RE: [EXT] Re: "key=" on all related log lines

It's funny that this topic came up today, I just emailed my team on Monday about some concerns I have regarding the difference between -k keyname and key=keyname in the audit.rules files. If I understand this correctly, some rules assign a keyname with –k keyname, and other rules use those assigned keynames to filter/limit the scope of the rule (-F key=keyname). If this is correct, I believe we may have some rules in the sample 30-stig.rules that would never generate the keyname they are filtering against. Perhaps this is in error? For example: For instance, in the case of system-locale, there are some rules are assigning the keyname with "-k system-locale” to certain events and other rules filtering what is collected based on –F key=system-locale, so this one may be ok -a always,exit -F arch=b32 -S sethostname,setdomainname -F key=system-locale -a always,exit -F arch=b64 -S sethostname,setdomainname -F key=system-locale -w /etc/issue -p wa -k system-locale -w /etc/issue.net -p wa -k system-locale -w /etc/hosts -p wa -k system-locale -w /etc/hostname -p wa -k system-locale -a always,exit -F dir=/etc/NetworkManager/ -F perm=wa -F key=system-locale However, in the case of perm_mod, there are no rules assigning the keyname with "-k perm_mod", so I suspect that nothing will ever be collected for the rules that are filtering based on perm_mod: -a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod -a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=unset -F key=perm_mod Is this correct? If so, we may need to make some corrections so related events get assigned the perm_mod keyname , and correct any other similar issues that may exist. If not, can you explain how events wouold be generated with the perm_mod keyname? Thanks so much, Karen Wieprecht -----Original Message----- From: linux-audit-bounces(a)redhat.com <linux-audit-bounces(a)redhat.com&gt; On Behalf Of Steve Grubb Sent: Friday, December 18, 2020 8:44 AM To: Andreas Hasenack <andreas(a)canonical.com&gt; Cc: Linux-audit(a)redhat.com Subject: [EXT] Re: "key=" on all related log lines APL external email warning: Verify sender linux-audit-bounces(a)redhat.com before clicking links or attachments  On Friday, December 18, 2020 8:24:04 AM EST Andreas Hasenack wrote: Correct. Correct. They are correlated by the combination of seconds since 1970, millisecond, and serial number. And the records between two events can be interlaced in the logs. Nothing in the klernel serializes the output. So, its entirely on user space to correlate things. No. Then, I'd say you're not doing it the way it was intended. A simple grep is not sufficient. You would want to use the audit tools or auparse library to do this for you. They take care of the correlation and de-interlacing of events. And they can do the filtering. A good example is the setroubleshooter plugin. It filters just for AVC's and then sees if they have configuration solutions to avoid the AVC's. Writing a filre using the auparse library is pretty simple. You can find an example to start from here: https://github.com/linux-audit/audit-userspace/blob/master/contrib/plugin/ audisp-example.c I'd also suggest making any plugin double threaded, with one side dequeuing events and the other thread processing them and some kind of queue in between. If the socket buffer between auditd and the plugin gets full, it can affect the audit daemon's performance. -Steve -- Linux-audit mailing list Linux-audit(a)redhat.com https://www.redhat.com/mailman/listinfo/linux-audit