Hi, On Thu, Nov 19, 2020 at 11:34 AM Steve Grubb <sgr...@redhat.com> wrote: > > On Thursday, November 19, 2020 9:04:24 AM EST Andreas Hasenack wrote: > > I read in an old presentation (~2011) that these come from "trusted > > apps", > > There are only 10 - 15 apps that are "trusted apps". They are logging events > that are required by various security standards such as common criteria, DISA > STIG, PCI DSS, etc. > > > and in fact any process with cap_audit_write (iirc) can log > > such events. > > While that may be true, it is generally not the case that they do in fact > log. > > > The tip was that exclude/never list/action could be used to reduce this > > noise, is that still the case and recommended approach? > > If you must, sure. Trusted app events are in the 1100-1199 range. But which > app is causing the problems that you see? In the past, we had to silence > crond because it was noisy.
cron is one, for sure. Everytime it fires, it's a sequence of USER_ACCT, CRED_ACQ, LOGIN, USER_START, CRED_DISP, USER_END. And it doesn't really log useful information either, like the job it ran. The syslog entry is more useful for that. In this example, I had a /bin/true root crontab: ---- type=USER_ACCT msg=audit(11/19/20 14:44:01.418:368) : pid=32715 uid=root auid=unset ses=unset msg='op=PAM:accounting acct=root exe=/usr/sbin/cron hostname=? addr=? terminal=cron res=success' ---- type=CRED_ACQ msg=audit(11/19/20 14:44:01.418:369) : pid=32715 uid=root auid=unset ses=unset msg='op=PAM:setcred acct=root exe=/usr/sbin/cron hostname=? addr=? terminal=cron res=success' ---- type=LOGIN msg=audit(11/19/20 14:44:01.418:370) : pid=32715 uid=root old-auid=unset auid=root tty=(none) old-ses=4294967295 ses=6 res=yes ---- type=USER_START msg=audit(11/19/20 14:44:01.418:371) : pid=32715 uid=root auid=root ses=6 msg='op=PAM:session_open acct=root exe=/usr/sbin/cron hostname=? addr=? terminal=cron res=success' ---- type=CRED_DISP msg=audit(11/19/20 14:44:01.422:372) : pid=32715 uid=root auid=root ses=6 msg='op=PAM:setcred acct=root exe=/usr/sbin/cron hostname=? addr=? terminal=cron res=success' ---- type=USER_END msg=audit(11/19/20 14:44:01.422:373) : pid=32715 uid=root auid=root ses=6 msg='op=PAM:session_close acct=root exe=/usr/sbin/cron hostname=? addr=? terminal=cron res=success' ---- Another one is k8s apparently reapplying the iptables rules frequently, so I get SYSCALL for setsockopt() with IPT_SO_SET_REPLACE and NETFILTER_CFG entries. These perhaps I could turn off based on who is emitting them via "exe=/foo/bar" and/or userid, as I can see this happening very frequently as containers come and go. > > > Or is there a way to use audit with only the rules defined in /etc/audit/ > > rules.d? > > The rules in that dir are insufficient to fulfill regulatory requirements. If > you are doing some kind of syscall experiment, then I can see that you might > want to turn them off. But if your aim is meeting some kind of standard, then > other events are required. No standard or regulatory requirement required, I was just looking at another layer of security to watch for specific events for which I would create rules. -- Linux-audit mailing list Linux-audit@redhat.com https://www.redhat.com/mailman/listinfo/linux-audit
