From: "Bhagwat, Shriniketan Manjunath" <shriniketan.bhagwat@hpe.com>
To: Steve Grubb <sgrubb@redhat.com>
Cc: "linux-audit@redhat.com" <linux-audit@redhat.com>
Subject: RE: Audit reporting Invalid argument
Date: Sat, 14 May 2016 09:40:05 +0000
Message-ID: <8FC6AD31395616439ECBCD98E071A87F4BF15630@G4W3202.americas.hpqcorp.net>
In-Reply-To: <1581661.ndI2rhVsuG@x2>

Hi Steve,

Thanks for your input. 

> Not today. The check for uid 0 is a poor man's check for CAP_AUDIT_CONTROL
Are there any future plans to support enabling audit from a non-root user using CAP_AUDIT_CONTROL?

Regarding suppression of events, I will do some testing and let you know later. 

Is there a way I can avoid the default logging of audit events to /var/log/audit/audit.log? I do not want audit to log events to audit.log; however, I will capture them using my plug-in. Is there a way I can accomplish this? I tried commenting out the log_file field in auditd.conf, however the events are still written to audit.log. I think the code below from auditd-config.c is causing audit to write to audit.log:

config->log_file = strdup("/var/log/audit/audit.log");

Regards,
Ketan

-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com] 
Sent: Thursday, May 12, 2016 1:22 AM
To: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat@hpe.com>
Cc: linux-audit@redhat.com
Subject: Re: Audit reporting Invalid argument

On Wednesday, May 11, 2016 11:19:07 AM Bhagwat, Shriniketan Manjunath wrote:
> Thanks for the response. Your response cleared many of my doubts. I 
> need one clarification on the use of the Linux capability CAP_AUDIT_CONTROL.
> 
> My understanding is that only the root user can start/stop the audit 
> service and configure auditctl rules. auditctl.c and auditd.c 
> specifically check that the uid is zero. The man page says 
> CAP_AUDIT_CONTROL "Enable and disable kernel auditing; change auditing 
> filter rules; retrieve auditing status and filtering rules." Does this 
> mean a process with the CAP_AUDIT_CONTROL capability running from a 
> non-root account will be able to start/stop audit and configure auditctl rules?

Not today. The check for uid 0 is a poor man's check for CAP_AUDIT_CONTROL. I have not revisited the checks since allowing libcap-ng to link with other components.

> Is there any documentation about how to use the CAP_AUDIT_CONTROL 
> capability and how it is related to audit?

Very little. It's mostly reading source code.


> Is it possible to suppress events for a file for a set of specific 
> syscalls? Example: using the rule below I want to suppress the audit 
> event only for the chmod syscall for the file /tmp/read_only. However, 
> the rule below not only suppresses the audit event for the chmod 
> syscall but also for other syscalls on /tmp/read_only.
>
> # auditctl -a never,exit -F arch=x86_64 -F path=/tmp/read_only -S chmod

This is how I would try to write it. If that suppresses more syscalls than chmod and you can give us a reproducer, I think it should go in the new github issue tracker for the kernel.

-Steve


> -----Original Message-----
> From: Steve Grubb [mailto:sgrubb@redhat.com]
> Sent: Monday, May 09, 2016 7:20 PM
> To: linux-audit@redhat.com
> Cc: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat@hpe.com>
> Subject: Re: Audit reporting Invalid argument
> 
> On Monday, May 09, 2016 01:40:58 PM Bhagwat, Shriniketan Manjunath wrote:
> > I am trying to monitor multiple files using Linux audit. In order to 
> > get better performance, I am trying to reduce the number of rules. If 
> > I specify more than one path field as in the example below I am 
> > getting "Invalid argument".
> > 
> > Example1:
> > # auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F path=/home/secpack/test -S open
> > Error sending add rule data request (Invalid argument)
> > 
> > # auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F dir=/tmp/ -S open
> > Error sending add rule data request (Invalid argument)
> > 
> > However, I am able to create a single rule to monitor multiple PIDs 
> > or UIDs as below.
> > 
> > Example2:
> > # auditctl -a always,exit -F arch=x86_64 -F pid=3526 -F pid=3537
> > # auditctl -a always,exit -F arch=x86_64 -F auid=0 -F auid=512 -F auid=1002
> 
> Which will produce no events due to the anding you mention below. 
> Something cannot have both pid 3526 and 3537.
> > As per the auditctl man page, "Build a rule field" takes up to 64 
> > fields on a single command line. Each one must start with -F. Each 
> > field equation is anded with each other to trigger an audit 
> > record. My questions are: 1. Is specifying more than one path field as in Example1 valid?
> 
> Nope.
> 
> > 2. If not valid, then how do I create a single audit rule to monitor 
> > multiple files/directories?
> 
> They need to be separate rules. You can also recursively watch a 
> directory with 'dir'
> > 3. If valid, then why is "Invalid argument" reported?
> > 4. To monitor 10 files, are 10 audit rules required?
> 
> Possibly.
> 
> > 5. If 10 rules are required, how do I optimize the rules for performance?
> 
> The filesystem watches are very efficient. You can probably put 100 
> watches on random files and you will not be able to see any 
> performance hit unless they are actually triggered. Syscall rules on 
> the other hand do affect performance.
> > My next question is does Linux audit support regular expressions?
> 
> No. The kernel pretty much wants things to be numbers rather than strings.
> 
> > How do I create audit rule to monitor /var/log/*.log?
> 
> -a always,exit -F dir=/var/log/audit/ -F perm=wa -F key=write-audit-log
> 
> -Steve
> 
> > # auditctl -a always,exit -F arch=x86_64 -F path=^/var/log/*.log$ -S open
> > Error sending add rule data request (Invalid argument)
> > 
> > If my questions are already documented, please guide me to the 
> > documentation.
> > 
> > Regards,
> > Ketan
