linux-audit.redhat.com archive mirror
* Question about excluding rules
@ 2020-02-20 23:36 Moshe Rechtman
  2020-02-20 23:36 ` Moshe Rechtman
                   ` (2 more replies)
  0 siblings, 3 replies; 16+ messages in thread
From: Moshe Rechtman @ 2020-02-20 23:36 UTC (permalink / raw)
  To: linux-audit


Hello Experts,

We have a big customer that is facing the following issue on RHEL 6.2.
As per customer request I've configured the following rules:

$ cat audit.rules

# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320

# Feel free to add below this line. See auditctl man page

-a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
-a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
-a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
-a exit,always -F arch=b32 -F euid>=500 -S execve -k useract


Audit started working as expected. Now the customer is asking to exclude/ignore
the following from the audit logs:

type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e
syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20
a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash"
key="rootact"
type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c"
a2=2F62696E2F70732061757877777777
type=CWD msg=audit(1581664357.597:257516):  cwd="/opt/microfocus/Discovery/bin"
type=PATH msg=audit(1581664357.597:257516): item=0 name="/bin/sh"
inode=398 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL
type=PATH msg=audit(1581664357.597:257516): item=1 name=(null)
inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL

type=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e syscall=59
success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2
ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps"
exe="/bin/ps" key="rootact"
type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps" a1="auxwwww"
type=CWD msg=audit(1581664357.601:257517):  cwd="/opt/microfocus/Discovery/bin"
type=PATH msg=audit(1581664357.601:257517): item=0 name="/bin/ps"
inode=1451 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL
type=PATH msg=audit(1581664357.601:257517): item=1 name=(null)
inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL

What would be the best way to exclude such audit?
Your help would be much appreciated.

Thanks in advance & kind regards,
Moshe

Moshe Rechtman
Technical Support Engineer
Red Hat Israel <https://www.redhat.com/>
34 Jerusalem rd. Ra'anana, 43501
mrechtma@redhat.com  T: +972-9-7692289  M: +972-54-4971516  F: +972-9-7692223

--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit


* Re: Question about excluding rules
  2020-02-20 23:36 Question about excluding rules Moshe Rechtman
  2020-02-20 23:36 ` Moshe Rechtman
@ 2020-02-20 23:41 ` Steve Grubb
  2020-02-20 23:41   ` Steve Grubb
  2020-02-21  0:04   ` Moshe Rechtman
  2020-02-20 23:48 ` Paul Moore
  2 siblings, 2 replies; 16+ messages in thread
From: Steve Grubb @ 2020-02-20 23:41 UTC (permalink / raw)
  To: linux-audit

On Thursday, February 20, 2020 6:36:46 PM EST Moshe Rechtman wrote:
> Hello Experts,
> 
> We have a big customer that is facing the following issue on RHEL 6.2.
> As per customer request I've configured the following rules:
> 
> $ cat audit.rules
> 
> # This file contains the auditctl rules that are loaded
> # whenever the audit daemon is started via the initscripts.
> # The rules are simply the parameters that would be passed
> # to auditctl.
> 
> # First rule - delete all
> -D
> 
> # Increase the buffers to survive stress events.
> # Make this bigger for busy systems
> -b 320
> 
> # Feel free to add below this line. See auditctl man page
> 
> -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
> -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
> -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
> -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
> 
> 
> Audit started working as expected. Now the customer is asking to exclude/ignore
> the following from the audit logs:
> 
> type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e
> syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20
> a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash"
> key="rootact"
> type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c"
> a2=2F62696E2F70732061757877777777
> type=CWD msg=audit(1581664357.597:257516): 
> cwd="/opt/microfocus/Discovery/bin" type=PATH
> msg=audit(1581664357.597:257516): item=0 name="/bin/sh" inode=398
> dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> nametype=NORMAL
> type=PATH msg=audit(1581664357.597:257516): item=1 name=(null)
> inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> nametype=NORMAL
> 
> type=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e syscall=59
> success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2
> ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps"
> exe="/bin/ps" key="rootact"
> type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps"
> a1="auxwwww" type=CWD msg=audit(1581664357.601:257517): 
> cwd="/opt/microfocus/Discovery/bin" type=PATH
> msg=audit(1581664357.601:257517): item=0 name="/bin/ps" inode=1451
> dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> nametype=NORMAL
> type=PATH msg=audit(1581664357.601:257517): item=1 name=(null)
> inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> nametype=NORMAL
> 
> What would be the best way to exclude such audit?
> Your help would be much appreciated.

What's objectionable about these events? The fact that it's got a key says 
they think they wanted it.

-Steve

* Re: Question about excluding rules
  2020-02-20 23:36 Question about excluding rules Moshe Rechtman
  2020-02-20 23:36 ` Moshe Rechtman
  2020-02-20 23:41 ` Steve Grubb
@ 2020-02-20 23:48 ` Paul Moore
  2020-02-20 23:48   ` Paul Moore
  2 siblings, 1 reply; 16+ messages in thread
From: Paul Moore @ 2020-02-20 23:48 UTC (permalink / raw)
  To: Moshe Rechtman; +Cc: linux-audit

On Thu, Feb 20, 2020 at 6:37 PM Moshe Rechtman <mrechtma@redhat.com> wrote:
> Hello Experts,
>
> We have a big customer that facing the following issue on RHEL 6.2.
> As per customer request I've configured the following rules ...

A few things: 1) please try to stick to only plaintext email on this
list (no html mail) 2) this mailing list is for the discussion and
development of the Linux audit subsystem in the upstream (or close to
upstream) code.  If you are looking for RHEL, or any other enterprise
Linux distro, support please use the appropriate support channels.

Thank you.

-- 
paul moore
www.paul-moore.com

* Re: Question about excluding rules
  2020-02-20 23:41 ` Steve Grubb
  2020-02-20 23:41   ` Steve Grubb
@ 2020-02-21  0:04   ` Moshe Rechtman
  2020-02-21  0:04     ` Moshe Rechtman
  2020-02-21  0:27     ` Steve Grubb
  1 sibling, 2 replies; 16+ messages in thread
From: Moshe Rechtman @ 2020-02-21  0:04 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit


Hello Steve,

Thanks for the quick response.
Those particular logs are generated by a third-party monitoring application
named Microfocus, which keeps on running the "ps -auxwwww" command and quickly
filling up the audit log.

Please advise.

Thanks in advance,
Kind regards,
Moshe



On Fri, Feb 21, 2020, 01:41, Steve Grubb <sgrubb@redhat.com> wrote:

> On Thursday, February 20, 2020 6:36:46 PM EST Moshe Rechtman wrote:
> > Hello Experts,
> >
> > We have a big customer that is facing the following issue on RHEL 6.2.
> > As per customer request I've configured the following rules:
> >
> > $ cat audit.rules
> >
> > # This file contains the auditctl rules that are loaded
> > # whenever the audit daemon is started via the initscripts.
> > # The rules are simply the parameters that would be passed
> > # to auditctl.
> >
> > # First rule - delete all
> > -D
> >
> > # Increase the buffers to survive stress events.
> > # Make this bigger for busy systems
> > -b 320
> >
> > # Feel free to add below this line. See auditctl man page
> >
> > -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
> > -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
> > -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
> > -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
> >
> >
> > Audit started working as expected. Now the customer is asking to exclude/ignore
> > the following from the audit logs:
> >
> > type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e
> > syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20
> > a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266
> > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash"
> > key="rootact"
> > type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c"
> > a2=2F62696E2F70732061757877777777
> > type=CWD msg=audit(1581664357.597:257516):
> > cwd="/opt/microfocus/Discovery/bin" type=PATH
> > msg=audit(1581664357.597:257516): item=0 name="/bin/sh" inode=398
> > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > nametype=NORMAL
> > type=PATH msg=audit(1581664357.597:257516): item=1 name=(null)
> > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > nametype=NORMAL
> >
> > type=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e syscall=59
> > success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2
> > ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps"
> > exe="/bin/ps" key="rootact"
> > type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps"
> > a1="auxwwww" type=CWD msg=audit(1581664357.601:257517):
> > cwd="/opt/microfocus/Discovery/bin" type=PATH
> > msg=audit(1581664357.601:257517): item=0 name="/bin/ps" inode=1451
> > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > nametype=NORMAL
> > type=PATH msg=audit(1581664357.601:257517): item=1 name=(null)
> > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > nametype=NORMAL
> >
> > What would be the best way to exclude such audit?
> > Your help would be much appreciated.
>
> What's objectionable about these events? The fact that it's got a key says
> they think they wanted it.
>
> -Steve

* Re: Question about excluding rules
  2020-02-21  0:04   ` Moshe Rechtman
  2020-02-21  0:04     ` Moshe Rechtman
@ 2020-02-21  0:27     ` Steve Grubb
  2020-02-21  0:27       ` Steve Grubb
  2020-02-21  7:32       ` Moshe Rechtman
  1 sibling, 2 replies; 16+ messages in thread
From: Steve Grubb @ 2020-02-21  0:27 UTC (permalink / raw)
  To: Moshe Rechtman; +Cc: linux-audit

Hello,

On Thursday, February 20, 2020 7:04:37 PM EST Moshe Rechtman wrote:
> Those particular logs generated by a third party monitoring application
> named Microfocus, which keeps on running "ps -auxwwww" command and filling
> up quickly the audit log.

It looks like this is a daemon since auid is -1. So, I'd suggest that the 
rule be something like:

-a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact

This will not filter just that one item, it will filter all execution by all 
daemons.

-Steve

> > On Thursday, February 20, 2020 6:36:46 PM EST Moshe Rechtman wrote:
> > > $ cat audit.rules
> > > 
> > > # This file contains the auditctl rules that are loaded
> > > # whenever the audit daemon is started via the initscripts.
> > > # The rules are simply the parameters that would be passed
> > > # to auditctl.
> > > 
> > > # First rule - delete all
> > > -D
> > > 
> > > # Increase the buffers to survive stress events.
> > > # Make this bigger for busy systems
> > > -b 320
> > > 
> > > # Feel free to add below this line. See auditctl man page
> > > 
> > > -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
> > > -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
> > > -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
> > > -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
> > > 
> > > 
> > > Audit started working as expected. Now the customer is asking to
> > > exclude/ignore the following from the audit logs:
> > > 
> > > type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e
> > > syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20
> > > a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266
> > > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > > fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash"
> > > key="rootact"
> > > type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c"
> > > a2=2F62696E2F70732061757877777777
> > > type=CWD msg=audit(1581664357.597:257516):
> > > cwd="/opt/microfocus/Discovery/bin" type=PATH
> > > msg=audit(1581664357.597:257516): item=0 name="/bin/sh" inode=398
> > > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > > nametype=NORMAL
> > > type=PATH msg=audit(1581664357.597:257516): item=1 name=(null)
> > > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > > nametype=NORMAL
> > > 
> > > type=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e syscall=59
> > > success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2
> > > ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps"
> > > exe="/bin/ps" key="rootact"
> > > type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps"
> > > a1="auxwwww" type=CWD msg=audit(1581664357.601:257517):
> > > cwd="/opt/microfocus/Discovery/bin" type=PATH
> > > msg=audit(1581664357.601:257517): item=0 name="/bin/ps" inode=1451
> > > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > > nametype=NORMAL
> > > type=PATH msg=audit(1581664357.601:257517): item=1 name=(null)
> > > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > > nametype=NORMAL
> > > 
> > > What would be the best way to exclude such audit?
> > > Your help would be much appreciated.
> > 
> > What's objectionable about these events? The fact that it's got a key says
> > they think they wanted it.
> > 
> > -Steve
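As an added illustration (my own code, not anything posted in this thread or shipped with the audit project) of what Steve's suggestion does to the events Moshe posted: the script below groups raw audit records by serial number, decodes the hex-encoded EXECVE argument (the a2 value in the first event is "/bin/ps auxwwww"), and emulates the execve rule with and without the extra auid!=unset condition. The sample input is constructed: the two events from the thread, trimmed to the fields the script needs, plus a made-up third event from a logged-in root session (auid=500) that the filtered rule still keeps. The numeric value 4294967295 is the unset (-1) login UID exactly as it appears in the posted records.

```python
# Added example (not from the thread): group raw audit records into events,
# decode the hex-encoded EXECVE argument, and emulate the effect of adding
# `-F auid!=unset` to the execve rule. The unset ("-1") login UID appears in
# the logged records as auid=4294967295, which is the value used here.
import re
from collections import defaultdict

UNSET_AUID = 4294967295  # auid of processes with no login session (daemons)

# Constructed sample input: the two events from the thread, trimmed to the
# fields this script needs, plus a constructed third event from an
# interactive root session (auid=500, ses=3) to show what still gets logged.
SAMPLE = """\
type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e syscall=59 success=yes exit=0 ppid=3350 pid=59266 auid=4294967295 uid=0 euid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash" key="rootact"
type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c" a2=2F62696E2F70732061757877777777
type=CWD msg=audit(1581664357.597:257516):  cwd="/opt/microfocus/Discovery/bin"
type=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e syscall=59 success=yes exit=0 ppid=3350 pid=59266 auid=4294967295 uid=0 euid=0 tty=(none) ses=4294967295 comm="ps" exe="/bin/ps" key="rootact"
type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps" a1="auxwwww"
type=SYSCALL msg=audit(1581664400.100:257600): arch=c000003e syscall=59 success=yes exit=0 ppid=2100 pid=2155 auid=500 uid=0 euid=0 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" key="rootact"
type=EXECVE msg=audit(1581664400.100:257600): argc=1 a0="id"
"""

MSG_RE = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
# A value is either "quoted", (parenthesised), or a bare token such as a hex blob.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_records(text):
    """Return (record_type, serial, raw_fields) for each line carrying a msg=audit() stamp."""
    out = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if m is None:
            continue
        fields = {k: v for k, v in FIELD_RE.findall(line) if k != "msg"}
        out.append((fields["type"], int(m.group(2)), fields))
    return out


def group_events(records):
    """Records sharing a serial number belong to one event; index them by record type."""
    events = defaultdict(dict)
    for rtype, serial, fields in records:
        events[serial][rtype] = fields
    return dict(events)


def decode_arg(raw):
    """auditd quotes printable arguments and hex-encodes anything containing
    whitespace or control bytes, which is why a2 in the sample is a hex blob."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1]
    return bytes.fromhex(raw).decode("utf-8", "replace")


def command_line(event):
    """Reconstruct argv from the EXECVE record, or '' if the event has none."""
    ex = event.get("EXECVE")
    if ex is None:
        return ""
    return " ".join(decode_arg(ex[f"a{i}"]) for i in range(int(ex["argc"])))


def matches_rule(event, exclude_unset_auid):
    """Emulate `-a exit,always -F arch=b64 -F euid=0 -S execve` (syscall 59 is
    execve on x86_64), optionally with the extra `-F auid!=unset` condition."""
    sc = event.get("SYSCALL")
    if sc is None or sc["arch"] != "c000003e" or sc["syscall"] != "59":
        return False
    if sc["euid"] != "0":
        return False
    if exclude_unset_auid and int(sc["auid"]) == UNSET_AUID:
        return False
    return True


def logged_events(text, exclude_unset_auid):
    """Return (serial, auid, command line) for every event the rule would log."""
    events = group_events(parse_records(text))
    return [
        (serial, int(ev["SYSCALL"]["auid"]), command_line(ev))
        for serial, ev in sorted(events.items())
        if matches_rule(ev, exclude_unset_auid)
    ]


if __name__ == "__main__":
    for label, flag in (("original rule", False), ("with auid!=unset", True)):
        print(f"{label}:")
        for serial, auid, cmd in logged_events(SAMPLE, flag):
            print(f"  serial={serial} auid={auid} cmd={cmd!r}")
```

Run it as a script to print both views side by side: with the original rule all three events are logged, and with the auid condition only the event from the logged-in session survives, which is exactly the trade-off Steve describes (every daemon's execve disappears, not just the monitoring agent's). The script only reproduces the arch/euid/auid part of the kernel filter; the b32 rule and key handling are outside its scope.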

* Re: Question about excluding rules
  2020-02-21  0:27     ` Steve Grubb
  2020-02-21  0:27       ` Steve Grubb
@ 2020-02-21  7:32       ` Moshe Rechtman
  2020-02-21  7:32         ` Moshe Rechtman
  2020-02-21 13:53         ` Steve Grubb
  1 sibling, 2 replies; 16+ messages in thread
From: Moshe Rechtman @ 2020-02-21  7:32 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit


Hello Steve,

Thanks so much for your help! I've included your suggested filter in
audit.rules as shown below:

# cat audit.rules1

      1 # This file contains the auditctl rules that are loaded
      2 # whenever the audit daemon is started via the initscripts.
      3 # The rules are simply the parameters that would be passed
      4 # to auditctl.
      5 # First rule - delete all
      6 -D
      7 # Increase the buffers to survive stress events.
      8 # Make this bigger for busy systems
      9 -b 320
     10 ### Feel free to add below this line. See auditctl man page
     11 -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
     12 -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
     13 -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
     14 -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
     15 -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact
     16 -a exit,always -F arch=b32 -F euid=0 -F auid!=unset -S execve -k rootact

After restarting the auditd service, the following error was received:

# service auditd restart
Stopping auditd:                                           [  OK  ]
Starting auditd:                                           [  OK  ]
Unknown user: unset
-F unknown field: auid
There was an error in line 15 of /etc/audit/audit.rules

# auditctl -l
LIST_RULES: exit,always arch=3221225534 (0xc000003e) euid=0 key=rootact
syscall=execve
LIST_RULES: exit,always arch=1073741827 (0x40000003) euid=0 key=rootact
syscall=execve
LIST_RULES: exit,always arch=3221225534 (0xc000003e) euid>=500 (0x1f4)
key=useract syscall=execve
LIST_RULES: exit,always arch=1073741827 (0x40000003) euid>=500 (0x1f4)
key=useract syscall=execve

# auditctl -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact
Unknown user: unset
-F unknown field: auid

Your advice would be much appreciated.

Many thanks,

Kind regards,
Moshe

Moshe Rechtman

Technical Support Engineer

Red Hat Israel <https://www.redhat.com/>

34 Jerusalem rd. Ra'anana, 43501

mrechtma@redhat.com <kweg@redhat.com>   T: +972-9-7692289
M: +972-54-4971516   F: +972-9-7692223
@RedHat <https://twitter.com/redhat>   Red Hat
<https://www.linkedin.com/company/red-hat>  Red Hat
<https://www.facebook.com/RedHatInc>
<https://red.ht/sig>


On Fri, Feb 21, 2020 at 2:27 AM Steve Grubb <sgrubb@redhat.com> wrote:

> Hello,
>
> On Thursday, February 20, 2020 7:04:37 PM EST Moshe Rechtman wrote:
> > Those particular logs are generated by a third party monitoring application
> > named Microfocus, which keeps running the "ps -auxwwww" command and quickly
> > filling up the audit log.
>
> It looks like this is a daemon since auid is -1. So, I'd suggest that the
> rule be something like:
>
> -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact
>
> This will not filter just that one item, it will filter all execution by all
> daemons.
>
> -Steve
>
> > > On Thursday, February 20, 2020 6:36:46 PM EST Moshe Rechtman wrote:
> > > > $ cat audit.rules
> > > >
> > > > # This file contains the auditctl rules that are loaded
> > > > # whenever the audit daemon is started via the initscripts.
> > > > # The rules are simply the parameters that would be passed
> > > > # to auditctl.
> > > >
> > > > # First rule - delete all
> > > > -D
> > > >
> > > > # Increase the buffers to survive stress events.
> > > > # Make this bigger for busy systems
> > > > -b 320
> > > >
> > > > # Feel free to add below this line. See auditctl man page
> > > >
> > > > -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
> > > > -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
> > > > -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
> > > > -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
> > > >
> > > >
> > > > Audit start working as expected. Now customer is asking to
> > > > exclude/ignore the following from audit logs:
> > > >
> > > > type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e
> > > > syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20
> > > > a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266
> > > > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > > > fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash"
> > > > key="rootact"
> > > > type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c"
> > > > a2=2F62696E2F70732061757877777777
> > > > type=CWD msg=audit(1581664357.597:257516):
> > > > cwd="/opt/microfocus/Discovery/bin" type=PATH
> > > > msg=audit(1581664357.597:257516): item=0 name="/bin/sh" inode=398
> > > > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > > > nametype=NORMAL
> > > > type=PATH msg=audit(1581664357.597:257516): item=1 name=(null)
> > > > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > > > nametype=NORMAL
> > > >
> > > > ype=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e syscall=59
> > > > success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2
> > > > ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > > > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps"
> > > > exe="/bin/ps" key="rootact"
> > > > type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps"
> > > > a1="auxwwww" type=CWD msg=audit(1581664357.601:257517):
> > > > cwd="/opt/microfocus/Discovery/bin" type=PATH
> > > > msg=audit(1581664357.601:257517): item=0 name="/bin/ps" inode=1451
> > > > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > > > nametype=NORMAL
> > > > type=PATH msg=audit(1581664357.601:257517): item=1 name=(null)
> > > > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > > > nametype=NORMAL
> > > >
> > > > What would be the best way to exclude such audit?
> > > > Your help would be much appreciated.
> > >
> > > What's objectionable about these events? The fact that it's got a key says
> > > they think they wanted it.
> > >
> > > -Steve
>
>
>
>
>


* Re: Question about excluding rules
  2020-02-21  7:32       ` Moshe Rechtman
  2020-02-21  7:32         ` Moshe Rechtman
@ 2020-02-21 13:53         ` Steve Grubb
  2020-02-21 13:53           ` Steve Grubb
  2020-02-24  0:27           ` Moshe Rechtman
  1 sibling, 2 replies; 16+ messages in thread
From: Steve Grubb @ 2020-02-21 13:53 UTC (permalink / raw)
  To: Moshe Rechtman; +Cc: linux-audit

On Friday, February 21, 2020 2:32:58 AM EST Moshe Rechtman wrote:
> Thanks so much for your help! I've included your suggested filter in
> audit.rules as shown below:
> 
> # cat audit.rules1
> 
>       1 # This file contains the auditctl rules that are loaded
>       2 # whenever the audit daemon is started via the initscripts.
>       3 # The rules are simply the parameters that would be passed
>       4 # to auditctl.
>       5 # First rule - delete all
>       6 -D
>       7 # Increase the buffers to survive stress events.
>       8 # Make this bigger for busy systems
>       9 -b 320
>      10 ### Feel free to add below this line. See auditctl man page
>      11 -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
>      12 -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
>      13 -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
>      14 -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
>      15 -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact
>      16 -a exit,always -F arch=b32 -F euid=0 -F auid!=unset -S execve -k rootact

It won't work this way. You now have 2 sets of rootact. The audit rule engine
is first match wins. So, this second set of rules will never trigger. The
rule I mentioned was supposed to replace the rule in the list.

> After restarting the auditd service following error received:
> 
> # service auditd restart
> Stopping auditd:                                           [  OK  ]
> Starting auditd:                                           [  OK  ]
> Unknown user: unset
> -F unknown field: auid

OK. I guess this is really old. Then make it auid=-1

-Steve


* Re: Question about excluding rules
  2020-02-21 13:53         ` Steve Grubb
  2020-02-21 13:53           ` Steve Grubb
@ 2020-02-24  0:27           ` Moshe Rechtman
  2020-02-24  0:27             ` Moshe Rechtman
  1 sibling, 1 reply; 16+ messages in thread
From: Moshe Rechtman @ 2020-02-24  0:27 UTC (permalink / raw)
  To: Steve Grubb; +Cc: linux-audit



Hello Steve,

Thanks so much for your help, I've modified audit.rules as per your
recommendation:
# cat audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
#-b 32768

# Feel free to add below this line. See auditctl man page

-a exit,always -F arch=b64 -F euid=0 -F auid=-1 -S execve -k rootact

# auditctl -l
LIST_RULES: exit,always arch=3221225534 (0xc000003e) euid=0 auid=-1
(0xffffffff) key=rootact syscall=execve

With the above settings, audit stopped logging all root commands!
Any recommendations/suggestions would be appreciated.

Kind regards,
Moshe


Moshe Rechtman

Technical Support Engineer

Red Hat Israel <https://www.redhat.com/>

34 Jerusalem rd. Ra'anana, 43501

mrechtma@redhat.com <kweg@redhat.com>   T: +972-9-7692289
M: +972-54-4971516   F: +972-9-7692223
@RedHat <https://twitter.com/redhat>   Red Hat
<https://www.linkedin.com/company/red-hat>  Red Hat
<https://www.facebook.com/RedHatInc>
<https://red.ht/sig>


On Fri, Feb 21, 2020 at 3:53 PM Steve Grubb <sgrubb@redhat.com> wrote:

> On Friday, February 21, 2020 2:32:58 AM EST Moshe Rechtman wrote:
> > Thanks so much for your help! I've included your suggested filter in
> > audit.rules as shown below:
> >
> > # cat audit.rules1
> >
> >       1 # This file contains the auditctl rules that are loaded
> >       2 # whenever the audit daemon is started via the initscripts.
> >       3 # The rules are simply the parameters that would be passed
> >       4 # to auditctl.
> >       5 # First rule - delete all
> >       6 -D
> >       7 # Increase the buffers to survive stress events.
> >       8 # Make this bigger for busy systems
> >       9 -b 320
> >      10 ### Feel free to add below this line. See auditctl man page
> >      11 -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
> >      12 -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
> >      13 -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
> >      14 -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
> >      15 -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact
> >      16 -a exit,always -F arch=b32 -F euid=0 -F auid!=unset -S execve -k rootact
>
> It won't work this way. You now have 2 sets of rootact. The audit rule
> engine is first match wins. So, this second set of rules will never trigger.
> The rule I mentioned was supposed to replace the rule in the list.
>
> > After restarting the auditd service following error received:
> >
> > # service auditd restart
> > Stopping auditd:                                           [  OK  ]
> > Starting auditd:                                           [  OK  ]
> > Unknown user: unset
> > -F unknown field: auid
>
> OK. I guess this is really old. Then make it auid=-1
>
> -Steve
>
>
>
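Both symptoms in this thread (the duplicated rootact set that never fires, and the auid=-1 rule that silences interactive root commands while the daemon's ps is still logged) follow from top-down, first-match evaluation of the -F tests. The Python model below is an added example, not code from auditd or from anyone on the list; it assumes a simplified event with only the arch, syscall, euid and auid fields, uses constructed records shaped like the quoted ps event, and writes Steve's auid!=unset as auid!=-1 on the assumption that this is the substitution his "make it auid=-1" reply asks for.

```python
# Toy model of the audit exit filter's first-match rule evaluation.
# Added illustration for the thread above, not code from auditd or the list:
# it parses the quoted '-a exit,always -F ... -S execve -k key' rule lines
# and evaluates them top-down against constructed execve records.
import operator
import re

# The kernel logs an unset login uid as 4294967295 (the auid in the quoted
# ps record); auditctl accepts -1 on the command line to mean that value.
UNSET_AUID = 4294967295

_OPS = {"!=": operator.ne, ">=": operator.ge, "<=": operator.le,
        "=": operator.eq, ">": operator.gt, "<": operator.lt}
_FIELD_RE = re.compile(r"^(\w+)(!=|>=|<=|=|>|<)(-?\w+)$")


def _value(field, raw):
    """Rule values: arch stays symbolic (b64/b32); auid -1 means unset."""
    if field == "arch":
        return raw
    n = int(raw)
    return UNSET_AUID if field == "auid" and n == -1 else n


def parse_rule(line):
    """Parse one rule line into its -F tests, its syscalls and its -k key."""
    toks = line.split()
    rule = {"filters": [], "syscalls": set(), "key": None}
    for opt, arg in zip(toks[::2], toks[1::2]):   # options come in pairs here
        if opt == "-F":
            m = _FIELD_RE.match(arg)
            if not m:
                raise ValueError("unsupported -F test: %s" % arg)
            field, op, raw = m.groups()
            rule["filters"].append((field, op, _value(field, raw)))
        elif opt == "-S":
            rule["syscalls"].add(arg)
        elif opt == "-k":
            rule["key"] = arg
        elif opt != "-a":                          # '-a exit,always' assumed
            raise ValueError("unsupported option: %s" % opt)
    return rule


def matches(rule, event):
    """True when the syscall and every -F test of the rule hold for the event."""
    if event["syscall"] not in rule["syscalls"]:
        return False
    return all(_OPS[op](event[field], val) for field, op, val in rule["filters"])


def first_match(rule_lines, event):
    """First match wins: (index, key) of the rule deciding the event, or None."""
    rules = [parse_rule(l) for l in rule_lines if l.lstrip().startswith("-a")]
    for idx, rule in enumerate(rules):
        if matches(rule, event):
            return idx, rule["key"]
    return None


# Constructed records shaped like the events quoted in the thread.
DAEMON_PS = {"arch": "b64", "syscall": "execve", "euid": 0, "auid": UNSET_AUID}
ROOT_SHELL = {"arch": "b64", "syscall": "execve", "euid": 0, "auid": 500}  # logged in as 500, now root
USER_CMD = {"arch": "b64", "syscall": "execve", "euid": 500, "auid": 500}

# Rule sets from the thread; auid!=unset is written as auid!=-1 (assumption:
# that is the substitution Steve's "make it auid=-1" reply asks for).
RULES_DUPLICATED = [
    "-a exit,always -F arch=b64 -F euid=0 -S execve -k rootact",
    "-a exit,always -F arch=b32 -F euid=0 -S execve -k rootact",
    "-a exit,always -F arch=b64 -F euid>=500 -S execve -k useract",
    "-a exit,always -F arch=b32 -F euid>=500 -S execve -k useract",
    "-a exit,always -F arch=b64 -F euid=0 -F auid!=-1 -S execve -k rootact",
    "-a exit,always -F arch=b32 -F euid=0 -F auid!=-1 -S execve -k rootact",
]
RULES_AUID_EQ = ["-a exit,always -F arch=b64 -F euid=0 -F auid=-1 -S execve -k rootact"]
RULES_AUID_NE = ["-a exit,always -F arch=b64 -F euid=0 -F auid!=-1 -S execve -k rootact"]

if __name__ == "__main__":
    for name, rules in (("duplicated", RULES_DUPLICATED), ("auid=-1", RULES_AUID_EQ),
                        ("auid!=-1", RULES_AUID_NE)):
        for ev_name, ev in (("daemon ps", DAEMON_PS), ("root shell", ROOT_SHELL),
                            ("user cmd", USER_CMD)):
            print("%-10s %-10s -> %s" % (name, ev_name, first_match(rules, ev)))
```

With the duplicated set, every root exec is decided by rule 0 and rules 4 and 5 are never reached; with auid=-1 only the daemon is logged, and with auid!=-1 only execs traceable to a login session are.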

