questions about auditing on a new RH 6 box

Tangren, Bill bill.tangren at usno.navy.mil
Fri Jan 14 17:23:01 UTC 2011



-----Original Message-----
From: Eric Paris [mailto:eparis at redhat.com] 
Sent: Friday, January 14, 2011 11:42 AM
To: Tangren, Bill
Cc: linux-audit at redhat.com
Subject: Re: questions about auditing on a new RH 6 box

On Fri, 2011-01-14 at 16:21 +0000, Tangren, Bill wrote:
> I have a new VM running RH 6 server. I put some audit.rules in place, and
> now I notice that I am getting 11 MB of audit log entries every half hour.
> This server has no users or services running. I am trying to use
> audit-viewer to determine which of my rules is creating so much log traffic,
> but I don't understand the output enough to be able to tell. The version of
> audit is 2.0.4-1 (64 bit). 
> 
> Is this the correct forum to ask this question? 
> 
> If so, I can provide the audit rules and some of the logs.

This is probably the best forum there is.  Let us know your troubles.

-Eric


OK, here goes. These are the audit rules. And before you read them, please don't shoot the messenger. This is what I was told to audit, according to regulations. If it is misconfigured, or if something causes excessive logging to no good purpose, I can modify them some. I've used these rules on RH 5 systems with no problems. Also, I've left in the comments.

***********************
-f 2

# Ensures that any access or modifications to the password file is audited
-w /etc/passwd -p rwa

# Ensures that any access or modifications to the shadow file is audited
-w /etc/shadow -p rwa

# Ensures that any reads of the audit log by the currently logged-in user are
# audited. It might be beneficial to create a rule for each of the 5 logs
# that are generated.
-w /var/log/audit/audit.log -k LOG_audit

# Ensures that the user who is logged in and fails to access a file or process
# is audited. Note: this will prevent kernel panics if you have a web server running
# because it will not log apache file accesses.
# The exit field has to carry the negative errno: a failed open() returns
# -13 (-EACCES) or -1 (-EPERM), so exit=EACCES (13) would never match.
# auditctl resolves "apache" to a uid when the rules load; if that user does
# not exist on the box, the rule fails to load.
-a exit,always -F arch=b64 -S open -S openat -F exit=-EACCES -F uid!=apache -k access
-a exit,always -F arch=b64 -S open -S openat -F exit=-EPERM -F uid!=apache -k access

# Ensures that any user who fails to change permissions of a file or directory is
# audited. exit!=-11 excludes -EAGAIN (transient "try again" failures); the
# same filter is applied to most of the rules below.
-a exit,always -F arch=b64 -S chmod -S lchown -S chown -F success=0  -F exit!=-11

# Ensures that any user who mounts or unmounts a device is audited
-a exit,always -F arch=b64 -S mount -S umount2

# Ensures that when anything is written to CD or DVD is audited
# This rule MUST be edited to reflect the device path that is specific to
# the system that the rules are being written for.
-w /dev/cdrom -p w

# AUDITING THE EXECVE FUNCTION
# As written (success=0, auid=-1) this records only failed execve calls from
# processes with no login uid set; it does not record successful executions.
# Drop "-F success=0" (and the auid filter) to record every execution.
# Note that execve does not go through open(2)/openat(2) from user space (the
# kernel opens the binary itself), so the open rules above do not produce a
# duplicate record for each execution.
-a exit,always -F arch=b64 -S execve -F auid=-1 -F success=0

# AUDITING SHUTDOWNS AND REBOOTS
# Red Hat ensures auditing whenever the reboot command is sent to the kernel.
# Caveat: as written this rule matches socket(2) calls whose first argument
# (the address family) is 13; it does not match the reboot(2) system call, so
# it records nothing about shutdowns or reboots. Auditing reboot(2) needs
# "-S reboot".
-a exit,always -F arch=b64 -S socket -F a0=13

# AUDITING THE ROOT DIRECTORY IN FEDORA
# Ensures auditing of any unauthorized access to root's home directory.
-w /root -p rw -F uid!=0

# AUDITING THE ROOT DIRECTORY IN FEDORA
# Ensures auditing of any failed unauthorized access to root's home directory.
# This is a strict subset of the rule above (same watch plus success=0); the
# kernel stops at the first matching rule, so it adds no records of its own.
-w /root -p rw -F uid!=0 -F success=0

#Auditing configuration changes to the auditd.conf and audit.rules files.
#On Red Hat these live under /etc/audit/ (a watch on a path that never exists
#loads without error and simply never fires). For a -w rule the permissions
#go in -p; -k only names the key (key names here are illustrative).
-w /etc/audit/auditd.conf -p wa -k audit_config
-w /etc/audit/audit.rules -p wa -k audit_config

#Ensure that failed use of the following system calls is audited for root
#(auid=0) and for processes with no login uid set (auid=-1, i.e. 4294967295:
#daemons and anything started from init). Ordinary logged-in users' failures
#are not covered by these two lines.

-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=0 -F exit!=-11
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=0 -F auid=-1 -F exit!=-11

#Ensure that successful use of the following system calls, by any auid, is
#audited (success=1 matches successful calls, not failed ones)
-a exit,always -F arch=b64 -S mknod -S acct -S swapon -S sethostname -F success=1 -F exit!=-11

#Ensure that failed deletion of files and directories by anyone is audited
-a exit,always -F arch=b64 -S rmdir -S unlink -F success=0 -F exit!=-11

#Ensure that failed use of the following system calls is audited
-a exit,always -F arch=b64 -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=0 -F auid=0 -F exit!=-11
-a exit,always -F arch=b64 -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=0 -F auid=-1 -F exit!=-11

#Ensure that successful use of the following system calls is audited.
#Caveat: fdatasync is a routine call for any daemon that persists data
#(log writers, databases), so a success=1 rule on it can fire continuously
#from auid=-1 processes even on a box with no users logged in.
-a exit,always -F arch=b64 -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=1 -F auid=0 -F exit!=-11
-a exit,always -F arch=b64 -S settimeofday -S adjtimex -S nfsservctl -S umount2 -S fdatasync -S setdomainname -F success=1 -F auid=-1 -F exit!=-11

#Ensure that failed use of the following system calls is audited
-a exit,always -F arch=b64 -S quotactl -S mount -S kill -S chroot -F success=0 -F auid=0 -F exit!=-11
-a exit,always -F arch=b64 -S quotactl -S mount -S kill -S chroot -F success=0 -F auid=-1 -F exit!=-11

#Ensure that successful use of the following system calls is audited.
#Caveat: kill is issued constantly by shells, init and service scripts
#(including "kill -0" liveness probes), so the success=1 rules on it are
#high-volume.
-a exit,always -F arch=b64 -S quotactl -S mount -S kill -S chroot -F success=1 -F auid=0 -F exit!=-11
-a exit,always -F arch=b64 -S quotactl -S mount -S kill -S chroot -F success=1 -F auid=-1 -F exit!=-11

#Ensure that a failed login being recorded to the faillog and lastlog files is
#audited. These are watches, so the permissions belong in -p; -k only names the
#key (key names here are illustrative).
-w /var/log/faillog -p wa -k logins
-w /var/log/lastlog -p wa -k logins

#Ensure that a login being recorded to wtmp is audited
-w /var/log/wtmp -p wa -k logins
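To find which rule is behind a flood like the 11 MB per half hour described above, it helps to tally the SYSCALL records in audit.log by syscall number, success flag and key, since each rule above pins down a fixed combination of those. The script below is an added example, not code from the original thread or from the audit package; the log lines it feeds itself are constructed for the example and are not taken from the poster's system (syscall 75 is fdatasync, 2 is open and 59 is execve on x86_64).

```shell
#!/bin/sh
# Added example (not from the original thread): tally SYSCALL records in an
# audit.log by syscall number, success flag and key, most frequent first, so
# the rule responsible for the log volume can be identified.

audit_top_rules() {
    # $1: path to an audit.log. Prints "count syscall=N success=yes|no key=K".
    awk '
        /^type=SYSCALL / {
            sc = succ = key = "?"
            for (i = 1; i <= NF; i++) {
                eq = index($i, "=")
                if (eq == 0) continue
                name = substr($i, 1, eq - 1)
                val  = substr($i, eq + 1)
                gsub(/"/, "", val)          # key="access" -> access
                if (name == "syscall")      sc   = val
                else if (name == "success") succ = val
                else if (name == "key")     key  = val
            }
            n["syscall=" sc " success=" succ " key=" key]++
        }
        END { for (k in n) printf "%d %s\n", n[k], k }
    ' "$1" | sort -rn
}

# Returns only the single most frequent combination, without its count.
audit_top_rule() {
    audit_top_rules "$1" | head -n 1 | cut -d' ' -f2-
}

# Constructed sample log: three successful fdatasync (75) records from a
# daemon with no login uid, one failed open (2) carrying key "access", and
# one failed execve (59). Not real data from the poster's box.
sample_log=$(mktemp)
cat > "$sample_log" <<'EOF'
type=SYSCALL msg=audit(1295023381.101:1001): arch=c000003e syscall=75 success=yes exit=0 a0=4 a1=0 a2=0 a3=0 items=0 ppid=1 pid=1201 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/sbin/rsyslogd" key=(null)
type=SYSCALL msg=audit(1295023381.102:1002): arch=c000003e syscall=75 success=yes exit=0 a0=4 a1=0 a2=0 a3=0 items=0 ppid=1 pid=1201 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/sbin/rsyslogd" key=(null)
type=SYSCALL msg=audit(1295023381.103:1003): arch=c000003e syscall=2 success=no exit=-13 a0=7fff1 a1=0 a2=0 a3=0 items=1 ppid=1300 pid=1301 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 ses=1 comm="cat" exe="/bin/cat" key="access"
type=PATH msg=audit(1295023381.103:1003): item=0 name="/etc/shadow" inode=1234 dev=fd:00 mode=0100000 ouid=0 ogid=0 rdev=00:00
type=SYSCALL msg=audit(1295023381.104:1004): arch=c000003e syscall=75 success=yes exit=0 a0=4 a1=0 a2=0 a3=0 items=0 ppid=1 pid=1201 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="rsyslogd" exe="/sbin/rsyslogd" key=(null)
type=SYSCALL msg=audit(1295023381.105:1005): arch=c000003e syscall=59 success=no exit=-2 a0=0 a1=0 a2=0 a3=0 items=0 ppid=1 pid=1400 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/bin/sh" key=(null)
EOF

# Run it against the sample; on a real box pass /var/log/audit/audit.log.
audit_top_rules "$sample_log"
```

Once the top line is known, `ausyscall x86_64 75` maps the number back to a name, and the rule list above is short enough to match that name and success flag by eye. The audit package's own `aureport -k --summary` and `aureport -s -i --summary` give similar per-key and per-syscall totals without the script; the script's advantage is that it groups by success as well, which is what separates the success=0 rules from their success=1 twins in this rule set.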



