Hello,
On Tuesday, August 19, 2014 11:07:18 AM Исаев Виталий Анатольевич wrote:
I would like to ask for an explanation about making my audit.rules
proper.
What I am trying to do is to exclude all the syscall events coming from
exe="/usr/bin/pulseaudio" and its components. At the moment about 95% of
the audit log is filled with messages related to pulseaudio:
# aureport -x -if my.log --summary
Executable Summary Report
=================================
total file
=================================
1156923 /usr/bin/pulseaudio
I would be curious which rule you are getting hit with. Normally, you design
the rules so that a properly running system does not cause events. This means
qualifying the rules with something like EPERM or EACCES so that you only log
real problems and not normal system operation. That said, at the moment, the
best way to remove a single process is to use SELinux types in the audit
event. However, this trick does not work in this case because pulseaudio has
no SELinux policy. You would almost want to give it a type that maps to
unconfined_t. Then you could write a rule like:
-a exit,never -S all -F subj_type=pulseaudio_t
You would place that at the top of the rules so it matches first. There was
work going on to match against an executable name. But I haven't seen any
progress in a long time. If that were finished, it would solve your problem.
-Steve
191719 /usr/libexec/pulse/gconf-helper
49282 /usr/bin/gnome-volume-control-applet
8035 /usr/libexec/gnome-settings-daemon
1045 /usr/sbin/crond
265 /usr/bin/nautilus
23 /usr/sbin/sshd
Please look through the current version of audit.rules. How should I modify
them?
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
# Feel free to add below this line. See auditctl man page
#-a exit,never -F exe=/usr/bin/pulseaudio -S open
# auid 4294967295 is the "loginuid not set" value; it excludes processes that
# were never started from a login session (boot-time daemons and their children).
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S open
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S execve
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S fork
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S vfork
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S exit
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S exit_group
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S getdents
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S chmod
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S fchmod
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S fchmodat
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S chown
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S fchown
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S lchown
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S fchownat
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S unlink
-a exit,always -F arch=x86_64 -F uid>=500 -F gid>=500 -F ppid!=1 -F auid!=4294967295 -S unlinkat
P.S. We're using RHEL 6.4 with audit-2.2-2.el6.x86_64.
Sincerely,
Vitaly Isaev
Software engineer
Information security department
Fintech JSC, Moscow, Russia
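As an added example (not part of either message in this thread): the rule set above rewritten along the lines Steve suggests, followed by a small shell check that the "never" exclusion sits before every "always" rule and that file-access rules carry an exit= qualifier. The pulseaudio_t type is hypothetical (as Steve notes, no such policy exists), 500 is assumed to be the first regular uid, and 4294967295 is the unset loginuid sentinel.

```shell
#!/bin/sh
# Added example, not from the thread. Proposed audit.rules following Steve's
# advice, plus a check of the two ordering/qualification properties that matter.
# Assumptions: pulseaudio_t is hypothetical (no policy exists for it);
# 500 is the first regular uid; 4294967295 is the "loginuid not set" value.

proposed_rules() {
cat <<'EOF'
-D
-b 320
# Exclusions first: the kernel acts on the first rule that matches.
-a exit,never -S all -F subj_type=pulseaudio_t
# Log file access only when it fails, not every successful open.
-a always,exit -F arch=b64 -S open -S openat -S creat -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -k access
-a always,exit -F arch=b64 -S open -S openat -S creat -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -k access
# Permission, ownership and deletion changes are rare; log them unconditionally.
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S lchown -S fchownat -F auid>=500 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S unlink -S unlinkat -F auid>=500 -F auid!=4294967295 -k delete
EOF
}

# check_rules: reads a rule file on stdin. Exits 1 if a "never" rule comes
# after an "always" rule (events matching both are already logged before the
# exclusion is reached) or if an open/openat/creat rule has no exit= qualifier
# (it would record normal, successful operation).
check_rules() {
  awk '
    BEGIN { bad = 0; seen_always = 0 }
    /^#/ || NF == 0 { next }
    $1 != "-a" { next }
    $2 ~ /never/ && seen_always { print "unreachable never rule: " $0; bad = 1 }
    $2 ~ /always/ {
      seen_always = 1
      if ($0 ~ /-S (open|openat|creat)[ \t]/ && $0 !~ /-F exit=/) {
        print "unqualified access rule: " $0; bad = 1
      }
    }
    END { exit bad }
  '
}

proposed_rules | check_rules
```

Run it as `sh check.sh` before loading the file with `auditctl -R`; a non-zero exit means the set still logs normal operation or has an exclusion that can never fire.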