From: Steve Grubb <sgrubb@redhat.com>
To: Todd Heberlein <todd_heberlein@mac.com>
Cc: linux-audit@redhat.com
Subject: Re: httpd auid = -1
Date: Thu, 30 Jul 2020 17:41:13 -0400
Message-ID: <1705434.8GvrW9sroV@x2>
In-Reply-To: <87773DC0-7C77-470D-8E13-ED8C217D4C0E@mac.com>
On Thursday, July 30, 2020 2:47:05 PM EDT Todd Heberlein wrote:
> Thanks!
>
> This has some interesting implications regarding attackers coming in
> through a vulnerability in an organization's web services. I’ll have to
> compare what relevant information I can capture in the audit logs vs. what
> is captured in web server logs.
The audit rules are designed to common criteria, STIG, PCI-DSS, etc. To date,
no one has articulated any rules that need to be written against any server.
The rule naming scheme recognizes that this may be a possibility and sets aside
rules that start with 50- specifically for server rules. But with so many
daemons, where to start? And what to monitor?
If you are thinking about intrusion detection, then I have been working on
that problem for a while. There are specific rules that detect specific
actions. But unless you've thought of everything, there is always a hole.
Once they get inside, they probably want to do recon to see what they have to
work with.
-a always,exit -F perm=x -F path=/usr/bin/uname -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/rpm -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/yum -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/dnf -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/w -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/who -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/whoami -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/id -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/netstat -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/ss -F key=ids-recon
-a always,exit -F perm=x -F path=/usr/bin/route -F key=ids-recon
...etc.
But then they might want to use a tool downloaded to escalate. You might be
able to detect them making it executable:
-a exit,always -F arch=b64 -S chmod,fchmod -F dir=/home -F a1&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S fchmodat -F dir=/home -F a2&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S chmod,fchmod -F dir=/tmp -F a1&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S fchmodat -F dir=/tmp -F a2&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S chmod,fchmod -F dir=/var/tmp -F a1&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S fchmodat -F dir=/var/tmp -F a2&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S chmod,fchmod -F dir=/dev/shm -F a1&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
-a exit,always -F arch=b64 -S fchmodat -F dir=/dev/shm -F a2&0111 -F filetype=file -F auid>=1000 -F auid!=-1 -F key=ids-mkexec
There's a lot of rules to add. And this will get noisy because many system
scripts do things that look like recon. Update looks like mkexec.
What I'd recommend is also looking at something like fapolicyd to prevent
execution of any downloaded tools. That will give a bigger signal to noise
ratio than trying to craft some audit rules. Because ultimately, audit can
tell you something was executed. It can't tell you the software doesn't
belong on the system.
-Steve
> > On Jul 30, 2020, at 11:29 AM, Steve Grubb <sgrubb@redhat.com> wrote:
> >
> > On Thursday, July 30, 2020 1:54:09 PM EDT Todd Heberlein wrote:
> >> I've noticed that the httpd process on a CentOS 7.7 system I am working
> >> with is running with an Audit ID of -1. Example ID values are:
> >> auid=4294967295
> >> uid=48
> >> gid=48
> >> ...
> >>
> >> So if I use the standard filter "-F auid!=-1" in the audit rules I do not
> >> see httpd activity.
> >>
> >> Is this common?
> >
> > Yes, this is common. Most people are interested in the actions that
> > people take on the machine rather than normal system functioning.
> >
> >> How do I change the auid to something else, so I can capture the httpd
> >> activity in the audit log?
> >
> > A couple of ways.
> > 1) remove the auid!=-1. That will get you all daemons.
> > 2) Use audit by executable rules:
> > -a always,exit -F arch=b64 -S execve -F exe=/usr/sbin/httpd -F key=httpd-exec
> >
> > -Steve
> >
> >> Example audit line:
> >>
> >> type=SYSCALL msg=audit(1596065566.721:31357): arch=c000003e syscall=2
> >> success=yes exit=15 a0=55a0a2d9b3c0 a1=80000 a2=0 a3=7ffe5d4d6720 items=1
> >> ppid=1130 pid=1253 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48
> >> egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd"
> >> exe="/usr/sbin/httpd" key=(null)
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
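To see why the "-F auid!=-1" filter hides httpd while an exe= rule catches it, here is an added Python example (not from the thread, not part of the audit project) that parses SYSCALL records and emulates the filters discussed above. The field regex, the two non-httpd sample records and the bucket names are this example's own constructions; only the first sample line is the record quoted in the thread.

```python
import re

AUID_UNSET = 4294967295  # the kernel's (unsigned)-1: no login session was ever set
# Assumed record shape: key=value, value bare, "quoted" or (parenthesised)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\([^)]*\)|\S+)')

def parse_record(line):
    """Split one audit record line into a dict of its key=value fields."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}

def auid(rec):
    return int(rec.get("auid", AUID_UNSET))

def matches_uid_only(rec, min_uid=1000):
    """'-F auid>=1000' alone: auid is unsigned, so the -1 sentinel passes this test."""
    return auid(rec) >= min_uid

def matches_user_rule(rec, min_uid=1000):
    """'-F auid>=1000 -F auid!=-1': real login sessions only, daemons excluded."""
    return auid(rec) >= min_uid and auid(rec) != AUID_UNSET

def matches_exe_rule(rec, exe="/usr/sbin/httpd"):
    """'-F exe=/usr/sbin/httpd': keyed on the binary, independent of auid."""
    return rec.get("exe") == exe

def triage(lines):
    """Bucket records the way the two rule styles in the thread would (bucket names are constructed)."""
    out = {"user-session": [], "httpd-exec": [], "unset-auid-daemon": []}
    for rec in map(parse_record, lines):
        if matches_user_rule(rec):
            out["user-session"].append(rec["pid"])
        elif matches_exe_rule(rec):
            out["httpd-exec"].append(rec["pid"])
        elif auid(rec) == AUID_UNSET:
            out["unset-auid-daemon"].append(rec["pid"])
    return out

# First line is the httpd record quoted in the thread; the other two are constructed samples.
SAMPLE_LOG = [
    'type=SYSCALL msg=audit(1596065566.721:31357): arch=c000003e syscall=2 success=yes exit=15 a0=55a0a2d9b3c0 a1=80000 a2=0 a3=7ffe5d4d6720 items=1 ppid=1130 pid=1253 auid=4294967295 uid=48 gid=48 euid=48 suid=48 fsuid=48 egid=48 sgid=48 fsgid=48 tty=(none) ses=4294967295 comm="httpd" exe="/usr/sbin/httpd" key=(null)',
    'type=SYSCALL msg=audit(1596065600.000:31400): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=2000 pid=2001 auid=1000 uid=1000 gid=1000 euid=1000 suid=1000 fsuid=1000 egid=1000 sgid=1000 fsgid=1000 tty=pts0 ses=3 comm="id" exe="/usr/bin/id" key="ids-recon"',
    'type=SYSCALL msg=audit(1596065700.000:31500): arch=c000003e syscall=59 success=yes exit=0 items=2 ppid=1 pid=800 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="crond" exe="/usr/sbin/crond" key=(null)',
]

if __name__ == "__main__":
    for bucket, pids in triage(SAMPLE_LOG).items():
        print(bucket, pids)
```

The httpd record passes a bare auid>=1000 test (4294967295 is a large unsigned value) and is dropped only by the auid!=-1 clause, which is exactly why the exe= rule is the way to see daemon activity.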