12:36 p.m.
Like Greg, I have servers that are doing a lot of auditing of file access
that I don't want it to do. I am running a RHEL ES 4 system, fully
patched, that runs audit-1.0.15-3.EL4. This is the output for aureport
summary:
[root@aa ~]# /sbin/aureport -ts yesterday 00:00:00 -te today 00:00:00
Summary Report
======================
Range of time: 11/02/2007 10:38:28.035 - 11/05/2007 10:53:23.707
Number of changes in configuration: 0
Number of changes to accounts or groups: 0
Number of logins: 0
Number of failed logins: 0
Number of users: 3
Number of terminals: 2
Number of host names: 1
Number of executables: 55
Number of files: 3151
Number of AVC denials: 96937
Number of failed syscalls: 4300876
Number of watched file events: 215001
Number of anomaly events: 0
Number of responses to anomaly events: 0
Number of process IDs: 32349
Number of events: 4531650
Notice the large number of watched file events. The daily audit logs are
nearly 2GB in size. [And I'm required to keep a year's worth of audit
logs!]
When I issue this command:
[root@aa ~]# aureport -f --summary | head -20
File Summary Report
===========================
total file
===========================
703314 passwd
703313 /etc/passwd
515973 /dev/tty
355209 /home/httpd/faq/docs/daylight_time.php/.htaccess
288538 /home/httpd/css/default.css/.htaccess
281723 /home/httpd/js/default.js/.htaccess
237471 /home/httpd/menu/stmenu.js/.htaccess
211210 /home/httpd/graphics/USNODomeatNight_painted.png/.htaccess
209720 /home/httpd/css/print.css/.htaccess
205240 /home/httpd/graphics/blank.gif/.htaccess
205042 /home/httpd/graphics/header_strip_stars.jpg/.htaccess
202624 /home/httpd/graphics/valid-html401.png/.htaccess
188072 /home/httpd/favicon.ico/.htaccess
131774 /home/httpd/data/USPLACES.DA
49634 /home/httpd/faq/docs/daylight_time.html/.htaccess
Note the high percentage of files accessed by the web server, especially
.htaccess.
I have a rule that audits failed access to files:
-a exit,always -S chmod -S lchown -S chown -F success=0
I assume that this is the rule that is causing so many files accessed by
the web server to be logged. How can change this rule to exclude user
apache from tripping this rule?
--
Bill Tangren
U.S. Naval Observatory
2:08 p.m.
On Monday 05 November 2007 01:36:30 pm Bill Tangren wrote:
I have a rule that audits failed access to files:
-a exit,always -S chmod -S lchown -S chown -F success=0
I assume that this is the rule that is causing so many files accessed by
the web server to be logged. How can change this rule to exclude user
apache from tripping this rule?
Fields (-F options) are "anded" to decide whether to trigger or not. So, you
could use:
-a exit,always -S chmod -S lchown -S chown -F success=0 -F uid!=apache
But you could chose to limit by partition or exact error code, too. For
example, you may not want the failures due to ENOENT (file doesn't exist). In
that case, it would be:
-a exit,always -S chmod -S lchown -S chown -F success=0 -F exit!=-2
-Steve
2:32 p.m.
On DATE, the author spaketh: Steve Grubb
On Monday 05 November 2007 01:36:30 pm Bill Tangren wrote:
> I have a rule that audits failed access to files:
>
> -a exit,always -S chmod -S lchown -S chown -F success=0
>
> I assume that this is the rule that is causing so many files accessed by
> the web server to be logged. How can change this rule to exclude user
> apache from tripping this rule?
Fields (-F options) are "anded" to decide whether to trigger or not. So,
you
could use:
-a exit,always -S chmod -S lchown -S chown -F success=0 -F uid!=apache
But you could chose to limit by partition or exact error code, too. For
example, you may not want the failures due to ENOENT (file doesn't exist).
In
that case, it would be:
-a exit,always -S chmod -S lchown -S chown -F success=0 -F exit!=-2
-Steve
Thanks, Steve. I'll try these out.
And sorry about the off-list post. Don't know why that happens sometimes,
and I seem to always forget to check.
Bill
--
Bill Tangren
U.S. Naval Observatory
6257
days inactive
6257
days old
linux-audit@lists.linux-audit.osci.io
2 comments
2 participants
participants (2)
-
Bill Tangren -
Steve Grubb