Re: Auditing a program use but not what it is doing

[Steve Grubb <sgrubb@redhat.com>]

On Thursday, February 13, 2020 11:35:46 AM EST MAUPERTUIS, PHILIPPE wrote:
> > Objet : Re: Auditing a program use but not what it is doing
> > 
> > On Wednesday, February 12, 2020 5:01:37 AM EST MAUPERTUIS, PHILIPPE
> > 
> > wrote:
> > > Like many, we are using aide and clamav.
> > > I woud like to have an audit record when these program are run but no
> > > records for what they are doing. I mean, I want to know that clamscan
> > > or
> > > aide has been launched but not that it checks say /etc/passwd whatever
> > > rules could be in place for /etc/passwd
> > 
> > Then all you need to do is place a watch on them.
> > 
> > -a always,exit -F path=path-to-aide -F perm=x -F key=something-ran
> 
> Just to be sure to understand how it works :
> If we have two rules in that order :
> -a always,exit -F arch=b64 -F exe=/sbin/aide -F perm=x  -F key=aide_run

The exe option is to audit syscalls by a specific application. For example,
you might want to use it to see what IP address and application connects to.

-a always,exit -F arch=b64 -S connect,recvfrom -F auid>=1000 -F auid!=-1 -F exe=/usr/bin/bash

To place a _watch_ on a file, you use the path option with permission of
executable. The rule above should be:

-a always,exit -F path=/usr/sbin/aide -F perm=x  -F key=aide_run

There should be other examples like this in the shipped rules.

> -a always,exit -F path=/etc/passwd -F perm=wa -F key=10.2.5.c-accounts

This will create an event whenever an application writes to or changes
permissions of passwd. Try running adduser or chmod it.

> When running aide :
> -  the first rule produces a message
> - the second rule  is ignored

It would only trigger on a write/permission change.

-Steve