Hi Steve, Thanks for the response. Your response cleared many of my doubts. I need one clarity on use of Linux capability CAP_AUDIT_CONTROL.
My understanding is that, only root user can start/stop audit service and configure auditctl rules. auditctl.c and auditd.c specifically check for uid to be zero. The man page says CAP_AUDIT_CONTROL " Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules." Does this mean, a process with CAP_AUDIT_CONTROL capability running from non root account will be able to start/stop audit and configure auditctl rules? Are there any documentation about how to use CAP_AUDIT_CONTROL capability and how it is related to audit? Is it possible to suppress events for a file for the set of specific syscalls? Example: Using the below rule I want to suppress audit event only for chmod syscall for file /tmp/read_only. However below rule not only suppresses the audit event for chmod syscall but also for other syscalls for /tmp/read_only file. # auditctl -a never,exit -F arch=x86_64 -F path=/tmp/read_only -S chmod Regards, Ketan -----Original Message----- From: Steve Grubb [mailto:[email protected]] Sent: Monday, May 09, 2016 7:20 PM To: [email protected] Cc: Bhagwat, Shriniketan Manjunath <[email protected]> Subject: Re: Audit reporting Invalid argument On Monday, May 09, 2016 01:40:58 PM Bhagwat, Shriniketan Manjunath wrote: > I am trying to monitor multiple files using Linux audit. In order to > get better performance, I am trying to reduce number of rules. If I > specify more than one path field as in below example I am getting > "Invalid argument". > > Examle1: > # auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c > -F path=/home/secpack/test -S open Error sending add rule data request > (Invalid argument) > > # auditctl -a always,exit -F arch=x86_64 -F path=/home/secpack/test.c > -F dir=/tmp/ -S open Error sending add rule data request (Invalid > argument) > > However, I am able to create a single rule to monitor multiple PIDs or > UIDs as below. > > Examle2: > # auditctl -a always,exit -F arch=x86_64 -F pid=3526 -F pid=3537 # > auditctl -a always,exit -F arch=x86_64 -F auid=0 -F auid=512 -F > auid=1002 Which will produce no events due to the anding you mention below. Something cannot have both pid 3526 and 3537. > As per the auditctl man page, Build a rule field takes up to 64 fields > on a single command line. Each one must start with -F. Each field > equation is anded with each other to trigger an audit record. My > question is, 1. specify more than one path field as in example1 is valid? Nope. > 2. If not valid than how do I create single audit rule to monitor > multiple files/directory? They need to be separate rules. You can also recursively watch a directory with 'dir' > 3. If valid, then why "Invalid argument" is reported? > 4. To monitor 10 files, should 10 audit rules required? Possibly. > 5. if 10 rules are required, how to I optimize the rule for performance? The filesystem watches are very efficient. You can probably put a 100 watches on random files and you will not be able to see any performance hit unless they are actually triggered. Syscall rules on the otherhand do affect performance. > My next question is does Linux audit support regular expressions? No. The kernel pretty much wants things to be numbers rather than strings. > How do I create audit rule to monitor /var/log/*.log? -a always,exit -F dir=/var/log/audit/ -F perm=wa -F key=write-audit-log -Steve > # auditctl -a always,exit -F arch=x86_64 -F path=^/var/log/*.log$ -S open > Error sending add rule data request (Invalid argument) > > If my questions are already documented, please guide me to the > documentation. > > Regards, > Ketan -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
