* Auditing a program use but not what it is doing
From: MAUPERTUIS, PHILIPPE @ 2020-02-12 10:01 UTC (permalink / raw)
To: linux-audit@redhat.com
Hi,
Like many, we are using aide and clamav.
I would like to have an audit record when these programs are run but no records for what they are doing.
I mean, I want to know that clamscan or aide has been launched, but not that it checks, say, /etc/passwd, whatever rules could be in place for /etc/passwd.
Thanks
Philippe
equensWorldline is a registered trade mark and trading name owned by the Worldline Group through its holding company.
This e-mail and the documents attached are confidential and intended solely for the addressee. If you receive this e-mail in error, you are not authorized to copy, disclose, use or retain it. Please notify the sender immediately and delete this email from your systems. As emails may be intercepted, amended or lost, they are not secure. EquensWorldline and the Worldline Group therefore can accept no liability for any errors or their content. Although equensWorldline and the Worldline Group endeavours to maintain a virus-free network, we do not warrant that this transmission is virus-free and can accept no liability for any damages resulting from any virus transmitted. The risks are deemed to be accepted by everyone who communicates with equensWorldline and the Worldline Group by email
* Re: Auditing a program use but not what it is doing
From: Steve Grubb @ 2020-02-12 13:53 UTC (permalink / raw)
To: linux-audit; +Cc: MAUPERTUIS, PHILIPPE
On Wednesday, February 12, 2020 5:01:37 AM EST MAUPERTUIS, PHILIPPE wrote:
> Like many, we are using aide and clamav.
> I would like to have an audit record when these programs are run but no
> records for what they are doing. I mean, I want to know that clamscan or
> aide has been launched but not that it checks say /etc/passwd whatever
> rules could be in place for /etc/passwd
Then all you need to do is place a watch on them.
-a always,exit -F path=path-to-aide -F perm=x -F key=something-ran
-Steve
* RE: Auditing a program use but not what it is doing
From: MAUPERTUIS, PHILIPPE @ 2020-02-13 16:35 UTC (permalink / raw)
To: Steve Grubb, linux-audit@redhat.com
> Subject: Re: Auditing a program use but not what it is doing
>
> On Wednesday, February 12, 2020 5:01:37 AM EST MAUPERTUIS, PHILIPPE
> wrote:
> > Like many, we are using aide and clamav.
> > I would like to have an audit record when these programs are run but no
> > records for what they are doing. I mean, I want to know that clamscan or
> > aide has been launched but not that it checks say /etc/passwd whatever
> > rules could be in place for /etc/passwd
>
> Then all you need to do is place a watch on them.
>
> -a always,exit -F path=path-to-aide -F perm=x -F key=something-ran
Just to be sure I understand how it works:
If we have two rules, in that order:
-a always,exit -F arch=b64 -F exe=/sbin/aide -F perm=x -F key=aide_run
-a always,exit -F path=/etc/passwd -F perm=wa -F key=10.2.5.c-accounts
When running aide:
- the first rule produces a message
- the second rule is ignored
Philippe
* Re: Auditing a program use but not what it is doing
From: Steve Grubb @ 2020-02-13 16:55 UTC (permalink / raw)
To: MAUPERTUIS, PHILIPPE; +Cc: linux-audit@redhat.com
On Thursday, February 13, 2020 11:35:46 AM EST MAUPERTUIS, PHILIPPE wrote:
> > Subject: Re: Auditing a program use but not what it is doing
> >
> > On Wednesday, February 12, 2020 5:01:37 AM EST MAUPERTUIS, PHILIPPE
> >
> > wrote:
> > > Like many, we are using aide and clamav.
> > > I would like to have an audit record when these programs are run but no
> > > records for what they are doing. I mean, I want to know that clamscan
> > > or
> > > aide has been launched but not that it checks say /etc/passwd whatever
> > > rules could be in place for /etc/passwd
> >
> > Then all you need to do is place a watch on them.
> >
> > -a always,exit -F path=path-to-aide -F perm=x -F key=something-ran
>
> Just to be sure I understand how it works:
> If we have two rules, in that order:
> -a always,exit -F arch=b64 -F exe=/sbin/aide -F perm=x -F key=aide_run
The exe option is to audit syscalls by a specific application. For example,
you might want to use it to see what IP address an application connects to.
-a always,exit -F arch=b64 -S connect,recvfrom -F auid>=1000 -F auid!=-1 -F exe=/usr/bin/bash
To place a _watch_ on a file, you use the path option with permission of
executable. The rule above should be:
-a always,exit -F path=/usr/sbin/aide -F perm=x -F key=aide_run
There should be other examples like this in the shipped rules.
> -a always,exit -F path=/etc/passwd -F perm=wa -F key=10.2.5.c-accounts
This will create an event whenever an application writes to or changes
permissions of passwd. Try running adduser or chmod it.
> When running aide :
> - the first rule produces a message
> - the second rule is ignored
It would only trigger on a write/permission change.
-Steve
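The matching behaviour Steve describes in his two replies, as an added example that is not code from this thread or from the audit project: a small Python model of how a path watch (`-F path=... -F perm=...`) and an exe filter (`-F exe=...` with no `-S`) decide whether an event is recorded. The rules are the ones posted in the thread; the syscall-to-permission mapping, the two event traces and the `/usr/sbin/aide` path (from Steve's corrected rule) are constructed assumptions for the example.

```python
from dataclasses import dataclass
from typing import List, Optional, Sequence, Tuple, Union


# Constructed event record: only the fields the two rule types look at.
@dataclass(frozen=True)
class Event:
    syscall: str            # simplified syscall name
    exe: str                # image of the calling task when the exit filter runs
    path: Optional[str]     # path argument; None for fd-based calls (no path lookup)
    perm: str               # access classes exercised on path: subset of "rwxa"


@dataclass(frozen=True)
class Watch:
    """-a always,exit -F path=<path> -F perm=<perm> -F key=<key>"""
    path: str
    perm: str
    key: str

    def matches(self, ev: Event) -> bool:
        # A watch fires only when the syscall resolves this path and the
        # access overlaps the rule's permission classes.
        return ev.path == self.path and bool(set(ev.perm) & set(self.perm))


@dataclass(frozen=True)
class ExeRule:
    """-a always,exit -F arch=b64 -F exe=<exe> -F key=<key> (no -S: every syscall)"""
    exe: str
    key: str

    def matches(self, ev: Event) -> bool:
        # An exe filter matches on who is calling, not on which file is touched.
        return ev.exe == self.exe


Rule = Union[Watch, ExeRule]


def audit(rules: Sequence[Rule], events: Sequence[Event]) -> List[Tuple[str, Optional[str], str]]:
    """Return (syscall, path, key) for each event some rule matched.

    Rules are checked in order and the first match wins, as the kernel's
    exit filter does; events no rule matches produce no record.
    """
    records = []
    for ev in events:
        for rule in rules:
            if rule.matches(ev):
                records.append((ev.syscall, ev.path, rule.key))
                break
    return records


AIDE = "/usr/sbin/aide"   # assumed path (Steve's corrected rule); adjust for your distro

# Constructed trace of one aide run. The execve is attributed to the aide
# image because the exit filter runs after the new image is loaded.
AIDE_RUN = [
    Event("execve", AIDE, AIDE, "x"),
    Event("openat", AIDE, "/etc/passwd", "r"),         # integrity check reads it
    Event("read", AIDE, None, "r"),                     # fd read: no path lookup
    Event("openat", AIDE, "/etc/shadow", "r"),
    Event("openat", AIDE, "/var/lib/aide/aide.db.new", "w"),
]

# Constructed trace of an account change, the activity the passwd watch is for.
ACCOUNT_CHANGE = [
    Event("execve", "/usr/sbin/useradd", "/usr/sbin/useradd", "x"),
    Event("openat", "/usr/sbin/useradd", "/etc/passwd", "rw"),
    Event("chmod", "/usr/bin/chmod", "/etc/passwd", "a"),
]

PASSWD_WATCH = Watch("/etc/passwd", "wa", "10.2.5.c-accounts")

# Steve's pair: watch the binary for execution, watch passwd for writes/attrs.
WATCH_RULES = [Watch(AIDE, "x", "aide_run"), PASSWD_WATCH]

# The first attempt from the thread: an exe filter instead of a path watch.
EXE_FILTER_RULES = [ExeRule(AIDE, "aide_run"), PASSWD_WATCH]

if __name__ == "__main__":
    for name, rules in (("path watch", WATCH_RULES), ("exe filter", EXE_FILTER_RULES)):
        print(f"{name}: aide run -> {audit(rules, AIDE_RUN)}")
    print(f"path watch: account change -> {audit(WATCH_RULES, ACCOUNT_CHANGE)}")
```

Running it shows the watch pair producing exactly one record for the aide run (the execve) and nothing for aide's read-only opens of /etc/passwd, while the account change trips the passwd watch twice (the read-write open and the chmod). The exe filter, by contrast, records every syscall aide makes, including fd reads that never resolve a path, which is the flood the original question wanted to avoid.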