On Wednesday, January 05, 2011 02:27:58 pm LC Bruzenak wrote:
> On Wed, 2011-01-05 at 08:35 -0500, [email protected] wrote:
> > I'm running audit 1.7.17-3 (RHEL 5) on ~450 clients sending via audisp to
> > a single server. This is mostly working well, except that periodically,
> > I get messages like:
> >
> > Jan 4 07:57:33 hostfoo audispd: queue is full - dropping event
> > Jan 4 07:58:04 hostfoo last message repeated 814 times
> > Jan 4 07:59:05 hostfoo last message repeated 4121 times
> > Jan 4 08:00:06 hostfoo last message repeated 2602 times
> > Jan 4 08:00:31 hostfoo last message repeated 773 times
> >
> > Reading through the man pages, I've increased the q_depth value in
> > audispd.conf. But even with it set at 99999 (the maximum), many events
> > are still being dropped from almost half the clients. Setting disp_qos
> > to "lossless" in auditd.conf has also not helped.
> >
> > It would be nice to solve this in general. More specifically, however, I
> > know that on the worst offender, the flood of events is being caused by
> > an rsync job that runs at 8 and 12. The events look something like:
> >
> > node=hostfoo.domain.com type=SYSCALL msg=audit(1294232521.544:29609884):
> > arch=c000003e syscall=90 success=yes exit=0 a0=7fffbe5a7f60 a1=1ed a2=1
> > a3=0 items=1 ppid=4397 pid=4398 auid=4990 uid=4990 gid=100 euid=4990
> > suid=4990 fsuid=4990 egid=100 sgid=100 fsgid=100 tty=(none) ses=2867
> > comm="rsync" exe="/home/bob/.toast/pkg/rsync/v3.0.4/1/root/bin/rsync"
> > key="perm_mod"
> >
> > Is there any way I can tell the perm_mod rules in audit.rules "Don't tell
> > me about it if the command is rsync"? I couldn't find an obvious answer
> > from the auditctl man page (it doesn't seem that I can just specify, say,
> > comm!=rsync).
> >
> > Thanks,
> >
> > --Ray
>
> Ray,
>
> I think your example illustrates why you would not want to filter based
> on command name since it is a non-standard rsync
> (/home/bob/.toast/pkg/rsync/v3.0.4/1/root/bin/rsync).
> Probably a trojan. :)
>
> The problem is that you likely do not want to disallow all rsync events,
> just the ones you want to allow to run event-free.
>
> Otherwise you are effectively overriding the rule which specifies these
> events in the first place, since everyone can run rsync - or maybe it
> justifies removing this rule in your case?
>
> You can do it by controlling access to rsync, then disallow selected
> subjects, with types (custom policy) or group (egid). Or set a range of
> UIDs which are allowed to rsync free of audit, then specify that range
> of UIDs as acceptable in your rule.
>
> You are right; rsyncs generate LOTS of events due to this rule and
> basically can overflow the event queue regardless of the settings.
>
> The easiest way (just a theory), if this is a cron job, is to run it as
> a particular pseudo-user from /etc/cron.d/, then add that uid to the
> rule with "-F euid!= 1000". You could add that pseudo user ID to the
> sudoers file and have it run rsync with nopasswd.
Yeah, a custom uid might help your situation. Also look at boosting the priority so that audispd gets more runtime.

-Steve

> Bottom line is that there are a few ways around it but nothing as simple
> as excluding by command.
>
> HTH,
> LCB

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
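As an added example (not code from the thread or from the audit project), a small Python triage script that parses SYSCALL records like the one Ray quoted, counts perm_mod events by exe and euid to confirm which binary and which uid are actually flooding the audispd queue, and prints the euid-exclusion rule shape LCB describes. The sample records are constructed from the quoted one, and the chmod/fchmod/fchmodat syscall list is an assumed baseline for a perm_mod rule, not something the thread states.

```python
import re
from collections import Counter

# Constructed sample records modelled on the one quoted in the thread; not real log data.
# On x86_64 (arch=c000003e) syscall 90 is chmod, the call a perm_mod rule watches.
SAMPLE_AUDIT_LINES = [
    'node=hostfoo.domain.com type=SYSCALL msg=audit(1294232521.544:29609884): '
    'arch=c000003e syscall=90 success=yes exit=0 a0=7fffbe5a7f60 a1=1ed a2=1 '
    'a3=0 items=1 ppid=4397 pid=4398 auid=4990 uid=4990 gid=100 euid=4990 '
    'suid=4990 fsuid=4990 egid=100 sgid=100 fsgid=100 tty=(none) ses=2867 '
    'comm="rsync" exe="/home/bob/.toast/pkg/rsync/v3.0.4/1/root/bin/rsync" key="perm_mod"',
    'node=hostfoo.domain.com type=SYSCALL msg=audit(1294232521.545:29609885): '
    'arch=c000003e syscall=90 success=yes exit=0 items=1 ppid=4397 pid=4398 auid=4990 euid=4990 '
    'comm="rsync" exe="/home/bob/.toast/pkg/rsync/v3.0.4/1/root/bin/rsync" key="perm_mod"',
    'node=hostfoo.domain.com type=SYSCALL msg=audit(1294232521.546:29609886): '
    'arch=c000003e syscall=90 success=yes exit=0 items=1 ppid=4397 pid=4398 auid=4990 euid=4990 '
    'comm="rsync" exe="/home/bob/.toast/pkg/rsync/v3.0.4/1/root/bin/rsync" key="perm_mod"',
    'node=hostbar.domain.com type=SYSCALL msg=audit(1294232530.001:1200): '
    'arch=c000003e syscall=90 success=yes exit=0 items=1 ppid=2200 pid=2201 auid=501 euid=501 '
    'comm="chmod" exe="/bin/chmod" key="perm_mod"',
]

# A field is name=value; the value is a double-quoted string or a run of
# non-space characters (which also covers msg=audit(...): and tty=(none)).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit record into a dict of field -> value, quotes stripped."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def summarize_by_key(lines, key="perm_mod"):
    """Count SYSCALL records carrying `key`, grouped by (exe, euid); the top
    entry is the binary and effective uid flooding the audispd queue."""
    counts = Counter()
    for rec in (parse_record(ln) for ln in lines):
        if rec.get("type") == "SYSCALL" and rec.get("key") == key:
            counts[(rec.get("exe", "?"), rec.get("euid", "?"))] += 1
    return counts

def suggest_euid_exclusion(euid, key="perm_mod"):
    """Rule shape suggested in the thread: keep auditing chmod-family calls but
    skip one dedicated uid with -F euid!=<uid>. The syscall list is an assumed
    baseline for a perm_mod rule, not something the thread quotes."""
    return ("-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat "
            "-F euid!=%s -k %s" % (euid, key))

if __name__ == "__main__":
    for (exe, euid), n in summarize_by_key(SAMPLE_AUDIT_LINES).most_common():
        print("%6d  euid=%-5s %s" % (n, euid, exe))
    print(suggest_euid_exclusion(summarize_by_key(SAMPLE_AUDIT_LINES).most_common(1)[0][0][1]))
```

Run it against `ausearch -k perm_mod --raw` output from the noisy client to confirm the flood comes from a single uid before carving that uid out of the rule; if several ordinary users' rsync runs show up, the uid approach alone will not quiet the queue.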
