Limit output to audit.log

Hello!

I’m trying to configure FIM with Auditd on Ubuntu 14.04 (I know, ancient software). When I set it up, I’m getting a tremendous amount of traffic to /var/log/audit/audit.log. It appears that every time a command in a monitored directory is run, it triggers a log entry.

I’d like to only have log entries generated when a file is modified, rather than simply accessed. Is this possible? My auditd config is below.

I have InsightIDR Essentials, so I’m using NXLog to get FIM on my more recent Ubuntu machines, but am stuck with Auditd for 14.04 systems.

#
# This file controls the configuration of the audit daemon
#

log_file = /var/log/audit/audit.log
log_format = RAW
log_group = adm
priority_boost = 4
flush = INCREMENTAL
freq = 20
num_logs = 5
disp_qos = lossy
dispatcher = /sbin/audispd
name_format = NONE
##name = mydomain
max_log_file = 6
max_log_file_action = ROTATE
space_left = 75
space_left_action = SYSLOG
action_mail_acct = root
admin_space_left = 50
admin_space_left_action = SUSPEND
disk_full_action = SUSPEND
disk_error_action = SUSPEND
##tcp_listen_port =
tcp_listen_queue = 5
tcp_max_per_addr = 1
##tcp_client_ports = 1024-65535
tcp_client_max_idle = 0
enable_krb5 = no
krb5_principal = auditd
##krb5_key_file = /etc/audit/audit.key

My rules are as follows:

## First rule - delete all
-D

## Increase the buffers to survive stress events.
## Make this bigger for busy systems
-b 8192

## This determines how long to wait in a burst of events
#--backlog_wait_time 0

# REQUIRED (for Insight Agent): watch for execve syscalls, change to arch=b32 for 32 bit systems
-a always,exit -F arch=b64 -S execve -F key=execve

-w /bin -p w
-w /boot -p w
-w /etc -p w
-w /sbin -p w
-w /usr/bin -p w
-w /usr/local/bin -p w
-w /usr/local/sbin -p w
-w /usr/sbin -p w
-w /usr/share/keyrings -p w
-w /var/spool/cron -p w
## Set failure mode to syslog
-f 1

@jharding when you say a tremendous amount of traffic, are you just referring to locally on the disk, or do you mean within Log Search under the FIM logset? By design, Linux FIM should only send up create, modification and delete events.

The agent also monitors process start events; that is what the line below is doing:
-a always,exit -F arch=b64 -S execve -F key=execve

This means that for all actions taken on the machine, the agent is monitoring all activity in order to parse and transmit process starts. These are treated separately from FIM events, however, and you will only see process start logs in Log Search if you are an IDR Ultimate or MDR customer or had previously purchased Enhanced Endpoint Telemetry.

If you do not have process starts in Log Search, the other place you can see process information, albeit not in a searchable manner, is via an asset page, where you can click Running Processes.

David


Thanks @david_smith! The process starts line was what was cluttering up the logs for me.

That makes sense. You are somewhat limited in what you can do about that in that case; in theory you could set the audit policy to ignore process start events which match a particular pattern, but this comes with the caveat that you would potentially miss some suspicious behavior.
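To confirm which rule is filling audit.log before changing policy, here is an added Python example (not from the thread or from Rapid7) that groups raw audit records by serial number and counts events per originating rule: the keyed execve rule versus the unkeyed -w ... -p w watches. The log lines are constructed and abbreviated; syscall 59 is execve on x86_64.

```python
import re
from collections import Counter, defaultdict

# Constructed raw (log_format = RAW) audit.log lines; "..." stands in for
# fields omitted from a real record.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1700000000.101:2001): arch=c000003e syscall=59 success=yes exit=0 ... comm="ls" exe="/bin/ls" key="execve"
type=EXECVE msg=audit(1700000000.101:2001): argc=2 a0="ls" a1="-l"
type=SYSCALL msg=audit(1700000000.102:2002): arch=c000003e syscall=59 success=yes exit=0 ... comm="cat" exe="/bin/cat" key="execve"
type=SYSCALL msg=audit(1700000000.200:2003): arch=c000003e syscall=2 success=yes exit=3 ... comm="vi" exe="/usr/bin/vim.basic" key=(null)
type=PATH msg=audit(1700000000.200:2003): item=1 name="/etc/hosts" inode=12 dev=08:01 mode=0100644 nametype=NORMAL
type=SYSCALL msg=audit(1700000000.300:2004): arch=c000003e syscall=59 success=yes exit=0 ... comm="id" exe="/usr/bin/id" key="execve"
"""

RECORD_RE = re.compile(r'^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\): (?P<body>.*)$')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')

def parse_events(text):
    """Group raw audit records by serial number; returns {serial: [records]}."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD_RE.match(line)
        if not m:
            continue  # not an audit record
        fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('body'))}
        fields['type'] = m.group('type')
        events[m.group('serial')].append(fields)
    return events

def classify(records):
    """Label one event by the rule that produced it (key is checked first,
    because real execve events also carry PATH records for the binary)."""
    syscall = next((r for r in records if r['type'] == 'SYSCALL'), None)
    if syscall is None:
        return 'other'
    if syscall.get('key') == 'execve':
        return 'execve'   # -a always,exit -F arch=b64 -S execve -F key=execve
    if any(r['type'] == 'PATH' for r in records):
        return 'watch'    # -w <dir> -p w rules have no -k, so key=(null)
    return 'other'

def summarize(text):
    """Event count per originating rule, e.g. Counter({'execve': 3, 'watch': 1})."""
    return Counter(classify(recs) for recs in parse_events(text).values())

def watched_paths(text):
    """Files named by write-watch events, which is what FIM actually needs."""
    return sorted({r['name'] for recs in parse_events(text).values()
                   if classify(recs) == 'watch' for r in recs if r['type'] == 'PATH'})

if __name__ == '__main__':
    print(summarize(SAMPLE_LOG))
    print(watched_paths(SAMPLE_LOG))
```

Run it against a real file with `summarize(open('/var/log/audit/audit.log').read())`; a large execve count relative to watch events confirms the process-start rule, not the directory watches, is the source of the volume.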