5:36 p.m.
Hello Experts,
We have a big customer that facing the following issue on RHEL 6.2.
As per customer request I've configured the following rules:
$ cat audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
# Feel free to add below this line. See auditctl man page
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
-a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
-a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
-a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
Audit start working as expected. Now customer is asking to exclude/ignore
the following from audit logs:
type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e
syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20
a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash"
key="rootact"
type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c"
a2=2F62696E2F70732061757877777777
type=CWD msg=audit(1581664357.597:257516): cwd="/opt/microfocus/Discovery/bin"
type=PATH msg=audit(1581664357.597:257516): item=0 name="/bin/sh"
inode=398 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL
type=PATH msg=audit(1581664357.597:257516): item=1 name=(null)
inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL
ype=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e syscall=59
success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2
ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps"
exe="/bin/ps" key="rootact"
type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps"
a1="auxwwww"
type=CWD msg=audit(1581664357.601:257517): cwd="/opt/microfocus/Discovery/bin"
type=PATH msg=audit(1581664357.601:257517): item=0 name="/bin/ps"
inode=1451 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL
type=PATH msg=audit(1581664357.601:257517): item=1 name=(null)
inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL
What would be the best way to exclude such audit?
Your help would be much appreciated.
Thanks in advance & kind regards,
Moshe
Moshe Rechtman
Technical Support Engineer
Red Hat Israel <https://www.redhat.com/>
34 Jerusalem rd. Ra'anana, 43501
*mrechtma(a)redhat.com <kweg(a)redhat.com> * T: *+972-9-**7692289 *
M: *+972-54-4971516* F: +972-9-7692223
@RedHat <https://twitter.com/redhat> Red Hat
<https://www.linkedin.com/company/red-hat> Red Hat
<https://www.facebook.com/RedHatInc>
<https://red.ht/sig>
5:41 p.m.
On Thursday, February 20, 2020 6:36:46 PM EST Moshe Rechtman wrote:
Hello Experts,
We have a big customer that facing the following issue on RHEL 6.2.
As per customer request I've configured the following rules:
$ cat audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
# Feel free to add below this line. See auditctl man page
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
-a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
-a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
-a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
Audit start working as expected. Now customer is asking to exclude/ignore
the following from audit logs:
type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e
syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20
a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266
auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash"
key="rootact"
type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh" a1="-c"
a2=2F62696E2F70732061757877777777
type=CWD msg=audit(1581664357.597:257516):
cwd="/opt/microfocus/Discovery/bin" type=PATH
msg=audit(1581664357.597:257516): item=0 name="/bin/sh" inode=398
dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL
type=PATH msg=audit(1581664357.597:257516): item=1 name=(null)
inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL
ype=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e syscall=59
success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2
ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps"
exe="/bin/ps" key="rootact"
type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps"
a1="auxwwww" type=CWD msg=audit(1581664357.601:257517):
cwd="/opt/microfocus/Discovery/bin" type=PATH
msg=audit(1581664357.601:257517): item=0 name="/bin/ps" inode=1451
dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL
type=PATH msg=audit(1581664357.601:257517): item=1 name=(null)
inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
nametype=NORMAL
What would be the best way to exclude such audit?
Your help would be much appreciated.
What's objectionable about these events? The fact that its got a key says
they think they wanted it.
-Steve
6:04 p.m.
Hello Steve,
Thanks for the quick response.
Those particular logs generated by a third party monitoring application
named Microfocus, which keeps on running "ps -auxwwww" command and filling
up quickly the audit log.
Please your advice..
Thanks in adbance,
Kind regards,
Moshe
בתאריך יום ו׳, 21 בפבר׳ 2020, 01:41, מאת Steve Grubb <sgrubb(a)redhat.com>:
On Thursday, February 20, 2020 6:36:46 PM EST Moshe Rechtman wrote:
> Hello Experts,
>
> We have a big customer that facing the following issue on RHEL 6.2.
> As per customer request I've configured the following rules:
>
> $ cat audit.rules
>
> # This file contains the auditctl rules that are loaded
> # whenever the audit daemon is started via the initscripts.
> # The rules are simply the parameters that would be passed
> # to auditctl.
>
> # First rule - delete all
> -D
>
> # Increase the buffers to survive stress events.
> # Make this bigger for busy systems
> -b 320
>
> # Feel free to add below this line. See auditctl man page
>
> -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
> -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
> -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
> -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
>
>
> Audit start working as expected. Now customer is asking to exclude/ignore
> the following from audit logs:
>
> type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e
> syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20
> a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266
> auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/bash"
> key="rootact"
> type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh"
a1="-c"
> a2=2F62696E2F70732061757877777777
> type=CWD msg=audit(1581664357.597:257516):
> cwd="/opt/microfocus/Discovery/bin" type=PATH
> msg=audit(1581664357.597:257516): item=0 name="/bin/sh" inode=398
> dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> nametype=NORMAL
> type=PATH msg=audit(1581664357.597:257516): item=1 name=(null)
> inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> nametype=NORMAL
>
> ype=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e syscall=59
> success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2
> ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps"
> exe="/bin/ps" key="rootact"
> type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps"
> a1="auxwwww" type=CWD msg=audit(1581664357.601:257517):
> cwd="/opt/microfocus/Discovery/bin" type=PATH
> msg=audit(1581664357.601:257517): item=0 name="/bin/ps" inode=1451
> dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> nametype=NORMAL
> type=PATH msg=audit(1581664357.601:257517): item=1 name=(null)
> inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> nametype=NORMAL
>
> What would be the best way to exclude such audit?
> Your help would be much appreciated.
What's objectionable about these events? The fact that its got a key says
they think they wanted it.
-Steve
6:27 p.m.
Hello,
On Thursday, February 20, 2020 7:04:37 PM EST Moshe Rechtman wrote:
Those particular logs generated by a third party monitoring
application
named Microfocus, which keeps on running "ps -auxwwww" command and filling
up quickly the audit log.
It looks like this is a daemon since auid is -1. So, I'd suggest that the
rule be something like:
-a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact
This will not filter just that one item, it will filter all execution by all
daemons.
-Steve
> On Thursday, February 20, 2020 6:36:46 PM EST Moshe Rechtman
wrote:
> > $ cat audit.rules
> >
> > # This file contains the auditctl rules that are loaded
> > # whenever the audit daemon is started via the initscripts.
> > # The rules are simply the parameters that would be passed
> > # to auditctl.
> >
> > # First rule - delete all
> > -D
> >
> > # Increase the buffers to survive stress events.
> > # Make this bigger for busy systems
> > -b 320
> >
> > # Feel free to add below this line. See auditctl man page
> >
> > -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
> > -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
> > -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
> > -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
> >
> >
> > Audit start working as expected. Now customer is asking to
> > exclude/ignore the following from audit logs:
> >
> > type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e
> > syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20
> > a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266
> > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > fsgid=0 tty=(none) ses=4294967295 comm="sh"
exe="/bin/bash"
> > key="rootact"
> > type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh"
a1="-c"
> > a2=2F62696E2F70732061757877777777
> > type=CWD msg=audit(1581664357.597:257516):
> > cwd="/opt/microfocus/Discovery/bin" type=PATH
> > msg=audit(1581664357.597:257516): item=0 name="/bin/sh" inode=398
> > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > nametype=NORMAL
> > type=PATH msg=audit(1581664357.597:257516): item=1 name=(null)
> > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > nametype=NORMAL
> >
> > ype=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e syscall=59
> > success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2
> > ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps"
> > exe="/bin/ps" key="rootact"
> > type=EXECVE msg=audit(1581664357.601:257517): argc=2 a0="/bin/ps"
> > a1="auxwwww" type=CWD msg=audit(1581664357.601:257517):
> > cwd="/opt/microfocus/Discovery/bin" type=PATH
> > msg=audit(1581664357.601:257517): item=0 name="/bin/ps" inode=1451
> > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > nametype=NORMAL
> > type=PATH msg=audit(1581664357.601:257517): item=1 name=(null)
> > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > nametype=NORMAL
> >
> > What would be the best way to exclude such audit?
> > Your help would be much appreciated.
>
> What's objectionable about these events? The fact that its got a key says
> they think they wanted it.
>
> -Steve
1:32 a.m.
Hello Steve,
Thanks so much for your help! I've included your suggested filter in
audit.rules as shown below:
# cat audit.rules1
1 # This file contains the auditctl rules that are loaded
2 # whenever the audit daemon is started via the initscripts.
3 # The rules are simply the parameters that would be passed
4 # to auditctl.
5 # First rule - delete all
6 -D
7 # Increase the buffers to survive stress events.
8 # Make this bigger for busy systems
9 -b 320
10 ### Feel free to add below this line. See auditctl man page
11 -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
12 -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
13 -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
14 -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
15 -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k
rootact
16 -a exit,always -F arch=b32 -F euid=0 -F auid!=unset -S execve -k
rootact
After restarting the auditd service following error received:
# service auditd restart
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Unknown user: unset
-F unknown field: auid
There was an error in line 15 of /etc/audit/audit.rules
# auditctl -l
LIST_RULES: exit,always arch=3221225534 (0xc000003e) euid=0 key=rootact
syscall=execve
LIST_RULES: exit,always arch=1073741827 (0x40000003) euid=0 key=rootact
syscall=execve
LIST_RULES: exit,always arch=3221225534 (0xc000003e) euid>=500 (0x1f4)
key=useract syscall=execve
LIST_RULES: exit,always arch=1073741827 (0x40000003) euid>=500 (0x1f4)
key=useract syscall=execve
# auditctl -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k
rootact
Unknown user: unset
-F unknown field: auid
You advice would be much appreciated.
Many thanks,
Kind regards,
Moshe
Moshe Rechtman
Technical Support Engineer
Red Hat Israel <https://www.redhat.com/>
34 Jerusalem rd. Ra'anana, 43501
*mrechtma(a)redhat.com <kweg(a)redhat.com> * T: *+972-9-**7692289 *
M: *+972-54-4971516* F: +972-9-7692223
@RedHat <https://twitter.com/redhat> Red Hat
<https://www.linkedin.com/company/red-hat> Red Hat
<https://www.facebook.com/RedHatInc>
<https://red.ht/sig>
On Fri, Feb 21, 2020 at 2:27 AM Steve Grubb <sgrubb(a)redhat.com> wrote:
Hello,
On Thursday, February 20, 2020 7:04:37 PM EST Moshe Rechtman wrote:
> Those particular logs generated by a third party monitoring application
> named Microfocus, which keeps on running "ps -auxwwww" command and
filling
> up quickly the audit log.
It looks like this is a daemon since auid is -1. So, I'd suggest that the
rule be something like:
-a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact
This will not filter just that one item, it will filter all execution by
all
daemons.
-Steve
> > On Thursday, February 20, 2020 6:36:46 PM EST Moshe Rechtman wrote:
> > > $ cat audit.rules
> > >
> > > # This file contains the auditctl rules that are loaded
> > > # whenever the audit daemon is started via the initscripts.
> > > # The rules are simply the parameters that would be passed
> > > # to auditctl.
> > >
> > > # First rule - delete all
> > > -D
> > >
> > > # Increase the buffers to survive stress events.
> > > # Make this bigger for busy systems
> > > -b 320
> > >
> > > # Feel free to add below this line. See auditctl man page
> > >
> > > -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
> > > -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
> > > -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
> > > -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
> > >
> > >
> > > Audit start working as expected. Now customer is asking to
> > > exclude/ignore the following from audit logs:
> > >
> > > type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e
> > > syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20
> > > a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266
> > > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > > fsgid=0 tty=(none) ses=4294967295 comm="sh"
exe="/bin/bash"
> > > key="rootact"
> > > type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh"
a1="-c"
> > > a2=2F62696E2F70732061757877777777
> > > type=CWD msg=audit(1581664357.597:257516):
> > > cwd="/opt/microfocus/Discovery/bin" type=PATH
> > > msg=audit(1581664357.597:257516): item=0 name="/bin/sh"
inode=398
> > > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > > nametype=NORMAL
> > > type=PATH msg=audit(1581664357.597:257516): item=1 name=(null)
> > > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > > nametype=NORMAL
> > >
> > > ype=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e
syscall=59
> > > success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2
> > > ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps"
> > > exe="/bin/ps" key="rootact"
> > > type=EXECVE msg=audit(1581664357.601:257517): argc=2
a0="/bin/ps"
> > > a1="auxwwww" type=CWD msg=audit(1581664357.601:257517):
> > > cwd="/opt/microfocus/Discovery/bin" type=PATH
> > > msg=audit(1581664357.601:257517): item=0 name="/bin/ps"
inode=1451
> > > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > > nametype=NORMAL
> > > type=PATH msg=audit(1581664357.601:257517): item=1 name=(null)
> > > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > > nametype=NORMAL
> > >
> > > What would be the best way to exclude such audit?
> > > Your help would be much appreciated.
> >
> > What's objectionable about these events? The fact that its got a key
says
> > they think they wanted it.
> >
> > -Steve
7:53 a.m.
On Friday, February 21, 2020 2:32:58 AM EST Moshe Rechtman wrote:
Thanks so much for your help! I've included your suggested filter
in
audit.rules as shown below:
# cat audit.rules1
1 # This file contains the auditctl rules that are loaded
2 # whenever the audit daemon is started via the initscripts.
3 # The rules are simply the parameters that would be passed
4 # to auditctl.
5 # First rule - delete all
6 -D
7 # Increase the buffers to survive stress events.
8 # Make this bigger for busy systems
9 -b 320
10 ### Feel free to add below this line. See auditctl man page
11 -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
12 -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
13 -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
14 -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
15 -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k
rootact
16 -a exit,always -F arch=b32 -F euid=0 -F auid!=unset -S execve -k
rootact
It won't work this way. You now have 2 sets of rootact. The audit rule engine
is a first match wins. So, this second set of rules will never trigger. The
rule I mentioned was supposed to replace the rule in the list.
After restarting the auditd service following error received:
# service auditd restart
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Unknown user: unset
-F unknown field: auid
OK. I guess this is really old. Then make it auid=-1
-Steve
6:27 p.m.
Hello Steve,
Thanks so much for your help, I've modified audit.rules as per you
recommendation:
# cat audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
#-b 32768
# Feel free to add below this line. See auditctl man page
-a exit,always -F arch=b64 -F euid=0 -F auid=-1 -S execve -k rootact
# auditctl -l
LIST_RULES: exit,always arch=3221225534 (0xc000003e) euid=0 auid=-1
(0xffffffff) key=rootact syscall=execve
With the above settings, audit stop from logging all root commands!
Any recommendations/suggestions would be appreciated.
Kind regards,
Moshe
Moshe Rechtman
Technical Support Engineer
Red Hat Israel <https://www.redhat.com/>
34 Jerusalem rd. Ra'anana, 43501
*mrechtma(a)redhat.com <kweg(a)redhat.com> * T: *+972-9-**7692289 *
M: *+972-54-4971516* F: +972-9-7692223
@RedHat <https://twitter.com/redhat> Red Hat
<https://www.linkedin.com/company/red-hat> Red Hat
<https://www.facebook.com/RedHatInc>
<https://red.ht/sig>
On Fri, Feb 21, 2020 at 3:53 PM Steve Grubb <sgrubb(a)redhat.com> wrote:
On Friday, February 21, 2020 2:32:58 AM EST Moshe Rechtman wrote:
> Thanks so much for your help! I've included your suggested filter in
> audit.rules as shown below:
>
> # cat audit.rules1
>
> 1 # This file contains the auditctl rules that are loaded
> 2 # whenever the audit daemon is started via the initscripts.
> 3 # The rules are simply the parameters that would be passed
> 4 # to auditctl.
> 5 # First rule - delete all
> 6 -D
> 7 # Increase the buffers to survive stress events.
> 8 # Make this bigger for busy systems
> 9 -b 320
> 10 ### Feel free to add below this line. See auditctl man page
> 11 -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
> 12 -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
> 13 -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
> 14 -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
> 15 -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k
> rootact
> 16 -a exit,always -F arch=b32 -F euid=0 -F auid!=unset -S execve -k
> rootact
It won't work this way. You now have 2 sets of rootact. The audit rule
engine
is a first match wins. So, this second set of rules will never trigger.
The
rule I mentioned was supposed to replace the rule in the list.
> After restarting the auditd service following error received:
>
> # service auditd restart
> Stopping auditd: [ OK ]
> Starting auditd: [ OK ]
> Unknown user: unset
> -F unknown field: auid
OK. I guess this is really old. Then make it auid=-1
-Steve
5:48 p.m.
On Thu, Feb 20, 2020 at 6:37 PM Moshe Rechtman <mrechtma(a)redhat.com> wrote:
Hello Experts,
We have a big customer that facing the following issue on RHEL 6.2.
As per customer request I've configured the following rules ...
A few things: 1) please try to stick to only plaintext email on this
list (no html mail) 2) this mailing list is for the discussion and
development of the Linux audit subsystem in the upstream (or close to
upstream) code. If you are looking for RHEL, or any other enterprise
Linux distro, support please use the appropriate support channels.
Thank you.
--
paul moore
www.paul-moore.com
2076
days inactive
2080
days old
linux-audit@lists.linux-audit.osci.io
7 comments
3 participants
participants (3)
-
Moshe Rechtman -
Paul Moore -
Steve Grubb