public inbox for linux-audit@redhat.com
* NISPOM Auditing
From: Mathis, Jim @ 2008-05-21 16:01 UTC (permalink / raw)
  To: linux-audit

Hello,
 
Is there a way to setup a watch log to report if a user attempted to
"cd" to a directory that they didn't have permission to access. I have
watch logs in place but it doesn't seem to report when a "cd" is
attempted and permission is denied. Thanks.
 
-Jim


* Re: NISPOM Auditing
From: Steve Grubb @ 2008-05-21 17:14 UTC (permalink / raw)
  To: linux-audit

On Wednesday 21 May 2008 12:01:52 Mathis, Jim wrote:
> Is there a way to setup a watch log to report if a user attempted to
> "cd" to a directory that they didn't have permission to access.

No, a watch applies to file ops and not the chdir syscall. However, you can 
create a syscall audit rule that works sometimes:

-a always,exit -S chdir -F path=/dir/dir1/dir2 -k evil-cd

This will catch the case where they have permission to cd into that directory. 
But if they don't have permission to go beyond dir in the above example, then 
you have to resort to something more like:

-a always,exit -S chdir -F exit=-EACCES -k evil-cd

Which gets it and every other cd that fails due to permissions. This is 
because the path lookup inside the kernel never completes due to permissions, 
so the audit system has no full path to check against. You can cut down the 
false positives by adding -F auid>=500. And also use the -F arch=b32 and 
b64 for biarch systems.

-Steve
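As an added example that is not part of the reply above, the two rule shapes it describes can be generated once per ABI so a biarch host audits the right syscall number on both. The key name evil-cd and the /dir/dir1/dir2 path come from the thread; the helper names and the idea of writing the output into /etc/audit/audit.rules are assumptions of this example.

```shell
#!/bin/sh
# Added example, not code from the thread: emit the chdir rules from the
# reply once for arch=b32 and once for arch=b64, with the auid filter that
# drops daemons and system accounts. Helper names are this example's own.

# biarch_rule KEY ARGS... : print the same -S/-F rule for b32 and for b64,
# so the syscall name resolves to the correct number on each ABI.
biarch_rule() {
    key=$1
    shift
    for arch in b32 b64; do
        printf '%s -F arch=%s %s -k %s\n' '-a always,exit' "$arch" "$*" "$key"
    done
}

# Case 1: the user is allowed to enter the directory, so the kernel finishes
# the path lookup and -F path= can match the full path.
permitted_chdir_rules() {
    biarch_rule evil-cd -S chdir -F path="$1"
}

# Case 2: lookup stops at a permission check before the path is complete,
# so there is no full path to match; key on the EACCES result instead and
# cut false positives with auid>=500 (real login sessions only).
denied_chdir_rules() {
    biarch_rule evil-cd -S chdir -F exit=-EACCES -F 'auid>=500'
}

# Usage (output would be appended to the rules file, assumed path):
#   { permitted_chdir_rules /dir/dir1/dir2; denied_chdir_rules; } >> /etc/audit/audit.rules
permitted_chdir_rules /dir/dir1/dir2
denied_chdir_rules
```

The second rule still fires for every permission-denied chdir on the box, as the reply says; the auid filter only removes events from processes that never went through a login session.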

* NISPOM Auditing
From: Mathis, Jim @ 2008-05-22 20:28 UTC (permalink / raw)
  To: linux-audit

Hello,
 
I need to log file edit attempts when a user doesn't have permission to
edit a specific file. For example, a non-root user attempts to edit
"/var/log/audit/audit.log" which has a permission setting of 640.
Although the user won't be able to edit the file (permission denied) -
I'd still like to log the attempt. Here's a snippet of my audit.rules
file:
 
## unsuccessful creation

-a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13 -k creation

-a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13 -k creation

## unsuccessful open

-a exit,always -S open -F exit=-13 -k open

## unsuccessful close

-a exit,always -S close -F exit=-13 -k close

## unsuccessful modifications

-a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods

-a exit,always -S renameat -F exit=-13 -k mods

## unsuccessful deletion

-a exit,always -S rmdir -S unlink -F exit=-13 -k delete 

-a exit,always -S unlinkat -F exit=-13 -k delete

## unauthorized change directory (cd)

-a exit,always -S chdir -F path=/var/log/audit -k evil2-cd

## Watch Files

-w /var/log/audit/audit.log -p rwxa -k audit-log2

Thanks 

-Jim


* Re: NISPOM Auditing
From: Steve Grubb @ 2008-05-22 21:19 UTC (permalink / raw)
  To: linux-audit

On Thursday 22 May 2008 16:28:41 Mathis, Jim wrote:
> I need to log file edit attempts when a user doesn't have permission to
> edit a specific file. For example, a non-root user attempts to edit
> "/var/log/audit/audit.log" which has a permission setting of 640.
> Although the user won't be able to edit the file (permission denied) -
> I'd still like to log the attempt. Here's a snippet of my audit.rules
> file:

Have you looked at the latest nispom.rules file in the audit package? I have a 
set of rules that should meet NISPOM requirements. If it doesn't I'd like to 
know what is wrong with it so we can fix it. This set of rules looks similar 
to it, but there are differences. The main difference is adding -F arch= to 
each syscall rule to make sure the numbers are correct.


> ## unsuccessful creation
>
> -a exit,always -S creat -S mkdir -S mknod -S link -S symlink -F exit=-13 -k creation
>
> -a exit,always -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-13 -k creation

-a exit,always -F arch=b32 -S creat -S mkdir -S mknod -S link -S symlink -F exit=-EACCES -k creation
-a exit,always -F arch=b64 -S creat -S mkdir -S mknod -S link -S symlink -F exit=-EACCES -k creation
-a exit,always -F arch=b32 -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-EACCES -k creation
-a exit,always -F arch=b64 -S mkdirat -S mknodat -S linkat -S symlinkat -F exit=-EACCES -k creation

> ## unsuccessful open
>
> -a exit,always -S open -F exit=-13 -k open

-a exit,always -F arch=b32 -S open -F exit=-EACCES -k open
-a exit,always -F arch=b64 -S open -F exit=-EACCES -k open
-a exit,always -F arch=b32 -S open -F exit=-EPERM -k open
-a exit,always -F arch=b64 -S open -F exit=-EPERM -k open

> ## unsuccessful close
>
> -a exit,always -S close -F exit=-13 -k close
>
> ## unsuccessful modifications
>
> -a exit,always -S rename -S truncate -S ftruncate -F exit=-13 -k mods
>
> -a exit,always -S renameat -F exit=-13 -k mods
>
> ## unsuccessful deletion
>
> -a exit,always -S rmdir -S unlink -F exit=-13 -k delete
>
> -a exit,always -S unlinkat -F exit=-13 -k delete
>
> ## unauthorized change directory (cd)
>
> -a exit,always -S chdir -F path=/var/log/audit -k evil2-cd

:)

> ## Watch Files
>
> -w /var/log/audit/audit.log -p rwxa -k audit-log2

This rule only watches one file. There could be more. You might want a rule 
like:

-w /var/log/audit -k audit-logs

-Steve
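The rules quoted above write one SYSCALL record per failed attempt, and the thing worth checking afterwards is whether the log actually contains the denied attempts a NISPOM reviewer expects. The following is an added example and not code from the thread or from the audit package: it pulls permission-denied SYSCALL records out of audit.log by the same exit values the rules key on (-13 is EACCES, so exit=-13 in the poster's rules and exit=-EACCES in the reply select the same events; -1 is EPERM) and keeps only records from real login sessions. The log lines in sample_log are constructed for this example (x86_64 numbers, where syscall 2 is open and 80 is chdir) and the helper names are this example's own.

```shell
#!/bin/sh
# Added example, not from the thread: filter audit.log for the denied
# attempts the exit=-EACCES / -EPERM rules record. Sample records below
# are constructed; they are not real log lines from the posters' systems.

# denied_events: read audit records on stdin and print "auid key comm"
# for every SYSCALL record that failed with EACCES (-13) or EPERM (-1)
# and was issued from a login session (auid set and >= 500).
denied_events() {
    awk '
    /^type=SYSCALL/ {
        rc = ""; auid = ""; key = ""; comm = ""
        for (i = 1; i <= NF; i++) {
            n = index($i, "=")
            if (n == 0) continue
            name = substr($i, 1, n - 1)
            val = substr($i, n + 1)
            if (name == "exit") rc = val
            else if (name == "auid") auid = val
            else if (name == "key") key = val
            else if (name == "comm") comm = val
        }
        # 4294967295 is the unset auid carried by daemons started at boot,
        # so it never passes the auid>=500 check used in the rules.
        if ((rc == "-13" || rc == "-1") && auid != "4294967295" && auid + 0 >= 500)
            print auid, key, comm
    }'
}

# sample_log: five constructed SYSCALL records. Only the first two are
# user-originated permission failures; the third succeeded, the fourth
# failed with ENOENT (-2), the fifth is a daemon with no login session.
sample_log() {
    cat <<'EOF'
type=SYSCALL msg=audit(1211488121.101:301): arch=c000003e syscall=2 success=no exit=-13 a0=7fff2a1 a1=241 a2=1b6 a3=0 items=1 ppid=2101 pid=2150 auid=500 uid=500 gid=500 euid=500 tty=pts0 comm="vi" exe="/bin/vi" key="open"
type=SYSCALL msg=audit(1211488121.202:302): arch=c000003e syscall=80 success=no exit=-13 a0=7fff2b0 a1=0 a2=0 a3=0 items=1 ppid=2101 pid=2101 auid=500 uid=500 gid=500 euid=500 tty=pts0 comm="bash" exe="/bin/bash" key="evil-cd"
type=SYSCALL msg=audit(1211488121.303:303): arch=c000003e syscall=2 success=yes exit=4 a0=7fff2c0 a1=441 a2=180 a3=0 items=1 ppid=1 pid=1843 auid=4294967295 uid=0 gid=0 euid=0 tty=(none) comm="auditd" exe="/sbin/auditd" key="open"
type=SYSCALL msg=audit(1211488121.404:304): arch=c000003e syscall=2 success=no exit=-2 a0=7fff2d0 a1=0 a2=0 a3=0 items=1 ppid=2101 pid=2160 auid=500 uid=500 gid=500 euid=500 tty=pts0 comm="cat" exe="/bin/cat" key="open"
type=SYSCALL msg=audit(1211488121.505:305): arch=c000003e syscall=2 success=no exit=-1 a0=7fff2e0 a1=2 a2=0 a3=0 items=1 ppid=1 pid=1900 auid=4294967295 uid=99 gid=99 euid=99 tty=(none) comm="nobodyd" exe="/usr/sbin/nobodyd" key="open"
EOF
}

# count_denied: number of user-originated permission failures in the sample
count_denied() {
    sample_log | denied_events | grep -c .
}

# Usage on a live system would be: denied_events < /var/log/audit/audit.log
sample_log | denied_events
```

The ENOENT record is deliberately left out: a rule written as exit=-13 never records it, so a log reader that matches on success=no alone would report attempts the rules were never meant to capture.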

* RE: NISPOM Auditing
From: corbin @ 2008-05-27 14:00 UTC (permalink / raw)
  To: 'Steve Grubb', linux-audit

Can these rules apply to RHEL4 or just RHEL5?  I, too, have to create a
NISPOM compliant network and have written scripts to do so.  However, I am
just exploring the audit.rules settings in RHEL and wanted to know if these
changes are particular to a specific version of Red Hat. 

Thanks!
Starr


* Re: NISPOM Auditing
From: Steve Grubb @ 2008-05-27 14:19 UTC (permalink / raw)
  To: corbin; +Cc: linux-audit

On Tuesday 27 May 2008 10:00:19 corbin wrote:
> Can these rules apply to RHEL4 or just RHEL5?

The rules are different between RHEL4 and 5. RHEL5 has more syscalls than 4 
did. It also has more options in auditctl & kernel to make rules capture just 
the required data. Some things you simply can't express in RHEL4. For 
example, the ability to audit only users (auid>=500) rather than everything 
including daemons. For RHEL4, you can get everything required for NISPOM, but 
you depend more on the reduction tools and eat more disk space doing so.

> However, I am just exploring the audit.rules settings in RHEL and wanted to
> know if these changes are particular to a specific version of Red Hat.

I believe that RHEL4 has a nispom.rules file also. It has not been updated in 
quite a while, but it should be a good starting point. It probably needs 
updating for arch=b32 and 64 so that biarch machines get the right syscalls 
being audited.

-Steve