Hi All,

I have a system that is logging many events for a path that I think should be ignored…

 

[root@host1 ~]# auditctl -l

LIST_RULES: exit,always dir=/etc/audit (0xa) perm=wa key=auditd_configuration

LIST_RULES: exit,always dir=/etc/audisp (0xb) perm=wa key=auditd_configuration

LIST_RULES: exit,always watch=/etc/libaudit.conf perm=wa key=auditd_configuration

LIST_RULES: exit,always watch=/etc/sysconfig/auditd perm=wa key=auditd_configuration

LIST_RULES: exit,never dir=/etc/lvm/cache (0xe) syscall=all

LIST_RULES: exit,never dir=/opt (0x4) syscall=all

LIST_RULES: exit,never dir=/tmp (0x4) syscall=all

LIST_RULES: exit,never dir=/naab1 (0x6) syscall=all

LIST_RULES: exit,never dir=/naab2 (0x6) syscall=all

LIST_RULES: exit,never dir=/ab1 (0x4) syscall=all

LIST_RULES: exit,never dir=/ab2 (0x4) syscall=all

LIST_RULES: exit,always perm=a key=file_attributes

LIST_RULES: exit,always arch=3221225534 (0xc000003e) a1=1074292226 (0x40086602) key=file_attributes syscall=ioctl

LIST_RULES: exit,always arch=3221225534 (0xc000003e) a1=-2146933247 (0x80086601) key=file_attributes syscall=ioctl

LIST_RULES: exit,always arch=3221225534 (0xc000003e) exit=-13 (0xfffffff3) key=invalid_logical_access syscall=open

LIST_RULES: exit,always dir=/bin (0x4) perm=wa key=bin_modification

LIST_RULES: exit,always dir=/boot (0x5) perm=wa key=boot_modification

LIST_RULES: exit,always dir=/etc (0x4) perm=wa key=etc_modification

LIST_RULES: exit,always dir=/home (0x5) perm=wa key=home_modification

LIST_RULES: exit,always dir=/lib (0x4) perm=wa key=lib_modification

LIST_RULES: exit,always dir=/lib64 (0x6) perm=wa key=lib64_modification

LIST_RULES: exit,always dir=/root (0x5) perm=wa key=root_modification

LIST_RULES: exit,always dir=/sbin (0x5) perm=wa key=sbin_modification

LIST_RULES: exit,always dir=/usr (0x4) perm=wa key=usr_modification

LIST_RULES: exit,always dir=/var/spool/at (0xd) perm=wa key=misc_var

LIST_RULES: exit,always dir=/var/spool/cron (0xf) perm=wa key=misc_var

LIST_RULES: exit,never dir=/var (0x4) syscall=all

LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=dir_operations syscall=mkdir,rmdir,unlinkat

LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=link_operation syscall=rename,link,unlink,symlink

LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=special_device_creation syscall=mknod,mknodat

LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=mount_operation syscall=mount,umount2

LIST_RULES: exit,always arch=3221225534 (0xc000003e) key=kernel_module syscall=create_module,init_module,delete_module

LIST_RULES: exclude,always msgtype=CRED_ACQ (0x44f)

LIST_RULES: exclude,always msgtype=CRED_DISP (0x450)

LIST_RULES: exclude,always msgtype=CRYPTO_KEY_USER (0x964)

LIST_RULES: exclude,always msgtype=CRYPTO_SESSION (0x967)

LIST_RULES: exclude,always msgtype=LOGIN (0x3ee)

LIST_RULES: exclude,always msgtype=USER_ACCT (0x44d)

LIST_RULES: exclude,always msgtype=USER_AUTH (0x44c)

LIST_RULES: exclude,always msgtype=USER_CMD (0x463)

LIST_RULES: exclude,always msgtype=USER_END (0x452)

LIST_RULES: exclude,always msgtype=USER_LOGIN (0x458)

LIST_RULES: exclude,always msgtype=USER_START (0x451)

[root@host1 ~]# tail /var/log/audit/audit.log

node=host1.domain type=PATH msg=audit(1324401918.113:223550509): item=3 name="checkpoint.1568280a-4eef7e3f-38e9.102.138" inode=30958573 dev=fd:0d mode=0100660 ouid=3534 ogid=9001 rdev=00:00

node=host1.domain type=PATH msg=audit(1324401918.113:223550510): item=2 name="temp_checkpoint.checkpoint.1568280a-4eef7e3f-38d2.76.138" inode=30958636 dev=fd:0d mode=0100660 ouid=3534 ogid=9001 rdev=00:00

node=host1.domain type=PATH msg=audit(1324401918.113:223550510): item=3 name="checkpoint.1568280a-4eef7e3f-38d2.76.138" inode=30958614 dev=fd:0d mode=0100660 ouid=3534 ogid=9001 rdev=00:00

node=host1.domain type=PATH msg=audit(1324401918.113:223550509): item=4 name="checkpoint.1568280a-4eef7e3f-38e9.102.138" inode=30958644 dev=fd:0d mode=0100660 ouid=3534 ogid=9001 rdev=00:00

node=host1.domain type=PATH msg=audit(1324401918.113:223550510): item=4 name="checkpoint.1568280a-4eef7e3f-38d2.76.138" inode=30958636 dev=fd:0d mode=0100660 ouid=3534 ogid=9001 rdev=00:00

node=host1.domain type=SYSCALL msg=audit(1324401918.113:223550511): arch=c000003e syscall=82 success=yes exit=0 a0=7ecdb0 a1=7d10e0 a2=7f6c0782dcd4 a3=0 items=4 ppid=14614 pid=16951 auid=7463 uid=3534 gid=9001 euid=3534 suid=3534 fsuid=3534 egid=9001 sgid=9001 fsgid=9001 tty=(none) ses=9372 comm="db-update.impl." exe="/var/some-app/some-app-V3-0-3/gcc4p64/db_v2/bin/db-update.impl.gcc4p64" key="link_operation"

node=host1.domain type=SYSCALL msg=audit(1324401918.113:223550512): arch=c000003e syscall=82 success=yes exit=0 a0=9a6e50 a1=92e9f0 a2=7fe84e682cd4 a3=0 items=4 ppid=14595 pid=14937 auid=7463 uid=3534 gid=9001 euid=3534 suid=3534 fsuid=3534 egid=9001 sgid=9001 fsgid=9001 tty=(none) ses=10226 comm="multitool.impl." exe="/var/some-app/some-app-V3-0-3/gcc4p64/bin/multitool" key="link_operation"

node=host1.domain type=CWD msg=audit(1324401918.113:223550511):  cwd="/naab1/serial/data/dir1/serial/dir2/abc_load/temp/some-app/.WORK-serial/1568280a-4eef7e3f-3873"

node=host1.domain type=CWD msg=audit(1324401918.113:223550512):  cwd="/naab1/serial/data/dir1/serial/dir2/abc_load/temp/some-app/.WORK-serial/1568280a-4ef0423c-38fe"

node=host1.domain type=PATH msg=audit(1324401918.113:223550511): item=0 name="/naab1/serial/data/dir1/serial/dir2/abc_load/temp/some-app/.WORK-serial/1568280a-4eef7e3f-3873" inode=30932995 dev=fd:0d mode=040755 ouid=3534 ogid=9001 rdev=00:00

[root@host1 ~]#

 

I’m referring to event ID 223550511 (key=link_operation) in the log above: its CWD record and its item=0 PATH record both point under ‘/naab1/…’.

 

Why is this event not ignored by the 8th rule (exit,never dir=/naab1 syscall=all)? I think I’m missing something.

 

Many thanks,

Max

