On Wednesday, May 11, 2016 11:19:07 AM Bhagwat, Shriniketan Manjunath wrote:
Thanks for the response. Your response cleared many of my doubts. I
need one
clarity on use of Linux capability CAP_AUDIT_CONTROL.
My understanding is that, only root user can start/stop audit service and
configure auditctl rules. auditctl.c and auditd.c specifically check for
uid to be zero. The man page says CAP_AUDIT_CONTROL " Enable and disable
kernel auditing; change auditing filter rules; retrieve auditing status and
filtering rules." Does this mean, a process with CAP_AUDIT_CONTROL
capability running from non root account will be able to start/stop audit
and configure auditctl rules?
Not today. The check for uid 0 is a poor man's check for CAP_AUDIT_CONTROL. I
have not revisited the checks since allowing libcap-ng to link with other
components.
Are there any documentation about how to use
CAP_AUDIT_CONTROL capability and how it is related to audit?
Very little. Its mostly reading source code.
Is it possible to suppress events for a file for the set of specific
syscalls? Example: Using the below rule I want to suppress audit event only
for chmod syscall for file /tmp/read_only. However below rule not only
suppresses the audit event for chmod syscall but also for other syscalls
for /tmp/read_only file.
# auditctl -a never,exit -F arch=x86_64 -F path=/tmp/read_only -S chmod
This is how I would try to write it. If that suppresses more syscalls than
chmod and you can give us a reproducer, I think it should go in the new github
issue tracker for the kernel.
-Steve
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Monday, May 09, 2016 7:20 PM
To: linux-audit(a)redhat.com
Cc: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat(a)hpe.com>
Subject: Re: Audit reporting Invalid argument
On Monday, May 09, 2016 01:40:58 PM Bhagwat, Shriniketan Manjunath wrote:
> I am trying to monitor multiple files using Linux audit. In order to
> get better performance, I am trying to reduce number of rules. If I
> specify more than one path field as in below example I am getting
> "Invalid argument".
>
> Examle1:
> # auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c
> -F path=/home/secpack/test -S open Error sending add rule data request
> (Invalid argument)
>
> # auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c
> -F dir=/tmp/ -S open Error sending add rule data request (Invalid
> argument)
>
> However, I am able to create a single rule to monitor multiple PIDs or
> UIDs as below.
>
> Examle2:
> # auditctl -a always,exit -F arch=x86_64 -F pid=3526 -F pid=3537 #
> auditctl -a always,exit -F arch=x86_64 -F auid=0 -F auid=512 -F
> auid=1002
Which will produce no events due to the anding you mention below. Something
cannot have both pid 3526 and 3537.
> As per the auditctl man page, Build a rule field takes up to 64 fields
> on a single command line. Each one must start with -F. Each field
> equation is anded with each other to trigger an audit record. My
> question is, 1. specify more than one path field as in example1 is valid?
Nope.
> 2. If not valid than how do I create single audit rule to monitor
> multiple files/directory?
They need to be separate rules. You can also recursively watch a directory
with 'dir'
> 3. If valid, then why "Invalid argument" is reported?
> 4. To monitor 10 files, should 10 audit rules required?
Possibly.
> 5. if 10 rules are required, how to I optimize the rule for performance?
The filesystem watches are very efficient. You can probably put a 100
watches on random files and you will not be able to see any performance hit
unless they are actually triggered. Syscall rules on the otherhand do
affect performance.
> My next question is does Linux audit support regular expressions?
No. The kernel pretty much wants things to be numbers rather than strings.
> How do I create audit rule to monitor /var/log/*.log?
-a always,exit -F dir=/var/log/audit/ -F perm=wa -F key=write-audit-log
-Steve
> # auditctl -a always,exit -F arch=x86_64 -F path=^/var/log/*.log$ -S open
> Error sending add rule data request (Invalid argument)
>
> If my questions are already documented, please guide me to the
> documentation.
>
> Regards,
> Ketan