* Audit rules keys
From: Henning, Arthur C. (CSL) @ 2007-08-21 15:21 UTC
To: linux-audit
Using system-config-audit getting key (-k) configuration errors when
saving changes.
[root@localhost ~]# Stopping auditd: [ OK ]
Starting auditd: [ OK ]
key option needs a watch or syscall given prior to it
There was an error in line 9 of /etc/audit/audit.rules
cat /etc/audit/audit.rules
-e 1
-f 2
-b 8192
-r 0

-D
-a entry,always -S adjtimex -S settimeofday
-a entry,always -S clock_settime
-a entry,always -k kill -S kill
-a exit,always -k system-locale -S sethostname
-a exit,always -F exit=-13 -k creation -S creat -S mkdir -S mknod -S link -S symlink
-a exit,always -F exit=-13 -k creation -S mkdirat -S mknodat -S linkat -S symlinkat
If I remove the key from line 9 and save, get error reported line 10,
etc.
Started with NISPOM.rules contrib file.
Art Henning (CSL)
Enterprise IT Solutions
Northrop Grumman Corp
art.henning@ngc.com
* Re: Audit rules keys
From: Linda Knippers @ 2007-08-21 15:39 UTC
To: Henning, Arthur C. (CSL); +Cc: linux-audit
Henning, Arthur C. (CSL) wrote:
> Using system-config-audit getting key (-k) configuration errors when
> saving changes.
>
> [root@localhost ~]# Stopping auditd: [ OK ]
> Starting auditd: [ OK ]
> key option needs a watch or syscall given prior to it
This is telling you that the -k flag needs to be after a -S
flag. I don't know why the order matters but apparently it does.
> There was an error in line 9 of /etc/audit/audit.rules
> cat /etc/audit/audit.rules
> -e 1
> -f 2
> -b 8192
> -r 0
>
> -D
> -a entry,always -S adjtimex -S settimeofday
> -a entry,always -S clock_settime
> -a entry,always -k kill -S kill
try:
-a entry,always -S kill -k kill
And for the rest, move the -k stuff to the end.
> -a exit,always -k system-locale -S sethostname
> -a exit,always -F exit=-13 -k creation -S creat -S mkdir -S mknod -S link -S symlink
> -a exit,always -F exit=-13 -k creation -S mkdirat -S mknodat -S linkat -S symlinkat
>
> If I remove the key from line 9 and save, get error reported line 10,
> etc.
>
> Started with NISPOM.rules contrib file.
Are the options in the wrong order in the contrib file too?
The draft I saw posted for comments was in the correct order
but I haven't looked at what's currently shipped.
-- ljk
>
> Art Henning (CSL)
> Enterprise IT Solutions
> Northrop Grumman Corp
> art.henning@ngc.com
* Re: Audit rules keys
From: Steve Grubb @ 2007-08-21 15:55 UTC
To: linux-audit
On Tuesday 21 August 2007 11:39:51 Linda Knippers wrote:
> > Using system-config-audit getting key (-k) configuration errors when
> > saving changes.
> >
> > [root@localhost ~]# Stopping auditd: [ OK ]
> > Starting auditd: [ OK ]
> > key option needs a watch or syscall given prior to it
>
> This is telling you that the -k flag needs to be after a -S
> flag. I don't know why the order matters but apparently it does.
Correct. It matters because originally keys were only associated with watches.
So, I needed the rule writer to declare that this is going to be a syscall or
watch rule so that I can error check appropriately.
Keys do not apply to rules like -b or -e, so I still want to see the rule
type ahead of a key option so that errors are caught.
-Steve
* RE: Audit rules keys
From: Henning, Arthur C. (CSL) @ 2007-08-21 16:09 UTC
To: Steve Grubb, linux-audit
Here is what I am finding:
Copy NISPOM.rules to /etc/audit/audit.rules
Sample entries:
-a entry,always -S adjtimex -S settimeofday -k time-change
-w /etc/localtime -p wa -k time-change
-a exit,always -S sethostname -k system-locale
-w /etc/issue -p wa -k system-locale
-w /etc/issue.net -p wa -k system-locale
-w /etc/hosts -p wa -k system-locale
-w /etc/sysconfig/network -p wa -k system-locale
Using system-config-audit, I create a rule for the SYSCALL kill with a key of kill
"Save" the configuration.
Get the described error.
The audit.rules now is configured:
-e 1
-f 2
-b 8192
-r 0
-D
-a entry,always -k kill -S kill
-a entry,always -k time-change -S adjtimex -S settimeofday
-a exit,always -k system-locale -S sethostname
-a exit,always -F exit=-13 -k creation -S creat -S mkdir -S mknod -S link -S symlink
-a exit,always -F exit=-13 -k creation -S mkdirat -S mknodat -S linkat -S symlinkat
-a exit,always -F exit=-13 -k open -S open
-a exit,always -F exit=-13 -k open -S openat
-a exit,always -F exit=-13 -k close -S close
-a exit,always -F exit=-13 -k mods -S rename -S truncate -S ftruncate
-a exit,always -F exit=-13 -k mods -S renameat
-a exit,always -p a -F exit=-13 -k mods -S all
-a exit,always -p a -F exit=-1 -k mods -S all
-a exit,always -F exit=-13 -k delete -S rmdir -S unlink
-a exit,always -F exit=-13 -k delete -S unlinkat
-w /etc/localtime -p wa -k time-change -S all
-w /etc/issue -p wa -k system-locale -S all
-w /etc/issue.net -p wa -k system-locale -S all
-w /etc/hosts -p wa -k system-locale -S all
-w /etc/sysconfig/network -p wa -k system-locale -S all
-w /var/log/faillog -p wa -k logins -S all
-w /var/log/lastlog -p wa -k logins -S all
-w /var/log/messages -p wa -k logins -S all
-w /var/log/wtmp -p wa -k logins -S all
-w /var/log/authlog -p wa -k logins -S all
-w /var/log/tallylog -p wa -k logins -S all
-w /etc/group -p wa -k auth -S all
-w /etc/passwd -p wa -k auth -S all
-w /etc/gshadow -p wa -k auth -S all
-w /etc/shadow -p wa -k auth -S all
-w /etc/login.defs -p wa -k auth -S all
-w /etc/security/opasswd -p wa -k auth -S all
-w /var/log/audit/audit.log -k audit-logs -S all
-w /var/log/audit/audit.log.1 -k audit-logs -S all
-w /var/log/audit/audit.log.2 -k audit-logs -S all
-w /var/log/audit/audit.log.3 -k audit-logs -S all
-w /var/log/audit/audit.log.4 -k audit-logs -S all
-w /var/log/audit/audit.log.5 -k audit-logs -S all
-w /var/log/audit/audit.log.6 -k audit-logs -S all
-w /var/log/audit/audit.log.7 -k audit-logs -S all
-w /etc/audit/auditd.conf -k audit-conf -S all
-w /etc/audit/audit.rules -k audit-conf -S all
Would appear the system-config-audit GUI is rewriting the entire rule file then complaining it's not configured correctly.
Art Henning (CSL)
Enterprise IT Solutions
Northrop Grumman Corp
art.henning@ngc.com
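An added example, not code from the thread or from the audit package, covering both Steve's explanation of why auditctl wants the rule type before the key and the misordered file system-config-audit wrote out above: a small Python checker that approximates the check behind the quoted error (a -k is accepted only once the same line has already declared a -w or a -S) and rewrites the offending lines by moving the key to the end of the line, as Linda suggested. The function names, the error bookkeeping and the sample rule text (reconstructed from the file Art posted, with the blank line after "-r 0" that his "error in line 9" implies) are this example's own assumptions; only the error wording is taken from auditctl's output in the thread.

```python
"""Check and normalise audit.rules lines for auditctl's -k ordering.

Added example, not code from the linux-audit project.  It approximates the
check behind the error quoted in this thread: a -k option is only accepted
once the same line has already declared a watch (-w) or a syscall (-S).
Function names and the sample rule text are this example's own.
"""
import shlex
import sys

# Wording of the auditctl error quoted in the thread.
KEY_ERR = "key option needs a watch or syscall given prior to it"

# Constructed sample: the audit.rules Art posted, with the blank line after
# "-r 0" that his "error in line 9" implies (and that Linda's quote shows).
SAMPLE_RULES = """\
-e 1
-f 2
-b 8192
-r 0

-D
-a entry,always -S adjtimex -S settimeofday
-a entry,always -S clock_settime
-a entry,always -k kill -S kill
-a exit,always -k system-locale -S sethostname
-a exit,always -F exit=-13 -k creation -S creat -S mkdir -S mknod -S link -S symlink
-a exit,always -F exit=-13 -k creation -S mkdirat -S mknodat -S linkat -S symlinkat
"""


def check_key_order(line):
    """Return None if the line is acceptable, else an error string.

    Only the -k ordering is modelled; auditctl performs many other checks
    that this example does not reproduce.
    """
    try:
        toks = shlex.split(line, comments=True)
    except ValueError as exc:          # unbalanced quotes
        return "unbalanced quoting: %s" % exc
    rule_declared = False              # has a -w or -S been seen yet?
    for tok in toks:
        if tok in ("-w", "-S"):
            rule_declared = True
        elif tok == "-k" and not rule_declared:
            return KEY_ERR
    return None


def lint_rules(text):
    """Return [(line_number, error)] for every offending line in text."""
    errors = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        err = check_key_order(line)
        if err is not None:
            errors.append((lineno, err))
    return errors


def normalize_rule(line):
    """Move every '-k KEY' pair to the end of the line, keeping the rest in order."""
    toks = shlex.split(line, comments=True)
    keys, rest = [], []
    i = 0
    while i < len(toks):
        if toks[i] == "-k" and i + 1 < len(toks):
            keys.extend(toks[i:i + 2])
            i += 2
        else:
            rest.append(toks[i])
            i += 1
    return shlex.join(rest + keys)


def normalize_rules(text):
    """Rewrite only the lines the key check rejects; leave everything else as-is."""
    out = []
    for line in text.splitlines():
        out.append(normalize_rule(line) if check_key_order(line) == KEY_ERR else line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python audit_rules_keys.py [/etc/audit/audit.rules]; with no
    # argument the constructed sample is checked and its fixed form printed.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RULES
    for lineno, err in lint_rules(text):
        print("%s\nThere was an error in line %d" % (err, lineno))
    sys.stdout.write(normalize_rules(text))
```

Run against the sample it reports lines 9 through 12, which matches the "line 9, then line 10, etc." sequence Art saw; the rewritten file passes the check because each key now follows its -S list. Watches written as "-w ... -k key" already pass, since -w precedes the key.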
* Re: Audit rules keys
From: Steve Grubb @ 2007-08-21 16:46 UTC
To: Henning, Arthur C. (CSL); +Cc: linux-audit
On Tuesday 21 August 2007 12:09:28 Henning, Arthur C. (CSL) wrote:
> Would appear the system-config-audit GUI is rewriting the entire rule file
> then complaining it's not configured correctly.
Yes, it's re-writing the rules. But it's probably auditctl that's complaining.
Thanks for the feedback on this tool. I believe this is the first we've had
so far. This tool is available for Fedora, but I have not enabled it on RHEL
yet.
-Steve