp-remote was
> hogging the memory.  The log output for audisp-remote showed that the
> syscall was 49. Then I got to know from ausyscall command that the call
> number 49 corresponds to bind. Hence I have *excluded* the call to "bind".
> 
> I have put in below line in the /etc/audit/audit.rules
>
> *-a exclude,always -S 49*
> 
> I have put the above line before section 10.2.2 which says "Feel free to
> add below this line" (please note I am running Ubuntu 14.04 but I suppose
> auditd implementation is same across board) .

Also know that the rules are looked at from top to bottom with the first match 
winning. So, you would want this rule above whatever is causing events.
 

> After the exclusion - I no more see the syscall=49 line in
> /var/log/audit/audit.rules. So that's a success of sorts!
> 
> *Problem/Issue/Query now*: After the exclusion, I do see audit events for
> cron , sudo etc. But I do not see a call for "vi" file open mode etc.

I'd need to see the rules to figure out what's wrong, but I have some hints 
below...

> *Background:*
> 
> log output earlier which was flooding the logs and giving message " *dns1
> audisp-remote: message repeated 6613 times: [ queue is full - dropping
> event"*
> 
> *log:*
> *type=SYSCALL msg=audit(1506025977.586:46629194): arch=c000003e syscall=49
> success=yes exit=0 a0=3 a1=7ffe540ecf20 a2=c a3=0 items=0 ppid=22337
> pid=22338 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="audisp-remote"
> exe="/sbin/audisp-remote" key="root_action"*

The main question is what is the root_action rule(s)? Normally we add an
auid!=4294967295 to prevent daemons from causing events. Typically when it's
desired to get root events, it means that you want to target _people_ running
as root rather than normal system activity.


> root@dns1:/tmp# ausyscall 49
> *bind*
> 
> I do see audit events for cron , sudo etc. But I do not see a call for "vi"
> file open mode etc.
> 
> Observation: I open file /etc/audit/audit.rules in vi editor and then close
> it. Audit log does not show syscall=2

If you were wanting to record writes to that, you would use a rule like this:

-w /etc/audit/ -p wa

 
> Earlier I used to see below output in logs, but I am not sure that was for
> which file opened in vi editor.
> 
> *type=SYSCALL msg=audit(1506025995.825:46633170): arch=c000003e syscall=2
> success=yes exit=3 a0=5598f609a210 a1=200c1 a2=81a0 a3=0 items=2 ppid=21957
> pid=22355 auid=1006 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=pts0 ses=361 comm="vi" exe="/usr/bin/vim.basic" key="root_action"*

Typically, it's expected to look at events through ausearch. It groups the
records into events. You can also use aureport to see summary information.
 
> I did read a bit on auditd from below links. *Please let me know if I am
> missing something or are the calls getting audited in an expected way.*
 
> 
> I went through below links; *would appreciate if someone can help with any
> references which are more lucid with examples*:
> 
> https://linux-audit.com/configuring-and-auditing-linux-systems-with-audit-daemon/

I was not aware of that site. But some of the information appears to be dated. 
For example, telling people to use pam_tally2 when they should be using 
pam_faillock.

> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html
> 
> Furthermore, I would like to read much on audisp-remote to send all these
> logs to a central server. I do not find any documentation on that. I see
> discussion on net where people are using rsyslog instead for that. Please
> help with references/links if any.

Admittedly there is not much written. It is on my list of topics to blog 
about. But I haven't had time for blogging lately.

-Steve
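
[Added example, not part of the reply above and not code from the audit project: a simplified Python model of the two points made in it, that rules are evaluated top to bottom with the first match winning, and that an auid!=4294967295 field keeps daemons out of a root-activity rule. The euid=0 form of the root_action rule, the `-a never,exit` rule, the third log record and all function names are assumptions made for illustration; only numeric `-F` comparisons on auid/uid/euid are modelled.]

```python
import re
import shlex

UNSET_AUID = 4294967295  # (uint32)-1: login uid never set, typical of daemons

# Constructed input: records 1 and 2 are the two quoted in the thread, re-joined
# onto one line each; record 3 is made up to stand in for another root daemon.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1506025977.586:46629194): arch=c000003e syscall=49 success=yes exit=0 a0=3 a1=7ffe540ecf20 a2=c a3=0 items=0 ppid=22337 pid=22338 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="audisp-remote" exe="/sbin/audisp-remote" key="root_action"
type=SYSCALL msg=audit(1506025995.825:46633170): arch=c000003e syscall=2 success=yes exit=3 a0=5598f609a210 a1=200c1 a2=81a0 a3=0 items=2 ppid=21957 pid=22355 auid=1006 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=361 comm="vi" exe="/usr/bin/vim.basic" key="root_action"
type=SYSCALL msg=audit(1506026001.000:46633171): arch=c000003e syscall=2 success=yes exit=4 a0=7f0000000000 a1=0 a2=0 a3=0 items=1 ppid=1 pid=1200 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="root_action"
"""

# Assumed rule texts (the thread has not shown the real rule at this point).
BASE = "-a exit,always -S all -F euid=0 -k root_action"
FILTERED = "-a exit,always -S all -F euid=0 -F auid!=4294967295 -k root_action"
NEVER_DAEMONS = "-a never,exit -F auid=4294967295"

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
PRED_RE = re.compile(r'^(auid|uid|euid)(!=|=)(\d+)$')


def parse_record(line):
    """Turn one raw audit record into a dict of field -> string value."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def parse_rule(text):
    """Reduce an auditctl-style rule to (action, [(field, op, value), ...]).

    Only the -a action and numeric -F comparisons on auid/uid/euid are
    modelled; -S, -k and every other option are ignored (simplification).
    """
    tokens = shlex.split(text)
    action, preds = None, []
    for flag, arg in zip(tokens, tokens[1:]):
        if flag == "-a":
            action = "never" if "never" in arg.split(",") else "always"
        elif flag == "-F":
            m = PRED_RE.match(arg)
            if not m:
                raise ValueError("field not modelled: " + arg)
            preds.append((m.group(1), m.group(2), int(m.group(3))))
    if action is None:
        raise ValueError("rule has no -a list,action: " + text)
    return action, preds


def rule_matches(preds, record):
    """A rule matches only if every one of its field comparisons holds."""
    for field, op, value in preds:
        if field not in record:
            return False
        if (int(record[field]) == value) != (op == "="):
            return False
    return True


def is_logged(rule_texts, record):
    """First matching rule decides, top to bottom; no match means no event."""
    for action, preds in map(parse_rule, rule_texts):
        if rule_matches(preds, record):
            return action == "always"
    return False


def logged_commands(rule_texts, log=SAMPLE_LOG):
    """Return the comm= of every SYSCALL record the rule list would emit."""
    records = [parse_record(line) for line in log.splitlines()
               if line.startswith("type=SYSCALL")]
    return [r["comm"] for r in records if is_logged(rule_texts, r)]


if __name__ == "__main__":
    for label, rules in [("root rule only", [BASE]),
                         ("root rule with auid filter", [FILTERED]),
                         ("never rule above root rule", [NEVER_DAEMONS, BASE]),
                         ("never rule below root rule", [BASE, NEVER_DAEMONS])]:
        print(f"{label:30} -> {logged_commands(rules)}")
```
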


* Re: Excluding audit for BIND daemon
  2017-09-22 16:47 ` Steve Grubb
@ 2017-09-23 14:00   ` Rituraj Buddhisagar
  2017-09-23 14:08     ` Rituraj Buddhisagar
  0 siblings, 1 reply; 8+ messages in thread
From: Rituraj Buddhisagar @ 2017-09-23 14:00 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit



Hi Steve,

Thanks for the response.

Suppressing the events with -F auid!=4294967295 worked.

I am seeing the events like "vi" "chmod" etc are getting audited by the
system - even as a root account.

I am yet to understand fully though on various rule sets and also on
components like audisp / audisp-remote. So reading more ..


Best Regards,
Rituraj B



* Re: Excluding audit for BIND daemon
  2017-09-23 14:00   ` Rituraj Buddhisagar
@ 2017-09-23 14:08     ` Rituraj Buddhisagar
  2017-09-23 18:16       ` Steve Grubb
  0 siblings, 1 reply; 8+ messages in thread
From: Rituraj Buddhisagar @ 2017-09-23 14:08 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit



Continued...from previous mail of mine..

While I am reading and exploring much on auditd & on how I can have a
proper central system where logs are stored and daily reports get
generated, you might want to look at my config file on server and
suggest/recommend if anything - would appreciate if any pointers.

I am using the default config which came with Ubuntu 16.04 and the only change was
*"-F auid!=4294967295"* on the line where root_action is defined.

Thanks!


Best Regards,
Rituraj B



[-- Attachment #2: audit-rules.doc --]
[-- Type: application/msword, Size: 13824 bytes --]


* Re: Excluding audit for BIND daemon
  2017-09-23 14:08     ` Rituraj Buddhisagar
@ 2017-09-23 18:16       ` Steve Grubb
  2017-09-23 18:29         ` Rituraj Buddhisagar
  0 siblings, 1 reply; 8+ messages in thread
From: Steve Grubb @ 2017-09-23 18:16 UTC (permalink / raw)
  To: Rituraj Buddhisagar; +Cc: linux-audit

On Saturday, September 23, 2017 10:08:40 AM EDT Rituraj Buddhisagar wrote:
> Continued...from previous mail of mine..
> 
> While I am reading and exploring much on auditd & on how I can have a
> proper central system where logs are stored and daily reports get
> generated, you might want to look at my config file on server and
> suggest/recommend if anything - would appreciate if any pointers.
> 
> I am using default config which came with Ubuntu 16.04 and only change was
> *"-F auid!=4294967295"* on line where root_action is defined .

There is no rule, root_action, that is shipped with the audit package. I would 
be interested in seeing it if you could copy and paste it into a reply.

-Steve
 

* Re: Excluding audit for BIND daemon
  2017-09-23 18:16       ` Steve Grubb
@ 2017-09-23 18:29         ` Rituraj Buddhisagar
  2017-09-23 18:40           ` Rituraj Buddhisagar
  2017-09-23 18:54           ` Steve Grubb
  0 siblings, 2 replies; 8+ messages in thread
From: Rituraj Buddhisagar @ 2017-09-23 18:29 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit



Hi Steve,

As per the config file which I had sent (/etc/audit/audit.rules); below
line has root_action

*-a exit,always -S all -F euid=0 -F perm=wxa -F auid!=4294967295 -k root_action*

I do not see root_action anywhere else in /etc/audit/* and /etc/audisp/*

Thanks!



Best Regards,
Rituraj B


On Sat, Sep 23, 2017 at 11:46 PM, Steve Grubb <sgrubb@redhat.com> wrote:

> On Saturday, September 23, 2017 10:08:40 AM EDT Rituraj Buddhisagar wrote:
> > Continued...from previous mail of mine..
> >
> > While I am reading and exploring much on auditd & on how I can have a
> > proper central system where logs are stored and daily reports get
> > generated, you might want to look at my config file on server and
> > suggest/recommend if anything - would appreciate if any pointers.
> >
> > I am using default config which came with Ubuntu 16.04 and only change
> was*
> > "-F auid!=4294967295"* on line where root_action is defined .
>
> There is no rule, root_action, that is shipped with the audit package. I
> would
> be interested in seeing it if you could copy and paste it into a reply.
>
> -Steve
>
> > On Sat, Sep 23, 2017 at 7:30 PM, Rituraj Buddhisagar <rituraj@vayana.com
> >
> >
> > wrote:
> > > Hi Steve,
> > >
> > > Thanks for the response.
> > >
> > > Suppressing the events with -F auid!=4294967295 worked.
> > >
> > > I am seeing the events like "vi" "chmod" etc are getting audited by the
> > > system - even as a root account.
> > >
> > > I am yet to understand fully though on various rule sets and also on
> > > components like audisp / audisp-remote. So reading more ..
> > >
> > >
> > > Best Regards,
> > > Rituraj B
> > >
> > > On Fri, Sep 22, 2017 at 10:17 PM, Steve Grubb <sgrubb@redhat.com>
> wrote:
> > >> Hello,
> > >>
> > >> On Friday, September 22, 2017 1:09:19 AM EDT Rituraj Buddhisagar
> wrote:
> > >> > I have a DNS server for which the auditd was generating lot of
> system
> > >>
> > >> calls
> > >>
> > >> > and flooding the logs.
> > >> > Due to this  the server was under heavy memory usage as
> audisp-remote
> > >>
> > >> was
> > >>
> > >> > hogging the memory.  The log output for audisp-remote showed that
> the
> > >> > syscall was 49. Then I got to know from ausyscall command that the
> call
> > >> > number 49 corresponds to bind. Hence I have *excluded* the call to
> > >>
> > >> "bind".
> > >>
> > >> > I have put in below line in the /etc/audit/audit.rules
> > >> >
> > >> > *-a exclude,always -S 49*
> > >> >
> > >> > I have put the above line before section 10.2.2 which says "Feel
> free
> > >> > to
> > >> > add below this line" (please note I am running Ubuntu 14.04 but I
> > >>
> > >> suppose
> > >>
> > >> > auditd implementation is same across board) .
> > >>
> > >> Also know that the rules are looked at from top to bottom with the
> first
> > >> match
> > >> winning. So, you would want this rule above whatever is causing
> events.
> > >>
> > >> > After the exclusion - I no more see the syscall=49 line in
> > >> > /var/log/audit/audit.rules. So thats a success of sorts!
> > >> >
> > >> > *Probem/Issue/Query now*: After the exclusion, I do see audit events
> > >> > for
> > >> > cron , sudo etc. But I do not see a call for "vi" file open mode
> etc.
> > >>
> > >> I'd need to see the rules to figure out what's wrong, but I have some
> > >> hints
> > >> below...
> > >>
> > >> > *Background:*
> > >> >
> > >> > log output earlier which was flooding the logs and giving message "
> > >>
> > >> *dns1
> > >>
> > >> > audisp-remote: message repeated 6613 times: [ queue is full -
> dropping
> > >> > event"*
> > >> >
> > >> > *log:*
> > >> > *type=SYSCALL msg=audit(1506025977.586:46629194): arch=c000003e
> > >>
> > >> syscall=49
> > >>
> > >> > success=yes exit=0 a0=3 a1=7ffe540ecf20 a2=c a3=0 items=0 ppid=22337
> > >> > pid=22338 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > >> > fsgid=0 tty=(none) ses=4294967295 comm="audisp-remote"
> > >> > exe="/sbin/audisp-remote" key="root_action"*
> > >>
> > >> The main question is what is the root_action rule(s)? Normally we add a
> > >> auid!=4294967295 to prevent daemons from causing events. Typically when it's
> > >> desired to get root events, it means that you want to target _people_ running
> > >> as root rather than normal system activity.
> > >>
> > >> > root@dns1:/tmp# ausyscall 49
> > >> > *bind*
> > >> >
> > >> > I do see audit events for cron , sudo etc. But I do not see a call for "vi"
> > >> > file open mode etc.
> > >> >
> > >> > Observation: I open file /etc/audit/audit.rules in vi editor and then close
> > >> > it. Audit log does not show syscall=2
> > >>
> > >> If you were wanting to record writes to that, you would use a rule like
> > >> this:
> > >>
> > >> -w /etc/audit/ -p wa
> > >>
> > >> > Earlier I used to see below output in logs, but I am not sure that was for
> > >> > which file opened in vi editor.
> > >> >
> > >> > *type=SYSCALL msg=audit(1506025995.825:46633170): arch=c000003e syscall=2
> > >> > success=yes exit=3 a0=5598f609a210 a1=200c1 a2=81a0 a3=0 items=2 ppid=21957
> > >> > pid=22355 auid=1006 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> > >> > tty=pts0 ses=361 comm="vi" exe="/usr/bin/vim.basic" key="root_action"*
> > >>
> > >> Typically, it's expected to look at events through ausearch. It groups the
> > >> records into events. You can also use aureport to see summary information.
> > >>
> > >> > I did read a bit on auditd from below links. *Please let me know if I am
> > >> > missing something or are the calls getting audited in an expected way.*
> > >> >
> > >> > I went through below links; *would appreciate if someone can help with any
> > >> > references which are more lucid with example*s:
> > >> >
> > >> > https://linux-audit.com/configuring-and-auditing-linux-systems-with-audit-daemon/
> > >>
> > >> I was not aware of that site. But some of the information appears to be dated.
> > >> For example, telling people to use pam_tally2 when they should be using
> > >> pam_faillock.
> > >>
> > >> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html
> > >> >
> > >> > Furthermore, I would like to read much on audisp-remote to send all these
> > >> > logs to a central server. I do not find any documentation on that. I see
> > >> > discussion on net where people are using rsyslog instead for that. Please
> > >> > help with references/links if any.
> > >>
> > >> Admittedly there is not much written. It is on my list of topics to blog
> > >> about. But I haven't had time for blogging lately.
> > >>
> > >> -Steve
>
>
>


* Re: Excluding audit for BIND daemon
  2017-09-23 18:29         ` Rituraj Buddhisagar
@ 2017-09-23 18:40           ` Rituraj Buddhisagar
  2017-09-23 18:54           ` Steve Grubb
  1 sibling, 0 replies; 8+ messages in thread
From: Rituraj Buddhisagar @ 2017-09-23 18:40 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit



So, here is the tree structure for auditd and audisp in Ubuntu.

root@dns:/etc# ls -l audit/rules.d/
total 4
-rw-r----- 1 root root 373 Jan 18  2016 audit.rules
root@dns:/etc#
root@dns:/etc# ls -l audisp/
total 20
-rw-r----- 1 root root  211 Jan 18  2016 audispd.conf
-rw-r--r-- 1 root root 1143 Jan 18  2016 audisp-prelude.conf
-rw-r--r-- 1 root root  714 Sep 16 13:51 audisp-remote.conf
drwxr-x--- 2 root root 4096 Sep 16 10:42 plugins.d
-rw-r--r-- 1 root root  246 Jan 18  2016 zos-remote.conf
root@dns:/etc#
root@dns:/etc# ls -l audisp/plugins.d/
total 20
-rw-r----- 1 root root 358 Jan 18  2016 af_unix.conf
-rw-r--r-- 1 root root 436 Jan 18  2016 audispd-zos-remote.conf
-rw-r--r-- 1 root root 280 Jan 18  2016 au-prelude.conf
-rw-r--r-- 1 root root 239 Sep 16 10:42 au-remote.conf
-rw-r----- 1 root root 453 Jan 18  2016 syslog.conf


Noticed that /etc/audit has a subdirectory rules.d - which again has
another audit.rules. (the contents of that file are pasted below)

cat /etc/audit/rules.d/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page




Best Regards,
Rituraj B


On Sat, Sep 23, 2017 at 11:59 PM, Rituraj Buddhisagar <rituraj@vayana.com> wrote:

> Hi Steve,
>
> As per the config file which I had sent (/etc/audit/audit.rules); below
> line has root_action
>
> *-a exit,always -S all -F euid=0 -F perm=wxa -F auid!=4294967295 -k root_action*
>
> I do not see root_action anywhere else in /etc/audit/* and /etc/audisp/*
>
> Thanks!
>
> Best Regards,
> Rituraj B
>
> On Sat, Sep 23, 2017 at 11:46 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>
>> On Saturday, September 23, 2017 10:08:40 AM EDT Rituraj Buddhisagar wrote:
>> > Continued...from previous mail of mine..
>> >
>> > While I am reading and exploring much on auditd & on how I can have a
>> > proper central system where logs are stored and daily reports get
>> > generated, you might want to look at my config file on server and
>> > suggest/recommend if anything - would appreciate if any pointers.
>> >
>> > I am using default config which came with Ubuntu 16.04 and only change was
>> > *"-F auid!=4294967295"* on line where root_action is defined .
>>
>> There is no rule, root_action, that is shipped with the audit package. I would
>> be interested in seeing it if you could copy and paste it into a reply.
>>
>> -Steve
>>
>> > On Sat, Sep 23, 2017 at 7:30 PM, Rituraj Buddhisagar <rituraj@vayana.com> wrote:
>> > > Hi Steve,
>> > >
>> > > Thanks for the response.
>> > >
>> > > Suppressing the events with -F auid!=4294967295 worked.
>> > >
>> > > I am seeing the events like "vi" "chmod" etc are getting audited by the
>> > > system - even as a root account.
>> > >
>> > > I am yet to understand fully though on various rule sets and also on
>> > > components like audisp / audisp-remote. So reading more ..
>> > >
>> > >
>> > > Best Regards,
>> > > Rituraj B
>> > >
>> > > On Fri, Sep 22, 2017 at 10:17 PM, Steve Grubb <sgrubb@redhat.com> wrote:
>> > >> Hello,
>> > >>
>> > >> On Friday, September 22, 2017 1:09:19 AM EDT Rituraj Buddhisagar wrote:
>> > >> > I have a DNS server for which the auditd was generating lot of system calls
>> > >> > and flooding the logs.
>> > >> > Due to this  the server was under heavy memory usage as audisp-remote was
>> > >> > hogging the memory.  The log output for audisp-remote showed that the
>> > >> > syscall was 49. Then I got to know from ausyscall command that the call
>> > >> > number 49 corresponds to bind. Hence I have *excluded* the call to "bind".
>> > >> >
>> > >> > I have put in below line in the /etc/audit/audit.rules
>> > >> >
>> > >> > *-a exclude,always -S 49*
>> > >> >
>> > >> > I have put the above line before section 10.2.2 which says "Feel free to
>> > >> > add below this line" (please note I am running Ubuntu 14.04 but I suppose
>> > >> > auditd implementation is same across board) .
>> > >>
>> > >> Also know that the rules are looked at from top to bottom with the first match
>> > >> winning. So, you would want this rule above whatever is causing events.
>> > >>
>> > >> > After the exclusion - I no more see the syscall=49 line in
>> > >> > /var/log/audit/audit.rules. So that's a success of sorts!
>> > >> >
>> > >> > *Problem/Issue/Query now*: After the exclusion, I do see audit events for
>> > >> > cron , sudo etc. But I do not see a call for "vi" file open mode etc.
>> > >>
>> > >> I'd need to see the rules to figure out what's wrong, but I have some hints
>> > >> below...
>> > >>
>> > >> > *Background:*
>> > >> >
>> > >> > log output earlier which was flooding the logs and giving message " *dns1
>> > >> > audisp-remote: message repeated 6613 times: [ queue is full - dropping
>> > >> > event"*
>> > >> >
>> > >> > *log:*
>> > >> > *type=SYSCALL msg=audit(1506025977.586:46629194): arch=c000003e syscall=49
>> > >> > success=yes exit=0 a0=3 a1=7ffe540ecf20 a2=c a3=0 items=0 ppid=22337
>> > >> > pid=22338 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>> > >> > fsgid=0 tty=(none) ses=4294967295 comm="audisp-remote"
>> > >> > exe="/sbin/audisp-remote" key="root_action"*
>> > >>
>> > >> The main question is what is the root_action rule(s)? Normally we add a
>> > >> auid!=4294967295 to prevent daemons from causing events. Typically when it's
>> > >> desired to get root events, it means that you want to target _people_ running
>> > >> as root rather than normal system activity.
>> > >>
>> > >> > root@dns1:/tmp# ausyscall 49
>> > >> > *bind*
>> > >> >
>> > >> > I do see audit events for cron , sudo etc. But I do not see a call for "vi"
>> > >> > file open mode etc.
>> > >> >
>> > >> > Observation: I open file /etc/audit/audit.rules in vi editor and then close
>> > >> > it. Audit log does not show syscall=2
>> > >>
>> > >> If you were wanting to record writes to that, you would use a rule like
>> > >> this:
>> > >>
>> > >> -w /etc/audit/ -p wa
>> > >>
>> > >> > Earlier I used to see below output in logs, but I am not sure that was for
>> > >> > which file opened in vi editor.
>> > >> >
>> > >> > *type=SYSCALL msg=audit(1506025995.825:46633170): arch=c000003e syscall=2
>> > >> > success=yes exit=3 a0=5598f609a210 a1=200c1 a2=81a0 a3=0 items=2 ppid=21957
>> > >> > pid=22355 auid=1006 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
>> > >> > tty=pts0 ses=361 comm="vi" exe="/usr/bin/vim.basic" key="root_action"*
>> > >>
>> > >> Typically, it's expected to look at events through ausearch. It groups the
>> > >> records into events. You can also use aureport to see summary information.
>> > >>
>> > >> > I did read a bit on auditd from below links. *Please let me know if I am
>> > >> > missing something or are the calls getting audited in an expected way.*
>> > >> >
>> > >> > I went through below links; *would appreciate if someone can help with any
>> > >> > references which are more lucid with example*s:
>> > >> >
>> > >> > https://linux-audit.com/configuring-and-auditing-linux-systems-with-audit-daemon/
>> > >>
>> > >> I was not aware of that site. But some of the information appears to be dated.
>> > >> For example, telling people to use pam_tally2 when they should be using
>> > >> pam_faillock.
>> > >>
>> > >> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html
>> > >> >
>> > >> > Furthermore, I would like to read much on audisp-remote to send all these
>> > >> > logs to a central server. I do not find any documentation on that. I see
>> > >> > discussion on net where people are using rsyslog instead for that. Please
>> > >> > help with references/links if any.
>> > >>
>> > >> Admittedly there is not much written. It is on my list of topics to blog
>> > >> about. But I haven't had time for blogging lately.
>> > >>
>> > >> -Steve
>>
>>
>>
>


* Re: Excluding audit for BIND daemon
  2017-09-23 18:29         ` Rituraj Buddhisagar
  2017-09-23 18:40           ` Rituraj Buddhisagar
@ 2017-09-23 18:54           ` Steve Grubb
  1 sibling, 0 replies; 8+ messages in thread
From: Steve Grubb @ 2017-09-23 18:54 UTC (permalink / raw)
  To: Rituraj Buddhisagar; +Cc: linux-audit

Hello,

On Saturday, September 23, 2017 2:29:47 PM EDT Rituraj Buddhisagar wrote:
> As per the config file which I had sent (/etc/audit/audit.rules); below
> line has root_action
> 
> *-a exit,always -S all -F euid=0 -F perm=wxa -F auid!=4294967295 -k root_action*

If you wanted just people and not daemons, then I would suggest changing the
rule to this:

-a exit,always -S all -F euid=0 -F auid>=1000 -F auid!=4294967295 -F key=root_action

However, that is likely to trigger way more events than you need. Because this
will trigger on every single syscall and slow down the system. What you would
normally want to know is which commands were run as root. A rule for that
would look like this:

-a exit,always -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -F key=root_action
-a exit,always -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -F key=root_action

Another approach would be to enable keystroke logging. This would involve
adding pam_audit_tty to the su and sudo pam configs. Use the default setting
shown in the pam man page. If you do this, then don't have the root_action
rule because you'll get double information.

And last bit of advice...there are pre-written rules that you can install. On
Fedora, they are located in /usr/share/doc/audit/rules/. There is a README-rules
file that explains how to use them.

-Steve

> I do not see root_action anywhere else in /etc/audit/* and /etc/audisp/*
> 
> Thanks!
> 
> 
> 
> Best Regards,
> Rituraj B
> 
> On Sat, Sep 23, 2017 at 11:46 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Saturday, September 23, 2017 10:08:40 AM EDT Rituraj Buddhisagar wrote:
> > > Continued...from previous mail of mine..
> > > 
> > > While I am reading and exploring much on auditd & on how I can have a
> > > proper central system where logs are stored and daily reports get
> > > generated, you might want to look at my config file on server and
> > > suggest/recommend if anything - would appreciate if any pointers.
> > > 
> > > I am using default config which came with Ubuntu 16.04 and only change was
> > > *"-F auid!=4294967295"* on line where root_action is defined .
> > 
> > There is no rule, root_action, that is shipped with the audit package. I would
> > be interested in seeing it if you could copy and paste it into a reply.
> > 
> > -Steve
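
Added example, not part of the message above or of the audit project's code: a Python sketch that applies the -S and -F conditions of the rules suggested in this reply to three SYSCALL records, showing why auid>=1000 is paired with auid!=4294967295 and what narrowing to execve leaves out. The two records from the thread are abbreviated to the fields the rules test; the chmod record, the no_unset_test rule and all helper names are constructed for this illustration.

```python
import operator
import re

OPS = {">=": operator.ge, "!=": operator.ne, "=": operator.eq}
X86_64 = {"open": 2, "bind": 49, "execve": 59}  # x86_64 syscall numbers

# First two records are abbreviated from the thread; the third is constructed.
RECORDS = [
    'type=SYSCALL arch=c000003e syscall=49 auid=4294967295 uid=0 euid=0 comm="audisp-remote"',
    'type=SYSCALL arch=c000003e syscall=2 auid=1006 uid=0 euid=0 comm="vi"',
    'type=SYSCALL arch=c000003e syscall=59 auid=1006 uid=0 euid=0 comm="chmod"',
]

RULES = {
    # Constructed variant without the unset-auid test, for comparison.
    "no_unset_test": "-a exit,always -S all -F euid=0 -F auid>=1000",
    "all_syscalls": "-a exit,always -S all -F euid=0 -F auid>=1000 "
                    "-F auid!=4294967295 -F key=root_action",
    "execve_only": "-a exit,always -F arch=b64 -S execve -F euid=0 -F auid>=1000 "
                   "-F auid!=4294967295 -F key=root_action",
}

def parse_record(line):
    """Split an audit record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}

def matches(rule, record):
    """True if the record meets every -S and numeric -F condition of the rule."""
    rec = parse_record(record)
    syscalls = re.findall(r"-S (\S+)", rule)
    if "all" not in syscalls and int(rec["syscall"]) not in {X86_64[s] for s in syscalls}:
        return False
    # Ids are compared as unsigned numbers, so the unset auid 4294967295
    # satisfies auid>=1000 and has to be excluded by its own != test.
    fields = re.findall(r"-F (\w+)(>=|!=|=)(\d+)\b", rule)
    return all(OPS[op](int(rec[name]), int(value)) for name, op, value in fields)

def recorded(rule_name):
    """Commands whose records the named rule would log."""
    return [parse_record(r)["comm"] for r in RECORDS if matches(RULES[rule_name], r)]

if __name__ == "__main__":
    for name in RULES:
        print(f"{name:14} -> {recorded(name)}")
```

The sketch ignores -F arch and -F key and treats every record as x86_64; on a live system the loaded rules are listed with auditctl -l and the resulting events read with ausearch -k root_action.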

Thread overview: 8+ messages
2017-09-22  5:09 Excluding audit for BIND daemon Rituraj Buddhisagar
2017-09-22 16:47 ` Steve Grubb
2017-09-23 14:00   ` Rituraj Buddhisagar
2017-09-23 14:08     ` Rituraj Buddhisagar
2017-09-23 18:16       ` Steve Grubb
2017-09-23 18:29         ` Rituraj Buddhisagar
2017-09-23 18:40           ` Rituraj Buddhisagar
2017-09-23 18:54           ` Steve Grubb
