When is EOE generated?
by Giovanni Panepinto
Hello all,
According to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/... , the record EOE gets generated to represent "the end of a multi-record event."
In my audit logs, I can see that for some events, EOE doesn't get generated.
Log sample:
type=SYSCALL msg=audit(1568174009.456:2069021): arch=c000003e syscall=2 success=yes exit=3 a0=7ffcaf5b3915 a1=941 a2=1b6 a3=7c9bd777 items=2 ppid=22527 pid=23323 auid=1012 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6417 comm="touch" exe="/usr/bin/touch" key="usr_local_bin_change"
type=PATH msg=audit(1568174009.456:2069021): item=0 name="/usr/local/bin/" inode=12583209 dev=fe:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1568174009.456:2069021): item=1 name="/usr/local/bin/myfile1" inode=12599538 dev=fe:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=UNKNOWN[1327] msg=audit(1568174009.456:2069021): proctitle=746F756368002F7573722F6C6F63616C2F62696E2F6D7966696C6531
Auditd version:
2.3.6
Following rule set:
-D
-b 4096
-w /etc/sudoers -p wa -k sysadmin-scope
-w /etc/sudoers.d -p wa -k sysadmin-scope
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S umount2 -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S umount2 -F auid>=500 -F auid!=4294967295 -k mounts
-w /var/log/sudo.log -p wa -k sysadmin-actions
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F path=/usr/lib/utempter/utempter -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/expiry -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/lib/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/sbin/mount.nfs -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exclude -F msgtype=CWD
-a always,exclude -F msgtype=CRYPTO_KEY_USER
-a never,exit -F dir=/sys/fs/cgroup
-a never,exit -F dir=/run/systemd/journal
-a never,exit -F uid=1002
-a never,exit -F uid=1003
-a never,exit -F uid=521
-a always,exit -F perm=w -F dir=/sbin -F arch=b64 -F success=1 -F key=sbin_write
-a always,exit -F perm=a -F dir=/sbin -F arch=b64 -F success=1 -F key=sbin_attribute_change
-a always,exit -F perm=a -F path=/var/log/messages -F arch=b64 -F success=1 -F key=var_log_messages_change
-a always,exit -F arch=b64 -S unlink -F path=/var/log/messages -F success=1 -F key=var_log_messages_delete
-a always,exit -F perm=w -F dir=/usr/sbin -F arch=b64 -F success=1 -F key=usr_sbin_write
-a always,exit -F perm=a -F dir=/usr/sbin -F arch=b64 -F success=1 -F key=usr_sbin_attribute_change
-a always,exit -F arch=b64 -S unlink -F path=/etc/ssh/sshd_config -F success=1 -F key=sshd_config_delete
-a always,exit -F perm=wa -F path=/etc/ssh/sshd_config -F arch=b64 -F success=1 -F key=sshd_config_change
-a always,exit -F arch=b64 -S unlink -F path=/var/log/dmesg -F success=1 -F key=var_log_dmesg_delete
-a always,exit -F perm=a -F path=/var/log/dmesg -F arch=b64 -F success=1 -F key=var_log_dmesg_change
-a always,exit -F arch=b64 -S unlink -F path=/var/log/faillog -F success=1 -F key=var_log_faillog_delete
-a always,exit -F perm=a -F path=/var/log/faillog -F arch=b64 -F success=1 -F key=var_log_faillog_change
-a always,exit -F arch=b64 -S unlink -F path=/var/log/utmp -F success=1 -F key=var_log_utmp_delete
-a always,exit -F perm=a -F path=/var/log/utmp -F arch=b64 -F success=1 -F key=var_log_utmp_change
-a always,exit -F arch=b64 -S unlink -F path=/var/log/user.log -F success=1 -F key=var_log_user_delete
-a always,exit -F perm=a -F path=/var/log/user.log -F arch=b64 -F success=1 -F key=var_log_user_change
-a always,exit -F arch=b64 -S unlink -F path=/var/log/auth.log -F success=1 -F key=var_log_auth_delete
-a always,exit -F perm=a -F path=/var/log/auth.log -F arch=b64 -F success=1 -F key=var_log_auth_change
-a always,exit -F arch=b64 -S unlink -F path=/etc/login.defs -F success=1 -F key=etc_logindefs_delete
-a always,exit -F perm=aw -F path=/etc/login.defs -F arch=b64 -F success=1 -F key=etc_logindefs_change
-a always,exit -F perm=w -F dir=/usr/bin -F arch=b64 -F success=1 -F key=usr_bin_write
-a always,exit -F perm=a -F dir=/usr/bin -F arch=b64 -F success=1 -F key=usr_bin_attribute_change
-a always,exit -F arch=b64 -S unlink -F path=/etc/passwd -F success=1 -F key=etc_passwd_delete
-a always,exit -F perm=aw -F path=/etc/passwd -F arch=b64 -F success=1 -F key=etc_passwd_change
-a always,exit -F arch=b64 -S unlink -F path=/var/log/boot.log -F success=1 -F key=var_log_boot_delete
-a always,exit -F perm=a -F path=/var/log/boot.log -F arch=b64 -F success=1 -F key=var_log_boot_change
-a always,exit -F arch=b64 -S unlink -F path=/var/log/kern.log -F success=1 -F key=var_log_kernlog_delete
-a always,exit -F perm=a -F path=/var/log/kern.log -F arch=b64 -F success=1 -F key=var_log_kernlog_change
-a always,exit -F arch=b64 -S unlink -F path=/var/log/btmp -F success=1 -F key=var_log_btmp_delete
-a always,exit -F perm=a -F path=/var/log/btmp -F arch=b64 -F success=1 -F key=var_log_btmp_change
-a always,exit -F arch=b64 -S unlink -F path=/var/log/wtmp -F success=1 -F key=var_log_wtmp_delete
-a always,exit -F perm=a -F path=/var/log/wtmp -F arch=b64 -F success=1 -F key=var_log_wtmp_change
-a always,exit -F arch=b64 -S unlink -F path=/etc/pam.d/common-password -F success=1 -F key=etc_pam_commonpassword_delete
-a always,exit -F perm=aw -F path=/etc/pam.d/common-password -F arch=b64 -F success=1 -F key=etc_pam_commonpassword_change
-a always,exit -F arch=b64 -S unlink -F path=/var/log/syslog -F success=1 -F key=var_log_syslog_delete
-a always,exit -F perm=a -F path=/var/log/syslog -F arch=b64 -F success=1 -F key=var_log_syslog_change
-a always,exit -F perm=aw -F dir=/boot -F arch=b64 -F success=1 -F key=boot_change
-a always,exit -F arch=b64 -S unlink -F path=/etc/sudoers -F success=1 -F key=etc_sudoers_delete
-a always,exit -F perm=aw -F path=/etc/sudoers -F arch=b64 -F success=1 -F key=etc_sudoers_change
-a always,exit -F arch=b64 -S unlink -F path=/etc/sudoers -F success=1 -F key=etc_shadow_delete
-a always,exit -F perm=aw -F path=/etc/shadow -F arch=b64 -F success=1 -F key=etc_shadow_change
-a always,exit -F perm=aw -F dir=/usr/local/bin -F arch=b64 -F success=1 -F key=usr_local_bin_change
-a always,exit -F arch=b64 -S unlink -F path=/var/log/cron -F success=1 -F key=var_log_cron_delete
-a always,exit -F perm=a -F path=/var/log/cron -F arch=b64 -F success=1 -F key=var_log_cron_change
-a always,exit -F perm=aw -F dir=/bin -F arch=b64 -F success=1 -F key=bin_change
-a always,exit -F perm=w -F dir=/usr/local/sbin -F arch=b64 -F success=1 -F key=usr_local_sbin_write
-a always,exit -F perm=a -F dir=/usr/local/sbin -F arch=b64 -F success=1 -F key=usr_local_sbin_attribute_change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-w /etc/apparmor -p wa -k MAC-policy
-w /etc/selinux -p wa -k MAC-policy
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
So my question is, what defines a multi-record event? And why is EOE not generated when I create a file under /usr/local/bin?
--
Kind Regards,
Giovanni
5 years, 1 month
Help with audit syscall event output
by Ankitha Kundhuru
Hi All,
Any help is greatly appreciated.
My piece of code can read audit.log file and process it.But when I enable
good number of syscalls, disk gets filled really quick (15GB for half a day
usage)
I wanted to know if there is a way to directly get the events from
userspace audit daemon instead of writing it to a file. Plan is that my
application should process the events as soon as they are created.
Suggest me if a way exist.
Thanks in advance.
Thanks & Regards,
Ankitha Kundhuru
5 years, 1 month