From: "Brennan, William C"
Subject: auditing files which are executed?
Date: Fri, 18 Jan 2008 17:45:42 -0500
To: linux-audit@redhat.com

Okay, I'm a newbie, so excuse this question if the answer seems obvious.

I've looked at auditctl to see how it can help us audit several different conditions, but I can't figure out how to do the following:

How do I configure parameters for auditctl to make an audit record every time a file is executed?

William C. Brennan
Cube 4929, M1225
Lockheed Martin
Valley Forge, PA
610-354-6960
From: Matthew Booth
Subject: Re: auditing files which are executed?
Date: Fri, 18 Jan 2008 22:49:38 +0000
To: "Brennan, William C"
Cc: linux-audit@redhat.com

Brennan, William C wrote:
> Okay, I'm a newbie, so excuse this question if the answer seems obvious.
>
> I've looked at auditctl to see how it can help us audit several
> different conditions, but I can't figure out how to do the following:
>
> How do I configure parameters for auditctl to make an audit record every
> time a file is executed?
>

On i386:
-a entry,always -F arch=i386 -S execve

On x86_64, you need the above in addition to:
-a entry,always -F arch=x86_64 -S execve

Matt
-- 
Matthew Booth, RHCA, RHCSS
Red Hat, Global Professional Services
M: +44 (0)7977 267231
GPG ID: D33C3490
GPG FPR: 3733 612D 2D05 5458 8A8A 1600 3441 EA19 D33C 3490


From: "Brennan, William C"
Subject: RE: auditing files which are executed?
Date: Fri, 18 Jan 2008 18:32:57 -0500
To: linux-audit@redhat.com

Matthew Booth wrote:
> Brennan, William C wrote:
> > How do I configure parameters for auditctl to make an audit record every
> > time a file is executed?
> >
>
> On i386:
> -a entry,always -F arch=i386 -S execve
>
> On x86_64, you need the above in addition to:
> -a entry,always -F arch=x86_64 -S execve

Okay, that's valuable, but I see I did not describe my problem precisely enough. Let me try this again.

How do I configure parameters for auditctl to make an audit record every time a PARTICULAR file is executed? Is there a way to do this? Or is the only way to report on this information by collecting auditing for all executed files (as given, above), and then to filter more accurately using "ausearch -f filename"?

-- Bill


From: Steve Grubb
Subject: Re: auditing files which are executed?
Date: Fri, 18 Jan 2008 21:02:48 -0500
To: linux-audit@redhat.com

On Friday 18 January 2008 18:32:57 Brennan, William C wrote:
> Okay, that's valuable, but I see I did not describe my problem precisely
> enough. Let me try this again. How do I configure parameters for
> auditctl to make an audit record every time a PARTICULAR file is
> executed?

You use file watches:

auditctl -w /usr/sbin/stunnel -p x -k my-file-is-executed

There are examples of this in the CAPP & LSPP rules. You can find this by 'rpm -ql audit | grep lspp'

-Steve


From: "Brennan, William C"
Subject: RE: auditing files which are executed?
Date: Mon, 21 Jan 2008 12:08:17 -0500
To: linux-audit@redhat.com

Steve Grubb wrote:
>
> You use file watches:
>
> auditctl -w /usr/sbin/stunnel -p x -k my-file-is-executed
>
> There are examples of this in the CAPP & LSPP rules. You can find this
> by 'rpm -ql audit | grep lspp'

Thanks Steve. I completely overlooked the example files.

-- Bill
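Added example, not from the thread and not part of the audit package: a small Python correlator that groups raw audit.log records by event serial and reports executions of one file, either by the PATH name (the post-hoc "audit all execve, then ausearch -f" route Bill describes) or by the key from Steve's watch rule. The log lines are constructed to resemble auditd output for the rules quoted above; the arch values and syscall numbers are the real ones for x86_64 and i386.

```python
# Added example, not code from the thread or the audit package: group raw
# audit.log records into events and report executions of one file, the
# post-hoc equivalent of `ausearch -f /usr/sbin/stunnel` or `ausearch -k key`.
import re
from collections import defaultdict

# Constructed sample, shaped like auditd output for the rules in the thread:
# 201 hit the watch (-w /usr/sbin/stunnel -p x -k my-file-is-executed), 202 is
# an unrelated x86_64 execve, 203 an i386 execve caught only by "-S execve".
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1200700800.123:201): arch=c000003e syscall=59 success=yes exit=0 uid=0 comm="stunnel" exe="/usr/sbin/stunnel" key="my-file-is-executed"
type=EXECVE msg=audit(1200700800.123:201): argc=2 a0="stunnel" a1="/etc/stunnel/stunnel.conf"
type=PATH msg=audit(1200700800.123:201): item=0 name="/usr/sbin/stunnel" inode=1234 mode=0100755 nametype=NORMAL
type=SYSCALL msg=audit(1200700800.124:202): arch=c000003e syscall=59 success=yes exit=0 uid=1000 comm="ls" exe="/bin/ls" key=(null)
type=PATH msg=audit(1200700800.124:202): item=0 name="/bin/ls" inode=5678 mode=0100755 nametype=NORMAL
type=SYSCALL msg=audit(1200700800.125:203): arch=40000003 syscall=11 success=yes exit=0 uid=1000 comm="stunnel" exe="/usr/sbin/stunnel" key=(null)
type=PATH msg=audit(1200700800.125:203): item=0 name="/usr/sbin/stunnel" inode=1234 mode=0100755 nametype=NORMAL
"""

# execve syscall number per audit arch value (x86_64 and i386, as in the thread)
EXECVE_NR = {"c000003e": "59", "40000003": "11"}
_MSG = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
_FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_records(text):
    """Map event serial -> list of records; each record is a dict of fields."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = _MSG.search(line)
        if not m:
            continue  # not an audit record
        rec = {k: v.strip('"') for k, v in _FIELD.findall(line)}
        rec["_ts"], rec["_serial"] = m.group(1), int(m.group(2))
        events[rec["_serial"]].append(rec)
    return dict(events)


def exec_events_for(text, path=None, key=None):
    """(serial, uid, exe) for execve events whose PATH record names `path`
    or whose SYSCALL record carries audit key `key`."""
    hits = []
    for serial, recs in sorted(parse_records(text).items()):
        sysc = next((r for r in recs if r["type"] == "SYSCALL"), None)
        if sysc is None or sysc.get("syscall") != EXECVE_NR.get(sysc.get("arch")):
            continue  # not an execve on a known arch
        names = {r.get("name") for r in recs if r["type"] == "PATH"}
        if (path is not None and path in names) or (key is not None and sysc.get("key") == key):
            hits.append((serial, int(sysc.get("uid", -1)), sysc.get("exe")))
    return hits
```

Real audit.log events carry more fields and usually a PARENT PATH record alongside the NORMAL one; the parser keeps every field but only consults the few it needs.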