FW: I'd like to turn auditd off but...
by Brian Ross
Further to this, I've just found out that auditd is logging it seems every transaction that Oracle makes. I have found squillions of entries in the log file for the oracle user "orpmpxgi". Is there any way to quickly stop auditd logging for a particular user?
Stopping that, may fix many of my problems.
Cheers
Brian Ross
From: linux-audit-bounces(a)redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Brian Ross
Sent: Tuesday, November 22, 2011 9:04 AM
To:
Subject: I'd like to turn auditd off but...
I have a client who is still running RHEL3. Over the last 12 months the auditd process has become steadily more and more intrusive and causing problems. I have attempted to turn it off but whenever I do so, suddenly SSH logins stop working.
At the moment the only way I have to manage the auditd process is to regularly delete the 2+GB of log files it creates every 4 hours. Can anybody tell me how to turn it off without affecting other things?
Cheers
Brian Ross
Brian Ross
Technical Consultant
ASG Group Limited
Level 1 / 267 St Georges Tce.
Perth, WA, 6000
Telephone +61 8 9420 5451
Mobile +61 0434 181 701
Facsimile +61 8 9420 5422
Brian.Ross(a)asggroup.com.au<mailto:DooWhan.Kweon@asggroup.com.au>
http://www.asggroup.com.au/
[cid:image001.gif@01CBB23E.C8A47A50][cid:a481d55a-5674-4333-904b-fdf6e072879c]
Confidentiality Notice: The information contained in this message is strictly confidential. It is intended only for the use of the individual or entity named above. If the reader is not the intended recipient, or the authorised agent thereof, you are hereby notified that any disclosure, use, distribution or copying of the within information is strictly prohibited. If you have received this message in error, please notify us immediately by telephone and delete all copies of the original message.
P PLEASE CONSIDER THE ENVIRONMENT BEFORE YOU PRINT THIS E-MAIL
14 years, 2 months
Disabling monitoring of a subfolder
by Marina Gray
I have a folder which I'd like to monitor with auditd, with the
exception of one specific subdirectory. Is there any way I can disable
monitoring just that subdirectory, but keep monitoring the rest of the
dir recursively as usual?
Say, I first do:
auditctl -w /var/mydata/ -k my-data -p w
and want to exclude looking at /var/mydata/tmp_data/
Thanks!
M G
14 years, 2 months
I'd like to turn auditd off but...
by Brian Ross
I have a client who is still running RHEL3. Over the last 12 months the auditd process has become steadily more and more intrusive and causing problems. I have attempted to turn it off but whenever I do so, suddenly SSH logins stop working.
At the moment the only way I have to manage the auditd process is to regularly delete the 2+GB of log files it creates every 4 hours. Can anybody tell me how to turn it off without affecting other things?
Cheers
Brian Ross
Brian Ross
Technical Consultant
ASG Group Limited
Level 1 / 267 St Georges Tce.
Perth, WA, 6000
Telephone +61 8 9420 5451
Mobile +61 0434 181 701
Facsimile +61 8 9420 5422
Brian.Ross(a)asggroup.com.au<mailto:DooWhan.Kweon@asggroup.com.au>
http://www.asggroup.com.au/
[cid:image001.gif@01CBB23E.C8A47A50]
Confidentiality Notice: The information contained in this message is strictly confidential. It is intended only for the use of the individual or entity named above. If the reader is not the intended recipient, or the authorised agent thereof, you are hereby notified that any disclosure, use, distribution or copying of the within information is strictly prohibited. If you have received this message in error, please notify us immediately by telephone and delete all copies of the original message.
* PLEASE CONSIDER THE ENVIRONMENT BEFORE YOU PRINT THIS E-MAIL
14 years, 2 months
[PATCH 01/26] audit: make filetype matching consistent with other filters
by Eric Paris
Every other filter that matches part of the inodes list collected by audit
will match against any of the inodes on that list. The filetype matching
however had a strange way of doing things. It allowed userspace to
indicated if it should match on the first of the second name collected by
the kernel. Name collection ordering seems like a kernel internal and
making userspace rules get that right just seems like a bad idea. As it
turns out the userspace audit writers had no idea it was doing this and
thus never overloaded the value field. The kernel always checked the first
name collected which for the tested rules was always correct.
This patch just makes the filetype matching like the major, minor, inode,
and LSM rules in that it will match against any of the names collected. It
also changes the rule validation to reject the old unused rule types.
Noone new it was there. Noone used it. Why keep around the extra code?
Signed-off-by: Eric Paris <eparis(a)redhat.com>
---
kernel/auditfilter.c | 4 ++--
kernel/auditsc.c | 19 +++++++++----------
2 files changed, 11 insertions(+), 12 deletions(-)
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index f8277c8..d94dde8 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c
@@ -385,7 +385,7 @@ static struct audit_entry *audit_rule_to_entry(struct audit_rule *rule)
goto exit_free;
break;
case AUDIT_FILETYPE:
- if ((f->val & ~S_IFMT) > S_IFMT)
+ if (f->val & ~S_IFMT)
goto exit_free;
break;
case AUDIT_INODE:
@@ -536,7 +536,7 @@ static struct audit_entry *audit_data_to_entry(struct audit_rule_data *data,
goto exit_free;
break;
case AUDIT_FILETYPE:
- if ((f->val & ~S_IFMT) > S_IFMT)
+ if (f->val & ~S_IFMT)
goto exit_free;
break;
default:
diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 47b7fc1..dc8e5f0 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -305,21 +305,20 @@ static int audit_match_perm(struct audit_context *ctx, int mask)
}
}
-static int audit_match_filetype(struct audit_context *ctx, int which)
+static int audit_match_filetype(struct audit_context *ctx, int val)
{
- unsigned index = which & ~S_IFMT;
- mode_t mode = which & S_IFMT;
+ int index;
+ mode_t mode = (mode_t)val;
if (unlikely(!ctx))
return 0;
- if (index >= ctx->name_count)
- return 0;
- if (ctx->names[index].ino == -1)
- return 0;
- if ((ctx->names[index].mode ^ mode) & S_IFMT)
- return 0;
- return 1;
+ for (index = 0; index < ctx->name_count; index++) {
+ if ((ctx->names[index].ino != -1) &&
+ ((ctx->names[index].mode & S_IFMT) == mode))
+ return 1;
+ }
+ return 0;
}
/*
14 years, 2 months
test patch for new inode filter types
by Eric Paris
This is NOT full support for the new inode filter constructs I added to
the policy, but is just enough to test some of it. I'm hoping someone
else will write real userspace patches. One will need to apply the
kernel patches and then install the new kernel headers (or
update /usr/include/linux/audit.h by hand) Then apply this patch to
audit and build a new audit (I found audit build sucks because it will
build against the system libaudit rather than the one in tree, but you
can fix this using make DESTDIR=[dir] install, and using the auditctl
from [dir]/usr/local/sbin/)
This patch supports two types of rules
auditctl -a exit,always -F arch=b64 -S open -F obj_uid=500
Which audits all opens for a uid=500 file. (the kernel supports gid,
but this patch doesn't, you can just copy the uid code to make gid work)
This patch also supports
auditctl -a exit,always -C
Which will audit all cases where a process accesses a file in which the
process uid != file uid.
The kernel is a bit more flexible, it supports process_gid != file_gid.
The kernel also supports == > <, etc. This portion of the patch needs
to do support a better construct for parsing the intent and passing that
down. But it seemed like a lot of work on a codebase I'm not familiar
with and hoped someone familiar could write a text parse for this
construct.
We should be able to support something like:
auditctl -a exit,always -F interfield!=uid
I dunno what it should look like. But like I said, I just slapped -C as
a way to test process_uid != file_uid, so it should be pretty easy to
look at that and see how other interactions should work.
-Eric
14 years, 2 months
Audit Event Record Types
by artem
Hi all.
do not tell where I can find a complete list "Audit Event Record Types"
sorry for my bad english...
Artem
14 years, 3 months
filtering on inode ouid
by Peter Moody
Apologies if this is the wrong list:
Is it possible to filter on what shows up in the audit logs as the ouid of
an inode being accessed?
Alternatively, if I'm only interested in inodes of a particular ouid (or
more specifically, accesses to an inode of a particular ouid from a process
with a different uid), is my best bet doing post-audit filtering?
cheers,
peter
14 years, 3 months
Do we need entry,always rules?
by Eric Paris
The kernel will take them, but I believe we decided to deprecate them.
I can remove some 'dead' code from the kernel and just return -EINVAL if
someone tries to set one. Anyone see a problem with that?
-Eric
14 years, 3 months
