LinuxQuestions.org
Old 02-22-2013, 10:38 AM   #1
drManhattan
Member
RHEL_auditd how to filter per GID users only ?


Hi

I want to audit only users from certain GID on my RHEL5.8 box.
I configured auditd with the following audit.rules file:
Code:
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 1000
# Feel free to add below this line. See auditctl man page
-a exit,always -F arch=b64 -F gid=2101 -S unlink -S rmdir
-w /home/ -k access_rootfs -p xaw
When I start auditd, in its log I see not only syscall "unlink" and "rmdir" for users from within GID=2101 but also the following:
Code:
node=10.192.25.55 type=USER_ACCT msg=audit(1361550601.159:386198): user pid=7766 uid=0 auid=4294967295 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
node=10.192.25.55 type=CRED_ACQ msg=audit(1361550601.159:386199): user pid=7766 uid=0 auid=4294967295 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
node=10.192.25.55 type=LOGIN msg=audit(1361550601.159:386200): login pid=7766 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=63309
node=10.192.25.55 type=USER_ACCT msg=audit(1361550601.160:386201): user pid=7767 uid=0 auid=4294967295 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
My question is:
How to configure auditd to ONLY audit users from GID=2101 ?

When I start auditd I see the following head output:
Code:
node=10.192.25.55 type=DAEMON_START msg=audit(1361551830.781:251): auditd start, ver=1.8 format=raw kernel=2.6.18-308.el5 auid=0 pid=16923 res=success
node=10.192.25.55 type=CONFIG_CHANGE msg=audit(1361551830.884:386584): audit_enabled=1 old=1 by auid=0 res=1
node=10.192.25.55 type=CONFIG_CHANGE msg=audit(1361551830.886:386585): audit_backlog_limit=1000 old=1000 by auid=0 res=1
node=10.192.25.55 type=CONFIG_CHANGE msg=audit(1361551830.886:386586): auid=0 op=add rule key=(null) list=4 res=1
node=10.192.25.55 type=CONFIG_CHANGE msg=audit(1361551830.886:386587): auid=0 op=add rule key=(null) list=4 res=1
node=10.192.25.55 type=CONFIG_CHANGE msg=audit(1361551830.886:386588): auid=0 op=add rule key="access_rootfs" list=4 res=1
Maybe there is a problem in that auditd loads "op=add rule key=(null)"?

Old 02-22-2013, 11:20 AM   #2
unSpawn
Moderator
USER_ACCT, CRED_ACQ and LOGIN are message types. Usually you don't want to miss out on logging those (though you can have "-a exclude,always -F msgtype=SOMETHING" if you really know what you're doing). "auid=0 op=add rule" isn't an error but the audit service notifying you it loaded rules. auid=4294967295, in other words a message from a process that was started before the audit service was, means you should start the audit service earlier ;-p

You can also add excludes; for example, for "auid=4294967295" you add
Code:
... -F ! auid=4294967295 ...
For more, see "-F" in 'man auditctl'.
 
Old 02-25-2013, 10:11 AM   #3
drManhattan
Member
Original Poster
Hi

Thx for your reply.

I only want auditd to log messages in the /var/log/audit/audit.log file for the following setup:
1. Access, write, modification of files or dirs in the /home fs.
2. I don't want anything to be logged in that audit.log file apart from messages related to uid=2217.

My actual setup looks like this:
Code:
# First rule - delete all
-D

# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 1000

###--> FILE ACCESS (WATCHES)
-w /home/ -k access_homefs -p xaw

###--> SYSTEM CALL RULES
-A user,never -F uid=0 -F auid=4294967295 -F auid=506 -F auid=0
-a exit,always -F arch=b64 -F arch=b32 -S unlinkat
-a exit,always -F arch=b64 -F arch=b32 -F uid=2217 -S all
Unfortunately it still logs syscalls from uid=0.

Old 02-25-2013, 07:27 PM   #4
unSpawn
Moderator
Quote:
Originally Posted by drManhattan View Post
My actual setup looks like this
That's fine but that doesn't tell us what you tried to make things work like you want.


Quote:
Originally Posted by drManhattan View Post
I only want auditd to log messages in /var/log/audit/audit.log file for
(..) I don't want anything to be logged in that audit.log file apart from messages related to uid=2217. (..) Unfortunately it still logs syscalls from uid=0.
I already told you about negation and exclusion rules and I try to avoid repeating myself. What I'm beginning to suspect is that this is one of those "right job, wrong tool" kind of things, where you try to use the audit log in a way or for a purpose it wasn't meant for in the first place. That doesn't mean it can't be done, but it's probably easier to do it differently, like having Rsyslogd read the log file, apply an inclusion filter and make it spit out the lines to another file. Easy, simple, efficient and only using standard tools.
 
Old 02-26-2013, 07:16 AM   #5
drManhattan
Member
Original Poster
I found it.
I added the following at the beginning of the audit.rules file.
Code:
-a exclude,always -F msgtype>=1100 -F msgtype<=1299
-a exclude,always -F msgtype>=1400 -F msgtype<=2999
Now my question is how to get rid of the entries below from audit.log
Code:
node=10.8.4.118 type=LOGIN msg=audit(1361884393.999:2503816): login pid=20666 uid=0 old auid=4294967295 new auid=506 old ses=4294967295 new ses=241758
node=10.8.4.118 type=LOGIN msg=audit(1361884394.128:2503817): login pid=20692 uid=0 old auid=4294967295 new auid=506 old ses=4294967295 new ses=241759
node=10.8.4.118 type=LOGIN msg=audit(1361884441.116:2503818): login pid=21144 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=241760
node=10.8.4.118 type=LOGIN msg=audit(1361884441.116:2503819): login pid=21145 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=241761
I can of course use `auditctl -a exclude,always -F msgtype=LOGIN`, but then I don't see any messages of type LOGIN for any user.
I only want to disable type=LOGIN for uid<2000.

How to achieve this ?
 
Old 02-26-2013, 11:21 AM   #6
unSpawn
Moderator
'man auditctl' says each "-F" field equation is anded so try something with "-F ! uid < 2001"?
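A post-processing inclusion filter in the spirit of the rsyslog suggestion in post #4, applied to the LOGIN question in post #5. This is an added example, not code from the thread's authors, written in Python instead of rsyslog configuration; the sample records are constructed and modelled on the lines quoted above. It keeps a record only when its auid/uid (for LOGIN records, the "new auid") is at or above a chosen threshold, which sidesteps the fact that a LOGIN record's own uid is the root-owned login process.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the records quoted in this thread (not a real capture).
SAMPLE_LOG = """\
node=10.8.4.118 type=LOGIN msg=audit(1361884393.999:2503816): login pid=20666 uid=0 old auid=4294967295 new auid=506 old ses=4294967295 new ses=241758
node=10.8.4.118 type=LOGIN msg=audit(1361884441.116:2503818): login pid=21144 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=241760
node=10.8.4.118 type=LOGIN msg=audit(1361884500.000:2503820): login pid=21200 uid=0 old auid=4294967295 new auid=2217 old ses=4294967295 new ses=241762
node=10.8.4.118 type=SYSCALL msg=audit(1361884501.000:2503821): arch=c000003e syscall=87 success=yes exit=0 pid=21201 auid=2217 uid=2217 gid=2217 key="access_homefs"
node=10.8.4.118 type=SYSCALL msg=audit(1361884502.000:2503822): arch=c000003e syscall=87 success=yes exit=0 pid=21202 auid=0 uid=0 gid=0 key="access_homefs"
"""

UNSET_AUID = 4294967295  # -1 as unsigned: process had no login uid (started before auditd)

# key=value pairs; LOGIN records use two-word keys such as "old auid" and "new auid"
_FIELD_RE = re.compile(r'((?:old |new )?[A-Za-z_]+)=("[^"]*"|\S+)')

def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in _FIELD_RE.findall(line)}

def _ids(rec: Dict[str, str], keys) -> List[int]:
    """Numeric identity fields of a record, ignoring the unset sentinel."""
    out = []
    for key in keys:
        val = rec.get(key, "")
        if val.isdigit() and int(val) != UNSET_AUID:
            out.append(int(val))
    return out

def is_wanted(rec: Dict[str, str], min_uid: int = 2000) -> bool:
    """Keep a record only if it is tied to a uid/auid at or above min_uid.
    For LOGIN records only 'new auid' counts: their uid is the login
    process (root), which is why a plain -F uid rule does not help."""
    if rec.get("type") == "LOGIN":
        return any(i >= min_uid for i in _ids(rec, ("new auid",)))
    return any(i >= min_uid for i in _ids(rec, ("auid", "uid")))

def filter_log(text: str, min_uid: int = 2000) -> List[str]:
    """Inclusion filter over raw audit.log text; returns the surviving lines."""
    return [ln for ln in text.splitlines()
            if ln.strip() and is_wanted(parse_record(ln), min_uid)]

if __name__ == "__main__":
    for ln in filter_log(SAMPLE_LOG):
        print(ln)
```

With the threshold at 2000, only the LOGIN record for auid 2217 and the SYSCALL record from uid 2217 survive; the root and uid 506 records are dropped without touching the kernel rule set.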