On Friday 16 October 2009 06:22:13 pm Pittigher, Raymond - CS wrote:
> We run servers that are on a classified network and require auditing so the
> nispom rules are loaded in the servers. This causes huge log files, and I
> mean 12GB huge, too much to parse information quickly. The file is full of
> entries with such things as the Backup Exec program that generates these:
It would be helpful to know which kernel/audit versions you are using since
there have been new options added over time.
> type=SYSCALL msg=audit(1246316460.238:30532639): arch=c000003e syscall=2 success=no exit=-13 a0=3aaad4e8e0 a1=0 a2=0 a3=1 items=1 ppid=1 pid=19748 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="beremote" exe="/opt/VRTSralus/bin/beremote" subj=system_u:system_r:initrc_t:s0 key="open"
> type=CWD msg=audit(1246316460.238:30532639): cwd="/"
> type=PATH msg=audit(1246316460.238:30532639): item=0 name="/tmp/filec5sswB" inode=17 dev=08:03 mode=060000 ouid=0 ogid=0 rdev=08:08 obj=system_u:object_r:tmp_t:s0
This looks like an open syscall failed with errno EACCES trying to open
/tmp/filec5sswB. This would almost look like a real system problem. I would
look into why beremote is not allowed to create tmp files.
But assuming that you wanted to do this with the audit system and you are on a
somewhat recent kernel, you should be able to do something like:
-a exit,never -F arch=b64 -S open -F exit=-EACCES -F subj_type=initrc_t -k open
at the top of the open section so that it matches first. This will cause all
opens that have a subject label of initrc_t to not record an event. The
problem is that it will do this not just for beremote, but all apps that have
initrc_t for a subject label. The fix for this is to make a policy for beremote
so that it has a different label and then the audit rule will only be applied
to beremote.
> and also crond entries:
> type=USER_ACCT msg=audit(1254500281.236:65937): user pid=17320 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
> type=CRED_ACQ msg=audit(1254500281.240:65938): user pid=17320 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
> type=USER_START msg=audit(1254500281.248:65939): user pid=17320 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
> type=CRED_DISP msg=audit(1254500281.310:65940): user pid=17320 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
> type=USER_END msg=audit(1254500281.312:65941): user pid=17320 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session close acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
There's no good way to stop cron events unless you make some selinux policy
that prevents cron from opening the netlink socket to send an audit event.
This could be dontaudited so that you don't wind up with AVCs instead.
> and also ntpd entries:
> type=SYSCALL msg=audit(1222281403.726:1905): arch=40000003 syscall=124 success=yes exit=0 a0=9d6d60 a1=8 a2=9466f8 a3=9d6d60 items=0 ppid=1 pid=4897 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key="time-change"
> I have the ntp stuff under control by removing the 2 lines in the
> audit.rules file but the other 2 have thousands of entries per day. How do
> I not log those in the rules?
I would consider keeping the rule, but put something ahead of it like this:
-a exit,never -F arch=b32 -S adjtimex -F subj_type=ntpd_t
This is in case your time gets changed some other way during a security breach.
It would cause the chain of events to not look right.
> I notice that they both have selinux sub fields
> (subj=system_u:system_r:crond_t) but a rule created with
> auditctl -A exit,never -F subj_user=system_u -F subj_role=system_r -F subj_type=crond_t
> or any variation of it does nothing. What can I read that
> would lead me in the right direction?
You might want to look at:
http://people.redhat.com/sgrubb/audit/summit07_audit_ids.odp
Look at page 9. This shows where events come from and which filters they hit.
The rule you mention above is written for the exit filter. The cron event comes
from user space. It goes through the user filter, so that's where the rule would
need to be. The only valid fields for this filter are: uid, auid, gid, and pid.
So, there is not much there to help you.
The best approach for now is to use selinux to prevent crond_t from opening
its socket. This might cause crond to have an error, or it might work out OK.
I haven't tried it.
-Steve
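As an added example (not code from the thread or from the audit package), the script below does the two things a practitioner would want before touching audit.rules on a box like the one described: it parses audit.log records of the shape quoted above and counts them by record type, SELinux subject type and rule key so the noisiest source stands out, and it drafts an `exit,never` rule from a SYSCALL record in the same shape as the beremote rule above (arch, syscall, errno, subj_type, key). The sample records are constructed from the ones quoted in the thread, the arch-code table is an assumption that covers x86 only, and the classification of USER_*/CRED_* records as user-space records that the exit filter never sees follows the explanation in the reply.

```python
"""Rank audit.log noise by subject type and draft 'exit,never' rules.

Added example, not code from the thread or from the audit package.  It
assumes only the record layout quoted in the thread; the arch table below
covers x86 only.
"""
import errno
import re
from collections import Counter

# Constructed sample modelled on the records quoted in the thread (not a real log).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1246316460.238:30532639): arch=c000003e syscall=2 success=no exit=-13 a0=3aaad4e8e0 a1=0 a2=0 a3=1 items=1 ppid=1 pid=19748 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="beremote" exe="/opt/VRTSralus/bin/beremote" subj=system_u:system_r:initrc_t:s0 key="open"
type=CWD msg=audit(1246316460.238:30532639): cwd="/"
type=PATH msg=audit(1246316460.238:30532639): item=0 name="/tmp/filec5sswB" inode=17 dev=08:03 mode=060000 ouid=0 ogid=0 rdev=08:08 obj=system_u:object_r:tmp_t:s0
type=SYSCALL msg=audit(1246316461.102:30532640): arch=c000003e syscall=2 success=no exit=-13 a0=3aaad4e8e0 a1=0 a2=0 a3=1 items=1 ppid=1 pid=19748 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="beremote" exe="/opt/VRTSralus/bin/beremote" subj=system_u:system_r:initrc_t:s0 key="open"
type=USER_ACCT msg=audit(1254500281.236:65937): user pid=17320 uid=0 auid=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=USER_START msg=audit(1254500281.248:65939): user pid=17320 uid=0 auid=0 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='PAM: session open acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
type=SYSCALL msg=audit(1222281403.726:1905): arch=40000003 syscall=124 success=yes exit=0 a0=9d6d60 a1=8 a2=9466f8 a3=9d6d60 items=0 ppid=1 pid=4897 auid=4294967295 uid=38 gid=38 euid=38 suid=38 fsuid=38 egid=38 sgid=38 fsgid=38 tty=(none) ses=4294967295 comm="ntpd" exe="/usr/sbin/ntpd" subj=system_u:system_r:ntpd_t:s0 key="time-change"
"""

# AUDIT_ARCH values as printed in SYSCALL records -> names auditctl accepts in -F arch=.
# Assumption: x86_64 and i386 only; anything else is reported as unknown.
ARCH_NAMES = {"c000003e": "b64", "40000003": "b32"}

# Record types that user-space daemons send over netlink themselves (cron's PAM
# records in the thread); they pass the user filter, not the exit filter.
USER_SPACE_PREFIXES = ("USER_", "CRED_")

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\'[^\']*\'|\S+)')


def parse_records(text):
    """One dict per audit.log line; quotes are stripped from quoted values.

    The first msg= (the audit(ts:serial) id) is kept; a later msg='PAM: ...'
    is swallowed as one quoted token so its inner acct=/exe= do not leak out.
    """
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = {}
        for key, val in FIELD_RE.findall(line):
            if val[:1] in ("'", '"') and val[-1:] == val[:1]:
                val = val[1:-1]
            rec.setdefault(key, val)
        subj = rec.get("subj", "").split(":")
        rec["subj_type"] = subj[2] if len(subj) > 2 else ""
        records.append(rec)
    return records


def summarize(records):
    """Count records by (type, subj_type, key): the top entry is the rule to tune."""
    return Counter((r.get("type", "?"), r["subj_type"], r.get("key", "-")) for r in records)


def filter_for(rec):
    """Which auditctl filter a record of this type passed through."""
    if rec.get("type", "").startswith(USER_SPACE_PREFIXES):
        return "user"
    return "exit"


def suggest_never_rule(rec):
    """Draft an exit,never rule matching this SYSCALL record's subject type.

    Mirrors the shape of the beremote rule in the thread: arch, syscall, the
    errno when the call failed, subj_type, and the original key.  Returns None
    for user-space records, which the exit filter never sees and which the user
    filter can match only on uid/auid/gid/pid.
    """
    if rec.get("type") != "SYSCALL" or filter_for(rec) != "exit":
        return None
    arch = ARCH_NAMES.get(rec.get("arch", ""))
    if arch is None:
        return None  # unknown arch code: do not guess
    rule = ["-a", "exit,never", "-F", "arch=" + arch, "-S", rec["syscall"]]
    if rec.get("success") == "no":
        name = errno.errorcode.get(-int(rec["exit"]))
        if name:
            rule += ["-F", "exit=-" + name]
    rule += ["-F", "subj_type=" + rec["subj_type"]]
    if rec.get("key"):
        rule += ["-k", rec["key"]]
    return " ".join(rule)


if __name__ == "__main__":
    recs = parse_records(SAMPLE_LOG)
    for (rtype, stype, key), n in summarize(recs).most_common():
        print(f"{n:6d}  {rtype:<12} subj_type={stype or '-':<10} key={key}")
    for r in recs:
        rule = suggest_never_rule(r)
        if rule:
            print("candidate (matches every", r["subj_type"], "process):", rule)
```

Run it against a real audit.log by replacing SAMPLE_LOG with the file contents. The drafted rule has to go ahead of the rule that produced the record so it matches first, and it carries the same caveat the reply gives: it suppresses every process running as that subject type, not just the one program, so a dedicated SELinux domain for the program is what narrows it. The syscall is emitted as the number from the record rather than a name because numbers are only meaningful together with the arch that is also in the rule.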