<div dir="ltr"><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(32,18,77)">So, here is the tree structure for auditd and audisp in Ubuntu.</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(32,18,77)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small"><div class="gmail_default"><i><font color="#0000ff">root@dns:/etc# ls -l audit/rules.d/</font></i></div><div class="gmail_default"><i><font color="#0000ff">total 4</font></i></div><div class="gmail_default"><i><font color="#0000ff">-rw-r----- 1 root root 373 Jan 18 2016 audit.rules</font></i></div><div class="gmail_default"><i><font color="#0000ff">root@dns:/etc# </font></i></div><div class="gmail_default"><i><font color="#0000ff">root@dns:/etc# ls -l audisp/</font></i></div><div class="gmail_default"><i><font color="#0000ff">total 20</font></i></div><div class="gmail_default"><i><font color="#0000ff">-rw-r----- 1 root root 211 Jan 18 2016 audispd.conf</font></i></div><div class="gmail_default"><i><font color="#0000ff">-rw-r--r-- 1 root root 1143 Jan 18 2016 audisp-prelude.conf</font></i></div><div class="gmail_default"><i><font color="#0000ff">-rw-r--r-- 1 root root 714 Sep 16 13:51 audisp-remote.conf</font></i></div><div class="gmail_default"><i><font color="#0000ff">drwxr-x--- 2 root root 4096 Sep 16 10:42 plugins.d</font></i></div><div class="gmail_default"><i><font color="#0000ff">-rw-r--r-- 1 root root 246 Jan 18 2016 zos-remote.conf</font></i></div><div class="gmail_default"><i><font color="#0000ff">root@dns:/etc# </font></i></div><div class="gmail_default"><i><font color="#0000ff">root@dns:/etc# ls -l audisp/plugins.d/</font></i></div><div class="gmail_default"><i><font color="#0000ff">total 20</font></i></div><div class="gmail_default"><i><font color="#0000ff">-rw-r----- 1 root root 358 Jan 18 2016 af_unix.conf</font></i></div><div class="gmail_default"><i><font color="#0000ff">-rw-r--r-- 1 root root 436 Jan 18 2016 audispd-zos-remote.conf</font></i></div><div class="gmail_default"><i><font color="#0000ff">-rw-r--r-- 1 root root 280 Jan 18 2016 au-prelude.conf</font></i></div><div class="gmail_default"><i><font color="#0000ff">-rw-r--r-- 1 root root 239 Sep 16 10:42 au-remote.conf</font></i></div><div class="gmail_default"><i><font color="#0000ff">-rw-r----- 1 root root 453 Jan 18 2016 syslog.conf</font></i></div><div style="color:rgb(32,18,77)"><br></div></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(32,18,77)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(32,18,77)">Noticed that /etc/audit has a subdirectory rules.d - which again has another audit.rules. (the contents of that file are pasted below)</div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small;color:rgb(32,18,77)"><br></div><div class="gmail_default" style="font-family:verdana,sans-serif;font-size:small"><i><font color="#0000ff">cat /etc/audit/rules.d/audit.rules</font></i></div><div class="gmail_default"><div class="gmail_default"><font face="verdana, sans-serif" color="#0000ff"><i># This file contains the auditctl rules that are loaded</i></font></div><div class="gmail_default"><font face="verdana, sans-serif" color="#0000ff"><i># whenever the audit daemon is started via the initscripts.</i></font></div><div class="gmail_default"><font face="verdana, sans-serif" color="#0000ff"><i># The rules are simply the parameters that would be passed</i></font></div><div class="gmail_default"><font face="verdana, sans-serif" color="#0000ff"><i># to auditctl.</i></font></div><div class="gmail_default"><font face="verdana, sans-serif" color="#0000ff"><i><br></i></font></div><div class="gmail_default"><font face="verdana, sans-serif" color="#0000ff"><i># First rule - delete all</i></font></div><div class="gmail_default"><font face="verdana, sans-serif" color="#0000ff"><i>-D</i></font></div><div class="gmail_default"><font face="verdana, sans-serif" color="#0000ff"><i><br></i></font></div><div class="gmail_default"><font face="verdana, sans-serif" color="#0000ff"><i># Increase the buffers to survive stress events.</i></font></div><div class="gmail_default"><font face="verdana, sans-serif" color="#0000ff"><i># Make this bigger for busy systems</i></font></div><div class="gmail_default"><font face="verdana, sans-serif" color="#0000ff"><i>-b 320</i></font></div><div class="gmail_default"><font face="verdana, sans-serif" color="#0000ff"><i><br></i></font></div><div class="gmail_default"><font face="verdana, sans-serif" color="#0000ff"><i># Feel free to add below this line. See auditctl man page</i></font></div><div style="color:rgb(32,18,77);font-family:verdana,sans-serif;font-size:small"><br></div><div style="color:rgb(32,18,77);font-family:verdana,sans-serif;font-size:small"><br></div><div style="color:rgb(32,18,77);font-family:verdana,sans-serif;font-size:small"><br></div></div><div class="gmail_extra"><br clear="all"><div><div class="gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><table cellpadding="0" cellspacing="0" border="0" style="background:none;border-collapse:collapse;color:rgb(85,85,85);font-family:proxima-nova,"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:16px;border:0px;margin:0px;padding:0px"><tbody><tr><td colspan="2" style="font-family:Arial,Helvetica,sans-serif;padding-bottom:5px"><font size="2" color="#0b5394">Best Regards,<br>Rituraj B</font></td></tr><tr><td colspan="2" style="font-family:Arial,Helvetica,sans-serif;color:rgb(38,56,119);font-size:12px"><br></td></tr></tbody></table></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div> <br><div class="gmail_quote">On Sat, Sep 23, 2017 at 11:59 PM, Rituraj Buddhisagar <span dir="ltr"><<a href="mailto:rituraj@vayana.com" target="_blank">rituraj@vayana.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><div dir="ltr"><div style="font-family:verdana,sans-serif;font-size:small;color:rgb(32,18,77)">Hi Steve, </div><div style="font-family:verdana,sans-serif;font-size:small;color:rgb(32,18,77)"><br></div><div style="font-family:verdana,sans-serif;font-size:small;color:rgb(32,18,77)">As per the config file which I had sent (/etc/audit/audit.rules); below line has root_action</div><div style="font-family:verdana,sans-serif;font-size:small;color:rgb(32,18,77)"><br></div><div><font color="#20124d" face="verdana, sans-serif"><b>-a exit,always -S all -F euid=0 -F perm=wxa -F auid!=4294967295 -k root_action</b></font><br></div><div><font color="#20124d" face="verdana, sans-serif"><br></font></div><div><font color="#20124d" face="verdana, sans-serif">I do not see root_action anywhere else in /etc/audit/* and /etc/audisp/*</font></div><div><font color="#20124d" face="verdana, sans-serif"><br></font></div><div><font color="#20124d" face="verdana, sans-serif">Thanks!</font></div><div><font color="#20124d" face="verdana, sans-serif"><br></font></div><div><font color="#20124d" face="verdana, sans-serif"><br></font></div><div class="gmail_extra"><br clear="all"><div><div class="m_8249348630462108554gmail_signature" data-smartmail="gmail_signature"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><div dir="ltr"><table cellpadding="0" cellspacing="0" border="0" style="background:none;border-collapse:collapse;color:rgb(85,85,85);font-family:proxima-nova,"Helvetica Neue",Helvetica,Arial,sans-serif;font-size:16px;border:0px;margin:0px;padding:0px"><tbody><tr><td colspan="2" style="font-family:Arial,Helvetica,sans-serif;padding-bottom:5px"><font size="2" color="#0b5394">Best Regards,<br>Rituraj B</font></td></tr><tr><td colspan="2" style="font-family:Arial,Helvetica,sans-serif;color:rgb(38,56,119);font-size:12px"><br></td></tr></tbody></table></div></div></div></div></div></div></div></div></div></div></div></div></div></div></div><div><div class="h5"> <br><div class="gmail_quote">On Sat, Sep 23, 2017 at 11:46 PM, Steve Grubb <span dir="ltr"><<a href="mailto:sgrubb@redhat.com" target="_blank">sgrubb@redhat.com</a>></span> wrote:<br><blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex"><span>On Saturday, September 23, 2017 10:08:40 AM EDT Rituraj Buddhisagar wrote:<br> > Continued...from previous mail of mine..<br> ><br> > While I am reading and exploring much on auditd & on how I can have a<br> > proper central system where logs are stored and daily reports get<br> > generated, you might want to look at my config file on server and<br> > suggest/recommend if anything - would appreciate if any pointers.<br> ><br> </span>> I am using default config which came with Ubuntu 16.04 and only change was*<br> > "-F auid!=4294967295"* on line where root_action is defined .<br> <br> There is no rule, root_action, that is shipped with the audit package. I would<br> be interested in seeing it if you could copy and paste it into a reply.<br> <span class="m_8249348630462108554HOEnZb"><font color="#888888"><br> -Steve<br> </font></span><div class="m_8249348630462108554HOEnZb"><div class="m_8249348630462108554h5"><br> > On Sat, Sep 23, 2017 at 7:30 PM, Rituraj Buddhisagar <<a href="mailto:rituraj@vayana.com" target="_blank">rituraj@vayana.com</a>><br> ><br> > wrote:<br> > > Hi Steve,<br> > ><br> > > Thanks for the response.<br> > ><br> > > Suppressing the events with -F auid!=4294967295 worked.<br> > ><br> > > I am seeing the events like "vi" "chmod" etc are getting audited by the<br> > > system - even as a root account.<br> > ><br> > > I am yet to understand fully though on various rule sets and also on<br> > > components like audisp / audisp-remote. So reading more ..<br> > ><br> > ><br> > > Best Regards,<br> > > Rituraj B<br> > ><br> > > On Fri, Sep 22, 2017 at 10:17 PM, Steve Grubb <<a href="mailto:sgrubb@redhat.com" target="_blank">sgrubb@redhat.com</a>> wrote:<br> > >> Hello,<br> > >><br> > >> On Friday, September 22, 2017 1:09:19 AM EDT Rituraj Buddhisagar wrote:<br> > >> > I have a DNS server for which the auditd was generating lot of system<br> > >><br> > >> calls<br> > >><br> > >> > and flooding the logs.<br> > >> > Due to this the server was under heavy memory usage as audisp-remote<br> > >><br> > >> was<br> > >><br> > >> > hogging the memory. The log output for audisp-remote showed that the<br> > >> > syscall was 49. Then I got to know from ausyscall command that the call<br> > >> > number 49 corresponds to bind. Hence I have *excluded* the call to<br> > >><br> > >> "bind".<br> > >><br> > >> > I have put in below line in the /etc/audit/audit.rules<br> > >> ><br> > >> > *-a exclude,always -S 49*<br> > >> ><br> > >> > I have put the above line before section 10.2.2 which says "Feel free<br> > >> > to<br> > >> > add below this line" (please note I am running Ubuntu 14.04 but I<br> > >><br> > >> suppose<br> > >><br> > >> > auditd implementation is same across board) .<br> > >><br> > >> Also know that the rules are looked at from top to bottom with the first<br> > >> match<br> > >> winning. So, you would want this rule above whatever is causing events.<br> > >><br> > >> > After the exclusion - I no more see the syscall=49 line in<br> > >> > /var/log/audit/audit.rules. So thats a success of sorts!<br> > >> ><br> > >> > *Probem/Issue/Query now*: After the exclusion, I do see audit events<br> > >> > for<br> > >> > cron , sudo etc. But I do not see a call for "vi" file open mode etc.<br> > >><br> > >> I'd need to see the rules to figure out what's wrong, but I have some<br> > >> hints<br> > >> below...<br> > >><br> > >> > *Background:*<br> > >> ><br> > >> > log output earlier which was flooding the logs and giving message "<br> > >><br> > >> *dns1<br> > >><br> > >> > audisp-remote: message repeated 6613 times: [ queue is full - dropping<br> > >> > event"*<br> > >> ><br> > >> > *log:*<br> > >> > *type=SYSCALL msg=audit(1506025977.586:46629<wbr>194): arch=c000003e<br> > >><br> > >> syscall=49<br> > >><br> > >> > success=yes exit=0 a0=3 a1=7ffe540ecf20 a2=c a3=0 items=0 ppid=22337<br> > >> > pid=22338 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0<br> > >><br> > >> sgid=0<br> > >><br> > >> > fsgid=0 tty=(none) ses=4294967295 comm="audisp-remote"<br> > >> > exe="/sbin/audisp-remote" key="root_action"*<br> > >><br> > >> The main question is what is the root_action rule(s)? Normally we add a<br> > >> auid!=4294967295 to prevent daemons from causing events. Typically when<br> > >> it's<br> > >> desired to get root events, its means that you want to target _people_<br> > >> running<br> > >> as root rather than normal system activity.<br> > >><br> > >> > root@dns1:/tmp# ausyscall 49<br> > >> > *bind*<br> > >> ><br> > >> > I do see audit events for cron , sudo etc. But I do not see a call for<br> > >><br> > >> "vi"<br> > >><br> > >> > file open mode etc.<br> > >> ><br> > >> > Observation: I open file /etc/audit/audit.rules in vi editor and then<br> > >><br> > >> close<br> > >><br> > >> > it. Audit log does not show syscall=2<br> > >><br> > >> If you were wanting to record writes to that, you would use a rule like<br> > >> this:<br> > >><br> > >> -w /etc/audit/ -p wa<br> > >><br> > >> > Earlier I used to see below output in logs, but I am not sure that was<br> > >><br> > >> for<br> > >><br> > >> > which file opened in vi editor.<br> > >> ><br> > >> > *type=SYSCALL msg=audit(1506025995.825:46633<wbr>170): arch=c000003e<br> > >><br> > >> syscall=2<br> > >><br> > >> > success=yes exit=3 a0=5598f609a210 a1=200c1 a2=81a0 a3=0 items=2<br> > >><br> > >> ppid=21957<br> > >><br> > >> > pid=22355 auid=1006 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0<br> > >><br> > >> fsgid=0<br> > >><br> > >> > tty=pts0 ses=361 comm="vi" exe="/usr/bin/vim.basic" key="root_action"*<br> > >><br> > >> Typically, its expected to look at events through ausearch. It groups the<br> > >> records into events. You can also use aureport to see summary<br> > >> information.<br> > >><br> > >> > I did read a bit on auditd from below links. *Please let me know if I<br> > >> > am<br> > >> > missing something or are the calls getting audited in an expected way.*<br> > >> ><br> > >> ><br> > >> > I went through below links; *would appreciate if someone can help with<br> > >><br> > >> any<br> > >><br> > >> > references which are more lucid with example*s:<br> > >> ><br> > >> > <a href="https://linux-audit.com/configuring-and-auditing-linux-" rel="noreferrer" target="_blank">https://linux-audit.com/config<wbr>uring-and-auditing-linux-</a>> >><br> > >> systems-with-audit-da<br> > >><br> > >> > emon/<br> > >><br> > >> I was not aware of that site. But some of the information appears to be<br> > >> dated.<br> > >> For example, telling people to use pam_tally2 when they should be using<br> > >> pam_faillock.<br> > >><br> > >> > <a href="https://access.redhat.com/documentation/en-US/Red_Hat_Enterp" rel="noreferrer" target="_blank">https://access.redhat.com/docu<wbr>mentation/en-US/Red_Hat_Enterp</a><br> > >><br> > >> rise_Linux/6/ht<br> > >><br> > >> > ml/Security_Guide/chap-system_<wbr>auditing.html<br> > >> ><br> > >> > Furthermore, I would like to read much on audisp-remote to send all<br> > >><br> > >> these<br> > >><br> > >> > logs to a central server. I do not find any documentation on that. I<br> > >> > see<br> > >> > discussion on net where people are using rsyslog instead for that.<br> > >><br> > >> Please<br> > >><br> > >> > help with references/links if any.<br> > >><br> > >> Admittedly there is not much written. It is on my list of topics to blog<br> > >> about. But I haven't had time for blogging lately.<br> > >><br> > >> -Steve<br> <br> <br> </div></div></blockquote></div><br></div></div></div></div> </blockquote></div><br></div></div>