Linux - Server: This forum is for the discussion of Linux software used in a server-related context.
Distribution: Ubuntu 10.04 LTS on IBM Lenovo R61e, RHEL5-6,SLES10-11
RHEL auditd: how to filter per-GID users only?
Hi
I want to audit only users from a certain GID on my RHEL 5.8 box.
I configured auditd with the following audit.rules file:
Code:
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 1000
# Feel free to add below this line. See auditctl man page
-a exit,always -F arch=b64 -F gid=2101 -S unlink -S rmdir
-w /home/ -k access_rootfs -p xaw
When I start auditd, in its log I see not only the "unlink" and "rmdir" syscalls for users within GID=2101 but also the following:
Code:
node=10.192.25.55 type=USER_ACCT msg=audit(1361550601.159:386198): user pid=7766 uid=0 auid=4294967295 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
node=10.192.25.55 type=CRED_ACQ msg=audit(1361550601.159:386199): user pid=7766 uid=0 auid=4294967295 msg='PAM: setcred acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
node=10.192.25.55 type=LOGIN msg=audit(1361550601.159:386200): login pid=7766 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=63309
node=10.192.25.55 type=USER_ACCT msg=audit(1361550601.160:386201): user pid=7767 uid=0 auid=4294967295 msg='PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)'
My question is:
How do I configure auditd to ONLY audit users from GID=2101?
When I start auditd I see the following head output:
USER_ACCT, CRED_ACQ and LOGIN are message types. Usually you don't want to miss out on logging those (though you can have "-a exclude,always -F msgtype=SOMETHING" if you really know what you're doing). "auid=0 op=add rule" isn't an error but the audit service notifying you it loaded rules. auid=4294967295, in other words a message from a process that was started before the audit service was, means you should start the audit service earlier ;-p
You can also add excludes, like for example for "auid=4294967295" you add
Original Poster
Hi
Thanks for your reply.
I only want auditd to log messages in the /var/log/audit/audit.log file for the following setup:
1. Access, write or modification of files or dirs in the /home fs.
2. I don't want anything to be logged in that audit.log file apart from messages related to uid=2217.
My actual setup looks like this:
Code:
# First rule - delete all
-D
# Increase the buffers to survive stress events.
# Make this bigger for busy systems
-b 1000
###--> FILE ACCESS (WATCHES)
# The watch carries no uid/auid field, so it records every user's access to /home, root included.
-w /home/ -k access_homefs -p xaw
###--> SYSTEM CALL RULES
# The "user" list only governs user-space records (USER_ACCT, CRED_ACQ, ...), not syscall records,
# and the -F fields of one rule are ANDed: auid=4294967295 AND auid=506 AND auid=0 can never match.
-A user,never -F uid=0 -F auid=4294967295 -F auid=506 -F auid=0
# Two arch= fields on one rule are ANDed as well (one arch per rule), and there is no uid filter here.
-a exit,always -F arch=b64 -F arch=b32 -S unlinkat
-a exit,always -F arch=b64 -F arch=b32 -F uid=2217 -S all
Unfortunately it still logs syscalls from uid=0.
Last edited by drManhattan; 02-25-2013 at 10:13 AM.
That's fine but that doesn't tell us what you tried to make things work like you want.
Quote:
Originally Posted by drManhattan
I only want auditd to log messages in /var/log/audit/audit.log file for
(..) Don't want anything to be logged in that audit.log file apart messages related uid=2217. (..) Unfortunatelly it still logs syscalls from uid=0.
I already told you about negation and exclusion rules and I try to avoid repeating myself. What I'm beginning to suspect is that this is one of those "right job, wrong tool" kind of things, where you try to use the audit log in a way or for a purpose it wasn't meant for in the first place. That doesn't mean it can't be done, but it's probably easier to do it differently, like having Rsyslogd read the log file, apply an inclusion filter and spit the lines out to another file. Easy, simple, efficient and only using standard tools.
Original Poster
I found it.
I added the following at the beginning of the audit.rules file.
Code:
# msgtype 1100-1299: user-space records such as USER_ACCT and CRED_ACQ (1100-1199) and auditd daemon records (1200-1203)
-a exclude,always -F msgtype>=1100 -F msgtype<=1299
# msgtype 1400-2999: AVC/SELinux, anomaly and kernel records
-a exclude,always -F msgtype>=1400 -F msgtype<=2999
# Not covered: the 1000-1099 control records (LOGIN is msgtype 1006) and the 1300-1399 syscall/cwd/path records
Now my question is how to get rid of the entries below from audit.log:
Code:
node=10.8.4.118 type=LOGIN msg=audit(1361884393.999:2503816): login pid=20666 uid=0 old auid=4294967295 new auid=506 old ses=4294967295 new ses=241758
node=10.8.4.118 type=LOGIN msg=audit(1361884394.128:2503817): login pid=20692 uid=0 old auid=4294967295 new auid=506 old ses=4294967295 new ses=241759
node=10.8.4.118 type=LOGIN msg=audit(1361884441.116:2503818): login pid=21144 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=241760
node=10.8.4.118 type=LOGIN msg=audit(1361884441.116:2503819): login pid=21145 uid=0 old auid=4294967295 new auid=0 old ses=4294967295 new ses=241761
I can of course use `auditctl -a exclude,always -F msgtype=LOGIN`, but then I don't see the type=LOGIN messages for any user.
I only want to disable type=LOGIN for uid<2000.
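The post-processing route suggested in the reply above (let rsyslog, or any filter, read audit.log and keep only the lines you want) also answers the LOGIN question: the audit exclude filter on the RHEL 5 era kernel keys on msgtype only (later kernels added uid/auid fields to it), so "drop type=LOGIN for auid below 2000 but keep the rest" is not expressible in audit.rules there, whereas a filter over the written log can do it. The script below is an added example, not code from the thread or from the audit package. It keeps whole events (every record sharing one msg=audit(timestamp:serial) event id, because PATH and CWD records carry no uid of their own), keeps non-LOGIN events where uid or auid is 2217, and keeps LOGIN records only when the new auid is 2000 or higher. The uid 2217 and the 2000 floor come from the thread; the sample records are constructed for the example and modelled on the lines posted above, and reading a file path or stdin in main() is an assumption about how it would be wired in. One detail worth noting: a LOGIN record carries both "old auid=" and "new auid=", so a naive key=value split would keep whichever comes last; the script matches "new auid=" explicitly.

```python
#!/usr/bin/env python3
"""Keep only the audit.log events we care about (added example, not the thread's own code).

Rules implemented, following the thread:
  * non-LOGIN records: match if uid or auid is in TARGET_UIDS (2217 in the thread)
  * type=LOGIN records: match only when the new auid is >= LOGIN_AUID_FLOOR (2000)
  * whole events are kept or dropped together: PATH/CWD records have no uid of
    their own, so they ride along with the SYSCALL record sharing their event id
"""
import re
import sys

TARGET_UIDS = {2217}        # users whose activity should reach the filtered log (from the thread)
LOGIN_AUID_FLOOR = 2000     # drop type=LOGIN when the new auid is below this (from the thread)
UNSET_AUID = 4294967295     # (unsigned)-1, "no login uid set": never a real user

_TYPE_RE = re.compile(r'\btype=(\S+)')
_EVENT_RE = re.compile(r'\bmsg=audit\((\d+\.\d+:\d+)\)')   # "timestamp:serial" identifies one event
_UID_RE = re.compile(r'\buid=(\d+)')            # \b keeps this from matching euid=, fsuid=, ouid=
_AUID_RE = re.compile(r'\bauid=(\d+)')
_NEW_AUID_RE = re.compile(r'\bnew auid=(\d+)')  # LOGIN records carry "old auid=" and "new auid="


def parse_record(line):
    """Extract just the fields the filter needs from one audit.log record."""
    rec = {'type': None, 'event': None, 'uid': None, 'auid': None, 'new_auid': None}
    m = _TYPE_RE.search(line)
    if m:
        rec['type'] = m.group(1)
    m = _EVENT_RE.search(line)
    if m:
        rec['event'] = m.group(1)
    for key, regex in (('uid', _UID_RE), ('auid', _AUID_RE), ('new_auid', _NEW_AUID_RE)):
        m = regex.search(line)
        if m:
            rec[key] = int(m.group(1))
    return rec


def record_matches(rec):
    """Decide on a single record, before event grouping is applied."""
    if rec['type'] == 'LOGIN':
        new_auid = rec['new_auid']
        return (new_auid is not None and new_auid != UNSET_AUID
                and new_auid >= LOGIN_AUID_FLOOR)
    return rec['uid'] in TARGET_UIDS or rec['auid'] in TARGET_UIDS


def filter_audit_log(lines):
    """Two passes: find events with at least one matching record, then keep all their records."""
    parsed = [(line, parse_record(line)) for line in lines]
    keep = set(rec['event'] for _, rec in parsed
               if rec['event'] is not None and record_matches(rec))
    return [line for line, rec in parsed if rec['event'] in keep]


# Constructed sample records, modelled on the lines posted in the thread (not real log data).
SAMPLE_LOG = [
    # event 100: uid 2217 removes a file under /home; only the SYSCALL record carries a uid
    'node=10.8.4.118 type=SYSCALL msg=audit(1361884393.999:100): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=2201 pid=2202 auid=2217 uid=2217 gid=2217 euid=2217 suid=2217 fsuid=2217 egid=2217 sgid=2217 fsgid=2217 tty=pts0 ses=241762 comm="rm" exe="/bin/rm" key="access_homefs"',
    'node=10.8.4.118 type=CWD msg=audit(1361884393.999:100): cwd="/home/user2217"',
    'node=10.8.4.118 type=PATH msg=audit(1361884393.999:100): item=0 name="/home/user2217/tmp.txt" inode=131074 dev=08:02 mode=0100644 ouid=2217 ogid=2217 rdev=00:00',
    # event 101: root removes a file owned by 2217 (ouid=2217 must not count as uid=2217)
    'node=10.8.4.118 type=SYSCALL msg=audit(1361884394.128:101): arch=c000003e syscall=87 success=yes exit=0 items=2 ppid=1 pid=2210 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=241763 comm="rm" exe="/bin/rm" key="access_homefs"',
    'node=10.8.4.118 type=PATH msg=audit(1361884394.128:101): item=0 name="/home/user2217/old.txt" inode=131075 dev=08:02 mode=0100644 ouid=2217 ogid=2217 rdev=00:00',
    # logins: cron session for uid 506 (below the floor, dropped), session for 2217 (kept)
    'node=10.8.4.118 type=LOGIN msg=audit(1361884441.116:102): login pid=21144 uid=0 old auid=4294967295 new auid=506 old ses=4294967295 new ses=241764',
    'node=10.8.4.118 type=LOGIN msg=audit(1361884450.001:103): login pid=21150 uid=0 old auid=4294967295 new auid=2217 old ses=4294967295 new ses=241765',
    # PAM accounting for root's cron job (dropped)
    'node=10.8.4.118 type=USER_ACCT msg=audit(1361884451.000:104): user pid=21160 uid=0 auid=4294967295 msg=\'PAM: accounting acct="root" : exe="/usr/sbin/crond" (hostname=?, addr=?, terminal=cron res=success)\'',
]


if __name__ == '__main__':
    # Usage (assumed): python3 filter_audit.py /var/log/audit/audit.log.1 > /var/log/audit/uid2217.log
    with (open(sys.argv[1]) if len(sys.argv) > 1 else sys.stdin) as src:
        for line in filter_audit_log(src):
            sys.stdout.write(line)
```

Because the grouping pass needs to see a whole event before deciding, the script buffers its input; run it over a rotated file or from a periodic job rather than behind tail -F. For a streaming version you would buffer records per event id and flush an event when a record with a different id arrives, accepting that records of one event can occasionally interleave under load.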