12:09 a.m.
Hi,
I have a DNS server for which the auditd was generating lot of system calls
and flooding the logs.
Due to this the server was under heavy memory usage as audisp-remote was
hogging the memory. The log output for audisp-remote showed that the
syscall was 49. Then I got to know from ausyscall command that the call
number 49 corresponds to bind. Hence I have *excluded* the call to "bind".
I have put in below line in the /etc/audit/audit.rules
*-a exclude,always -S 49*
I have put the above line before section 10.2.2 which says "Feel free to
add below this line" (please note I am running Ubuntu 14.04 but I suppose
auditd implementation is same across board) .
After the exclusion - I no more see the syscall=49 line in
/var/log/audit/audit.rules. So thats a success or sorts!
*Probem/Issue/Query now*: After the exclusion, I do see audit events for
cron , sudo etc. But I do not see a call for "vi" file open mode etc.
*Background:*
log output earlier which was flooding the logs and giving message " *dns1
audisp-remote: message repeated 6613 times: [ queue is full - dropping
event"*
*log:*
*type=SYSCALL msg=audit(1506025977.586:46629194): arch=c000003e syscall=49
success=yes exit=0 a0=3 a1=7ffe540ecf20 a2=c a3=0 items=0 ppid=22337
pid=22338 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="audisp-remote"
exe="/sbin/audisp-remote" key="root_action"*
root@dns1:/tmp# ausyscall 49
*bind*
I do see audit events for cron , sudo etc. But I do not see a call for "vi"
file open mode etc.
Observation: I open file /etc/audit/audit.rules in vi editor and then close
it. Audit log does not show syscall=2
Earlier I used to see below output in logs, but I am not sure that was for
which file opened in vi editor.
*type=SYSCALL msg=audit(1506025995.825:46633170): arch=c000003e syscall=2
success=yes exit=3 a0=5598f609a210 a1=200c1 a2=81a0 a3=0 items=2 ppid=21957
pid=22355 auid=1006 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts0 ses=361 comm="vi" exe="/usr/bin/vim.basic"
key="root_action"*
I did read a bit on auditd from below links. *Please let me know if I am
missing something or are the calls getting audited in an expected way.*
I went through below links; *would appreciate if someone can help with any
references which are more lucid with example*s:
https://linux-audit.com/configuring-and-auditing-linux-systems-with-audit...
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/...
Furthermore, I would like to read much on audisp-remote to send all these
logs to a central server. I do not find any documentation on that. I see
discussion on net where people are using rsyslog instead for that. Please
help with references/links if any.
Thanks!
Best Regards,
Rituraj B
11:47 a.m.
Hello,
On Friday, September 22, 2017 1:09:19 AM EDT Rituraj Buddhisagar wrote:
I have a DNS server for which the auditd was generating lot of system
calls
and flooding the logs.
Due to this the server was under heavy memory usage as audisp-remote was
hogging the memory. The log output for audisp-remote showed that the
syscall was 49. Then I got to know from ausyscall command that the call
number 49 corresponds to bind. Hence I have *excluded* the call to "bind".
I have put in below line in the /etc/audit/audit.rules
*-a exclude,always -S 49*
I have put the above line before section 10.2.2 which says "Feel free to
add below this line" (please note I am running Ubuntu 14.04 but I suppose
auditd implementation is same across board) .
Also know that the rules are looked at from top to bottom with the first match
winning. So, you would want this rule above whatever is causing events.
After the exclusion - I no more see the syscall=49 line in
/var/log/audit/audit.rules. So thats a success of sorts!
*Probem/Issue/Query now*: After the exclusion, I do see audit events for
cron , sudo etc. But I do not see a call for "vi" file open mode etc.
I'd need to see the rules to figure out what's wrong, but I have some hints
below...
*Background:*
log output earlier which was flooding the logs and giving message " *dns1
audisp-remote: message repeated 6613 times: [ queue is full - dropping
event"*
*log:*
*type=SYSCALL msg=audit(1506025977.586:46629194): arch=c000003e syscall=49
success=yes exit=0 a0=3 a1=7ffe540ecf20 a2=c a3=0 items=0 ppid=22337
pid=22338 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="audisp-remote"
exe="/sbin/audisp-remote" key="root_action"*
The main question is what is the root_action rule(s)? Normally we add a
auid!=4294967295 to prevent daemons from causing events. Typically when it's
desired to get root events, its means that you want to target _people_ running
as root rather than normal system activity.
root@dns1:/tmp# ausyscall 49
*bind*
I do see audit events for cron , sudo etc. But I do not see a call for "vi"
file open mode etc.
Observation: I open file /etc/audit/audit.rules in vi editor and then close
it. Audit log does not show syscall=2
If you were wanting to record writes to that, you would use a rule like this:
-w /etc/audit/ -p wa
Earlier I used to see below output in logs, but I am not sure that
was for
which file opened in vi editor.
*type=SYSCALL msg=audit(1506025995.825:46633170): arch=c000003e syscall=2
success=yes exit=3 a0=5598f609a210 a1=200c1 a2=81a0 a3=0 items=2 ppid=21957
pid=22355 auid=1006 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts0 ses=361 comm="vi" exe="/usr/bin/vim.basic"
key="root_action"*
Typically, its expected to look at events through ausearch. It groups the
records into events. You can also use aureport to see summary information.
I did read a bit on auditd from below links. *Please let me know if I
am
missing something or are the calls getting audited in an expected way.*
I went through below links; *would appreciate if someone can help with any
references which are more lucid with example*s:
https://linux-audit.com/configuring-and-auditing-linux-systems-with-audit-da
emon/
I was not aware of that site. But some of the information appears to be dated.
For example, telling people to use pam_tally2 when they should be using
pam_faillock.
https://access.redhat.com/documentation/en-US/Red_Hat_Enterprise_Linux/6/ht
ml/Security_Guide/chap-system_auditing.html
Furthermore, I would like to read much on audisp-remote to send all these
logs to a central server. I do not find any documentation on that. I see
discussion on net where people are using rsyslog instead for that. Please
help with references/links if any.
Admittedly there is not much written. It is on my list of topics to blog
about. But I haven't had time for blogging lately.
-Steve
9 a.m.
Hi Steve,
Thanks for the response.
Suppressing the events with -F auid!=4294967295 worked.
I am seeing the events like "vi" "chmod" etc are getting audited by
the
system - even as a root account.
I am yet to understand fully though on various rule sets and also on
components like audisp / audisp-remote. So reading more ..
Best Regards,
Rituraj B
On Fri, Sep 22, 2017 at 10:17 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
Hello,
On Friday, September 22, 2017 1:09:19 AM EDT Rituraj Buddhisagar wrote:
> I have a DNS server for which the auditd was generating lot of system
calls
> and flooding the logs.
> Due to this the server was under heavy memory usage as audisp-remote was
> hogging the memory. The log output for audisp-remote showed that the
> syscall was 49. Then I got to know from ausyscall command that the call
> number 49 corresponds to bind. Hence I have *excluded* the call to
"bind".
>
> I have put in below line in the /etc/audit/audit.rules
>
> *-a exclude,always -S 49*
>
> I have put the above line before section 10.2.2 which says "Feel free to
> add below this line" (please note I am running Ubuntu 14.04 but I suppose
> auditd implementation is same across board) .
Also know that the rules are looked at from top to bottom with the first
match
winning. So, you would want this rule above whatever is causing events.
> After the exclusion - I no more see the syscall=49 line in
> /var/log/audit/audit.rules. So thats a success of sorts!
>
> *Probem/Issue/Query now*: After the exclusion, I do see audit events for
> cron , sudo etc. But I do not see a call for "vi" file open mode etc.
I'd need to see the rules to figure out what's wrong, but I have some hints
below...
> *Background:*
>
> log output earlier which was flooding the logs and giving message " *dns1
> audisp-remote: message repeated 6613 times: [ queue is full - dropping
> event"*
>
> *log:*
> *type=SYSCALL msg=audit(1506025977.586:46629194): arch=c000003e
syscall=49
> success=yes exit=0 a0=3 a1=7ffe540ecf20 a2=c a3=0 items=0 ppid=22337
> pid=22338 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="audisp-remote"
> exe="/sbin/audisp-remote" key="root_action"*
The main question is what is the root_action rule(s)? Normally we add a
auid!=4294967295 to prevent daemons from causing events. Typically when
it's
desired to get root events, its means that you want to target _people_
running
as root rather than normal system activity.
> root@dns1:/tmp# ausyscall 49
> *bind*
>
> I do see audit events for cron , sudo etc. But I do not see a call for
"vi"
> file open mode etc.
>
> Observation: I open file /etc/audit/audit.rules in vi editor and then
close
> it. Audit log does not show syscall=2
If you were wanting to record writes to that, you would use a rule like
this:
-w /etc/audit/ -p wa
> Earlier I used to see below output in logs, but I am not sure that was
for
> which file opened in vi editor.
>
> *type=SYSCALL msg=audit(1506025995.825:46633170): arch=c000003e
syscall=2
> success=yes exit=3 a0=5598f609a210 a1=200c1 a2=81a0 a3=0 items=2
ppid=21957
> pid=22355 auid=1006 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0
> tty=pts0 ses=361 comm="vi" exe="/usr/bin/vim.basic"
key="root_action"*
Typically, its expected to look at events through ausearch. It groups the
records into events. You can also use aureport to see summary information.
> I did read a bit on auditd from below links. *Please let me know if I am
> missing something or are the calls getting audited in an expected way.*
>
> I went through below links; *would appreciate if someone can help with
any
> references which are more lucid with example*s:
>
> https://linux-audit.com/configuring-and-auditing-
linux-systems-with-audit-da
> emon/
I was not aware of that site. But some of the information appears to be
dated.
For example, telling people to use pam_tally2 when they should be using
pam_faillock.
> https://access.redhat.com/documentation/en-US/Red_Hat_
Enterprise_Linux/6/ht
> ml/Security_Guide/chap-system_auditing.html
>
> Furthermore, I would like to read much on audisp-remote to send all these
> logs to a central server. I do not find any documentation on that. I see
> discussion on net where people are using rsyslog instead for that. Please
> help with references/links if any.
Admittedly there is not much written. It is on my list of topics to blog
about. But I haven't had time for blogging lately.
-Steve
9:08 a.m.
Continued...from previous mail of mine..
While I am reading and exploring much on auditd & on how I can have a
proper central system where logs are stored and daily reports get
generated, you might want to look at my config file on server and
suggest/recommend if anything - would appreciate if any pointers.
I am using default config which came with Ubuntu 16.04 and only change was*
"-F auid!=4294967295"* on line where root_action is defined .
Thanks!
Best Regards,
Rituraj B
On Sat, Sep 23, 2017 at 7:30 PM, Rituraj Buddhisagar <rituraj(a)vayana.com>
wrote:
Hi Steve,
Thanks for the response.
Suppressing the events with -F auid!=4294967295 worked.
I am seeing the events like "vi" "chmod" etc are getting audited by
the
system - even as a root account.
I am yet to understand fully though on various rule sets and also on
components like audisp / audisp-remote. So reading more ..
Best Regards,
Rituraj B
On Fri, Sep 22, 2017 at 10:17 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
> Hello,
>
> On Friday, September 22, 2017 1:09:19 AM EDT Rituraj Buddhisagar wrote:
> > I have a DNS server for which the auditd was generating lot of system
> calls
> > and flooding the logs.
> > Due to this the server was under heavy memory usage as audisp-remote
> was
> > hogging the memory. The log output for audisp-remote showed that the
> > syscall was 49. Then I got to know from ausyscall command that the call
> > number 49 corresponds to bind. Hence I have *excluded* the call to
> "bind".
> >
> > I have put in below line in the /etc/audit/audit.rules
> >
> > *-a exclude,always -S 49*
> >
> > I have put the above line before section 10.2.2 which says "Feel free to
> > add below this line" (please note I am running Ubuntu 14.04 but I
> suppose
> > auditd implementation is same across board) .
>
> Also know that the rules are looked at from top to bottom with the first
> match
> winning. So, you would want this rule above whatever is causing events.
>
>
> > After the exclusion - I no more see the syscall=49 line in
> > /var/log/audit/audit.rules. So thats a success of sorts!
> >
> > *Probem/Issue/Query now*: After the exclusion, I do see audit events for
> > cron , sudo etc. But I do not see a call for "vi" file open mode etc.
>
> I'd need to see the rules to figure out what's wrong, but I have some
> hints
> below...
>
> > *Background:*
> >
> > log output earlier which was flooding the logs and giving message "
> *dns1
> > audisp-remote: message repeated 6613 times: [ queue is full - dropping
> > event"*
> >
> > *log:*
> > *type=SYSCALL msg=audit(1506025977.586:46629194): arch=c000003e
> syscall=49
> > success=yes exit=0 a0=3 a1=7ffe540ecf20 a2=c a3=0 items=0 ppid=22337
> > pid=22338 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> sgid=0
> > fsgid=0 tty=(none) ses=4294967295 comm="audisp-remote"
> > exe="/sbin/audisp-remote" key="root_action"*
>
> The main question is what is the root_action rule(s)? Normally we add a
> auid!=4294967295 to prevent daemons from causing events. Typically when
> it's
> desired to get root events, its means that you want to target _people_
> running
> as root rather than normal system activity.
>
>
> > root@dns1:/tmp# ausyscall 49
> > *bind*
> >
> > I do see audit events for cron , sudo etc. But I do not see a call for
> "vi"
> > file open mode etc.
> >
> > Observation: I open file /etc/audit/audit.rules in vi editor and then
> close
> > it. Audit log does not show syscall=2
>
> If you were wanting to record writes to that, you would use a rule like
> this:
>
> -w /etc/audit/ -p wa
>
>
> > Earlier I used to see below output in logs, but I am not sure that was
> for
> > which file opened in vi editor.
> >
> > *type=SYSCALL msg=audit(1506025995.825:46633170): arch=c000003e
> syscall=2
> > success=yes exit=3 a0=5598f609a210 a1=200c1 a2=81a0 a3=0 items=2
> ppid=21957
> > pid=22355 auid=1006 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0
> > tty=pts0 ses=361 comm="vi" exe="/usr/bin/vim.basic"
key="root_action"*
>
> Typically, its expected to look at events through ausearch. It groups the
> records into events. You can also use aureport to see summary information.
>
> > I did read a bit on auditd from below links. *Please let me know if I am
> > missing something or are the calls getting audited in an expected way.*
>
> >
> > I went through below links; *would appreciate if someone can help with
> any
> > references which are more lucid with example*s:
> >
> > https://linux-audit.com/configuring-and-auditing-linux-
> systems-with-audit-da
> > emon/
>
> I was not aware of that site. But some of the information appears to be
> dated.
> For example, telling people to use pam_tally2 when they should be using
> pam_faillock.
>
> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterp
> rise_Linux/6/ht
> > ml/Security_Guide/chap-system_auditing.html
> >
> > Furthermore, I would like to read much on audisp-remote to send all
> these
> > logs to a central server. I do not find any documentation on that. I see
> > discussion on net where people are using rsyslog instead for that.
> Please
> > help with references/links if any.
>
> Admittedly there is not much written. It is on my list of topics to blog
> about. But I haven't had time for blogging lately.
>
> -Steve
>
1:16 p.m.
On Saturday, September 23, 2017 10:08:40 AM EDT Rituraj Buddhisagar wrote:
Continued...from previous mail of mine..
While I am reading and exploring much on auditd & on how I can have a
proper central system where logs are stored and daily reports get
generated, you might want to look at my config file on server and
suggest/recommend if anything - would appreciate if any pointers.
I am using default config which came with Ubuntu 16.04 and only change was*
"-F auid!=4294967295"* on line where root_action is defined .
There is no rule, root_action, that is shipped with the audit package. I would
be interested in seeing it if you could copy and paste it into a reply.
-Steve
On Sat, Sep 23, 2017 at 7:30 PM, Rituraj Buddhisagar
<rituraj(a)vayana.com>
wrote:
> Hi Steve,
>
> Thanks for the response.
>
> Suppressing the events with -F auid!=4294967295 worked.
>
> I am seeing the events like "vi" "chmod" etc are getting audited
by the
> system - even as a root account.
>
> I am yet to understand fully though on various rule sets and also on
> components like audisp / audisp-remote. So reading more ..
>
>
> Best Regards,
> Rituraj B
>
> On Fri, Sep 22, 2017 at 10:17 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
>> Hello,
>>
>> On Friday, September 22, 2017 1:09:19 AM EDT Rituraj Buddhisagar wrote:
>> > I have a DNS server for which the auditd was generating lot of system
>>
>> calls
>>
>> > and flooding the logs.
>> > Due to this the server was under heavy memory usage as audisp-remote
>>
>> was
>>
>> > hogging the memory. The log output for audisp-remote showed that the
>> > syscall was 49. Then I got to know from ausyscall command that the call
>> > number 49 corresponds to bind. Hence I have *excluded* the call to
>>
>> "bind".
>>
>> > I have put in below line in the /etc/audit/audit.rules
>> >
>> > *-a exclude,always -S 49*
>> >
>> > I have put the above line before section 10.2.2 which says "Feel free
>> > to
>> > add below this line" (please note I am running Ubuntu 14.04 but I
>>
>> suppose
>>
>> > auditd implementation is same across board) .
>>
>> Also know that the rules are looked at from top to bottom with the first
>> match
>> winning. So, you would want this rule above whatever is causing events.
>>
>> > After the exclusion - I no more see the syscall=49 line in
>> > /var/log/audit/audit.rules. So thats a success of sorts!
>> >
>> > *Probem/Issue/Query now*: After the exclusion, I do see audit events
>> > for
>> > cron , sudo etc. But I do not see a call for "vi" file open mode
etc.
>>
>> I'd need to see the rules to figure out what's wrong, but I have some
>> hints
>> below...
>>
>> > *Background:*
>> >
>> > log output earlier which was flooding the logs and giving message "
>>
>> *dns1
>>
>> > audisp-remote: message repeated 6613 times: [ queue is full - dropping
>> > event"*
>> >
>> > *log:*
>> > *type=SYSCALL msg=audit(1506025977.586:46629194): arch=c000003e
>>
>> syscall=49
>>
>> > success=yes exit=0 a0=3 a1=7ffe540ecf20 a2=c a3=0 items=0 ppid=22337
>> > pid=22338 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
>>
>> sgid=0
>>
>> > fsgid=0 tty=(none) ses=4294967295 comm="audisp-remote"
>> > exe="/sbin/audisp-remote" key="root_action"*
>>
>> The main question is what is the root_action rule(s)? Normally we add a
>> auid!=4294967295 to prevent daemons from causing events. Typically when
>> it's
>> desired to get root events, its means that you want to target _people_
>> running
>> as root rather than normal system activity.
>>
>> > root@dns1:/tmp# ausyscall 49
>> > *bind*
>> >
>> > I do see audit events for cron , sudo etc. But I do not see a call for
>>
>> "vi"
>>
>> > file open mode etc.
>> >
>> > Observation: I open file /etc/audit/audit.rules in vi editor and then
>>
>> close
>>
>> > it. Audit log does not show syscall=2
>>
>> If you were wanting to record writes to that, you would use a rule like
>> this:
>>
>> -w /etc/audit/ -p wa
>>
>> > Earlier I used to see below output in logs, but I am not sure that was
>>
>> for
>>
>> > which file opened in vi editor.
>> >
>> > *type=SYSCALL msg=audit(1506025995.825:46633170): arch=c000003e
>>
>> syscall=2
>>
>> > success=yes exit=3 a0=5598f609a210 a1=200c1 a2=81a0 a3=0 items=2
>>
>> ppid=21957
>>
>> > pid=22355 auid=1006 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
>>
>> fsgid=0
>>
>> > tty=pts0 ses=361 comm="vi" exe="/usr/bin/vim.basic"
key="root_action"*
>>
>> Typically, its expected to look at events through ausearch. It groups the
>> records into events. You can also use aureport to see summary
>> information.
>>
>> > I did read a bit on auditd from below links. *Please let me know if I
>> > am
>> > missing something or are the calls getting audited in an expected way.*
>> >
>> >
>> > I went through below links; *would appreciate if someone can help with
>>
>> any
>>
>> > references which are more lucid with example*s:
>> >
>> > https://linux-audit.com/configuring-and-auditing-linux-> >>
>> systems-with-audit-da
>>
>> > emon/
>>
>> I was not aware of that site. But some of the information appears to be
>> dated.
>> For example, telling people to use pam_tally2 when they should be using
>> pam_faillock.
>>
>> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterp
>>
>> rise_Linux/6/ht
>>
>> > ml/Security_Guide/chap-system_auditing.html
>> >
>> > Furthermore, I would like to read much on audisp-remote to send all
>>
>> these
>>
>> > logs to a central server. I do not find any documentation on that. I
>> > see
>> > discussion on net where people are using rsyslog instead for that.
>>
>> Please
>>
>> > help with references/links if any.
>>
>> Admittedly there is not much written. It is on my list of topics to blog
>> about. But I haven't had time for blogging lately.
>>
>> -Steve
1:29 p.m.
Hi Steve,
As per the config file which I had sent (/etc/audit/audit.rules); below
line has root_action
*-a exit,always -S all -F euid=0 -F perm=wxa -F auid!=4294967295 -k
root_action*
I do not see root_action anywhere else in /etc/audit/* and /etc/audisp/*
Thanks!
Best Regards,
Rituraj B
On Sat, Sep 23, 2017 at 11:46 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
On Saturday, September 23, 2017 10:08:40 AM EDT Rituraj Buddhisagar
wrote:
> Continued...from previous mail of mine..
>
> While I am reading and exploring much on auditd & on how I can have a
> proper central system where logs are stored and daily reports get
> generated, you might want to look at my config file on server and
> suggest/recommend if anything - would appreciate if any pointers.
>
> I am using default config which came with Ubuntu 16.04 and only change
was*
> "-F auid!=4294967295"* on line where root_action is defined .
There is no rule, root_action, that is shipped with the audit package. I
would
be interested in seeing it if you could copy and paste it into a reply.
-Steve
> On Sat, Sep 23, 2017 at 7:30 PM, Rituraj Buddhisagar <rituraj(a)vayana.com
>
>
> wrote:
> > Hi Steve,
> >
> > Thanks for the response.
> >
> > Suppressing the events with -F auid!=4294967295 worked.
> >
> > I am seeing the events like "vi" "chmod" etc are getting
audited by the
> > system - even as a root account.
> >
> > I am yet to understand fully though on various rule sets and also on
> > components like audisp / audisp-remote. So reading more ..
> >
> >
> > Best Regards,
> > Rituraj B
> >
> > On Fri, Sep 22, 2017 at 10:17 PM, Steve Grubb <sgrubb(a)redhat.com>
wrote:
> >> Hello,
> >>
> >> On Friday, September 22, 2017 1:09:19 AM EDT Rituraj Buddhisagar
wrote:
> >> > I have a DNS server for which the auditd was generating lot of
system
> >>
> >> calls
> >>
> >> > and flooding the logs.
> >> > Due to this the server was under heavy memory usage as
audisp-remote
> >>
> >> was
> >>
> >> > hogging the memory. The log output for audisp-remote showed that
the
> >> > syscall was 49. Then I got to know from ausyscall command that the
call
> >> > number 49 corresponds to bind. Hence I have *excluded* the call to
> >>
> >> "bind".
> >>
> >> > I have put in below line in the /etc/audit/audit.rules
> >> >
> >> > *-a exclude,always -S 49*
> >> >
> >> > I have put the above line before section 10.2.2 which says "Feel
free
> >> > to
> >> > add below this line" (please note I am running Ubuntu 14.04 but
I
> >>
> >> suppose
> >>
> >> > auditd implementation is same across board) .
> >>
> >> Also know that the rules are looked at from top to bottom with the
first
> >> match
> >> winning. So, you would want this rule above whatever is causing
events.
> >>
> >> > After the exclusion - I no more see the syscall=49 line in
> >> > /var/log/audit/audit.rules. So thats a success of sorts!
> >> >
> >> > *Probem/Issue/Query now*: After the exclusion, I do see audit events
> >> > for
> >> > cron , sudo etc. But I do not see a call for "vi" file open
mode
etc.
> >>
> >> I'd need to see the rules to figure out what's wrong, but I have
some
> >> hints
> >> below...
> >>
> >> > *Background:*
> >> >
> >> > log output earlier which was flooding the logs and giving message
"
> >>
> >> *dns1
> >>
> >> > audisp-remote: message repeated 6613 times: [ queue is full -
dropping
> >> > event"*
> >> >
> >> > *log:*
> >> > *type=SYSCALL msg=audit(1506025977.586:46629194): arch=c000003e
> >>
> >> syscall=49
> >>
> >> > success=yes exit=0 a0=3 a1=7ffe540ecf20 a2=c a3=0 items=0 ppid=22337
> >> > pid=22338 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
> >>
> >> sgid=0
> >>
> >> > fsgid=0 tty=(none) ses=4294967295 comm="audisp-remote"
> >> > exe="/sbin/audisp-remote" key="root_action"*
> >>
> >> The main question is what is the root_action rule(s)? Normally we add
a
> >> auid!=4294967295 to prevent daemons from causing events. Typically
when
> >> it's
> >> desired to get root events, its means that you want to target _people_
> >> running
> >> as root rather than normal system activity.
> >>
> >> > root@dns1:/tmp# ausyscall 49
> >> > *bind*
> >> >
> >> > I do see audit events for cron , sudo etc. But I do not see a call
for
> >>
> >> "vi"
> >>
> >> > file open mode etc.
> >> >
> >> > Observation: I open file /etc/audit/audit.rules in vi editor and
then
> >>
> >> close
> >>
> >> > it. Audit log does not show syscall=2
> >>
> >> If you were wanting to record writes to that, you would use a rule
like
> >> this:
> >>
> >> -w /etc/audit/ -p wa
> >>
> >> > Earlier I used to see below output in logs, but I am not sure that
was
> >>
> >> for
> >>
> >> > which file opened in vi editor.
> >> >
> >> > *type=SYSCALL msg=audit(1506025995.825:46633170): arch=c000003e
> >>
> >> syscall=2
> >>
> >> > success=yes exit=3 a0=5598f609a210 a1=200c1 a2=81a0 a3=0 items=2
> >>
> >> ppid=21957
> >>
> >> > pid=22355 auid=1006 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> >>
> >> fsgid=0
> >>
> >> > tty=pts0 ses=361 comm="vi"
exe="/usr/bin/vim.basic"
key="root_action"*
> >>
> >> Typically, its expected to look at events through ausearch. It groups
the
> >> records into events. You can also use aureport to see summary
> >> information.
> >>
> >> > I did read a bit on auditd from below links. *Please let me know if
I
> >> > am
> >> > missing something or are the calls getting audited in an expected
way.*
> >> >
> >> >
> >> > I went through below links; *would appreciate if someone can help
with
> >>
> >> any
> >>
> >> > references which are more lucid with example*s:
> >> >
> >> > https://linux-audit.com/configuring-and-auditing-linux-> >>
> >> systems-with-audit-da
> >>
> >> > emon/
> >>
> >> I was not aware of that site. But some of the information appears to
be
> >> dated.
> >> For example, telling people to use pam_tally2 when they should be
using
> >> pam_faillock.
> >>
> >> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterp
> >>
> >> rise_Linux/6/ht
> >>
> >> > ml/Security_Guide/chap-system_auditing.html
> >> >
> >> > Furthermore, I would like to read much on audisp-remote to send all
> >>
> >> these
> >>
> >> > logs to a central server. I do not find any documentation on that. I
> >> > see
> >> > discussion on net where people are using rsyslog instead for that.
> >>
> >> Please
> >>
> >> > help with references/links if any.
> >>
> >> Admittedly there is not much written. It is on my list of topics to
blog
> >> about. But I haven't had time for blogging lately.
> >>
> >> -Steve
1:40 p.m.
So, here is the tree structure for auditd and audisp in Ubuntu.
*root@dns:/etc# ls -l audit/rules.d/*
*total 4*
*-rw-r----- 1 root root 373 Jan 18 2016 audit.rules*
*root@dns:/etc# *
*root@dns:/etc# ls -l audisp/*
*total 20*
*-rw-r----- 1 root root 211 Jan 18 2016 audispd.conf*
*-rw-r--r-- 1 root root 1143 Jan 18 2016 audisp-prelude.conf*
*-rw-r--r-- 1 root root 714 Sep 16 13:51 audisp-remote.conf*
*drwxr-x--- 2 root root 4096 Sep 16 10:42 plugins.d*
*-rw-r--r-- 1 root root 246 Jan 18 2016 zos-remote.conf*
*root@dns:/etc# *
*root@dns:/etc# ls -l audisp/plugins.d/*
*total 20*
*-rw-r----- 1 root root 358 Jan 18 2016 af_unix.conf*
*-rw-r--r-- 1 root root 436 Jan 18 2016 audispd-zos-remote.conf*
*-rw-r--r-- 1 root root 280 Jan 18 2016 au-prelude.conf*
*-rw-r--r-- 1 root root 239 Sep 16 10:42 au-remote.conf*
*-rw-r----- 1 root root 453 Jan 18 2016 syslog.conf*
Noticed that /etc/audit has a subdirectory rules.d - which again has
another audit.rules. (the contents of that file are pasted below)
*cat /etc/audit/rules.d/audit.rules*
*# This file contains the auditctl rules that are loaded*
*# whenever the audit daemon is started via the initscripts.*
*# The rules are simply the parameters that would be passed*
*# to auditctl.*
*# First rule - delete all*
*-D*
*# Increase the buffers to survive stress events.*
*# Make this bigger for busy systems*
*-b 320*
*# Feel free to add below this line. See auditctl man page*
Best Regards,
Rituraj B
On Sat, Sep 23, 2017 at 11:59 PM, Rituraj Buddhisagar <rituraj(a)vayana.com>
wrote:
Hi Steve,
As per the config file which I had sent (/etc/audit/audit.rules); below
line has root_action
*-a exit,always -S all -F euid=0 -F perm=wxa -F auid!=4294967295 -k
root_action*
I do not see root_action anywhere else in /etc/audit/* and /etc/audisp/*
Thanks!
Best Regards,
Rituraj B
On Sat, Sep 23, 2017 at 11:46 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
> On Saturday, September 23, 2017 10:08:40 AM EDT Rituraj Buddhisagar wrote:
> > Continued...from previous mail of mine..
> >
> > While I am reading and exploring much on auditd & on how I can have a
> > proper central system where logs are stored and daily reports get
> > generated, you might want to look at my config file on server and
> > suggest/recommend if anything - would appreciate if any pointers.
> >
> > I am using default config which came with Ubuntu 16.04 and only change
> was*
> > "-F auid!=4294967295"* on line where root_action is defined .
>
> There is no rule, root_action, that is shipped with the audit package. I
> would
> be interested in seeing it if you could copy and paste it into a reply.
>
> -Steve
>
> > On Sat, Sep 23, 2017 at 7:30 PM, Rituraj Buddhisagar <
> rituraj(a)vayana.com>
> >
> > wrote:
> > > Hi Steve,
> > >
> > > Thanks for the response.
> > >
> > > Suppressing the events with -F auid!=4294967295 worked.
> > >
> > > I am seeing the events like "vi" "chmod" etc are
getting audited by
> the
> > > system - even as a root account.
> > >
> > > I am yet to understand fully though on various rule sets and also on
> > > components like audisp / audisp-remote. So reading more ..
> > >
> > >
> > > Best Regards,
> > > Rituraj B
> > >
> > > On Fri, Sep 22, 2017 at 10:17 PM, Steve Grubb <sgrubb(a)redhat.com>
> wrote:
> > >> Hello,
> > >>
> > >> On Friday, September 22, 2017 1:09:19 AM EDT Rituraj Buddhisagar
> wrote:
> > >> > I have a DNS server for which the auditd was generating lot of
> system
> > >>
> > >> calls
> > >>
> > >> > and flooding the logs.
> > >> > Due to this the server was under heavy memory usage as
> audisp-remote
> > >>
> > >> was
> > >>
> > >> > hogging the memory. The log output for audisp-remote showed that
> the
> > >> > syscall was 49. Then I got to know from ausyscall command that
the
> call
> > >> > number 49 corresponds to bind. Hence I have *excluded* the call
to
> > >>
> > >> "bind".
> > >>
> > >> > I have put in below line in the /etc/audit/audit.rules
> > >> >
> > >> > *-a exclude,always -S 49*
> > >> >
> > >> > I have put the above line before section 10.2.2 which says
"Feel
> free
> > >> > to
> > >> > add below this line" (please note I am running Ubuntu 14.04
but I
> > >>
> > >> suppose
> > >>
> > >> > auditd implementation is same across board) .
> > >>
> > >> Also know that the rules are looked at from top to bottom with the
> first
> > >> match
> > >> winning. So, you would want this rule above whatever is causing
> events.
> > >>
> > >> > After the exclusion - I no more see the syscall=49 line in
> > >> > /var/log/audit/audit.rules. So thats a success of sorts!
> > >> >
> > >> > *Probem/Issue/Query now*: After the exclusion, I do see audit
> events
> > >> > for
> > >> > cron , sudo etc. But I do not see a call for "vi" file
open mode
> etc.
> > >>
> > >> I'd need to see the rules to figure out what's wrong, but I
have some
> > >> hints
> > >> below...
> > >>
> > >> > *Background:*
> > >> >
> > >> > log output earlier which was flooding the logs and giving message
"
> > >>
> > >> *dns1
> > >>
> > >> > audisp-remote: message repeated 6613 times: [ queue is full -
> dropping
> > >> > event"*
> > >> >
> > >> > *log:*
> > >> > *type=SYSCALL msg=audit(1506025977.586:46629194): arch=c000003e
> > >>
> > >> syscall=49
> > >>
> > >> > success=yes exit=0 a0=3 a1=7ffe540ecf20 a2=c a3=0 items=0
> ppid=22337
> > >> > pid=22338 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0
> > >>
> > >> sgid=0
> > >>
> > >> > fsgid=0 tty=(none) ses=4294967295 comm="audisp-remote"
> > >> > exe="/sbin/audisp-remote" key="root_action"*
> > >>
> > >> The main question is what is the root_action rule(s)? Normally we
> add a
> > >> auid!=4294967295 to prevent daemons from causing events. Typically
> when
> > >> it's
> > >> desired to get root events, its means that you want to target
> _people_
> > >> running
> > >> as root rather than normal system activity.
> > >>
> > >> > root@dns1:/tmp# ausyscall 49
> > >> > *bind*
> > >> >
> > >> > I do see audit events for cron , sudo etc. But I do not see a
call
> for
> > >>
> > >> "vi"
> > >>
> > >> > file open mode etc.
> > >> >
> > >> > Observation: I open file /etc/audit/audit.rules in vi editor and
> then
> > >>
> > >> close
> > >>
> > >> > it. Audit log does not show syscall=2
> > >>
> > >> If you were wanting to record writes to that, you would use a rule
> like
> > >> this:
> > >>
> > >> -w /etc/audit/ -p wa
> > >>
> > >> > Earlier I used to see below output in logs, but I am not sure
that
> was
> > >>
> > >> for
> > >>
> > >> > which file opened in vi editor.
> > >> >
> > >> > *type=SYSCALL msg=audit(1506025995.825:46633170): arch=c000003e
> > >>
> > >> syscall=2
> > >>
> > >> > success=yes exit=3 a0=5598f609a210 a1=200c1 a2=81a0 a3=0 items=2
> > >>
> > >> ppid=21957
> > >>
> > >> > pid=22355 auid=1006 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0
sgid=0
> > >>
> > >> fsgid=0
> > >>
> > >> > tty=pts0 ses=361 comm="vi"
exe="/usr/bin/vim.basic"
> key="root_action"*
> > >>
> > >> Typically, its expected to look at events through ausearch. It
> groups the
> > >> records into events. You can also use aureport to see summary
> > >> information.
> > >>
> > >> > I did read a bit on auditd from below links. *Please let me know
> if I
> > >> > am
> > >> > missing something or are the calls getting audited in an expected
> way.*
> > >> >
> > >> >
> > >> > I went through below links; *would appreciate if someone can help
> with
> > >>
> > >> any
> > >>
> > >> > references which are more lucid with example*s:
> > >> >
> > >> > https://linux-audit.com/configuring-and-auditing-linux->
>>
> > >> systems-with-audit-da
> > >>
> > >> > emon/
> > >>
> > >> I was not aware of that site. But some of the information appears to
> be
> > >> dated.
> > >> For example, telling people to use pam_tally2 when they should be
> using
> > >> pam_faillock.
> > >>
> > >> > https://access.redhat.com/documentation/en-US/Red_Hat_Enterp
> > >>
> > >> rise_Linux/6/ht
> > >>
> > >> > ml/Security_Guide/chap-system_auditing.html
> > >> >
> > >> > Furthermore, I would like to read much on audisp-remote to send
all
> > >>
> > >> these
> > >>
> > >> > logs to a central server. I do not find any documentation on
that.
> I
> > >> > see
> > >> > discussion on net where people are using rsyslog instead for
that.
> > >>
> > >> Please
> > >>
> > >> > help with references/links if any.
> > >>
> > >> Admittedly there is not much written. It is on my list of topics to
> blog
> > >> about. But I haven't had time for blogging lately.
> > >>
> > >> -Steve
>
>
>
1:54 p.m.
Hello,
On Saturday, September 23, 2017 2:29:47 PM EDT Rituraj Buddhisagar wrote:
As per the config file which I had sent (/etc/audit/audit.rules);
below
line has root_action
*-a exit,always -S all -F euid=0 -F perm=wxa -F auid!=4294967295 -k
root_action*
If you wanted just people and not daemons, then I would suggest changing the
rule to this:
-a exit,always -S all -F euid=0 -F auid>=1000 -F auid!=4294967295 -F key=root_action
However, that is likely to trigger way more events than you need. Because this
will trigger on every single syscall and slow down the system. What you would
normally want to know is which commands were run as root. A rule for that
would look like this:
-a exit,always -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -F
key=root_action
-a exit,always -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=4294967295 -F
key=root_action
Another approach would be to enable keystroke logging. This would involve
adding pam_audit_tty to the su and sudo pam configs. Use the default setting
shown in the pam man page. If you do this, then don't have the root_action
rule because you'll get double information.
And last bit of advice...there are pre-written rules that you can install. On
Fedora, they are located in /usr/share/doc/audit/rules/. There is a README-rules
file that explains how to use them.
-Steve
I do not see root_action anywhere else in /etc/audit/* and
/etc/audisp/*
Thanks!
Best Regards,
Rituraj B
On Sat, Sep 23, 2017 at 11:46 PM, Steve Grubb <sgrubb(a)redhat.com> wrote:
> On Saturday, September 23, 2017 10:08:40 AM EDT Rituraj Buddhisagar wrote:
> > Continued...from previous mail of mine..
> >
> > While I am reading and exploring much on auditd & on how I can have a
> > proper central system where logs are stored and daily reports get
> > generated, you might want to look at my config file on server and
> > suggest/recommend if anything - would appreciate if any pointers.
> >
> > I am using default config which came with Ubuntu 16.04 and only change
>
> was*
>
> > "-F auid!=4294967295"* on line where root_action is defined .
>
> There is no rule, root_action, that is shipped with the audit package. I
> would
> be interested in seeing it if you could copy and paste it into a reply.
>
> -Steve
2647
days inactive
2648
days old
linux-audit@lists.linux-audit.osci.io
7 comments
2 participants
participants (2)
-
Rituraj Buddhisagar -
Steve Grubb