From: Steve Grubb <sgrubb@redhat.com>
To: ocakan <ocakan@gmail.com>
Cc: linux-audit@redhat.com
Subject: Re: filtering system calls with auid -1
Date: Wed, 18 Nov 2015 13:33:18 -0500
Message-ID: <1672025.saokxMoU1a@x2>
In-Reply-To: <CAPOnzUa8itgpBfu04odK29QYAL=nSs4RRYYpR-LoX4_q+T2pvg@mail.gmail.com>

On Wednesday, November 18, 2015 03:54:58 PM ocakan wrote:
> Hello Steve!
>
> Thank you for your feedback. Somehow I still do not fully understand how
> the filtering with -F works.
>
> Regarding your questions: commands executed by root user, including
> subshells, subcmds from script are fine for me.

OK.

> I altered my audit.rules as you suggested to the following, no other rules:
> auditctl -l:

You can add a key to this if you like, -F key=root-commands

> -a always,exit -F arch=x86_64 -S execve -F auid>=500 -F auid!=-1 -F uid=0
> -a always,exit -F arch=i386 -S execve -F auid>=500 -F auid!=-1 -F uid=0
>
> I get entries from crond like the following in audit.log:

Cron entries hit the user filter. If you were using SELinux, you could write a
rule like this:

-a user,never -F subj_type=crond_t

> type=USER_ACCT msg=audit(1447855321.729:306): user pid=25780 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting
> acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
> res=success'
> type=CRED_ACQ msg=audit(1447855321.731:307): user pid=25780 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
> acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
> res=success'
> type=USER_START msg=audit(1447855321.731:308): user pid=25780 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open
> acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
> res=success'
> type=CRED_DISP msg=audit(1447855321.739:309): user pid=25780 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
> acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
> res=success'
> type=USER_END msg=audit(1447855321.739:310): user pid=25780 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close
> acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
> res=success'
>
> What I do not get now are commands executed as root user from ptsX/ttyX.
>
> root@myhost ~# cat /etc/passwd # no audit entry
> root@myhost ~# service rsyslog stop # no audit entry
> root@myhost ~# less /var/log/audit/audit.log # no audit entry
> root@myhost ~# iptables -F # NETFILTER_CFG && SYSCALL entry but no EXECVE
> entry

Check to see what your loginuid is:

# cat /proc/self/loginuid

-Steve
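
The rule and log lines discussed in this message, worked through as an added example (not part of Steve's reply or of the audit tools): the script applies the rule's three field tests to constructed, abbreviated records, treating -1 as the unsigned 32-bit value 4294967295 that an unset loginuid is logged as. The SYSCALL records and their `auid` and `comm` values are assumptions made for illustration.

```python
import re

# Constructed, abbreviated records modelled on the audit.log lines quoted above.
SAMPLE = """\
type=USER_START msg=audit(1447855321.731:308): user pid=25780 uid=0 auid=4294967295 ses=4294967295 msg='op=PAM:session_open acct="root" exe="/usr/sbin/crond" terminal=cron res=success'
type=SYSCALL msg=audit(1447855400.100:320): arch=c000003e syscall=59 success=yes pid=25901 auid=1000 uid=0 comm="iptables"
type=SYSCALL msg=audit(1447855401.200:321): arch=c000003e syscall=59 success=yes pid=25902 auid=0 uid=0 comm="cat"
type=SYSCALL msg=audit(1447855402.300:322): arch=c000003e syscall=59 success=yes pid=25903 auid=4294967295 uid=0 comm="run-parts"
"""

UNSET = 0xFFFFFFFF  # an unset loginuid is (uint32)-1 and is logged as 4294967295

# Field tests of the rule from the thread: -F auid>=500 -F auid!=-1 -F uid=0
RULE = [("auid", ">=", 500), ("auid", "!=", -1), ("uid", "=", 0)]
OPS = {">=": lambda a, b: a >= b, "!=": lambda a, b: a != b, "=": lambda a, b: a == b}


def parse(line):
    """Return (record type, {numeric field: int}) for one audit.log line."""
    rtype = re.match(r"type=(\S+)", line).group(1)
    return rtype, {k: int(v) for k, v in re.findall(r"\b(\w+)=(\d+)\b", line)}


def rule_matches(fields, rule=RULE):
    """Apply every field test; ids compare as unsigned 32-bit, so -1 means UNSET."""
    return all(f in fields and OPS[op](fields[f], v & UNSET) for f, op, v in rule)


def triage(text):
    """Return (type, auid, verdict) per line; only SYSCALL records are tested against RULE."""
    rows = []
    for line in filter(None, text.splitlines()):
        rtype, fields = parse(line)
        auid = "unset" if fields.get("auid") == UNSET else fields.get("auid")
        if rtype != "SYSCALL":
            verdict = "user-space message"
        else:
            verdict = "match" if rule_matches(fields) else "no match"
        rows.append((rtype, auid, verdict))
    return rows


if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(*row, sep="\t")
```

The last constructed record shows what `auid!=-1` contributes: on `auid>=500` alone, an unset loginuid compares as 4294967295 and passes.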