From: Steve Grubb <sgrubb@redhat.com>
To: ocakan <ocakan@gmail.com>
Cc: linux-audit@redhat.com
Subject: Re: filtering system calls with auid -1
Date: Wed, 18 Nov 2015 13:33:18 -0500
Message-ID: <1672025.saokxMoU1a@x2>
In-Reply-To: <CAPOnzUa8itgpBfu04odK29QYAL=nSs4RRYYpR-LoX4_q+T2pvg@mail.gmail.com>
On Wednesday, November 18, 2015 03:54:58 PM ocakan wrote:
> Hello Steve!
>
> Thank you for your feedback. Somehow I still do not fully understand how
> the filtering with -F works.
>
> Regarding your questions: commands executed by root user, including
> subshells, subcmds from script are fine for me.
OK.
> I altered my audit.rules as you suggested to the following, no other rules:
> auditctl -l:
You can add a key to this if you like, -F key=root-commands
> -a always,exit -F arch=x86_64 -S execve -F auid>=500 -F auid!=-1 -F uid=0
> -a always,exit -F arch=i386 -S execve -F auid>=500 -F auid!=-1 -F uid=0
>
> I get entries from crond like the following in audit.log:
Cron entries hit the user filter. If you were using selinux, you could write a
rule like this:
-a user,never -F subj_type=crond_t
> type=USER_ACCT msg=audit(1447855321.729:306): user pid=25780 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting
> acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
> res=success'
> type=CRED_ACQ msg=audit(1447855321.731:307): user pid=25780 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
> acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
> res=success'
> type=USER_START msg=audit(1447855321.731:308): user pid=25780 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_open
> acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
> res=success'
> type=CRED_DISP msg=audit(1447855321.739:309): user pid=25780 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:setcred
> acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
> res=success'
> type=USER_END msg=audit(1447855321.739:310): user pid=25780 uid=0
> auid=4294967295 ses=4294967295
> subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:session_close
> acct="root" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron
> res=success'
>
> What I do not get now are commands executed as root user from ptsX/ttyX.
>
> root@myhost ~# cat /etc/passwd # no audit entry
> root@myhost ~# service rsyslog stop # no audit entry
> root@myhost ~# less /var/log/audit/audit.log # no audit entry
> root@myhost ~# iptables -F # NETFILTER_CFG && SYSCALL entry but no EXECVE
> entry
Check to see what your loginuid is:
# cat /proc/self/loginuid
-Steve
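To make the -F evaluation in this thread concrete, here is an added example (not from the thread or from audit's own code) that applies the quoted rule's field filters to audit records the way the kernel compares them: auid is an unsigned 32-bit field, so -1 in the rule means 4294967295 (the "unset" value seen in the crond events). The crond record is modelled on the quoted USER_ACCT event; the two console records are constructed, auid=0 standing for a session whose loginuid is 0 and auid=500 for a loginuid-500 user who has become uid 0.

```python
import re
import shlex

# Rule as posted in the thread (the arch=i386 twin behaves identically).
RULE = "-a always,exit -F arch=x86_64 -S execve -F auid>=500 -F auid!=-1 -F uid=0"

# Constructed sample records (key=value tokens as written to audit.log).
CRON_RECORD = ('type=USER_ACCT msg=audit(1447855321.729:306): user pid=25780 uid=0 '
               'auid=4294967295 ses=4294967295 exe="/usr/sbin/crond"')
CONSOLE_ROOT = ('type=SYSCALL msg=audit(1447855400.000:400): arch=c000003e syscall=59 '
                'uid=0 auid=0 ses=3 tty=tty1')
USER_AS_ROOT = ('type=SYSCALL msg=audit(1447855400.000:401): arch=c000003e syscall=59 '
                'uid=0 auid=500 ses=4 tty=pts0')

OPS = {
    "=": lambda a, b: a == b, "!=": lambda a, b: a != b,
    ">": lambda a, b: a > b, ">=": lambda a, b: a >= b,
    "<": lambda a, b: a < b, "<=": lambda a, b: a <= b,
}

def parse_record(line):
    """Split an audit record into {field: value}; quoted values keep their quotes."""
    return dict(re.findall(r'(\w+)=("[^"]*"|\S+)', line))

def parse_filters(rule):
    """Return (field, operator, value) for every -F option of an auditctl rule."""
    toks = shlex.split(rule)
    out = []
    for i, tok in enumerate(toks[:-1]):
        if tok == "-F":
            field, op, value = re.fullmatch(r'(\w+)(>=|<=|!=|>|<|=)(.*)', toks[i + 1]).groups()
            out.append((field, op, value))
    return out

def to_uint32(value):
    """Compare id fields as the kernel stores them: -1 wraps to 4294967295."""
    return int(value) & 0xFFFFFFFF

def failing_filters(rule, line):
    """List the -F filters the record does not satisfy; empty means the rule would fire."""
    rec = parse_record(line)
    failed = []
    for field, op, want in parse_filters(rule):
        if field == "arch" or field not in rec:
            continue  # arch is matched on the syscall, not on these id fields
        if not OPS[op](to_uint32(rec[field]), to_uint32(want)):
            failed.append((field, op, want))
    return failed

if __name__ == "__main__":
    for name, rec in [("crond", CRON_RECORD), ("auid=0 console", CONSOLE_ROOT),
                      ("auid=500 as root", USER_AS_ROOT)]:
        print(f"{name}: fails {failing_filters(RULE, rec) or 'nothing (rule matches)'}")
```

The crond event is dropped only by `auid!=-1` (4294967295 passes `auid>=500`), while a root session whose `/proc/self/loginuid` is 0 is dropped by `auid>=500`, which is why checking loginuid is the first thing to do.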