Example

Example

[Fulda, Paul (Space Technology)]

[-- Attachment #1.1: Type: text/plain, Size: 357 bytes --]

Can someone give me an example of how to audit the "date" command in the
audit.rules file.  I would like for it to report only failures for a
user using the command.  Root using the command would report nothing.  I
can get this working for file watches but not for executables using:

-a exit,always  -w /etc/shadow -S open -F success!=1


Thanks!

[-- Attachment #1.2: Type: text/html, Size: 827 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

RE: Example

[Fulda, Paul (Space Technology)]

[-- Attachment #1.1: Type: text/plain, Size: 754 bytes --]

Let me rephrase.  It would report an audit record only if a general user
uses the 'date' command, but do nothing if root execute it.

________________________________

From: linux-audit-bounces@redhat.com
[mailto:linux-audit-bounces@redhat.com] On Behalf Of Fulda, Paul (Space
Technology)
Sent: Tuesday, September 23, 2008 11:18 AM
To: Linux-audit@redhat.com
Subject: Example



Can someone give me an example of how to audit the "date" command in the
audit.rules file.  I would like for it to report only failures for a
user using the command.  Root using the command would report nothing.  I
can get this working for file watches but not for executables using:

-a exit,always  -w /etc/shadow -S open -F success!=1 


Thanks! 


[-- Attachment #1.2: Type: text/html, Size: 1453 bytes --]

[-- Attachment #2: Type: text/plain, Size: 0 bytes --]

Re: Example

[Steve Grubb]

On Tuesday 23 September 2008 12:18:27 Fulda, Paul (Space Technology) wrote:
> Can someone give me an example of how to audit the "date" command in the
> audit.rules file. 

The "watch" style commands will not work. The audit system works at the 
syscall level. So, under the hood, the audit system will place a rule on 
execve, or open on your behalf. Neither of these are the actual syscall that 
fails.


> I would like for it to report only failures for a user using the command.
> Root using the command would report nothing.  I can get this working for file
> watches but not for executables using

strace is your friend. I ran a command that would fail and see something like 
this:

write(3, "strace: exec: Permission denied\n"..., 32strace: exec: Permission 
denied
) = 32
close(3)                                = 0
munmap(0x7f17fc707000, 4096)            = 0
exit_group(1)  

So, we should be able to place a rule on exit_group.

-a exit,always -S exit_group -F a0=1 -F auid>=500

But I'm really not sure this will give you good, quality results. You can 
experiment and see. But the audit system is at the syscall level and not the 
application level and that should always be taken into account.

-Steve