RE: Audit reporting Invalid argument

Not today. The check for uid 0 is a poor man's check for CAP_AUDIT_CONTROL

Thanks for the response. Your response cleared many of my doubts. I need one clarity on use of Linux capability CAP_AUDIT_CONTROL. My understanding is that, only root user can start/stop audit service and configure auditctl rules. auditctl.c and auditd.c specifically check for uid to be zero. The man page says CAP_AUDIT_CONTROL " Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules." Does this mean, a process with CAP_AUDIT_CONTROL capability running from non root account will be able to start/stop audit and configure auditctl rules?

Are there any documentation about how to use CAP_AUDIT_CONTROL capability and how it is related to audit?

Is it possible to suppress events for a file for the set of specific syscalls? Example: Using the below rule I want to suppress audit event only for chmod syscall for file /tmp/read_only. However below rule not only suppresses the audit event for chmod syscall but also for other syscalls for /tmp/read_only file. # auditctl -a never,exit -F arch=x86_64 -F path=/tmp/read_only -S chmod

-----Original Message----- From: Steve Grubb [mailto:sgrubb@redhat.com] Sent: Monday, May 09, 2016 7:20 PM To: linux-audit(a)redhat.com Cc: Bhagwat, Shriniketan Manjunath <shriniketan.bhagwat(a)hpe.com&gt; Subject: Re: Audit reporting Invalid argument On Monday, May 09, 2016 01:40:58 PM Bhagwat, Shriniketan Manjunath wrote: > I am trying to monitor multiple files using Linux audit. In order to > get better performance, I am trying to reduce number of rules. If I > specify more than one path field as in below example I am getting > "Invalid argument". > > Examle1: > # auditctl -a always,exit -F arch=x86_64 -F > path=/home/secpack/test.c -F path=/home/secpack/test -S open Error > sending add rule data request (Invalid argument) > > # auditctl -a always,exit -F arch=x86_64 -F > path=/home/secpack/test.c -F dir=/tmp/ -S open Error sending add > rule data request (Invalid > argument) > > However, I am able to create a single rule to monitor multiple PIDs > or UIDs as below. > > Examle2: > # auditctl -a always,exit -F arch=x86_64 -F pid=3526 -F pid=3537 # > auditctl -a always,exit -F arch=x86_64 -F auid=0 -F auid=512 -F > auid=1002 Which will produce no events due to the anding you mention below. Something cannot have both pid 3526 and 3537. > As per the auditctl man page, Build a rule field takes up to 64 > fields on a single command line. Each one must start with -F. Each > field equation is anded with each other to trigger an audit > record. My question is, 1. specify more than one path field as in example1 is valid? Nope. > 2. If not valid than how do I create single audit rule to monitor > multiple files/directory? They need to be separate rules. You can also recursively watch a directory with 'dir' > 3. If valid, then why "Invalid argument" is reported? > 4. To monitor 10 files, should 10 audit rules required? Possibly. > 5. if 10 rules are required, how to I optimize the rule for performance? The filesystem watches are very efficient. You can probably put a 100 watches on random files and you will not be able to see any performance hit unless they are actually triggered. Syscall rules on the otherhand do affect performance. > My next question is does Linux audit support regular expressions? No. The kernel pretty much wants things to be numbers rather than strings. > How do I create audit rule to monitor /var/log/*.log? -a always,exit -F dir=/var/log/audit/ -F perm=wa -F key=write-audit-log -Steve > # auditctl -a always,exit -F arch=x86_64 -F path=^/var/log/*.log$ > -S open Error sending add rule data request (Invalid argument) > > If my questions are already documented, please guide me to the > documentation. > > Regards, > Ketan