From: Rituraj Buddhisagar
Subject: Re: Excluding audit for BIND daemon
Date: Sat, 23 Sep 2017 19:30:00 +0530
To: Steve Grubb
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi Steve,

Thanks for the response.

Suppressing the events with -F auid!=4294967295 worked.

I am seeing that events like "vi", "chmod" etc. are getting audited by the system - even as a root account.

I am yet to understand fully, though, the various rule sets and also components like audisp / audisp-remote. So reading more ..

Best Regards,
Rituraj B

On Fri, Sep 22, 2017 at 10:17 PM, Steve Grubb wrote:
> Hello,
>
> On Friday, September 22, 2017 1:09:19 AM EDT Rituraj Buddhisagar wrote:
> > I have a DNS server for which auditd was generating a lot of system calls
> > and flooding the logs.
> > Due to this the server was under heavy memory usage as audisp-remote was
> > hogging the memory. The log output for audisp-remote showed that the
> > syscall was 49. Then I got to know from the ausyscall command that call
> > number 49 corresponds to bind. Hence I have *excluded* the call to "bind".
> >
> > I have put the below line in /etc/audit/audit.rules
> >
> > *-a exclude,always -S 49*
> >
> > I have put the above line before section 10.2.2 which says "Feel free to
> > add below this line" (please note I am running Ubuntu 14.04 but I suppose
> > the auditd implementation is the same across the board).
>
> Also know that the rules are looked at from top to bottom with the first match
> winning. So, you would want this rule above whatever is causing events.
>
> > After the exclusion I no longer see the syscall=49 line in
> > /var/log/audit/audit.rules. So that's a success of sorts!
> >
> > *Problem/Issue/Query now*: After the exclusion, I do see audit events for
> > cron, sudo etc. But I do not see a call for "vi" file open mode etc.
>
> I'd need to see the rules to figure out what's wrong, but I have some hints
> below...
>
> > *Background:*
> >
> > log output earlier which was flooding the logs and giving message "*dns1
> > audisp-remote: message repeated 6613 times: [ queue is full - dropping
> > event"*
> >
> > *log:*
> > *type=SYSCALL msg=audit(1506025977.586:46629194): arch=c000003e syscall=49
> > success=yes exit=0 a0=3 a1=7ffe540ecf20 a2=c a3=0 items=0 ppid=22337
> > pid=22338 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > fsgid=0 tty=(none) ses=4294967295 comm="audisp-remote"
> > exe="/sbin/audisp-remote" key="root_action"*
>
> The main question is what is the root_action rule(s)? Normally we add a
> auid!=4294967295 to prevent daemons from causing events. Typically when it's
> desired to get root events, it means that you want to target _people_ running
> as root rather than normal system activity.
>
> > root@dns1:/tmp# ausyscall 49
> > *bind*
> >
> > I do see audit events for cron, sudo etc. But I do not see a call for "vi"
> > file open mode etc.
> >
> > Observation: I open the file /etc/audit/audit.rules in the vi editor and then
> > close it. The audit log does not show syscall=2
>
> If you were wanting to record writes to that, you would use a rule like this:
>
> -w /etc/audit/ -p wa
>
> > Earlier I used to see the below output in the logs, but I am not sure which
> > file opened in the vi editor that was for.
> >
> > *type=SYSCALL msg=audit(1506025995.825:46633170): arch=c000003e syscall=2
> > success=yes exit=3 a0=5598f609a210 a1=200c1 a2=81a0 a3=0 items=2 ppid=21957
> > pid=22355 auid=1006 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> > tty=pts0 ses=361 comm="vi" exe="/usr/bin/vim.basic" key="root_action"*
>
> Typically, it's expected to look at events through ausearch. It groups the
> records into events. You can also use aureport to see summary information.
>
> > I did read a bit on auditd from the below links. *Please let me know if I am
> > missing something or whether the calls are getting audited in an expected way.*
> >
> > I went through the below links; *would appreciate it if someone can help with
> > any references which are more lucid with example*s:
> >
> > https://linux-audit.com/configuring-and-auditing-linux-systems-with-audit-daemon/
>
> I was not aware of that site. But some of the information appears to be dated.
> For example, telling people to use pam_tally2 when they should be using
> pam_faillock.
>
> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html
> >
> > Furthermore, I would like to read much more on audisp-remote to send all these
> > logs to a central server. I do not find any documentation on that. I see
> > discussion on the net where people are using rsyslog instead for that. Please
> > help with references/links if any.
>
> Admittedly there is not much written. It is on my list of topics to blog
> about. But I haven't had time for blogging lately.
>
> -Steve
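Added example (editor's code, not part of the thread above): a small Python replay of the two rule-ordering points Steve makes, run over copies of the two SYSCALL records quoted in the thread. The thread never shows the actual "root_action" rule, so the rule modeled here as ROOT_ANY (every syscall with uid=0) is an assumption; the NEVER_BIND and ROOT_SESSION rules correspond to the conventional auditctl forms `-a never,exit -F arch=b64 -S bind` and `-a always,exit -F arch=b64 -S all -F uid=0 -F auid!=4294967295 -k root_action`. Only syscall rules are modeled, not `-w` watches (those match on the PATH records, which the quoted SYSCALL lines do not carry). Because syscall numbers are per-ABI, the exclusion rule checks arch=c000003e as well as syscall=49, exactly as a real rule should carry `-F arch=b64`.

```python
#!/usr/bin/env python3
"""Replay first-match-wins auditctl rule semantics over SYSCALL records.

Added example, not from the mailing-list thread. The log lines below are
constructed copies of the two records quoted in the thread; the rule sets
are the editor's assumptions about what the "root_action" rule might be.
"""
import re

AUID_UNSET = 4294967295   # (unsigned)-1: process has no login session (daemons, cron)
X86_64 = "c000003e"       # arch field of a 64-bit x86 record (-F arch=b64)
BIND_X86_64 = 49          # `ausyscall 49` -> bind on x86_64; numbers differ per ABI

# Constructed copies of the two SYSCALL records quoted in the thread.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1506025977.586:46629194): arch=c000003e syscall=49 success=yes exit=0 a0=3 a1=7ffe540ecf20 a2=c a3=0 items=0 ppid=22337 pid=22338 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="audisp-remote" exe="/sbin/audisp-remote" key="root_action"
type=SYSCALL msg=audit(1506025995.825:46633170): arch=c000003e syscall=2 success=yes exit=3 a0=5598f609a210 a1=200c1 a2=81a0 a3=0 items=2 ppid=21957 pid=22355 auid=1006 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=361 comm="vi" exe="/usr/bin/vim.basic" key="root_action"
"""

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Turn one 'k=v k=v ...' audit line into a dict; purely numeric values become ints."""
    rec = {}
    for key, val in _KV.findall(line):
        val = val.strip('"')
        rec[key] = int(val) if val.isdigit() else val
    return rec


def rule(action, **conds):
    """One rule: action is 'always' or 'never'; conds map field -> predicate on its value."""
    return (action, conds)


def first_match(rec, rules):
    """auditctl semantics: rules are tried top to bottom and the first match wins.
    Returns 'always', 'never', or None when nothing matched."""
    for action, conds in rules:
        if all(pred(rec.get(field)) for field, pred in conds.items()):
            return action
    return None


def audited(records, rules):
    """comm of every record the rule set would actually log."""
    return [r["comm"] for r in records if first_match(r, rules) == "always"]


# -a never,exit -F arch=b64 -S bind          (drop bind, but only for the 64-bit ABI)
NEVER_BIND = rule("never", arch=lambda v: v == X86_64, syscall=lambda v: v == BIND_X86_64)
# -a always,exit -F arch=b64 -S all -F uid=0 -k root_action   (ASSUMED original rule)
ROOT_ANY = rule("always", uid=lambda v: v == 0)
# -a always,exit -F arch=b64 -S all -F uid=0 -F auid!=4294967295 -k root_action
ROOT_SESSION = rule("always", uid=lambda v: v == 0, auid=lambda v: v != AUID_UNSET)

RULE_SETS = {
    "root_any": [ROOT_ANY],                           # assumed original: daemons flood the log
    "exclude_then_root_any": [NEVER_BIND, ROOT_ANY],  # exclusion placed above, as advised
    "root_any_then_exclude": [ROOT_ANY, NEVER_BIND],  # exclusion placed below: never reached
    "root_session": [ROOT_SESSION],                   # auid filter alone drops the daemon
}

RECORDS = [parse_record(l) for l in SAMPLE_LOG.splitlines() if l.strip()]


def compare(records=RECORDS):
    """Which comm values each rule set would log for the sample records."""
    return {name: audited(records, rules) for name, rules in RULE_SETS.items()}


if __name__ == "__main__":
    for name, kept in compare().items():
        print(f"{name:24s} -> {kept}")
```

The interesting pair is root_any_then_exclude versus exclude_then_root_any: the same two rules keep or drop the audisp-remote bind event depending only on their order, which is the first-match point in the reply. root_session shows the other point: with auid!=4294967295 on the rule, the daemon's event (auid=4294967295) never matches while the interactive root session's vi event (auid=1006, uid=0) still does, without any per-syscall exclusion at all.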