From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: perhaps obvious question: auditd and setuid/setgid?
Date: Fri, 04 Sep 2015 12:20:38 -0400 [thread overview]
Message-ID: <2447871.tML4uAQppZ@x2> (raw)
In-Reply-To: <55E9B0B7.9040607@gmail.com>
On Friday, September 04, 2015 10:54:47 AM John Jasen wrote:
> I was specifically wondering if I was missing the appropriate syscall
> for the use of setuid or setgid.
>
>From a brief examination and test, this appears to not be the case?
There are a couple ways to do this. One is using the find method. However, that
does not take into account file system based capabilities. In the lab I taught
this week, the rules generator also included this:
filecap /bin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x -
F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >> priv.rules
filecap /sbin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F perm=x
-F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >> priv.rules
filecap /usr/bin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F
perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >>
priv.rules
filecap /usr/sbin 2>/dev/null | awk '{ printf "-a always,exit -F path=%s -F
perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged\n", $1 }' >>
priv.rules
But, if all you want is setuid, then you can use a rule like this instead of
file watches:
-a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0
-Steve
> On 09/02/2015 10:32 PM, rshaw1@umbc.edu wrote:
> >> I'm currently testing auditd with rules for setuid or setgid binaries on
> >> the system.
> >>
> >> I currently maintain the list via find, and pushing the results to a
> >> audit.rules file.
> >>
> >> I'm hoping there's a cleaner way, perhaps by triggering on the
> >> appropriate syscall -- but have not discovered it.
> >>
> >> Is there an easier method?
> >
> > The find method is what I use (though I push it to a file in rules.d and
> > then run augenrules, which for RHEL5/6 I just stole from RHEL7). Using
> > find to generate these rules is actually in the text of, IIRC, at least
> > one of the RHEL STIGs (6, draft of 7, possibly both), though not quite as
> > automated as the way I do it.
> >
> > --Ray
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2015-09-04 16:20 UTC|newest]
Thread overview: 5+ messages / expand[flat|nested] mbox.gz Atom feed top
2015-09-02 23:06 perhaps obvious question: auditd and setuid/setgid? John Jasen
2015-09-03 2:32 ` rshaw1
2015-09-04 14:54 ` John Jasen
2015-09-04 16:20 ` Steve Grubb [this message]
2015-09-04 17:36 ` John Jasen
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=2447871.tML4uAQppZ@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.