* NISPOM Auditing
From: Mathis, Jim @ 2008-05-22 20:28 UTC (permalink / raw)
To: linux-audit
Hello,
I need to log file edit attempts when a user doesn't have permission to
edit a specific file. For example, a non-root user attempts to edit
"/var/log/audit/audit.log" which has a permission setting of 640.
Although the user won't be able to edit the file (permission denied) -
I'd still like to log the attempt. Here's a snippet of my audit.rules
file:
## unsuccessful creation
-a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13 -k creation
-a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13 -k creation
## unsuccessful open
-a exit,always -S open -F exit=-13 -k open
## unsuccessful close
-a exit,always -S close -F exit=-13 -k close
## unsuccessful modifications
-a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
-a exit,always -S renameat -F exit=-13 -k mods
## unsuccessful deletion
-a exit,always -S rmdir -S unlink -F exit=-13 -k delete
-a exit,always -S unlinkat -F exit=-13 -k delete
## unauthorized change directory (cd)
-a exit,always -S chdir -F path=/var/log/audit -k evil2-cd
## Watch Files
-w /var/log/audit/audit.log -p rwxa -k audit-log2
Thanks
-Jim
* Re: NISPOM Auditing
From: Steve Grubb @ 2008-05-22 21:19 UTC (permalink / raw)
To: linux-audit
On Thursday 22 May 2008 16:28:41 Mathis, Jim wrote:
> I need to log file edit attempts when a user doesn't have permission to
> edit a specific file. For example, a non-root user attempts to edit
> "/var/log/audit/audit.log" which has a permission setting of 640.
> Although the user won't be able to edit the file (permission denied) -
> I'd still like to log the attempt. Here's a snippet of my audit.rules
> file:
Have you looked at the latest nispom.rules file in the audit package? I have a
set of rules that should meet NISPOM requirements. If it doesn't I'd like to
know what is wrong with it so we can fix it. This set of rules looks similar
to it, but there are differences. The main difference is adding -F arch= to
each syscall rule to make sure the numbers are correct.
> ## unsuccessful creation
>
> -a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13 -k creation
>
> -a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13 -k creation
-a exit,always -F arch=b32 -S creat -S mkdir -S mknod -S link -S symlink -F exit=-EACCES -k creation
-a exit,always -F arch=b64 -S creat -S mkdir -S mknod -S link -S symlink -F exit=-EACCES -k creation
-a exit,always -F arch=b32 -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-EACCES -k creation
-a exit,always -F arch=b64 -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-EACCES -k creation
> ## unsuccessful open
>
> -a exit,always -S open -F exit=-13 -k open
-a exit,always -F arch=b32 -S open -F exit=-EACCES -k open
-a exit,always -F arch=b64 -S open -F exit=-EACCES -k open
-a exit,always -F arch=b32 -S open -F exit=-EPERM -k open
-a exit,always -F arch=b64 -S open -F exit=-EPERM -k open
> ## unsuccessful close
>
> -a exit,always -S close -F exit=-13 -k close
>
> ## unsuccessful modifications
>
> -a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
>
> -a exit,always -S renameat -F exit=-13 -k mods
>
> ## unsuccessful deletion
>
> -a exit,always -S rmdir -S unlink -F exit=-13 -k delete
>
> -a exit,always -S unlinkat -F exit=-13 -k delete
>
> ## unauthorized change directory (cd)
>
> -a exit,always -S chdir -F path=/var/log/audit -k evil2-cd
:)
> ## Watch Files
>
> -w /var/log/audit/audit.log -p rwxa -k audit-log2
This rule only watches one file. There could be more. You might want a rule
like:
-w /var/log/audit -k audit-logs
-Steve
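The fix Steve describes above (an explicit -F arch=b32 and -F arch=b64 copy of every syscall rule, and symbolic errno names instead of bare numbers) is mechanical enough to script. The following is an added example for this thread, not a tool from the audit package: it reads an audit.rules fragment, splits each arch-less syscall rule into a b32/b64 pair, rewrites `exit=-13` as `exit=-EACCES` via Python's errno table, and lints for rules that still lack an arch filter. The only input is the rule fragment Jim posted; the function and constant names are my own.

```python
"""Normalize an audit.rules fragment the way Steve's reply suggests:
every syscall rule gets an explicit -F arch=b32 / -F arch=b64 pair and
numeric -F exit= values are rewritten as symbolic errno names.
Added example for this thread, not a tool shipped with the audit package."""
import errno
import shlex

# Rules quoted from Jim's mail above (the fragment under test).
JIM_RULES = """\
## unsuccessful creation
-a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13 -k creation
-a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13 -k creation
## unsuccessful open
-a exit,always -S open -F exit=-13 -k open
## Watch Files
-w /var/log/audit/audit.log -p rwxa -k audit-log2
"""


def symbolic_exit(value):
    """'exit=-13' -> 'exit=-EACCES'; anything that is not a numeric exit
    filter (other -F fields, an already symbolic name) comes back unchanged."""
    key, sep, num = value.partition("=")
    if key != "exit" or not sep:
        return value
    try:
        n = int(num)
    except ValueError:
        return value
    name = errno.errorcode.get(abs(n))
    if name is None:
        return value
    return f"exit={'-' if n < 0 else ''}{name}"


def normalize_rule(line):
    """Return the line(s) that replace one audit.rules line.

    Comments, blank lines and non-syscall rules (-w watches, -D, -b ...)
    pass through untouched.  A syscall rule that already carries -F arch=
    is kept as one rule; one without it is split into a b32 and a b64 copy,
    because a bare -S name resolves to a different number in each table.
    """
    text = line.strip()
    if not text or text.startswith("#"):
        return [text]
    argv = shlex.split(text)
    if argv[:1] != ["-a"] or "-S" not in argv:
        return [text]
    has_arch = False
    out = []
    i = 0
    while i < len(argv):
        if argv[i] == "-F" and i + 1 < len(argv):
            field = argv[i + 1]
            has_arch = has_arch or field.startswith("arch=")
            out += ["-F", symbolic_exit(field)]
            i += 2
        else:
            out.append(argv[i])
            i += 1
    if has_arch:
        return [" ".join(out)]
    # Put the arch filter right after "-a action,list" so it precedes every -S.
    head, tail = out[:2], out[2:]
    return [" ".join(head + ["-F", f"arch={a}"] + tail) for a in ("b32", "b64")]


def normalize_rules(text):
    """Normalize a whole rules file (as a string) into a list of lines."""
    result = []
    for line in text.splitlines():
        result.extend(normalize_rule(line))
    return result


def rules_missing_arch(text):
    """Lint: syscall rules that specify -S but carry no -F arch= filter."""
    return [r for r in (ln.strip() for ln in text.splitlines())
            if r.startswith("-a ") and " -S " in f" {r} " and "arch=" not in r]


if __name__ == "__main__":
    print("\n".join(normalize_rules(JIM_RULES)))
```

Run it over a copy of audit.rules before loading with `auditctl -R`; the lint list should be empty once every syscall rule has its arch pair, which is the state the shipped nispom.rules is in.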
* RE: NISPOM Auditing
From: corbin @ 2008-05-27 14:00 UTC (permalink / raw)
To: 'Steve Grubb', linux-audit
Can these rules apply to RHEL4 or just RHEL5? I, too, have to create a
NISPOM compliant network and have written scripts to do so. However, I am
just exploring the audit.rules settings in RHEL and wanted to know if these
changes are particular to a specific version of Red Hat.
Thanks!
Starr
* Re: NISPOM Auditing
From: Steve Grubb @ 2008-05-27 14:19 UTC (permalink / raw)
To: corbin; +Cc: linux-audit
On Tuesday 27 May 2008 10:00:19 corbin wrote:
> Can these rules apply to RHEL4 or just RHEL5?
The rules are different between RHEL4 and 5. RHEL5 has more syscalls than 4
did. It also has more options in auditctl & kernel to make rules capture just
the required data. Some things you simply can't express in RHEL4. For
example, the ability to audit only users (auid>=500) rather than everything
including daemons. For RHEL4, you can get everything required for NISPOM, but
you depend more on the reduction tools and eat more disk space doing so.
> However, I am just exploring the audit.rules settings in RHEL and wanted to
> know if these changes are particular to a specific version of Red Hat.
I believe that RHEL4 has a nispom.rules file also. It has not been updated in
quite a while, but it should be a good starting point. It probably needs
updating for arch=b32 and 64 so that biarch machines get the right syscalls
being audited.
-Steve
* NISPOM Auditing
From: Mathis, Jim @ 2008-05-21 16:01 UTC (permalink / raw)
To: linux-audit
Hello,
Is there a way to setup a watch log to report if a user attempted to
"cd" to a directory that they didn't have permission to access. I have
watch logs in place but it doesn't seem to report when a "cd" is
attempted and permission is denied. Thanks.
-Jim
* Re: NISPOM Auditing
From: Steve Grubb @ 2008-05-21 17:14 UTC (permalink / raw)
To: linux-audit
On Wednesday 21 May 2008 12:01:52 Mathis, Jim wrote:
> Is there a way to setup a watch log to report if a user attempted to
> "cd" to a directory that they didn't have permission to access.
No, a watch applies to file ops and not the chdir syscall. However, you can
create a syscall audit rule that works sometimes:
-a always,exit -S chdir -F path=/dir/dir1/dir2 -k evil-cd
This will catch the case where they have permission to cd into that directory.
But if they don't have permission to go beyond dir in the above example, then
you have to resort to something more like:
-a always,exit -S chdir -F exit=-EACCES -k evil-cd
Which gets it and every other cd that fails due to permissions. This is
because the path lookup inside the kernel never completes due to permissions,
so the audit system has no full path to check against. You can cut down the
false positives by adding -F auid>=500. And also use the -F arch=b32 and
b64 for biarch systems.
-Steve
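Steve's fallback rule (`-S chdir -F exit=-EACCES`, narrowed with `-F auid>=500` and an arch filter) produces SYSCALL records with no usable PATH record, so the reduction has to work from the SYSCALL fields alone. The following is an added example, not code from the thread or the audit package: a small reducer that parses raw audit.log records and keeps only denied chdir calls made by logged-in users, decoding the syscall number per arch so that a 32-bit process on a biarch box is recognised and a same-numbered call on the other ABI is not. The sample records are constructed for the example (field layout follows audit.log; the chdir numbers 80 for x86_64 and 12 for i386 come from the kernel's x86 syscall tables); the function names are my own.

```python
"""Reduce raw audit SYSCALL records to 'a real user failed to cd somewhere'.
Added example for this thread, not part of the audit package.  The records
below are constructed for the example; field layout follows audit.log."""
import re

# chdir's number in the two x86 syscall tables, keyed by the arch= value the
# kernel logs (AUDIT_ARCH_X86_64 and AUDIT_ARCH_I386).  Same number, different
# ABI, different syscall: that is why -F arch= belongs on every -S rule.
CHDIR_NR = {"c000003e": 80, "40000003": 12}
AUID_UNSET = 4294967295          # (unsigned)-1: login uid never set (daemons)
EACCES = -13

SAMPLE_RECORDS = [  # constructed sample data
    # user 500, x86_64 chdir denied -> report
    'type=SYSCALL msg=audit(1211491200.101:501): arch=c000003e syscall=80 success=no exit=-13 '
    'a0=1a2b a1=0 a2=0 a3=0 items=0 ppid=2000 pid=2001 auid=500 uid=500 gid=500 euid=500 '
    'tty=pts0 ses=3 comm="bash" exe="/bin/bash" key="evil-cd"',
    # user 501 in a 32-bit shell on the same box: syscall=12 is chdir on i386 -> report
    'type=SYSCALL msg=audit(1211491200.202:502): arch=40000003 syscall=12 success=no exit=-13 '
    'a0=3c4d a1=0 a2=0 a3=0 items=0 ppid=2100 pid=2101 auid=501 uid=501 gid=501 euid=501 '
    'tty=pts1 ses=4 comm="sh" exe="/bin/sh" key="evil-cd"',
    # x86_64 syscall=12 is a different call; keying on the number alone would miscount it -> ignore
    'type=SYSCALL msg=audit(1211491200.303:503): arch=c000003e syscall=12 success=no exit=-13 '
    'a0=0 a1=0 a2=0 a3=0 items=0 ppid=2200 pid=2201 auid=500 uid=500 gid=500 euid=500 '
    'tty=pts0 ses=3 comm="ld" exe="/usr/bin/ld" key="evil-cd"',
    # daemon with no login uid: exactly the noise -F auid>=500 removes -> ignore
    'type=SYSCALL msg=audit(1211491200.404:504): arch=c000003e syscall=80 success=no exit=-13 '
    'a0=5e6f a1=0 a2=0 a3=0 items=0 ppid=1 pid=900 auid=4294967295 uid=0 gid=0 euid=0 '
    'tty=(none) ses=4294967295 comm="cron" exe="/usr/sbin/cron" key="evil-cd"',
]

HEADER_RE = re.compile(r"^type=(\w+) msg=audit\(([\d.]+):(\d+)\): (.*)$")
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line):
    """Split one raw audit record into a dict of its fields (quotes stripped)."""
    m = HEADER_RE.match(line)
    if not m:
        return None
    rec = {"type": m.group(1), "time": float(m.group(2)), "serial": int(m.group(3))}
    for key, val in FIELD_RE.findall(m.group(4)):
        rec[key] = val.strip('"')
    return rec


def failed_user_chdirs(lines, min_auid=500):
    """Return the SYSCALL records that are a denied chdir by a logged-in user.

    Applies, after the fact, the same filter as the rule
      -a always,exit -F arch=b32/b64 -S chdir -F exit=-EACCES -F auid>=500
    from the reply above.  No PATH record is consulted: when the lookup
    fails on permissions the kernel never produced a full path to log.
    """
    hits = []
    for line in lines:
        rec = parse_record(line)
        if rec is None or rec["type"] != "SYSCALL":
            continue
        if rec.get("success") != "no" or int(rec.get("exit", "0")) != EACCES:
            continue
        if CHDIR_NR.get(rec.get("arch")) != int(rec.get("syscall", "-1")):
            continue                      # not chdir on this ABI
        auid = int(rec.get("auid", AUID_UNSET))
        if auid == AUID_UNSET or auid < min_auid:
            continue                      # daemon / system-account noise
        hits.append({"serial": rec["serial"], "auid": auid, "pid": int(rec["pid"]),
                     "comm": rec.get("comm"), "key": rec.get("key")})
    return hits


if __name__ == "__main__":
    for hit in failed_user_chdirs(SAMPLE_RECORDS):
        print(hit)
```

Feed it the output of `ausearch -k evil-cd --raw` (or the audit.log lines directly) and it reports serials 501 and 502 for the sample above; the third record is dropped because 12 is not chdir on x86_64, the fourth because its auid is unset.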