Re: [PATCHv2] netfilter: audit target to record accepted/dropped packets
by Eric Paris
On Fri, Jan 14, 2011 at 2:18 PM, Jan Engelhardt <jengelh(a)medozas.de> wrote:
> (The reason for audit's existence still eludes me..)
audit exists because a very large number of gov't customers (Not just
USA) have special requirements about how 'relevant' information is
gathered and stored. They require centralization and standardization
and require pretty formal documentation describing its operation.
The gov't certification authority has recently added a requirement
that they be able to log 'illegal attempted network connections' via
the approved audit facility. Thus, this patch.
-Eric
Re: [PATCH] netfilter: audit target to record accepted/dropped packets
by Eric Paris
On Fri, Jan 14, 2011 at 10:20 AM, Thomas Graf <tgraf(a)infradead.org> wrote:
> This patch adds a new netfilter target which creates audit records
> for packets traversing a certain chain.
>
> It can be used to record packets which are rejected administratively
> as follows:
>
> -N AUDIT_DROP
> -A AUDIT_DROP -j AUDIT --type DROP
> -A AUDIT_DROP -j DROP
>
> a rule which would typically drop or reject a packet would then
> invoke the new chain to record packets before dropping them.
>
> -j AUDIT_DROP
>
> The module is protocol independent and works for iptables, ip6tables
> and ebtables.
>
> The following information is logged:
> - netfilter hook
> - packet length
> - incoming/outgoing interface
> - MAC src/dst/proto for ethernet packets
> - src/dst/protocol address for IPv4/IPv6
> - src/dst port for TCP/UDP/UDPLITE
> - icmp type/code
>
> Cc: Patrick McHardy <kaber(a)trash.net>
> Cc: Eric Paris <eparis(a)parisplace.org>
> Cc: Al Viro <viro(a)ZenIV.linux.org.uk>
> Signed-off-by: Thomas Graf <tgraf(a)redhat.com>
From an audit PoV feel free to add
Acked-by: Eric Paris <eparis(a)redhat.com>
Excluding certain processes
by rshaw1@umbc.edu
I'm running audit 1.7.17-3 (RHEL 5) on ~450 clients sending via audisp to
a single server. This is mostly working well, except that periodically, I
get messages like:
Jan 4 07:57:33 hostfoo audispd: queue is full - dropping event
Jan 4 07:58:04 hostfoo last message repeated 814 times
Jan 4 07:59:05 hostfoo last message repeated 4121 times
Jan 4 08:00:06 hostfoo last message repeated 2602 times
Jan 4 08:00:31 hostfoo last message repeated 773 times
Reading through the man pages, I've increased the q_depth value in
audispd.conf. But even with it set at 99999 (the maximum), many events
are still being dropped from almost half the clients. Setting disp_qos to
"lossless" in auditd.conf has also not helped.
It would be nice to solve this in general. More specifically, however, I
know that on the worst offender, the flood of events is being caused by an
rsync job that runs at 8 and 12. The events look something like:
node=hostfoo.domain.com type=SYSCALL msg=audit(1294232521.544:29609884):
arch=c000003e syscall=90 success=yes exit=0 a0=7fffbe5a7f60 a1=1ed a2=1
a3=0 items=1 ppid=4397 pid=4398 auid=4990 uid=4990 gid=100 euid=4990
suid=4990 fsuid=4990 egid=100 sgid=100 fsgid=100 tty=(none) ses=2867
comm="rsync" exe="/home/bob/.toast/pkg/rsync/v3.0.4/1/root/bin/rsync"
key="perm_mod"
Is there any way I can tell the perm_mod rules in audit.rules "Don't tell
me about it if the command is rsync"? I couldn't find an obvious answer
from the auditctl man page (it doesn't seem that I can just specify, say,
comm!=rsync).
Thanks,
--Ray
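Both the AUDIT target thread and Ray's question turn on the same thing: audit records are flat key=value lines, and finding out which process (or which packet stream) is producing the flood is a matter of parsing them and counting. The script below is an added example, not code from the linux-audit list, the audit userspace or the kernel patch. It parses the SYSCALL record quoted in Ray's mail and a constructed packet record of the kind the AUDIT target would emit; the type name NETFILTER_PKT, the packet field names (action, hook, len, inif, outif, saddr, daddr, proto, sport, dport) and the action numbering (0 accept, 1 drop, 2 reject) are assumptions of this example and do not appear in the thread. All sample lines except the first are constructed.

```python
"""Parse Linux audit key=value records and rank the processes that emit them.

Added example; not code from the linux-audit thread, the audit userspace
or the kernel AUDIT target patch. The record type NETFILTER_PKT, the packet
field names and the action numbering below are assumptions, not taken
from the thread.
"""
import re
from collections import Counter

# One key=value token: the value is either a double-quoted string
# (backslash escapes allowed) or a run of non-whitespace characters.
_TOKEN = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
# The msg=audit(SECONDS.MILLIS:SERIAL) header carries timestamp and serial.
_HEADER = re.compile(r'msg=audit\((\d+)\.(\d+):(\d+)\)')


def parse_record(line):
    """Return one audit record as a dict of fields.

    'time' is a float in seconds and 'serial' an int; quoted values are
    unquoted. Every other key is kept verbatim, so odd values such as
    tty=(none) or outif=? survive for inspection.
    """
    fields = {}
    m = _HEADER.search(line)
    if m:
        fields["time"] = float(m.group(1) + "." + m.group(2))
        fields["serial"] = int(m.group(3))
    for key, value in _TOKEN.findall(line):
        if key == "msg" and value.startswith("audit("):
            continue  # header already decoded above
        if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
            value = value[1:-1]
        fields[key] = value
    return fields


def top_sources(lines, n=3):
    """Rank (comm, key) pairs of SYSCALL records, most frequent first.

    This is the triage step behind a 'queue is full - dropping event'
    flood: it shows which program, under which rule key, generates the
    bulk of the records before deciding what to filter or retune.
    """
    counts = Counter()
    for line in lines:
        rec = parse_record(line)
        if rec.get("type") != "SYSCALL":
            continue
        counts[(rec.get("comm", "?"), rec.get("key", "?"))] += 1
    return counts.most_common(n)


def summarize_packet(rec):
    """Render a packet record as 'ACTION proto=N src:sport -> dst:dport via inif'.

    Action numbering is an assumption of this example: 0 accept, 1 drop,
    2 reject. Port fields are only present for TCP/UDP/UDPLITE.
    """
    action = {"0": "ACCEPT", "1": "DROP", "2": "REJECT"}.get(rec.get("action"), "?")
    src, dst = rec.get("saddr", "?"), rec.get("daddr", "?")
    if "sport" in rec:
        src += ":" + rec["sport"]
    if "dport" in rec:
        dst += ":" + rec["dport"]
    return "%s proto=%s %s -> %s via %s" % (
        action, rec.get("proto", "?"), src, dst, rec.get("inif", "?"))


# Constructed sample input. The first record is the one quoted in the
# thread; the others are made up to stand in for the rsync flood, one
# unrelated process, and one packet record from the AUDIT target
# (field names assumed, see module docstring).
SAMPLE_LINES = [
    'node=hostfoo.domain.com type=SYSCALL msg=audit(1294232521.544:29609884): '
    'arch=c000003e syscall=90 success=yes exit=0 a0=7fffbe5a7f60 a1=1ed a2=1 '
    'a3=0 items=1 ppid=4397 pid=4398 auid=4990 uid=4990 gid=100 euid=4990 '
    'suid=4990 fsuid=4990 egid=100 sgid=100 fsgid=100 tty=(none) ses=2867 '
    'comm="rsync" exe="/home/bob/.toast/pkg/rsync/v3.0.4/1/root/bin/rsync" '
    'key="perm_mod"',
    'node=hostfoo.domain.com type=SYSCALL msg=audit(1294232521.545:29609885): '
    'arch=c000003e syscall=90 success=yes exit=0 comm="rsync" key="perm_mod"',
    'node=hostfoo.domain.com type=SYSCALL msg=audit(1294232521.546:29609886): '
    'arch=c000003e syscall=90 success=yes exit=0 comm="rsync" key="perm_mod"',
    'node=hostfoo.domain.com type=SYSCALL msg=audit(1294232530.001:29609890): '
    'arch=c000003e syscall=90 success=yes exit=0 comm="chmod" key="perm_mod"',
    'node=hostfoo.domain.com type=NETFILTER_PKT msg=audit(1294232531.200:29609891): '
    'action=1 hook=1 len=60 inif=eth0 outif=? smac=00:11:22:33:44:55 '
    'dmac=66:77:88:99:aa:bb macproto=0x0800 saddr=192.0.2.10 daddr=192.0.2.1 '
    'ipid=1 proto=6 sport=4444 dport=22',
]

if __name__ == "__main__":
    for (comm, key), count in top_sources(SAMPLE_LINES):
        print("%6d  comm=%s key=%s" % (count, comm, key))
    for line in SAMPLE_LINES:
        rec = parse_record(line)
        if rec.get("type") == "NETFILTER_PKT":
            print(summarize_packet(rec))
```

Run against a real audit.log or an audisp remote spool, top_sources gives the same picture Ray reached by reading the records: the comm/key pair at the top of the list is where the queue overflow comes from. The parser keeps the msg=audit() header separate from ordinary fields so that serial numbers can be used to measure gaps after 'dropping event' messages.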