public inbox for linux-audit@redhat.com
From: Steve Grubb <sgrubb@redhat.com>
To: "Johnston Mark (UK)" <Mark.Johnston@o2.com>
Cc: linux-audit@redhat.com
Subject: Re: Syscalls
Date: Wed, 28 Feb 2007 08:28:47 -0500
Message-ID: <200702280828.47480.sgrubb@redhat.com>
In-Reply-To: <A21CF1DCE029FB4F83D44EDF747A4BFAB4DEFB@UKSTHMSX006.uk.pri.o2.com>

On Wednesday 28 February 2007 07:23, Johnston Mark (UK) wrote:
> We're trying to setup auditing to match a few policy requirements. The
> ones that I'm struggling with are the following:
>
> 1) Using auditd to check for system start/stop. In "man syscalls" it
> shows shutdown, but auditd doesn't like it when I use this for a system
> call. Would also have been nice to track any time someone uses init.

shutdown is not system shutdown, it's socket shutdown. If this has to be 
tracked, probably the best thing to do is for us to patch init to record 
changes to runlevels.

> 2) Use aureport to show logins (failed and successful).

We patched openssh, login, and gdm to support this. aureport should pick up 
the USER_LOGIN records in the audit logs.

> I've logged into our system with failed and successful tries, and it's
> visible in audit.log, but it doesn't show anything under aureport, the count
> is 0. 

Sounds like your distro is unpatched.

> 3) We're trying to log anytime someone is unsuccessful in doing
> something. We've tried the open command with success!=0 as per the
> example in the man page, but we get a whole bunch of stuff in the logs,
> not the failed attempts

You probably want:

-a always,exit -S open -F exit=-13

the -13 is -EACCES from errno.h.

> 4) We're trying to track all usage by the root user, again we are getting
> a whole bunch of other stuff in the logs, not actions by the user root
> only.

I am still looking at this. I think we need to patch bash for this.

> 5) We are trying to track changes to the system date and time. I've been
> using the example in capp.rules, but all we get is ntpd, not the usage
> of date, which we would like.

We patched hwclock in util-linux to provide an audited way to set time. Going 
forward, I think we should apply a similar patch to coreutils.

-Steve
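Added example, not code from this thread or from the audit project: a small aureport-style summariser in Python that does the counting Mark asked for over a few constructed audit.log lines. AUDIT_RULES is my assumed layout of the rules the thread discusses, with `-F arch=b64`/`b32` qualifiers (auditctl on x86_64 warns about a 32/64-bit mismatch when a syscall rule carries no arch, and only one ABI gets matched), `openat` alongside `open` (modern glibc implements open() with it), `-k` keys so records can be found without knowing syscall numbers, and `-F auid=0` for the root rule, because the login uid survives su and sudo whereas uid=0 would also match every root daemon. The script generalises item 3: it decodes the errno of any failed syscall, not only -13. All log lines and identifiers are constructed for the example.

```python
"""Minimal aureport-style summariser for the audit policy items discussed in
the thread: failed syscalls (errno decoded), logins, time changes and commands
run by root.  Added example, not code from the linux-audit project.
Runs over the constructed audit.log lines embedded below."""
import errno
import re
from collections import defaultdict

# Assumed rule layout (not the thread's own).  arch= keeps auditctl from
# matching a single ABI on x86_64; openat is what glibc's open() really calls;
# -F exit=-13 is -EACCES; auid is the login uid and survives su/sudo.
AUDIT_RULES = """\
-a always,exit -F arch=b64 -S open -S openat -F exit=-13 -k access
-a always,exit -F arch=b32 -S open -S openat -F exit=-13 -k access
-a always,exit -F arch=b64 -S adjtimex -S settimeofday -S clock_settime -k time-change
-a always,exit -F arch=b32 -S adjtimex -S settimeofday -S clock_settime -k time-change
-a always,exit -F arch=b64 -S execve -F auid=0 -k root-cmd
-a always,exit -F arch=b32 -S execve -F auid=0 -k root-cmd
"""

# Constructed sample events (x86_64: syscall 2=open, 164=settimeofday, 59=execve).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1172669327.123:101): arch=c000003e syscall=2 success=no exit=-13 a0=7fff a1=0 a2=0 a3=0 items=1 ppid=2100 pid=2101 auid=500 uid=500 gid=500 euid=500 suid=500 fsuid=500 egid=500 sgid=500 fsgid=500 tty=pts0 comm="cat" exe="/bin/cat" key="access"
type=PATH msg=audit(1172669327.123:101): item=0 name="/etc/shadow" inode=1234 dev=08:01 mode=0100400 ouid=0 ogid=0 rdev=00:00
type=USER_LOGIN msg=audit(1172669400.456:102): user pid=2200 uid=0 auid=500 msg='op=login id=500 exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=/dev/pts/1 res=success'
type=USER_LOGIN msg=audit(1172669401.789:103): user pid=2201 uid=0 auid=4294967295 msg='op=login acct="mark" exe="/usr/sbin/sshd" hostname=192.0.2.10 addr=192.0.2.10 terminal=sshd res=failed'
type=SYSCALL msg=audit(1172669450.111:104): arch=c000003e syscall=164 success=yes exit=0 a0=7fff a1=0 a2=0 a3=0 items=0 ppid=2300 pid=2301 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="date" exe="/bin/date" key="time-change"
type=SYSCALL msg=audit(1172669460.222:105): arch=c000003e syscall=59 success=yes exit=0 a0=7fff a1=0 a2=0 a3=0 items=2 ppid=2300 pid=2302 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="vi" exe="/bin/vi" key="root-cmd"
type=EXECVE msg=audit(1172669460.222:105): argc=2 a0="vi" a1="/etc/sudoers"
"""

RECORD_RE = re.compile(r"^type=(\S+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r"""(\w+)=("(?:[^"\\]|\\.)*"|'[^']*'|\S+)""")
AUID_UNSET = "4294967295"  # auid before any login has been recorded for the task


def parse_fields(text):
    """key=value pairs; USER_* records nest further pairs inside msg='...'."""
    fields = {}
    for key, value in FIELD_RE.findall(text):
        if value.startswith("'") and value.endswith("'"):
            fields.update(parse_fields(value[1:-1]))
        else:
            fields[key] = value.strip('"')
    return fields


def parse_record(line):
    """One audit.log line -> dict, or None for anything that is not a record."""
    m = RECORD_RE.match(line.strip())
    if not m:
        return None
    rtype, ts, serial, body = m.groups()
    rec = {"type": rtype, "ts": float(ts), "serial": int(serial)}
    rec.update(parse_fields(body))
    return rec


def group_events(lines):
    """Records sharing a serial are one event (SYSCALL + PATH + EXECVE ...)."""
    events = defaultdict(list)
    for line in lines:
        rec = parse_record(line)
        if rec:
            events[rec["serial"]].append(rec)
    return events


def errno_name(exit_value):
    """exit=-13 -> 'EACCES'; unknown values are returned unchanged."""
    return errno.errorcode.get(-int(exit_value), exit_value)


def summarize(lines):
    report = {"logins": [], "failed_logins": [], "failed_syscalls": [],
              "time_changes": [], "root_commands": []}
    events = group_events(lines)
    for serial in sorted(events):
        # last record of each type wins; for PATH that is the target itself
        by_type = {r["type"]: r for r in events[serial]}
        login = by_type.get("USER_LOGIN")
        if login:
            who = login.get("acct") or login.get("id")
            bucket = "logins" if login.get("res") == "success" else "failed_logins"
            report[bucket].append((who, login.get("addr")))
        sc = by_type.get("SYSCALL")
        if not sc:
            continue
        auid = "unset" if sc.get("auid") == AUID_UNSET else sc.get("auid")
        if sc.get("success") == "no":
            path = by_type.get("PATH", {}).get("name")
            report["failed_syscalls"].append((auid, sc.get("comm"), errno_name(sc["exit"]), path))
        key = sc.get("key")
        if key == "time-change":
            report["time_changes"].append((auid, sc.get("comm")))
        elif key == "root-cmd":
            ex = by_type.get("EXECVE", {})
            argv = [ex.get(f"a{i}", "") for i in range(int(ex.get("argc", 0)))]
            report["root_commands"].append((auid, " ".join(argv)))
    return report


if __name__ == "__main__":
    for section, rows in summarize(SAMPLE_LOG.splitlines()).items():
        print(f"{section}: {len(rows)}")
        for row in rows:
            print("   ", row)
```

Joining records on the serial number is the part aureport does for you and ad hoc grep does not: the EACCES is on the SYSCALL record but the file name is on the PATH record, and root's command line is on the EXECVE record, so a rule on `open` alone only tells you that something was refused. If your distro's login programs are unpatched, as Steve suspects, the USER_LOGIN section stays at 0 no matter what rules are loaded, because those records come from the login program, not from a syscall rule.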

Thread overview: 13+ messages
2007-02-27  8:25 New to audit. Need help configuring audit to meet NISPOM req's Fields, Randy (Space Technology)
2007-02-28  3:00 ` Steve Grubb
2007-02-28 11:02   ` Johnston Mark (UK)
2007-02-28 11:07     ` Syscalls Johnston Mark (UK)
2007-02-28 11:43       ` Syscalls Steve Grubb
2007-02-28 12:23         ` Syscalls Johnston Mark (UK)
2007-02-28 12:25           ` Syscalls Marcus Meissner
2007-02-28 13:28           ` Steve Grubb [this message]
2007-02-28 14:53             ` Syscalls Valdis.Kletnieks
2007-02-28 15:25               ` Syscalls Steve Grubb
2007-02-28 19:24                 ` Syscalls James W. Hoeft
2007-02-28 15:17             ` Syscalls Steve Grubb
2007-03-01  2:41           ` Syscalls Steve Grubb
