Auditd and Watches
Steve Grubb
sgrubb at redhat.com
Thu May 24 14:10:08 UTC 2007
On Thursday 24 May 2007 09:53, Simmons Jr,Felix wrote:
> [root at XXXX-22 ~]# auditctl -l
> No rules
> AUDIT_WATCH_LIST: dev=104:2, path=/var/tmp/important_test,
> filterkey=test-file, perms=wa, valid=0
This seems slightly odd output. What kernel and audit package are you using?
> My question is this (about time eh?) even though the only rule I have in
> my rules is a single watch on a file, I'm getting all sorts of other
> events in my /var/log/audit/audit.log. A lot of it are don't care items
> at this phase and would only aid in growing my log files. Is there
> something I'm missing that can turn off the additional chatter in the
> logs?
Yes, if you are using 2.6.16 and later kernels.
/usr/include/libaudit.h has this table:
* 1000 - 1099 are for commanding the audit system
* 1100 - 1199 user space trusted application messages
* 1200 - 1299 messages internal to the audit daemon
* 1300 - 1399 audit event messages
* 1400 - 1499 kernel SE Linux use
* 1500 - 1599 AppArmor events
* 1600 - 1699 kernel crypto events
* 1700 - 1799 kernel anomaly records
* 1800 - 1999 future kernel use (maybe integrity labels and related events)
* 2001 - 2099 unused (kernel)
* 2100 - 2199 user space anomaly records
* 2200 - 2299 user space actions taken in response to anomalies
* 2300 - 2399 user space generated LSPP events
* 2400 - 2499 user space crypto events
* 2500 - 2999 future user space (maybe integrity labels and related events)
So, you could do:
-a exclude,always -F msgtype>=1100 -F msgtype<=1299
-a exclude,always -F msgtype>=1400 -F msgtype<=2999
Although I recommend widening the choices to allow SELinux AVCs through. And
note that if you try to type this at a command prompt, you will need quotes
around "msgtype>=1100", since < and > are characters the shell will interpret.
> Basically I'm trying to chunk the logs down so my host based ids can
> snag the events and alert accordingly.
Yes, I am working on an IDS/IPS system, too. But it doesn't use the logs;
rather, it uses the realtime interface so it can react in realtime. I made a
presentation about it at the Red Hat Summit a couple of weeks ago and put my
presentation here:
http://people.redhat.com/sgrubb/audit/summit07_audit_ids.odp
To some extent that is what's driving development and requirements for the
audit event dispatcher and the audit parsing library.
-Steve
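Added example (not code from Steve's message or from the audit project): a small Python model of the msgtype exclude rules proposed above. It emits the two rules in both rules-file and shell-quoted form, then runs the ranges over a handful of constructed audit.log records to show what an exclude filter keyed on the numeric record type would drop, and how leaving 1400-1499 out of the exclude range keeps SELinux AVC records. The numeric values assumed for the record types (SYSCALL=1300, AVC=1400, USER_AUTH=1100, DAEMON_START=1200, ANOM_PROMISCUOUS=1700 and so on) are the AUDIT_* constants from linux/audit.h; the range boundaries are those quoted from libaudit.h in the message; the log lines are made-up samples, not captured output.

```python
"""Model the auditctl msgtype exclude rules from the thread and show their effect.

Added example, not part of the original message or of the audit package.
Assumptions: AUDIT_* numeric values as in linux/audit.h; range boundaries as
quoted from libaudit.h above; SAMPLE_LOG is constructed, not real audit output.
"""
import re
import shlex

# Record type name -> numeric msgtype (AUDIT_* constants from linux/audit.h).
MSGTYPE = {
    "USER_AUTH": 1100, "CRED_ACQ": 1103, "USER_START": 1105,            # 1100-1199 trusted apps (PAM, sshd...)
    "DAEMON_START": 1200,                                               # 1200-1299 auditd itself
    "SYSCALL": 1300, "PATH": 1302, "CONFIG_CHANGE": 1305, "CWD": 1307,  # 1300-1399 kernel audit events
    "AVC": 1400,                                                        # 1400-1499 SELinux
    "ANOM_PROMISCUOUS": 1700,                                           # 1700-1799 kernel anomalies
}

# The two rules exactly as posted: only 1300-1399 (and anything below 1100) survives.
EXCLUDE_AS_POSTED = [(1100, 1299), (1400, 2999)]
# Widened as recommended: leave 1400-1499 alone so SELinux AVC records get through.
EXCLUDE_KEEP_AVC = [(1100, 1299), (1500, 2999)]


def rules_file_lines(ranges):
    """Lines for /etc/audit/audit.rules (loaded with auditctl -R); no quoting needed there."""
    return [f"-a exclude,always -F msgtype>={lo} -F msgtype<={hi}" for lo, hi in ranges]


def command_lines(ranges):
    """The same rules as typed at an interactive shell prompt.

    Unquoted, msgtype>=1100 would be split by the shell at the > and treated as
    a redirection, so each -F expression is quoted (shlex.quote does that)."""
    lines = []
    for lo, hi in ranges:
        argv = ["auditctl", "-a", "exclude,always",
                "-F", f"msgtype>={lo}", "-F", f"msgtype<={hi}"]
        lines.append(" ".join(shlex.quote(a) for a in argv))
    return lines


_TYPE_RE = re.compile(r"^type=(\S+)\s")


def record_type_name(line):
    """Type name of one audit.log record, taken from its leading type= field."""
    m = _TYPE_RE.match(line)
    if not m or m.group(1) not in MSGTYPE:
        raise ValueError(f"unrecognised record: {line[:40]!r}")
    return m.group(1)


def is_excluded(msgtype, ranges):
    """True if any exclude rule's inclusive [lo, hi] msgtype range matches."""
    return any(lo <= msgtype <= hi for lo, hi in ranges)


def kept_types(lines, ranges):
    """Type names of the records the exclude filter would still pass on to auditd."""
    return [record_type_name(l) for l in lines
            if not is_excluded(MSGTYPE[record_type_name(l)], ranges)]


# Constructed sample of what a log with a single file watch might contain (not real data).
SAMPLE_LOG = [
    'type=DAEMON_START msg=audit(1180015000.000:1): auditd start, ver=1.5.3 format=raw res=success',
    'type=CONFIG_CHANGE msg=audit(1180015001.000:2): auid=500 op=add rule key="test-file" list=4 res=1',
    'type=USER_AUTH msg=audit(1180015100.000:3): user pid=2300 uid=0 auid=500 msg="PAM: authentication acct=root exe=/usr/sbin/sshd res=success"',
    'type=CRED_ACQ msg=audit(1180015100.001:4): user pid=2300 uid=0 auid=500 msg="PAM: setcred acct=root exe=/usr/sbin/sshd res=success"',
    'type=USER_START msg=audit(1180015100.002:5): user pid=2300 uid=0 auid=500 msg="PAM: session open acct=root exe=/usr/sbin/sshd res=success"',
    'type=SYSCALL msg=audit(1180015200.123:6): arch=c000003e syscall=2 success=yes exit=3 pid=2345 auid=500 uid=0 comm="vi" exe="/bin/vi" key="test-file"',
    'type=CWD msg=audit(1180015200.123:6):  cwd="/root"',
    'type=PATH msg=audit(1180015200.123:6): item=0 name="/var/tmp/important_test" inode=12345 dev=68:02 mode=0100644 ouid=0 ogid=0',
    'type=AVC msg=audit(1180015300.500:7): avc:  denied  { read } for  pid=2400 comm="httpd" name="index.html" tclass=file',
    'type=ANOM_PROMISCUOUS msg=audit(1180015400.000:8): dev=eth0 prom=256 old_prom=0 auid=500',
]


if __name__ == "__main__":
    for label, ranges in (("as posted", EXCLUDE_AS_POSTED), ("keeping AVC", EXCLUDE_KEEP_AVC)):
        print(f"# exclude rules ({label}), rules-file form:")
        print("\n".join(rules_file_lines(ranges)))
        print("# same rules at a shell prompt:")
        print("\n".join(command_lines(ranges)))
        print("# records that still reach audit.log:", kept_types(SAMPLE_LOG, ranges))
        print()
```

Run it and the "as posted" ranges leave only the CONFIG_CHANGE, SYSCALL, CWD and PATH records from the watch; the widened ranges also let the AVC record through while still dropping the PAM session chatter, the auditd start record and the promiscuous-mode anomaly. Note that the model matches on the numeric record type only, which is all the posted rules look at; it says nothing about the other fields in a record.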