public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: "warron.french" <warron.french@gmail.com>
Cc: Linux-Audit Mailing List <linux-audit@redhat.com>
Subject: Re: auditctl for admin's accessing other user files
Date: Sat, 30 Jun 2018 09:33:53 -0400	[thread overview]
Message-ID: <16462729.GJusgXACfJ@x2> (raw)
In-Reply-To: <CAJdJdQkZWmJytnHVSaK+t5o3sDx4asM0v_Eba-mPMF5URNskrQ@mail.gmail.com>

On Friday, June 29, 2018 10:44:48 PM EDT warron.french wrote:
> This is very cool!  I didn't know you could pass data from ausearch into
> aureport.  Does the -f option simply expect stdin if a file is not
> specified then?

ausearch and aureport both check stdin to see if it's a pipe. If so, it reads 
it instead of the logs. This leads to the common problem of getting no output 
when run from a cron job. This is because the cron job creates a pipe for 
stdin even when it doesn't pipe anything to it. So, that led to the creation 
of the --input-logs command-line option to force it to read the logs even when 
stdin is a pipe.

So, if you wanted to do one of those reports mentioned below from a cron job, 
then the ausearch would need to use that option but aureport wouldn't so that 
it can process the output of ausearch. Also note that when piping them, they 
expect data in the raw format.

-Steve

> On Mon, Jun 25, 2018 at 5:28 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> > On Monday, June 25, 2018 4:59:59 PM EDT Skaggs, Nicholas C wrote:
> > > Hello
> > > I noticed in the man page for auditctl, an example of how to monitor if
> > > admins are accessing other user's files. I created a rule like the one
> > > in the example. This is great that it is pulling the action and user
> > > calling the action!
> > > 
> > > The rule
> > > -a always,exit -S all -F dir=/home/username/ -F uid=0 -C auid!=obj_uid
> > > 
> > > I will pull a report on the findings with
> > > aureport -f -i | grep /home/username/
> > 
> > One other thing to comment on. You might do the report part a little
> > different. I'd let ausearch do the filtering before it goes to aureport.
> > It's much more flexible. For example, if you added a key to the rule
> > "admin-access". Then you can do this:
> > 
> > summary of all accesses
> > ausearch --start today -k admin-access --raw | aureport --summary -f
> > 
> > summary for a specific dir
> > ausearch --start today -k admin-access -f /home/username --raw | aureport --summary -f
> > 
> > summary of who did it
> > ausearch --start today -k admin-access --raw | aureport --summary -u -i
> > 
> > summary for a specific admin
> > ausearch --start today -k admin-access --loginuid admin-name --raw | aureport --summary -f
> > 
> > If you don't use the key in the searches, then you may be getting
> > unrelated events in the report.
> > 
> > -Steve
> > 
> > > The report is heavier than anticipated so I tried to make an adjustment
> > > to only capture what happens in the directory
> > > -a always,exit -S all -F path=/home/username/ -F uid=0 -C auid!=obj_uid
> > > ... but that is returning with  Error sending add rule data request (Invalid argument)
> > > 
> > > I then tried the below rule; it does not return an error upon add, but
> > > when I do an auditctl -l there are no rules listed
> > > -a always,exit -S all -F path=/home/username/ -p=rwxa -F uid=0 -C auid!=obj_uid
> > > 
> > > Is there a preferred way to set the rule, maybe on the inode of the
> > > directory, but does not lose the ability to see if an admin is doing it
> > > and what action?  I have been adding these on the fly, instead of
> > > adding to the /etc/audit/audit.rules file, for now.
> > > 
> > > 
> > > Thanks!
> > > Nick Skaggs
> > 
> > --
> > Linux-audit mailing list
> > Linux-audit@redhat.com
> > https://www.redhat.com/mailman/listinfo/linux-audit
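The cron pitfall Steve describes (both tools read stdin when it is a pipe, cron always hands a job a pipe on stdin, so only the ausearch side gets --input-logs) as an added example, not code from the thread or the audit project. It wraps the ausearch | aureport pipelines quoted above in one POSIX sh function; the key name "admin-access", the login name and the directory are the assumed values from the thread, and DRY_RUN is an assumed switch of this script, not an option of either tool.

```shell
#!/bin/sh
# Added example (not from the thread): a cron-safe wrapper for the
# "ausearch ... --raw | aureport --summary" pipelines discussed above.
# The audit key "admin-access" and the DRY_RUN switch are assumptions.

# Return 0 when stdin is a pipe. ausearch and aureport make this same check
# and, if true, read stdin instead of the logs. cron gives every job a pipe
# on stdin even when nothing is written to it, which is what yields an
# empty report.
stdin_is_pipe() {
    [ -p /dev/stdin ] || [ -p /proc/self/fd/0 ]
}

# run_report KEY [DIR] [ADMIN] [file|user]
#   KEY   audit rule key (-k) so unrelated events stay out of the report
#   DIR   optional filename filter passed to ausearch -f
#   ADMIN optional login name passed to ausearch --loginuid
#   file  (default) aureport --summary -f : per-file summary
#   user  aureport --summary -u -i        : per-user summary, names resolved
# Set DRY_RUN=1 to print the pipeline instead of executing it.
run_report() {
    key=$1; dir=${2:-}; admin=${3:-}; kind=${4:-file}

    # --input-logs belongs on ausearch only: it forces the log files even
    # when stdin is a pipe. aureport must NOT get it, or it would ignore the
    # piped ausearch output and scan the logs itself.
    set -- --input-logs --start today -k "$key"
    if [ -n "$dir" ]; then set -- "$@" -f "$dir"; fi
    if [ -n "$admin" ]; then set -- "$@" --loginuid "$admin"; fi
    set -- "$@" --raw        # piped data must be in the raw format

    if [ "$kind" = user ]; then
        report='--summary -u -i'
    else
        report='--summary -f'
    fi

    if [ "${DRY_RUN:-0}" = 1 ]; then
        printf 'ausearch %s | aureport %s\n' "$*" "$report"
        return 0
    fi
    # $report is a fixed string of our own flags; unquoted expansion is intended.
    ausearch "$@" | aureport $report
}

# Typical crontab line (assumed schedule), run as root since the logs are
# root-only:
#   0 7 * * * /usr/local/sbin/admin-access-report.sh
# where the script ends with:   run_report admin-access /home/username
```

Running `DRY_RUN=1 run_report admin-access /home/username` prints the exact pipeline so it can be checked before it goes into a crontab; `stdin_is_pipe` is only there to show the condition the two tools test, and can be used to decide whether a wrapper script was started by cron or by hand.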

Thread overview: 6+ messages
2018-06-25 20:59 auditctl for admin's accessing other user files Skaggs, Nicholas C
2018-06-25 21:16 ` Steve Grubb
2018-06-26 13:22   ` Skaggs, Nicholas C
2018-06-25 21:28 ` Steve Grubb
2018-06-30  2:44   ` warron.french
2018-06-30 13:33     ` Steve Grubb [this message]