On 10/18/2017 12:26 PM, Steve Grubb wrote:
> On Wednesday, October 18, 2017 12:13:13 PM EDT Brad Zynda wrote:
>> So now you have to comment out a rule at a time and watch for
>> usage/count to fall?
>
> Well, I am certain that commenting out that rule will drop the count. But the
> question more is why is that rule being triggered. One thing you could do is
> post the rule to the mail list if you think it might be formed wrong. But you
> might also want to see why it's being triggered by doing something like
>
> ausearch --start today -k perm_mod --raw | aureport --summary --file -i
>
> ausearch --start today -k perm_mod --raw | aureport --summary -x -i
>
> ausearch --start today -k perm_mod --raw | aureport --summary --syscall -i
>
>> Also if I wanted to grep and compare those numbers and alert with an
>> email what would be the magic number to threshold with in a gt statement
>> (500, 1000, etc.)?
>
> That's a bit harder. You'd want a sliding window of time. Assuming your cron
> job runs once an hour and a US locale, you'd do something like this:
>
> aureport --start `date -d '1 hour ago' "+%m/%d/%Y %H:%M:%S"` --key --summary
> --input-logs
>
> I don't know what the best threshold would be because it's workload dependent.
> If you wanted to see things visualized, I'd try playing with the data in R.
>
> http://security-plus-data-science.blogspot.com/2017/03/bar-charts.html
> http://security-plus-data-science.blogspot.com/2017/03/heatmaps.html
>
> That assumes you have a recent audit package (2.7 or higher) and RStudio.
>
> -Steve
>

Here are the rules:
grep perm_mod /etc/audit/audit.rules
-a always,exit -F arch=b64 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chmod -S fchmod -S fchmodat -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S chown -S fchown -S fchownat -S lchown -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b64 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod
-a always,exit -F arch=b32 -S setxattr -S lsetxattr -S fsetxattr -S removexattr -S lremovexattr -S fremovexattr -F auid>=1000 -F auid!=4294967295 -k perm_mod

grep delete /etc/audit/audit.rules
-a always,exit -F arch=b64 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b32 -S unlink -S unlinkat -S rename -S renameat -F auid>=1000 -F auid!=4294967295 -k delete
-a always,exit -F arch=b64 -S init_module -S delete_module -k modules
-a always,exit -F arch=b32 -S init_module -S delete_module -k modules

Thanks,
Brad

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
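The hourly sliding-window check Steve sketches, written out as a small cron-friendly script. This is an added example, not code from the thread or from the audit package: it builds the same `aureport --start <1 hour ago> --key --summary --input-logs` command, parses the key summary table, and flags keys whose count exceeds a per-key threshold. The embedded report text is a constructed sample assumed to resemble aureport's key summary output, and the threshold values are placeholders a site would set from its own baseline, since the thread makes the point that the right number is workload dependent.

```python
#!/usr/bin/env python3
"""Hourly audit-key threshold check (added example, not from the linux-audit thread).

Builds the sliding-window aureport command from the thread, parses the
"Key Summary Report" table it prints, and returns every key whose count
exceeds a threshold.  Run with --demo to parse the constructed sample
instead of calling aureport.
"""
import re
import subprocess
import sys
from datetime import datetime, timedelta

# Constructed sample of what `aureport --key --summary` prints (assumed format).
SAMPLE_REPORT = """
Key Summary Report
===========================
total  key
===========================
2461  perm_mod
87  delete
3  modules
"""

# Assumed per-key thresholds; DEFAULT_THRESHOLD applies to keys not listed.
# A site would derive these from several days of its own aureport baselines.
THRESHOLDS = {"perm_mod": 1000, "delete": 500, "modules": 1}
DEFAULT_THRESHOLD = 500

# One data row: a count, whitespace, the key name.  Header and === lines
# do not start with digits, so they never match.
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s*$")


def aureport_command(window=timedelta(hours=1), now=None):
    """Return the aureport argv for the last `window`, US-locale timestamp
    (same shape as `date -d '1 hour ago' "+%m/%d/%Y %H:%M:%S"` in the thread)."""
    start = (now or datetime.now()) - window
    return ["aureport", "--start", start.strftime("%m/%d/%Y %H:%M:%S"),
            "--key", "--summary", "--input-logs"]


def parse_key_summary(text):
    """Parse 'count  key' rows into {key: count}."""
    counts = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if m:
            counts[m.group(2)] = counts.get(m.group(2), 0) + int(m.group(1))
    return counts


def over_threshold(counts, thresholds=THRESHOLDS, default=DEFAULT_THRESHOLD):
    """Return {key: (count, threshold)} for keys whose count exceeds threshold."""
    return {k: (c, thresholds.get(k, default))
            for k, c in counts.items() if c > thresholds.get(k, default)}


def run_check(window=timedelta(hours=1)):
    """Run aureport for the window and return the keys over threshold."""
    out = subprocess.run(aureport_command(window), capture_output=True,
                         text=True, check=True).stdout
    return over_threshold(parse_key_summary(out))


if __name__ == "__main__":
    if "--demo" in sys.argv:
        alerts = over_threshold(parse_key_summary(SAMPLE_REPORT))
    else:
        alerts = run_check()
    for key, (count, limit) in sorted(alerts.items()):
        print(f"ALERT key={key} count={count} threshold={limit}")
    # Non-zero exit lets cron or a wrapper decide to send the e-mail.
    sys.exit(1 if alerts else 0)
```

Running the script from cron every hour matches the one-hour window, so each run covers exactly the interval since the previous one. When a key trips the threshold, the per-key `ausearch ... --raw | aureport --summary --file/-x/--syscall -i` breakdowns quoted above show which files, executables and syscalls produced the volume, which is the information needed to decide whether the rule is too broad or the activity is genuinely unusual.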
