On 12/29/2014 08:41 PM, Paul Moore wrote:
> To help verify that I'm heading down the right path, could you share your
> audit configuration as well? If that's not possible, can you at least
> confirm that you're using a few audit directory watches?

Well, it is just a victim system for trinity - but I did not configure
auditd in a special manner - so it is just the plain default configuration
of Gentoo:

n22kvm-clone audit # wc *
   26  201 1127 audit.rules
   13   85  573 audit.rules.stop.post
   16   81  547 audit.rules.stop.pre
   32   95  701 auditd.conf
   87  462 2948 total

n22kvm-clone audit # tail -n 40 -v *
==> audit.rules <==
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/audit.rules-2.1.3,v 1.1 2011/09/11 02:58:55 robbat2 Exp $
#
# This file contains the auditctl rules that are loaded
# whenever the audit daemon is started via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# First rule - delete all
# This is to clear out old rules, so we don't append to them.
-D

# Feel free to add below this line. See auditctl man page

# The following rule would cause all of the syscalls listed to be ignored in logging.
-a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
#-a exit,never -F arch=b64 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat

# The following rule would cause the capture of all systems not caught above.
# -a exit,always -S all

# Increase the buffers to survive stress events
-b 8192

# vim:ft=conf:

==> audit.rules.stop.post <==
# Copyright 1999-2005 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/audit.rules.stop.post,v 1.1 2006/06/22 07:41:46 robbat2 Exp $
#
# This file contains the auditctl rules that are loaded immediately after the
# audit daemon is stopped via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# Not used for the default Gentoo configuration as of v1.2.3
# Paranoid security types might wish to reconfigure kauditd here.

# vim:ft=conf:

==> audit.rules.stop.pre <==
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/audit.rules.stop.pre,v 1.2 2011/09/11 02:58:55 robbat2 Exp $
#
# This file contains the auditctl rules that are loaded immediately before the
# audit daemon is stopped via the initscripts.
# The rules are simply the parameters that would be passed
# to auditctl.

# auditd is stopping, don't capture events anymore
-D

# Disable kernel generating audit events
-e 0

# vim:ft=conf:

==> auditd.conf <==
#
# This file controls the configuration of the audit daemon
#

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = root
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key

n22kvm-clone audit # cat /etc/conf.d/auditd
# Copyright 1999-2011 Gentoo Foundation
# Distributed under the terms of the GNU General Public License v2
# $Header: /var/cvsroot/gentoo-x86/sys-process/audit/files/auditd-conf.d-2.1.3,v 1.1 2011/09/11 02:58:55 robbat2 Exp $

# Configuration options for auditd
# -f for foreground mode
# There are some other options as well, but you'll have to look in the source
# code to find them as they aren't ready for use yet.
EXTRAOPTIONS=''

# Audit rules file to run after starting auditd
RULEFILE_STARTUP=/etc/audit/audit.rules

# Audit rules file to run before and after stopping auditd
RULEFILE_STOP_PRE=/etc/audit/audit.rules.stop.pre
RULEFILE_STOP_POST=/etc/audit/audit.rules.stop.post

# If you want to enforce a certain locale for auditd,
# uncomment one of the next lines:
#AUDITD_LANG=none
AUDITD_LANG=C
#AUDITD_LANG=en_US
#AUDITD_LANG=en_US.UTF-8

--
Toralf
pgp key: 7B1A 07F4 EC82 0F90 D4C2 8936 872A E508 0076 E94E
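An added example, not part of Toralf's mail or of the Gentoo audit package: a small Python parser that reads an auditctl rules file in the format quoted above and summarises what it configures, so that the question Paul raised (are any directory watches in place?) can be answered mechanically. GENTOO_DEFAULT is the active lines of the audit.rules shown in the mail; WITH_WATCH is a constructed, hypothetical file that does use a -w watch, included for contrast.

```python
import shlex

# Constructed sample: the active lines of the default Gentoo audit.rules quoted in the mail.
GENTOO_DEFAULT = """
-D
-a exit,never -F arch=b32 -S read -S write -S open -S fstat -S mmap -S brk -S munmap -S nanosleep -S fcntl -S close -S dup2 -S rt_sigaction -S stat
# -a exit,always -S all
-b 8192
"""
# Constructed (hypothetical) rules file that does configure a directory watch, for contrast.
WITH_WATCH = "-D\n-w /etc/ -p wa -k etc_changes\n-a exit,always -F arch=b64 -S execve -k exec_log\n"


def parse_rules(text):
    """Summarise an auditctl rules file: -D, -b, -a/-S/-F syscall rules and -w watches."""
    summary = {"delete_all": False, "backlog": None, "syscall_rules": [], "watches": []}
    for raw in text.splitlines():
        argv = shlex.split(raw, comments=True)  # drops blank lines and '#' comments
        if not argv:
            continue
        if argv == ["-D"]:  # delete all existing rules; takes no argument
            summary["delete_all"] = True
            continue
        rule = {"list_action": None, "syscalls": [], "filters": [], "key": None}
        watch = None
        for opt, val in zip(argv[::2], argv[1::2]):  # every remaining flag takes one value
            if opt == "-b":
                summary["backlog"] = int(val)
            elif opt == "-a":
                rule["list_action"] = val  # e.g. "exit,never" or "exit,always"
            elif opt == "-S":
                rule["syscalls"].append(val)
            elif opt == "-F":
                rule["filters"].append(val)
            elif opt == "-w":
                watch = {"path": val, "perms": "rwxa", "key": None}  # rwxa is auditctl's default
            elif opt == "-p" and watch:
                watch["perms"] = val
            elif opt == "-k":
                (watch or rule)["key"] = val
        if watch:
            summary["watches"].append(watch)
        elif rule["list_action"]:
            summary["syscall_rules"].append(rule)
    return summary


def watched_paths(text):
    """The point Paul asked about: which filesystem paths, if any, does this file watch?"""
    return [w["path"] for w in parse_rules(text)["watches"]]
```

Run against the quoted default, `watched_paths` returns an empty list: the stock Gentoo file only suppresses noisy 32-bit syscalls and raises the backlog, and sets no watches at all.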