Auditd blog -- way too noisy

757 views
Skip to first unread message

Andrew A

unread,
Jul 26, 2022, 10:29:07 AM7/26/22
to Wazuh mailing list
Hello, 

   I tried following this blog post in order to monitor root commands via auditd: 


I also found the same config on the actual auditd github page


When you add: 

-a exit,always -F arch=b64 -F euid=0 -S execve -k audit-wazuh-c 
-a exit,always -F arch=b32 -F euid=0 -S execve -k audit-wazuh-c

There are non-stop logs to auditd for many /usr/bin tools. Like THOUSANDS of alerts in minutes. At least on an amazon linux 2 machine. Just wondering if there's been any best practices / lessons learned for making this actually useful. 

Thanks, 

Andrew

Roman Luna

unread,
Jul 26, 2022, 2:06:30 PM7/26/22
to Wazuh mailing list

Hi Andre,

The firsts rules that are shown in the blog are meant to create an event for every command that is run by sudo.

Due to this you may get a lot of events that might not be useful to you, however, you may also create new rules to specify the commands that you wish to see in the dashboard.

With the following title in the blog: “Tracking and monitoring root-specific command execution: Once we define our rule to detect execution of commands as root, we can create additional rules that detect the use of certain malicious commands, based on this one.”

In there, you will find the steps in order to create the lists, the rule and how it works.

The rules that are specified in the blog have different levels of priority, if you only wish to see specific commands, you may silence the others rules by setting the level to 0:

<!-- System call rules -->
<rule id="80792" level="0">
     <if_sid>80700</if_sid>
     <list field="audit.key" lookup="match_key_value" check_value="command">etc/lists/audit-keys</list>
     <description>Audit: Command: $(audit.exe)</description>
     <group>audit_command,gdpr_IV_30.1.g,</group>
</rule>

<rule id="100002" level="0">
    <if_sid>80792</if_sid>
    <field name="audit.euid">0</field>
    <description>Audit: Root command execution: $(audit.exe) with loginuid user $(audit.auid)</description>
    <group>audit_command,</group>
</rule>

<rule id="100010" level="8">
    <if_sid>100002</if_sid>
    <list field="audit.command" lookup="match_key">etc/lists/kernel_control_commands</list>
    <description>Audit:  [Kernel modification] ($(audit.command)) Executed with loginuid user  $(audit.auid): $(audit.execve.a0) $(audit.execve.a1) $(audit.execve.a2)  </description>
    <group>audit_command,</group>
</rule>

Let me know if this helps,

Regards,
Roman from Wazuh!.

Andrew A

unread,
Jul 26, 2022, 4:08:52 PM7/26/22
to Wazuh mailing list
Thanks -- ill give it a look. 
Message has been deleted
Message has been deleted

Andrew A

unread,
Jul 26, 2022, 4:32:46 PM7/26/22
to Wazuh mailing list
Honestly think the issue is at the auditd level and not wazuh. The blog uses a very clunky rule for tracking sudo commands. 

I think I need something like this instead: 


Because even if I block alerts in wazuh I'm still having these what would be millions of alerts going to my audit.log file. 

On Tuesday, July 26, 2022 at 4:09:57 PM UTC-4 Andrew A wrote:
What was confusing is no one was doing anything with root -- and I was getting thousands of alerts. By it was like 5 different /usr/bin programs over and over. Assuming I may just be able to set those to 0. 

Andrew A

unread,
Jul 26, 2022, 5:02:37 PM7/26/22
to Wazuh mailing list
For anyone following -- this worked great: 

-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -F key=audit-wazuh-c
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=-1 -F key=audit-wazuh-c

Reply all
Reply to author
Forward
0 new messages