pauldaviesc / logging-limits.conf Goto Github PK

Note-to-self :
The a0 field was there in the original notify.sh. This is required to understand which resource was requested for. When some part of notify.sh was was ported to py script, forgot to add the a0 field to the RLIMIT violation notification.

Thank you for great idea and implementation!

Just tried to use today and ran into some issues:

$ sudo sh ./rules.sh
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch
Syscall name unknown: mmap2
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch
WARNING - 32/64 bit syscall mismatch, you should specify an arch

Any ideas of why some of the auditctl commands have failed?

After rules.sh was ran, here's list of rules that were created anyway:

$ sudo auditctl -l
-a always,exit -S clone -F key=noproc
-a always,exit -S fork -F key=noproc
-a always,exit -S vfork -F key=noproc
-a always,exit -S execve -F key=exec
-a always,exit -S write -F exit=-EFBIG -F success=0 -F key=fsize
-a always,exit -S open -F exit=-EMFILE -F success=0 -F key=nofile
-a always,exit -S mlock -F exit=-ENOMEM -F success=0 -F key=memlock
-a always,exit -S mlockall -F exit=-ENOMEM -F success=0 -F key=memlock
-a always,exit -S munlock -F exit=-ENOMEM -F success=0 -F key=memlock
-a always,exit -S munlockall -F exit=-ENOMEM -F success=0 -F key=memlock
-a always,exit -S mmap -F exit=-EAGAIN -F success=0 -F key=memlock
-a always,exit -S mmap -F exit=-ENOMEM -F success=0 -F key=as
-a always,exit -S munmap -F exit=-ENOMEM -F success=0 -F key=as
-a always,exit -S brk -F exit=-ENOMEM -F success=0 -F key=as
-a always,exit -S setrlimit -F exit=-EINVAL -F success=0 -F key=rlimit
-a always,exit -S setrlimit -F exit=-EPERM -F success=0 -F key=rlimit

Most of the messages above are warnings, not sure if rules will actually work now.
Two rules were nnot created.

$ grep auditctl rules.sh | wc -l
18
$ sudo auditctl -l | wc -l
16

RHEL 6.7
2.6.32-573.12.1.el6.x86_64

It is due to the fact that the number of fields in the system call log of the audit system varies. Thus the approach of selecting fixed field assuming that it is the required field is flawed. It may require the porting of the predecessors.sh to a python script.

When the audit system clears the audit.log automatically a mail is sent containing all the violations so far. This happens due to the fact that the after that log gets cleared , curr* will be empty and the prev* will contain the previous violations. Now when you take the diff , the diff will be full of prev and that is send as mail.

Note-to-self:
At times we comm and exe field in audit log is inadequate. For example if the command "ruby example.rb", if it is to create some audit log then we will have exe= and comm="ruby". This obviously does not give any idea about the the program that was actually run. So it will be great if we can rely on the type=EXECVE audit logs.