pauldaviesc / logging-limits.conf Goto Github PK
View Code? Open in Web Editor NEWTry and solving to log the violation of rules specified in limits.conf
Try and solving to log the violation of rules specified in limits.conf
Note-to-self :
The a0 field was there in the original notify.sh. This is required to understand which resource was requested for. When some part of notify.sh was was ported to py script, forgot to add the a0 field to the RLIMIT violation notification.
Thank you for great idea and implementation!
Just tried to use today and ran into some issues:
$ sudo sh ./rules.sh
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch
Syscall name unknown: mmap2
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch
Any ideas of why some of the auditctl commands have failed?
After rules.sh was ran, here's list of rules that were created anyway:
$ sudo auditctl -l
-a always,exit -S clone -F key=noproc
-a always,exit -S fork -F key=noproc
-a always,exit -S vfork -F key=noproc
-a always,exit -S execve -F key=exec
-a always,exit -S write -F exit=-EFBIG -F success=0 -F key=fsize
-a always,exit -S open -F exit=-EMFILE -F success=0 -F key=nofile
-a always,exit -S mlock -F exit=-ENOMEM -F success=0 -F key=memlock
-a always,exit -S mlockall -F exit=-ENOMEM -F success=0 -F key=memlock
-a always,exit -S munlock -F exit=-ENOMEM -F success=0 -F key=memlock
-a always,exit -S munlockall -F exit=-ENOMEM -F success=0 -F key=memlock
-a always,exit -S mmap -F exit=-EAGAIN -F success=0 -F key=memlock
-a always,exit -S mmap -F exit=-ENOMEM -F success=0 -F key=as
-a always,exit -S munmap -F exit=-ENOMEM -F success=0 -F key=as
-a always,exit -S brk -F exit=-ENOMEM -F success=0 -F key=as
-a always,exit -S setrlimit -F exit=-EINVAL -F success=0 -F key=rlimit
-a always,exit -S setrlimit -F exit=-EPERM -F success=0 -F key=rlimit
Most of the messages above are warnings, not sure if rules will actually work now.
Two rules were nnot created.
$ grep auditctl rules.sh | wc -l
18
$ sudo auditctl -l | wc -l
16
RHEL 6.7
2.6.32-573.12.1.el6.x86_64
It is due to the fact that the number of fields in the system call log of the audit system varies. Thus the approach of selecting fixed field assuming that it is the required field is flawed. It may require the porting of the predecessors.sh to a python script.
When the audit system clears the audit.log automatically a mail is sent containing all the violations so far. This happens due to the fact that the after that log gets cleared , curr* will be empty and the prev* will contain the previous violations. Now when you take the diff , the diff will be full of prev and that is send as mail.
Note-to-self:
At times we comm and exe field in audit log is inadequate. For example if the command "ruby example.rb", if it is to create some audit log then we will have exe= and comm="ruby". This obviously does not give any idea about the the program that was actually run. So it will be great if we can rely on the type=EXECVE audit logs.
A declarative, efficient, and flexible JavaScript library for building user interfaces.
๐ Vue.js is a progressive, incrementally-adoptable JavaScript framework for building UI on the web.
TypeScript is a superset of JavaScript that compiles to clean JavaScript output.
An Open Source Machine Learning Framework for Everyone
The Web framework for perfectionists with deadlines.
A PHP framework for web artisans
Bring data to life with SVG, Canvas and HTML. ๐๐๐
JavaScript (JS) is a lightweight interpreted programming language with first-class functions.
Some thing interesting about web. New door for the world.
A server is a program made to process requests and deliver data to clients.
Machine learning is a way of modeling and interpreting data that allows a piece of software to respond intelligently.
Some thing interesting about visualization, use data art
Some thing interesting about game, make everyone happy.
We are working to build community through open source technology. NB: members must have two-factor auth.
Open source projects and samples from Microsoft.
Google โค๏ธ Open Source for everyone.
Alibaba Open Source for everyone
Data-Driven Documents codes.
China tencent open source team.