Sycall Rules vs Watch Rules
by Amjad Gabbar
Hi,
I have done some analysis and digging into how both the watch rules and
syscall rules are translated.
>From my understanding, in terms of logging, both the below rules are
similar. There is no difference in either of the rules.
1. -w /etc -p wa -k ETC_WATCH
2. -a always,exit -F arch=b64 -S <all syscalls part of the write and attr
classes> -F dir=/etc -F perm=wa -k ETC_WATCH
The write and attr classes consist of syscalls in
“include/asm-generic/audit_*.h“.
The perm flag is needed in the second case for including open/openat
syscalls which are not a part of the write and attr syscall list.
I'd like to verify if what I mentioned earlier is accurate, and I have an
additional point but depends on whether this is accurate.
Ali
1 year
128 Character limit on proctitle field?
by Wieprecht, Karen M.
All,
We're working with Docker and podman, and I'm working on parsing the audit data we get to flag prohibited and missing command options based on STIG guidelines. I normally extract the proctitle from the raw auditd data , but these commands are very long with sometimes 23 or more command line parameters , and I noticed that all of the auditd proctitle data for the lengthier commands is being cut off at 128 characters.
I'm bringing this up for two reasons:
One, not everyone working with this data may realize that there seems to be a character limit,
and second, if this is by chance a bug as opposed to intentional, then I'm hoping we can get a fix cooking for it?
In the meantime, I may be able to work around this by piecing together the full command from the "a#= " fields, but it would be much easier if proctitle wasn't cut off after 128 chars.
Thanks, any info you can share would be much appreciated,
Karen Wieprecht
1 year, 1 month
Increasing audit netlink buffer size
by Seyeong Kim
Hello all
Recently I've seen some people who faced below error msg while booting
or while the machine is working.
Error receiving audit netlink packet (No buffer space available)
Error setting audit daemon pid (No buffer space available)
Unable to set audit pid, exiting
increasing q_depth=75000 and -b 8192 didn't help for them.
There is no stable reproducer but I suspect this is because the
default netlink buffer is not big enough. Below were my test steps to
see the above msg.
1. launch instance
2. enable audit with kernel parameters
3. run for i in {1..100000}; do auditctl --reset-lost; done
4. while running #3, keep restarting systemctl restart auditd
I wasn't able to let them test this test pkg but could you please give
me any advice related to this if it makes sense or not?
Thanks in advance. Regards
Index: audit-3.0.7/lib/netlink.c
===================================================================
--- audit-3.0.7.orig/lib/netlink.c
+++ audit-3.0.7/lib/netlink.c
@@ -34,6 +34,9 @@
#ifndef NETLINK_AUDIT
#define NETLINK_AUDIT 9
#endif
+#ifndef SO_RCVBUFFORCE
+#define SO_RCVBUFFORCE 33
+#endif
static int adjust_reply(struct audit_reply *rep, int len);
static int check_ack(int fd);
@@ -47,6 +50,7 @@ static int check_ack(int fd);
int audit_open(void)
{
int saved_errno;
+ int rcvbuf;
int fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
if (fd < 0) {
@@ -62,6 +66,19 @@ int audit_open(void)
errno = saved_errno;
return fd;
}
+
+ rcvbuf = 10*1024*1024; // size is temp value for now.
+ if (setsockopt(fd, SOL_SOCKET, SO_RCVBUFFORCE,
+ &rcvbuf, sizeof(rcvbuf))) {
+ saved_errno = errno;
+ audit_msg(LOG_ERR,
+ "Error setting netlink sock buffer size (%s)",
+ strerror(errno));
+ close(fd);
+ errno = saved_errno;
+ return -1;
+ }
+
if (fcntl(fd, F_SETFD, FD_CLOEXEC) == -1) {
saved_errno = errno;
audit_msg(LOG_ERR,
1 year, 1 month