Filtering audit events

[Steven Grubb]

----- Original Message -----
>From: rshaw1 at umbc.edu
>To: linux-audit at redhat.com
>Sent: Monday, August 31, 2015 8:18:12 AM
>Subject: Filtering audit events
>
>I'm trying to figure out a way to filter a large number of events similar
>to the following:
>
>time->Mon Aug 31 08:08:26 2015
>type=PATH msg=audit(1441022906.019:52947542): item=1 name=(null) inode=133
>dev=fd:06 mode=0100640 ouid=0 ogid=9002 rdev=00:00
>obj=system_u:object_r:var_log_t:s0 nametype=NORMAL
>type=PATH msg=audit(1441022906.019:52947542): item=0
>name="/var/log/simpana/Log_Files/locks/" inode=92 dev=fd:06 mode=040775
>ouid=0 ogid=9002 rdev=00:00 obj=system_u:object_r:var_log_t:s0
>nametype=PARENT
>type=CWD msg=audit(1441022906.019:52947542):  cwd="/opt/simpana"
>type=SYSCALL msg=audit(1441022906.019:52947542): arch=c000003e syscall=2
>success=no exit=-13 a0=996d68 a1=42 a2=1b6 a3=0 items=2 ppid=11855
>pid=15755 auid=7538 uid=0 gid=9002 euid=4990 suid=4990 fsuid=4990
>egid=9002 sgid=9002 fsgid=9002 tty=(none) ses=125779 comm="clBackup"
>exe="/opt/simpana/iDataAgent/clBackup" subj=system_u:system_r:initrc_t:s0
>key="access"

If you use the -i argument to ausearch, it becomes more clear what the issue is. The problem is that the program is opening the file for read and write, but the permissions are just for group read. If that file were 0660, then you would not get this audit event.


>The STIG-compliant audit ruleset we're using seems to generate a lot of
>these, and I'm concerned that may be affecting the performance of the app
>in question (also, I consider it log spam).  I tried the following rule
>(plus a few variations like ogid), but it doesn't seem to be working:
>
>-a exit,never -F gid=9002 -k exclude

This should work as long as its before the open rule. Rules are processed from top to bottom with first match winning.

>What would be the best way to approach this?

Fix the permissions if possible?

-Steve

>I have a few other apps with similar issues.