Hello Steve,
Thanks so much for your help, I've modified audit.rules as per your recommendation:
# cat audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
#-b 32768
# Feel free to add below this line. See auditctl man page
-a exit,always -F arch=b64 -F euid=0 -F auid=-1 -S execve -k rootact
# auditctl -l
LIST_RULES: exit,always arch=3221225534 (0xc000003e) euid=0 auid=-1 (0xffffffff) key=rootact syscall=execve
With the above settings, audit stopped logging all root commands!
Any recommendations/suggestions would be appreciated.
Kind regards,
Moshe
Moshe Rechtman
Technical Support Engineer
Red Hat Israel <https://www.redhat.com/>
34 Jerusalem rd. Ra'anana, 43501
mrechtma(a)redhat.com  T: +972-9-7692289  M: +972-54-4971516  F: +972-9-7692223
On Fri, Feb 21, 2020 at 3:53 PM Steve Grubb <sgrubb(a)redhat.com> wrote:
On Friday, February 21, 2020 2:32:58 AM EST Moshe Rechtman wrote:
> Thanks so much for your help! I've included your suggested filter in
> audit.rules as shown below:
>
> # cat audit.rules1
>
> # This file contains the auditctl rules that are loaded
> # whenever the audit daemon is started via the initscripts.
> # The rules are simply the parameters that would be passed
> # to auditctl.
> # First rule - delete all
> -D
> # Increase the buffers to survive stress events.
> # Make this bigger for busy systems
> -b 320
> ### Feel free to add below this line. See auditctl man page
> -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
> -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
> -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
> -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
> -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact
> -a exit,always -F arch=b32 -F euid=0 -F auid!=unset -S execve -k rootact
It won't work this way. You now have 2 sets of rootact. The audit rule engine is first match wins. So, this second set of rules will never trigger. The rule I mentioned was supposed to replace the rule in the list.
> After restarting the auditd service following error received:
>
> # service auditd restart
> Stopping auditd: [ OK ]
> Starting auditd: [ OK ]
> Unknown user: unset
> -F unknown field: auid
OK. I guess this is really old. Then make it auid=-1
-Steve
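The two behaviours discussed in this thread, first-match-wins rule ordering and the meaning of `auid=-1` (which `auditctl -l` shows as `0xffffffff`, i.e. an unset login uid), can be checked without a root shell by modelling them. The following is an added example written for this page, not code from the audit project or from either poster: a toy evaluator for the subset of auditctl syntax used above (`-a exit,always`, `-F field<op>value`, `-S syscall`, `-k key`), run over three constructed execve events. The rule text strings and the events are assumptions made for the illustration; the `auid!=-1` form is Steve's `auid!=unset` rule with `-1` substituted as his last reply suggests.

```python
"""Toy model of audit's first-match-wins rule evaluation (added example, not audit code).

Only the auditctl syntax used in the thread is modelled:
  -a exit,always   -F <field><op><value>   -S <syscall>   -k <key>
Other lines in a rules file (-D, -b, comments) are ignored.
"""
import re
import shlex

UNSET_AUID = 0xFFFFFFFF   # what auditctl stores for "auid=-1" and "auid=unset": no login session

_OPS = {
    "!=": lambda a, b: a != b,
    ">=": lambda a, b: a >= b,
    "<=": lambda a, b: a <= b,
    "=":  lambda a, b: a == b,
    ">":  lambda a, b: a > b,
    "<":  lambda a, b: a < b,
}
# Two-character operators are listed first so "auid!=-1" is not read as "auid!" "=" "-1".
_FILTER_RE = re.compile(r"^([a-z]+)(!=|>=|<=|=|>|<)(.+)$")


def _parse_value(field, raw):
    """Convert the textual filter value the way auditctl would (simplified)."""
    if field == "arch":
        return raw                       # keep "b64" / "b32" symbolic in this model
    if field == "auid" and raw in ("-1", "unset"):
        return UNSET_AUID                # both spellings mean "no login session"
    return int(raw)


def parse_rule(line):
    """Parse one "-a exit,always ..." line into filters, syscalls and key."""
    toks = shlex.split(line)
    rule = {"filters": [], "syscalls": set(), "key": None}
    for i in range(0, len(toks), 2):
        flag, arg = toks[i], toks[i + 1]
        if flag == "-F":
            m = _FILTER_RE.match(arg)
            if not m:
                raise ValueError("bad filter: " + arg)
            field, op, raw = m.groups()
            rule["filters"].append((field, op, _parse_value(field, raw)))
        elif flag == "-S":
            rule["syscalls"].add(arg)
        elif flag == "-k":
            rule["key"] = arg
        elif flag != "-a":
            raise ValueError("unsupported flag: " + flag)
    return rule


def load_rules(text):
    """Keep rule lines only, in file order (order is what first-match-wins depends on)."""
    return [parse_rule(l) for l in text.splitlines() if l.lstrip().startswith("-a")]


def match(rules, event):
    """Return (rule_index, key) of the FIRST matching rule, or None. Later rules are never consulted."""
    for idx, rule in enumerate(rules):
        if event["syscall"] not in rule["syscalls"]:
            continue
        if all(_OPS[op](event[field], val) for field, op, val in rule["filters"]):
            return idx, rule["key"]
    return None


# Constructed execve events (illustrative, not real audit records).
EVENTS = {
    "root shell": {"arch": "b64", "syscall": "execve", "euid": 0, "auid": 1000},        # admin logged in, command run as root
    "root cron":  {"arch": "b64", "syscall": "execve", "euid": 0, "auid": UNSET_AUID},  # daemon/cron job, never logged in
    "user shell": {"arch": "b64", "syscall": "execve", "euid": 1000, "auid": 1000},
}

# The rule as posted at the top of the thread: only events WITHOUT a login uid match.
POSTED = "-a exit,always -F arch=b64 -F euid=0 -F auid=-1 -S execve -k rootact"
# Steve's "auid!=unset" rule with -1 substituted for old auditctl (assumed reading of his reply).
INTENDED = "-a exit,always -F arch=b64 -F euid=0 -F auid!=-1 -S execve -k rootact"
# The earlier file with two rootact sets: the bare euid=0 rule shadows the auid-qualified one.
DUPLICATED = """
-a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
-a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
-a exit,always -F arch=b64 -F euid=0 -F auid!=-1 -S execve -k rootact
"""


def evaluate(rules_text):
    """Map each sample event to the (index, key) of the rule that would fire, or None."""
    rules = load_rules(rules_text)
    return {name: match(rules, ev) for name, ev in EVENTS.items()}


if __name__ == "__main__":
    for label, text in (("posted", POSTED), ("intended", INTENDED), ("duplicated", DUPLICATED)):
        print(label, evaluate(text))
```

With `POSTED` the interactive root command produces no record at all and only the cron job hits `rootact`, which is the symptom reported above; with `INTENDED` the selection flips. With `DUPLICATED` the cron job is attributed to rule 0, showing that the third rule, although it would exclude unset auids, is never reached once an earlier rule has matched.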