adding rules
by Pittigher, Raymond - CS
OK, I can not find any documentation on auditing and/or using auditctl besides the man pages so I need to use this list
server. We run servers that are on a classified network and require auditing so the nisbom rules are loaded in the
servers. This causes huge log files, and I mean 12GB huge, too much to parse information quickly.
The file is full on entries with such things as the Backup Exec program that generates these:
type=SYSCALL msg=audit(1246316460.238:30532639): arch=c000003e syscall=2 success=no exit=-13 a0=3aaad4e8e0 a1=0 a2=0
a3=1 items=1 ppid=1 pid=19748 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
ses=4294967295 comm="beremote" exe="/opt/VRTSralus/bin/beremote" subj=system_u:system_r:initrc_t:s0 key="open"
type=CWD msg=audit(1246316460.238:30532639): cwd="/"
type=PATH msg=audit(1246316460.238:30532639): item=0 name="/tmp/filec5sswB" inode=17 dev=08:03 mode=060000 ouid=0 ogid=0
rdev=08:08 obj=system_u:object_r:tmp_t:s0
and also crond entries:
type=USER_ACCT msg=audit(1254500281.236:65937): user pid=17320 uid=0 auid=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron res=success)'
type=CRED_ACQ msg=audit(1254500281.240:65938): user pid=17320 uid=0 auid=4294967295
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?,
terminal=cron res=success)'
type=USER_START msg=audit(1254500281.248:65939): user pid=17320 uid=0 auid=0
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?,
addr=?, terminal=cron res=success)'
type=CRED_DISP msg=audit(1254500281.310:65940): user pid=17320 uid=0 auid=0
subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?,
terminal=cron res=success)'
type=USER_END msg=audit(1254500281.312:65941): user pid=17320 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023
msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
and also ntpd entries:
type=SYSCALL msg=audit(1222281403.726:1905): arch=40000003 syscall=124 success=yes exit=0 a0=9d6d60 a1=8 a2=9466f8
a3=9d6d60 items=0 ppid=1 pid=4897 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38
tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key="time-change"
I have the ntp stuff under control by removing the 2 lines in the audit.rules file but the other 2 have thousands of
entries per day. How do I not log those in the rules? I notice that they both have selinux sub fields
(subj=system_u:system_r:crond_t) but a rule created with
auditctl -A exit,never -F subj_user=system_u -F subj_role=system_r -F subj_type=crond_t
or any variation of does nothing. What can I read that would lead me in the right direction?
This e-mail and any files transmitted with it may be proprietary and are intended solely for the use of the individual or entity to whom they are addressed. If you have received this e-mail in error please notify the sender.
Please note that any views or opinions presented in this e-mail are solely those of the author and do not necessarily represent those of ITT Corporation. The recipient should check this e-mail and any attachments for the presence of viruses. ITT accepts no liability for any damage caused by any virus transmitted by this e-mail.
15 years, 2 months
- 2
- 1
audit-1.7.15 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- In audisp-remote, add a sigchld handler
- In auditd, check for duplicate remote connections before accepting
- Remove trailing ':' if any are at the end of acct fields in ausearch
- Update remote logging code to do better sanity check of data
- Fix audisp-prelude to prefer files if multiple path records are encountered
Audisp-remote was leaving zombie processes when one of the _action config
optins was set to exec. Auditd was also not checking for duplicate connections
from the same machine before accepting.
There were a couple networking packet length check problems reported by
Sebastian Krahmer of Suse. The most serious issue was in the gssapi code.
After checking with other distributions, none had enabled this code. So,
likely this is not a problem for most people. If you roll your own package and
enable gssapi support, it is recommended for you to upgrade. The main issue
was that the packet length from the network packet itself was not sanitized
before trusting. Its believed that this will eventually lead to a problem in
the kerberos libraries. A few other places in the code were found to be
trusting the packet length. Analysis found that nothing bad happens in these
other places. They would all eventually lead to a read of 0 length and auditd
will disconnect without logging the malicious event. It should be pointed out
that if you use remote logging, you want to specify the tcp_client_ports to be
< 1024 to make sure only processes with CAP_NET_BIND_SERVICE can send audit
events.
Ausearch now trims ':' from acct records in AUDIT_LOGIN events so that it can
be interpreted correctly, and the audisp-prelude plugin was chosing the first
audit record when multiple path records are in the same event. In many cases
this would be a directory, but we now look for the record who's mode field
indicates that the object is a file.
Please let me know if you run across any problems with this release.
-Steve
15 years, 2 months
- 1
- 0
audit-2.0.2 released
by Steve Grubb
Hi,
I've just released a new version of the audit daemon. It can be downloaded
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:
- If audisp-remote plugin has a queue at exit, use non-zero exit code
- Fix autrace to use the exit filter
- In audisp-remote, add a sigchld handler
- In auditd, check for duplicate remote connections before accepting
- Remove trailing ':' if any are at the end of acct fields in ausearch
- Update remote logging code to do better sanity check of data
- Fix audisp-prelude to prefer files if multiple path records are encountered
- Add libaudit.conf man page
This is a security and bug fix release. This release is mostly focused on
networking issues. The audisp-remote now bases its exit code on whether it had
records that could not be transferred to the aggregator. Audisp-remote was
also leaving zombie processes when one of the _action config optins was set to
exec. Auditd was also not checking for duplicate connections from the same
machine before accepting.
There were a couple networking packet length check problems reported by
Sebastian Krahmer of Suse. The most serious issue was in the gssapi code.
After checking with other distributions, none had enabled this code. So,
likely this is not a problem for most people. If you roll your own package and
enable gssapi support, it is recommended for you to upgrade. The main issue
was that the packet length from the network packet itself was not sanitized
before trusting. Its believed that this will eventually lead to a problem in
the kerberos libraries. A few other places in the code were found to be
trusting the packet length. Analysis found that nothing bad happens in these
other places. They would all eventually lead to a read of 0 length and auditd
will disconnect without logging the malicious event. It should be pointed out
that if you use remote logging, you want to specify the tcp_client_ports to be
< 1024 to make sure only processes with CAP_NET_BIND_SERVICE can send audit
events.
Other bugs fixed include fixing autrace to place audit rules on the exit filter,
trim ':' from acct records in AUDIT_LOGIN events so that it can be interpreted
correctly, and the audisp-prelude plugin was chosing the first audit record
when multiple path records are in the same event. In many cases this would be
a directory, but we now look for the record who's mode field indicates that the
object is a file.
Please let me know if you run across any problems with this release.
-Steve
15 years, 2 months
- 1
- 0