* Audit reporting Invalid argument
@ 2016-05-09 13:40 Bhagwat, Shriniketan Manjunath
  2016-05-09 13:50 ` Steve Grubb
  0 siblings, 1 reply; 11+ messages in thread
From: Bhagwat, Shriniketan Manjunath @ 2016-05-09 13:40 UTC (permalink / raw)
  To: linux-audit



Hello,

I am trying to monitor multiple files using Linux audit. In order to get better performance, I am trying to reduce the number of rules.
If I specify more than one path field, as in the example below, I get "Invalid argument".

Example 1:
# auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F path=/home/secpack/test -S open
Error sending add rule data request (Invalid argument)
# auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F dir=/tmp/ -S open
Error sending add rule data request (Invalid argument)

However, I am able to create a single rule to monitor multiple PIDs or UIDs, as below.

Example 2:
# auditctl -a always,exit -F arch=x86_64 -F pid=3526 -F pid=3537
# auditctl -a always,exit -F arch=x86_64 -F auid=0 -F auid=512 -F auid=1002

As per the auditctl man page, "Build a rule field" takes up to 64 fields on a single command line. Each one must start with -F. Each field equation is anded with each other to trigger an audit record.
My questions are:
1. Is specifying more than one path field, as in example 1, valid?
2. If not valid, then how do I create a single audit rule to monitor multiple files/directories?
3. If valid, then why is "Invalid argument" reported?
4. To monitor 10 files, are 10 audit rules required?
5. If 10 rules are required, how do I optimize the rules for performance?

My next question is, does Linux audit support regular expressions? How do I create an audit rule to monitor /var/log/*.log?

# auditctl -a always,exit -F arch=x86_64 -F path=^/var/log/*.log$  -S open
Error sending add rule data request (Invalid argument)

If my questions are already documented, please guide me to the documentation.

Regards,
Ketan


* Re: Audit reporting Invalid argument
  2016-05-09 13:40 Audit reporting Invalid argument Bhagwat, Shriniketan Manjunath
@ 2016-05-09 13:50 ` Steve Grubb
  2016-05-11 11:19   ` Bhagwat, Shriniketan Manjunath
  0 siblings, 1 reply; 11+ messages in thread
From: Steve Grubb @ 2016-05-09 13:50 UTC (permalink / raw)
  To: linux-audit; +Cc: Bhagwat, Shriniketan Manjunath

On Monday, May 09, 2016 01:40:58 PM Bhagwat, Shriniketan Manjunath wrote:
> I am trying to monitor multiple files using Linux audit. In order to get
> better performance, I am trying to reduce the number of rules. If I specify
> more than one path field, as in the example below, I get "Invalid
> argument".
> 
> Example 1:
> # auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F path=/home/secpack/test -S open
> Error sending add rule data request (Invalid argument)
>
> # auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F dir=/tmp/ -S open
> Error sending add rule data request (Invalid argument)
> 
> However, I am able to create a single rule to monitor multiple PIDs or UIDs,
> as below.
> 
> Example 2:
> # auditctl -a always,exit -F arch=x86_64 -F pid=3526 -F pid=3537
> # auditctl -a always,exit -F arch=x86_64 -F auid=0 -F auid=512 -F auid=1002

Which will produce no events due to the anding you mention below. Something 
cannot have both pid 3526 and 3537.

 
> As per the auditctl man page, "Build a rule field" takes up to 64 fields on a
> single command line. Each one must start with -F. Each field equation is
> anded with each other to trigger an audit record. My questions are:
> 1. Is specifying more than one path field, as in example 1, valid?

Nope.

> 2. If not valid, then how do I create a single audit rule to monitor multiple
> files/directories?

They need to be separate rules. You can also recursively watch a directory 
with 'dir'.


> 3. If valid, then why is "Invalid argument" reported?
> 4. To monitor 10 files, are 10 audit rules required?

Possibly.

> 5. If 10 rules are required, how do I optimize the rules for performance?

The filesystem watches are very efficient. You can probably put 100 watches on 
random files and you will not be able to see any performance hit unless they 
are actually triggered. Syscall rules on the other hand do affect performance.


> My next question is, does Linux audit support regular expressions?

No. The kernel pretty much wants things to be numbers rather than strings.

> How do I create an audit rule to monitor /var/log/*.log?

-a always,exit -F dir=/var/log/audit/ -F perm=wa -F key=write-audit-log
 
-Steve


> # auditctl -a always,exit -F arch=x86_64 -F path=^/var/log/*.log$  -S open
> Error sending add rule data request (Invalid argument)
> 
> If my questions are already documented, please guide me to the
> documentation.
> 
> Regards,
> Ketan
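The rule layout Steve describes, written out as an added example (POSIX shell; not code from this thread or from the audit project): one rule per file, a single dir= rule for a whole tree, and a check that catches the mistake in the original post, a second path= or dir= field in one rule. The key names and paths are placeholders; the script only prints rules and never loads them, that is left to auditctl -R run as root.

```shell
#!/bin/sh
# Added example, not code from the thread or from the audit project.
# It turns a list of files into separate audit rules (one path per rule,
# as Steve recommends) in the -F syntax used above, and checks a rule
# string for the mistake from the original post: a second path= or dir=
# field in one rule, which the kernel rejects with "Invalid argument".
# Key names and paths are placeholders; nothing here loads rules.

# One always,exit rule per file, watching writes and attribute changes
# (perm=wa) and tagging events with KEY so "ausearch -k KEY" finds them.
# Usage: file_watch_rules KEY PATH...
file_watch_rules() {
    key=$1
    shift
    for p in "$@"; do
        printf '%s -F path=%s -F perm=wa -F key=%s\n' '-a always,exit' "$p" "$key"
    done
}

# One rule that recursively watches a directory tree instead of listing
# every file; this is the dir= form from Steve's /var/log/audit/ rule.
# Usage: dir_watch_rule KEY DIR
dir_watch_rule() {
    printf '%s -F dir=%s -F perm=wa -F key=%s\n' '-a always,exit' "$2" "$1"
}

# Count the path= and dir= fields in one rule string. Fields are ANDed,
# and a file has exactly one path, so at most one such field makes sense
# and the kernel refuses more than one.
count_path_fields() {
    printf '%s\n' "$1" | tr ' ' '\n' | grep -c -E '^(path|dir)=' || true
}

# Succeeds (exit 0) when the rule carries at most one path/dir field.
rule_is_valid() {
    [ "$(count_path_fields "$1")" -le 1 ]
}

# Demo on the paths from the original post: prints two file rules and
# one directory rule, then flags the two-path rule that produced EINVAL.
# To load the printed rules, save them to a file and run, as root:
#   auditctl -R FILE
file_watch_rules secpack-src /home/secpack/test.c /home/secpack/test
dir_watch_rule tmp-writes /tmp/
bad='-a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F path=/home/secpack/test -S open'
if rule_is_valid "$bad"; then
    echo "valid: $bad"
else
    echo "rejected ($(count_path_fields "$bad") path fields): $bad"
fi
```

The check is deliberately stricter than "does auditctl accept it": a rule with pid=3526 and pid=3537 passes, because it is syntactically fine, but as Steve notes it can never match since both fields are ANDed. Per-file watches are cheap, so generating ten of them is the normal answer to question 4 rather than something to optimise away.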


* RE: Audit reporting Invalid argument
  2016-05-09 13:50 ` Steve Grubb
@ 2016-05-11 11:19   ` Bhagwat, Shriniketan Manjunath
  2016-05-11 19:52     ` Steve Grubb
  0 siblings, 1 reply; 11+ messages in thread
From: Bhagwat, Shriniketan Manjunath @ 2016-05-11 11:19 UTC (permalink / raw)
  To: Steve Grubb, linux-audit

Hi Steve,

Thanks for the response. Your response cleared many of my doubts. I need one clarification on the use of the Linux capability CAP_AUDIT_CONTROL.

My understanding is that only the root user can start/stop the audit service and configure auditctl rules. auditctl.c and auditd.c specifically check for the uid to be zero. The man page says of CAP_AUDIT_CONTROL: "Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules." Does this mean a process with the CAP_AUDIT_CONTROL capability running from a non-root account will be able to start/stop audit and configure auditctl rules? Is there any documentation about how to use the CAP_AUDIT_CONTROL capability and how it relates to audit?

Is it possible to suppress events for a file for a set of specific syscalls? Example: using the rule below, I want to suppress the audit event only for the chmod syscall on the file /tmp/read_only. However, the rule below not only suppresses the audit event for the chmod syscall but also for other syscalls on /tmp/read_only.
# auditctl -a never,exit -F arch=x86_64  -F path=/tmp/read_only  -S chmod

Regards,
Ketan



* Re: Audit reporting Invalid argument
  2016-05-11 11:19   ` Bhagwat, Shriniketan Manjunath
@ 2016-05-11 19:52     ` Steve Grubb
  2016-05-14  9:40       ` Bhagwat, Shriniketan Manjunath
  0 siblings, 1 reply; 11+ messages in thread
From: Steve Grubb @ 2016-05-11 19:52 UTC (permalink / raw)
  To: Bhagwat, Shriniketan Manjunath; +Cc: linux-audit

On Wednesday, May 11, 2016 11:19:07 AM Bhagwat, Shriniketan Manjunath wrote:
> Thanks for the response. Your response cleared many of my doubts. I need one
> clarification on the use of the Linux capability CAP_AUDIT_CONTROL.
> 
> My understanding is that only the root user can start/stop the audit service and
> configure auditctl rules. auditctl.c and auditd.c specifically check for
> the uid to be zero. The man page says of CAP_AUDIT_CONTROL: "Enable and disable
> kernel auditing; change auditing filter rules; retrieve auditing status and
> filtering rules." Does this mean a process with the CAP_AUDIT_CONTROL
> capability running from a non-root account will be able to start/stop audit
> and configure auditctl rules?

Not today. The check for uid 0 is a poor man's check for CAP_AUDIT_CONTROL. I 
have not revisited the checks since allowing libcap-ng to link with other 
components.

> Is there any documentation about how to use the
> CAP_AUDIT_CONTROL capability and how it relates to audit?

Very little. It's mostly reading source code.


> Is it possible to suppress events for a file for a set of specific
> syscalls? Example: using the rule below, I want to suppress the audit event only
> for the chmod syscall on the file /tmp/read_only. However, the rule below not only
> suppresses the audit event for the chmod syscall but also for other syscalls
> on /tmp/read_only.
>
> # auditctl -a never,exit -F arch=x86_64  -F path=/tmp/read_only  -S chmod

This is how I would try to write it. If that suppresses more syscalls than 
chmod and you can give us a reproducer, I think it should go in the new github 
issue tracker for the kernel.

-Steve




* RE: Audit reporting Invalid argument
  2016-05-11 19:52     ` Steve Grubb
@ 2016-05-14  9:40       ` Bhagwat, Shriniketan Manjunath
  2016-05-16 12:53         ` Steve Grubb
  0 siblings, 1 reply; 11+ messages in thread
From: Bhagwat, Shriniketan Manjunath @ 2016-05-14  9:40 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

Hi Steve,

Thanks for your input. 

> Not today. The check for uid 0 is a poor man's check for CAP_AUDIT_CONTROL
Are there any future plans to support enabling audit from a non-root user using CAP_AUDIT_CONTROL?

Regarding suppression of events, I will do some testing and let you know later. 

Is there a way I can avoid the default logging of audit events to /var/log/audit/audit.log? I do not want audit to log events to audit.log; I will capture them using my plug-in instead. Is there a way I can accomplish this? I tried commenting out the log_file field in auditd.conf, however the events are still written to audit.log. I think the code below from auditd-config.c is causing audit to write to audit.log:

config->log_file = strdup("/var/log/audit/audit.log");

Regards,
Ketan



* Re: Audit reporting Invalid argument
  2016-05-14  9:40       ` Bhagwat, Shriniketan Manjunath
@ 2016-05-16 12:53         ` Steve Grubb
  2016-05-16 17:21           ` Richard Guy Briggs
                             ` (2 more replies)
  0 siblings, 3 replies; 11+ messages in thread
From: Steve Grubb @ 2016-05-16 12:53 UTC (permalink / raw)
  To: Bhagwat, Shriniketan Manjunath; +Cc: linux-audit

On Saturday, May 14, 2016 09:40:05 AM Bhagwat, Shriniketan Manjunath wrote:
> > Not today. The check for uid 0 is a poor man's check for CAP_AUDIT_CONTROL
> 
> Are there any future plans to support enabling audit from a non-root user
> using CAP_AUDIT_CONTROL?

You are the only person who has asked for it. I suppose it can be done in a 
couple lines of code. But you still have the permissions of the directories 
that hold the rules to correct. Easy to fix, but I think you might be fighting 
the distribution's package manager which would set things back to root every 
update.


> Regarding suppression of events, I will do some testing and let you know
> later. 
> 
> Is there a way I can avoid default logging of the audit events to
> /var/log/audit/audit.log?

If you have an old copy of the audit system (2.5.1 or earlier) then use 
log_format = NOLOG. If you have a current copy, then use write_logs = no.

-Steve

> I do not want audit to log events to
> audit.log; I will capture them using my plug-in instead. Is there a way I
> can accomplish this? I tried commenting out the log_file field in
> auditd.conf, however the events are still written to audit.log. I think
> the code below from auditd-config.c is causing audit to write to audit.log:
> 
> config->log_file = strdup("/var/log/audit/audit.log");


* Re: Audit reporting Invalid argument
  2016-05-16 12:53         ` Steve Grubb
@ 2016-05-16 17:21           ` Richard Guy Briggs
  2016-05-19  3:37           ` Bhagwat, Shriniketan Manjunath
  2016-06-13  8:15           ` Bhagwat, Shriniketan Manjunath
  2 siblings, 0 replies; 11+ messages in thread
From: Richard Guy Briggs @ 2016-05-16 17:21 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit, Bhagwat, Shriniketan Manjunath

On 16/05/16, Steve Grubb wrote:
> On Saturday, May 14, 2016 09:40:05 AM Bhagwat, Shriniketan Manjunath wrote:
> > > Not today. The check for uid 0 is a poor man's check for CAP_AUDIT_CONTROL
> > 
> > Are there any future plans to support enabling audit from non root user
> > using CAP_AUDIT_CONTROL?
> 
> You are the only person who has asked for it. I suppose it can be done in a 
> couple lines of code. But you still have the permissions of the directories 
> that hold the rules to correct. Easy to fix, but I think you might be fighting 
> the distribution's package manager which would set things back to root every 
> update.

There is no kernel obstacle that I can see now.  It used to depend on
CAP_NET_ADMIN, I think, but that stuff has all been fixed.  I can see
applications for it, possibly even in containers down the road...

> -Steve

- RGB

--
Richard Guy Briggs <rgb@redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635


* RE: Audit reporting Invalid argument
  2016-05-16 12:53         ` Steve Grubb
  2016-05-16 17:21           ` Richard Guy Briggs
@ 2016-05-19  3:37           ` Bhagwat, Shriniketan Manjunath
  2016-06-13  8:15           ` Bhagwat, Shriniketan Manjunath
  2 siblings, 0 replies; 11+ messages in thread
From: Bhagwat, Shriniketan Manjunath @ 2016-05-19  3:37 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

Thanks Steve and Richard for your response.
I will provide the fix soon.

Regards,
Ketan



* RE: Audit reporting Invalid argument
  2016-05-16 12:53         ` Steve Grubb
  2016-05-16 17:21           ` Richard Guy Briggs
  2016-05-19  3:37           ` Bhagwat, Shriniketan Manjunath
@ 2016-06-13  8:15           ` Bhagwat, Shriniketan Manjunath
  2016-06-13 15:01             ` Steve Grubb
  2 siblings, 1 reply; 11+ messages in thread
From: Bhagwat, Shriniketan Manjunath @ 2016-06-13  8:15 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

Hi,

Is it possible to start and stop a user-written audit plug-in while auditd and audispd are running?
As I understand it, audispd is started by auditd. audispd starts the user plug-in programs using their configuration files in the /etc/audisp/plugins.d directory. auditd and the user plug-ins are started and stopped as part of auditd startup and shutdown.
Is it possible to start the user plug-in after auditd is started and stop the user plug-in before auditd is stopped?

Regards,
Ketan



* Re: Audit reporting Invalid argument
  2016-06-13  8:15           ` Bhagwat, Shriniketan Manjunath
@ 2016-06-13 15:01             ` Steve Grubb
  2016-06-14 13:44               ` Bhagwat, Shriniketan Manjunath
  0 siblings, 1 reply; 11+ messages in thread
From: Steve Grubb @ 2016-06-13 15:01 UTC (permalink / raw)
  To: Bhagwat, Shriniketan Manjunath; +Cc: linux-audit

On Monday, June 13, 2016 08:15:36 AM Bhagwat, Shriniketan Manjunath wrote:
> Hi,
> 
> Is it possible to start and stop a user-written audit plug-in while auditd
> and audispd are running? As I understand it, audispd is started by auditd. audispd
> starts the user plug-in programs using their configuration files in the
> /etc/audisp/plugins.d directory. auditd and the user plug-ins are started and
> stopped as part of auditd startup and shutdown. Is it possible to start the
> user plug-in after auditd is started and stop the user plug-in before
> auditd is stopped?

There is nothing that prevents you from sending a SIGTERM to the plugin if you 
are root. The plugin will be restarted when the next event arrives to audispd.

-Steve



* RE: Audit reporting Invalid argument
  2016-06-13 15:01             ` Steve Grubb
@ 2016-06-14 13:44               ` Bhagwat, Shriniketan Manjunath
  0 siblings, 0 replies; 11+ messages in thread
From: Bhagwat, Shriniketan Manjunath @ 2016-06-14 13:44 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit

Hi Steve,

>> The plugin will be restarted when the next event arrives to audispd.
I do not want my plug-in to be running unnecessarily all the time while auditd is running. 
I can accomplish my requirement by sending SIGHUP to audispd and changing the plug-in configuration's active=yes/no option.

Regards,
Ketan

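Two of the configuration changes discussed in this thread, as an added example (POSIX shell; not code from the thread or from the audit project): Steve's answer on disabling the on-disk log (write_logs = no, or log_format = NOLOG on 2.5.1 and earlier) and Ketan's approach of flipping a plugin's active=yes/no and sending SIGHUP to audispd. The plugin file name, the sample auditd.conf contents and the auditd version passed in are assumed placeholders; the functions edit any "key = value" file and only signal audispd when the edited file really lives under /etc/audisp/plugins.d/.

```shell
#!/bin/sh
# Added example, not code from the thread or from the audit project. It
# covers two configuration questions from this thread:
#   1. stop auditd writing /var/log/audit/audit.log while a plugin still
#      receives the events: write_logs = no in auditd.conf, or
#      log_format = NOLOG on audit 2.5.1 and earlier (Steve's answer);
#   2. switch a plugin on or off without restarting auditd: set
#      active = yes|no in its /etc/audisp/plugins.d/NAME.conf and SIGHUP
#      audispd so it re-reads the plugin configs (Ketan's approach).
# Commenting a key out does not turn it off: auditd falls back to its
# compiled-in default (the strdup() of audit.log quoted above), so the key
# has to be set to the wanted value explicitly. Paths used below are
# placeholders; the functions work on any "key = value" file.

# Set KEY to VALUE in FILE: rewrite an existing uncommented line or append
# one. The edit goes through a temp file and a rename so a failure part
# way through leaves the original config untouched. VALUE is used as a
# plain sed replacement, so keep it to simple tokens (yes, no, NOLOG).
# Usage: set_conf_key FILE KEY VALUE
set_conf_key() {
    file=$1; key=$2; value=$3
    tmp="$file.tmp.$$"
    if grep -q -E "^[[:space:]]*$key[[:space:]]*=" "$file"; then
        sed -E "s|^[[:space:]]*$key[[:space:]]*=.*|$key = $value|" "$file" > "$tmp"
    else
        cat "$file" > "$tmp"
        printf '%s = %s\n' "$key" "$value" >> "$tmp"
    fi
    mv "$tmp" "$file"
}

# Print the value of KEY in FILE (first uncommented match), or nothing.
# Usage: get_conf_key FILE KEY
get_conf_key() {
    sed -n -E "s|^[[:space:]]*$2[[:space:]]*=[[:space:]]*||p" "$1" | head -n 1
}

# True when VERSION (e.g. 2.5.1, 2.6) is 2.5.1 or earlier, where the
# on-disk log is disabled with log_format = NOLOG instead of write_logs.
audit_is_old() {
    v=$1
    major=${v%%.*}; v=${v#"$major"}; v=${v#.}
    minor=${v%%.*}; v=${v#"$minor"}; v=${v#.}
    patch=${v%%.*}
    [ $(( ${major:-0} * 10000 + ${minor:-0} * 100 + ${patch:-0} )) -le 20501 ]
}

# Disable the on-disk audit log in CONF for the given auditd VERSION.
# Send auditd SIGHUP (or restart it) afterwards so it re-reads the file.
# Usage: disable_audit_log CONF VERSION
disable_audit_log() {
    if audit_is_old "$2"; then
        set_conf_key "$1" log_format NOLOG
    else
        set_conf_key "$1" write_logs no
    fi
}

# Set active = yes|no in a plugin config and, when the file is the live
# one under /etc/audisp/plugins.d/, SIGHUP audispd to apply it (needs
# root). Other paths (test copies) are edited without signalling.
# Usage: set_plugin_active PLUGIN_CONF yes|no
set_plugin_active() {
    case $2 in
        yes|no) ;;
        *) printf 'active must be yes or no, got %s\n' "$2" >&2; return 1 ;;
    esac
    set_conf_key "$1" active "$2"
    case $1 in
        /etc/audisp/plugins.d/*)
            pid=$(pidof audispd 2>/dev/null || true)
            if [ -n "$pid" ]; then
                kill -HUP "$pid" || printf 'could not signal audispd\n' >&2
            fi
            ;;
    esac
    return 0
}

# Demo on a constructed auditd.conf in a temp dir (never the real file).
demo_dir=$(mktemp -d)
printf '%s\n' '# constructed sample auditd.conf' \
    'log_file = /var/log/audit/audit.log' 'write_logs = yes' > "$demo_dir/auditd.conf"
disable_audit_log "$demo_dir/auditd.conf" 2.8.5
printf 'write_logs is now: %s\n' "$(get_conf_key "$demo_dir/auditd.conf" write_logs)"
rm -rf "$demo_dir"
```

With write_logs = no auditd still receives every event and still feeds audispd, so the plugin keeps getting its copy; only the file sink goes away, which is the behaviour Ketan asked for. Toggling active and reloading audispd stops the plugin cleanly, instead of the SIGTERM-and-auto-restart cycle Steve mentions.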

