Question about excluding rules
Moshe Rechtman
mrechtma at redhat.com
Mon Feb 24 00:27:37 UTC 2020
Hello Steve,
Thanks so much for your help, I've modified audit.rules as per your
recommendation:
# cat audit.rules
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 320
#-b 32768
# Feel free to add below this line. See auditctl man page
-a exit,always -F arch=b64 -F euid=0 -F auid=-1 -S execve -k rootact
# auditctl -l
LIST_RULES: exit,always arch=3221225534 (0xc000003e) euid=0 auid=-1 (0xffffffff) key=rootact syscall=execve
With the above settings, audit stops logging all root commands!
Any recommendations/suggestions would be appreciated.
Kind regards,
Moshe
Moshe Rechtman
Technical Support Engineer
Red Hat Israel <https://www.redhat.com/>
34 Jerusalem rd. Ra'anana, 43501
mrechtma at redhat.com <kweg at redhat.com> T: +972-9-7692289
M: +972-54-4971516 F: +972-9-7692223
On Fri, Feb 21, 2020 at 3:53 PM Steve Grubb <sgrubb at redhat.com> wrote:
> On Friday, February 21, 2020 2:32:58 AM EST Moshe Rechtman wrote:
> > Thanks so much for your help! I've included your suggested filter in
> > audit.rules as shown below:
> >
> > # cat audit.rules1
> >
> > 1 # This file contains the auditctl rules that are loaded
> > 2 # whenever the audit daemon is started via the initscripts.
> > 3 # The rules are simply the parameters that would be passed
> > 4 # to auditctl.
> > 5 # First rule - delete all
> > 6 -D
> > 7 # Increase the buffers to survive stress events.
> > 8 # Make this bigger for busy systems
> > 9 -b 320
> > 10 ### Feel free to add below this line. See auditctl man page
> > 11 -a exit,always -F arch=b64 -F euid=0 -S execve -k rootact
> > 12 -a exit,always -F arch=b32 -F euid=0 -S execve -k rootact
> > 13 -a exit,always -F arch=b64 -F euid>=500 -S execve -k useract
> > 14 -a exit,always -F arch=b32 -F euid>=500 -S execve -k useract
> > 15 -a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact
> > 16 -a exit,always -F arch=b32 -F euid=0 -F auid!=unset -S execve -k rootact
>
> It won't work this way. You now have 2 sets of rootact. The audit rule engine
> is a first match wins. So, this second set of rules will never trigger. The
> rule I mentioned was supposed to replace the rule in the list.
>
> > After restarting the auditd service following error received:
> >
> > # service auditd restart
> > Stopping auditd: [ OK ]
> > Starting auditd: [ OK ]
> > Unknown user: unset
> > -F unknown field: auid
>
> OK. I guess this is really old. Then make it auid=-1
>
> -Steve
>
>
>
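The behaviour Moshe reports (no root commands logged once the rule carries auid=-1) and the first-match-wins point Steve makes can both be checked without loading rules into a live system. The following is an added example, not code from the thread or from the audit project: a small Python model of the kernel's exit filter that parses the rule lines quoted above and evaluates them against two constructed execve events, one from an interactive root login (auid set to the login uid) and one from a root cron job (auid unset). The event field values and the Event/parse_rule/first_match names are assumptions made for this example.

```python
# Added example (not from the thread): a small model of how the kernel's exit
# filter evaluates the auditctl rules above, so the effect of auid=-1 versus
# auid!=unset on execve logging can be checked without touching a live system.
from dataclasses import dataclass
UNSET_AUID = 4294967295  # auid=-1 / "unset": no login session (daemons, cron)
@dataclass
class Event:
    arch: str      # "b64" or "b32", as written in the rules
    syscall: str
    euid: int
    auid: int      # login uid; UNSET_AUID when the process has no session
def parse_rule(line):
    """Reduce an '-a exit,always -F ... -S ... -k ...' line to field tests."""
    toks, rule, i = line.split(), {"fields": [], "syscalls": set(), "key": None}, 0
    while i < len(toks):
        if toks[i] == "-F":
            expr = toks[i + 1]
            op = next(o for o in (">=", "!=", "=") if o in expr)  # 2-char ops first
            name, val = expr.split(op, 1)
            if name == "auid" and val in ("-1", "unset", str(UNSET_AUID)):
                val = UNSET_AUID
            elif name != "arch":
                val = int(val)
            rule["fields"].append((name, op, val))
        elif toks[i] == "-S":
            rule["syscalls"].add(toks[i + 1])
        elif toks[i] == "-k":
            rule["key"] = toks[i + 1]
        i += 2 if toks[i].startswith("-") else 1  # every flag here takes one value
    return rule

def matches(rule, ev):
    if ev.syscall not in rule["syscalls"]:
        return False
    for name, op, val in rule["fields"]:
        actual = getattr(ev, name)
        if not {"=": actual == val, "!=": actual != val, ">=": actual >= val}[op]:
            return False
    return True

def first_match(rules, ev):
    """First matching rule wins (as Steve says above); return its key or None."""
    return next((r["key"] for r in rules if matches(r, ev)), None)

# Constructed events: a root shell from an interactive login (auid=1000) and a
# root cron job (auid unset). The rule text is copied from the thread.
ROOT_SHELL = Event("b64", "execve", 0, 1000)
ROOT_CRON = Event("b64", "execve", 0, UNSET_AUID)
FINAL = [parse_rule("-a exit,always -F arch=b64 -F euid=0 -F auid=-1 -S execve -k rootact")]
SUGGESTED = [parse_rule("-a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k rootact")]
```

With the auid=-1 rule only the cron event gets the rootact key, while the auid!=unset rule keys only the interactive shell; putting the original euid=0 rule before either one makes it win for both events.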