When is EOE generated?
by Giovanni Panepinto
Hello all,
According to https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/..., the record EOE gets generated to represent "the end of a multi-record event."
In my audit logs, I can see that for some events, EOE doesn't get generated.
Log sample:
type=SYSCALL msg=audit(1568174009.456:2069021): arch=c000003e syscall=2 success=yes exit=3 a0=7ffcaf5b3915 a1=941 a2=1b6 a3=7c9bd777 items=2 ppid=22527 pid=23323 auid=1012 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=6417 comm="touch" exe="/usr/bin/touch" key="usr_local_bin_change"
type=PATH msg=audit(1568174009.456:2069021): item=0 name="/usr/local/bin/" inode=12583209 dev=fe:00 mode=040755 ouid=0 ogid=0 rdev=00:00 nametype=PARENT
type=PATH msg=audit(1568174009.456:2069021): item=1 name="/usr/local/bin/myfile1" inode=12599538 dev=fe:00 mode=0100600 ouid=0 ogid=0 rdev=00:00 nametype=CREATE
type=UNKNOWN[1327] msg=audit(1568174009.456:2069021): proctitle=746F756368002F7573722F6C6F63616C2F62696E2F6D7966696C6531
Auditd version:
2.3.6
Following rule set:
-D
-b 4096
-w /etc/sudoers -p wa -k sysadmin-scope
-w /etc/sudoers.d -p wa -k sysadmin-scope
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=500 -F auid!=4294967295 -k delete
-w /sbin/insmod -p x -k modules
-w /sbin/rmmod -p x -k modules
-w /sbin/modprobe -p x -k modules
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins
-w /var/log/tallylog -p wa -k logins
-w /var/run/utmp -p wa -k session
-w /var/log/wtmp -p wa -k session
-w /var/log/btmp -p wa -k session
-a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b64 -S umount2 -F auid>=500 -F auid!=4294967295 -k mounts
-a always,exit -F arch=b32 -S umount2 -F auid>=500 -F auid!=4294967295 -k mounts
-w /var/log/sudo.log -p wa -k sysadmin-actions
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b32 -S creat -S open -S openat -S truncate -S ftruncate -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F path=/usr/lib/utempter/utempter -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/sudo -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/su -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/wall -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/write -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/mount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/newgrp -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/at -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/passwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/umount -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chage -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chfn -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/chsh -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/expiry -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/gpasswd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/bin/crontab -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postdrop -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/usr/sbin/postqueue -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/lib/dbus-1/dbus-daemon-launch-helper -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/sbin/unix_chkpwd -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exit -F path=/sbin/mount.nfs -F perm=x -F auid>=500 -F auid!=4294967295 -k privileged
-a always,exclude -F msgtype=CWD
-a always,exclude -F msgtype=CRYPTO_KEY_USER
-a never,exit -F dir=/sys/fs/cgroup
-a never,exit -F dir=/run/systemd/journal
-a never,exit -F uid=1002
-a never,exit -F uid=1003
-a never,exit -F uid=521
-a always,exit -F perm=w -F dir=/sbin -F arch=b64 -F success=1 -F key=sbin_write
-a always,exit -F perm=a -F dir=/sbin -F arch=b64 -F success=1 -F key=sbin_attribute_change
-a always,exit -F perm=a -F path=/var/log/messages -F arch=b64 -F success=1 -F key=var_log_messages_change
-a always,exit -F arch=b64 -S unlink -F path=/var/log/messages -F success=1 -F key=var_log_messages_delete
-a always,exit -F perm=w -F dir=/usr/sbin -F arch=b64 -F success=1 -F key=usr_sbin_write
-a always,exit -F perm=a -F dir=/usr/sbin -F arch=b64 -F success=1 -F key=usr_sbin_attribute_change
-a always,exit -F arch=b64 -S unlink -F path=/etc/ssh/sshd_config -F success=1 -F key=sshd_config_delete
-a always,exit -F perm=wa -F path=/etc/ssh/sshd_config -F arch=b64 -F success=1 -F key=sshd_config_change
-a always,exit -F arch=b64 -S unlink -F path=/var/log/dmesg -F success=1 -F key=var_log_dmesg_delete
-a always,exit -F perm=a -F path=/var/log/dmesg -F arch=b64 -F success=1 -F key=var_log_dmesg_change
-a always,exit -F arch=b64 -S unlink -F path=/var/log/faillog -F success=1 -F key=var_log_faillog_delete
-a always,exit -F perm=a -F path=/var/log/faillog -F arch=b64 -F success=1 -F key=var_log_faillog_change
-a always,exit -F arch=b64 -S unlink -F path=/var/log/utmp -F success=1 -F key=var_log_utmp_delete
-a always,exit -F perm=a -F path=/var/log/utmp -F arch=b64 -F success=1 -F key=var_log_utmp_change
-a always,exit -F arch=b64 -S unlink -F path=/var/log/user.log -F success=1 -F key=var_log_user_delete
-a always,exit -F perm=a -F path=/var/log/user.log -F arch=b64 -F success=1 -F key=var_log_user_change
-a always,exit -F arch=b64 -S unlink -F path=/var/log/auth.log -F success=1 -F key=var_log_auth_delete
-a always,exit -F perm=a -F path=/var/log/auth.log -F arch=b64 -F success=1 -F key=var_log_auth_change
-a always,exit -F arch=b64 -S unlink -F path=/etc/login.defs -F success=1 -F key=etc_logindefs_delete
-a always,exit -F perm=aw -F path=/etc/login.defs -F arch=b64 -F success=1 -F key=etc_logindefs_change
-a always,exit -F perm=w -F dir=/usr/bin -F arch=b64 -F success=1 -F key=usr_bin_write
-a always,exit -F perm=a -F dir=/usr/bin -F arch=b64 -F success=1 -F key=usr_bin_attribute_change
-a always,exit -F arch=b64 -S unlink -F path=/etc/passwd -F success=1 -F key=etc_passwd_delete
-a always,exit -F perm=aw -F path=/etc/passwd -F arch=b64 -F success=1 -F key=etc_passwd_change
-a always,exit -F arch=b64 -S unlink -F path=/var/log/boot.log -F success=1 -F key=var_log_boot_delete
-a always,exit -F perm=a -F path=/var/log/boot.log -F arch=b64 -F success=1 -F key=var_log_boot_change
-a always,exit -F arch=b64 -S unlink -F path=/var/log/kern.log -F success=1 -F key=var_log_kernlog_delete
-a always,exit -F perm=a -F path=/var/log/kern.log -F arch=b64 -F success=1 -F key=var_log_kernlog_change
-a always,exit -F arch=b64 -S unlink -F path=/var/log/btmp -F success=1 -F key=var_log_btmp_delete
-a always,exit -F perm=a -F path=/var/log/btmp -F arch=b64 -F success=1 -F key=var_log_btmp_change
-a always,exit -F arch=b64 -S unlink -F path=/var/log/wtmp -F success=1 -F key=var_log_wtmp_delete
-a always,exit -F perm=a -F path=/var/log/wtmp -F arch=b64 -F success=1 -F key=var_log_wtmp_change
-a always,exit -F arch=b64 -S unlink -F path=/etc/pam.d/common-password -F success=1 -F key=etc_pam_commonpassword_delete
-a always,exit -F perm=aw -F path=/etc/pam.d/common-password -F arch=b64 -F success=1 -F key=etc_pam_commonpassword_change
-a always,exit -F arch=b64 -S unlink -F path=/var/log/syslog -F success=1 -F key=var_log_syslog_delete
-a always,exit -F perm=a -F path=/var/log/syslog -F arch=b64 -F success=1 -F key=var_log_syslog_change
-a always,exit -F perm=aw -F dir=/boot -F arch=b64 -F success=1 -F key=boot_change
-a always,exit -F arch=b64 -S unlink -F path=/etc/sudoers -F success=1 -F key=etc_sudoers_delete
-a always,exit -F perm=aw -F path=/etc/sudoers -F arch=b64 -F success=1 -F key=etc_sudoers_change
-a always,exit -F arch=b64 -S unlink -F path=/etc/sudoers -F success=1 -F key=etc_shadow_delete
-a always,exit -F perm=aw -F path=/etc/shadow -F arch=b64 -F success=1 -F key=etc_shadow_change
-a always,exit -F perm=aw -F dir=/usr/local/bin -F arch=b64 -F success=1 -F key=usr_local_bin_change
-a always,exit -F arch=b64 -S unlink -F path=/var/log/cron -F success=1 -F key=var_log_cron_delete
-a always,exit -F perm=a -F path=/var/log/cron -F arch=b64 -F success=1 -F key=var_log_cron_change
-a always,exit -F perm=aw -F dir=/bin -F arch=b64 -F success=1 -F key=bin_change
-a always,exit -F perm=w -F dir=/usr/local/sbin -F arch=b64 -F success=1 -F key=usr_local_sbin_write
-a always,exit -F perm=a -F dir=/usr/local/sbin -F arch=b64 -F success=1 -F key=usr_local_sbin_attribute_change
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S stime -k time-change
-a always,exit -F arch=b64 -S clock_settime -k time-change
-a always,exit -F arch=b32 -S clock_settime -k time-change
-w /etc/localtime -p wa -k time-change
-w /etc/apparmor -p wa -k MAC-policy
-w /etc/selinux -p wa -k MAC-policy
-a always,exit -F arch=b64 -S sethostname -S setdomainname -k system-locale
-a always,exit -F arch=b32 -S sethostname -S setdomainname -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
-w /etc/group -p wa -k identity
-w /etc/passwd -p wa -k identity
-w /etc/gshadow -p wa -k identity
-w /etc/shadow -p wa -k identity
-w /etc/security/opasswd -p wa -k identity
So my question is, what defines a multi-record event? And why is EOE not generated when I create a file under /usr/local/bin?
--
Kind Regards,
Giovanni
5 years, 3 months
Help with audit syscall event output
by Ankitha Kundhuru
Hi All,
Any help is greatly appreciated.
My piece of code can read the audit.log file and process it. But when I enable
a good number of syscalls, the disk gets filled really quickly (15GB for half a day
of usage).
I wanted to know if there is a way to directly get the events from the
userspace audit daemon instead of writing them to a file. The plan is that my
application should process the events as soon as they are created.
Please suggest a way if one exists.
Thanks in advance.
Thanks & Regards,
Ankitha Kundhuru
5 years, 3 months
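As an added example (not code from either post), a small Python assembler that bears on both questions: it groups records into events by their msg=audit(sec.ms:serial) id, uses EOE as the end marker where the kernel emits one and a timeout as the fallback where it does not (the approach auparse takes), and can be fed audit.log lines or the stdin of an audispd plugin, so events are processed as they arrive rather than after a file has grown. Assumptions: UNKNOWN[1327] is how a pre-2.4 auditd prints the PROCTITLE record, and the second event in SAMPLE is constructed.

```python
import re
from collections import OrderedDict

# Every record of one event carries the same msg=audit(<sec>.<ms>:<serial>) id.
HDR = re.compile(r'^type=(\S+) msg=audit\((\d+)\.(\d+):(\d+)\): ?(.*)$')
# Constructed sample: the first post's event (SYSCALL trimmed, no EOE), then a made-up event closed by EOE.
SAMPLE = """\
type=SYSCALL msg=audit(1568174009.456:2069021): arch=c000003e syscall=2 success=yes exit=3 comm="touch" exe="/usr/bin/touch" key="usr_local_bin_change"
type=PATH msg=audit(1568174009.456:2069021): item=0 name="/usr/local/bin/" nametype=PARENT
type=PATH msg=audit(1568174009.456:2069021): item=1 name="/usr/local/bin/myfile1" nametype=CREATE
type=UNKNOWN[1327] msg=audit(1568174009.456:2069021): proctitle=746F756368002F7573722F6C6F63616C2F62696E2F6D7966696C6531
type=SYSCALL msg=audit(1568174015.100:2069022): arch=c000003e syscall=87 success=yes exit=0 comm="rm" exe="/usr/bin/rm" key="delete"
type=EOE msg=audit(1568174015.100:2069022):
"""
class EventAssembler:
    """Group records into events: close on EOE, or, since EOE is not always logged, once a
    newer record is `timeout` seconds past the event. Feed it audit.log lines or plugin stdin."""
    def __init__(self, timeout=2.0):
        self.timeout, self.pending = timeout, OrderedDict()  # id -> (ts, [(type, body)])

    def feed(self, line):
        """Feed one raw record; return the events completed by it (EOE or timeout)."""
        m = HDR.match(line.strip())
        if not m:
            return []
        rtype, sec, ms, serial, body = m.groups()
        ts, eid, done = int(sec) + int(ms) / 1000.0, (sec, ms, serial), []
        if rtype == 'EOE':
            if eid in self.pending:
                done.append(self.finish(eid, self.pending.pop(eid), True))
        else:
            self.pending.setdefault(eid, (ts, []))[1].append((rtype, body))
        for old in [k for k, (t, _) in self.pending.items() if ts - t > self.timeout]:
            done.append(self.finish(old, self.pending.pop(old), False))
        return done

    @staticmethod
    def finish(eid, ev, closed_by_eoe):
        """Summarise one event; proctitle is hex argv with NUL separators, shown as a command line."""
        recs = dict(ev[1])  # assumption: auditd 2.3 prints record type 1327 (PROCTITLE) as UNKNOWN[1327]
        hexargv = (recs.get('PROCTITLE') or recs.get('UNKNOWN[1327]', 'proctitle=')).split('=', 1)[1]
        key = re.search(r'key="([^"]*)"', recs.get('SYSCALL', ''))
        return {'serial': int(eid[2]), 'types': [t for t, _ in ev[1]], 'closed_by_eoe': closed_by_eoe,
                'key': key.group(1) if key else None,
                'proctitle': bytes.fromhex(hexargv).decode('utf-8', 'replace').replace('\x00', ' ')}

def assemble(lines, timeout=2.0):
    asm = EventAssembler(timeout)
    events = [ev for ln in lines for ev in asm.feed(ln)]
    return events + [asm.finish(k, v, False) for k, v in asm.pending.items()]
```

For the first post's event the result shows closed_by_eoe False and the decoded proctitle `touch /usr/local/bin/myfile1`; as a plugin, replace SAMPLE.splitlines() with sys.stdin and act on each event feed() returns.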