From mboxrd@z Thu Jan  1 00:00:00 1970
From: Rituraj Buddhisagar <rituraj@vayana.com>
Subject: Excluding audit for BIND daemon
Date: Fri, 22 Sep 2017 10:39:19 +0530
Message-ID: <CAPHnQ1D+BD5mVXGjDFVGPLB7uu-ng1KrJK71eBeEDc=K0K4Dvg@mail.gmail.com>
Mime-Version: 1.0
Content-Type: multipart/mixed; boundary="===============3404421623438914708=="
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx10.extmail.prod.ext.phx2.redhat.com
	[10.5.110.39])
	by smtp.corp.redhat.com (Postfix) with ESMTPS id C6C4661F44
	for <linux-audit@redhat.com>; Fri, 22 Sep 2017 05:09:23 +0000 (UTC)
Received: from mail-qt0-f177.google.com (mail-qt0-f177.google.com
	[209.85.216.177])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(No client certificate requested)
	by mx1.redhat.com (Postfix) with ESMTPS id 5B81761462
	for <linux-audit@redhat.com>; Fri, 22 Sep 2017 05:09:21 +0000 (UTC)
Received: by mail-qt0-f177.google.com with SMTP id t46so50102qtj.2
	for <linux-audit@redhat.com>; Thu, 21 Sep 2017 22:09:21 -0700 (PDT)
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

--===============3404421623438914708==
Content-Type: multipart/alternative; boundary="001a1140d2b820b4840559c0369e"

--001a1140d2b820b4840559c0369e
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

Hi,

I have a DNS server for which the auditd was generating lot of system calls
and flooding the logs.
Due to this  the server was under heavy memory usage as audisp-remote was
hogging the memory.  The log output for audisp-remote showed that the
syscall was 49. Then I got to know from ausyscall command that the call
number 49 corresponds to bind. Hence I have *excluded* the call to "bind".

I have put in below line in the /etc/audit/audit.rules


*-a exclude,always -S 49*

I have put the above line before section 10.2.2 which says "Feel free to
add below this line" (please note I am running Ubuntu 14.04 but I suppose
auditd implementation is same across board) .

After the exclusion - I no more see the syscall=3D49 line in
/var/log/audit/audit.rules. So thats a success or sorts!

*Probem/Issue/Query now*: After the exclusion, I do see audit events for
cron , sudo etc. But I do not see a call for "vi" file open mode etc.

*Background:*

log output earlier which was flooding the logs and giving message " *dns1
audisp-remote: message repeated 6613 times: [ queue is full - dropping
event"*

*log:*
*type=3DSYSCALL msg=3Daudit(1506025977.586:46629194): arch=3Dc000003e sysca=
ll=3D49
success=3Dyes exit=3D0 a0=3D3 a1=3D7ffe540ecf20 a2=3Dc a3=3D0 items=3D0 ppi=
d=3D22337
pid=3D22338 auid=3D4294967295 uid=3D0 gid=3D0 euid=3D0 suid=3D0 fsuid=3D0 e=
gid=3D0 sgid=3D0
fsgid=3D0 tty=3D(none) ses=3D4294967295 comm=3D"audisp-remote"
exe=3D"/sbin/audisp-remote" key=3D"root_action"*

root@dns1:/tmp# ausyscall 49
*bind*


I do see audit events for cron , sudo etc. But I do not see a call for "vi"
file open mode etc.

Observation: I open file /etc/audit/audit.rules in vi editor and then close
it. Audit log does not show syscall=3D2

Earlier I used to see below output in logs, but I am not sure that was for
which file opened in vi editor.

*type=3DSYSCALL msg=3Daudit(1506025995.825:46633170): arch=3Dc000003e sysca=
ll=3D2
success=3Dyes exit=3D3 a0=3D5598f609a210 a1=3D200c1 a2=3D81a0 a3=3D0 items=
=3D2 ppid=3D21957
pid=3D22355 auid=3D1006 uid=3D0 gid=3D0 euid=3D0 suid=3D0 fsuid=3D0 egid=3D=
0 sgid=3D0 fsgid=3D0
tty=3Dpts0 ses=3D361 comm=3D"vi" exe=3D"/usr/bin/vim.basic" key=3D"root_act=
ion"*

I did read a bit on auditd from below links. *Please let me know if I am
missing something or are the calls getting audited in an expected way.*


I went through below links; *would appreciate if someone can help with any
references which are more lucid with example*s:

https://linux-audit.com/configuring-and-auditing-linux-systems-with-audit-d=
aemon/
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/ht=
ml/Security_Guide/chap-system_auditing.html

Furthermore, I would like to read much on audisp-remote to send all these
logs to a central server. I do not find any documentation on that. I see
discussion on net where people are using rsyslog instead for that. Please
help with references/links if any.

Thanks!


Best Regards,
Rituraj B

=E2=80=8B=E2=80=8B

=E2=80=8B=E2=80=8B

--001a1140d2b820b4840559c0369e
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><div class=3D"gmail_default" style=3D"font-family:verdana,=
sans-serif;font-size:small;color:rgb(32,18,77)">Hi,=C2=A0</div><div class=
=3D"gmail_default" style=3D"font-family:verdana,sans-serif;font-size:small;=
color:rgb(32,18,77)"><br></div><div class=3D"gmail_default" style=3D"font-f=
amily:verdana,sans-serif;font-size:small;color:rgb(32,18,77)">I have a DNS =
server for which the auditd was generating lot of system calls and flooding=
 the logs.</div><div class=3D"gmail_default" style=3D"font-family:verdana,s=
ans-serif;font-size:small;color:rgb(32,18,77)">Due to this =C2=A0the server=
 was under heavy memory usage as audisp-remote was hogging the memory.=C2=
=A0 The log output for audisp-remote showed that the syscall was 49. Then I=
 got to know from ausyscall command that the call number 49 corresponds to =
bind. Hence I have <b>excluded</b> the call to &quot;bind&quot;.</div><div =
class=3D"gmail_default" style=3D"font-family:verdana,sans-serif;font-size:s=
mall;color:rgb(32,18,77)"><br></div><div class=3D"gmail_default" style=3D"f=
ont-family:verdana,sans-serif;font-size:small;color:rgb(32,18,77)">I have p=
ut in below line in the /etc/audit/audit.rules</div><div class=3D"gmail_def=
ault" style=3D"font-family:verdana,sans-serif;font-size:small;color:rgb(32,=
18,77)"><br></div><div class=3D"gmail_default"><b><font color=3D"#20124d" f=
ace=3D"verdana, sans-serif"><i>-a exclude,always -S 49</i></font><br></b></=
div><div class=3D"gmail_default"><font color=3D"#20124d" face=3D"verdana, s=
ans-serif"><br></font></div><div class=3D"gmail_default"><font color=3D"#20=
124d" face=3D"verdana, sans-serif">I have put the above line before section=
 10.2.2 which says &quot;Feel free to add below this line&quot; (please not=
e I am running Ubuntu 14.04 but I suppose auditd implementation is same acr=
oss board) .</font></div><div class=3D"gmail_default"><font color=3D"#20124=
d" face=3D"verdana, sans-serif"><br></font></div><div class=3D"gmail_defaul=
t"><font color=3D"#20124d" face=3D"verdana, sans-serif">After the exclusion=
 - I no more see the syscall=3D49 line in /var/log/audit/audit.rules. So th=
ats a success or sorts!</font></div><div class=3D"gmail_default"><font colo=
r=3D"#20124d" face=3D"verdana, sans-serif"><br></font></div><div class=3D"g=
mail_default"><font color=3D"#20124d" face=3D"verdana, sans-serif"><b><u>Pr=
obem/Issue/Query now</u></b>: After the exclusion,=C2=A0</font><span style=
=3D"color:rgb(32,18,77);font-family:verdana,sans-serif">I do see audit even=
ts for cron , sudo etc. But I do not see a call for &quot;vi&quot; file ope=
n mode etc.</span></div><div class=3D"gmail_default"><span style=3D"color:r=
gb(32,18,77);font-family:verdana,sans-serif"><b><br></b></span></div><div c=
lass=3D"gmail_default"><span style=3D"color:rgb(32,18,77);font-family:verda=
na,sans-serif"><b><u>Background:</u></b></span></div><div class=3D"gmail_de=
fault"><font color=3D"#20124d" face=3D"verdana, sans-serif"><br></font></di=
v><div class=3D"gmail_default"><font color=3D"#20124d" face=3D"verdana, san=
s-serif">log output earlier which was flooding the logs and giving message =
&quot;=C2=A0<i>dns1 audisp-remote: message repeated 6613 times: [ queue is =
full - dropping event&quot;</i></font></div><div class=3D"gmail_default"><f=
ont color=3D"#20124d" face=3D"verdana, sans-serif"><br></font></div><div cl=
ass=3D"gmail_default"><font color=3D"#20124d" face=3D"verdana, sans-serif">=
<b><i>log:</i></b></font></div><div class=3D"gmail_default"><font face=3D"v=
erdana, sans-serif" color=3D"#0000ff"><i>type=3DSYSCALL msg=3Daudit(1506025=
977.586:46629194): arch=3Dc000003e <b>syscall=3D49</b> success=3Dyes exit=
=3D0 a0=3D3 a1=3D7ffe540ecf20 a2=3Dc a3=3D0 items=3D0 ppid=3D22337 pid=3D22=
338 auid=3D4294967295 uid=3D0 gid=3D0 euid=3D0 suid=3D0 fsuid=3D0 egid=3D0 =
sgid=3D0 fsgid=3D0 tty=3D(none) ses=3D4294967295 comm=3D&quot;audisp-remote=
&quot; exe=3D&quot;/sbin/audisp-remote&quot; key=3D&quot;root_action&quot;<=
/i><br></font></div><div class=3D"gmail_default"><font color=3D"#20124d" fa=
ce=3D"verdana, sans-serif"><br></font></div><div class=3D"gmail_default"><f=
ont color=3D"#20124d" face=3D"verdana, sans-serif"><div class=3D"gmail_defa=
ult">root@dns1:/tmp# ausyscall 49</div><div class=3D"gmail_default"><b>bind=
</b></div><div class=3D"gmail_default"><br></div><div class=3D"gmail_defaul=
t"><br></div></font></div><div class=3D"gmail_default"><font color=3D"#2012=
4d" face=3D"verdana, sans-serif">I do see audit events for cron , sudo etc.=
 But I do not see a call for &quot;vi&quot; file open mode etc.</font></div=
><div class=3D"gmail_default"><font color=3D"#20124d" face=3D"verdana, sans=
-serif"><br></font></div><div class=3D"gmail_default"><font color=3D"#20124=
d" face=3D"verdana, sans-serif">Observation: I open file /etc/audit/audit.r=
ules in vi editor and then close it. Audit log does not show syscall=3D2</f=
ont></div><div class=3D"gmail_default"><font color=3D"#20124d" face=3D"verd=
ana, sans-serif"><br></font></div><div class=3D"gmail_default"><font color=
=3D"#20124d" face=3D"verdana, sans-serif">Earlier I used to see below outpu=
t in logs, but I am not sure that was for which file opened in vi editor.</=
font></div><div class=3D"gmail_default"><font color=3D"#20124d" face=3D"ver=
dana, sans-serif"><br></font></div><div class=3D"gmail_default"><i><font co=
lor=3D"#0000ff">type=3DSYSCALL msg=3Daudit(1506025995.825:46633170): arch=
=3Dc000003e <b>syscall=3D2</b> success=3Dyes exit=3D3 a0=3D5598f609a210 a1=
=3D200c1 a2=3D81a0 a3=3D0 items=3D2 ppid=3D21957 pid=3D22355 auid=3D1006 ui=
d=3D0 gid=3D0 euid=3D0 suid=3D0 fsuid=3D0 egid=3D0 sgid=3D0 fsgid=3D0 tty=
=3Dpts0 ses=3D361 <b>comm=3D&quot;vi&quot;</b> exe=3D&quot;/usr/bin/vim.bas=
ic&quot; key=3D&quot;root_action&quot;</font></i></div><div class=3D"gmail_=
default"><font color=3D"#20124d" face=3D"verdana, sans-serif">=C2=A0=C2=A0<=
/font></div><div class=3D"gmail_default"><font color=3D"#20124d" face=3D"ve=
rdana, sans-serif">I did read a bit on auditd from below links. <b>Please l=
et me know if I am missing something or are the calls getting audited in an=
 expected way.</b></font></div><div class=3D"gmail_default" style=3D"font-f=
amily:verdana,sans-serif;font-size:small;color:rgb(32,18,77)"><br></div><di=
v class=3D"gmail_default" style=3D"font-family:verdana,sans-serif;font-size=
:small;color:rgb(32,18,77)"><br></div><div class=3D"gmail_default" style=3D=
"font-family:verdana,sans-serif;font-size:small;color:rgb(32,18,77)">I went=
 through below links; <u>would appreciate if someone can help with any refe=
rences which are more lucid with example</u>s:</div><div class=3D"gmail_def=
ault" style=3D"font-family:verdana,sans-serif;font-size:small;color:rgb(32,=
18,77)"><br></div><div class=3D"gmail_default" style=3D"font-family:verdana=
,sans-serif;font-size:small;color:rgb(32,18,77)"><div class=3D"gmail_defaul=
t"><a href=3D"https://linux-audit.com/configuring-and-auditing-linux-system=
s-with-audit-daemon/">https://linux-audit.com/configuring-and-auditing-linu=
x-systems-with-audit-daemon/</a></div><div class=3D"gmail_default"><a href=
=3D"https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/=
6/html/Security_Guide/chap-system_auditing.html">https://access.redhat.com/=
documentation/en-US/Red_Hat_Enterprise_Linux/6/html/Security_Guide/chap-sys=
tem_auditing.html</a></div><div class=3D"gmail_default"><br></div></div><di=
v class=3D"gmail_default" style=3D"font-family:verdana,sans-serif;font-size=
:small;color:rgb(32,18,77)">Furthermore, I would like to read much on audis=
p-remote to send all these logs to a central server. I do not find any docu=
mentation on that. I see discussion on net where people are using rsyslog i=
nstead for that. Please help with references/links if any.</div><div class=
=3D"gmail_default" style=3D"font-family:verdana,sans-serif;font-size:small;=
color:rgb(32,18,77)"><br></div><div class=3D"gmail_default" style=3D"font-f=
amily:verdana,sans-serif;font-size:small;color:rgb(32,18,77)">Thanks!</div>=
<div class=3D"gmail_default" style=3D"font-family:verdana,sans-serif;font-s=
ize:small;color:rgb(32,18,77)"><br></div><div class=3D"gmail_default" style=
=3D"font-family:verdana,sans-serif;font-size:small;color:rgb(32,18,77)"><br=
></div><div><div class=3D"gmail_signature"><div dir=3D"ltr"><div dir=3D"ltr=
"><div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><div =
dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"ltr"><div dir=3D"=
ltr"><div dir=3D"ltr"><div dir=3D"ltr"><table cellpadding=3D"0" cellspacing=
=3D"0" border=3D"0" style=3D"background:none;border-collapse:collapse;color=
:rgb(85,85,85);font-family:proxima-nova,&quot;Helvetica Neue&quot;,Helvetic=
a,Arial,sans-serif;font-size:16px;border:0px;margin:0px;padding:0px"><tbody=
><tr><td colspan=3D"2" style=3D"font-family:Arial,Helvetica,sans-serif;padd=
ing-bottom:5px"><font size=3D"2" color=3D"#0b5394">Best Regards,<br>Rituraj=
 B</font></td></tr><tr><td colspan=3D"2" style=3D"font-family:Arial,Helveti=
ca,sans-serif;color:rgb(38,56,119);font-size:12px"><div class=3D"gmail_defa=
ult" style=3D"font-family:verdana,sans-serif;font-size:small;color:rgb(32,1=
8,77);display:inline">=E2=80=8B=E2=80=8B</div><br></td></tr></tbody></table=
><div class=3D"gmail_default" style=3D"font-family:verdana,sans-serif;font-=
size:small;color:rgb(32,18,77);display:inline">=E2=80=8B=E2=80=8B</div></di=
v></div></div></div></div></div></div></div></div></div></div></div></div><=
/div></div>
</div>

--001a1140d2b820b4840559c0369e--


--===============3404421623438914708==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline


--===============3404421623438914708==--