* Regarding Auditing on RHEL 7.1
@ 2016-02-24  7:04 Sarthak Jain
  2016-02-25 19:52 ` Steve Grubb
  0 siblings, 1 reply; 3+ messages in thread
From: Sarthak Jain @ 2016-02-24  7:04 UTC (permalink / raw)
  To: linux-audit@redhat.com


[-- Attachment #1.1: Type: text/plain, Size: 882 bytes --]

Hi,

I am Sarthak Jain, working at MicroFocus. I would like your help to clarify one of my doubts regarding kernel auditing on RHEL 7.1. I hope you are the right person to contact. It will take just 2 min (max :P) to go through the problem.

Assumption: Ideally, if we change a configuration file (for example /etc/hosts), we should get audit events for it.

Scenario: By default, the permissions for '/etc/hosts' are (rw-r--r--). If we modify this file, audit events are generated as shown in the attached file 'file1.txt'.

Problem: Let's say we change the permissions of '/etc/hosts' to (rw-rw-rw-). Then the audit system does not record the "CONFIG_CHANGE" event at all. I have attached the file 'file2.txt' for your reference. Can you please clarify this? Is it a kernel-level bug?

I would be very grateful if you could comment on this.

Thanks.



[-- Attachment #2: file1.txt --]
[-- Type: text/plain, Size: 4222 bytes --]

----
time->Wed Feb 24 00:44:20 2016
type=CONFIG_CHANGE msg=audit(1456296260.392:3012733752): auid=0 ses=612921 op="updated rules" path="/etc/hosts" key=(null) list=4 res=1
----
time->Wed Feb 24 00:44:20 2016
type=PATH msg=audit(1456296260.392:3012733753): item=3 name="/etc/hosts~" inode=133015 dev=fd:01 mode=0100700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=CREATE
type=PATH msg=audit(1456296260.392:3012733753): item=2 name="/etc/hosts" inode=133015 dev=fd:01 mode=0100700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=DELETE
type=PATH msg=audit(1456296260.392:3012733753): item=1 name="/etc/" inode=130309 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
type=PATH msg=audit(1456296260.392:3012733753): item=0 name="/etc/" inode=130309 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
type=CWD msg=audit(1456296260.392:3012733753):  cwd="/root"
type=SYSCALL msg=audit(1456296260.392:3012733753): arch=c000003e syscall=82 success=yes exit=0 a0=1d5c730 a1=1d82ab0 a2=fffffffffffffea0 a3=7fffcc152380 items=4 ppid=7009 pid=7575 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
----
time->Wed Feb 24 00:44:20 2016
type=CONFIG_CHANGE msg=audit(1456296260.393:3012733754): auid=0 ses=612921 op="updated rules" path="/etc/hosts" key=(null) list=4 res=1
----
time->Wed Feb 24 00:44:20 2016
type=PATH msg=audit(1456296260.393:3012733755): item=1 name="/etc/hosts" inode=133022 dev=fd:01 mode=0100700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:net_conf_t:s0 objtype=CREATE
type=PATH msg=audit(1456296260.393:3012733755): item=0 name="/etc/" inode=130309 dev=fd:01 mode=040755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:etc_t:s0 objtype=PARENT
type=CWD msg=audit(1456296260.393:3012733755):  cwd="/root"
type=SYSCALL msg=audit(1456296260.393:3012733755): arch=c000003e syscall=2 success=yes exit=3 a0=1d5c730 a1=241 a2=1c0 a3=0 items=2 ppid=7009 pid=7575 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
----
time->Wed Feb 24 00:44:20 2016
type=PATH msg=audit(1456296260.413:3012733759): item=0 name="/etc/hosts" inode=133022 dev=fd:01 mode=0100700 ouid=0 ogid=0 rdev=00:00 obj=unconfined_u:object_r:net_conf_t:s0 objtype=NORMAL
type=CWD msg=audit(1456296260.413:3012733759):  cwd="/root"
type=SYSCALL msg=audit(1456296260.413:3012733759): arch=c000003e syscall=188 success=yes exit=0 a0=1d5c730 a1=7fc4923b877e a2=1d81fd0 a3=20 items=1 ppid=7009 pid=7575 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
----
time->Wed Feb 24 00:44:20 2016
type=PATH msg=audit(1456296260.413:3012733761): item=0 name="/etc/hosts" inode=133022 dev=fd:01 mode=0100700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
type=CWD msg=audit(1456296260.413:3012733761):  cwd="/root"
type=SYSCALL msg=audit(1456296260.413:3012733761): arch=c000003e syscall=90 success=yes exit=0 a0=1d5c730 a1=81c0 a2=0 a3=20 items=1 ppid=7009 pid=7575 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)
----
time->Wed Feb 24 00:44:20 2016
type=PATH msg=audit(1456296260.414:3012733762): item=0 name="/etc/hosts" inode=133022 dev=fd:01 mode=0100700 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
type=CWD msg=audit(1456296260.414:3012733762):  cwd="/root"
type=SYSCALL msg=audit(1456296260.414:3012733762): arch=c000003e syscall=188 success=yes exit=0 a0=1d5c730 a1=7fc491f71ddf a2=1d81c30 a3=1c items=1 ppid=7009 pid=7575 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)

[-- Attachment #3: file2.txt --]
[-- Type: text/plain, Size: 1299 bytes --]

----
time->Wed Feb 24 00:45:55 2016
type=PATH msg=audit(1456296355.292:3012759691): item=0 name="/etc/hosts~" inode=133015 dev=fd:01 mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
type=CWD msg=audit(1456296355.292:3012759691):  cwd="/root"
type=SYSCALL msg=audit(1456296355.292:3012759691): arch=c000003e syscall=132 success=yes exit=0 a0=2245a70 a1=7fffdf2b4390 a2=2000 a3=7fffdf2b4050 items=1 ppid=7009 pid=7704 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key="9980284E037547A8A9364B62ACB360C6"
----
time->Wed Feb 24 00:45:55 2016
type=PATH msg=audit(1456296355.303:3012759696): item=0 name="/etc/hosts" inode=133022 dev=fd:01 mode=0100666 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:net_conf_t:s0 objtype=NORMAL
type=CWD msg=audit(1456296355.303:3012759696):  cwd="/root"
type=SYSCALL msg=audit(1456296355.303:3012759696): arch=c000003e syscall=90 success=yes exit=0 a0=221f730 a1=81b6 a2=0 a3=7fffdf2b4050 items=1 ppid=7009 pid=7704 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi" exe="/usr/bin/vi" subj=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 key=(null)


* Re: Regarding Auditing on RHEL 7.1
  2016-02-24  7:04 Regarding Auditing on RHEL 7.1 Sarthak Jain
@ 2016-02-25 19:52 ` Steve Grubb
  2016-02-26  6:28   ` Sarthak Jain
  0 siblings, 1 reply; 3+ messages in thread
From: Steve Grubb @ 2016-02-25 19:52 UTC (permalink / raw)
  To: linux-audit; +Cc: Sarthak Jain

On Wednesday, February 24, 2016 07:04:08 AM Sarthak Jain wrote:
> I am Sarthak Jain working in MicroFocus. I want your small help to clarify
> one of my doubt regarding the kernel auditing on RHEL 7.1. I hope you are
> the right person to contact. It will just 2 min (max :P) to go through the
> problem.
> 
> Assumption: Ideally, if we change the configuration file (for ex-
> /etc/hosts), we should be getting audit events for it.
> 
> Scenario: By default, the permissions for '/etc/hosts' is (rw-r-r--). If we
> modify this file, then audit events are coming as attached in file -
> 'file1.txt'.
> 
> Problem: Let say if we change the permissions of the '/etc/hosts' to
> (rw-rw-rw), then audit system is not recording the "CONFIG_CHANGE" event at
> all.

That is because the audit configuration has not changed. Config change events 
are specific to changes in the audit system itself. What you get for this is a 
syscall event with a path record.

If you want to get events on changing permissions on a file, then you would put 
a rule like this:

-a always,exit -F path=/etc/hosts -F perms=a -F key=permission-change

After modifying the file with chmod, then run:

ausearch --start today -k permission-change


> I have attached the file - 'file2.txt' for your reference. Can you
> please clarify this ? Is it a kernel level bug?

No. It's doing what it should.

-Steve


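The reply above, as an added worked example that is not part of the thread and not code from the audit userspace tools: a script that loads the suggested rule (that part needs root and a running auditd, so it sits behind a function and is not called) and then, offline, classifies constructed audit records shaped like the two attachments. It shows the two points Steve makes. CONFIG_CHANGE records come from the audit configuration itself: in file1.txt they appear right where vi renames /etc/hosts to /etc/hosts~ (syscall 82, rename, on x86_64) and recreates it with open(O_CREAT) (syscall 2, a1=241), so the path watch is re-resolved onto the new inode and logged as op="updated rules". A permission change on the watched file instead arrives as a SYSCALL record for chmod (syscall 90 on x86_64, arch=c000003e) whose a1 field carries the mode argument in hex: 81b6 in file2.txt is 0100666, i.e. rw-rw-rw- on a regular file, and 81c0 in file1.txt is 0100700. The key name permission-change is taken from the rule in the reply; the sample records are constructed for the example, with shortened serial numbers and some fields dropped.

```bash
#!/bin/bash
# Added example, not from the thread. Rule loading needs root and auditd;
# everything else runs offline against constructed sample records.

# The watch rule from the reply (key name "permission-change" is assumed).
load_rule() {
    auditctl -a always,exit -F path=/etc/hosts -F perms=a -F key=permission-change
}

# The query from the reply; -i interprets syscall numbers and hex arguments,
# so the manual decoding below is only needed when reading raw audit.log.
query_rule_hits() {
    ausearch --start today -k permission-change -i
}

# Constructed sample records (not real data): a watch update, then the chmod
# vi issues while writing /etc/hosts, before and after the key rule exists.
SAMPLE_LOG='type=CONFIG_CHANGE msg=audit(1456296260.392:1): auid=0 ses=612921 op="updated rules" path="/etc/hosts" key=(null) list=4 res=1
type=SYSCALL msg=audit(1456296260.413:2): arch=c000003e syscall=90 success=yes exit=0 a0=1d5c730 a1=81c0 a2=0 a3=20 items=1 ppid=7009 pid=7575 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi" exe="/usr/bin/vi" key=(null)
type=PATH msg=audit(1456296260.413:2): item=0 name="/etc/hosts" inode=133022 dev=fd:01 mode=0100700 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL
type=SYSCALL msg=audit(1456296355.303:3): arch=c000003e syscall=90 success=yes exit=0 a0=221f730 a1=81b6 a2=0 a3=7fffdf2b4050 items=1 ppid=7009 pid=7704 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=612921 comm="vi" exe="/usr/bin/vi" key="permission-change"
type=PATH msg=audit(1456296355.303:3): item=0 name="/etc/hosts" inode=133022 dev=fd:01 mode=0100666 ouid=0 ogid=0 rdev=00:00 objtype=NORMAL'

# field RECORD NAME: the value of NAME=... in one audit record, quotes stripped.
field() {
    printf '%s\n' "$1" | sed -n "s/.* $2=\([^ ]*\).*/\1/p" | tr -d '"'
}

# decode_mode HEX: permission bits of a chmod(2) mode argument, in octal.
# vi passes the full st_mode it got from stat(), so the S_IFREG bits (0100000)
# are masked off: 81b6 -> 0666, 81c0 -> 0700.
decode_mode() {
    printf '%04o\n' "$(( 0x$1 & 07777 ))"
}

# count_config_changes: CONFIG_CHANGE records on stdin. These track changes to
# the audit configuration (rules added, a path watch re-resolved after the
# watched file was replaced), never the content or mode of a watched file.
count_config_changes() {
    grep -c '^type=CONFIG_CHANGE '
}

# chmod_events: read audit records on stdin and print one summary line per
# successful chmod(2) on x86_64 (arch=c000003e, syscall=90), with the
# requested mode decoded from the hex a1 argument and the rule key shown.
chmod_events() {
    local rec
    while IFS= read -r rec; do
        case "$rec" in
            "type=SYSCALL "*"arch=c000003e "*"syscall=90 "*"success=yes "*) ;;
            *) continue ;;
        esac
        printf 'chmod auid=%s comm=%s key=%s mode=%s\n' \
            "$(field "$rec" auid)" "$(field "$rec" comm)" \
            "$(field "$rec" key)" "$(decode_mode "$(field "$rec" a1)")"
    done
}

# Stand-alone run over the constructed sample: prints the CONFIG_CHANGE count
# (1, from the watch update) and the two chmod events, only the second of
# which carries the permission-change key.
printf '%s\n' "$SAMPLE_LOG" | count_config_changes
printf '%s\n' "$SAMPLE_LOG" | chmod_events
```

On a live system, use the names rather than the numbers when writing rules (auditctl -S chmod -S fchmod -S fchmodat) and let ausearch -i do the interpretation; the numbers in the script are correct only for arch=c000003e records.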
* RE: Regarding Auditing on RHEL 7.1
  2016-02-25 19:52 ` Steve Grubb
@ 2016-02-26  6:28   ` Sarthak Jain
  0 siblings, 0 replies; 3+ messages in thread
From: Sarthak Jain @ 2016-02-26  6:28 UTC (permalink / raw)
  To: Steve Grubb, linux-audit@redhat.com

Hi Steve,

Thanks for explaining this properly. I think I misinterpreted the meaning of "CONFIG_CHANGE"; now I understand.

The problem I was asking about was something different. I have already started a separate thread for that.

Thanks.

