Systemd Journald and audit logging causing journal issues

Brad Zynda bradley.v.zynda at nasa.gov
Wed Oct 18 16:32:15 UTC 2017



On 10/18/2017 12:26 PM, Steve Grubb wrote:
> On Wednesday, October 18, 2017 12:13:13 PM EDT Brad Zynda wrote:
>> So now you have to comment out a rule at a time and watch for
>> usage/count to fall?
> 
> Well, I am certain that commenting out that rule will drop the count. But the 
> question more is why is that rule being triggered. One thing you could do is 
> post the rule to the mail list if you think it might be formed wrong. But you 
> might also want to see why it's being triggered by doing something like
> 
> ausearch --start today -k perm_mod --raw | aureport --summary --file -i
> 
> ausearch --start today -k perm_mod --raw | aureport --summary -x -i
> 
> ausearch --start today -k perm_mod --raw | aureport --summary --syscall -i
> 
>> Also if I wanted to grep and compare those numbers and alert with an
>> email what would be the magic number to threshold with in a gt statement
>> (500, 1000, etc.)?
> 
> That's a bit harder. You'd want a sliding window of time. Assuming your cron 
> job runs once an hour and a US locale, you'd do something like this:
> 
> aureport --start `date -d '1 hour ago' "+%m/%d/%Y %H:%M:%S"` --key --summary --input-logs
> 
> I don't know what the best threshold would be because it's workload dependent. 
> If you wanted to see things visualized, I'd try playing with the data in R.
> 
> http://security-plus-data-science.blogspot.com/2017/03/bar-charts.html
> http://security-plus-data-science.blogspot.com/2017/03/heatmaps.html
> 
> That assumes you have a recent audit package (2.7 or higher) and RStudio.
> 
> -Steve
> 
Here are the rules:

grep perm_mod /etc/audit/audit.rules
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod

grep delete /etc/audit/audit.rules
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules

Thanks,
Brad
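The hourly sliding-window check and e-mail alert that Brad asks about and Steve sketches, as an added example that is not part of the thread or of the audit package. It assumes GNU date, audit 2.7 or later, and a local mail(1) command; the threshold of 1000 and the ALERT_TO address are placeholders, and the aureport call is the one from Steve's reply.

```sh
#!/bin/sh
# Added example (not from the thread): hourly cron check built on Steve's
# sliding-window aureport command. Assumes GNU date, audit >= 2.7 and a
# local mail(1) command; THRESHOLD (1000) and ALERT_TO are placeholders.

THRESHOLD="${THRESHOLD:-1000}"
ALERT_TO="${ALERT_TO:-root}"

# Key summary for the last hour, exactly as in Steve's reply (US locale).
key_summary_last_hour() {
    aureport --start "$(date -d '1 hour ago' '+%m/%d/%Y %H:%M:%S')" \
             --key --summary --input-logs
}

# Read an aureport key-summary report on stdin and print "key count" for
# every key whose event count exceeds $1. Report title and separator lines
# have a non-numeric first column and are skipped.
keys_over_threshold() {
    awk -v limit="$1" '$1 ~ /^[0-9]+$/ && ($1 + 0) > (limit + 0) { print $2, $1 }'
}

main() {
    hits=$(key_summary_last_hour | keys_over_threshold "$THRESHOLD")
    if [ -n "$hits" ]; then
        printf 'Audit keys over %s events in the last hour on %s:\n%s\n' \
            "$THRESHOLD" "$(hostname)" "$hits" |
            mail -s "audit threshold exceeded on $(hostname)" "$ALERT_TO"
    fi
}

# Run the check only when invoked with "run" (e.g. from an hourly cron
# entry); sourcing the file just defines the functions.
if [ "${1:-}" = "run" ]; then
    main
fi
```

A crontab line such as `0 * * * * /usr/local/sbin/audit-key-watch.sh run` matches the once-an-hour window the aureport --start argument assumes.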
