Auditd filtering

Nick Stires Nick.Stires at binghamtech.com
Tue Jun 7 16:23:41 UTC 2011


I've run into an issue where I have a network of 55 RHEL 5 boxes that each run monitoring software such as nagios and ganglia and are generating roughly 1.2G of audit logs per day. Many of these entries are from the monitoring functionality. I've had to disable audisp, centralized auditing, due to hard drive and networking limitations.

We're finding that 95% of the audit events fall into three unique events, each repeating, causing a tail -f of the audit log to resemble the matrix. I've been Googling and reading posts off this site in an attempt to write some filter policies to prevent these from writing to the log. I can safely filter out 159 since it's a minor hit (change time). The others are more critical, such as file opens.

I started with a generic filter for all syscall events; this cut it down adequately, but we no longer captured the items we wanted to.

Here are some example logs for the two events we are trying to trim down:

################
################
Netstat sample
################
################
type=SYSCALL msg=audit(1307462086.972:1619017): arch=c000003e syscall=2 success=no exit=-2 a0=6d9c790 a1=0 a2=0 a3=3074f234f3 items=2 ppid=4945 pid=32700 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=kernel key=(null)
type=CWD msg=audit(1307462086.972:1619017):  cwd="/"
type=PATH msg=audit(1307462086.972:1619017): item=0 name="/usr/share/locale/en.utf8/LC_MESSAGES/net-tools.mo"
type=PATH msg=audit(1307462086.972:1619017): item=1 name="/usr/share/locale/en.utf8/LC_MESSAGES/net-tools.mo"

################
################
Ganglia Sample
################
################
type=SYSCALL msg=audit(1307462163.369:1620406): arch=c000003e syscall=2 per=400000 success=no exit=-2 a0=2aaab81124b8 a1=0 a2=1b6 a3=0 items=2 ppid=678 pid=681 auid=1002 uid=1002 gid=100 euid=1002 suid=1002 fsuid=1002 egid=100 sgid=100 fsgid=100 tty=(none) ses=641 comm="java" exe="/usr/java/jdk1.6.0_24/bin/java" subj=kernel key=(null)
type=CWD msg=audit(1307462163.369:1620406):  cwd="/home/ganglia"
type=PATH msg=audit(1307462163.369:1620406): item=0 name="/proc/net/if_inet6"
type=PATH msg=audit(1307462163.369:1620406): item=1 name="/proc/net/if_inet6"
type=SYSCALL msg=audit(1307462163.365:1620404): arch=c000003e syscall=2 success=no exit=-20 a0=7fff922a6610 a1=10800 a2=7fff922a68f0 a3=22 items=2 ppid=703 pid=704 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/sbin/modprobe" subj=kernel key=(null)
type=CWD msg=audit(1307462163.365:1620404):  cwd="/"
type=PATH msg=audit(1307462163.365:1620404): item=0 name="/etc/modprobe.d/blacklist-firewire" inode=1049506 dev=08:07 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unlabeled
type=PATH msg=audit(1307462163.365:1620404): item=1 name="/etc/modprobe.d/blacklist-firewire"
type=SYSCALL msg=audit(1307462402.517:1626432): arch=c000003e syscall=2 per=400000 success=no exit=-2 a0=7fff089b2f60 a1=0 a2=2b20f5d60000 a3=62696c2f2e2e2f6e items=2 ppid=2805 pid=2807 auid=1002 uid=1002 gid=100 euid=1002 suid=1002 fsuid=1002 egid=100 sgid=100 fsgid=100 tty=(none) ses=644 comm="java" exe="/usr/java/jdk1.6.0_24/bin/java" subj=kernel key=(null)
type=CWD msg=audit(1307462402.517:1626432):  cwd="/home/ganglia"
type=PATH msg=audit(1307462402.517:1626432): item=0 name="/usr/java/jdk1.6.0_24/bin/../lib/amd64/jli/x86_64/libpthread.so.0"
type=PATH msg=audit(1307462402.517:1626432): item=1 name="/usr/java/jdk1.6.0_24/bin/../lib/amd64/jli/x86_64/libpthread.so.0"
type=SYSCALL msg=audit(1307462402.517:1626433): arch=c000003e syscall=2 per=400000 success=no exit=-2 a0=7fff089b2f60 a1=0 a2=2b20f5d60000 a3=62696c2f2e2e2f6e items=2 ppid=2805 pid=2807 auid=1002 uid=1002 gid=100 euid=1002 suid=1002 fsuid=1002 egid=100 sgid=100 fsgid=100 tty=(none) ses=644 comm="java" exe="/usr/java/jdk1.6.0_24/bin/java" subj=kernel key=(null)
type=CWD msg=audit(1307462402.517:1626433):  cwd="/home/ganglia"
type=PATH msg=audit(1307462402.517:1626433): item=0 name="/usr/java/jdk1.6.0_24/bin/../lib/amd64/jli/libpthread.so.0"
type=PATH msg=audit(1307462402.517:1626433): item=1 name="/usr/java/jdk1.6.0_24/bin/../lib/amd64/jli/libpthread.so.0"
type=SYSCALL msg=audit(1307462402.517:1626434): arch=c000003e syscall=2 per=400000 success=no exit=-2 a0=7fff089b2f60 a1=0 a2=2b20f5d60000 a3=65726a2f2e2e2f6e items=2 ppid=2805 pid=2807 auid=1002 uid=1002 gid=100 euid=1002 suid=1002 fsuid=1002 egid=100 sgid=100 fsgid=100 tty=(none) ses=644 comm="java" exe="/usr/java/jdk1.6.0_24/bin/java" subj=kernel key=(null)
type=CWD msg=audit(1307462402.517:1626434):  cwd="/home/ganglia"
type=PATH msg=audit(1307462402.517:1626434): item=0 name="/usr/java/jdk1.6.0_24/bin/../jre/lib/amd64/jli/tls/x86_64/libpthread.so.0"
type=PATH msg=audit(1307462402.517:1626434): item=1 name="/usr/java/jdk1.6.0_24/bin/../jre/lib/amd64/jli/tls/x86_64/libpthread.so.0"

Exemption rules:
# a0=0x413586 appears to prevent proc tcp6 messages in the netstat sections
-a exit,never -F a0=0x413586 -F success=0
-a exit,never -F exit=-6 -F success=0
-a exit,never -F exit=-13 -F success=0
-a entry,never -S 159
# UID 1002 = ganglia user. These do not work as intended.
-a user,never -F auid=1002
-a user,never -F uid=1002

Any ideas on how I can target these audit logs for filtering?

Thanks!
Nicholas Stires
Principal Systems Engineer
Bingham Technical Solutions LLC
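Before writing suppression rules it helps to know exactly which (syscall, exit, uid) classes make up the noise, since those are the fields an `-a exit,never` rule can match on. The script below is an added example, not code from the post or from the audit project: it parses raw audit.log records, joins the SYSCALL/CWD/PATH records that share a serial number into one event, counts events per class, and prints a candidate suppression rule for each class of failed calls. The records in SAMPLE_LOG are copied from the post; the x86 arch table and the choice of `uid` (rather than `auid`) as the match field are assumptions of the example.

```python
"""Triage noisy auditd SYSCALL records before writing suppression rules.

Added example, not code from the original post or from the audit project.
Parses raw audit.log records (type=... msg=audit(ts:serial): k=v ...),
joins records that share a serial into one event, and counts events by
the fields an `auditctl -a exit,never` rule can match on. SAMPLE_LOG is
copied from the post.
"""
import errno
import re
import sys
from collections import defaultdict

SAMPLE_LOG = """\
type=SYSCALL msg=audit(1307462086.972:1619017): arch=c000003e syscall=2 success=no exit=-2 a0=6d9c790 a1=0 a2=0 a3=3074f234f3 items=2 ppid=4945 pid=32700 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="netstat" exe="/bin/netstat" subj=kernel key=(null)
type=CWD msg=audit(1307462086.972:1619017):  cwd="/"
type=PATH msg=audit(1307462086.972:1619017): item=0 name="/usr/share/locale/en.utf8/LC_MESSAGES/net-tools.mo"
type=PATH msg=audit(1307462086.972:1619017): item=1 name="/usr/share/locale/en.utf8/LC_MESSAGES/net-tools.mo"
type=SYSCALL msg=audit(1307462163.369:1620406): arch=c000003e syscall=2 per=400000 success=no exit=-2 a0=2aaab81124b8 a1=0 a2=1b6 a3=0 items=2 ppid=678 pid=681 auid=1002 uid=1002 gid=100 euid=1002 suid=1002 fsuid=1002 egid=100 sgid=100 fsgid=100 tty=(none) ses=641 comm="java" exe="/usr/java/jdk1.6.0_24/bin/java" subj=kernel key=(null)
type=CWD msg=audit(1307462163.369:1620406):  cwd="/home/ganglia"
type=PATH msg=audit(1307462163.369:1620406): item=0 name="/proc/net/if_inet6"
type=PATH msg=audit(1307462163.369:1620406): item=1 name="/proc/net/if_inet6"
type=SYSCALL msg=audit(1307462163.365:1620404): arch=c000003e syscall=2 success=no exit=-20 a0=7fff922a6610 a1=10800 a2=7fff922a68f0 a3=22 items=2 ppid=703 pid=704 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="modprobe" exe="/sbin/modprobe" subj=kernel key=(null)
type=CWD msg=audit(1307462163.365:1620404):  cwd="/"
type=PATH msg=audit(1307462163.365:1620404): item=0 name="/etc/modprobe.d/blacklist-firewire" inode=1049506 dev=08:07 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=unlabeled
type=PATH msg=audit(1307462163.365:1620404): item=1 name="/etc/modprobe.d/blacklist-firewire"
type=SYSCALL msg=audit(1307462402.517:1626432): arch=c000003e syscall=2 per=400000 success=no exit=-2 a0=7fff089b2f60 a1=0 a2=2b20f5d60000 a3=62696c2f2e2e2f6e items=2 ppid=2805 pid=2807 auid=1002 uid=1002 gid=100 euid=1002 suid=1002 fsuid=1002 egid=100 sgid=100 fsgid=100 tty=(none) ses=644 comm="java" exe="/usr/java/jdk1.6.0_24/bin/java" subj=kernel key=(null)
type=CWD msg=audit(1307462402.517:1626432):  cwd="/home/ganglia"
type=PATH msg=audit(1307462402.517:1626432): item=0 name="/usr/java/jdk1.6.0_24/bin/../lib/amd64/jli/x86_64/libpthread.so.0"
type=PATH msg=audit(1307462402.517:1626432): item=1 name="/usr/java/jdk1.6.0_24/bin/../lib/amd64/jli/x86_64/libpthread.so.0"
"""

# type=SYSCALL msg=audit(1307462086.972:1619017): arch=... -> (type, ts, serial, rest)
HEADER_RE = re.compile(r"^type=(\w+) msg=audit\((\d+\.\d+):(\d+)\):\s*(.*)$")
# k=v pairs; values are either double-quoted (may contain spaces) or bare tokens
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')
# audit arch values -> auditctl -F arch= names (x86 only; assumption of this example)
ARCH_NAMES = {"c000003e": "b64", "40000003": "b32"}


def parse_records(text):
    """Yield one dict per record: type, ts, serial plus the record's k=v fields."""
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if not m:
            continue  # not an audit record (blank line, banner, etc.)
        rec = {"type": m.group(1), "ts": m.group(2), "serial": int(m.group(3))}
        for key, value in FIELD_RE.findall(m.group(4)):
            rec[key] = value.strip('"')
        yield rec


def group_events(records):
    """Join the SYSCALL/CWD/PATH records that share a serial into one event."""
    events = defaultdict(lambda: {"syscall": None, "paths": []})
    for rec in records:
        ev = events[rec["serial"]]
        if rec["type"] == "SYSCALL":
            ev["syscall"] = rec
        elif rec["type"] == "PATH" and "name" in rec:
            ev["paths"].append(rec["name"])
    return dict(events)


def summarize(events):
    """Count events per (comm, uid, arch, syscall, exit); keep the paths involved."""
    summary = {}
    for ev in events.values():
        sc = ev["syscall"]
        if sc is None:
            continue  # PATH/CWD records whose SYSCALL line was not captured
        key = (sc["comm"], sc["uid"], sc["arch"], sc["syscall"], sc["exit"])
        entry = summary.setdefault(key, {"count": 0, "paths": set(), "errno": None})
        entry["count"] += 1
        entry["paths"].update(ev["paths"])
        code = -int(sc["exit"])  # a negative exit is -errno (-2 = ENOENT, -20 = ENOTDIR)
        if code > 0:
            entry["errno"] = errno.errorcode.get(code, str(code))
    return summary


def suggest_rule(key):
    """Candidate suppression for one class. Only failed calls (negative exit) get a
    rule: suppressing a uid's successful opens would hide real file access."""
    comm, uid, arch, syscall, exit_code = key
    if int(exit_code) >= 0:
        return None
    arch_name = ARCH_NAMES.get(arch, arch)
    return "-a exit,never -F arch=%s -S %s -F exit=%s -F uid=%s" % (arch_name, syscall, exit_code, uid)


def report(text):
    """Noisiest classes first, each followed by its candidate rule (if any)."""
    summary = summarize(group_events(parse_records(text)))
    lines = []
    for key, entry in sorted(summary.items(), key=lambda kv: -kv[1]["count"]):
        comm, uid, arch, syscall, exit_code = key
        lines.append("%3d  comm=%-8s uid=%-5s syscall=%s exit=%s (%s)  e.g. %s" % (
            entry["count"], comm, uid, syscall, exit_code, entry["errno"], sorted(entry["paths"])[0]))
        rule = suggest_rule(key)
        if rule:
            lines.append("     " + rule)
    return "\n".join(lines)


if __name__ == "__main__":
    # Feed a real log on stdin (python3 triage.py < /var/log/audit/audit.log) or use the sample.
    print(report(SAMPLE_LOG if sys.stdin.isatty() else sys.stdin.read()))
```

The generated rules match on the syscall number together with `-F arch=`, because syscall numbers differ between 32-bit and 64-bit callers; a rule keyed on the pointer value in `a0` (as in the post's first rule) instead depends on where the binary happens to keep its string and stops matching when the package is rebuilt. Two properties of auditctl also matter for the rules quoted in the post: the `user` filter list applies to messages that user-space programs (login, PAM, and so on) send through the audit interface and never sees kernel SYSCALL records, so a per-user exclusion for syscall events belongs on the `exit` list; and rules are evaluated in order, so a `never` rule has to appear before the `always` rule it is meant to short-circuit.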