On Saturday, April 04, 2015 12:23:56 AM [Cloud ASIA] Toshihiro Takehara wrote:
> Now I set up audit.rules, and audit.log became very big.
> The reason is that the keepalived daemon and its misc check shell script add
> entries every second.
Typically when logs get too big, it's because of a problem in the rules. There
are also times when a system is misconfigured and that will cause a flood, too.
> I want to suppress or exclude these log entries, and I searched for a way,
> like this:
> =>
> https://www.redhat.com/archives/linux-audit/2011-October/msg00000.html
> but I could not get an effective answer.
> Could someone please tell me an effective way?
> This is the audit.rules below.
> # First rule - delete all
> -D
> # Increase the buffers to survive stress events.
> # Make this bigger for busy systems
> -b 320
> # Feel free to add below this line. See auditctl man page
For one thing, your analysis will be easier if you use "keys" to say what the
event represents. For example, why open on uid = 10 and uid >= 500? And is 500
the minimal user id or is 1000 the minimal? Recent distributions have moved to
1000, meaning the rules may need migrating from 500 to 1000.
> -a exit,always -F arch=b64 -F dir=/etc -F success=0 -S open -S truncate
> -a exit,always -F arch=b64 -S open -F uid=10
> -a exit,always -F arch=b64 -S open -F auid>=500 -F perm=wa
The audit system uses unsigned numbers in the rule matching engine. That means
-1 is >=500. So you have to add auid!=4294967295. And why do you want all
opens? Both success and failure? Typically, programs open a lot of non-
existing files giving ENOENT.
> -a exit,never -F arch=x86_64 -S all -F path=/root/mysql_status_check.sh
> -a never,exit -F arch=b32 -S open -S openat -F exit=-ENOENT
> -a never,exit -F arch=b64 -S open -S openat -F exit=-ENOENT
Typically for security auditing, you are interested in the files that the user
is denied access to rather than everything they access. To do this, I'd
recommend:
-a always,exit -F arch=b64 -S open,truncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -F key=failed-access
-a always,exit -F arch=b64 -S open,truncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -F key=failed-access
> -w /etc/sudoers -p wa -k sudoers-change
> -w /etc/ -p wa
> -w /var/lib/mysql -p wa
> - keepalived is checking every second.
> /usr/sbin/keepalived
> - misc check program
> /root/mysql_status_check.sh
> type=SYSCALL msg=audit(1427989933.878:3632254): arch=c000003e syscall=2
> success=yes exit=0 a0=4378a2 a1=2 a2=9 a3=8 items=1 ppid=43118 pid=3379
> auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
> ses=3 comm="keepalived" exe="/usr/sbin/keepalived" key=(null)
This is an open syscall from a program started by a user in session 3. They
used the keepalived program to do it. Is this a daemon or a user program? If
it's a daemon, why does it have an auid and session set? That would be the
source of the problem.
> type=SYSCALL msg=audit(1427918414.323:2598129): arch=c000003e syscall=2
> success=no exit=-6 a0=4a3155 a1=802 a2=1 a3=7fff4aefd1a0 items=1 ppid=20915
> pid=20917 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) ses=3 comm="mysql_status_ch" exe="/bin/bash" key=(null)
Same issue different program.
> type=SYSCALL msg=audit(1427918414.341:2598135): arch=c000003e syscall=2
> success=yes exit=3 a0=f14470 a1=241 a2=1b6 a3=76 items=2 ppid=20916
> pid=20947 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
> tty=(none) ses=3 comm="mysql_status_ch" exe="/bin/bash" key=(null)
This seems to be a user program. But again, why do you want all open syscalls?
-Steve
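A small triage script for a flooded audit.log, added here as an example; it is not part of this thread or of the audit package. It reads SYSCALL records like the ones quoted above (the three records from the post are embedded as sample input, together with four constructed records: two more keepalived opens, a crond process started by init with auid and ses unset, and an ENOENT openat from an interactive editor), counts which exe/comm/syscall/exit combination fills the log, lists records that carry no key, finds processes with no controlling tty but a real auid and ses (daemons started from a login session, the situation Steve asks about), and shows why the kernel's unsigned compare makes `auid>=500` match an unset auid of -1 unless `auid!=4294967295` is added. Syscall names are resolved only for arch=c000003e (x86_64); the tty/auid/ses heuristic and all function names are this example's own.

```python
"""Triage a flooded audit.log: who generates the records, which records lack a
key, and which daemon-like processes carry a login session (auid/ses set)."""
import re
from collections import Counter

ID_UNSET = 0xFFFFFFFF  # auid/ses are unsigned in the kernel; "unset" is -1 == 4294967295

# x86_64 syscall numbers for the calls discussed in the thread
SYSCALL_NAMES_X86_64 = {2: "open", 76: "truncate", 85: "creat",
                        257: "openat", 304: "open_by_handle_at"}

# Sample input (constructed): the three SYSCALL records from the post, two more
# keepalived opens, a daemon started by init (auid/ses unset) and an ENOENT openat.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1427989933.878:3632254): arch=c000003e syscall=2 success=yes exit=0 a0=4378a2 a1=2 a2=9 a3=8 items=1 ppid=43118 pid=3379 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="keepalived" exe="/usr/sbin/keepalived" key=(null)
type=SYSCALL msg=audit(1427918414.323:2598129): arch=c000003e syscall=2 success=no exit=-6 a0=4a3155 a1=802 a2=1 a3=7fff4aefd1a0 items=1 ppid=20915 pid=20917 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="mysql_status_ch" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1427918414.341:2598135): arch=c000003e syscall=2 success=yes exit=3 a0=f14470 a1=241 a2=1b6 a3=76 items=2 ppid=20916 pid=20947 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="mysql_status_ch" exe="/bin/bash" key=(null)
type=SYSCALL msg=audit(1427989934.878:3632260): arch=c000003e syscall=2 success=yes exit=0 a0=4378a2 a1=2 a2=9 a3=8 items=1 ppid=43118 pid=3379 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="keepalived" exe="/usr/sbin/keepalived" key=(null)
type=SYSCALL msg=audit(1427989935.878:3632266): arch=c000003e syscall=2 success=yes exit=0 a0=4378a2 a1=2 a2=9 a3=8 items=1 ppid=43118 pid=3379 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=3 comm="keepalived" exe="/usr/sbin/keepalived" key=(null)
type=SYSCALL msg=audit(1427989940.000:3632300): arch=c000003e syscall=2 success=yes exit=0 a0=1 a1=2 a2=9 a3=8 items=1 ppid=1 pid=3400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" key=(null)
type=SYSCALL msg=audit(1427989941.000:3632301): arch=c000003e syscall=257 success=no exit=-2 a0=ffffff9c a1=1 a2=0 a3=0 items=1 ppid=3000 pid=3401 auid=501 uid=501 gid=501 euid=501 suid=501 fsuid=501 egid=501 sgid=501 fsgid=501 tty=pts0 ses=5 comm="vim" exe="/usr/bin/vim" key=(null)
"""

# field=value tokens: quoted strings, parenthesised values such as (none), or bare words
TOKEN_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')


def parse_record(line):
    """Split one audit record into a dict of field -> value (quotes stripped)."""
    return {k: v.strip('"') for k, v in TOKEN_RE.findall(line)}


def parse_log(text):
    """Return only the SYSCALL records of an audit.log excerpt."""
    return [parse_record(l) for l in text.splitlines() if l.startswith("type=SYSCALL ")]


def is_unset_id(value):
    """True for an unset auid or ses, whether printed as -1 or 4294967295."""
    return int(value) & 0xFFFFFFFF == ID_UNSET


def rule_auid_ge_matches(auid, minimum):
    """Emulate '-F auid>=MIN' as the kernel evaluates it: an unsigned compare,
    so an unset auid (-1) matches too unless '-F auid!=4294967295' is added."""
    return (int(auid) & 0xFFFFFFFF) >= minimum


def syscall_name(record):
    """Resolve the syscall number for x86_64 records; leave other arches numeric."""
    if record.get("arch") == "c000003e":
        return SYSCALL_NAMES_X86_64.get(int(record["syscall"]), record["syscall"])
    return record["syscall"]


def noise_summary(records):
    """Count records per (exe, comm, syscall, exit) to see who fills the log."""
    counts = Counter()
    for r in records:
        counts[(r["exe"], r["comm"], syscall_name(r), r["exit"])] += 1
    return counts


def unkeyed(records):
    """Records that matched a rule with no -k/-F key: hard to attribute later."""
    return [r for r in records if r.get("key") == "(null)"]


def daemons_with_session(records):
    """Processes with no controlling tty but a real auid and ses: daemons that
    were started from a login session (e.g. by hand as root) instead of by init."""
    found = set()
    for r in records:
        if r["tty"] == "(none)" and not is_unset_id(r["auid"]) and not is_unset_id(r["ses"]):
            found.add((r["exe"], r["comm"], r["auid"], r["ses"]))
    return found


def enoent_records(records):
    """Failed calls on non-existent paths (exit=-2): the bulk noise that an
    'exit=-ENOENT' never rule drops."""
    return [r for r in records if r["success"] == "no" and r["exit"] == "-2"]


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("top generators:")
    for key, n in noise_summary(recs).most_common(5):
        print(f"  {n:6d}  exe={key[0]} comm={key[1]} syscall={key[2]} exit={key[3]}")
    print(f"unkeyed records: {len(unkeyed(recs))} of {len(recs)}")
    print(f"ENOENT noise: {len(enoent_records(recs))}")
    for exe, comm, auid, ses in sorted(daemons_with_session(recs)):
        print(f"daemon-like process with a login session: {exe} ({comm}) auid={auid} ses={ses}")
    print("auid>=500 matches an unset auid:", rule_auid_ge_matches(-1, 500))
```

Run it against a real audit.log (`python3 triage.py < /var/log/audit/audit.log` after swapping `SAMPLE_LOG` for `sys.stdin.read()`) and the first table tells you which process and syscall to target with a `never` rule or a narrower `always` rule; a daemon that shows up in the last list was started under someone's login, which is exactly the condition Steve points to, and restarting it from init (or adding `-F auid!=4294967295` to the rule) removes it from an `auid>=500` rule's scope.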