From: Steve Grubb <sgrubb@redhat.com>
To: linux-audit@redhat.com
Subject: Re: Excluding few executable from audit.rules in redhat6.5
Date: Mon, 17 Nov 2014 12:09:10 -0500 [thread overview]
Message-ID: <10981052.36n0eHvUFY@x2> (raw)
In-Reply-To: <2779362.U37ZQvvdpt@x2>
On Monday, November 17, 2014 11:42:17 AM Steve Grubb wrote:
> On Monday, November 17, 2014 10:14:59 AM LC Bruzenak wrote:
> > On 11/17/2014 09:30 AM, Steve Grubb wrote:
> > > Well, what do you really want to do? In general, I'd look at the
> > > original
> > > auditing rule to see if its scope can be narrowed. In this case, it
> > > appears
> > > that you are wanting all calls to chmod. Why? Are you more concerned
> > > with
> > > failed calls to chmod, meaning a user is trying to change system files?
> > > Are
> > > system daemons calling chmod OK? Or do you really want everything? Or do
> > > you want no events at all for that daemon no matter what the syscall?
> > >
> > > The event you are showing is that app successfully making a directory
> > > world
> > > writable/readable. Its setting the sticky bit, so its "safe."
> >
> > I think this is auditing because the supplied STIG rules specify it.
> > The "perm_mod" key is the hint. You probably do not want to remove this
> > rule for all chmod syscalls.
>
> OK. Missed that. Then looking at the rule, it has an exclusion for daemons
> because its only concerned with auid>=500. So, that means that someone
> restarted the daemon by hand rather than rebooting the system
>
> If a temporary fix is needed until the systems is rebooted, then one could
> do this:
>
> auditctl -A exit,never -S chmod -F uid=345
A correction is in order, this likely needs arch fields to be added. It should
have been:
auditctl -A exit,never -F arch=b32 -S chmod -F uid=345
auditctl -A exit,never -F arch=b64 -S chmod -F uid=345
-Steve
> That will get rid of all chmod calls by user account 345. Notice the capital
> A, this places the rule at the beginning because the rule that matches
> first wins. I would not make that a permanent rule, just a workaround until
> it can be rebooted. But also note that it could trigger other rules because
> it has a user's auid.
>
> > You cannot exclude an executable itself from the rule set by name.
> > The "exclude" option only applies to event types.
> >
> > You could exclude it by type, except it is running as a generic
> > unconfined_t.
>
> Yeah, as a daemon it should be something else. Unconfined is only from a
> user session. Daemons get initrc_t when they are unknown.
>
> -Steve
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
next prev parent reply other threads:[~2014-11-17 17:09 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2014-11-17 15:02 Excluding few executable from audit.rules in redhat6.5 Tilden Doran D
2014-11-17 15:30 ` Steve Grubb
2014-11-17 16:14 ` LC Bruzenak
2014-11-17 16:42 ` Steve Grubb
2014-11-17 17:09 ` Steve Grubb [this message]
2014-11-18 10:22 ` Tilden Doran D
2014-11-18 15:25 ` Steve Grubb
2014-11-19 5:38 ` Tilden Doran D
2014-11-19 15:31 ` Steve Grubb
2014-11-18 10:10 ` Tilden Doran D
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=10981052.36n0eHvUFY@x2 \
--to=sgrubb@redhat.com \
--cc=linux-audit@redhat.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox