From: "Bhagwat, Shriniketan Manjunath"
Subject: Audit reporting Invalid argument
Date: Mon, 9 May 2016 13:40:58 +0000
Message-ID: <8FC6AD31395616439ECBCD98E071A87F4BF14ED7@G4W3202.americas.hpqcorp.net>
To: linux-audit@redhat.com

Hello,

I am trying to monitor multiple files using Linux audit. In order to get better performance, I am trying to reduce the number of rules.

If I specify more than one path field as in the example below, I get "Invalid argument".

Example 1:

# auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F path=/home/secpack/test -S open
Error sending add rule data request (Invalid argument)

# auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F dir=/tmp/ -S open
Error sending add rule data request (Invalid argument)

However, I am able to create a single rule to monitor multiple PIDs or UIDs as below.

Example 2:

# auditctl -a always,exit -F arch=x86_64 -F pid=3526 -F pid=3537
# auditctl -a always,exit -F arch=x86_64 -F auid=0 -F auid=512 -F auid=1002

As per the auditctl man page: "Build a rule field takes up to 64 fields on a single command line. Each one must start with -F. Each field equation is anded with each other to trigger an audit record."

My questions are:

1. Is specifying more than one path field as in Example 1 valid?
2. If not valid, then how do I create a single audit rule to monitor multiple files/directories?
3. If valid, then why is "Invalid argument" reported?
4. To monitor 10 files, are 10 audit rules required?
5. If 10 rules are required, how do I optimize the rules for performance?

My next question is: does Linux audit support regular expressions? How do I create an audit rule to monitor /var/log/*.log?

# auditctl -a always,exit -F arch=x86_64 -F path=^/var/log/*.log$ -S open
Error sending add rule data request (Invalid argument)

If my questions are already documented, please guide me to the documentation.

Regards,
Ketan
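One way to express the mail's targets as audit rules, as an added example that is not part of Ketan's message or the audit project: it emits one -w watch per path (a rule carries a single path/dir watch, and the -F fields of one rule are ANDed, so several path= fields in one rule cannot mean "any of these files"), tags every rule with one key so ausearch -k retrieves them together, and refuses globs, which inode-based audit watches never expand. The key name secpack and the sample paths are constructed.

```shell
#!/bin/sh
# Added example, not from the original mail or the audit project.
# Builds an audit rules.d fragment: one "-w" watch rule per path (the same as
# -F path= for a file and -F dir= for a directory, which is watched recursively),
# all tagged with one key. Audit matches watches by inode, so wildcards such as
# /var/log/*.log are never expanded; such entries are refused here rather than
# silently producing a rule that can never fire. "secpack" is a placeholder key.

AUDIT_KEY="secpack"

# rule_for PATH: print one watch rule for PATH, or return 1 if unsupported.
rule_for() {
    case "$1" in
        *\**|*\?*|*\[*) return 1 ;;   # shell wildcards: no audit support
        /*) printf '%s %s -p wa -k %s\n' '-w' "$1" "$AUDIT_KEY" ;;
        *) return 1 ;;                # a watch needs an absolute path
    esac
}

# build_rules: read one path per line on stdin, print the rules it accepts,
# report refused entries on stderr, and return the number refused.
build_rules() {
    refused=0
    while IFS= read -r path; do
        [ -n "$path" ] || continue
        rule_for "$path" || {
            echo "refused: $path (no wildcards, absolute paths only)" >&2
            refused=$((refused + 1))
        }
    done
    return "$refused"
}

# Constructed sample input mirroring the mail: two files, a directory tree,
# and a glob that audit cannot express as a single rule.
SAMPLE='/home/secpack/test.c
/home/secpack/test
/tmp/
/var/log/*.log'

# Usage: save the output under /etc/audit/rules.d/ and load it with
# "augenrules --load", or feed it to "auditctl -R".
if [ "${1:-}" = "--demo" ]; then
    printf '%s\n' "$SAMPLE" | build_rules
fi
```

Each accepted path becomes its own rule, which is the shape the kernel accepts; ausearch -k secpack then returns events from all of them as one set.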