From: "Fulda, Paul (Space Technology)"
Subject: Example
Date: Tue, 23 Sep 2008 11:18:27 -0500
To: Linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Can someone give me an example of how to audit the "date" command in the audit.rules file. I would like for it to report only failures for a user using the command. Root using the command would report nothing. I can get this working for file watches but not for executables using:

-a exit,always -w /etc/shadow -S open -F success!=1

Thanks!
From: "Fulda, Paul (Space Technology)"
Subject: RE: Example
Date: Tue, 23 Sep 2008 11:23:27 -0500
To: "Fulda, Paul (Space Technology)", Linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Let me rephrase. It would report an audit record only if a general user uses the 'date' command, but do nothing if root executes it.

________________________________
From: linux-audit-bounces@redhat.com [mailto:linux-audit-bounces@redhat.com] On Behalf Of Fulda, Paul (Space Technology)
Sent: Tuesday, September 23, 2008 11:18 AM
To: Linux-audit@redhat.com
Subject: Example

Can someone give me an example of how to audit the "date" command in the audit.rules file. I would like for it to report only failures for a user using the command. Root using the command would report nothing. I can get this working for file watches but not for executables using:

-a exit,always -w /etc/shadow -S open -F success!=1

Thanks!
From: Steve Grubb
Subject: Re: Example
Date: Wed, 24 Sep 2008 07:34:20 -0400
Message-ID: <200809240734.21742.sgrubb@redhat.com>
To: linux-audit@redhat.com
Cc: "Fulda, Paul (Space Technology)"
List-Id: linux-audit@redhat.com

On Tuesday 23 September 2008 12:18:27 Fulda, Paul (Space Technology) wrote:
> Can someone give me an example of how to audit the "date" command in the
> audit.rules file.

The "watch" style commands will not work. The audit system works at the syscall level. So, under the hood, the audit system will place a rule on execve, or open on your behalf. Neither of these are the actual syscall that fails.

> I would like for it to report only failures for a user using the command.
> Root using the command would report nothing. I can get this working for file
> watches but not for executables using

strace is your friend. I ran a command that would fail and saw something like this:

write(3, "strace: exec: Permission denied\n"..., 32strace: exec: Permission denied
) = 32
close(3) = 0
munmap(0x7f17fc707000, 4096) = 0
exit_group(1)

So, we should be able to place a rule on exit_group.

-a exit,always -S exit_group -F a0=1 -F auid>=500

But I'm really not sure this will give you good, quality results. You can experiment and see. But the audit system is at the syscall level and not the application level and that should always be taken into account.

-Steve
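The exit_group approach discussed in this thread, as an added example that is not part of the list messages or of the audit project: a small Python filter that applies the same conditions as the proposed rule (exit_group, exit status carried in a0, login uid at or above 500) to constructed audit.log SYSCALL records. It goes slightly beyond the rule by treating any non-zero exit status as a failure and by skipping the unset-auid value 4294967295, which a plain numeric auid>=500 test would otherwise admit. The syscall number 231 for exit_group on arch=c000003e (x86_64), the field layout, and every sample record are assumptions made for the example.

```python
"""Filter audit SYSCALL records for failed exits of one command by unprivileged users.

Added example, not code from the linux-audit thread. Assumptions: the standard
key=value layout of audit.log SYSCALL records, x86_64 (arch=c000003e) where
exit_group is syscall 231, and the constructed sample records below.
"""
import re
from typing import Dict, List, Tuple

SYS_EXIT_GROUP_X86_64 = 231   # assumed: exit_group on arch=c000003e
UNPRIVILEGED_AUID_MIN = 500   # threshold from the thread's rule (-F auid>=500)
AUID_UNSET = 4294967295       # how audit prints an unset login uid (-1 as u32)

# Constructed sample records, not real log data. Record 2 is the case the
# thread's rule should catch; the others show why each filter term matters:
# 1 root login, 3 other command, 4 status 0, 5 root login running as uid 500,
# 6 no login uid (daemon context).
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1222180000.101:1): arch=c000003e syscall=231 success=yes exit=0 a0=1 a1=0 a2=0 a3=0 items=0 ppid=100 pid=101 auid=0 uid=0 gid=0 euid=0 comm="date" exe="/bin/date"
type=SYSCALL msg=audit(1222180000.102:2): arch=c000003e syscall=231 success=yes exit=0 a0=1 a1=0 a2=0 a3=0 items=0 ppid=200 pid=201 auid=500 uid=500 gid=500 euid=500 comm="date" exe="/bin/date"
type=SYSCALL msg=audit(1222180000.103:3): arch=c000003e syscall=231 success=yes exit=0 a0=1 a1=0 a2=0 a3=0 items=0 ppid=200 pid=202 auid=500 uid=500 gid=500 euid=500 comm="ls" exe="/bin/ls"
type=SYSCALL msg=audit(1222180000.104:4): arch=c000003e syscall=231 success=yes exit=0 a0=0 a1=0 a2=0 a3=0 items=0 ppid=200 pid=203 auid=500 uid=500 gid=500 euid=500 comm="date" exe="/bin/date"
type=SYSCALL msg=audit(1222180000.105:5): arch=c000003e syscall=231 success=yes exit=0 a0=1 a1=0 a2=0 a3=0 items=0 ppid=300 pid=301 auid=0 uid=500 gid=500 euid=500 comm="date" exe="/bin/date"
type=SYSCALL msg=audit(1222180000.106:6): arch=c000003e syscall=231 success=yes exit=0 a0=1 a1=0 a2=0 a3=0 items=0 ppid=1 pid=401 auid=4294967295 uid=0 gid=0 euid=0 comm="date" exe="/bin/date"
"""

# key=value pairs; values are either double-quoted strings or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a field -> value dict (surrounding quotes stripped)."""
    return {key: value.strip('"') for key, value in FIELD_RE.findall(line)}


def is_unprivileged_failed_exit(fields: Dict[str, str], exe: str = "/bin/date") -> bool:
    """Mirror the thread's rule: exit_group from `exe` with a non-zero status by a real login uid >= 500.

    exit_group itself always reports success=yes; the interesting value is its
    first argument (a0), which is the process exit status and is printed in hex.
    """
    if fields.get("type") != "SYSCALL" or fields.get("exe") != exe:
        return False
    if int(fields.get("syscall", "-1")) != SYS_EXIT_GROUP_X86_64:
        return False
    status = int(fields.get("a0", "0"), 16)
    auid = int(fields.get("auid", "-1"))
    # auid is the login uid, so a root login that switched to uid 500 is still
    # excluded, and the unset value must be rejected explicitly because it is
    # numerically larger than 500.
    return status != 0 and UNPRIVILEGED_AUID_MIN <= auid != AUID_UNSET


def find_failed_runs(log_text: str, exe: str = "/bin/date") -> List[Tuple[str, str, int]]:
    """Return (pid, auid, exit status) for each matching record in `log_text`."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        fields = parse_record(line)
        if is_unprivileged_failed_exit(fields, exe):
            hits.append((fields["pid"], fields["auid"], int(fields["a0"], 16)))
    return hits


if __name__ == "__main__":
    for pid, auid, status in find_failed_runs(SAMPLE_LOG):
        print(f"pid={pid} auid={auid} exited with status {status}")
```

Run against the constructed log, only record 2 is reported. The same filter logic is what the proposed `-a exit,always -S exit_group -F a0=1 -F auid>=500` rule asks the kernel to apply, with the caveat from the thread still standing: exit_group sees the exit status the program chose to return, not why the program failed, so this is a coarse signal rather than an application-level audit.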