8:40 a.m.
Hello,
I am trying to monitor multiple files using Linux audit. In order to get better
performance, I am trying to reduce number of rules.
If I specify more than one path field as in below example I am getting "Invalid
argument".
Examle1:
# auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F
path=/home/secpack/test -S open
Error sending add rule data request (Invalid argument)
# auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F dir=/tmp/ -S
open
Error sending add rule data request (Invalid argument)
However, I am able to create a single rule to monitor multiple PIDs or UIDs as below.
Examle2:
# auditctl -a always,exit -F arch=x86_64 -F pid=3526 -F pid=3537
# auditctl -a always,exit -F arch=x86_64 -F auid=0 -F auid=512 -F auid=1002
As per the auditctl man page, Build a rule field takes up to 64 fields on a single command
line. Each one must start with -F. Each field equation is anded with each other to
trigger an audit record.
My question is,
1. specify more than one path field as in example1 is valid?
2. If not valid than how do I create single audit rule to monitor multiple
files/directory?
3. If valid, then why "Invalid argument" is reported?
4. To monitor 10 files, should 10 audit rules required?
5. if 10 rules are required, how to I optimize the rule for performance?
My next question is does Linux audit support regular expressions? How do I create audit
rule to monitor /var/log/*.log?
# auditctl -a always,exit -F arch=x86_64 -F path=^/var/log/*.log$ -S open
Error sending add rule data request (Invalid argument)
If my questions are already documented, please guide me to the documentation.
Regards,
Ketan
8:50 a.m.
On Monday, May 09, 2016 01:40:58 PM Bhagwat, Shriniketan Manjunath wrote:
I am trying to monitor multiple files using Linux audit. In order to
get
better performance, I am trying to reduce number of rules. If I specify
more than one path field as in below example I am getting "Invalid
argument".
Examle1:
# auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F
path=/home/secpack/test -S open Error sending add rule data request
(Invalid argument)
# auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c -F
dir=/tmp/ -S open Error sending add rule data request (Invalid argument)
However, I am able to create a single rule to monitor multiple PIDs or UIDs
as below.
Examle2:
# auditctl -a always,exit -F arch=x86_64 -F pid=3526 -F pid=3537
# auditctl -a always,exit -F arch=x86_64 -F auid=0 -F auid=512 -F auid=1002
Which will produce no events due to the anding you mention below. Something
cannot have both pid 3526 and 3537.
As per the auditctl man page, Build a rule field takes up to 64
fields on a
single command line. Each one must start with -F. Each field equation is
anded with each other to trigger an audit record. My question is,
1. specify more than one path field as in example1 is valid?
Nope.
2. If not valid than how do I create single audit rule to monitor
multiple
files/directory?
They need to be separate rules. You can also recursively watch a directory
with 'dir'
3. If valid, then why "Invalid argument" is reported?
4. To monitor 10 files, should 10 audit rules required?
Possibly.
5. if 10 rules are required, how to I optimize the rule for
performance?
The filesystem watches are very efficient. You can probably put a 100 watches on
random files and you will not be able to see any performance hit unless they
are actually triggered. Syscall rules on the otherhand do affect performance.
My next question is does Linux audit support regular expressions?
No. The kernel pretty much wants things to be numbers rather than strings.
How do I create audit rule to monitor /var/log/*.log?
-a always,exit -F dir=/var/log/audit/ -F perm=wa -F key=write-audit-log
-Steve
# auditctl -a always,exit -F arch=x86_64 -F path=^/var/log/*.log$ -S
open
Error sending add rule data request (Invalid argument)
If my questions are already documented, please guide me to the
documentation.
Regards,
Ketan
6:19 a.m.
Hi Steve,
Thanks for the response. Your response cleared many of my doubts. I need one clarity on
use of Linux capability CAP_AUDIT_CONTROL.
My understanding is that, only root user can start/stop audit service and configure
auditctl rules. auditctl.c and auditd.c specifically check for uid to be zero. The man
page says CAP_AUDIT_CONTROL " Enable and disable kernel auditing; change auditing
filter rules; retrieve auditing status and filtering rules." Does this mean, a
process with CAP_AUDIT_CONTROL capability running from non root account will be able to
start/stop audit and configure auditctl rules? Are there any documentation about how to
use CAP_AUDIT_CONTROL capability and how it is related to audit?
Is it possible to suppress events for a file for the set of specific syscalls? Example:
Using the below rule I want to suppress audit event only for chmod syscall for file
/tmp/read_only. However below rule not only suppresses the audit event for chmod syscall
but also for other syscalls for /tmp/read_only file.
# auditctl -a never,exit -F arch=x86_64 -F path=/tmp/read_only -S chmod
Regards,
Ketan
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Monday, May 09, 2016 7:20 PM
To: linux-audit(a)redhat.com
Cc: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat(a)hpe.com>
Subject: Re: Audit reporting Invalid argument
On Monday, May 09, 2016 01:40:58 PM Bhagwat, Shriniketan Manjunath wrote:
I am trying to monitor multiple files using Linux audit. In order to
get better performance, I am trying to reduce number of rules. If I
specify more than one path field as in below example I am getting
"Invalid argument".
Examle1:
# auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c
-F path=/home/secpack/test -S open Error sending add rule data request
(Invalid argument)
# auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c
-F dir=/tmp/ -S open Error sending add rule data request (Invalid
argument)
However, I am able to create a single rule to monitor multiple PIDs or
UIDs as below.
Examle2:
# auditctl -a always,exit -F arch=x86_64 -F pid=3526 -F pid=3537 #
auditctl -a always,exit -F arch=x86_64 -F auid=0 -F auid=512 -F
auid=1002
Which will produce no events due to the anding you mention below. Something cannot have
both pid 3526 and 3537.
As per the auditctl man page, Build a rule field takes up to 64
fields
on a single command line. Each one must start with -F. Each field
equation is anded with each other to trigger an audit record. My
question is, 1. specify more than one path field as in example1 is valid?
Nope.
2. If not valid than how do I create single audit rule to monitor
multiple files/directory?
They need to be separate rules. You can also recursively watch a directory with
'dir'
3. If valid, then why "Invalid argument" is reported?
4. To monitor 10 files, should 10 audit rules required?
Possibly.
5. if 10 rules are required, how to I optimize the rule for
performance?
The filesystem watches are very efficient. You can probably put a 100 watches on
random files and you will not be able to see any performance hit unless they
are actually triggered. Syscall rules on the otherhand do affect performance.
My next question is does Linux audit support regular expressions?
No. The kernel pretty much wants things to be numbers rather than strings.
How do I create audit rule to monitor /var/log/*.log?
-a always,exit -F dir=/var/log/audit/ -F perm=wa -F key=write-audit-log
-Steve
# auditctl -a always,exit -F arch=x86_64 -F path=^/var/log/*.log$ -S
open
Error sending add rule data request (Invalid argument)
If my questions are already documented, please guide me to the
documentation.
Regards,
Ketan
2:52 p.m.
On Wednesday, May 11, 2016 11:19:07 AM Bhagwat, Shriniketan Manjunath wrote:
Thanks for the response. Your response cleared many of my doubts. I
need one
clarity on use of Linux capability CAP_AUDIT_CONTROL.
My understanding is that, only root user can start/stop audit service and
configure auditctl rules. auditctl.c and auditd.c specifically check for
uid to be zero. The man page says CAP_AUDIT_CONTROL " Enable and disable
kernel auditing; change auditing filter rules; retrieve auditing status and
filtering rules." Does this mean, a process with CAP_AUDIT_CONTROL
capability running from non root account will be able to start/stop audit
and configure auditctl rules?
Not today. The check for uid 0 is a poor man's check for CAP_AUDIT_CONTROL. I
have not revisited the checks since allowing libcap-ng to link with other
components.
Are there any documentation about how to use
CAP_AUDIT_CONTROL capability and how it is related to audit?
Very little. Its mostly reading source code.
Is it possible to suppress events for a file for the set of specific
syscalls? Example: Using the below rule I want to suppress audit event only
for chmod syscall for file /tmp/read_only. However below rule not only
suppresses the audit event for chmod syscall but also for other syscalls
for /tmp/read_only file.
# auditctl -a never,exit -F arch=x86_64 -F path=/tmp/read_only -S chmod
This is how I would try to write it. If that suppresses more syscalls than
chmod and you can give us a reproducer, I think it should go in the new github
issue tracker for the kernel.
-Steve
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Monday, May 09, 2016 7:20 PM
To: linux-audit(a)redhat.com
Cc: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat(a)hpe.com>
Subject: Re: Audit reporting Invalid argument
On Monday, May 09, 2016 01:40:58 PM Bhagwat, Shriniketan Manjunath wrote:
> I am trying to monitor multiple files using Linux audit. In order to
> get better performance, I am trying to reduce number of rules. If I
> specify more than one path field as in below example I am getting
> "Invalid argument".
>
> Examle1:
> # auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c
> -F path=/home/secpack/test -S open Error sending add rule data request
> (Invalid argument)
>
> # auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c
> -F dir=/tmp/ -S open Error sending add rule data request (Invalid
> argument)
>
> However, I am able to create a single rule to monitor multiple PIDs or
> UIDs as below.
>
> Examle2:
> # auditctl -a always,exit -F arch=x86_64 -F pid=3526 -F pid=3537 #
> auditctl -a always,exit -F arch=x86_64 -F auid=0 -F auid=512 -F
> auid=1002
Which will produce no events due to the anding you mention below. Something
cannot have both pid 3526 and 3537.
> As per the auditctl man page, Build a rule field takes up to 64 fields
> on a single command line. Each one must start with -F. Each field
> equation is anded with each other to trigger an audit record. My
> question is, 1. specify more than one path field as in example1 is valid?
Nope.
> 2. If not valid than how do I create single audit rule to monitor
> multiple files/directory?
They need to be separate rules. You can also recursively watch a directory
with 'dir'
> 3. If valid, then why "Invalid argument" is reported?
> 4. To monitor 10 files, should 10 audit rules required?
Possibly.
> 5. if 10 rules are required, how to I optimize the rule for performance?
The filesystem watches are very efficient. You can probably put a 100
watches on random files and you will not be able to see any performance hit
unless they are actually triggered. Syscall rules on the otherhand do
affect performance.
> My next question is does Linux audit support regular expressions?
No. The kernel pretty much wants things to be numbers rather than strings.
> How do I create audit rule to monitor /var/log/*.log?
-a always,exit -F dir=/var/log/audit/ -F perm=wa -F key=write-audit-log
-Steve
> # auditctl -a always,exit -F arch=x86_64 -F path=^/var/log/*.log$ -S open
> Error sending add rule data request (Invalid argument)
>
> If my questions are already documented, please guide me to the
> documentation.
>
> Regards,
> Ketan
4:40 a.m.
Hi Steve,
Thanks for your input.
Not today. The check for uid 0 is a poor man's check for
CAP_AUDIT_CONTROL
Are there any future plans to support enabling audit from non root
user using CAP_AUDIT_CONTROL?
Regarding suppression of events, I will do some testing and let you know later.
Is there a way I can avoid default logging of the audit events to
/var/log/audit/audit.log? I do not want audit to log audit events to audit.log, however I
will capture them using my plug-in. Is there a way I can accomplish this? I tried to
commenting the log_file filed from auditd.conf, however the events are still written to
audit.log. I think below code from auditd-config.c is causing audit to write to audit.log
config->log_file = strdup("/var/log/audit/audit.log");
Regards,
Ketan
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Thursday, May 12, 2016 1:22 AM
To: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat(a)hpe.com>
Cc: linux-audit(a)redhat.com
Subject: Re: Audit reporting Invalid argument
On Wednesday, May 11, 2016 11:19:07 AM Bhagwat, Shriniketan Manjunath wrote:
Thanks for the response. Your response cleared many of my doubts. I
need one clarity on use of Linux capability CAP_AUDIT_CONTROL.
My understanding is that, only root user can start/stop audit service
and configure auditctl rules. auditctl.c and auditd.c specifically
check for uid to be zero. The man page says CAP_AUDIT_CONTROL " Enable
and disable kernel auditing; change auditing filter rules; retrieve
auditing status and filtering rules." Does this mean, a process with
CAP_AUDIT_CONTROL capability running from non root account will be
able to start/stop audit and configure auditctl rules?
Not today. The check for uid 0 is a poor man's check for CAP_AUDIT_CONTROL. I have not
revisited the checks since allowing libcap-ng to link with other components.
Are there any documentation about how to use CAP_AUDIT_CONTROL
capability and how it is related to audit?
Very little. Its mostly reading source code.
Is it possible to suppress events for a file for the set of specific
syscalls? Example: Using the below rule I want to suppress audit event
only for chmod syscall for file /tmp/read_only. However below rule not
only suppresses the audit event for chmod syscall but also for other
syscalls for /tmp/read_only file.
# auditctl -a never,exit -F arch=x86_64 -F path=/tmp/read_only -S
chmod
This is how I would try to write it. If that suppresses more syscalls than chmod and you
can give us a reproducer, I think it should go in the new github issue tracker for the
kernel.
-Steve
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Monday, May 09, 2016 7:20 PM
To: linux-audit(a)redhat.com
Cc: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat(a)hpe.com>
Subject: Re: Audit reporting Invalid argument
On Monday, May 09, 2016 01:40:58 PM Bhagwat, Shriniketan Manjunath wrote:
> I am trying to monitor multiple files using Linux audit. In order to
> get better performance, I am trying to reduce number of rules. If I
> specify more than one path field as in below example I am getting
> "Invalid argument".
>
> Examle1:
> # auditctl -a always,exit -F arch=x86_64 -F
> path=/home/secpack/test.c -F path=/home/secpack/test -S open Error
> sending add rule data request (Invalid argument)
>
> # auditctl -a always,exit -F arch=x86_64 -F
> path=/home/secpack/test.c -F dir=/tmp/ -S open Error sending add
> rule data request (Invalid
> argument)
>
> However, I am able to create a single rule to monitor multiple PIDs
> or UIDs as below.
>
> Examle2:
> # auditctl -a always,exit -F arch=x86_64 -F pid=3526 -F pid=3537 #
> auditctl -a always,exit -F arch=x86_64 -F auid=0 -F auid=512 -F
> auid=1002
Which will produce no events due to the anding you mention below.
Something cannot have both pid 3526 and 3537.
> As per the auditctl man page, Build a rule field takes up to 64
> fields on a single command line. Each one must start with -F. Each
> field equation is anded with each other to trigger an audit
> record. My question is, 1. specify more than one path field as in example1 is
valid?
Nope.
> 2. If not valid than how do I create single audit rule to monitor
> multiple files/directory?
They need to be separate rules. You can also recursively watch a
directory with 'dir'
> 3. If valid, then why "Invalid argument" is reported?
> 4. To monitor 10 files, should 10 audit rules required?
Possibly.
> 5. if 10 rules are required, how to I optimize the rule for performance?
The filesystem watches are very efficient. You can probably put a 100
watches on random files and you will not be able to see any
performance hit unless they are actually triggered. Syscall rules on
the otherhand do affect performance.
> My next question is does Linux audit support regular expressions?
No. The kernel pretty much wants things to be numbers rather than strings.
> How do I create audit rule to monitor /var/log/*.log?
-a always,exit -F dir=/var/log/audit/ -F perm=wa -F
key=write-audit-log
-Steve
> # auditctl -a always,exit -F arch=x86_64 -F path=^/var/log/*.log$
> -S open Error sending add rule data request (Invalid argument)
>
> If my questions are already documented, please guide me to the
> documentation.
>
> Regards,
> Ketan
7:53 a.m.
On Saturday, May 14, 2016 09:40:05 AM Bhagwat, Shriniketan Manjunath wrote:
> Not today. The check for uid 0 is a poor man's check for
CAP_AUDIT_CONTROL
Are there any future plans to support enabling audit from non root user
using CAP_AUDIT_CONTROL?
You are the only person who has asked for it. I suppose it can be done in a
couple lines of code. But you still have the permissions of the directories
that hold the rules to correct. Easy to fix, but I think you might be fighting
the distribution's package manager which would set things back to root every
update.
Regarding suppression of events, I will do some testing and let you
know
later.
Is there a way I can avoid default logging of the audit events to
/var/log/audit/audit.log?
If you have an old copy old the audit system (2.5.1 or earlier) then use
log_format = NOLOG. If you have a current copy, then use write_logs = no.
-Steve
I do not want audit to log audit events to
audit.log, however I will capture them using my plug-in. Is there a way I
can accomplish this? I tried to commenting the log_file filed from
auditd.conf, however the events are still written to audit.log. I think
below code from auditd-config.c is causing audit to write to audit.log
config->log_file = strdup("/var/log/audit/audit.log");
12:21 p.m.
On 16/05/16, Steve Grubb wrote:
On Saturday, May 14, 2016 09:40:05 AM Bhagwat, Shriniketan Manjunath
wrote:
> > Not today. The check for uid 0 is a poor man's check for CAP_AUDIT_CONTROL
>
> Are there any future plans to support enabling audit from non root user
> using CAP_AUDIT_CONTROL?
You are the only person who has asked for it. I suppose it can be done in a
couple lines of code. But you still have the permissions of the directories
that hold the rules to correct. Easy to fix, but I think you might be fighting
the distribution's package manager which would set things back to root every
update.
There is no kernel obstacle that I can see now. It used to depend on
CAP_NET_ADMIN, I think, but that stuff has all been fixed. I can see
applications for it, possibly even in containers down the road...
-Steve
- RGB
--
Richard Guy Briggs <rgb(a)redhat.com>
Kernel Security Engineering, Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635
10:37 p.m.
Thanks Steve and Richard for your response.
I will provide the fix soon.
Regards,
Ketan
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Monday, May 16, 2016 6:24 PM
To: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat(a)hpe.com>
Cc: linux-audit(a)redhat.com
Subject: Re: Audit reporting Invalid argument
On Saturday, May 14, 2016 09:40:05 AM Bhagwat, Shriniketan Manjunath wrote:
> Not today. The check for uid 0 is a poor man's check for
> CAP_AUDIT_CONTROL
Are there any future plans to support enabling audit from non root
user using CAP_AUDIT_CONTROL?
You are the only person who has asked for it. I suppose it can be done in a couple lines
of code. But you still have the permissions of the directories that hold the rules to
correct. Easy to fix, but I think you might be fighting the distribution's package
manager which would set things back to root every update.
Regarding suppression of events, I will do some testing and let you
know later.
Is there a way I can avoid default logging of the audit events to
/var/log/audit/audit.log?
If you have an old copy old the audit system (2.5.1 or earlier) then use log_format =
NOLOG. If you have a current copy, then use write_logs = no.
-Steve
I do not want audit to log audit events to audit.log, however I will
capture them using my plug-in. Is there a way I can accomplish this? I
tried to commenting the log_file filed from auditd.conf, however the
events are still written to audit.log. I think below code from
auditd-config.c is causing audit to write to audit.log
config->log_file = strdup("/var/log/audit/audit.log");
3:15 a.m.
Hi,
Is it possible to start and stop the user written audit plug-in while auditd and audispd
running?
As I understand, audispd is started by auditd. Audispd starts the user plug-in program
using their configuration files present in /etc/audisp/plugins.d directory. Auditd and
user plug-in are started and stopped as part of auditd startup and stop.
Is it possible to start the user plug-in after the auditd is started and stop the user
plug-in before the auditd is stopped?
Regards,
Ketan
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Monday, May 16, 2016 6:24 PM
To: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat(a)hpe.com>
Cc: linux-audit(a)redhat.com
Subject: Re: Audit reporting Invalid argument
On Saturday, May 14, 2016 09:40:05 AM Bhagwat, Shriniketan Manjunath wrote:
> Not today. The check for uid 0 is a poor man's check for
> CAP_AUDIT_CONTROL
Are there any future plans to support enabling audit from non root
user using CAP_AUDIT_CONTROL?
You are the only person who has asked for it. I suppose it can be done in a couple lines
of code. But you still have the permissions of the directories that hold the rules to
correct. Easy to fix, but I think you might be fighting the distribution's package
manager which would set things back to root every update.
Regarding suppression of events, I will do some testing and let you
know later.
Is there a way I can avoid default logging of the audit events to
/var/log/audit/audit.log?
If you have an old copy old the audit system (2.5.1 or earlier) then use log_format =
NOLOG. If you have a current copy, then use write_logs = no.
-Steve
I do not want audit to log audit events to audit.log, however I will
capture them using my plug-in. Is there a way I can accomplish this? I
tried to commenting the log_file filed from auditd.conf, however the
events are still written to audit.log. I think below code from
auditd-config.c is causing audit to write to audit.log
config->log_file = strdup("/var/log/audit/audit.log");
10:01 a.m.
On Monday, June 13, 2016 08:15:36 AM Bhagwat, Shriniketan Manjunath wrote:
Hi,
Is it possible to start and stop the user written audit plug-in while auditd
and audispd running? As I understand, audispd is started by auditd. Audispd
starts the user plug-in program using their configuration files present in
/etc/audisp/plugins.d directory. Auditd and user plug-in are started and
stopped as part of auditd startup and stop. Is it possible to start the
user plug-in after the auditd is started and stop the user plug-in before
the auditd is stopped?
There is nothing that prevents you from sending a SIGTERM to the plugin if you
are root. The plugin will be restarted when the next event arrives to audispd.
-Steve
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Monday, May 16, 2016 6:24 PM
To: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat(a)hpe.com>
Cc: linux-audit(a)redhat.com
Subject: Re: Audit reporting Invalid argument
On Saturday, May 14, 2016 09:40:05 AM Bhagwat, Shriniketan Manjunath wrote:
> > Not today. The check for uid 0 is a poor man's check for
> > CAP_AUDIT_CONTROL
>
> Are there any future plans to support enabling audit from non root
> user using CAP_AUDIT_CONTROL?
You are the only person who has asked for it. I suppose it can be done in a
couple lines of code. But you still have the permissions of the directories
that hold the rules to correct. Easy to fix, but I think you might be
fighting the distribution's package manager which would set things back to
root every update.
> Regarding suppression of events, I will do some testing and let you
> know later.
>
> Is there a way I can avoid default logging of the audit events to
> /var/log/audit/audit.log?
If you have an old copy old the audit system (2.5.1 or earlier) then use
log_format = NOLOG. If you have a current copy, then use write_logs = no.
-Steve
> I do not want audit to log audit events to audit.log, however I will
> capture them using my plug-in. Is there a way I can accomplish this? I
> tried to commenting the log_file filed from auditd.conf, however the
> events are still written to audit.log. I think below code from
> auditd-config.c is causing audit to write to audit.log
>
> config->log_file = strdup("/var/log/audit/audit.log");
8:44 a.m.
Hi Steve,
> The plugin will be restarted when the next event arrives to
audispd.
I do not want my plug-in to be running unnecessarily all the time until the
auditd is running.
I can accomplish my requirement by sending SIGHUP to audispd and changing the plug-in
configuration's option active=yes/no.
Regards,
Ketan
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Monday, June 13, 2016 8:31 PM
To: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat(a)hpe.com>
Cc: linux-audit(a)redhat.com
Subject: Re: Audit reporting Invalid argument
On Monday, June 13, 2016 08:15:36 AM Bhagwat, Shriniketan Manjunath wrote:
Hi,
Is it possible to start and stop the user written audit plug-in while
auditd and audispd running? As I understand, audispd is started by
auditd. Audispd starts the user plug-in program using their
configuration files present in /etc/audisp/plugins.d directory. Auditd
and user plug-in are started and stopped as part of auditd startup and
stop. Is it possible to start the user plug-in after the auditd is
started and stop the user plug-in before the auditd is stopped?
There is nothing that prevents you from sending a SIGTERM to the plugin if you are root.
The plugin will be restarted when the next event arrives to audispd.
-Steve
-----Original Message-----
From: Steve Grubb [mailto:sgrubb@redhat.com]
Sent: Monday, May 16, 2016 6:24 PM
To: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat(a)hpe.com>
Cc: linux-audit(a)redhat.com
Subject: Re: Audit reporting Invalid argument
On Saturday, May 14, 2016 09:40:05 AM Bhagwat, Shriniketan Manjunath wrote:
> > Not today. The check for uid 0 is a poor man's check for
> > CAP_AUDIT_CONTROL
>
> Are there any future plans to support enabling audit from non root
> user using CAP_AUDIT_CONTROL?
You are the only person who has asked for it. I suppose it can be done
in a couple lines of code. But you still have the permissions of the
directories that hold the rules to correct. Easy to fix, but I think
you might be fighting the distribution's package manager which would
set things back to root every update.
> Regarding suppression of events, I will do some testing and let you
> know later.
>
> Is there a way I can avoid default logging of the audit events to
> /var/log/audit/audit.log?
If you have an old copy old the audit system (2.5.1 or earlier) then
use log_format = NOLOG. If you have a current copy, then use write_logs = no.
-Steve
> I do not want audit to log audit events to audit.log, however I will
> capture them using my plug-in. Is there a way I can accomplish this?
> I tried to commenting the log_file filed from auditd.conf, however
> the events are still written to audit.log. I think below code from
> auditd-config.c is causing audit to write to audit.log
>
> config->log_file = strdup("/var/log/audit/audit.log");
3112
days inactive
3148
days old
linux-audit@lists.linux-audit.osci.io
10 comments
3 participants
participants (3)
-
Bhagwat, Shriniketan Manjunath -
Richard Guy Briggs -
Steve Grubb