From: Steve Grubb <sgrubb@redhat.com>
To: Amjad Gabbar <amjadgabbar11@gmail.com>
Cc: linux-audit@redhat.com
Subject: Re: Maximum Value for q_depth
Date: Tue, 21 Dec 2021 15:39:11 -0500
Message-ID: <4366969.LvFx2qVVIh@x2>
In-Reply-To: <CAJcJf=Qbu+qkO-4SNcpV-HybzOLmC3SUB4J1cX+Jpq-cHSx0Ag@mail.gmail.com>

Hello,

On Tuesday, December 21, 2021 12:55:47 AM EST Amjad Gabbar wrote:
> Based on our discussion above, I performed some analysis as to why we were
> seeing so many events. The reason seems to be due to the default rules
> being triggered every time a cron job runs. We have numerous cron jobs
> running per minute, as a result of which multiple different events (LOGIN,
> USER_END, CRED_DISP etc.) are generated each time a cron job runs. As we do
> not enable SELinux, disabling these things using subj_type=crond_t is not a
> viable option.
> 
> 1. I have tried the following way to exclude using msg_type and exe
> together and it seems to work.
> 
> -a exclude,always -F msgtype=MAC_IPSEC_EVENT -F exe=/usr/sbin/cron
> -a exclude,always -F msgtype=USER_AUTH -F exe=/usr/sbin/cron
> -a exclude,always -F msgtype=USER_ACCT -F exe=/usr/sbin/cron
> -a exclude,always -F msgtype=CRED_REFR -F exe=/usr/sbin/cron
> -a exclude,always -F msgtype=CRED_DISP -F exe=/usr/sbin/cron
> -a exclude,always -F msgtype=CRED_ACQ -F exe=/usr/sbin/cron
> -a exclude,always -F msgtype=USER_START -F exe=/usr/sbin/cron
> -a exclude,always -F msgtype=USER_END -F exe=/usr/sbin/cron
> -a exclude,always -F msgtype=SERVICE_START -F exe=/usr/sbin/cron
> 
> Just want to make sure there is nothing I am missing here and that this
> only excludes the msg types for the cron executable.

I think so. But it's easy enough to test. Just log in and see if you get any 
USER_START events from something other than cron.

> 2. Apart from these messages, there is a LOGIN message that gets generated
> each time a cron runs. Even though the LOGIN message in auditd does not
> have an exe field, the following statement surprisingly seems to be
> working.
> 
> -a exclude,always -F msgtype=LOGIN -F exe=/usr/sbin/cron
> 
> I can still see LOGIN messages for other users, but the cron LOGIN messages
> seem to be suppressed. Could you provide some detail as to how this is
> happening and whether this is the expected result?

It doesn't match against the text in the event. It matches against the 
process's attributes.

> 3. Is there a better way to suppress these cron messages that I am not
> considering apart from the SELinux option mentioned.

I think you found the best way for a non-selinux system. Back when it was 
documented that it could be suppressed by selinux type, audit by executable 
did not exist. But as you found, that is an effective way to get rid of the 
events.

I also think the cronie program might be a little more audit friendly. It 
does not call PAM for the system crontabs run under the root user. PAM is run 
only for the local crontab (i.e. the one edited by the crontab command) and, 
in the case of the system crontabs, only for jobs that are run under a non-root 
user.

-Steve
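As an added illustration (not part of the thread, and not audit's own code), the script below models the two points made above: the exclude rules quoted in the thread match on the emitting process's exe attribute rather than on text in the record, so a LOGIN record with no exe= field is still dropped when cron emitted it, and `surviving_records()` is the kind of after-the-fact check suggested for confirming that only cron's events disappear. The log lines, pids and the pid-to-exe table are constructed for the example.

```python
# Added example: simulates the kernel "exclude" filter for the rule set
# "-a exclude,always -F msgtype=<T> -F exe=/usr/sbin/cron". The decision
# uses the process attribute (here a constructed stand-in for /proc/<pid>/exe),
# never the record text, which is why a LOGIN record without exe= still matches.
import re

CRON_EXE = "/usr/sbin/cron"
# The msgtypes excluded in the thread, each paired with the cron executable.
EXCLUDE_RULES = {(t, CRON_EXE) for t in (
    "MAC_IPSEC_EVENT", "USER_AUTH", "USER_ACCT", "CRED_REFR", "CRED_DISP",
    "CRED_ACQ", "USER_START", "USER_END", "SERVICE_START", "LOGIN")}

# Constructed raw audit records (field layout follows audit.log). The LOGIN
# records deliberately carry no exe= field, as the poster observed.
SAMPLE_LOG = """\
type=LOGIN msg=audit(1640070900.101:2001): pid=4242 uid=0 old-auid=4294967295 auid=0 tty=(none) old-ses=4294967295 ses=77 res=1
type=USER_START msg=audit(1640070900.102:2002): pid=4242 uid=0 auid=0 ses=77 msg='op=PAM:session_open acct="root" exe="/usr/sbin/cron" hostname=? addr=? terminal=cron res=success'
type=USER_START msg=audit(1640070905.300:2003): pid=5151 uid=0 auid=1000 ses=78 msg='op=PAM:session_open acct="alice" exe="/usr/sbin/sshd" hostname=10.0.0.5 addr=10.0.0.5 terminal=ssh res=success'
type=LOGIN msg=audit(1640070905.299:2004): pid=5151 uid=0 old-auid=4294967295 auid=1000 tty=(none) old-ses=4294967295 ses=78 res=1
"""

# Constructed stand-in for the process attribute the kernel consults.
PROC_EXE = {4242: CRON_EXE, 5151: "/usr/sbin/sshd"}


def parse_record(line):
    """Return (msgtype, pid) from one raw audit record line."""
    mtype = re.match(r"type=(\S+)", line).group(1)
    pid = int(re.search(r"\bpid=(\d+)", line).group(1))
    return mtype, pid


def is_excluded(line, proc_exe=PROC_EXE):
    """True if the exclude rules would drop this record before it is logged."""
    mtype, pid = parse_record(line)
    return (mtype, proc_exe.get(pid, "")) in EXCLUDE_RULES


def surviving_records(log=SAMPLE_LOG, proc_exe=PROC_EXE):
    """(msgtype, exe) of the records that still reach the log after filtering."""
    kept = []
    for line in log.splitlines():
        if line and not is_excluded(line, proc_exe):
            mtype, pid = parse_record(line)
            kept.append((mtype, proc_exe.get(pid, "?")))
    return kept


if __name__ == "__main__":
    for rec in surviving_records():
        print(rec)  # only the sshd-originated USER_START and LOGIN remain
```

On a real host the equivalent check is to apply the rules, log in interactively, and confirm that USER_START and LOGIN records from non-cron executables are still present while the per-minute cron ones are gone.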


--
Linux-audit mailing list
Linux-audit@redhat.com
https://listman.redhat.com/mailman/listinfo/linux-audit

