* Excluding audit for BIND daemon
From: Rituraj Buddhisagar @ 2017-09-22 5:09 UTC
To: linux-audit

Hi,

I have a DNS server for which auditd was generating a lot of system calls and flooding the logs. Due to this the server was under heavy memory usage, as audisp-remote was hogging the memory. The log output for audisp-remote showed that the syscall was 49. Then I got to know from the ausyscall command that call number 49 corresponds to bind. Hence I have excluded the call to "bind".

I have put the below line in /etc/audit/audit.rules:

    -a exclude,always -S 49

I have put the above line before section 10.2.2 which says "Feel free to add below this line" (please note I am running Ubuntu 14.04 but I suppose the auditd implementation is the same across the board). After the exclusion I no more see the syscall=49 line in /var/log/audit/audit.rules. So that's a success of sorts!

Problem/Issue/Query now: After the exclusion, I do see audit events for cron, sudo etc. But I do not see a call for "vi" file open mode etc.

Background: log output earlier which was flooding the logs and giving the message:

    dns1 audisp-remote: message repeated 6613 times: [ queue is full - dropping event

log:

    type=SYSCALL msg=audit(1506025977.586:46629194): arch=c000003e syscall=49 success=yes exit=0 a0=3 a1=7ffe540ecf20 a2=c a3=0 items=0 ppid=22337 pid=22338 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="audisp-remote" exe="/sbin/audisp-remote" key="root_action"

    root@dns1:/tmp# ausyscall 49
    bind

Observation: I open the file /etc/audit/audit.rules in the vi editor and then close it. The audit log does not show syscall=2. Earlier I used to see the below output in the logs, but I am not sure which file opened in the vi editor that was for.

    type=SYSCALL msg=audit(1506025995.825:46633170): arch=c000003e syscall=2 success=yes exit=3 a0=5598f609a210 a1=200c1 a2=81a0 a3=0 items=2 ppid=21957 pid=22355 auid=1006 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=361 comm="vi" exe="/usr/bin/vim.basic" key="root_action"

I did read a bit on auditd from the links below. Please let me know if I am missing something, or are the calls getting audited in an expected way? I went through the below links; I would appreciate it if someone can help with any references which are more lucid with examples:

https://linux-audit.com/configuring-and-auditing-linux-systems-with-audit-daemon/
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html

Furthermore, I would like to read much more on audisp-remote to send all these logs to a central server. I do not find any documentation on that. I see discussion on the net where people are using rsyslog instead for that. Please help with references/links if any.

Thanks!

Best Regards,
Rituraj B
* Re: Excluding audit for BIND daemon
From: Steve Grubb @ 2017-09-22 16:47 UTC
To: linux-audit

Hello,

On Friday, September 22, 2017 1:09:19 AM EDT Rituraj Buddhisagar wrote:
> I have a DNS server for which auditd was generating a lot of system calls
> and flooding the logs.
> Due to this the server was under heavy memory usage, as audisp-remote was
> hogging the memory. The log output for audisp-remote showed that the
> syscall was 49. Then I got to know from the ausyscall command that call
> number 49 corresponds to bind. Hence I have excluded the call to "bind".
>
> I have put the below line in /etc/audit/audit.rules:
>
>     -a exclude,always -S 49
>
> I have put the above line before section 10.2.2 which says "Feel free to
> add below this line" (please note I am running Ubuntu 14.04 but I suppose
> the auditd implementation is the same across the board).

Also know that the rules are looked at from top to bottom with the first match winning. So, you would want this rule above whatever is causing events.

> After the exclusion I no more see the syscall=49 line in
> /var/log/audit/audit.rules. So that's a success of sorts!
>
> Problem/Issue/Query now: After the exclusion, I do see audit events for
> cron, sudo etc. But I do not see a call for "vi" file open mode etc.

I'd need to see the rules to figure out what's wrong, but I have some hints below...

> Background: log output earlier which was flooding the logs and giving the
> message:
>
>     dns1 audisp-remote: message repeated 6613 times: [ queue is full - dropping event
>
> log:
>
>     type=SYSCALL msg=audit(1506025977.586:46629194): arch=c000003e syscall=49
>     success=yes exit=0 a0=3 a1=7ffe540ecf20 a2=c a3=0 items=0 ppid=22337
>     pid=22338 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>     fsgid=0 tty=(none) ses=4294967295 comm="audisp-remote"
>     exe="/sbin/audisp-remote" key="root_action"

The main question is what is the root_action rule(s)? Normally we add an auid!=4294967295 to prevent daemons from causing events. Typically when it's desired to get root events, it means that you want to target _people_ running as root rather than normal system activity.

>     root@dns1:/tmp# ausyscall 49
>     bind
>
> I do see audit events for cron, sudo etc. But I do not see a call for "vi"
> file open mode etc.
>
> Observation: I open the file /etc/audit/audit.rules in the vi editor and
> then close it. The audit log does not show syscall=2.

If you were wanting to record writes to that, you would use a rule like this:

    -w /etc/audit/ -p wa

> Earlier I used to see the below output in the logs, but I am not sure which
> file opened in the vi editor that was for.
>
>     type=SYSCALL msg=audit(1506025995.825:46633170): arch=c000003e syscall=2
>     success=yes exit=3 a0=5598f609a210 a1=200c1 a2=81a0 a3=0 items=2 ppid=21957
>     pid=22355 auid=1006 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
>     tty=pts0 ses=361 comm="vi" exe="/usr/bin/vim.basic" key="root_action"

Typically, it's expected to look at events through ausearch. It groups the records into events. You can also use aureport to see summary information.

> I did read a bit on auditd from the links below. Please let me know if I am
> missing something, or are the calls getting audited in an expected way?
>
> I went through the below links; I would appreciate it if someone can help
> with any references which are more lucid with examples:
>
> https://linux-audit.com/configuring-and-auditing-linux-systems-with-audit-daemon/

I was not aware of that site. But some of the information appears to be dated. For example, telling people to use pam_tally2 when they should be using pam_faillock.

> https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html
>
> Furthermore, I would like to read much more on audisp-remote to send all
> these logs to a central server. I do not find any documentation on that. I
> see discussion on the net where people are using rsyslog instead for that.
> Please help with references/links if any.

Admittedly there is not much written. It is on my list of topics to blog about. But I haven't had time for blogging lately.

-Steve
* Re: Excluding audit for BIND daemon
From: Rituraj Buddhisagar @ 2017-09-23 14:00 UTC
To: Steve Grubb; +Cc: linux-audit

Hi Steve,

Thanks for the response.

Suppressing the events with -F auid!=4294967295 worked.

I am seeing that events like "vi", "chmod" etc. are getting audited by the system, even as a root account.

I am yet to understand fully the various rule sets and also components like audisp / audisp-remote. So reading more...

Best Regards,
Rituraj B
* Re: Excluding audit for BIND daemon
From: Rituraj Buddhisagar @ 2017-09-23 14:08 UTC
To: Steve Grubb; +Cc: linux-audit

Continued from my previous mail...

While I am reading and exploring more on auditd and on how I can have a proper central system where logs are stored and daily reports get generated, you might want to look at my config file from the server and suggest/recommend anything; I would appreciate any pointers.

I am using the default config which came with Ubuntu 16.04 and the only change was "-F auid!=4294967295" on the line where root_action is defined.

Thanks!

Best Regards,
Rituraj B

[-- Attachment #2: audit-rules.doc, Type: application/msword, Size: 13824 bytes --]
* Re: Excluding audit for BIND daemon
From: Steve Grubb @ 2017-09-23 18:16 UTC
To: Rituraj Buddhisagar; +Cc: linux-audit

On Saturday, September 23, 2017 10:08:40 AM EDT Rituraj Buddhisagar wrote:
> Continued from my previous mail...
>
> While I am reading and exploring more on auditd and on how I can have a
> proper central system where logs are stored and daily reports get
> generated, you might want to look at my config file from the server and
> suggest/recommend anything; I would appreciate any pointers.
>
> I am using the default config which came with Ubuntu 16.04 and the only
> change was "-F auid!=4294967295" on the line where root_action is defined.

There is no rule, root_action, that is shipped with the audit package. I would be interested in seeing it if you could copy and paste it into a reply.

-Steve
* Re: Excluding audit for BIND daemon
From: Rituraj Buddhisagar @ 2017-09-23 18:29 UTC
To: Steve Grubb; +Cc: linux-audit

Hi Steve,

As per the config file which I had sent (/etc/audit/audit.rules), the below line has root_action:

    -a exit,always -S all -F euid=0 -F perm=wxa -F auid!=4294967295 -k root_action

I do not see root_action anywhere else in /etc/audit/* and /etc/audisp/*.

Thanks!

Best Regards,
Rituraj B
* Re: Excluding audit for BIND daemon
From: Rituraj Buddhisagar @ 2017-09-23 18:40 UTC
To: Steve Grubb; +Cc: linux-audit

So, here is the tree structure for auditd and audisp in Ubuntu.

root@dns:/etc# ls -l audit/rules.d/
total 4
-rw-r----- 1 root root 373 Jan 18  2016 audit.rules
root@dns:/etc#
root@dns:/etc# ls -l audisp/
total 20
-rw-r----- 1 root root  211 Jan 18  2016 audispd.conf
-rw-r--r-- 1 root root 1143 Jan 18  2016 audisp-prelude.conf
-rw-r--r-- 1 root root  714 Sep 16 13:51 audisp-remote.conf
drwxr-x--- 2 root root 4096 Sep 16 10:42 plugins.d
-rw-r--r-- 1 root root  246 Jan 18  2016 zos-remote.conf
root@dns:/etc#
root@dns:/etc# ls -l audisp/plugins.d/
total 20
-rw-r----- 1 root root 358 Jan 18  2016 af_unix.conf
-rw-r--r-- 1 root root 436 Jan 18  2016 audispd-zos-remote.conf
-rw-r--r-- 1 root root 280 Jan 18  2016 au-prelude.conf
-rw-r--r-- 1 root root 239 Sep 16 10:42 au-remote.conf
-rw-r----- 1 root root 453 Jan 18  2016 syslog.conf

Noticed that /etc/audit has a subdirectory rules.d - which again has another
audit.rules. (the contents of that file are pasted below)

cat /etc/audit/rules.d/audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page

Best Regards,
Rituraj B

On Sat, Sep 23, 2017 at 11:59 PM, Rituraj Buddhisagar <rituraj@vayana.com> wrote:
> Hi Steve,
>
> As per the config file which I had sent (/etc/audit/audit.rules); below
> line has root_action
>
> -a exit,always -S all -F euid=0 -F perm=wxa -F auid!=4294967295 -k root_action
>
> I do not see root_action anywhere else in /etc/audit/* and /etc/audisp/*
>
> Thanks!
>
> Best Regards,
> Rituraj B
>
> On Sat, Sep 23, 2017 at 11:46 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Saturday, September 23, 2017 10:08:40 AM EDT Rituraj Buddhisagar wrote:
> > > Continued...from previous mail of mine..
> > >
> > > While I am reading and exploring much on auditd & on how I can have a
> > > proper central system where logs are stored and daily reports get
> > > generated, you might want to look at my config file on server and
> > > suggest/recommend if anything - would appreciate if any pointers.
> > >
> > > I am using default config which came with Ubuntu 16.04 and only change
> > > was "-F auid!=4294967295" on line where root_action is defined .
> >
> > There is no rule, root_action, that is shipped with the audit package. I
> > would be interested in seeing it if you could copy and paste it into a reply.
> >
> > -Steve
> >
> > > On Sat, Sep 23, 2017 at 7:30 PM, Rituraj Buddhisagar <rituraj@vayana.com>
> > > wrote:
> > > > Hi Steve,
> > > >
> > > > Thanks for the response.
> > > >
> > > > Suppressing the events with -F auid!=4294967295 worked.
> > > >
> > > > I am seeing the events like "vi" "chmod" etc are getting audited by the
> > > > system - even as a root account.
> > > >
> > > > I am yet to understand fully though on various rule sets and also on
> > > > components like audisp / audisp-remote. So reading more ..
> > > >
> > > > Best Regards,
> > > > Rituraj B
> > > >
> > > > On Fri, Sep 22, 2017 at 10:17 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > > > > Hello,
> > > > >
> > > > > On Friday, September 22, 2017 1:09:19 AM EDT Rituraj Buddhisagar wrote:
> > > > > > I have a DNS server for which the auditd was generating lot of system
> > > > > > calls and flooding the logs.
> > > > > > Due to this the server was under heavy memory usage as audisp-remote
> > > > > > was hogging the memory. The log output for audisp-remote showed that
> > > > > > the syscall was 49. Then I got to know from ausyscall command that the
> > > > > > call number 49 corresponds to bind. Hence I have *excluded* the call
> > > > > > to "bind".
> > > > > >
> > > > > > I have put in below line in the /etc/audit/audit.rules
> > > > > >
> > > > > > -a exclude,always -S 49
> > > > > >
> > > > > > I have put the above line before section 10.2.2 which says "Feel free
> > > > > > to add below this line" (please note I am running Ubuntu 14.04 but I
> > > > > > suppose auditd implementation is same across board) .
> > > > >
> > > > > Also know that the rules are looked at from top to bottom with the
> > > > > first match winning. So, you would want this rule above whatever is
> > > > > causing events.
> > > > >
> > > > > > After the exclusion - I no more see the syscall=49 line in
> > > > > > /var/log/audit/audit.rules. So that's a success of sorts!
> > > > > >
> > > > > > *Problem/Issue/Query now*: After the exclusion, I do see audit events
> > > > > > for cron , sudo etc. But I do not see a call for "vi" file open mode
> > > > > > etc.
> > > > >
> > > > > I'd need to see the rules to figure out what's wrong, but I have some
> > > > > hints below...
> > > > >
> > > > > > *Background:*
> > > > > >
> > > > > > log output earlier which was flooding the logs and giving message
> > > > > > "*dns1 audisp-remote: message repeated 6613 times: [ queue is full -
> > > > > > dropping event"*
> > > > > >
> > > > > > *log:*
> > > > > > type=SYSCALL msg=audit(1506025977.586:46629194): arch=c000003e
> > > > > > syscall=49 success=yes exit=0 a0=3 a1=7ffe540ecf20 a2=c a3=0 items=0
> > > > > > ppid=22337 pid=22338 auid=4294967295 uid=0 gid=0 euid=0 suid=0
> > > > > > fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
> > > > > > comm="audisp-remote" exe="/sbin/audisp-remote" key="root_action"
> > > > >
> > > > > The main question is what is the root_action rule(s)? Normally we add
> > > > > a auid!=4294967295 to prevent daemons from causing events. Typically
> > > > > when it's desired to get root events, it means that you want to target
> > > > > _people_ running as root rather than normal system activity.
> > > > >
> > > > > > root@dns1:/tmp# ausyscall 49
> > > > > > bind
> > > > > >
> > > > > > I do see audit events for cron , sudo etc. But I do not see a call
> > > > > > for "vi" file open mode etc.
> > > > > >
> > > > > > Observation: I open file /etc/audit/audit.rules in vi editor and
> > > > > > then close it. Audit log does not show syscall=2
> > > > >
> > > > > If you were wanting to record writes to that, you would use a rule
> > > > > like this:
> > > > >
> > > > > -w /etc/audit/ -p wa
> > > > >
> > > > > > Earlier I used to see below output in logs, but I am not sure that
> > > > > > was for which file opened in vi editor.
> > > > > >
> > > > > > type=SYSCALL msg=audit(1506025995.825:46633170): arch=c000003e
> > > > > > syscall=2 success=yes exit=3 a0=5598f609a210 a1=200c1 a2=81a0 a3=0
> > > > > > items=2 ppid=21957 pid=22355 auid=1006 uid=0 gid=0 euid=0 suid=0
> > > > > > fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=361 comm="vi"
> > > > > > exe="/usr/bin/vim.basic" key="root_action"
> > > > >
> > > > > Typically, it's expected to look at events through ausearch. It
> > > > > groups the records into events. You can also use aureport to see
> > > > > summary information.
> > > > >
> > > > > > I did read a bit on auditd from below links. *Please let me know if
> > > > > > I am missing something or are the calls getting audited in an
> > > > > > expected way.*
> > > > > >
> > > > > > I went through below links; *would appreciate if someone can help
> > > > > > with any references which are more lucid with examples*:
> > > > > >
> > > > > > https://linux-audit.com/configuring-and-auditing-linux-systems-with-audit-daemon/
> > > > >
> > > > > I was not aware of that site. But some of the information appears to
> > > > > be dated. For example, telling people to use pam_tally2 when they
> > > > > should be using pam_faillock.
> > > > >
> > > > > > https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-system_auditing.html
> > > > > >
> > > > > > Furthermore, I would like to read much on audisp-remote to send all
> > > > > > these logs to a central server. I do not find any documentation on
> > > > > > that. I see discussion on net where people are using rsyslog instead
> > > > > > for that. Please help with references/links if any.
> > > > >
> > > > > Admittedly there is not much written. It is on my list of topics to
> > > > > blog about. But I haven't had time for blogging lately.
> > > > >
> > > > > -Steve
* Re: Excluding audit for BIND daemon
From: Steve Grubb @ 2017-09-23 18:54 UTC
To: Rituraj Buddhisagar; +Cc: linux-audit

Hello,

On Saturday, September 23, 2017 2:29:47 PM EDT Rituraj Buddhisagar wrote:
> As per the config file which I had sent (/etc/audit/audit.rules); below
> line has root_action
>
> -a exit,always -S all -F euid=0 -F perm=wxa -F auid!=4294967295 -k root_action

If you wanted just people and not daemons, then I would suggest changing the
rule to this:

-a exit,always -S all -F euid=0 -F auid>=1000 -F auid!=4294967295 -F key=root_action

However, that is likely to trigger way more events than you need. Because
this will trigger on every single syscall and slow down the system. What you
would normally want to know is which commands were run as root. A rule for
that would look like this:

-a exit,always -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -F key=root_action
-a exit,always -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -F key=root_action

Another approach would be to enable keystroke logging. This would involve
adding pam_audit_tty to the su and sudo pam configs. Use the default setting
shown in the pam man page. If you do this, then don't have the root_action
rule because you'll get double information.

And last bit of advice...there are pre-written rules that you can install.
On Fedora, they are located in /usr/share/doc/audit/rules/. There is a
README-rules file that explains how to use them.

-Steve

> I do not see root_action anywhere else in /etc/audit/* and /etc/audisp/*
>
> Thanks!
>
> Best Regards,
> Rituraj B
>
> On Sat, Sep 23, 2017 at 11:46 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Saturday, September 23, 2017 10:08:40 AM EDT Rituraj Buddhisagar wrote:
> > > Continued...from previous mail of mine..
> > >
> > > While I am reading and exploring much on auditd & on how I can have a
> > > proper central system where logs are stored and daily reports get
> > > generated, you might want to look at my config file on server and
> > > suggest/recommend if anything - would appreciate if any pointers.
> > >
> > > I am using default config which came with Ubuntu 16.04 and only change
> > > was "-F auid!=4294967295" on line where root_action is defined .
> >
> > There is no rule, root_action, that is shipped with the audit package. I
> > would be interested in seeing it if you could copy and paste it into a reply.
> >
> > -Steve
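The two rule shapes Steve gives in the message above (every syscall with euid=0 versus execve only, both gated on auid) and his earlier point that the kernel walks the rule list top to bottom with the first match winning can be checked without root or a running auditd. What follows is an added example written for this page, not code from the thread, from Steve, or from the audit package: a small Python evaluator that parses auditctl-style `-a exit,... -S ... -F ...` rules and applies them to constructed SYSCALL records modelled on the ones Rituraj posted. It models the exit list only; the exclude list, the `-F perm=wxa` syscall-class filter and 32-bit arch are not modelled, the syscall-number table covers only the three x86_64 calls named in the thread, and the record contents are made up for illustration.

```python
"""Added example (not from the thread or the audit package): evaluate
auditctl-style exit-filter rules against audit SYSCALL records offline.

Models the kernel's exit list only: rules are walked top to bottom and the
first rule whose syscall set and -F filters all match decides (always/never).
Not modelled: the exclude list, -F perm=... syscall classes, 32-bit arch.
"""
import re
import shlex

# x86_64 numbers for the three calls the thread names (cf. `ausyscall 49` -> bind).
SYSCALLS_B64 = {"bind": 49, "open": 2, "execve": 59}
AUID_UNSET = 4294967295  # (unsigned)-1: no login uid, i.e. a daemon, not a person

# Constructed SYSCALL records modelled on the ones posted in the thread (not real logs).
RECORDS = [
    'type=SYSCALL msg=audit(1506025977.586:1): arch=c000003e syscall=49 success=yes '
    'exit=0 auid=4294967295 uid=0 euid=0 comm="audisp-remote" exe="/sbin/audisp-remote"',
    'type=SYSCALL msg=audit(1506025995.825:2): arch=c000003e syscall=2 success=yes '
    'exit=3 auid=1006 uid=0 euid=0 comm="vi" exe="/usr/bin/vim.basic"',
    'type=SYSCALL msg=audit(1506025996.100:3): arch=c000003e syscall=59 success=yes '
    'exit=0 auid=1006 uid=0 euid=0 comm="chmod" exe="/bin/chmod"',
    'type=SYSCALL msg=audit(1506025997.000:4): arch=c000003e syscall=59 success=yes '
    'exit=0 auid=4294967295 uid=0 euid=0 comm="run-parts" exe="/bin/run-parts"',
    'type=SYSCALL msg=audit(1506025998.000:5): arch=c000003e syscall=59 success=yes '
    'exit=0 auid=1006 uid=1006 euid=1006 comm="ls" exe="/bin/ls"',
]

FILTER_RE = re.compile(r"^(\w+)(!=|>=|<=|=|>|<)(.+)$")
OPS = {
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b,
    ">": lambda a, b: a > b, "<": lambda a, b: a < b,
}


def _coerce(value):
    """Filter values and record fields compare numerically when both are ints."""
    try:
        return int(value)
    except ValueError:
        return value


def parse_record(line):
    """Split one record into a dict; arch is normalised to the b32/b64 names."""
    rec = {k: v.strip('"') for k, v in re.findall(r'(\w+)=("[^"]*"|\S+)', line)}
    rec["arch"] = "b64" if rec.get("arch") == "c000003e" else "b32"
    return rec


def parse_rule(text):
    """Parse '-a exit,always -S execve -F euid=0 ... -k key' into a dict."""
    rule = {"action": "always", "syscalls": None, "filters": [], "key": None}
    tokens = shlex.split(text)
    for opt, arg in zip(tokens[::2], tokens[1::2]):
        if opt == "-a":
            rule["action"] = "never" if "never" in arg.split(",") else "always"
        elif opt == "-S" and arg != "all":
            rule["syscalls"] = {SYSCALLS_B64[name] for name in arg.split(",")}
        elif opt == "-k":
            rule["key"] = arg
        elif opt == "-F":
            field, op, value = FILTER_RE.match(arg).groups()
            if field == "key":
                rule["key"] = value
            else:
                rule["filters"].append((field, OPS[op], _coerce(value)))
    return rule


def matches(rule, rec):
    """True when the syscall is in the rule's set and every -F filter holds."""
    if rule["syscalls"] is not None and int(rec["syscall"]) not in rule["syscalls"]:
        return False
    for field, op, wanted in rule["filters"]:
        actual = _coerce(rec.get(field, ""))
        if isinstance(actual, int) != isinstance(wanted, int) or not op(actual, wanted):
            return False
    return True


def first_match(rules, rec):
    """Kernel semantics: walk the list top to bottom, first matching rule wins."""
    return next((r for r in rules if matches(r, rec)), None)


def logged(rule_texts, lines=RECORDS):
    """Return 'comm:key' for every record the rule list would actually log."""
    rules = [parse_rule(t) for t in rule_texts]
    kept = []
    for line in lines:
        rec = parse_record(line)
        hit = first_match(rules, rec)
        if hit is not None and hit["action"] == "always":
            kept.append(f'{rec["comm"]}:{hit["key"]}')
    return kept


if __name__ == "__main__":
    broad = "-a exit,always -S all -F euid=0 -k root_action"
    with_auid = broad.replace("-k", "-F auid!=4294967295 -k")
    execve_only = ("-a exit,always -F arch=b64 -S execve -F euid=0 "
                   "-F auid>=1000 -F auid!=4294967295 -F key=root_action")
    print("no auid filter  :", logged([broad]))
    print("auid!=unset     :", logged([with_auid]))
    print("execve only     :", logged([execve_only]))
    # Order matters: a 'never' rule only suppresses bind() if it comes first.
    print("never bind first:", logged(["-a exit,never -S bind", broad]))
    print("never bind last :", logged([broad, "-a exit,never -S bind"]))
```

Run as a script it prints which of the five constructed records each rule list keeps: the auid filter alone is what drops the audisp-remote bind() storm (auid unset), the execve-only rule keeps just the command run as root by a logged-in user, and the same `never` rule suppresses bind() when placed first but not when placed after the broad rule. To try it on your own events, replace RECORDS with SYSCALL lines from `ausearch --raw`.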
Thread overview: 8+ messages
2017-09-22  5:09 Excluding audit for BIND daemon  Rituraj Buddhisagar
2017-09-22 16:47 ` Steve Grubb
2017-09-23 14:00   ` Rituraj Buddhisagar
2017-09-23 14:08     ` Rituraj Buddhisagar
2017-09-23 18:16       ` Steve Grubb
2017-09-23 18:29         ` Rituraj Buddhisagar
2017-09-23 18:40           ` Rituraj Buddhisagar
2017-09-23 18:54           ` Steve Grubb