1:32 a.m.
Hello Steve,
Thanks so much for your help! I've included your suggested filter in
audit.rules as shown below:
# cat audit.rules1
1 # This file contains the auditctl rules that are loaded
2 # whenever the audit daemon is started via the initscripts.
3 # The rules are simply the parameters that would be passed
4 # to auditctl.
5 # First rule - delete all
6 -D
7 # Increase the buffers to survive stress events.
8 # Make this bigger for busy systems
9 -b 320
10 ### Feel free to add below this line. See auditctl man page
11 -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
12 -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
13 -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
14 -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
15 -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k
rootact
16 -a exit,always -F arch=b32 -F euid=0 -F auid!=unset -S execve -k
rootact
After restarting the auditd service following error received:
# service auditd restart
Stopping auditd: [ OK ]
Starting auditd: [ OK ]
Unknown user: unset
-F unknown field: auid
There was an error in line 15 of /etc/audit/audit.rules
# auditctl -l
LIST_RULES: exit,always arch=3221225534 (0xc000003e) euid=0 key=rootact
syscall=execve
LIST_RULES: exit,always arch=1073741827 (0x40000003) euid=0 key=rootact
syscall=execve
LIST_RULES: exit,always arch=3221225534 (0xc000003e) euid>=500 (0x1f4)
key=useract syscall=execve
LIST_RULES: exit,always arch=1073741827 (0x40000003) euid>=500 (0x1f4)
key=useract syscall=execve
# auditctl -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k
rootact
Unknown user: unset
-F unknown field: auid
You advice would be much appreciated.
Many thanks,
Kind regards,
Moshe
Moshe Rechtman
Technical Support Engineer
Red Hat Israel <https://www.redhat.com/>
34 Jerusalem rd. Ra'anana, 43501
*mrechtma(a)redhat.com <kweg(a)redhat.com> * T: *+972-9-**7692289 *
M: *+972-54-4971516* F: +972-9-7692223
@RedHat <https://twitter.com/redhat> Red Hat
<https://www.linkedin.com/company/red-hat> Red Hat
<https://www.facebook.com/RedHatInc>
<https://red.ht/sig>
On Fri, Feb 21, 2020 at 2:27 AM Steve Grubb <sgrubb(a)redhat.com> wrote:
Hello,
On Thursday, February 20, 2020 7:04:37 PM EST Moshe Rechtman wrote:
> Those particular logs generated by a third party monitoring application
> named Microfocus, which keeps on running "ps -auxwwww" command and
filling
> up quickly the audit log.
It looks like this is a daemon since auid is -1. So, I'd suggest that the
rule be something like:
-a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact
This will not filter just that one item, it will filter all execution by
all
daemons.
-Steve
> > On Thursday, February 20, 2020 6:36:46 PM EST Moshe Rechtman wrote:
> > > $ cat audit.rules
> > >
> > > # This file contains the auditctl rules that are loaded
> > > # whenever the audit daemon is started via the initscripts.
> > > # The rules are simply the parameters that would be passed
> > > # to auditctl.
> > >
> > > # First rule - delete all
> > > -D
> > >
> > > # Increase the buffers to survive stress events.
> > > # Make this bigger for busy systems
> > > -b 320
> > >
> > > # Feel free to add below this line. See auditctl man page
> > >
> > > -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
> > > -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
> > > -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
> > > -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
> > >
> > >
> > > Audit start working as expected. Now customer is asking to
> > > exclude/ignore the following from audit logs:
> > >
> > > type=SYSCALL msg=audit(1581664357.597:257516): arch=c000003e
> > > syscall=59 success=yes exit=0 a0=3869161ea3 a1=7ffd15530c20
> > > a2=7ffd15534348 a3=3869617240 items=2 ppid=3350 pid=59266
> > > auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0
> > > fsgid=0 tty=(none) ses=4294967295 comm="sh"
exe="/bin/bash"
> > > key="rootact"
> > > type=EXECVE msg=audit(1581664357.597:257516): argc=3 a0="sh"
a1="-c"
> > > a2=2F62696E2F70732061757877777777
> > > type=CWD msg=audit(1581664357.597:257516):
> > > cwd="/opt/microfocus/Discovery/bin" type=PATH
> > > msg=audit(1581664357.597:257516): item=0 name="/bin/sh"
inode=398
> > > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > > nametype=NORMAL
> > > type=PATH msg=audit(1581664357.597:257516): item=1 name=(null)
> > > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > > nametype=NORMAL
> > >
> > > ype=SYSCALL msg=audit(1581664357.601:257517): arch=c000003e
syscall=59
> > > success=yes exit=0 a0=155c2f0 a1=155b8d0 a2=155b460 a3=18 items=2
> > > ppid=3350 pid=59266 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0
> > > egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ps"
> > > exe="/bin/ps" key="rootact"
> > > type=EXECVE msg=audit(1581664357.601:257517): argc=2
a0="/bin/ps"
> > > a1="auxwwww" type=CWD msg=audit(1581664357.601:257517):
> > > cwd="/opt/microfocus/Discovery/bin" type=PATH
> > > msg=audit(1581664357.601:257517): item=0 name="/bin/ps"
inode=1451
> > > dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > > nametype=NORMAL
> > > type=PATH msg=audit(1581664357.601:257517): item=1 name=(null)
> > > inode=4481 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00
> > > nametype=NORMAL
> > >
> > > What would be the best way to exclude such audit?
> > > Your help would be much appreciated.
> >
> > What's objectionable about these events? The fact that its got a key
says
> > they think they wanted it.
> >
> > -Steve