Score:1

Auditd - Don't log events from salt-minion


I'm updating our Auditd rules (Red Hat Linux) to log all tty/interactive commands from all users. That part works no problem.

What I'm trying to do now is to exclude commands issued by our salt-master that are executed on one of our salt-minions. These events are already logged in the audit log on the salt-master server, so they do not need to be duplicated on the minions.

I've tried looking at the events generated by simple salt commands and looking for something specific that I can filter on, but I'm failing to see it.

Here's an example of what gets logged on one of my minions (in my lab) when I run this command on the salt server...

salt 'saltminion18*' cmd.run "ls -al /root/"

Here's what gets logged on the minion...

type=SYSCALL msg=audit(1679427008.316:874): arch=c000003e syscall=59 success=yes exit=0 a0=7fbe9c36d7f0 a1=7fbe905a48d0 a2=7fbe905d3930 a3=18 items=2 ppid=1530 pid=1531 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" subj=system_u:system_r:unconfined_service_t:s0 key="root-commands" ARCH=x86_64 SYSCALL=execve AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=EXECVE msg=audit(1679427008.316:874): argc=3 a0="/bin/sh" a1="-c" a2=6C73202D616C202F726F6F742F
type=CWD msg=audit(1679427008.316:874): cwd="/root"
type=PATH msg=audit(1679427008.316:874): item=0 name="/bin/sh" inode=3063 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:shell_exec_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"
type=PATH msg=audit(1679427008.316:874): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=67120844 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"
type=PROCTITLE msg=audit(1679427008.316:874): proctitle=2F62696E2F7368002D63006C73202D616C202F726F6F742F
type=SYSCALL msg=audit(1679427008.320:875): arch=c000003e syscall=59 success=yes exit=0 a0=55842804af60 a1=55842804b520 a2=558428043e10 a3=0 items=2 ppid=1530 pid=1531 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ls" exe="/usr/bin/ls" subj=system_u:system_r:unconfined_service_t:s0 key="root-commands" ARCH=x86_64 SYSCALL=execve AUID="unset" UID="root" GID="root" EUID="root" SUID="root" FSUID="root" EGID="root" SGID="root" FSGID="root"
type=EXECVE msg=audit(1679427008.320:875): argc=3 a0="ls" a1="-al" a2="/root/"
type=CWD msg=audit(1679427008.320:875): cwd="/root"
type=PATH msg=audit(1679427008.320:875): item=0 name="/usr/bin/ls" inode=432080 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:bin_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"
type=PATH msg=audit(1679427008.320:875): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=67120844 dev=fd:00 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL cap_fp=0 cap_fi=0 cap_fe=0 cap_fver=0 cap_frootid=0 OUID="root" OGID="root"
type=PROCTITLE msg=audit(1679427008.320:875): proctitle=2F62696E2F7368002D63006C73202D616C202F726F6F742F

Any advice on how I can get these commands/events from salt to be excluded in auditd?

Score:0

Found AN answer for my own issue. Since we only wanted to log interactive commands, and in this case I also specifically wanted to make sure root commands were logged (and any users using elevated privs), here was my solution.

I added the below section to my audit rules file.

## Log all execve calls by effective uid 0 (root), PCI DSS 10.2.2, ignoring an auid of "unset".
-a exit,always -F arch=b64 -F euid=0 -F auid!=unset -S execve -k root-commands
-a exit,always -F arch=b32 -F euid=0 -F auid!=unset -S execve -k root-commands

This allowed all root commands to be logged. Since salt-master sends commands to minions to be run using the auid of "unset", this nicely filtered them out as well.
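To see why the `-F auid!=unset` filter separates the salt-minion events from an interactive root session, the predicate of the posted rule (`-F euid=0 -F auid!=unset -S execve`) can be replayed offline over audit records. The script below is an added example, not code from the original post or from the audit project: it parses audit `key=value` records, decodes the hex-encoded EXECVE arguments the kernel emits for arguments containing spaces (the `a2=6C73...` in the question), groups records by event serial and reports which execve events the rule would keep. The sample log is constructed: events 874 and 875 are the SYSCALL/EXECVE records from the question above (enriched fields trimmed), while events 900 and 901 are hypothetical interactive sessions (a root shell on `pts0` with `auid=1000`, and an unprivileged user on `pts1`) added to show both sides of the filter.

```python
"""Replay the posted auditd rule's predicate over sample audit records.

Added example (not from the original post). Sample records are constructed:
events 874/875 are taken from the question (salt-minion running `ls -al /root/`,
auid unset); events 900/901 are hypothetical interactive sessions.
"""
import re
from collections import OrderedDict

AUID_UNSET = 4294967295            # (unsigned)-1: process has no login session (daemons, their children)
EXECVE_NR = {"c000003e": "59",     # x86_64: what `-F arch=b64 -S execve` resolves to
             "40000003": "11"}     # i386:   what `-F arch=b32 -S execve` resolves to

FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')   # key=value, value quoted or bare
SERIAL_RE = re.compile(r'msg=audit\(\d+\.\d+:(\d+)\)')     # the :NNN serial ties records of one event


def parse_record(line):
    """Return (serial, record type, fields) for one audit record line.
    Values keep their quotes so callers can tell a quoted string ("ls") from a
    bare token (a hex-encoded argument or a number)."""
    line = line.split("\x1d", 1)[0]       # drop ENRICHED fields after the 0x1D separator, if any
    serial = SERIAL_RE.search(line).group(1)
    fields = {}
    for key, value in FIELD_RE.findall(line):
        fields.setdefault(key, value)
    return serial, fields["type"], fields


def unquote(value):
    return value[1:-1] if len(value) >= 2 and value[0] == value[-1] == '"' else value


def execve_argv(execve):
    """Rebuild argv from an EXECVE record. Quoted args are literal; bare args are
    hex-encoded by the kernel because they contain spaces or control characters.
    (Very long args are chunked as aN[0], aN[1], ...; not handled here.)"""
    argv = []
    for i in range(int(execve["argc"])):
        raw = execve[f"a{i}"]
        argv.append(unquote(raw) if raw.startswith('"')
                    else bytes.fromhex(raw).decode("utf-8", "replace"))
    return argv


def rule_keeps(syscall):
    """The posted rule's predicate, applied to one SYSCALL record:
    execve for this arch, effective uid 0, and a login uid that is set."""
    return (EXECVE_NR.get(syscall.get("arch")) == syscall.get("syscall")
            and syscall.get("euid") == "0"
            and int(syscall.get("auid", AUID_UNSET)) != AUID_UNSET)


def evaluate(log_text):
    """Group records by serial and report every execve event with its argv,
    auid, tty and whether the rule would have recorded it."""
    events = OrderedDict()
    for line in log_text.strip().splitlines():
        serial, rtype, fields = parse_record(line)
        events.setdefault(serial, {})[rtype] = fields
    report = []
    for serial, recs in events.items():
        sc = recs.get("SYSCALL")
        if sc is None or EXECVE_NR.get(sc.get("arch")) != sc.get("syscall"):
            continue                      # not an execve event
        report.append({"serial": serial,
                       "argv": execve_argv(recs["EXECVE"]),
                       "auid": int(sc["auid"]),
                       "tty": unquote(sc["tty"]),
                       "kept": rule_keeps(sc)})
    return report


# Constructed sample: 874/875 from the question (trimmed), 900/901 hypothetical.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1679427008.316:874): arch=c000003e syscall=59 success=yes exit=0 a0=7fbe9c36d7f0 a1=7fbe905a48d0 a2=7fbe905d3930 a3=18 items=2 ppid=1530 pid=1531 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="sh" exe="/usr/bin/bash" key="root-commands"
type=EXECVE msg=audit(1679427008.316:874): argc=3 a0="/bin/sh" a1="-c" a2=6C73202D616C202F726F6F742F
type=SYSCALL msg=audit(1679427008.320:875): arch=c000003e syscall=59 success=yes exit=0 a0=55842804af60 a1=55842804b520 a2=558428043e10 a3=0 items=2 ppid=1530 pid=1531 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="ls" exe="/usr/bin/ls" key="root-commands"
type=EXECVE msg=audit(1679427008.320:875): argc=3 a0="ls" a1="-al" a2="/root/"
type=SYSCALL msg=audit(1679427100.001:900): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=2200 pid=2201 auid=1000 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 ses=3 comm="cat" exe="/usr/bin/cat" key="root-commands"
type=EXECVE msg=audit(1679427100.001:900): argc=2 a0="cat" a1="/etc/shadow"
type=SYSCALL msg=audit(1679427100.002:901): arch=c000003e syscall=59 success=yes exit=0 a0=1 a1=2 a2=3 a3=0 items=2 ppid=2300 pid=2301 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts1 ses=4 comm="id" exe="/usr/bin/id" key="root-commands"
type=EXECVE msg=audit(1679427100.002:901): argc=1 a0="id"
"""

if __name__ == "__main__":
    for ev in evaluate(SAMPLE_LOG):
        auid = "unset" if ev["auid"] == AUID_UNSET else ev["auid"]
        print(f'{ev["serial"]}  auid={auid:<6} tty={ev["tty"]:<7} kept={ev["kept"]!s:<5} {ev["argv"]}')
```

Running it shows events 874 and 875 (the salt-minion's `/bin/sh -c "ls -al /root/"` and the resulting `ls`) dropped because their auid is 4294967295, event 900 kept, and event 901 dropped because its euid is not 0. Two caveats worth keeping in mind: the filter is on auid, not on salt specifically, so execve calls from any process without a login session (cron jobs, systemd units, any daemon's children) are also excluded, and the same holds for anything an attacker runs through a compromised service or through the salt-minion itself. On the real host, confirm the loaded rules with `auditctl -l` after `augenrules --load`, then run one `salt ... cmd.run` and one interactive root command and compare `ausearch -k root-commands` output.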
